Presentation_ID © 1999, Cisco Systems, Inc. Cisco Security Consulting
Assessing your Network for Vulnerabilities
Danny Rodriguez
Network Security Engineer
Agenda
• Why assess your Network?
• Define Assessment goals
• Assessment Methodology
• Break
• Common vulnerabilities
• Recent vulnerabilities
Why Assess your Network?
• Fear of “CNN” moment
• Mandated by management
• Determine risk of intrusion
• Measure effectiveness of safeguards
Why Assess your Network? (Cont.)
• To accurately map your network
• To identify vulnerabilities and countermeasures
• ...
Define Assessment goals
• What do you want to accomplish?
• Test effectiveness of current safeguards
• Measure staff's ability to detect and respond
• Discover vulnerabilities present
• Determine risk of Denial-of-Service
Assessment Methodology
SPA = External, Dial, Internal Analysis
[Diagram: External IP Assessment from the Internet, External Dial Assessment over the WAN, Internal Network Assessment inside the Enterprise Network]
Dial Methodology
• Discovery
– Dial phone numbers provided
– During normal business hours
– During off hours (weekends, nights)
– Identify phone numbers with carriers
Dial Methodology (Cont.)
• Carrier Analysis
– Determine type of connected device
• router, PC, phone switch
– Determine type of remote control software
• pcAnywhere, ReachOut
Dial Methodology (Cont.)
• Penetration
– Test authentication
• Digital lines often overlooked (ISDN, DSL)
Network Assessment
• Network Mapping
– Host and Service discovery
• Targeting
– Identifying potential vulnerabilities
• Exploitation
– Confirm potential vulnerabilities
Network Mapping
• Build registered map
– Public info
• Whois database (InterNIC, ARIN)
• DNS High Zone transfers
Network Mapping (Cont.)
• Build electronic map
– “Live” hosts and active services
• ICMP Sweeps
• Port scans
– well known ports
– “blind” (not responding to ICMP)
Network Mapping (Cont.)
• Map of record
– Customer provided information
• Network topologies
– Including ISP information
• Registered domain names
• Hosted web sites
Targeting
• Banner analysis
– Host (login)
– Service (smtp, pop, http)
• Port correlation
• Identify potential vulnerabilities
Exploitation
• Automated confirmation tools
• Manual confirmation
– “Mind” in the middle
• Secondary exploitation
– “Launch pad”
Break
Common Vulnerabilities
• Passwords
• Dial-up
• Network Infrastructure
• Host based
• Service based
– HTTP, SMTP, FTP
Passwords
• Clear-Text
• “Null” passwords
• “Joe” passwords
• Weak passwords
Passwords (Cont.)
• No required length
• No aging
• No history
• Same password used for different access levels
Password Recommendations
• Use encrypted passwords
• Develop a password policy
– Require a password
– Require a minimum length
• 7 alphanumeric characters
– Implement password history and aging
Password Recommendations (Cont.)
• Develop a password policy
– Require that unique passwords be used for different levels of access
• “Crack” passwords routinely
– L0phtCrack and John the Ripper
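The password policy on the two recommendation slides above, turned into a check a defender can run before a password is accepted. This is an added example and not code from the Cisco deck: the rules (no null password, minimum length 7, alphanumeric, no "Joe" password, no reuse across access levels) are the slides'; reading "alphanumeric" as "at least one letter and one digit", the function name check_password, the violation texts and the sample values in the usage line are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the Cisco deck: a defender-side check that applies the
# password policy on these slides to a candidate password before it is accepted.
# Rules taken from the slides: no null passwords, minimum length 7, alphanumeric
# (read here as at least one letter and one digit, an assumption), no "Joe"
# passwords (password equal to the username), and no reuse of one password across
# different access levels. Function and variable names are this example's own.

# check_password USER PASSWORD [PASSWORDS_USED_FOR_OTHER_ACCESS_LEVELS...]
# Prints the first policy violation and returns 1, or prints "ok" and returns 0.
check_password() {
    user=$1
    pass=$2
    shift 2

    if [ -z "$pass" ]; then
        echo "null password"; return 1
    fi
    if [ "${#pass}" -lt 7 ]; then
        echo "shorter than 7 characters"; return 1
    fi
    # alphanumeric: require at least one letter and at least one digit
    case $pass in
        *[A-Za-z]*) ;;
        *) echo "no letters"; return 1 ;;
    esac
    case $pass in
        *[0-9]*) ;;
        *) echo "no digits"; return 1 ;;
    esac
    # "Joe" password: the username itself (in any case) used as the password
    lower_user=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    lower_pass=$(printf '%s' "$pass" | tr 'A-Z' 'a-z')
    if [ "$lower_user" = "$lower_pass" ]; then
        echo "joe password (same as username)"; return 1
    fi
    # the same password must not be reused for a different level of access
    for other in "$@"; do
        if [ "$pass" = "$other" ]; then
            echo "reused across access levels"; return 1
        fi
    done
    echo "ok"
    return 0
}

# When run directly: check_password.sh USER PASSWORD [OTHER_LEVEL_PASSWORDS...]
# e.g. check_password.sh danny99 Danny99   -> joe password (same as username)
if [ "$#" -ge 2 ]; then
    check_password "$@"
fi
```

The trailing arguments are the passwords already in use by the same person at other access levels (for example the enable password next to the login password), so the reuse rule on the slide can be enforced at the point where a new password is set rather than discovered later by a cracking run.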
Dial-up
• Unauthorized modems
• Poor authentication mechanism
• No logging
• Digital lines often not analyzed
Dial-up Recommendations
• Have strict policies and procedures
• Centralize modem pool
• Implement proper authentication mechanism
• Adequate logging
• Include Digital lines in assessment
Network Infrastructure
• Unfiltered network traffic
• Remote management not restricted
• Susceptible to “sniffers”
• Susceptible to session hijacking
Network Infrastructure (Cont.)
• Guessable SNMP community strings
– public, private, system, read, write
• Extranet connections
– vendors, partners
• No logging
Network Infrastructure: Recommendations
• Determine what network traffic should be allowed IN and OUT (policy)
• Restrict remote access only to authorized management workstations
• Determine if encryption is an option
• Implement a switched network
Network Infrastructure: Recommendations (Cont.)
• Adequate logging
– Log to external device (syslog)
• Use “good” SNMP community strings
• Designate SNMP host servers
• Identify and properly segment extranet connections
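An offline audit of a router configuration against the infrastructure findings and recommendations on the slides above: the guessable community strings the slide lists, SNMP communities not tied to a designated-host ACL, no external syslog host, and remote-management (vty) lines without an access-class. This is an added example, not code from the Cisco deck or a Cisco tool; it assumes IOS-style configuration syntax, both sample configurations are constructed for the example, and the function names audit_config and count_findings and the finding texts are this example's own.

```sh
#!/bin/sh
# Added example, not from the Cisco deck: an offline audit of a router configuration
# against the infrastructure recommendations on these slides. It flags the guessable
# SNMP community strings listed on the slides, SNMP communities not tied to an ACL of
# designated SNMP hosts, the absence of an external syslog host, and vty (remote
# management) lines with no access-class. Assumptions: IOS-style configuration syntax;
# both sample configurations below are constructed for this example; the function
# names and the finding texts are this example's own.

# audit_config FILE -> prints one finding per line (nothing when the config is clean)
audit_config() {
    file=$1
    have_syslog=0; have_vty=0; have_access_class=0
    set -f   # no pathname expansion while word-splitting config lines
    while read -r line; do
        set -- $line
        case "$1 $2" in
            "snmp-server community")
                name=$3; acl=$5   # snmp-server community <string> RO|RW [acl]
                case $name in
                    public|private|system|read|write)
                        echo "guessable SNMP community string: $name" ;;
                esac
                if [ -z "$acl" ]; then
                    echo "SNMP community $name not restricted to designated SNMP hosts (no ACL)"
                fi ;;
            "logging host"|"logging "[0-9]*) have_syslog=1 ;;
            "line vty")        have_vty=1 ;;
            "access-class "*)  have_access_class=1 ;;
        esac
    done < "$file"
    set +f
    if [ "$have_syslog" -eq 0 ]; then
        echo "no external syslog host configured (logging stays on the device)"
    fi
    if [ "$have_vty" -eq 1 ] && [ "$have_access_class" -eq 0 ]; then
        echo "vty lines not restricted to management workstations (no access-class)"
    fi
}

# count_findings FILE -> prints the number of findings
count_findings() {
    audit_config "$1" | awk 'END { print NR }'
}

# Constructed sample: the weak configuration the slides warn about
weak_config=$(mktemp)
cat > "$weak_config" <<'EOF'
hostname edge-router
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-r0 RO 10
logging buffered 4096
line vty 0 4
 login
 transport input telnet
EOF

# Constructed sample: the same device after the recommendations are applied
hardened_config=$(mktemp)
cat > "$hardened_config" <<'EOF'
hostname edge-router
logging host 10.1.1.5
access-list 10 permit 10.1.1.0 0.0.0.255
snmp-server community Xk92-pQ7m-rO RO 10
line vty 0 4
 access-class 10 in
 login
EOF

audit_config "$weak_config"
```

The weak sample produces six findings (two for each default community string, one for the missing syslog host, one for the open vty lines); the hardened sample, which names a syslog host, binds the single community string and the vty lines to the same management ACL, produces none. Extending the check to more devices is a matter of looping over saved configurations.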
Host based
• Unnecessary Services
• Incorrect file permissions
• Trust relationships
• Log files not reviewed
• No logging
Windows
• Accessible shares to “Everyone”
• No logging
– Disabled by default in Windows NT
• WinNT NTFS not being utilized
• Domain Admin and Local Admin password the same
Windows (Cont.)
• Anonymous user connection
• Ability for any user to submit an “AT” job
• Access to backup SAM file
• Misconfigured domain trust relationship
Windows Recommendations
• Apply latest service packs, where applicable
• Adequate logging
• Set correct file permissions
– shares
– sensitive system files
• backup SAM
Windows Recommendations (Cont.)
• Format WinNT system as NTFS
• Use different passwords for Domain Admin and Local Admin accounts
• Implement registry edits for:
– Anonymous user connection
– AT job submission
• Properly design NT domain Trusts
Unix
• Incorrect file permissions
• Log files not reviewed
• Unnecessary services
– R-services: rsh, rlogin, rexec
– echo, discard, finger, rpc
Unix (Cont.)
• setuid programs
• Misconfigured NFS servers
• Trust relationships
• World readable password file
• Access to X-Windows*
Unix Recommendations
• Implement system auditing tools
– tripwire, logcheck
• Implement host based access control
– tcpwrappers
• Replace R-services with SSH implementation
Unix Recommendations (Cont.)
• Identify and remove setuid programs that are not needed
– $ find / -perm -4000 -print
• Implement proper NFS access controls
– Host and file permissions
Unix Recommendations (Cont.)
• Determine need for trust relationships
• Enforce X-Windows access control
• Implement shadow passwords
– pwconv
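Two host checks that follow the Unix recommendations above: the setuid inventory built on the slide's find command, compared against a baseline of the setuid programs a host is expected to have, and a check of the world-readable password file for hashes that pwconv would move into the shadow file (plus null passwords, which the Passwords slides list). This is an added example, not code from the Cisco deck; the find invocation is the slide's, while the baseline comparison, the passwd check, the function names list_setuid, unexpected_setuid and passwd_file_findings, and the constructed sample tree and passwd file are this example's own.

```sh
#!/bin/sh
# Added example, not from the Cisco deck: two host checks that follow the Unix
# recommendations on these slides. The find command for setuid programs comes from the
# slide; the comparison against a baseline of expected setuid files, the check of the
# world-readable password file for hashes that pwconv would move into the shadow file,
# and the constructed sample tree and passwd file are this example's own.

# list_setuid ROOT -> setuid regular files under ROOT, one per line, sorted
list_setuid() {
    find "$1" -type f -perm -4000 -print | sort
}

# unexpected_setuid ROOT BASELINE -> setuid files (relative to ROOT) absent from
# BASELINE, a file holding one expected setuid path per line
unexpected_setuid() {
    root=$1
    baseline=$2
    list_setuid "$root" | while read -r f; do
        rel=${f#"$root"}
        if ! grep -qxF "$rel" "$baseline"; then
            echo "$rel"
        fi
    done
}

# passwd_file_findings PASSWD -> accounts whose hash still sits in the world-readable
# passwd file (field 2 is neither the "x" left by pwconv nor a locked marker), and
# accounts with a null password (empty field 2)
passwd_file_findings() {
    awk -F: '
        $2 == ""                      { print "null password: " $1; next }
        $2 != "x" && $2 !~ /^[*!]/    { print "unshadowed hash: " $1 }
    ' "$1"
}

# Constructed sample tree: two expected setuid binaries and one stray setuid file
sample_root=$(mktemp -d)
baseline_file=$(mktemp)
sample_passwd=$(mktemp)
trap 'rm -rf "$sample_root" "$baseline_file" "$sample_passwd"' EXIT

mkdir -p "$sample_root/usr/bin" "$sample_root/tmp"
for f in usr/bin/passwd usr/bin/su tmp/stray_binary; do
    : > "$sample_root/$f"
    chmod 4755 "$sample_root/$f"
done
: > "$sample_root/usr/bin/ls"
chmod 755 "$sample_root/usr/bin/ls"
printf '%s\n' /usr/bin/passwd /usr/bin/su > "$baseline_file"

# Constructed sample passwd file: one shadowed account, one locked system account,
# one account with its hash still in passwd, and one with a null password
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oldadmin:XyZabc123DEF45:1001:1001:Old Admin:/home/oldadmin:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
EOF

echo "setuid files not in the baseline:"
unexpected_setuid "$sample_root" "$baseline_file"
echo "password file findings:"
passwd_file_findings "$sample_passwd"
```

On a real host the baseline is the sorted output of list_setuid taken right after installation and review, kept off the host (in the same place as the tripwire database); any later difference is either a deliberate change or something to investigate. The passwd check is the confirmation step for the pwconv recommendation: after conversion every field 2 should be "x" or a locked marker.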
Novell
• Accounts with “Null” password
• Access to management tools
– RCONSOLE
– NWADMIN, SYSCON
Novell (Cont.)
• Access to SYSTEM and ETC file systems
• Weak RCONSOLE passwords
• No logging
Novell Recommendations
• Require passwords
• Restrict access to system files and management tools
• Determine need for RCONSOLE
Novell Recommendations (Cont.)
• Implement encrypted RCONSOLE password mechanism
• Choose “good” RCONSOLE password
• Adequate logging
Common Service Vulnerabilities
• HTTP (Web)
– Apache, Netscape, MS IIS
• SMTP (Mail)
– Sendmail, MS Exchange
• FTP
– wu-ftp, ProFTP, MS FTP
HTTP Vulnerabilities
• Access to cgi-bin, scripts directory
• Sample scripts
• PUT Method
• Buffer overflow
– MS IIS
SMTP Vulnerabilities
• Mail Relay
• SPAM
• Old sendmail versions
– remote “root” exploit
FTP Vulnerabilities
• Anonymous FTP
– Read/Write permissions incorrect
• Misconfigured “root” directory
– Allows access to entire file system
• Ability to perform “bounce” port scan
Recent Vulnerabilities
• Windows
– MS IIS (DoS attack)
– MS Office ODBC
• Linux
– crond, libtermcap, wu-ftpd
Recent Vulnerabilities (Cont.)
• Solaris
– Calendar program (rpc.cmsd)
• HTTP
– CGI script allowed access to HotMail accounts
Questions