Internet Infrastructure Security Testing Overview
Internet infrastructure security tests are used to find security vulnerabilities in a public network or internet-accessible system, including one that already has security measures in place. A network security test uses attack methods, carried out by an authorised organisation, that are similar to those used by hostile intruders, whether external attackers or malicious employees.
Depending on the type of network security test required, this may involve a baseline scan of an IP address range to find machines and to check that those present are as expected. Network security testing may also involve attempts to exploit known vulnerabilities in the operating system of any identified host.
The exact scope of the test is confirmed and agreed in advance with the client to determine that the network security test matches their requirements.
The results of network security testing are documented and delivered to the client as a report, after which the identified security vulnerabilities can be resolved or the security risk mitigated. The time needed to conduct a network security test varies with the size and complexity of the network being assessed.
A network security test is a view or snapshot of a public network’s security posture within a given time frame. A mistake sometimes made is to use a network security test as a method of forcing security-related actions and updates to take place within a client’s public network.
This course of action can result in a client’s public internet-facing systems being patched, and the state of the external network changing, during the course of the security test, thereby introducing inconsistency into the results of the security test.
Internet Infrastructure Security Testing Frameworks
The internet security community has produced several internet security testing frameworks that can be consulted for guidance and that set out current best practice for testing the security of networks and infrastructure.
One such framework is the Open Source Security Testing Methodology Manual (OSSTMM) which is a peer-reviewed method for performing security tests; among other areas it focuses on network security testing practice and result recording.
Internet Infrastructure Surveying
The open source tool ‘nmap’ is the standard tool for a network survey, as it can find hosts, identify operating systems and report the version of the software listening on a network port.
Having performed a network survey to find the hosts on the network, and having confirmed that the identified hosts are within the scope of the network infrastructure test, the external network can be port scanned to find the ports that are open on the internet-accessible hosts.
There are roughly 65,000 possible TCP ports and as many UDP ports on a network host, any of which may be open; the extent to which surveying and port scanning is carried out depends on the requirements of the test and the time allocated to these activities.
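The scope confirmation and open-port review described above, as an added example that is not part of the original page: it parses nmap grepable output (`-oG`), separates hosts inside the agreed CIDR ranges from those outside (which must be excluded from further testing), and lists open clear-text or management services for manual follow-up. The scan output is constructed sample data, and the in-scope range and the list of services worth flagging are assumptions.

```python
import ipaddress
import re

# Constructed sample of nmap grepable output (nmap -sV -oG), not a real scan.
# The per-host "Status: Up" lines nmap also emits are omitted for brevity.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.0/28 198.51.100.7
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet///, 443/open/tcp//ssl|https//Apache httpd/\tIgnored State: closed (998)
Host: 198.51.100.7 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)
"""

# One -oG port entry has the form port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
# Assumed list of services the tester wants called out for manual review.
CLEARTEXT_OR_MGMT = {"telnet", "ftp", "pop3", "imap", "snmp"}

def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the "# Nmap ..." header/footer lines
        fields = line.split("\t")         # -oG separates Host/Ports/Ignored State by tabs
        addr = fields[0].split()[1]
        hosts.setdefault(addr, [])
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, service, version in PORT_RE.findall(field):
                    hosts[addr].append((int(port), proto, state, service, version.strip()))
    return hosts

def split_by_scope(hosts, scope_cidrs):
    """Separate surveyed hosts into those inside the agreed CIDRs and those outside."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    in_scope, out_of_scope = {}, []
    for addr, ports in hosts.items():
        if any(ipaddress.ip_address(addr) in n for n in nets):
            in_scope[addr] = ports
        else:
            out_of_scope.append(addr)     # seen in the survey but not agreed with the client
    return in_scope, out_of_scope

def review_notes(in_scope):
    """Flag open (or open|filtered) clear-text or management services for the report."""
    notes = []
    for addr, ports in sorted(in_scope.items()):
        for port, proto, state, service, _version in ports:
            if state.startswith("open") and service in CLEARTEXT_OR_MGMT:
                notes.append(f"{addr}:{port}/{proto} {service} exposed")
    return notes
```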
Internet Infrastructure Vulnerability Detection
Having obtained the relevant information about the network hosts from the survey and port scanning stage, the next stage is typically to find any vulnerabilities that may exist on each network-accessible host.
The commercial tool ‘nessus’, a network security scanner, can be used to automate vulnerability detection because of its extensive collection of scripts for finding known vulnerabilities or weaknesses. The tool produces a list of known vulnerabilities that may exist on a network’s hosts, together with steps that can be taken to resolve them.
To complement automated scanning, the output should be verified manually, using the internet security tester’s knowledge to identify any false positives and to look for any vulnerabilities the scanner missed.
Internet Infrastructure Penetration Testing
Following the identification of any vulnerabilities that may exist in systems on the network, the next stage is to find suitable targets for a penetration attempt. Penetration attempts typically concentrate on a specific set of vulnerabilities and may involve choosing a representative subset based on the role of the identified vulnerable hosts.
Some of the areas covered during the internet network penetration test phase may include the following:
Exploits: After suitable targets have been identified, and provided the security tester has access to appropriately tested exploit material, the penetration attempt is performed. Identifying that a vulnerability exists does not always imply that it can be exploited; a successful penetration attempt is not always possible in practice even though it may be theoretically possible.
This may be due to the lack of suitable exploit material, or to the fact that an exploit has not yet been coded or tested. A variety of exploit frameworks are available in both the open source and commercial domains that provide security testers with tested and reliable exploit material.
Authentication: Internet infrastructure networks carry authentication and credentials as part of their transport function; not all authentication methods are secure, and some transmit authentication data or credentials in clear text. Authentication or login attempts are normal practice in network security tests. Where network services such as IMAP, POP, Telnet, SSH or FTP are running on systems, attempts to find suitable credentials for authentication can be made using various methods such as:
- Dictionary Attack: Using a word list or dictionary file.
- Hybrid Attack: Using variations of the passwords in a word list or dictionary file.
- Brute Force: Using all combinations of characters in a given character set.
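The defender's view of the credential-guessing methods listed above, as an added example that is not part of the original page: it reads sshd failure lines from an auth log, counts failures per source address in a sliding window, and distinguishes repeated guesses against one account (a dictionary or brute-force run) from a spread across many accounts. The log lines are constructed, and the syslog format, the year used to parse timestamps, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd failure lines, in chronological order.
SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 51012 ssh2
Mar 10 02:14:03 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 51014 ssh2
Mar 10 02:14:04 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 51016 ssh2
Mar 10 02:14:06 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 51018 ssh2
Mar 10 02:14:08 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 51020 ssh2
Mar 10 02:20:10 bastion sshd[2300]: Failed password for alice from 198.51.100.23 port 40210 ssh2
Mar 10 02:20:40 bastion sshd[2300]: Failed password for alice from 198.51.100.23 port 40212 ssh2
Mar 10 02:31:00 bastion sshd[2410]: Failed password for invalid user admin from 192.0.2.77 port 40001 ssh2
Mar 10 02:31:02 bastion sshd[2410]: Failed password for invalid user test from 192.0.2.77 port 40003 ssh2
Mar 10 02:31:03 bastion sshd[2410]: Failed password for oracle from 192.0.2.77 port 40005 ssh2
Mar 10 02:31:05 bastion sshd[2410]: Failed password for postgres from 192.0.2.77 port 40007 ssh2
Mar 10 02:31:06 bastion sshd[2410]: Failed password for root from 192.0.2.77 port 40009 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, username, source_ip) for each failed sshd login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def detect_guessing(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: description} for sources with >= threshold failures in the window."""
    recent = defaultdict(deque)   # source_ip -> failure timestamps still inside the window
    users = defaultdict(set)      # source_ip -> distinct usernames attempted
    alerts = {}
    for ts, user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:
            q.popleft()               # slide the window forward
        if len(q) >= threshold and ip not in alerts:
            single = len(users[ip]) == 1
            alerts[ip] = f"guessing against '{user}'" if single else "spraying across accounts"
    return alerts
```

A source that is below the threshold (198.51.100.23 in the sample) is left alone, so ordinary mistyped passwords do not raise an alert.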
Devices: The devices that form the network infrastructure, such as switches, routers and printers, commonly offer management interfaces to the network. These management services, which may include SNMP, routing protocols or web management interfaces, are sometimes left accessible or with their default factory settings in place, giving a security tester the means to attempt to administer components of the core network infrastructure.
Other indicative network and infrastructure related areas that may be included in a network security test are:
- Information Services: DNS, Finger, LDAP, Berkeley r* services.
- Web Servers: Directory enumeration, subsystems and component identification.
- Web Applications: Default accounts, access control, SSL.
- Remote Access: X-Windows, Citrix, RDP, account guessing.
- Email Services: SMTP mail relay, POP & IMAP account enumeration.
- VPN Services: IPSec, PPTP, SSL, connectivity, access control.
The client’s requirements, the scope and the number of systems to be tested all play a part in determining the extent to which these areas are analysed in the course of an internet infrastructure security test.
Security Testing Analysis and Reporting
Following the delivery of an internet infrastructure security test, the next task is to clearly communicate the findings of the security test to the client in the form of a structured and coherent report.
The report may start with an overview including an introduction and scope of the internet infrastructure security test that has been performed for the client. This section may be followed by a management summary specifying the identified security vulnerabilities and risks at a high level.
An in-depth technical findings section details the identified security vulnerabilities and provides recommendations for remedial action to correct or mitigate the security risks.
Indimon Internet Services
Indimon Internet Services has the necessary experience and knowledge to carry out complex, in-depth internet infrastructure security tests. These tests give clients a view of the known weaknesses and identified vulnerabilities in their internet infrastructure. This process assists the client by providing the information needed to decide on the steps that can be taken to improve or enhance the security stance of their internet infrastructure.