REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB


Conducted: 29th March to 5th April 2007
Prepared by: Pankaj Kohli (200607011), Chandan Kumar (200607003), Aamil Farooq (200505001)

Network Audit

Table of Contents
  1. Executive Summary
  2. Audit Objective
  3. Audit Scope
  4. Audit Approach
  5. Observations
  Appendix A: C-STAR Network Architecture
  Appendix B: Details of Findings and Recommendations

1. Executive Summary

This document is a report based on the audit of the network security of the local area network of the Center of Security Theory and Algorithmic Research (C-STAR) at IIIT, Hyderabad. As part of the audit questionnaire, different aspects of network and host security were evaluated, ranging from the cryptographic security measures in place to the defense mechanisms against common threats. This report explains the important findings in each area and recommends specific enhancements where appropriate. Because the research center's local area network is not accessible from the Internet, we concentrated much of our effort on the internal threat.

We developed a set of specific information security objectives for this audit. They include:
  - Ensure that hosts are not vulnerable to network-based security attacks.
  - Determine the use of unnecessary services by hosts.
  - Determine the use of insecure protocols in the network.
  - Check the strength of the passwords being used.

During the audit, we identified several findings that impact the security of hosts and the network. These findings occurred in the areas of insecure protocols in use, host security, and weak passwords in use. Our recommendations will minimize the risk that security problems will occur in future.

Overall Score: Moderate

  Area                  Covers                          Rating
  Network Security      Security of data in transit     Weak
  System Security       Security of host/perimeter      Moderate
  Authentication        Identification/Authorization    Moderate

2. Audit Objective

The objective of this audit was to conduct a threat and risk assessment related to the data, network, and operations of the systems, accompanied by recommendations aimed at mitigating the discovered risks. This audit included the following activities:
  - Thorough review of the network, application and operating system architectures.
  - Penetration testing of hosts, with subsequent identification of susceptibility to known hacker techniques.
  - Vulnerability assessment of hosts.
  - Review of the strength of the passwords being used.
  - Identification of significant security practices.
  - Prioritized summary of discovered vulnerabilities.
  - Prioritized recommendations for risk reduction, as appropriate.
  - Review and comparison of the security practices and implementation against security industry best practices where possible.
  - Assistance in mitigating any security risks involved.

3. Audit Scope

The audit was conducted in accordance with the BS 7799 / ISO/IEC 17799 Information Security Standard. The scope of this audit was limited to the network security, host security, and authentication measures in use in the Center of Security Theory and Algorithmic Research (C-STAR). The audit was conducted during the period of March 29 to April 5, 2007.

The audit of the intranet hosts included a review of the operating system and running services. This review was performed to determine whether any vulnerability existed that could allow an intruder unauthorized access, and included penetration testing. The controls we reviewed included password standards and the use of encryption to transmit data over the local area network.

4. Audit Approach

Below we describe the approach taken for the security audit. Our evaluation focused on three different aspects:

Network Security Audit: The network audit was used to determine security weaknesses on a network segment of the research center. It combines a host audit with a network segment audit. The entire network segment was checked for hosts that were operating. Each host and workstation found was then probed to determine the services running on it, and each service found was checked against a list of known vulnerabilities for that service. Audit logs were generated reflecting the information obtained: the entire network segment mapped, the hosts and workstations identified as operating, the services running on each of them, the known vulnerabilities of those services, and the level of threat to each individual host.

Host Security Audit: The host audit was used to determine the security weaknesses of an individual host. The host was checked for access and for the services it was running. Once a complete list of running services had been obtained, the services were checked for known vulnerabilities against a vulnerability database. Logs were then generated documenting the name of the host audited, the date and time of the audit, the services found running on the host, all known vulnerabilities of each service, and the level of risk and threat of each vulnerability.

Authentication: Here the purpose was to check the authentication mechanisms in use, specifically passwords and their strength. Eavesdropping was carried out to collect data being sent across the network; the captured data was then parsed and filtered to extract passwords and other credentials.

5. Observations

During the audit, we identified several findings that impact the security of the hosts as well as the privacy of the users in the research center. These findings occurred in the following areas:
  - Insecure protocols in use
  - Host security
  - Weak passwords in use

We recommend that the problems we identified be corrected to strengthen the security of the research center's local area network. Our recommendations will correct the present problems and minimize the risk that security problems will occur in future. Appendix B, Details of Findings and Recommendations, lists the observations and recommendations. Because of the sensitivity of the observations, we have classified Appendix B as privileged and confidential.
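The "parsed and filtered to extract passwords" step of the authentication audit, and the Appendix B point that HTTP Basic Authentication only Base64-encodes the credentials, can be shown concretely. The following is an added example written for this page, not the auditors' own tooling: it takes reassembled client-to-server payload lines (a constructed sample, with invented usernames and passwords, prefixed with the destination port) and pulls out POP USER/PASS pairs, IMAP LOGIN commands, HTTP Basic Authorization headers and SquirrelMail login form posts (the field names login_username and secretkey are assumed), then produces the per-protocol tally the report tabulates.

```python
import base64
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample: client->server TCP payload lines as a sniffer would
# reassemble them, prefixed with the destination port. The usernames and
# passwords are invented for this example, not the audit's captures.
SAMPLE_CAPTURE = """\
110 USER alice
110 PASS winter07
143 a001 LOGIN bob "s3cret!"
143 a002 LOGIN carol pass123
110 USER alice
110 PASS winter07
80 GET /private/ HTTP/1.1
80 Authorization: Basic ZGF2ZTpodW50ZXIy
80 POST /src/redirect.php HTTP/1.1
80 login_username=erin&secretkey=letmein&js_autodetect_results=1
"""

POP_USER = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
POP_PASS = re.compile(r"^PASS\s+(\S+)", re.IGNORECASE)
# IMAP: <tag> LOGIN <user> <password>, the password optionally quoted
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+(\S+)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
BASIC_AUTH = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.IGNORECASE)
# SquirrelMail login form (assumed field names) posted over plain HTTP
WEBMAIL_FORM = re.compile(r"login_username=([^&]+)&secretkey=([^&]+)")


def decode_basic(token):
    """Base64 is an encoding, not encryption: 'user:pass' comes straight back."""
    user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    return user, password


def extract_credentials(capture):
    """Return a list of (protocol, username, password) tuples found in the capture."""
    records = []
    pop_user = None  # POP sends USER and PASS as two separate commands
    for raw in capture.splitlines():
        if not raw.strip():
            continue
        port_str, _, payload = raw.partition(" ")
        port = int(port_str)
        if port == 110:
            if m := POP_USER.match(payload):
                pop_user = m.group(1)
            elif (m := POP_PASS.match(payload)) and pop_user:
                records.append(("POP", pop_user, m.group(1)))
                pop_user = None
        elif port == 143:
            if m := IMAP_LOGIN.match(payload):
                records.append(("IMAP", m.group(1), m.group(2) or m.group(3)))
        elif port == 80:
            if m := BASIC_AUTH.match(payload):
                user, password = decode_basic(m.group(1))
                records.append(("HTTP Basic Auth", user, password))
            elif m := WEBMAIL_FORM.search(payload):
                records.append(("HTTP", unquote_plus(m.group(1)), unquote_plus(m.group(2))))
    return records


def summarize(records):
    """Per-protocol counts, share of the total and the number of unique
    passwords: the same breakdown the report tabulates in Appendix B."""
    counts = Counter(proto for proto, _, _ in records)
    total = len(records)
    share = {p: round(100.0 * n / total, 1) for p, n in counts.items()} if total else {}
    unique = len({pw for _, _, pw in records})
    return {"counts": dict(counts), "share": share, "total": total, "unique": unique}


if __name__ == "__main__":
    recs = extract_credentials(SAMPLE_CAPTURE)
    for proto, user, pw in recs:
        print(f"{proto:16s} {user}:{pw}")
    print(summarize(recs))
```

The repeated POP login for the same account counts twice in the total but once among the unique passwords, which is why the report's 116 captured passwords reduce to 13 unique ones. In a real capture the lines would come from a sniffer's TCP stream reassembly (for example, the output of a tool such as tcpflow or Wireshark's "Follow TCP Stream"); the parsing is the same.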

APPENDIX A: Network Architecture of C-STAR

The first step of the audit was to gather information about the network architecture of the research center and about its hosts. For this purpose, an initial footprinting was carried out to gain information about the topology of the network. The following figure shows the topology of the network.

The next step was to conduct an initial review of the hosts in the research center, to gain information about the hosts, their operating systems, and the services that were running. For this purpose, we carried out operating system and application fingerprinting of the hosts in the research center. The following table shows the operating systems and services running on machines in the research center.

  IP Address       Operating System                      Services
  172.16.32.151    Linux Kernel 2.6.x, Windows XP SP2    NetBIOS Name Service (137/udp), Microsoft-DS/SMB (445/tcp), Microsoft Terminal Services (3389/tcp)
  172.16.32.152    Windows XP SP2                        Microsoft Terminal Services (3389/tcp)
  172.16.32.153    Windows XP SP2                        Microsoft Windows RPC (135/tcp), NetBIOS Name Service (137/udp), Microsoft-DS/SMB (445/tcp), Microsoft Terminal Services (3389/tcp)
  172.16.32.154    Linux Kernel 2.6.x                    OpenSSH 4.0 (protocol 2.0) (22/tcp), MySQL (3306/tcp)
  172.16.32.156    Windows XP SP2                        Microsoft Windows RPC (135/tcp), NetBIOS Name Service (137/udp), Microsoft-DS/SMB (445/tcp), Microsoft Terminal Services (3389/tcp)
  172.16.32.163    Linux Kernel 2.6.x                    vsftpd 2.0.1 (21/tcp), OpenSSH 3.9p1 (protocol 1.99), Linux telnetd (23/tcp), Kerberised RSH (544/tcp), MySQL (3306/tcp)
  172.16.32.164    Linux Kernel 2.4.x                    OpenSSH 3.5p1 (protocol 1.99) (22/tcp)
  172.16.32.165    Linux Kernel 2.4.x                    OpenSSH 4.3 (protocol 2.0) (22/tcp)
  172.16.32.171    Windows XP SP2                        NetBIOS Name Service (137/udp), Microsoft-DS/SMB (445/tcp), Microsoft Terminal Services (3389/tcp)
  172.16.32.177    Linux Kernel 2.4.x, Windows XP SP2    Microsoft Terminal Services (3389/tcp)
  172.16.32.180    Linux Kernel 2.6.x, Windows XP SP2    NetBIOS Name Service (137/udp), Microsoft-DS/SMB (445/tcp), Microsoft Terminal Services (3389/tcp)
  172.16.32.181    Linux Kernel 2.6.x                    vsftpd 2.0.4 (21/tcp), OpenSSH 4.2p1 Debian-7ubuntu3 (protocol 2.0) (22/tcp), Samba smbd 3.x (139/tcp, 445/tcp)
  172.16.32.182    Linux Kernel 2.6.x                    OpenSSH 4.0 (protocol 2.0) (22/tcp), Sendmail 8.13.4 (25/tcp)
  172.16.32.183    Windows XP SP2                        NetBIOS Name Service (137/udp), Microsoft-DS/SMB (445/tcp), Microsoft Terminal Services (3389/tcp)
  172.16.32.184    Windows XP SP2                        NetBIOS Name Service (137/udp), Microsoft-DS/SMB (445/tcp), Microsoft Terminal Services (3389/tcp)
  172.16.32.185    Windows XP SP2                        NetBIOS Name Service (137/udp), Microsoft-DS/SMB (445/tcp), Microsoft Terminal Services (3389/tcp)
  172.16.32.190    -                                     NetBIOS Name Service (137/udp)
  172.16.32.191    Windows XP SP2                        NetBIOS Name Service (137/udp), Microsoft-DS/SMB (445/tcp)
  172.16.32.192    Windows XP SP2                        -
  172.16.32.196    Windows XP SP2                        NetBIOS Name Service (137/udp), Microsoft-DS/SMB (445/tcp)
  172.16.32.199    HP JetDirect (ROM x.x.x, EEPROM x.x.x)  HP JetDirect ftpd (21/tcp), HP JetDirect printer telnetd (23/tcp), HTTP (80/tcp), SNMP (161/udp), HTTPS (443/tcp), JetDirect (9100/tcp)

Note: 445/tcp is the Microsoft-DS port (SMB over TCP), not the NetBIOS datagram service (which is 138/udp). A "-" marks a cell left empty in the fingerprinting results.

During the audit, we discovered that Microsoft file sharing services (SMB) were among the most heavily used services in the network. Other heavily used services were Microsoft Terminal Services (Remote Desktop) and Secure Shell (SSH). The figure below shows the most prevalent services discovered in the network during the audit.

We also discovered several services which were deployed but not being used. The most widely deployed of these was sunrpc, running on several hosts with some flavor of the Linux operating system. We also discovered insecure services such as FTP, Telnet and SMTP, which accept credentials in plaintext form.
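The checks the audit applied to this inventory (services that carry credentials in the clear, SSH servers that still offer protocol 1, SNMP exposed on the LAN, and services running that nobody needs) can be expressed as a small rule set over the table above. The following is an added example written for this page, not the auditors' tooling: it parses a constructed subset of the Appendix A rows in their printed form and emits one finding per rule hit, with the matching recommendation from Appendix B. The REQUIRED sets (which services each host is supposed to offer) are assumptions for the example, and the 22/tcp port on the 172.16.32.163 SSH entry is assumed because the table omits it.

```python
import re
from collections import Counter, namedtuple

# Constructed inventory in the shape of the Appendix A table (a subset of its
# hosts). The 22/tcp port on 172.16.32.163's SSH entry is assumed.
INVENTORY = {
    "172.16.32.154": ["OpenSSH 4.0 (protocol 2.0) (22/tcp)", "MySQL (3306/tcp)"],
    "172.16.32.163": ["vsftpd 2.0.1 (21/tcp)", "OpenSSH 3.9p1 (protocol 1.99) (22/tcp)",
                      "Linux telnetd (23/tcp)", "Kerberised RSH (544/tcp)", "MySQL (3306/tcp)"],
    "172.16.32.182": ["OpenSSH 4.0 (protocol 2.0) (22/tcp)", "Sendmail 8.13.4 (25/tcp)"],
    "172.16.32.199": ["HP JetDirect ftpd (21/tcp)", "HP JetDirect printer telnetd (23/tcp)",
                      "HTTP (80/tcp)", "SNMP (161/udp)", "HTTPS (443/tcp)", "JetDirect (9100/tcp)"],
}

# Assumed for the example: the services each host is actually meant to offer.
# Anything else found listening is reported as unnecessary.
REQUIRED = {
    "172.16.32.154": {(22, "tcp"), (3306, "tcp")},
    "172.16.32.163": {(22, "tcp"), (3306, "tcp")},
    "172.16.32.182": {(22, "tcp"), (25, "tcp")},      # mail server
    "172.16.32.199": {(9100, "tcp"), (80, "tcp"), (443, "tcp")},  # printer
}

# Services whose authentication travels in the clear, keyed by well-known port,
# with the replacement Appendix B recommends.
PLAINTEXT_AUTH = {
    (21, "tcp"): ("FTP", "use SFTP/SCP over SSH"),
    (23, "tcp"): ("Telnet", "use SSH"),
    (25, "tcp"): ("SMTP", "require STARTTLS for authenticated submission"),
    (110, "tcp"): ("POP", "use POP over SSL"),
    (143, "tcp"): ("IMAP", "use IMAP over SSL"),
    (512, "tcp"): ("rexec", "use SSH"),
    (513, "tcp"): ("rlogin", "use SSH"),
    (514, "tcp"): ("rsh", "use SSH"),
}

SERVICE_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<port>\d+)/(?P<proto>tcp|udp)\)\s*$")
SSH_PROTO_RE = re.compile(r"protocol\s+(\d+\.\d+)")

Finding = namedtuple("Finding", "host port proto kind detail fix")


def parse_service(entry):
    """Split 'name (port/proto)' as printed in the table; pull the SSH banner
    protocol version out of the name when present."""
    m = SERVICE_RE.match(entry)
    if not m:
        raise ValueError(f"unparseable service entry: {entry!r}")
    name = m.group("name").strip()
    ssh = SSH_PROTO_RE.search(name)
    return {"name": name, "port": int(m.group("port")), "proto": m.group("proto"),
            "ssh_protocol": ssh.group(1) if ssh else None}


def audit(inventory, required):
    """Apply the rule set to every listening service and return the findings."""
    findings = []
    for host, entries in inventory.items():
        needed = required.get(host, set())
        for svc in map(parse_service, entries):
            key = (svc["port"], svc["proto"])
            if key in PLAINTEXT_AUTH:
                label, fix = PLAINTEXT_AUTH[key]
                findings.append(Finding(host, *key, "plaintext",
                                        f"{label} accepts credentials in plaintext", fix))
            # A banner of "protocol 1.99" means the server accepts SSH-1 as well as SSH-2.
            if svc["ssh_protocol"] is not None and svc["ssh_protocol"] != "2.0":
                findings.append(Finding(host, *key, "sshv1",
                                        f"SSH server still offers protocol 1 (banner protocol {svc['ssh_protocol']})",
                                        "set 'Protocol 2' in sshd_config"))
            if key == (161, "udp"):
                findings.append(Finding(host, *key, "snmp", "SNMP reachable on the LAN",
                                        "check for default community strings; restrict or disable"))
            if key not in needed:
                findings.append(Finding(host, *key, "unnecessary",
                                        f"{svc['name']} is not required on this host", "shut the service down"))
    return findings


def count_by_kind(findings):
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in audit(INVENTORY, REQUIRED):
        print(f"{f.host:15s} {f.port}/{f.proto:3s} [{f.kind}] {f.detail}; {f.fix}")
    print(count_by_kind(audit(INVENTORY, REQUIRED)))
```

A plaintext service that is also not required shows up twice (once per rule), which is what the report does when it lists the same host under both "insecure protocols" and "unnecessary services". Feeding the tool real scanner output instead of the printed table only changes parse_service.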

APPENDIX B: Details of Findings and Recommendations

1. Network Security

Network security mechanisms are used to protect data in transit. This is one of the most insidious problems facing connected machines today, because the standard Internet protocols, most visibly TCP/IP, were designed with an emphasis on efficiency and reliability, not security. Data sent across a network, whether a private network or a public one such as the Internet, is vulnerable to "packet sniffing": data moving to and from connected machines can be eavesdropped on without the activity being detected, and it is also susceptible to unauthorized tampering and misrepresentation ("spoofing") unless network security is in place. Most commonly, network security is achieved by the use of cryptographic protocols at one or more layers of the network stack, depending on the requirements of the application that handles the sensitive data. Not only does data passing through the system need to be secured; management and control data to and from the system also needs to be secured, to prevent unauthorized remote management and to enforce access control.

1.1. Audit Results

The current state of network security in the local area network of the Center of Security Theory and Algorithmic Research was deemed Weak based on the following findings:
  - Several hosts on the network use insecure protocols such as POP and IMAP.
    o POP and IMAP sessions can easily be read or modified by any intermediate router, or by any host able to intercept traffic between the client and the server, which is a threat to e-mail privacy and integrity.
    o POP and IMAP use plaintext passwords for authentication, which can be eavesdropped on and used for future attacks.
  - Several users on the network use a web interface to check their mail on the Students and Research servers, which run SquirrelMail.

    o SquirrelMail sessions can easily be read or modified by any intermediate router between the client and the server, which is a threat to e-mail privacy and integrity.
    o SquirrelMail accepts passwords in plaintext, which can be eavesdropped on and used for future attacks.
  - A few users use HTTP Basic Authentication to access certain websites. Basic Authentication does not encrypt the credentials: the username and password are merely Base64-encoded, which is trivially reversible, so over plain HTTP they are fully exposed to eavesdropping.

During the auditing period of seven days, we were able to capture 116 passwords that were being transmitted using insecure protocols: POP, IMAP, HTTP (web-based e-mail) and HTTP Basic Authentication. Following are the details of the captured passwords:

  Protocol                    Passwords captured   Share
  POP                           8                    7%
  IMAP                         77                   66%
  HTTP (web-based e-mail)      29                   25%
  HTTP Basic Auth.              2                    2%
  Total passwords             116                  100%
  Unique passwords             13

1.2. Recommendations

The current state of network security can be hardened using the following practices:
  - Using Kerberos-enabled servers.

  - Using IMAP/SSL and POP/SSL instead of IMAP and POP to retrieve mail.
  - Using SSH to read e-mail.
  - Configuring web-mail to use SSL.

2. System Security

System security mechanisms are used to protect the system itself, or the perimeter of a network, from external intrusions. Uncontrolled external connections to a system could result in a variety of attacks, including packet floods, invalid data that uses up valuable bandwidth or processing power on the device, and denial of service (DoS) attacks in which illegitimate users prevent valid users from using the device's services or from managing the device. Basic system security usually takes the form of a simple "packet-filtering" firewall that allows or denies packets to and from specific peers based on criteria such as source/destination IP address, protocol type, ingress/egress network interface and other packet header fields. More advanced "stateful inspection" firewalls look beyond a single packet when making a decision and instead maintain per-stream state, enabling protection against floods or corrupt data emanating from otherwise valid network nodes. Sophisticated intrusion prevention and detection systems bolster this capability with fast pattern matching, bandwidth control that keeps management possible even in the face of attacks, and automatic protection measures against denial of service attacks.

2.1. Audit Results

The current state of system security in the local area network of the Center of Security Theory and Algorithmic Research was deemed Moderate based on the following findings:
  - Nine (9) hosts were discovered running Microsoft Terminal Services (Remote Desktop), which is vulnerable to man-in-the-middle attack: the RDP versions shipped with these Windows XP hosts do not authenticate the server to the client, so an attacker on the path can impersonate the server and read the session.
  - One (1) host was discovered running an SNMP service with the default community string, which can be used by an attacker to gain more information about the host or to change its configuration remotely.

  - One (1) host was discovered running an HTTP server with a vulnerability that can be used to read arbitrary files on the web server.
  - Four (4) hosts were discovered running services that use plaintext passwords for authentication.
  - Two (2) hosts were discovered running SSH servers that still accept protocol 1, which is vulnerable to man-in-the-middle attack.
  - Several hosts were discovered running unnecessary services.

We classified the vulnerabilities as follows:
  - High Risk: vulnerabilities that can be easily exploited and could lead to compromise, and/or pose a high risk to the stability of the campus network.
  - Moderate Risk: vulnerabilities whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing/network devices.
  - Low Risk: vulnerabilities that are very difficult to exploit or whose impact, if exploited, would be minimal.

Below is the summary of the vulnerabilities found during the audit.

  Risk level       Count   Share
  Low Risk          21      60%
  Moderate Risk     12      34%
  High Risk          2       6%
  Total             35     100%

During the audit, we discovered one (1) host with two (2) high risk vulnerabilities, and eleven (11) hosts with one or more moderate risk vulnerabilities. Below is the summary of the vulnerabilities discovered on each host during the audit.

Specifically, we discovered that the HP LaserJet printer (172.16.32.199) installed in the research center was affected by the two high risk vulnerabilities. Also, several hosts were discovered running services that were not being used. Below is the summary of the unnecessary services discovered during the audit.

2.2. Recommendations

We recommend the following practices to improve the state of system security of the hosts:
  - Minimize the use of Microsoft Terminal Services.
  - Patch or upgrade vulnerable services.
  - Use SSH protocol 2 only, instead of allowing protocol 1.
  - Use SSH and SFTP/SCP instead of Telnet/RSH and FTP/RCP.
  - Shut down services which are not being used.

3. Authentication

Authentication is any process by which you verify that someone is who they claim to be. This usually involves a username and a password, but can include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints. Authorization is finding out whether the person, once identified, is permitted to have the resource. Since they are the least expensive to implement, most systems rely on passwords to authenticate users. Passwords are also often used in addition to physical or cryptographic proofs of identity to further strengthen security.

3.1. Audit Results

The current state of authentication in the local area network of the Center of Security Theory and Algorithmic Research was deemed Moderate based on the following findings:
  - 31% of the passwords in use were found to be weak, in the sense that they were either short or easily guessable.
  - Services were discovered that accept credentials in plaintext form and are therefore susceptible to eavesdropping.

Below is the summary of the strength of the passwords in use in the network:

  Password strength   Count   Share
  Weak                  4      31%
  Moderate              5      38%
  Strong                4      31%
  Total                13     100%

3.2. Recommendations

We recommend the following practices to harden the strength of the passwords being used:
  - Use special characters and digits along with letters to construct passwords.
  - Use passwords that are eight characters or longer.
  - Do not use easily guessable information such as first or last name, date of birth, etc. in passwords.
  - Use services that accept credentials in a secure (encrypted) form.
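The strength criteria in 3.1 and 3.2 (shorter than eight characters or easily guessable counts as weak; letters, digits and special characters together count as strong) are simple enough to score mechanically. The following is an added example written for this page, not the auditors' method: it classifies a constructed list of thirteen usernames and passwords (invented, with made-up user profiles; none of it is the audit's data) against those criteria and produces the Weak/Moderate/Strong breakdown in the form the report tabulates. The list of common passwords and the profile fields checked are assumptions for the example.

```python
import re
from collections import Counter

# Assumed for the example: a handful of passwords everyone tries first.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Constructed user profiles (invented names and dates of birth) used to
# detect "easily guessable" passwords built from personal information.
PROFILES = {
    "alice": {"first": "Alice", "last": "Rao", "dob": "1990-07-21"},
    "bob": {"first": "Bob", "last": "Menon", "dob": "1985-03-12"},
    "carol": {"first": "Carol", "last": "Iyer", "dob": "1988-01-30"},
}

# Constructed sample of (username, password) pairs, with the expected rating.
SAMPLE = [
    ("alice", "alice123"),      # contains the user's own name -> Weak
    ("bob", "12031985"),        # the user's date of birth -> Weak
    ("carol", "secret"),        # shorter than eight characters -> Weak
    ("dave", "qwerty12"),       # built on a common password -> Weak
    ("erin", "blueocean"),      # letters only -> Moderate
    ("frank", "Tr0ub4dor"),     # letters and digits, no special -> Moderate
    ("grace", "mysql2007"),     # Moderate
    ("heidi", "LongerPhrase"),  # Moderate
    ("ivan", "hyderabad9"),     # Moderate
    ("judy", "C-st4r!Lab"),     # letters, digits and specials -> Strong
    ("mallory", "g8$Kq2#pLz"),  # Strong
    ("oscar", "Alg0rithm!"),    # Strong
    ("peggy", "R3search@Lab"),  # Strong
]


def is_guessable(password, profile=None):
    """True if the password embeds a common password, the user's first or
    last name, or the date of birth in any of the usual digit orderings."""
    p = password.lower()
    if any(common in p for common in COMMON):
        return True
    if profile:
        for key in ("first", "last"):
            name = profile.get(key, "").lower()
            if len(name) >= 3 and name in p:
                return True
        dob = profile.get("dob")
        if dob:
            y, m, d = dob.split("-")
            if any(form in p for form in (y, d + m + y, y + m + d, d + m + y[2:])):
                return True
    return False


def classify(password, profile=None):
    """Apply the report's criteria: short or guessable is Weak; all three
    character classes (letters, digits, specials) is Strong; else Moderate."""
    if len(password) < 8 or is_guessable(password, profile):
        return "Weak"
    classes = sum((
        bool(re.search(r"[A-Za-z]", password)),
        bool(re.search(r"\d", password)),
        bool(re.search(r"[^A-Za-z0-9]", password)),
    ))
    return "Strong" if classes == 3 else "Moderate"


def audit_passwords(samples, profiles):
    """Rate every sample and return the per-user ratings plus the
    count and whole-percent share per strength class."""
    ratings = [(user, classify(pw, profiles.get(user))) for user, pw in samples]
    counts = Counter(rating for _, rating in ratings)
    total = len(ratings)
    share = {k: round(100 * n / total) for k, n in counts.items()} if total else {}
    return {"ratings": ratings, "counts": dict(counts), "share": share, "total": total}


if __name__ == "__main__":
    result = audit_passwords(SAMPLE, PROFILES)
    for user, rating in result["ratings"]:
        print(f"{user:8s} {rating}")
    for level in ("Weak", "Moderate", "Strong"):
        print(f"{level:9s} {result['counts'].get(level, 0):3d}  {result['share'].get(level, 0):3d}%")
```

The scorer only looks at what the auditor can see in a captured plaintext password and a user's public profile; it is a policy check, not a measure of entropy, and a password that passes as Strong here can still fall to a dictionary attack if it is reused from elsewhere.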