From isaca-tulsa.org/meetings.html

Topic: OSI Model from the IT Auditor Perspective

Speaker: Mr. Ben Davies

Date: Thursday, October 23rd, 11:15 to 1:00

Venue: Flemings Prime Steak House - Utica Square

Bio: Ben Davies has been working with computers since 1985 and has been 'doing the Internet' since 1996, when he registered My Little Corner of the Universe (mlcu.com) as the very first commercial customer of the very first Montana-based internet connection company. He has been an independent consultant, has run internet support operations, has managed internet security at a Fortune 200 corporation, and has held other technical and managerial responsibilities. He became a Certified Information Systems Security Professional (CISSP) in 2004 and a Certified Information Systems Auditor (CISA) in 2007, and holds several other certifications.

Posted on 18-Dec-2015



Page 2

OSI Model (Open System Interconnection) and how it can be used by an IT Auditor.

By Ben Davies, CISA, [email protected]

© 2008, all rights reserved

Page 4

Please Do Not Throw Sausage Pizza Away (layers 1 to 7: Physical, Data Link, Network, Transport, Session, Presentation, Application)

All People Seem To Need Data Processing (layers 7 down to 1)

Please Do Not Take Sales People's Advice (layers 1 to 7)

Page 6

The computer and its associated parts, including the pretty applications, live above layer 7 of the OSI model.

Page 8

With every item in every layer there are vulnerabilities.

With every layer there is an opportunity to apply “defense in depth”.

Establishing controls around each layer, and limiting the options within each layer, allows audit to reasonably assess the effectiveness of those controls.

Page 11

Seed Questions - 1

1. If there is stuff above layer 7 is there anything below layer 1?

2. I don’t see how this helps audit/enforce a policy that says no FTP on the network.

3. You implied that services can run under other ports, how do I audit for that?

Page 12

Seed Questions - 2

1. So where does a 'network sniffer' fit into the OSI model?

2. The sniffer shows the entire packet but how do you read it?

3. So what controls do you use to protect against a sniffer?
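A sniffer sits at layer 2: it receives the same frame the network card receives, before any higher layer has stripped its header. Reading that frame means walking the headers in OSI order. The following Python decoder is an added example, not part of the presentation; the frame bytes are constructed for the example (a TCP SYN between two addresses on the slide-16 subnets) and are not a capture from any real network.

```python
"""Read a captured Ethernet frame layer by layer (OSI layers 2, 3 and 4).

A sniffer hands the auditor the raw bytes the NIC saw; this walks those bytes
the way the OSI model stacks them: strip the layer-2 header, hand the rest to
layer 3, strip that header, hand the rest to layer 4. Only IPv4 over Ethernet
and TCP are decoded here.
"""
import struct
from ipaddress import IPv4Address

# Constructed frame for this example (not a capture): a TCP SYN from
# 10.123.15.40:51522 to 10.20.98.15:443. Checksums are left as zero.
FRAME = bytes.fromhex(
    "001122334455"        # L2: destination MAC
    "66778899aabb"        # L2: source MAC
    "0800"                # L2: EtherType 0x0800 = IPv4
    "45000028"            # L3: version 4, IHL 5 (20 bytes), TOS, total length 40
    "00010000"            # L3: identification 1, flags/fragment offset 0
    "40060000"            # L3: TTL 64, protocol 6 (TCP), header checksum 0
    "0a7b0f28"            # L3: source 10.123.15.40
    "0a14620f"            # L3: destination 10.20.98.15
    "c94201bb"            # L4: source port 51522, destination port 443
    "00000001"            # L4: sequence number
    "00000000"            # L4: acknowledgement number
    "5002ffff"            # L4: data offset 5 (20 bytes), flags SYN, window 65535
    "00000000"            # L4: checksum 0, urgent pointer 0
)

TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def mac_str(raw):
    """Render 6 raw bytes as the usual colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def tcp_flag_names(flags):
    """Translate the TCP flag bits into their names, lowest bit first."""
    return [name for name, bit in TCP_FLAG_BITS if flags & bit]


def decode_frame(frame):
    """Return a dict keyed by OSI layer with the fields an auditor reads first."""
    layers = {}

    # Layer 2: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["L2 data link"] = {"src_mac": mac_str(src_mac),
                              "dst_mac": mac_str(dst_mac),
                              "ethertype": f"0x{ethertype:04x}"}
    if ethertype != 0x0800:
        return layers                      # not IPv4: nothing more decoded here

    # Layer 3: 20-byte fixed IPv4 header; IHL gives the real length (options).
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["L3 network"] = {"src": str(IPv4Address(src)),
                            "dst": str(IPv4Address(dst)),
                            "ttl": ttl, "protocol": proto}
    if proto != 6:
        return layers                      # not TCP: stop at layer 3

    # Layer 4: TCP header; the data offset (32-bit words) locates the payload.
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags, _window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    layers["L4 transport"] = {"src_port": sport, "dst_port": dport,
                              "flags": tcp_flag_names(off_flags & 0x3F),
                              "payload_len": len(tcp) - data_off}
    return layers


if __name__ == "__main__":
    for layer, fields in decode_frame(FRAME).items():
        print(layer, fields)
```

Everything from the payload upward (layers 5 to 7) is still in the bytes after `data_off`, which is the point of the third seed question: a sniffer on a segment reads every layer of every frame it sees, so the controls are placed at the layers that deny it those bytes (switched segments and port security at layer 2, and encryption above layer 4 so that what is captured is unreadable).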

Page 14

Seed Questions - 3

1. How does the OSI model help me audit access control devices and network devices?

2. How can I tell where a given device has inserted itself in the OSI model?

3. So how can I audit how they enforce access control policy on the network with access control devices like firewalls, routers and such?

Page 15

Seed Questions - 4

1. If the logs are so important why are they not used more effectively?

2. Do IDS and IPS resolve many of the access control issues?

3. You just showed us how to use the OSI model to audit our way into thinking the network is completely unsecure. Is it really that insecure? . . . Drat.

Page 16

Network diagram (slide 16). Labels recoverable from the figure: Internet Cloud ("The entire Planet connects to this!"); Home User with Router\hub\firewall\cable modem; WAN Link; Firewall; Router; Smart Switch; Patch Panel; Hub or wall plug; Users; 10.123.15.0/24; Utility Network 10.50.60.0/24 with syslog Service; Server Network 10.20.98.0/24 with Server Farm (Application servers, Database etc.).

Page 20

The FUN Stuff; for some

The command prompt is your friend! netstat, ipconfig, arp, ifconfig

Page 21

OSI Layer | Data point            | Unix / MacOS X      | Windows          | Cisco
2         | ARP cache             | arp -a              | arp -a           | show arp
2         | LAN information       | netstat -i          | netstat -e       | show interfaces
2         | Show MAC address      |                     | getmac           |
3         | IP configuration      | ifconfig -a         | ipconfig /all    | show ip config
3         | IP routing table      | netstat -nr         | netstat -nr      | show ip route
4         | Show connections      | netstat -a          | netstat -a (n)   | show tcp
4         | TCP/IP statistics     | netstat -s          | netstat -s       | show interfaces, show ip traffic
4         | Trace hop by hop      | traceroute w.x.y.z  | tracert w.x.y.z  | trace (will be asked for IP)
7         | Check for service     | telnet <port>       | telnet <port>    |
7         | DNS status            | nslookup            | nslookup         |
8         | Show host name        | hostname            | hostname         |
8         | Show logged in users  |                     | net user         |
8         | Show system variables | set                 | set              |
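The layer-4 row "show connections" is where the earlier seed questions about a "no FTP on the network" policy and services running on other ports get answered in practice: collect the listening sockets from each host and compare them against what the policy approves. The Python check below is an added example and is not from the presentation; the `netstat -an` text, the host's approved-port sets and the server address are all constructed for the example.

```python
"""Audit check: flag listening sockets that the network policy does not approve.

Works on the text of `netstat -an` (layer-4 data point in the slide's table).
Comparing against an approved-port list, rather than searching for port 21,
is what catches an FTP daemon that was simply moved to another port.
"""
import re
from dataclasses import dataclass

# Constructed sample output in the Windows `netstat -an` layout; not taken
# from any real host. The addresses reuse the subnets from the slide-16 diagram.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING
  TCP    10.20.98.15:443        10.123.15.40:51522     ESTABLISHED
  UDP    0.0.0.0:514            *:*
"""

# Policy for this (hypothetical) web server: only these ports may accept traffic.
APPROVED_TCP = {80, 443}
APPROVED_UDP = {514}

# One socket line: protocol, local addr:port, foreign addr, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_listeners(text):
    """Return sockets that accept inbound traffic: TCP sockets in LISTENING
    state and every bound UDP socket (UDP carries no connection state)."""
    found = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                           # banner, header or blank line
        proto, addr, port, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                           # established/closing connections
        found.append(Listener(proto, addr, int(port)))
    return found


def audit(text, approved_tcp=APPROVED_TCP, approved_udp=APPROVED_UDP):
    """Return the listeners the policy does not cover, in the order seen."""
    findings = []
    for sock in parse_listeners(text):
        allowed = approved_tcp if sock.proto == "TCP" else approved_udp
        if sock.port not in allowed:
            findings.append(sock)
    return findings


if __name__ == "__main__":
    for sock in audit(SAMPLE_NETSTAT):
        print(f"unapproved listener: {sock.proto} {sock.addr}:{sock.port}")
```

On the constructed sample this reports TCP 21 and TCP 2121; the established connection on 443 and the approved syslog listener on UDP 514 are not findings. What the check cannot tell you is which service is behind port 2121, because netstat stops at layer 4: identifying it is the layer-7 row of the table (`telnet <port>` and reading the banner), which is why the two data points are audited together.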