Internet scanning is obvious, but why scan from inside? Statistics show that
insider attacks are actually more prevalent than outsider attacks. Moreover,
if an attacker "gets root" on an Internet-facing server, that server can become
a platform for penetrating deeper into your network, so it's a good idea to
minimize what can be seen from any vantage point, not just from the Internet.
Inside scans often identify services you didn't know were running, and even
hosts you didn't realize existed.
For software that can help you conduct your own network vulnerability assessment,
here's a non-exhaustive list of commercial scanners:
Typically, you install scanner software on a test platform and use a discovery
module to map target network(s), starting from specified subnets or hostnames.
You then scan discovered nodes, controlling scope and depth by selecting from
built-in tests. Results may be written to report files or a database for later
comparison. Commercial scanners usually make it easy to start with built-in
tests, define a scan profile, establish a baseline, and repeat that scan at
intervals to spot changes.
Some commercial scanners use open source tools as a foundation, wrapping them
inside more friendly graphical interfaces, automated sequencing and scheduling,
stronger reporting features, and extended result analysis. But if you'd rather
roll your own and invest a little elbow grease, here are some handy no-cost
network scan tools:
Foundstone ScanLine is for those who prefer a command line tool for highly
parallel scanning of very large networks. This free Windows-based utility
supports ICMP timestamp scanning, TCP scanning, UDP scanning, and banner grabs.
Foundstone's SuperScan is a very fast, multi-threaded, asynchronous TCP-based
port scanner, ICMP pinger, and hostname resolver. This free tool can scan any
IP or port range (including built-in port lists) and automatically connect to
any discovered port with configurable "helper" applications. Free companion
tools include Trout, MessengerScanCheck, SQLScan, BOPing, CIScan, and RPCScan.
Internet Security Scanner was originally developed as shareware before being
commercialized by ISS (Internet Security Systems); old, unsupported but free
versions are still available from several Web sites. This popular command line
scanner checks for common vulnerabilities related to services like Telnet,
Sendmail, FTP, NIS, and NFS.
Nessus is a very popular, easy-to-use
open source security scanner. Nessus Server source code and binaries are available
for just about any *NIX system. The Nessus GUI Client runs separately on *NIX
or Win32 hosts. Over 1200 security tests have been developed as Nessus plug-ins.
Or you can write your own tests in the Nessus Attack Scripting Language (NASL).
Nmap ("Network Mapper") is a popular open source tool for exploring networks,
large and small. Nmap uses raw IP packets to identify hosts, operating systems,
services, software versions, and configured filters. Nmap and NmapFE (an
X Window System GUI) are available in many formats, including source code,
Windows (95/98/NT/ME/2K/XP), MacOS X, Linux RPM, FreeBSD, OpenBSD, Solaris,
and HP-UX.
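The baseline-and-repeat workflow described earlier (define a scan profile, store results, rescan at intervals and look for changes) is easy to build on top of Nmap's own output. The following is an added example, not code from the original article or from the Nmap project: it parses Nmap's greppable (-oG) output into a per-host port map and diffs a later scan against a stored baseline, reporting hosts and services that appeared, disappeared, or changed version. The two scan outputs embedded below are constructed to look like `nmap -sS -sV -oG - 192.0.2.0/29` results (TEST-NET addresses, made-up software versions); point `parse_greppable` at real -oG files to use it on your own network.

```python
"""Baseline a scan and diff later runs against it (added example, not Nmap code)."""
import re

# One "Ports:" entry in -oG output has seven slash-separated fields:
#   port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[\w|]+)/(?P<proto>\w+)/"
    r"(?P<owner>[^/]*)/(?P<service>[^/]*)/(?P<rpc>[^/]*)/(?P<version>[^/]*)/"
)


def parse_greppable(text):
    """Return {ip: {(port, proto): (state, service, version)}} from -oG text.

    A host that is Up but has no "Ports:" line maps to an empty dict, so
    "host exists" and "host has interesting ports" stay distinguishable.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # -oG separates fields with tabs
        ip = fields[0].split()[1]          # "Host: 192.0.2.1 (gw)" -> 192.0.2.1
        ports = hosts.setdefault(ip, {})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for m in PORT_RE.finditer(field[len("Ports:"):]):
                    ports[(int(m["port"]), m["proto"])] = (
                        m["state"], m["service"], m["version"])
    return hosts


def diff_scans(baseline, current):
    """Compare two parsed scans; lists are sorted so reports are stable."""
    report = {"new_hosts": [], "gone_hosts": [], "opened": [], "closed": [], "changed": []}
    for ip in sorted(set(baseline) | set(current)):
        b, c = baseline.get(ip), current.get(ip)
        if b is None:
            report["new_hosts"].append(ip)
        if c is None:
            report["gone_hosts"].append(ip)
        b, c = b or {}, c or {}
        for port, proto in sorted(set(b) | set(c)):
            before, after = b.get((port, proto)), c.get((port, proto))
            if before is None and after and after[0] == "open":
                report["opened"].append((ip, port, proto, after[1], after[2]))
            elif after is None and before and before[0] == "open":
                report["closed"].append((ip, port, proto, before[1], before[2]))
            elif before and after and before != after:   # state or version drift
                report["changed"].append((ip, port, proto, before, after))
    return report


def compare_greppable(baseline_text, current_text):
    return diff_scans(parse_greppable(baseline_text), parse_greppable(current_text))


# Constructed sample output (not a real scan): the stored baseline ...
BASELINE_OG = (
    "# Nmap scan initiated as: nmap -sS -sV -oG - 192.0.2.0/29\n"
    "Host: 192.0.2.1 (gw)\tStatus: Up\n"
    "Host: 192.0.2.1 (gw)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, "
    "80/open/tcp//http//Apache httpd 2.2.3/\tIgnored State: closed (998)\n"
    "Host: 192.0.2.2 ()\tStatus: Up\n"
    "Host: 192.0.2.2 ()\tPorts: 25/open/tcp//smtp//Sendmail 8.13.8/\t"
    "Ignored State: closed (999)\n"
    "# Nmap done -- 8 IP addresses (2 hosts up) scanned\n"
)
# ... and a later rescan: a new MySQL listener, a swapped MTA, and a new host.
CURRENT_OG = (
    "Host: 192.0.2.1 (gw)\tStatus: Up\n"
    "Host: 192.0.2.1 (gw)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, "
    "80/open/tcp//http//Apache httpd 2.2.3/, "
    "3306/open/tcp//mysql//MySQL 5.0.45/\tIgnored State: closed (997)\n"
    "Host: 192.0.2.2 ()\tStatus: Up\n"
    "Host: 192.0.2.2 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/\t"
    "Ignored State: closed (999)\n"
    "Host: 192.0.2.5 ()\tStatus: Up\n"
    "Host: 192.0.2.5 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/\t"
    "Ignored State: closed (999)\n"
)

if __name__ == "__main__":
    for kind, items in compare_greppable(BASELINE_OG, CURRENT_OG).items():
        for item in items:
            print(kind, item)
```

Saving each run's -oG file and diffing against the previous one turns a scanner into a change detector: a newly opened 3306/tcp or a host that was not in the baseline is exactly the kind of thing an inside scan should surface. Only `open` ports are counted as "opened" or "closed" so that filtered noise does not drown the report.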
Router Audit Tools (RAT) are a suite of freely available command line tools
that can scan devices running Cisco IOS for compliance with security settings
recommended by the Center for Internet
Security (CIS). RAT can run from any Windows or *NIX host with access
to router config files. The RAT distribution includes a security configuration
guide, questionnaire, and benchmark to help you get started.
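To show what a configuration compliance check of the kind RAT performs looks like in practice, here is an added example; it is not RAT's own code and the rules are not the CIS benchmark text, just a handful of well-known IOS hardening settings chosen to illustrate the approach. Two constructed configurations are embedded: a weak one that trips several rules and a hardened one that passes. The rule list is deliberately small; a real benchmark has many more items.

```python
"""Audit a Cisco IOS config against a few hardening rules (added example, not RAT)."""
import re

# (rule id, explanation, pattern, must_match). must_match=True means some
# config line has to match the pattern; False means no line may match it.
RULES = [
    ("enable-secret", "use 'enable secret' (hashed) for the privileged password",
     re.compile(r"^enable secret "), True),
    ("no-enable-password", "'enable password' stores a reversible (type 7) secret",
     re.compile(r"^enable password "), False),
    ("password-encryption", "'service password-encryption' hides passwords in show run",
     re.compile(r"^service password-encryption$"), True),
    ("no-http-server", "HTTP management interface should be disabled",
     re.compile(r"^ip http server$"), False),
    ("no-small-servers", "TCP small servers (echo, chargen, ...) should be off",
     re.compile(r"^service tcp-small-servers$"), False),
    ("no-default-snmp", "default SNMP community strings must not be configured",
     re.compile(r"^snmp-server community (public|private)\b"), False),
    ("no-source-route", "IP source routing should be disabled",
     re.compile(r"^no ip source-route$"), True),
]


def vty_findings(lines):
    """Every 'line vty' block must carry an inbound access-class (block-aware check)."""
    out, block, has_acl = [], None, False
    for line in lines + ["end"]:                 # sentinel flushes the last block
        if block is not None and not line.startswith(" "):
            if not has_acl:
                out.append(("vty-acl", f"'{block}' has no inbound access-class"))
            block, has_acl = None, False
        if line.startswith("line vty"):
            block = line
        elif block is not None and line.lstrip().startswith("access-class") \
                and line.endswith(" in"):
            has_acl = True
    return out


def audit(config_text):
    """Return [(rule id, explanation), ...] for every rule the config violates."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    findings = [(rid, why) for rid, why, pat, must in RULES
                if any(pat.search(l) for l in lines) != must]
    return findings + vty_findings(lines)


# Constructed weak config (hash value is a placeholder, not a real secret).
WEAK_CONFIG = """!
service password-encryption
hostname edge-rtr
enable secret 5 $1$abcd$placeholderhashvalue
enable password 7 094F471A1A0A
no ip source-route
ip http server
snmp-server community public RO
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet
end
"""

# Constructed hardened version of the same device.
HARDENED_CONFIG = """!
service password-encryption
hostname edge-rtr
enable secret 5 $1$abcd$placeholderhashvalue
no ip source-route
no ip http server
snmp-server community n0tdefault RO 20
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 access-class 10 in
 transport input ssh
end
"""

if __name__ == "__main__":
    for rule_id, why in audit(WEAK_CONFIG):
        print(f"FAIL {rule_id}: {why}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The vty check is the interesting part: simple line-matching cannot tell which `access-class` belongs to which `line vty` block, so the check walks the indented block structure and reports each block that lacks one. The same pattern (flat rules plus a few block-aware checks) scales to the rest of a benchmark.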
SARA (Security Auditor's Research Assistant) is a free, updated version of the
older Security Administrator Tool for Analyzing Networks (SATAN). SARA checks
nodes for known vulnerabilities, including CVEs and the FBI/SANS Top 20.
Results are stored in a database and viewed through any Web browser. SARA is
written in Perl and runs on most *NIX platforms.