Wednesday, 22 January 2014

A Tool That Tells a Tale

Richard Hatch, IT Security Consultant at Portcullis

About the Author

Richard Hatch is a software engineering graduate who joined Portcullis in 2011. As an IT security consultant he carries out penetration testing, writes reports, develops tools and supports in-house capabilities. He has an interest in reverse engineering.

Portcullis is committed to providing a comprehensive IT security consultancy for our clients to ensure that their networks and websites are secure from threat of attack. As a leading UK service provider, we assist our clients through penetration testing, digital forensic services, incident response, training and bespoke consultancy services to ensure they have a true sense of security.

Portcullis can complete tests under the CREST and CESG CHECK schemes.

At Portcullis we understand the benefits of automating data gathering and parsing data with tools to quickly extract pertinent information. Such information can be used, for example, to automatically run additional targeted checks against certain network services. This enables a penetration tester to be quickly alerted about known security issues and provides references to related vulnerability information, e.g. matching Metasploit exploits to Nessus output.

When it comes to performing security assessments of network devices such as firewalls, routers or switches, Nipper Studio is the first tool we reach for.

After running a Nipper Studio audit, the report is presented (as HTML) within an embedded browser. Nipper Studio also allows the user to export that report in a number of easily selectable formats (CSV, txt, HTML, XML etc.). A nice feature of the presented report is the cross-linked references to issues, tables, etc., which enable the user to drill down into logical names present in rules (such as object groups). Any passwords, some of which are decoded from the obfuscated forms, can either be displayed inside the report or masked.

Additionally, Nipper Studio reports on known software vulnerability issues for the device firmware version, without the need for an active Internet connection. This saves time that can then be spent reviewing the issues identified or considering the device within the business context. For example, does the device adequately fulfill the role it is supposed to play, or should additional rules be present to address specific needs or concerns of our customer?

The options to perform checks against different compliance policies, as well as differential comparisons (a “before” and “after” review to highlight changes), make what would be a time-consuming and challenging task a quick and straightforward one.

The output formats supported by Nipper Studio enable our penetration testers to use bespoke tools to process the report output and process references such as CVE numbers. These are then imported into our own custom reporting tools.

The explanations of the issue findings in Nipper Studio also serve as both an insight and a reminder when encountering some of the more obscure issues or features present on a device. For instance, a configuration file command that starts “glbp” may not be immediately recognised by a tester as the Gateway Load Balancing Protocol, a proprietary Cisco protocol. The issue help text from Nipper Studio expands such acronyms and enables the tester to recall their understanding of the technology invoked by the “glbp” command.

The benefits of using Nipper Studio for security analysts mirror those for the client: it offers a faster, potentially more in-depth review with more technical detail available. Furthermore, it has the ability to determine if a device adheres to necessary compliance policies, documented design rules, or what configuration changes are present against a known baseline. For example, imagine a company detects that its internal network has been compromised, but is unsure if the attacker gained access to a router and changed the configuration (to breach network segregation). They can quickly compare the current configuration against the Nipper Studio report of a known-good configuration that could not have been affected by a hacker (e.g. stored on a backup CD that is held in a safe at another location).

In one case, a client had asked for a security assessment of a firewall, with specific consideration given to the protection of key network assets. The firewall had a large number of rules configured and there was a chance that the assessment could not have been completed in the time available. By using Nipper Studio to automate the time-consuming process of manually identifying issues, the tester was able to take a “step back”. With the help of a network diagram they determined that, although access to key assets was prevented from the Internet, there were no such restrictions in place to prevent access from an internal network area. The client was then able to add additional filtering to prevent access to the sensitive data held within those key assets. The client commented that none of the previous firewall assessments undertaken had identified this issue, which, when pointed out, seemed obvious.

In conclusion, Portcullis use Nipper Studio to quickly identify potential security concerns arising from the configuration of network devices, in a way that provides those findings in formats that can be processed by scripts. The consultants save time, allowing more in-depth assessments even in environments where internet access is not permitted. These assessments take into account the environment in which a device will operate, allowing better (and more detailed) information to be provided to clients. Any technical team that have a need to review, assess or compare the configurations of firewalls, routers or switches would do well to consider Nipper Studio.
