Generic selectors
Exact matches only
Search in title
Search in content
post
page
How can we help?
Print

Identifying Risks

Risk and Warnings are generated using Policies and Requirements located in the Policy Manager.  NP policies and requirements are automatically assigned to all devices when they are imported and run when network device configuration changes are identified.

The following default policies are provided for all Compliance modules:

  • NP-Parser Policy – triggers from device configuration files
  • NP Rule Policy – triggers from access rules

CiS Benchmarks are provides as part of the Best Practices Module

  • CiS Benchmark for Check Point
  • CiS Benchmark for Cisco
  • CiS Benchmark for Juniper
  • CiS Benchmark for Palo Alto

Policy Management

Each policy is broken down into a set of requirements that are used to identify potential network risks.

By clicking on a specific Policy and Requirement, the details and Regex logic for the requirement is displayed.

Policies and Requirements are global in nature and changes made when within one workspace apply to all workspaces.  For example, if a Policy, Requirement or Device is deactivated in one workspace, that update applies to all workspaces. Default policies and requirements can be “Enabled or Disabled” by clicking the blue bubble and “Run” by clicking the “Run” button. Default policies and requirements cannot be edited or deleted.

PolicyRequirementRisk Severity
NP Parser PolicyUnnecessary EIGRP NetworkLow
 Broadcast traffic permissionLow
 Traffic to multicast groupLow
 Empty FieldLow
 Unused ACL’sLow
 Unused groupLow
 Mixed any and not anyLow
 Unassigned interfaceLow
 Missing interfacesLow
 Rule following scheduleLow
NP Rule PolicyAny protocol pathHigh
 Any to any IPMedium
 Any source IPHigh
 Any destination IPMedium
 Any protocolMedium
 Any destination portMedium

CiS Benchmark

In addition to the NP-Policies, portions of the CiS Benchmark has been provided for several manufacturers.  CiS Benchmarks provide a power set of secondary policies to help identify risk within your network.  CiS Benchmarks are disabled by default and must manually be enabled and assigned to devices. As noted above, changes to Policies, Requirements or Devices apply to all workspaces. CiS Benchmark Policies and Requirements can be deactivated but not edited or deleted.

The below requirements were derived from the CiS Check Point Firewall Benchmark v1.1.0 – 06-29-2020.

RequirementRisk Severity
Ensure ‘Login Banner’ is setLow
Ensure CLI session timeout is set to less than or equal to 10 minutesLow
Ensure Check for Password Reuse is selected and History Length is set to 12 or moreLow
Ensure DHCP is disabledLow
Ensure DNS server is configuredLow
Ensure Deny access after failed login attempts is selectedLow
Ensure Deny access to unused accounts is selectedLow
Ensure Disk Space Alert is setLow
Ensure force users to change password at first login after password was changed from Users page is selectedLow
Ensure Host Name is setLow
Ensure IPv6 is disabled if not usedLow
Ensure Maximum number of failed attempts allowed is set to 5 or fewerLow
Ensure Minimum Password Length is set to 14 or higherLow
Ensure NTP is enabled and IP address is set for Primary and Secondary NTP serverLow
Ensure Password Complexity is set to 3Low
Ensure Password Expiration is set to 90 days or lessLow
Ensure Telnet is disabledLow
Ensure Warn users before password expiration is set to 7 days or lessLow
Ensure Web session timeout is set to less than or equal to 10 minutesLow
Ensure Radius or TACACS+ server is configuredLow
Logging should be enabled for all Firewall RulesLow

The below requirements were derived from the CiS Cisco Firewall Benchmark v4.1.0 – 01-16-2018. Supporting ASA 8.x and 9.x.

RequirementRisk Severity
Ensure ‘Domain Name’ is setLow
Ensure ‘Failover’ is enabledLow
Ensure ‘HTTP session timeout’ is less than or equal to ‘5’ minutesLow
Ensure ‘Host Name’ is setLow
Ensure ‘LOGIN banner’ is setLow
Ensure ‘MOTD banner’ is setLow
Ensure ‘NTP authentication key’ is configured correctlyLow
Ensure ‘Password Policy’ is enabledLow
Ensure ‘Password Recovery’ is disabledLow
Ensure ‘SNMP community string’ is not the default stringLow
Ensure ‘SSH session timeout’ is less than or equal to ‘5’ minutesLow
Ensure ‘TACACS+RADIUS’ is configured correctlyLow
Ensure ‘console session timeout’ is less than or equal to ‘5’ minutesLow
Ensure ‘local username and password’ is setLow
Ensure ‘logging with timestamps’ is enabledLow
Ensure ‘logging’ is enabledLow
Ensure ActiveX filtering is enabledLow
Ensure DHCP services are disabled for untrusted interfacesLow
Ensure DOS protection is enabled for untrusted interfacesLow
Ensure Master Key Passphrase is setLow
Ensure email logging is configured for critical to emergencyLow
Ensure explicit deny in access lists is configured correctlyLow
Ensure ‘trusted NTP server’ existsLow
Ensure Enable Password is setLow
Ensure Java applet filtering is enabledLow
Ensure Logon Password is setLow
Ensure known default accounts do not existLow

The below requirements were derived from the CiS Cisco Juniper Benchmark v2.1.0 – 11-23-2020. Supporting JunOS v15.1.

RequirementRisk Severity
Forbid Dial in AccessLow
Ensure VRRP authentication-key is setLow
Ensure proxy-arp is disabledLow
Ensure EBGP peers are set to use GTSMLow
Ensure authentication check is not suppressedLow
Ensure loose authentication check is not configuredLow
Ensure RIP authentication is set to MD5Low
Ensure BFD Authentication is SetLow
Ensure BFD Authentication is Not Set to Loose-CheckLow
Ensure SNMPv1/2 are set to Read OnlyLow
Ensure “Default Restrict” is set in all client listsLow
Ensure AES128 is set for all SNMPv3 usersLow
Ensure SHA1 is set for SNMPv3 authenticationLow
Ensure Accounting of LoginsLow
Ensure Accounting of Configuration ChangesLow
Ensure Archive on CommitLow
Ensure NO Plain Text Archive Sites are configuredLow
Ensure external AAA is usedLow
Ensure TCP SYN/FIN is Set to DropLow
Ensure TCP RST is Set to DisabledLow
Ensure Minimum Session Time of at least 20 secondsLow
Ensure Lockout-period is set to at least 30 minutesLow
Ensure login message is setLow
Ensure local passwords require multiple character setsLow
Ensure at least 4 set changes in local passwordsLow
Ensure local passwords are at least 10 charactersLow
Ensure External NTP Servers are setLow
Ensure Strong Ciphers are set for SSHLow
Ensure Web-Management is not Set to HTTPLow
Ensure Web-Management is Set to use HTTPSLow
Ensure Web-Management is Set to use PKI Certificate for HTTPSLow
Ensure Session Limited is Set for Web-ManagementLow
Ensure Telnet is Not SetLow
Ensure Reverse Telnet is Not SetLow
Ensure Finger Service is Not SetLow
Ensure Log-out-on-disconnect is Set for ConsoleLow
Ensure Autoinstallation is Set to DisabledLow
Ensure Hostname is Not Set to Device Make or ModelLow
Ensure Password is Set for PIC-Console-AuthenticationLow

The below requirements were derived from the CiS Palo Alto Firewall 9 Benchmark v1.0.0 – 03-23-2020.

RequirementRisk Severity
Ensure ‘Idle timeout’ is less than or equal to 10 minutes for device management’ is setLow
Ensure ‘Login Banner’ is setLow
Ensure ‘Minimum Length’ is greater than or equal to 12Low
Ensure ‘Minimum Lowercase Letters’ is greater than or equal to 1Low
Ensure ‘Minimum Numeric Letters’ is greater than or equal to 1Low
Ensure ‘Minimum Password Complexity’ is enabledLow
Ensure ‘Minimum Special Characters’ is greater than or equal to 1Low
Ensure ‘Minimum Uppercase Letters’ is greater than or equal to 1Low
Ensure ‘New Password Differs By Characters’ is greater than or equal to 3Low
Ensure ‘Permitted IP Addresses’ is set for all management profiles where SSH, HTTPS, or SNMP is enabledLow
Ensure ‘Permitted IP Addresses’ is set to those necessary for device managementLow
Ensure ‘Prevent Password Reuse Limit’ is set to 24 or more passwordsLow
Ensure ‘Required Password Change Period’ is less than or equal to 90 daysLow
Ensure ‘Service setting of ANY’ in a security policy allowing traffic does not existLow
Ensure HTTP and Telnet options are disabled for all management profilesLow
Ensure HTTP and Telnet options are disabled for the management interfaceLow
Ensure System Logging to a Remote HostLow
Ensure alerts are enabled for malicious files detected by WildFireLow
Ensure redundant NTP servers are configured appropriatelyLow
Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zonesLow
Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zonesLow
Ensure that the Certificate used for Decryption is TrustedLow
Ensure valid certificate is set for browser-based administrator interfaceLow
Syslog logging should be configuredLow

 

Risk Assessment Grading

At any given time, a monitored device can have one or more open risks or warnings. This information is used by our Grading algorithm to provide each device with a letter grade. The quantity, criticality and type of open risks and warnings go into the calculation.

This grade informs the users which devices have the highest security or compliance risks. The lower the letter grade, the higher the risk.

The grade for each monitored device can be seen by clicking on a device on the topology map and reviewing the Risk Assessment Grading on the device menu. Clicking on the menu item displays the details that went into the grade.

An depiction of the data flow is as follows:

The Device Risk Grade is calculated using the following weights:

  • High = 5
  • Medium = 3
  • Low = 1

The Device Risk Grade is calculated using a simple equation, for example: (5 high * 5) + (1 low * 1) = 26 -> 100 – 26 = 74 -> C

  • 90 -> 100 = A
  • 80 -> 89 = B
  • 70 -> 79 = C
  • 60 -> 69 = D
  • Else F

Issue Status is used to exclude both Resolved and Fixed issues from the calculation.

Table of Contents