Performing an IT Audit of the DMZ
By: Mitchell H. Levine, CISA - Audit Serve, Inc.
When performing a network security IT audit, it is important to focus on the DMZ, because it holds the components and services which are external facing.
The first area to review is to ensure that internal application systems are not directly accessible from the outside, which is the reason a DMZ is established in the first place. This is performed through a review of the firewall rules, which identify the traffic permitted or denied between the outside, the DMZ and the internal network. An analysis should be performed of all components in the DMZ to determine whether they need to be accessible from the outside. In addition, all internal components need to be reviewed to determine whether they belong in the DMZ because they are required to be accessed from the outside. Several types of services should always be placed within the DMZ, including web mail, FTP which is accessed externally, VPN concentrators and web servers. Telnet access to the DMZ from the outside needs to be disabled.
One common control issue found in smaller organizations using 3rd-party vendor products is having the web server and the database and/or data files on the same external-facing server. The proper security design consists of keeping no data on the web server; the data should instead be located inside the network, behind the firewall. Audit compliance testing of web servers should include browsing the directories to identify the presence of data files, which would indicate that data is accessible to outside attackers.
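The directory check described above can be scripted against a copy of the web server's document root. The following is an added example, not code from the article or from Audit Serve: it walks a directory tree, reports any file whose extension suggests data rather than web content, and reports any directory with no index page, which is where directory browsing would expose such files. The document root it scans is a constructed temporary tree, and the extension and index-name lists are assumptions an auditor would tune for the platform in use.

```python
"""Compliance check for data files left under a web server's document root.

Added example, not from the article. The tree built by build_sample_tree() is
constructed; DATA_EXTENSIONS and INDEX_NAMES are assumed starting lists.
"""
import os
import tempfile
from pathlib import Path

# Extensions that should never appear under a DMZ web root (assumed list).
DATA_EXTENSIONS = {".mdb", ".accdb", ".csv", ".xls", ".xlsx", ".sql",
                   ".bak", ".db", ".sqlite", ".zip"}
# Files whose presence normally stops a web server from listing a directory.
INDEX_NAMES = {"index.html", "index.htm", "default.htm", "default.aspx", "index.php"}


def scan_webroot(root):
    """Return sorted (finding_type, relative_path) tuples for the tree under root."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if not set(filenames) & INDEX_NAMES:
            # No index page: a server with directory browsing on will list this folder.
            findings.append(("no-index", rel_dir.as_posix()))
        for name in filenames:
            if Path(name).suffix.lower() in DATA_EXTENSIONS:
                findings.append(("data-file", (rel_dir / name).as_posix()))
    return sorted(findings)


def build_sample_tree():
    """Constructed document root with one clean folder and two problem folders."""
    base = Path(tempfile.mkdtemp(prefix="webroot_"))
    (base / "index.html").write_text("<html></html>")
    (base / "images").mkdir()
    (base / "images" / "logo.png").write_bytes(b"\x89PNG")          # fine, but no index
    (base / "reports").mkdir()
    (base / "reports" / "customers.csv").write_text("id,name\n1,Example\n")  # exported data
    (base / "data").mkdir()
    (base / "data" / "orders.mdb").write_bytes(b"\x00")             # database file on the web server
    (base / "data" / "index.html").write_text("")                   # hides the listing, data still downloadable
    return base


if __name__ == "__main__":
    for kind, path in scan_webroot(build_sample_tree()):
        print(f"{kind:10s} {path}")
```

Note that an index page only hides the listing; a data file whose name is known or guessable is still downloadable, which is why the script reports both conditions separately.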
Most auditors review the Windows 2003 Default Domain Controller security policy to assess the logon and password settings, along with the Active Directory listing to ensure that Domain Admins are appropriately assigned. However, this type of review does not cover the servers in the DMZ. The first question is whether a domain has been established within the DMZ of which all of the servers are members. If not, then network administrators are probably sharing the administrator account for each of the servers in the DMZ. This is an audit issue because a shared ID provides no accountability for an individual's actions.
The administrator account is of concern because it is the one ID which cannot be suspended regardless of the lockout rules. For this reason, the proper control is to rename the administrator ID so that hackers will not be able to hijack the ID. This leads to another control, which is to monitor all privileged IDs used on the DMZ for brute force attacks. System processes need to be assigned IDs, which are referred to as Service Accounts. If these Service Accounts are used to run applications, a case could be made not to set them up to suspend after successive invalid logon attempts, since the application would be shut down if the ID were locked. If the Service Accounts are not locked after successive invalid logon attempts, then a real-time monitoring process needs to be in place to identify attempted brute force attacks against these privileged IDs. It is not acceptable to review the system logs the next day to disclose brute force attacks. An example of a real-time monitor would consist of an email sent to designated support personnel.
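The real-time monitor the paragraph calls for amounts to a sliding-window count of failed logons per privileged account, with a notification the moment the count crosses a threshold. The following is an added example, not code from the article or from Audit Serve. The event records are constructed in a simplified, assumed layout (one dict per failed logon carrying Windows event ID 4625; Windows Server 2003 logged the same failure as 529, so both IDs are accepted) rather than parsed from a real event log, and the account names, host names, addresses, threshold and window are all invented values an administrator would replace with their own.

```python
"""Real-time monitor for brute-force attempts against privileged DMZ accounts.

Added example, not from the article. Event layout, account names, hosts and
addresses are constructed; the alert callback is where the email would be sent.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Accounts exempt from automatic lockout and therefore in need of watching:
# the renamed built-in administrator plus the application service accounts.
WATCHED_ACCOUNTS = {"dmzadmin", "svc_web", "svc_sql"}   # assumed names
FAILURE_EVENT_IDS = {4625, 529}                          # failed logon, 2008+ / 2003
THRESHOLD = 5                    # this many failures ...
WINDOW = timedelta(minutes=5)    # ... inside this sliding window raises an alert


class BruteForceMonitor:
    def __init__(self, alert, threshold=THRESHOLD, window=WINDOW, watched=WATCHED_ACCOUNTS):
        self.alert = alert              # callback taking one message string
        self.threshold = threshold
        self.window = window
        self.watched = watched
        self.recent = defaultdict(deque)   # (host, account) -> timestamps of recent failures
        self.alerted = set()               # keys already reported, so one burst yields one email

    def feed(self, event):
        """Consume one event as it arrives; return True if it raised an alert."""
        account = event["account"].lower()
        if event["event_id"] not in FAILURE_EVENT_IDS or account not in self.watched:
            return False
        key = (event["host"], account)
        now = event["time"]
        hits = self.recent[key]
        hits.append(now)
        while hits and now - hits[0] > self.window:   # forget failures older than the window
            hits.popleft()
        if len(hits) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            self.alert(f"{len(hits)} failed logons for {account} on {event['host']} "
                       f"within {self.window} (latest from {event['source_ip']})")
            return True
        return False


def failure(t, host, account, source_ip, event_id=4625):
    """Build one constructed failed-logon record."""
    return {"time": t, "host": host, "event_id": event_id, "account": account, "source_ip": source_ip}


def sample_events():
    """Constructed stream: a burst against svc_web, one unwatched user, a short trickle on dmzadmin."""
    t0 = datetime(2009, 6, 1, 2, 15, 0)
    events = [failure(t0 + timedelta(seconds=15 * i), "DMZWEB01", "svc_web", "198.51.100.7") for i in range(6)]
    events.append(failure(t0 + timedelta(seconds=20), "DMZWEB01", "jsmith", "10.1.1.10"))
    events += [failure(t0 + timedelta(minutes=i), "DMZFTP01", "dmzadmin", "198.51.100.9") for i in range(4)]
    return sorted(events, key=lambda e: e["time"])


def sample_slow_events():
    """Five failures two minutes apart: never five inside any one five-minute window."""
    t0 = datetime(2009, 6, 1, 3, 0, 0)
    return [failure(t0 + timedelta(minutes=2 * i), "DMZSQL01", "svc_sql", "198.51.100.9") for i in range(5)]


def run(events):
    """Feed events through a fresh monitor and return the alert messages it raised."""
    alerts = []
    monitor = BruteForceMonitor(alerts.append)
    for event in events:
        monitor.feed(event)
    return alerts


if __name__ == "__main__":
    for message in run(sample_events()):
        print("ALERT:", message)
```

The per-(host, account) window keeps a shared service account on one server from masking attempts on another, and the `alerted` set prevents a single burst from flooding the support mailbox; the slow-trickle sample shows the trade-off, since attempts spaced wider than the window are not caught by this rule alone.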
The IT audit of the DMZ should also include a compliance test to ensure that the ability to connect to the DMZ domain (or, assuming no domain is established, to the individual servers) is restricted to the appropriate support personnel. This can be defined in firewall rules which restrict access from the internal network to the specific IP addresses of the network support personnel.
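Both the firewall-rule review described earlier (no outside access to internal systems, no Telnet into the DMZ) and the compliance test just described (administrative access to DMZ servers only from the support staff's addresses) can be expressed as probe flows evaluated against the rule set in first-match order. The following is an added example, not code from the article or from Audit Serve: the rule list, the address ranges (RFC 5737 test networks standing in for the DMZ and outside hosts, 10.0.0.0/8 for the internal network) and the two approved support workstations are all constructed, and rules 40 and 50 are deliberately weak so the audit has something to find. The simplified rule model (source, destination, single port, first match wins, implicit final deny) is an assumption; a real firewall export would need a parser in front of it.

```python
"""First-match firewall rule review for a DMZ audit.

Added example, not from the article. Rules, addresses and probe flows are
constructed; the rule model is a deliberate simplification.
"""
import ipaddress

# Constructed rule set, in the order the firewall evaluates it.
SAMPLE_RULES = [
    {"id": 10, "action": "permit", "src": "10.1.1.10/32", "dst": "192.0.2.0/24",  "port": 3389},   # support host A
    {"id": 20, "action": "permit", "src": "10.1.1.11/32", "dst": "192.0.2.0/24",  "port": 3389},   # support host B
    {"id": 30, "action": "permit", "src": "0.0.0.0/0",    "dst": "192.0.2.10/32", "port": 443},    # public web server
    {"id": 40, "action": "permit", "src": "0.0.0.0/0",    "dst": "192.0.2.0/24",  "port": 23},     # weak: Telnet from outside
    {"id": 50, "action": "permit", "src": "10.0.0.0/8",   "dst": "192.0.2.0/24",  "port": "any"},  # weak: whole LAN to DMZ
]

# Probe flows expressing the audit expectations: (description, src, dst, port, expected action).
PROBES = [
    ("outside host to an internal application server", "198.51.100.7", "10.5.5.5", 443, "deny"),
    ("outside host using Telnet into the DMZ", "198.51.100.7", "192.0.2.10", 23, "deny"),
    ("outside host to the public web server", "198.51.100.7", "192.0.2.10", 443, "permit"),
    ("non-support internal workstation using RDP to a DMZ server", "10.20.30.40", "192.0.2.10", 3389, "deny"),
    ("approved support workstation using RDP to a DMZ server", "10.1.1.10", "192.0.2.10", 3389, "permit"),
]


def rule_matches(rule, src, dst, port):
    """True when the flow falls inside the rule's source, destination and port."""
    return (src in ipaddress.ip_network(rule["src"], strict=False)
            and dst in ipaddress.ip_network(rule["dst"], strict=False)
            and (rule["port"] == "any" or rule["port"] == port))


def evaluate(rules, src, dst, port):
    """Walk the rules in order; the first match decides, otherwise implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, src, dst, port):
            return rule["action"], rule["id"]
    return "deny", "implicit"


def audit(rules):
    """Return one finding per probe whose outcome differs from the audit expectation."""
    findings = []
    for description, src, dst, port, expected in PROBES:
        action, rule_id = evaluate(rules, src, dst, port)
        if action != expected:
            findings.append(f"{description}: rule {rule_id} gives {action}, audit expects {expected}")
    return findings


def without(rules, *ids):
    """Rule set with the given rule ids removed, for re-testing a proposed remediation."""
    return [r for r in rules if r["id"] not in ids]


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
    print("after removing rules 40 and 50:", audit(without(SAMPLE_RULES, 40, 50)) or "no findings")
```

Evaluating probes rather than reading each rule in isolation matters because an over-broad permit (rule 50) is only a problem if nothing earlier in the list already denies that traffic; the probe approach reproduces what the firewall itself would do.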
Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs PCI Assessment and Remediation Project Management consulting services. Audit Serve also conducts Integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.
Copyright 2009, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.