CryptoVue Vulnerability Assessment Guidelines

This report is intended to assist a financial institution in performing an independent Vulnerability Assessment of the ERF Wireless CryptoVue System by an outside third-party testing company.

ERF Wireless Enterprise Network Services is offering its customers a solution to secure Microwave network connectivity at a better price point than traditional leased line solutions. Since this traffic is transmitted via microwaves and, therefore, subject to potential eavesdropping, ERF Wireless has incorporated advanced encryption technology in its offering to ensure that traffic passing from one CryptoVue device (IPSec gateway) to another across these microwave segments is secure. ERF Wireless recommends that a financial institution contract with an independent third-party firm to perform a vulnerability assessment on its CryptoVue IPSec gateway devices to determine what, if any, vulnerabilities exist in the current configuration. These devices are intended to operate as dual-controlled, monitored Virtual Private Network (VPN) end-points between each secure location and branch offices within the financial institution’s enterprise network and, as such, require that the financial institution’s data be highly encrypted and secure from attack. It is intended that these CryptoVue devices be placed into facilities operated and controlled by the financial institution and, consequently, physical security falls to the financial institution and its staff.

The CryptoVue device runs the current release of Debian GNU Linux. Debian uses the Linux kernel but most of the basic OS tools come from the GNU Project. The device has two Ethernet network interface cards (NICs), one for the microwave segment and one for the internal segment. It also has a CD-ROM drive and multiple USB ports. The BIOS is password-protected and configured to boot from the hard drive only. The methodology used for the assessment should be to first scan the two network interfaces of the CryptoVue devices to determine what (if any) services are available and then to further test for vulnerabilities in these services. The next action should be to install and run an audit tool designed to test OS-related settings for vulnerabilities that might allow attackers to more easily compromise the system. Third, the characteristics of the CryptoVue device should be tested for physical compromise. This would typically include someone walking up to the system, power cycling it (turning it off then back on) and attempting to boot their own media, mounting the file system and copying critical system files, or attempting to install a "root kit", which would give the attacker control over the system.

Key points in the assessment should include:

1.) Scan for services running on exposed NICs. Conduct the test with tools such as SARA and Nessus. The following services run on a CryptoVue device:

a. Eth0

i. OpenSSH, Daytime, Time, RJE, and Discard

b. Eth1

i.  none

2.) Next, test for OS Hardening with a tool such as TIGER. Verify that the BIOS is password protected.

3.) Physical security

a. Who has access to the device, and what exposure exists to unrestricted access? Verify that the device cannot be booted from an external medium.
b. Verify that network segments servicing the CryptoVue devices are physically secured.
c. Service reliability

i. CryptoVue devices represent a single point of failure. Verify hot spare availability.

Scan the system with tools such as SARA and Nessus. Both are open source Linux-based tools, with Nessus consistently delivering the highest degree of performance in independent tests of popular scanners. Both scanners attempt to identify "open" UDP and TCP/IP ports, the operating system, and versions of "live" services running on the open ports, and then scan for common and known vulnerabilities in the following categories:

  1. Backdoors
  2. CGI Abuses
  3. Denial of Service
  4. Finger abuses
  5. Firewalls
  6. FTP
  7. Gain a shell remotely
  8. Gain root remotely
  9. General
  10. Misc.
  11. NIS
  12. Port scanners
  13. Remote file access
  14. RPC
  15. SMTP problems
  16. SNMP
  17. Useless services
  18. Windows
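The service list in step 1 works as a baseline: any open port outside it, or any listed service that no longer answers, is a finding for the assessment report. The following is an added example, not ERF Wireless code, that compares scan results with that baseline. It assumes the IANA well-known ports for the named services and a hand-transcribed `iface proto/port` input format; both are assumptions, not details from the guideline.

```python
# Baseline from the guideline; ports are the IANA well-known assignments
# (assumption: the guideline names the services, not their port numbers).
IANA_PORTS = {"rje": 5, "discard": 9, "daytime": 13, "ssh": 22, "time": 37}
PORT_TO_SERVICE = {port: name for name, port in IANA_PORTS.items()}
BASELINE = {
    "eth0": {"ssh", "daytime", "time", "rje", "discard"},
    "eth1": set(),  # the guideline lists no services on Eth1
}

def parse_findings(text):
    """Parse 'iface proto/port' lines into {iface: {(proto, port), ...}}."""
    observed = {iface: set() for iface in BASELINE}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        try:
            iface, endpoint = line.split()
            proto, port = endpoint.lower().split("/")
            port = int(port)
        except ValueError:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}") from None
        if iface not in BASELINE or proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError(f"line {lineno}: bad interface, protocol or port")
        observed[iface].add((proto, port))
    return observed

def compare(observed):
    """Return per-interface lists of unexpected ports and missing services."""
    report = {}
    for iface, expected in BASELINE.items():
        seen, unexpected = set(), []
        for proto, port in sorted(observed.get(iface, ())):
            name = PORT_TO_SERVICE.get(port)
            if name in expected:
                seen.add(name)       # documented service is present
            else:
                unexpected.append(f"{proto}/{port}")  # not in the baseline
        report[iface] = {"unexpected": unexpected, "missing": sorted(expected - seen)}
    return report

# Constructed sample findings, transcribed from a scanner report by hand.
SAMPLE = """\
eth0 tcp/22
eth0 tcp/13
eth0 tcp/37
eth0 tcp/9
eth0 tcp/111    # open, but not in the documented baseline
eth1 tcp/8080   # Eth1 is documented as exposing nothing
"""
```

Calling `compare(parse_findings(SAMPLE))` returns the drift per interface; an empty `unexpected` and `missing` list on both interfaces means the scan matches the documented configuration.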

The next step requires root access to a CryptoVue device. ERF Wireless recommends that the login be performed only by employees of the financial institution, and that the root password not be given to outside personnel. The procedure for testing is to first notify ERF Wireless of the test so that the CryptoVue Monitoring System can be disabled from generating alarms.  Next, after root login, install and scan the Linux system with a tool such as TIGER. TIGER was originally developed by the CIS department at Texas A&M University to provide a check of UNIX systems on the campus that could be accessed from off-campus. The CIS department stopped supporting the software and it was picked up by others under the GPL License. Its current release supports numerous versions of Unix/Linux, is more comprehensive, and is used as a security audit and intrusion detection tool. Notify ERF Wireless when the testing is complete.

Finally, the system configuration should be tested against what could be construed as a direct physical attack. A cold boot of the system should be performed using a bootable Linux CD to see if one could mount the file system on the hard drive and write files to it, simulating what an attacker wanting to install a "root kit" or back-door on the system would do.

 

 

 

 


 

2911 South Shore Blvd. Suite 100 • League City, TX 77573
(281) 538-2101 • (800) 538-9050

 

 
