
We found a large company that has not done any information security for 5 years and is still alive


About 5-6 years ago there was a really good admin who set the network up like clockwork and equipped it with hardware that was modern at the time, from the budget segment. The administrator made up for the lack of budget with good configs and sound architecture. It is clear that a lot of work went into it.

Then the company split in two, expanded, and the whole thing changed hands a couple of times, and all that time the network was held together with crutches. Since IT is not our client's core business, the situation is understandable. There are plenty of places like that, but for a large network (a geographically distributed company with dozens of branches) to last 5 years in this state is something I have never seen before.

Actually, it did not last. We were called in to audit the network infrastructure after a confirmed break-in: their databases, with everything that constitutes a trade secret, were simply downloaded. More precisely, they surfaced in the wrong hands.

The circumstances, parts of the topology and other details have been altered slightly so that the customer cannot be identified. Nevertheless, the post is based on real events and is as close to reality as our security people allowed.

The company consists of the main production site (the server node is in the same place) and dozens of branches across the country. The branches have thin clients that connect over VPN + RDP to the server node, where the users actually work. The branches also have equipment that uses the services and databases of the central site. If a branch loses its connection, it simply goes dead until the network comes back.

The network: several dozen prehistoric switches, dust-covered "dumb" routers and an MPLS L3 VPN service from the provider for transferring data between sites.

The root switch belongs to another company


As I said, a few years ago the company was divided into two independent and slightly competing companies. The network parts stayed shared, because at the time they decided not to split them. Strange but logical result: the root switch belongs to the competitors. The competitors' users can send jobs to the network printers, the competitors' admins can, with some effort, browse the network shares, and so on. The video surveillance archive servers are still shared in general. The lab mini cluster too. Aaand...

No firewall!


The networks are not segregated. More precisely, sort of: at the junction there is an old piece of hardware which, before next-generation firewalls came along, was also used for protection. In effect it works as a plain stateful firewall. Traces of a proper config were found on it, commented out, because apparently at some point they got in the way of expanding the network.

Common problems


Here are excerpts from the report:


OpenVPN remote access (Debian Linux 8). Depending on the connection port, different routes are pushed to different clients as split tunneling, thereby implicitly allowing remote connections access only to certain networks. But the client can manually add extra routes via the logical tunnel interface created when connecting to the OpenVPN server, and thus gains the ability to route traffic into any of the company's networks.
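The finding above is a design mistake rather than a bug: a pushed route only tells the client where to send packets, and nothing on the server checks the destination. The following is an added example (not code from the original post or from the audited company) that models the gap and renders the server-side enforcement that was missing. Everything in it is constructed: the tunnel interface name `tun0`, the client tunnel addresses, the `ALLOWED` policy table and the `COMPANY_NETS` list are assumptions for illustration.

```python
"""Added example (not from the original post): pushed split-tunnel routes are a
client-side convenience, not an access control. The server must enforce which
networks each client may reach, independently of the client's routing table.

Assumptions, all constructed for this example: the tunnel interface is "tun0",
each client has a fixed tunnel address (e.g. via a client-config-dir), and the
per-client policy lives in ALLOWED.
"""
import ipaddress

TUN_IF = "tun0"  # assumed tunnel interface name

# Constructed policy: client tunnel address -> networks that client may reach.
ALLOWED = {
    "10.8.0.10": ["192.168.10.0/24"],                     # branch staff: office LAN only
    "10.8.0.20": ["192.168.10.0/24", "192.168.20.0/24"],  # IT: office + server LAN
}

# Constructed list of company networks reachable behind the VPN server.
COMPANY_NETS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def forwarded_without_firewall(dst_ip):
    """Without FORWARD rules the server relays any packet whose destination it
    has a route to. Which routes were pushed to the client is irrelevant once
    the client adds its own, which is the situation described in the report."""
    return _in_any(dst_ip, COMPANY_NETS)


def firewall_forward(client_ip, dst_ip, allowed=ALLOWED):
    """Server-side decision keyed on the client's tunnel address; it does not
    depend on anything the client configured locally. Unknown clients get nothing."""
    return _in_any(dst_ip, allowed.get(client_ip, []))


def exposure(client_ip, allowed=ALLOWED):
    """Company networks this client can reach today (no firewall) that the
    policy would block: the gap the audit pointed out."""
    gap = []
    for net in COMPANY_NETS:
        probe = str(ipaddress.ip_network(net)[1])  # first host in the network
        if forwarded_without_firewall(probe) and not firewall_forward(client_ip, probe, allowed):
            gap.append(net)
    return gap


def iptables_rules(allowed=ALLOWED, tun=TUN_IF):
    """Render the same policy as iptables FORWARD rules: explicit allows per
    client, return traffic back into the tunnel, then drop the rest coming in
    from the tunnel. Returned as strings so they can be reviewed before use."""
    rules = []
    for client, nets in allowed.items():
        for net in nets:
            rules.append(f"iptables -A FORWARD -i {tun} -s {client} -d {net} "
                         f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
    rules.append(f"iptables -A FORWARD -o {tun} "
                 f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {tun} -j DROP")
    return rules


if __name__ == "__main__":
    for client in ("10.8.0.10", "10.8.0.20", "10.8.0.99"):
        print(client, "exposed to:", exposure(client))
    print("\n".join(iptables_rules()))
```

The rules are keyed on the client's tunnel source address, which only works if every client gets a fixed address the server itself assigns; with dynamic pool addresses the same policy has to be expressed per group (one tunnel subnet per connection port, say) rather than per client.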

Traffic from users and servers at all sites goes to and from the Internet via routers, without being checked and inspected by modern firewalls and intrusion prevention systems. In most cases this traffic is also either unrestricted or almost unrestricted. As a result, the company's devices, applications and data are practically unprotected against a range of attacks: attacks exploiting application and operating system vulnerabilities, DoS and DDoS attacks on the company's servers, applications and active network equipment, attacks on users' data by viruses and network worms, and so on. All company traffic to or from public networks, as well as traffic between the company's sites and traffic between the company and its partners, should be restricted and inspected by latest-generation firewalls and intrusion prevention systems. Given the high cost of such solutions, it is advisable to use a centralized pair of devices (for fault tolerance) in the central office and route traffic from all sites to the Internet and to other company sites through these devices.

How the audit went


Stage one. I sent the customer questionnaires and asked them to fill them out before I started. The questionnaires were Word documents and Excel spreadsheets; the amount of information depended on the object. For some equipment there was a lot of information, for some nothing at all. Filling out such questionnaires is standard procedure: they list IP addresses, the number of servers, where, what and how, and so on.

Not all of the IT people involved in configuring the network were full-time employees of the customer; there was also outsourced support. OpenVPN, for instance, had been configured by an external engineer. I asked him for remote access and the configuration files. No particular problems there. I received the information over the course of a week and then connected to the equipment. If I had questions, I resolved them with the local administrator. Several sections of the Linux configurations came up repeatedly, and to make sense of them I had to bring in colleagues. These were traces of that mythical admin who had set everything running like clockwork years ago.

In the second stage I requested the configuration of the proxy server and the OpenSSL VPN server, which I then analyzed. That took about another week.

Stage three. I climbed onto every piece of "iron" and looked. This is an optional procedure in an audit like this. In principle everything should be in the configuration file. However, there are things you can't see that easily. Some of the hardware was switched off, and some of the documents sent showed default settings rather than the actual ones. Nobody kept a list of these settings; they are not recorded anywhere. So it was better to check everything by hand. Which I did. Every interface on equipment from any vendor keeps statistics of received and sent traffic. If the statistics are zero, it is clear that the equipment is not used and can be turned off. There were also interfaces whose counters were not zero but with nothing connected to them. I reset the traffic counters and checked whether the byte count on the interface grew or not. If nothing passed through an interface in two weeks, a preliminary conclusion can be drawn that it is not in use.
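The two-snapshot counter check described above is easy to get wrong on real hardware, because a counter that goes down between readings can mean either a 32-bit wrap on a busy port or a counter that somebody cleared, and a stale non-zero counter looks "used" until you compare it against a second reading. The following is an added example (not the author's script, nor anything from the audited company) that applies the check to two constructed snapshots taken two weeks apart, in the shape of per-interface in/out byte counters as one would collect them from IF-MIB or a "show interfaces" dump. The interface names, byte values and the 32-bit counter width are assumptions.

```python
"""Added example (not from the original post): classify interfaces as active,
unused or never-used from two counter snapshots, handling counter wrap and
counter reset. Snapshots and interface names are constructed for this example.
"""
import csv
import io

# Assumption: 32-bit octet counters, as with ifInOctets/ifOutOctets on older gear.
COUNTER_MAX = 2 ** 32

# Constructed snapshots, two weeks apart: interface, received bytes, sent bytes.
SNAPSHOT_DAY0 = """\
ifname,rx_bytes,tx_bytes
Gi0/1,4294000000,120000
Gi0/2,0,0
Gi0/3,5812000,5812000
Gi0/4,917331,4410
"""
SNAPSHOT_DAY14 = """\
ifname,rx_bytes,tx_bytes
Gi0/1,3000000,130000
Gi0/2,0,0
Gi0/3,5812000,5812000
Gi0/4,1200,30
"""


def parse_snapshot(text):
    """CSV text -> {ifname: (rx_bytes, tx_bytes)}."""
    return {row["ifname"]: (int(row["rx_bytes"]), int(row["tx_bytes"]))
            for row in csv.DictReader(io.StringIO(text))}


def counter_delta(before, after, counter_max=COUNTER_MAX):
    """Bytes moved between two readings, with a note on what happened.
    A decrease near the top of the counter range is treated as a wrap;
    a decrease elsewhere is treated as a cleared counter, in which case the
    current reading is a lower bound for traffic since the clear (heuristic)."""
    if after >= before:
        return after - before, "ok"
    if before > counter_max // 2:
        return after + (counter_max - before), "wrapped"
    return after, "reset"


def classify(before, after):
    """{ifname: (status, total_bytes_moved, notes)} for every interface seen."""
    report = {}
    for name in sorted(set(before) | set(after)):
        if name not in before or name not in after:
            report[name] = ("changed", 0, "present in only one snapshot")
            continue
        rx_d, rx_note = counter_delta(before[name][0], after[name][0])
        tx_d, tx_note = counter_delta(before[name][1], after[name][1])
        total = rx_d + tx_d
        if total == 0:
            # Stale non-zero counters with no growth: the case the audit found.
            status = "never-used" if after[name] == (0, 0) else "unused"
        else:
            status = "active"
        notes = ",".join(sorted({rx_note, tx_note} - {"ok"})) or "ok"
        report[name] = (status, total, notes)
    return report


def candidates_to_disable(report):
    """Interfaces that moved no bytes in the observation window."""
    return [name for name, (status, _, _) in report.items()
            if status in ("unused", "never-used")]


if __name__ == "__main__":
    rep = classify(parse_snapshot(SNAPSHOT_DAY0), parse_snapshot(SNAPSHOT_DAY14))
    for name, (status, total, notes) in rep.items():
        print(f"{name:8} {status:10} {total:>12} bytes  ({notes})")
    print("disable candidates:", candidates_to_disable(rep))
```

If, like the author, you clear the counters at the start of the window, every non-zero interface will show up as "reset" on the first comparison; that is expected, and only the byte total matters. A zero delta over two weeks is still a preliminary result, as the text says: a port that carries quarterly traffic, or a standby link, passes this test and needs a longer window or a check of link state and CDP/LLDP neighbours before it is shut down.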

I also looked at which protocols were in use and how authentication was configured. I did a full audit of each piece of hardware: remote access protocols, protocol settings, authentication, authorization, whether interfaces were up or down, NAT, Wi-Fi, everything. Access lists on the routers are very important. Either there were none, or they were very basic. That took three weeks including writing up the reports. And yes, I also checked the OS and firmware versions: can it be upgraded to get more modern functionality, is there a suitable version?

Stage four: I aggregated the information and made recommendations for each piece of hardware.

How did they survive?


Most likely, on the Elusive Joe principle. 5 years of luck ended with a break-in that became known. Much more interesting: how, in the past five years, did they not pick up another epidemic of ransomware lockers, catch miners, or suffer a random DDoS that would have "flattened" them?

In general, I can say that small companies (especially in various industries in remote regions) live this way. Even some small private banks sometimes work this way; colleagues have told such stories. But for a company of this size and with this turnover it is very strange. Basically, all their competitors must be gentlemen, not to have taken their infrastructure down with one hand tied behind their back.

How the story ended


They are buying modern enterprise equipment again. There will be a pair of firewalls, new and more capable routers, and proper settings and rules for allowed traffic. Internet access will be routed through the main server node for the whole country, because the pair of firewalls is only there. They have already closed all unused ports and updated the settings in general, and updated firmware where possible.

The new switches will have centralized authentication, logging and separation of management rights between users. Support will finally have separate accounts; right now they all work under one. If someone pulled the config and rebooted a device now, nobody would know who did it.

After that they will slowly save up for DLP and other features.

Links


Source: https://habr.com/ru/post/352044/
