From: Erin Carroll (amoeba@amoebazone.com)
Date: Sun Jul 01 2007 - 17:22:14 EDT
Excellent reply Pete. As a moderator it makes my day when detailed responses
like this are submitted. :)
In my experience the most time consuming task is the audit and enumeration
of rules/ACLs etc. of network devices. There are several tools out there in the
Risk Assessment/Audit market which can help to expedite this portion (Cisco,
SkyBox, Red Seal, etc). I've some experience with these tools and Red Seal is
the only one (AFAIK) that offers an engagement or consulting-based solution
which sounds like it would fit your needs. Grab the configs of the
firewalls, routers, switches etc and it will build you a nice map and risk
analysis which should help grab the low hanging fruit. It's always nice to
have a quick and easy way to show a client that if they change foo at X how
it affects bar at Y and tools like Red Seal's allow a simple visual
representation which easily translates to non-techs.
As Pete mentions though, that part is only the beginning and the OSSTMM
controls are a great guideline to follow to sniff out the non-obvious risks.
-- 
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Pete Herzog
> Sent: Sunday, July 01, 2007 9:35 AM
> To: Joseph McCray
> Cc: pen-test@securityfocus.com
> Subject: Re: Advanced Network Infrastructure Assessment Questions....
>
> Hi Joe,
>
> I know you're a smart security guy so I won't insult you with
> basic stuff you probably know but rather approach this as 3
> possible tiers.
>
> Depending on your assessment (what you're promising or
> selling) you may want to just make sure that the
> routers/firewalls are working as designed for egress/ingress
> filtering, depth and level of that filtering, packet
> manipulation type from that filtering, packet contents added
> or removed with the filtering, holding states properly if so
> configured, controls and handling for accepted protocols
> (here the TCP/UDP/ICMP trinity is merely the start), and
> controlled access granted appropriately and to the right
> vector. And that's the unit itself.
>
> Then there's the environment around the unit, its processes
> and controls where they interact with other channels and
> vectors like people, telecommunications, wireless, etc. and
> from the inside, outside, or direct access.
>
> The third possibility is to test the systems themselves for
> vulnerabilities where the standard fare applies of validation
> of interactivity whether direct (interactive with the system)
> or indirect (system writes a log which is exploited). But
> that may not be something where you will find the average
> corporate customer buying. It all depends what you're doing
> or want to do.
>
> Of course the first 2 tiers can be repackaged into a variety
> of partial audits for various compliance objectives. Same
> chips, different colored bag, change flavoring powder to taste.
>
> One way we have been approaching the means of increasing the
> depth of security tests is to use the 10 controls of the
> OSSTMM as a starting point.
> It's an easy way of trying to find how and where that
> control is implemented in the security solution and what
> weaknesses it has. That list is available under the security
> metrics (RAVs) portion of OSSTMM 2.2 at www.osstmm.org. Here
> it is reprinted:
>
> Controls
> Controls are the 10 loss protection categories in two
> categories, Class A (interactive) and Class B (process).
> The Class A categories are authentication, indemnification,
> subjugation, continuity, and resilience.
> The Class B categories are non-repudiation, confidentiality,
> privacy, integrity, and alarm.
>
> Class A
> Authentication is the control of interaction requiring
> having both credentials and authorization where
> identification is required for obtaining both.
> Indemnification is the control over the value of assets by
> law and/or insurance to recoup the real and current value of the loss.
> Subjugation is the locally sourced control over the
> protection and restrictions of interactions by the asset responsible.
> Continuity is the control over processes to maintain
> access to assets in the events of corruption or failure.
> Resilience is the control over security mechanisms to
> provide protection to assets in the event of corruption or failure.
>
> Class B
> Non-repudiation prevents the source from denying its role
> in any interactivity regardless of whether or not access was obtained.
> Confidentiality is the control for assuring an asset
> displayed or exchanged between parties can be known outside
> of those parties.
> Privacy is the control for the method of how an asset
> displayed or exchanged between parties can be known outside
> of those parties.
> Integrity is the control of methods and assets from
> undisclosed changes.
> Alarm is the control of notification that OPSEC or any
> controls have failed, been compromised, or circumvented.
>
> Sincerely,
> -pete.
>
>
> Joseph McCray wrote:
> > I'm starting to do more and more network infrastructure assessment
> > work (specifically auditing Routers/Switches/Firewalls/VPNs/etc), and
> > I'm really looking to expand the scope of this service and make my
> > audit as thorough as possible.
> >
> > Basically, the stuff that I'm hitting the hardest right now is SNMP,
> > TFTP, NTP, VPN psk stuff, firewall leak testing, and of course weak
> > passwords/clear text protocols for network management.
> >
> > My most commonly used tools right now are:
> >
> > * nmap (obviously)
> > * nessus
> > * onesixtyone (and other snmp tools)
> > * cisco-torch
> > * cge.pl
> > * ftester
> > * ike-scan (and other scripts)
> >
> > Tools of interest for me are scapy and yersinia. Just really haven't
> > sat down and learned them, but read about and have played with them a
> > little (never on an audit though).
> >
> > I'm looking for other things that I may be forgetting/neglecting. I'm
> > running into a lot more non-cisco gear so that is new for me (Extreme,
> > Foundry, Juniper, etc). So I'm looking for good general information
> > that will help me improve my audits in that area.
> >
> > I'm specifically looking for more links on auditing NAC solutions (a
> > methodology that I could follow or at least point me in the right
> > direction).
> >
> > More stuff like this:
> >
> > https://www.blackhat.com/presentations/bh-europe-07/Dror-Thumann/Presentation/bh-eu-07-dror-ppt-apr19.pdf
> > https://www.blackhat.com/presentations/bh-europe-07/Dror-Thumann/Whitepaper/bh-eu-07-dror-WP.pdf
> >
> > ...and Ofir Arkin's research on the subject
> >
> > http://media.blackhat.com/presentations/bh-dc-07/Arkin/Presentation/bh-dc-07-Arkin-ppt-up.pdf
> >
> > I'm also looking for people that are auditing things like 802.1x,
> > and/or doing 802.1x implementations in a hybrid network infrastructure (i.e.
> > Cisco, Extreme, Foundry, blah blah blah).
> >
> >
> > Let me know guys...I could really use the help.
> >
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Swap Out your SPI or Watchfire app sec solution for Cenzic's
> robust, accurate risk assessment and management solution FREE
> - limited Time Offer
>
> http://www.cenzic.com/wf-spi
> ------------------------------------------------------------------------
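The ACL review Erin describes (grab the device configs, pull out the low-hanging fruit) and Pete's first tier (confirm the filtering does what it is designed to do) can be started with a small config-review script before any commercial tool is brought in. The following is an added example, not code from this thread or from any of the products named in it; the IOS-style access list, the ACL name and the list of "risky" ports are constructed, and the parser assumes simple `permit|deny proto src dst [eq port] [log]` entries with no source-port or established keywords.

```python
# Constructed IOS-style extended ACL, not taken from any real device or from the thread.
SAMPLE_CONFIG = """\
ip access-list extended OUTSIDE_IN
 remark inbound filter on the Internet edge
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 23
 permit udp any any eq 161
 permit ip any any
 deny ip any any log
"""
# Management and clear-text services that should not be reachable from 'any' (assumed list).
RISKY_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http", 161: "snmp"}

def _consume_addr(toks):
    # IOS address forms: 'any' (1 token), or 'host A' / 'A wildcard' (2 tokens).
    if not toks:
        return None, toks
    n = 1 if toks[0] == "any" else 2
    return " ".join(toks[:n]), toks[n:]

def parse_ace(line):
    """Parse 'permit|deny proto src dst [eq port] [log]'; returns None for non-ACE lines."""
    toks = line.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        return None
    src, rest = _consume_addr(toks[2:])
    dst, rest = _consume_addr(rest)
    if dst is None:
        return None
    port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" and rest[1].isdigit() else None
    return {"action": toks[0], "proto": toks[1], "src": src, "dst": dst, "port": port}

def audit_config(config):
    """Walk each named ACL and return (acl, ace, reason) for the obvious low-hanging fruit."""
    findings, acl = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list "):
            acl = line.split()[-1]  # name of the ACL whose entries follow
            continue
        ace = parse_ace(line)
        if acl is None or ace is None or ace["action"] != "permit":
            continue
        if ace["src"] == "any" and ace["dst"] == "any" and ace["port"] is None:
            findings.append((acl, line, "permit any to any: the rule filters nothing"))
        elif ace["src"] == "any" and ace["port"] in RISKY_PORTS:
            findings.append((acl, line, f"{RISKY_PORTS[ace['port']]} permitted from any source"))
    return findings
```

Run `audit_config` over a real `show running-config` export to get a first cut of the rules that need a conversation with the client; the visual "change foo at X, affects bar at Y" analysis is what the commercial tools add on top of this.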
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:55 EDT