Merging The Networks Inventory Mapping And Auditing


02 Nov 2017


Axiom Networks, as a professional IT consultant for the upcoming expansion, has summarized an overall security initiative and prospective plan for the acquisition, convergence, addition and reduction (where necessary) of multiple network nodes and equipment in addition to your own inventory. This includes identifying new and potentially unknown assets, the new risks that may or may not be exposed, and creating a baseline acceptable use policy for all new and existing employees to follow immediately across all combined infrastructure. Merging companies is a "challenging and costly process that can make or break companies. While most companies provide a strong infrastructure that can change with the times it is much more difficult to merge personnel and data processing designs..." (Kralicek, 2001)

Because not much is known about the existing perimeter defense and the other security and remediation tools and protocols present in the acquisition's current environment, we will also suggest the implementation of a new perimeter defense system, including a new network firewall, an intrusion detection / prevention system and a vulnerability scanner for threat and exploit management. Keeping a database of the latest scan results for comparison also makes auditing and compliance more efficient.

Although a full security policy is beyond the scope of this document, we will touch on how this policy will play a major role in securing the environment.

This type of problem can almost always be somewhat remediated by using best practices in assessment, deployment and monitoring of a stronger security initiative. A decent budget always helps, but accurate planning proves to be the best use of resources, no matter how many expensive appliances you have.

Our first objective, as with any new acquisition, is to inventory and secure the goods. We will start the process by creating a comprehensive map of the network, including both the base network and the acquired network. Again, because of the vague details of the new equipment, combined with the level of professional coordination with the existing IT team, we must take into account the possibility of ‘leaked’ access points, in which terminated and/or restricted users retain rights to equipment through old configurations, e.g. remote access to wireless routers or WPS authorization. Other exploitation methods include ‘rogue’ access points and misconfiguration exploits. Hardware addresses of all access points, wireless and wired, will be recorded by vendor and matched against our configuration in the Router Security Policy. This process is outlined in more detail on page 3.

Any in-house code that is found should be documented and researched. Often these types of wares play an important role in a specific business process, and frequently the only people with the knowledge to service and port the code are the writer or maintainer, in this case probably one of the members of the merger's IT staff who are being particularly disobliging and difficult. We need to know whether these wares play a role in operations, whether they can be painlessly integrated into our new topology and network layout, or whether an alternate substitute will be needed, before the network goes live.

After determining our inventory and configuration, our newly acquired (purchased and gained from the merger) equipment will be scanned for vulnerabilities. This process is detailed in the ‘Web Vulnerability and Scanning’ section below on page 6.

Merging the Networks: Inventory, Mapping & Auditing

Scanning with the recommended tool NetCrunch, configured on a Windows 2008 console central to our home network (to obscure our internal networks' IP addresses), combined with the O/S fingerprinting and stealth capabilities of Nmap probing with crafted TCP and UDP packets from the DMZ point of our network (to ensure authentic scan results without interference from packet-filtering devices), we would begin mapping the network in its entirety. NetCrunch 6.5 can also be deployed from cloud services to provide virtually unrestricted scanning, regardless of location or host resources.

The results of these scans will be further analyzed by our internal security analysts, who provide on-the-fly insight into structure and topology flaws. Knowing what needs to be replaced and redeployed versus what can simply be reconfigured can have a positive impact on budget.

Passive nodes and media such as cabling, dumb hubs and switches, and terminals can be re-used after inspection, allowing funds to be allocated more efficiently than to basic equipment overhead. Although a physical walk-through and a more detailed inventory will be necessary in the future, the results of our network mapping scans will give us a head start and at least allow us to plug accurate metadata such as hardware addresses, logical placement, firmware and operating system versions and serial numbers into our inventory database. This data will be used later to provide a full inventory and asset listing, and will be fed into our threat identification and mitigation techniques.
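The hardware-address matching described above (recorded access points checked against the Router Security Policy, with scan metadata fed into the inventory database) can be scripted. The following is an added example, not part of the original essay or of NetCrunch/Nmap; the scan export format, the OUI vendor table, the baseline and all addresses are constructed for illustration.

```python
# Added example (not from the original essay): reconcile discovered nodes
# against the approved hardware-address baseline. All inputs are constructed.
from dataclasses import dataclass

# Constructed OUI-prefix -> vendor table; a real deployment would load the
# IEEE OUI registry. These three prefixes are illustrative only.
OUI_VENDORS = {"00:1A:2B": "ExampleRouterCo", "00:3C:4D": "ExampleSwitchCo",
               "DE:AD:BE": "UnknownVendorCo"}

@dataclass
class Node:
    mac: str
    ip: str
    os_guess: str
    vendor: str = ""
    status: str = ""  # "approved", "rogue" or "moved" after reconcile()

def normalize_mac(mac: str) -> str:
    """Canonical form: upper-case, colon-separated (accepts 00-1a-2b-... or 001a.2b00.... too)."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").upper()
    if len(digits) != 12:
        raise ValueError(f"bad hardware address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def vendor_for(mac: str) -> str:
    """Look up the 24-bit OUI prefix; an unknown prefix is reported, not guessed."""
    return OUI_VENDORS.get(normalize_mac(mac)[:8], "unknown-oui")

def parse_scan(text: str) -> list[Node]:
    """Parse the constructed one-host-per-line 'ip mac os-guess' export."""
    nodes = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ip, mac, os_guess = line.split(maxsplit=2)
        nodes.append(Node(mac=normalize_mac(mac), ip=ip, os_guess=os_guess))
    return nodes

def reconcile(nodes: list[Node], baseline: dict[str, str]) -> list[Node]:
    """Unknown MACs are 'rogue'; approved MACs seen at an unexpected address
    are 'moved' (re-addressing or spoofing) and also need a human look."""
    approved = {normalize_mac(m): ip for m, ip in baseline.items()}
    for n in nodes:
        n.vendor = vendor_for(n.mac)
        if n.mac not in approved:
            n.status = "rogue"
        elif approved[n.mac] != n.ip:
            n.status = "moved"
        else:
            n.status = "approved"
    return nodes

# Constructed sample inputs: a four-host scan export and a three-entry baseline.
SCAN_EXPORT = """
# ip mac os-guess
10.0.1.1 00:1a:2b:00:00:01 Linux 2.6.x (embedded)
10.0.1.2 00-3C-4D-00-00-02 Cisco IOS 12.x
10.0.1.50 de:ad:be:ef:00:03 Linux 3.x (wireless AP)
10.0.1.9 00:1a:2b:00:00:04 Linux 2.6.x (embedded)
"""
BASELINE = {  # approved MAC -> expected IP (from the Router Security Policy)
    "00:1A:2B:00:00:01": "10.0.1.1",
    "00:3C:4D:00:00:02": "10.0.1.2",
    "00:1A:2B:00:00:04": "10.0.1.4",
}

if __name__ == "__main__":
    for n in reconcile(parse_scan(SCAN_EXPORT), BASELINE):
        print(f"{n.status:8} {n.ip:10} {n.mac}  {n.vendor:16} {n.os_guess}")
```

Every node that is not reported as "approved" goes on the walk-through list; the vendor column is what lets an analyst spot an access point whose OUI does not belong to any vendor in the approved inventory.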

Merging the Networks: Setting the Perimeter & Baselines

Since factors such as the total number of employees, computers and type of infrastructure are unknown, we must gain as many details as possible about the background of the company’s former business processes by investigating publicly available information. We use proven internet research methods and analysts who go through public records including IPO filings, white pages, U.S. Securities & Stock Exchange databases and WebCheck to build a profile of the merger, estimating its value, business operations and any history of disclosed compromises, in order to build a picture of how best to merge our assets in a secure manner.

Once the new network is mapped and documented, the perimeter nodes should be replaced (firewall / IDS) and vulnerability testing should be in its beginning stages. The resulting audits performed from scan results are base-lined, and rescanned to tune packet-filtering appliances and feed the anomaly profile if used in conjunction with your IDPS. As always, we take a layered approach to security, as described in the Defense in Depth (DiD) strategy. We also take an offensive approach when it comes to penetration, stress and bench testing. We will go further into the tools we use and a few strategies in the Vulnerability Scanner section.

Merging the Networks: Closing Security Gaps

The parent company’s configuration files and rule-bases should be backed up, reviewed, and finally deployed on the new infrastructure. It is ideal to put the firewall and the IDPS in definition mode until the new network traffic can be modeled into anomaly profiles.

If it is possible at this point to do a walk-through on the new grounds, do so. Even if we are not able to fully document the new environment, we will take notes on locations that will be important from a security perspective once the facility is up and running. Locations that are publicly accessible should be noted. Where is the server room located? Can it be physically secured, or will something else have to be implemented? What external connectivity issues are there, if any? Taking these preemptive measures ensures, at the very minimum, that there are no location-centric surprises.

At the parent company facility, we will be deploying an extranet as a central hub for key executives and personnel to share the latest information on the merger, host a copy of the company security policy, and host computer-based training programs aimed at creating awareness about how security affects everyone. FAQs and forums will be posted here, and as the merger nears completion, the seed company will be granted restricted access as well, as an open opportunity to share about their business processes, how things will change for them, and the new security policy that will be enforced on employees who remain after the merger.

Intrusion Detection System

Although some say that the methodology of detection systems is past its prime as a single line of defense, as opposed to the recently revamped wave of intrusion prevention systems and all-in-one security appliances, we still believe that a finely-tuned IDS that allows for multiple modes of detection, or is combined with a prevention system, is the best way to keep the layered approach. Weighing price against functionality and scalability, we found that the Juniper IDP-8200 more than met our requirements.

Our runner-up was NetProwler IDS by Symantec. This IDS consists of an agent, a manager and a console. When we were choosing the network-based IDS, we listed three types of attacks that the IDS would likely face today: recon (scanning, O/S fingerprinting), exploits (bugs and commercial) and DoS-based attacks. After some research, we found that NetProwler has a fatal DoS exploit and therefore should not be used in our environment.

The Juniper system comes with a hardware ID/PS appliance that combines stateful signature, anomaly and backdoor detection with application intelligence, successfully utilizing the best methods of both IDS and IPS in one easy-to-deploy, secure and cost-effective solution. Another flagship feature that really increases flexibility and possibly ROI is one that allows the administrator to deploy virtual honeypots with full IP tracking, letting you see the latest exploits in action so they can be mitigated and added to your defenses, as well as catching the would-be intruder in the act. I/O modules include support for fiber (LX and SX) and up to 4 ports supporting up to 10 GbE copper. It comes with Network & Security Manager software that supports up to 100 licenses, which runs on the command console for network-wide administration.

This appliance will be placed directly behind the firewall to ensure that it is not facing the public internet. Although it will sit at the perimeter along with other security appliances for extra layers of defense, make no mistake, this is sold as a network-wide security solution in itself. The very high throughput and scalability allow it to be deployed anywhere on the network without having to worry about bottlenecking traffic through an inspection node, and its functionality is not limited to detection and alerting. The ROI shows itself again when comparing competitors’ products; similar functionality at half the throughput is about all we could find in the same price range. On-box reporting and logging allows for administration through an SSL session in any web browser, without the need to connect to a separate server to get on-the-fly analysis done. If a more thorough analysis is needed, administrators can log on to a centrally managed console hosted on any server for complete configuration control. IDP as well as VPN traffic can be monitored here as well. Axiom Labs estimates a deployment life of at least 6 years.

"The idea is to establish your network perimeter and to identify all possible points of entry to your network. Once found IDS sensors can be put in place and must be configured to report to a central management console. The dedicated administrators would logon to the console and manage the sensors, providing it with a new-updated signature, and reviewing logs." (SANS; Understanding IDS, 2001)

Combined with the rest of the tools described below, along with our expertise and a truly robust Security Policy, we believe that adding the new merger and its assets will become a benefit as opposed to a security concern, and may even increase security because of the greater focus.

Web & Vulnerability Scanner

There is a wealth of web and network scanners out there, with great choices in both the commercial and open source offerings. In our experience, the accuracy of the scans may depend on what your systems are running, your existing security stance and your system baselines. Furthermore, vast differences in detection and even in the categorization of vulnerabilities make this choice even tougher, given that we don’t know much about the new infrastructure gained from the acquisition. For instance, Acunetix may be great at detecting exploitable PHP, while OpenVAS may be better for an environment with multiple codebases and needs, as the software has a robust choice of installable modules. Another great vulnerability scanning solution coming up is Nexpose by Rapid7, which has great integration features with the Metasploit framework.

Due to the criticality and financial risk, shaky cooperation with the adopted IT staff and the unknown type of environment we will be adopting, we decided that skimping here may prove fatal. We propose adopting at least a 1-year license of Core Impact Pro. This software/hardware suite is a bit pricey, but delivers a robust, professional way to scan and assess vulnerabilities as well as to do full penetration tests on network assets. It does deep recon, vulnerability scanning, pen-testing and reporting, all in one point-and-click GUI environment.

Plain-Jane vulnerability scanning won’t offer the insight that we need to identify, remediate and mitigate threats. A full pen-testing suite that makes use of commercial and in-house exploits, with full vendor support, gives us the ability to identify which of the vulnerabilities actually pose a real threat to our network and to determine the exact impact a compromise would have on our specific systems. Combined with the honeypot feature of our IDPS, we would be able to replicate an attack from any angle and vector and see the exact effect it would have without disrupting our production machines. Once our new network nodes have been scanned and documented, we can test them under the rules of our security policy for effectiveness and then place them where needed. Identified vulnerabilities can be validated and categorized into what we deem critical, medium or low-risk vulnerabilities, as described by our policy and asset/process identification. This is the type of offensive security that provides a prospective advantage when it comes to keeping pace with the evolution of cyber-threats, which will be detailed in the conclusion section.

After we have documented, hardened, deployed and secured our new assets, processes and equipment, and after about a year of tweaking and documenting our environment, the IT, Disaster Recovery and Security teams may re-evaluate the market for a more traditional, supplemental vulnerability and web scanner. In the meantime, reliable open-source scanners like Nessus (home feed) and OpenVAS are suggested as a cross-reference and second opinion. As always, no written program is a replacement for a seasoned security analyst or pen-tester. People, places and things are all components of securing your data and assets.

Firewall Recommendations

Ironically, our last recommendation among the security appliances will be your first defense against compromise and data leaks. Although the firewall is often incorrectly assumed to be a one-device-stops-all component, it does play a critical role in our overall defense strategy. Filtering and dropping most malicious packets before they even touch the network is vital in blocking external threats, and internal ones too, as well as keeping unnecessary traffic out. The sheer number of workstations in our network, along with the various locations and the high-throughput counter-components we have recommended, suggests that high-performance, policy-based multi-site connectivity would be a necessity. Our first choice that met our specifications comes from Dell’s SonicWALL brand. Specifically, the self-proclaimed NG-class NSA (Network Security Appliance) E8510 meets all of our deliverables and then some. Our initial choice was the newly released SuperMassive 9000. After comparative research, it was found that the E8510 combined with the IDP-8200 covered the feature set of the 9000 at a significantly reduced price point.

Diving into the spec sheet, we found that the firewall can be deployed as a gateway device at the perimeter, or in-line on another network segment. The firewall uses two different methods of packet inspection: standard stateful inspection and deep-packet inspection. DPI, also known as ‘complete packet inspection’, inspects the entire packet’s data instead of just the header, searching for known malicious signatures and for packets not matching the security policy. This is performed by combining standards from intrusion detection, prevention and stateful inspection, all before the datagram enters the network. Logging takes place locally, in the system log and in the embedded ‘ViewPoint’ system for flexible analysis and documentation. Some of the corporate services supported include IKEv2 VPN, Citrix Terminal Services and SSL control. This is great to have, as we may have more than one remote access solution and policy. Policy-based routing and NAT further enforce our policy at layers 2 and 3 of the OSI model. Other built-in security features include VoIP protection, single sign-on options and multi-WAN connections, which may serve well in our current merger position. This will allow us to secure incoming connections from our ISP as well as the merger's connection until we come up with a single backbone solution.

On the performance end, the E8510 is no slouch either. Without the gateway anti-virus module active, we’re looking at a minimum throughput of 2 Gbps even with full DPI running, and with 4 GB of RAM onboard the appliance stays happily humming along under stress as well. Load balancing does the same justice for inbound connections, and QoS features and bandwidth management configurations allow us to put the most juice where it is needed. The firewall supports up to 50,000 connections, which almost matches our total asset count. The price, flexibility, features and spec sheet make this a great choice for our business and networking.

All facilities will be required to have at least one of these appliances deployed at the perimeter of the network. If possible, it is recommended that one be placed in line at the server room. This will keep unauthorized employees from reaching servers that play no functional role in their job description, as well as perform load-balancing in this heavy traffic area.

Overall Conclusions

In conclusion, we have demonstrated that a new merger and its prospective employees can be a beneficial business gain, but can be challenging when implementing best practices in security, especially when the merger proves uncooperative. Regardless, as their days are numbered, our countdown starts too, and we must do what we can with the limited information to make critical decisions about the security of our network infrastructure. Reconnaissance, logging and analysis data are by far the most revealing information, and will later be combined with our equipment and risk analysis / business process assessments to form security baselines and certain parts of our security policy.

Remember that this is a preliminary assessment and initial deployment; continued security is only achievable through continued defense. Security event management, change management, escalation response and continued learning are all ways to constantly reevaluate and strengthen our defensive position. We define security as not only protection, but the complete confidentiality, integrity and non-repudiation of data traversing your network. (This is called the ‘CIA triad of networking security’.)

While providing the skill and insight to put an effective security plan in place and instill an overall security stance in your business is our objective, all efforts will be moot without the full support of upper management. Once our operation is fully up and running, the real process of maintaining security begins. Although it is impossible to prepare for and mitigate every possible risk or threat to our organization specifically, by keeping servers and firmware up to date and keeping a constant watchful eye on logs and traffic analysis you will find yourself, at minimum, in the best possible position to continue to mitigate new threats. We also practice the defense strategy of ‘active’ or ‘offensive’ security. This entails dissecting known attacks and scenarios, as well as intelligence gathering and counter-surveillance of known attacks and attackers. Intelligence acquired and learned from previous attacks can be employed to prevent them from occurring again. Sharing these findings with partners and other organizations can further decrease the odds of getting stung by the same bee twice. "For us to be successful, you can’t keep reacting to an event...we have to get ahead of the adversary; if you can see how your adversary is manipulating various systems out there today, then you can stop them." (Col. Hensley, 2011)

Our layered approach to defensive security comprises several measurable aspects, including physical security, authentication methods including 2-step verification, network appliances that work together (e.g. the firewall and IDPS), and regular audits and log analysis. Combined with access control lists, the built-in security functions of the protocols used for our remote connections, and a security policy to clarify everything in between, we start to provide an overall level of confidence (as security is never a guarantee).

Although a security initiative of this size and complexity will assuredly come with a decent price tag, "in terms of return on investment [ROI], the cost of a security breach would be much higher." (Weaver, Network Defense and Countermeasures, 2007)

Always remember: if it is not written, it does not exist. Everything up until this point should have been documented. This will prove critical later on when estimating the total ROI on the acquisition, how we remediated technical, physical and policy-driven security issues, and where we can improve in future endeavors.
