|
|
|
|
|
|
| ISP Resources |
| ISP-Lists ISP Glossary ISP News The List ISPCON Events Free Newsletters |
|
|
|
||
| internet.commerce | ||
|
Partner With Us |
Security Tools for the Budget Conscious ISP, Part II: Vulnerability Assessment and Audit
In this article we identify the tools that are available to you as you examine your system's vulnerabilities before and after an attack.
VP Core Competence, Inc. [January 30, 2004] |
 |
As described in Part 1 of this article, open source and shareware tools can help to bridge gaps between need and budget. To put together a good security toolbox, you'll want to gather a variety of security utilities, ranging from vulnerability assessment and audit to traffic analysis and forensics.
Here in Part 2, we identify both commercial products and freely-available tools in the first two categories. We also illustrate a few open source and shareware tools.
Vulnerability Scan and Assessment Services
You can conduct your own vulnerability scan or contract a third party to do
it for you. Ad hoc in-house testing can cost less, but a trained third-party
can spot vulnerabilities you might otherwise overlook and offer expert advice
on how to fix them.
When outsourcing, request an example of the report that will be delivered—it should describe executed tests, discovered problems, associated risk levels, and recommended fixes. Beware of services that add little value to shareware scanner output.
Commercial vulnerability scanning and assessment services are widely available, ranging from automated vulnerability scans to customized on-site testing and consultation. Here's a diverse, far-from-exhaustive list of commercial services:
- Cable & Wireless Vulnerability Scan Service
- Foundstone Internet Vulnerability Assessment
- Infomatika V.Scan Service
- Network Associates CyberCop ASAP
- Qualys QualysGuard
- Procinct ProSentry Network Vulnerability Testing
- ScannerX Vulnerability Assessment Services
- SecurityMetrics Vulnerability Assessments
To learn more about managed vulnerability services, see our 2003 Managed Security Service Provider Survey. A thorough vulnerability assessment is much more than just a quick scan-and-report. But, if that's all you need, here are some free vulnerability scan services:
- Gibson Research ShieldsUp is a fast, free, and rather superficial Web-based scan-on-demand service. ShieldsUp is designed for home users to check Internet-connected PCs, but can be used to scan Internet-facing firewalls and servers too. To view sample ShieldsUp output, click here.
- QualysGuard Free Scan Services include remote scans for Real-Time Top 10 vulnerabilities, SANS Top 20 CVEs, Slammer, Slapper, and Nimda. Free services are provided by Qualys to promote their more extensive commercial services.
- Secunia Online Vulnerability Scanner is a free on-line vulnerability scan-and-report service based on Nessus. Secunia also offers several commercial security services, including a vulnerability tracking service.
- Subject, Wills, and Co. offers a free "security hack" consisting of automated vulnerability testing plus up to one hour of consulting. Many firms that offer security consulting services offer free assessments like this to drum up new business.
Network Vulnerability Assessment Tools
To conduct your own in-house vulnerability assessment, you'll need some tools
to identify network nodes and the operating systems and services they appear
to be running.
You may want to conduct scans from multiple locations inside and outside your network. Start where many hackers start—outside your network, somewhere on the Internet—to learn what they can easily find out about you. Never scan a network that doesn't belong to you or that you don't have permission to scan. Beware that scans can impact target networks and systems (i.e., some scans are gentler than others). Scans usually trigger security events, generating copious log records, SNMP traps, and/or e-mail alerts, so advise your NOC staff before conducting a scan.
|
Security
Tools for the Budget Conscious ISP, Part II:
Introduction and Vulnerability Scan and Assessment Services |
|
|
|
| Best of ISP-Planet | ||
|---|---|---|
|
ISP-Planet
Guide
ISP-Planet's Principal Studies Directories:
Q2 2008 Top U.S. ISPs by Subscriber (Updated 08/29/2008)
ISP-Planet's Blogroll | ||
ISP-Planet's
RSS feed
