KEEPING THE SYSTEM UP-TO-DATEMINIMUM SYSTEM SPECIFICATIONS FOR SECU...

Question

4. Keeping the system up-to-dateMinimum System Specifications for Secure Scanner V2.0Secure Scanner runs on NT 4.0 (Service Pack 3), Solaris 2.5.x, 2.6-2.8 witha Sun SPARC 5 station (or Solaris x86 if using an Intel CPU). All platformsrequire at least 64MB RAM, 2GB disk space, a network card with a TCP/IPhttps://traloihay.netstack, and a display capable of at least 800x600. A recent HTML browseris also essential.NOTEEach Secure Scanner license is not tied to a specific IP address range. Thisallows you to point the same scanner at multiple IP address ranges. Witha single license you can scan up to 2,500 devices.Searching the Network for Vulnerabilities Once Secure Scanner has been installed you can create and initiate aScanner session to search your network for vulnerabilities. The sessioncan be designated as either a non-intrusive and passive scan or an intru-sive and active probe (used to confirm any vulnerabilities found). Sessionscan also be scheduled to start on recurring or specific dates and times, orat random.Using your session configuration you can initiate an automatic dis-covery of host devices (all devices running a TCP/IP stack) and services onyour network. TCP/UDP port interrogation and SNMP queries are used togather information, which is compiled into a database. The latter can beused to develop and verify security policies as well as find unexpectedmachines and services on your network. WARNINGIt is possible to render a service or device unavailable by initiating aprobe on the network. Active probing sessions should either run outsidepeak network usage hours or should omit sensitive devices to preventloss of service/user disruption. Although general clients may be unaware that a session is inprogress, it is possible that a performance drop may occur. This is espe-cially likely if a probe has been selected with a heavy vulnerability profile.When you select the page icon from the main screen, the SessionConfiguration box opens (see Figure 7.4). This screen allows you to definemultiple address ranges in a session. You can configure ranges to beaggressively scanned, to exclude certain ranges, to import data from pre-vious session runs, as well as export data to files.Intrusion Detection • Chapter 7 313Choose the Vulnerability folder to see the screen in Figure 7.5. Hereyou can select the ports you want to scan, turning active probing on or off,and choose a predefined Active Probe profile that selects settings for 13 dif-ferent categories of vulnerability.Figure 7.4 Specifying network addresses.Figure 7.5 Specifying vulnerabilities.The following categories are available; each has further subcategoriesavailable for more specific selection:■ DNS■ NFS■ Telnet■ Finger■ NT security■ TFTP■ FTP■ Rlogin■ X Window■ HTTP■ SMTP■ RSHThe Network Security Database (NSDB) contains in-depth informationabout these items. We will discuss this in more detail later in the section.It is possible to configure user-defined and custom vulnerability rules.This could be useful if you are scanning for unique devices or non-stan-dard port numbers. Once a custom rule has been defined then youshould distribute that rule throughout the enterprise to ensure consis-tency across the scanners. Further details on how to create user-definedrules can be found at https://traloihay.netcsscan/csscan2/csscug/userrule.htm#13881.Viewing the ResultsFollowing the completion of a session, a result set folder is created in themain Secure Scanner screen. The result set contains folders for charts,grids, and reports. Right-click on the Results folder and then select ViewGrid Data; once you save the grid you can just select it by double-clickingfrom the main screen.Intrusion Detection • Chapter 7 315Grid BrowserThe grid browser is used to view session results and is very flexible. Youcan change axes to refer to different data, drill down into cells to highlightspecific factors, view host details, create totals or percentages for rows orcolumns, and create charts. It is also possible to save multiple gridbrowser views and charts for later use or incorporation into reports. Tofind out more about the icons you can just hold the mouse over each todisplay its function.The grid is a 2-D matrix showing the information returned from thesession. In Figure 7.6 the columns on the right represent the IP addressesof the hosts and the rows represent the vulnerabilities that were tested for;the six columns on the left detail the vulnerability details. Let’s examine arow from left to right. Column one shows an overall classification for vul-nerabilities. Column two shows a value that represents the severity level ofthe exploit (the higher the number the worse). Column three designates thetype of exploit. Column four is the name of the exploit. Column five detailswhether the vulnerability is confirmed (Vc) or potential (Vp). Column sixshows the corresponding ID in the NSDB database. The value of 1 indi-cates the number of intersections of a row and column value; in this con-text this value is always 1.Figure 7.6 NetSonar grid browser.In Figure 7.6, you can see the pull-down menu; this changes the gridview. Let’s say you want to change the grid to display the number ofexploits and vulnerability types for hosts. Right-click on column 3 andthen select Zoom Out, then right-click again and choose Show, Totals. Asyou can see from Figure 7.7, the cell values change to the number of vul-nerabilities exhibited by each Host of each type. Along the bottom you cansee the total number of vulnerabilities per host.Figure 7.7 NetSonar grid browser—number of vulnerability types.This allows you to represent the data found graphically. Using thewizard, you can create many different types of charts including 2-D and3D, line, pie, and bar. You can also export the chart for use in a MicrosoftPowerPoint slide show. From our grid browser example in Figure 7.6, you would create a chartby selecting the cells required then choosing the “create chart” button fromthe tool bar. Once created selecting the right mouse button on the chartwill allow you to customize the view completely. The chart shown in Figure 7.8 is based on the grid view we just createdin Figure 7.7. For this example, I’ve picked only a few stations for clarity, butyou can easily select more and rerun the wizard. The chart is simple touse—right-click offers you most options, and by clicking around the chartyou can tilt and pan the view. In our example, the height of the bars repre-sents the number of vulnerability types exhibited by a host. Once you saveda graph, it can be incorporated into a NetSonar report or used externally asa .bmp or .gif file.Intrusion Detection • Chapter 7 317Figure 7.8 NetSonar Chart from grid selection.Reports and WizardsSecure Scanner includes a flexible reporting and analysis tool. Three typesof HTML reports can be generated from Secure Scanner: executive, brieftechnical, and full technical. As the names suggest, each type of report isaimed at different groups of people—the executive presents a high-levelsummary whereas the full technical provides an in-depth review of allsecurity vulnerabilities found on the network.Information layout is straightforward; it’s easy to insert grids andcharts into reports. Results can be ported to Microsoft Word for editing andprinting, or to other platforms that support HTML format. By selecting the options on the screen (see Figure 7.9) you can navigatethe report easily.Keeping the System Up-to-DateRegular updates to the vulnerability scanner are easy to download andinstall directly from the Cisco Web site. Cisco employs a team called theCisco Countermeasure Research Team (C-CRT) who work to ensure thatSecure Scanner is up-to-date. C-CRT maintains the NSDB, which is agoldmine of information against intrusions and attacks.The NSDB is accessible from within the application by selecting theicon from the main screen. It contains updates and fixes as well as links to other vendor’s Web sites (see Figure 7.10).Figure 7.9 NetSonar Report main menu.Figure 7.10 The NSDB Vulnerability Index.You can select items on the index to view further details for a specificvulnerability. Let’s select 208—Anonymous FTP (see Figure 7.11).For a comprehensive guide on usage of NetSonar go to https://traloihay.netunivercd/cc/td/doc/product/iaabu/csscan/csscan2/csscug/index.htm.Intrusion Detection • Chapter 7 319Figure 7.11 NSDB vulnerability details.For IT ProfessionalsUsage Tips for Cisco SecureScannerLike any tool, Secure Scanner is most effective when used properly.Here are some general tips that you can use for maximum benefit. Thesame person or people should perform the scan each time; this mayeven lead to the creation (or enhancement) of a central team in yourorganization responsible for security. They should be the ones to takeaction on the results; this will have the additional effect of creating orenforcing security standards in your organization.■ The Scanner session should be run when the network trafficlevels are low as well as during busy hours when all devicesare powered up in order to give you a more comprehensiveset of results.■ Run unscheduled scans to increase the likelihood of catchingdevices that may be switched on only occasionally. Anexample might be the PC of a traveling salesman who comesto the office only once a week.Continued■ As soon as new devices are added to the network, a scanshould be run. This process should be integrated into thecompany change management system.■ Report any anomalies or new vulnerabilities you have foundto Cisco Systems using the NSDB reporting mechanism. As aresponsible user of the system you could help protect othercompanies from similar attacks.Cisco Secure Intrusion Detection System(NetRanger)NetRanger was originally developed by Wheelgroup Inc. but is now owned byCisco Systems. We will tackle this product by dividing it into five sections:

Answer

4. Keeping the system up-to-dateMinimum System Specifications for Secure Scanner V2.0Secure Scanner runs on NT 4.0 (Service Pack 3), Solaris 2.5.x, 2.6-2.8 witha Sun SPARC 5 station (or Solaris x86 if using an Intel CPU). All platformsrequire at least 64MB RAM, 2GB disk space, a network card with a TCP/IPhttps://traloihay.netstack, and a display capable of at least 800x600. A recent HTML browseris also essential.NOTEEach Secure Scanner license is not tied to a specific IP address range. Thisallows you to point the same scanner at multiple IP address ranges. Witha single license you can scan up to 2,500 devices.Searching the Network for Vulnerabilities Once Secure Scanner has been installed you can create and initiate aScanner session to search your network for vulnerabilities. The sessioncan be designated as either a non-intrusive and passive scan or an intru-sive and active probe (used to confirm any vulnerabilities found). Sessionscan also be scheduled to start on recurring or specific dates and times, orat random.Using your session configuration you can initiate an automatic dis-covery of host devices (all devices running a TCP/IP stack) and services onyour network. TCP/UDP port interrogation and SNMP queries are used togather information, which is compiled into a database. The latter can beused to develop and verify security policies as well as find unexpectedmachines and services on your network. WARNINGIt is possible to render a service or device unavailable by initiating aprobe on the network. Active probing sessions should either run outsidepeak network usage hours or should omit sensitive devices to preventloss of service/user disruption. Although general clients may be unaware that a session is inprogress, it is possible that a performance drop may occur. This is espe-cially likely if a probe has been selected with a heavy vulnerability profile.When you select the page icon from the main screen, the SessionConfiguration box opens (see Figure 7.4). This screen allows you to definemultiple address ranges in a session. You can configure ranges to beaggressively scanned, to exclude certain ranges, to import data from pre-vious session runs, as well as export data to files.Intrusion Detection • Chapter 7 313Choose the Vulnerability folder to see the screen in Figure 7.5. Hereyou can select the ports you want to scan, turning active probing on or off,and choose a predefined Active Probe profile that selects settings for 13 dif-ferent categories of vulnerability.Figure 7.4 Specifying network addresses.Figure 7.5 Specifying vulnerabilities.The following categories are available; each has further subcategoriesavailable for more specific selection:■ DNS■ NFS■ Telnet■ Finger■ NT security■ TFTP■ FTP■ Rlogin■ X Window■ HTTP■ SMTP■ RSHThe Network Security Database (NSDB) contains in-depth informationabout these items. We will discuss this in more detail later in the section.It is possible to configure user-defined and custom vulnerability rules.This could be useful if you are scanning for unique devices or non-stan-dard port numbers. Once a custom rule has been defined then youshould distribute that rule throughout the enterprise to ensure consis-tency across the scanners. Further details on how to create user-definedrules can be found at https://traloihay.netcsscan/csscan2/csscug/userrule.htm#13881.Viewing the ResultsFollowing the completion of a session, a result set folder is created in themain Secure Scanner screen. The result set contains folders for charts,grids, and reports. Right-click on the Results folder and then select ViewGrid Data; once you save the grid you can just select it by double-clickingfrom the main screen.Intrusion Detection • Chapter 7 315Grid BrowserThe grid browser is used to view session results and is very flexible. Youcan change axes to refer to different data, drill down into cells to highlightspecific factors, view host details, create totals or percentages for rows orcolumns, and create charts. It is also possible to save multiple gridbrowser views and charts for later use or incorporation into reports. Tofind out more about the icons you can just hold the mouse over each todisplay its function.The grid is a 2-D matrix showing the information returned from thesession. In Figure 7.6 the columns on the right represent the IP addressesof the hosts and the rows represent the vulnerabilities that were tested for;the six columns on the left detail the vulnerability details. Let’s examine arow from left to right. Column one shows an overall classification for vul-nerabilities. Column two shows a value that represents the severity level ofthe exploit (the higher the number the worse). Column three designates thetype of exploit. Column four is the name of the exploit. Column five detailswhether the vulnerability is confirmed (Vc) or potential (Vp). Column sixshows the corresponding ID in the NSDB database. The value of 1 indi-cates the number of intersections of a row and column value; in this con-text this value is always 1.Figure 7.6 NetSonar grid browser.In Figure 7.6, you can see the pull-down menu; this changes the gridview. Let’s say you want to change the grid to display the number ofexploits and vulnerability types for hosts. Right-click on column 3 andthen select Zoom Out, then right-click again and choose Show, Totals. Asyou can see from Figure 7.7, the cell values change to the number of vul-nerabilities exhibited by each Host of each type. Along the bottom you cansee the total number of vulnerabilities per host.Figure 7.7 NetSonar grid browser—number of vulnerability types.This allows you to represent the data found graphically. Using thewizard, you can create many different types of charts including 2-D and3D, line, pie, and bar. You can also export the chart for use in a MicrosoftPowerPoint slide show. From our grid browser example in Figure 7.6, you would create a chartby selecting the cells required then choosing the “create chart” button fromthe tool bar. Once created selecting the right mouse button on the chartwill allow you to customize the view completely. The chart shown in Figure 7.8 is based on the grid view we just createdin Figure 7.7. For this example, I’ve picked only a few stations for clarity, butyou can easily select more and rerun the wizard. The chart is simple touse—right-click offers you most options, and by clicking around the chartyou can tilt and pan the view. In our example, the height of the bars repre-sents the number of vulnerability types exhibited by a host. Once you saveda graph, it can be incorporated into a NetSonar report or used externally asa .bmp or .gif file.Intrusion Detection • Chapter 7 317Figure 7.8 NetSonar Chart from grid selection.Reports and WizardsSecure Scanner includes a flexible reporting and analysis tool. Three typesof HTML reports can be generated from Secure Scanner: executive, brieftechnical, and full technical. As the names suggest, each type of report isaimed at different groups of people—the executive presents a high-levelsummary whereas the full technical provides an in-depth review of allsecurity vulnerabilities found on the network.Information layout is straightforward; it’s easy to insert grids andcharts into reports. Results can be ported to Microsoft Word for editing andprinting, or to other platforms that support HTML format. By selecting the options on the screen (see Figure 7.9) you can navigatethe report easily.Keeping the System Up-to-DateRegular updates to the vulnerability scanner are easy to download andinstall directly from the Cisco Web site. Cisco employs a team called theCisco Countermeasure Research Team (C-CRT) who work to ensure thatSecure Scanner is up-to-date. C-CRT maintains the NSDB, which is agoldmine of information against intrusions and attacks.The NSDB is accessible from within the application by selecting theicon from the main screen. It contains updates and fixes as well as links to other vendor’s Web sites (see Figure 7.10).Figure 7.9 NetSonar Report main menu.Figure 7.10 The NSDB Vulnerability Index.You can select items on the index to view further details for a specificvulnerability. Let’s select 208—Anonymous FTP (see Figure 7.11).For a comprehensive guide on usage of NetSonar go to https://traloihay.netunivercd/cc/td/doc/product/iaabu/csscan/csscan2/csscug/index.htm.Intrusion Detection • Chapter 7 319Figure 7.11 NSDB vulnerability details.For IT ProfessionalsUsage Tips for Cisco SecureScannerLike any tool, Secure Scanner is most effective when used properly.Here are some general tips that you can use for maximum benefit. Thesame person or people should perform the scan each time; this mayeven lead to the creation (or enhancement) of a central team in yourorganization responsible for security. They should be the ones to takeaction on the results; this will have the additional effect of creating orenforcing security standards in your organization.■ The Scanner session should be run when the network trafficlevels are low as well as during busy hours when all devicesare powered up in order to give you a more comprehensiveset of results.■ Run unscheduled scans to increase the likelihood of catchingdevices that may be switched on only occasionally. Anexample might be the PC of a traveling salesman who comesto the office only once a week.Continued■ As soon as new devices are added to the network, a scanshould be run. This process should be integrated into thecompany change management system.■ Report any anomalies or new vulnerabilities you have foundto Cisco Systems using the NSDB reporting mechanism. As aresponsible user of the system you could help protect othercompanies from similar attacks.Cisco Secure Intrusion Detection System(NetRanger)NetRanger was originally developed by Wheelgroup Inc. but is now owned byCisco Systems. We will tackle this product by dividing it into five sections: