Slowly but surely, organizations are paying more attention to the security of their networks. As complex as it is crucial, network security typically warrants the attention of a dedicated specialist. However, economic reality forces many companies to add network security to the responsibilities that busy network and systems administrators already shoulder. If you're in this situation, you might be wondering how to maintain security in an environment in which new threats evolve so quickly.
A useful tool that can substantially ease your burden is a network-based vulnerability scanner. This type of scanner uses the network to actively probe other devices and discover security holes. The scanner typically resides on one host, from which it launches probes, collects results, and compares the results with a database of vulnerability fingerprints. In this sense, a vulnerability scanner is similar in function to a virus scanner. A host-based vulnerability scanner's capabilities, however, are more sophisticated and the tool is more introspective, determining whether the host on which it resides complies with established security policy.
From a fairly crowded field of competitors, I looked at three products for scanning heterogeneous networks. These three products were Internet Security Systems' (ISS's) Internet Scanner 6.2, Network Associates' Distributed CyberCop Scanner 2.0 (a new release based on the older CyberCop Scanner 5.5), and Symantec's NetRecon 3.5.
The cost of most commercial vulnerability scanners is substantial. However, you must weigh the purchase price against the potential damage that a compromised network can cause. (You can also find some effective public-domain vulnerability scanners on the Web. For information about one such solution, see the sidebar "Nessus: An Open-Source Option," page 54.)
The first casualties of a successful attack are a company's data, uptime, and reputation. With those concerns in mind, consider the benefits of a vulnerability scanner:
- A vulnerability scanner puts you on even footing with potential intruders. Tools that are functionally equivalent to those that intruders use reveal the same vulnerabilities that intruders recognize and exploit.
- A vulnerability scanner answers the what, where, and how of your network's security vulnerabilities. You discover what the threat is, where it's located, and how you can fix it. (Answers to who and when are better suited to other tools, such as intrusion-detection utilities.) You also need to consider the tool's educational benefit. Good vulnerability scanners provide ample documentation about each vulnerability's nature, as well as links to Web sites that offer further information and fixes. You'll learn a great deal about security as you discover and repair system vulnerabilities. After you're familiar with the pattern of security vulnerabilities, you'll find yourself incorporating your security practices into other areas.
- A vulnerability scanner can help you stay up-to-date on security threats and countermeasures. You'll quickly learn that the flow of new security information on the Web is overwhelming. (For a list of essential security Web sites, see Michael Otey, Top 10, "Security Resources on the Web," November 2001, InstantDoc ID 22556.) The available information increases almost exponentially with each additional network OS you support. To counter this trend, most vulnerability scanners provide a mechanism for regularly updating their vulnerability databases. If the scanner offers any level of automation, you'll be able to reduce the administrative burden of staying current with new security threats, as long as the vendor supplies timely, reliable updates.
Into the Lab
I used several networks and hosts to test the products. I approached the testing from the point of view of an average administrator and used testing criteria based on the value propositions I described earlier. I looked at how well each product discovered and enumerated the what and where of my networks' vulnerabilities and whether the product provided the how of fixing vulnerabilities. I also considered how easy each product was to set up, use, and maintain.
Each product's ease of installation and setup depended on its architecture. As Figure 1 shows, network-based vulnerability scanners generally comprise a scan engine, a vulnerability database, a results database, and an administrative console. Both Internet Scanner and NetRecon install these components on one host, and both products use the Microsoft Jet database engine and Microsoft Access databases to store scan results. This type of combined architecture gives you the advantage of an easy installation. I had NetRecon and Internet Scanner installed and running in minutes. However, such products can create administrative hurdles in large organizations that need to distribute the product across many networks yet maintain central control.
Network Associates has designed CyberCop's architecture for scalability and central administration. The core of CyberCop is a robust scan engine that you can distribute to hosts across your enterprise. For optimal scanning results, the company recommends placing a scan engine on each subnet. The database can use either Microsoft Data Engine (MSDE) or Microsoft SQL Server 7.0 and gives you the flexibility of single or multiple databases that can be centralized or distributed. MSDE is available on the CyberCop CD-ROM.
A big change in this new version of CyberCop is the integration of Network Associates' ePolicy Orchestrator (ePO), an enterprise-management interface originally designed for distributing and managing McAfee antivirus products. Network Associates has incorporated a modified ePO interface that includes CyberCop's enterprise-management console. Figure 2 shows ePO and the Distributed CyberCop Scanner configuration window. You can use ePO to push CyberCop to hosts throughout your enterprise and to schedule jobs, retrieve results, and create reports. However, you need to be aware of a few shortcomings.
CyberCop's distributed architecture requires more time to plan, install, and configure the product. Whereas I installed Internet Scanner and NetRecon in a few minutes, I needed more than an hour to install and configure all the CyberCop components. I was then disappointed to realize that ePO depends on Microsoft's master browse list to locate hosts on the network for distributing the scan engine. Networks that don't use NetBIOS—and Microsoft networking clients that don't use the Server service—are invisible to ePO. This drawback isn't a showstopper because it's a limitation of the management interface rather than the scan engine. However, it hampers your ability to distribute CyberCop without relying on other deployment techniques, such as visiting hosts in person.
|Distributed CyberCop Scanner 2.0|
Contact: Network Associates * 972-308-9960 or 800-764-3337
Price: $23 per node with purchase of 5000 nodes or more
Using the Scanners
My reviews of the products' user experience are mixed. Internet Scanner and NetRecon are both intuitive and easy to use. CyberCop isn't difficult to use but is sometimes frustrating because of its nonintuitive menus and an architecture that doesn't lend itself to trial and error. According to Network Associates engineers, CyberCop's ePO interface isn't so much designed for interactive scanning as for configuring policies that CyberCop runs automatically. As a result, I found myself tapping my fingers while waiting for scan jobs to execute without a way to view realtime progress.
Because CyberCop uses a distributed architecture, the ePO console pushes a scan's details to the scan engine on an adjustable polling interval. After the CyberCop scanning engine gets its orders, it executes them and passes results back to the ePO console in 250KB chunks. When the scan is complete, you can request a report of the results—but you can't reliably predict when the software will run the report. I often had to wait 10 minutes to view the results of a single-host scan that took only 2 or 3 minutes to run.
Both Internet Scanner and NetRecon can launch a scan immediately and update the interface as the scan progresses. If I configured a scan incorrectly in my testing, an error message or a lack of data in the interface's results pane let me realize my mistake immediately.
All three products let you scan a range of hosts based on IP addresses that you manually define or import from a HOSTS file. Each product can also perform a blind inventory of an IP range that you can then use as the basis for a HOSTS file, adding or deleting hosts as you see fit. One complaint: Internet Scanner had an annoying tendency of finding host "ghosts" of systems that I'd long since removed from my network. This problem required that I perform a manual cleanup of the HOSTS file before importing it.
Another important aspect of the user experience is configuring scanning policies. Scanning policies let you define the precise boundaries of your scans. All three products list hundreds of vulnerabilities and attacks in their databases, and all the products let you define filters based on OSs, IP ranges, subnets, services, timers, and more. The ability to customize your scans can save you time and network bandwidth. CyberCop offers extensive policy templates and optional configurations that let you meticulously define a scan. Impressively, CyberCop also lets you query the Windows event log to check for compliance with security or business policies.
All the products also let you create custom policies. Figure 3, page 56, shows Internet Scanner's built-in Policy Editor. The left pane shows the hierarchy of categories and vulnerabilities that the base template includes. The right pane shows a particular vulnerability check's configuration details. The detail is excellent but overwhelming when you consider that this base template lets you define and configure policies for 942 vulnerabilities. Fortunately, each product offers several predefined policy templates that you can use and modify without investing too much time.
Let the Scans Begin
I used each product against hosts on internal networks and hosts residing across a firewall. To test each product's ability to discover common vulnerabilities, I used the SANS Institute's "SANS/FBI Top Twenty Internet Security Vulnerabilities," which is available at http://www.sans.org/top20.htm. These vulnerabilities, which are specific to various versions of Microsoft IIS, include Internet Server API (ISAPI) Extension Buffer Overflows (e.g., the CodeRed exploit), Remote Data Services (RDS) exploits, Unicode Vulnerability (e.g., the Nimda exploit), and existing Common Gateway Interface (CGI) script samples. On my internal domain controllers (DCs) and workstations, I looked for unprotected shares, blank passwords, unauthorized active services, and the capability to connect through null sessions. I also checked out each product's ability to locate potential rogue clients from an inventory of all hosts on the network.
Testing each product's ability to identify threats was more difficult than I anticipated. Each product has a unique method for identifying security vulnerabilities. The reason for these different approaches is that a standard language for identifying and reporting vulnerabilities is only now emerging: MITRE has taken the lead in this development, creating the Common Vulnerabilities and Exposures (CVE) list, which uses a CVE number to catalog security vulnerabilities. The CVE number, which corresponds to a detailed description of the threat, will give the security world a common reference model. Although the vendors of the products I tested advocate CVE, their vulnerability scanners don't yet use CVE numbers as the primary means for identifying threats. Instead, each product uses a proprietary cataloging method while using CVE numbers in its references. Although these differing approaches complicated my attempts to compare scans, they won't be a major problem for you in your everyday operations. However, you'll undoubtedly run into a situation in which identifying a threat will be a hassle.
Each product admirably identified the top security threats on my list, and each recognized the Nimda and CodeRed worms' exploits—and several lesser threats—as high risk. Their interfaces let me easily sort scan results based on the client, the threat, and the threat's severity. All three products identified my non-Windows hosts and the Cisco Systems Cisco 2514 router I used to segment my networks. Each product offered a vulnerability scan specifically for the router and recognized vulnerabilities in the SNMP community names that I'd assigned. All the products dutifully identified vulnerabilities and vulnerability locations.
I was impressed by Internet Scanner's identification of a Cisco Aironet 802.11b Access Point (AP) on my network—as well as the product's determination that the AP didn't have Wired Equivalent Privacy (WEP) encryption enabled. If the product had discovered the same vulnerability on the Dell, Intermec Technologies, and Intel APs I was using, I would have been even more impressed. However, wireless networks are popping up like dandelions, so the presence of any 802.11 devices in Internet Scanner's vulnerability database is worthy of note.
Aside from the importance of identifying real threats, a product's ability to avoid false positives or duplicates is also important. Although I found a few erroneous items in each product's scan results, NetRecon delivered bloated reports most consistently. One common redundancy was multiple listings that showed access gained to the same network resource. After some digging, I discovered that NetRecon's Smart Scan feature—which captures vulnerable passwords and uses them to gain access—would list a vulnerability each time a password successfully opened a share. As the Smart Scan password list grew, so did the duplicate listings on the scan report. Symantec is working on a filter for this problem.
|Internet Scanner 6.2|
Contact: Internet Security Systems * 404-236-2600 or
Price: $999 for 10 IP addresses, plus $200 maintenance fee
Pros: Is very responsive; has smart card capability for more security; provides two Universal Serial Bus ports; documentation is excellent and detailed
Cons: Display is hard on the eyes, even at the same resolution as other devices; has only one serial port; offers no sound support; carries a high price for what you get
All three products handle reports similarly. On their interfaces, NetRecon and Internet Scanner display immediate scan results. The results are temporary until you save them. CyberCop stores its results directly to a database and lets you access them through several predefined reports.
Each product uses Crystal Decisions' Crystal Reports as its report generator. The actions you take to generate and export reports are nearly identical in NetRecon and CyberCop. Both let you view and print reports, and you can save reports to several formats—for example, HTML, Microsoft Word, Microsoft Excel, Comma Separated Value (CSV), and Rich Text Format (RTF). Internet Scanner can export reports in HTML and RTF formats and also offers Adobe Systems' PDF format.Because of the volume of data that vulnerability scans typically generate, expect a few Crystal Reports—generated error messages if you attempt to export a large report to Word or Excel. When I attempted to push Crystal Reports beyond its limits, I received the typical Out of memory error messages.
Because each product uses a common reporting tool, I focused on the resources each product provides for the how of fixing a known vulnerability. Internet Scanner's GUI lets you display and sort vulnerabilities in several ways. You can then right-click a vulnerability to obtain an HTML Help window that describes the vulnerability and offers proposed fixes, a CVE identifier, and links to Web sites that offer related security bulletins. The detail in Internet Scanner's vulnerability definitions and fix procedures is excellent.
NetRecon's vulnerability-fix features are similar to those of Internet Scanner. In the interface, I could double-click a listed vulnerability and obtain detailed information and links to pertinent Web sites. One feature that I found particularly helpful was NetRecon's Path Analysis, which Figure 4 shows. Path Analysis provides a unique display of the thread of actions leading to a vulnerability. This display can give you a new security-dependency perspective that you don't typically get by reading a vulnerability's description or proposed remedy. Thus, you can gain a better grasp of the way security threats can be interconnected rather than isolated and separate.
Whereas the other two products provide immediate scan results, you must rely strictly on CyberCop's report generator for access to vulnerability and fix information. After CyberCop completes a scan, you can customize a report that contains information about how to fix a vulnerability. However, displaying scan results that pair discovered vulnerabilities with details and fix information wasn't an intuitive process. I needed time to learn how to use the report generator to create useful reports. Until I learned the process, I found that CyberCop's Policy Configuration interface was the best place to review detailed information about specific vulnerabilities. CyberCop provided helpful vulnerability details, CVE classification, and links to Web sites that contain security bulletins and patches.
Network-based vulnerability scanners can play a vital role in any security strategy. Although you can't neglect the importance of virus protection, firewalls, and secure policies and practices, you still need a tool to discover your network's vulnerabilities. All three of the products that I evaluated offer enterprise capabilities and can scan multiple OSs. If you administer a Windows-only network, you might want to consider Harris's STAT Scanner or NetIQ's Security Manager. A good network-based vulnerability scanner can help you level the security playing field and can help you sleep better at night—after you fix all the vulnerabilities you find.
Contact: Symantec * 541-345-3322 or 800-441-7234
Price: $1495 for a Single Engagement license; $3995 for a 254-node license; $19,995 for an Unlimited license