186
A Practical Guide to Security Assessments
are checklists that have to be modified for the environment similar to
the more process-oriented checklists in the appendices of this book.
• Firewalls — Firewalls are a key component of the overall security architecture and will almost certainly be tested in any security assessment. Firewalls are put up to filter traffic that is coming into and out of the network. Firewall testing has three components:
– Firewall placement — The overall network topology and the placement of the firewall are reviewed to determine whether it is optimally placed. Access control to the firewall itself is also reviewed to determine who has access to it.
– Rule base configuration — The firewall rule base is reviewed with the client to determine whether the rules reflect the client’s business requirements, with the rule of thumb being “deny everything and allow only what is required.” With firewalls, VPN (virtual private network) functionality is often used, and if that is the case, the VPN configuration is also reviewed.
– Logging and monitoring — The logging feature is reviewed with the client to determine what is logged and the frequency of the log review.
The testing related to the firewall can require significant time with client personnel due to the interactive nature of the test.
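Parts of the rule base and logging review described above can be mechanized before the interactive walk-through with the client. The following is an added example, not from the book: a small Python checker over a constructed, vendor-neutral rule list (first-match order) that flags a missing default-deny rule, over-permissive allow rules, inbound allow rules that are not logged, and rules shadowed by an earlier rule. The Rule format, the sample rules, the addresses and the finding codes are assumptions made for illustration.

```python
"""Static review of a firewall rule base (added example; rule format is constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"  # wildcard value for any match field


@dataclass(frozen=True)
class Rule:
    """One rule in first-match order; fields are strings so the checker stays vendor-neutral."""
    action: str          # "allow" or "deny"
    src: str             # source network or ANY
    dst: str             # destination host/network or ANY
    proto: str           # "tcp", "udp", "icmp" or ANY
    port: str            # destination port or ANY
    log: bool = False    # whether matches are logged


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every match field of `earlier` is a wildcard or equals the same field of
    `later`, so any packet `later` could match has already hit `earlier` (first-match)."""
    pairs = ((earlier.src, later.src), (earlier.dst, later.dst),
             (earlier.proto, later.proto), (earlier.port, later.port))
    return all(a == ANY or a == b for a, b in pairs)


def is_catch_all(rule: Rule) -> bool:
    return all(f == ANY for f in (rule.src, rule.dst, rule.proto, rule.port))


Finding = Tuple[Optional[int], str, str]  # (rule index or None, code, message)


def review(rules: List[Rule]) -> List[Finding]:
    findings: List[Finding] = []
    # "Deny everything and allow only what is required": the last rule must be a deny-all.
    if not rules or not (rules[-1].action == "deny" and is_catch_all(rules[-1])):
        findings.append((None, "no-default-deny",
                         "rule base does not end with an explicit deny-all rule"))
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == ANY and (rule.dst == ANY or rule.port == ANY):
            findings.append((i, "over-permissive",
                             "allow rule from any source with wildcard destination or port"))
        if rule.action == "allow" and rule.src == ANY and not rule.log:
            findings.append((i, "unlogged",
                             "inbound allow rule from any source is not logged"))
        for j in range(i):
            if covers(rules[j], rule):
                kind = "redundant" if rules[j].action == rule.action else "never takes effect"
                findings.append((i, "shadowed",
                                 f"rule {i} is shadowed by rule {j} ({kind})"))
                break  # report the first shadowing rule only
    return findings


# Constructed sample rule base for a small DMZ; hosts and networks are illustrative.
SAMPLE_RULES = [
    Rule("allow", ANY, "10.1.2.10", "tcp", "443", log=True),       # public web server
    Rule("allow", "10.0.0.0/8", "10.1.2.10", "tcp", "22"),          # admin SSH from inside
    Rule("allow", "10.0.0.0/8", "10.1.2.10", "tcp", "22", log=True),  # duplicate of rule 1
    Rule("allow", ANY, ANY, "tcp", ANY),                            # "temporary" wide-open rule
    Rule("deny", ANY, "10.1.2.20", "tcp", "3389"),                  # never reached: rule 3 covers it
    Rule("deny", ANY, ANY, ANY, ANY, log=True),                     # explicit default deny
]

if __name__ == "__main__":
    for index, code, message in review(SAMPLE_RULES):
        print(f"[{code}] rule {index}: {message}")
```

Shadowing is checked by field subsumption only, so it catches exact wildcards but not a network that contains a narrower network; a production checker would compare address ranges.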
• Intrusion detection systems (IDS) — Along with firewalls, intrusion detection systems are another significant piece of the overall security architecture. Traditional intrusion detection systems are essentially alarms — i.e., they tell you something is happening, but you then must validate and research the issue so you can react. Intrusion detection systems can be a significant amount of work to manage. The testing of intrusion detection systems comprises four main areas:
– Architecture — The IDS architecture is reviewed in conjunction with the network topology to determine whether the IDS sensors are optimally placed — i.e., are the IDS sensors protecting the critical hosts and network segments?
– Signature update maintenance — For an IDS to continue to be effective, attack signatures should be updated on a regular basis. The process for doing these updates is reviewed.
– Incident handling process — An IDS primarily serves as an alarm (it can be configured to take action, depending on the software), so the process for responding to these alarms is important. The alert classifications as well as the process for responding to alarms are reviewed.
– Optimization process — One of the most significant issues with IDS is false alarms — i.e., illegitimate alerts. The way to minimize false alarms is to review the IDS logs on an ongoing basis, determine which alerts are false alarms, and make the necessary adjustments so that those false alarms are minimized.
The different intrusion detection systems are similar in some ways, but each has its own nuances for how alerting works. The particular system needs to be thoroughly researched before reviewing the IDS.
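The optimization process above (review the logs, decide which alerts were false alarms, adjust) is easier to assess when the analysts' verdicts are recorded and aggregated per signature. The following is an added example, not from the book: a Python script that parses constructed alert lines in a generic key=value form, joins them with analyst dispositions, and for each signature recommends either keeping it, suppressing it only for the hosts that produce nothing but false alarms, or refining the signature when the same host produces both real and false alerts. The log format, hosts, signature names and thresholds are assumptions made for illustration and do not correspond to any particular product.

```python
"""Review IDS alert logs against analyst dispositions to find tuning candidates.
Added example; the log format, hosts and signature names are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

# Generic key=value alert lines (constructed; not a real sensor's format).
ALERTS = """\
2004-08-17T09:00:01 id=1 sig="ICMP PING" src=10.0.0.5 dst=10.1.2.10
2004-08-17T09:00:02 id=2 sig="ICMP PING" src=10.0.0.5 dst=10.1.2.11
2004-08-17T09:00:03 id=3 sig="ICMP PING" src=10.0.0.5 dst=10.1.2.12
2004-08-17T09:14:40 id=4 sig="ICMP PING" src=203.0.113.7 dst=10.1.2.10
2004-08-17T09:15:02 id=5 sig="WEB-ATTACK directory traversal" src=203.0.113.7 dst=10.1.2.10
2004-08-17T09:30:00 id=6 sig="SNMP public access" src=10.0.0.9 dst=10.1.2.10
2004-08-17T09:30:00 id=7 sig="SNMP public access" src=10.0.0.9 dst=10.1.2.11
2004-08-17T09:30:01 id=8 sig="SNMP public access" src=10.0.0.9 dst=10.1.2.12
2004-08-17T09:30:01 id=9 sig="SNMP public access" src=10.0.0.9 dst=10.1.2.13
2004-08-17T10:02:11 id=10 sig="SQL injection attempt" src=10.0.0.20 dst=10.1.2.10
2004-08-17T10:05:47 id=11 sig="SQL injection attempt" src=10.0.0.20 dst=10.1.2.10
this line is malformed and must be skipped
"""

# Analyst verdicts from the ongoing log review: alert id -> "true" or "false" alarm.
# In this constructed scenario 10.0.0.5 is the availability monitor and 10.0.0.9 the
# network-management station, so their ICMP and SNMP traffic is expected.
DISPOSITIONS: Dict[int, str] = {
    1: "false", 2: "false", 3: "false", 4: "true", 5: "true",
    6: "false", 7: "false", 8: "false", 9: "false",
    10: "false", 11: "true",
}

ALERT_RE = re.compile(r'id=(\d+) sig="([^"]+)" src=(\S+) dst=(\S+)')


def parse_alerts(text: str) -> List[dict]:
    """Extract id, signature, source and destination; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        alert_id, sig, src, dst = m.groups()
        alerts.append({"id": int(alert_id), "sig": sig, "src": src, "dst": dst})
    return alerts


def tuning_report(alerts: List[dict], dispositions: Dict[int, str], min_alerts: int = 2) -> Dict[str, dict]:
    """Per signature: how many alerts were false alarms and which adjustment is defensible."""
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[a["sig"]].append(a)
    report = {}
    for sig, items in by_sig.items():
        false_alarms = [a for a in items if dispositions.get(a["id"]) == "false"]
        real = [a for a in items if dispositions.get(a["id"]) == "true"]
        fp_sources = {a["src"] for a in false_alarms}
        tp_sources = {a["src"] for a in real}
        fp_rate = len(false_alarms) / len(items)  # alerts without a verdict count as unreviewed, not false
        if len(items) < min_alerts or fp_rate < 0.5:
            action = "keep"
        elif fp_sources and not (fp_sources & tp_sources):
            action = "suppress-source"    # every false alarm came from hosts that never raised a real alert
        else:
            action = "refine-signature"   # same host yields both; per-source suppression would hide real alerts
        report[sig] = {
            "total": len(items),
            "false_positives": len(false_alarms),
            "fp_rate": round(fp_rate, 2),
            "action": action,
            "sources": sorted(fp_sources) if action == "suppress-source" else [],
        }
    return report


if __name__ == "__main__":
    for sig, row in tuning_report(parse_alerts(ALERTS), DISPOSITIONS).items():
        print(f"{sig}: {row['false_positives']}/{row['total']} false, {row['action']} {row['sources']}")
```

The point of the source-scoped recommendation is that the ICMP PING signature is not disabled outright: the three alerts from the monitoring host are suppressed, while the alert from the external address is kept for the incident handling process.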
AU1706_book.fm Page 186 Tuesday, August 17, 2004 11:02 AM