What is Network Vulnerability Testing ?

Introduction

Network penetration testing—using tools and processes to scan the network environment for vulnerabilities—helps refine an enterprise’s security policy, identify vulnerabilities, and ensure that the security implementation actually provides the protection that the enterprise requires and expects.Regularly performing penetration tests helps enterprises uncover network security weaknesses that can lead to data or equipment being compromised or destroyed by exploits (attacks on a network, usually by "exploiting" avulnerability of the system),Trojans (viruses), denial of service attacks, and other intrusions.

Testing also exposes vulnerabilities that may be introduced by patches and updates or by misconfigurations on servers, routers, and firewalls.

Penetration Testing Overview

The overall objective of penetration testing is to discover areas of the enterprise network where an intruder can exploit security vulnerabilities. Different types of penetration testing are necessary for different types of network devices. For example, a penetration test of a firewall is different from a penetration test of a typical user’s machine. Even a penetration test of devices in the DMZ (demilitarized zone) is different from performing a scan to see if network penetration is possible.The type of penetration test should be weighed against the value of the data on the machine being tested and the need for connectivity to a given service.

The penetration testing process has three primary components:

• Defining the scope

• Performing the penetration test

• Reporting and delivering results

Step 1: Defining the Scope

Before a penetration test can be launched, the enterprise must define the scope of the testing.This step includes determining the extent of testing, what will be tested, from where it will be tested, and by whom.

Full-Scale vs.Targeted Testing

An enterprise must decide whether to conduct a full-scale test of the entire network or to target specific devices, such as the firewall. It is usually best to do both in order to determine the level of exposure to the public infrastructure, as well as the security of individual targets. For example, firewall policies are often written to allow certain services to pass through them.The security for those services is placed on the device performing those services and not at the firewall.Therefore, it is necessary to test the security of those devices as well as the firewall. Some of the specific targets that should be considered for penetration testing are firewalls, routers,Web servers, mail servers, FTP servers, and DNS servers.

Devices, Systems, and Passwords

In defining the scope of the project, the enterprise must also decide on the range of testing. For example, is it looking only for vulnerabilities that could lead to a compromise of a device, or is it also looking for susceptibility to denial of service attacks? In addition, the enterprise must decide whether it will allow its password file to be hacked by the security team to test its users’ choice of passwords, and whether it will subject its devices to password grinding across the network.

Remote vs. Local Testing

Next, the enterprise must decide whether the testing will be performed from a remote location across the Internet or onsite via the local network. This decision is dictated to a large degree by the targets that are selected for testing and by the current security implementations. For example, a remote test of a machine behind a firewall that hides network address translation for Internet access will fail if the firewall appropriately prevents access to the machine. However, testing the same firewall to see if it will protect users’ computers from a remote scan will be successful.

In-House vs. Outsourced Testing

After the scope of the testing has been determined, the IT team must decide whether to use in-house resources to perform the testing or to hire outside consultants. In-house testing should be chosen only if an enterprise lacks the funds to hire outside consultants, or if the data is so sensitive that no one outside the company should view it. In all other cases, hiring outside consultants is recommended. Outside security consultants are highly trained and have worked with hundreds of different networks, bringing specific expertise and broad experience to the testing process. In addition, they help ensure an unbiased and complete testing procedure. Security
consultants continuously research new vulnerabilities, invest in and understand the latest security testing hardware and software, recommend solutions for resolving problems, and provide additional personnel for the testing process. Enterprises can leverage the experience and resources of outside security consultants to help ensure thorough, properly executed penetration tests.

Step 2: Performing the Penetration Test

Proper methodology is essential to the success of the penetration test. It involves gathering information and then testing the target environment. The testing process begins with gathering as much information as possible about the network architecture, topology, hardware, and software in order to find all security vulnerabilities. Researching public information such as Whois records, SEC filings, business news articles, patents, and trademarks not only provides security engineers with background information, but also gives insight into what information hackers can use to find vulnerabilities. Tools such as ping, traceroute, and nslookup can be used to retrieve information from the target environment and help determine network
topology, Internet provider, and architecture.Tools such as port scanners, NMAP, SNMPC, and NAT help determine hardware, operating systems, patch levels, and services running on each target device.

Three Level of Testing Services:

Common Vulnerability Assessment (CVA)

The CVA is a remote security assessment that focuses on the services that are most commonly misconfigured by personnel and are most commonly exploited by intruders. It also focuses on the most probable means of unauthorized access. A professional security engineer not only interprets the scanner output but also creates an executive summary and recommendations report.

Secure Device Assessment (SDA)

The SDA is an on-location device configuration assessment that includes architectural review of device deployment, operating system configuration, and device and policy configuration.This assessment is similar to an audit, except that it includes scanning services, when necessary.

Secure Exploit Assessment (SEA)

This penetration study encompasses all aspects of the CVA and also includes the following features: additional vulnerability research, DNS auditing, full enumeration including NetBios and Windows NT- and Unix-specific issues, penetration attempts with multi-stage attacks, and custom attack methodologies. Additional options include "brute force" password cracking and grinding, blind scanning(attacker perspective),"war dialing," and testing for denial of service attacks and social engineering (manipulating users to obtain confidential information such as passwords).