Periodic boundary vulnerability testing is critical for any company that is serious about network security assessment. Some attacks are initiated internally, and many come from outside the company. This means that the company must be able to verify its boundary devices, ensure that systems are patched in a timely manner, and keep them up to date. Boundary tests typically include network scanning, intrusion detection system (IDS) and intrusion prevention system (IPS) testing, firewall testing, and honeypot deployment and testing.
Network scanning is the first activity that a penetration test should perform. After all, you should try to examine the network from an attacker's point of view. Your view of the network is from the inside out, but the attacker's perspective is different. Performing a boundary scan can help you determine the operating system and patch level of boundary devices, whether the devices are accessible from outside the network, and whether there are vulnerabilities in SSL and Transport Layer Security (TLS) certificates. In addition, network scanning helps determine whether an accessible device is adequately protected against vulnerabilities exposed after the device is deployed. Nmap is a free, open source security scanning tool that can be used to monitor the network; it supports a wide variety of switches for discovering open ports, services, and operating systems.
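As an added example (not part of the original article), the following Python code parses Nmap's grepable output (-oG) from an external boundary scan and reports open ports that are missing from an approved-exposure baseline. The sample scan lines, the 192.0.2.0/24 addresses, and the APPROVED baseline are constructed for illustration.

```python
import re

# Constructed sample of Nmap grepable output (-oG) from an external scan.
# Addresses are from the documentation range 192.0.2.0/24.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (gw.example.test)\tStatus: Up
Host: 192.0.2.10 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.0.2.20 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 3389/open/tcp//ms-wbt-server///
"""

# Hypothetical baseline: services approved to be reachable from outside.
APPROVED = {"192.0.2.10": {(443, "tcp")}, "192.0.2.20": {(25, "tcp")}}

HOST_RE = re.compile(r"^Host: (\S+) .*?\tPorts: ([^\t]*)")

def parse_open_ports(grepable):
    """Return {host: {(port, proto): version_or_service}} for open ports."""
    found = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        host, ports = m.groups()
        for entry in ports.split(","):
            # Entry layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue  # skip closed/filtered ports and malformed entries
            label = fields[6] or fields[4] or "unknown"
            found.setdefault(host, {})[(int(fields[0]), fields[2])] = label
    return found

def unexpected_exposure(grepable, approved):
    """List (host, port, proto, label) open externally but not in the baseline."""
    out = []
    for host, ports in parse_open_ports(grepable).items():
        for (port, proto), label in sorted(ports.items()):
            if (port, proto) not in approved.get(host, set()):
                out.append((host, port, proto, label))
    return out

if __name__ == "__main__":
    for host, port, proto, label in unexpected_exposure(SAMPLE_SCAN, APPROVED):
        print(f"{host} {port}/{proto} exposed outside baseline: {label}")
```

The version label captured for each finding (for example the SSH version string) is what lets you compare the patch level seen from outside against your patch records.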
Deploying an IDS and IPS is another way to detect malicious software activity. Most companies deploy an IDS or IPS at the network boundary, but there is still controversy over how effective these devices are against attacks. There are a number of ways to test an IDS and IPS, including:
• Insertion attacks. In this form of attack, the attacker sends packets that the end system rejects but that the IDS considers valid. When this attack occurs, the attacker inserts data into the IDS that other systems do not see.
• Evasion attacks. This method allows an attacker to cause the IDS to reject packets that the end system accepts.
• Denial-of-service attacks. In this attack, the attacker sends a large amount of data to the IDS so that it completely loses its processing capacity. This flooding approach may allow malicious traffic to slip past the defenses.
• False alarms. Remember the boy who cried wolf? This attack intentionally generates a large amount of alert data. These false alarms interfere with analysis and prevent the defensive device from singling out the real attack.
• Obfuscation. An IDS must check all forms of malware signatures. To confuse the IDS, an attacker could encode, encrypt, or split traffic to hide their identity.
• Desynchronization. Methods such as synchronizing before and after the connection can be used to hide malicious traffic.
A firewall is another common boundary device that can be used to control inbound and outbound traffic. Firewalls can be stateful or stateless and can be tested in a variety of ways. Common test methods include the following:
• Firewall identification. Open ports may be useful for determining the specific firewall technology used.
• Determine whether the firewall is stateful or stateless. Some simple techniques, such as ACK scans, can help determine the type of firewall.
• Banner grabbing from firewalls. Although this method is not always effective, some older firewalls may actually include version information in their banners.
Finally, there are honeypots. These devices can be used to trap or "jail" attackers, or to learn more about their activities. Honeypots fall into two types: low-interaction and high-interaction. A honeypot can be detected by observing its functionality. A good low-interaction honeypot is netcat, a network tool that can read and write data transmitted over a network connection.
Running nc -v -l -p 80 opens a listening port on TCP 80, but further probing does not return a banner. A high-interaction honeypot not only returns an open port, but also returns the current banner, which makes it more difficult for an attacker to determine whether it is a real system or a honeypot.
Although I've introduced several ways to let you see what the attacker sees at the network boundary, it's important to note that many attackers can bypass boundary devices and controls from the inside out. If an attacker can get an end user to install a tool inside the network, for example by clicking on a link or visiting a malicious website, the attacker can tunnel traffic from the inside out, which is inherently easier than doing so from the outside in.