The three security auditing companies that signed on for this eValuation—Guardent Inc., PricewaterhouseCoopers and SystemExperts Corp.—faced a tough challenge: to lock down the network of a Corporate Partner at a federal agency (who asked not to be named).
This network, which is not described in great detail because of the Corporate Partner's security concerns, included segments running Solaris, Windows NT and NetWare, with SQL databases; commercial document management programs; DNS (Domain Name System)-based Internet access; a Microsoft Corp. Exchange e-mail system; and Web, video and enterprise backup servers installed. Approximately 150,000 users and visitors access the network daily.
The network blueprint also included seven IP networks, four IPX networks, an asynchronous transfer mode switch and two Cisco Systems Inc. routers.
Based on the information available, all three auditors discovered vulnerabilities that could be eliminated using better security practices and new hardware. All three warned that their audits would be incomplete without more information about the company, the nature of its business and its personnel policies. Nevertheless, this eVal gives IT managers an idea of what it means to call in an auditor for customized security.
The auditors' approaches vary, as does their pricing.
Guardent provided a thorough report on the environment with vulnerability assessments and possible solutions in a variety of areas for both internal and external security issues. PWC offered a more integrated strategy, including its related host-based systems to help maintain security over the long term. SystemExperts offered the most expertise for dealing with issues related to networks and policies and emphasized quick turnaround time.
In most cases, cost is a determining factor when hiring a security auditor. Those we evaluated offered various pricing models that match their consulting strategies.
Guardent provides a time line of work and a breakdown of each area that will be assessed. Areas include network and host vulnerability assessment, intrusion assessment, architecture review, enterprise assessment, and report and presentation. Fees can total $150,000 to $225,000, depending on the size of the network.
PWC's fees also depend on what network components must be reviewed. For example, internal and external network penetration testing is $15,000 to $30,000, review of one firewall costs $5,000, and reviews of IDSes (intrusion detection systems) are $5,000 each.
SystemExperts' billing is a two-step process. Signing of a Statement of Work is $10,000, and a Submission of Findings and Recommendations is $35,000. These are fixed prices that exclude optional services and out-of-pocket expenses.
Guardent based its approach to securing the network on both internal and external factors. Internally, Guardent consultants recommended that the client company isolate critical components (routers and virus protection), further segment its network, and install additional intrusion detection and VPNs (virtual private networks).
Additional network segmentation would safeguard the network components such as database servers and PDCs (Primary Domain Controllers).
Segmented security on multiple boxes such as mail servers and firewalls would provide a higher level of security, but it has a downside—the costs of purchasing, installing and managing additional boxes.
The location of the client network's IDS also raised a red flag. Guardent recommended that the IDS be moved from its current location outside the network to a new location on a virtual LAN in a dedicated network segment.
The Guardent consultants suggested installing VPNs that incorporate authentication and encryption of network traffic, implementing the Point-to-Point Protocol and IP Security protocols to ensure that all network traffic was secure. Guardent also discussed using Secure Sockets Layer authentication and encryption to make sure browser-based communication was also secure.
Guardent also pointed out vulnerabilities in the DNS structure (version control and so on) and mail servers (internal and external relay).
To prevent internal attacks and inside hacks, the best approach would be a careful analysis of security policies, which would then be implemented before firewall hardware and software were installed. Guardent also recommended application firewalls inside the network instead of the current internal Internet firewalls.
Unlike the other auditors in this eVal, whose bread and butter is network security, PWC offers a wide variety of other consulting services.
As might be expected, PWC took a holistic approach, emphasizing management of business risk instead of merely finding and filling security holes.
Nevertheless, the vendor's major caveat was that more hands-on testing of the network equipment would be needed to properly assess its security needs.
According to the PWC consultants, the most vulnerable points in the client company's network were firewall and router configuration, and the three IP networks that connect into one firewall were another area of concern. PWC recommended architectural changes to secure these points. Chief among them were additional network intrusion detection hardware, host-based systems, and additional monitoring hardware and software.
Many companies inadvertently put high security on areas where data is of little value, according to PWC consultants, so they recommended determining where high-priority data resides on the network and tailoring high-security measures to these areas.
Although PWC recommended a four-phase strategy for locking down the client company's network, its proposals were less specific than those made by the other auditors.
Phase 1 of the strategy would include a detailed assessment of architecture pertaining to the state of the network. Then the auditor would conduct network penetration testing and assessment of client interaction to determine what security problems existed at this level.
Phase 2 would include developing a risk domain for information. PWC would work with the client company to determine what areas would need a higher level of security. Phase 3 would be an assessment of the internal environment, and Phase 4 would be an evaluation of the external environment.
PWC also offers Enterprise Security Architecture Service, a hosted Web tool that assists in long-term maintenance of the policies and standards that are implemented in the network. PWC was the only auditor to offer this type of service, although Guardent offers defensive services if a network is compromised.
The cost of PWC's solution is determined by the parts of a network that need review. This could get expensive for an extensive audit of a large enterprise network.
SystemExperts' proposal differed from the other two auditors' in several areas. The major difference was that SystemExperts promised a quicker turnaround of its overall network assessment. The auditor's philosophy is that security is an enabler of business, not an impediment. SystemExperts consultants focus on the business requirements that drive the environment and the security that supports it.
eWeek Labs and the Corporate Partners found the SystemExperts reports were more concise than the other auditors', and its lower price made it more attractive than the other two vendors.
According to SystemExperts consultants, the auditor would concentrate on specific areas of the network to achieve tighter security while maintaining the quality, trustworthiness and availability of information networkwide. To accomplish this, SystemExperts would hold in-depth conversations with the client company, then proceed to network testing to determine where security holes exist.
The key network vulnerabilities that SystemExperts found were multiple access points from the Internet and remote users and sites, a network segment switch that sits in the same area as a "demilitarized zone" where database and DNS services are provided (which exposes them to security risks from the Internet), and a VPN where hosted services sit.
In addition, SystemExperts recommended that the company review the configuration of its firewall and routers.
The first step in the SystemExperts process would be to secure traffic to and from the Internet and remote network points. The service network and the internal network segments must also be monitored.
SystemExperts next recommended installing monitors and intrusion detection software on the network segments that are exposed to the Internet.
As installed now, the client company's Net Ranger IDS cannot monitor VPN traffic, and SystemExperts recommended that the system be moved or bolstered with additional security measures. These would include an IDS focused only on Internet traffic and additional application firewalls for internal traffic.
SystemExperts recommended that high-speed connectivity areas and network intrusion detection be complemented with host-based intrusion detection because the network's current in-house IDSes are limited, especially in file integrity checking.
Firewall configuration and failover are also issues in the client company's network, especially in the system's new Cisco Secure PIX firewall.
Single authentication is also a concern, especially authenticating users on the network's unencrypted links. A security breach here would cause big problems.
SystemExperts' recommendations for the interior of the client company's network focused on boosting the security of the domain controller; creating and enforcing policies for employee Internet use; and controlling access to administration consoles, which are the most powerful interfaces used in attacking or corrupting a network from within.
Unlike Guardent and PWC, SystemExperts does not provide hosted services, and there is an additional charge for penetration testing and hands-on analysis.