dgillette
Newcomer I

Kali Linux in the Enterprise

Anyone have any thoughts about how Kali Linux should be deployed in an Enterprise environment?

  1. Permanent install on HD
    1. Advantage: Work is saved between boots
    2. Disadvantage: Entire reinstall is required for fresh copy
  2. Live boot from USB
    1. Advantage: Fresh install on each boot. Nothing is saved to HD. USB can be easily locked away or destroyed.
    2. Disadvantage: Work is not saved between boots
  3. VM on Windows server
    1. Advantage: Can be destroyed between client assessments
    2. Disadvantage: Wireless testing not possible without external antenna. Windows is (arguably) less secure than Linux.

  1. Access control
    1. MFA
    2. PAM
    3. IPTABLES
  2. Physical segmentation
    1. <how/where will the laptop be secured?>
  3. Logical segmentation
    1. No access to internet except for upgrades
    2. Static IP
    3. Do not join to the company domain
  4. Security
    1. Full Disk Encryption
    2. System files verification checks
    3. Disable all external network services unless needed (disabled by default). Disable when no longer needed.
  5. User qualifications
    1. <certifications?>
  6. Availability
    1. Only connected to the network when in use
      1. Advantage: Not available to be used for nefarious purposes
      2. Disadvantage: Remote staff shut out if on-site staff unavailable
    2. Connected to the network at all times
      1. Advantage: Available for staff to use whenever needed
      2. Disadvantage: Available to be used for nefarious purposes
  7. Logging
    1. Log all user activities and processes to Splunk
    2. Alert on all user activity. Throttle for estimated duration of work if authorized.

12 Replies
Da
Newcomer II

I doubt the "should".

IMHO it is a question of the risk models your company uses.

For me, Kali is a useful pack of UNTRUSTED tools (penetration testing etc.).

Ergo: use it only in dirty (untrusted) areas.

Useful in external penetration/vulnerability testing.

Can be used in some external audit scenarios.

Results are exported as text/XML files and used in trusted systems.

Baechle
Advocate I

David,

I read some of the back and forth with other folks in the discussion and I have a few suggestions and comments.

SUGGESTION: You're connected through a VPN. Can your design incorporate running Kali from your location across the VPN (other than, say, running NMAP from different physical locations on the network)? That alleviates having the test system permanently deployed on-site, and making the client responsible for connecting and securing it.

COMMENT(S):

There is nothing "wrong" with using Kali. It's an "easy button" of sorts, comes with a significant amount of professionally published literature on its responsible use, and is the basis of the OSCP qualification. I would be more likely to run Kali and spend time customizing it as a single source for penetration testing on its own firewall burb, VLAN, etc. than purpose-building 30 different systems and then turning around and having to audit 30 separate systems.

The tools that Kali provides academically increase the attack surface, much in the same way that professionals have been chanting about how longer passwords academically increase the security of login credentials. For someone to use your Kali deployment, you've technically already lost the enterprise before the attacker even finds your deployment. If the person is on the outside, then they would have had to breach nearly every control out there (firewall, VPN, access control, etc.) and move laterally through several systems and networks to reach your Kali deployment - and likely could have just as easily installed the tools themselves. If the person is on the inside with access to Kali, well... Cue Chopin's Funeral March.

Sincerely,

Eric B.

CISOScott
Community Champion

Also something to keep in mind: if someone has physical access to the box, changing the root password is not hard without signing in. A previous CISO left his Kali machine here with no password given to me. Within 30 seconds I had reset the root password to something of my choosing.

So don't count on authorized users being the only ones able to access this box.