Leak Path Discovery
Organizations cannot manage or patch devices that have not been detected. And a lack of network visibility means any number of devices are unknown, leak paths go unchecked, and the environment is likely compromised by policy and segmentation violations.
This application note describes FireMon's end-to-end solution for leak path detection, firewall clean-up, and compliance reporting using Asset Manager Leak Discovery and Security Manager.
Leak Discovery is not intended for use in the cloud. For discovery within cloud environments, use CloudVisibility.
What is a Leak & Leak Discovery
A leak is an unauthorized inbound or outbound connection route to the internet or to sub-networks. A leak goes through the network perimeter or between secure zones. It may take the form of an unsecured forwarding device exposed to the internet, for example, or it could manifest as a forgotten open link to a former business partner.
Leak Discovery is Asset Manager's indirect method of uncovering potential leak paths in a zone. It identifies Layer-3, stateless connections and reports network devices that were reachable via a particular, prohibited port. Leak Discovery is typically used between internal segments of a network to test the defenses of secure zone configurations to ensure enclaves are secure. It is also used to determine if any of the devices on targeted networks have connectivity to the Internet. Leak discovery is capable of spotting leaks in the network infrastructure such as router and firewall configuration issues.
How does Leak Discovery Work?
In Leak Discovery, two Asset Manager devices work together to provide spoofed source addresses for leak testing. This process is performed with all discovered IP addresses to determine which hosts are leaking. Specialized markers are used within the discovery packets to ensure that Scouts identify packets involved in Leak Discovery.
Mobile devices that come onto a network only periodically are nevertheless discovered in Asset Manager's rounds of continuous monitoring. These too are included in the scope of Leak Discovery and continuously monitored for risks.
In the event a device is not reachable after three rescan intervals, Asset Manager designates it as inactive and removes it from the rounds of Leak Discovery collection.
What's the Process?
Leak Discovery is performed as follows:
- A Leak Scout and its attendant collector are positioned within an enclave-of-interest (e.g., inside that zone's firewall). To test for leaks between internal network enclaves, for example, an Asset Manager Command Center would be connected to a Leak Scout deployed inside one of the enclaves.
- Configure Host Discovery and Leak Discovery on Asset Manager and let them run. Leak Discovery leverages Host Discovery insofar as collectors configured to perform Leak Discovery "understand" where to go by ingesting the results of Host Discovery. A leak collector receives its discovery scope from Host Discovery; it does not autonomously target devices. For this reason, both the Host and Leak Discovery tabs are enabled at this point in the process.
- Analyze the results. This involves determining the direct source of any leak paths found, which is often a misconfigured firewall. It also involves validating that the associated forwarding and filtering devices' vulnerabilities are benign in nature and not a violation of your company's security policies.
Communication Considerations
Communication between a Command Center (CC) and a Scout performing Leak Discovery (aka Leak Scout) takes place over an encrypted SSL connection on TCP port 443, as it does for all Asset Manager communications. When the CC needs to communicate with the Scout to deliver an instruction, it creates an HTTPS session over TCP port 443 to the Scout. Once the instruction is executed, the Scout no longer stores the instruction or the data. If there is a firewall between the CC and the Scout, TCP port 443 must be open and return packets must be permitted.
Perimeter Controls and Stateful Inspection
A firewall is designed to block unauthorized network access while permitting authorized communications based on a set of rules and other criteria. Most routers include rudimentary access control lists, which in some cases include simple stateful inspection. These perimeter controls should stop leaks from occurring. In addition, firewalls and routing devices can (and should) be used to examine the correct progression of the state of a connection, especially session establishment. In the context of Leak Discovery, Asset Manager is specifically requesting the devices being tested (e.g., hosts) to "reply." However, firewalls and other devices tracking a packet's state will not have seen a request, and therefore should drop any replies. In the event stateful inspection is off, misconfigured, or unavailable on the routing device, the device will push the reply packet out to the Leak Scout, and this stateless reply will be recorded and returned to the Command Center for reporting. All intermediary devices must cooperate in the communication process to ensure a leak is properly tracked. For example, if a discovery packet is sent to a host and a router is blocking its reply, this host will not be targeted for leak discovery.
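The distinction above, as an added example that is not FireMon's code: a minimal model of a perimeter device in both forms, an ACL with an "established"-style rule that only checks the ACK bit, and a connection-tracking firewall that admits an outbound reply only when it saw the matching inbound request. The packet shorthand, addresses and the `leak_test` scenario are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # constructed shorthand: "S" SYN, "SA" SYN/ACK, "RA" RST/ACK

class EstablishedAcl:
    """Router-style ACL with an 'established' egress rule: it checks only that the
    ACK bit is set and keeps no flow memory, so an unsolicited SYN/ACK qualifies."""
    def observe_ingress(self, p):
        pass  # nothing is remembered
    def egress(self, p):
        return "A" in p.flags

class StatefulFirewall:
    """Connection tracking: an outbound reply is admitted only if the matching inbound
    request (the mirrored 4-tuple) was seen first; otherwise it is an invalid state."""
    def __init__(self):
        self.pending = set()
    def observe_ingress(self, p):
        if p.flags == "S":
            self.pending.add((p.src, p.sport, p.dst, p.dport))
    def egress(self, p):
        if p.flags == "S":
            return True  # a new outbound connection is allowed by policy
        return (p.dst, p.dport, p.src, p.sport) in self.pending

def leak_test(device, probe_seen_by_device):
    """Run one TCP leak probe through a perimeter device and report whether the
    target's reply escapes. probe_seen_by_device=False is the page's scenario: the
    probe, spoofed from the Leak Scout, is injected inside the zone, so the
    perimeter device only ever sees the reply."""
    scout, target = "198.51.100.10", "10.0.0.5"  # constructed addresses
    probe = Packet(scout, 40000, target, 22, "S")
    if probe_seen_by_device:
        device.observe_ingress(probe)
    reply = Packet(target, 22, scout, 40000, "SA")  # SYN/ACK from a listening port
    return device.egress(reply)
```

The stateless ACL lets the unsolicited SYN/ACK out (a leak path), while the stateful device drops it and only passes the reply when it saw the request enter.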
Asset Manager
Asset Manager is a real-time visibility and risk management solution that enables cloud, network, and security teams to find unknown networks, devices, and connections. Through active, passive, and indirect methods, Asset Manager uses a unique, patent-pending technology to recursively discover a network’s state. Customers gain visibility into their entire infrastructure, including cloud instances and assets, and including IPv4/IPv6 connections and devices. Asset Manager provides authoritative data about the network and its devices in real-time, and at a fine level of granularity. It synthesizes device responses, performs analyses to surface risk, and alerts both systems and people with the power to remediate so they can take action immediately.
Asset Manager amplifies the value of asset-, breach-, EDR-, HVM-, alert-, risk- and network-management applications by supplying them with better foundational data. It delivers superior results and superior security intelligence: The broadest reach and most comprehensive network coverage in the industry, authoritative visibility, enterprise-grade user management, and a visual way to grasp the significance of events, trends, security gaps, threats, and misconfigurations. Use it alongside your firewalls and integrate it with your security applications to achieve the full value of your network security ecosystem.
Perform Leak Path Discovery
To perform Leak Path Discovery, do the following:
- Position a Leak Scout and its attendant collector outside your zone of interest (e.g., exterior to that zone's firewall). For example, to test for leaks between internal networks and the Internet, select a Leak Scout that has been placed outside the internal networks' firewalls.
- Configure Host Discovery and Leak Discovery and let them run. Note that Leak Discovery leverages Host Discovery insofar as collectors configured to perform Leak Discovery "understand" where to go by ingesting the results of Host Discovery. A leak collector receives its discovery scope from Host Discovery; it does not autonomously target devices. Therefore, complete both the Host and Leak tabs at this point in the process. If you change the collector interface used in Leak Path indexing, be sure to update the Interface field on the Leak Path tab to display the current correct interface. The Interface field displays the name of the previous interface until you change it.
- Analyze the results. This involves determining the direct source of any leak paths found, which is often a misconfigured firewall. It also involves validating that the associated forwarding and filtering devices' vulnerabilities are benign in nature and not a violation of your company's security policies.
Leak Testing
In the following illustration, Asset Manager identifies leaks in a dual-homed Windows desktop. To elicit all possible responses, the firewall and all packet-forwarding capabilities have been disabled so that response packets are forwarded according to the routing table. On the outbound interface, ensure there are no firewalls restricting egress.
When Leak Path Discovery is configured, the parameters are forwarded to the nominated Leak Scout, and a packet whose source address is spoofed to that of the Leak Scout is sent from the source Scout to the target IP address. If the target's response is received by the Leak Scout, it is reported back to the Command Center via the pre-established SSL link.
Configure Leak Discovery
If you would like to maximize the speed of Leak Path Discovery, consider also configuring Broadcast Discovery (i.e., set all boxes to yes). This has the effect of sending discovered devices immediately into the Leak Discovery process without waiting for the completion of a whole discovery cycle, as it would otherwise do.
Protocol-specific scenarios include:
- ICMP: To ensure that received packets can be associated with the targeted address, the original targeted IP address is carried in the first 8 bytes of the ICMP echo payload.
- UDP High Port, DNS, SNMP: When UDP, DNS, or SNMP Leak Path tests target an unreachable port, the target generates an ICMP unreachable message. These messages carry the first 28 octets of the original packet (the IP header plus 8 bytes), which includes the original targeted address. If the device replies on one of those protocols, the targeted address taken from the payload should match the replying address; a mismatch may indicate unexpected behavior.
- Use Custom TCP Ports: During TCP Leak Path Discovery, a TCP SYN packet is sent to the designated target IP address and port. If this packet reaches a non-listening port, the TCP stack generates a TCP Reset. If the device (or something between it and the Leak Path Scout) is network address translating, Asset Manager will report the IP address for both the targeted and responding IP address. If the device is listening on the targeted port, it will generate a TCP SYN/ACK packet, which will exhibit the same potentially unexpected behavior. This behavior is based on the IP stack and not on any intervening service such as a firewall, which could be configured to detect and drop spoofed packets or silently drop the request.
Users can opt to perform inbound leak path discovery, outbound leak path discovery, or both.
During Leak Path Discovery a single packet is sent per protocol selected (1 per ICMP, 1 per UDP), except for TCP where a reset packet is sent to close a connection when an acknowledgment is received (2 per TCP).
Mobile devices that come onto a network only periodically are discovered in Asset Manager's rounds of continuous monitoring. These mobile devices are then added to Asset Manager's targets for Leak Path Discovery and continuously monitored for vulnerabilities.
In the event a device is not reachable after three rescan intervals, Asset Manager designates it as inactive and removes it from the rounds of Leak Path Discovery collection.