Network Managing, Engineering and Administration with an eye toward security.
Best practices meets the real world!
Friday, January 07, 2005
Vulnerability Scanning
We've been talking about this lately at work, so it's a good subject to start with.
We're all probably familiar with the 'Penetration Test' that scans a network from the outside to see what vulnerabilities are exposed. What I'm referring to is an internal scan to see what vulnerabilities exist on the inside. Proposing an internal vulnerability scan can start a debate, mostly about the differences between perimeter hardening and defense in depth. The idea with perimeter hardening is that everything malicious is stopped at the border, and internal access is controlled by application or network login rights. Defense in depth goes one step further by adding additional layers of security on the network. These layers include monitoring and testing systems for vulnerabilities, which is where internal vulnerability scanning comes in. A nice article that I found over at CERT pointed out that with proper security you need to Secure, Monitor, Audit/Test, and then Manage and Improve.
I did a quick Google search for vulnerability scanners and found different types of products to meet different needs. You can go from simple port scanners (nmap, SuperScan, etc.), to vulnerability scanners (Nessus, Retina, etc.), to OS-specific patch scanners (HFNetChk, MBSA, etc.).
I believe you can't have enough tools to perform these kinds of tests, and one of the best ways to get a collection of them is through bootable ISOs of whole systems that have been set up and designed to give you every tool you can think of. There are several of these, including Knoppix, Knoppix STD, F.I.R.E., Helix, Plan-B, etc. They are great to get you started because you just boot up, and away you go; reboot and you're back to your desktop. Some of them also offer forensics capabilities (which is a subject for another day). Be warned: do not use many of these tools on a production network until you know what they do. Some of them can cause problems for production systems (heck, even nmap can), even if those systems are fully patched.
I'm a big fan of defense in depth, and agree with both monitoring and testing systems. This goes hand in hand with security being a process, not a set-up-and-forget system.
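One way to make internal scanning part of an ongoing process rather than a one-off is to keep a baseline scan and diff each new scan against it, so that new hosts and newly opened ports get noticed. The following is an added example, not code from the original post or from any of the tools it mentions: it parses two nmap-style XML results (the XML documents are constructed samples, trimmed to the elements the parser reads) and reports what drifted since the baseline.

```python
import xml.etree.ElementTree as ET

# Constructed sample baseline scan (nmap -oX output, trimmed): two internal hosts.
BASELINE_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""

# Constructed later scan: telnet appeared on 10.0.0.5 (135 is only filtered, so not
# counted), 10.0.0.6 closed 445, 10.0.0.7 is down (skipped), 10.0.0.9 is a new host.
CURRENT_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports/></host>
<host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
</nmaprun>"""

def open_ports(xml_text):
    """Map each host that is up to its set of (proto, port, service) open ports."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts and hosts without an IPv4 address are not inventory
        ports = set()
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            if state is not None and state.get("state") == "open":
                name = svc.get("name", "") if svc is not None else ""
                ports.add((port.get("protocol"), int(port.get("portid")), name))
        result[addr.get("addr")] = ports
    return result

def scan_drift(baseline_xml, current_xml):
    """Report hosts and open ports that appeared or disappeared since the baseline."""
    base, cur = open_ports(baseline_xml), open_ports(current_xml)
    shared = set(cur) & set(base)
    return {"new_hosts": sorted(set(cur) - set(base)),
            "opened": {ip: sorted(cur[ip] - base[ip]) for ip in shared if cur[ip] - base[ip]},
            "closed": {ip: sorted(base[ip] - cur[ip]) for ip in shared if base[ip] - cur[ip]}}
```

Anything in "new_hosts" or "opened" is what an internal audit should chase down and either fix or add to the baseline; "closed" is worth a look too, since a service that silently disappeared can mean a box was rebuilt.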
Security Quick Links:
Great CERT chart about changing focus - http://www.cert.org/governance/ges-shifts.html
Defense in Depth - http://www.nwfusion.com/columnists/2004/081604johnson.html
Email explaining Defense in Depth - http://www.securityfocus.com/archive/105/380109
Nice whitepaper at GIAC - http://www.giac.org/practical/gsec/Adam_Straub_GSEC.pdf
Link at bottom of "more that you can do" - http://www.symantec.com/smallbiz/library/depth.html
Thomas Schwarz, Santa Clara University - http://www.cse.scu.edu/~tschwarz/coen350_03/Lectures/defdep.html
posted by David | 1/07/2005 01:15:00 AM