Network Router Audit Program

WP # 2001.00
Audit of Network Routers

Description
[Describe the nature and intended usage for the program here]

Revision Info
This program was last reviewed/updated on [Click to Insert Date here]

Step | Audit Procedure | Perf’d/Approved By | Workpaper Reference
BACKGROUND & PLANNING

1. Obtain adequate background information on the audit area such as:
   • Audit reports from other audit and/or compliance groups
   • Productivity and performance measurement reports/stats
   • Policies & Procedures
   • List of information technology applications utilized
   • List of laws and regulations

2. Review router security policies and ensure the policies address:
   • Physical Integrity (physical access, electrical access)
   • Core Static Configuration (admin access, software updates, etc.)
   • Dynamic configuration and router status (routing protocols)
   • Network traffic through the router (filtering)
   See router policy checklist in Appendix.

3. Examine productivity and performance measures for trends to assist in developing the audit scope.
INFORMATION SYSTEMS

The following represents general information systems testwork to be performed if warranted based on the risk posed by individual systems.

4. Determine and list the primary information systems utilized within the operations. Consider performing the following testing based on the risk.

5. Review the process for granting and terminating user access. Perform detailed testing to determine if access is terminated timely.
6. On a sample basis, test specific user access to determine if access is commensurate with job functions. Additionally, determine if access promotes adequate segregation of duties.

7. Perform testing where necessary to determine if system data is adequately backed up.

8. Determine the nature and extent of system interfaces. Review (perform testing of) interfaces to determine if data is accurate, complete and timely. Also consider whether there is a process to address interface errors.

9. Determine the effectiveness of basic application controls. Consider the following: does the system
   • Promote the use of strong passwords
   • Contain an appropriate audit trail
   • Contain adequate input validation controls
DETERMINE ROUTER RESPONSIBILITIES & PROCESSES

10. Determine router processes and responsibilities by interviewing relevant personnel (system administrators, network administrators, information security team, etc.) to gain an understanding of the following:
   • Initial setup (i.e. baselines, standards builds, etc.)
   • User management (i.e. user setup, remote access, password policy, etc.)
   • Configuration updates/change control
   • Logging and backups
DETERMINE NETWORK ARCHITECTURE

11. Utilize an up-to-date network diagram to determine the network architecture. Gain an understanding of the function of routers within the network. For example:
   • Interior Routers – An interior router forwards traffic between two or more local networks within an organization or enterprise. The networks connected by an interior router often share the same security policy, and the level of trust between them is usually high.
   • Backbone Routers – A backbone or exterior router is one that forwards traffic between different enterprises (sometimes called different ‘autonomous systems’). The traffic between the different networks that make up the Internet is directed by backbone routers.
   • Border Routers – A border router forwards traffic between an enterprise and exterior networks. The key aspect of a border router is that it forms part of the boundary between the trusted internal networks of an enterprise, and untrusted external networks (e.g. the Internet).

12. With the assistance of and permission from appropriate personnel, use a network mapping tool to obtain an “active footprint” of the network. The appropriate network personnel should have a tool (e.g. nmap, Nessus). Allow information technology personnel to perform the network mapping scan. Determine, at minimum:
   • What hosts are available on the network
   • The operating system and version running
   Note: It is not necessary to determine the services running at this point.

13. Compare results to information maintained by the IT group (i.e. are there devices connected that IT is unaware of).
PHYSICAL SECURITY

14. Determine the physical location of router and firewall equipment. Ensure the area is physically secured in a manner that provides access to relevant personnel only.
2007.00

EVALUATE ROUTER SYSTEM MANAGEMENT

15. Obtain an understanding of the Authentication, Authorization, and Accounting (AAA) functions (i.e. granting, revoking, and monitoring user access).
In Cisco routers, this is the new access control facility for controlling access, privileges, and logging of user activities on a router. (1) Authentication is the mechanism for identifying users before allowing access to a network component. (2) Authorization is the method used to describe what a user has the right to do once he has authenticated to the router. (3) Accounting is the component that allows for logging and tracking of user and traffic activities on the router, which can be used later for resource tracking or troubleshooting.

16. Based on risk, select specific routers for detailed access testing:
   • Determine the access methods utilized (telnet, ssh, http, snmp, tftp, etc.)
     o Ensure remote access over untrusted networks is adequately protected, because otherwise the user’s password will travel the network in clear text form (i.e. the security of remote administration can be enhanced by using a protocol that provides confidentiality and integrity assurances, such as IPSec or SSH).
   • Determine if access control lists are used and evaluate the appropriateness of the lists.
   • Ensure the use of timeouts for session activity.
   • Ensure the authentication method is secure (encryption) and requires strong passwords.
   • Ensure “Accounting” is adequate. For example, determine if user access is logged and if logs are adequately secured and maintained in a manner that promotes future reference if necessary.
   • Ensure banners are used to notify individuals of the equipment ownership, intended uses and repercussions of unwarranted uses. Additionally, ensure banners do not contain (1) network architecture or device information in the banner message, (2) router model and location information, or (3) any information that should not be shared with the general public.
     o MOTD (message of the day banner) – displays legal notice
     o Login Banner – (typically a clear text protocol)
     o Exec Banner – (displays after authentication)
   • Ensure unnecessary management services are disabled. For example:
     o Finger – Unix user lookup service, allows remote listing of logged in users.
     o Identd – The ident protocol is considered dangerous because it allows hackers to gain a list of usernames on a computer system which can later be used for attacks. A generally accepted solution to this is to set up a generic/generated identifier, returning node information or even gibberish (from the requester’s point of view) rather than usernames.
     o HTTP – offers web-based configuration.
EVALUATE ROUTER SYSTEM CONTROL

17. Determine the nature and extent of system controls including but not limited to:
   • Clock Configuration (external synchronization)
   • Logging (enabled, offsite to another server, time stamped messages, buffer sizes appropriate, console level logging enabled, appropriate logging levels (p56))
   • Control Services (appropriate services enabled/disabled such as small tcp services, small udp services, bootp, cdp, config services, tftp services, use tcp keep-alives)
18. Perform detailed testing of select routers and determine if:
   • Clocks are synchronized in a manner that allows for comparative analysis
   • Logging
     o Logging is enabled
     o Logs are stored in a secure location
     o Activity logged is adequate

19. Perform detailed testing of select routers and determine if unnecessary services are disabled and necessary services are enabled.
EVALUATE ROUTER DATA CONTROL

20. Evaluate the measures taken to control information passing through the router and/or information originating from the router itself. Specifically gain an understanding of the philosophy and usage of the following:
   • Directed Broadcast – amplifies a request; can be used to map a network (smurf attacks)
   • Source Routing – allows packets to specify the path to take
   • Proxy ARP – router acts as proxy server
   • Tunneled Interfaces
   • ICMP Redirects & Echo Request – router is giving away too much information
   • ICMP Unreachable – router notifies senders of incorrect IP addresses
   • Ingress Filtering – traffic coming in from external sources
     o Loopback addresses – 127.0.0.0/8 – special IP address that allows IP applications to communicate with other applications on the same host without knowing the IP address assigned to the host
     o Link Local addresses –
     o Zero addresses (this network) – 0.0.0.0/8
   • Egress Filtering – traffic going out
     o Let out packets with a valid source IP address (makes you a good net neighbor)
     o Log MAC id of traffic to identify (or come close to identifying) offenders

21. Select a sample of routers and ensure appropriate use of:
   • Directed Broadcasts
   • Source Routing
   • Proxy ARP
   • Tunneled Interfaces
   • Redirects
   • Unreachable Notifications

22. Select a sample of routers and ensure appropriate use of inbound traffic filters (i.e. inbound traffic with source IP of internal network and/or reserved addresses blocked).
23. Select a sample of routers and ensure appropriate use of outbound traffic filters (i.e. only allow owned addresses out).
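The source-address filter tests in steps 22 and 23 can be scripted against the ACLs pulled from a router configuration. The following is an added example written for this audit program, not part of it: it parses numbered extended IOS access-list entries (source field only), evaluates them first-match with the implicit deny, probes the inbound filter with the spoofed-internal, loopback and zero-network sources listed in step 20, and probes the outbound filter with an owned and a foreign source. The ACL numbers, the 10.0.0.0/8 internal range, the foreign address and the sample entries are all constructed.

```python
import ipaddress

def parse_acl(config_lines, number):
    """Parse 'access-list <n> permit|deny ip <src>|host <a>|any ...' entries; only
    the source is kept, since the steps above test source-address filtering."""
    entries = []
    for line in config_lines:
        w = line.split()
        if w[:2] != ["access-list", str(number)] or len(w) < 5 or w[3] != "ip":
            continue
        if w[4] == "any":
            src = ipaddress.ip_network("0.0.0.0/0")
        elif w[4] == "host":
            src = ipaddress.ip_network(w[5])              # single host, /32
        else:   # address + IOS wildcard mask; invert the wildcard to get a netmask
            netmask = ~int(ipaddress.ip_address(w[5])) & 0xFFFFFFFF
            src = ipaddress.ip_network(
                (w[4], str(ipaddress.ip_address(netmask))), strict=False)
        entries.append((w[2], src))
    return entries

def acl_verdict(entries, source_ip):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    addr = ipaddress.ip_address(source_ip)
    for action, net in entries:
        if addr in net:
            return action
    return "deny"

def ingress_checks(entries, internal_net):
    """Step 22: the inbound filter on an external interface must drop packets
    claiming an internal address, the loopback range or the zero network as source."""
    inside = next(ipaddress.ip_network(internal_net).hosts())
    probes = {"spoofed internal source": str(inside),
              "loopback 127.0.0.0/8": "127.0.0.1",
              "zero network 0.0.0.0/8": "0.0.0.1"}
    return {name: acl_verdict(entries, ip) == "deny" for name, ip in probes.items()}

def egress_checks(entries, owned_net, foreign_ip="203.0.113.9"):
    """Step 23: the outbound filter should let out only owned source addresses."""
    inside = next(ipaddress.ip_network(owned_net).hosts())
    return {"owned source permitted": acl_verdict(entries, str(inside)) == "permit",
            "foreign source denied": acl_verdict(entries, foreign_ip) == "deny"}

# Constructed sample (not from the audit program): ACL 101 is applied inbound on
# the border interface, ACL 102 outbound; the internal network is 10.0.0.0/8.
SAMPLE_ACL_CONFIG = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
""".splitlines()
```

A filter that omits the first deny line fails the "spoofed internal source" probe, which is exactly the gap step 22 looks for.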
BUSINESS CONTINUITY PLANNING

24. If necessary, obtain and review the department’s business continuity plan. Determine if the plan identifies, at minimum:
   • Critical Business Processes
   • Applications & Systems
   • Process Dependencies
   • Process Recovery Procedures
   • Recovery Site Information
   • Contact Lists Including
     o Employee Contact Information
     o Department Notifications
     o Vendor Notification
     o Other Emergency Contact Numbers (Local EMS, Fire, Police, Etc.)

25. Determine if the plan is tested regularly. Obtain and review the most recent testing documentation.
WRAP UP

26. Notate all issues on the issue log.
27. Submit workpapers for review.
28. Clear review notes.
29. Prepare draft report.
30. Prepare final report.
31. Return original client documentation.
32. File workpapers (manual and/or electronic).
Appendix

Overview of IOS Features to Disable or Restrict

Feature | Description | Default | Recommendation
Cisco Discovery Protocol (CDP) | Proprietary layer 2 protocol between Cisco devices. | Enabled | CDP is almost never needed; disable it.
TCP small servers | Standard TCP network services: echo, chargen, etc. | 11.3: disabled; 11.2: enabled | This is a legacy feature; disable it explicitly.
UDP small servers | Standard UDP network services: echo, discard, etc. | 11.3: disabled; 11.2: enabled | This is a legacy feature; disable it explicitly.
Finger | Unix user lookup service, allows remote listing of logged in users. | Enabled | Unauthorized persons don’t need to know this; disable it.
HTTP server | Some Cisco IOS devices offer web-based configuration. | Varies by device | If not in use, explicitly disable; otherwise restrict access.
Bootp server | Service to allow other routers to boot from this one. | Enabled | This is rarely needed and may open a security hole; disable it.
Configuration auto-loading | Router will attempt to load its configuration via TFTP. | Disabled | This is rarely used; disable it if it is not in use.
PAD service | Router will support X.25 packet assembler service. | Enabled | Disable if not explicitly needed.
IP source routing | Feature that allows a packet to specify its own route. | Enabled | Can be helpful in attacks; disable it.
Proxy ARP | Router will act as a proxy for layer 2 address resolution. | Enabled | Disable this service unless the router is serving as a LAN bridge.
IP directed broadcast | Packets can identify a target LAN for broadcasts. | Enabled (11.3 & earlier) | Directed broadcast can be used for attacks; disable it.
IP unreachable notifications | Router will explicitly notify senders of incorrect IP addresses. | Enabled | Can aid network mapping; disable on interfaces to untrusted networks.
IP mask reply | Router will send an interface’s IP address mask in response to an ICMP mask request. | Disabled | Can aid IP address mapping; explicitly disable on interfaces to untrusted networks.
IP redirects | Router will send an ICMP redirect message in response to certain routed IP packets. | Enabled | Can aid network mapping; disable on interfaces to untrusted networks.
Maintenance Operations Protocol (MOP) | Legacy management protocol, part of the DECNet protocol suite. | Enabled (on Ethernet interfaces) | Disable if not explicitly needed.
NTP service | Router can act as a time server for other devices and hosts. | Enabled (if NTP is configured) | If not in use, explicitly disable; otherwise restrict access.
Simple Network Mgmt. Protocol (SNMP) | Routers can support SNMP remote query and configuration. | Enabled | If not in use, remove default community strings and explicitly disable; otherwise restrict access.
Domain Name Service | Routers can perform DNS name resolution. | Enabled (broadcast) | Set the DNS server addresses explicitly, or disable DNS lookup.
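Step 19 asks the auditor to verify on selected routers that the features in the table above are disabled. As an added example (not part of the audit program), the following script reads a saved IOS running-config and reports each table feature that is not explicitly disabled, globally or per interface, plus any SNMP community still set to a well-known default name. The IOS "no ..." commands are supplied by this example (the table does not list them), and the sample configuration is constructed.

```python
GLOBAL_CHECKS = [  # (appendix feature, global-mode command that disables it)
    ("CDP", "no cdp run"), ("TCP small servers", "no service tcp-small-servers"),
    ("UDP small servers", "no service udp-small-servers"), ("Finger", "no service finger"),
    ("HTTP server", "no ip http server"), ("Bootp server", "no ip bootp server"),
    ("Configuration auto-loading", "no service config"), ("PAD service", "no service pad"),
    ("IP source routing", "no ip source-route"), ("Domain Name Service", "no ip domain-lookup"),
]
INTERFACE_CHECKS = [  # (appendix feature, interface-mode command that disables it)
    ("Proxy ARP", "no ip proxy-arp"), ("IP directed broadcast", "no ip directed-broadcast"),
    ("IP unreachable notifications", "no ip unreachables"), ("IP mask reply", "no ip mask-reply"),
    ("IP redirects", "no ip redirects"), ("MOP", "no mop enabled"),
]

def parse_config(text):
    """Split IOS-style config text into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:                      # '!' or a top-level command ends the block
            current = None
            if line and not line.startswith("!"):
                global_lines.append(line)
    return global_lines, interfaces

def audit_config(text):
    """Return (feature, scope, evidence) for each table item not explicitly disabled.
    Absence of the 'no ...' form is reported even where IOS defaults to off
    (e.g. IP mask reply), because the table asks for an explicit disable."""
    global_lines, interfaces = parse_config(text)
    findings = [(f, "global", c) for f, c in GLOBAL_CHECKS if c not in global_lines]
    for name, lines in interfaces.items():
        findings += [(f, name, c) for f, c in INTERFACE_CHECKS if c not in lines]
    for line in global_lines:      # default community strings (table, SNMP row)
        w = line.split()
        if w[:2] == ["snmp-server", "community"] and len(w) > 2 \
                and w[2].lower() in ("public", "private"):
            findings.append(("SNMP", "global", line))
    return findings

SAMPLE_RUNNING_CONFIG = """
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip http server
no ip source-route
snmp-server community public RO
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 no ip redirects
"""  # constructed sample, not taken from any real device
```

Each finding names the feature, where it applies ("global" or the interface) and the command whose absence or presence is the evidence, which maps directly onto the workpaper.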
Router Security Policy Checklist (from the National Security Agency - System and Network Attack Center (SNAC))

The checklist below is designed as an aid for creating router security policy. After drafting a policy, step through the list and check that each item is addressed in your policy.

Physical Security
• Designates who is authorized to install, de-install, and move the router.
• Designates who is authorized to perform hardware maintenance and to change the physical configuration of the router.
• Designates who is authorized to make physical connections to the router.
• Defines controls on placement and use of console and other direct access port connections.
• Defines recovery procedures for the event of physical damage to the router, or evidence of tampering with the router.

Static Configuration Security
• Designates who is authorized to log in directly to the router via the console or other direct access port connections.
• Designates who is authorized to assume administrative privileges on the router.
• Defines procedures and practices for making changes to the router static configuration (e.g. log book, change recording, review procedures).
• Defines the password policy for user/login passwords, and for administrative or privilege passwords. Include a list of conditions that require passwords to be changed (e.g. lifetime, staff changes, compromise).
• Designates who is authorized to log in to the router remotely.
• Designates protocols, procedures, and networks permitted for logging in to the router remotely.
• Defines the recovery procedures and identifies individuals responsible for recovery, in the case of compromise of the router’s static configuration.
• Defines the audit log policy for the router, including outlining log management practices and procedures and log review responsibilities.
• Designates procedures and limits on use of automated remote management and monitoring facilities (e.g. SNMP).
• Outlines response procedures or guidelines for detection of an attack against the router itself.
• Defines the management policy and update intervals for long-term secrets, such as those for routing protocols, NTP, TACACS+, RADIUS, and SNMP.
• Defines the key management policy for long-term cryptographic keys (if any).

Dynamic Configuration Security
• Identifies the dynamic configuration services permitted on the router, and the networks permitted to access those services.
• Identifies the routing protocols to be used, and the security features to be employed on each.
• Designates mechanisms and policies for setting or automating maintenance of the router’s clock (e.g. manual setting, NTP).
• Identifies key agreement and cryptographic algorithms authorized for use in establishing VPN tunnels with other networks (if any).

Network Service Security
• Enumerates protocols, ports, and services to be permitted or filtered by the router, for each interface or connection (e.g. inbound and outbound), and identifies procedures and authorities for authorizing them.
• Describes security procedures and roles for interactions with external service providers and maintenance technicians.

Compromise Response
• Enumerates individuals or organizations to be notified in the event of a network compromise.
• Identifies relevant configuration information to be captured and retained.
• Defines response procedures, authorities, and objectives for response after a successful attack against the network, including provision for preserving evidence and for notification of law enforcement.