Organizations cannot manage or patch devices that have not been detected. And a lack of network visibility means any number of devices are unknown, leak paths go unchecked, and the environment is likely compromised by policy and segmentation violations.
This application note describes FireMon's end-to-end solution for leak path detection, firewall clean-up, and compliance reporting using Lumeta Leak Discovery and Security Manager.
Leak Discovery is not intended for use in the cloud. For discovery within cloud environments, use CloudVisibility.
What is a Leak & Leak Discovery
A leak is an unauthorized inbound or outbound connection route to the internet or to sub-networks. A leak goes through the network perimeter or between secure zones. It may take the form of an unsecured forwarding device exposed to the internet, for example, or it could manifest as a forgotten open link to a former business partner.
Leak Discovery is Lumeta's indirect method of uncovering potential leak paths in a zone. It identifies Layer-3, stateless connections and reports network devices that were reachable via a particular, prohibited port. Leak Discovery is typically used between internal segments of a network to test the defenses of secure zone configurations to ensure enclaves are secure. It is also used to determine if any of the devices on targeted networks have connectivity to the Internet. Leak discovery is capable of spotting leaks in the network infrastructure such as router and firewall configuration issues.
How does Leak Discovery Work?
In Leak Discovery, two Lumeta devices work together to provide spoofed source addresses for leak testing. This process is performed with all discovered IP addresses to determine which hosts are leaking. Specialized markers are used within the discovery packets to ensure that Scouts identify packets involved in Leak Discovery.
Mobile devices that come onto a network only periodically are nevertheless discovered in Lumeta's rounds of continuous monitoring. They, too, are included in the scope of Leak Discovery and continuously monitored for risks.
In the event a device is not reachable after three rescan intervals, Lumeta designates it as inactive and removes it from the rounds of Leak Discovery collection.
What's the Process?
Leak Discovery is performed as follows:
- A Leak Scout and its attendant collector are positioned within an enclave-of-interest (e.g., inside that zone's firewall). To test for leaks between internal network enclaves, for example, a Lumeta Command Center would be connected to a Leak Scout deployed inside one of the enclaves.
- Configure Host Discovery and Leak Discovery on Lumeta and let them run.
Leak Discovery leverages Host Discovery insofar as collectors configured to perform Leak Discovery "understand" where to go by ingesting the results of Host Discovery. A leak collector receives its discovery scope from Host; it does not autonomously target devices. For this reason, Host and Leak Discovery tabs are enabled at this point in the process.
- Analyze the results.
This would involve determining the direct source of any leak paths found, which is often a misconfigured firewall. It would also involve validating that the associated forwarding and filtering devices' vulnerabilities are benign in nature and not a violation of your company's security policies.
Communication between a Command Center (CC) and a Scout performing Leak Discovery (aka Leak Scout) takes place over an encrypted SSL connection on TCP port 443, as it does for all Lumeta communications. When the CC needs to communicate with the Scout to deliver an instruction, it creates an HTTPS session over TCP port 443 to the Scout. Once the instruction is executed, the Scout no longer stores the instruction or the data. If there is a firewall between the CC and the Scout, TCP port 443 must be open and return packets must be permitted.
Perimeter Controls and Stateful Inspection
A firewall is designed to block unauthorized network access while permitting authorized communications based on a set of rules and other criteria. Most routers include rudimentary access control lists, which in some cases include simple stateful inspection. These perimeter controls should stop leaks from occurring. In addition, firewalls and routing devices can (and should) be used to examine the correct progression of the state of a connection, especially session establishment. In the context of Leak Discovery, Lumeta is specifically requesting that the devices being tested (e.g., hosts) "reply." However, firewalls and other devices tracking a packet's state will not have seen a request, and therefore should drop any replies. In the event stateful inspection is off, misconfigured, or unavailable on the routing device, the device will push the reply packet out to the Leak Scout, and this stateless reply will be recorded and returned to the Command Center for reporting. All intermediary devices must cooperate in the communication process to ensure a leak is properly tracked. For example, if a discovery packet is sent to a host and a router is blocking its reply, this host will not be targeted for leak discovery.
Lumeta is a real-time visibility and risk management solution that enables cloud, network, and security teams to find unknown networks, devices, and connections. Through active, passive, and indirect methods, Lumeta uses a unique, patent-pending technology to recursively discover a network’s state. Customers gain visibility into their entire infrastructure, including cloud instances and assets, and including IPv4/IPv6 connections and devices. Lumeta provides authoritative data about the network and its devices in real-time, and at a fine level of granularity. It synthesizes device responses, performs analyses to surface risk, and alerts both systems and people with the power to remediate so they can take action immediately.
Lumeta amplifies the value of asset-, breach-, EDR-, HVM-, alert-, risk- and network-management applications by supplying them with better foundational data. It delivers superior results and superior security intelligence: The broadest reach and most comprehensive network coverage in the industry, authoritative visibility, enterprise-grade user management, and a visual way to grasp the significance of events, trends, security gaps, threats, and misconfigurations. Use it alongside your firewalls and integrate it with your security applications to achieve the full value of your network security ecosystem.
Performing Leak Path Discovery
To perform Leak Path Discovery, do the following:
- Position a Leak Scout and its attendant collector outside your zone of interest (e.g., exterior to that zone's firewall). For example, to test for leaks between internal networks and the Internet, select a Leak Scout that has been placed outside the internal networks' firewalls.
- Configure Host Discovery and Leak Discovery and let them run.
Note that Leak Discovery leverages Host Discovery insofar as collectors configured to perform Leak Discovery "understand" where to go by ingesting the results of Host Discovery. A leak collector receives its discovery scope from Host; it does not autonomously target devices. Therefore, complete both the Host and Leak tabs at this point in the process.
If you change the collector interface used in Leak Path indexing, be sure to update the Interface field on the Leak Path tab to display the current correct interface. The Interface field displays the name of the previous interface until you change it.
- Analyze the results.
This would involve determining the direct source of any leak paths found, which is often a misconfigured firewall.
It would also involve validating that the associated forwarding and filtering devices' vulnerabilities are benign in nature and not a violation of your company's security policies.
In the following illustration, Lumeta identifies leaks in a dual-homed Windows desktop. To elicit all possible responses, the firewall and all packet-forwarding capabilities have been disabled so that response packets are forwarded according to the routing table. On the outbound interface, ensure there are no firewalls restricting egress.
When Leak Path Discovery is configured, the parameters are forwarded to the nominated Leak Scout, and a packet whose source address is spoofed to be that of the Leak Scout is sent from the source Scout to the target IP address. If a response is received by the Leak Scout, it is reported back to the Command Center via the pre-established SSL link.
Configuring Leak Discovery
If you would like to maximize the speed of Leak Path Discovery, consider also configuring Broadcast Discovery (i.e., set all boxes to yes). This has the effect of sending discovered devices immediately into the Leak Discovery process without waiting for the completion of a whole discovery cycle, as it would otherwise do.
Protocol-specific scenarios include:
ICMP
To ensure that the received packets can be associated with the targeted address, the original targeted IP address is carried in the first 8 bytes of the ICMP echo payload.
UDP High Port, DNS, SNMP
When a UDP high port, DNS, or SNMP Leak Path test targets an unreachable port, the target generates an ICMP unreachable message. That message quotes the first 28 octets of the original packet (the 20-byte IP header plus the first 8 bytes of the datagram), which includes the original targeted address. If the device instead replies on one of those protocols, the targeted address, taken from the payload, will be the same as the replying address; this may indicate unexpected behavior.
Use Custom TCP Ports
During TCP Leak Path Discovery, a TCP SYN packet is sent to the designated target IP address and port. If this packet reaches a non-listening port, the TCP stack generates a TCP Reset. If the device (or something between it and the Leak Path Scout) is performing network address translation, Lumeta will report both the targeted and the responding IP address. If the device is listening on the targeted port, it will generate a TCP SYN/ACK packet, which exhibits the same potentially unexpected behavior. This behavior is based on the IP stack and not on any intervening service such as a firewall, which could be configured to detect and drop spoofed packets or to silently drop the request.
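The following Python is an added illustration, not FireMon's or Lumeta's code: it parses the three kinds of reply described in the protocol-specific sections above (ICMP echo reply, ICMP unreachable, TCP RST or SYN/ACK) as a Leak Scout would see them, recovers the targeted address, and flags the NAT case in which the targeted and responding addresses differ. The packet samples are constructed, and the internal layout of the 8-byte ICMP marker (a 4-byte IPv4 address followed by padding) is an assumption.

```python
import ipaddress
import struct
ICMP, TCP = 1, 6

def build_ipv4(src, dst, proto, payload):
    """Constructed sample packet: minimal 20-byte IPv4 header, zero checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def classify_reply(packet):
    """Return (kind, target recovered from the packet or None, responder)."""
    body = packet[(packet[0] & 0x0F) * 4:]
    responder = str(ipaddress.IPv4Address(packet[12:16]))
    if packet[9] == ICMP:
        quoted = body[8:]  # data after the 8-byte ICMP header
        if body[0] == 0 and len(quoted) >= 8:  # echo reply
            # Marker scheme from the note: original target in the first 8 payload
            # bytes. Assumed layout: 4-byte IPv4 address, then 4 bytes of padding.
            return "icmp-echo", str(ipaddress.IPv4Address(quoted[:4])), responder
        if body[0] == 3 and len(quoted) >= 28:  # unreachable: quoted IP header + 8
            return "icmp-unreachable", str(ipaddress.IPv4Address(quoted[16:20])), responder
    elif packet[9] == TCP and len(body) >= 14:
        flags = body[13]
        if flags & 0x04:                 # RST: the port was closed
            return "tcp-rst", None, responder
        if (flags & 0x12) == 0x12:       # SYN/ACK: the port was listening
            return "tcp-synack", None, responder
    return None

def leak_record(packet, sent_target):
    """Pair a reply with the address the Scout probed; flag rewritten addresses."""
    parsed = classify_reply(packet)
    if parsed is None:
        return None
    kind, recovered, responder = parsed
    # TCP replies carry no in-band target, so fall back to the probe record.
    targeted = recovered or sent_target
    # targeted != responder is the NAT / intermediary case the note describes.
    return {"kind": kind, "targeted": targeted, "responder": responder,
            "address_rewritten": targeted != responder}

# Constructed sample replies as seen by the Leak Scout (not captured traffic).
SCOUT, TARGET = "10.9.9.9", "10.1.1.5"
SAMPLES = {
    "echo": build_ipv4(TARGET, SCOUT, ICMP, bytes([0, 0, 0, 0, 0, 1, 0, 1])
                       + ipaddress.IPv4Address(TARGET).packed + b"\0" * 4),
    "unreach": build_ipv4(TARGET, SCOUT, ICMP, bytes([3, 3, 0, 0, 0, 0, 0, 0])
                          + build_ipv4(SCOUT, TARGET, 17, b"\0" * 8)),
    "rst_nat": build_ipv4("192.0.2.7", SCOUT, TCP,
                          struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 0x50, 0x14, 0, 0, 0)),
}
```

Running `leak_record` over each sample with the probed address `TARGET` yields the targeted/responding pair Lumeta reports; only the `rst_nat` sample, whose RST arrives from a different address than the one probed, is flagged as rewritten.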
Users can opt to perform inbound leak path discovery, outbound leak path discovery, or both.
During Leak Path Discovery a single packet is sent per protocol selected (1 per ICMP, 1 per UDP), except for TCP where a reset packet is sent to close a connection when an acknowledgement is received (2 per TCP).
Mobile devices that come onto a network only periodically are discovered in Lumeta's rounds of continuous monitoring. These mobile devices are then added to Lumeta's targets for Leak Path Discovery and continuously monitored for vulnerabilities.
In the event a device is not reachable after three rescan intervals, Lumeta designates it as inactive and removes it from the rounds of Leak Path Discovery collection.