Client/Server Audit: One Bite At A Time
Dateline: Toronto, ON, June 1999

No wonder people are overwhelmed when they set out to review a client/server network. It's too big and complex. Often, they don't have a clue where to start. Well, as the old saying goes: "How do you eat an elephant? One bite at a time." Read on and you'll see how to tackle this task one bite at a time.

To proceed in a structured fashion, we first need some kind of structure or model. A model serves as a single reference point, providing a common ground for discussion and illustration. The model we'll use is the famous information technology palindrome, ISO OSI.

The ISO part is easy. It stands for the International Organization for Standardization, which was founded in 1946. More than a hundred countries belong to the ISO, and many have national standards organizations, such as the American National Standards Institute (ANSI) and the Canadian Standards Association (CSA), that participate in and contribute to the standards process.

The OSI part is easy too. It stands for Open Systems Interconnection, a universal reference model for communication protocols. Understanding the model and how to use it, however, is not so simple. Established in 1983, OSI is a "reference model" that explains how two points in a telecommunication network transmit messages. The reference model defines seven layers of functionality that take place at each end of a communication. The seven layers are shown in Figure 1.

Figure 1. Open Systems Interconnect Reference Model

The advantage of using the OSI model to review a client/server environment is that most software and hardware found in today's networks are designed and implemented with it as a guideline. The actual programming and hardware furnishing the seven layers are usually a combination--from the top--of the operating system, applications (such as Web browsers), TCP/IP or alternative transport and network protocols, and the software and hardware that enable you to pump a signal out of your computer.
How do you use this model to review your network? The best way to start is to draw a physical model of your client/server environment, and then an OSI representation of the physical environment. For example, show a bridge as a Layer 2 device, a router as a Layer 3 device, and an application server and client system as Layer 7 devices. Then describe in detail the software and hardware found at each layer. Once you've finished this drawing, you can perform a vertical review of a client or server, a horizontal review across one or more layers, or both. Intuition should tell you to start at the lowest layer and build up: when you can't rely on Layer 1, you can't trust anything else. By way of illustration, the following sections detail each layer and offer review areas to start thinking about.

Layer 1 - The Physical Layer

The physical layer is responsible for moving raw bits from one node to another, transporting the bit stream through the network at the electrical and mechanical level. Devices such as repeaters and hubs operate at this layer. Cabling media and topology present key considerations for review.

Security. Review the security of the cabling to ensure that it's immune from tampering and physical destruction, as well as from active and passive tapping.

Integrity. Evaluate the integrity of the cabling: Was the cable installed according to your organization's standards and the cable and hardware manufacturer's recommendations? Did the installer properly label it? Does the wiring topology meet the organization's needs, and does it provide the required level of protection?

Unused connections. Determine that all unused connections at the hub have been disconnected. An unused connection lets anyone plug a packet analyzer into your network and grab confidential information.

Tools. As an aid to your review, use an Enterprise Security Architecture (ESA) product. These products focus on in-depth physical security, including cabling media and topology.
Layer 2 - The Data Link Layer

The data link layer ensures that everything physically sent was physically received. It provides error control and synchronization for the physical layer, and is responsible for grouping bits into frames and moving them from one node to another. The data link layer may define hardware addresses. In addition, there are protocols that send packets of information and others that send bytes of information. Packet-oriented protocols include ARCnet, Ethernet, Fiber Distributed Data Interface (FDDI) and Token Ring. Asynchronous, binary-synchronous, high-level data link control (HDLC) and synchronous data link control (SDLC) are representative of byte-oriented protocols.

Several devices work at Layer 2. A bridge links two cable segments and provides some traffic-handling capability. Similarly, switches and smart hubs pass packets from one cable to another. Frame relay access devices (FRADs), packet assemblers/disassemblers (PADs) and modems transport bytes over wide area networks. These devices work on the hardware addresses. Cover all of your bases here by looking at a number of possible weaknesses.

Software. It's important to analyze standard software, which is usually considered part of the Logical Link Control sub-layer of Layer 2. Someone could change this software to make it send multiple copies of the message with different addresses. Novell's Open Data Link Interface (ODI) and Microsoft/3Com's Network Driver Interface Specification (NDIS) are two of the most widely supported de facto standards for interfacing protocol stacks to network adapter device drivers.

Promiscuous devices. During your review, ensure that all devices are authorized and that none are running promiscuously. Promiscuous devices access all packets, not just those destined for them. Depending on your skills, you can do anything from running a program such as Check for Promiscuous Mode (CPM) to using an ohmmeter.

Rogue modems. Look for backdoor modems.
To find them, use a freeware tool such as Thief or Toneloc, or a commercial one such as Dialup Auditor.

Physical protection. Ensure the physical protection of the bridges, switches, smart hubs, FRADs and other Layer 2 devices. This helps to prevent denial-of-service attacks, reprogramming of the device, and active or passive tapping. Physical protection of interconnectivity devices is your first line of defense.

Authorization. Ensure that only authorized individuals have access to any Layer 2 software. Determine how changes are made and who can make them. From the standpoint of availability, review your organization's capability to monitor the Layer 2 network for performance degradation and network outages.

Layer 3 - The Network Layer

The network layer handles the routing or forwarding of the data. Layer 3 provides host-to-host communication and defines the basic unit of transfer or packet, network-level addressing and possibly routing. Routers are Layer 3 devices that link two networks together. When you install a router, you create separate destinations for each cable, each destination with its own network number. There are several well-known Layer 3 protocols, such as Internet Packet Exchange (IPX), DECnet Routing and Internet Protocol (IP). With respect to routers and the supporting protocols, there are a number of things to consider.

Message control. Evaluate whether Routing Internet Protocol (RIP) and Service Advertising Protocol (SAP) messages are under control. Is the number of advertising protocol messages kept to a minimum? How often are they sent? Are the advertising protocol messages sent only a limited number of hops?

Physical security. Major concerns for your internetworking devices are physical security and maintenance. Maintenance is critical to your ability to provide service, yet affects availability because of its potential to disrupt service. Test how your organization remotely maintains these devices. Do they log in remotely?
Do they use Simple Network Management Protocol (SNMP)? Do they dial in, or do they connect locally to a serial port? Guarantee that only authorized individuals have access to the router.

Intrusion detection. Layer 3 is extremely complex, so use a network-based intrusion detection tool such as Abirnet's SessionWall-3, Cisco's NetRanger or ISS's RealSecure. If your organization allows the use of freeware, then consider Argus, Courtney, Gabriel, Netlog, Network Flight Recorder and Shadow.

Layer 4 - The Transport Layer

The transport layer manages end-to-end control--determining, for example, whether all packets have arrived--and performs error checking. It ensures complete data transfer. This layer provides process-to-process communication, and may add other end-to-end services like reliability. Sequenced Packet Exchange (SPX), DECnet Transport, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) embody Layer 4 software. Also bear in mind AppleTalk Protocol (ATP), Advanced Peer-to-Peer Networking (APPN) and NetBEUI. Meanwhile, the inter-application communications programs NetBIOS, Berkeley Socket Data Interface (BSDI), Winsock, Transport Layer Interface (TLI) and Common Programming Interface for Communications (CPI-C) provide an interface to multi-vendor, multi-protocol stacks. All of these programs require attention.

Protocol protection. Ensure that protocols are authorized and well protected from unauthorized changes. Review your change management standards and procedures for controlling all software.

Layer 3 controls. In addition, some routers--known as multi-protocol routers, grouters or stateful-packet filters--work at Layer 4. Consequently, you need to apply all the controls you applied to Layer 3 devices.

Layer 5 - The Session Layer

The session layer sets up, coordinates and terminates conversations, exchanges and dialogs between the applications at each end. It deals with session and connection coordination.
Layer 5 sets up remote communication sessions, and can tie together multiple transport streams into a single "session." Layer 5 is where you find the middleware. Open Data Base Connectivity (ODBC), Integrated Database API (IDAPI), Oracle Glue, Call Level Interface (CLI) and Distributed Relational Database Architecture (DRDA) are examples of middleware that support databases. TxRPC and XATMI are good examples of transactional middleware. Groupware includes software such as Common Mail Calls (CMC), Messaging API (MAPI), Vendor Independent Calendaring (VIC) and Vendor Independent Messaging (VIM) middleware. And last but not least, there is distributed system management middleware, represented by SNMP and Common Management Information Protocol (CMIP). There are a number of considerations when reviewing middleware.

Security. Most protocols provide built-in security features. Make sure, however, that the security features suit the security requirements of the applications and data. In addition, ensure that security is consistent across your network systems. Looking at on-line transaction processing (OLTP), for example, one should test for application integrity, proper routing of transactions, queue capability to handle large volumes of messages, the capability to handle messages under extreme stress conditions, and the capability to handle incomplete transactions.

Audit trails. Since your applications may hand off transactions or messages, evaluate how you use audit trails: Can you correlate the audit logs of the client and server systems to track a transaction that passes through a client and all the servers? Is there an audit log of all additions and deletions of users of critical systems or files, or changes to their privileges? How long are audit logs stored? Who has access to them?

Default passwords. Investigate the use of community strings with SNMP and ensure that default passwords have been changed. Finding all the default passwords on systems may be daunting.
Use a point-in-time commercial audit program such as Axent's OmniGuard/Enterprise Security Manager, BindView's EMS, ISS's System Security Scanner or Security Dynamics' Kane Security Analyst, or freeware such as COPS, SPI and TAMU's Tiger scripts. An automated tool can tell you quickly whether you have correctly installed operating system components and whether users have changed or created weak passwords. When using an automated tool, review who is allowed to use it, whether use of the audit software is itself audited, and how often the systems are audited.

Intrusion detection. Consider the use of Centrax's eNTrax, Kane Security Monitor, OmniGuard/ITA and NAI's WebStalker or NetStalker products for intrusion detection and alerting. Freeware tools include Scan-Detector, Swatch, TCP_Wrapper and Tripwire.

Layer 6 - The Presentation Layer

The presentation layer, which is usually part of the operating system, converts incoming and outgoing data from one presentation format to another. For example, it converts data from a text stream into a pop-up window with the newly arrived text, or from EBCDIC to ASCII. The presentation layer, sometimes called the syntax layer, is a hodgepodge of things including data format exchange (Extended Data Representation [XDR], Network Data Representation [NDR] or Abstract Syntax Notation [ASN.1]), compression/decompression, encryption/decryption and image conversion. Since this layer manipulates data, it's important to ensure that the software is authorized.

Encryption. Investigate the use of encryption, such as Secure Socket Layer (SSL). Review which encryption algorithm is in use, whether it's used securely and whether the implementation itself is a secure one. For instance, are you using the 40-bit encryption key for SSL or the more secure 128-bit one? If you are generating certificates, is the private key secure? There are lots of questions associated with the secure use of encryption.
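The Layer 5 audit-trail question above (can you correlate client and server logs to follow one transaction through every tier, and spot transactions that were never completed?) can be answered mechanically. The following is an added Python example, not code from the article; the log format, host names and transaction ids are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit logs from the three tiers; format and values are made up.
CLIENT_LOG = """\
1999-06-01T09:00:01 client01 txn=T100 user=alice event=SUBMIT
1999-06-01T09:00:05 client01 txn=T101 user=bob event=SUBMIT
1999-06-01T09:00:09 client01 txn=T102 user=alice event=SUBMIT
"""
APP_LOG = """\
1999-06-01T09:00:02 appsrv1 txn=T100 event=RECEIVED
1999-06-01T09:00:06 appsrv1 txn=T101 event=RECEIVED
1999-06-01T09:00:12 appsrv1 txn=T103 event=RECEIVED
"""
DB_LOG = """\
1999-06-01T09:00:04 dbsrv1 txn=T100 event=COMMIT
1999-06-01T09:00:08 dbsrv1 txn=T101 event=ROLLBACK
1999-06-01T09:00:14 dbsrv1 txn=T103 event=COMMIT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # timestamp host key=value ...

def parse(log_text):
    """Yield (timestamp, host, fields) per line, skipping lines that do not fit the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, rest = m.groups()
        yield ts, host, dict(kv.split("=", 1) for kv in rest.split())

def build_trails(*logs):
    """Merge every tier's log into one time-ordered trail per transaction id."""
    trails = defaultdict(list)
    for log in logs:
        for ts, host, f in parse(log):
            trails[f["txn"]].append((ts, host, f["event"]))
    for events in trails.values():
        events.sort()
    return dict(trails)

def find_anomalies(trails):
    """Return (orphans, incomplete): no client origin, or never committed/rolled back."""
    orphans, incomplete = [], []
    for txn, events in sorted(trails.items()):
        if not any(host.startswith("client") for _, host, _ in events):
            orphans.append(txn)      # appeared at a server without a client SUBMIT
        if not any(ev in ("COMMIT", "ROLLBACK") for _, _, ev in events):
            incomplete.append(txn)   # handed off but never finalised by the database
    return orphans, incomplete
```

On the constructed logs, T103 is an orphan (it reached the application server with no client submission) and T102 is incomplete (submitted but never finalised), which are exactly the two conditions a reviewer of OLTP audit trails should be able to detect.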
Layer 7 - The Application Layer

The application layer is where user authentication and privacy are considered, and where communication partners, quality of service and constraints on data syntax are identified. When reviewing applications, think about the three tiers: client, application server and database server.

Client. Review the application design. Can a user modify the interface and make it malfunction? Does the application have embedded passwords? Of course, you must ensure that the product is intact. For instance, find out whether the source code matches the executable. You don't want unauthorized changes, so make sure that all new or upgraded client modules go through a complete quality-assurance review and adequate testing. This review needs to look at the testing of input functions and whether standards are met with respect to the use of application programming interfaces and remote procedure calls.

Application server. Look at measures that ensure the integrity of the message. Ask such questions as: What program logic is in the application to ensure messages cannot be totally lost? What program logic is in the application to recover lost messages? Where security is implemented by a Tier-2 application, ask how user IDs and passwords are stored, how they are moved between the client and server, and how the authentication mechanism works. You need to evaluate the integrity of the application and the processing of the application server, so review controls such as change management and access control.

Database server. Consider measures that ensure the integrity of the application. Stored procedures, triggers, rules, and dynamic and static SQL must enforce application integrity. Review other integrity features such as two-phase commit, rollback and roll forward, journaling and database replication.

Tools. Consider evaluating tools that help you review applications. These tools are either network- or host-based.
Tools such as Axent's NetRecon, Cisco's NetSonar, ISS's Internet Security Scanner and Web Security Scanner, NAI's CyberCop and WebTrend's Security Scanner scan applications (more accurately, ports), testing for vulnerabilities. Don't forget the application-specific tools such as BrainTree's SQL Secure, DBSecure's SQL Auditor, ISS's Database Scanner and WebTrend's Security Analyzer. And finally, there are vendor-specific application tools such as PentaSafe's JDEdwards Software Application Module (JDE-SAM).

The Last Word

So there you have it, a structured method for reviewing your client/server computing network. There's a lot to think about. What you see here, however, is just the tip of the iceberg. We could have examined many more things, but the point was to get you started. It still might seem overwhelming, but at least you now have a review methodology, one that "stacks" up well vis-à-vis any other. So when you're not sure where to start, think about the OSI reference model. Also, remember what that famous Roman philosopher, Publilius Syrus, once said: "If you wish to reach the highest, begin at the lowest."

Originally published in "Information Security" magazine.
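Returning to the Layer 7 client check that the deployed modules match what quality assurance approved: the following added Python example (not from the article or from any product it names) verifies a workstation's modules against a manifest signed at QA sign-off, and checks the manifest's own integrity before trusting it, the same discipline a host-based integrity checker such as Tripwire applies to its baseline. The module contents, file names and review key are all constructed.

```python
import hashlib
import hmac

# Constructed data: an approved build set, the manifest signed at QA sign-off, and what
# a reviewer found on a workstation. None of it is real software or a real key.
REVIEW_KEY = b"constructed-review-key"  # held by the review team, never on the workstation
APPROVED = {
    "orders.exe": b"approved build 1.2 of the orders client",
    "ledger.dll": b"approved build 1.2 of the ledger library",
}
DEPLOYED = {
    "orders.exe": APPROVED["orders.exe"],
    "ledger.dll": APPROVED["ledger.dll"] + b" PATCHED",  # altered after sign-off
    "helper.dll": b"module that never went through QA",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_manifest(modules, key):
    """Produce 'digest  name' lines plus an HMAC tag so the manifest cannot be silently edited."""
    body = "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(modules.items()))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag

def verify_deployment(body, tag, key, deployed):
    """Check the manifest's own integrity first, then every deployed module against it."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"manifest_tampered": True}  # never trust a baseline you cannot verify
    baseline = {name: digest for digest, name in (l.split("  ", 1) for l in body.splitlines())}
    report = {"manifest_tampered": False, "ok": [], "modified": [], "missing": []}
    for name, digest in baseline.items():
        if name not in deployed:
            report["missing"].append(name)
        elif sha256_hex(deployed[name]) != digest:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["unapproved"] = sorted(set(deployed) - set(baseline))  # modules outside QA
    return report
```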