Intrusion Detection: Network Security Beyond the Firewall: Vulnerability Scanners

Intrusion Detection: Network Security beyond the Firewall


(Publisher: John Wiley & Sons, Inc.)

Author(s): Terry Escamilla

ISBN: 0471290009

Publication Date: 11/01/98

Improving Your Security with Scanners
Dan Farmer introduced COPS while working with Gene Spafford at Purdue University. The popularity of this public domain tool is hard to estimate. Literally thousands of people use COPS today to periodically examine their systems for security weaknesses. Commercial derivatives have appeared over the last several years. This section focuses on the ISS SAFESuite scanners, which are positioned as vulnerability assessment tools.
When Chris Klaus was a graduate student, he put together the Internet Security Scanner and gave it away for free on the Internet. After seeing how much interest the product generated, he and Tom Noonan founded the company now known as Internet Security Systems, or ISS for short. In addition to delivering security products, ISS sponsors a number of newsgroups (www.iss.net/vd/maillist.html), provides useful Web site links, and backs security research at universities. Sitting on the fence between target and perpetrator, ISS also provides funding for DEFCON and maintains a good rapport with the underground.
ISS SAFESuite
Currently ISS scanners come in two main flavors: the System Security Scanner (S3) and the Internet Scanner. Inside the Internet Scanner, you will find separately charged features for a Web scanner, a firewall scanner, and an intranet scanner. Before looking at the features of the product, you might be interested in the following details:

•  The ISS scanners are not invasive—they do not intercept or replace operating system calls.
•  Scans are run on an interval basis. This means that they look for problems at the time of the scan. If you also are interested in detecting intrusions when they occur, think about adding a real-time intrusion detection product.
•  Both system and network problems are analyzed. For example, checking for weak user passwords is a system probe, while IP port scanning looks for network configuration weaknesses.
•  No additional security model is layered into the environment. ISS has not added complexity by introducing its own subjects, objects, ACLs, and reference monitor.

The product family supports a client-server and heterogeneous configuration. By now you should automatically wonder how secure communications are handled between nodes. ISS provides shared-secret, challenge-response authentication between nodes. When messages are exchanged between nodes, the traffic is encrypted as well.

System Security Scanner
The important features of S3 to examine are its alternative configurations, its reporting capabilities, and the set of vulnerabilities it handles. The initial screen for S3 is shown in Figure 7.1.


Figure 7.1  Initial S3 screen.
Local and Remote Scan Configurations
S3 can be run on a single node to scan for and report on security weaknesses on that node. Each system in the network that requires scanning must be installed with a separate copy of S3. If the number of scanned nodes is small, this might be a preferred configuration because network traffic is minimized during scanning and reporting. This design tradeoff is desirable.

If the administrative model at the site is centralized, one or more scanning engine workstations can be configured to control distributed target nodes. Each target requires the sssd daemon. Luckily, ISS also does not introduce its own software distribution framework for propagating these daemons. Note that S3 does not scan the node remotely. Instead, the distributed configuration enables you to manage S3 configuration files remotely and to receive scan results from other nodes. The engine on the central node processes the results files.
Target nodes can be combined into groups, and a node can belong to more than one group. Groups can be scanned at different times, and variations in the vulnerabilities inspected may be specified for each group. This process enables you to scan some nodes deeper than others. If you have many users on some systems, you can look for user configuration weaknesses on those nodes. However, if you have servers with no user accounts, you can configure the scans for that group to omit looking for most user vulnerabilities. Scan options for each node or group are managed through configuration files.
One efficient feature is caching. For example, when password brute force attacks are run, S3 optionally will omit trying passwords that have previously failed. You also can customize the cracking dictionary.
Whether scans are local or remote, activities are controlled via a GUI or CLI. Some of the scans accept parameters, and these values can be entered in the GUI or by editing configuration files directly. Examples of parameters include permission bits for application files that ISS would not know by default.
Detect and Respond
When a system is scanned by S3, a fix script is incrementally composed with recommended corrective actions. You can customize this script or run it as is to eliminate the vulnerabilities identified by the scan. S3 also creates an unfix script that enables you to undo the fix script.
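The fix/unfix pair is a small design pattern worth seeing end to end: the undo script is only exact if the scanner records the state it observed before recommending a change. The following is an added example, not ISS code and not the S3 script format; it implements a single constructed probe (regular files with the world-write bit set) on a POSIX filesystem, composes both scripts, and applies them in-process to show the round trip restores the original mode.

```python
import os
import shlex
import stat
import tempfile

# Constructed illustration of the fix / unfix pattern. The only check
# implemented is "regular file with the other-write bit set"; a real scanner
# carries many more probes, but the undo bookkeeping is the same for each.

def scan_world_writable(root):
    """Return a sorted list of (path, mode) for regular files under root whose
    mode has the other-write bit set. The full permission bits are recorded so
    the unfix script can restore them exactly, not just flip one bit back."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, mode))
    return sorted(findings)

def build_scripts(findings):
    """Compose the fix script (clear o+w) and the unfix script (restore the
    mode observed at scan time) as two shell scripts. Paths are shell-quoted
    so an odd file name cannot smuggle extra commands into either script."""
    fix = ["#!/bin/sh", "# fix script: remove world-write permission"]
    unfix = ["#!/bin/sh", "# unfix script: restore modes recorded at scan time"]
    for path, mode in findings:
        fixed = mode & ~stat.S_IWOTH
        fix.append(f"chmod {fixed:04o} {shlex.quote(path)}")
        unfix.append(f"chmod {mode:04o} {shlex.quote(path)}")
    return "\n".join(fix) + "\n", "\n".join(unfix) + "\n"

def apply_script(script):
    """Apply the chmod lines in-process rather than invoking a shell, so the
    example runs without spawning anything; a real fix script is simply run."""
    for line in script.splitlines():
        parts = shlex.split(line)
        if len(parts) == 3 and parts[0] == "chmod":
            os.chmod(parts[2], int(parts[1], 8))

def demo():
    """Build a constructed tree with one world-writable file, scan it, apply
    fix then unfix, and return (finding count, mode after fix, mode after unfix)."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "app.conf")
        good = os.path.join(root, "notes.txt")
        for p in (bad, good):
            open(p, "w").close()
        os.chmod(bad, 0o666)   # constructed weakness: world-writable config
        os.chmod(good, 0o644)  # healthy file, must not be flagged
        findings = scan_world_writable(root)
        fix, unfix = build_scripts(findings)
        apply_script(fix)
        after_fix = stat.S_IMODE(os.stat(bad).st_mode)
        apply_script(unfix)
        after_unfix = stat.S_IMODE(os.stat(bad).st_mode)
        return len(findings), after_fix, after_unfix

if __name__ == "__main__":
    print(demo())
```

Two details carry over to any scanner that emits corrective scripts: the unfix side must be generated from the observed state rather than by inverting the fix (a file that was 0666 and one that was 0662 both end at o-w, but must be restored differently), and every path written into a script needs shell quoting, because the script is later executed with the privileges of whoever runs it.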
Internode Authentication in S3
In distributed mode, S3 is installed on a central engine that performs the scan, and a separate daemon (sssd) is configured on each target node. To establish trust for remote communications between the engine and the target, a shared authentication secret is defined. The secret also is used as a key for encrypting results transmitted back to the engine for reporting.

An authentication file on the engine declares the shared secret and host name association. A different shared secret can be configured for each host. The recommendation is to pick a pass phrase rather than a simple password. On each target node, a corresponding authentication file must contain the same shared secret entered on the engine. Because the same secret controls information flowing in both directions, the authentication protocol could be open to replay attacks and reflection attacks assuming IP address impersonation is possible (see Chapter 4, “Traditional Network Security Approaches”).
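The last sentence describes a classic weakness of symmetric challenge-response: when one secret produces answers in both directions, a party that answers challenges is also, unwittingly, answering its own. The following added example is a constructed toy, not the ISS protocol and not S3 code; the peer names, message layout and HMAC-SHA256 are assumptions chosen to model only that property. It runs the same engine/target exchange in a naive variant and in a variant whose answer is bound to who is answering whom, and shows that the fresh per-session nonce already defeats replay of a captured answer while only the bound variant rejects a reflected one.

```python
import hashlib
import hmac
import secrets

# Constructed toy of shared-secret challenge-response between a scanning
# engine and a target daemon. Both sides hold the same key; the only thing
# that differs between the two variants is what the answer commits to.

def naive_response(secret, challenge):
    """Direction-less answer: HMAC over the nonce alone, identical whichever
    side computes it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def bound_response(secret, responder, verifier, challenge):
    """Direction-bound answer: the MAC also covers the responder's and the
    verifier's names, so an answer the engine gives cannot pass as an answer
    given to the engine."""
    msg = b"resp|" + responder + b"|" + verifier + b"|" + challenge
    return hmac.new(secret, msg, hashlib.sha256).digest()

class Peer:
    def __init__(self, name, secret, bound):
        self.name = name            # bytes identity, e.g. b"engine"
        self.secret = secret        # shared pass phrase / key
        self.bound = bound          # False = naive protocol, True = hardened
        self.outstanding = {}       # peer name -> nonce we are waiting on

    def challenge(self, peer):
        nonce = secrets.token_bytes(16)   # fresh per session: defeats replay
        self.outstanding[peer] = nonce
        return nonce

    def answer(self, claimed_peer, nonce):
        if self.bound:
            return bound_response(self.secret, self.name, claimed_peer, nonce)
        return naive_response(self.secret, nonce)

    def verify(self, peer, response):
        nonce = self.outstanding.pop(peer)
        if self.bound:
            expected = bound_response(self.secret, peer, self.name, nonce)
        else:
            expected = naive_response(self.secret, nonce)
        return hmac.compare_digest(expected, response)

def honest_exchange(engine, target):
    """Normal run: the target, which holds the secret, answers the engine."""
    nonce = engine.challenge(target.name)
    return engine.verify(target.name, target.answer(engine.name, nonce))

def reflection_probe(engine, target_name):
    """Models a peer claiming target_name that holds no secret: it feeds the
    engine's own challenge back to the engine in a second session and relays
    the engine's answer into the first. Passes only if answers are direction-less."""
    nonce = engine.challenge(target_name)
    reflected = engine.answer(target_name, nonce)
    return engine.verify(target_name, reflected)

def replay_probe(engine, target):
    """A captured answer from one session is offered against a later, fresh
    challenge; the per-session nonce makes it fail in both variants."""
    nonce = engine.challenge(target.name)
    captured = target.answer(engine.name, nonce)
    engine.verify(target.name, captured)
    engine.challenge(target.name)
    return engine.verify(target.name, captured)

def demo():
    """Run all three exchanges for the naive and the bound variant."""
    key = secrets.token_bytes(32)
    results = {}
    for label, bound in (("naive", False), ("bound", True)):
        engine = Peer(b"engine", key, bound)
        target = Peer(b"target", key, bound)
        results[label + "_honest"] = honest_exchange(engine, target)
        results[label + "_reflected"] = reflection_probe(engine, b"target")
        results[label + "_replayed"] = replay_probe(engine, target)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'authenticated' if ok else 'rejected'}")
```

Binding the answer to the two identities is one of several equivalent fixes: deriving a separate key per direction from the shared pass phrase, or having a peer refuse to answer any nonce it currently has outstanding, closes the same gap. Whichever is used, the nonce must still be fresh per session; that is what carries the replay result above, and it is the part the text's caveat about IP impersonation does not touch.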


