Unit 5 Discussion

Vulnerability Scanning Tools:

NOTE: As two of the tools mentioned for discussion here (Nmap and MBSA) are ones which I use on a rather regular basis, I will be covering these before the other tools mentioned for our discussion.  Also, as I am familiar with these tools from using them frequently, some comments on them will be based upon my own personal experiences.  Just thought you’d like to know this.  ;-)

Nmap is an open-source network scanner that probes one host (or a whole range of hosts) to determine which TCP and UDP ports are open (accepting connections), closed, or filtered by a firewall.  With version detection enabled (the -sV option), the default source package can also identify the service listening on a port and usually its product and version (for example, which web server, FTP server, or SSH server is answering), and the bundled Nmap Scripting Engine (NSE) adds scripted checks, including some for known vulnerabilities.  This tool is a great “starting point” for determining which services are (and are not) reachable on a given host from different points within its own network and from the Internet, since firewall rules usually differ by vantage point.  Keep in mind that an open port is only exposure, not proof of a vulnerability, and that scanning hosts you are not authorized to test is both noisy and a legal problem.  The main disadvantage of Nmap is that its command-line interface may not be easily understood by every user.
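
To make the two things Nmap does concrete (find open ports, then identify what is listening), here is a miniature TCP connect scan with banner grabbing, written as an added example for this posting and not code from the Nmap project.  It stands up two fake loopback services with constructed SSH and FTP banners, picks one port that is known to be closed, scans all three, and guesses the service from the greeting the way a much cruder version of nmap -sV would.  The banners, hostnames and ports are all made up for the demonstration.

```python
import socket
import threading

# Constructed fake services for an offline demonstration; the banners imitate
# real daemons but nothing here is an actual SSH or FTP server.
FAKE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "ftp": b"220 (vsFTPd 3.0.3)\r\n",
}


def start_fake_service(banner: bytes) -> int:
    """Listen on a free loopback port, send `banner` to each client, hang up. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.sendall(banner)
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port() -> int:
    """Reserve and release a port so the scan has a known-closed target (racy, fine for a demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(sock: socket.socket) -> str:
    """Read a greeting if the service speaks first (SSH, FTP, SMTP do); if it stays
    silent, poke it with a harmless HTTP request, the way version-detection probes do."""
    try:
        data = sock.recv(256)
    except socket.timeout:
        data = b""
    if not data:
        try:
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            data = sock.recv(256)
        except (socket.timeout, OSError):
            data = b""
    return data.decode("ascii", "replace").strip()


def tcp_connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Return {port: banner} for every port that completes a TCP handshake.
    This is a full-connect scan, so the target logs it just as it would log nmap -sT."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:          # refused, timed out, unreachable: treat as not open
                continue
            results[port] = grab_banner(s)
    return results


def guess_service(banner: str) -> str:
    """Crude fingerprint from the banner; nmap's probe database does this far more thoroughly."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "ftp/smtp"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown"


def demo():
    """Stand up two fake services plus one closed port, scan all three, return (report, closed_port)."""
    ssh_port = start_fake_service(FAKE_BANNERS["ssh"])
    ftp_port = start_fake_service(FAKE_BANNERS["ftp"])
    closed = free_closed_port()
    found = tcp_connect_scan("127.0.0.1", [ssh_port, ftp_port, closed])
    report = {port: (banner, guess_service(banner)) for port, banner in found.items()}
    return report, closed


if __name__ == "__main__":
    report, closed = demo()
    for port, (banner, svc) in sorted(report.items()):
        print(f"{port}/tcp open   {svc:8s} {banner}")
    print(f"{closed}/tcp closed")
```

The point to take from it is that the banner is the only evidence a scanner has about the service unless it is told to go further, which is why a scan result says what is exposed, not whether it is exploitable.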

MBSA (Microsoft Baseline Security Analyzer) is a freely-available tool from Microsoft that allows systems administrators to scan Windows hosts on their networks for missing security updates and common misconfigurations (weak or blank passwords, unnecessary services, and the like).  It also easily allows administrators to scan whole ranges of IP addresses, which removes the need to list every machine before running a full-network security baseline scan; note that a remote scan needs an account with administrative rights on each target host, or the scan of that host simply fails.  The main drawback of MBSA is that scanning full ranges of IP addresses can take a long time (especially as the ranges get large).

Nessus (www.nessus.org) is a software-based network vulnerability scanner that runs on almost every modern operating system (including Mac OS X, Windows, Linux, and UNIX/BSD).  It is free to use for individuals, but commercial use requires purchase of a software license.  Nessus is well respected for its ability to scan for known security vulnerabilities in many popular desktop applications, and for detecting and alerting administrators to network-connected computers with out-of-date antivirus software (or out-of-date virus definitions).  Its checks are delivered as plugins that must be kept updated, and checks that log in to the target (credentialed scans) report far more accurately than unauthenticated network probes.  On the downside, Nessus’ free use is limited to individual users, on-the-job/in-company use requires purchase of a $1200-per-copy license, and Nessus may only perform at its best when it is given its own dedicated hardware to run on.

SAINT (www.saintcorporation.com) is a commercial-use-only tool for exploring possible vulnerabilities in a network environment.  From detection of possible vulnerabilities to on-demand demonstration of the risk they pose, the SAINT system is a full-service utility for auditing, proving, and testing the vulnerabilities of a network and the effect that leaving them unfixed might have.  Upsides of this software include the option to buy it from the manufacturer in a “Software as a Service” (SaaS) format, removing the need to dedicate hardware to it, as well as the ability to prove to decision-makers the consequences of not handling a software-repairable problem by using the program to non-destructively exploit detected vulnerabilities.  The downsides of SAINT are that there is no option for standalone, hands-on testing of the product (a trial requires hands-on training from a sales representative), and the fact that such a no-hands-on trial likely means a much-increased cost of ownership for this software.

LANguard (www.gfi.com) is yet another network security and vulnerability scanner.  However, unlike some of the other programs I have already covered here, this one seems to hit a very serviceable “middle ground” between the other solutions.  LANguard appears to have modest hardware requirements (although it can make use of some more specialized hardware if it is available) and seems able to run reasonably well on hardware that is also being used for other purposes at the same time.  In addition, this software can also be used in a “freeware” fashion to test up to 5 machines on a company network or on the job.  The only downside I see to this option for network security scanning is that 5 machines isn’t really enough to cover most corporate networks (and would therefore require a user of LANguard to purchase a software license).  ;-)

Internet Scanner (www.ibm.com) is IBM’s entry into the network scanning software market.  While very few specific details of the software are made available on IBM’s product information page for Internet Scanner, it is claimed there that it is “recognized by IDC as the worldwide market leader in network vulnerability assessment and management.”  Unfortunately for IBM, there are several downsides to the way in which they have marketed this product: first, one must talk directly to IBM Sales to find out anything “concrete” about the product; and second, a look at the “Requirements” web page for Internet Scanner suggests that this is either an aging or a discontinued software product.

Honeypots – Sources of Digital Vigilante Action:

Honeypots are hosts on a network whose express purpose is to appear to potential attackers as sources of valuable information and/or resources.  In fact, a honeypot is usually the opposite: it has no production role at all, so any connection to it is suspect by definition, and it exists to give its operator information on the individual parties that connect to it and/or use its “resources.”  The legal ramifications of honeypots center mainly on the attacks that could be launched against third parties using the resources a honeypot actually makes available.  For example, there are a number of open-relay SMTP honeypot programs; if such a honeypot really relays, a spammer could push out a sizable volume of junk e-mail before the information collected on him can be used against him, so these programs normally only pretend to relay (accepting the mail and then discarding or heavily throttling it).  As with any type of vigilante justice, however, there are potential downfalls for the innocents involved.
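
As an added example of the “pretend to relay” design (this is my own illustration for the posting, not one of the honeypot programs mentioned above), here is a minimal fake open relay: it answers SMTP well enough that a spammer’s mailer believes the message was accepted, records the connecting IP and envelope as evidence, and delivers nothing.  The hostname, addresses and message are constructed; the demo plays both sides on the loopback interface using Python’s standard smtplib as the spammer.

```python
import smtplib
import socketserver
import threading


class SmtpHandler(socketserver.StreamRequestHandler):
    """Speaks just enough SMTP to look like an open relay. Every envelope is recorded
    on self.server.captured; no message is ever queued or delivered anywhere."""

    def reply(self, line: str) -> None:
        self.wfile.write(line.encode("ascii") + b"\r\n")

    def handle(self) -> None:
        peer_ip = self.client_address[0]
        envelope = {"peer": peer_ip, "from": None, "to": []}
        self.reply("220 mail.example.test ESMTP ready")   # constructed hostname
        while True:
            raw = self.rfile.readline()
            if not raw:                                    # client went away
                return
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mail.example.test")
            elif verb == "MAIL":
                envelope["from"] = line.partition(":")[2].strip()
                self.reply("250 OK")
            elif verb == "RCPT":
                envelope["to"].append(line.partition(":")[2].strip())
                self.reply("250 OK")          # a real open relay says yes to any recipient; so do we
            elif verb == "DATA":
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                size = 0
                while True:                   # swallow the body up to the lone "." line
                    chunk = self.rfile.readline()
                    if not chunk or chunk == b".\r\n":
                        break
                    size += len(chunk)
                with self.server.lock:
                    self.server.captured.append({**envelope, "bytes": size})
                envelope = {"peer": peer_ip, "from": None, "to": []}
                self.reply("250 OK queued")   # the lie: nothing is queued, so no spam leaves this host
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 Command not implemented")


class RelayHoneypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, SmtpHandler)
        self.captured = []                    # evidence: one dict per accepted message
        self.lock = threading.Lock()


def run_demo():
    """Start the honeypot on a free loopback port, act as a spammer against it with
    smtplib, and return what the honeypot captured."""
    server = RelayHoneypot(("127.0.0.1", 0))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with smtplib.SMTP("127.0.0.1", port, local_hostname="spammer-box", timeout=5) as client:
            client.sendmail("spammer@example.net", ["victim@example.org"],
                            "Subject: buy now\r\n\r\nhello\r\n")   # constructed sample message
    finally:
        server.shutdown()
        server.server_close()
    return server.captured


if __name__ == "__main__":
    for entry in run_demo():
        print(f"{entry['peer']} tried to relay {entry['bytes']} bytes "
              f"from {entry['from']} to {entry['to']}")
```

The in-memory list stands in for whatever log you would actually keep; the design point is only that the 250 after DATA is where the honeypot stops being an open relay and starts being an evidence collector, which is what keeps the operator out of the spam-relaying business described above.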

Intrusion Prevention V. Intrusion Detection:

Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) are software or hardware solutions with a common purpose: to detect active malicious use of a network’s services.  An IDS works passively, usually inspecting a copy of the traffic (from a SPAN port or a network tap), and alerts network administrators when it sees improper or malicious use of the network’s resources in action; it cannot stop anything by itself.  An IPS takes the features of an IDS to the “next level” by sitting inline in the traffic path, where it can drop packets or reset connections to shut down malicious or unwanted activity as it is occurring.  The trade-off is that an IPS turns every false positive into a self-inflicted outage, so its blocking rules need much more careful tuning than an IDS’s alerting rules.
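
The passive/inline difference is easiest to see in code, so here is an added example (mine, not Snort’s code, though the alert/drop actions are modelled on Snort’s rule actions): two constructed signatures are run over three constructed packets, once with the sensor watching a copy of the traffic and once with it inline.  The same packets raise the same alerts either way; only the inline run can actually withhold a packet.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    pattern: re.Pattern   # matched against the packet payload
    action: str           # "alert" or "drop"; drop only has teeth when the sensor is inline


@dataclass
class Verdict:
    alerts: list = field(default_factory=list)     # (rule name, src, dst)
    forwarded: list = field(default_factory=list)  # (src, dst) allowed through
    dropped: list = field(default_factory=list)    # (src, dst) blocked (IPS mode only)


# Constructed signatures in the spirit of Snort's alert/drop actions.
RULES = [
    Rule("web-attack: directory traversal", re.compile(rb"\.\./\.\./"), "drop"),
    Rule("policy: cleartext root login over FTP", re.compile(rb"^USER root\r\n"), "alert"),
]

# Constructed packets: (source IP, destination IP:port, payload bytes).
TRAFFIC = [
    ("10.0.0.5", "10.0.0.80:80", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.9", "10.0.0.80:80", b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.7", "10.0.0.21:21", b"USER root\r\n"),
]


def inspect(packets, rules, mode: str) -> Verdict:
    """Run the signatures over each packet.
    mode="ids": the sensor sees a copy of the traffic, so it can only alert; every packet is forwarded.
    mode="ips": the sensor is inline; a matching rule whose action is "drop" blocks the packet."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    verdict = Verdict()
    for src, dst, payload in packets:
        block = False
        for rule in rules:
            if rule.pattern.search(payload):
                verdict.alerts.append((rule.name, src, dst))
                if mode == "ips" and rule.action == "drop":
                    block = True
        (verdict.dropped if block else verdict.forwarded).append((src, dst))
    return verdict


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        v = inspect(TRAFFIC, RULES, mode)
        print(f"{mode.upper()}: {len(v.alerts)} alerts, "
              f"{len(v.forwarded)} forwarded, {len(v.dropped)} dropped")
```

Note how blunt the traversal signature is: any legitimate request that happens to contain “../../” would match too.  In IDS mode that is a spurious alert someone can ignore; in IPS mode it is a dropped connection, which is the false-positive cost mentioned above.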

References:

Some of the information in this discussion posting was gleaned or referenced from the following sources:

The Web Site of the Nmap Security Scanner Software:
http://nmap.org/

The MBSA (Microsoft Baseline Security Analyzer) Resource Page at Microsoft TechNet:
http://technet.microsoft.com/en-us/security/cc184923.aspx

“Honeypot (computing)” on Wikipedia:
http://en.wikipedia.org/wiki/Honeypot_%28computing%29

“Intrusion detection system” on Wikipedia:
http://en.wikipedia.org/wiki/Intrusion_detection_system

“Intrusion prevention system” on Wikipedia:
http://en.wikipedia.org/wiki/Intrusion_prevention_system

PS: Just for those of us who are wondering, I do know a thing or two about IDS; it might be worth your while to take a look at The Snort Project (www.snort.org) if you’re interested in learning more about IDS.  That’s probably a somewhat decent starting-off point.  :-)