Vulnerability Assessment Technology Report

Transcription

1 August 2005 Vulnerability Assessment Technology Report Rapid7 NeXpose

2 Vulnerability Assessment Technology Report 2 Contents Test Specifications 3 Vulnerabilities 5 The Product 6 Test Report 8 Test Results 14 West Coast Labs Conclusion 15 Security Features Buyers Guide 16 Appendix 17 West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel : , Fax :

3 Vulnerability Assessment Technology Report 3 Test Specifications The aim of this Technology Report is to evaluate solutions in the field of Vulnerability Assessment. Test Environment Participants in the technology report were invited to provide a vulnerability assessment of a heterogeneous network, together with proposals and recommendations for remediation. The network set up by West Coast Labs for evaluation of solutions comprised 24 distinct hosts, including routers, managed switches, network servers and client machines. Web applications were installed on relevant servers. A variety of Operating Systems were used on the network, on different hardware platforms. A small number of virtual hosts were included. In building the network, some of the servers were installed with default settings. Various levels of patching were applied. In addition a number of common misconfigurations were made in setting up the servers, and in deploying particular services. Every host on the test network was imaged, and restored to its start state before each round of testing for individual solutions. The test network was protected by a router. ACLs were set on the router to restrict access to the test network from IP addresses specified by the participating vendor, if appropriate. Where the solution under test was an appliance or software solution then the router was configured to block all access from the internet for the period of test. The test network was available to each solution for 2 days. The final report, containing the results of the Vulnerability Assessment and any recommendations are addressed in the Test Results that follow. Appliances were provided to WCL in the default shipping state. WCL engineers configured appliances in accordance with documentation provided. Software solutions state the desired specification and OS of the hardware on which the software is to be installed. WCL engineers installed and configured software in accordance with documentation provided. All participating solutions were provided together with documentation supplied to a normal user.

4 Vulnerability Assessment Technology Report 4 Test Specifications WCL evaluation of the Vulnerability Assessment Report Vulnerabilities on the target network were classified under 4 headings: Critical vulnerabilities those that allow an attacker with minimal knowledge or skill to compromise the integrity of the network. This may include gaining control of a server or network device, gaining illegitimate access to network resources or disrupting normal network operations. Severe vulnerabilities those that allow illegitimate access to, or control over, network resources, but that require considerable knowledge or skill on the part of the attacker. Non-critical vulnerabilities those that allow attackers to gain access to specific information stored on the network, including security settings. This could result in potential misuse of network resources. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on hosts, directory browsing, disclosure of filtering rules and security mechanisms. Information leaks these allow attackers to collect sensitive information about the network and the hosts (open ports, services, precise version of software installed etc.) Each report was assessed on: The ease of deployment of the solution The number of vulnerabilities correctly identified in each class The completeness of the report, including identification of any network changes made The clarity of presentation of the findings The clarity of advice on remediation WCL also comments on the level of technical knowledge required to understand and act on the information contained in the final report. Participants in the Technology Report will be eligible for the Checkmark certification for Vulnerability Assessment. In order to achieve the Standard Checkmark Certification, the candidate solution must identify at a minimum 100% of the Critical Vulnerabilities and 75% of the Serious Vulnerabilities. However, those developers identifying 100% of the Critical Vulnerabilities and a minimum 90% of the Serious Vulnerabilities will be awarded the Premium Checkmark Certification for Vulnerability Assessment. All solutions must also provide accurate advice on mitigating the risks posed by the vulnerabilities.

5 Vulnerability Assessment Technology Report 5 Vulnerabilities So that the test network would mirror that found in many businesses, a variety of operating systems, on different hardware platforms, were included. A Windows domain was set up with three servers and a mix of workstations running Windows XP and Windows 2000 professional. Some Sun Servers running Solaris 2.8 provided web services and file storage, assorted Linux boxes running Mandrake and RedHat distributions, and a Mac completed the mix. Some of the servers were installed with default settings and varying levels of patching were applied: some hosts were patched fully up to date while others had been left out of the process. Also, a number of common misconfigurations were made in setting up servers, and deploying particular services. For example, Windows servers were configured with open network shares, ftp servers with anonymous write access, smtp servers configured as open proxies. These are configuration errors that can have profound effects on network security but can easily be implemented by a hard-pressed administrator as a temporary quick fix to a connectivity problem. On the Windows 2000 PDC we installed TightVNC as a service without tunnelling through SSH, SQLServer with a blank SA password, Active Directory, and IIS 5.0 with the demo applications. The BDC had Exchange 2000 and Active Directory installed. DNS was provided by the remaining Windows 2003 server. DNS was configured to allow zone transfers. In addition, IIS5.0 was installed with demo applications, and a vulnerable web application that was specially crafted in-house. The server was also running Unreal Tournament GOTY edition (version 436) along with the UT web interface running on an unusual high port. There were user shares available on the wwwroot and ftproot directories and a world-writable FTP server. One of the Sun Blade servers had a Virtual Learning Environment (VLE) installed. The VLE had a default admin username and password as well as being installed with an old version and vulnerable version of Apache. Vulnerabilities included SSH access, Apache installations, Samba and a writable FTP directory. Each of the user workstations was patched to a different level using official Microsoft Service Packs, historical patches and Windows Update. These machines then had different applications installed, ranging from Unreal Tournament client and TightVNC through to IIS 5.0 and remote admin. Some machines were included in the Windows Domain. Back Orifice was installed on one machine on a high end port. An HP printer was added with default settings and open to administrative access via telnet and HTTP, a Cisco router configured with default settings, default username/password and open web admintool and an Apple Mac Power G3 running OS 8.6. If changes were made to the default settings, over all these devices passwords were set to be blank or easily guessable. Our test network thus consisted of a series of machines with differing hardware specifications, operating systems, patch levels, and software installations, and multiple vulnerabilities. All machines were returned to a known start configuration before the commencement of each round of tests.

6 Vulnerability Assessment Technology Report 6 The Product Rapid7 have developed NeXpose as an enterprise-level vulnerability assessment and risk management product that has been designed to accurately identify security weaknesses in a networked environment, helping security personnel more easily find and fix security weaknesses while ensuring policy and regulatory compliance. Rapid7 say that the product delivers advanced, automated features and artificial intelligence technology in one software package to enable non-stop, flexible protection from network security threats. As one component of anoverall security plan, Rapid7 claim thatnexpose can help find the weakest link in a network, showing where firewalls, routers, and clients may have left the door open for unwanted access. Rapid7 says about the product. NeXpose provides enterprise-level vulnerability assessment and risk management to IT and security professionals concerned with the security and exposure of their company s software and applications to internal and external intruders. Rapid7 says about the NeXpose Business Benefits. NeXpose is a sophisticated enterprise vulnerability management solution designed to eliminate false positives and provide faster and more accurate reporting across the entire enterprise network. NeXpose combines vulnerability assessment, risk management, policy and compliance reporting, remediation guidance, artificial intelligence and automated ticketing into one integrated software package, enabling non-stop, flexible protection from network security threats. NeXpose reduces the time, risk and cost associated with finding and fixing security vulnerabilities; helps organizations assess and maintain strong network security and comply with mandatory regulations; and ensures that all of your systems, databases and applications are secured without the cost of multiple products.

7 Vulnerability Assessment Technology Report 7 The Product Rapid7 says about the NeXpose Technical Benefits. NeXpose is a secure and flexible solution that scales from one to millions of nodes. Its unique scan engine uses a built in expert system that gathers intelligence about your systems to determine the risk assessment more accurately and quickly, virtually eliminating false positives. A single console image with distributed scanning can scan your network from inside and outside the firewall. NeXpose audits operating systems, databases, applications and Web servers from a single product. NeXpose, available as a software product or hardware appliance, runs on Linux and Window platforms and self manages internal database, program and vulnerability library updates.

8 Vulnerability Assessment Technology Report 8 Test Report Rapid7 s NeXpose can be installed on a Windows 2000 or 2003 Server box (although not Windows XP) or various Linux distributions. The minimum specifications for both the system requirements and for running the scan engine are surprisingly low, so one of the old machines that many companies have lying around could be put to good use rather than just scrapped. Of course, the faster the machine that NeXpose runs on the quicker the scans may be completed, but if speed is not an issue then it is good to know that older machines will not go to waste. For testing purposes we installed the Rapid 7 solution on a Windows 2003 Server platform running on a Dell PowerEdge 1750 running a single 3.06GHz Intel processor and 1.0 Gb of RAM in a 1U rackmount configuration. Installation The Installation and Quick Start guide that is available from the Rapid 7 website walks the user through the set up for both Windows and Linux, obtaining a license, and running the first scans. Installation is straightforward and well documented for both Windows and Linux, with references made to the need to be logged in as an administrator or root account that are clearly stated. The prerequisite packages that are needed for some distributions of Linux are also detailed, and Rapid 7 provide copies of these packages for download from their own website. This ensures that the user knows they are getting the correct version. The Linux installation routine uses Install Shield in an X environment or can be performed in a console window. Windows uses a standardised Setup.exe file to install the components Licensing is dealt with via a call-response type system, and is detailed both for systems that have external internet access and for those that do not. The procedure needs a valid address, and once a license request has been made, a license file is sent via to the specified address. This file should then be placed in a subdirectory of the installation as specified in the manual, and the service has to be restarted. This is a rather nice way of dealing with the licensing without having to type in a forty character serial number, and we found it to be both easy and quick.

9 Vulnerability Assessment Technology Report 9 Test Report The Security Console The service itself appears to run as a Security Console on our test Windows environment it ran in a command prompt window. There is a link to this from a desktop icon, and instructions on how to set the service up to run at system boot, which we elected to do. Corresponding instructions for starting the service and creating a daemon on Linux are also detailed and comprehensive. It is possible to enter various commands in this window, however these are more System Administrator type tasks rather than setting up and running scans. There are various directives that can be executed here including log rotation, licensing, update of the definitions, showing the currently active scans, the version number of the scan engine and the usual ping and traceroute networking troubleshooter tools. The Main Scan Interface Once the Security Console has started it is possible to access the main interface to the scan engine, and this is web delivered. The web service runs over HTTPS on a dedicated port that is set to 3780 by default. The Installation and Quick Start guide details where this port needs to be changed in case there are conflicts with services already running on that port, and notes that the port used to access the service needs to be changed accordingly. The Web Management Interface (WMI) is aesthetically pleasing it is attractive and clean, with lots of space given over to making sure that the controls, options and data are not crushed together. The use of only a few colours works in the WMI s favour, and it is encouraging to see that work has gone into making sure that the differences can be easily identified inside lists by the use of alternate white and pale grey backgrounds for each line. After logging in to the WMI for the first time using the ID and password specified during the set up, the user is greeted with an entry page with a menu across the top, and a summation of Sites, Tickets, and Asset Groups. Also included is a search facility, a list of Hot Spots which details those machines that figure highest in the at-risk list, and a list of current scan activities.

10 Vulnerability Assessment Technology Report 10 Test Report It should be noted that the online help that can be called at any stage from within the WMI is detailed and focussed, explaining terms and procedures in simple and clear to understand language so that if a user gets stuck there is always a reference that can be called upon to assist. The search facility can be used to search through affected sites for particular vulnerabilities, and then lists all vulnerabilities in the database that match the search string with the affected OS, Severity rating, Category of vulnerability and number of devices affected. Finally there is a menu option for Administration of the system this allows extra users to be given access to the NeXpose interface, some Server Settings to be altered via the interface rather than the Security Console, and some diagnostics to be performed to gather troubleshooting information and send the logs to the Rapid 7 technical support team. There is also a rather practical option that allows Groups of Devices to be set up and altered along with accompanying permissions of users who are allowed to perform scans upon them. This is good for enforcing restrictions on network wide scanning if the system administrator needs to open up the interface to other users. Scanning In order to start a scan, the user can follow a wizard process to define either a Site or an Asset Group by name and devices, decide which scan template to use or define a proprietary scan, schedule a time for the scan, and configure any real time alerting. It is then possible to either start off this scan immediately if required. The set up and creation of a basic scan is a very uncomplicated process - we were able to get a common ports and vulnerabilities scan running over our entire network in just a few seconds. More complex scans with our own templates took slightly longer as we defined the parameters that were to be used, but these still only took a couple of minutes to create. It is also possible to set up scanning to be performed by a Rapid7 hosted scan engine, although we did not try this feature.

11 Vulnerability Assessment Technology Report 11 Test Report The scan set up is trivial the user enters a name for the site or asset group, and decides whether to use the internal scanning engine or the aforementioned Rapid7 hosted engine, and enters a risk multiplier we used a multiplier of 1 for all scans. It is then possible to add the devices either by IP address or DNS name, by IP address range or in a freeform list of addresses and ranges. It is also possible to upload a text file containing this data. The next section allows a user to choose from a range of supplied scan templates or create one for themselves. After this, the schedule options appear and it is possible to set a scan to run at set intervals defined either by time or date. Finally, real time notifications can be enabled using SMTP, SNMP or a syslog server. When all these options have been specified it is possible to create a site report or run the scan straight away - this is useful for setting up quick ad hoc liability tests against particular hosts. Creating a proprietary template for use in a scan consists of defining a template name and description, specifying whether a firewall exists and if so whether it blocks certain types of traffic, port selection for both TCP and UDP with several default options as well as being able to define a custom list, the TCP port scan method, check for default logins and add extra user specified login/password combinations to be tested. These can be restricted by device, so that known Windows accounts are not tested against Solaris for example. The next step is to define an account lockout threshold and minimum password length. Following this, it is possible to set the number of concurrent scans to run and the inter-packet delay time, enable or disable the network discovery and penetration components, enable or disable Denial of Service attacks, include dynamic web site checks and limit the level of spidering available, and finally set up an external address to attempt Spam tests. Reporting During the running of a scan, it is possible to see a scan summary that refreshes every ten seconds, and this gives an estimated time of completion. Once a scan has been completed, a brief summary of the results is displayed and it is possible to then look at the vulnerabilities that have been discovered. The reports created by the system are available online within the WMI or for offline perusal in several formats including XML, HTML,.CSV,.PDF, plain text, and as an export to a database. We used the online reports and offline HTML format for ease of use and comparison. It is possible once a scan has completed to create a report for offline study immediately or leave the results and come back to it at a later date. The process is very simple - it involves going into the reporting screen, choosing a set of results from a list of scans by the name that has been previously defined in the initial set up, and clicking the Generate Now button.

12 Vulnerability Assessment Technology Report 12 Test Report There is also the ability within the reporting screen to view previously generated reports. It is also possible to specify one of the several differing end formats using the Create Report option. Once the report has been generated it can be shown on screen if in a suitable format, or downloaded to a local directory. Reports are also stored in a subdirectory location of the Rapid 7 install directory. The online reports are like the rest of the system elegant, well presented, and clean. The main screen presents a list of discovered IP addresses ordered by a Current Risk score. This list also includes a DNS name, an Operating System guess as well as the network aliases for any device and the number of vulnerabilities detected. Further details are available by clicking on any of the links by IP address that appear. This then gives a further list of liabilities by IP address, with accompanying resolutions upon a further click on the relevant link. This ability to drill down through the data in the online reports by IP address to view the current vulnerabilities grouped by severity into Critical, Severe, Moderate or Warnings gives easy navigation to the necessary detail. Those vulnerabilities that occur in the SANS Top 20 list are marked clearly with a small SANS logo so that they are easy to pick out and resolve. There are several other sections contained here including Discovered Services this is a list of open ports, service name, and protocols. Discovered Users and Groups presents a list of users with accounts on the device this is useful for auditing purposes as well as spotting if there are users getting access that they are not entitled to. Other sections include Installed Software, Discovered Databases, Discovered Files and Directories which lists any open shares, Policy Evaluations, and results from Spidered Web Sites. Clicking through each of the vulnerabilities gives a separate description with an explanation of what the problem is and remediation suggestions. Wherever possible, the developers have included links to external Web content- this is a welcome addition and can provide valuable background reading on topics of which an Administrator is unsure. The offline reports are to a certain extent more static and, by their very nature, less interactive.

13 Vulnerability Assessment Technology Report 13 Test Report Both the offline HTML and the PDF reports start with an executive summary at the top that gives an overview of the parameters along with a series of coloured bar charts for various groups of statistics including Vulnerabilities by Severity, Nodes by Vulnerability Severity, Most Prevalent Services and Vulnerabilities by Service. There is also a brief textual overview of some of the most relevant statistics - for example, the most prevalent service, how many hosts had critical vulnerabilities, how many vulnerabilities occur in each category, and which service had the most vulnerabilities overall. Ticketing Although we did not test this functionality within the scope of this assessment, NeXpose has the ability to assign and resolve issues using a ticketing system. There is a rather nice option to interface NeXpose with a third party solution for ticketing such as BMC s Remedy using the Ticketing API upon purchase of a separate plug in module.

14 Vulnerability Assessment Technology Report 14 Test Results The online reports are very easy to use and the data is easily accessible in a number of different ways and via a number of different routes. This makes them the ideal accompaniment to hands on problem solving on a test network. The offline reports offer a different method of looking at the results - all the data that is present in the online version is also available here, although the interactive element is somewhat reduced. Whilst the PDF version splits each of the sections into separate chapters in the overall document which gives an extra level of control over the data that is displayed at any one time, the HTML is presented as just one single static document. Of some slight concern was the identification of two separate Windows 2000 devices as Linux 1.3 distributions. It should be noted that the resolutions for any vulnerabilities on these systems, however, did relate to the correct OS. This seemed to occur whenever a full port scan took place and did not seem to be consistently wrongly detected using other scan configurations. Both the HP 4050TN printer and the Apple Power Macintosh G3 using OS8.6 that were in our test network were picked up as active devices, although no guess was made at the OS version looking at those particular results came back with an Unknown OS message, although the results still listed open ports, services, and mitigation advice. The results are ordered by severity in the offline version and cannot be ordered by IP address, although each severity has a list of which nodes are affected. However, we suspect that the offline reports are really intended for printed copy audit reasons, and that intention is for the day-to-day usage of the system to be concentrated on the interface itself, so this is really only a minor irritation. NeXpose successfully detected 100% of the Critical vulnerabilities and over 90% of the Serious vulnerabilities on the West Coast Labs test network. NeXpose has been awarded the Premium Checkmark Certification for Vulnerability Assessment.

15 Vulnerability Assessment Technology Report 15 West Coast Labs Conclusion Overall the Rapid 7 solution has a smart, attractive, and inherently usable interface and a solid dependable engine. The scan set up is straightforward and quick, with only minimal specification and configuration needed to run scans straight out of the box. As such, NeXpose can be recommended as a solution that makes major steps towards making a network more secure. West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel : , Fax :

16 Vulnerability Assessment Technology Report 16 Security Features Guide As stated by Rapid7 1.Centralized web console interface 2.Multiple distributed scan engines reporting to centralized console 3.Organize assets into physical and/or logical groupings 4.Access to asset groupings via access control 5.Real time alerting 6.Policy and compliance scanning 7.Application vulnerability scanning 8.Wide range of built in scan templates 9.Extensive built in reporting capabilities 10.Customizable reports 11.Customizable scan templates 12.Full audit and/or incremental scanning 13.Automated ticketing and remediation workflow 14.Extensive library of vulnerabilities with references and remediation information 15.Built in Expert System to target and optimize vulnerability scanning 16.Automatic updates to vulnerability library and software 17.Data export in multiple formats 18.Reports available in HTML, PDF, XML format 19.Ability to create custom vulnerabilities in XML 20.Application API for customized integration 21.Secure user model to distribute responsibilities throughout the organization 22.Scan engines can scan from inside and outside the firewall 23.Software only or appliance 24.Runs on Windows and Linux platforms 25.Scans a broad set of platforms, devices, applications, Web servers

17 Vulnerability Assessment Technology Report 17 Appendix Velnerability Assessment Premium Level Certification Within the framework of the testing carried out in this Technology Report, those developers identifying 100% of the Critical Vulnerabilities and a minimum 90% of the Serious Vulnerabilities are awarded the Premium Checkmark Certification for Vulnerability Assessment.