Transcript Slide 1
From isaca-tulsa.org/meetings.html
Topic: OSI Model from the IT Auditor Perspective
Speaker: Mr. Ben Davies
Date: Thursday, October 23rd, 11:15 to 1:00
Venue: Flemings Prime Steak House - Utica Square
Bio: Ben Davies has been working with computers since 1985 and has
been 'doing the Internet' since 1996 when he registered My Little
Corner of the Universe (mlcu.com) as the very first commercial
customer of the very first Montana based internet connection
company. He has been an independent consultant, has run internet
support operations, managed internet security at a Fortune 200
corporation and other technical and managerial responsibilities. He
became a Certified Information Systems Security Professional
(CISSP) in 2004 and Certified Information Systems Auditor (CISA) in
2007 and holds several other certifications.
1
OSI Model
(Open System Interconnection)
and how it can be used by an IT Auditor.
By Ben Davies, CISA, CISSP
[email protected]
© 2008, all rights reserved
2
3
All
People
Seem
To
Need
Data
Processing
Please
Do
Not
Throw
Sausage
Pizza
Away
Please
Do
Not
Take
Sales
People’s
Advice
4
5
The computer and associated parts including the pretty
applications live above layer 7 of the OSI model
6
7
With every item in every layer
there are vulnerabilities.
With every layer there is an
opportunity to apply “defense in
depth”.
Establishing controls around
each layer and limiting the
options within each layer
allows audit to reasonably
assess the effectiveness of
those controls
8
9
10
Seed Questions -1
1. If there is stuff above layer 7 is there
anything below layer 1?
2. I don’t see how this helps audit/enforce a
policy that says no FTP on the network.
3. You implied that services can run under
other ports, how do I audit for that?
11
Seed Questions -2
1. So where does a ‘network sniffer’ fit in to
the OSI model?
2. The sniffer shows the entire packet but
how do you read it?
3. So what controls do you use to protect
against a sniffer?
12
13
Seed Questions - 3
1. How does the OSI model help me audit access
control devices and network devices?
2. How can I tell where a given device has
inserted itself in the OSI model?
3. So how can I audit how they enforce access
control policy on the network with access
control devices like firewalls, routers and
such?
14
Seed Questions – 4
1. If the logs are so important why are they not
used more effectively?
2. Do IDS and IPS resolve many of the access
control issues?
3. You just showed us how to use the OSI model
to audit our way into thinking the network is
completely unsecure. Is it really that insecure?
. . . Drat.
15
Smart Switch
10.123.15.0/24
Firewall
Users
Patch
Pannel
Hub or
wall plug
Router
WAN Link
Router
10.50.60.0/24
Utility Network
Firewall
Users
Hub or
wall plug
Patch
Pannel
sys log
Service
Home User
Internet Cloud The
entire Planet connects
to this!
Application servers,
Database etc
Server Farm
10.20.98.0/24
Server Network
Home User Router\hub\
firewall\cable modem
16
17
18
19
The FUN Stuff; for some
The command prompt is your friend!
netstat, ipconfig, arp, ifconfig
20
OSI Layer
data point
Unix / MacOS X
Windows
Cisco
2
ARP Cache
arp -a
arp -a
show arp
2
Lan Information
netstat -i
netstat -e
show interfaces
2
Show MAC address
3
IP configuration
ifconfig -a
ipconfig /all
show ip config
3
IP Routing table
netstat -nr
netstat -nr
show ip route
4
show connections
netstat -a
netstat -a (n)
show tcp
4
TCP/IP statistics
netstat -s
netstat -s
show interfaces
show ip traffic
4
trace hop by hop
tracetoure w.x.y.z
tracert w.x.y.z
trace (will be asked for IP)
7
Check for service
telnet <port>
telnet <port>
7
DNS status
nslookup
nslookup
8
show host name
hostname
8
show logged in use
net user
8
show system variables
set
getmac
21