This is the first in a series about the tools available to implement the SANS Top 20 Security Controls. The subsequent parts available now are:
- Part 1 - we look at Inventory of Authorized and Unauthorized Devices.
- Part 2 - we look at Inventory of Authorized and Unauthorized Software.
- Part 3 - we look at Secure Configurations.
- Part 4 - we look at Continuous Vulnerability Assessment and Remediation.
- Part 5 - we look at Malware Defenses.
- Part 6 - we look at Application Security.
- Part 7 - we look at Wireless Access Control.
- Part 8/9 - we look at Data Recovery and Security Training.
- Part 10/11 - we look at Secure Configurations for Network Devices such as Firewalls, Routers, and Switches, and Limitation and Control of Network Ports, Protocols and Services.
- Part 12 - we look at Controlled Use of Administrative Privileges.
- Part 13 - we look at Boundary Defense.
- Part 14 - we look at Maintenance, Monitoring and Analysis of Audit Logs.
- Part 15 - we look at Controlled Access Based on the Need to Know.
- Part 16 - we look at Account Monitoring and Control.
- Part 17 - we look at Data Protection.
- Part 18-20 - we look at Incident Response and Pen Testing.
The SANS Top 20 Security Controls are not standards. If you want standards and procedures, check out the NIST 800 series Special Publications (SP).
The controls are recommendations made by leading security experts in information security. Taken directly from SANS, "The Critical Security Controls focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works" - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness." You can read more and view each control here.
This series is an effort to compile a list of tools (free and commercial) that can help an IT administrator comply with the Security Controls. The controls (numbered 1-20) are listed in order of importance. In other words, completing Control 1 reduces threat risk more than completing Control 2. This is in no way meant to be a complete list, therefore I invite you to add tools you find useful in the comments below!
1. Inventory of Authorized and Unauthorized Devices
1-1 - Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization's public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
- Spiceworks - However, it does not do passive scanning, only active.
- AlienVault OSSIM - A bit difficult for new admins starting out. However, this one product meets the requirements of many controls. Inventorying is only a small part.
- OCS Inventory NG - Requires an agent on scanned devices. Supports Windows, Linux and Mac.
- OpenAudIT - Fully open source inventorying and auditing platform. Also offers a framework to produce reports about software licensing, configuration changes, non-authorized devices, etc.
- OpenNMS - Open Network Management System has been around since 1999, and brings with it the maturity of a great inventorying solution. Can automate directed discovery and provisioning, event and notification management, service assurance, and performance measurement.
- While there are many commercial applications out there, I wanted to point you to PWNie Express. It is hardware that finds literally EVERYTHING in, on, around, or near your network. Very thorough. You will pay for the device and yearly access to the web tool.
1-2 - Deploy dynamic host configuration protocol (DHCP) server logging, and utilize a system to improve the asset inventory and help detect unknown systems through this DHCP information.
- Windows - TechNet - This article describes DHCP server log format and events. Using tools like AlienVault OSSIM, you can detect and alert on unusual events.
- Windows DHCP Server Audit Event Tool - Lets admins view all the events generated by the DHCP Server directly in the MMC and manage MAC-based filtering: you can see the list of devices entering your network and remotely add them to the Allow/Deny list without affecting the service.
- Linux DHCP Server Configuration and Logging - CentOS DHCP Server configuration and setup tutorial.
1-3 - Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.
- Refer to tools in section 1-1
1-4 - Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device.
- Refer to tools in section 1-1
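The DHCP logging in 1-2 only pays off once it is compared against the inventory that 1-3 and 1-4 ask you to maintain. The following is an added example of that reconciliation, not code from the original post or from any of the tools listed above. It assumes the Windows DHCP audit log column order described in the TechNet article (ID, Date, Time, Description, IP Address, Host Name, MAC Address) with event IDs 10 and 11 for new and renewed leases, and the ISC dhcpd "DHCPACK on ... to ..." syslog format for the Linux server case; the log lines and the inventory are constructed for the demonstration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Lease-assignment event IDs from the documented Windows DHCP audit log format.
WINDOWS_LEASE_EVENTS = {"10": "new lease", "11": "renewed lease"}
# ISC dhcpd syslog line: "DHCPACK on 10.0.0.23 to aa:bb:cc:dd:ee:ff (host) via eth0"
ISC_ACK_RE = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
                        r"(?: \((?P<host>[^)]*)\))? via ")

@dataclass
class LeaseEvent:
    ip: str
    mac: str        # normalized: lowercase, colon-separated
    hostname: str
    kind: str

@dataclass
class Asset:
    hostname: str
    owner: str
    department: str
    purpose: str
    addresses_seen: set[str] = field(default_factory=set)

def normalize_mac(raw: str) -> str:
    """Accept '001A2B3C4D5E', '00-1A-2B-3C-4D-5E' or 'aa:bb:...' -> 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_windows_audit_log(text: str) -> list[LeaseEvent]:
    """Columns: ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
    Header lines and non-lease events (start/stop, release, expiry) are skipped."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7 or fields[0] not in WINDOWS_LEASE_EVENTS:
            continue
        events.append(LeaseEvent(ip=fields[4], hostname=fields[5],
                                 mac=normalize_mac(fields[6]),
                                 kind=WINDOWS_LEASE_EVENTS[fields[0]]))
    return events

def parse_isc_syslog(text: str) -> list[LeaseEvent]:
    """DHCPACK lines from ISC dhcpd syslog output (the Linux DHCP server case)."""
    events = []
    for line in text.splitlines():
        m = ISC_ACK_RE.search(line)
        if m:
            events.append(LeaseEvent(ip=m["ip"], mac=normalize_mac(m["mac"]),
                                     hostname=m["host"] or "", kind="DHCPACK"))
    return events

def reconcile(events: list[LeaseEvent], inventory: dict[str, Asset]) -> list[LeaseEvent]:
    """Record observed addresses on known assets; return events from MACs not in inventory."""
    unknown = []
    for ev in events:
        asset = inventory.get(ev.mac)
        if asset is None:
            unknown.append(ev)
        else:
            asset.addresses_seen.add(ev.ip)
    return unknown

def unknown_device_report(events, inventory) -> list[str]:
    return [f"UNKNOWN DEVICE mac={e.mac} ip={e.ip} host={e.hostname or '?'} ({e.kind})"
            for e in reconcile(events, inventory)]

# --- Constructed sample data (not real logs) ---
WINDOWS_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/14/15,08:00:01,Started,,,
10,06/14/15,08:02:13,Assign,10.1.20.15,FIN-LAPTOP-07.corp.example,001A2B3C4D5E
11,06/14/15,08:05:40,Renew,10.1.20.31,HR-DESK-03.corp.example,001A2B3C4D60
10,06/14/15,08:09:02,Assign,10.1.20.77,android-9f3a1c,7C1234567890
"""
ISC_LOG = """\
Jun 14 08:12:55 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:61 via eth0
Jun 14 08:12:56 dhcp1 dhcpd: DHCPACK on 10.1.30.10 to 00:1a:2b:3c:4d:61 (lab-pc-02) via eth0
Jun 14 08:13:10 dhcp1 dhcpd: DHCPACK on 10.1.30.44 to b8:27:eb:aa:bb:cc via eth0
"""

def sample_inventory() -> dict[str, Asset]:
    """Authorized assets keyed by MAC, carrying the fields control 1-4 asks for."""
    return {
        "00:1a:2b:3c:4d:5e": Asset("FIN-LAPTOP-07", "J. Doe", "Finance", "workstation"),
        "00:1a:2b:3c:4d:60": Asset("HR-DESK-03", "A. Smith", "HR", "workstation"),
        "00:1a:2b:3c:4d:61": Asset("lab-pc-02", "IT", "IT", "lab test machine"),
    }

if __name__ == "__main__":
    inventory = sample_inventory()
    events = parse_windows_audit_log(WINDOWS_LOG) + parse_isc_syslog(ISC_LOG)
    print("\n".join(unknown_device_report(events, inventory)))
    for mac, asset in inventory.items():
        print(f"{asset.hostname:<14} {mac}  seen at {sorted(asset.addresses_seen)}")
```

Keying the inventory on MAC address is deliberate: it is the one identifier present in every DHCP lease event, whereas hostnames are client-supplied and addresses change. The report lines are the input you would feed to a SIEM such as OSSIM or turn into a ticket for the asset owner; the Android handset and the unnamed device in the sample are exactly the cases this control wants surfaced.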
1-5 - Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
- Windows NPS Server Role - Technical knowledge requirement = HIGH. Rate of return for securing devices if deployed correctly = HIGH. Requires server, switch, firewall, DHCP, DNS, workstation and WAP configuration. Just beware that NAP is deprecated in Windows 10, so you will need a third-party NAP client.
- FreeRADIUS & 802.1x - How to set up 802.1x with FreeRADIUS. Just know that Windows, Linux, and Mac ship with their own supplicant. No need for a third-party one.
- SANS guide to deploying 802.1x - Though Cisco is not free, if you already have Cisco switches, this guide can help you become compliant.
- Group Policy for Wireless 802.1x and Group Policy for Wired 802.1x.
1-6 - Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access.
- PacketFence - Flagship of open source Network Access Control (NAC). Fully featured, and well documented.
- OpenNAC (https://sourceforge.net/projects/opennac/) - Open source network access control that provides secure access for LAN/WAN. Allows flexible, rule-based access policies. It works with a wide range of clients (Windows, Mac, Linux, others...) and network devices (Cisco, Alcatel, Extreme Networks and 3Com). It is based on well-proven open source components like FreeRADIUS...
- Aruba ClearPass - Offers health checks before authenticating supplicants to your network. This is for wired and wireless networks.
- Forescout - CounterACT gives real-time visibility to users, devices, operating systems and applications that are connected to the network. CounterACT incorporates a comprehensive, high performance host interrogation engine and provides an abundance of information about what is on that network. Forescout was ranked a Leader in the Gartner Magic Quadrant for NAC in 2014.
1-7 - Utilize client certificates to validate and authenticate systems prior to connecting to the private network.
If you implement NAC/802.1x, you will already do so using certificates.
Stay tuned for further installments in this series!
About the Author:
Rich Johnson is currently a Systems Security Administrator with 15 years of professional experience working in IT (more if you count the years programming in BASIC on the Commodore 64 and repairing Nintendo consoles as a child). Rich has a bachelor's degree in Information Technology, but feels his real knowledge has been gained through hands-on experience, exploring security tools, and attending various security conventions. Rich currently resides in Utah and is probably learning some new interesting thing at this moment.