In a recent article, I discussed the importance of conducting a regular gap analysis of your organization's security practices. While it's vital that your organization regularly perform such audits of security policies and procedures, it's just as important to include a network risk assessment in this process.
An external network risk assessment is the first phase of identifying potential network security vulnerabilities on your organization's systems that are visible to the general public from the Internet. An internal assessment uses similar methodology, but you conduct it from the point of view of someone with access to the internal network.
Using a combination of various freeware and commercial tools and techniques to evaluate your network offers a clear picture of the dangers the company faces. At the minimum, an effective network assessment testing methodology should address the following areas:
- External network topology for improper firewall configuration
- Router filtering rules and configuration
- Weak authentication mechanisms (which could lead to a dictionary-based authentication attack)
- Improperly configured or vulnerable e-mail and DNS servers
- Potential network-layer Web server exploits
- Improperly configured database servers
- SNMP checks
- Vulnerable FTP servers
Make a point of emphasizing systems that deliver content or services to the public Internet. In my experience, services that provide information through common delivery mechanisms are at a greater security risk of becoming targets for potential intruders and automated malicious software, including worm attacks due to increased accessibility and exposure. Network services in this category include HTTP and HTTPS Web servers that provide content to remote users.
Your network risk assessment should include four phases: discovery, device profiling, scanning, and validation. Let's drill down into each phase.
Discovery involves establishing a fingerprint of the target network segment. This should include all active device addresses and their associated TCP, UDP, and other network services accessible from the internal network.
During this phase, use both active and passive sniffers to collect network traffic for parsing and analysis. Information obtained through this method should include identification of active hosts, authentication credentials (such as username and password combinations), indication of potential computer worm and/or Trojan presence, and other vulnerabilities.
Here's a list of some of the most popular tools used for network discovery:
- Nmap: This network service port scanner implements numerous techniques for evasion of network intrusion detection system (IDS) sensors.
- Ethereal: This passive network sniffer supports capture and interpretation of most Link Layer (media) and network and application protocols. When you use this tool in combination with Ettercap and ngrep, you can extract the captured network traffic to meaningful content, such as Web application transactions, user authentication for numerous protocols, e-mail messages, and other data.
- Firewalk: This tool implements methods of accurately determining network and protocol filtering rules of remote ingress network routing devices.
- hping: This tool provides methods of crafting unique packets using multiple protocols (e.g., ICMP, TCP, and UDP) to determine host availability, routing information, and several other metrics.
Using the information gathered during the discovery phase, you can analyze the list of accessible network services, Internet Protocol (IP) stack fingerprints, and known network architectures to identify potential roles and trust relationships each device plays in your network infrastructure.
Test each network service identified during the discovery and device profiling phases for known vulnerabilities. Vulnerabilities can fall into one or more categories. These include:
- System compromise
- Unauthorized data access
- Information disclosure
- Command execution
- Denial of service (DoS)
In some instances, it's possible to detect and exploit security risks associated with a particular network service using the following software applications:
- Nessus: This is a popular all-in-one vulnerability scanning tool kit that includes many of the most updated tests for a variety of operating systems and network services.
- onesixtyone: This is an SNMP service scanner and wordlist-based community string testing utility.
- nikto: This is a Web server vulnerability scanning tool.
After you've completed the first three phases of your network risk assessment, your final step is to attempt to exploit or validate all results from the vulnerability scanning phase. Tests and techniques applied during this stage of the assessment are often very specific to the potential vulnerabilities detected. This final phase of the assessment will generate the bulk of your results.
The Internet is a lawless place: Assessing your network for potential risks is part of the responsibility of providing network services to your organization's users and customers. If you don't find the problems on your network, you can be sure that someone else will.
Miss a column?
Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.
Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.