Put yourself on equal ground with potential intruders
Slowly but surely, organizations are paying more attention to the security of their networks. As complex as it is crucial, network security typically warrants the attention of a dedicated specialist. However, economic reality forces many companies to add network security to the responsibilities that busy network and systems administrators already shoulder. If you're in this situation, you might be wondering how to maintain security in an environment in which new threats evolve so quickly.
A useful tool that can substantially ease your burden is a network-based vulnerability scanner. This type of scanner uses the network to actively probe other devices and discover security holes. The scanner typically resides on one host, from which it launches probes, collects results, and compares the results with a database of vulnerability fingerprints. In this sense, a vulnerability scanner is similar in function to a virus scanner. A host-based vulnerability scanner, by contrast, is more sophisticated and more introspective: it determines whether the host on which it resides complies with established security policy.
From a fairly crowded field of competitors, I looked at three products for scanning heterogeneous networks. These three products were Internet Security Systems' (ISS's) Internet Scanner 6.2, Network Associates' Distributed CyberCop Scanner 2.0 (a new release based on the older CyberCop Scanner 5.5), and Symantec's NetRecon 3.5.
Determining Value
The cost of most commercial vulnerability scanners is substantial. However, you must weigh the purchase price against the potential damage that a compromised network can cause. (You can also find some effective public-domain vulnerability scanners on the Web. For information about one such solution, see the sidebar "Nessus: An Open-Source Option," page 54.)
The first casualties of a successful attack are a company's data, uptime, and reputation. With those concerns in mind, consider the benefits of a vulnerability scanner:
- A vulnerability scanner puts you on even footing with potential intruders. Tools that are functionally equivalent to those that intruders use reveal the same vulnerabilities that intruders recognize and exploit.
- A vulnerability scanner answers the what, where, and how of your network's security vulnerabilities. You discover what the threat is, where it's located, and how you can fix it. (Answers to who and when are better suited to other tools, such as intrusion-detection utilities.) You also need to consider the tool's educational benefit. Good vulnerability scanners provide ample documentation about each vulnerability's nature, as well as links to Web sites that offer further information and fixes. You'll learn a great deal about security as you discover and repair system vulnerabilities. After you're familiar with the pattern of security vulnerabilities, you'll find yourself incorporating your security practices into other areas.
- A vulnerability scanner can help you stay up-to-date on security threats and countermeasures. You'll quickly learn that the flow of new security information on the Web is overwhelming. (For a list of essential security Web sites, see Michael Otey, Top 10, "Security Resources on the Web," November 2001, InstantDoc ID 22556.) The available information increases almost exponentially with each additional network OS you support. To counter this trend, most vulnerability scanners provide a mechanism for regularly updating their vulnerability databases. If the scanner offers any level of automation, you'll be able to reduce the administrative burden of staying current with new security threats, as long as the vendor supplies timely, reliable updates.
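The probe-collect-compare loop described above, together with the what/where/how report and the database-update mechanism, can be sketched in a few lines. This is an added illustration, not code from any of the reviewed products; the fingerprint entries, banners, hosts, advisory URLs and update feed are all constructed placeholders, and the update is accepted only when its SHA-256 matches a value the vendor would publish alongside it.

```python
import hashlib
import json

# Constructed fingerprint database. IDs, product names and URLs are placeholders,
# not real advisories; the "what"/"how" fields are what the report shows.
FINGERPRINTS = {
    "EXAMPLE-0001": {"match": "ExampleFTPd/1.0",
                     "what": "FTP daemon at a version the database flags",
                     "how": "upgrade to 1.1; https://example.invalid/adv/0001"},
    "EXAMPLE-0002": {"match": "ExampleHTTP/2.2 (debug)",
                     "what": "web server running with debug mode on",
                     "how": "disable debug mode; https://example.invalid/adv/0002"},
}

# Constructed probe results (host, port, banner) standing in for what the scan
# engine would collect over the network; embedded so the example runs offline.
PROBE_RESULTS = [
    ("10.0.0.5", 21, "220 ExampleFTPd/1.0 ready"),
    ("10.0.0.5", 80, "Server: ExampleHTTP/2.2 (debug)"),
    ("10.0.0.9", 80, "Server: ExampleHTTP/2.3"),
    ("10.0.0.9", 22, "SSH-2.0-ExampleSSH_5.1"),
]

def match_fingerprints(results, db):
    """Compare collected banners with the database; emit what/where/how."""
    findings = []
    for host, port, banner in results:
        for vid, fp in db.items():
            if fp["match"] in banner:
                findings.append({"id": vid, "what": fp["what"],
                                 "where": f"{host}:{port}", "how": fp["how"]})
    return findings

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def apply_update(db, payload: bytes, expected_sha256: str):
    """Merge a vendor update only if its SHA-256 matches the published value.
    A tampered or corrupted update leaves the database unchanged."""
    if digest(payload) != expected_sha256:
        return dict(db)
    merged = dict(db)
    merged.update(json.loads(payload))
    return merged

# Constructed update adding one entry; a real feed would come from the vendor.
UPDATE = json.dumps({"EXAMPLE-0003": {"match": "ExampleSSH_5.1",
                                      "what": "SSH server version the update flags",
                                      "how": "upgrade to 5.2; https://example.invalid/adv/0003"}}).encode()

if __name__ == "__main__":
    db = apply_update(FINGERPRINTS, UPDATE, digest(UPDATE))
    for f in match_fingerprints(PROBE_RESULTS, db):
        print(f"{f['id']} at {f['where']}: {f['what']} -> {f['how']}")
```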
Into the Lab
I used several networks and hosts to test the products. I approached the testing from the point of view of an average administrator and used testing criteria based on the value propositions I described earlier. I looked at how well each product discovered and enumerated the what and where of my networks' vulnerabilities and whether the product provided the how of fixing vulnerabilities. I also considered how easy each product was to set up, use, and maintain.
Each product's ease of installation and setup depended on its architecture. As Figure 1 shows, network-based vulnerability scanners generally comprise a scan engine, a vulnerability database, a results database, and an administrative console. Both Internet Scanner and NetRecon install these components on one host, and both products use the Microsoft Jet database engine and Microsoft Access databases to store scan results. This type of combined architecture gives you the advantage of an easy installation. I had NetRecon and Internet Scanner installed and running in minutes. However, such products can create administrative hurdles in large organizations that need to distribute the product across many networks yet maintain central control.
Network Associates has designed CyberCop's architecture for scalability and central administration. The core of CyberCop is a robust scan engine that you can distribute to hosts across your enterprise. For optimal scanning results, the company recommends placing a scan engine on each subnet. The database can use either Microsoft Data Engine (MSDE) or Microsoft SQL Server 7.0 and gives you the flexibility of single or multiple databases that can be centralized or distributed. MSDE is available on the CyberCop CD-ROM.