From: redteam@all.net Reply-to: redteam@all.net Organization: Red Team Mailing List Subject: RedTeam Mailing List 980324 
---------------------------------------------
From: Fred Cohen 
Subject: Example RedTeam report

I thought our readers might be interested in reading and commenting on some
parts of some redteam reports I have recently encountered. Needless to say,
the names and some of the details have been changed for anonymity purposes.
Following is a draft executive summary of a redteam report done earlier this
year. Other parts of this report may be released to the list in slightly
altered form if there is interest and if readers find it worthy of comment.

FC

		DRAFT Protection Testing Report 98****

EXECUTIVE SUMMARY:

	In **** of 1998, REDTEAM-GROUP tested the client's network firewalls
for the purposes of (1) determining whether or not they did what they were
supposed to do according to the client's specifications and plans, and (2)
exposing defenders to different methods of attacks to practice their skills
and improve their recognition of and reaction to these methods. These tests
were primarily directed toward the goals of (1) determining whether or not
the firewalls protected against attempts to address internal computers from
outside the firewalls, and (2) determining how effective the firewalls and
the people behind them were at defending against outside attempts to cause
prolonged denial of services.  These tests were intended to be indicative of
attackers with the following properties:

	- Reasonably well-funded - in the range of $100,000 to $500,000 of
	  capabilities and willing to spend $10,000-$100,000 in this attack.
	- With insider knowledge of the firewalls but not able to attain
	  detailed information about authorized users with external access
	  and their passwords.
	- Making a concerted effort with tools slightly better than those
	  widely available over the Internet.
	- Choosing to attack strictly from the Internet with the goal of
	  gaining access to internal machines and/or denying services.
	- Willing to risk detection in order to succeed.

	Based on the tests performed and the information provided, it
appears that there are several weaknesses in the firewalls that are
detectable from the Internet and that could be exploited to gain unlimited
access to internal client networks. The sophistication level necessary to
exploit most of these vulnerabilities is substantial, and the level of
effort required to find them is moderate, but some of these vulnerabilities
appear to be widely known and easily exploitable. Fortunately, most of these
weaknesses can be easily corrected, and overall, the firewalls appear to do
their job reasonably well. While denial of service is feasible, prolonged
denial of service due to firewall failure is not likely with the current
firewall based on the identified threat profile and the people who are
currently employed to support it. Based on these results, the following
actions should be undertaken as soon as possible:

	1) Outer routers should be reconfigured.
	2) Machines within the firewalls should be readjusted.
	3) The people running the firewalls should be better trained.
	4) Some activities within the firewalls should be further investigated.

It would also be prudent to do a detailed examination of firewall components
to determine integrity of all hardware, software, and settings, so as to
assure that no compromise has gone undetected. Alternatively, if risk
management decisions support delays, additional assurance may be provided
during firewall upgrades.

---------------------------------------------