Network Security
Auditing
April 2015
PwC
Agenda
Objectives
Concepts
Definitions
Key Review Areas
Architecture
Assessment Types
Nipper Overview
Firewall Configuration Review
Case Study
AlgoSec Overview
Firewall Ruleset/Access Review
Case Study
Objectives
• Explain key concepts and definitions pertaining to network security, device configuration reviews, and rule-set/access reviews.
• Provide a high-level overview of network security practice offerings.
• Explain the technical and procedural processes for using the Nipper tool.
• Explain the technical and procedural processes for using the AlgoSec tool.
Key Concepts
Network Redundancy/Resiliency
• Resiliency is not needed at every layer, but should exist at critical points in the network, such as the internet presence.
• Resiliency can be achieved through redundant hardware, fault-tolerant systems, virtualized platforms, etc.
DMZ
• We stole this term from the military, just as we stole "quarantining" from the CDC.
• A DMZ quarantines a high-risk zone from all other networks.
• Segmentation provides an extra layer of security by isolating critical systems and applications.
• Segmentation is usually enforced with firewalls, access-control lists and logical networks (VLANs) that restrict the flow of communication into and out of the zone.
• Two types of DMZ: external and internal.
• External DMZ: its purpose is not to protect the external-facing services placed in it; it is to protect the internal network from those services if they are compromised.
• Internal DMZ: protects the critical applications and systems placed in it from everything else on the internal network.
Definitions
Hardware/Device Types:
Routers: A device that forwards network traffic between different networks based on Layer 3 addresses.
Firewalls: Inspect network traffic entering or leaving a network and accept or reject it based on defined access-control lists (firewall rules).
Switches: Multi-port network bridges that process and forward data at the data link layer (Layer 2) of the OSI model.
IDS: A device that analyzes the traffic passing on a subnet. It works in promiscuous mode (typically fed from a SPAN port or tap) and matches the traffic it sees against a library of known attack signatures; it alerts but does not block.
IPS: Intrusion prevention is a preemptive approach to network security: the device sits inline, identifies potential threats with the same detection techniques as an IDS, and can drop or reset the offending traffic.
Web Proxy / Gateway: Devices used for monitoring and restricting unapproved inbound and outbound internet traffic.
Network Access Control (NAC): A networking solution that uses a set of protocols to define and implement a policy describing how devices are checked and granted access to network nodes when they first attempt to connect.
Routing:
OSPF: "Open Shortest Path First." A link-state interior gateway protocol: each router learns the topology of its area and runs a shortest-path (Dijkstra) calculation to find the best route to every other router within the autonomous system. It runs directly over IP, so any IP-based network can use it.
BGP: Border Gateway Protocol, an exterior gateway routing protocol that enables groups of routers (called autonomous systems) to share routing information so that efficient, loop-free routes can be established between them.
Multi-Protocol Label Switching (MPLS): A mechanism, primarily used in WAN architectures, that directs data from one network node to the next based on short path labels rather than long network addresses.
Authentication and Access Control:
ACL: An Access Control List specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. On network devices the term usually means a packet-filtering list of permit/deny entries.
RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate users and authorize their access to the requested system or service. Only the password attribute is obscured in transit; the rest of the packet is clear text.
TACACS / TACACS+: Terminal Access Controller Access-Control System is an access control network protocol for routers, network access servers and other networked computing devices that allows a device to forward a user's logon credentials to an authentication server to determine whether access can be allowed to a given system. Unlike RADIUS, TACACS+ separates authentication, authorization and accounting and encrypts the whole packet body, which is why it is the usual choice for device administration.
Internal Network Assessment
An assessment of architecture, security, and resiliency within the internal local area network at Layer 3.
In-scope devices: internal network routers, internal firewalls, switches.
Key Review Areas
• Governance, Policies, Procedures
• Topology & Placement of Devices
• Review of Internal Firewall Ruleset/Access (AlgoSec)
• Review of internal device configurations (Nipper)
• Network Segmentation
• Inventory & Asset Classification
• Wireless Topology/Configuration Review (Nipper) (Cisco WAP Review Tool)
• Third Party Connectivity
Global Communications
An assessment of architecture, security, and resiliency of the network connecting multiple country offices located around the world.
In-scope components: global communications firewalls, CE/PE (customer-edge/provider-edge) routers, WAN accelerators, the country-office local area networks.
Key Review Areas
• Governance, Policies, Procedures
• Topology & Placement of Devices
• Review of MPLS Topology, Infrastructure, & Encryption
• Review of Country Office Firewalls & IPsec Tunnels
• Review of Country Office Internet Connectivity
• Review of Router Configurations (Nipper)
• Review of WAN Optimization Device Configurations (Nipper)
• Review of Firewall & VPN Configuration (Nipper)
Perimeter Security
An assessment of architecture, security, and resiliency of the network at the outermost logical layer, the separation between external and internal.
In-scope components: global communications links, externally facing firewalls, IDS/IPS, ISP connectivity.
Key Review Areas
• Governance, Policies, Procedures
• Topology & Placement of Devices
• Configuration Review of Firewalls and Routers
• Review of Resiliency and DR capabilities
• Network Intrusion Identification & Response
• Logging & Monitoring of Firewalls, IDS, and Web-Proxy Devices
Governance Review
Objective: To ensure processes have been established to govern the management of network security.
Policy, Procedures, & Standards Review
Objective: Policies, procedures, and standards are appropriately established to govern all devices, systems, applications, and users contributing to network security.
Policy domains reviewed: information security, device hardening, availability, security monitoring, logging & monitoring, access control, resiliency & high availability, BCP & DR, third parties, budget & cost share, governance steering.
Architecture - Ingress and Egress Filtering
Network Security Architecture diagram: Internet (untrusted), semi-trusted zone, Internal Network, with filtering applied in both directions at each boundary.
Architecture - Segmentation
Network Security Architecture diagram of tiered segmentation: Internet (untrusted), Web Tier, Application Tier, Database Tier, Internal Network; the diagram places the tiers in an internal DMZ between the Internet and the internal network.
Key Technical Review Areas – Application Layer
Definition: This layer supports application and end-user processes.
Areas & Services (service and the TCP/UDP port(s) to look for in rulesets):
FTP (21), SSH (22), Telnet (23), Mail/SMTP (25), TFTP (69), Finger (79), Kerberos (88), POP3 (110), SUNRPC (111), Microsoft RPC/NetBIOS/SMB (135-139, 445), Check Point (264), LDAP (389), Syslog (514), DB2 (523), IMAPS (993), Lotus Notes (1352), MSSQL (1433-1434), Oracle (1521), MS-RDP (3389), pcAnywhere (5631), VNC (5800, 5900), X Windows (6000, 6001), IRC (6666-6667).
The clear-text or legacy management protocols in this list (FTP, Telnet, TFTP, Finger, pcAnywhere, VNC, X Windows) permitted across a zone boundary are the usual findings.
Key Review Areas – Network Layer
Definition: This layer provides routing technologies, creating logical paths for transmitting data from node to node. Routing and forwarding are functions of this layer, as are logical addressing, internetworking, fragmentation and ICMP error reporting.
Areas & Services: IPv4, ICMP, IPsec, ARP; route authentication; subnet traffic control; logical-to-physical addressing; external routing protocols; internal routing protocols.
Key Review Areas – Data Link Layer
Definition: The Data Link layer is concerned with moving data across the physical links in the network.
Areas & Services: ATM, Frame Relay, MPLS VPN; DHCP attacks, VLAN hopping, spoofing, MAC attacks.
Key Review Areas - VLAN Hopping
An attacker on an access port reaches a VLAN it was not assigned to, either by negotiating a trunk with the switch (switch spoofing, using DTP) or by sending frames with two 802.1Q tags: the outer tag matches the trunk's native VLAN and is stripped, leaving the inner tag to carry the frame into the target VLAN (double tagging).
Key Review Areas - VLAN Hopping Defense
Configure the switch's edge ports to accept only untagged packets: set them to access mode, disable trunk negotiation on them, and do not use a trunk's native VLAN (or VLAN 1) as an access VLAN anywhere.
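An added worked example (written for this page; it is not Nipper output and not Cisco code) that applies the defense above as a check against a switch configuration. The IOS-style running-config excerpt, interface names and VLAN numbers are constructed. The checks cover both techniques: DTP negotiation on edge ports, and a trunk native VLAN shared with an access VLAN.

```python
"""Audit a switch running-config for VLAN-hopping exposure.

Added example written for this page; it is not Nipper output and not
Cisco code. SAMPLE_CONFIG is a constructed IOS-style excerpt with made-up
interface names and VLAN numbers.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description user port - finance (hardened)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description user port - reception (mode not set)
 switchport access vlan 20
!
interface GigabitEthernet0/3
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 20
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/4
 description printer (left in VLAN 1)
 switchport mode access
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented configuration lines."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return interfaces


def audit_vlan_hopping(config: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings: List[str] = []
    access_vlan_of: Dict[str, int] = {}
    native_vlan_of: Dict[str, int] = {}
    for name, lines in parse_interfaces(config).items():
        mode = None
        nonegotiate = False
        access_vlan = 1     # IOS default when no 'switchport access vlan'
        native_vlan = 1     # IOS default when no 'switchport trunk native vlan'
        for line in lines:
            if line == "switchport mode access":
                mode = "access"
            elif line == "switchport mode trunk":
                mode = "trunk"
            elif line == "switchport nonegotiate":
                nonegotiate = True
            m = re.fullmatch(r"switchport access vlan (\d+)", line)
            if m:
                access_vlan = int(m.group(1))
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
            if m:
                native_vlan = int(m.group(1))
        if mode is None:
            # Default is DTP dynamic mode: a host sending DTP can negotiate a trunk.
            findings.append(f"{name}: no 'switchport mode' set; DTP can negotiate "
                            "this edge port into a trunk (switch spoofing)")
        elif mode == "access":
            if not nonegotiate:
                findings.append(f"{name}: access port still speaks DTP; add "
                                "'switchport nonegotiate'")
            if access_vlan == 1:
                findings.append(f"{name}: access port left in VLAN 1")
            access_vlan_of[name] = access_vlan
        else:
            if native_vlan == 1:
                findings.append(f"{name}: trunk native VLAN is 1; move it to an "
                                "unused VLAN")
            native_vlan_of[name] = native_vlan
    # Double tagging: a host in the trunk's native VLAN can send frames whose outer
    # 802.1Q tag is stripped on the trunk, leaving an inner tag for another VLAN.
    for trunk, native in native_vlan_of.items():
        for port, vlan in access_vlan_of.items():
            if vlan == native:
                findings.append(f"{trunk}: native VLAN {native} is also the access "
                                f"VLAN of {port}; double-tagging possible")
    return findings


if __name__ == "__main__":
    for finding in audit_vlan_hopping(SAMPLE_CONFIG):
        print(finding)
```

Run as-is it prints three findings for the sample: the port with no switchport mode, the printer port left in VLAN 1, and the trunk whose native VLAN 20 is also a user VLAN. A configuration-review tool works from the same raw configuration file; this is the kind of logic behind one such check, not a replacement for the tool.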
Key Review Areas - Firewall Concepts
Ideal Firewall Rule
Rule (the ACL entry itself): permit/deny, source, destination, service/port.
Remark (documentation attached to the rule): purpose, administrator/owner, date modified/reviewed.
Stateful Firewall - A dynamic or "stateful" packet inspection firewall maintains a table of active TCP sessions and UDP "pseudo" sessions. Each entry records the session's source and destination IP addresses and port numbers and, for TCP, the current sequence number, so that return traffic is accepted only when it matches a session the firewall has already seen opened.
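An added example, not from the deck or any firewall vendor, that shows the session table in code. The trusted network, the addresses and the packets are constructed; sequence numbers are recorded per session but not validated against the TCP window, which a real firewall does.

```python
"""Minimal stateful packet filter showing the session table described above.

Added example written for this page, not taken from the deck or from any
firewall product. INTERNAL, the addresses and the packets in the usage
section are constructed. TCP sequence numbers are recorded but not
checked against the receive window, which a real firewall would do.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed trusted side
UDP_TIMEOUT = 30.0                               # seconds; UDP has no FIN, so entries age out


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags as letters: "S", "SA", "A", "FA", "R"
    seq: int = 0
    ts: float = 0.0     # arrival time in seconds


SessionKey = Tuple[str, int, str, int, str]   # as seen from the side that opened it


class StatefulFirewall:
    def __init__(self) -> None:
        self.sessions: Dict[SessionKey, dict] = {}

    @staticmethod
    def _keys(p: Packet) -> Tuple[SessionKey, SessionKey]:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        return fwd, rev

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.sessions.items()
                 if k[4] == "udp" and now - e["last_seen"] > UDP_TIMEOUT]
        for k in stale:
            del self.sessions[k]

    def filter(self, p: Packet) -> str:
        """Return 'ACCEPT' or 'DROP' and update the session table."""
        self._expire(p.ts)
        fwd, rev = self._keys(p)
        for key, direction in ((fwd, "orig"), (rev, "reply")):
            if key in self.sessions:
                entry = self.sessions[key]
                entry["last_seen"] = p.ts
                if p.proto == "tcp":
                    entry["seq"] = p.seq
                    if "R" in p.flags:
                        del self.sessions[key]
                    elif "F" in p.flags:
                        entry["fin"].add(direction)
                        if len(entry["fin"]) == 2:   # both sides have closed
                            del self.sessions[key]   # (a real firewall keeps a short TIME_WAIT)
                return "ACCEPT"
        # No matching session: only a fresh outbound flow from INTERNAL may open one.
        if ipaddress.ip_address(p.src) not in INTERNAL:
            return "DROP"   # unsolicited inbound; no explicit deny rule is needed
        if p.proto == "tcp" and p.flags != "S":
            return "DROP"   # mid-stream packet without a session (e.g. an ACK scan)
        self.sessions[fwd] = {"seq": p.seq, "last_seen": p.ts, "fin": set()}
        return "ACCEPT"


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.filter(Packet("10.1.1.5", 40000, "203.0.113.10", 443, "tcp", "S", 1000, 0.0)))   # ACCEPT
    print(fw.filter(Packet("203.0.113.10", 443, "10.1.1.5", 40000, "tcp", "SA", 5000, 0.1)))  # ACCEPT
    print(fw.filter(Packet("198.51.100.7", 5555, "10.1.1.5", 22, "tcp", "S", 1, 1.0)))        # DROP
```

The point for a ruleset review: return traffic for a flow opened from the inside needs no inbound permit, so an inbound "permit established" style rule on a stateful firewall is usually a leftover from a stateless ACL and worth questioning. UDP has no teardown, so its pseudo-session simply ages out.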
Key Review Areas - Firewall Ruleset
• What to look for:
- Weak filtering of source (e.g. "any" as the source of a permit rule)
- Weak filtering of destination
- Unnecessary or excessive services/ports
- Inadequate logging of rules
- Duplicate/deprecated/shadowed rules (a later rule fully covered by an earlier one never matches)
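An added example, written for this page and not AlgoSec's or any vendor's logic, that runs the checklist above together with the ideal-rule documentation fields over a constructed, vendor-neutral ruleset (single CIDR per field and a single protocol/port range per rule are simplifications chosen for the example):

```python
"""Ruleset review: the 'what to look for' checks and the ideal-rule
documentation fields applied to a small ruleset.

Added example written for this page; it is not AlgoSec, Nipper or vendor
code. The rule format and SAMPLE_RULES are constructed, vendor-neutral and
simplified (single CIDR per field, single proto/port range per rule).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
EXCESSIVE_PORT_SPAN = 1000   # assumed threshold for an "excessive" port range


@dataclass
class Rule:
    num: int
    action: str       # "permit" or "deny"
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    service: str      # "tcp/443", "udp/53", "tcp/1024-65535" or "any"
    log: bool
    remark: str = ""  # ideal: "<purpose>; owner=<administrator>; reviewed=<YYYY-MM-DD>"


SAMPLE_RULES = [
    Rule(1, "permit", "10.0.0.0/8", "192.0.2.10/32", "tcp/443", True,
         "intranet portal; owner=netops; reviewed=2015-03-01"),
    Rule(2, "permit", "any", "192.0.2.10/32", "tcp/443", False, ""),
    Rule(3, "deny", "10.0.0.0/8", "192.0.2.10/32", "tcp/443", True,
         "block portal for all staff; owner=netops; reviewed=2015-03-01"),
    Rule(4, "permit", "10.1.0.0/16", "192.0.2.10/32", "tcp/443", True,
         "finance to portal; owner=netops; reviewed=2015-03-01"),
    Rule(5, "permit", "10.0.0.0/8", "any", "any", True,
         "temporary vendor access; owner=dba"),
    Rule(6, "deny", "any", "any", "any", True,
         "cleanup rule; owner=netops; reviewed=2015-03-01"),
]


def _net(cidr: str):
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _ports(service: str) -> Tuple[str, int, int]:
    """Return (proto, low, high); 'any' spans every protocol and port."""
    if service == "any":
        return ("any", 0, 65535)
    proto, rng = service.split("/")
    low, _, high = rng.partition("-")
    return (proto, int(low), int(high or low))


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a."""
    pa, alo, ahi = _ports(a.service)
    pb, blo, bhi = _ports(b.service)
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and (pa == "any" or pa == pb)
            and alo <= blo <= bhi <= ahi)


def _remark_issue(r: Rule) -> Optional[str]:
    if not r.remark.strip():
        return "no remark (purpose, owner, review date)"
    missing = [name for name in ("owner", "reviewed") if f"{name}=" not in r.remark]
    return f"remark lacks {' and '.join(missing)}" if missing else None


def review(rules: List[Rule]) -> List[str]:
    """Run the checklist in order and return one finding string per issue."""
    findings: List[str] = []
    for i, r in enumerate(rules):
        tag = f"rule {r.num}"
        if r.action == "permit":
            if r.src == "any":
                findings.append(f"{tag}: weak source filtering (any)")
            if r.dst == "any":
                findings.append(f"{tag}: weak destination filtering (any)")
            _, lo, hi = _ports(r.service)
            if r.service == "any" or hi - lo > EXCESSIVE_PORT_SPAN:
                findings.append(f"{tag}: excessive service ({r.service})")
        if not r.log:
            findings.append(f"{tag}: not logged")
        issue = _remark_issue(r)
        if issue:
            findings.append(f"{tag}: {issue}")
        # First-match semantics: an earlier rule that covers this one hides it.
        for earlier in rules[:i]:
            if covers(earlier, r):
                if earlier.action == r.action:
                    findings.append(f"{tag}: redundant with rule {earlier.num}")
                else:
                    findings.append(f"{tag}: shadowed by rule {earlier.num}, never matches")
                break
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_RULES):
        print(finding)
```

Rule 3 is the case to look for by hand as well: a deny placed after a broader permit never fires under first-match semantics, so the ruleset is more permissive than it reads. Rule 4 is harmless but is the kind of entry that accumulates as deprecated rules and adds review work.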
Key Technical Review Areas – AAA
Routing protocols whose neighbor authentication is reviewed alongside AAA: OSPF, RIPv2, EIGRP, BGP.
Authentication – method for identifying users: logon and password (or stronger credentials).
Authorization – what an authenticated user is permitted to do; on network devices this is typically delegated to a RADIUS or TACACS+ server.
Accounting – method for collecting and sending security-server information for auditing and reporting.
Key Review Areas - Logging and Monitoring
• What level of logging is enabled on the networking device?
• Is network latency and other network monitoring also enabled?
• Logging should be enabled on network devices. They should log successful and failed logins to the device, and the logs should be sent to a central syslog server rather than kept only in the device's local buffer.
• Logs must be audited to be useful. Reviewing them periodically can surface suspicious activity before a full-fledged attack takes place.
• Devices should send alerts when suspicious activity is noticed, and administrators should respond in a timely manner.
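An added example, not from the deck or a vendor, of the review applied to device login logs. The sample lines are constructed: the message bodies are modelled on Cisco IOS %SEC_LOGIN syslog messages, but the host, users and addresses are made up and the leading ISO timestamp is assumed to be added by a collector. The management subnet and the thresholds are assumptions.

```python
"""Review device login logs: flag brute-force bursts, successes that follow
repeated failures, and admin logins from outside the management network.

Added example written for this page, not vendor or Nipper code. SAMPLE_LOG is
constructed: the message bodies mimic Cisco IOS %SEC_LOGIN syslog messages, but
the host name, users and addresses are made up, and the leading ISO timestamp
is an assumed collector-side format. MGMT_NET and the thresholds are assumed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

MGMT_NET = ipaddress.ip_network("10.10.10.0/24")
BRUTE_FORCE_THRESHOLD = 5          # this many failures ...
BRUTE_FORCE_WINDOW = 60.0          # ... within this many seconds
SUSPICIOUS_PRIOR_FAILURES = 3      # failures before a success worth a look

SAMPLE_LOG = [
    "2015-04-06T12:00:01 sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "2015-04-06T12:00:03 sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "2015-04-06T12:00:05 sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "2015-04-06T12:00:07 sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "2015-04-06T12:00:09 sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "2015-04-06T12:00:12 sw-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 22]",
    "2015-04-06T12:05:10 sw-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.10.5] [localport: 22]",
    "2015-04-06T12:30:00 sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.10.10.5] [localport: 22] [Reason: Login Authentication Failed]",
    "2015-04-06T12:30:20 sw-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.10.5] [localport: 22]",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)


def parse(line: str) -> Optional[dict]:
    """Return the fields of a login event, or None for lines that are not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyze(lines: List[str]) -> List[str]:
    """Sliding-window review of login events; returns one finding per alert."""
    findings: List[str] = []
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()   # one brute-force alert per source, not one per extra failure
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts, user = ev["src"], ev["ts"], ev["user"]
        window = recent_failures[src]
        while window and (ts - window[0]).total_seconds() > BRUTE_FORCE_WINDOW:
            window.popleft()
        when = f"{ts.isoformat()} {ev['host']}"
        if ev["event"] == "LOGIN_FAILED":
            window.append(ts)
            if len(window) >= BRUTE_FORCE_THRESHOLD and src not in alerted:
                alerted.add(src)
                findings.append(f"{when}: {len(window)} failed logins from {src} "
                                f"within {BRUTE_FORCE_WINDOW:.0f}s (possible brute force)")
        else:
            if len(window) >= SUSPICIOUS_PRIOR_FAILURES:
                findings.append(f"{when}: successful login as {user} from {src} "
                                f"after {len(window)} recent failures")
            if ipaddress.ip_address(src) not in MGMT_NET:
                findings.append(f"{when}: successful login as {user} from {src}, "
                                "outside the management network")
            window.clear()
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run on the sample this returns three findings, all for 198.51.100.7: a burst of five failures, a success right after them, and a success from outside the management network. The netops entries show that a single mistyped password is not flagged. None of this works unless the device actually sends these messages to a collector, which is the first thing to confirm in the logging review.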
Key Review Areas – VPN Solutions
• VPN Services
- Provide a mechanism for staff to connect to the local area network from the Internet
- Can also be used to uplink vendors to key positions on the network
- Analysis includes:
◦ Verifying that proper access control is being performed
◦ Confirming that strong methods of authentication are in place
- Some workprograms exist, but the applicable one depends on which solution is selected
- Two primary competing technology platforms (SSL vs. IPsec)
Key Review Areas - VPN Overview (diagram)
Nipper
Nipper Overview
How does Titania describe themselves?
• "Security Audit Software" - a tool that analyzes network devices' native configurations and produces audit-style reports
How can PwC benefit from Nipper Studio?
• As a tool to standardize the configuration review of multiple devices and platforms, allowing us to deliver consistent and credible analysis to the client
How does PwC utilize the capabilities and features of Nipper Studio?
• Network Device Configuration Review
• Firewall Configuration Review
Where is the value?
Consistent Process:
• Allows PwC to maintain a similar approach for each client engagement
Efficiently streamlines workload:
• The tool is designed to analyze the configuration files for network devices so that we can spend more time analyzing the results
Identification of Issues:
• Allows us to fully understand the types of issues the organization is facing (i.e. patch management, access control, authentication, etc.)
Provides us the platform to provide our value:
• Any organization can purchase Nipper and run the tool
• They hire PwC for our ability to determine the root causes of potential issues
Prior Audits and Workprograms
Workprogram detailing the controls, findings, and recommendations for issues discovered through the scan.
Issues & Action Plan based upon the issues discovered through analysis of the Nipper report.
Nipper Tool
The home screen of Nipper Studio:
• New Report
• Settings
• Licenses
• Tutorials
• Help
• Supported Devices
Key Takeaway: very simple user interface with a minimal amount of overhead
Nipper Tool
What kinds of reports is Nipper able to produce?
Security Audit, Vulnerability Audit, STIG Compliance, SANS Policy Compliance, PCI Compliance Audit, Filtering Complexity, Configuration Report, Raw Configuration Appendix
Nipper Tool – Report for Router/Switch Config
What is the foundation for a Nipper report?
Each issue is presented as Finding – Impact – Ease – Recommendation, with three ratings:
Impact: Critical / High / Medium / Low / Info
Ease (how easily the issue can be exploited): Trivial / Easy / Moderate / Challenge / N/A
Fix: Involved / Planned / Quick
DEMO!
What does this all mean for us?
Nipper is an easy-to-use tool.
• However, this powerful tool allows us to build upon our service offerings and offer the client quality analysis and deliverables
• Increases our understanding of the client environment, which can lead to additional client opportunities (i.e. developing a patch management program)
• Increases your ability to understand and comprehend the issues that organizations face in safeguarding their networks and processes
• Finally, this is just one of the ways we are able to sell our brand and
AlgoSec
June 2014
What is AlgoSec Firewall Analyzer?
• Analyzes firewall configurations and produces risk reports
• Maps out network topology
• Cross-references results with compliance and risk issues
• Can monitor groups of firewalls in real time
• Server based
Value added features - General benefits
• Consistency: PwC can easily leverage the same process across multiple engagements
• Efficiency: using AlgoSec to analyze the configurations and the relationships between the rules can bring issues to the analyst's attention quicker
• Increased visibility: it can provide us with insight into the client's network topology to leverage on other engagements
Value added features - Deep risk analysis
• Maps network topology: AlgoSec builds an interactive map of the different networking devices
• Risk Based Analysis: identifies and ranks threats based on industry leading practices
• Prioritization: findings are categorized according to risk when presented to the analyst
• Remediation: output contains proposed solutions and vendor-specific configuration changes
Value added features – network topology example (screenshot)
Value added features – compliance reporting
AlgoSec compliance reports: ISO 27001, PCI DSS, J-SOX, Basel II, SOX, internal standards
Value added features – compliance reporting example (screenshot)
Value added features - Aware of tiering/hierarchy
• Analyzes group hierarchy: accounts for the relationship between firewalls and their relative positions on the network when determining the risk of a finding
• Firewall zoning: the user can define zones and trust relationships
Value added features – metrics/dashboard
Dashboard tracks changes, connections, rules, etc.
How does PwC use it?
Engagements: network assessments, vulnerability assessments, firewall reviews
How does PwC use it? – Prior Workprograms
Spreadsheet detailing configuration findings
How do clients use it?
Client value: operations testing and deployment, internal testing, alerting and monitoring
AlgoSec Firewall Analyzer Demo!
Questions, Comments, Concerns, and Applause
The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to, warranties of merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser.
© 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers