- BlogInfoSec.com - https://www.bloginfosec.com -

Assessing your Organization’s Network Perimeter (pt. 2)

Welcome once again to the risk rack. This time on the risk rack we will be continuing our review of how to assess your organization’s network perimeter. As a reminder the identified steps were:

In Part I [1] we reviewed tips and tricks for Step 1 “Define the functions and purposes of your network perimeter” and started a spreadsheet.

In Part II of “assessing your perimeter” we will be looking at tips and tricks for Step 2: “Assess the technology used along the perimeter of your network.”

Let us begin by first defining the term “Technology” for the purpose of this article. Technology for the purpose of this article is defined as any hardware or software as well as architectural design. To provide some structure for the technology assessment I have provided the following stepped approach which I will describe below.

Defining an endpoint is simply identifying any segment of the network that interfaces with an external environment. There are three basic forms of endpoint interfaces:

  1. Private – An external link which is setup to communicate to a single entity (i.e. a standalone modem connection or T1 line) using a ‘closed’ network.
  2. Semi-Private – An external link that is setup to interface with a number of entities (i.e. modem pool, shared frame relay, etc.) using a ‘closed’ network
  3. Public – An external link that is that is setup using a open network such as the Internet

Step 1:
The best starting point for identifying network endpoints are detailed network diagrams which you should be able to obtain from your network architect. Working with your network architects you should be able to identify all of your endpoints and establish their specific type. Create a spreadsheet for each endpoint listing the endpoint and the basic form on the spreadsheet with a brief description.

Step 2:
Once you have identified all of the endpoints you should now identify the hardware within the Demilitarized Zone (DMZ) for each endpoint. The DMZ refers to the no mans land between your network and the outside word typically the DMZ begins with a firewall used to buffer your internal network from the outside link and ends with a either another firewall or router that directly interfaces with the external abyss.

Again a good source for this information is a detailed network diagram and a network architect. Some of the types of hardware you are looking for are routers, modems, switches, firewall servers, monitoring servers, mail servers, proxy servers, remote access servers, Load balancers, application servers, etc. Please also note there are many devices that are sold as appliances, these devices must be included as well. In this step you should also capture the type of communication link used at this endpoint i.e T1, T3, Frame, ISDN, PBX, etc..

Update the spreadsheet you created in step 1 with the information accumulated in this step. You should also create a subset of your network diagram depicting each perimeter endpoint. This diagram is a good visual for analysis as well as reporting

In addition to the devices within the DMZ you must also include the other servers that are related to the function and purpose of the endpoint that reside on the internal network i.e. database servers and application servers etc. as the majority of functionality for externally facing services is placed on internal segments for security reasons.

Step 3:
Once you have listed all the devices you must identify all of the software related to each. The first piece of software that must be identified is the operating system of the device. Every device will have some type of operating system including the telecommunication devices and appliances. Using the spreadsheet first created in step 1 update it to reflect the operating system for each device.

After you have completed capturing the operating system information you should then capture any other application running on each device and capture that information on the spreadsheet as well.

Step 4:
Once you have completed step 3 you should have all the raw technology information you need to perform your assessment but prior to performing your analysis you must first cross reference all the information gathered in steps 1 through 3 with the functions and purposes you identified in Part I of “assessing your perimeter” marking the first sanity check of our exercise.

A few notes to consider when mapping devices and software to the functions and purposes:

  1. Start by mapping the end points to the functions and purposes.
  2. It is ok to map end points to multiple functions and purposes.
  3. It is ok to map a device to more than one function and purpose.
  4. It is ok to map a piece of software to more than one function and purpose.
  5. If you can not map any endpoint(s) or device(s) to a function or purpose either you are not supporting that function or purpose or you are missing an end point and devices.
  6. If you can not map any software to a function or purpose either you are not supporting that function or purpose or you are missing some software.
  7. If you can not find a purpose of function for a piece of software you are either missing a function or purpose or the function or purpose of the software is no longer required. (This is probably more common than you might think)
  8. If you can not find a purpose of function for an endpoint(s) and/or device(s) you are either missing a function or purpose or the function or purpose of the endpoint(s) and/or /devices(s) is no longer required. (This is probably more common than you might think)

At this point it is probably a good idea to review your spreadsheet with the network architect (or someone else in your organization that may be suited to assist) to make sure you are capturing the information completely, accurately and have mapped everything effectively. Please make sure you review your list of unmatched components with the architect as well as the architect may be able to fill in the blanks.

Step 5:
Once you have confirmed your information with a trusted source you can finally begin your analysis. For this step you will be required to refer to your organization’s security and operational standards. If you do not have security and operational standards then refer to Part III of this series. If you do have these standards your analysis should consist of the following:

Level I by End point

  1. Validation that each device within this endpoint is configured based on the organization’s security and operational standards.
  2. Validation that the architecture does not permit bypassing firewall to enter internal network.
  3. Validation that all applications are at the proper version levels as per organization’s security and operational standards.
  4. Validation that all applications are at the proper patch levels as per organization’s security and operational standards.
  5. Validation that all the patch levels for each device within the endpoint is up to date based on the organization’s security and operational standards.
  6. Validation that any monitoring devices are configured as per organization’s security and operational standards.
  7. Validation that all end point devices are not vulnerable to network layer penetration attack by performing network penetration test.
  8. Validation that all end point devices are not vulnerable to application layer penetration attack. by performing application penetration test.

Level II by purpose and function.

  1. Validation that the endpoint is in the proper form to support the purpose and functions it is supporting. For example if the purpose and function expects a secure point to point connection to a business partner to transfer sales information and the endpoint is an unprotected public link you have a problem.
  2. Validation that only the required ports and protocols are enabled on the devices to support each purpose and function.
  3. Firewall rules must be examined to ensure that they support the purpose and functions of the endpoint.

A few thoughts before we leave step 5:

  1. Complying with patch levels does not always mean you must have the latest patches in place. What level of patching required should be noted in your standards and if the latest patch levels are not required there should be criteria for why and how to judge if the patch levels meet the documented and agreed upon criteria.
  2. As with patches complying with version levels does not always mean you must have the latest version in place. The version level that is required should be noted in your standards and if the latest version levels are not required there should be criteria for why and how to judge if the version levels meet the documented and agreed upon criteria.
  3. External penetration testing is often performed more reliably by external third parties who perform this function often and have the facilities to execute it quickly and cost effectively. My recommendation is to choose a reliable third party and have them perform periodic penetration testing of your perimeter end points.
  4. Firewall rules must be viewed in their entirety as some rules supersede others. Prior to reviewing the firewall rules get some background on your firewall so that you can understand the full rule set when you read it.
  5. Some appliance vendors will try and tell you that they do not have an operating system but, they do even if it is proprietary there is one and it is usually based on open source UNIX operating system.

Step 6:
Based on the analysis performed in Step 5 document all your observations based on an endpoint level as well as a level for each purpose and function. For continuity these observations should be captured on the same spreadsheet we have been using. Please note that observations can apply to multiple purposes and functions and is acceptable.

I hope this article has been helpful as I have tried to provide as much guidance as I could in a limited format. Please join me next time when we review the Step 3 of assessing your perimeter “Assess the Processes used to support your network perimeter”.