As the complexity of an enterprise network increases (LAN or WAN), so do its vulnerabilities. Heterogeneous operating systems, each with their own configuration quirks, run myriad devices and applications in a high-speed, highly connected environment. The upshot is a maelstrom of code, with unexpected holes, glitches, and back doors. Oftentimes, network administrators aren’t aware such breaches exist until an intruder uses them to gain unauthorized access to network resources.
Scanning is one way to root out possible weak points in your network. A host of software-based scanning tools are available to probe your network for known vulnerabilities in operating systems, applications, passwords, and so on. In fact, would-be intruders use these tools to scope out a network before attacking, so scanning is also a proactive security measure that lets you find the chinks in your armor before someone else does.
Depending on the level of technical expertise available to you, you’ll have to decide whether to conduct your own scans or hire a scanning service. If you conduct your own scan, you can choose among commercial, open-source, and freeware tools.
Many of the open-source and freeware tools, such as Nmap, are written by hackers. Why would a legitimate administrator use hacker tools? Good question. A good answer is because such products can be highly effective. You may also find it instructive to learn just how intruders go about casing your network. However, commercial software packages perform the same functions and have easy-to-use interfaces and reporting capabilities.
Pings And Ports
A vulnerability scan takes a hacker’s-eye view of your network. Seemingly harmless communication between two machines reveals information pointing to potential vulnerabilities. The scanning tools match this information against a database of exploits to determine which ones may be present on your network.
A vulnerability scan consists of three basic steps. The first is network discovery, which uses the Ping utility to discover active devices on the network. The Ping utility sends Internet Control Message Protocol (ICMP) packets to a target system, looking for a response. A positive response, such as an ICMP ECHO_REPLY (Type 0), means the target is alive. This creates a basic map of live hosts that an intruder can target individually.
The second step is a port scan, which identifies ports in listening mode as well as those that may have exploitable active services. Port scans also identify the operating system on a target, including which service packs or kernel releases have been installed. This information permits an intruder to launch very precise exploits against a target. Be aware that simply finding a listening port doesn’t imply vulnerability. Sometimes, an intruder must follow up with further packet manipulation to tease out potentially damaging information. The sidebar at the end of this tutorial describes several of these techniques.
In the final step, the scanner analyzes the data and generates a report detailing potential vulnerabilities and fixes. Because the report data is so crucial, you’ll want to choose a solution that displays the results clearly and usefully to you. It’s worth your time to review sample reports before buying or using any scanner.
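Because the discovery and port-scan phases described above look the same whether you or an intruder run them, the defender's counterpart is to recognise them in firewall logs. The following is an added example, not code from the original tutorial: it counts, per source address, how many distinct hosts received ICMP echo requests (a sweep) and how many distinct ports were hit on a single host (a port scan). The iptables-style key=value log format, the sample lines and the thresholds are assumptions standing in for your own firewall's output.

```python
"""Detect the discovery and port-scan phases from firewall log lines.
Added example, not code from the original article; the log format
(iptables-style key=value fields), the sample lines and the thresholds
are assumptions."""
import re
from collections import defaultdict

# Constructed sample log: one source pings six hosts (ICMP type 8 = echo
# request) and then probes twelve ports on one of them; a second source
# makes two ordinary connections and must not be flagged.
SAMPLE_LOGS = (
    [f"SRC=10.0.0.50 DST=10.0.1.{n} PROTO=ICMP TYPE=8" for n in range(1, 7)]
    + [f"SRC=10.0.0.50 DST=10.0.1.7 PROTO=TCP DPT={p} FLAGS=SYN" for p in range(20, 32)]
    + ["SRC=10.0.0.9 DST=10.0.1.7 PROTO=TCP DPT=443 FLAGS=SYN",
       "SRC=10.0.0.9 DST=10.0.1.8 PROTO=TCP DPT=22 FLAGS=SYN"]
)

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: TYPE=(\d+))?(?: DPT=(\d+))?")


def parse_line(line):
    """Return a dict for a recognised line, or None for lines in another format."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src, dst, proto, icmp_type, dport = m.groups()
    return {"src": src, "dst": dst, "proto": proto,
            "icmp_type": int(icmp_type) if icmp_type else None,
            "dport": int(dport) if dport else None}


def detect_scans(lines, sweep_hosts=5, scan_ports=10):
    """Flag sources that sent echo requests to at least `sweep_hosts` distinct
    hosts (network discovery) or touched at least `scan_ports` distinct ports
    on one host (port scan).
    Returns {src: {"sweep_hosts": n, "scanned": {dst: n_ports}}}."""
    echo_targets = defaultdict(set)   # src -> hosts that received echo requests
    ports_hit = defaultdict(set)      # (src, dst) -> destination ports touched
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "ICMP" and rec["icmp_type"] == 8:
            echo_targets[rec["src"]].add(rec["dst"])
        elif rec["proto"] in ("TCP", "UDP") and rec["dport"] is not None:
            ports_hit[(rec["src"], rec["dst"])].add(rec["dport"])

    findings = {}
    for src, hosts in echo_targets.items():
        if len(hosts) >= sweep_hosts:
            findings.setdefault(src, {})["sweep_hosts"] = len(hosts)
    for (src, dst), ports in ports_hit.items():
        if len(ports) >= scan_ports:
            findings.setdefault(src, {}).setdefault("scanned", {})[dst] = len(ports)
    return findings


if __name__ == "__main__":
    for src, detail in detect_scans(SAMPLE_LOGS).items():
        print(src, detail)
```

The thresholds are deliberately loose; on a real network you would tune them per segment and add a time window, since a monitoring host that legitimately polls many devices will otherwise look like a sweep.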
Password Crackers
Password auditing software is another assessment tool available to both intruders and administrators. An administrator uses such a tool to audit his users’ passwords to ensure they’re following good password policy. A number of open-source password crackers are available on the Internet, and many commercial security scanners include password auditing.
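The administrator's side of password auditing is checking that passwords actually satisfy the written policy. The following is an added example, not code from the original tutorial or any product it names: it audits a set of accounts against a simple policy (minimum length, character-class mix, a common-password list, and no reuse of the account name). The thresholds and the tiny common-password list are assumptions standing in for a site policy and a real wordlist.

```python
"""Audit passwords against a written password policy.  Added example, not
code from the original article; the policy thresholds and the small
common-password list are assumptions."""
import string

# Constructed stand-in for a real common-password wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Assumed site policy.
POLICY = {"min_length": 12, "min_classes": 3}

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def audit_password(password, username=None, policy=POLICY):
    """Return a list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")

    classes_used = sum(any(c in cls for c in password) for cls in CHARACTER_CLASSES)
    if classes_used < policy["min_classes"]:
        violations.append(f"uses fewer than {policy['min_classes']} character classes")

    lowered = password.lower()
    if any(word in lowered for word in COMMON_PASSWORDS):
        violations.append("contains a common password")

    if username and username.lower() in lowered:
        violations.append("contains the account name")
    return violations


def audit_accounts(accounts):
    """accounts: {username: password}.  Return {username: violations} for
    failing accounts only, so the report lists just what needs attention."""
    report = {}
    for username, password in accounts.items():
        violations = audit_password(password, username)
        if violations:
            report[username] = violations
    return report


if __name__ == "__main__":
    # Constructed sample accounts.
    sample = {"alice": "alice2024!!!!", "bob": "Tr0ub4dor&3xample!", "carol": "Password123"}
    for user, problems in audit_accounts(sample).items():
        print(user, "->", "; ".join(problems))
```

A check like this belongs at the point where passwords are set (the PAM or directory password-change hook), where the plaintext is available; auditing existing accounts, as the tutorial describes, means running a cracker against the stored hashes, because the plaintext is not recoverable from them.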
Scan The Scanners
Before purchasing or downloading the latest and greatest network scanner, take some time to search for tools that will meet your objectives.
A good starting point is to determine the product’s ease of use. If you prefer GUIs to command line interfaces, you’ll likely lean toward commercial products. However, there’s nothing stopping you from using both off-the-shelf and freeware tools.
When choosing a product, make sure it prioritizes vulnerabilities. A full-blown scan may generate an 800-page report filled with hundreds of exploits. Addressing such a gargantuan list will be more manageable if you know which ones must be dealt with immediately.
Be aware that a scan will affect your network’s performance—to what degree depends on the depth of the scan and the number of devices. Schedule your scans when they’re least likely to impact essential business services. Also, look for tools that allow you to target specific systems. You may want to scan particular segments of your network more frequently than others, and there’s no sense in blasting every device you own with resource-consuming packets.
Find out how frequently the vulnerability database is updated. Just like viruses, new exploits appear all the time, so your tools should stay abreast of the latest attacks. That said, there are different ways of listing and counting exploits, so don’t be dazzled by high numbers. Product A may claim to spot 10,000 vulnerabilities while Product B detects 5,000, but this doesn’t mean Product A is a more comprehensive solution.
You may also want to inquire where the vendor gets its vulnerability information. While every vendor makes use of public postings from organizations such as CERT, BugTraq, and the SANS Institute, many also have in-house research teams that alert you to security holes before they’re posted at large.
Clean Sweep
Let’s say you’ve scoured your network from top to bottom. You’ve found the holes, read the reports, and applied the patches. Now your network is one hundred percent secure—at least until an inventive coder discovers an entirely new way to slip packets through your firewalls.
Vulnerability scanning is not a one-time fix. Clever and industrious hackers constantly discover new exploits. In addition, clever and industrious software vendors are constantly releasing new versions of their products; even software that comes fully baked from the shop probably has unforeseen holes, or will interact in unexpected ways with your own network.
The frequency of your scans should depend on your security posture, as well as on the lifecycle of your network devices. If you have a relatively stable architecture with few changes or upgrades, you’ll likely require fewer scans (assuming you patched the holes you discovered the first time around). However, particularly sensitive segments of your network, such as the Demilitarized Zone (DMZ), may warrant more frequent check-ups.
Overall, be prepared to invest a good deal of time both for the scan and the clean-up afterwards. It makes no sense to discover vulnerabilities if you simply ignore them.
Scan And Deliver
In a normal TCP communications sequence, a client machine and server must go through a three-step “handshake” to establish a connection. The client initiates the handshake by sending a SYN packet to the server. If the server is available, it acknowledges the communication with a SYN/ACK packet. Finally, the client sends its own ACK packet and makes a connection.
Intruders can manipulate this handshake sequence to glean essential information based on the server’s response, including misconfigured operating systems or software versions with known vulnerabilities.
TCP Connect scan. This type of scan connects to the target port and completes a full three-way handshake (SYN, SYN/ACK, and ACK). It is easily detected by the target system.
TCP SYN scan. This technique is called half-open scanning because a full TCP connection is not made. Instead, a SYN packet is sent to the target port. If a SYN/ACK is received from the target port, we can deduce that it is in the LISTENING state. If an RST/ACK is received, it usually indicates that the port isn’t listening. An RST/ACK will be sent by the system performing the port scan so that a full connection is never established. This technique has the advantage of being stealthier than a full TCP connect, and it may not be logged by the target system.
TCP FIN scan. This technique sends a FIN packet to the target port. Based on RFC 793 (www.ietf.org/rfc/rfc0793.txt), the target system should send back an RST for all closed ports. This technique usually only works on Unix-based TCP/IP stacks.
TCP Xmas Tree scan. This technique sends a FIN, URG, and PUSH packet to the target port. Based on RFC 793, the target system should send back an RST for all closed ports.
TCP Null scan. This technique turns off all flags. Based on RFC 793, the target system should send back an RST for all closed ports.
TCP ACK scan. This technique maps out firewall rule sets. It helps determine if the firewall is a simple packet filter allowing only established connections (connections with the ACK bit set) or a stateful firewall performing advanced packet filtering.
TCP Window scan. This technique may detect open as well as filtered/non-filtered ports on some systems (for example, AIX and FreeBSD) due to an anomaly in the way the TCP window size is reported.
TCP RPC scan. This technique is specific to Unix systems and detects and identifies Remote Procedure Call (RPC) ports and their associated programs and version numbers.
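The flag combinations in this sidebar are exactly what an intrusion detection rule looks for, and the half-open scan is only distinguishable from a normal connection by what the client sends after the SYN/ACK. The following is an added example, not code from the original tutorial: it classifies Null, FIN, Xmas Tree and out-of-context ACK probes by their flag sets, and tracks the handshake so that a SYN answered by SYN/ACK and then torn down with an RST is reported as a half-open scan while a SYN followed by an ACK is reported as a full connect. The packet records (source, destination, port, flag set) are constructed, and their layout is an assumption.

```python
"""Classify TCP probes by the flag patterns in the sidebar and tell a
half-open (SYN) scan from a full connect.  Added example, not code from the
original article; the packet records are constructed and their layout
(src, dst, dport, set of flags) is an assumption."""

# Flag-only signatures: a packet carrying exactly this flag set and belonging
# to no known connection is a probe of the named type.
FLAG_SIGNATURES = {
    frozenset(): "TCP Null scan",
    frozenset({"FIN"}): "TCP FIN scan",
    frozenset({"FIN", "URG", "PSH"}): "TCP Xmas Tree scan",
}


def classify_flags(flags):
    """Return the scan type implied by the flag set alone, or None."""
    return FLAG_SIGNATURES.get(frozenset(flags))


def analyze(packets):
    """packets: iterable of (src, dst, dport, flags) in arrival order, with
    replies carrying src and dst swapped.  Returns a list of
    (client, server, port, verdict) tuples."""
    state = {}      # (client, server, port) -> "syn" | "synack" | "established"
    verdicts = []
    for src, dst, port, flags in packets:
        flags = frozenset(flags)
        key = (src, dst, port)      # client -> server direction
        rkey = (dst, src, port)     # the same connection seen from the reply
        if flags == {"SYN"}:
            state[key] = "syn"                       # handshake step 1
        elif flags == {"SYN", "ACK"} and state.get(rkey) == "syn":
            state[rkey] = "synack"                   # handshake step 2
        elif state.get(key) == "synack" and "RST" in flags:
            # Client aborted after SYN/ACK: the half-open pattern.
            verdicts.append((src, dst, port, "TCP SYN (half-open) scan"))
            state.pop(key)
        elif state.get(key) == "synack" and flags == {"ACK"}:
            verdicts.append((src, dst, port, "full TCP connect"))
            state[key] = "established"               # handshake step 3
        elif flags == {"ACK"} and key not in state and rkey not in state:
            # Bare ACK with no handshake in either direction: firewall-mapping probe.
            verdicts.append((src, dst, port, "TCP ACK scan probe"))
        else:
            label = classify_flags(flags)
            if label:
                verdicts.append((src, dst, port, label))
    return verdicts


# Constructed capture: one client completes a handshake on port 22, half-opens
# port 80, then sends FIN, Xmas, Null and bare-ACK probes.
SAMPLE_PACKETS = [
    ("10.0.0.50", "10.0.1.7", 22, {"SYN"}),
    ("10.0.1.7", "10.0.0.50", 22, {"SYN", "ACK"}),
    ("10.0.0.50", "10.0.1.7", 22, {"ACK"}),           # full connect
    ("10.0.0.50", "10.0.1.7", 22, {"PSH", "ACK"}),    # data on that connection
    ("10.0.0.50", "10.0.1.7", 80, {"SYN"}),
    ("10.0.1.7", "10.0.0.50", 80, {"SYN", "ACK"}),
    ("10.0.0.50", "10.0.1.7", 80, {"RST"}),           # half-open teardown
    ("10.0.0.50", "10.0.1.7", 25, {"FIN"}),
    ("10.0.0.50", "10.0.1.7", 110, {"FIN", "URG", "PSH"}),
    ("10.0.0.50", "10.0.1.7", 143, set()),
    ("10.0.0.50", "10.0.1.7", 8080, {"ACK"}),
]

if __name__ == "__main__":
    for client, server, port, verdict in analyze(SAMPLE_PACKETS):
        print(f"{client} -> {server}:{port}  {verdict}")
```

The established-connection state is what keeps the ACK-probe rule from firing on every data segment of a legitimate session; drop it and the detector floods you with false positives, which is the usual reason such rules get disabled.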