
Acknowledgements - ISEA · Login as Admin/user Go to Manage /CDAC > Setup GUI Access Logon Banner. Page . 3 # Audit Check Current Setting. Checking After providing the wrong c redentials


Acknowledgements

HRD Division

Department of Electronics and Information Technology

Ministry of Communications and Information Technology

Government of India


INTRUSION PREVENTION SYSTEM

AUDITING PROCESS


Security Audit Checklist

# | Audit Check | Current Setting

1. Audit Check: Check for Device Make & Model.

S. No. | Parameter | Current Value

1. | Device Make & Model |

2. Audit Check: Check the hostname configured on the device. How to Check: Login as Admin/user > Go to Devices > /CDAC/COR-IPS > CORE-IPS-CLS > CDAC-R09R02-COR-IPS01 > Summary

Recommended Setting: Hostname should be configured as per the Organization Security Policies.

3. Audit Check: Check the Logon Banner message. How to Check: Login as Admin/user > Go to Manage > /CDAC > Setup > GUI Access > Logon Banner. After providing the wrong credentials, check whether the MOTD message is displayed or not.

Recommended Solution: A proper banner carrying a legal warning should be configured for both pre-login and post-login, as per the “Cyber Security Policies of the Organization”, as a matter of due care.


4. Audit Check: Default username (admin) is active.

How to Check: To check for the default username (admin) on the device, open PuTTY, log in as admin and run the command “userlist”.

Recommended Setting: As per “Organization Security Policies”, the default user name should be renamed before installing any device in the production environment.

5. Audit Check: Check for the account lockout policy. How to Check: Log in as admin using the web interface and go to View mode > Advanced > User Management > Password Policy

Recommended Setting: Implement the password policy and account lockout policy as per “Organization Security Policies” (Ref. Annexure 1).

6. Audit Check: Check the session idle “Timeout” configuration settings. How to Check: Login as admin/user > go to Advanced > System Management > Session

Recommended Setting: As per the Password Management Guidelines for “Organization Security Policies” “Active sessions of a User shall be terminated after pre-defined duration of inactivity, say 15 minutes.”

7. Audit Check: Check the Backup plan for Checkpoint Firewall (Gaia) configuration. How to Check: Login as admin/user > Manage > /CDAC > Maintenance > Backups > Automated Backups

Recommended Setting: As per the “Organization Security Policies”, the device shall be backed up at least once every three months.

8. Audit Check: Check the auto-update settings for IPS Signature Sets. How to Check: Login as admin/user > Manage > /CDAC > Updating > Automatic Updating > IPS Signature Sets

Recommended Setting: Ensure that the latest patches and updates to the firewall components are thoroughly tested and then applied manually to the security device, as per the “Organization Security Policies”.

9. Audit Check: Check the ‘SNMP version’ and default community string. How to Check:

Login as admin/user > Manage > /CDAC/COR-IPS > Setup > Notification > IPS Events > SNMP

Login as admin/user > Manage > /CDAC/COR-IPS > Setup > Notification > Faults > SNMP

Login as admin/user > Manage > /CDAC/COR-IPS > Setup > Notification > User Activity > SNMP

Recommended Setting: SNMPv3 should be used and default community string (for example, “public”) shall not be used as per the “Organization Security Policies”.


10. Audit Check: Check for Primary and Secondary DNS Servers. How to Check: Login as admin/user > Devices > /CDAC/COR-IPS > CORE-IPS-CLS > Setup > Name Resolution

Recommended Setting: Configure DNS servers to ensure the availability of updates, as per “Organization Security Policies”. Configure a secondary DNS server so that name resolution remains available if the primary DNS server fails.

11. Audit Check: Check the ‘Time Zone’ settings. How to Check: Login as admin/user > Devices > /CDAC/COR-IPS > CORE-IPS-CLS > Setup > Time Zone

Recommended Setting: Configure Time Zone to local time zone (IST).

12. Audit Check: Check whether alerts are enabled or not for each type of event / fault. How to Check:

Login as admin/user > Manage > /CDAC/COR-IPS > Setup > Notification > IPS Events > Summary

Login as admin/user > Manage > /CDAC/COR-IPS > Setup > Notification > IPS Events > E-mail

Login as admin/user > Manage > /CDAC/COR-IPS > Setup > Notification > IPS Events > Pager

Login as admin/user > Manage > /CDAC/COR-IPS > Setup > Notification > Faults > Summary

Login as admin/user > Manage > /CDAC/COR-IPS > Setup > Notification > Faults > Syslog

Login as admin/user > Manage > /CDAC/COR-IPS > Setup > Notification > Faults > E-Mail

Recommended Setting: Alerts should be configured to raise an alarm and inform the concerned administrator of any incident, fault or error. If no action is taken within a predefined time period, a subsequent alert should be raised (escalated) to higher authorities.

13. Audit Check: Check for AAA authentication, TACACS server authentication or RADIUS server authentication. How to Check: Login as admin/user > Devices > /CDAC/COR-IPS > CORE-IPS-CLS > Setup > Remote Access > TACACS+. Login as admin/user > Manage > /CDAC > Setup > External Authentication > Summary

Recommended Setting: Implement an “AAA” authentication mechanism: an AAA server centralizes user configuration and other administration tasks, which is convenient for a large network. Create a separate username and password for each user of the network team. Sharing of usernames and passwords should be strongly discouraged.

14. Audit Check: Check the NTP settings for device time synchronization. How to Check: Login as admin/user > Devices > /CDAC/COR-IPS > CORE-IPS-CLS > Setup > NTP

Recommended Setting: As per the “Organization Security Policies”, time and date synchronization should happen with the centrally managed NTP server.

15. Audit Check: Check the Password Policy settings. How to Check: Login as admin/user > Manage > /CDAC > Setup > GUI Access > Password Control

Recommended Setting: Implement the password policy and account lockout policy as per “Organization Security Policies”.


16. Audit Check: Check that IPS logging is enabled for most of the available options. How to Check:

Login as admin/user > Devices > Global > /CDAC/COR-IPS > Default Device Settings > IPS Devices > IPS Event Logging

Login as admin/user > Devices > /CDAC/COR-IPS > CORE-IPS-CLS > Setup > Quarantine > Logging

Login as admin/user > Devices > /CDAC/COR-IPS > CORE-IPS-CLS > Setup > Logging > Firewall Access Logging

Recommended Setting: Logging should be enabled as per the “Organization Security Policies”.


17. Audit Check: Check for ‘Advanced Traffic Inspection’, ‘HTTP Response Scanning’ and ‘Advanced botnet detection’. How to Check: Login as admin/user > Devices > /CDAC/COR-IPS > CORE-IPS-CLS > IPS Interfaces > 1A-1B > Protection Profile

Recommended Setting: Inspection for all inbound and outbound traffic should be enabled.


18. Audit Check: Check for comments/descriptions on rule objects and policy rules. How to Check:

Login as admin/user > Policy > /CDAC/COR-IPS > Intrusion Prevention > Objects > Rule Objects

Login as admin/user > Policy > /CDAC/COR-IPS > Intrusion Prevention > Exceptions > Rule Objects

Login as admin/user > Policy > /CDAC/COR-IPS > Intrusion Prevention > Firewall Policies

Recommended Setting: All rule objects and policy rules should carry details such as creation date, validity, authorized by and the purpose of creation in the description field.

19. Audit Check: Check redundancy (high availability) at device level. How to Check: Login as admin/user > Devices > Global > /CDAC/COR-IPS > Failover Pairs

Recommended Setting: Device should be configured in High Availability mode to provide redundancy and to overcome the problem of single point of failure.

20. Audit Check: Check the sensor action to block traffic in attack categories. How to Check: Login as Admin/User > Policy > /CDAC/COR-IPS > Intrusion Prevention > IPS Policies > select any policy > select any attack

Recommendations: The ‘Block traffic’ action should be enabled for all unwanted traffic, and the Manager should raise an alert for all unwanted activities.

21. Audit Check: Check the IPS Policies for the attack categories ‘DOS Threshold Attack’, ‘Exploit’, ‘Policy Violation’ and ‘Reconnaissance Correlation’. How to Check:

Login as Admin/User > Policy > /CDAC/COR-IPS > Intrusion Prevention > IPS Policies > select any policy > check the state of Policy Violation

Login as Admin/User > Policy > /CDAC/COR-IPS > Intrusion Prevention > IPS Policies > select any policy > check the state of DOS Threshold Attack

Recommendation: Configure/enable the IPS Policies for the attack categories DOS Threshold Attack, Exploit, Policy Violation and Reconnaissance Correlation.


27. Audit Check: Check the device policy options ‘advanced malware policy’, ‘Connection Limiting’ and ‘Quality of service’. How to Check:

Login as Admin/User > Policy > /CDAC/COR-IPS > Intrusion Prevention > QoS Policies

Login as Admin/User > Policy > /CDAC/COR-IPS > Intrusion Prevention > Connection Limiting Policies

Login as Admin/User > Policy > /CDAC/COR-IPS > Intrusion Prevention > Advanced Malware > Advanced Malware Policies

Recommended Solution: For optimized use of the device, configure all available policy options (advanced malware policy, Connection Limiting and Quality of service).


28. Audit Check: Check anti-spoofing for both inbound and outbound traffic. How to Check: Login as Admin/User > Devices > /CDAC/COR-IPS > CORE-IPS-CLS > Policy > Advanced > Anti-Spoofing

Recommended Solution: Anti-spoofing feature should be enabled for both Inbound and Outbound traffic.


Annexure 1

Password Policy: It is recommended to enforce the Password Policy settings shown below.

Password Policy for User:

S. No. | Policy | Secure Setting

Password Policy
1. | Enforce Password History | 24 Passwords
2. | Maximum Password Age | 120 Days
3. | Minimum Password Age | 1 Days
4. | Minimum Password Length | 10 Characters
5. | Passwords Must Meet Complexity Requirements | Enabled
6. | Store Password Using Reversible Encryption | Disabled

Account Lockout Policy
7. | Account Lockout Duration | 30 Minutes
8. | Account Lockout Threshold | 5 Invalid Login Attempts
9. | Reset Account Lockout Threshold After | 30 Minutes

Password Policy for Administrator:

S. No. | Policy | Secure Setting

Password Policy
1. | Enforce Password History | 24 Passwords
2. | Maximum Password Age | 120 Days
3. | Minimum Password Age | 1 Days
4. | Minimum Password Length | 15 Characters
5. | Passwords Must Meet Complexity Requirements | Enabled
6. | Store Password Using Reversible Encryption | Disabled

Account Lockout Policy
7. | Account Lockout Duration | 30 Minutes
8. | Account Lockout Threshold | 3 Invalid Login Attempts
9. | Reset Account Lockout Threshold After | 30 Minutes
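As an added example (not part of the ISEA/C-DAC checklist or of any device's policy engine), the Annexure 1 password and account-lockout settings for both roles modelled in Python, so an auditor can see how the lockout threshold, the lockout duration and the reset window interact, which is what audit checks 5 and 15 verify on the device. Assumptions: "complexity requirements" is read as at least three of four character classes, the clock is an abstract count of minutes, and the dictionary layout is the example's own.

```python
"""Reference model of the Annexure 1 password and account-lockout settings
(added example; values are the annexure's, the structure is an assumption)."""
import re

POLICY = {
    "user":  {"history": 24, "min_len": 10, "lockout_threshold": 5,
              "lockout_minutes": 30, "reset_minutes": 30},
    "admin": {"history": 24, "min_len": 15, "lockout_threshold": 3,
              "lockout_minutes": 30, "reset_minutes": 30},
}

def password_meets_policy(password, role, previous):
    """Minimum length, complexity and 'enforce password history' for one role.
    Complexity is assumed to mean at least three of four character classes."""
    p = POLICY[role]
    if len(password) < p["min_len"]:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, password)) < 3:
        return False
    return password not in previous[-p["history"]:]   # last 24 passwords may not be reused

class Lockout:
    """Per-account lockout state; `now` is a clock in minutes (modelling assumption)."""
    def __init__(self, role):
        self.role = role
        self.failures = 0          # consecutive invalid attempts inside the reset window
        self.first_failure = 0.0   # when the current run of failures started
        self.locked_until = 0.0    # end of the current lockout, if any

    def attempt(self, now, credentials_ok):
        """Return 'ok', 'denied' or 'locked' for one logon attempt at time `now`."""
        p = POLICY[self.role]
        if now < self.locked_until:
            return "locked"        # inside Account Lockout Duration: even valid credentials fail
        if self.failures and now - self.first_failure >= p["reset_minutes"]:
            self.failures = 0      # Reset Account Lockout Threshold After 30 minutes
        if credentials_ok:
            self.failures = 0
            return "ok"
        if self.failures == 0:
            self.first_failure = now
        self.failures += 1
        if self.failures >= p["lockout_threshold"]:
            self.locked_until = now + p["lockout_minutes"]
            self.failures = 0
            return "locked"        # the threshold-th failure triggers the lockout
        return "denied"
```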


CONTRIBUTED BY:

1. Mr Ch A.S Murty

2. Mr Tyeb Naushad

3. Mr Devi Satish

4. Mr Shrinath Rusia

5. Ms Vertika Singh

6. Mr Vinay Kumar

C-DAC, Hyderabad
