3. Identifying Risks

Risks and Warnings are generated using the Policies and Requirements located in the Policy Manager. Policies and Requirements are automatically assigned to all devices when they are imported, and they are run whenever a change to a network device configuration is identified.

The provided Policies are as follows:

  • NP-Parser Policy – triggers from device configuration files
  • NP Path Policy – triggers from the results of the path analysis
  • NP Rule Policy – triggers from access rules

Policy Management

Policies are broken down into a set of Requirements that are used to identify potential network risks. Clicking on a specific Policy and Requirement displays the details and the Regex logic for that Requirement. Policies and Requirements are global in nature: a change made within one workspace applies to all workspaces. For example, if a Policy, Requirement or Device is deactivated in one workspace, that update applies to all workspaces. Policies and Requirements can be deactivated but not edited or deleted.

Default Policies and Requirements

Policy | Requirement | Risk Severity
NP Parser Policy | Unnecessary EIGRP Network | Low
NP Parser Policy | Broadcast traffic permission | Low
NP Parser Policy | Traffic to multicast group | Low
NP Parser Policy | Empty Field | Low
NP Parser Policy | Unused ACLs | Low
NP Parser Policy | Unused group | Low
NP Parser Policy | Mixed any and not any | Low
NP Parser Policy | Unassigned interface | Low
NP Parser Policy | Missing interfaces | Low
NP Parser Policy | Rule following schedule | Low
NP Path Policy | Any protocol path | Medium
NP Rule Policy | Any to any IP | High
NP Rule Policy | Any source IP | Medium
NP Rule Policy | Any destination IP | High
NP Rule Policy | Any protocol | Medium
NP Rule Policy | Any destination port | Medium

CIS Benchmark

In addition to the NP Policies, portions of the CIS Benchmarks have been provided for several manufacturers. CIS Benchmarks provide a powerful set of secondary policies to help identify risk within your network. CIS Benchmarks are disabled by default and must be manually enabled and assigned to devices. As noted above, changes to Policies, Requirements or Devices apply to all workspaces. CIS Benchmark Policies and Requirements can be deactivated but not edited or deleted.

CIS Benchmark for Check Point

Policy | Requirement | Risk Severity
CIS Benchmark for Check Point | Ensure 'Login Banner' is set | Low
CIS Benchmark for Check Point | Ensure CLI session timeout is set to less than or equal to 10 minutes | Low
CIS Benchmark for Check Point | Ensure Check for Password Reuse is selected and History Length is set to 12 or more | Low
CIS Benchmark for Check Point | Ensure DHCP is disabled | Low
CIS Benchmark for Check Point | Ensure DNS server is configured | Low
CIS Benchmark for Check Point | Ensure Deny access after failed login attempts is selected | Low
CIS Benchmark for Check Point | Ensure Deny access to unused accounts is selected | Low
CIS Benchmark for Check Point | Ensure Disk Space Alert is set | Low
CIS Benchmark for Check Point | Ensure Force users to change password at first login after password was changed from Users page is selected | Low
CIS Benchmark for Check Point | Ensure Host Name is set | Low
CIS Benchmark for Check Point | Ensure IPv6 is disabled if not used | Low
CIS Benchmark for Check Point | Ensure Maximum number of failed attempts allowed is set to 5 or fewer | Low
CIS Benchmark for Check Point | Ensure Minimum Password Length is set to 14 or higher | Low
CIS Benchmark for Check Point | Ensure NTP is enabled and IP address is set for Primary and Secondary NTP server | Low
CIS Benchmark for Check Point | Ensure Password Complexity is set to 3 | Low
CIS Benchmark for Check Point | Ensure Password Expiration is set to 90 days or less | Low
CIS Benchmark for Check Point | Ensure Radius or TACACS+ server is configured | Low
CIS Benchmark for Check Point | Ensure Telnet is disabled | Low
CIS Benchmark for Check Point | Ensure Warn users before password expiration is set to 7 days or less | Low
CIS Benchmark for Check Point | Ensure Web session timeout is set to less than or equal to 10 minutes | Low
CIS Benchmark for Check Point | Logging should be enabled for all Firewall Rules | Low
CIS Benchmark for Cisco

Policy | Requirement | Risk Severity
CIS Benchmark for Cisco | Ensure 'Domain Name' is set | Low
CIS Benchmark for Cisco | Ensure 'Failover' is enabled | Low
CIS Benchmark for Cisco | Ensure 'HTTP session timeout' is less than or equal to '5' minutes | Low
CIS Benchmark for Cisco | Ensure 'Host Name' is set | Low
CIS Benchmark for Cisco | Ensure 'LOGIN banner' is set | Low
CIS Benchmark for Cisco | Ensure 'MOTD banner' is set | Low
CIS Benchmark for Cisco | Ensure 'NTP authentication key' is configured correctly | Low
CIS Benchmark for Cisco | Ensure 'Password Policy' is enabled | Low
CIS Benchmark for Cisco | Ensure 'Password Recovery' is disabled | Low
CIS Benchmark for Cisco | Ensure 'SNMP community string' is not the default string | Low
CIS Benchmark for Cisco | Ensure 'SSH session timeout' is less than or equal to '5' minutes | Low
CIS Benchmark for Cisco | Ensure 'TACACS+/RADIUS' is configured correctly | Low
CIS Benchmark for Cisco | Ensure 'console session timeout' is less than or equal to '5' minutes | Low
CIS Benchmark for Cisco | Ensure 'local username and password' is set | Low
CIS Benchmark for Cisco | Ensure 'logging with timestamps' is enabled | Low
CIS Benchmark for Cisco | Ensure 'logging' is enabled | Low
CIS Benchmark for Cisco | Ensure 'trusted NTP server' exists | Low
CIS Benchmark for Cisco | Ensure ActiveX filtering is enabled | Low
CIS Benchmark for Cisco | Ensure DHCP services are disabled for untrusted interfaces | Low
CIS Benchmark for Cisco | Ensure DOS protection is enabled for untrusted interfaces | Low
CIS Benchmark for Cisco | Ensure Enable Password is set | Low
CIS Benchmark for Cisco | Ensure Java applet filtering is enabled | Low
CIS Benchmark for Cisco | Ensure Logon Password is set | Low
CIS Benchmark for Cisco | Ensure Master Key Passphrase is set | Low
CIS Benchmark for Cisco | Ensure email logging is configured for critical to emergency | Low
CIS Benchmark for Cisco | Ensure explicit deny in access lists is configured correctly | Low
CIS Benchmark for Cisco | Ensure known default accounts do not exist | Low
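To illustrate how a Requirement's Regex logic turns a device configuration into open Risks (as described under Policy Management and in the Cisco table above), here is an added example that is not part of the Network Perception product: it evaluates a handful of hypothetical regex Requirements, modelled on the Cisco rows, against a constructed IOS-style config fragment. The patterns, the `expect_match` convention and the sample config are all assumptions made for this illustration, not the product's own definitions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a small Cisco IOS-style running-config fragment (not a real device).
SAMPLE_CONFIG = """\
hostname edge-fw-01
ip domain-name example.test
snmp-server community public RO
line vty 0 4
 transport input ssh
 exec-timeout 10 0
banner motd ^C Authorized use only ^C
"""

@dataclass(frozen=True)
class Requirement:
    policy: str
    name: str
    severity: str
    pattern: str        # regex evaluated against the whole config with re.MULTILINE
    expect_match: bool  # True: a match means compliant; False: a match is itself the finding

# Hypothetical regex logic for a few Requirements named in the Cisco table (illustrative only).
REQUIREMENTS = [
    Requirement("CIS Benchmark for Cisco", "Ensure 'Host Name' is set", "Low",
                r"^hostname \S+", True),
    Requirement("CIS Benchmark for Cisco", "Ensure 'Domain Name' is set", "Low",
                r"^ip domain-name \S+", True),
    Requirement("CIS Benchmark for Cisco", "Ensure 'MOTD banner' is set", "Low",
                r"^banner motd ", True),
    Requirement("CIS Benchmark for Cisco", "Ensure 'SNMP community string' is not the default string",
                "Low", r"^snmp-server community (public|private)\b", False),
    # exec-timeout is "minutes seconds"; 1-5 minutes is compliant, 0 would mean no timeout at all.
    Requirement("CIS Benchmark for Cisco", "Ensure 'SSH session timeout' is less than or equal to '5' minutes",
                "Low", r"^ exec-timeout [1-5] \d+$", True),
]

def evaluate(config: str, requirements=REQUIREMENTS):
    """Return the Requirements the config fails; each one is an open Risk for the device."""
    findings = []
    for req in requirements:
        matched = re.search(req.pattern, config, re.MULTILINE) is not None
        if matched != req.expect_match:
            findings.append(req)
    return findings

def summarize(findings):
    """Count open Risks per severity, the kind of input a grading step would consume."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts
```

Running `evaluate(SAMPLE_CONFIG)` on the constructed config reports two open Risks: the default SNMP community string and the 10-minute exec timeout.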

Risk Assessment Grading

At any given time, a monitored firewall can have one or more open Risks or Warnings. This information is used by our Grading algorithm to assign each router a letter grade. The quantity, criticality and type of open Risks and Warnings go into the calculation. The grade tells users which devices carry the highest security or compliance risk: the lower the letter grade, the higher the risk.

The grade for each monitored router can be seen by clicking on a router in the topology map and reviewing the Risk Assessment Grading entry on the device menu. Clicking on that menu item displays the details that went into the grade. A depiction of the data flow is as follows:

Next: Reports & Dashboards

Next, please proceed to the Reports & Dashboards section to learn about Network Perception workspace reports. If you have any questions, please don't hesitate to contact support@network-perception.com.
