Vulnerabilities Remotely Scanned by ISS
Earlier we mentioned that most remote scanners cannot peer into your system like local scanners do. Actually, some protocols, such as RPC and NIS, can be used by remote scanners to peek inside your system much like local processes. For example, in older implementations of NIS, you could get a copy of the password file by running ypcat on remote nodes in the NIS domain. Remote vulnerability scanners use some of these protocol techniques to look for weaknesses in your systems, too.
Where Is ISS Headed?
By the time this book is published, you can expect to find ISS rounding out its offerings with a system-level IDS as well. Other vendors are acquiring or developing complementary technologies, too, to offer scanners, network, and system IDSs individually or as part of a suite. When this occurs, you will benefit from common configuration files, similar user interfaces, and a common management framework (or console).
A number of other scanners are in the market today. Two others are mentioned here. The list of competitors is growing almost daily. Ballista, developed by Secure Networks, Inc., is now owned and marketed by Network Associates. The IBM Network Security Auditor (NS Auditor) is another alternative primarily for UNIX systems.
Developed under the leadership of Alfred Huger, Ballista boasts the largest list of vulnerabilities detected for UNIX systems. Although systems management and scalability features are clearly important to many customers, there seems to be a laundry-list factor in how purchase decisions are made. Whether the list of attacks scanned becomes the distinguishing feature for the market leader in scanners remains to be seen.
Ballista is a remote scanner that provides informative graphical reporting on results. The list of attacks is too long to include here, but you can find it at www.secnet.com or at www.neta.com (the Network Associates site). Not only does Ballista have an impressive list of recognized vulnerabilities, but the IDS is based on an extensible architecture known as CAPE. This leads to some very interesting possibilities. You can build your own attack patterns to scan or plug Ballista into other products.
The IBM Firewall is packaged with the Network Security Auditor remote scanner as an added bonus. The NS Auditor has its roots in the days of the Internet Worm incident. Two scientists at IBM Research were nose down in graduate school at Texas A&M University when the Worm hit. Not long after that incident, several other attacks were launched on the Internet. Dave Safford and Doug Schales were involved in discovering, monitoring, and repairing the damage caused by these attacks. The results of their efforts are widely distributed as the TAMU Tiger package. These two are also the initial authors of NS Auditor.
The NS Auditor is unique in that it uses heuristics (AI techniques) to make some decisions during its scanning phase. A wide range of options also can be specified for controlling the scan, including the following:
At this time, IBM does not offer NS Auditor as a separate product, although the tool is used by IBM consultants. The version of NS Auditor that ships with the firewall is limited to scanning an individual subnet of addresses rather than being wide open to scanning any addresses. Other scanners impose the same limitations using a license-key mechanism. The reason is simple: the difference between a network assessment and a network penetration attempt depends on the person running the scanner. A scanner with no limitations on network addresses for targets could be used to probe systems throughout the Internet.
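The subnet restriction described above is, in effect, an authorization check on scan targets: the scanner will only sweep addresses its license covers. The following Python sketch is an added illustration of that design point; it is not code from NS Auditor, Ballista, ISS or any other product named in this chapter. The licensed networks, the target specifications, and the function names (load_scope, expand_targets, authorize_targets, scan_request) are all assumptions made for the example, and the addresses used are constructed from documentation ranges.

```python
"""Target-scope enforcement for a hypothetical vulnerability scanner.

Assumption: the scanner reads its licensed scope (one or more subnets) from a
configuration or license key and refuses any request that names a target
outside that scope, the way the text describes the subnet-limited NS Auditor.
"""
import ipaddress


class ScopeViolation(Exception):
    """Raised when a requested target lies outside the licensed scope."""


def load_scope(networks):
    """Parse licensed networks (strings such as '192.0.2.0/24') into network objects."""
    return [ipaddress.ip_network(n, strict=False) for n in networks]


def expand_targets(spec):
    """Expand one target specification into individual addresses.

    Accepts a single address ('192.0.2.10'), a CIDR block ('192.0.2.16/28',
    expanded to its usable hosts) or a dash range ('192.0.2.1-192.0.2.4').
    """
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"reversed range: {spec}")
        # summarize_address_range yields the CIDR blocks covering lo..hi in order
        for block in ipaddress.summarize_address_range(lo, hi):
            yield from block
    elif "/" in spec:
        yield from ipaddress.ip_network(spec, strict=False).hosts()
    else:
        yield ipaddress.ip_address(spec)


def authorize_targets(spec, scope):
    """Return every target in `spec` as a string, but only if all are in scope.

    The whole request is refused rather than silently trimmed, so an operator
    cannot slip a few out-of-scope hosts into an otherwise licensed sweep.
    """
    targets = list(expand_targets(spec))
    outside = [str(t) for t in targets if not any(t in net for net in scope)]
    if outside:
        raise ScopeViolation(
            f"{len(outside)} target(s) outside licensed scope, e.g. {outside[0]}"
        )
    return [str(t) for t in targets]


def scan_request(spec, scope):
    """Front door for a scan: returns (True, hosts) or (False, reason)."""
    try:
        return True, authorize_targets(spec, scope)
    except (ScopeViolation, ValueError) as err:
        return False, str(err)


if __name__ == "__main__":
    licensed = load_scope(["192.0.2.0/24"])  # constructed: a single licensed subnet
    for request in ["192.0.2.10", "192.0.2.16/28", "192.0.2.250-192.0.3.2", "198.51.100.7"]:
        ok, result = scan_request(request, licensed)
        verdict = f"{len(result)} host(s) authorized" if ok else f"REFUSED: {result}"
        print(f"{request:>24} -> {verdict}")
```

The range 192.0.2.250-192.0.3.2 is the interesting case: most of it is inside the licensed /24, but the last three addresses are not, and the request is refused as a whole. A scanner that trimmed the request instead would quietly teach its operator how far the license reaches, which is the opposite of the intent behind the restriction.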
Most scanners rely on knowledge of historical problems rather than on predictive capabilities. Because a new exploit is discovered at least every week, keeping the scanning database up to date is necessary. Companies that aggressively market intrusion detection products often maintain a skilled set of researchers who monitor newsgroups, communicate with the underground, and generate original results to find new hacks to add to the products. The X-Force team is one good example (www.iss.net/xforce). Others include the squads at Secure Networks Inc. (SNI, now part of Network Associates) and the WheelGroup (now part of Cisco). L0pht Heavy Industries is particularly skilled and has reported many important findings.