Leak Discovery is not intended for use in the cloud. For discovery within cloud environments, use CloudVisibility.
What is a Leak & Leak Discovery
A leak is an unauthorized inbound or outbound connection route to the internet or to sub-networks. A leak goes through the network perimeter or between secure zones. It may take the form of an unsecured forwarding device exposed to the internet, for example, or it could manifest as a forgotten open link to a former business partner. Leak paths can be especially hard to detect in cloud environments, where there is less network visibility and fewer security controls.
Leak Discovery is Lumeta's indirect method of uncovering potential leak paths in a zone. It identifies Layer-3, stateless connections and reports network devices that were reachable via a particular, prohibited port. Leak Discovery is typically used between internal segments of a network to test the defenses of secure zone configurations to ensure enclaves are secure. It is also used to determine if any of the devices on targeted networks have connectivity to the Internet. Leak discovery is capable of spotting leaks in the network infrastructure such as router and firewall configuration issues.
How does Leak Discovery Work?
In Leak Discovery, two Lumeta devices work together to provide spoofed source addresses for leak testing. This process is performed with all discovered IP addresses to determine which hosts are leaking. Specialized markers are used within the discovery packets to ensure that Scouts identify packets involved in Leak Discovery.
In the event a device is not reachable after three rescan intervals, Lumeta designates it as inactive and removes it from the rounds of Leak Discovery collection.
What's the Process?
Leak Discovery is performed as follows:
- A Leak Scout and its attendant collector are positioned within an enclave-of-interest (e.g., inside that zone's firewall). To test for leaks between internal network enclaves, for example, a Lumeta Command Center would be connected to a Leak Scout deployed inside one of the enclaves.
- Configure Host Discovery and Leak Discovery on Lumeta and let them run.
Leak Discovery leverages Host Discovery insofar as collectors configured to perform Leak Discovery "understand" where to go by ingesting the results of Host Discovery. A leak collector receives its discovery scope from Host; it does not autonomously target devices. For this reason, Host and Leak Discovery tabs are enabled at this point in the process.
- Analyze the results.
This would involve determining the direct source of any leak paths found, which is often a misconfigured firewall. It would also involve validating that the associated forwarding and filtering devices' vulnerabilities are benign in nature and not a violation of your company's security policies.
Communication between a Command Center (CC) and a Scout performing Leak Discovery (aka Leak Scout) takes place over an encrypted SSL connection on TCP port 443, as it does for all Lumeta communications. When the CC needs to communicate with the Scout to deliver an instruction, it creates an HTTPS session over TCP port 443 to the Scout. Once the instruction is executed, the Scout no longer stores the instruction or the data. If there is a firewall between the CC and the Scout, TCP port 443 must be open and return packets must be permitted.
Perimeter Controls and Stateful Inspection
A firewall is designed to block unauthorized network access while permitting authorized communications based on a set of rules and other criteria. Most routers include rudimentary access control lists which in some cases include simple stateful inspection. These perimeter controls should stop leaks from occurring. In addition, firewalls and routing devices can (and should) be used to examine the correct progression of the state of a connection, especially session establishment. In the context of Leak Discovery, Lumeta is specifically requesting the devices being tested (e.g., hosts) to "reply." However, firewalls and other devices tracking a packet's state will not have seen a request, and therefore should drop any replies. In the event stateful inspection is off, misconfigured, or unavailable on the routing device, the device will push the reply packet out to the Leak Scout, and this stateless reply will be recorded and returned to the Command Center for reporting. All intermediary devices must cooperate in the communication process to ensure a leak is properly tracked. For example, if a discovery packet is sent to a host and a router is blocking its reply, this host will not be targeted for leak discovery.
Lumeta is a real-time visibility and risk management solution that enables cloud, network, and security teams to find unknown networks, devices, and connections. Through active, passive, and indirect methods, Lumeta uses a unique, patent-pending technology to recursively discover a network’s state. Customers gain visibility into their entire infrastructure, including cloud instances and assets, and including IPv4/IPv6 connections and devices. Lumeta provides authoritative data about the network and its devices in real-time, and at a fine level of granularity. It synthesizes device responses, performs analyses to surface risk, and alerts both systems and people with the power to remediate so they can take action immediately.
Lumeta amplifies the value of asset-, breach-, EDR-, HVM-, alert-, risk- and network-management applications by supplying them with better foundational data. It delivers superior results and superior security intelligence: The broadest reach and most comprehensive network coverage in the industry, authoritative visibility, enterprise-grade user management, and a visual way to grasp the significance of events, trends, security gaps, threats, and misconfigurations. Use it alongside your firewalls and integrate it with your security applications to achieve the full value of your network security ecosystem.
Performing Leak Path Discovery
To perform Leak Path Discovery, do the following:
- Position a Leak Scout and its attendant collector outside your zone of interest (e.g., exterior to that zone's firewall). For example, to test for leaks between internal networks and the Internet, select a Leak Scout that has been placed outside the internal networks' firewalls.
- Configure Host Discovery and Leak Discovery and let them run.
Note that Leak Discovery leverages Host Discovery insofar as collectors configured to perform Leak Discovery "understand" where to go by ingesting the results of Host Discovery. A leak collector receives its discovery scope from Host; it does not autonomously target devices. Therefore, complete both the Host and Leak tabs at this point in the process.
If you change the collector interface used in Leak Path indexing, be sure to update the Interface field on the Leak Path tab to display the current correct interface. The Interface field displays the name of the previous interface until you change it.
- Analyze the results.
This would involve determining the direct source of any leak paths found, which is often a misconfigured firewall.
It would also involve validating that the associated forwarding and filtering devices' vulnerabilities are benign in nature and not a violation of your company's security policies.
In the following illustration, Lumeta identifies leaks in a dual-homed Windows desktop. To elicit all possible responses, the firewall and all packet-forwarding capabilities have been disabled so that response packets are forwarded according to the routing table. On the outbound interface, ensure there are no firewalls restricting egress.
When Leak Path Discovery is configured, the parameters are forwarded to the nominated Leak Scout, and a packet with the Leak Scout's address spoofed as its source is sent from the source Scout to the target IP address. If a response is received by the Leak Scout, it is reported back to the Command Center via the pre-established SSL link.
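The exchange just described, and the stateful-versus-stateless distinction from the "Perimeter Controls and Stateful Inspection" section, as an added simulation that is not Lumeta's code: the source Scout emits a probe carrying the Leak Scout's address, the target answers the Leak Scout, and the perimeter device in front of the Leak Scout either drops the unsolicited reply (stateful) or lets it through (stateless ACL). The addresses are constructed, and encoding the discovery marker in the probe's TCP sequence number (so the target echoes it as ack = seq + 1) is an assumption about how the markers work, not something the page states.

```python
from dataclasses import dataclass, field

MARKER = 0x4C454B  # constructed marker value; placed in the probe's TCP seq (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" SYN, "SA" SYN/ACK, "RA" RST/ACK
    seq: int = 0
    ack: int = 0

@dataclass
class Firewall:
    """Perimeter device between the probed target and the Leak Scout."""
    stateful: bool
    state: set = field(default_factory=set)  # flows the protected side initiated

    def outbound(self, p: Packet) -> None:
        """Record a session the Leak Scout itself opened (legitimate state)."""
        self.state.add((p.src, p.dst, p.sport, p.dport))

    def inbound(self, p: Packet) -> bool:
        if not self.stateful:
            # Stateless ACL ("permit established"): trusts the ACK bit alone and
            # has no memory of whether a matching request ever went out.
            return "A" in p.flags
        # Stateful inspection: the reply must mirror a tracked outbound flow.
        return (p.dst, p.src, p.dport, p.sport) in self.state

def target_reply(probe: Packet, open_ports: frozenset) -> Packet:
    """The probed host answers whatever it saw as the source: the Leak Scout."""
    flags = "SA" if probe.dport in open_ports else "RA"
    return Packet(probe.dst, probe.src, probe.dport, probe.sport, flags, ack=probe.seq + 1)

def leak_test(fw: Firewall, leak_scout: str, target: str, port: int,
              open_ports: frozenset = frozenset()):
    """One round: the source Scout probes, the Leak Scout listens; a record or None."""
    # The source Scout emits the probe with the Leak Scout's address as its source.
    probe = Packet(leak_scout, target, 40000, port, "S", seq=MARKER)
    reply = target_reply(probe, open_ports)
    # The reply is routed toward the Leak Scout; the firewall in front of it decides.
    if not fw.inbound(reply):
        return None  # a stateful device saw no request, so it drops the reply
    # The Leak Scout keeps only replies that echo the marker (TCP ack = seq + 1).
    if reply.ack - 1 != MARKER:
        return None
    return {"target": target, "port": port, "reply": reply.flags}
```

A closed port still produces a leak record (the RST/ACK reaches the Leak Scout), which is why the finding points at the filtering device rather than at the service on the target.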
Configuring Leak Discovery
If you would like to maximize the speed of Leak Path Discovery, consider also configuring Broadcast Discovery (i.e., set all boxes to yes). This has the effect of sending discovered devices immediately into the Leak Discovery process without waiting for the completion of a whole discovery cycle, as it would otherwise do.