Recommended Perimeter Auditing Tasks

Perimeter auditing should cover the entire perimeter, not just the organization's Internet connection. Earlier, we defined the perimeter as the set of locations where non-trusted parties have access to internal resources. Common perimeter points include:

  • Internet connections, including dial-up

  • Active modems for inbound or outbound communications

  • Partner, vendor, and customer network connections

  • Wireless access points

  • VPN access points

The following is a list of recommended tasks for auditing the perimeter:

  • Understand what can be seen from the outside world. Perform a network scan of the entire address range assigned to the organization's Internet connection, not just the addresses you already know about. The goal is to find every system that is visible from the outside, including the ones nobody documented. While the scan runs, check that the perimeter security devices detect and report it; a scan that produces no alerts is a finding in itself.

  • Find your direct vulnerabilities. Perform a vulnerability scan of every externally accessible device, including routers, switches, and servers. The scans should test not only the vulnerabilities of the systems but also whether the monitoring devices notice the scanning. Run two scans:

    • Scan all devices from within the local network, with no firewall or other security device between the scanner and the targets; this shows the vulnerabilities present on the hosts themselves.

    • Scan the same devices from the outside (Internet, dial-up, etc.) with the security controls in place between the scanner and the targets; the difference between the two results shows what the controls actually block, and anything still reachable from outside is what an attacker can work with.

  • Perform a hands-on audit of all external devices. During this audit, make sure each system is properly hardened: check logging, policy settings, password protection, disabled and default accounts, and so on.

  • Audit security device settings. Log into every perimeter security device and verify its settings and controls.

    • Firewalls. Check each rule and look for rules that are out of date, misconfigured, or not following the Rule of Least Privilege. Make sure the firewall application and its operating system are patched with the latest security fixes and that logs are properly collected and reviewed. Attempt to access systems through the firewall and observe the organization's response.

    • IDS. Check that signatures are up to date and that the right events are being monitored. Simulate attacks to confirm the IDS is properly tuned for the network and reports correctly, and observe the organization's response to the simulation (be sure to have explicit permission before taking such action).

  • Check for multiple security layers. Make sure that external routers enforce some degree of filtering and logging, that the firewall and other security devices are themselves hardened, and that externally accessible devices are properly secured and their events are being logged.

  • Perform extended entry point searching. If possible, download or purchase a war-dialer and call every number local to your organization. Some of these tools simply search for answering modems; more advanced products will also attempt to further exploit the systems that answer, so run those features only against numbers you are authorized to test.
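A worked version of the inside-versus-outside scan comparison and the sensor check from the first two tasks above, as an added Python example that is not from the book: it parses nmap's grepable output (-oG) for both scans, reports services reachable from the Internet that are not on an approved-exposure list, confirms that the controls filter everything else, and lists which perimeter sensors never logged the scanner's address. The nmap lines, the approved-exposure list, the syslog lines, and the host and sensor names are all constructed for the example.

```python
"""Differential perimeter scan review.

Compare the unfiltered inside scan with the external scan of the same hosts,
flag Internet-reachable services that are not approved, and confirm that
every perimeter sensor logged the scan.

Added example (not from the book). The nmap grepable lines, the approved
exposure list and the IDS/firewall syslog lines are constructed data; the
host addresses and sensor names are illustrative.
"""
import re
from collections import defaultdict

# Constructed nmap -oG output: the same three DMZ hosts scanned from inside
# (no firewall in the path) and from the Internet (controls in place).
INSIDE_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (996)
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///, 143/open/tcp//imap///, 587/open/tcp//submission///\tIgnored State: closed (996)
Host: 203.0.113.12 ()\tPorts: 23/open/tcp//telnet///, 161/open/udp//snmp///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
"""
OUTSIDE_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 110/filtered/tcp//pop3///, 143/filtered/tcp//imap///, 587/filtered/tcp//submission///\tIgnored State: closed (996)
Host: 203.0.113.12 ()\tPorts: 23/open/tcp//telnet///, 161/open/udp//snmp///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
"""

# What the organization has agreed to expose to the Internet, per host
# (constructed for the example).
APPROVED_EXPOSURE = {
    "203.0.113.10": {("tcp", 80), ("tcp", 443)},
    "203.0.113.11": {("tcp", 25), ("tcp", 587)},
}

# Constructed IDS and firewall syslog lines captured during the external scan.
MONITOR_LOG = """\
Mar 12 02:14:07 ids1 snort[1842]: portscan: TCP portsweep from 198.51.100.7 against 203.0.113.0/24
Mar 12 02:14:09 fw1 filterlog: block in on ext0 tcp 198.51.100.7:41002 -> 203.0.113.10:3306
Mar 12 02:15:30 ids1 snort[1842]: portscan: UDP portscan from 198.51.100.7 against 203.0.113.12
Mar 12 02:15:31 fw1 filterlog: pass in on ext0 tcp 198.51.100.7:41310 -> 203.0.113.12:23
"""


def parse_grepable(text):
    """Return {host: {(proto, port): state}} from nmap -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            # Each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            hosts[host][(fields[2], int(fields[0]))] = fields[1]
    return dict(hosts)


def audit_exposure(inside, outside, approved):
    """Compare the two scans against the approved-exposure list.

    unexpected_exposure: open from the Internet but not approved (a finding)
    filtered_ok:         open inside but filtered outside (controls working)
    approved_unreachable: approved but not open from outside (broken rule or service)
    """
    findings = {"unexpected_exposure": [], "filtered_ok": [], "approved_unreachable": []}
    for host in sorted(set(inside) | set(outside)):
        allowed = approved.get(host, set())
        for key, state in sorted(outside.get(host, {}).items()):
            if key in allowed:
                continue  # checked in the loop over the approved list below
            if state == "open":
                findings["unexpected_exposure"].append((host, key[0], key[1]))
            elif inside.get(host, {}).get(key) == "open":
                findings["filtered_ok"].append((host, key[0], key[1]))
        for key in sorted(allowed):
            if outside.get(host, {}).get(key) != "open":
                findings["approved_unreachable"].append((host, key[0], key[1]))
    return findings


def silent_sensors(log_text, scanner_ip, expected_sensors):
    """Return the expected sensors that logged nothing from the scanner.

    The fourth whitespace-separated field of a syslog line is the reporting
    host. A sensor absent from the result saw the scan; one present in it is
    either blind to the traffic or not forwarding its logs.
    """
    ip_re = re.compile(r"(?<![\d.])" + re.escape(scanner_ip) + r"(?![\d.])")
    seen = {line.split()[3] for line in log_text.splitlines() if ip_re.search(line)}
    return set(expected_sensors) - seen


if __name__ == "__main__":
    inside = parse_grepable(INSIDE_SCAN)
    outside = parse_grepable(OUTSIDE_SCAN)
    for kind, items in audit_exposure(inside, outside, APPROVED_EXPOSURE).items():
        for host, proto, port in items:
            print(f"{kind:21s} {host} {proto}/{port}")
    blind = silent_sensors(MONITOR_LOG, "198.51.100.7", {"ids1", "fw1", "edge-rtr"})
    print("sensors that did not log the scan:", sorted(blind))
```

With the constructed data the review reports ssh on 203.0.113.10 and telnet and SNMP on 203.0.113.12 as unexpected exposure, confirms that MySQL, POP3, IMAP and the proxy are filtered, flags the approved submission port on 203.0.113.11 as unreachable from outside, and shows that the edge router (edge-rtr) logged nothing, which is exactly the missing-layer condition the "multiple security layers" task looks for.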
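For the firewall rule review, an added Python example (not from the book) that applies three of the checks above to a rule base: permits broader than the Rule of Least Privilege allows, rules past their expiry date, and rules shadowed by an earlier rule, which are the typical out-of-date entries. The rule table and its vendor-neutral column format are constructed for the example; a real firewall's export needs that product's own parser, and the audit date is passed in explicitly so the result is reproducible.

```python
"""Firewall rule review for the Rule of Least Privilege.

Flags permits that are broader than they need to be, rules past their expiry
date, and rules fully shadowed by an earlier rule (dead entries that signal a
stale rule base), and checks that the rule base ends in a default deny.

Added example, not the book's. The rule table is a constructed, vendor-neutral
export: id, action, source, destination, protocol, destination port, expiry
date ('-' for none) and a free-text comment.
"""
import ipaddress
from datetime import date

RULES = """\
# id  action  src              dst              proto  dport  expires     comment
10    permit  any              203.0.113.10/32  tcp    443    2030-01-01  public web
20    permit  any              203.0.113.10/32  tcp    80     2030-01-01  public web, redirect to 443
30    permit  198.51.100.0/24  203.0.113.0/24   any    any    2020-06-30  vendor X temporary access
40    permit  any              203.0.113.11/32  tcp    25     2030-01-01  inbound mail
50    permit  any              203.0.113.10/32  tcp    443    2030-01-01  public web (older entry)
60    permit  any              any              tcp    22     2030-01-01  admin ssh
70    deny    any              any              any    any    -           default deny
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rules(text):
    """Parse the constructed rule table into a list of dicts, in rule order."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rid, action, src, dst, proto, dport, expires, *comment = line.split()
        rules.append({
            "id": int(rid),
            "action": action,
            "src": ANY if src == "any" else ipaddress.ip_network(src),
            "dst": ANY if dst == "any" else ipaddress.ip_network(dst),
            "proto": proto,
            "dport": dport,
            "expires": None if expires == "-" else date.fromisoformat(expires),
            "comment": " ".join(comment),
        })
    return rules


def covers(a, b):
    """True if every packet that rule b matches is also matched by rule a."""
    return (b["src"].subnet_of(a["src"])
            and b["dst"].subnet_of(a["dst"])
            and a["proto"] in ("any", b["proto"])
            and a["dport"] in ("any", b["dport"]))


def review_rules(rules, audit_date):
    """Apply the least-privilege, expiry and shadowing checks to a rule base."""
    findings = {"overly_broad": [], "expired": [], "shadowed": []}
    for i, rule in enumerate(rules):
        # A permit to any destination, any protocol or any port is broader than
        # a single published service needs; 'any' source alone is normal for a
        # public service and is not flagged.
        if rule["action"] == "permit" and (
                rule["dst"] == ANY or "any" in (rule["proto"], rule["dport"])):
            findings["overly_broad"].append(rule["id"])
        if rule["expires"] is not None and rule["expires"] < audit_date:
            findings["expired"].append(rule["id"])
        # A rule entirely covered by an earlier one can never match; it is
        # either a leftover duplicate or a sign the ordering is wrong.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings["shadowed"].append((rule["id"], earlier["id"]))
                break
    last = rules[-1] if rules else None
    findings["default_deny_present"] = bool(
        last and last["action"] == "deny"
        and last["src"] == ANY and last["dst"] == ANY
        and last["proto"] == "any" and last["dport"] == "any")
    return findings


if __name__ == "__main__":
    for kind, value in review_rules(parse_rules(RULES), date(2024, 3, 12)).items():
        print(f"{kind:21s} {value}")
```

Against the constructed table the review flags rule 30 (any protocol, any port, and expired) and rule 60 (ssh permitted to any destination) as too broad, reports rule 50 as shadowed by rule 10, and confirms the closing default deny. The shadowing test is deliberately conservative: it only reports a rule when an earlier rule matches everything it could match, so partial overlaps still need a human reviewer.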



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day
