
Before you start to map the network, there are a few preliminary tasks that will help ensure success. Most organizations will not have all of these initially, and not all will apply. Starting this process will allow you to see what you have and what is missing. These are:

1. Determine the scope. What is it that you are planning to test?
   a. Individual networks
   b. A subnet range
   c. The entire network
   d. VPN and remote sites

2. Determine the risk. Have any previous assessments been completed?

3. Detail what your uptime requirements are. How long can the organization afford to be out of action in the event of:
   a. A non-critical single component failure,
   b. A critical single component failure, and
   c. Total systems failure.

4. Collect the system and network design documentation. This can be broken down into the following components.
   a. System Logical/Infrastructure Diagram. This is a diagram showing the components of the system in enough detail to support the Concept of Operations document.
   b. Concept of Operations documents for systems. This document details the purpose of each system (what is the purpose of the system, what does it do/provide?), including:
      i. How it fulfills that purpose (how does it tick?)
      ii. Component dependencies on other components (what parts of the system does it rely on?)
      iii. Other parts of the system: what do they rely on it for, and how?

5. List of Mandatory Requirements
   a. This component should detail exactly what mandatory requirements the organization is required by legislation to meet. Attach copies of the relevant parts of the legislation.
   b. This should also show, in a matrix, how you have met each regulation, in enough detail that there is no doubt that all requirements have been met and how.

6. Risk Based Requirements
   a. This should be a map of the prioritized countermeasures mapped out to the risks identified in the Risk Assessment, with specific reference to those countermeasures designed to counter the specific risks.

7. List of Critical Configurations
   a. These are the critical configurations that should be checked or changed on a regular basis to ensure the integrity of the system. It may include:
   b. firewall configuration (rule-sets, object definitions, filter lists),
   c. proxy server configuration file,
   d. web server configuration,
   e. mail server configuration,
   f. DNS server configuration,
   g. database server configuration,
   h. Finance, Payroll and HR systems and applications,
   i. O/S configuration (system auditing settings, passwords file settings, account profile settings).
   j. The designers should also specify how these configurations/settings can be most efficiently checked on a regular basis.

8. Detailed Configuration Documentation

   a. This document should cover the detailed configurations of each component of the system. For non-security-enforcing devices, it should cover at least the following information for each component:
      i. Hostname
      ii. Network Address
      iii. Function
      iv. O/S Version and Patch Level
      v. Application Configuration Settings
      vi. User Accounts
      vii. Integrity Testing Settings
   b. For security-enforcing devices, it should cover at least the following information for each component:
   c. Hostname
   d. Network Address
   e. Function
   f. O/S Version and Patch Level
   g. Application Configuration Settings
   h. User Accounts
   i. Integrity Testing Settings
   j. Router configuration listings
   k. Firewall:
      i. Rule sets
      ii. Filter listings
      iii. Proxy information
      iv. Object definitions

9. Detailed Network Diagrams. Detailed network diagrams clearly indicating:
   a. Host names of all components,
   b. Network addresses of all components,
   c. Function of all components,
   d. Network addresses of all network segments,
   e. Netmasks of all network segments, and
   f. Any VLANs and VPNs.

10. Policy Documents. Any related policy. This is likely to include an Access Policy.
   a. The access policy should contain at least:
      i. Those services which are allowed to be:
      ii. Externally accessible by anyone,
      iii. Externally accessible by customers,
      iv. Externally accessible by external support providers.
      v. Those services available to all internally connected clients.
   b. Access between internal networks, especially those networks that have different requirements for different levels of security. This should detail those services that are allowed between internal network segments:
      i. Those services to allow on an individual basis.
      ii. Those services available only from the system management segment.
      iii. Those services available only from the systems console.

11. Procedures and Plans
   a. Change Implementation Procedures
   b. Operational Support Procedures
   c. Contingency Plans (something could go wrong during the test)

- Needs to allow, and the services it uses, to be able to conduct business,
- What is the level of security needed to validly conduct business, including that which is permitted, denied, and logged, and
- From where and by whom are connections and services needed.

Any material that is not available can be created as a component of the initial review. In testing services and systems over the network, the end result is an increased understanding of what is running. Do not waste this. Use this to create an understanding of what and why. Most crucially, document this so that it is available next time.
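Item 7 asks the designers to specify how the critical configurations can be efficiently checked on a regular basis. One way to do that is a hash baseline: record a digest of each critical configuration file when it is known-good, then re-check on a schedule and report anything changed, missing or newly present. The script below is an added example, not code from the original text; the file names under the temporary directory are constructed sample data, not a real system's paths.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large rule sets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, critical: list) -> dict:
    """Record the digest of every listed critical configuration that exists under root."""
    return {rel: sha256_of(root / rel) for rel in critical if (root / rel).is_file()}


def check_baseline(root: Path, critical: list, baseline: dict) -> dict:
    """Compare current state with the stored baseline. 'changed' and 'missing' are
    drift in files the baseline knew; 'added' is a listed critical file that did not
    exist when the baseline was taken (so it has never been reviewed)."""
    result = {"changed": [], "missing": [], "added": [], "unchanged": []}
    for rel in critical:
        path = root / rel
        if rel in baseline and not path.is_file():
            result["missing"].append(rel)
        elif rel not in baseline and path.is_file():
            result["added"].append(rel)
        elif rel in baseline:
            key = "unchanged" if sha256_of(path) == baseline[rel] else "changed"
            result[key].append(rel)
    return result


def demo() -> dict:
    """Constructed sample: baseline three configs, then simulate drift before a re-check."""
    critical = ["firewall/rules.conf", "proxy/squid.conf", "dns/named.conf", "web/httpd.conf"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in [("firewall/rules.conf", "allow tcp 443 from any to dmz\n"),
                          ("proxy/squid.conf", "http_port 3128\n"),
                          ("dns/named.conf", "options { recursion no; };\n")]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = build_baseline(root, critical)
        # Simulated drift: firewall rule widened, proxy config gone, web config appears
        (root / "firewall/rules.conf").write_text("allow tcp any from any to dmz\n")
        (root / "proxy/squid.conf").unlink()
        (root / "web").mkdir()
        (root / "web/httpd.conf").write_text("Listen 80\n")
        return check_baseline(root, critical, baseline)
```

In practice the baseline dictionary would be written to a protected location after each approved change, and the check run from a scheduled job on the management segment.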
