Chapter Excerpt:
Packet flow from all networks

27 Aug 2008 | Syngress Publishing


By: Craig S. Wright

Service provider takeaway: Regulatory and standards compliance can present several challenges from both a business and a technical perspective. This section of the chapter excerpt from the book The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments focuses on scanning and analyzing packet and traffic flow through the networks.


Vulnerability scanners should be complemented with other specialized tools designed to analyze the packets going through the network.

Scanning the Network

Apart from assessing misconfigurations and vulnerabilities of the rulebase directly, the network itself should be scanned from every possible interface, both from the inside and the outside, in all directions. For these scans, several tools that perform network mapping and port reconnaissance are available for download from the Internet, such as nmap, NmapWin, hping, Superscan and nemesis. Passive vulnerability assessment tools (packet sniffers) are also available; these capture and display network traffic for analysis. Examples of these tools are Wireshark, tcpdump, and windump, to name a few. Lastly, there are active vulnerability scanners, in which specially crafted probes, supplied as plugins, are sent through the network to see how the target will respond. Examples of active vulnerability scanners are Nessus, Saint, SARA, and others.

Using the aforementioned tools, you can perform some basic tests such as:

  • Using Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) to scan the firewall on all 65,535 possible ports
  • Performing a ping sweep to see if echo requests can pass through
  • Performing a SYN scan of the subnet to look for open ports (use a full TCP connect scan for proxies)
  • Performing a slow SYN scan to see if port scans are detected
  • Performing a scan with FIN packets to see if they are handled differently
  • Performing a scan with ACK packets to see if they are handled differently
  • Fragmenting ACK packets to see if they are handled differently
  • Performing a UDP scan of the subnet to look for open ports

It is recommended that security administrators use more than a couple of tools to scan and monitor the network. This use of multiple tools will minimize false positives and false negatives, and will give a more complete picture of the network.

When scanning, ensure that sniffers are configured to monitor traffic passing through the firewall. Do not trust the firewall logs alone.
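The sniffer side of these tests is where the slow SYN scan, FIN scan and ACK scan items from the list above are confirmed. The following is an added example (not from the book) that runs over a small constructed log in a simplified `time src dst dport proto tcp_flags action` format and reports fast scans, slow scans that stay under per-window thresholds, and bare FIN/ACK probes; the thresholds and the log format are assumptions.

```python
from collections import defaultdict

# Constructed sniffer/firewall log (not from the book). Fields:
# time src dst dport proto tcp_flags action  (flags: S=SYN, F=FIN, A=ACK, -=n/a)
LOG = """\
00:00:01 10.0.0.5 192.168.1.10 21 TCP S DROP
00:00:01 10.0.0.5 192.168.1.10 22 TCP S ACCEPT
00:00:02 10.0.0.5 192.168.1.10 23 TCP S DROP
00:00:03 10.0.0.5 192.168.1.10 80 TCP S ACCEPT
00:00:05 10.0.0.3 192.168.1.10 443 TCP S ACCEPT
00:05:00 10.0.0.9 192.168.1.10 21 TCP S DROP
00:10:00 10.0.0.9 192.168.1.10 22 TCP S ACCEPT
00:15:00 10.0.0.9 192.168.1.10 53 UDP - DROP
00:20:00 10.0.0.9 192.168.1.10 80 TCP S ACCEPT
00:25:00 10.0.0.9 192.168.1.10 110 TCP S DROP
00:41:00 10.0.0.7 192.168.1.10 80 TCP F DROP
00:41:01 10.0.0.7 192.168.1.10 443 TCP A DROP
"""

def detect_scans(text, fast_ports=4, window=10, slow_ports=5):
    """Map (src, dst) -> findings. 'fast scan': >= fast_ports distinct ports
    inside any `window` seconds. 'slow scan': >= slow_ports distinct ports over
    the whole capture regardless of rate, so a scan throttled to dodge per-window
    thresholds is still caught. 'FIN probe'/'ACK probe': bare FIN or ACK segments,
    which a normal client never sends to a port it has no connection with."""
    events, odd = defaultdict(list), defaultdict(set)
    for line in text.splitlines():
        t, src, dst, port, proto, flags, _action = line.split()
        h, m, s = (int(x) for x in t.split(":"))
        events[(src, dst)].append((h * 3600 + m * 60 + s, int(port)))
        if proto == "TCP" and flags in ("F", "A"):
            odd[(src, dst)].add(flags)
    findings = {}
    for key, ev in events.items():
        ev.sort()
        notes, j = [], 0
        for i in range(len(ev)):                 # sliding time window
            while ev[i][0] - ev[j][0] > window:
                j += 1
            if len({p for _, p in ev[j:i + 1]}) >= fast_ports:
                notes.append("fast scan")
                break
        if len({p for _, p in ev}) >= slow_ports:
            notes.append("slow scan")
        notes += [{"A": "ACK probe", "F": "FIN probe"}[f] for f in sorted(odd[key])]
        if notes:
            findings[key] = notes
    return findings
```

Running `detect_scans(LOG)` on the sample flags 10.0.0.5 as a fast scan, 10.0.0.9 as a slow scan and 10.0.0.7 for its FIN and ACK probes, while the single connection from 10.0.0.3 produces nothing.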

Using nmap
The following are screenshots captured while performing some of the basic tests listed above using nmap. Note that several types of information, such as open ports and running services, are displayed as output.

TCP and UDP scan of the firewall on all 65,535 possible ports, where <target> is the firewall address; see Figure 11.7.

nmap -sTU -p1-65535 <target>

Perform a ping sweep to see if echo requests can pass through (-sn, -sP in older nmap releases, limits the run to host discovery); see Figure 11.8.

nmap -sn -PE <network>/24

SYN scan of the subnet to look for open ports (use a full TCP connect scan, -sT, for proxies); see Figure 11.9.

nmap -sS <network>/24

Scan with FIN packets to see if they are handled differently; see Figure 11.10.

nmap -sF <target>

Scan with ACK packets to see if they are handled differently; see Figure 11.11.

nmap -sA <target>

UDP scan of the subnet to look for open ports; see Figure 11.12.

nmap -sU <network>/24

Using hping2

Also available is hping2, a command-line oriented TCP/IP packet assembler/analyzer. Patterned after the ping(8) Unix command, hping supports TCP, UDP, ICMP and Raw IP protocols, has a traceroute mode, the ability to send files through a covert channel, and many other features. All header fields can be modified and controlled using the command line. Some of the uses of hping are firewall testing, advanced port scanning, network testing using different protocols, type of service (ToS), fragmentation, manual path maximum transmission unit (MTU) discovery, advanced traceroute under all the supported protocols, remote OS fingerprinting, remote uptime guessing, and TCP/IP stacks auditing.

Execute an hping UDP scan of port 123; see Figure 11.13.

Send an ICMP timestamp request packet (ICMP type 13); see Figure 11.14.

Perform an hping SYN scan of port 1; see Figure 11.15.

Change Control

A properly configured firewall rulebase soon becomes weak if it is not given a regular checkup. It comes as no surprise that some firewall administrators configure their firewalls just once and then never worry about them again. New vulnerabilities in both operating systems and firewall software are constantly being discovered. If the firewall operating system and software, including the rulebase, are not kept up to date, the firewall will not be able to withstand an attack, and the organization would have little claim to due diligence, or to reasonable and prudent precautions, in any legal proceedings.

However, changes to the firewall should never be done arbitrarily or on impulse. A proper change management procedure, as part of the overall security policy, is highly recommended. The following information should be included as comments whenever a rule is modified:

  • Name of person modifying rule
  • Date/time of rule change
  • Reason for rule change
  • Approval from management

The best part here is that this type of check lends itself to baselining and can be placed into an automated check. Why not let the system do the work for you and send an alert whenever anything changes without going through the correct change process?
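An added example (not part of the book) of such an automated baseline check: it compares the deployed rulebase against a stored baseline and reports every added, removed or modified rule whose change comment lacks any of the four fields listed above. The rulebases, the change records and their field names are constructed for the example.

```python
REQUIRED = ("who", "when", "reason", "approval")

# Constructed data (not from the book): the baseline rulebase, the rulebase
# as currently deployed, and the change comments recorded per rule id.
BASELINE = {
    1: ("any", "dmz-web", "tcp/80", "accept"),
    2: ("any", "dmz-web", "tcp/443", "accept"),
    3: ("lan", "any", "tcp/22", "accept"),
    4: ("any", "any", "any", "drop"),
}
CURRENT = {
    1: ("any", "dmz-web", "tcp/80", "accept"),
    2: ("any", "dmz-web", "tcp/443", "accept"),
    3: ("any", "any", "tcp/22", "accept"),      # silently widened to any source
    5: ("lan", "dmz-db", "tcp/1433", "accept"), # added with a complete comment
    6: ("lan", "any", "udp/123", "accept"),     # added, approval missing
    # rule 4 (the default drop) was removed with no record at all
}
CHANGES = {
    5: {"who": "jdoe", "when": "2008-08-27T10:15", "reason": "CRM rollout", "approval": "CAB-142"},
    6: {"who": "jdoe", "when": "2008-08-27T10:20", "reason": "NTP sync"},
}

def audit_rulebase(baseline, current, changes, required=REQUIRED):
    """Compare the deployed rulebase against the baseline and return one
    (rule_id, kind, problem) finding per rule whose change is undocumented
    or incompletely documented. Unchanged rules produce no finding."""
    findings = []
    for rid in sorted(set(baseline) | set(current)):
        if rid in baseline and rid in current:
            if baseline[rid] == current[rid]:
                continue                      # unchanged: nothing to report
            kind = "modified"
        else:
            kind = "added" if rid in current else "removed"
        record = changes.get(rid)
        if record is None:
            findings.append((rid, kind, "no change record"))
            continue
        missing = [f for f in required if not record.get(f)]
        if missing:
            findings.append((rid, kind, "missing " + ", ".join(missing)))
    return findings
```

Each finding is what the alert described above would carry; scheduling `audit_rulebase` against a rulebase export is the "let the system do the work" part.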

About the book

The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments provides a detailed methodology for several technically based and professional IT audit skills that lead to compliance. Purchase the book from Syngress Publishing.

Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments" by Craig S. Wright. For more information about this title and other similar books, please visit www.elsevierdirect.com.
