Minimum System Specifications for Secure Scanner V2.0
Secure Scanner runs on NT 4.0 (Service Pack 3), Solaris 2.5.x, 2.6-2.8 with a Sun SPARC 5 station (or Solaris x86 if using an Intel CPU). All platforms require at least 64MB RAM, 2GB disk space, a network card with a TCP/IP
stack, and a display capable of at least 800x600. A recent HTML browser is also essential.
NOTE
Each Secure Scanner license is not tied to a specific IP address range. This
allows you to point the same scanner at multiple IP address ranges. With
a single license you can scan up to 2,500 devices.
Searching the Network for Vulnerabilities
Once Secure Scanner has been installed you can create and initiate a Scanner session to search your network for vulnerabilities. The session can be designated as either a non-intrusive and passive scan or an intrusive and active probe (used to confirm any vulnerabilities found). Sessions can also be scheduled to start on recurring or specific dates and times, or at random.
Using your session configuration you can initiate an automatic discovery of host devices (all devices running a TCP/IP stack) and services on your network. TCP/UDP port interrogation and SNMP queries are used to gather information, which is compiled into a database. This database can be used to develop and verify security policies as well as to find unexpected machines and services on your network.
WARNING
It is possible to render a service or device unavailable by initiating a
probe on the network. Active probing sessions should either run outside
peak network usage hours or should omit sensitive devices to prevent
loss of service/user disruption.
Although general clients may be unaware that a session is in progress, a performance drop may occur. This is especially likely if a probe with a heavy vulnerability profile has been selected.
When you select the page icon from the main screen, the Session Configuration box opens (see Figure 7.4). This screen allows you to define multiple address ranges in a session. You can configure ranges to be aggressively scanned, exclude certain ranges, import data from previous session runs, and export data to files.
Intrusion Detection • Chapter 7
Choose the Vulnerability folder to see the screen in Figure 7.5. Here you can select the ports you want to scan, turn active probing on or off, and choose a predefined Active Probe profile that selects settings for 13 different categories of vulnerability.
Figure 7.4 Specifying network addresses.
Figure 7.5 Specifying vulnerabilities.
The following categories are available; each has further subcategories available for more specific selection:
■ DNS
■ NFS
■ Telnet
■ Finger
■ NT security
■ TFTP
■ FTP
■ Rlogin
■ X Window
■ HTTP
■ SMTP
■ RSH
The Network Security Database (NSDB) contains in-depth information
about these items. We will discuss this in more detail later in the section.
It is possible to configure user-defined and custom vulnerability rules. This could be useful if you are scanning for unique devices or non-standard port numbers. Once a custom rule has been defined, you should distribute that rule throughout the enterprise to ensure consistency across the scanners. Further details on how to create user-defined rules can be found at https://traloihay.net
csscan/csscan2/csscug/userrule.htm#13881.
Viewing the Results
Following the completion of a session, a result set folder is created in the
main Secure Scanner screen. The result set contains folders for charts,
grids, and reports. Right-click on the Results folder and then select View
Grid Data; once you save the grid you can just select it by double-clicking
from the main screen.
Grid Browser
The grid browser is used to view session results and is very flexible. You
can change axes to refer to different data, drill down into cells to highlight
specific factors, view host details, create totals or percentages for rows or
columns, and create charts. It is also possible to save multiple grid
browser views and charts for later use or incorporation into reports. To
find out more about the icons you can just hold the mouse over each to
display its function.
The grid is a 2-D matrix showing the information returned from the session. In Figure 7.6 the columns on the right represent the IP addresses of the hosts and the rows represent the vulnerabilities that were tested for; the six columns on the left hold the vulnerability details. Let’s examine a row from left to right. Column one shows an overall classification for vulnerabilities. Column two shows a value that represents the severity level of the exploit (the higher the number, the worse). Column three designates the type of exploit. Column four is the name of the exploit. Column five details whether the vulnerability is confirmed (Vc) or potential (Vp). Column six shows the corresponding ID in the NSDB database. The value of 1 in a host column indicates the number of intersections of that row and column; in this context the value is always 1.
Figure 7.6 NetSonar grid browser.
In Figure 7.6, you can see the pull-down menu; this changes the grid view. Let’s say you want to change the grid to display the number of exploits and vulnerability types for hosts. Right-click on column 3 and then select Zoom Out, then right-click again and choose Show, Totals. As you can see from Figure 7.7, the cell values change to the number of vulnerabilities of each type exhibited by each host. Along the bottom you can see the total number of vulnerabilities per host.
Figure 7.7 NetSonar grid browser—number of vulnerability types.
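As an added example (not code from the book or from Secure Scanner itself), the following models the Figure 7.6 grid as data and reproduces the Zoom Out on column 3 plus Show Totals view of Figure 7.7, with a confirmed-only drill-down. Hosts and findings are constructed; only NSDB id 208 (Anonymous FTP) comes from the text, the other ids are placeholders.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class VulnRow:
    """One grid row: the six detail columns of Figure 7.6 plus the hosts hit."""
    classification: str   # column one: overall classification
    severity: int         # column two: higher is worse
    vuln_type: str        # column three: type of exploit (DNS, FTP, Finger, ...)
    name: str             # column four: name of the exploit
    status: str           # column five: "Vc" confirmed or "Vp" potential
    nsdb_id: int          # column six: NSDB index entry
    hosts: tuple          # host columns whose cell for this row holds a 1

# Constructed sample result set: addresses are placeholders, and only NSDB
# id 208 (Anonymous FTP) is from the text; the other ids are made up.
SAMPLE_ROWS = (
    VulnRow("Remote access", 3, "FTP", "Anonymous FTP", "Vc", 208, ("10.0.0.5", "10.0.0.9")),
    VulnRow("Information", 1, "Finger", "Finger service enabled", "Vp", 9001, ("10.0.0.5",)),
    VulnRow("Remote access", 4, "Telnet", "Telnet service enabled", "Vp", 9002, ("10.0.0.9", "10.0.0.12")),
    VulnRow("Remote access", 2, "FTP", "FTP service enabled", "Vc", 9003, ("10.0.0.9",)),
)

def grid(rows):
    """Figure 7.6 view: a 1 at every (vulnerability name, host) intersection."""
    return {(r.name, h): 1 for r in rows for h in r.hosts}

def zoom_out_by_type(rows, confirmed_only=False):
    """Figure 7.7 view: zoom out on column 3, counting vulnerabilities of each
    type per host. confirmed_only=True is a drill-down that keeps only Vc rows."""
    counts = defaultdict(Counter)
    for r in rows:
        if confirmed_only and r.status != "Vc":
            continue
        for h in r.hosts:
            counts[h][r.vuln_type] += 1
    return {h: dict(c) for h, c in counts.items()}

def host_totals(by_type):
    """Show, Totals: the per-host total shown along the bottom of the grid."""
    return {h: sum(c.values()) for h, c in by_type.items()}

def worst_severity(rows):
    """Highest column-two severity seen per host, to order follow-up work."""
    worst = {}
    for r in rows:
        for h in r.hosts:
            worst[h] = max(worst.get(h, 0), r.severity)
    return worst
```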
Charts allow you to represent the data found graphically. Using the chart wizard, you can create many different types of charts, including 2-D and 3-D line, pie, and bar charts. You can also export a chart for use in a Microsoft PowerPoint slide show.
From our grid browser example in Figure 7.6, you would create a chart by selecting the required cells and then choosing the “create chart” button from the toolbar. Once the chart is created, right-clicking on it allows you to customize the view completely.
The chart shown in Figure 7.8 is based on the grid view we just created in Figure 7.7. For this example, I’ve picked only a few stations for clarity, but you can easily select more and rerun the wizard. The chart is simple to use: right-clicking offers you most options, and by clicking around the chart you can tilt and pan the view. In our example, the height of the bars represents the number of vulnerability types exhibited by a host. Once you have saved a graph, it can be incorporated into a NetSonar report or used externally as a .bmp or .gif file.
Figure 7.8 NetSonar Chart from grid selection.
Reports and Wizards
Secure Scanner includes a flexible reporting and analysis tool. Three types
of HTML reports can be generated from Secure Scanner: executive, brief
technical, and full technical. As the names suggest, each type of report is
aimed at different groups of people—the executive presents a high-level
summary whereas the full technical provides an in-depth review of all
security vulnerabilities found on the network.
Information layout is straightforward; it’s easy to insert grids and
charts into reports. Results can be ported to Microsoft Word for editing and
printing, or to other platforms that support HTML format.
By selecting the options on the screen (see Figure 7.9) you can navigate
the report easily.
Keeping the System Up-to-Date
Regular updates to the vulnerability scanner are easy to download and
install directly from the Cisco Web site. Cisco employs a team called the
Cisco Countermeasure Research Team (C-CRT) who work to ensure that
Secure Scanner is up-to-date. C-CRT maintains the NSDB, which is a goldmine of information on intrusions and attacks.
The NSDB is accessible from within the application by selecting the icon from the main screen. It contains updates and fixes as well as links to other vendors’ Web sites (see Figure 7.10).
Figure 7.9 NetSonar Report main menu.
Figure 7.10 The NSDB Vulnerability Index.
You can select items on the index to view further details for a specific
vulnerability. Let’s select 208—Anonymous FTP (see Figure 7.11).
For a comprehensive guide on usage of NetSonar go to https://traloihay.net
univercd/cc/td/doc/product/iaabu/csscan/csscan2/csscug/index.htm.
Figure 7.11 NSDB vulnerability details.
For IT Professionals
Usage Tips for Cisco Secure Scanner
Like any tool, Secure Scanner is most effective when used properly.
Here are some general tips that you can use for maximum benefit. The
same person or people should perform the scan each time; this may
even lead to the creation (or enhancement) of a central team in your
organization responsible for security. They should be the ones to take
action on the results; this will have the additional effect of creating or
enforcing security standards in your organization.
■ The Scanner session should be run when the network traffic levels are low as well as during busy hours when all devices are powered up in order to give you a more comprehensive set of results.
■ Run unscheduled scans to increase the likelihood of catching devices that may be switched on only occasionally. An example might be the PC of a traveling salesman who comes to the office only once a week.
■ As soon as new devices are added to the network, a scan should be run. This process should be integrated into the company change management system.