RE: IPSO/Secure Platform audit

From: Matthew MacAulay (matthew.macaulay_at_cobweb.co.uk)
Date: 08/19/05

  • Next message: Erin Carroll: "RE: IPSO/Secure Platform audit"
    Date: Fri, 19 Aug 2005 14:51:12 +0100
    To: <pen-test@securityfocus.com>
    
    

    Hello,

    In addition to Ola's and Volker's suggestions:

    You could pass the syslog messages of the Nokia boxes to an IDS box to
    alert on any valid or invalid login attempts. www.prelude-ids.org is
    fairly simple to set up. At least this would give you a log independent
    of the Nokia boxes for logons, valid or not.

    But, as Ola suggested, locking down where SSH and HTTPS connections to
    the Nokia boxes can be initiated from should be done first. I normally
    have these rules (management rules) defined as the first couple, followed
    by an any-any drop (to the FWs themselves), so no connections can be made
    to the firewalls directly for non-allowed services or sources of
    connection.

    I also don't allow access to manage the firewalls from a remote
    location. Risky, but I have some fault tolerance built in...

    If you have the facility to tap into the external traffic, you could pass
    it to Snort and look for SSH connection attempts. Again, Prelude provides
    a nice front end (Prewikka), but that is probably a bit OTT.

    Regards,

    Mat.

    -----Original Message-----
    From: Volker Tanger [mailto:vtlists@wyae.de]
    Sent: 18 August 2005 22:56
    To: pen-test@securityfocus.com
    Subject: Re: IPSO/Secure Platform audit

    Greetings!

    On Thu, 18 Aug 2005 13:00:50 +0100
    Dan Rogers <pentestguy@gmail.com> wrote:
    > I'm currently reviewing a Check point/Nokia box and a Secure Platform
    > manager. The settings in Voyager are all good, and likewise the Web
    > GUI of the SPLAT manager is fine, they're both patched and the policy
    > is also clean - but I want to ensure the o/s themselves are ok.

    I assume you already checked the rulebase, e.g. for SSH-Allow from
    outside and VPN or SecureClient rules, did you?

    Unless you have the possibility to check that all binaries (esp. SSH and
    other listening servers) are 100% genuine, there is no way to ensure
    that. IPSO and SPLAT are just plain BSD and Linux after all, so creating
    custom binaries is not that much of a problem.

    > I am concerned that a previous administrator may have left himself
    > access by the back-door somehow - but am not in a position to rebuild
    > them to be sure. What else would you lot check for?

    Are you *concerned*, or do you have no reason to worry and are just doing
    "a proper handover"? If you have reason to worry, you really should do a
    reinstall and a thorough audit of the ruleset.

    If management does not allow that, let them give you that order in
    writing ("We have received your warning of DATE about a possible
    compromise of the firewall system(s) by the former administrator NAME,
    but decided against your proposal...") to cover your butt.

    Bye

    Volker

    -- 
    Volker Tanger    http://www.wyae.de/volker.tanger/
    --------------------------------------------------
    vtlists@wyae.de                    PGP Fingerprint
    378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
    ------------------------------------------------------------------------------
    FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
    Learn the hacker's secrets that compromise wireless LANs. Secure your
    WLAN by understanding these threats, available hacking tools and proven
    countermeasures. Defend your WLAN against man-in-the-Middle attacks and
    session hijacking, denial-of-service, rogue access points, identity
    thefts and MAC spoofing. Request your complimentary white paper at:
    http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
    -------------------------------------------------------------------------------
    ----------------------------------------------------------------
    The information in this email is confidential and may be legally
    privileged. It is intended solely for the addressee. Access to
    this email by anyone else is unauthorised. If you are not the
    intended recipient, any disclosure, copying, distribution or any
    action taken or omitted to be taken in reliance on it, is
    prohibited and may be unlawful. If you have received this
    communication in error please return it to the sender, then
    delete and destroy any copies of it.
    ----------------------------------------------------------------
    
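The off-box logon check Mat describes, as an added example that is not code from the thread, from Prelude or from Check Point: it parses OpenSSH sshd syslog lines of the kind an IPSO or SPLAT gateway would forward, turns every logon attempt (valid or not) into an alert, and escalates anything that did not come from the management network. The log lines are constructed samples and the management network 10.10.1.0/24 is an assumption; on a real deployment the escalation rule mirrors whatever the management rules plus the any-any drop to the firewalls permit.

```python
"""Independent logon monitor for syslog forwarded from IPSO/SPLAT boxes.

Added example, not code from the thread, Prelude or Check Point. It parses
OpenSSH sshd syslog lines (wording is the same on the BSD-based IPSO and the
Linux-based SPLAT builds), records every logon attempt, valid or not, and
escalates anything that did not come from the permitted management network.
The log lines and the management network are constructed/assumed.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the only network allowed to reach SSH/HTTPS on the firewalls.
MGMT_NET = ipaddress.ip_network("10.10.1.0/24")

# Matches e.g. "Aug 19 14:02:11 fw1 sshd[1201]: Accepted password for admin
# from 10.10.1.5 port 40122 ssh2" and the "Failed ... for invalid user X" form.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample of what two gateways might forward in a day.
SAMPLE_SYSLOG = """\
Aug 19 14:02:11 fw1 sshd[1201]: Accepted password for admin from 10.10.1.5 port 40122 ssh2
Aug 19 14:05:43 fw1 sshd[1233]: Failed password for admin from 10.10.1.5 port 40130 ssh2
Aug 19 14:06:02 fw1 sshd[1233]: Accepted password for admin from 10.10.1.5 port 40130 ssh2
Aug 19 22:41:17 fw2 sshd[877]: Failed password for root from 203.0.113.44 port 51001 ssh2
Aug 19 22:41:20 fw2 sshd[877]: Failed password for invalid user oracle from 203.0.113.44 port 51002 ssh2
Aug 19 23:10:05 fw2 sshd[901]: Accepted publickey for oldadmin from 198.51.100.9 port 2222 ssh2
Aug 19 23:10:06 fw2 httpd[540]: unrelated line, ignored by the parser
"""


def parse_events(text):
    """Extract sshd logon events; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["src"] = ipaddress.ip_address(ev["src"])
            events.append(ev)
    return events


def classify(event, mgmt_net=MGMT_NET):
    """Severity for one event.

    Every attempt is kept (the value of an off-box log is that whoever owns
    the firewall cannot quietly edit it). Anything from outside the
    management network is escalated; a *successful* logon from outside is
    critical, since the management rules plus the drop-to-firewall rule
    should have made it impossible.
    """
    outside = event["src"] not in mgmt_net
    if event["result"] == "Accepted":
        return "critical" if outside else "info"
    return "high" if outside else "warning"


def alerts_for(text, mgmt_net=MGMT_NET):
    """Parse the text and attach a severity to each logon event."""
    return [dict(ev, severity=classify(ev, mgmt_net)) for ev in parse_events(text)]


def summarize(alerts):
    """Severity counts plus the sorted set of non-management source IPs."""
    counts = Counter(a["severity"] for a in alerts)
    outside = sorted({str(a["src"]) for a in alerts
                      if a["severity"] in ("high", "critical")})
    return counts, outside


if __name__ == "__main__":
    found = alerts_for(SAMPLE_SYSLOG)
    for a in found:
        print(f"{a['severity']:8} {a['host']} {a['result']:8} "
              f"user={a['user']} src={a['src']} ({a['method']})")
    print(summarize(found))
```

On the sample, the successful publickey logon from 198.51.100.9 is the one that matters: a valid credential used from a source the management rules should never have admitted is exactly the "back door left by the previous administrator" case, and it is only visible because the log copy lives somewhere the firewall's owner cannot edit.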
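Volker's point that the only real assurance is checking that the listening binaries are genuine, as an added example that is not code from the thread, from Nokia or from Check Point: a SHA-256 manifest is taken from a trusted image of the same build, then the box under audit is compared against it, reporting replaced, missing and unlisted files. The daemon paths are assumptions, and the "binaries" are constructed files written into temporary directories so the block runs offline.

```python
"""Known-good hash check for the daemons listening on an IPSO/SPLAT box.

Added example, not code from the thread, Nokia or Check Point. A manifest of
SHA-256 hashes is taken from a trusted image of the same build, then the box
under audit is compared against it: a replaced sshd shows up as modified, a
daemon moved aside shows up as missing, and anything dropped next to the
daemons that the baseline never saw shows up as unlisted. Paths are
assumptions; the "binaries" below are constructed files in temp directories.
"""
import hashlib
import os
import tempfile

# Assumed daemon paths. On a real box, start from the binaries that own
# listening sockets (netstat -an / lsof -i) rather than from a fixed list.
WATCHED = ["usr/sbin/sshd", "usr/sbin/httpd", "bin/sh"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, paths):
    """Hash each listed file under root; returns {relative_path: sha256}."""
    return {p: sha256_of(os.path.join(root, p)) for p in paths}


def verify(manifest, root):
    """Compare a box under audit with the baseline: (modified, missing)."""
    modified, missing = [], []
    for rel, good in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_of(full) != good:
            modified.append(rel)
    return sorted(modified), sorted(missing)


def find_unlisted(manifest, root, subdirs):
    """Regular files in the given directories that the baseline never saw."""
    unlisted = []
    for sub in subdirs:
        d = os.path.join(root, sub)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            rel = f"{sub}/{name}"
            if rel not in manifest and os.path.isfile(os.path.join(d, name)):
                unlisted.append(rel)
    return unlisted


def _write_tree(root, files):
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def demo():
    """Constructed scenario: trusted image versus a box with a swapped sshd."""
    genuine = {p: f"genuine {p}\n".encode() for p in WATCHED}
    tampered = dict(genuine)
    tampered["usr/sbin/sshd"] = genuine["usr/sbin/sshd"] + b"# extra auth path\n"
    tampered["usr/sbin/.sshd.orig"] = genuine["usr/sbin/sshd"]  # original kept aside
    del tampered["bin/sh"]                                       # shell moved elsewhere
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as audited:
        _write_tree(trusted, genuine)
        manifest = build_manifest(trusted, WATCHED)
        _write_tree(audited, tampered)
        modified, missing = verify(manifest, audited)
        unlisted = find_unlisted(manifest, audited, ["usr/sbin"])
    return modified, missing, unlisted


if __name__ == "__main__":
    print(demo())  # (['usr/sbin/sshd'], ['bin/sh'], ['usr/sbin/.sshd.orig'])
```

Take the baseline from a box or image you trust, never from the box under audit, and keep the manifest off the box. The check only says whether a file matches the baseline, not whether the baseline itself was clean, which is why Volker's answer to genuine concern is a reinstall rather than an audit.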
