Sample Network Assessment

Title Page

(Sample)
Network Audit for the Advanced Technology Laboratory (ATL)


Gurney Halleck
Nov. 17, 2000

Table of Contents

  1. Executive Summary
  2. Audit Goals and Objectives
  3. Audit Methodology
  4. Audit Context
  5. Potential Vulnerabilities and Suggested Corrective Actions
  6. Appendix
  7. Glossary

Executive Summary

The Advanced Technology Laboratory (ATL) is a self-contained and self-supporting network subdomain, atl.yoyodyne.com. It maintains its own DNS server (cerebus) and its own NIS domain (atl). The network is composed of approximately 30 hosts running various operating systems, including Solaris, Linux, OpenBSD, Windows NT and a single machine running Mac OS X.

Of the 21 hosts audited, 11 carry a High risk rating because they run possibly exploitable services. For each of these, the patch level of the affected service should be manually verified and corrected, or the service should be evaluated for removal.

Additional Medium and Low risk items were discovered. These should also be manually verified, corrected, or reviewed against the current security stance.

Audit Goals and Objectives

The primary objective of this audit is to discover networking and security deficiencies in the ATL network.

Audit Methodology

Auditing was done via manual inspection using such tools as nmap, ping and traceroute.

Automated inspection was done using Saint.

Physical access was provided, as were accounts on local hosts and the NIS domain.

Audit Context

The Advanced Technology Laboratory (ATL) is a self-contained and self-supporting network subdomain, atl.yoyodyne.com. It maintains its own DNS server (cerebus) and its own NIS domain (atl). The network is composed of approximately 30 hosts running various operating systems, including Solaris, Linux, OpenBSD, Windows NT and a single machine running Mac OS X.

The network is 100baseT switched Ethernet on the 167.35.53.0/26 subnet. The broadcast address is designated as 167.35.53.64 and the gateway is 167.35.53.62. The predominant networking protocol is TCP/IP over Ethernet.

The machines Hawthorn and Rowan are the master and backup servers for the NIS domain atl.

A Beowulf cluster of 20 machines shares a separate 100baseT switched network on the 172.20.0.0/16 subnet, which is reachable only after logging on to the Beowulf head node (167.35.53.13). The head node does not forward packets to the internal 172.20.0.0/16 subnet. 172.20.0.0/16 falls within 172.16.0.0/12, one of the IANA-reserved address blocks for private intranets. The Beowulf subnet was excluded from this audit.
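An added example, not part of the original audit, that cross-checks the address plan stated above with Python's standard ipaddress module: it derives the network, broadcast and usable range from the /26 prefix, tags inventory entries as gateway, broadcast, in-subnet host or outlier, and confirms the Beowulf subnet lies in the private block. The sample inventory entries are copied from the Active Hosts list in this report.

```python
import ipaddress

# Figures taken from the Audit Context section of this report.
ATL_SUBNET = ipaddress.ip_network("167.35.53.0/26")
ATL_GATEWAY = ipaddress.ip_address("167.35.53.62")
BEOWULF_SUBNET = ipaddress.ip_network("172.20.0.0/16")
PRIVATE_BLOCK = ipaddress.ip_network("172.16.0.0/12")  # IANA-reserved block cited above

# Sample input: four entries copied from the Active Hosts list.
SAMPLE_HOSTS = [
    ("cerebus.atl.yoyodyne.com", "167.35.53.1"),
    ("beowulf.atl.yoyodyne.com", "167.35.53.13"),
    ("holly.atl.yoyodyne.com", "167.35.53.43"),
    ("gwr2.nba.yoyodyne.com", "167.35.53.62"),
]


def subnet_facts(net):
    """Network, broadcast and usable range implied by a CIDR prefix.
    Compare these against the figures written in the report."""
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(net.network_address + 1),
        "last_usable": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,
    }


def classify_hosts(net, gateway, hosts):
    """Tag each (name, ip) pair as gateway, broadcast, host or outside-subnet.
    Outliers mean either an inventory typo or a host on another segment,
    both of which the auditor should resolve before scanning."""
    result = {}
    for name, ip in hosts:
        addr = ipaddress.ip_address(ip)
        if addr == gateway:
            result[name] = "gateway"
        elif addr == net.broadcast_address:
            result[name] = "broadcast"
        elif addr in net:
            result[name] = "host"
        else:
            result[name] = "outside-subnet"
    return result


def is_private_subnet(net):
    """True when the subnet lies entirely inside the 172.16.0.0/12 private block."""
    return net.subnet_of(PRIVATE_BLOCK)
```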

Network Map

Not provided for external access.

Active Hosts

The following hosts were active (as reported by nmap) during the audit:

cerebus.atl.yoyodyne.com (167.35.53.1) - Solaris 2.5, 2.5.1
chestnut.atl.yoyodyne.com (167.35.53.2) - Solaris 8
alder.atl.yoyodyne.com (167.35.53.3) - Solaris 2.5, 2.5.1
elm.atl.yoyodyne.com (167.35.53.4) - Solaris 2.5, 2.5.1
hawthorn.atl.yoyodyne.com (167.35.53.5) - Solaris 2.5, 2.5.1
hazel.atl.yoyodyne.com (167.35.53.6) - Solaris 2.5, 2.5.1
willow.atl.yoyodyne.com (167.35.53.7) - OpenBSD 2.6
erwin.atl.yoyodyne.com (167.35.53.8) - Linux 2.1.122 - 2.2.16
mulberry.atl.yoyodyne.com (167.35.53.10) - OpenBSD 2.6
oak.atl.yoyodyne.com (167.35.53.11) - Solaris 2.5, 2.5.1
rowan.atl.yoyodyne.com (167.35.53.12) - Solaris 2.5, 2.5.1
beowulf.atl.yoyodyne.com (167.35.53.13) - Linux 2.1.122 - 2.2.16
cluster.atl.yoyodyne.com (167.35.53.14) - Windows NT4
blackbox.atl.yoyodyne.com (167.35.53.15) - OpenBSD 2.6
atlhub.atl.yoyodyne.com (167.35.53.16) - 3Com SuperStack II
furby.atl.yoyodyne.com (167.35.53.17) - Mac OS X
redbox.atl.yoyodyne.com (167.35.53.21) - OpenBSD 2.6
bluebox.atl.yoyodyne.com (167.35.53.22) - OpenBSD 2.6
kerberos.atl.yoyodyne.com (167.35.53.23) - OpenBSD 2.6
infowar.atl.yoyodyne.com (167.35.53.29) - Sun Solaris 8
holly.atl.yoyodyne.com (167.35.53.43) - Printer
swr2-1.nba.yoyodyne.com (167.35.53.61) - Cisco Catalyst 1900 switch
gwr2.nba.yoyodyne.com (167.35.53.62) - Cisco Router/Switch
(167.35.53.63) - broadcast address

Servers

DNS: Cerebus
FTP: Alder, Bluebox, Cerebus, Elm, Hawthorn, Hazel, Kerberos, Mulberry, Oak, Rowan, Willow, Chestnut, Infowar
POP, IMAP: Elm, Rowan
NIS: Hawthorn, Rowan
NFS: Alder, Cerebus, Elm, Hawthorn, Hazel, Oak, Rowan, Chestnut
SMTP: Alder, Cerebus, Elm, Hawthorn, Hazel, Kerberos, Mulberry, Oak, Rowan, Willow, Chestnut, Infowar, Beowulf, Erwin
R Services: Alder, Bluebox, Cerebus, Elm, Hawthorn, Hazel, Kerberos, Oak, Rowan, Chestnut, Infowar
Telnet: Alder, Bluebox, Cerebus, Elm, Hawthorn, Hazel, Kerberos, Oak, Rowan, Chestnut, Infowar
WWW: Alder, Infowar, Cluster
WWW (non-standard port webcache): Elm
XDM: Chestnut, Infowar

Potential Vulnerabilities and Suggested Corrective Actions

The following potential vulnerabilities were found during the audit.

Potential Root Access via Buffer Overflow (Rating High)

Alder
Chestnut
Cerebus
Elm
Hawthorn
Hazel
Kerberos
Mulberry
Oak
Rowan
Willow

Corrective Action:

Potential User shell Problems (Rating: High)

Alder

Corrective Action:

Information Gathering (Rating: Medium)

Alder, Blackbox, Bluebox, Chestnut, Cerebus, Elm, Hawthorn, Hazel, Infowar, Kerberos, Mulberry, Oak, Redbox, Rowan, and Willow
Alder, Blackbox, Bluebox, Chestnut, Cerebus, Elm, Hawthorn, Hazel, Kerberos, Mulberry, Oak, Redbox, Rowan, and Willow

Corrective Actions:

Potential Vulnerabilities: (Rating: Medium/Low)

Alder
Bluebox
Chestnut
Cluster
Cerebus
Elm
Hawthorn
Hazel
Infowar
Kerberos
Oak
Rowan

Additional Recommendations

R Services (Rating: Medium)

The use of R services (rsh, rlogin, rexec, rcp) should be reviewed against the current security stance. R service sessions are carried in cleartext and are therefore vulnerable to sniffing, and user misconfiguration can facilitate a compromise.

FTP and Telnet (Rating: Medium)

FTP and Telnet services should be reviewed against the current security stance. Both services carry credentials and session data in cleartext and are therefore vulnerable to sniffing. They could be replaced by SSH and SCP, which provide encrypted authentication and sessions.

XDM (Rating: Medium/Low)

XDM service on Chestnut and Infowar should be reviewed against the current security stance.

WWW (non-standard port webcache) (Rating: Investigate)

This should be investigated on Elm.

ATL Switch (atlhub) (Rating: Medium)

The configuration of the ATL switch (atlhub.atl.yoyodyne.com) can be accessed via Telnet or WWW. Both interfaces are password protected, but neither provides session encryption, so there is a potential for session hijacking or sniffing of the administrative password. Options include disabling remote administration or using a switch that provides encrypted management sessions (SSH/SSL).

SNMP (Rating: Medium/Low)

Default or guessable SNMP community names with write access to MIB entries exist. It is suggested that write access be disabled or that the community names be changed to non-guessable values.

Echo and Chargen Services (Rating: Medium/Low)

Echo and chargen, or other pairs of UDP services that answer every datagram they receive, can be used in tandem to generate a traffic flood between hosts. These services should be reviewed for removal.

Smurf Amplification (Rating: Medium/Low)

ICMP packets addressed to the broadcast address are not filtered, so the subnet could be used as an amplifier in a denial of service attack. Solutions could include a router that filters directed broadcasts.
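The "review for removal" recommended under the R Services, FTP and Telnet, and Echo and Chargen items above is, on the Solaris and OpenBSD hosts in this inventory, largely a matter of editing /etc/inetd.conf. This added example, not part of the original audit, reviews a constructed inetd.conf (not copied from any ATL host) against those findings and returns a copy with the matching lines commented out, together with a finding list carrying the ratings this report assigns.

```python
# Constructed sample inetd.conf in the classic format: service socket proto wait user server args.
SAMPLE_INETD_CONF = """\
# service  socket  proto  wait/nowait  user  server  args
ftp      stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet   stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
shell    stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
login    stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
exec     stream  tcp  nowait  root  /usr/sbin/in.rexecd   in.rexecd
echo     dgram   udp  wait    root  internal
chargen  dgram   udp  wait    root  internal
#finger  stream  tcp  nowait  nobody /usr/sbin/in.fingerd in.fingerd
"""

# inetd service name -> (finding in this report, rating, reason it is flagged)
FINDINGS = {
    "ftp":     ("FTP and Telnet", "Medium", "cleartext logins; replace with SCP/SSH"),
    "telnet":  ("FTP and Telnet", "Medium", "cleartext logins; replace with SSH"),
    "shell":   ("R Services", "Medium", "rsh: cleartext, trust misconfiguration risk"),
    "login":   ("R Services", "Medium", "rlogin: cleartext, trust misconfiguration risk"),
    "exec":    ("R Services", "Medium", "rexec: cleartext, trust misconfiguration risk"),
    "echo":    ("Echo and Chargen", "Medium/Low", "UDP flood amplifier"),
    "chargen": ("Echo and Chargen", "Medium/Low", "UDP flood amplifier"),
}


def review_inetd(conf_text):
    """Return (findings, hardened_text).

    findings: one (service, finding, rating, reason) tuple per active line whose
    service name appears in FINDINGS.  hardened_text: the same file with those
    lines commented out; lines already commented and unknown services are kept as-is.
    """
    findings, out = [], []
    for line in conf_text.splitlines():
        fields = line.split()
        active = bool(fields) and not fields[0].startswith("#")
        if active and fields[0] in FINDINGS:
            finding, rating, reason = FINDINGS[fields[0]]
            findings.append((fields[0], finding, rating, reason))
            out.append("#" + line)  # disabled pending review against the security stance
        else:
            out.append(line)
    return findings, "\n".join(out) + "\n"
```

Applying the hardened file still requires restarting or signalling inetd, and any service removed should be re-checked with nmap afterwards, as in the audit methodology.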

Appendix

Add any additional required information here (example: Saint Report)

Glossary

A standard and/or expanded Glossary would be inserted here.


shrdlu AT deaddrop DOT org

Last modified: Sat Jun 7 19:45:47 PDT 2003