New IT Auditor

Auditing Physical Network Components
By Alan Oliphant, FBCS, FIIA, MIIA, QiCA, MBA

Conversations with IT technical experts tend to be bizarre. Auditors try to ask simple questions but receive answers peppered with a plethora of acronyms and arcane terms. Understanding what these terms mean can give new IT auditors the knowledge they need to ask follow-up questions that produce simpler and clearer answers.

Although new IT auditors shouldn't be expected to have the same expertise about choosing network hardware as a properly qualified network engineer, they should have a good knowledge of the types and characteristics of those components. Auditors need to be aware of the particular risks and exposures raised by certain types of networking components.

This article provides a simple explanation of some of the physical network devices that auditors will come across and some of the issues they should consider when auditing the hardware components of a data communication network. These include devices that process data network communications and server computers and other devices that provide services across networks. Finally, while not a physical component of data communications networks, there is also a short section on two of the newer data communications protocols that the new IT auditor will come across.

NETWORK CONNECTION DEVICES
The following devices are the physical components that process data network communications and allow computer equipment to be connected to these networks.

Network Adapter. A circuit card in a personal computer (PC) or intelligent workstation that connects a computer's hardware to the network. Network adapters, or network interface cards (NIC), can often support multiple types of cabling and can automatically sense which type is in operation. "Smart" network adapters have an on-board processor that enables them to work without demanding resources from a PC. Network adapters have a unique hardware identification number called a media access control (MAC) address.

Modem. A device that transmits data over telephone lines at speeds of up to 56 kilobits per second (kbps). Modems convert the digital signal used by the computer into an analog signal that can be transmitted over public-switched telephone networks (PSTN). They also compress data; automatically detect and switch between voice, fax, and data transmissions; and perform error correction via hardware. Most large organizations have stopped using modems on their networks in recent years because they are difficult to secure and high-speed direct Internet connections provide faster access. Unless there are very good business reasons, modems should rarely be used for external network access.

Multiplexer. A device that allows several communications devices to share a single communications channel by combining the data each device sends into a single stream of information. Multiplexers are installed at each end of a circuit, so that three inputs multiplexed at one end are split (de-multiplexed) into three output streams at the other (see diagram). They effectively maximize the capacity of a single circuit, as single devices do not normally use the full capacity of a line at all times. Older mainframe systems tend to use multiplexers through private network circuits.

Front-End Processor (FEP). A device situated between a host computer and the network that relieves the host of the load of processing communications, freeing it to perform other work (see diagram). The FEP is really a computer and will often have the ability to process code that can be applied to all data transmissions it handles. However, the FEP can be used to apply potentially fraudulent code to all network transmissions. Often, organizations have little or no change control over code that runs on an FEP.

Network Controller. A device that provides a communications processing interface on behalf of a group of terminals or workstations (see diagram). Network controllers are typically used on networks where the workstations are "dumb terminals" and are usually found in traditional mainframe environments. Network controllers need good physical protection, not only to prevent accidental or deliberate damage, but also to help prevent anyone from deliberately changing the configuration of the network.

Hub. A device that connects network components together at a common point (see diagram). Hubs form the basis of structured network wiring systems in modern buildings. The connections are normally similar to a standard telephone cable plug to make connection and disconnection easier. Most hubs can be remotely managed, which means that physical access to the equipment is not necessary to change configurations. Hubs need to be physically protected against the same threats as network controllers.

Switch. While a hub connects components such as personal computers to a network passively, a switch makes intelligent connections between the sender's and receiver's MAC addresses, creating a virtual circuit for the duration of the connection.

Router. Routers are even more intelligent than switches. While a switch looks at MAC addresses to make physical connections, a router looks at the network address content of the transmission, which enables it to pick the optimal route based on a table of rules. Routers can also deal with different protocols and can compress data like modems. Routers are often responsible for making the connection between an internal local area network (LAN) and an external wide area network (WAN) and contain security features such as authentication to protect against external attack.

Bridges and Brouters. A bridge is a device that links two subnetworks and may incorporate intelligence or security features that allow it to filter traffic in one or both directions. A brouter is a router and bridge combined into one device.

SERVERS
A server is a computer that provides common services to all other computers within a network. These can include file servers that store the data that is used by all network users and application servers that provide access to the application systems as they are needed by each user. In the data communications world, there are also other specialized servers.

Name Server. A name server translates Internet domain names into Internet protocol (IP) addresses. For example, a name server would convert the domain name "mair-international.com" to the IP address 212.227.118.96.

Proxy Server. A server that acts as a barrier between an internal network and the outside world. A proxy server does this by substituting its own IP address in place of any other internal IP addresses embedded in outgoing transmissions, which prevents outsiders from seeing the internal addresses. This helps protect an organization's internal IP addresses when it connects its internal networks to the Internet.

Firewall. A physical server or software product that acts as a proxy server but also has configurable rules that determine which types of transmissions can be allowed to enter or pass out of an organization's network. Firewalls are one of the primary methods of protecting internal networks from outside hacking activity from the Internet.

Gateway. A computer that provides a bidirectional connection service between two or more systems — typically between an internal local network and an external public network. For example, a gateway is used to connect an internal Ethernet LAN to the Internet.

Web Server. A server that stores HTML-formatted Web pages that can be accessed remotely by users through a Web browser.

FTP Server. A file transfer protocol (FTP) server enables authorized users to upload and store files or download files over an internal network or the Internet.

NETWORK PROTOCOLS
In addition to understanding the various network hardware components, auditors should have a basic understanding of the network protocols that make data communications possible. A network protocol specifies the format of messages that are sent between computers. It also establishes a standard way for computers to acknowledge that they have received a message and to check that message content was not corrupted in transmission (i.e., its integrity).

The most common network protocol is TCP/IP (see "Data Networking Basics"). However, IT auditors will also come across many other protocols. A good reference to all protocols can be found at http://www.protocols.com/protoc.shtml, which provides detailed technical specifications that are too complex to be covered at this stage. However, the new IT auditor will probably come across two commonly used protocols on network audits: frame relay and asynchronous transfer mode (ATM).

Frame Relay. A networking protocol that simplifies the processing of data transmissions between two networks by eliminating a number of the processing stages and error checks, yielding an overall increase in performance. This protocol uses virtual circuits rather than fixed physical circuits. This allows many virtual circuits to exist on a physical link simultaneously, thus greatly increasing transmission speeds by making better use of bandwidth.

ATM. A high-performance switching and multiplexing protocol that uses fixed-length packets (48 bytes) to carry different types of traffic. A good description of ATM can be found at http://www.iec.org/online/tutorials/atm_fund/.

AUDITING NETWORK HARDWARE
At the start of a network hardware audit, the first thing that any auditor should do is learn the physical configuration of the network by asking the technical staff and examining network diagrams and other documentation. However, auditors should understand that network configurations change frequently. Organizations add new components and reconfigure or remove existing components regularly. Network diagrams and other documentation may not be current — if they exist at all.

Auditors should focus on issues such as:

Identifying the key hardware components of the network.
Ensuring that a full inventory of these components is maintained.
Ensuring that these components are physically and logically secure and accessible only to authorized individuals.
Understanding where these components fit into the network infrastructure and how they function.
Determining whether these components conform to published networking standards.
Evaluating whether these components improve or weaken controls over transmission.
Ensuring that records are kept of routine maintenance and errors that are reported and cleared.
Ensuring that there is adequate insurance coverage for all owned components.
Ensuring that there are reasonable contingency arrangements.

HARDWARE AUDITS PROVIDE ASSURANCE
Much can be gained by looking at the physical structure of the networks, identifying the components, and making an assessment of the physical security over them. Reviewing these components will provide some assurance to the IT auditor that the critical network components are properly protected against accidental and deliberate threats and that the network is resilient.

http://www.theiia.org/itaudit/in ... =forum&fid=5423
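The inventory and documentation checks in the audit list above, as an added example that is not part of the original article: a small Python reconciliation of a documented device inventory against the addresses actually observed on the network (the MAC address the article describes for network adapters), flagging undocumented devices, documented devices that are no longer seen, and address changes that suggest stale diagrams. All device records, addresses and input formats are constructed assumptions, standing in for an inventory export and a switch MAC-table or ARP dump.

```python
"""Reconcile a documented network inventory against observed devices.

Constructed sample data; an auditor would substitute the organisation's
inventory export and a switch MAC-table / ARP dump (assumed to reduce to
MAC address, IP address, device type and location).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    kind: str
    location: str


def norm_mac(mac: str) -> str:
    """Normalise MAC spellings (00-1A-.., 001a.2b3c.., 00:1a:..) to lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed documented inventory: what the network diagrams say exists.
INVENTORY = [
    Device("00:1A:2B:3C:4D:01", "10.0.0.1", "router", "comms room A"),
    Device("00-1A-2B-3C-4D-02", "10.0.0.2", "switch", "comms room A"),
    Device("00:1A:2B:3C:4D:03", "10.0.0.3", "FEP", "mainframe hall"),
]

# Constructed observations, e.g. rows from a switch MAC table or ARP cache.
OBSERVED = [
    ("001a.2b3c.4d01", "10.0.0.1"),
    ("00:1a:2b:3c:4d:02", "10.0.0.2"),
    ("00:1a:2b:3c:4d:99", "10.0.0.44"),  # nothing documented for this device
]


def reconcile(inventory, observed):
    """Return (undocumented MACs, documented-but-unseen MACs, MACs whose IP changed)."""
    documented = {norm_mac(d.mac): d for d in inventory}
    seen = {norm_mac(m): ip for m, ip in observed}
    undocumented = sorted(set(seen) - set(documented))
    unseen = sorted(set(documented) - set(seen))
    moved = sorted(m for m in set(seen) & set(documented) if seen[m] != documented[m].ip)
    return undocumented, unseen, moved


if __name__ == "__main__":
    undoc, unseen, moved = reconcile(INVENTORY, OBSERVED)
    print("undocumented devices:", undoc)
    print("documented but not seen:", unseen)
    print("IP differs from documentation:", moved)
```

Each finding maps to an audit question: an undocumented MAC is a device outside the inventory control, and a documented device that is never observed is either decommissioned without a record or a diagram that was not kept current.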