Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: IPSO/Secure Platform audit
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Fri, 19 Aug 2005 09:29:03 -0700

The firewall ruleset analysis should be easy to do in ruling out holes in
your existing rules. However, another thing to consider is an System
Integrity Verification (SIV) tool like fcheck or similar This is assuming
the Nokia is running SunOS and not the appliance version which an SIV
wouldn't apply. SIV's check, and track moving forward, the MD5 hashes of
whatever you want to monitor (usually rootkit targets like modified ls, ps,
top, etc). Any modifications to those binaries will be flagged or blocked
depending on the tool you use.

-Erin Carroll

-----Original Message-----
From: Olasupo Lawal [mailto:lawal () shaw ca] 
Sent: Thursday, August 18, 2005 2:14 PM
To: Dan Rogers
Cc: pen-test () securityfocus com
Subject: Re: IPSO/Secure Platform audit

You can lock down all access to the Nokia Appliance to 
specific source IP addresses (https, SSH). Fpr SSH, you can 
actually specific which interfaces you want the Nokia 
applicnace to accept connections on. You can further restrict 
access using the Check Point Policy.

In addition to this lock down, you can then create a new 
administrator ID, removing all other administrator accounts.. 
That way, any adminbistrators who are unable to log on will 
get a hold of you to find out what may be happening. Any 
other person who has no busienss logging into teh Nokia 
appliance, and who have no business case for continued access 
wil simply let go!

Hope this helps!

Ola

----- Original Message -----
From: Dan Rogers <pentestguy () gmail com>
Date: Thursday, August 18, 2005 6:00 am
Subject: IPSO/Secure Platform audit

Hi list,

I'm currently reviewing a Check point/Nokia box and a 
Secure Platform 
manager. The settings in Voyager are all good, and likewise the Web 
GUI of the SPLAT manager is fine, they're both patched and 
the policy 
is also clean - but I want to ensure the o/s themselves are 
ok. I've 
checked that there aren't any users there shouldn't be in 
/etc/passwd, 
checked there aren't any unknown processes (at least any visible 
ones), any unusual open ports or any strange scripts 
scheduled to run 
in crontab. The firewall logs themselves aren't showing anything 
unusual.

I am concerned that a previous administrator may have left himself 
access by the back-door somehow - but am not in a position 
to rebuild 
them to be sure. What else would you lot check for?

Ta

Dan

-------------------------------------------------------------------
-----------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know 
That You 
Don't

Learn the hacker's secrets that compromise wireless LANs. 
Secure your 
WLAN by understanding these threats, available hacking tools and 
provencountermeasures. Defend your WLAN against man-in-the-Middle 
attacks and session hijacking, denial-of-service, rogue 
access points, 
identity thefts and MAC spoofing. Request your complimentary white 
paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------
------------




--------------------------------------------------------------
----------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know 
That You Don't

Learn the hacker's secrets that compromise wireless LANs. 
Secure your WLAN by understanding these threats, available 
hacking tools and proven countermeasures. Defend your WLAN 
against man-in-the-Middle attacks and session hijacking, 
denial-of-service, rogue access points, identity thefts and 
MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
--------------------------------------------------------------
-----------------

--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.13/78 - Release 
Date: 8/19/2005
 


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.13/78 - Release Date: 8/19/2005
 


------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault