NIST Special Publication 800-42 DRAFT Guideline on Network Security Testing Recommendations of the National Institute of Standards and Technology John Wack, Miles Tracey C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Phillip J. Bond, Under Secretary for Technology National Institute of Standards and Technology Arden L. Bement, Jr., Director ii DRAFT GUIDE TO NETWORK SELF-TEST Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-42 Natl. Inst. Stand. Technol. Spec. Publ. 800-42, XX pages (Feb. 2002) CODEN: XXXXX Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or con cept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Stan- dards and Technology, nor is it intended to imply th at the entities, materials, or equipment are necessarily the best available for the purpose. U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 2001 For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov — Phone: (202) 512-1800 — Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 ii DRAFT GUIDE TO NETWORK SELF-TEST Acknowledgements The authors, John Wack of NIST and Miles Tracy of Booz, Allen, and Hamilton (BAH), wish to acknowledge staff at NIST and BAH who reviewed drafts of this publication and made substantial improvements to its quality, including Murugiah Souppaya, Timothy Grance, and Peter Mell. iii DRAFT GUIDE TO NETWORK SELF-TEST iv DRAFT GUIDE TO NETWORK SELF-TEST Table Of Contents 1. Introduction........................................................................................................................... 3 1.1. Purpose and Scope..........................................................................................................3 1.2. Definitions....................................................................................................................... 4 1.3. Audience ......................................................................................................................... 5 1.4. Document Organization ................................................................................................. 5 2. Security Testing and the System Development Life Cycle............................................. 7 2.1. Why Test? ....................................................................................................................... 7 2.2. Life cycle......................................................................................................................... 7 2.3. Documentation................................................................................................................ 9 2.4. Security Management Staff............................................................................................ 9 3. Security Testing Techniques............................................................................................. 11 3.1. Network Mapping......................................................................................................... 11 3.2. Vulnerability Scanning................................................................................................. 13 3.3. Penetration Testing....................................................................................................... 16 3.4. Security Test and Evaluation ....................................................................................... 21 3.5. Password Cracking....................................................................................................... 22 3.6. Log Reviews ................................................................................................................. 23 3.7. File Integrity Checkers ................................................................................................. 24 3.8. Virus Detectors ............................................................................................................. 25 3.9. War Dialing................................................................................................................... 26 3.10. Summary Comparisons of Network testing Techniques.......................................... 27 4. Prioritizing Security Testing............................................................................................. 31 A. Terminology................................................................................................................... 35 B. References ......................................................................................................................37 C. Common Testing Tools ................................................................................................ 39 C.1. File Integrity Checkers................................................................................................. 39 C.2. Network Sniffers.......................................................................................................... 39 C.3. Password Crackers....................................................................................................... 40 C.4. Privilege Escalation and Back Door Tools................................................................. 40 C.5. Scanning and Enumeration Tools ............................................................................... 41 C.6. Vulnerability Scanning Tools...................................................................................... 42 v DRAFT GUIDE TO NETWORK SELF-TEST C.7. War Dialing Tools ....................................................................................................... 43 D. Example Usage Of Common Testing Tools .............................................................. 44 D.1. Using Nmap Port Scanner........................................................................................... 44 D.2. Using L0pht Crack ...................................................................................................... 50 D.3. Using LANguard File Integrity Checker.................................................................... 51 D.4. Using Tripwire.............................................................................................................53 D.5. Snort ............................................................................................................................. 57 List Of Tables Table 3.1- Comparison of Testing Procedures........................................................................ 29 Table 3.2 - Summarized Evaluation Factors ........................................................................... 30 List Of Figures Figure 2.1 - Security Testing and the System Development Life Cycle.................................. 8 Figure 3.1 - Four-Stage Penetration Testing Methodology.................................................... 18 Figure 3.2 - Attack Phase Steps with Loopback to Discovery Phase .................................... 19 vi DRAFT GUIDE TO NETWORK SELF-TEST Executive Summary Network security testing should be integrated into an organization’s security program to evaluate system security mechanisms and validate that systems are operating according to the organization’s security policies and system security requirements. To maximize their usefulness and ensure that they are affordable, organizations should prioritize network test- ing activities according to system criticality, testing costs, and the benefits that testing will provide. Organizations can use a prioritization process, described in this document, to de- termine minimum required sets of tests and appropriate frequencies for these tests Routine testing of networks can greatly reduce the chances of a network compromise by helping to ensure that critical systems, e.g., firewalls, routers, servers, are configured, main- tained, and operated according to the organization's security policy. Exploitation of a sys- tem could have a costly impact on an organization’s operations. Network testing can be a valuable and cost effective measure of protecting a network and preventing costly compro- mise. 1 DRAFT GUIDE TO NETWORK SELF-TEST 2 DRAFT GUIDE TO NETWORK SELF-TEST 1. Introduction The Internet has interconnected the world and produced many benefits. It is now possible to share ideas and resources instantaneously