1

A group of student have been asked to do a bit of network security testing at college. Basically the college have just invested in some android tablets, more macs and more net books. The IT admins wants to just double check everything before they put the new equipment out. What would be the main things to check when doing some testing with all these devices? Such as what are common flaws / settings that people easily overlook. Obviously there are a few networked drives which students shouldn't have access too but teachers do so this is the main thing to test to see if it can be gotten around. The servers they use are microsoft and Linux servers. Any tips on things to look out for? Ps. This is not a question about how to maliciously hack the college network it's genuinely some penetration testing.

Regards

Ross.

Dr.Pepper
  • 241
  • 3
  • 7
  • I'm a little confused as to whether you concerned about pen testing for the newly acquired devices or the campus network and servers. If the latter, then can you please elaborate on what the new devices have to do with the situation? Cheers. – logicalscope Dec 09 '11 at 00:33
  • It's basically, can the new devices be used in a way that they shouldn't be, for example to gain access to any part of the network that they shouldn't be able to. A friend of mine and fellow student has already started on the mac side of things and has been Working closely with the IT admins and have closed many holes in the security – Dr.Pepper Dec 09 '11 at 00:37
  • Why would the NEW devices be any different than existing devices or from end-user personal devices that requires a penetration test specifically around their acquisition and distribution? – logicalscope Dec 09 '11 at 00:45
  • This is the first time they have had android devices for example so they want to test whether they are properly locked down in accordance to the college rules etc. – Dr.Pepper Dec 09 '11 at 00:46
  • I guess I still don't get it. To use an extremely limited example set, do you want to prevent people from, say, installing software on these new devices, or do you want to prevent them from accessing data on remote college servers that they shouldn't have access to? Because the former is a client-device specific issue, and the latter is a server/network issue. If the answer is "both", then you probably want to focus on the server side first because it is the more serious of the two (depending of course on how you value your assets). – logicalscope Dec 09 '11 at 01:03
  • 3
    Perhaps, I can restate my concerns in a more succinct way: if you are trying to configure the clients to restrict access to servers and networked resources, then you are approaching it wrong. A client device is generally never in a position of trust. The server (and network) protects its own. Locking down client devices to *help* is but one layer of an otherwise multi-layered security onion. So if you are asking for guidance to lock down client devices to support additional security controls, then you aren't really looking for pen testing of a *network* but rather hardening of the client. – logicalscope Dec 09 '11 at 01:12

1 Answers1

1

If you want a general security test of your servers i recommend using OpenVAS (the new open source Nessus). This tool will look at version numbers and for some services it can test for misconfiguration.

In terms of the mobile devices them selves, I don't see how this changes your attack surface. Just like any end user system, you still have to worry about keeping these devices up to date. It should be noted that Android introduced ASLR in Ice Creme Sandwich (A bit late don't you think?), so update to this version as soon as possible.

rook
  • 46,916
  • 10
  • 92
  • 181