How Vulnerable Is Your Network?
According to an old adage, “it takes a thief to catch a thief.” The guiding tenet behind the expression is that a thief knows best how a thief thinks and acts. The same basic premise applies to hackers, crackers and malicious code writers. By viewing your network from the offender’s perspective, vulnerability scanners aim to detect where your network is most susceptible to infiltration.
Vulnerability scanners level the playing field by giving you the same vantage point as the malicious code writer or hacker. Intruders rely on readily available tools and schemes to uncover the system’s weak points. Those same tools and techniques are equally available to your own security team. The precise locations of your network security vulnerabilities can first be laid bare and subsequently corrected. In other words, a vulnerability scanner will play devil’s advocate and alert you as to where you are most vulnerable before a hacker or malicious code can do the same.
In order to plug security holes, you need to know where they exist. Today’s vulnerability scanners go beyond simple “patch management” and actually search for misconfigured applications and network components. In addition to looking out for outdated applications, unused open ports and other potential security holes, they’ll also seek out applications or services that are enabled by default, yet may not be needed (such as the UDP ECHO on Windows NT).
Traditionally, network security scanners tend to concentrate solely on the services “listening” on the network. However, with malicious code propagating (thanks to flaws in mail clients or Web browsers), this concept of security is becoming outdated. Enter a freeware product called Nessus. According to its Web site, Nessus is the only security scanner that is able to detect not only the remote flaws of the hosts on your network, but also local flaws and missing patches, whether you’re running Windows, Mac OS X or a UNIX system. Nessus can run on a single CPU with low memory all the way up to a multi-CPU with gigabytes of RAM. (The more hardware resources offered to Nessus, the faster it can scan your network.) For more information or to download a copy, visit www.nessus.org.
For our Windows-only brethren, there’s GFI’s LANguard Network Security Scanner (N.S.S.). More than a vulnerability scanner, LANguard N.S.S. is both a security scanning and patch management product. According to Angelica Micallef Trigona of GFI, LANguard N.S.S. checks for possible security vulnerabilities by scanning your entire network for missing security patches, service packs, open shares, open ports, unused user accounts and more. With this information (displayed in customizable reports), you can easily lock down your network. GFI LANguard N.S.S. also can remotely deploy missing patches and service packs in applications and operating systems. GFI LANguard N.S.S. also includes a fast TCP/IP and UDP port-scanning engine, allowing you to scan your network for unnecessary open ports. This product even comes in a “scaled down” limited freeware version, if a “no-frills” product is all you need. For additional information, visit www.gfi.com.
With another handy freeware tool for Windows users, Microsoft offers a streamlined method of identifying common security misconfigurations in the form of a free download called Microsoft Baseline Security Analyzer (MBSA). MBSA runs on Windows 2000, Windows XP and Windows Server 2003 systems, and scans for common system misconfigurations. For more information, visit www.microsoft.com/technet/security/tools/mbsahome.mspx.
While they’re not available free of charge, there are several other popular “industrial strength” network vulnerability scanners you might also want to consider:
- SAINT by SAINT Corp. (www.saintcorporation.com).
- Internet Scanner by Internet Security Systems (www.iss.net).
- Retina by eEye Digital Security (www.eeye.com).
The bottom line is, any good vulnerability scanner will provide a detailed analysis about each vulnerability’s nature and provide links to Web sites that offer additional information and fixes. In the end, you’ll be surprised at the amount you’ll learn about system security when you attempt to locate and repair your system vulnerabilities. After you’re familiar with the pattern of security vulnerabilities, you’ll find yourself incorporating your newfound technical prowess in other areas of network security as well.
Douglas Schweitzer, A+, Network+, i-Net+, CIW, is an Internet security specialist and the author of “Securing the Network From Malicious Code” and “Incident Response: Computer Forensics Toolkit.” He can be reached at firstname.lastname@example.org.