OVAL for Inter-networking Devices
Security Automation Developer Days
July 12, 2012

Project Martini




Luis Nuñez – Apex Assurance Group
David Solin – jOVAL
Chandrashekhar Basavanna – SecPod
OVAL for Inter-networking Devices
The OVAL specification currently supports a diverse set of platforms. Windows and a variety of UNIX operating systems are supported, but only one inter-networking platform is. Inter-networking devices are the routers and switches that connect the Internet. Currently Cisco is the only vendor and platform represented in the area of inter-networking devices. In this session we propose a new platform to be supported by the OVAL specification. The session will cover the new schema, content and tool (jOVALdi) associated with the new platform. The session will also compare similarities between the Cisco IOS schema and the new platform schema.




2                                    www.apexassurance.com      © 2012 Apex Assurance Group
jOVAL, SecPod, Apex Assurance
• Collaboration with alignment of interests.
• Apex Assurance – Juniper is a good customer to Apex. This was a worthwhile effort to get Juniper on the SCAP map and also contribute to the community.
• jOVAL – Natural to further extend the tool to other networking platforms.
• SecPod – Further expand in content capabilities.
• We encourage others to collaborate on common interests.




Project Martini Goals
• Get Juniper Junos supported in OVAL
• Proof of concept
• “rough consensus and running code”
    – Tool – jOVAL (jovaldi, Xpert)
    – Content – OVAL, XCCDF, CCE, CPE
    – Junos OVAL schema
• Acceptance of prototype concept into official OVAL release
• Think big but keep it simple




Current list of platforms supported on OVAL
[Figure: list of platforms currently supported by OVAL; callout: Candidate Platform]




Ingredients to making this work
• Specification support for Junos within OVAL
• Content – STIG, SCAP (OVAL, CPE, CCE, XCCDF)
    – SCAP 1.2 data streams
• Tool – jOVAL
    – Xpert
    – jovaldi




Juniper Junos OVAL Schema
[Figure: Junos definition schema and Junos system characteristics schema]




OVAL tests (Inter-networking devices)




DISA Network Infrastructure STIG
• Cisco IOS specific checklists (XCCDF)
• Juniper Junos specific checklists (XCCDF)




Juniper Junos Content – SCAP 1.2 data stream
• sp-junos-cce-xccdf.xml
• sp-junos-cce-oval.xml
• sp-junos-cpe-oval.xml
• sp-junos-cpe-dictionary.xml

[Figure: Junos at the centre, linked to the four components OVAL, CCE, XCCDF and CPE]


DISA STIG NET0400 test
• STIG ID NET0400 – Interior routing protocols are not authenticated
• Sample Junos CCE
• Junos command line interface (CLI) output
• Curly brace CLI example
[edit protocols ospf]
ospf {
    area 0.0.0.0 {
        interface em0.0 {
            authentication {
                md5 1 key "$9$FYPx3tOylMWxdWLkPfQCAxNdV4Z.PQz6Az3vLXN2g69AtIcWLN";
            }
        }
    }
}

• set CLI example
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "$9$FYPx3tOylMWxdWLkPfQCAxNdV4Z.PQz6Az3vLXN2g69AtIcWLN"

DISA STIG NET0340 test
• STIG ID NET0340 – Login banner is non-existent or not DOD approved
• Sample Junos CCE
• Simple check
• Variable
• Junos command line interface (CLI) output
• set CLI example
set system login message "test banner page"
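The two STIG checks on these slides (NET0400 and NET0340), carried through in code as an added example that is not part of the original slides or of the jOVAL/SecPod content: it flattens the curly-brace configuration format into the set format shown on the NET0400 slide, then evaluates both checks over the flattened statements. The sample configuration, the placeholder key string and the REQUIRED_BANNER_PHRASE value (a stand-in for the XCCDF variable the NET0340 slide mentions) are constructed assumptions, and the function names are the example's own.

```python
"""Added example, not from the Project Martini slides nor from the jOVAL or
SecPod content: flatten a Junos curly-brace configuration into 'set'
statements (the two formats shown on the NET0400 slide), then evaluate the
two DISA Network Infrastructure STIG checks the slides discuss:
  NET0400 - interior routing protocols (OSPF here) must be authenticated
  NET0340 - a login banner must be configured and contain required text
The sample configuration and key strings below are constructed for the demo."""
from __future__ import annotations

import re
import shlex

# Constructed sample: one OSPF interface authenticated, one not; a banner set.
# The "$9$..." value is a placeholder, not a real Junos obfuscated secret.
SAMPLE_CONFIG = """
system {
    login {
        message "test banner page";
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface em0.0 {
                authentication {
                    md5 1 key "$9$PLACEHOLDER-KEY"; ## SECRET-DATA
                }
            }
            interface ge-0/0/0.0;
        }
    }
}
"""

# Stand-in for the XCCDF variable that carries the approved banner wording.
REQUIRED_BANNER_PHRASE = "test banner page"


def to_set_format(config: str) -> list[str]:
    """Convert curly-brace Junos config text into 'set ...' statements.

    A line ending in '{' opens a block, '}' closes it, ';' ends a leaf.
    Trailing '## ...' annotations (e.g. '## SECRET-DATA') and '/* */'
    comment lines are dropped. Raises ValueError on unbalanced braces.
    """
    path: list[str] = []
    statements: list[str] = []
    for raw in config.splitlines():
        line = re.sub(r"\s*##.*$", "", raw).strip()
        if not line or line.startswith("/*"):
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if not path:
                raise ValueError("unexpected '}' in config")
            path.pop()
        elif line.endswith(";"):
            statements.append("set " + " ".join(path + [line[:-1].strip()]))
        else:
            raise ValueError(f"unrecognised config line: {raw!r}")
    if path:
        raise ValueError("unbalanced braces in config")
    return statements


OSPF_IFACE = re.compile(r"^set protocols ospf area (\S+) interface (\S+)(?: (.*))?$")


def check_net0400(statements: list[str]) -> dict[str, bool]:
    """NET0400: map each OSPF interface to whether it carries an
    authentication statement. Passive interfaces form no adjacencies
    and are left out of the result."""
    result: dict[str, bool] = {}
    passive: set[str] = set()
    for stmt in statements:
        m = OSPF_IFACE.match(stmt)
        if not m:
            continue
        iface, rest = m.group(2), m.group(3) or ""
        if rest.split(" ")[0] == "passive":
            passive.add(iface)
        result.setdefault(iface, False)
        if rest.startswith("authentication "):
            result[iface] = True
    return {i: ok for i, ok in result.items() if i not in passive}


def check_net0340(statements: list[str]) -> str | None:
    """NET0340: return the configured login banner text, or None if absent."""
    prefix = "set system login message "
    for stmt in statements:
        if stmt.startswith(prefix):
            # shlex strips the surrounding quotes of the banner string.
            return " ".join(shlex.split(stmt[len(prefix):]))
    return None


def evaluate(config: str, required_phrase: str = REQUIRED_BANNER_PHRASE) -> dict[str, str]:
    """Run both checks and return XCCDF-style results keyed by STIG ID."""
    statements = to_set_format(config)
    ospf = check_net0400(statements)
    banner = check_net0340(statements)
    return {
        "NET0400": ("notapplicable" if not ospf
                    else "pass" if all(ospf.values()) else "fail"),
        "NET0340": "pass" if banner and required_phrase in banner else "fail",
    }


if __name__ == "__main__":
    for rule, verdict in evaluate(SAMPLE_CONFIG).items():
        print(f"{rule}: {verdict}")
```

The parser drops the `## SECRET-DATA` annotation that Junos appends to key lines in `show configuration` output, which is the usual reason a naive line-by-line reader trips over a real export; NET0400 is reported as notapplicable when no OSPF interface is configured, keeping an inapplicable rule distinct from a failed one as XCCDF does.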




Demo
[Figure: demo flow; labels: SCAP content (XCCDF, OVAL, CCE/CPE) → tool → Junos (remote or offline) → results]




Demo Content
• OVAL Junos schema
• OVAL definition
• XCCDF – based on DISA STIG
• CPE
• CCE




Challenges and Lessons Learned
• Lack of inter-networking vendors' participation in the specifications
• The specifications focus on Windows and Linux operating systems; adoption for other platforms is slow.
• Incentives to adopt




Thanks
Reference
• www.apexassurance.com
• www.joval.org
    – Tool download: http://joval.org/download/mitre
• www.secpod.com
    – Content download: http://scaprepo.com/
• Junos STIG reference
    – http://www.c3isecurity.com/home/junos-hardening




Xpert output transcript
>xpert -d defsp-junos-netconf-datastream-1.1.xml -p xccdf_org.secpod_profile_stig_junos -plugin remote -config remote-junos.properties -l 1
----------------------------------------------------
XPERT by jOVAL.org
XCCDF Processing Engine and Reporting Tool
Version: 5.10.1.1_Dev
Build date: Fri Jun 22 11:57:19 CDT 2012
Copyright (C) 2012 - jOVAL.org

Plugin: jOVALRemotePlugin by jOVAL.org(TM)
Version: 5.10.1.1_Dev
Copyright (C) 2011, 2012 - jOVAL.org
----------------------------------------------------

Slide callouts: -d selects the SCAP 1.2 data stream; -p selects the XCCDF profile; -plugin and -config are the plug-in options for remote and offline capabilities.

Xpert output transcript (continued)
Start time: Tue Jun 26 13:07:38 EDT 2012
Loading defsp-junos-netconf-datastream-1.1.xml
Selected stream scap_org.secpod_datastream_sp-junos-netconf-datastream.zip
Selected benchmark scap_org.secpod_comp_sp-junos-cce-netconf-xccdf.xml
Setting org.joval.ssh.system.SshSession: conn.timeout=3000 [org.joval.intf.ssh.system.ISshSession]
Setting org.joval.ssh.system.SshSession: conn.retries=3 [org.joval.intf.ssh.system.ISshSession]
Setting org.joval.ssh.system.SshSession: attach.log=false [org.joval.intf.ssh.system.ISshSession]
Setting org.joval.ssh.system.SshSession: exec.retries=1 [org.joval.intf.ssh.system.ISshSession]
Setting org.joval.ssh.system.SshSession: debug=false [org.joval.intf.system.IBaseSession]
Setting org.joval.ssh.system.SshSession: read.timeout.small=15000 [org.joval.intf.system.IBaseSession]
Setting org.joval.ssh.system.SshSession: read.timeout.large=900000 [org.joval.intf.system.IBaseSession]
Setting org.joval.ssh.system.SshSession: read.timeout.medium=120000 [org.joval.intf.system.IBaseSession]
Setting org.joval.ssh.system.SshSession: read.timeout.xl=3600000 [org.joval.intf.system.IBaseSession]
Credential set for 172.16.177.25
Auth: Banner Page

Xpert output transcript (continued)
Established SSH connection to host 172.16.177.25
Starting process: pwd
Starting process: show version
Setting org.joval.os.juniper.system.JunosSession: debug=false [org.joval.intf.system.IBaseSession]
Setting org.joval.os.juniper.system.JunosSession: read.timeout.small=15000 [org.joval.intf.system.IBaseSession]
Setting org.joval.os.juniper.system.JunosSession: read.timeout.large=900000 [org.joval.intf.system.IBaseSession]
Setting org.joval.os.juniper.system.JunosSession: read.timeout.medium=120000 [org.joval.intf.system.IBaseSession]
Setting org.joval.os.juniper.system.JunosSession: read.timeout.xl=3600000 [org.joval.intf.system.IBaseSession]
Credential set for 172.16.177.25

Slide callout (next to "show version"): Junos CLI “show version details”

Xpert output transcript (continued)
There are 4 rules to process for the selected profile
Starting process: request support information
Determining system applicability...
Evaluating definition oval:org.secpod.devel.oval:def:10
Evaluating oval:org.secpod.devel.oval:def:10
Evaluating test oval:org.secpod.devel.oval:tst:10
Scanning object oval:org.secpod.devel.oval:obj:10
Scanning object oval:org.secpod.devel.oval:obj:10
NETCONF session ID: 1441
Passed def oval:org.secpod.devel.oval:def:10
The target system is applicable to the specified XCCDF

Slide callouts: the applicability step is the CPE check; "NETCONF session ID" marks the NETCONF session being opened to the device.

Xpert output transcript (continued)
Creating engine for href sp-junos-cce-netconf-oval.xml
Evaluating OVAL rules
Beginning scan
Evaluating definitions
Evaluating definition oval:org.secpod.devel.oval:def:303
Evaluating oval:org.secpod.devel.oval:def:303
Evaluating definition oval:org.secpod.devel.oval:def:10
Evaluating oval:org.secpod.devel.oval:def:10
Evaluating test oval:org.secpod.devel.oval:tst:10
Scanning object oval:org.secpod.devel.oval:obj:10
Scanning object oval:org.secpod.devel.oval:obj:10
Evaluating test oval:org.secpod.devel.oval:tst:303
Scanning object oval:org.secpod.devel.oval:obj:303
Scanning object oval:org.secpod.devel.oval:obj:303
Evaluating definition oval:org.secpod.devel.oval:def:302
Evaluating oval:org.secpod.devel.oval:def:302
Evaluating test oval:org.secpod.devel.oval:tst:302
Scanning object oval:org.secpod.devel.oval:obj:302
Scanning object oval:org.secpod.devel.oval:obj:302
Evaluating definition oval:org.secpod.devel.oval:def:301
Evaluating oval:org.secpod.devel.oval:def:301
Evaluating test oval:org.secpod.devel.oval:tst:301
Scanning object oval:org.secpod.devel.oval:obj:301
Scanning object oval:org.secpod.devel.oval:obj:301
Evaluating definition oval:org.secpod.devel.oval:def:300
Evaluating oval:org.secpod.devel.oval:def:300
Evaluating test oval:org.secpod.devel.oval:tst:300
Scanning object oval:org.secpod.devel.oval:obj:300
Scanning object oval:org.secpod.devel.oval:obj:300
Scan complete

Slide callout: the definition, test and object evaluation lines are the OVAL checks.

Xpert output transcript (continued)
Completed evaluating definitions
Evaluating SCE rules
SSH disconnecting from host 172.16.177.25
xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1001: FAIL
xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1002: FAIL
xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1003: FAIL
xccdf_org.secpod_rule_xccdf_netconf_junos_rule_scap_for_internetwork_devices_CCE-JunOS-1004: PASS
XCCDF processing complete.
Saving report: .xccdf-results.xml
Transforming to HTML report: xccdf-result.html
Finished processing XCCDF bundle

Slide callout: SCE is the Script Check Engine.

Junos OVAL vulnerability results




Xpert Junos STIG XCCDF results




Network Infrastructure STIG Topology




Lack of support for Inter-networking devices
• OVAL board members: Tool Vendors, OS Vendors, Others
• No incentives?
• Is there demand for (OVAL) routers and switches? Yes







Editor's Notes

  • #6: Discussion on currently supported platforms in OVAL and security automation specifications.
  • #7: General formula for getting new platform support.
  • #10: Quick overview of the DISA Network Infrastructure STIG. Decompose the various checklists that make up the STIG. Emphasis on the various roles inter-networking devices play on the network.
  • #11: Discussion on Junos content and the SCAP 1.2 data stream format.