Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000)

Transcription

1 Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000) alphapeeler.sf.net/pubkeys/pkey.htm pk.linkedin.com/in/armahmood abdulmahmood-sss alphasecure mahmood_cubix VC++, VB, ASP

2

3 Objectives Unravel the complexity of network equipment. Understand critical network controls. Review specific controls for routers, switches, and firewalls.

4 Additional Switch Controls: Layer 2 1. Verify that administrators avoid using VLAN 1 By default, ports of Cisco switch are members of VLAN1. 2. Evaluate the use of trunk autonegotiation. A trunk on a switch joins two separate VLANs into an aggregate port, allowing traffic access to either VLAN. There are two trunking protocols: 802.1qo(open standard) and ISL(Cisco). If switch is set to autotrunking mode, all the VLANs on the switch become members of the new trunked port. Disabling trunk autonegotiation mitigates the risks associated with a VLAN-hopping attack - someone in one VLAN is able to access resources in another VLAN. Dynamic Trunking Protocol (DTP) might help to determine which trunking protocol the switch should use and how the protocol should operate.

5 Additional Switch Controls: Layer 2 NSA Switch Configuration Guide: Do not use the DTP if possible. Assign trunk interfaces to a native VLAN other than VLAN 1. Switch(config)# interface fastethernet 0/1 Switch(config-if)# switchport mode trunk Switch(config-if)# switchport trunk native vlan 998 Put nontrunking interfaces in permanent nontrunking mode without negotiation. Switch(config)# interface fastethernet 0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport nonegotiate Put trunking interfaces in permanent trunking mode without negotiation. Switch(config)# interface fastethernet 0/1 Switch(config-if)# switchport mode trunk Switch(config-if)# switchport nonegotiate

6 Additional Switch Controls: Layer 2 NSA Switch Configuration Guide: Specifically list all VLANs that are part of the trunk. Switch(config)# interface fastethernet 0/1 Switch(config-if)# switchport trunk allowed vlan 6, 10, 20, 101 Use a unique native VLAN for each trunk on a switch. Switch(config)# interface fastethernet 0/1 Switch(config-if)# switchport trunk native vlan 998 Switch(config)# interface fastethernet 0/2 Switch(config-if)# switchport trunk native vlan 997

7 Additional Switch Controls: Layer 2 3. Verify that Spanning-Tree Protocol attack mitigation is enabled (BPDU Guard, Root Guard). attacker may use the Spanning-Tree Protocol to change the topology of a network. The Spanning-Tree Protocol is designed to prevent network loops from developing. For access ports, look for the following configuration: spanning-tree portfast spanning-tree bpdufilter enable spanning-tree bpduguard enable For downlink ports to other switches, look for the following configuration: spanning-tree guard root 4. Evaluate the use of VLANs on the network. VLANs should be used to break up broadcast domains and, where necessary, to help divide resources with different security levels.

8 Additional Switch Controls: Layer 2 5. Disable all unused ports and put them in an unused VLAN. This setup prevents network intruders from plugging into unused ports and communicating with the rest of the network. 6. Evaluate use of the VLAN Trunking Protocol (VTP) in the environment. VTP is a Layer 2 messaging protocol that distributes VLAN configuration information over trunks. VTP allows the addition, deletion, and renaming of VLANs on a networkwide basis. A network attacker could add or remove VLANs from the VTP domain as well as create Spanning-Tree Protocol loops.

9 Additional Switch Controls: Layer 2 Both situations can lead to disastrous results. A switch with a higher configuration version number in its VTP database has authority over other switches with a lower number. If a lab switch such as this one were placed on the production network, you might accidently reconfigure your entire network. If VTP is necessary, domains should be set up for different areas of the network and passwords should be enabled. Look for these lines in the configuration file: vtp domain domain_name vtp password Some_strong_password 7. Verify that thresholds exist that limit broadcast/multicast traffic on ports. Configuring storm controls helps to mitigate the risk of a network outage in the event of a broadcast storm. Review the configuration file for the presence of storm-control [broadcast multicast unicast] level.

10 Additional Router Controls: Layer 3 1. Verify that inactive interfaces on the router are disabled. LAN WAN interfaces such as Ethernet, Serial, and ATM. Command shutdown is used to disable interfaces. 2. Ensure that the router is configured to save all core dumps. dump is an image of the router s memory at the time of the crash) can be extremely useful to Cisco tech support in diagnosing a crash The core dumps should be located in a protected area that is accessible only to the network administrator.

11 Additional Router Controls: Layer 3 3. Verify that all routing updates are authenticated. The authentication of routing advertisements is available with Routing Information Protocol (RIPv2), OSPF (Open Shortest Path First). RIPv2 authentication is configured on a per-interface basis. Look in the configuration file for something like this: router rip version 2 key chain name_of_keychain key 1 key-string string interface ethernet 0 ip rip authentication key-chain name_of_keychain ip rip authentication mode md5

12 Additional Router Controls: Layer 3 OSPF authentication is configured on a per-area basis with keys additionally specified per interface. Look in the configuration file for something like this: router ospf 1 area 0 authentication message-digest interface ethernet 0 ip ospf message-digest-key 1 md5 authentication_key 4. Verify that IP source routing and IP directed broadcasts are disabled. for disabling IP source routing might look something like this for Cisco routers: no ip source-route You should see the following on each interface in the configuration file for Cisco routers to disable IP directed broadcasts: no ip directed-broadcast

13 Additional Firewall Controls 1. Verify that all packets are denied by default. All packets on a firewall should be denied except for packets coming from and headed to addresses and ports that are all explicitly defined. 3. Evaluate firewall rule sets to provide appropriate protection. Traffic coming from the internal address space should not have external addresses as the source address. Traffic coming from external network should not have your internal network as the source address. firewalls should hide internal DNS information from external networks.

14 Additional Firewall Controls 3. Evaluate firewall rule sets to provide appropriate protection. Failure to manage firewall rules expose you to unnecessary risk from open or inappropriate access. Several thousands, of rules on a single appliance. Rules accumulate and are difficult to remove because: administrators are afraid to break applications. forget why specific rules exist. can t navigate the complexity of hundreds of rules. Products shown in following Table helps avoid mistakes and manage firewall rules in large environments.

15 Tools and Technology