Whenever a company connects its network to the Internet, it opens up a whole can of worms regarding security. As the network grows, it will play host to numerous bugs and security loopholes of which you have never heard - but you can bet intruders have. Many organisations are recognising the value of a good security policy to define what is and is not allowed in terms of network and Internet access. Then they deploy a number of tools to enforce that security policy - usually in the form of a firewall or two.

Firewalls may be billed as commodity items, but the "shrink wrap" element certainly doesn't extend to their configuration. A detailed knowledge of what a hacker can do and what should and shouldn't be allowed through the firewall is required before embarking on the configuration adventure, and a slip of the mouse is all it takes to open up a hole big enough for your average hacker to drive the proverbial bus through. The problem is, a badly configured firewall can be worse than no firewall at all, since it will engender a false sense of security. To protect an organisation completely, therefore, it is necessary to audit the network on a regular basis, and in order to achieve this, a whole new category of software has emerged in the last few years: Vulnerability Assessment (VA).

Intrusion Detection and Vulnerability Assessment are becoming increasingly important as the stakes become higher. In the 1980s and early 1990s, denial-of-service (DoS) attacks were infrequent and not considered serious. Today, successful DoS attacks can shut down e-commerce-based organisations like online stockbrokers and retail sites.

VA products - also known as "risk assessment products" - take two forms. The first is a "passive" or "host" scanner, which usually allows the network administrator to define a security policy for the machines on his network (perhaps a different policy for each operating system or type of server).
The scanner then audits every machine automatically, producing a report that details exactly where each machine's security settings differ from the defined policy and what needs to be done to fix the problem.

The second type of VA scanner takes quite a proactive stance - a sort of "hacker in a box" - providing a number of known attacks (Web server exploits, Denial of Service attacks, and so on) with which a network administrator can probe his or her network resources. By probing a network with an "active" or "network" scanner, the network administrator can often obtain a clear picture of potential weaknesses in his system, and even an indication as to how those weaknesses can be eliminated. Some of these systems will make multiple passes of a network, using information gleaned on early passes to effect a more comprehensive attack in subsequent attempts. For example, a scanner may find an unprotected password file on a desktop machine in one pass. In the next pass it could actually use those passwords on the same - and other - hosts in an attempt to gain access to protected resources as an administrator. You would be surprised how often this works!

Once you have your IDS and VA tools deployed and working effectively, that is not the time to sit back and relax. In fact it is only the beginning of a cycle that must be constantly repeated if security is to be maintained. Intrusion Detection and Vulnerability Assessment are valuable components of an organisation's security plan, but they are just that - components. The first point of defence may well be the firewall, and behind the Network and Network Node IDS system may well be additional port monitoring and File Integrity Assessment products to alert you as to when an intrusion attempt has been successful. All of these components must operate within the confines of a strict security policy, which should determine what is and is not allowed on the corporate network.
This, in turn, will help specify how the individual components are to be deployed and configured, as well as offer guidelines as to how alerts are to be handled. There is no point in using the latest IDS technology only to have it log intrusion attempts to a file that is only examined once a month.

There should be differing levels of importance assigned to different types of intrusion attempts, and the alert and response procedure should be scaled accordingly. There is little point in raising the roof should you discover your network is being port scanned by someone using nmap - that happens all the time, and it is enough to log that for periodic examination just to make sure it is not happening too often within a set time interval. On the other hand, a successful BackOrifice ping that elicits a reply from somewhere within your organisation indicates a serious compromise, and for that you may deem it appropriate to page the security administrator at any time of day or night. Between those two extremes are various other possible responses such as e-mail, SNMP alerts, session termination, firewall reconfiguration, and so on - use them to the full, and make sure that your security staff take the time to examine the various log files at regular intervals to keep tabs on the more mundane intrusion attempts.

Intrusion Detection Systems are good at sounding alarms, but unless there is someone around who is prepared - and trained - to respond, they are no better than a car alarm that everyone ignores. An effective response is every bit as important as detecting the attack in the first place.

Maintenance is equally important. Security is certainly not static, and new vulnerabilities are being discovered and exploited all the time. This should result in new signatures for your IDS and VA tools, patches for your operating systems and updates for your firewalls.
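One way to implement the scaled alert-and-response procedure described above, as an added illustration that is not part of the report: a small Python triage routine that only logs nmap port scans, escalates them to e-mail when one source scans too often within a set window, and pages on a BackOrifice reply. The signature names, thresholds and sample sensor lines are all assumed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Response tiers, scaled as the report suggests: log the mundane, page the serious.
LOG, EMAIL, PAGE = "log", "email", "page"

# Assumed policy table (not from the report): signature -> baseline response.
# nmap scans are merely logged; a BackOrifice reply from inside the network is paged.
BASE_RESPONSE = {"nmap-portscan": LOG, "backorifice-reply": PAGE, "web-cgi-probe": EMAIL}

# Rate rule: more than SCAN_LIMIT scans from one source within SCAN_WINDOW escalates.
SCAN_LIMIT = 3
SCAN_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Parse one constructed sensor line: '<iso-timestamp> <signature> <src> -> <dst>'."""
    ts, sig, src, _, dst = line.split()
    return datetime.fromisoformat(ts), sig, src, dst


def triage(lines):
    """Return [(timestamp, signature, source, response)] for each sensor line."""
    recent_scans = defaultdict(deque)  # source -> timestamps of its recent scans
    actions = []
    for line in lines:
        ts, sig, src, _dst = parse_event(line)
        response = BASE_RESPONSE.get(sig, EMAIL)  # unknown signatures get a human look
        if sig == "nmap-portscan":
            window = recent_scans[src]
            window.append(ts)
            while ts - window[0] > SCAN_WINDOW:  # forget scans older than the window
                window.popleft()
            if len(window) > SCAN_LIMIT:  # same source scanning too often: escalate
                response = EMAIL
        actions.append((ts, sig, src, response))
    return actions


# Constructed sample sensor output (not real traffic); lines must be time-ordered.
SAMPLE = [
    "2001-03-05T09:00:00 nmap-portscan 198.51.100.7 -> 192.0.2.10",
    "2001-03-05T09:02:00 nmap-portscan 198.51.100.7 -> 192.0.2.11",
    "2001-03-05T09:04:00 nmap-portscan 198.51.100.7 -> 192.0.2.12",
    "2001-03-05T09:05:00 nmap-portscan 198.51.100.7 -> 192.0.2.13",
    "2001-03-05T09:30:00 backorifice-reply 192.0.2.55 -> 198.51.100.9",
]

if __name__ == "__main__":
    for ts, sig, src, response in triage(SAMPLE):
        print(f"{ts:%H:%M} {sig:<18} {src:<14} {response}")
```

The fourth scan from the same source inside ten minutes is escalated to e-mail, while a scan series spread over a longer period stays at log level.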
Even so, it is a wise security administrator who keeps an eye on the various underground hacking sites and security alert mailing lists for himself. Between the point of discovery and the point where a patch is issued and applied, there is a window of opportunity for the hacker to exploit. It is up to the security administrator to minimise this window as much as possible. If an OS vendor is slow in bringing out a patch for a new vulnerability, for example, perhaps the administrator can reconfigure the corporate firewall to eliminate the sort of traffic that could exploit that vulnerability, or add a temporary custom signature to the IDS in order to detect it. Certainly, as soon as new IDS signatures are made available from the vendor, they should be downloaded and deployed to every appropriate sensor on the network.

Finally, you should be using Vulnerability Assessment tools to continually test your defences and update your security policies accordingly. A VA scan may well highlight additions or changes to the network and its applications which might necessitate a rethink on how IDS sensors are deployed and which signatures are monitored by each sensor. Monitor - evaluate - modify. Then back to the beginning. It is a cycle that must be repeated over and over if you want to keep your network as secure as possible. Only by continual vigilance and refinement will you stay one step ahead of (or at least no more than one step behind) the hackers.

In this section of the report we move from general VA information to detailed evaluations of some of the market-leading products. For this significant group test we invited all the major vendors in the VA market place.
Four agreed to take part, with some vendors entering multiple products. In total, we tested five products, including:

- BindView bv-Control for Internet Security V3
- Network Associates CyberCop Scanner 5.5
- Symantec Enterprise Security Manager 5.1

Vendors will also be encouraged to submit new releases for testing, thus allowing us to update this report at regular intervals and maintain an accurate appraisal of the VA market place. New products this year include BindView bv-Control and VIGILANTe SecureScan NX. We also hope that those vendors who declined to participate in this group test will agree to put products forward for the next one in 2002. The testing methodology will be enhanced considerably in the coming months, and we would like to see all the existing products retested using our new methodology alongside new entries over the next 12 months.

This is a relatively immature, yet fast-moving market place, and potential customers need as much information as they can acquire when selecting and deploying such an important component in their security systems. Feedback confirms we are providing a major source of much needed information and advice to security professionals, and The NSS Group VA Report is considered the definitive guide to the VA market place.