Tuesday, May 19, 2015

The next steps

Now that the Routing and Switching class is over, it's time to get ready for the CCENT.  I'm aiming for that in the next month.  I was aiming for two weeks, but I can get a voucher for half-priced testing, so I'm going to go for the voucher.

That being said, let's go back to network security.

I had an AHA! moment last week on network security, and it leads me to believe a very large vendor does not really provide security updates.  They also have some serious problems with their code.  It's all Apache web server, but it's an unpatched version of Apache that still has some serious vulnerabilities.

About a year ago, or maybe a little less, I realized when we replaced a router, all of our internal vulnerability scans started passing.  It was weird.  But I didn't know what it could have been.  Over the past couple of weeks, I've been working on replacing their router with my own.  After breaking our internal vulnerability scanner for a couple of weeks, our vendor finally fixed the device.

About the same time, we ran into a situation where a location suddenly started showing up as failing when it had been passing.  Thinking back, during the intervening period we had upgraded the site and swapped out the equipment.  At that point, we had swapped out a router.  And suddenly the site started failing scans.

Not suddenly, but it seems like it.  So I started thinking about what could have gone wrong during the upgrade.  Everything is built from standard equipment.  The results are pretty predictable and cookie cutter.  So how did this cookie fall out of the cutter and mess up?  We'd tried a different configuration with the router, and the site ended up failing internal scans.

So, why did this router fail and the other pass?  It's pretty simple: access control lists.  There was an implicit deny on the VLAN with the internal scanner.

Now I know why my scans are all passing.  The door to the scanner is closed.  And the equipment we're dealing with is nowhere near as secure as we thought.  All because of Apache.

It's also the realization that I can fake a passing scan in less than 30 minutes by simply throwing an ACL in every single router we have.  It'd be easy.  I already know the syntax.  Come to think of it, I could make it highly precise, so it wouldn't be something I could automate.
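An added illustration of the point above, not the blog's own code: a small Python check that refuses to count an unreachable host as a passing scan and flags whole subnets where the scanner got no reply at all, which is what a router ACL dropping the scanner VLAN's traffic looks like in the results. The per-host record format and the addresses are constructed for the example.

```python
"""Sanity-check internal vulnerability scan results for the failure mode
described above: an ACL silently dropping the scanner's traffic makes every
host look 'clean'. Treat 'no response' as UNVERIFIED, never as PASS."""
from dataclasses import dataclass


@dataclass
class HostResult:
    ip: str
    reachable: bool   # did the scanner get any reply (ICMP/TCP) at all?
    open_ports: int   # number of open ports the scanner discovered
    findings: int     # number of vulnerabilities reported


# Constructed sample: a simplified per-host summary (ip,state,ports,findings),
# not real scanner output. The 10.1.20.0/24 site answers nothing at all.
SAMPLE = """\
10.1.10.5,up,3,2
10.1.10.6,up,1,0
10.1.20.5,down,0,0
10.1.20.6,down,0,0
10.1.20.7,down,0,0
"""


def parse(text):
    results = []
    for line in text.strip().splitlines():
        ip, state, ports, findings = line.split(",")
        results.append(HostResult(ip, state == "up", int(ports), int(findings)))
    return results


def classify(r):
    # A host the scanner never reached proves nothing about its patch level.
    if not r.reachable or r.open_ports == 0:
        return "UNVERIFIED"
    return "FAIL" if r.findings else "PASS"


def subnet_blind_spots(results, min_hosts=2):
    """Return /24s where every scanned host was unreachable: the signature of
    an ACL or routing change blocking the scanner rather than a clean site."""
    by_net = {}
    for r in results:
        net = ".".join(r.ip.split(".")[:3]) + ".0/24"
        by_net.setdefault(net, []).append(r)
    return sorted(net for net, hosts in by_net.items()
                  if len(hosts) >= min_hosts and not any(h.reachable for h in hosts))


def summarize(results):
    return {c: sum(1 for r in results if classify(r) == c)
            for c in ("PASS", "FAIL", "UNVERIFIED")}


if __name__ == "__main__":
    rs = parse(SAMPLE)
    print(summarize(rs))           # {'PASS': 1, 'FAIL': 1, 'UNVERIFIED': 3}
    print(subnet_blind_spots(rs))  # ['10.1.20.0/24']
```

Any subnet that comes back as a blind spot should be treated as a scanner reachability problem to chase down, not as a site that passed.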

Anyways.

It just pisses me off that a multi-national company can't patch Apache.  Or, that I have to find the holes in their system.

Now, off to figure out Apache on my own so I can ramp up my network base lining and turn all the data I've collected into something usable.

I should probably write an article on that.  It's basically a combination of Java, MySQL, and some Ubuntu cron jobs.
