Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98


Chapter 7
Vulnerability Scanners

A scanner is an IDS that performs a periodic assessment of risks on your system. An IDS looks for vulnerabilities that might open up your system to threats. Intrusion detection scanners look for potential problems with your system that might result from the following:

  A back-level (out-of-date) version of a software program for which an exploit is known
  A configuration error resulting from an out-of-the-box installation with known holes
  An administrative error that places the system in an unsafe state, whether the problem resides in an operating system configuration or in an application configuration
  Known rogue programs that someone may have planted on your system

In this chapter, you will learn about some vulnerability scanners that look for weaknesses in UNIX systems. (NT scanners are discussed in Chapter 10, which deals exclusively with NT IDSs.) When you complete the chapter, you should be able to identify the role of vulnerability scanners in your environment. You will see the types of problems that scanners can detect, how they can be spoofed, and why they are an important security product to have in your arsenal.

What Is a Scanner?

First, you should know that scanning intrusion detection products are not the same as network sniffers. Vulnerability scanners do not look at network traffic in real time. Instead, they are run periodically against systems to look for problems. A product that looks at intrusions as they occur in real time is really dealing with threats, not with vulnerabilities. Real-time IDSs catch hackers while they are on your system. Scanners examine your systems for cracks that someone can sneak through or for evidence of intrusions after they have occurred.

Two main types of scanners are available:

  A local scan is run on a node by a software program that resides on the node itself. This operation is introspective because the node is examining itself.
  A remote scan is run over the network against the target node by probing it for vulnerabilities. The IDS software is actually running on an administrative system and scanning the target across the network.

A scanner might probe multiple systems in the network. In doing so, it attempts network attacks against each target node to look for potential holes in that target. Although network packets are sent from the scanning system to the target, the scanner itself is not actively sniffing all network packets to look for problems.

Characteristics of Scanners

Local and remote scanners share common characteristics. Rather than looking for events as they occur in real time, scanners examine the state of a system periodically. One potential advantage of interval scanning is that resource utilization is lower on average than that required for real-time monitoring. Intuitively, this is easy to see because you consume resources only while the scanner is active rather than constantly watching events as they occur.

Scanners make a sweep of the system’s configuration to look for vulnerabilities. Scanning the system for problems will reveal weaknesses or holes that lead to cracks. A real-time monitor will miss configuration problems because it is primarily designed to catch hackers in the act, rather than to look for vulnerabilities that can be exploited later. For example, a real-time detector is not much help in finding problems with a fresh, out-of-the-box configuration. Thus, scanners and real-time IDSs are complementary.

Because the scanners are run periodically, they will not be able to detect events as they occur. Vulnerability scanners try to prevent problems by alerting you to flaws in advance. If a hacker manages to bypass your security defenses and introduce a vulnerability in your system, the scanner should detect the exposure the next time it is activated. For example, if the scanner looks for root equivalent accounts on a system, it will detect that a hacker has created a root account on the system the next time a scan is performed. How do scanners improve your security?

  Scanners prevent intrusions and misuses by alerting you to vulnerabilities in advance, even if they result from accidental configuration errors.
  Scanners detect vulnerabilities that arise in your system as a consequence of an intrusion or misuse.

Of course, the hacker’s challenge is to know what the scanner looks for and to cover tracks to avoid detection. Because many vendors publish the list of problems they look for, a wise cracker can use this information to avoid activities that will be flagged.

When you look at scanning products, it’s important to know that some types of weaknesses can be found only by running the scan locally on the node of interest. If the system is locked down so that no network attacks are possible, local file system permission problems or SUID programs may still lead to system compromise. Even if you have a system that is not connected to a network and has only directly attached terminals, you can have vulnerabilities.
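The two local checks the chapter has just described, the root-equivalent-account check from the earlier paragraph and the file permission and SUID check from this one, as an added Python example that is not from the book or any product it discusses. It runs against a constructed passwd-format sample and a constructed temporary directory tree rather than a live system; the `toor` account, the file names, and the `allowed` parameter are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Constructed passwd-format sample (not taken from any real system).
# 'toor' is a second UID-0 login: the root-equivalent entry that a
# periodic local scan is expected to flag.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
"""


def find_root_equivalent_accounts(passwd_text, allowed=("root",)):
    """Return login names that have UID 0 but are not in the allowed set."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; a fuller scanner would report it too
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in allowed:
            findings.append(name)
    return findings


def find_risky_files(root_dir):
    """Walk root_dir and report regular files that are SUID, SGID, or world-writable."""
    findings = {"suid": [], "sgid": [], "world_writable": []}
    for dirpath, _, filenames in os.walk(root_dir):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            mode = st.st_mode
            if mode & stat.S_ISUID:
                findings["suid"].append(path)
            if mode & stat.S_ISGID:
                findings["sgid"].append(path)
            if mode & stat.S_IWOTH:
                findings["world_writable"].append(path)
    return findings


def build_sample_tree():
    """Create a temporary directory of constructed files, one per weakness, and return its path."""
    base = tempfile.mkdtemp(prefix="scan_demo_")
    specs = {
        "bin/normal": 0o755,        # benign control file
        "bin/setuid_tool": 0o4755,  # SUID: runs with the owner's privileges
        "bin/setgid_tool": 0o2755,  # SGID
        "tmp/open_file": 0o666,     # world-writable
    }
    for rel, mode in specs.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    return base


def run_local_scan(passwd_text, root_dir):
    """Combine both checks into one report, as a periodic local scan would."""
    report = {"root_equivalent": find_root_equivalent_accounts(passwd_text)}
    report.update(find_risky_files(root_dir))
    return report


if __name__ == "__main__":
    tree = build_sample_tree()
    for check, hits in run_local_scan(SAMPLE_PASSWD, tree).items():
        print(f"{check}: {hits}")
```

Both checks read only local state (the account file and inode modes), which is why they work on a node with no network connection at all. Since a scan of this kind is run at intervals, a finding reflects the state at scan time; comparing successive reports shows what changed between scans.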

One desirable feature of scanners is that they do not introduce new data sources. System-level IDSs require that you turn on auditing or syslog if you are not already doing so. Scanners discover vulnerabilities by looking at configuration data or by attempting to carry out an attack.
