Network Security Auditing
www.pwc.com
Agenda
- Objectives
- Concepts
- Definitions
- Key Review Areas
- Architecture
- Assessment Types
- Nipper Overview
- Firewall Configuration Review Case Study
- AlgoSec Overview
- Firewall Ruleset/Access Review Case Study
Objectives
- Explain key concepts and definitions pertaining to network security, device configuration reviews, and rule-set/access reviews.
- Provide a high-level overview of network security practice offerings.
- Explain the technical and procedural processes for using the Nipper tool.
- Explain the technical and procedural processes for using the AlgoSec tool.
- Discuss real-world case studies to provide practical knowledge.
Key Concepts
Network Redundancy/Resiliency
- Resiliency is not needed at every layer, but should exist at critical points in the network, such as the internet presence.
- Resiliency can be achieved through redundant hardware, fault-tolerant systems, virtualized platforms, etc.
DMZ
- We stole this term from the military just as we stole quarantining from the CDC. DMZs quarantine high-risk zones from all other networks.
- Segmentation provides an extra layer of security by isolating critical systems and applications.
- Segmentation is often implemented through firewalls, access controls and logical networks to restrict the flow of communication in and out of the zone.
Two types of DMZs: External and Internal
- External DMZ: Its purpose is not to protect the external services in the DMZ; it is to protect the internal network from them.
- Internal DMZ: Protects critical applications and systems in the DMZ from everything else.
Definitions
Hardware/Device Types:
- Routers: A device that routes network traffic between different networks.
- Firewalls: Inspects network traffic entering or leaving a network and accepts or rejects it based on defined access-control lists (firewall rules).
- Switches: Multi-port network bridge that processes and forwards data at the data link layer (layer 2) of the OSI model.
- IDS: Device which performs an analysis of passing traffic on the entire subnet. Works in promiscuous mode, and matches the traffic seen on the subnets against a library of known attacks.
- IPS: Intrusion prevention is a preemptive approach to network security used to identify potential threats and respond to them swiftly.
- Web Proxy / Gateway: Devices used for monitoring and restricting unapproved inbound and outbound internet traffic.
- Network Access Control (NAC): Networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network.
Definitions
Routing:
- OSPF: "Open Shortest Path First." OSPF is a method of finding the shortest path from one router to another in a local area network (LAN). As long as a network is IP-based, the OSPF algorithm will calculate the most efficient way for data to be transmitted.
- BGP: Border Gateway Protocol, an exterior gateway routing protocol that enables groups of routers (called autonomous systems) to share routing information so that efficient, loop-free routes can be established.
- MPLS: Multiprotocol Label Switching is a mechanism primarily utilized in WAN architectures that directs data from one network node to the next based on short path labels rather than long network addresses.
Definitions
Authentication and Access Control:
- ACL: An Access Control List specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.
- RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
- TACACS: TACACS is an access control network protocol for routers, network access servers and other networked computing devices that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system.
Internal Network Assessment
An assessment of architecture, security, and resiliency within the internal local area network at the Layer 3 level.
(Diagram components: Routers, Switches, Internal Firewalls, Local Area Network, Internal Network)
Key Review Areas
- Governance, Policies, Procedures
- Topology & Placement of Devices
- Review of Internal Firewall Ruleset/Access (AlgoSec)
- Review of Internal Device Configurations (Nipper)
- Network Segmentation
- Inventory & Asset Classification
- Wireless Topology/Configuration Review (Nipper) (Cisco WAP Review Tool)
- Third Party Connectivity
Global Communications
An assessment of architecture, security, and resiliency of the network connecting multiple country offices located around the world.
(Diagram components: Firewall, CE/PE Router, WAN Accelerator, Global Comm. WAN, Local Area Network over Wide Area Network)
Key Review Areas
- Governance, Policies, Procedures
- Topology & Placement of Devices
- Review of MPLS Topology, Infrastructure, & Encryption
- Review of Country Office Firewalls & IPSEC Tunnels
- Review of Country Office Internet Connectivity
- Review of Router Configurations (Nipper)
- Review of WAN Optimization Device Configurations (Nipper)
- Review of Firewall & VPN Configuration (Nipper)
Perimeter Security
An assessment of architecture, security, and resiliency of the network at the outermost logical layer, the separation between external and internal.
(Diagram components: Externally Facing Firewall, IDS/IPS, ISP Connectivity, Global Comm. Wide Area Network)
Key Review Areas
- Governance, Policies, Procedures
- Topology & Placement of Devices
- Configuration Review of Firewalls and Routers
- Review of Resiliency and DR Capabilities
- Network Intrusion Identification & Response
- Logging & Monitoring of Firewalls, IDS, and Web-Proxy Devices
Governance Review
Objective: To ensure processes have been established to govern the management of network security.
Policy, Procedures, & Standards Review
Objective: Policies, procedures, and standards are appropriately established to govern all devices, systems, applications, and users contributing to network security.
Areas covered:
- Device Hardening
- Logging & Monitoring
- Information Security
- Availability
- Security Monitoring
- Access Control
- BCP & DR
- Budget & Cost Share
- Resiliency & High Availability
- Third Party Governance
- Steering
Network Security Architecture
Architecture - Ingress and Egress Filtering
(Diagram zones: Internet (untrusted), Semi-Trusted, Internal Network)
Network Security Architecture
Architecture - Segmentation
(Diagram zones: Internet (untrusted), Web Tier, Application Tier, Database Tier, Internal DMZ, Internal Network)
Key Technical Review Areas
Application Layer
Definition: This layer supports application and end-user processes.
Areas & Services (port numbers):
- FTP (21)
- SSH (22)
- Telnet (23)
- Mail (25)
- TFTP (69)
- Finger (79)
- Kerberos (88)
- Microsoft (135-139, 445)
- POP3 (110)
- SUNRPC (111)
- CheckPoint (264)
- LDAP (389)
- Syslog (514)
- DB2 (523)
- IMAP (993)
- Lotus Notes (1352)
- MSSQL (1433-1434)
- Oracle (1521, 66)
- MS-RDP (3389)
- pcAnywhere (5631)
- VNC (5800, 5900)
- X Windows (6000, 6001)
- IRC (6666-6667)
Key Review Areas
Network Layer
Definition: This layer provides switching and routing technologies, creating logical paths for transmitting data from node to node. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control and packet sequencing.
Areas & Services: IPv4; ICMP; IPsec; ARP; Route Authentication; Subnet Traffic Control; Logical/Physical Addressing; External Routing Protocols; Internal Routing Protocols
Key Review Areas
Data Link Layer
Definition: The Data Link layer is concerned with moving data across the physical links in the network.
Areas & Services: ATM; Frame Relay; MPLS; VPN; Spoofing; MAC Attacks; DHCP Attacks; VLAN Hopping
Key Review Areas - VLAN Hopping
Key Review Areas - VLAN Hopping Defense
Configure the switch's edge ports to accept only untagged packets.
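As an added example (not from the deck or from Titania's Nipper), the check below reads a constructed IOS-style switch configuration and flags edge ports that are not statically locked to access mode with trunk negotiation disabled, which is what accepting only untagged frames amounts to on a Cisco switch; it also flags a trunk whose native VLAN is shared with user ports, a related check that goes beyond the slide's one-line advice. The interface names, config text and command forms are assumptions for illustration.

```python
"""Switch configuration check for the VLAN hopping defence above.
Constructed example, not Nipper output: the IOS-style config text is invented; the check
encodes the slide's advice (edge ports statically in access mode, DTP off) plus a native-VLAN check."""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport access vlan 20
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 20
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces

def review_vlan_hopping(config):
    """Return (interface, finding) tuples for ports that may accept or negotiate tagged traffic."""
    findings, access_vlans, natives = [], set(), []
    for name, lines in parse_interfaces(config).items():
        joined = "\n".join(lines)
        if "switchport mode trunk" in lines:
            natives += [(name, int(v)) for v in re.findall(r"switchport trunk native vlan (\d+)", joined)]
            continue
        # Without a static access mode and 'nonegotiate', the port may still negotiate a trunk via DTP.
        if "switchport mode access" not in lines:
            findings.append((name, "edge port not forced to access mode; DTP could negotiate a trunk"))
        if "switchport nonegotiate" not in lines:
            findings.append((name, "trunk negotiation (DTP) not disabled on edge port"))
        access_vlans.update(int(v) for v in re.findall(r"switchport access vlan (\d+)", joined))
    for name, vlan in natives:  # a native VLAN shared with user ports weakens tag isolation
        if vlan in access_vlans:
            findings.append((name, f"trunk native VLAN {vlan} is also a user access VLAN"))
    return findings
```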
Key Review Areas - Firewall Concepts
Ideal Firewall Rule (ACL) fields: Rule; Permit/Deny; Source; Destination; Service/Port; Remark (Purpose, Administrator, Date Modified/Reviewed)
Stateful Firewall - A dynamic or "stateful" packet inspection firewall maintains a table of active TCP sessions and UDP "pseudo" sessions. Each entry records the session's source and destination IP address and port numbers, and the current TCP sequence number.
Key Review Areas - Firewall Ruleset
What to look for:
- Weak filtering of source
- Weak filtering of destination
- Unnecessary or excessive services/ports
- Inadequate logging of rules
- Duplicate/deprecated/shadowed rules
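As an added example (not from the deck, AlgoSec or Nipper), the script below encodes the five checks above against a constructed ruleset in a simple first-match-wins format: "any" sources or destinations, all-ports or cleartext services, rules that do not log, and rules fully shadowed by an earlier rule. The rule format, addresses and risky-port list are assumptions for illustration.

```python
"""Firewall ruleset review checks for the 'what to look for' list above.
Constructed example, not AlgoSec or Nipper output: the rules are invented and the
format (one dict per rule, first match wins, Cisco ACL-like semantics) is assumed."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Cleartext or high-exposure services taken from the deck's application-layer port list.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP", 79: "Finger", 3389: "MS-RDP", 5900: "VNC"}

RULES = [  # constructed sample ruleset, evaluated top-down
    {"id": 1, "action": "permit", "src": "10.0.0.0/8", "dst": "192.168.10.5/32", "ports": {443}, "log": True},
    {"id": 2, "action": "permit", "src": "any", "dst": "192.168.10.0/24", "ports": {23, 443}, "log": False},
    {"id": 3, "action": "permit", "src": "10.1.0.0/16", "dst": "192.168.10.7/32", "ports": {443}, "log": True},
    {"id": 4, "action": "deny", "src": "any", "dst": "any", "ports": "any", "log": True},
]

def net(value):
    """Translate 'any' or a CIDR string into an ip_network for containment tests."""
    return ANY if value == "any" else ipaddress.ip_network(value)

def covers(earlier, later):
    """True when every packet `later` would match is already matched by `earlier` (shadowing)."""
    ports_ok = earlier["ports"] == "any" or (later["ports"] != "any" and later["ports"] <= earlier["ports"])
    return (ports_ok and net(later["src"]).subnet_of(net(earlier["src"]))
            and net(later["dst"]).subnet_of(net(earlier["dst"])))

def review_ruleset(rules):
    """Return (rule id, finding) tuples for the weaknesses listed on the slide."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] == "permit":
            if rule["src"] == "any":
                findings.append((rule["id"], "weak source filtering: permits any source"))
            if rule["dst"] == "any":
                findings.append((rule["id"], "weak destination filtering: permits any destination"))
            if rule["ports"] == "any":
                findings.append((rule["id"], "excessive services: permits every port"))
            else:
                for port in sorted(p for p in rule["ports"] if p in RISKY_PORTS):
                    findings.append((rule["id"], f"unnecessary/risky service: {RISKY_PORTS[port]} ({port})"))
        if not rule["log"]:
            findings.append((rule["id"], "inadequate logging: matches are not logged"))
        for earlier in rules[:i]:  # a rule fully covered by an earlier one can never match
            if covers(earlier, rule):
                findings.append((rule["id"], f"shadowed by rule {earlier['id']}"))
                break
    return findings

if __name__ == "__main__":
    for rule_id, finding in review_ruleset(RULES):
        print(f"rule {rule_id}: {finding}")
```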
Key Technical Review Areas - AAA
- Authentication: Method for identifying users (logon, password)
- Authorization: Method for remote access control (RADIUS or TACACS+)
- Accounting: Method for collecting and sending security server information for auditing and reporting
(Diagram: routing protocols whose authentication is reviewed: EIGRP, BGP, OSPF, RIPv2)
Key Review Areas - Logging and Monitoring
- What level of logging is enabled on the networking device?
- Is network latency and other network monitoring also enabled?
- Logging should be enabled on network devices. They should log successful and failed logins to the network.
- Logs must be audited for them to be useful. Periodic auditing can help find suspicious activity before a full-fledged attack takes place.
- Devices should send alerts when suspicious activity is noticed, and admins should respond in a timely manner.
Key Review Areas - VPN Solutions
VPN Services
- Provides a mechanism for staff to connect to the local area network from the Internet
- Can also be used to uplink vendors to key positions on the network
- Analysis includes: verifying proper access control is being performed; strong methods of authentication are in place
- Some workprograms exist, but it depends on which solution is selected
- Two primary competing technology platforms (SSL vs. IPSec)
Key Review Areas - VPN Overview
Nipper
Nipper Overview
How does Titania describe themselves? Security Audit Software - a tool that analyzes network devices' native configurations and produces audit-style reports.
How can PwC benefit from Nipper Studio? As a tool to standardize the configuration review of multiple devices and platforms, allowing us to deliver consistent and credible analysis to the client.
How does PwC utilize the capabilities and features of Nipper Studio? Network Device Configuration Review: Firewall Configuration Review; Router/Switch/WAP Configuration Review.
Where is the value?
Consistent Process:
- Allows PwC to maintain a similar approach for each client engagement
- Efficiently streamlines workload: the tool is designed to analyze the configuration files for network devices so that we can spend more time analyzing the results
Identification of Issues:
- Allows us to fully understand the types of issues the organization is facing (i.e. patch management, access control, authentication, etc.)
- Provides us the platform to deliver our value: any organization can purchase Nipper and run the tool; they hire PwC for our ability to determine the root causes or potential issues based upon our analysis of the findings
Prior Audits and Workprograms
Workprogram detailing the controls, findings, and recommendations for issues discovered through the scan.
Prior Audits and Workprograms
Issues & Action Plan based upon the issues discovered through analysis of the Nipper report.
Nipper Tool
The home screen of Nipper Studio: New Report; Settings; Licenses; Tutorials; Help; Supported Devices
Key Takeaway: Very simple user interface with a minimal amount of overhead
Nipper Tool
Ways to add a configuration file: Add File / Add Directory / Add Network
Nipper Tool
What kind of reports is Nipper able to produce?
- Security Audit
- Vulnerability Audit
- STIG Compliance
- SANS Policy Compliance
- PCI Compliance Audit
- Filtering Complexity
- Configuration Report
- Raw Configuration Appendix
Nipper Tool
Report for Router/Switch Config
What is the foundation for a Nipper report? Issue; Finding; Impact; Ease; Recommendation
Ratings:
- Impact: Critical/High/Medium/Low/Info
- Ease: Trivial/Easy/Moderate/Challenge/N/A
- Fix: Involved/Planned/Quick
DEMO!
What does this all mean for us?
- Nipper is an easy-to-use tool. However, this powerful tool allows us to build upon our service offerings and offer the client quality analysis and deliverables.
- Increases our understanding of the client environment, which can lead to additional client opportunities (i.e. developing a patch management program).
- Increases your ability to understand and comprehend the issues that organizations face in safeguarding their networks and processes.
- Finally, this is just one of the ways we are able to sell our brand and maintain/create new relationships with clients!
AlgoSec
June 2014
What is AlgoSec Firewall Analyzer?
- Analyzes firewall configurations and produces risk reports
- Maps out network topology
- Cross references results with compliance and risk issues
- Can monitor groups of firewalls in real time
- Server based
Value added features - General benefits
- Consistency: can easily leverage the same process across multiple engagements
- Efficiency: using AlgoSec to analyze the configurations and relationships between the rules can bring issues to the analyst's attention quicker
- Increased visibility: it can provide us with insight into the client's network topology to leverage on other engagements
Value added features - Deep risk analysis
- Maps network topology: AlgoSec builds an interactive map of the different networking devices
- Risk Based Analysis: identifies and ranks threats based on industry leading practices
- Prioritization: findings are categorized according to risk when presenting them to the analyst
- Remediation: output contains proposed solutions and vendor-specific configuration changes
Value added features - network topology example (screenshot)
Value added features - compliance reporting
(Diagram: AlgoSec Compliance Reports cover PCI-DSS, SOX, ISO 27000/1, J-SOX, BASEL-II and Internal Standards)
Value added features - compliance reporting example (screenshot)
Value added features - Aware of tiering/hierarchy
- Analyzes group hierarchy: accounts for the relationship between firewalls and their relative positions on the network when determining the risk of a finding
- Firewall zoning: the user can define zones and trust relationships
Value added features - metrics/dashboard
Dashboard tracks changes, connections, rules, etc.
How does PwC use it?
- Network Assessments Engagements
- Firewall Review
- Vulnerability Assessments
How does PwC use it?
Prior Workprograms: spreadsheet detailing configuration findings
How do clients use it?
Client Value:
- Operations testing and deployment
- Alert and monitoring
- Internal testing
AlgoSec Firewall Analyzer Demo!
Questions, Comments, Concerns, and Applause
The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to, warranties of merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser.
2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.