
Organizations cannot manage or patch devices that have not been detected. And a lack of network visibility means any number of devices are unknown, leak paths go unchecked, and the environment is likely compromised by policy and segmentation violations.

This application note describes FireMon's end-to-end solution for leak path detection, firewall clean-up, and compliance reporting using Lumeta Leak Discovery and Security Manager. 


Leak Discovery is not intended for use in the cloud. For discovery within cloud environments, use CloudVisibility.


What is a Leak & Leak Discovery?

A leak is an unauthorized inbound or outbound connection route to the internet or to sub-networks. A leak goes through the network perimeter or between secure zones. It may take the form of an unsecured forwarding device exposed to the internet, for example, or it could manifest as a forgotten open link to a former business partner. Leak paths can be especially hard to detect in cloud environments, where there is less network visibility and fewer security controls. 

Leak Discovery is Lumeta's indirect method of uncovering potential leak paths in a zone. It identifies Layer-3, stateless connections and reports network devices that were reachable via a particular, prohibited port. Leak Discovery is typically used between internal segments of a network to test the defenses of secure zone configurations and to ensure enclaves are secure. It is also used to determine whether any of the devices on targeted networks have connectivity to the Internet. Leak Discovery can spot leaks in the network infrastructure itself, such as router and firewall configuration issues.

How does Leak Discovery Work?

In Leak Discovery, two Lumeta devices work together to provide spoofed source addresses for leak testing. This process is performed with all discovered IP addresses to determine which hosts are leaking. Specialized markers are used within the discovery packets to ensure that Scouts identify packets involved in Leak Discovery. 

Mobile devices that come onto a network only periodically are nevertheless discovered in Lumeta's rounds of continuous monitoring. These, too, are included in the scope of Leak Discovery and continuously monitored for risks.

In the event a device is not reachable after three rescan intervals, Lumeta designates it as inactive and removes it from the rounds of Leak Discovery collection.

What's the Process?

Leak Discovery is performed as follows:

  1. A Leak Scout and its attendant collector are positioned within an enclave-of-interest (e.g., inside that zone's firewall). To test for leaks between internal network enclaves, for example, a Lumeta Command Center would be connected to a Leak Scout deployed inside one of the enclaves.

  2. Configure Host Discovery and Leak Discovery on Lumeta and let them run.
    Leak Discovery leverages Host Discovery insofar as collectors configured to perform Leak Discovery "understand" where to go by ingesting the results of Host Discovery. A leak collector receives its discovery scope from Host; it does not autonomously target devices. For this reason, Host and Leak Discovery tabs are enabled at this point in the process.

  3. Analyze the results.
    This would involve determining the direct source of any leak paths found, which is often a misconfigured firewall. It would also involve validating that the associated forwarding and filtering devices' vulnerabilities are benign in nature and not a violation of your company's security policies.

Communication Considerations

Communication between a Command Center (CC) and a Scout performing Leak Discovery (aka Leak Scout) takes place over an encrypted SSL connection on TCP port 443, as it does for all Lumeta communications. When the CC needs to communicate with the Scout to deliver an instruction, it creates an HTTPS session over TCP port 443 to the Scout. Once the instruction is executed, the Scout no longer stores the instruction or the data. If there is a firewall between the CC and the Scout, TCP port 443 must be open and return packets must be permitted. 

Perimeter Controls and Stateful Inspection

A firewall is designed to block unauthorized network access while permitting authorized communications based on a set of rules and other criteria. Most routers include rudimentary access control lists, which in some cases include simple stateful inspection. These perimeter controls should stop leaks from occurring. In addition, firewalls and routing devices can (and should) be used to examine the correct progression of the state of a connection, especially session establishment.

In the context of Leak Discovery, Lumeta is specifically requesting the devices being tested (e.g., hosts) to "reply." However, firewalls and other devices tracking a packet's state will not have seen a request, and therefore should drop any replies. In the event stateful inspection is off, misconfigured, or unavailable on the routing device, the device will push the reply packet out to the Leak Scout, and this stateless reply will be recorded and returned to the Command Center for reporting.

All intermediary devices must cooperate in the communication process to ensure a leak is properly tracked. For example, if a discovery packet is sent to a host and a router is blocking its reply, this host will not be targeted for leak discovery.
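As an added illustration (not Lumeta's code or part of this page), the Python model below contrasts the two perimeter controls described above on the same constructed traffic: a port-only ACL lets an unsolicited reply from an enclave host out toward the Leak Scout's listening address, while a state-tracking firewall drops it because it never saw the request, yet still passes a normal outbound HTTPS session. Addresses, ports and the simplified TCP flags are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str        # simplified TCP flags: "SYN", "SYN-ACK" or "ACK"

def flow_key(pkt):
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport)

class StatelessAcl:
    """Port-only ACL (a 'rudimentary' router ACL): decides per packet, keeps no state."""
    def __init__(self, denied_dports):
        self.denied = set(denied_dports)

    def allows(self, pkt, direction):
        return pkt.dport not in self.denied

class StatefulFirewall:
    """Admits a packet only as part of a session whose SYN it saw leave the enclave."""
    def __init__(self, permitted_outbound_dports):
        self.permitted = set(permitted_outbound_dports)
        self.sessions = set()

    def allows(self, pkt, direction):
        if direction == "out" and pkt.flags == "SYN":      # new session request
            if pkt.dport in self.permitted:
                self.sessions.add(flow_key(pkt))
                return True
            return False
        if direction == "in":                              # reply: look up mirrored flow
            return (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.sessions
        return flow_key(pkt) in self.sessions              # other outbound packets

def leaked_replies(device, packets):
    """Return the unsolicited replies that `device` lets out of the enclave."""
    leaks = []
    for direction, pkt in packets:
        if device.allows(pkt, direction) and direction == "out" and pkt.flags == "SYN-ACK":
            leaks.append(pkt)
    return leaks

# Constructed traffic: host 10.0.1.5 answers a probe it received out of band with a SYN-ACK
# toward the Leak Scout's listening address 192.0.2.10, then opens a normal HTTPS session.
TRAFFIC = [
    ("out", Packet("10.0.1.5", "192.0.2.10", 23, 40000, "SYN-ACK")),
    ("out", Packet("10.0.1.5", "198.51.100.7", 51000, 443, "SYN")),
    ("in",  Packet("198.51.100.7", "10.0.1.5", 443, 51000, "SYN-ACK")),
]

if __name__ == "__main__":
    print(leaked_replies(StatelessAcl({23, 445}), TRAFFIC))   # the reply to the Scout leaks
    print(leaked_replies(StatefulFirewall({443}), TRAFFIC))   # nothing leaks
```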

Lumeta

Lumeta is a real-time visibility and risk management solution that enables cloud, network, and security teams to find unknown networks, devices, and connections. Through active, passive, and indirect methods, Lumeta uses a unique, patent-pending technology to recursively discover a network’s state. Customers gain visibility into their entire infrastructure, including cloud instances and assets, and including IPv4/IPv6 connections and devices. Lumeta provides authoritative data about the network and its devices in real-time, and at a fine level of granularity. It synthesizes device responses, performs analyses to surface risk, and alerts both systems and people with the power to remediate so they can take action immediately.

Lumeta amplifies the value of asset-, breach-, EDR-, HVM-, alert-, risk- and network-management applications by supplying them with better foundational data. It delivers superior results and superior security intelligence: The broadest reach and most comprehensive network coverage in the industry, authoritative visibility, enterprise-grade user management, and a visual way to grasp the significance of events, trends, security gaps, threats, and misconfigurations. Use it alongside your firewalls and integrate it with your security applications to achieve the full value of your network security ecosystem.
