A Network Segregation Test is a series of passive and active tests which identify poor network isolation between adjacent networks on a firewall or VLAN-segregated network.
Poorly configured firewall rules, or vulnerabilities in devices that span multiple sections of your network, can give an attacker a way to pivot between networks that were designed to be isolated. Depending on the networks in use, this can present a significant risk to an organisation, allowing an attack to move across the network between trusted and untrusted segments.
Network Segregation is required by PCI-DSS and is also a recommended control under ISO 27001. It also plays an important role in an organisation's defence against ransomware.
Methodology
Using a combination of automated and manual testing, a series of tests are conducted which are designed to exploit known vulnerabilities or configuration weaknesses that are common in firewalls, network switches or “multi-homed” servers which connect to more than one segment of the network.
The following tests are included as part of the overall test methodology:
Active Firewall Rule Assessment
An automated port scan is conducted from each network against a SecureTeam network device which has been installed in the adjacent network(s). The network device is configured to listen on all TCP and UDP ports; therefore, any network ports that are returned as ‘open’ on the port scan indicate that segregation is not in place and the test identifies the network ports that are being permitted through the firewall or VLAN.
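The following is an added worked example, not SecureTeam's own tooling: it takes the kind of port-scan result described above (here a constructed nmap grepable-format sample) and compares the ports that reached the listener against an assumed policy of what the firewall is meant to permit between two zones. Every port that answered but has no policy entry is a segregation gap. The zone names, addresses and policy are assumptions for the example.

```python
"""Added example: evaluate port-scan results against an expected segregation policy.
The scan output, zones and policy below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed nmap grepable (-oG) output, as if scanned from the 'corporate' network
# against a listener in the 'cardholder' network that answers on every TCP port.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.20.0.5 ()\tStatus: Up
Host: 10.20.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65531)
# Nmap done (constructed sample)
"""

# Assumed policy: (source zone, destination zone) -> ports the firewall is meant to permit.
POLICY = {
    ("corporate", "cardholder"): {(443, "tcp")},
}

# Assumed mapping of listener addresses to the zone they were installed in.
ZONES = {"10.20.0.5": "cardholder"}

# One grepable port entry looks like "22/open/tcp//ssh///"
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def parse_grepable(text):
    """Return {host: set of (port, proto)} for every port nmap reported as open."""
    result = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = re.match(r"Host: (\S+)", line).group(1)
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # status-only line, no port data
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                result[host].add((int(port), proto))
    return dict(result)


def segregation_gaps(scan_text, source_zone, policy=POLICY, zones=ZONES):
    """Return (host, port, proto) tuples that crossed the boundary without a policy entry."""
    gaps = []
    for host, open_ports in parse_grepable(scan_text).items():
        allowed = policy.get((source_zone, zones.get(host)), set())
        for port, proto in sorted(open_ports):
            if (port, proto) not in allowed:
                gaps.append((host, port, proto))
    return gaps


if __name__ == "__main__":
    for host, port, proto in segregation_gaps(SCAN_OUTPUT, "corporate"):
        print(f"segregation gap: corporate -> {host} {port}/{proto} reachable but not in policy")
```

Because the listener answers on every port, the interesting output is the difference between the scan and the policy rather than the scan alone; feeding the same scan through with the policy set empty turns the script into a plain "what crosses the boundary" inventory.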
Network Traffic Capture
During the assessment, network traffic is passively captured from all networks to identify if any broadcast or multicast network traffic is being ‘leaked’ through the firewall. If firewalls have not been configured to allow complete network isolation, it is possible that broadcast traffic may be passed through the firewall, which could allow an attacker to get useful information such as the hostnames or IP address ranges in use.
Checks are also made for any network protocols (such as Cisco Discovery Protocol (CDP) or VLAN Trunking Protocol (VTP)) which may assist an attacker in identifying useful VLAN information, such as VLAN tags or management IP addresses of network switches.
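As an added example (not SecureTeam's capture tooling), the script below shows the kind of classification a passive capture from one segment is analysed with: it parses raw Ethernet frames and flags CDP/VTP/DTP announcements (identified by the Cisco SNAP protocol ids 0x2000, 0x2003 and 0x2004 under OUI 00:00:0C), ARP requests whose sender address lies outside the local subnet, and IPv4 broadcasts sourced from a foreign subnet, all of which point to broadcast or discovery traffic leaking across the boundary. The frames, MAC addresses and subnets are constructed samples.

```python
"""Added example: classify captured Ethernet frames for cross-boundary leakage.
The capture below is built from constructed byte strings, not real traffic."""
import ipaddress
import struct

BROADCAST = b"\xff" * 6
CISCO_MCAST = "01:00:0c:cc:cc:cc"                                 # destination used by CDP/VTP/DTP
CISCO_SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}  # SNAP protocol ids under OUI 00:00:0C


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def classify_frame(frame, local_subnet):
    """Return a finding dict if the frame reveals traffic from beyond the local segment, else None."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    to_group = dst == BROADCAST or bool(dst[0] & 1)  # broadcast or multicast destination
    if ethertype <= 1500:
        # 802.3 length field, then LLC/SNAP: AA AA 03, 3-byte OUI, 2-byte protocol id
        if payload[:6] == b"\xaa\xaa\x03\x00\x00\x0c":
            pid = struct.unpack("!H", payload[6:8])[0]
            if pid in CISCO_SNAP_PIDS:
                return {"kind": CISCO_SNAP_PIDS[pid], "src": mac_str(src)}
    elif ethertype == 0x0806 and len(payload) >= 28:
        sender = ipaddress.ip_address(payload[14:18])  # ARP sender protocol address
        if sender not in local_subnet:
            return {"kind": "foreign-arp", "src": mac_str(src), "ip": str(sender)}
    elif ethertype == 0x0800 and to_group and len(payload) >= 20:
        sender = ipaddress.ip_address(payload[12:16])  # IPv4 source address
        if sender not in local_subnet:
            return {"kind": "foreign-ip-broadcast", "src": mac_str(src), "ip": str(sender)}
    return None


def leakage_report(frames, local_subnet):
    """Findings for every frame that indicates leakage, in capture order."""
    return [f for f in (classify_frame(fr, local_subnet) for fr in frames) if f]


# --- constructed sample capture -------------------------------------------
def eth(dst, src, type_or_len, payload):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", type_or_len) + payload


def cisco_snap(pid, body=b"\x02\xb4\x00\x00"):
    p = b"\xaa\xaa\x03\x00\x00\x0c" + struct.pack("!H", pid) + body
    return eth(CISCO_MCAST, "00:11:22:33:44:55", len(p), p)


def arp_request(src_mac, sender_ip, target_ip):
    p = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac_bytes(src_mac)
         + ipaddress.ip_address(sender_ip).packed + b"\x00" * 6
         + ipaddress.ip_address(target_ip).packed)
    return eth("ff:ff:ff:ff:ff:ff", src_mac, 0x0806, p)


def ipv4_broadcast(src_mac, src_ip):
    # Minimal 20-byte IPv4 header (UDP, no options, checksum left zero) plus 8 bytes of body
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                      ipaddress.ip_address(src_ip).packed, b"\xff\xff\xff\xff")
    return eth("ff:ff:ff:ff:ff:ff", src_mac, 0x0800, hdr + b"\x00" * 8)


CAPTURE = [
    cisco_snap(0x2000),                                              # CDP announcement from a switch
    cisco_snap(0x2003),                                              # VTP advertisement
    arp_request("aa:bb:cc:dd:ee:01", "10.99.0.7", "10.99.0.1"),      # ARP from another segment
    arp_request("aa:bb:cc:dd:ee:02", "192.168.1.10", "192.168.1.1"), # ARP from the local segment (benign)
    ipv4_broadcast("aa:bb:cc:dd:ee:03", "10.99.0.7"),                # IPv4 broadcast from another segment
]
LOCAL = ipaddress.ip_network("192.168.1.0/24")  # assumed subnet of the segment being captured on

if __name__ == "__main__":
    for finding in leakage_report(CAPTURE, LOCAL):
        print(finding)
```

The local ARP request is deliberately included so the classifier shows that ordinary broadcast traffic on the segment is not reported; only the sender address being outside the local subnet, or the frame being a switch discovery protocol, produces a finding.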
VLAN Hopping
Attempts will be made to circumvent VLAN segregation in network switches through a process known as ‘VLAN Hopping’. Although ‘VLAN Hopping’ is an attack which is rarely possible these days, misconfigurations in network switches can make it possible for an attacker to access other VLANs that they should not have access to. This could allow the attacker to gain access to other network subnets, with the potential to exploit vulnerable hosts and further their attack.
Vulnerabilities in Multi-Homed Devices
‘Multi-Homed’ devices are devices which contain multiple network interfaces, which may often be connected between adjacent networks. If vulnerabilities are present in the host (such as port forwarding being enabled), it may be possible for an attacker to use the ‘multi-homed’ device as a router and to use it to access hosts on other adjacent networks. During the assessment, specific testing will be conducted to identify hosts that may be ‘multi-homed’ and to identify any exploitable vulnerabilities on them.
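The following is an added example of the host-side check a defender or tester can run on a suspected multi-homed host; it is not SecureTeam's own tooling. It parses the output of `ip -o -4 addr show`, maps each interface address onto an assumed set of zone subnets, and then raises findings when the host touches more than one zone, when `net.ipv4.ip_forward` is enabled (the host can route between zones), and when the `iptables` nat table contains DNAT (port forwarding) rules. All command output, zone names and subnets below are constructed samples.

```python
"""Added example: audit a Linux host for multi-homing across segregated zones.
The command output and zone definitions are constructed for illustration."""
import ipaddress
import re

# Assumed zone definitions for the engagement.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "cardholder": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed output of `ip -o -4 addr show` on the host under review.
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.10.4.12/16 brd 10.10.255.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 10.20.0.9/24 brd 10.20.0.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""
SYSCTL_IP_FORWARD = "1"  # constructed output of `sysctl -n net.ipv4.ip_forward`
# Constructed output of `iptables -t nat -S`: a DNAT rule forwards RDP from eth0 into the host
IPTABLES_NAT = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.20.0.9:3389
"""

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


def zones_per_interface(ip_addr_text, zones=ZONES):
    """Map each interface to the zone its IPv4 address falls in; unmatched interfaces are skipped."""
    out = {}
    for line in ip_addr_text.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        iface, cidr = m.groups()
        addr = ipaddress.ip_interface(cidr).ip
        zone = next((name for name, net in zones.items() if addr in net), None)
        if zone is not None:
            out[iface] = zone
    return out


def audit_host(ip_addr_text, ip_forward, nat_rules, zones=ZONES):
    """Return interfaces, the zones touched, and findings describing how the host bridges them."""
    ifaces = zones_per_interface(ip_addr_text, zones)
    touched = sorted(set(ifaces.values()))
    findings = []
    if len(touched) > 1:
        findings.append("multi-homed across zones: " + ", ".join(touched))
        if ip_forward.strip() == "1":
            findings.append("IP forwarding enabled: host can route between zones")
        for rule in nat_rules.splitlines():
            if "-j DNAT" in rule:
                findings.append("port forwarding rule: " + rule)
    return {"interfaces": ifaces, "zones": touched, "findings": findings}


if __name__ == "__main__":
    result = audit_host(IP_ADDR_OUTPUT, SYSCTL_IP_FORWARD, IPTABLES_NAT)
    for finding in result["findings"]:
        print(finding)
```

Forwarding and NAT are only reported once the host is shown to straddle two zones, because on a single-homed host the same settings do not bridge anything; that keeps the output focused on the configurations that actually undermine segregation.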
Prerequisites
- A signed and completed testing consent form
- An architectural diagram of the network(s)
- List of the IP ranges that are in use within each of the networks to be tested
- Network access to each of the in-scope networks
- A copy of PCI-DSS or ISO 27001 scope documents (if applicable), so we can validate that the segregation matches the certification scope
Deliverables
Engaging with SecureTeam for your Network Segregation test will provide you with the following:
In-flight Support
Prior to your test commencing, our consultant(s) will discuss the scope of work with you, so that a full understanding is obtained of your network configuration. This not only allows the test to run more efficiently, but also allows the discovered vulnerabilities to be rated more accurately in terms of risk.
During the testing phase, our consultant(s) will engage directly with you – notifying you of any critical vulnerabilities that may be present within your application or infrastructure and any evidence in our results that indicates a security breach may have already taken place.
Reporting
Once the project has been completed, you will be provided with the following:
Comprehensive Technical Report
Our clear & concise reporting format contains an Executive Summary that can be understood by all members of your organisation – including individuals who may be in management or non-technical roles. All vulnerabilities are explained to a sufficient level of technical detail, so that your development team and systems administrators can quickly pinpoint the root cause of the vulnerability and apply the recommended course of action.
Technical References
Where applicable, we provide additional reference URLs for each vulnerability, so that further information and mitigation advice can be obtained from reputable sources of technical information.
Risk-Based Approach with CVSS Scoring
A risk-based approach is used throughout the report and all vulnerabilities are scored in line with CVSS (Common Vulnerability Scoring System). This allows the contents of the report to be fed into your own internal risk assessments and allows a plan to be developed to address the vulnerabilities which present the highest risk to your organisation.
Secure & Encrypted Report Delivery
Due to the sensitive content which may be contained in our test reports, all test reports are delivered to our customers through a secure file delivery mechanism. All test reports are encrypted using AES-256 encryption and are secured with a strong, randomly-generated password which is delivered ‘out-of-band’ to you via SMS. The encrypted file is then delivered to you through an encrypted & expiring URL link – allowing you to download the test report securely to your workstation.
After Care
Once our consultancy engagement is complete and our final report has been delivered to you, our consultancy team remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.
We pride ourselves on partnering with our customers to provide ad hoc security advice and to ensure that our engagement with you doesn't simply end once the final report has been delivered.
We are committed to ensuring that you receive the utmost value out of our consultancy services and look forward to developing a long-lasting business relationship with you.
Conference Call
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
A conference call is suitable for both management and technical staff. It provides you with the perfect opportunity to ensure that all vulnerabilities and their recommended course of action are fully understood by stakeholders and by the technical staff who will be tasked with applying the recommended course of action.
Find out more
If you'd like to find out more about our services or would like us to provide you with a quotation, please fill out the following form and one of our team will get in touch with you.