Networks Vigilance NV e-secure V2.1

Networks Vigilance NV e-secure is a vulnerability scanner with a difference. In addition to providing the usual host scanning capabilities, it also provides remote probes to test networks on both sides of a firewall, as well as testing the filtering rules of the firewall itself.

Architecture

NV e-secure is the only VA product we have come across that has anything different in the way of “architecture”. Whereas most VA products are single-point devices designed to scan individual or multiple remote IP hosts, NV e-secure provides a distributed console-agent architecture which allows not only scanning of subnets behind a firewall, but also a complete evaluation of the firewall filtering rules in place between scanning agent and console.

Console

The Console is the “command control centre” for all security testing, reporting and problem solving. From this point, the administrator can define a testing environment, configure a testing session, monitor a test, and generate reports.

There are various modules that plug-in to the NV e-secure Console:

Network – provides the capability to scan for vulnerabilities on all hosts across the network, regardless of operating system. Vulnerabilities are reported in detail, with guidelines provided to fix the problems immediately. The network scanner consists of a number of modular “Test Cases” which probe all network hosts, just as a hostile attacker would, and quickly report on which hosts are vulnerable and why. Test cases act like any intruder - attempting to obtain information about the system, and then trying any open backdoor through an unsecured service or inherent weakness in a particular version.

System - specifically targeted at OS performance. The System module tests the OS to make sure that it is free from security weaknesses, following which it will recommend the steps needed to remove the weakness. This may be anything from directing the administrator to the appropriate upgrade or OS patch that resides on a vendor site, to a complete restructuring of the system itself.

Firewall - Allows the administrator to create security policies for testing a remote network, separated from the Console host by one or more firewalls or routers. In order to do this, the Firewall module utilises an installed component on both Intranet and Internet sides of the network, giving the ability to automatically analyse the filtering rules currently defined in the Firewall or filtering equipment located between itself and its probe. The Firewall module does not simply scan the firewall’s IP address, therefore, but provides end-to-end testing of the Firewall's security readiness.

Firewall Probe

The NV e-secure Firewall Probe is installed on the Intranet side of the firewall or on the DMZ, and all communication between Console and Probe is conducted over TCP on a designated open port (9999). All such communication is encrypted using SSL3.

The Probe acts as a client to connect to the Console, and this prevents the creation of a potential security hole, since the connection is always made from inside the firewall – the Probe will not accept a connection at all, and will only participate in sessions which it initiates. The Probe must, of course, have the correct permissions to connect to the Console, and the Probe also handles masquerading of internal IP addresses.

When the Probe has connected to the Console, the Console can instruct it to scan the internal network and create an internal map of hosts and active services. The Console can then play the network test cases to check for operating system and server vulnerabilities.

The Probe also plays a part in the automatic detection of the firewall's filter rules. The purpose of this phase is to automatically detect which rules have been implemented in the firewall to block or reject packets. The Console and the Probe can both monitor their local network, so each of them can detect whether or not a packet sent by the other one passed through the firewall.

The packets that are sent by the Console or the Probe are either standard packets (which are used to determine a global rule such as “Deny all ICMP requests”) or calculated packets. Calculated packets are built from the Probe's internal scanning results, and are used to find logical rules such as “Allow incoming connection to port 80/tcp of server S only” (this is usually implemented as two physical rules).

The Probe cannot find 100 per cent of the filtering rules - in particular, rules based on the source IP address are not detected. Thus if the firewall protects an Intranet without any server, the generated report could be very small.
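The inference step described above, as an added sketch in Python (not Networks Vigilance code): a simulated first-match firewall stands in for the real device, and the addresses, scan map and rule wording are all constructed for illustration. It builds standard and calculated packets from the Probe's scan map, derives global and "server S only" rules from which packets arrived, and shows why a source-based rule goes undetected when every test packet leaves from the Console's single address.

```python
from collections import defaultdict
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: Optional[int]      # None for ICMP


class FwRule(NamedTuple):     # simulated firewall rule; "*" / None mean "any"
    action: str               # "allow" or "deny"
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def firewall_passes(rules, pkt):
    """First-match simulated firewall with default deny."""
    for r in rules:
        if (r.proto in ("*", pkt.proto) and r.src in ("*", pkt.src)
                and r.dst in ("*", pkt.dst) and r.dport in (None, pkt.dport)):
            return r.action == "allow"
    return False


def build_packets(console_ip, scan_map):
    """Standard packets (ICMP to every host) plus calculated packets:
    every service found by the internal scan, tried against every host."""
    hosts = sorted(scan_map)
    services = sorted({svc for svcs in scan_map.values() for svc in svcs})
    pkts = [Packet(console_ip, h, "icmp", None) for h in hosts]
    pkts += [Packet(console_ip, h, proto, port)
             for proto, port in services for h in hosts]
    return pkts


def infer_rules(observations):
    """observations: (Packet, arrived) pairs as seen by the far-side monitor."""
    by_service = defaultdict(dict)
    for pkt, arrived in observations:
        by_service[(pkt.proto, pkt.dport)][pkt.dst] = arrived
    rules = []
    for (proto, dport), seen in sorted(
            by_service.items(), key=lambda kv: (kv[0][0], kv[0][1] or 0)):
        allowed = sorted(h for h, ok in seen.items() if ok)
        label = proto if dport is None else f"{dport}/{proto}"
        if not allowed:
            rules.append(f"deny all {label}")
        elif len(allowed) == len(seen):
            rules.append(f"allow {label} to any host")
        else:
            rules.append(f"allow {label} to {', '.join(allowed)} only")
    return rules


def audit(fw_rules, console_ip, scan_map):
    """Send every test packet through the simulated firewall and infer rules."""
    pkts = build_packets(console_ip, scan_map)
    return infer_rules([(p, firewall_passes(fw_rules, p)) for p in pkts])


# Constructed sample data (documentation address ranges, hypothetical hosts).
CONSOLE = "192.0.2.10"
SCAN_MAP = {"10.0.0.5": {("tcp", 80)}, "10.0.0.6": {("tcp", 22)}, "10.0.0.7": set()}
FW_A = [FwRule("deny", "icmp", "*", "*", None),
        FwRule("allow", "tcp", "*", "10.0.0.5", 80)]
# FW_B differs from FW_A only by a rule keyed on the source address.
FW_B = FW_A + [FwRule("allow", "tcp", "198.51.100.7", "10.0.0.6", 22)]

if __name__ == "__main__":
    for name, fw in (("FW_A", FW_A), ("FW_B", FW_B)):
        print(name, audit(fw, CONSOLE, SCAN_MAP))
```

Both rule sets produce the same report from the Console's address, so the extra source-restricted rule in FW_B only shows up when the same test packets are sent from the permitted source.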

Distributed Scanning Engine

As with the Firewall Probe, the Distributed Scanning Engine is installed on remote subnets (usually behind a firewall) and acts as a client to the Console. In order to facilitate communication through firewalls, all data transmitted between Engine and Console is passed over TCP on port 9999 (this port can be changed) and encrypted using SSL3.

Any number of Engines (depending on the license) can be controlled from a single Console, and once an Engine has connected to the Console, it can be instructed to scan the internal network and create an internal map of hosts and active services. Via the Console, the administrator will determine the scanning policy and the appropriate Test Cases are passed to the remote Engine. The Engine then runs the scans to check for operating system and server vulnerabilities, and passes the results back to the Console.

Networks Vigilance NV e-secure is the only commercial VA scanner we know of which provides this distributed client-server architecture in order to facilitate scanning through firewalls, as well as firewall rule verification.

The ability to divide scanning tasks between multiple machines across multiple subnets also allows NV e-secure to scale much better in large corporate environments.

Installation

Installation of NV e-secure is simple. It requires a Windows NT/2000 platform on which to run (though it can naturally scan any TCP/IP host, no matter what OS it runs), and uses the familiar InstallShield process. During set-up, three installation options are provided: Console, Firewall Probe, and Distributed Scanning Engine. All necessary raw packet drivers are installed automatically if either of the latter two are selected.

Once the remote Probe/Engine has been installed, all that is required is to start it running, and enter the IP address of the Console and the port on which to communicate (defaults to 9999).

One problem we did note – which is a known problem – is that on a multi-homed host, both the Console and remote scanning Engines will bind to the first available network adapter. This can cause problems with the Probe and Engine since there is no way to specify to remote components which network addresses they should operate on. You may therefore find that when asking a Probe to perform a network scan for available hosts, it actually looks at the wrong subnet.

It can also cause problems with licensing, since the MAC address of the host is used to generate the license information. If you should remove an adapter from a multi-homed machine – or even change an adapter in a single NIC machine – NV e-secure will no longer run. This is a ridiculous restriction to put on licensing – a NIC could fail, or a complete host could fail, and it should not be necessary to obtain a new license key before the software can be installed on another machine.

In other respects, NV e-secure is licensed by IP address range per class C type subnet. For one license, you thus have the ability to scan all the available hosts on that subnet.

Configuration

All configuration and management is performed via the NV e-secure Console, which has an extremely useful and intuitive interface, if a little busy when all the windows are on view. Toolbar buttons for “instant toggle” of individual windows allow you to tidy things up when you need to focus on one particular area, and we really like the full-screen-view toggle button – every application should have one.

When first starting the Console, you are presented with the session dialogue box, allowing you to choose between the predefined or user-defined sessions. There are only three predefined sessions: two generic Safe Scans using either the Network or Firewall modules (see Architecture) or “New Session”, which allows you to define your own. The “Existing Sessions” tab enables you to load previous scan sessions – including individual job results – for further analysis.

When creating a new session, the administrator is guided through a Wizard. After naming the session, and selecting whether to use the Firewall Probe or perform a straight Network scan, you are given a choice between a LAN or WAN-based scan. At present, the only difference between the two is more lax timeouts on a WAN session to cope with potentially slower links, but in future releases, there will be different Test Cases introduced depending on this selection.


Figure 1 - Defining scan job parameters in the e-secure console

The next screen allows selection of the scan “perimeter”, which is simply a range of network addresses. A new perimeter can be defined at this point if required, and any number can be defined within the license range, thus allowing logical groupings of machines for scanning purposes. Note that the perimeter only specifies the range of addresses which are available for scanning, the actual selection of machines to scan occurs later.

The Policies screen provides a small selection of pre-defined Policies from which to choose: Safe (all Test Cases except the Crash and DoS), Quick and Safe (all high vulnerability Test Cases excluding Crash and DoS), and Full (all Test Cases). Each Policy contains a set of Test Cases (vulnerabilities) sorted according to various categories, and it is possible to define your own custom Policies. NV e-secure allows you to scan for vulnerabilities by:

Impact – Attack, Crash, Denial of Service, Gather Info, Gain Root, Full Log

Risk – High, Medium, Low

Platform – Windows, Linux, various flavours of Unix, numerous hardware devices

Service – All common services such as HTTP, FTP, SNMP, SMTP and so on

ID name

Within each sub-category are a large number of Test Cases which represent the individual vulnerabilities to check for, but the Policy definition screen only allows Policy to be defined down to the sub-category level. For example, it is possible to create a Policy that just performs Information Gathering Test Cases, and nothing else, but you cannot specify that you only want to perform banner checks. A future release will allow Policy definition down to individual Test Case level, and this would be a very welcome addition. It would also be nice to be able to manage Policies from the main NV e-secure program – at present, they can only be created in the initial Session Wizard, and they cannot be subsequently edited or deleted, which is not particularly efficient.


Figure 2 - Viewing Test Case properties

Once the wizard has finished, you are deposited in the main NV e-secure screen, which contains a number of panes:

Shortcuts bar - displays icons that allow you to start a test run or generate reports of test results.

Policies pane - shows the tests that you can run under the current security policy

Perimeters pane - allows you to specify the host machines that you want to test.

Results pane - displays the results of running the test cases you selected against the hosts you selected, in a variety of formats.

Output pane - displays messages logging the progress of NV e-secure, and messages about its report generation.

As we have mentioned before, the screen can get rather cluttered making some of the windows difficult to read, but it is possible to toggle all of the windows on or off via toolbar buttons, as well as toggle a full-screen view.

The Policy pane lists all the test cases that are available, sorted into the sub-categories mentioned previously, and allows the administrator to select which ones are to be run by checking and un-checking boxes. New Test Cases can be downloaded from the Networks Vigilance SecureServices Web site and incorporated into NV e-secure automatically.

An entire category of Test Cases can be selected by checking the category box (such as Denial of Service, for example), or individual Test Cases can be selected as required. It is also possible to view the properties of the current Policy, where the administrator can set ping timeout values and high/low ports for port scans, amongst other things. Double-clicking on individual Test Cases brings up a very detailed description of the vulnerability plus, unusually, a description of the test method itself.


Figure 3 - Viewing Policy properties

Whenever applicable, a Parameters tab allows important settings to be modified for each Test Case (such as first port, last port, packet count and inter-packet delay for the Land attack). These parameters are set to sensible values and are fairly well hidden, thus keeping them out of the way of the less security-literate user who just wants to select the “Quick Scan” Policy and run off the resulting reports. For the real “hacker”, however, NV e-secure provides a simple way to explore the methodology behind the individual Test Cases, as well as a means to tweak the operational parameters.

Unfortunately, once you have finished modifying the currently selected Policy, it is not possible to save it – when you finish the scanning session and exit from NV e-secure, all the changes are lost (this “feature” will be rectified in release 2.2, which should be available by the time this report is published). The only place to make permanent Policy changes is thus when you first create them and, as we mentioned before, at that stage it is not currently possible to select individual Test Cases (or the parameters that apply to them). Policy definition is thus too inflexible at present, though this is the only area where we could find serious fault with NV e-secure.

The address range(s) available for scanning are listed in the Perimeter pane, and it is possible to add individual hosts or multiple hosts manually within the Perimeter, or NV e-secure can perform a network scan to determine which hosts are available. Once the Perimeter pane has been populated with the available hosts, one or more can be selected by using the check boxes alongside each one, following which the scan can be triggered.

When performing a Firewall probe (or when using the Distributed Scanning Engine), the Probe tab is used instead of the Perimeter tab, and it is necessary to select at least one host located on the opposite side of the firewall to the Console. This time it is the remote Probe that will be performing the scanning process (allowing hosts on the inside of the firewall to be scanned, as well as the inside of the firewall device itself), and in addition, it will also attempt to pass packets backwards and forwards between itself and the Console in order to determine which packets (if any) are allowed through the firewall.

The scan itself is split into two phases. The first phase involves ping sweeps and port scans to determine which hosts are alive and what services they are running. From this, NV e-secure determines the likely operating system and the potential vulnerabilities, and thus can decide which Test Cases are to be run against which hosts.

During the scanning process, NV e-secure keeps you well informed with an extremely useful real-time display consisting of several parts. The Control tab in the Output pane contains detailed text messages informing you of the port scan status, which ports were found, which test cases are being run against which hosts, and what results are returned. This can be saved as a plain text log to provide further analysis at a later date if required.


Figure 4 - Monitoring the progress of a scan job

The Scan Results tab shows a real-time graph of the port scanning status – number of TCP/UDP ports scanned and number of active services found – along with a list of the scan results broken down by host.

The Test Case Results tab shows another real-time graph of the number of Test Cases that have found vulnerabilities, along with a list of vulnerabilities found broken down by host. Right clicking on any host entry brings up detailed information about that particular host, including host name, IP address, operating system and full list of available services amongst other things.

The Hosts Results tab is probably the most important. This displays a list of hosts, along with their current status and details of how many vulnerabilities were found. Selecting any one of them will bring up a list of Test Cases that produced a vulnerability, encountered a system or network error or have an undetermined status. It reports the Test Case ID, the result of the test, the risk that the Test Case presents, the type of impact it has (attack, info gathering only, etc.), whether there is further information available (such as when banner text has been returned) and the port on which access was obtained.


Figure 5 - Viewing Test Case results

Selecting any individual Test Case brings up the properties of that Case with full details of the vulnerability tested for, how it was tested, and what results were returned. Release 2.2 of NV e-secure will provide filtering on this window allowing only “found” vulnerabilities to be displayed, and eliminating the clutter of “errors” and “undetermined” when required.

The final tab only comes into play when a Firewall Probe has been run. The Filters tab is similar in look and operation to the Host Results tab, except this time we are looking at missing filter rules in the firewall configuration between the Probe and the Console. With a Firewall Probe, the Test Cases work by trying to send a packet through the firewall. If the Result column shows “Found”, then the packet in question was able to get through, which may indicate a security failure. Not every successful Test Case indicates a security failure, of course, but the results presented by NV e-secure should be consistent with your own security policy.

By clicking on the Generate Filter Rules button once the test has completed, NV e-secure will display the filter rules it has been able to identify based on the test cases it has run. These rules can be saved in Linux/ipchains, Linux/ipfwadm or Cisco IOS 11 format. The firewall testing capability of NV e-secure is unique amongst VA scanners as far as we are aware, and is an incredibly useful feature.

Once a scan has been completed, the results are saved automatically in the underlying SQL database for reporting purposes. Each set of saved scan results is known as a job, and each time a previously-saved session is recalled and a scan run then a new job is created. Any job can be loaded into NV e-secure for historical reporting purposes, and NV e-secure will compare multiple jobs to provide trend and comparison reports.

The Manage Sessions option allows the administrator to delete previously-saved sessions once they are no longer required. From there, it is also possible to schedule sessions for regular unattended runs, and the reports can be e-mailed automatically to the administrator at the end of each run.

Reporting and Analysis

The reporting section of NV e-secure Console allows you to generate several types of reports from the latest job that has been run (or loaded into the Console from previous sessions).

The following reports are available:

General – top level “index” that provides hyperlinked access to each of the other reports. There is also a link to the Vulnerabilities List, with a list of all vulnerability ID’s and descriptions in the NV e-secure database.

Administrator - detailed information for each host, each vulnerability, and all the steps necessary to resolve problems discovered

Delta – a report of new vulnerabilities that have been detected on the network since the last time the report was run

Host Report – summary of each host tested, listing active services and all vulnerabilities found on that host

Manager – high level (non-technical) summary of vulnerabilities that exist on the network, sorted in descending order of seriousness

Services Report – lists vulnerabilities found in any services on the hosts that were tested

Historical – shows the results of a number of runs of the same test, listing host status and the number of vulnerabilities detected of each type for each job selected.

Filter Rule – summary of the filter rule Test Cases that succeeded in sending a packet across the firewall (only appears following a Firewall Probe scan)

All reports are generated in HTML format, and are displayed in the default Web browser, as well as being saved automatically to disk. The only way to print them out, however, is via the browser’s own print facility, which is not exactly the best way to do it.

Each vulnerability carries detailed information against it (the same information that is available when viewing from the console) and also provides hyperlinks back to the SecureServices Web site to provide more up-to-date information and detailed instructions on how to eliminate the vulnerability wherever possible.


Figure 6 - Viewing the Administrator Report

The NV e-secure reporting is clear, comprehensive and easy to read. Some might object to the fact that it is not possible to create new reports or customise the existing ones, but there is enough information presented within the eight standard reports to suit most purposes.

Verdict

Networks Vigilance is not the best known name in the Vulnerability Assessment market place (the company is a spin-off from Cyrano – itself not particularly well known), and on this showing it is hard to see why that should be the case.

NV e-secure is a well-crafted piece of software with a simple-to-use, intuitive user interface, and a wide range of vulnerability signatures backed up by regular Web-based updates (probably the most frequent updates of all the products we have seen in the last year). These signatures do seem to focus on real “hacking attacks” as opposed to OS vulnerabilities (such as misconfigured guest accounts, inadequately secured administrator accounts, or poor password policy), so some sites might like to consider running NV e-secure alongside an OS auditing tool of some sort for complete coverage if this is an issue.

The only part of the product that is something of a let down in the current release is the Policy definition, which is neither completely intuitive, nor flexible enough for a product of this stature.

Reports too, whilst excellent, might benefit from being replaced by the ubiquitous Crystal Reports, to provide more flexibility and scope for expansion (especially since there is a full-blown SQL database underpinning the product). Finally, we would like to see the licensing process divorced from the host MAC address.

However, these minor niggles aside, NV e-secure offers the most comprehensive real-time analysis tools we have seen on any product of its kind, together with a perfectly adequate set of reports that are well presented and easy to read. It provides a basic set of default policies which can be run with little or no “hacking” knowledge, yet also makes available detailed descriptions of the vulnerability checks and the means to tweak the operational parameters for those who know what they are doing. NV e-secure seems to strike a rare balance between ease of use for the novice, and power and flexibility for the security expert.

Where NV e-secure really scores, however, is with its distributed architecture that allows remote scanning of large networks from a single, central console via multiple Scanning Engines. In addition, the Firewall Probe provides similar remote scanning capabilities which allow it to not only scan hosts on the inside of a firewall, but also use a number of special Test Cases to attempt to pass packets from Probe to Console – and vice versa – through the firewall, thus determining the effectiveness of the filter rules in place.

To our knowledge, the distributed scanning and firewall probing capabilities are unique amongst commercial firewall tools at the time of writing, and these make it an ideal tool for scanning large, distributed corporate networks from a single location, right down to scanning the local subnet for half a dozen hosts.

This should be considered an essential part of any security administrator’s tool kit - if you want to perform VA scans, you should be looking at NV e-secure.

Contact Details

Company name: Networks Vigilance S.A.
E-mail: [email protected]
Internet: http://www.networksvigilance.com
Product Web site:
http://e-secure.networksvigilance.com

Address:
123 rue de Tocqueville
75017 PARIS
France
Tel: +33 (0) 1 56 33 40 00
Fax: +33 (0) 1 56 33 40 01

The US, UK, and French distributor for e-secure is Cyrano. Addresses follow:

Cyrano Inc.
26 Parker Street
Newburyport, MA 01950-4010
Tel: + 1 (978) 462 0737
Fax: +1 (978) 462 4755

Cyrano UK
19 Thatcham Business Village
Colthrop Way
Thatcham
Berkshire RG19 4LW
UK
Tel: +44 (0)1635 876876
Fax: +44 (0)1635 873910

Cyrano France
123 rue de Tocqueville
75017 PARIS
Tel: +33 (0)1 56 33 40 00
Fax: +33 (0)1 56 33 40 01

Copyright © 1991-2001 The NSS Group.
All rights reserved.