Specifying the Rules for Security Scanners


Security scanners detect vulnerabilities rather than attacks, and operate at pre-defined times — this has a specific influence on their operation. For IDSs, it is possible to compose a list of operating systems used within the protected network segments (depending on the size of the segment); this is impossible for security scanners. This is especially true for scanning remote hosts that are far away from the scanning host and have dynamically assigned IP addresses (via DHCP).

In comparing various security scanners and the documentation supplied with them, I have noticed that not many vendors pay sufficient attention to strategies for the deployment, operation, and maintenance of their products. A pleasing exception to this rule is ISS, which pays significant attention to all of these aspects, both in its documentation [ISS7-00] and in its training course. In particular, ISS' documentation provides a useful table, which outlines the main steps to be performed by IS specialists when operating the Internet Scanner system, and which provides brief descriptions of the goals achieved by performing each step (Table. 11.3). The same approach can be easily extended to other security scanners.

Table 11.3. Measures to Be Taken by IS Personnel

Step

Goal


Notifying users

You should notify the owners of the scanned devices before starting this procedure, to reassure them that the scanning is not being performed by an intruder. Moreover, the scanning will enable them to adequately evaluate and eliminate the vulnerabilities detected.

Changing scanning time and intervals

It is best to perform scanning at different times, and with different intervals, in order to compose a more detailed pattern and eliminate the time dependence.

Performing test scanning

After careful scanning of network devices and eliminating all critical vulnerabilities, it is recommended that you perform periodic test scans in order to make sure that these devices have not become more vulnerable.

Scanning new systems

New network devices should be scanned as soon as possible, in order to prevent the security level of the existing network configuration from decreasing.

Denial of scanning

In some cases, specific network devices might not be scanned (for example, if another organization is responsible for maintaining that device).

Testing for Denial of Service vulnerability

Tests of this type might cause malfunctions and/or failures of the devices being tested, and should only be performed if the device owners are notified beforehand. Besides this, it is necessary to perform certain steps — such as backup procedures — to prevent malfunctions and failures.

Scanning Strategy

The scanning strategy depends on the collected information stored in the network map. As mentioned earlier, when the network map is created, all hosts within the network are grouped by various distinguishing features (whether they belong to a physical or a logical segment, location, importance, vulnerability to specific attacks, etc.). These groups of hosts must be described in sufficient detail in order to avoid extra checks. On the other hand, a sufficient number of devices must be included in order to minimize the total number of required tests and the processing of the test results. In a specific organization, the devices included in these groups may vary, depending on the problems being solved and on the organization's field of activity. For example, in financial institutions, the group may consist of the servers of the accounting system, while, in a factory, these might be the components of the scheduling system. Following are some suggested grouping variants (note that some devices may be included in several groups simultaneously):

  • All devices connected to the network (including the whole range of equipment used in the organization)

  • Routers and other perimeter network equipment

  • Switches, routers, concentrators, bridges and other internal network equipment

  • DMZ devices (DNS, SMTP, FTP, web servers and so on)

  • Firewalls and other perimeter protection tools (IDSs, authentication servers, certificate servers, etc.)

  • Internal network protection tools (security servers, authentication servers, keygeneration servers, LDAP servers)

  • Workstations and servers involved in the organization's daily activities

  • Workstations and servers involved in the organization's business-critical tasks (database servers, critical application servers, scheduling and management system components, accounting system servers, administrators' workstations)

  • Internal web servers, intended to help in the organization's day-to-day tasks (for example, internal informational portals)

Fig. 11.10 shows an example of grouping the protected resources into six groups in the RealSecure SiteProtector system:

click to expand
Fig. 11.10. Grouping protected devices in RealSecure SiteProtector

  • Top management (Chiefs)

  • Demilitarized zone (DMZ)

  • Marketing department (Marketing Department)

  • All servers (Servers)

  • All printers (Printers)

  • Demonstration facility (Stend)

Furthermore, you need to coordinate the scanning strategy with top management or other responsible people, and with the administrators of the scanned hosts. When implementing the scanning strategy, you will have to:

  • Cooperate with the administrators of the scanned hosts or network segments and inform them of the scanning results, thereby allowing them to be on top of the security situation of the resources that they protect

  • Coordinate all aspects of eliminating the detected vulnerabilities with top management

At the stage of performing initial scanning, and after developing and implementing a strategy for eliminating vulnerabilities, it is necessary to:

  • Test specific groups of devices periodically, in order to detect new vulnerabilities and eliminate vulnerabilities detected during previous checks

  • Detect new devices within the network, and apply to them all the above-listed operations for scanning

Scanning Tactics

Using security scanners, with the exception of tests for DoS vulnerability (and even this is not always true) has practically no influence on the performance of the devices within a corporate network. However, when performing a large number of tests, network traffic may intensify significantly, the workload of the tested devices may increase, and log files may grow in size. If the template used during scanning does not correspond to the type and/or configuration of the scanned devices, up to 80 percent of the test results will be practically useless. The efficiency of scanner usage increases significantly when performing so-called "selective scanning," which is geared toward specific devices within the corporate network.

From this point of view, after developing a scanning strategy — which implies classifying all the devices in the network into scanning groups and defining priorities for each group — it is recommended that you draw up a scheme for applying the strategy: in other words, tactics. The key tactical factor is the scanning goal for each group of devices. Recommended checks, including taking into account the probability of the presence of specific vulnerabilities, are configured according to the general principle adopted for typical corporate networks. If specific products or services — such as NCR Unix or Compaq Tru64 — are detected, the appropriate modifications must be introduced into the template.

Additionally, the same group of devices can be scanned with different goals in mind or, by way of contrast, different groups can be scanned for the same purpose, such as performing an equipment inventory, or detecting compromised hosts (e.g., hosts infected by Trojans).

Appropriate measures must be specified in the scanning plan. The scanning plan can be a table with columns listing the groups of "listening" devices and rows containing the scanning goals. The table's cells must contain information on the scanning goals and frequency (Table 11.4).

Table 11.4. An Example of a Scanning Plan

Goal

Device groups


 

All network devices

Accounting system servers

Network equipment

Database servers

External Web servers

Inventory and classification

Weekly

    

Network checks

  

Monthly

  

Average number of checks

 

Monthly

 

Quarterly

Monthly

Maximum number of checks

 

Quarterly

 

When bringing into operation

 

Web checks

    

Monthly

Denial of Service

 

Quarterly

   

Port scanning (1-65535)

Monthly

Weekly

 

Weekly

Quarterly

The scanning frequency for specific device types depends on the importance of the devices included in the specific group, the frequency of configuration changes, the amount of free resources in the corporate network, etc. Recommended scanning goals and appropriate time intervals are outlined below.

  • All devices within the corporate network or a specific segment (to perform inventory and classification): weekly. This process will detect new hosts within the network, as well as identify changes in the configuration of existing hosts.

  • All hosts within the corporate network (to detect compromised hosts or traces of remote attacks): daily. Because of the significant time expenses and network traffic overload incurred, it is not recommended that you perform this check (including checking remote devices) from the central management console. Furthermore, this check becomes difficult to implement when the difference in time zones between the scanning and the scanned hosts reaches 8 to 9 hours.

  • Important network devices (to detect traces of internal attacks or unauthorized configuration changes): weekly or monthly.

  • Critical network hosts (in order to control availability): daily or hourly.

  • Elements of active network equipment: quarterly, or when upgrading or replacing the equipment or software.

  • DMZ devices: weekly, or when modifying the configuration.

  • Perimeter protection tools: weekly or daily, as well as when introducing configuration changes.

  • Most critical servers and workstations: selective testing, in order to detect vulnerabilities to Denial of Service attacks. Recommended when bringing the equipment into operation, reinstalling or upgrading the OS, introducing significant configuration changes, and when performing regular testing.

The same principles that apply to systems operating at a lower level apply to host-level security scanners, but with allowances made for the specific features of detected vulnerabilities.




Protect Your Information with Intrusion Detection
Protect Your Information with Intrusion Detection (Power)
ISBN: 1931769117
EAN: 2147483647
Year: 2001
Pages: 152

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net