A scanner is an IDS that performs a periodic assessment of risks on your system. An IDS looks for vulnerabilities that might open up your system to threats. Intrusion detection scanners look for potential problems with your system that might result from the following:
In this chapter, you will learn about some vulnerability scanners that look for weaknesses in UNIX systems. (NT scanners are discussed in Chapter 10, which deals exclusively with NT IDSs.) When you complete the chapter, you should be able to identify the role of vulnerability scanners in your environment. You will see the types of problems that scanners can detect, how they can be spoofed, and why they are an important security product to have in your arsenal.
First, you should know that scanning intrusion detection products are not the same as network sniffers. Vulnerability scanners do not look at network traffic in real time. Instead, they are run periodically against systems to look for problems. A product that looks at intrusions as they occur in real time is really dealing with threats, not with vulnerabilities. Real-time IDSs catch hackers while they are on your system. Scanners examine your systems for cracks that someone can sneak through or for evidence of intrusions after they have occurred.
Two main types of scanners are available:
A scanner might be probing multiple systems in the network. In doing so, network attacks are attempted against the target node to look for potential holes in the target. Although network packets are sent from the scanning system to the target, the scanner itself is not actively sniffing all network packets to look for problems.
Local and remote scanners share common characteristics. Rather than looking for events as they occur in real time, scanners examine the state of a system periodically. One potential advantage of interval scanning is that resource utilization is less on the average than that required for real-time monitoring. Intuitively, this is easy to see because you are consuming resources only when the scanner is active rather than constantly watching events as they occur.
Scanners make a sweep of the system's configuration to look for vulnerabilities. Scanning the system for problems will reveal weaknesses or holes that lead to cracks. A real-time monitor will miss configuration problems because it is primarily designed to catch hackers in the act, rather than to look for vulnerabilities that can be exploited later. For example, a real-time detector is not much help in finding problems with a fresh, out-of-the-box configuration. Thus, scanners and real-time IDSs are complementary.
Because the scanners are run periodically, they will not be able to detect events as they occur. Vulnerability scanners try to prevent problems by alerting you to flaws in advance. If a hacker manages to bypass your security defenses and introduce a vulnerability in your system, the scanner should detect the exposure the next time it is activated. For example, if the scanner looks for root equivalent accounts on a system, it will detect that a hacker has created a root account on the system the next time a scan is performed. How do scanners improve your security?
Of course, the hacker's challenge is to know what the scanner looks for and to cover tracks to avoid detection. Because many vendors publish the list of problems they look for, a wise cracker can use this information to avoid activities that will be flagged.
When you look at scanning products, it's important to know that some types of weaknesses can be found only by running the scan locally on the node of interest. If the system is locked down so that no network attacks are possible, local file system permission problems or SUID programs may still lead to system compromise. Even if you have a system that is not connected to a network and has only directly attached terminals, you can have vulnerabilities.
One desirable feature of scanners is that they do not introduce new data sources. System-level IDSs require that you turn on auditing or syslog if you are not already doing so. Scanners discover vulnerabilities by looking at configuration data or by attempting to carry out an attack.
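The two local checks mentioned above, root-equivalent accounts and SUID programs, as an added example of what a periodic local scanner does with configuration data (this is illustrative code written for this page, not a product's scanner; the passwd content is constructed sample data, and the SUID walk reads only the directory tree you point it at):

```python
import os
import stat

# Constructed sample /etc/passwd content for demonstration (not a real system's file).
# 'toor' is a second UID-0 account; 'guest' has an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
toor:x:0:0:backdoor:/:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
"""


def parse_passwd(text):
    """Yield (name, password_field, uid) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 7:
            continue  # comment or malformed entry; skip rather than abort the scan
        try:
            yield fields[0], fields[1], int(fields[2])
        except ValueError:
            continue  # non-numeric UID field; treat as malformed


def root_equivalent_accounts(text):
    """Accounts with UID 0 other than 'root' (what a planted root account looks like)."""
    return [name for name, _, uid in parse_passwd(text) if uid == 0 and name != "root"]


def empty_password_accounts(text):
    """Accounts whose password field is empty, i.e. no password is required at login."""
    return [name for name, pw, _ in parse_passwd(text) if pw == ""]


def has_suid(mode):
    """True if a stat mode describes a regular file with the set-UID bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def suid_files(top):
    """Walk a directory tree and return the set-UID regular files found (local check)."""
    hits = []
    for dirpath, _, filenames in os.walk(top):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)  # lstat: report the link itself, never follow it
            except OSError:
                continue  # unreadable or vanished entry; keep scanning
            if has_suid(st.st_mode):
                hits.append(path)
    return sorted(hits)
```

Run against a live system, compare the SUID list with the one from the previous scan; a new entry between scans is exactly the kind of exposure the chapter says a scanner should flag on its next run.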