REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Transcription

1 REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli ( ) Chandan Kumar ( ) Aamil Farooq ( )

2 Network Audit Table of Contents Page No. Executive Summary 3 Audit Objective 4 Audit Scope 4 Audit Approach 4 Observations 5 APPENDIX A C-STAR Network Architecture 6 APPENDIX B Details of Findings and Recommendations 10 2

3 1. Executive Summary This document is a report based on the audit of the network security of the local area network of Center of Security Theory and Algorithmic Research (C-STAR) at IIIT, Hyderabad. As a part of the audit questionnaire, different aspects of security of network and hosts ranging from cryptographic security measures in place as well as defense mechanisms against common threats were evaluated. This report explains the important findings in each area, and recommends specific enhancements where appropriate. Because the research center s local area network is not accessible from Internet, we concentrated much of our efforts on the internal threat. We developed a set of specific information security related objectives for this audit. They include: Ensure that hosts are not vulnerable to network based security attacks. Determine the use of unnecessary services by hosts. Determine the use of insecure protocols in the network. Check the strength of passwords being used. During the audit, we identified several findings that impact the security of hosts and network. These findings occurred in the areas of insecure protocols in use, host security and weak passwords in use. Our recommendations will minimize the risk that security problems will occur in future. Overall Score: Moderate Network Security System Security Authentication Security of data in transit Security of host/perimeter Identification/Authorization Weak Moderate Moderate 3

4 2. Audit Objective The objective of this audit was to conduct a threat and risk assessment related to data, network, and operations of the systems, accompanied by recommendations aimed at mitigating discovered risks. This audit included the following activities: Thorough review of the network, application and operating system architectures. Penetration testing of hosts, with subsequent identification of susceptibility to known hacker techniques. Vulnerability assessment of hosts. Review of strength of passwords being used. Identification of significant security practices. Prioritized summary of discovered vulnerabilities. Prioritized recommendations for risk reduction, as appropriate. Review and comparison of the security practices and implementation in the context of security industry best practices where possible. Assistance in mitigating any security risks involved. 3. Audit Scope The audit was conducted in accordance with the BS7799/ISO-7799 Information Security Standard. The scope of this audit was limited to the network security, host security, and authentication measures in use in Center of Security Theory and Algorithmic Research (C-STAR). The audit was conducted during the period of March 29 to April 5, The audit of the Intranet hosts included a review of the operating system and running services. This review was performed to determine if any vulnerability existed that could allow an intruder unauthorized access, and included penetration testing. The controls we reviewed included password standards and the use of encryption to transmit data over the local area network. 4. Audit Approach Below we provide the approach for performing the security audit. Our evaluation focused on three different aspects: Network Security Audit: The Network audit was used to determine security weaknesses on a network segment of the research center. The network audit mixes the host audit and network segment audit. The entire network segment was checked 4

5 for hosts that were operating. Each individual host and workstation found was then probed to determine the services operating. Each individual host and workstation found operating a service of any type was then checked against a list of known vulnerable services corresponding to the services found on that specific host. Audit logs were generated reflecting the information obtained, i.e. the entire network segment mapped, identified host and workstations operating, identified services operating on all host and workstations, known vulnerabilities of services operating on hosts identified and the level of threat to each individual host. Host Security Audit: The Host audit was used to determine the security weakness of an individual host. The host was checked for access and what services were operating. Once a complete list of services operating had been obtained, the services were checked for known vulnerabilities against a database of vulnerabilities. Once the host services have been checked, logs were generated, documenting the name of the host audited, the time / date of the audit, services found operating on the host, all known vulnerabilities of each individual service, as well as the level of risk and threat of each vulnerability. Authentication: Here, the purpose was to check the authentication mechanisms being used, specifically the passwords, and their strength. Eavesdropping was carried out to collect data being sent across the network. The data was then parsed and filtered to extract passwords and other credentials. 5. Observations During the audit, we identified several findings that impact the security of the hosts as well as privacy of the users in the research center. These findings occurred in the following areas: Insecure protocols in use Host security Weak passwords in use We recommend that the problems we identified be corrected to strengthen the security of the research center s local area network. Our recommendations will correct present problems and minimize the risk that security problems will occur in future. Appendix B, Details of Findings and Recommendations, lists the observations and recommendations. Because of the sensitivity of the observations, we have classified Appendix B as privileged and confidential. 5

6 APPENDIX A Network Architecture of CSTAR The first step to audit was to gather information about the network architecture of the research center, and about the hosts. For this purpose, an initial footprinting was carried out so as to gain information about the topology of the network. The following figure shows the topology of the network. The next step to audit was to conduct an initial review of the hosts in the research center, to gain information about hosts, their operating systems, and the services that were running. For this purpose, we carried out operating system and application fingerprinting of the hosts in the research center. The following table shows the operating systems and services running on machines in the research center. 6

7 IP Address Operating System Services Linux Kernel 2.6.x, Windows XP SP2 NetBIOS Name service (137/udp), Microsoft Datagram Service (445/tcp), Microsoft Terminal Services (3389/tcp) Windows XP SP2 Microsoft Terminal Services (3389/tcp) Windows XP SP2 Microsoft Windows RPC (135/tcp), NetBIOS Name service (137/udp), Microsoft Datagram Service (445/tcp), Microsoft Terminal Services (3389/tcp) Linux Kernel 2.6.x OpenSSH 4.0 (protocol 2.0) (22/tcp), MySQL (3306/tcp) Windows XP SP2 Microsoft Windows RPC (135/tcp), NetBIOS Name service (137/udp), Microsoft Datagram Service (445/tcp), Microsoft Terminal Services (3389/tcp) Linux Kernel 2.6.x vsftpd (21/tcp), OpenSSH 3.9p1 (protocol 1.99), Linux telnetd (23/tcp), Kerberised RSH (544/tcp), MySQL (3306/tcp) Linux Kernel 2.4.x OpenSSH 3.5p1 (protocol 1.99) (22/tcp) Linux Kernel 2.4.x OpenSSH 4.3 (protocol 2.0) (22/tcp) Windows XP SP2 NetBIOS Name service (137/udp), Microsoft Datagram Service (445/tcp), Microsoft Terminal Services (3389/tcp) Linux Kernel 2.4.x, Windows XP SP Linux Kernel 2.6.x, Windows XP SP2 Microsoft Terminal Services (3389/tcp) NetBIOS Name service (137/udp), Microsoft Datagram Service (445/tcp), Microsoft Terminal Services (3389/tcp) Linux Kernel 2.6.x vsftpd (21/tcp), OpenSSH 4.2.p1 Debian7-ubuntu3 (protocol 7

8 2.0) (22/tcp), Samba smb 3.x (139,445/tcp) Linux Kernel 2.6.x OpenSSH 4.0 (protocol 2.0) (22/tcp), Sendmail (25/tcp) Windows XP SP2 NetBIOS Name service (137/udp), Microsoft Datagram Service (445/tcp), Microsoft Terminal Services (3389/tcp) Windows XP SP2 NetBIOS Name service (137/udp), Microsoft Datagram Service (445/tcp), Microsoft Terminal Services (3389/tcp) Windows XP SP2 NetBIOS Name service (137/udp), Microsoft Datagram Service (445/tcp), Microsoft Terminal Services (3389/tcp) NetBIOS Name Service (137/udp) Windows XP SP2 NetBIOS Name service (137/udp), Microsoft Datagram Service (445/tcp) Windows XP SP Windows XP SP2 NetBIOS Name service (137/udp), Microsoft Datagram Service (445/tcp) HP JetDirect ROM x.x.x EEPROM x.x.x HP JetDirect ftpd (21/tcp), HP JetDirect printer telnetd (23/tcp), HTTP (80/tcp), SNMP (161/udp), HTTPS (443/tcp), JetDirect (9100/tcp) During the audit, we discovered that Microsoft File Sharing services were among the most heavily used service in the network. Among other heavily used services in the network were Microsoft Terminal Services (Remote Desktop Services) and Secure Shell (SSH). The figure below shows the most present services discovered in the network during the audit. 8

9 We also discovered several services which were deployed but not being used. The most widely deployed service among such services was sunrpc running on several hosts running some flavor of Linux operating system. We also discovered insecure services such as FTP, Telnet and SMTP, which accept credentials in plaintext form. 9

10 Appendix - B Details of Findings and Recommendations 1. Network Security Network Security mechanisms are used to protect data in transit. This is the most insidious problem facing connected machines today because the standard Internet protocols, most visibly TCP/IP, were not designed with an emphasis on efficiency and reliability and not security. Data sent across a network - whether a private network or a public one such as the Internet - is vulnerable to "packet sniffing". In other words, data that moves to and from connected machines can be eavesdropped without such activity being detected, and further, it is also susceptible to unauthorized tampering and misrepresentation ("spoofing") unless network security is in place. Most commonly, network security is achieved by the use of cryptographic protocols at one or more layers of the network stack, depending on the requirements of the application that handles sensitive data. Not only does data passing through the system need to be secured, management and control data to/from the system also needs to be secured to prevent unauthorized remote management and to enforce access control Audit Results The current state of Network Security in the local area network of Center of Security Theory and Algorithmic Research was deemed Weak based on the following findings: Several hosts on the network use insecure protocols such as POP and IMAP. o POP and IMAP sessions can easily be modified by any intermediate router between the client and server, which is a threat for privacy and security. o POP and IMAP use plaintext passwords for authentication, which can be eavesdropped and used for potential future exploits. Several users on the network use web interface to check their mail on Students and Research servers which use SquirrelMail. 10

11 o Sessions of SquirrelMail can easily be modified by any intermediate routers between the client and server, which is a threat for privacy and security. o SquirrelMail accepts passwords in plaintext, which can be eavesdropped and used for future exploits. Few users use HTTP Basic Authentication to access certain websites, which is a very weak form of encoding (Base64), and is susceptible to eavesdropping. During the auditing period of seven days, we were able to capture 116 passwords, that were being transmitted using insecure protocols such as POP, IMAP, HTTP (Web-based ), and HTTP Basic Authentication. Following are the details of captured passwords: Protocol Passwords Captured POP 8 IMAP 77 HTTP 29 HTTP Basic Auth. 2 Total Passwords 116 Unique Passwords 13 Captured Plaintext Passwords HTTP 25% HTTP Basic Authentication 2% POP 7% IMAP 66% 1.2. Recommendations The current state of network security can be hardened using the following practices: Using Kerberos enabled servers. 11

12 Using IMAP/SSL and POP/SSL instead of IMAP and POP to retrieve mail. Using SSH to read . Configure web-mail to use SSL. 2. System Security System Security mechanisms are used to protect the system itself or the perimeter of a network from external intrusions. Uncontrolled external connections to a system could result in a variety of attacks including packet floods, invalid data that uses up valuable bandwidth or processing power on the device, or Denial of Service (DoS) attacks where illegitimate users could prevent valid users from using the device's services or from managing the device. Basic system security usually takes the form of a simple "packet-filtering" firewall that enables the system to only allow or deny packets to/from specific peers based on a variety of criteria such as source/destination IP addresses, protocol type, ingress/egress network interface and other packet data fields. More evolved "stateful inspection" firewalls look beyond a single packet for their decision making and instead maintain packet stream state enabling protection against floods or corrupt data emanating from valid network nodes. Sophisticated intrusion protection and detection systems bolster this capability with fast pattern matching, bandwidth control to allow management even in the face of attacks and automatic protection measures against Denial of Service attacks Audit Results The current state of System Security in the local area network of Center of Security Theory and Algorithmic Research was deemed Moderate based on the following findings: Nine (9) hosts were discovered running Microsoft Terminal Services (Remote Desktop Services), which is vulnerable to Man-in-the-middle attack. One (1) host was discovered running SNMP service with default community string, which can be used by an attacker to gain more information about the host or to change the configuration remotely. 12

13 One (1) host was discovered running HTTP server having vulnerability which can be used to read arbitrary files on the web server. Four (4) hosts were discovered running services that use plaintext passwords for authentication. Two (2) hosts were discovered running SSH protocol 1.0, which is vulnerable to Man-in-the-middle attack. Several hosts were discovered running unnecessary services. We classified the vulnerabilities as follows: High Risk: Vulnerabilities that can be easily exploited, and could lead to compromise, and/or pose a high risk to the stability of the campus network. Moderate Risk: Vulnerabilities whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or the integrity or availability of processing/network devices. Low Risk: Vulnerabilities that are very difficult to exploit or, if exploited, impact would be minimal. Below is the summary of vulnerabilities found during the audit. Vulnerabilities Count Low Risk 21 Moderate Risk 12 High Risk 2 Vulnerabilities 6% 34% 60% Low Risk Moderate Risk High Risk During the audit, we were able to discover one (1) host with two (2) high risk vulnerabilities, and eleven hosts with one or more moderate risk vulnerabilities. Below is the summary of vulnerabilities discovered on each host during the audit. 13

14 Specifically, we discovered that HP LaserJet Printer ( ) installed in the research center was vulnerable to two high risk vulnerabilities. Also, several hosts were discovered running services that were not being used. Below is the summary of unnecessary services discovered during the audit. 14

15 2.2. Recommendations We recommend the following practices to improve the state of system security of hosts: Minimize use of Microsoft Terminal Services. Patching or upgrading vulnerable services. Using SSH protocol 2.0 instead of protocol 1.0. Using SSH and SFTP/SCP instead of Telnet/RSH and FTP/RCP. Shutting down services which are not being used. 3. Authentication Authentication is any process by which you verify that someone is who they claim they are. This usually involves a username and a password, but can include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints. Authorization is finding out if the person, once identified, is permitted to have the resource. Since they are the least expensive to implement, most systems rely on passwords to authenticate users. As well, passwords are often used in addition to physical or cryptographic proofs of identity to further strengthen security Audit Results The current state of System Security in the local area network of Center of Security Theory and Algorithmic Research was deemed Moderate based on the following findings: 31% of the passwords in use were found to be weak, in the sense that either they were short or were easily guessable. Services were discovered that accept credentials in plaintext form, and are therefore susceptible to eavesdropping. Below is the summary of strength of passwords in use in the network: Password Strength Count Weak 4 Moderate 5 Strong 4 15

16 Password Strength Strong 31% Weak 31% Moderate 38% 3.2. Recommendations We recommend the following practices to harden the strength of passwords being used: Use of special characters and numeral along with alphabets to construct passwords. Use of passwords which are eight characters or longer. Not using easily guessable information such as first or last name, date of birth, etc. in passwords. Using services that accept credentials in secure form. 16