  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 433
Risk Analysis for FWSM and Switches

I have an audit coming up and I wanted to find out what the risks are for the following setup and see what my defensive position might be.

    We have a border router that goes to a firewall.  On the other side of the firewall is a DMZ with servers that people have access to.  Beyond that the connection goes to a layer 2 switch.  The layer 2 switch then goes to a FWSM on another switch.  Technically it is a DMZ, but it has an extra switch in the way.  I wanted to find out what the risks are in terms of hackers.  What if someone compromised the switch without the FWSM?  There are other VLANS on that switch.  Is there any way for a hacker to get to the other VLANS from that switch?  I'm trying to determine what the worst case scenario is to prepare myself for the auditors.

Thanks,
awakenings
rsivanandanCommented:
What do you have on that 'middle' switch? I mean, what all. Also can you mention the make of all the network devices. One probable thing which I assume you would've taken care of already would be to disable CDP.

What is it that you have open on your firewall (web/smtp ???) etc., and where are they actually in the picture?

Cheers,
Rajesh
awakeningsAuthor Commented:
Rajesh,

      It is a web server that people access through the firewall to the server sitting on the DMZ.  I am still waiting to get the configs of the devices as I have no access so I am not sure what is going on with those devices from a network level.  I may have those next week.  The firewall is a pix 515e.  The switch is a 6009 which is entirely layer 2.  The layer 3 switch with the FWSM is a 6509.  The 6509 controls the VLANS on the 6009.  There are numerous VLANS coming off the 6009.  That is what gives me pause because it would seem to me that if they can access the 6009, they can access most of the internal VLANS (is my fear).  The network admin says that because the 6509 controls the VLANS, the 6009 has no risks associated with it.  I don't buy it so I am trying to see what risks are associated with it.

Thanks,

awakenings
rsivanandanCommented:
One of the ways to look at how you can enhance your security side of configuration is by using Cisco's output interpreter. Login to Cisco using CCO credentials and post your config one by one and it will tell ya on the improvements. Then about the VLANs, worry about the security on the individual hosts first. The thing is, the switch wouldn't know at all if there is an attack going on. Again FWSM is good for some of the attacks but anything looking legitimate on the data side of a packet, FWSM will allow it to go through.

Make sure you don't have any hole opened between your external firewall and FWSM other than the connections originated from within inside.

Do a port scan from within each network segment on the switches/routers/pix and see what you get. nMap could serve that.

Cheers,
Rajesh
awakeningsAuthor Commented:
Rajesh,

     My role is purely audit.  I have no ability to configure devices.  I also cannot post configs, but I can look for VLAN ACLs and determine if any traffic is allowed through.  If someone were to hack the server on the DMZ, could they then hack the 6009?  Obviously they could poison the CAM table.  If so, could they alter VLAN assignments from the 6009?  Could they gain access to all the other computers on the other VLANS from the 6009?  Remember the 6009 is between the DMZ and the FWSM (which is on the 6509) which provides the layer 3 configurations.  Your point about traffic that looks legit is well taken however.  I may try to run nmap from alternate locations on the network, but that may take a week or two to complete for reasons I will not go into.

Any other suggestions?

awakenings
rsivanandanCommented:
Awakenings,

  I don't want you to be publishing your configs here, but I'm sure about the fact that you need to inspect each and every device's configuration and make sure that nothing is turned on which shouldn't be. Cisco's site could lead you to a lot of such information.

  Again, when we are talking about network devices, there are so many options. Let's say somebody hacks into your webserver and sniffs the traffic for telnet going to the 6009 (which is very much possible since it is connected on the same device); it is like a walk in the park. So make sure to lock it down. Disable telnet as much as possible and use other means like SSH. Also there are so many services, to name a few -> finger, cdp, snmp and stuff. CAM poisoning and stuff is like a higher level of attack. If you think about what is easy, easy would be to 'bring your network down'. That is pretty easy for anybody with internet access. Voila, there are a hell of a lot of tools out there. So make sure your access-lists don't have a hole in them. A lot of times in EE, we have seen stuff like:

access-list 100 permit ip any any
access-list 100 deny tcp any host 10.10.10.10

Now look at this; this is as stupid as it could look, and we're obviously gonna miss it *when* we are scanning through a lot of configurations at once. But if you use a configuration analysis tool, it helps.

Now, let's say you get a virus in a packet; now looking purely at the networking devices, none of them could help you. May it be a router/firewall/fwsm/dmz/internal/external, all are crap because these devices will pass through the data. In such cases, you need to have a well managed antivirus system to protect you. Now since I mentioned that it is easy to bring your network down rather than getting into it, think about if you can enable some settings in your firewall that can prevent such things.

One of the easiest attacks would be to send an awful lot of 'SYN' packets to your webserver. Your firewall will allow it because you want others to be looking into your website. Now what happens when these 'SYN' packets get high? The webserver loses its buffer, followed by a system crash or even buffer overflow attacks. Do you have it enabled on your firewall to check the SYN limit? Stuff like that.

Cheers,
Rajesh
rsivanandanCommented:
There are 2 ways of looking at it;

1. Block all and allow what you need.

2. Allow all and block what you don't need.


I found the 1st method to be very effective and I can't likely open a hole, because when I start with an initial configuration, I will know when to open a new hole in my firewall.

But you cannot audit your network without scanning with tools like nMAP and others. You know, it could ring a bell or two by just running it once.

Another one: let me ask you; do you agree to the fact that one or more networking devices you manage share the same password? :-) You don't have to answer me but it happens all the time. How many devices have MD7 encryption on passwords? 'coz I could tell you the password in minutes.

Cheers,
Rajesh
awakeningsAuthor Commented:
Rajesh,

     You did a pretty good job putting things in perspective and justifying some of the concerns I had.  Many, if not all, of the items you mentioned to block are on our build document.  So from an audit perspective, it sounds like we may be ok if our configurations are good.  The possible / probable risk is really DOS or DDOS (which I do believe is small because the border router in that case only goes to a network that, in theory, should also have fairly high security).  To protect myself from the audit, do you think it would be wise to put a firewall up between the 515e and the 6009 switch to better protect ourselves?

At the moment, the points are basically yours.

Awakenings

P.S.  I do agree that passwords on network devices can be cracked in minutes.  There are many web sites that will perform that crack for you.  That is why we use another method.  :)
rsivanandanCommented:
Good. Go with AAA and RADIUS for authentication; not good from a management point of view (needs more work), but on the technical side that is the best you can get :-)

You don't need another firewall. It is fine for the way you have it because your external firewall and a FWSM should be doing good. What you need to make sure is to patch up the webserver pretty much safe and that should be enough. I'm not sure if your webserver is a windows server. If so, download the security templates from microsoft and tighten the security of that box according to that. If you are running IIS, there is an IIS LOCKDOWN tool available, use that to lock IIS.

Once you go over all that we discussed you should be okay... Even though you mentioned the network aspect, I was more concerned with the whole corporate (well, my work is that :-)). Make sure you disable all the unwanted services on printers (multifunction network printers). Usually they have everything wide open. All the community strings set to 'public', and HP printers don't even need a password to connect to them. Just spawn a browser and browse to the printer and you can see a whole lot of stuff.

Cheers,
Rajesh
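Several of the checks Rajesh lists across this thread are mechanical once you have the configs in hand: telnet still accepted on the vty lines, CDP and finger left on, SNMP community strings at the well-known defaults (the same point he makes about printers), passwords stored in cleartext or in the reversible type 7 encoding, and the same credential reused on more than one box. This is an added example for the thread, not code from the original posts or from Cisco: a small linter over two constructed IOS-style configs (hostnames, the type 7 string and the type 5 hash are placeholders) that returns a finding code per issue and lists credential strings that appear verbatim on more than one device.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample configs; hostnames, hashes and community strings are
# placeholders and do not come from the devices discussed in the thread.
SAMPLE_CONFIGS: Dict[str, str] = {
    "sw6009": """
hostname sw6009
service finger
enable password 7 05080F1C2243
snmp-server community public RO
line vty 0 4
 password cisco123
 transport input telnet
""",
    "sw6509": """
hostname sw6509
no service finger
no cdp run
enable secret 5 $1$EXAM$PLACEHOLDERHASHVALUE000
snmp-server community public RO
line vty 0 4
 password cisco123
 transport input ssh
""",
}

DEFAULT_COMMUNITIES = {"public", "private"}

# password/secret lines, optionally under 'username <name>', optionally with an
# encryption-type digit: 0 = plaintext, 7 = reversible obfuscation, 5 = MD5 hash
CRED_RE = re.compile(
    r"^(?:username\s+\S+\s+)?(enable password|enable secret|password|secret)"
    r"(?:\s+(\d))?\s+(\S+)$")


def lint_device(config: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one device's running-config text."""
    lines = [ln.strip() for ln in config.strip().splitlines()]
    findings: List[Tuple[str, str]] = []
    if "no cdp run" not in lines:
        findings.append(("cdp-enabled",
                         "CDP not disabled globally; it advertises platform, addresses "
                         "and VLAN details to whatever sits on the link"))
    if "service finger" in lines:
        findings.append(("finger-enabled",
                         "finger service enabled; lists logged-in users to anyone who asks"))
    in_vty = False
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("snmp-default-community",
                             f"SNMP community '{m.group(1)}' is a well-known default"))
        if ln.startswith("line "):
            in_vty = ln.startswith("line vty")        # track which line block we are in
        elif (in_vty and ln.startswith("transport input")
              and ("telnet" in ln or ln.endswith(" all"))):
            findings.append(("vty-telnet",
                             f"vty accepts cleartext telnet ('{ln}'); restrict to ssh"))
        m = CRED_RE.match(ln)
        if m:
            keyword, enc = m.group(1), m.group(2)
            if enc == "7":
                findings.append(("password-type7",
                                 f"'{keyword} 7 ...' is reversible obfuscation, not "
                                 "encryption; use 'secret' instead"))
            elif enc in (None, "0") and "password" in keyword:
                findings.append(("password-plaintext",
                                 f"'{keyword}' stored in cleartext; use 'secret' instead"))
    return findings


def credential_strings(config: str) -> Set[str]:
    """Every password/secret value as stored in the config, regardless of type."""
    values = set()
    for ln in config.strip().splitlines():
        m = CRED_RE.match(ln.strip())
        if m:
            values.add(m.group(3))
    return values


def find_shared_credentials(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Credential strings that appear verbatim on more than one device.
    Plaintext and type 7 values compare directly; type 5 hashes only collide when
    the salt happens to be identical, so reuse can hide behind different salts."""
    seen = defaultdict(set)
    for device, cfg in configs.items():
        for value in credential_strings(cfg):
            seen[value].add(device)
    return {v: sorted(devs) for v, devs in seen.items() if len(devs) > 1}


if __name__ == "__main__":
    for device, cfg in SAMPLE_CONFIGS.items():
        for code, msg in lint_device(cfg):
            print(f"{device}: [{code}] {msg}")
    for value, devices in find_shared_credentials(SAMPLE_CONFIGS).items():
        print(f"credential reused on {', '.join(devices)}")
```

The linter deliberately only reports that a type 7 value is present rather than decoding it; for the audit the finding is the same either way, and the fix (`enable secret`, AAA/RADIUS for logins, ssh-only vty lines, non-default community strings) does not depend on knowing the recovered value.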
awakeningsAuthor Commented:
Rajesh!

    Thanks!  All the other aspects of security we pretty much have.  I do my best to keep up to date with NIST and DISA and I set the standards for securing the web server so they should, in theory, be doing the work.  We do test with many of the vulnerability analysis tools as well.  Due diligence is my job!

Thanks!
rsivanandanCommented:
Perfect, that should be the way to go about it.

Cheers,
Rajesh