SANS Critical Control 13: Boundary Defense

As we are getting ready to descend on Vegas for a couple of days for Black Hat / DefCon / BSides, here’s the blog post on SANS Critical Control 13, which deals with Boundary Defenses.

“Boundary defenses” are the security controls aimed at protecting and segregating networks with different degrees of trust. Typical examples of those defenses are firewalls, Intrusion Detection and Prevention Systems, Web Content Filtering, Network Access Control, Routers / Switches, and Proxy Servers.

SANS describes the following steps to be accomplished in order to achieve Control #13:

Step 1: Hardened device configurations applied to production devices

Step 2: Two-factor authentication systems required for administrative access to production devices

Step 3: Production network devices send events to log management and correlation system

Step 4: Network monitoring system analyzes network traffic

Step 5: Network monitoring system sends events to log management and correlation system

Step 6: Outbound traffic passes through and is examined by network proxy devices

Step 7: Network systems scanned for potential weaknesses.
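Steps 3 through 6 only pay off if someone actually looks at the events the boundary devices emit. As an added example (not from the original post or from the vendor's product), the script below audits constructed firewall flow records for Step 6: any allowed outbound web connection from an internal segment that did not originate from the proxy is a bypass worth investigating. The log format, the internal ranges, and the proxy address 10.0.1.10 are assumptions made for illustration; the external addresses are RFC 5737 documentation ranges.

```python
"""Egress audit over constructed firewall flow records (added example).

Checks CSC 13 Step 6: outbound web traffic from internal segments should
pass through the proxy. Direct allowed connections from workstations to
external hosts on web ports indicate either a missing egress rule on the
firewall or a host that is not configured to use the proxy.

Log format, internal ranges and the proxy address are assumed for
illustration; they are not from the original post.
"""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst dport action")

# Assumed trust boundary: these ranges are "inside", everything else is outside.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
PROXY = ipaddress.ip_address("10.0.1.10")   # assumed proxy address
WEB_PORTS = {80, 443}

# Constructed sample firewall log, key=value style. External destinations
# use RFC 5737 documentation ranges so nothing here is a real host.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=10.0.5.23 dst=198.51.100.20 dport=443 action=allow
2024-01-01T10:00:02Z src=10.0.1.10 dst=198.51.100.20 dport=443 action=allow
2024-01-01T10:00:03Z src=10.0.5.24 dst=10.0.1.10 dport=8080 action=allow
2024-01-01T10:00:04Z src=10.0.5.25 dst=198.51.100.7 dport=80 action=deny
2024-01-01T10:00:05Z src=192.168.3.9 dst=203.0.113.5 dport=443 action=allow
"""


def parse_flow(line):
    """Parse one 'ts key=value ...' record into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Flow(
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        int(fields["dport"]),
        fields["action"],
    )


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def proxy_bypasses(log_text):
    """Return allowed internal->external web flows that did not come from the proxy.

    Denied flows are skipped: the firewall did its job there. Internal->internal
    flows (including workstation->proxy) are skipped as well.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.action != "allow":
            continue
        if not is_internal(flow.src) or is_internal(flow.dst):
            continue
        if flow.dport in WEB_PORTS and flow.src != PROXY:
            findings.append(flow)
    return findings


def bypass_counts(log_text):
    """Count bypasses per source host, a useful first pivot for the analyst."""
    return Counter(str(f.src) for f in proxy_bypasses(log_text))


if __name__ == "__main__":
    for src, n in bypass_counts(SAMPLE_LOG).items():
        print(f"{src}: {n} direct outbound web connection(s) bypassing the proxy")
```

The deny on line four is deliberately not reported: it shows the egress rule working, and reporting it would drown the real finding (hosts that reached the Internet directly) in noise. On a production firewall you would feed the same check from the log management system of Steps 3 and 5 rather than from a text file.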

  • Unified VRM can help detect vulnerabilities and misconfigurations in the security controls mentioned above, thus making them stronger.
  • The Unified VRM Configuration Review and XCCDF Scanning module can help detect security misconfigurations in Cisco devices (firewalls, routers, and switches), Solaris, and various other flavors of Linux and Unix.
  • The Unified VRM External and Internal modules can test the strength of passwords on various remote daemons (SSH, Remote Desktop, etc.) to prove the need for two-factor authentication.
  • The Unified VRM platform has a very strong correlation engine built in, correlating vulnerabilities across platforms (network, VoIP, web applications, etc.) belonging to the same hosts.
  • Unified VRM helps scan various network and web applications for network- and application-based vulnerabilities.
  • Unified VRM helps find vulnerabilities in web applications and application proxies which might allow an attacker to escalate privileges.

Again, Unified VRM does not offer defensive security controls capable of blocking ongoing attacks. It is more like your periodic “doctor visit” that is capable of detecting and preventing growing problems in your body.