June 17, 2003

Keeping the alligators out of your sewer

- by Dorian J. Cougias -
Somewhere, sometime, some goofball is going to attack your network "just because." How can you protect yourself? Among the options, you can scan your systems for possible attacks. You can scan from the outside of your organization, testing to see how much gets through your firewall, and you can scan from inside your organization, without the benefit of the firewall. I suggest that you run your tests from both directions -- and take the inside attack just as seriously as the outside attack.

This article is excerpted from the newly published third edition of The Backup Book: Disaster Recovery from Desktop to Data Center, by Dorian J. Cougias, E.L. Heiberger, and Karsten Koop.

A host of available products conduct vulnerability assessment scans. Symantec's NetRecon, the open source-based Nessus, and MacAnalysis are three very solid tools for small to medium-sized organizations. The only two tools we recommend for larger organizations are FoundScan from Foundstone, and our company's favorite, Security Analyzer from NetIQ.

Each of these packages scans either individual devices or your network, and prods the devices being scanned for open holes and potential vulnerabilities. Good stuff, but, as the immortal Jacqueline Susann taught us, once is not enough: You need to use these tools often, on a regular basis, to ensure that your software updates aren't cracking open any crevices for creepy-crawlies to slither through.

While many vulnerability assessment products can test Linux clients and servers, most run only on Microsoft or, in the case of MacAnalysis, Apple platforms. We've highlighted two that can run on Linux, and one standalone hardware device.

Shields Up!

The simplest scanner is a Web site dedicated to Internet security testing, featuring the Web-based program, Shields Up! To use it, simply click its "Test My Shields" and "Probe My Ports" buttons, and the system scans your computer (this works only on the computer you're testing) for open holes in your system.

It's a great start, but it doesn't cut the mustard for a workgroup or an organization. Corporate scanning systems should scan not only a single computer, they should run automatically and scan the entire network (adjusting for new nodes before each scan) on a regular basis. Since you're working with large-scale systems, they should include not only scanning, but problem reporting and course-of-action planning as well.

Nessus

Nessus is an open source project, which means that more programmers are working on and making it better than any proprietary program. And in its open fashion, it has a plug-in architecture. Each security test is written as an external plug-in, so that you can easily add your own tests without having to read the code of the Nessus engine.

The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language) a language designed to write security tests easily and quickly. The Nessus Security Scanner is made up of two parts: a server, which performs the attacks; and a client, which is the front end. You can run the server and the client on different systems so that you can create your reports on your personal computer while the server performs its attacks from a Unix mainframe.

There are several clients: one for X11, one for Win32, and one written in Java. Nessus will not only tell you what's wrong on your network, but will, most of the time, give you the risk level of each problem found (from low to very high) and tell you how to prevent crackers from exploiting the security holes found.

The Unix client can export Nessus reports as ASCII text, LaTeX, HTML, "spiffy" HTML (with pies and graphs) and an easy-to-parse file format. And, given the power of your server, it can test a great many hosts at once.

QualysGuard Intranet Scanner

This product is the only hardware-based security scanner that we mention in our book. It's a pretty darn cool product. The device hooks into the network like any other computer and continuously monitors the goings-on, producing a Web-page front-end report that is clean and very usable.

Just minutes after turning it on, connecting it to the network, and entering a username and password (for getting updates from the parent company), administrators can begin assessing their networks for vulnerabilities. If you're looking for an appliance to run your security tests, this is a great device.

Politics and other issues of computer-driven security systems

After this quick survey of some semi-automatic security remediation products, you're probably wondering if your company will buy off on it and what the fallout might be. Let's go through a couple of issues that can hit you, so you'll be prepared to dodge.

There may be the issue of expense, though purchase cost is less of an issue with open systems. I'd balance an argument for a product against the argument of hiring additional staff to keep up with security threats. Ask for the staff first, and then add (once you get them going on the exorbitance of buying fresh bodies) that you have found a product that's cheaper and easier to manage and maintain than a human being -- that might clinch the deal.

And, since you're replacing bodies with machinery, there's bound to be a bit of a turf war in larger organizations. Decentralized companies like restaurant chains or store chains won't offer that argument because they don't have the decentralized IT staff to begin with. However, larger organizations with their own IT fiefdoms may put up a security turf barrier or two. That's where "approval" teams come into the picture.

When I was CIO of True North Communications, I dealt with about a dozen "local-division" CIOs across the world. With those based in the U.S., I held a monthly meeting to "decide" where we were going. It was like the president wrangling with Congress, but it worked, and I recommend it as a turf-war-deflection tactic. At monthly meetings, you can turn the territorial instinct aside by presenting the most current security scans along with the most current suggested remedies. Letting folks "decide" which updates should be run gives them a voice in the system, and enables to you get their backing and, potentially, some bucks if you need more budget.

For more information about securing organizations using open source software, see YoLinux.

Dorian Cougias is the founder and CEO of Network Frontiers. Previously
he served as CIO of advertising agencies
Fallon McElligott and True North Communications. Dorian has authored four
certification programs, eight books, and numerous technical articles. He¹s a
member of the University of Delaware Technology Advisory Board as well as an
adjunct professor in the HRIM and distance learning schools.

Category:

  • Security
Click Here!