Title: Vulnerability Scanners
1. Vulnerability Scanners
Jeffrey Savoy, Information Security Officer
2. Roadmap
- Background of vulnerability scanners
3. Background of vulnerability scanners
Vulnerability scanning definition:
The automated process of proactively identifying
vulnerabilities in the computer systems on a network,
in order to determine whether a system can be
exploited through known flaws.
4. Background of vulnerability scanners (cont)
Not the same as a formal IT risk assessment, but
rather one component of it.
5. Background of vulnerability scanners (cont)
How do scanners fit into the IT security controls picture?
- Vulnerability scanners
- Firewalls
- Intrusion detection systems
- VPN
- Virus protection
- File integrity
6. Background of vulnerability scanners (cont)
Vulnerability scanning software categories
7. Background of vulnerability scanners (cont)
Network scan vs. host based
Possible issue with host based?
Since host-based scanning requires installing software
on each system, it is a problem for printers, hubs and
other devices and OSes.
8. Background of vulnerability scanners (cont)
In general, network scans are most effectively
implemented by IT staff and not by end users, because
of the complexities that we will discuss.
However, the results may be of interest to some end
users.
9. Background of vulnerability scanners (cont)
- Scan Steps
  - Planning
  - Scanning
  - Action
10. Scanning Steps
Illustrated with ISS Internet Scanner 7.0
Similar concepts apply to other scanners, e.g. Nessus
Major change from Internet Scanner 6.2.1
11. Scanning Steps (cont)
Planning
Scanning perspectives (outer vs. inner)
Bonus note: scanning engines can help verify
other security controls, e.g. a NIDS.
12. Scanning Steps (cont)
Scanning software install
Install highlights:
- Windows 2000 Professional or XP
- MSDE (Microsoft SQL Desktop Engine) SP3 needed
  before the Internet Scanner install. Can be
  downloaded from ISS: www.iss.net/download
13. Scanning Steps (cont)
An Internet Scanner license file is needed to perform
anything more than loopback (127.0.0.1) scans.
Loopback scans are useful! They may contain additional
info.
14. Scanning Steps (cont)
Installing the Internet Scanner license
C:\program files\iss\scannerconsole\licenses
The license file needs the .isslicense extension!
15. Scanning Steps (cont)
Confirm license install
16. Scanning Steps (cont)
Run before each scan!
Start menu:
ISS / Internet Scanner 7.0 / X-Press Update Install
The most current XPU for version 7 is 7.2
17. Scanning Steps (cont)
Create a Scan Session
Set Session Properties
18. Scanning Steps (cont)
Choices for deciding whether a host is alive before
the subsequent scan:
- Scan if Ping Successful
- Scan if Open Ports Discovered
- Scan Always
Factors to consider: time and firewalls
19. Scanning Steps (cont)
Choose a Scan Policy
Basic levels: Discovery, L3, L4 and L5
20. Scanning Steps (cont)
Review and/or copy an existing policy and update it
Key: Blank -> no options selected; Gray -> some
options selected; Checked -> all options selected
21. Scanning Steps (cont)
Details available for each option
22. Scanning Steps (cont)
- Vulnerabilities
- Denial of Service
- Standard
23. Scanning Steps (cont)
Many Windows vulnerability checks need
administrator rights!
Review the policy and unselect checks as appropriate
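The policy review described on the last few slides, as an added Python example that is not part of the original presentation or of the ISS product: a constructed list of checks with the attributes the slides warn about (administrator rights, Denial of Service, password guessing that can lock out accounts) is filtered for a given scan session, and the result is summarised with the Blank / Gray / Checked key from the policy editor. Check names and attributes are invented for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    name: str
    category: str            # "Vulnerabilities", "Denial of Service" or "Standard"
    needs_admin: bool        # many Windows checks need administrator rights
    guesses_passwords: bool  # dictionary-style checks can lock out accounts

# Constructed sample policy (names are hypothetical, not real ISS check ids).
POLICY = [
    Check("win_missing_hotfix", "Vulnerabilities", True, False),
    Check("win_weak_password", "Vulnerabilities", True, True),
    Check("smtp_open_relay", "Vulnerabilities", False, False),
    Check("tcp_syn_flood", "Denial of Service", False, False),
    Check("http_banner", "Standard", False, False),
    Check("netbios_share_enum", "Standard", True, False),
]

def select_checks(policy, have_admin_creds, allow_dos, allow_lockout_risk):
    """Return the checks that should stay selected for this scan session."""
    selected = []
    for c in policy:
        if c.needs_admin and not have_admin_creds:
            continue  # would fail or give false negatives without an admin logon
        if c.category == "Denial of Service" and not allow_dos:
            continue  # may knock over production hosts
        if c.guesses_passwords and not allow_lockout_risk:
            continue  # lesson from the case study: dictionary checks locked out machines
        selected.append(c)
    return selected

def category_state(policy, selected):
    """Tri-state per category, matching the policy editor key:
    Blank = none selected, Gray = some selected, Checked = all selected."""
    chosen = {c.name for c in selected}
    states = {}
    for cat in {c.category for c in policy}:
        names = [c.name for c in policy if c.category == cat]
        hits = sum(n in chosen for n in names)
        states[cat] = "Blank" if hits == 0 else ("Checked" if hits == len(names) else "Gray")
    return states

if __name__ == "__main__":
    chosen = select_checks(POLICY, have_admin_creds=False, allow_dos=False, allow_lockout_risk=False)
    print([c.name for c in chosen])
    print(category_state(POLICY, chosen))
```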
24. Scanning Steps (cont)
Adding account information to scans
25. Scanning Steps (cont)
Make sure that SmartScan is enabled:
Common Settings / NT Logon Sessions
26. Scanning Steps (cont)
Enter IP address(es) to scan
27. Scanning Steps (cont)
Almost ready to start scanning!
Did you send out a message to the owners of the
machines being scanned?
28. Scanning Steps (cont)
Run Scan!
Time to complete a scan can range from minutes to
hours, depending on:
- Number and type of vulnerability checks chosen
29. Scanning Steps (cont)
30. Scanning Steps (cont)
Generate Report!
31. Scanning Steps (cont)
Can choose any past scan session
Sessions are stored in the SQL database
32. Scanning Steps (cont)
Different formats available
33. Scanning Steps (cont)
Sample report entry
34. Scanning Steps (cont)
Report issues
- Machine location and owner: who is responsible for the host?
35. Case Studies
Examples of scanner use at UW-Madison?
36. Case Studies (cont)
Ad hoc scans
- DoIT Security does scans upon campus request
- Useful in determining the status of a compromised
  machine
37. Case Studies (cont)
Self scans
- Purchased a site license for Internet Scanner
- Campus can request license keys via web form
38. Case Studies (cont)
Centralized scanning
We started a process in which we scan the campus
networks for well-known, higher-risk exposures
(100 items).
A best-effort and supplemental service
The process consists of:
- Identifying machine contacts
39. Case Studies (cont)
Review of automated scanning
- Scanning engine is Internet Scanner
- A controlling Linux machine
- Middleware bridges the scan engine and the Linux machine;
  provided by security staff at Indiana
  (itso_at_indiana.edu)
Explained by building up the picture step by step
40-52. Case Studies (cont): no text content recovered from these slides
The controller automatically ran scans between
8am-3pm, M-F
- Ran in blocks of approximately 128 hosts
- Took two weeks to complete
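The controller's scheduling, as an added Python example that is not part of the original presentation or of the Indiana middleware: target networks are split into blocks of 128 hosts and each block is given a start time that falls only inside the 8am-3pm, Monday-to-Friday window. The network ranges and the minutes-per-block figure are constructed for illustration, not UW-Madison's real values.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed campus ranges (example addresses, not a real allocation).
CAMPUS_NETWORKS = ["10.10.0.0/20", "10.20.0.0/22"]
BLOCK_SIZE = 128                   # hosts per scan job, as in the case study
WINDOW_START, WINDOW_END = 8, 15   # 8am-3pm, Monday to Friday

def host_blocks(networks, block_size=BLOCK_SIZE):
    """Split the target networks into consecutive blocks of at most block_size hosts."""
    blocks = []
    for net in networks:
        hosts = [str(h) for h in ipaddress.ip_network(net).hosts()]
        for i in range(0, len(hosts), block_size):
            blocks.append(hosts[i:i + block_size])
    return blocks

def in_scan_window(when):
    """True only during the agreed business-hours window on a weekday."""
    return when.weekday() < 5 and WINDOW_START <= when.hour < WINDOW_END

def next_window_start(when):
    """Return `when` if it is already inside the window, else the next window opening."""
    t = when
    while not in_scan_window(t):
        t = (t + timedelta(hours=1)).replace(minute=0, second=0, microsecond=0)
    return t

def schedule(blocks, start, minutes_per_block):
    """Assign each block a start time; no block is started outside the window."""
    plan, t = [], next_window_start(start)
    for block in blocks:
        t = next_window_start(t)
        plan.append((t, block[0], block[-1]))   # (start time, first host, last host)
        t += timedelta(minutes=minutes_per_block)
    return plan

if __name__ == "__main__":
    for when, first, last in schedule(host_blocks(CAMPUS_NETWORKS), datetime(2024, 1, 8, 7, 0), 45):
        print(when.strftime("%a %Y-%m-%d %H:%M"), first, "-", last)
```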
54. Case Studies (cont)
Get the results out to campus!
Need contact information:
Campus Whois database
55. Case Studies (cont)
Once we had the contact information, we emailed alerts
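Turning scan results into per-owner alerts, as an added Python example that is not part of the original presentation: a whois-style contact table is matched against each finding's host by longest prefix, findings are grouped per owner, hosts with no owner on record are set aside for manual follow-up (the "machine location and owner?" report issue from slide 34), and a plain-text notice is produced. The contact table, addresses, check names and message wording are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the campus Whois database: network -> contact.
CONTACTS = {
    "10.10.0.0/24": "netadmin-bldg-a@example.edu",
    "10.10.1.0/24": "netadmin-bldg-b@example.edu",
}
# Constructed findings: (host, check name, severity). Check names are hypothetical.
FINDINGS = [
    ("10.10.0.15", "win_missing_hotfix", "High"),
    ("10.10.0.15", "netbios_null_session", "Medium"),
    ("10.10.1.200", "smtp_open_relay", "High"),
    ("10.10.7.9", "telnet_cleartext", "High"),   # no contact on record
]

def lookup_contact(host, contacts=CONTACTS):
    """Longest-prefix match of a host against the contact table; None if unknown."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, owner in contacts.items():
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, owner)
    return best[1] if best else None

def group_by_contact(findings, contacts=CONTACTS):
    """Bucket findings per owner; hosts with no owner land under 'unknown'
    so they can be chased down by hand instead of being silently dropped."""
    buckets = defaultdict(list)
    for host, check, sev in findings:
        buckets[lookup_contact(host, contacts) or "unknown"].append((host, check, sev))
    return dict(buckets)

def alert_text(owner, items):
    """Plain-text alert for one owner (wording is invented, not the campus template)."""
    lines = [f"To: {owner}", "Subject: Vulnerability scan results for hosts you manage", ""]
    for host, check, sev in sorted(items):
        lines.append(f"{host:<15} {sev:<6} {check}")
    lines += ["", "Please remediate, and reply if a host is attributed to you in error."]
    return "\n".join(lines)

if __name__ == "__main__":
    for owner, items in group_by_contact(FINDINGS).items():
        print(alert_text(owner, items), end="\n\n")
```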
56. Case Studies (cont)
Lessons learned?
- It helped to have the procedure posted
57. Case Studies (cont)
Lessons learned?
- Not perfect at identifying machines
  (DHCP, open network jacks, etc.)
- Testing before the scans was good!
  Dictionary attacks lock out some machines
58. Case Studies (cont)
Web form scan requests
- Built for WiscNet
- Nessus scan engine
- Results sent via email to the requester
59. Case Studies (cont)
Nessus WiscNet Scan Request Form
60. Case Studies (cont)
Example email sent back to requestor
61. Case Studies (cont)
Future plans
- Increased centralized scan frequency
- Offer Internet Scanner and Nessus scans via web
  forms
62. Wrap-up
- Background of vulnerability scanners
Questions?