From: redteam@all.net
Reply-to: redteam@all.net
Organization: Red Team Mailing List
Subject: RedTeam Mailing List 980324
---------------------------------------------
From: Fred Cohen
Subject: Example RedTeam report

I thought our readers might be interested in reading and commenting on some parts of some redteam reports I have recently encountered. Needless to say, the names and some of the details have been changed for anonymity purposes. Following is a draft executive summary of a redteam report done earlier this year. Other parts of this report may be released to the list in slightly altered form if there is interest and if readers find it worthy of comment.

FC

DRAFT Protection Testing Report 98****

EXECUTIVE SUMMARY:

In **** of 1998, REDTEAM-GROUP tested the client's network firewalls for the purposes of (1) determining whether or not they did what they were supposed to do according to the client's specifications and plans, and (2) exposing defenders to different methods of attacks to practice their skills and improve their recognition of and reaction to these methods.

These tests were primarily directed toward the goals of (1) determining whether or not the firewalls protected against attempts to address internal computers from outside the firewalls, and (2) determining how effective the firewalls and the people behind them were at defending against outside attempts to cause prolonged denial of services.

These tests were intended to be indicative of attackers with the following properties:

- Reasonably well-funded - in the range of $100,000 to $500,000 of capabilities and willing to spend $10,000-$100,000 in this attack.
- With insider knowledge of the firewalls but not able to attain detailed information about authorized users with external access and their passwords.
- Making a concerted effort with tools slightly better than those widely available over the Internet.
- Choosing to attack strictly from the Internet with the goal of gaining access to internal machines and/or denying services.
- Willing to risk detection in order to succeed.
Based on the tests performed and the information provided, it appears that there are several weaknesses in the firewalls that are detectable from the Internet and that could be exploited to gain unlimited access to internal client networks. The sophistication level necessary to exploit most of these vulnerabilities is substantial, and the level of effort required to find them is moderate, but some of these vulnerabilities appear to be widely known and easily exploitable. Fortunately, most of these weaknesses can be easily corrected, and overall, the firewalls appear to do their job reasonably well. While denial of service is feasible, prolonged denial of service due to firewall failure is not likely with the current firewall based on the identified threat profile and the people who are currently employed to support it.

Based on these results, the following actions should be undertaken as soon as possible:

1) Outer routers should be reconfigured.
2) Machines within the firewalls should be readjusted.
3) The people running the firewalls should be better trained.
4) Some activities within the firewalls should be further investigated.

It would also be prudent to do a detailed examination of firewall components to determine integrity of all hardware, software, and settings, so as to assure that no compromise has gone undetected. Alternatively, if risk management decisions support delays, additional assurance may be provided during firewall upgrades.
---------------------------------------------