Penetration Testing

imuonagor · ‎09-10-2008

My financial services company has contracted an external auditing firm to carry out a Penetration Testing on our network.

Can someone put me through on what Penetration testing will seek to test on our network and steps I should take to secure the network and prevent succesfuly penetration. We have Pix 525 Firewalls and IPS.

Thanks a million in advance.

suschoud · ‎09-10-2008

Here are few commands which should make the pix/asa more secure ( other then the security provided by DEFAULT PIX/ASA CONFIG ) :

__________________________________________________________________

ASA5510-Single(config)# ip verify reverse-path interface inside

ASA5510-Single(config)# ip verify reverse-path interface prodDMZ

ASA5510-Single(config)# ip verify reverse-path interface stageDMZ

ASA5510-Single(config)# ip verify reverse-path interface extrDMZ

ASA5510-Single(config)# ip verify reverse-path interface outside

ASA5510-Single(config)# ip audit attack action drop

ASA5510-Single(config)# ip audit info action drop

__________________________________________________________________

You can get the details of these commands in the link below :

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/cmd_ref

.html

imuonagor · ‎09-22-2008

Thanks a million Suschoud.

I still have issues though. I took all icmp permissions off our access-lists but i noticed that nmap scans which depend on icmp still go.

I wish I could stop any nmap or nessus traffic from ever passing through the firewall. Any commands i could use?

Thanks again.

Ifeanyi

cleidh_mor · ‎09-11-2008

Hi,

It will depend on the type of pen test that has been commissioned. A black box test is where the contractor is given nothing more than, say, the company name and they will attempt to gain unauthorised access to your systems using a variety of techniques, possibly including social engineering.

A white box test means that the contractor will have more detailed inside information and they may be able to tailor their attacks to your particular system. It all depends on how far the contractor is allowed to go.

You should watch out primarily for recon attacks such as port scans on your external firewalls. That will give you a heads up that the test is in progress. In terms of securing against it, make sure that your firewalls are as tight as possible.

Keep a very close eye on your IPS console, and of course follow the procedures in your security policy when you notice anything suspicious - that's part of the test.

HTH

imuonagor · ‎09-22-2008

Thanks Cleidh,

It's most likely white box because we supplied our devices' ip addresses to the contractor.

You mentioned I should watch out for reckon attacks such as port scans... how do i identify these on the Firewall logs?

I've done some scans using nmap and saw a few ports open. How can I close these ports?

Lastly you mentioned I should make sure the Firewalls are as tight as possible. How can i do this?

Thanks a million for your help.

Ifeanyi

mhellman · ‎09-11-2008

As already mentioned, the breadth and quality of a 3rd party penetration testing varies depending on the goal (and how much you paid). Typically, if it's the "certify that we're compliant on a quarterly basis" kind of pen test, it involves little more than a vulnerability scan with something like Nessus (and hardly any manual verification). You should be doing that already, so no big deal right;-)

At the other end of the spectrum, they may do do social engineering, physical attacks like trying to get into a building or dropping usb sticks in the parking lot and "intelligent human being" application-level testing (SQL injection, XSS, etc). IMO, the further up the stack they get (app-level testing) the less likely you'll be able to detect/stop at the network layer. A simple thing called SSL/TLS usually prevents your IPS from being useful at all. All of this is almost always coordinated well in advance because the 3rd party has to protect itself.

Is there an expectation that they'll be testing your security controls (i.e. firewall and IPS)? I would recommend a pre-emptive Nessus scan of your external network.