Cisco Secure Scanner Features

The Cisco Secure Scanner (formerly Cisco NetSonar) is a software application that offers a complete suite of network scanning tools designed to run on either Windows NT or Solaris.

In network scanning, one host is configured as the scanner and probes all of the network, or a configurable part of it (depending on the scanner), for known security weaknesses. A scanner of this kind is a valuable asset in securing an Internet-connected network.

Cisco Secure Scanner follows a six-step process to identify any possible network vulnerabilities:

Step 1. Network mapping

Step 2. Data collection

Step 3. Data analysis

Step 4. Vulnerability confirmation

Step 5. Data presentation and navigation

Step 6. Reporting

Step 1: Network Mapping

Network mapping is the process that Cisco Secure Scanner uses to identify hosts. At this point, you provide the range of IP addresses that make up the network you wish to scan. These addresses do not have to be on your local network; they can be any remote addresses, provided that the scanner has network-layer (IP) reachability to them. A network-layer connectivity test such as ping is the usual quick check, although, as described later in this section, a firewall may block the ping even when the hosts are reachable.

Cisco Secure Scanner allows you to enter either single IP addresses or a complete range of IP addresses. You also have the option to exclude IP addresses or ranges to further simplify your scan.

Figure 7-1 shows you the network mapping configuration screen from the Cisco Secure Scanner.

Figure 7-1. Network Mapping Screen


You can see in Figure 7-1 that a session has been created for the IP address range 194.73.134.1 to 194.73.134.255; this is the first configuration line. Note that the second and third configuration lines both have the Excluded Address checkbox selected, which means that the addresses specified on those lines are removed from the range. The second configuration line excludes a single address, because IP Address Begin and IP Address End are the same. The third configuration line excludes the range 194.73.134.211 to 194.73.134.214. The addresses that remain in the scan are shown in Table 7-1.

Table 7-1. IP Addresses Included in the Scan

IP Address Begin     IP Address End
194.73.134.1         194.73.134.199
194.73.134.201       194.73.134.210
194.73.134.215       194.73.134.255

This leaves the set of IP addresses that will make up the scan.
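The include/exclude arithmetic behind Table 7-1 as working code. This is an added example for this chapter, not Cisco Secure Scanner code: it takes the configuration lines of Figure 7-1 as (begin, end, excluded) rows, subtracts every excluded row from every included row, merges what is left into contiguous ranges, and counts the resulting hosts so the total can be checked against the host license before a scan starts. The text does not print the single excluded address on the second configuration line; 194.73.134.200 is inferred here from Table 7-1.

```python
"""Resolve a session's include/exclude rows (the layout of Figure 7-1) into the
contiguous address ranges that will actually be scanned (the layout of Table 7-1).
Added example for this chapter; it is not Cisco Secure Scanner code."""
from ipaddress import IPv4Address


def _to_int(addr):
    return int(IPv4Address(addr))


def scan_ranges(session_rows):
    """session_rows: (begin, end, excluded) tuples, one per configuration line.
    Returns sorted, merged (begin, end) string pairs that remain in the scan."""
    included, excluded = [], []
    for begin, end, is_excluded in session_rows:
        lo, hi = _to_int(begin), _to_int(end)
        if lo > hi:
            raise ValueError(f"IP Address Begin {begin} is after IP Address End {end}")
        (excluded if is_excluded else included).append((lo, hi))

    pieces = []
    for lo, hi in included:
        remaining = [(lo, hi)]
        for xlo, xhi in excluded:
            cut = []
            for plo, phi in remaining:
                if xhi < plo or xlo > phi:      # exclusion does not touch this piece
                    cut.append((plo, phi))
                    continue
                if plo < xlo:                   # keep the part before the exclusion
                    cut.append((plo, xlo - 1))
                if xhi < phi:                   # keep the part after the exclusion
                    cut.append((xhi + 1, phi))
            remaining = cut
        pieces.extend(remaining)

    # Merge overlapping or adjacent pieces left over from several include rows.
    merged = []
    for lo, hi in sorted(pieces):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(hi, merged[-1][1]))
        else:
            merged.append((lo, hi))
    return [(str(IPv4Address(lo)), str(IPv4Address(hi))) for lo, hi in merged]


def host_count(session_rows):
    """Number of addresses the session will touch; compare this against the
    host license (2500 hosts in the text) before starting the scan."""
    return sum(_to_int(e) - _to_int(b) + 1 for b, e in scan_ranges(session_rows))


# The three configuration lines of Figure 7-1. The text does not print the
# single excluded address; 194.73.134.200 is inferred from Table 7-1.
FIGURE_7_1_SESSION = [
    ("194.73.134.1", "194.73.134.255", False),
    ("194.73.134.200", "194.73.134.200", True),
    ("194.73.134.211", "194.73.134.214", True),
]

if __name__ == "__main__":
    print(f"{'IP Address Begin':<20}{'IP Address End'}")
    for begin, end in scan_ranges(FIGURE_7_1_SESSION):
        print(f"{begin:<20}{end}")
    print("hosts in scan:", host_count(FIGURE_7_1_SESSION))
```

The exclusion rows are applied to every include row, so their order in the session does not matter, and a row whose exclusion swallows an entire include range produces nothing rather than an inverted range.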

There are two ways the network map can be built from these addresses. The first, and the default, is to test each address with the network tool ping. The second, optional, method is to force the scan.

You have created your range of IP addresses for the scan, but are all of those addresses really live hosts? By default, the scanner resolves this by testing every address for basic network connectivity. The simplest way to do this, and the one the scanner employs, is to send an Internet Control Message Protocol (ICMP) Echo Request to each configured address; this is commonly known as a ping. If the scanner receives an ICMP Echo Reply, it treats the address as a live host and adds it to the network map.

This looks like a simple and effective test that saves the scanner time and resources otherwise spent scanning addresses that are unassigned or whose hosts are powered off.

It is not always enough, however. Many firewalls, especially those protecting Internet-facing services, are configured to drop all ICMP traffic to their protected interfaces (the interfaces behind which the security policy shields resources from external networks), so a live host behind such a firewall never answers the Echo Request.

The simple Internet service displayed in Figure 7-2 shows this scenario.

Figure 7-2. Simple Web Service


You can see in Figure 7-2 that the Internet firewall blocks all TCP, UDP, and ICMP traffic destined for the internal network except HTTP on TCP port 80. A standard scan of 194.73.134.100 would fail here: the scanner would send an ICMP Echo Request to 194.73.134.100, no Echo Reply would return, and the scanner would conclude that there is no host at that address and move on to the next one, leaving the Web server unscanned.

Figure 7-3 slightly complicates Figure 7-2 by adding another interface to the firewall, the DMZ, and also an Internet mail server on the DMZ firewall interface.

Figure 7-3. Expanded Simple Web Service


There are now two basic firewall rules in the security policy: to restrict all traffic except TCP port 80 to the internal interface, and to allow all traffic to the DMZ interface. These two distinct rules will alter the way the network map is created.

Cisco Secure Scanner has a feature to force a scan against an address, which is exactly what this case needs. When you force a scan, the address is treated as a live host and probed without the ICMP Echo test, so a host whose firewall drops ICMP is still scanned. Forcing is best reserved for addresses you know to be in use, because a forced range of empty addresses simply wastes the scan time the ping test was meant to save.

Figure 7-4 shows the correct session configuration to scan the networks shown in Figure 7-3.

Figure 7-4. Session Configuration


You can see that two ranges have been defined. The first range is for the Web server farm, 194.73.134.100 to 194.73.134.110. Note that the Force Scan checkbox is selected, which means that all of these hosts will be probed whether or not they answer an ICMP Echo Request. The second range identifies the Internet mail server on 194.73.134.111. An ICMP Echo Request will be sent to this machine to ascertain whether it is running, which works because the DMZ rule in Figure 7-3 permits all traffic to that interface.

Cisco Secure Scanner is licensed by the number of hosts it may scan. The version used here carries a 2500-host license, which allows up to 2500 hosts in one session.

Step 2: Data Collection

Once the network mapping stage is complete, the scanner has a list of hosts that either answered the ICMP Echo Request or were marked for a forced scan. The scanner now gathers data from these hosts.

The data is collected by running a series of port scans against the valid hosts.

NOTE

A port scan can be defined as a way of identifying which services are running on a remote machine by testing connections to each port on that machine. Most network services have a well-known port, either TCP, UDP, or both, associated with them. These ports and their associated services are listed in the services text file, found in the /etc directory on a UNIX system (/etc/services) or in the C:\winnt\system32\drivers\etc folder on a Windows NT system.


The port scan will identify which services are running on the remote hosts. This information is added to the scanner's database for analysis.

Cisco Secure Scanner provides a configurable set of options for data collection. Figure 7-5 shows the data capture configuration screen.

Figure 7-5. Data Capture Configuration


You can see in Figure 7-5 that there are five possible choices for the TCP data collection phase or port scan:

  • None— This setting does not run a port scan for data collection, so no port data is recorded. The hosts are only checked by the scanner probes that look for well-known vulnerabilities.

  • Low Ports— The ports 1 to 1024 are considered low ports, and most default network services operate here. For example, HTTP is TCP port 80, SMTP is TCP port 25, and Telnet is TCP port 23.

  • Well-Known Ports— This setting selects ports that have well-known services associated to them. This includes all ports that can be found in the Services file.

  • Low Plus Well-Known Ports— With this setting, all ports from 1 to 1024 are scanned, as well as well-known ports above 1024.

  • All Ports— This scans all available ports from 1 to 65,535. This is a very time-consuming port scan, but it will guarantee that you scan the port you are looking for.

UDP offers fewer scanning options than TCP because UDP is connectionless: there is no handshake to confirm that a port is open. An open UDP port usually returns nothing to an empty probe, and a closed one can only be recognized by an ICMP Port Unreachable message, which many hosts rate-limit and firewalls often drop, so UDP results are slower to obtain and less certain. Although UDP has its advantages, most network applications rely on the more robust, connection-oriented TCP as their transport protocol.

The UDP options are:

  • None— This setting does not run a port scan for data collection, so no port data is recorded. The hosts are only checked by the scanner probes that look for well-known vulnerabilities.

  • Well-Known Ports— This setting selects ports that have well-known services associated with them. This includes all ports that can be found in the Services file.

Once you have selected the required ports for both TCP and UDP, the port scan is ready to commence.
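The data-collection step as working code, added here as an illustration and not taken from Cisco Secure Scanner: a TCP connect scan whose port set follows the Figure 7-5 options, fed by a services file parsed in the /etc/services format, with the Figure 7-4 force-scan switch deciding whether the ICMP liveness test of the network-mapping stage runs first. The services excerpt is constructed, `icmp_echo` shells out to the system ping command because raw ICMP sockets need administrator rights, and the scan performs TCP connect probes only (no UDP).

```python
"""Data collection: a TCP connect port scan driven by the port-set options of
Figure 7-5, preceded by the network-mapping liveness test (ICMP echo) unless
the address is force-scanned as in Figure 7-4. Added example for this chapter;
it is not Cisco Secure Scanner code and does only TCP connect probes."""
import platform
import socket
import subprocess
from concurrent.futures import ThreadPoolExecutor

# Constructed excerpt in the format of /etc/services (UNIX) and
# C:\winnt\system32\drivers\etc\services (Windows NT); the real file is longer.
SAMPLE_SERVICES = """\
# name          port/proto   aliases    # comment
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp       mail
domain          53/tcp
domain          53/udp
finger          79/tcp
http            80/tcp       www
snmp            161/udp
https           443/tcp
microsoft-ds    445/tcp
shell           514/tcp      cmd        # rsh
ms-sql-s        1433/tcp
mysql           3306/tcp
ms-wbt-server   3389/tcp
"""


def parse_services(text):
    """Return {'tcp': {port: name}, 'udp': {port: name}} from services-file text."""
    table = {"tcp": {}, "udp": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments; blanks fall through
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto in table and port.isdigit():
            table[proto].setdefault(int(port), fields[0])
    return table


def select_ports(option, proto, services):
    """Port list for one Figure 7-5 option. 'low' is 1-1024 as the scanner
    defines it (IANA's well-known range is 0-1023). UDP offers only 'none'
    and 'well-known', as the text describes."""
    if proto == "udp" and option not in ("none", "well-known"):
        raise ValueError("UDP collection supports only 'none' and 'well-known'")
    low = set(range(1, 1025))
    well_known = set(services[proto])
    choices = {
        "none": set(),
        "low": low,
        "well-known": well_known,
        "low+well-known": low | well_known,
        "all": set(range(1, 65536)),
    }
    return sorted(choices[option])


def icmp_echo(host, timeout=1):
    """Default network-mapping test: one ICMP Echo Request via the system ping
    command. A firewall that drops ICMP makes this False even when the host is up."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", host], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout + 2)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def tcp_connect(host, port, timeout=0.5):
    """One TCP connect probe; True if the three-way handshake completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def port_scan(host, ports, force=False, alive=icmp_echo, connect=tcp_connect, workers=32):
    """Return (mapped, open_ports). Without force, a host that does not answer
    the echo is dropped from the map and never port-scanned (the Figure 7-2
    failure). With force the liveness test is skipped entirely."""
    if not force and not alive(host):
        return False, []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, connect(host, p)), ports))
    return True, [p for p, is_open in results if is_open]


def open_local_listener():
    """Helper for a self-contained demonstration: a listening TCP socket on
    127.0.0.1 and the port the kernel assigned to it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    svc = parse_services(SAMPLE_SERVICES)
    srv, port = open_local_listener()
    ports = select_ports("low+well-known", "tcp", svc) + [port]
    mapped, found = port_scan("127.0.0.1", ports, force=True)
    print("mapped:", mapped, "open TCP ports:", found)
    srv.close()
```

Only scan hosts you are authorized to scan; the `__main__` block scans the local machine against a listener it opens itself. A connect scan completes the handshake, so every probe is visible to the target service and to any intrusion detection system in the path.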

Step 3: Data Analysis

At this stage, the network map is complete and the valid hosts have been scanned for the network services running on them. This data has been collected and is stored in the internal scanner database. The Cisco Secure Scanner now analyzes this stored information for the following:

  • Network devices— All network devices within the network map are identified. The software can identify routers, switches, firewalls, network servers, printers, desktops, and workstations.

  • Operating systems— The scanner fingerprints each host to identify the operating system it is running.

  • Network services— All network services found on each host are analyzed. Almost every host exposes some network services, because they are how clients reach it; a firewall between the scanner and the host may hide some of them from the scan.

  • Potential vulnerabilities— Through passive analysis, Cisco Secure Scanner identifies potential vulnerabilities based on the data that has already been collected at the data collection stage. These passive vulnerabilities include:

    - Known security vulnerabilities in operating systems such as Windows NT and Linux

    - Misconfigured network devices such as firewalls and routers

    - Service-based vulnerabilities for public services such as File Transfer Protocol (FTP) and Remote Shell (RSH)

    - Problems with the Sendmail UNIX application

    - System misconfiguration

    - Reconnaissance services, such as finger, that might be used by hackers

The analysis is carried out by comparing the collected data with the built-in rules base, much as a signature-based virus scanner compares files with its signatures. Any match between the data and a rule indicates a potential vulnerability. Once the potential vulnerabilities have been identified, the next step actively checks the hosts to confirm them.
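The passive analysis step as working code, added here to illustrate the rules-base matching the text describes; it is not Cisco Secure Scanner's rules base and the rules name no specific product vulnerability. Each rule is a predicate over what data collection recorded for a host (identified operating system, service names, and service banners), following the categories listed above (reconnaissance services such as finger, RSH and FTP exposure, Sendmail, operating system identification). The hosts and banners are constructed; 194.73.134.2 loosely mirrors the host shown later in the grid of Figure 7-7.

```python
"""Data analysis: compare collected host data against a rules base, the
signature-style matching described in Step 3. The rules and hosts below are
constructed for this example; they are not Cisco Secure Scanner's rules base
or NSDB entries and name no specific product vulnerability."""
import re
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    os: str = "unknown"                                   # from OS identification
    services: dict = field(default_factory=dict)          # {(port, proto): service}
    banners: dict = field(default_factory=dict)           # {(port, proto): banner}


@dataclass
class Rule:
    rule_id: str
    title: str
    severity: int                 # 1 = informational ... 4 = severe
    service: str = None           # service name that must be present
    os_pattern: str = None        # regex the identified OS must match
    banner_pattern: str = None    # regex the matching service's banner must match
    countermeasure: str = ""

    def matches(self, host):
        """Return the (port, proto) keys on this host that satisfy the rule
        ([None] for an OS-only rule, [] for no match)."""
        if self.os_pattern and not re.search(self.os_pattern, host.os, re.I):
            return []
        if self.service is None:
            return [None]
        hits = []
        for key, name in host.services.items():
            if name != self.service:
                continue
            if self.banner_pattern and not re.search(
                    self.banner_pattern, host.banners.get(key, ""), re.I):
                continue
            hits.append(key)
        return hits


# Constructed rules base following the categories listed in Step 3.
RULES = [
    Rule("RECON-FINGER", "finger service exposed", 2, service="finger",
         countermeasure="Disable finger; it lets an attacker enumerate valid user names."),
    Rule("SVC-RSH", "rsh (shell) service exposed", 4, service="shell",
         countermeasure="Disable rsh; it relies on host-based trust and cleartext."),
    Rule("SVC-FTP-CLEAR", "FTP service exposed", 2, service="ftp",
         countermeasure="FTP sends credentials in cleartext; restrict or replace it."),
    Rule("SMTP-SENDMAIL-BANNER", "Sendmail version disclosed in SMTP banner", 1,
         service="smtp", banner_pattern=r"\bSendmail\b",
         countermeasure="Check the disclosed version against vendor advisories; hide it."),
    Rule("OS-NT4", "Windows NT 4.0 identified", 1, os_pattern=r"Windows NT 4\.0",
         countermeasure="Confirm the service pack level at the confirmation stage."),
]


def analyze(hosts, rules):
    """Passive analysis: one finding per (host, rule, matching service),
    most severe first. Nothing is sent to the hosts."""
    findings = []
    for host in hosts:
        for rule in rules:
            for key in rule.matches(host):
                findings.append({"ip": host.ip, "rule": rule.rule_id,
                                 "severity": rule.severity, "title": rule.title,
                                 "service": key, "countermeasure": rule.countermeasure})
    findings.sort(key=lambda f: (-f["severity"], f["ip"], f["rule"]))
    return findings


# Constructed scan data; banners and addresses are invented for the example.
HOSTS = [
    Host("194.73.134.2", "Windows NT 4.0",
         {(21, "tcp"): "ftp", (139, "tcp"): "netbios-ssn"}),
    Host("194.73.134.5", "Linux",
         {(25, "tcp"): "smtp", (79, "tcp"): "finger", (514, "tcp"): "shell"},
         {(25, "tcp"): "220 mail.example.test ESMTP Sendmail 8.9.3/8.9.3; ready"}),
    Host("194.73.134.100", "unknown", {(80, "tcp"): "http"}),
]

if __name__ == "__main__":
    for f in analyze(HOSTS, RULES):
        print(f"{f['ip']:<16} sev={f['severity']} {f['rule']:<22} {f['title']}")
```

Because the rules only read data already collected, every finding is a potential vulnerability in the sense the text uses: a Sendmail banner, for example, shows which version the server claims to run, and only the active probes of Step 4 can confirm whether that version is actually vulnerable.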

Step 4: Vulnerability Confirmation

Cisco Secure Scanner contains a vulnerability exploit engine that actively probes the network to confirm the presence of known vulnerabilities. These probes run against all hosts identified at the network mapping stage, including any hosts that were configured for a forced scan.

Cisco Secure Scanner has nine built-in active probe profiles:

  • All Heavy— The All Heavy profile selects all of the active probes for both UNIX and Windows machines.

  • All Light— The All Light profile selects the active probes that are considered to be common known problems for both UNIX and Windows machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.

  • All Severe— The All Severe profile selects the active probes that are considered to be severe known problems for both UNIX and Windows machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.

  • UNIX Heavy— The UNIX Heavy profile selects all of the active probes for UNIX machines.

  • UNIX Light— The UNIX Light profile selects the active probes that are considered to be common known problems for UNIX machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.

  • UNIX Severe— The UNIX Severe profile selects the active probes that are considered to be severe known problems for UNIX machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.

  • Windows Heavy— The Windows Heavy profile selects all of the active probes for Windows machines.

  • Windows Light— The Windows Light profile selects the active probes that are considered to be common known problems for Windows machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.

  • Windows Severe— The Windows Severe profile selects the active probes that are considered to be severe known problems for Windows machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.

Each of these profiles contains a preconfigured selection of the active probes.

In addition to the built-in probes, you can also create a customized probe by selecting an existing profile and then adding or removing individual probes.

NOTE

By default, the active probes are disabled. You have to enable the active probes and then choose your profile. The All Heavy profile is the default active probe profile.


Figure 7-6 shows the active probe configuration screen.

Figure 7-6. Active Probe Configuration


In Figure 7-6, you can see that active probes are enabled, indicated by the selected Enable active probes checkbox. Beneath it is the Active Probe Profile drop-down list; the figure shows the All Heavy profile selected.

NOTE

The active probes used at the vulnerability confirmation stage are intrusive to the network being scanned. This is important to understand, because they can raise alarms on any intrusion detection system watching that network, so whoever monitors it should know a scan is scheduled. Although the probes are intrusive, no denial of service (DoS) probe with destructive effects is carried out.


After configuring the active probe profile, the scan is fully configured. Clicking the OK button as shown in Figure 7-6 will start the scan.

The scan will start by mapping the network, then it will collect and analyze the data. At this point, the data is ready for presentation and reporting.

Step 5: Data Presentation and Navigation

By now, the data has been collected and analyzed, and what makes the scan worthwhile is examining the results. Cisco Secure Scanner provides three presentation tools for this:

  • Grid browser

  • Charts

  • Network Security Database (NSDB)

The following three sections look at each of these tools and provide samples of each.

Grid Browser

The grid browser is a spreadsheet-style grid that contains all of the data collected and analyzed in the preceding four stages.

Figure 7-7 shows the grid browser.

Figure 7-7. Grid Browser


The grid browser in Figure 7-7 has been configured to display the Service/Host relationship. The identified services are shown down the left side (y-axis), and the identified hosts that make up the network map are on the top (x-axis). The presence of a 1 in the grid indicates that the specified service was found on the specified host.

From this example, you can see that the host 194.73.134.2 had the following services running:

  • NT domain controller

  • FTP

  • Windows server service

  • Windows workstation service

From these services it is clear that this machine is a Windows NT server acting as a domain controller in a Windows NT domain.

Overall, there are 42 prebuilt grid configurations that you can select to view your data. There are numerous controls that can change the way the data is viewed within each grid configuration. Figure 7-8 shows a different grid configuration.

Figure 7-8. An Alternate Grid Browser Configuration


The example in Figure 7-8 shows the OS/Host relationship with the totals turned on. You can quickly see that there were three unknown operating systems, four Windows operating systems, one Windows NT 4.0 operating system, and one Windows NT 5 (Windows 2000) operating system, giving a total of nine hosts in the scan.

The grid data can be saved, creating an HTML report that is an exact replica of the grid that was viewed.
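The two grid configurations shown in Figures 7-7 and 7-8, and the HTML save described above, as working code. This is an added example for this chapter, not Cisco Secure Scanner code: a Service/Host cross-tabulation with a 1 where a service was found, an OS/Host cross-tabulation with a Total column, and an HTML renderer. The scan data is constructed to reproduce the nine-host totals of Figure 7-8; the service names are invented labels. The renderer escapes every label, because host names, OS strings and banners come from the scanned network and must not be able to inject markup into a report that will later be opened in a browser.

```python
"""Data presentation: the grid browser's cross-tabulations (Service/Host as in
Figure 7-7, OS/Host with totals as in Figure 7-8) and the HTML save the text
describes. Added example for this chapter, not Cisco Secure Scanner code;
the scan results below are constructed."""
import html

# Constructed results: (host, identified OS, services found on it).
SCAN = [
    ("194.73.134.1", "Windows", ["smb-server", "smb-workstation"]),
    ("194.73.134.2", "Windows NT 4.0",
     ["nt-domain-controller", "ftp", "smb-server", "smb-workstation"]),
    ("194.73.134.3", "Windows", ["smb-workstation"]),
    ("194.73.134.4", "Windows", ["smb-server", "smb-workstation"]),
    ("194.73.134.5", "unknown", ["finger", "shell", "smtp"]),
    ("194.73.134.6", "Windows NT 5", ["smb-server", "smb-workstation", "http"]),
    ("194.73.134.7", "Windows", ["smb-workstation"]),
    ("194.73.134.100", "unknown", ["http"]),
    ("194.73.134.111", "unknown", ["smtp"]),
]


def service_host_grid(scan):
    """Rows = services (y-axis), columns = hosts (x-axis), cell 1 if found.
    Returns (columns, rows, cells) with cells[row][column]."""
    hosts = [h for h, _, _ in scan]
    services = sorted({s for _, _, svcs in scan for s in svcs})
    found = {(s, h) for h, _, svcs in scan for s in svcs}
    cells = {s: {h: int((s, h) in found) for h in hosts} for s in services}
    return hosts, services, cells


def os_host_grid(scan, totals=True):
    """Rows = operating systems, columns = hosts, plus a Total column when
    totals are turned on (the Figure 7-8 view)."""
    hosts = [h for h, _, _ in scan]
    systems = sorted({os_name for _, os_name, _ in scan})
    cells = {o: {h: int(os_name == o) for h, os_name, _ in scan} for o in systems}
    if totals:
        for o in systems:
            cells[o]["Total"] = sum(cells[o][h] for h in hosts)
        hosts = hosts + ["Total"]
    return hosts, systems, cells


def grid_to_html(title, columns, rows, cells):
    """Render a grid as an HTML table. Every label is escaped so that data
    learned from the network cannot inject markup or script into the report."""
    header = "".join(f"<th>{html.escape(c)}</th>" for c in columns)
    out = [f"<h2>{html.escape(title)}</h2>", "<table>", f"<tr><th></th>{header}</tr>"]
    for r in rows:
        body = "".join(f"<td>{html.escape(str(cells[r].get(c, '')))}</td>" for c in columns)
        out.append(f"<tr><th>{html.escape(r)}</th>{body}</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    cols, rows, cells = os_host_grid(SCAN)
    print(grid_to_html("OS/Host (totals on)", cols, rows, cells))
```

A saved grid is an HTML file that will be opened by whoever reads the report, so the escaping is not cosmetic: a host that advertises a crafted name or banner would otherwise run script in the reviewer's browser.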

Charts

Besides viewing the data in the grid, you can also create charts from it. To do this, you first have to define the grid browser to display the data you want to chart. The Chart button on the toolbar becomes active when you select the data required for the chart from the grid browser. The following types of charts can be created:

  • Area

  • Line

  • 3-D bar graph

  • Pie chart

  • 2.5-D column

  • 3-D column

  • 3-D horizontal row

  • Stacked bar

  • Stacked area

The charts provide a graphical representation of the grid data and can be used later at the reporting stage to add more clarity to printed and electronic reports.

Network Security Database (NSDB)

The NSDB is an HTML-based resource that is installed along with Cisco Secure Scanner. It contains information about the known vulnerabilities the scanner checks for, as well as links to other security resources on the Internet. Figure 7-9 shows the main screen of the NSDB.

Figure 7-9. NSDB


Figure 7-9 shows the main NSDB index page, which displays the vulnerability index. The warning icon indicates the severity level, and the title is the name of the vulnerability. Clicking any listed vulnerability gives you further information about it. Figure 7-10 shows the information displayed after clicking the Default Dangerous Accounts vulnerability.

Figure 7-10. NSDB Default Dangerous Accounts Vulnerability


You can see in this example that the NSDB provides a description of the vulnerability, along with its consequences and the countermeasures that correct it. The NSDB is an excellent resource for gaining an overview of the vulnerabilities the scanner knows about, and its many links to security resources on the Internet make it a useful starting point for further reading.

Step 6: Reporting

Cisco Secure Scanner has a built-in reporting wizard that can be used to create various reports based on the collected and analyzed data. These reports add real value to the collected data and provide you with a professional-looking report that can be used to explain the findings of the scan both technically and nontechnically.

Three main report types can be created:

  • Executive Summary— The Executive Summary provides a brief executive-level report on the findings of the scan. The content is not very technical in nature and is geared toward senior nontechnical management.

  • Brief Technical Report— The Brief Technical Report is a concise technical report without the Executive Summary and other explanatory sections. It presents a basic technical report of the findings and vulnerabilities, along with the required action to remedy the vulnerabilities.

  • Full Technical Report— The Full Technical Report contains the Executive Summary and other explanatory sections, as well as the full technical aspects regarding the discovered vulnerabilities. This can be a lengthy document if the findings are copious, but in the author's opinion, this is the most useful of the three reports.

Figure 7-11 shows the result of a Full Technical Report.

Figure 7-11. Full Technical Report Showing Part of the Table of Contents


All of these reports can be customized using the wizard to add and remove content. Previously saved grid browsers and charts can also be incorporated within the report, further enhancing the quality of the report.
