90 Managing Network Vulnerability Assessment
Exhibit 1. Pre-Vulnerability Assessment Questionnaire
Date: 10/30/02
Client: ACME Corp.
Client Address: Michigan
Consultant Name: Rosalie Merpi
1. Do you have any security-related policies and standards?
2. If so, do you want us to review them?
3. Do you want us to perform a review of the physical security of your servers and network infrastructure?
4. How many Internet domains do you have?
5. How many Internet hosts do you have?
6. Do you want us to map your Internet presence? Otherwise, can you provide us with a detailed diagram of your Internet presence, including addresses, host OS types, and software in use on the hosts? We will also need addresses in use on both sides of the hosts if they connect to both the Internet and the internal network.
7. Do you want us to review the security of your routers and hubs?
8. If so, how many routers and hubs exist on your network?
9. Do you want us to perform a security review of the workstations on the network?
10. If so, what operating systems are the workstations running?
11. If so, how many workstations would you like tested?
12. Our review will assess five or fewer servers of each type (NT, UNIX, and Novell); do you want us to review more than that?
13. If so, how many of each?
14. Do you want denial-of-service testing to be conducted? This testing can have adverse effects on the systems tested. We can arrange to do this test during non-production hours.
15. Do you want us to perform a modem scan of your analog phone lines?
16. What kind of RAS server are you using, and how many modems are used?
17. Do you want us to travel to other sites to perform assessments on systems?
Step 1: Site Survey
The first step of the six-step model, site survey, is sometimes difficult to complete. The easiest way to get the background information necessary to build the test plan is to have the questionnaire shown in Exhibit 1 answered. This also ties into setting the project scope for the technical aspects of the NVA. As it was once explained to us, this step is necessary so that we do not end up trying to boil the ocean for $15,000. The primary questions you need to answer are listed in Exhibit 1 (also in Appendix B).
There are a few major points that you need to uncover during the site survey. They include the determination of many environmental considerations, such as the media types that your target network may have. Special consideration must be given to most non-Ethernet media types. This has become an even more important point with the proliferation of wireless networking. Wireless network testing will require that special tools be added to your toolkit and additional time be spent in the NVA. If you have to limit your scope to meet time or cost concerns, it is not recommended to skip the wireless network review, because of the many potential security holes in current wireless network technology. Special consideration for network media types does not end with wireless networking, but also includes technologies such as Token Ring, FDDI (Fiber Distributed Data Interface) or other fiber-optic technologies, and some of the much older technologies such as ARCNET.
In addition to the media types run on the target network, it is important to find out the makeup of the concentrator devices on the client network. Whether the target network has primarily switches or hubs can make a large difference in the time needed to perform the NVA, because a network sniffer in a switched environment is limited to its one network segment. Switches are built so that each port on a switch is, in effect, a single network segment. This is good in terms of bandwidth and security, but more difficult in terms of security assessment. For example, a 100-megabit switch provides a full 100 megabits for each port on the switch. If only one device is plugged into that particular port, which is generally the case, that machine has 100 megabits all to itself. Conversely, a hub shares the total bandwidth between all of its ports. This means that a 100-megabit, eight-port hub actually divides the 100 megabits between all eight ports. If you happen to be the only machine currently accessing the network on the eight-port hub, then you would get the full 100 megabits. However, if there are eight machines accessing the network on your hub, your effective bandwidth is one eighth of the 100 possible megabits. The impact on the assessment process is that you could plug a network sniffer into any one of the ports on the hub and see all of the network traffic on the eight ports. If you plugged the same network sniffer into a switch, you would only see the network traffic for the machine plugged into your same network segment, plus broadcast traffic, which is meant for everyone on the network to see. This entire switch-versus-hub debate can be taken a step further when you also have to consider the smart switch, or “layer 3” switch as it is often called. A smart switch adds one more wrinkle. It really is not much of a switch anymore — it is really a multi-port router. The potential issue in terms of the assessment lies in the fact that a layer 3 switch can also segment itself into logical switches. This process is known as using a virtual local area network (VLAN). So by plugging your network sniffer into a smart switch with multiple VLANs, you would only see the network traffic for your network port and only the broadcast traffic for your VLAN. However, the layer 3 switch does have a feature that can help in performing network sniffing. This feature, known as a “span port” (also known as port mirroring), allows your network sniffer to see all of the network traffic across all of the network ports into the switch. Of course, how well this works, if at all, depends on both the configuration and the manufacturer of the network device.
If you thought the site survey was complete after a determination of media type and concentrator type, think again. Another area for consideration in the site survey is the number and type of operating systems run on the target network. While there are some tools that run equally well against an NT machine or a UNIX machine, not all tools pull dual duty. In addition, the same tool may require configuration changes between multiple operating systems. This can also be impacted by the difficulty in finding tools to help assess the less popular operating systems. It is generally pretty easy to find tools to help assess Microsoft operating systems (Win9x, NT, 2000, or XP), common distributions of UNIX, and most distributions of Linux operating systems. However, it is becoming increasingly difficult to find tools to help with the once very popular Novell network operating system. Tools still exist for Novell, but not nearly the range available for the previously mentioned operating systems.
So now you know the network media, network concentrator type, and the number and types of operating systems. You are finished with the site survey, right? Well, not exactly, but you are getting close. Another factor you must determine in the site survey is an actual determination of where the network starts and stops. This seems like it might be an easy question to answer; but when you take into account all of the possible network extenders, such as virtual private networks (VPNs) or wide area network (WAN) connections, it can become a little more difficult to decide. So this step in the site survey is the best place to get the actual determination of where the network begins and ends, as well as what you are responsible for testing. It is better to get this fixed now during the site survey than to try to get it corrected during the presentation of your final results.
Another key issue that you must determine in the site survey is the number and type of network protocols on the target network. Because the Internet Protocol (IP) is the most popular, the majority of the tools we will discuss are IP based. However, there are many different network protocols that may still be found on your target network. So, similar to the previous step, it is much better to find out here in the site survey that your target network runs exclusively the Internetwork Packet Exchange (IPX) protocol.
A most important key issue to determine during the site survey is the location of sensitive information. This allows you to focus your security assessment on the parts of the network that would have the greatest impact on the organization if compromised. Just imagine yourself giving the final results presentation on your vulnerability assessment, and only then realizing that you had exhaustively tested each workstation for vulnerabilities but missed the crucial network segment that contained all the company’s financial and customer data. This could become what is known as a “career-limiting move.”
The above issue is closely tied to the following issue. The number and location of servers almost always coincides with where the sensitive information is located. However, that may not always be the case. It is also important to find out the number of servers because you are more likely to run host-based security tools on servers. So, the larger the number of servers, the more time you can spend on running host-based tools. Do not worry if you are not familiar with the phrase “host-based tools”; we will spend some time looking at them in Step 3: Building the Toolkit.
The final question requiring an answer in the site survey is whether the physical security of your target network will be assessed as well. Often, performing the physical security review is one of the most entertaining tests