In-Depth

How Secure is Your Network?

Seven network scanners test your security before the crackers do.


Network scanning is one of the most misinterpreted terms in computer security. As technology continues to evolve, its definition changes. Network scanning is sometimes confused with system scanning, application scanning or even modem scanning (sometimes called war dialing). Sometimes, network scans are referred to as penetration testing or even hacking. Strictly speaking, a network scan is a systematic test of an operating system's network stack. A stack is a set of system applications or services that allow one system to communicate with other systems connected to the same wired or wireless medium. For example, the TCP/IP protocol is implemented as a network stack. This type of a scan is often called a port scan.

In the current IT environment, we expect network scanners to perform a lot more than just a port scan. Additional functionality may include network discovery (finding all devices on a network), OS identification (also called fingerprinting), and vulnerability checking (searching for common security flaws such as configuration errors and Trojan horses). For this article, I'll look at tools that perform network discovery, OS identification, port scanning and vulnerability checking of common network services such as FTP and DNS. Such a tool should perform all these actions without being physically installed on the computer being scanned, and even without logging onto the computer. Here's what we look at this month:

Some scanners are more sophisticated than others about checking systems to which they connect. Scanners with application-level checks (such as CGI scanners) are designed to understand higher-level protocols (for example, HTTP), and the input/output application parameters are most often available via an HTML page. Using a Web site as an example, a network scanner could find an HTTP server on a certain port and check for vulnerabilities (for example, unpatched security holes), while an application scanner would be able to browse Web pages and try to test the strength of exposed scripts. Some of the scanners discussed in this article provide application scanning.

To test the scanners, we scanned a default installation of Windows 2000 Advanced Server that included these components:

  • IIS 5.0 running a Web site on port 80 and another Web site on port 8086. Traffic was split between the two sites based on host headers. No virtual IP addresses were assigned.
  • An FTP site allowing Read and Write permissions to the root directory to anonymous users.
  • Telnet server.
  • Simple Network Management Protocol (SNMP) with public string as Read-Only and private string as Read and Write.
  • DNS server.
  • DHCP server.
  • Terminal Services.
  • Service Pack 2.

After the first round of testing, we installed Back Orifice 2000 remote management software (a multi-functional Trojan) from Cult of the Dead Cow and retested the scanners for their ability to detect this potentially malicious application on the host computer.

10 Steps for a Successful Scan

Pre-Execution

  1. Determine the overall scan objective and pick the right tools. During this stage, determine what you’re going to scan. Is it a firewall scan, intrusion-detection test, bastion host assessment, or “cracker” emulation attack? Make sure you always try to scan the most important link in your security—firewall, Web server, Web application, scripts—as well as the most vulnerable links. Based on this determination, choose the right tool.
  2. Train all personnel who will perform scans on how to use the software. Always test the scanner in a lab environment prior to using it, but after you update it with the latest vulnerability probes (if any).
  3. Contact the parties involved in a scan and obtain their agreement for a scan. Note that the use of scanners may result in denial of service (DOS). Without permission, your “attack” may be reported to a security authority such as CERT, or there might be other legal consequences.
  4. Analyze the architecture of the target network. Ideally you should know about intrusion detection systems (IDS) and other alarms on the network that you scan (some IDSs can disable your scanner). Load balancers, proxy servers, firewalls and other network equipment can potentially interfere with the scan.

Execution

  1. Monitor the scan and be available to turn it off (should the circumstances demand). If possible, run a sniffer on a target subnet to make sure the scanner “hits” your target as expected (this may also be useful in analyzing scanning traffic and identifying “false positives,” something most scanners can produce).
  2. Let all parties involved know the scan’s over.

Post-Execution

  1. Verify the scanner’s accuracy based on OS recognition and overall responses. Analyze the results and filter false positives.
  2. Explore any serious vulnerabilities in depth. System settings may have to be examined to confirm the findings. Some scanners, such as Hailstorm or Nessus, allow you to create custom packets to do further testing.
  3. Compare the results with previous scans. This is called trending. Keep a copy of the results for the future. Only a few tools allow you to do this, but you can construct a simple database to store your results quickly.
  4. Forward a completed copy to those who got scanned as a good-faith move and make yourself available to answer questions.

—Greg Saoutine

Choosing the Right Scanner
Good network scanning tools can enable network administrators to perform quick and fairly efficient assessments of their networks on a periodic basis. They can also help in keeping track of the latest vulnerabilities. More sophisticated tools such as ISS, Nessus and Retina can “probe” vulnerabilities by sending actual attacks (or more often, by sending probes simulating an attack) to targets. The most sophisticated scanners also provide engines that allow more experienced users to create custom attacks.

You should realize, though, that network scanners aren’t infallible. None of the scanners we reviewed was able to detect the Back Orifice Trojan that was installed on a non-standard port. It’s quite a challenge to detect such Trojans because the scanner would need to check every listening port for every known Trojan. Note, though, that the scanners we reviewed reported an unknown service on the port where we installed Back Orifice. If you’re auditing your own server, finding such unknown services should be treated as a warning bell.

When choosing a network scanner, you need to understand your environment and capabilities of various products. If a quick inventory scan with information-gathering elements and basic password checks are required, one of the free, basic products (such as LANguard) can be used. For a more comprehensive, targeted assessment, more sophisticated products should be used: ISS, Retina, and even Nessus provide IT professionals with an easy, “point-and-click” solution, regular vulnerability database updates and excellent reporting. When choosing a vendor, don’t forget to ask about the frequency of updates to the scanner’s database.

For a more sophisticated user who wants to have full control over the test or needs to customize testing for complex network components (such as intrusion detection systems), tools with scripting capabilities (such as Nessus or Hailstorm) are ideal.

Finally, while it’s a good idea to have a relationship with a commercial vendor, several free products are available on the Internet. Some of the free products have advanced features that may not even be available in your vendor’s product.

comments powered by Disqus

Reader Comments:

Sat, Sep 13, 2008 Anonymous Anonymous

JAJA, UPYACHKA! UG NE PROIDET, BLYA!

Sun, May 12, 2002 Anonymous Anonymous

Good overview on Vulnerability Scanning. Needs more work on the testing side of the featured scanners.

Mon, Feb 4, 2002 Jeff Mason Nashville, TN

PUT A *DATE* ON THE ARTICLE(S)!
Geez, how can we now how current the article is, if it doesn't have a date?

Tue, Oct 2, 2001 Geoffrey Chilanga Johannesburg

Very good article

Tue, Sep 25, 2001 Thomas L Andersen Anonymous

Excellent Article,
I hope he continues writing us about this sometimes hard-to-understnad security stuff, Are there more in the works from this author?

Tue, Sep 25, 2001 Salvatore Cagliari Germany

Great Informations at the right time. I have to begin a Securtity Scan soon. Thank you.

Fri, Sep 7, 2001 Anonymous Anonymous

i do not see the value of this article

Mon, Sep 3, 2001 Anonymous Anonymous

Excellent Info

Fri, Aug 31, 2001 Mike Siliconhell.com

Excellent article, explains stuff in an easy manner

Wed, Aug 29, 2001 Dean Mayo Edmonton, Canada

Excellent article. Very informative and well-written. This article has definitely narrowed down my own choice of scanning software.

Wed, Aug 29, 2001 Aaron Bell Thousand Oaks

Great article, well written & easy to understand.
Appears to be written from someone with experience that knows a good deal about the hacking tools that are out there and available to others.

Wed, Aug 29, 2001 Anonymous Anonymous

Very informative, great comparison of more than 3 products. Help in my decision to test port scanners.

Wed, Aug 29, 2001 Anonymous Anonymous

Clear and to the point. I found this article very useful.

Wed, Aug 29, 2001 Anonymous Anonymous

Concise and informative - very good.

Fri, Aug 24, 2001 Anonymous Anonymous

I wish I found this article earlier, it would have saved me an enormous amount of time!

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.