IN THIS CHAPTER
With vulnerability announcements being released at a dizzying pace, most organizations face an uphill battle when it comes to hunting down the security holes that reside on their systems. In an attempt to aid organizations in this ongoing quest, a number of commercial and open source efforts have risen to automate the process of vulnerability discovery. These vulnerability assessment tools, or scanners, come in many shapes and sizes, with varying degrees of accuracy. This chapter will outline some of the pros and cons of using these tools, as well as identify where their use can be helpful. We will also shed some light on what’s important when selecting such a tool to aid in the never-ending war to keep your environment secure.
Turn back the calendar to the early 1990s. The Internet is off the ground and running in universities. CERT is up and operational. The World Wide Web is more or less an experiment that is creeping into Gopher’s territory. Vendors are vehemently denying most security bugs, and Unix administrators are just beginning to feel the wrath of clever attackers. Internet security practices as we know them today are in their infancy, but the blueprints for modern day tool sets are being drawn up.
In 1992, a computer science student named Chris Klaus was experimenting with Internet security concepts. He created a scanning tool called Internet Security Scanner (ISS) that could be used to remotely probe Unix systems for a set of common vulnerabilities. In Chris’s words:
ISS is a project that I started as I became interested in security. As I heard about crackers and hackers breaking into NASA and universities around the world, I wanted to find out the deep secrets of security and how these people were able to gain access to expensive machines that I would think were secure. I searched [the] Internet for relative information, such as Phrack and CERT advisories. Most information was vague and did not explain how intruders were able to gain access to most systems. At most the information told administrators to make password security tighter and to apply the vendor’s security patches. They lacked real information on how an intruder would look at a site to try to gain access. Having talked with security experts and reading CERT advisories, I started trying to look for various security holes within my domain. To my surprise, I noticed that many of machines were adequately secured, but within a domain there remained enough machines with obvious holes that anyone wanted into any machine could attack the weak ‘trusted’ machine and from there could gain access to the rest of the domain. | ||
| --Chris Klaus (ISS v1.0 readme file, 1993). | ||
Although the cynic in me is inclined to ask what has changed since then (many of Chris’s observations still ring true today), ISS was one of the early, if not the first, remote vulnerability assessment scanners to be deployed en masse on the Internet. ISS looked for a few dozen common security holes and flagged them as issues to be resolved. Although a few people were nervous about the tool’s obvious power in the wrong hands, most administrators welcomed it with open arms.
A few years later, Dan Farmer (of COPS fame) and Wietse Venema (of TCP_Wrapper fame) authored a similar tool called SATAN (Security Administrator Tool for Analyzing Networks). SATAN essentially did the same thing as ISS, but had some advancements: a more mature scanning engine, a Web-based interface, and a wider assortment of checks. Unlike ISS, however, the pending release of SATAN became a media-crazed event. So hyped was its release that in April 1995 (the month it was officially released), Time magazine published an article on it and Dan Farmer. CERT even issued an advisory on its abilities (CA-1995-06). Many people feared that the release of SATAN would bring about total chaos on the Internet.
Obviously this was not the case, as SATAN’s release did little more than cause some extra traffic for a few days as people downloaded it, but this does show how the public’s attitude toward the Internet had changed in the intervening years. By 1995, commerce had begun in earnest and the real risk of monetary losses due to security became apparent.
NOTE
Oddly enough, although Farmer lost his job at SGI over SATAN, Klaus managed to use ISS to build a multimillion dollar security products juggernaut—Internet Security Systems (ISS).
Since then, the vulnerability assessment scene has continued to grow and mature. Today, there are more than a dozen scanners in circulation, each with its own set of strengths and weaknesses. The fundamental concepts, however, have not changed much since the early days of ISS and SATAN.
As you’ll see in both the Microsoft and Unix chapters, vulnerabilities come in many flavors. However, there are primarily two classifications for operating system vulnerabilities: ones that are local exposure points (host-level), and ones that are remote exposure points (remote-level).
In addressing remote exposure points, there are a number of methods one can use to approach the task of automated vulnerability scanning. For example, one approach might involve using a port-scanning tool such as Nmap, identifying the operating system, and then logging all the listening ports. The user would then be given a list of ports (21, 25, 53, 80, and so on) and an OS type (Linux Kernel 2.2). This approach has a few problems, however, as the user is left with a ton of data (port information) and no details as to what services are actually vulnerable. The user is simply given a blueprint of the system. Identifying what those listening services are, and whether they are vulnerable, is an exercise left to the user. For example, if my data set tells me that machine X is running the Linux 2.2 Kernel and has a service listening at port 21, I still have very little idea as to whether I am vulnerable to the any of the wu-ftpd buffer-overflow bugs. In fact, I don’t even know whether this particular system is running wu-ftpd—it might be running ProFTPd or glftpd, instead. So even when hunting down a single port, I still need to
Identify what is listening at that port,
Identify what version that service is,
Research whether there are any known vulnerabilities associated with that service and version number.
Although this approach might be feasible for a dozen machines or so, it obviously won’t work in mid- to large-sized organizations where thousands of machines are present. The task at hand then moves from difficult to impossible.
A more practical approach would be to build on the previous model of port scanning and OS identification, and then add some mechanism to identify the listening service types and versions. You would then have another piece of the puzzle completed. Going back to the wu-ftpd buffer overflow example, by identifying the service version, you would now know
That the server is Linux Kernel 2.2-based,
That port 21 is listening,
What the service type and version is.
Let’s say that your service query process informs you that you are using wu-ftpd v2.4.2. This gets you even closer, as now you simply need to research whether wu-ftpd v2.4.2 has any known vulnerabilities.
NOTE
You should note the difference between port scanning and vulnerability scanning. Although most vulnerability scanners do indeed scan for open TCP and UDP ports, this is only one of their many features. In contrast, although port scanners like Nmap are capable of performing some interesting feats (such as OS fingerprinting), they rarely contain any sort of vulnerability database. In short, most vulnerability scanners take port scanning a few steps farther.
The last remaining component to this process is research—knowing what versions of what services are vulnerable. In many ways, this ties into what attackers do: scan, query, research, and exploit. In this case, it turns out that wu-ftpd v2.4.2 is indeed vulnerable to a known attack type.
Based on the sheer number of known product vulnerabilities (estimated between 2,000–3,000 to date), creating a thorough system to properly identify and track all these product vulnerabilities is a fairly daunting task. The mining and managing of this vulnerability data presents the biggest challenge and the biggest argument for using an automated tool.
Although implementation details vary, based on these examples, you can deduce that there are a number of common components throughout most scanning approaches:
The vulnerability data—. Vulnerability assessment scanners have internal databases of vulnerability information that help them accurately identify remote system exposure points.
The scanning mechanism—. The technical guts of the scanner lie in its capability to properly identify services, subsystems, and vulnerabilities. Depending on how the scanner was written, it might not be efficient at scanning large ranges of machines.
The reporting mechanism—. Finding a problem is one thing; adequately reporting on it is something entirely different. Some products are stronger than others when it comes to clearly stating what they’ve discovered.
Some scanners will break this mold, but they are more often the exception than the rule.
NOTE
A more thorough—and definitely more dangerous—approach is to create a tool that looks for vulnerabilities and actually attempts to exploit them. SNI started going down this path with its original Ballista product. In theory, this would definitively end the problems associated with misdiagnosed vulnerabilities (also referred to as false positives). However, it could also bring about some serious chaos. For example, exploiting vulnerabilities such as the BIND NXT bug crashes the DNS server. If this particular exploit were implemented, all DNS servers running vulnerable versions of BIND would be disabled during every scan!
Like any product-purchasing decision, before answering the question of which product is right, you first need to decide your specific requirements. For example, if plotting vulnerability-remediation progress over time is something you want automated, then a product’s capability to log and plot multiple scan sets is a feature you need to look for. If you have a large NetWare environment, you might want to make sure that the scanner has NetWare-specific checks. If you have to scan 50–100 hosts, efficiency might not be an issue. However, if you need to scan thousands at a time, you’ll want to make sure the scanner can scale to that range. Again, many of these issues are specific to what you’ll need your vulnerability scanner to do.
There are also some common areas of concern that all products need to address. A few of the issues that you will come into contact with in choosing a vulnerability scanner include the following:
Completeness of the vulnerability checks—. I don’t recommend falling into the trap of playing the numbers game when picking a scanner. However, the number of vulnerabilities a scanner looks for is still important. At a bare minimum, scanners should look for the known critical vulnerabilities that allow for root/administrator-level compromises.
Accuracy of the vulnerability checks—. It’s important that scanners have a good set of vulnerability checks. However, a scanner’s capability to accurately identify those vulnerabilities is also important. Missing a bunch of holes is as undesirable as being forced to sift through a report identifying hundreds of nonexistent vulnerabilities. Like intrusion detection systems, some scanning products still have problems with false positives.
Scope of the vulnerability checks—. It should be noted that most vulnerability scanners are designed to discover remote vulnerabilities, not local (host-level) vulnerabilities. However, a few products like ISS and Webtrends have system-level agents that will also look for local vulnerabilities—vulnerabilities that would otherwise be undetectable by remote scans. Although these system agents often address a greater range of vulnerabilities, they also require installation, making them a management nightmare for large environments.
Timely updates—. Although scanners will always be one step behind the vulnerability announcements, they should be updated at a fairly regular (once per month or more) interval. You’ll want to look for a scanner that has a significant R&D team behind it that is consistently updating the product.
Reporting capabilities—. Finding vulnerabilities is important, but properly describing the problems and their subsequent fixes is also important—and so is the accurate ranking of the vulnerabilities. This is of particular concern for larger organizations because they usually rely on system administrators to remediate the discovered problem. Some scanners are now offering an autofix capability to download and install the needed patches through the application. PatchLink is one of the most advanced in this area.
Licensing and pricing issues—. Some of these products are licensed per node; some per server scanned; and some are free. Some of them have an easy licensing system (like NAI); others (like ISS) require a convoluted key-cutting system. Attempting to provide accurate prices and licensing information in this book would be an exercise in futility, as the vendors are constantly changing the terms. However, it should be noted that licensing issues should be thoroughly investigated before purchasing decisions are made, as some of these pricing schemes are just downright obnoxious. When in doubt, however, there is always Nessus, which is free.
No scanner that I know of has addressed all these issues well, but Nessus and Internet Security Scanner come pretty close.
TIP
In February 2002, Network World Fusion magazine released a fairly comprehensive analysis of these tools. Based on their requirements, eEye’s Retina won NWF’s Blue Ribbon Award. Harris Security Threat Avoidance Technology (STAT) was a close second. Nessus and IIS made a good showing, but were listed in the second tier because of their speed. You can find the story at http://www.nwfusion.com/reviews/2002/0204bgrev.html.
Just about every security tool discussed in this book has had a set of fundamental problems, and vulnerability scanners are no different. Knowing their limitations is as important as knowing their strengths.
The major shortcomings of these products can be grouped into three categories: completeness, timeliness, and accuracy. First, reviews of these products have shown that many of them catch a fairly high number of known vulnerabilities, but none of them are equipped to identify all of them.
TIP
You can view the SANS Top 20 list of common vulnerabilities at http://www.sans.org/top20.htm. Although not a definitive list by a long shot, it does list some of the more common holes found on machines today. They also compare how well scanners find them at http://www.sans.org/top20/tools.pdf.
Second, none of these products can be completely up to date. From the time a new vulnerability becomes known, it takes time to incorporate it into the product and release a new version. Some products are released on an as needed basis, or a fixed regular schedule—some as long as once per quarter. If a vulnerability is announced in January, your scanner might not be equipped to detect that vulnerability until March. That leaves you with two months to fend for yourself when it comes to scanning. Now, your internal threat identification effort should be on top of this problem anyway, but the point is that these scanners should not be your primary method of defense when it comes to hunting down remotely exploitable exposures. When you really get down to the fundamentals, these products can do nothing that a well-informed security specialist can’t do manually.
Another problem is that most modern-day scanners are simply implementing “banner-grabbing” techniques to identify service versions. This technique is arguably sufficient for most environments; however, it can create some interesting scenarios. For example, by simply telnetting to port 25 (SMTP mail) and port 21 (FTP), you can identify versions of these two services.
Note that these two machines appear to be running Microsoft Exchange 5.5 and version 4.0 of the Microsoft FTP server. However, many services such as BIND, sendmail, and wu-ftpd are now allowing administrators to change these banners in their configuration files. Although this is not a security threat, changing a default wu-ftpd banner to “Fabio’s favorite FTP Server v1.0” will completely confuse most vulnerability scanning tools. The strange and disturbing moral of this story is that if you want your scanners to be effective, don’t change your default banners.
In addition to changed-banner confusion, some companies choose to run well-known services on ports other than the standard port (HTTP servers on port 8080, for example). This can cause some scanners to fail. Some address this issue and test the type of service running on each port rather than making assumptions about standards. If your organization uses nonstandard ports, be certain that the product you choose has this feature.
Finally, these products still struggle with false positives. Frequently on large and diverse networks, vulnerability scanners will misfire and report on vulnerabilities that simply do not exist. Although it’s better to be safe than sorry, this does create some overhead as personnel then have to run around trying to hunt down phantom vulnerabilities.
In an ideal world, technology-purchasing decisions would be backed by proper requirement gathering, proper testing, and realistic budgeting. However, I’ve grown to realize that people rarely have the luxury of doing things the right way. It is for this very reason that I’ve picked what I consider to be the top vulnerability scanners on the market today, and listed them here. This is not to say that the other products won’t do a sufficient job—these are just my personal favorites based on my field experiences and testing. I still encourage the reader to perform a thorough investigation when choosing a product to adopt, but the list of products in the following sections should get you started.
eEye’s Retina is a relative newcomer to the field of vulnerability scanners; however, it has quickly moved near the top of the ranks because of its easy user interface, the speed of its scans, and its daily updates. You can set the application to check for and download the latest vulnerability definitions from eEye’s Web site with each run.
Retina does not make assumptions about the service protocols running on standard ports, but analyzes the traffic to determine what services are running. It also offers a scheduling function to run at given intervals. As it is minimally intrusive on the systems being scanned, it might make sense in your organization to automate scans.
eEye has a strong R&D department that has offered initial advisories about some new vulnerabilities. Plus, it’s added a feature called CHAM (Common Hacker Attack Methods), which attempts to find unknown vulnerabilities through AI-based heuristics. Personally, I don’t expect a whole lot from this feature, but it certainly can’t hurt.
Vendor: eEye Digital Security
Platform: Windows
URL: http://www.eeye.com
NetRecon complements Symantec’s existing line of firewall and intrusion detection suites. NetRecon’s strengths are its interface, strong reporting abilities, moderately sized vulnerability database, and its capability to perform what is often referred to as secondary exploitation—using knowledge gained from one server to assess another. Although it’s rare that I’ve found this last feature useful, it is something not seen in many other products.
NetRecon has traditionally not been as thorough as Nessus, Cybercop Scanner, or ISS, but it is still a fairly comprehensive scanning tool that can be quite useful. It can also report into Enterprise Security Manager (ESM), which can be used for more general risk assessment efforts.
Vendor: Symantec (formerly Axent)
Platform: Windows
ISS initially built its company on Internet Scanner, and it has historically been regarded as the de facto standard in the industry for vulnerability scanning. Internet Scanner has a strong reporting back end, and a comprehensive set of vulnerability checks. ISS has obviously spent as much time polishing the product as they have on the back end scanning engine itself. For example, the scanner provides a significant amount of background data on each vulnerability check.
Internet Scanner uses a Microsoft ODBC–based back end to store its scan data, which can be used later for doing long-term trending. As in NetRecon’s integration with ESM, Internet Scanner integrates with the ISS Decisions product. Combined with scanner data, ISS Decisions can be used in conjunction with other security products (firewalls, intrusion detection systems, and so on) to paint a more global picture of vulnerability and threat points.
Although Internet Scanner traditionally hasn’t had as many problems with false positives as other products, it does still lag behind on the update front. The other negative point worth mentioning is that in my experience, Internet Scanner appears to have become less stable in the 6.x series of releases. I’ve had numerous problems with it crashing during large scans, and occasionally I’ll have to clear out its internal database and start again clean before it will cooperate. It has always been recoverable, however.
It should be noted that ISS also makes two other scanning products, System Scanner and Database Scanner, although both are agent-based and incapable of scanning remote systems.
Vendor: Internet Security Systems, Inc.
Platform: Windows NT Workstation v4.0
URL: http://www.iss.net
Cybercop Scanner’s roots come from NAI’s (Network Associates, Inc.) acquisition of SNI (Secure Networks, Inc.) and their Ballista product. Although Cybercop Scanner has an impressive number of vulnerability checks and moderate reporting abilities, it also comes with a number of surprisingly useful tools. Two of the tools that are of particular interest are CASL and the SMB grinder. CASL enables the GUI-based construction of IP packets, whereas the SMB grinder is similar to the password-cracking capabilities of L0phtCrack.
Cybercop’s primary downsides are its lack of some fundamentally important vulnerability checks, and its bizarre licensing scheme. NAI usually tries to sell Cybercop on a per-node basis, as opposed to a per-number-of-servers-scanned basis. This can create some horrendously high pricing schemes, depending on the alignment of the stars and the salesperson’s current commission plan.
Vendor: Network Associates, Inc.
Platform: Windows NT and Unix
URL: http://www.nai.com
Nessus was written by Renaud Deraison, an open source author living in Paris, France. Renaud discovered Linux at age 16 and has been hacking it ever since. In 1996, Renaud began attending 2600 meetings and subsequently developed a strong interest in security. This spawned a partnership between Renaud and two other programmers, and together they wrote their first auditing tool in 1997. After tackling that project, Renaud conceived Nessus in early 1998.
Nessus is quickly becoming the Linux of the vulnerability-scanning field. Driven by the open source movement, Nessus wasn’t much to speak of a few years ago, but is now gaining ground on—and sometimes surpassing—its commercial counterparts. Nessus employs an extensible plug-in model that enables the security community to add scanning modules at will. This gives Nessus a development edge, because any check that it doesn’t have can be created by anyone with some time and coding abilities on their hands.
Nessus uses a console-engine model, and the console can reside on the same computer as the scanning engine. This distributed architecture allows for some interesting flexibility, as you don’t need to be anywhere close to the scanning engine to control it.
At the time of this writing, Nessus had more than 500 vulnerability checks, some of which still aren’t available in the commercial scanning tools. Depending on how the development efforts continue to progress, Nessus could surpass commercial scanners in overall thoroughness in the near future.
Platform: Unix (Windows console available)
Whisker was written by a hacker by the name of rain forest puppy (rfp), who has carved out a niche for himself discovering Web-based vulnerabilities. Whisker doesn’t fit the general definition of a vulnerability scanner, as it is specifically focused on scanning for known vulnerable CGI scripts. In fact, the only things it looks for are vulnerable CGI scripts. However, its list of CGI checks is more comprehensive than all the commercial scanners combined. Because of this, I highly recommend you use Whisker in addition to a mainstream scanner.
Vendor: Open source—rfp labs
Platform: Windows and Unix
The following is a list of scanners that are up-and-coming (although this is not as comprehensive a list as the previous one). I encourage the reader to continue to monitor the progress of these products, and test them whenever possible.
Platform: Windows
Platform: Windows
Vendor: Cisco Systems
Platform: Windows
URL: http://www.cisco.com
Platform: Unix
URL: http://www.wwdsi.com
Vendor: Advanced Research Corporation (open source)
Platform: Unix
URL: http://www-arc.com
Vendor: Harris
Platform: Windows and Unix
URL: http://www.netiq.com
Although vulnerability scanners are by no means an all-encompassing solution to identifying vulnerabilities and locking down systems, they can still be extremely valuable tools. As with any security tool, however, one should be aware of the weaknesses these tools exhibit. They are consistently behind when it comes to vulnerability announcements, they do not always report information accurately, they have false positives, and they are not exhaustive when it comes to the depth of their vulnerability data. Using a scanner in conjunction with a solid vulnerability identification effort and a solid set of system lockdown procedures, however, will result in a strong strategy for combating the overall problem.