All
One of the techniques to counter the advancement of malware within servers, network devices etc. is to use "Characterisation". "Characterisation" is a synonym for "unique identifier".
This is typically applied to an operating system, programme, library or other programmatic element in the form of a checksum which can be calculated from a “known good” component and stored for comparison should there be any concern that components have been damaged or compromised.
Forensic methods may also provide characterisation indicators but are likely to require additional levels of expertise.
Application Whitelisting is defined as:
An approach in which all executables and applications are prevented from executing by default, unless explicitly permitted.
So okay, I can apply Characterisation to authorised download sites from vendors and check them with MD5 or SHA512 hashes and I can create baselines for authorised Operating Systems, and other applications etc.
Servers - I can use both Open Source, and Vendors solutions from CFEngine, Carbon Black, Trip Wire for various operating systems - Microsoft Windows uses Applocker etc.
But how does one do the same with Network Devices:
Types traditional network devices - firewall, routers, switches etc
Then how about Virtual network devices, and then think about - how do you apply it to Network Functional Virtualisation?
I am looking for practical suggestions, as a practical framework to manage these.
I have looked at the NIST guidance, and Australian Security Directorate approaches as well.
Suggestions please?
Regards
Caute_cautim
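The "known good" baseline-and-compare approach described above, as an added example (not code from the original poster or from any vendor named in the thread): it characterises every file under a directory with SHA-512, stores the result as JSON, and later reports what was modified, removed or added. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

def sha512_file(path, chunk=1 << 16):
    """Hash a file in chunks so a large firmware image need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Characterise every regular file under root: relative path -> SHA-512 hex digest."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha512_file(full)
    return baseline

def verify(root, baseline):
    """Compare the current state of root against a previously stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed sample: a fake 'known good' tree, then the same tree after tampering."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "firmware.img"), "wb") as f:
        f.write(b"vendor firmware image (constructed)")
    with open(os.path.join(root, "startup-config"), "w") as f:
        f.write("hostname edge-fw-01\n")
    baseline = build_baseline(root)
    saved = json.dumps(baseline)  # in practice, keep this on a separate, protected host
    # simulate damage: firmware altered, config deleted, unknown binary appears
    with open(os.path.join(root, "bin", "firmware.img"), "ab") as f:
        f.write(b"tampered")
    os.remove(os.path.join(root, "startup-config"))
    with open(os.path.join(root, "bin", "rogue"), "wb") as f:
        f.write(b"not part of the SOE")
    return verify(root, json.loads(saved))
```

The baseline is only as trustworthy as the host it is stored on and the channel it was fetched over, which is why the later replies stress starting from a trusted platform.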
> Caute_cautim (Contributor III) posted a new topic in Tech Talk on 09-19-2018
> One of the techniques to counter the advancement of malware within
> servers, network devices etc is to use "Characterisation"
> “characterisation” is a synonym for “unique identifier”.
Another name for it is signature, and it is used in a wide variety of applications in security.
> This is
> typically applied to an operating system, programme, library or other
> programmatic element in the form of a checksum which can be calculated from a
> “known good” component and stored for comparison should there be any concern
> that components have been damaged or compromised.
Checksum, CRC, parity bit, hash, signed hash, or even just "existence at a known good state." Change detection was one of the original three antiviral technologies Fred Cohen identified in his original work back in 1983. As well as change detection, it was often known as integrity checking, although I always felt that name promised more than it actually delivered. (See "Authenticode.")
Despite the name, I always felt Integrity Master was a very effective change detection program for applications. My favourite, though, was DiskSecure, which checked the operating system and initial load, was extremely simple, and worked to secure the platform in a wide variety of dangerous situations. (It once saved my bacon when I was reviewing a not very good antivirus and security program.)
> Application Whitelisting is defined as: An approach in which
> all executables and applications are prevented from executing by default, unless
> explicitly permitted. So okay, I can apply Characterisation to authorised
> download sites from vendors and check them with MD5 or SHA512 hashes and I can
> create baselines for authorised Operating Systems, and other applications etc.
> Servers - I can use both Open Source, and Vendors solutions from CFEngine,
> Carbon Black, Trip Wire for various operating systems - Microsoft Windows uses
> Applocker etc. But how does one do the same with Network Devices:
Basically, on every device you have to start with a trusted platform (a realistically trusted platform, not just something with "TP" in the name), and do the initial check, and subsequent checks, locally. This can be backed up across the net for reporting and comparison for additional security, but you do have to engage additional safeguards to secure the communications.
Microsoft once tried to do it the quick and cheap way with Authenticode. Authenticode used digital signing (by the author) of code, but a) didn't actually guarantee that the code was safe (see "Internet Exploder"), and b) didn't make any provision for certificate revocation. By the time Microsoft lost two signing key certificates, Authenticode was already seen as weak, and thereafter lost all credibility.
> Types
> traditional network devices - firewall, routers, switches etc Then how about
> Virtual network devices, and then think about - how do you apply it to Network
> Functional Virtualisation? I am looking for practical suggestions, as a
> practical framework to manage these. I have looked at the NIST guidance, and
> Australian Security Directorate approaches as well. Suggestions please?
Well, note as above.
Hi @rslade
Thank you for the historical perspective. However, my research points to, for example (not citing vendors in particular, but their approaches), the following. I am actively researching solutions at the moment, hence the thread.
1) Juniper has a command line enhancement, tied together with Skytap due to the Intel Spectre and Meltdown issues, which is quite imaginative - but checking whether this is actually sufficient for Application Whitelisting validation purposes.
2) Cisco has Meraki and Umbrella approaches, which means additional services to be applied.
And this is for starters, so looking for good practical suggestions.
Regards
Caute_cautim
You are a joy to behold, @rslade. Okay, I have a scenario in which to prove to an auditor that Application Whitelisting has been applied to Network Devices to satisfy a government mandated control.
No sales, just plain commonsense approach required to satisfy the auditor, against the mandated control.
What is a practical means to do this, given my original scenario?
Cheers
Caute_cautim
Okay, I will work through this as a solution design, and report back on my findings.
I think others will have similar experiences in the future, so it could act as a good reference.
Regards
Caute_cautim
I have a scenario in which to prove to an auditor the Application White-listing has been applied to Network Devices to satisfy a government mandated control.
Perhaps the auditor is equating "white-listing" with validating against a list of "authorized applications/versions". Maybe you could gather the output of "show version" from each router and demonstrate that the operating system version is within your allowed range.
In other words, you would be demonstrating effectiveness of your patching program as opposed to looking for indicators of compromise.
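The "show version" check suggested above, as an added example (not code from the poster): it parses the version line from each device's output, looks the image family up in an approved-version catalogue standing in for the SOE, and marks each device approved, not approved, or unparsed for the audit report. The device names, output fragments and approved versions are constructed, not taken from real devices.

```python
import re

# Constructed "show version" fragments (IOS first line; Junos header lines), not real captures.
SAMPLE_OUTPUT = {
    "core-rtr-01": "Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(2)SE11, RELEASE SOFTWARE (fc3)",
    "edge-sw-07": "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc2)",
    "dc-fw-02": "Hostname: dc-fw-02\nModel: srx345\nJunos: 18.2R1.9",
}

# Stand-in for the SOE catalogue: image family -> versions approved for deployment.
SOE = {
    "C3750-IPSERVICESK9-M": {"15.0(2)SE11", "15.0(2)SE12"},
    "C2960-LANBASEK9-M": {"15.0(2)SE11"},
    "JUNOS/srx345": {"18.2R1.9"},
}

IOS_RE = re.compile(r"\((?P<image>[A-Z0-9-]+)\), Version (?P<version>[^,\s]+)")
JUNOS_RE = re.compile(r"Model: (?P<model>\S+).*?Junos: (?P<version>\S+)", re.S)

def parse_show_version(text):
    """Return (image_family, version), or None when the output is not recognised."""
    m = IOS_RE.search(text)
    if m:
        return m.group("image"), m.group("version")
    m = JUNOS_RE.search(text)
    if m:
        return "JUNOS/" + m.group("model"), m.group("version")
    return None

def assess(outputs, soe):
    """Map each device to (status, image_family, version) for the audit evidence."""
    report = {}
    for host, text in outputs.items():
        parsed = parse_show_version(text)
        if parsed is None:
            # unparsed output is itself a finding: the device cannot be shown to be in the SOE
            report[host] = ("unparsed", None, None)
            continue
        image, version = parsed
        status = "approved" if version in soe.get(image, set()) else "not-approved"
        report[host] = (status, image, version)
    return report

if __name__ == "__main__":
    for host, row in sorted(assess(SAMPLE_OUTPUT, SOE).items()):
        print(host, *row)
```

This demonstrates version conformance to the SOE, which is the patching evidence the reply describes; it says nothing about whether the image itself is intact, which is the separate checksum comparison from the original post.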
@denbesten Some good points. This is the public link to the New Zealand Government policy; it is online.
https://www.nzism.gcsb.govt.nz/
If you do a search on Application Whitelisting, up pops the required controls.
14.2.4.C.01 Agencies SHOULD implement application whitelisting as part of the SOE for workstations, servers and any other network device.
They relate it to the Standard Operating Environment (SOE); the glossary defines it as:
A standardised build of an operating system and associated software that is deployed on multiple devices. An SOE can be applied to servers, workstations, laptops and mobile devices.
Now don't fall into the trap of thinking that SHOULD is "optional", it means recommended practice.
However, because it is online, they tend to update on the fly from time to time.
I have asked the authority what is acceptable for a network device - awaiting a response.
I will check with the Australian equivalent to see what their interpretation is as well for cross reference purposes.
This is a work in progress.
Regards
Caute_Cautim
If your network devices are supplied by one of the "big guys" that routinely play in the enterprise market (Cisco, Juniper, Palo Alto, Checkpoint, etc), you might also consider discussing the concern with your sales rep or their sales engineer.