
Friday, May 9, 2014

Suricata IDS -- Arachni Vulnerability Scan

Introduction

This article describes an Arachni vulnerability scan of a Linux - Exchange 2010 messaging and collaboration system.  A Linux workstation will perform the scan of a Linux security appliance in the DMZ that protects an Exchange infrastructure in the private network.

Several articles are prerequisite reading for this one:
Postfix Mail Gateway to Exchange
Apache Reverse Proxy Server to Exchange Client Access Web Services
Linux Security Appliance for Microsoft Services
Installing Suricata, Barnyard2 and Snorby

Background

The illustration below depicts the test environment. A Linux workstation equipped with OpenVAS will scan the address servicing HTTP/HTTPS and SMTP services.  A Linux Security appliance is located in the DMZ and services these traffic types and then forwards them to the Exchange Edge Services (also HTTP/HTTPS and SMTP).  This traffic is then managed by the Exchange infrastructure.

Suricata is installed on a hub in the DMZ.  Hubs operate at Layer 1 of the OSI model and forward all traffic to every port on the device.  The attached servers and workstations then decide what traffic to accept or reject based upon the destination MAC address in the Ethernet frame; they also negotiate media access.

Switches operate at Layer 2 of the OSI model.  They maintain a table of connected MAC addresses and forward traffic only to the port to which the destination MAC address is attached.  In this example, a switch would only forward inbound Internet traffic to the port to which the Linux Security Device is attached.  However, higher-end switches also support port forwarding, in which specified traffic is also forwarded to a defined port, which in this case would be the Suricata server's port.

For an IDS to see traffic of interest, it must either be on a hub or on a switch with port forwarding enabled and configured to forward to the Suricata server's port.

Arachni Results

Arachni operates primarily at the higher layers of the OSI model, targeting web applications served over HTTP and HTTPS.  In this case, it was able to identify the /owa redirect from the Apache reverse proxy to Exchange 2010 Outlook Web Access.  This information alone is adequate to identify well-known targets for further investigation.

Scans of the default Exchange Client Access Services web directories (/owa, /Microsoft-Server-ActiveSync and /ecp) disclosed significant vulnerabilities.  The most serious was a cross-site request forgery vulnerability present on the unpatched Exchange 2010 Client Access Server.


A PDF of the scan results is available here.

Suricata Results

Suricata detected none of the Arachni scans.  Arachni only used valid HTTP requests to enumerate the directories present below the web root.  Additional scans were conducted using the SSL-encrypted HTTPS protocol; Suricata cannot decrypt this traffic and was unable to read, let alone fingerprint, potentially malicious requests.

Discussion

In this case, a well-crafted vulnerability scan was conducted that disclosed significant risks and was not detected by the IDS.  In a previous article, Suricata IDS -- OpenVAS Vulnerability Scan, the security appliance and IDS identified a generalized reconnaissance and vulnerability scan.  However, a more precisely-conducted Arachni vulnerability scan went completely undetected.

IDS systems as implemented in this model are not effective at identifying well-crafted vulnerability scans.  Information may be enumerated using valid HTTP requests, and the actual penetration conducted over encrypted HTTPS that Suricata cannot read.

Under these circumstances, Suricata may provide a false sense of security.  Patch management of the targeted Exchange system is required in addition to IDS systems.
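Since the IDS on the hub sees only ciphertext for HTTPS, one place a defender can still observe this kind of enumeration is the access log of the component that terminates TLS, here assumed to be the Apache reverse proxy in front of the Client Access Server. The following is an added example, not code from this article or from Arachni or Suricata: it profiles each client in constructed Apache combined-format log lines and flags hosts that touch many distinct paths with a high 404 ratio (directory enumeration) or announce a scanner User-Agent (the "Arachni/..." string is an assumed value; scanners can change it, so the behavioural check is the one to rely on).

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumed proxy log layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: one enumerating client and one ordinary OWA user.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2014:10:01:01 -0400] "GET /owa HTTP/1.1" 302 0 "-" "Arachni/v1.0 (constructed)"
203.0.113.7 - - [09/May/2014:10:01:02 -0400] "GET /owa/auth/logon.aspx HTTP/1.1" 200 5120 "-" "Arachni/v1.0 (constructed)"
203.0.113.7 - - [09/May/2014:10:01:02 -0400] "GET /ecp HTTP/1.1" 200 2048 "-" "Arachni/v1.0 (constructed)"
203.0.113.7 - - [09/May/2014:10:01:03 -0400] "GET /Microsoft-Server-ActiveSync HTTP/1.1" 401 0 "-" "Arachni/v1.0 (constructed)"
203.0.113.7 - - [09/May/2014:10:01:03 -0400] "GET /backup HTTP/1.1" 404 212 "-" "Arachni/v1.0 (constructed)"
203.0.113.7 - - [09/May/2014:10:01:04 -0400] "GET /admin HTTP/1.1" 404 212 "-" "Arachni/v1.0 (constructed)"
203.0.113.7 - - [09/May/2014:10:01:04 -0400] "GET /test HTTP/1.1" 404 212 "-" "Arachni/v1.0 (constructed)"
198.51.100.20 - - [09/May/2014:10:02:10 -0400] "GET /owa HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [09/May/2014:10:02:11 -0400] "POST /owa/auth.owa HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def profile_clients(log_text):
    """Per-client counters: total requests, distinct paths, 404s and user-agents seen."""
    stats = defaultdict(lambda: {"total": 0, "paths": set(), "not_found": 0, "uas": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        s["uas"].add(m["ua"])
        if m["status"] == "404":
            s["not_found"] += 1
    return stats


def flag_scanners(log_text, min_paths=5, max_404_ratio=0.3):
    """Return {ip: [reasons]} for clients whose requests look like an enumeration scan."""
    flagged = {}
    for ip, s in profile_clients(log_text).items():
        reasons = []
        if any("arachni" in ua.lower() for ua in s["uas"]):
            reasons.append("scanner user-agent")  # weak signal: trivially spoofed
        if len(s["paths"]) >= min_paths and s["not_found"] / s["total"] > max_404_ratio:
            reasons.append("broad path enumeration with high 404 ratio")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Feeding the proxy log to a tool like this (or forwarding it to the same Snorby/SIEM view as the Suricata alerts) covers the blind spot the hub-based sensor has for TLS-protected requests.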


The video below documents the Arachni scan and Suricata-Barnyard2-Snorby IDS logging.
 
