avls notes updated


Upload: jay-kay

Post on 27-Dec-2015


Page 1: AVLS Notes Updated

2845 BRISTOL CIRCLE, OAKVILLE, ONTARIO L6H 7H7

IT Security Proc. #:

Description AVLS Security Overview Revision #: 2 0 Page: 1 of 5

AVLS Security Overview

Risk Category: Spoofing of UDP Packets

With the Verizon GX440 modems there is a potential for a hacker to eavesdrop on communication, or to pose as the source of information, by intercepting and manipulating data. This is due to the UDP communication protocol used by the modems.

Vulnerability: Use of UDP packets in Verizon network GX440 modems

Risks: The risk is interception of data traffic from the modems, with potential for eavesdropping or manipulation of data.

Probability: Low

The probability of occurrence is low because the modems are on a private Verizon network and because of the mitigations listed below.

Mitigation:

1. Adds, moves and changes to the modem pool on the AVLS private modem network with Verizon are controlled through limited user access to add, move or change devices. The AVLS network is a Liberty account that only Liberty private modems can be on. All changes are tracked in the Verizon systems.

2. Static IPs are used for all modems, and therefore adding a device requires the issuance of an IP by Verizon. Just a side note: we control the issuance of IPs. Verizon has just given us an IP pool (10.202.0.0/16). We should be controlling on the firewall which IPs are allowed.

3. Port filtering is used on the modems.

4. AVLS does not contain customer information.

5. Exposure is limited to the AVLS system and the private AVLS Verizon network. This is controlled through a private VPN network to Verizon from Liberty, firewall protection with a DMZ zone for the AVLS server only, and access controls and lists that limit access to the AVLS server by specific address and port. Also, just an FYI: the parent (metering) and child VPNs are also firewalled.
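The address and port controls described in mitigations 2, 3 and 5, shown as an added example that is not part of the original document: it classifies flow records the way an allowlist rule set would, and separates in-pool addresses that were never issued from traffic outside the pool. Only the 10.202.0.0/16 pool comes from the page; the issued addresses, server address, port and log format are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

POOL = ipaddress.ip_network("10.202.0.0/16")  # modem pool named on the page

# Assumptions constructed for this example (not from the page):
ISSUED = {ipaddress.ip_address(a) for a in ("10.202.4.17", "10.202.4.18", "10.202.9.3")}
AVLS_SERVER = ipaddress.ip_address("192.0.2.10")  # documentation-range address
AVLS_PORT = 5005                                   # hypothetical listener port

LINE = re.compile(
    r"^(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def classify(line):
    """Return the verdict an allowlist rule set would give one flow record."""
    m = LINE.match(line.strip())
    if not m:
        return "drop:malformed"
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return "drop:malformed"
    if m["proto"] != "udp" or dst != AVLS_SERVER or int(m["dport"]) != AVLS_PORT:
        return "drop:port-filter"
    if src not in POOL:
        return "drop:outside-pool"
    if src not in ISSUED:
        # In the pool but never issued: an untracked add or a forged source.
        return "drop:unissued-pool-address"
    return "accept"

def summarize(lines):
    """Count verdicts so unissued-address hits stand out for review."""
    return Counter(classify(l) for l in lines)

SAMPLE = [  # constructed flow records
    "udp 10.202.4.17:40112 -> 192.0.2.10:5005",
    "udp 10.202.77.1:40112 -> 192.0.2.10:5005",
    "udp 198.51.100.7:53000 -> 192.0.2.10:5005",
    "udp 10.202.4.18:40113 -> 192.0.2.10:3389",
    "tcp 10.202.9.3:40114 -> 192.0.2.10:5005",
    "udp 10.202.4.999:1 -> 192.0.2.10:5005",
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{classify(rec):28} {rec}")
```

An "accept" verdict only shows that the claimed source is on the allowlist; UDP has no handshake, so the source address by itself does not prove which device sent the datagram.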

Recommendations:

1. IT Security recommends installing an HID/PS (Host-Based Intrusion Detection/Protection System) on the AVLS server in the DMZ.

2. In future, the AVLS application should use the TCP protocol, not UDP, to secure the data transmission.

Liberty Utilities


3. When selecting a new AVLS system, Liberty must include a security review of the product choices.

Optional: As per the current vendor, TransCor, the C code on the existing GX440 modems will have to be recompiled to accommodate TCP traffic.

Risk Category: Hardening of All Computing Devices

Vulnerability: Devices are susceptible to potential Internet attacks if not protected.

Risks: Devices can be compromised if not hardened; vulnerability exposure is greater on systems that do not have hardening enforced.

Probability: Low

Recommendations: Harden all devices within the network following standards such as NIST and/or Ci-security.

Risk Category: Database Security Protection

Vulnerability: The database could potentially be breached from DMZ access.

Risks: Database security applications protect and provide an additional layer of security, which is different from hardening the database.

Probability: Medium

Recommendations: Purchase a database security application to provide additional security protection for machines exposed to Internet traffic.

Risk Category: Sessions not encrypted; client does a read only during sessions

Risks: Sessions can be viewed at points of the network before and after the VPN tunnel is terminated.

Probability: Low


Recommendations: Harden the server and endpoint devices, and ensure Host Intrusion (Detection, Protection) and Network Intrusion (Detection, Protection) Systems are in place.

Risk Category: No Host-Based Intrusion Detection and/or Protection Systems

Risks: Without Host-Based Intrusion Detection and/or Protection Systems, the IT department will have limited visibility into who, what, when and why issues happen. Some host-based protection systems also do not allow any changes to be made on a host, for added protection.

Probability: Low

Recommendations: Purchase Host-Based Intrusion Detection and/or Protection Systems to provide value-added protection for computing systems located in the DMZ or interfacing with DMZ traffic.

Risk Category: No SQL Server policy to enforce password changes

Risks: The SQL Servers do not have policy enforcement to protect the identity of the user authenticating to the SQL database. Users should be prompted to change their passwords on a regular basis.

Probability: Medium

Recommendations: Enforce a password policy that prompts users to change their passwords on a regular basis.

Risk Category: Citrix servers do not use two-factor authentication

Risks: The Citrix farm uses only single-factor authentication for authenticating users. With single-factor authentication, if a potential attacker obtains the primary password, this can cause a breach in security.

Probability: Medium

Recommendations:


Enforce two-factor authentication on the Citrix farm for more value-added security.

Risk Category: Vulnerability Scans

Risks: Currently the IT Department does not have a vulnerability scanner to test applications, servers and networks for vulnerabilities.

Probability: High

Recommendations: Purchase a vulnerability scanner to ensure a higher degree of security within the environment.

Risk Category: VMware ESX Server architecture

Risks: The virtual environment poses security problems that traditional network security tools such as physical IDS/IPS and firewall appliances cannot solve.

Probability: Medium

Recommendations: Reflex VMC provides insight into the virtual infrastructure that is not accessible to physical solutions. Reflex leverages VMsafe-compatible vTrust technology to provide security controls by integrating firewall, deep packet inspection, reporting and change control into a complete virtual security solution.

Reflex vTrust Security enables:

- Monitor and secure network communications
- Troubleshoot security issues in minutes instead of hours
- Segment and partition the virtual environment for ease of management
- Aggregate and correlate security events with performance impact
- Manage security compliance and audit requirements
- Simplify security policy management and enforcement

Purchase and/or evaluate the Reflex Systems solution to ensure a higher degree of security within the environment.
