
NAI CyberCop Scanner 5.5

CyberCop Scanner is the Vulnerability Assessment offering from Network Associates, which offers a number of unique features such as a hostile DNS server, Custom Audit Scripting Language (CASL) and extensive IDS evasion testing capabilities.

Architecture

CyberCop Scanner can run on either a Windows (NT or 2000) or Unix (Red Hat Linux) platform, and can be used either as a stand alone scanner or as a component product within the Active Security suite.

The Active Security integrated product family comprises the following Network Associates products:

CyberCop Scanner is the network security assessment component that can scan devices on the network for more than 700 vulnerabilities. CyberCop Scanner should be configured to search for the vulnerabilities that are of particular concern in accordance with the corporate security policy. CyberCop Scanner is known as a sensor component because it is essentially concerned with monitoring and collecting data.

Event Orchestrator receives messages from sensors on the network and then, based on the security policy, processes them and decides whether to send action messages to the Active Security actor components in response to them. Event Orchestrator is configured to respond to particular vulnerabilities in a manner that best enforces the corporate security policy. Event Orchestrator is known as an arbiter. In addition to delegating actions to external actor components, Event Orchestrator is able to take certain kinds of action on its own. For example, it can send out an email message about a vulnerability it’s been informed of, run a custom Visual Basic script, or raise a trouble ticket via the McAfee HelpDesk product (available separately).

Gauntlet Firewall for Windows NT and Unix are known as actor components, because they are capable of acting on events supplied by arbiters. Gauntlet takes instructions from the arbiter and responds in a manner designed to enforce security policy – for example, by restricting access to certain servers or services.

Net Tools PKI Server supports secure, strongly authenticated communication among the sensor, the arbiter, and the actors by furnishing each product with X.509 certificates. 

Another component installed as part of the CyberCop Scanner package is the Security Management Interface (SMI). This provides a single console window, called the SMI console window, from which it is possible to manage all NAI security applications, whether they are installed on local or remote computers.

An NAI security application is inserted into the SMI console as a “snap-in” program. The SMI console can then be used to install, configure and run the snap-in program on network hosts.

From an SMI console, it is possible to:

  • Install and configure NAI security applications on the local computer
  • Connect to computers on the network to install and configure NAI security applications remotely
  • Monitor program activity and change program settings
  • View security results collected in an event database on a remote computer
  • Retrieve security results from a remote computer or from a central event server
  • Generate reports using pre-defined report templates
  • Configure the console window by setting one of four console modes

Installation

On Windows platforms (as tested) installation is simply a matter of inserting the CD and following the installation Wizard, or activating the self-extracting EXE file if downloaded from the Internet.

During installation, both CyberCop Scanner and SMI components are installed. All packet driver components necessary for the correct operation of CyberCop Scanner are also installed automatically.

Oddly enough, if you wish to use the CASL interpreter, you must manually add an environment variable to point to it once everything else has been installed. It seems strange that this could not have been automated during the main installation routine.

There is an excellent Getting Started Guide which provides all the information you need to get you going with CyberCop Scanner. This is provided in electronic format as a PDF, and as a hard copy version in the box.

Configuration

The user interface has changed somewhat in the latest release of CyberCop Scanner, though it retains – and even improves upon – the ease of use factor that has characterised previous versions.

Figure 1 - Scan Settings

There are three sets of configuration options to be concerned with when starting a scan: scan settings, module settings and application settings. A Wizard steps you through most of the important settings when defining a new scan job, or it is possible to configure everything manually.

Application settings cover basic operational parameters such as scanner working directories, main screen display attributes, and how to report results (always, never or vulnerable modules only).

Scan settings cover operational settings pertaining to the current job, such as the host range to scan, whether to perform operating system identification and whether to disable or enable scan modules based on the OS found. Four of the available tabs are there to allow the administrator to define security policies relating to user accounts, system auditing, legal captions and browser zones. These will be compared against the corresponding settings on every Windows platform in order to report on deviations from standard security policy.

The final tab provides the means to control a number of important settings relating to the security modules, such as the DNS domain name, TCP and UDP port scan ranges, which password files to use during password cracking operations, and so on. Scan settings can be saved in Template files for recall and reuse at a later date if required. This provides the means to have a specific group of policy settings for a specific range of hosts saved in a single template file.

Figure 2 - Module settings

Module settings allow you to determine which attack signatures will be employed during the scan. CyberCop Scanner works by running security modules against a target system. Modules are pieces of code that either check for vulnerabilities on the target system or attempt to exploit the vulnerabilities of the target system. They are grouped into module classes according to their function – Denial of Service, information gathering, Web, FTP, and so on.

There are also a group of tests for checking the effectiveness of firewall filtering rules, which are used in conjunction with a special remote “listening” utility that is installed behind the firewall.

CyberCop Scanner includes operating system detection capabilities which can identify the operating system types of hosts on a network. Once operating system types are identified, CyberCop Scanner can optionally disable modules not pertaining to specified operating systems when scanning hosts.

Other modules initiate hostile Denial of Service attacks, which look for vulnerabilities that can only be detected properly if an attack is actually launched against a target host.

There are over 700 modules in the current vulnerability database, and additional checks can be added via the automated module update capability. This can be achieved via an FTP or LAN connection, and can be scheduled for automatic regular update. Network Associates is one of the few vendors which makes it simple for you to download an update file from the FTP site once, place it on an intranet server, and then update all copies of CyberCop Scanner from that one update file. This means it is not necessary for every CyberCop Scanner user to go to the NAI FTP site independently to perform updates, making the whole process much more efficient.

Figure 3 - Configuration settings can be saved as Templates

Modules are grouped together into their module classes, and individual attacks or entire groups can be selected via a single check box against an attack or group heading. Selecting an individual attack brings up an excellent detailed description of the vulnerability together with suggested fixes, and complex configurations can be saved as Template files to be used repeatedly. It is also possible to edit the entry in the vulnerability database by right-clicking on a vulnerability, though this is aimed more at altering the way the information is presented on screen and in reports than changing functionality in any way.

Having created template files for module and scan settings, the combination can be saved as a “configuration file”. When starting a new scanning operation, opening a single configuration file will automatically apply all the appropriate settings in one go. Once configuration is complete, all module settings and variables can be confirmed in the Current Configuration tab, which can also be printed out for reference.

Once all the settings have been established, the tool bar provides buttons for “begin scan” and “begin probe”. Probes detect responsive hosts on a network without scanning them for vulnerabilities. The probe will be performed on the hosts specified in the currently loaded configuration file, and this feature can be used to generate a network map and to troubleshoot hosts.

For each host, probing identifies if the host is responsive, determines the operating system type, and performs a trace route to generate a network map. Results during a probe can be viewed on the Scan Progress tab, which will list hosts that are found to be responsive (together with their operating system type, if OS identification is enabled), along with unresponsive hosts that have been skipped.

Clicking on “begin scan” performs a full-blown vulnerability scan of all hosts specified in the scan settings, using all modules specified in the module settings. It is possible to restrict CyberCop to performing only the scans that apply to the OS identified for a particular host, and modules for which a target is found vulnerable will return data specific to that test – an SMTP or FTP banner, for example, or a list of shares enumerated.

Figure 4 - Monitoring scan progress

During a scan, progress is monitored in the Scan Progress window, and a real-time indication of vulnerabilities found in the scanned hosts can be seen in the Scan Results tab if this has been activated. Once the scan is complete, results can be queried immediately on-screen via the Scan Results tab. Here, a tri-pane display shows a hierarchical tree of all the hosts which have vulnerabilities, with all the vulnerabilities listed against each host. Selecting an individual vulnerability will bring up a display of the output produced from that module, and a full description of the vulnerability and suggested fixes.

Certain modules are designated as “Fix It” modules used in conjunction with Windows NT Registry checks. These modules can perform a fix to Registry values to correct potential vulnerabilities detected by CyberCop Scanner. After a scan is completed, Fix It modules are highlighted with a blue “wrench” icon, and individual modules (or all those found in a single scan) can be selected for automatic fixing. Unfortunately, there does not appear to be an “undo” function, so this feature should be employed with care.
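The policy comparison described under Scan settings (legal captions and account options checked against each Windows host) and the "Fix It" modules above, which rewrite Registry values with no undo, can be reproduced in a reversible form. The following is an added example, not CyberCop's or NAI's code: it parses a `.reg` export, reports deviations from an assumed policy baseline, and writes an undo `.reg` holding the original values before any fix is applied. The baseline values are assumptions; the registry key and value names are the standard Windows ones.

```python
"""Check exported Windows Registry values against a policy baseline and build an undo file."""
import re

SYSTEM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample export, in the format produced by `reg export` on a Windows host.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"DontDisplayLastUserName"=dword:00000000
"""

# Assumed corporate baseline (example values, not NAI's policy defaults).
POLICY = {
    (SYSTEM_KEY, "LegalNoticeCaption"): "Authorised use only",
    (SYSTEM_KEY, "LegalNoticeText"): "Unauthorised access is prohibited.",
    (SYSTEM_KEY, "DontDisplayLastUserName"): 1,
}

KEY_RE = re.compile(r"^\[(.+)\]$")
STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {(key_path, value_name): value} for REG_SZ and REG_DWORD entries."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := STR_RE.match(line)):
            values[(key, m.group(1))] = m.group(2)
        elif key and (m := DWORD_RE.match(line)):
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def deviations(actual, policy):
    """List (key, name, expected, found) where the host differs from the baseline."""
    return [(k, n, exp, actual.get((k, n)))
            for (k, n), exp in policy.items() if actual.get((k, n)) != exp]


def undo_reg(devs):
    """Build a .reg file that restores each deviating value to its pre-fix state."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _expected, found in devs:
        lines.append(f"[{key}]")
        if found is None:
            lines.append(f'"{name}"=-')                 # absent before the fix: delete on undo
        elif isinstance(found, int):
            lines.append(f'"{name}"=dword:{found:08x}')
        else:
            lines.append(f'"{name}"="{found}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    devs = deviations(parse_reg(SAMPLE_EXPORT), POLICY)
    for key, name, expected, found in devs:
        print(f"{name}: found {found!r}, policy requires {expected!r}")
    print(undo_reg(devs))
```

Apply the undo file with `reg import` if a fix needs to be rolled back; string values containing backslashes or quotes would need the `.reg` escaping rules, which this example does not handle.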

CyberCop Scanner makes use of the SMI event database for storing security results during a scan. Once a scan is completed, SMI provides a report viewer which allows you to query the database, preview data, and generate reports. This can be accessed either from the SMI console or from the standard CyberCop Scanner console in the View Reports menu.

There are a few other features and tools which are available from the console menus. CyberCop Scanner includes two programs, Crack and SMBGrind, that use brute force password guessing functions to determine if user accounts on a network are vulnerable to intruders.

The Crack program attempts to break into a computer by guessing a user’s encrypted password. It does this by comparing a list of possible passwords with an actual account file for a network, thereby potentially gaining access to a user account. The SMBGrind program actually attempts to log on to a computer remotely by grinding through a list of possible passwords. If a match is found it then logs on to the computer. Note that there is no password decryption utility providing L0phtCrack-type functionality – only brute force methods are available.

The remaining features are unique to CyberCop Scanner in the VA market place. The first is the hostile DNS server, which allows you to audit a DNS server for cache corruption attacks.

There is also a set of tests specifically designed to exercise Intrusion Detection software. The IDS testing tool provides a basic attack signature that can be represented in a number of ways on the wire that are designed specifically to evade detection by IDS programs. It does this by fragmenting packets, sending fragments out of order, introducing additional SYN packets, overlapping fragments, and so on. A “baseline” script provides the means to ensure that the basic attack can be seen by the IDS, following which you can run the remaining scripts to determine the effectiveness of your IDS system against such evasion techniques.

The final feature worthy of note is the Custom Audit Scripting Language (CASL) that allows you to construct your own TCP/IP packets and attacks. Individual TCP/IP packets can be constructed in the CASL GUI tool within CyberCop Scanner and broadcast across the network, or entire attacks can be scripted in a text editor using the high-level scripting language, details of which are provided in the documentation. In fact, some of the attacks within CyberCop Scanner itself – the IDS tests and firewall packet filtering tests – are CASL scripts.

Reporting and Analysis

Following a scan, the Network Map window provides a graphical view of the network as determined during the scan, which – apart from looking pretty – serves no useful purpose as far as we can see.

The real meat is in the various reports that can be generated which are extensive, clear and easy to read. The following reports are available:

Differential Report by Host - Allows comparison of results for two hosts specified by IP address.

Differential Report by Scan Session - Allows comparison of results for two scan sessions specified by date and time.

Graphical Summary - Provides a graphical summary report with pie charts for different report categories (Complexity, Ease of Fix, Impact, Popularity, Risk Factor, Root Cause). For example, the Risk Factor pie chart shows the proportion of vulnerabilities found with Low, Medium, and High risk factors. Graphical Summary is a management report which contains only general network status information for a scan.

Figure 5 - Viewing reports by scan session

Report by Complexity - Displays results by the difficulty involved in exploiting a vulnerability (Low, Medium, High).

Report by Ease of Fix - Displays results by the ease of fixing a vulnerability (Trivial, Simple, Moderate, Difficult, Infeasible).

Report by Host - Displays results by host IP address.

Report by Impact - Displays results by the specific threat posed by a vulnerability (System Integrity, Confidentiality, Accountability, Data Integrity, Authorisation, Availability, Intelligence).

Report by OS Type - Displays results by operating system type.

Report by Policy Violation - Displays results by type of policy violation.

Report by Popularity - Displays results by the likelihood that a vulnerability will be exploited (Obscure, Widespread, Popular).

Report by Risk Factor - Displays results by the severity of the threat posed by a vulnerability (Low, Medium, High).

Report by Root Cause - Displays results by the underlying cause of a vulnerability (Configuration, Implementation, Design).

Report by Scan Session - Displays results by scan session date and time.

Report by Vulnerability ID - Displays results by module number.

Vulnerability Guide - Displays an indexed tree view of all modules in the Vulnerability Database. It is possible to click on a module number to view a detailed module description, or the entire Vulnerability Guide can be printed as a report.

Limited customisation options are available when generating reports. Customising a report allows the administrator to specify which database records will be included in the report, which database fields will be included for those records, and how the database fields will be sorted. It is also possible to remove repeated information from the body of a report and display it in an appendix at the end.

When a report is generated, it is first displayed in a preview window which includes an indexed tree view of sections in the report. The indexed tree can be used to navigate quickly to different sections in the report and the previewed report can be filtered to create sub-reports for easier viewing on-screen.

Reports can be printed directly from the viewer, or can be exported for use by other applications. Reports can be exported in a variety of formats, including DOC (Microsoft Word), RTF (Rich Text Format), and HTML (Web Browser).

Verdict

The latest release of CyberCop Scanner shows some minor, but nice, improvements over the previous one. The user interface is as clean and easy to use as ever, and the reporting is extensive and very readable.

CyberCop Scanner offers a policy definition interface that combines ease of use with flexibility, and the scans are fast and accurate. In addition, CyberCop offers a host of features over and above simply scanning for vulnerabilities.

The hostile DNS server provides the means to scan effectively for a host of DNS-related vulnerabilities, and it is possible to use the public version which NAI has made available on the Internet, or to install your own internally. The ability to test IDS products using various packet fragmentation techniques is a first for commercial VA scanners, as is the CASL scripting tool that allows you to create and run your own custom attacks.

The excellent user interface, detailed reports, open licensing model and additional features such as these still make CyberCop Scanner one of the best VA scanners on the market.

Contact Details

Company name: PGP Security, A Network Associates Business
E-mail: [email protected]
Internet: www.pgp.com
Address:
3965 Freedom Circle
Santa Clara, CA 95054, USA
Tel: 1.888.PGP.3011


Copyright © 1991-2006 The NSS Group Ltd. All rights reserved.