VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION



Similar documents
1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

CMPT 471 Networking II

allow all such packets? While outgoing communications request information from a

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview. Firewall Security. Perimeter Security Devices. Routers

Networking for Caribbean Development

Payment Card Industry (PCI) Data Security Standard

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

My FreeScan Vulnerabilities Report

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

How to protect your home/office network?

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Network and Host-based Vulnerability Assessment

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewall Design Principles Firewall Characteristics Types of Firewalls

Chapter 9 Firewalls and Intrusion Prevention Systems

Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?

Overview. Packet filter

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA

Firewalls. Chapter 3

Linux Network Security

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Security Type of attacks Firewalls Protocols Packet filter

Firewalls and Software Updates

Firewalls (IPTABLES)

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Security Technology: Firewalls and VPNs

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Chapter 4 Firewall Protection and Content Filtering

An Introduction to Network Vulnerability Testing

Basics of Internet Security

A Decision Maker s Guide to Securing an IT Infrastructure

INTRODUCTION TO FIREWALL SECURITY

- Basic Router Security -

8. Firewall Design & Implementation

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

IP Link Best Practices for Network Integration and Security. Introduction...2. Passwords...4 ACL...5 VLAN...6. Protocols...6. Conclusion...

Looking for Trouble: ICMP and IP Statistics to Watch

CIT 380: Securing Computer Systems

FortKnox Personal Firewall

Networking Basics and Network Security

Chapter 8 Security Pt 2

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

Firewalls. Network Security. Firewalls Defined. Firewalls

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Web App Security Audit Services

Installing and Configuring Nessus by Nitesh Dhanjani

Gaurav Gupta CMSC 681

Penetration Testing Report Client: Business Solutions June 15 th 2015

Classification of Firewalls and Proxies

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Host Discovery with nmap

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Internet Security Firewalls

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

Firewall Firewall August, 2003

Security and Access Control Lists (ACLs)

Chapter 15. Firewalls, IDS and IPS

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

HoneyBOT User Guide A Windows based honeypot solution

Course Title: Penetration Testing: Security Analysis

Abstract. Introduction. Section I. What is Denial of Service Attack?

Firewalls, IDS and IPS

Cisco IPS Tuning Overview

Lab PC Network TCP/IP Configuration

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Network Security and Firewall 1

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

8 Steps for Network Security Protection

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

8 Steps For Network Security Protection

Firewall VPN Router. Quick Installation Guide M73-APO09-380

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Architecture Overview

Global Partner Management Notice

Security Audit Report for ACME Corporation

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Understanding Security Testing

Stateful Firewalls. Hank and Foo

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Transcription:

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION copyright 2003 securitymetrics

Security Vulnerabilities of Computers & Servers Security Risks Change Daily New and diverse computer security threats are being discovered every day. They come as software bugs that affect the software we use to communicate, connect to the Internet, share files, etc. A sampling of the many companies and products that have had security bugs reported include: 3com, Apache, Checkpoint, Cisco, Coldfusion, Compaq, Computer Associates, Groupwise, HP, IBM, IIS, Informix, Internet Explorer, Lotus, Microsoft, Napster, Netscape, Nortel, Novell, NT, Oracle, Pix, Realserver, Redhat, Roxen, Samba, Shiva, Solaris, Sun, Suse, Tektronix, Tripwire, Ultraseek, Webalizer, Webcart, Webshield, Wingate, and Zeus. These discoveries (bugs) are published on the Internet to keep responsible users aware of new threats. Unfortunately, the hackers are also aware of these bugs. Each month programs are written and distributed on the Internet to help users identify and fix these issues in their systems. Sometimes hackers are the source for these programs. These discovery programs average about one per business day. Subsequently, each month hackers have new ways to automatically test for holes and vulnerabilities on your computer or network. Remember, these new security weaknesses didn't exist the month,week, or day before their discovery. Thus, ANY SOLUTION FOR SECURING DATA OR PROTECTING NETWORKS MUST BE UPDATED REGULARLY TO PROPERLY PROTECT YOUR SYSTEM FROM THESE NEW THREATS. Most Attacks are Automated Because of the millions of computers on the web, many people will tell themselves that their small organization or home system is nothing of consequence and should not be threatened by hackers. This would be true if it wasn't so easy to automate an attack on millions of computers though programming. Hackers will write a computer program called an Internet virus or worm, which can indiscriminately test millions of different computers for weaknesses. Upon discovery of a computer with a weakness, the worm will copy itself to the target computer and begin probing a different set of randomly selected computers. Optionally, the worm may use the security weakness it discovered to run commands on the target computer and simply destroy the target by deleting key system files. You may have heard of worms like Code-red, Slammer, and Nimda. These are all Internet-based viruses that cost billions in destroyed data, repair labor, and lost productivity. Many computer users understand the concept of computer viruses. Virus detection software is designed to test for the presence of a virus file. Since many of these attacks will never copy themselves to the target computer, it's important to understand that VIRUS PROTECTION SOFTWARE ALONE WILL NOT PROTECT YOU FROM THESE NETWORK-BASED SECURITY THREATS! The best protection is to identify weaknesses before hackers and worms are able to exploit them. securitymetrics Vulnerability Assessment White Paper 1

Doesn t My Firewall Protect My Computer? The function of a firewall is to block ports. If you have absolutely no ports open and they are all stealth, your system is reasonably secure (there are still some potential threats). If you open a port because you need some service on your server or computer, you expose your system to all possible attacks associated with that service or port. ONCE YOU OPEN UP PORTS ON A FIREWALL, MOST FIREWALLS NO LONGER PROTECT YOUR COMPUTER FROM ANY ATTACKS ON THAT PORT. Additionally, many firewalls require extensive configuration. The only way to confirm that your firewall is performing as you believe is to test the operation of your firewall from the Internet side. SecurityMetrics offers a Free Server Firewall test. In case after case, network administrators are surprised either by open ports or exposed vulnerabilities that they thought were protected by their firewall. There is no substitute for making sure your firewall is performing correctly. You do this by testing the firewall, and any other accessible machines behind your firewall (in your DMZ), from the hackers point of reference. How Do I Test My Computer? You can use the same automated programs hackers use to test your own computers, identify possible weaknesses, and fix vulnerabilities before they become a problem. SecurityMetrics provides testing services, which are updated nightly, so that you can test your computers, servers, or other network devices like firewalls for the latest security weaknesses. In order to determine what tool to use to test your computer(s), you need to understand a few basic concepts about how computers communicate. Every computer that communicates on the Internet uses an Internet Protocol (IP) address. Some IP addresses are Public and others are Private. Any computer with a Public IP address means that it is directly accessible from any other computer on the Internet. Any computer can present information requests or commands, which it can either deny or accept, and respond accordingly. You could relate this to direct dialing with the telephone where any direct marketing salesperson or other individual could dial this number directly. When a computer is behind a router, firewall or proxy server, it may be using a Private IP address. This means that any requests for information or commands must pass through the router, firewall, or proxy server in order to be delivered to the destination computer. These security measures provide a good layer of protection. You could relate this to dialing into a company switchboard in order to connect to someone within the organization. All employees can dial out through the switch as they wish, but direct marketers or other undesirable calls have to come to the switchboard to ask permission to speak with someone inside the organization. If you have a Public IP address, you should use the SecurityMetrics Site Certification, Perimeter Check, or Desktop Check service to test your computer or server. If you have a Private IP address, you need the SecurityMetrics Appliance at your site to test your computer or server. The simplest way to determine if your computer uses a public or private IP address is to use the Free Port Scan at www.securitymetrics.com/portscan.adp. Select the "Home Office/Personal Firewall Test" option. At the top of the portscan results, it will indicate whether or not there is a securitymetrics Vulnerability Assessment White Paper 2

firewall, router or proxy between your computer and the Internet. If so, you are using a Private IP address. If not, you are using a Public Address. Automatic Connection Analyzer Your computer reported an IP address of 256.61.45.256, but your actual IP address is 10.0.0.100. There is a router, proxy, or firewall between you and the Internet. Your port scan results may reflect the security of your router, firewall or proxy instead of your computer. In the case above, the 10.0.0.100 is your computer and it's using a private IP address. Automatic Connection Analyzer Internet attackers and worms can directly probe your computer for open ports and vulnerabilities, because your computer (256.63.145.199) is connected directly to the Internet. In this case, the 256.63.145.199 is your computer and it is directly connected to the Internet with a public IP address. SecurityMetrics Vulnerability Assessment Technology The vulnerability assessment security testing provided by SecurityMetrics is a superior service. SecurityMetrics combines multiple types of security tests into a single testing environment. These testing components are the most up-to-date technologies available for vulnerability assessment. The SecurityMetrics Appliance uses five components in each vulnerability assessment scan: Port scan of up to 20,000 TCP ports and the most common UDP ports Vulnerability assessment of over 1,500 industry standard vulnerabilities Brute force testing of 698 of the most common default username/password combinations on FTP and Telnet ports Mail open-relay testing which determines if your system is being used as a mail relay Website spidering two levels deep to find HTML errors or XSS code securitymetrics Vulnerability Assessment White Paper 3

Vulnerability assessment is perhaps the most ignored security technology today. It is inexpensive and deadly to IT administrators who have never used the technology for their systems. One of our favorites quotes on the use of vulnerability assessment is found on page 125 in Linux Exposed : There is one simple countermeasure that will protect you, should a hacker scan your machines with a [vulnerability assessment scanner] scan your own systems first. Make sure to address any problems reported by the scanner, and then a scan by a hacker will give him no edge. It is difficult to beat a good vulnerability assessment system. It is hard to recover from the use of a poor VA system. False-positives can become extremely time consuming, frustrating and a waste of time. A good vulnerability assessment system will point out holes you could never have found yourself and tell you of password problems, programming errors and basic architecture issues without the high price tag of a security consultant. Concise Reporting Which Includes Solution Instructions All security components are launched at each target when a test is initiated. Concise security reports are available when all the various security components finish analyzing the target. Large disorganized reports hinder the security resolution process. SecurityMetrics reports contain instructions, security patch links, and helpful information needed to immediately repair identified issues. SecurityMetrics has also developed a Pass/Fail scoring system for vulnerability assessments. Each security issue is rated according to its risk to your security. If your computer or server passes our tests, you can be assured that you are protected from thousands of potential hacking attacks. Anyone in a large organization who has to manage hundreds or thousands of computers understands that a 20-page report per computer system is unmanageable. securitymetrics Vulnerability Assessment White Paper 4

Below is a sample report illustrating SecurityMetrics Vulnerability Assessment reports. Executive Summary Test Result: Fail Date: 2003-05-22 Target IP: 10.0.0.31 Test ID: 33 Test Length: 1.20 Minutes DNS Entry: No DNS entry Total Risk: 14 Start Time: 13:55:35 Finish Time: 13:56:48 Full OS Description: Windows NT 3.51 SP5, NT4 or 95/98/98SE The computer fails because a risk of 4 or more was found. Look in the Security Vulnerabilities section below for instructions to reduce your security risk. Attackers typically use foot printing, port scanning and security vulnerability testing to find security weaknesses on computers. This report provides information on all these categories. Footprinting Find public information regarding this IP, which an attacker could use to gain access: IP Information Port Scan Attackers use a port scan to find out what programs are running on your computer. Most programs have known security weaknesses. Disable any unnecessary programs listed below. Port Scan Protocol Port Program Status Summary Turn Off ALL Firewall Absent ICMP Ping Accepting UDP 137 netbios-ns Open UDP 138 netbios-dgm Open TCP 139 netbios-ssn Open Your computer does not appear to be behind a firewall. We recommend installing and using a properly configured firewall. Your computer is answering ping requests. Hackers use Ping to scan the Internet to see if computers will answer. If your computer answers then a hacker will know your computer exists and your computer could become a hacker target. You should install a firewall or turn off Ping requests. The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. NBNS does not specify a method for authenticating communications, and as such, machines running NetBIOS services are vulnerable to attacks. The Netbios Datagram Service exposes characteristics of the system. A hacker can use the information exposed to break into the system. If you are a dial up user then turn off NetBeui for your dial up connection. Turn off file sharing if possible. NetBIOS is a networking protocol used by Microsoft Windows to provide easy networking. If this port is open, any computer with Microsoft Windows can connect to yours and potentially use shared resources on your computer. This makes it possible for an attacker to copy, delete, or modify your data or install malicious programs on your computer. securitymetrics Vulnerability Assessment White Paper 5

Security Vulnerabilities An attacker probes your computer for weaknesses using vulnerability detection tools. The following section lists all security vulnerabilities detected on your computer. Each vulnerability is ranked by risk on a scale of 0 to 9, with 9 being critical. The computer will fail if any vulnerability has a risk of 4 or more. Security Vulnerabilities Protocol Port Program Risk Summary tcp 0 general/tcp 7 udp 137 netbios-ns 3 icmp 0 general/icmp 1 icmp 0 general/icmp 1 tcp 0 general/tcp 1 tcp 0 general/tcp 1 The remote host has predictable TCP sequence numbers. An attacker may use this flaw to establish spoofed TCP connections to this host. Solution : If the remote host is running Windows, see http://www.microsoft.com/technet/security/bulletin/ms99-046.asp Risk Factor : High CVE : CVE-1999-0077 The remote host has the following MAC address on its adapter : 0x4a 0x42 0x20 0x20 0x20 0x20 If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port. Risk Factor : Serious Low CVE : CAN-1999-0621 The remote host answered to an ICMP_MASKREQ query and sent us its netmask (255.255.255.0) An attacker can use this information to understand how your network is set up and how the routing is done. This may help him to bypass your filters. Solution : reconfigure the remote host so that it does not answer to those requests. Set up filters that deny ICMP packets of type 17. Risk Factor : Low CVE : CAN-1999-0524 The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk Factor : Low CVE : CAN-1999-0524 The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host. An attacker may use this feature to determine if the remote host sent a packet in reply to another request. This may be used for portscanning and other things. Solution : Contact your vendor for a patch Risk Factor : Low The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host. An attacker may use this feature to determine if the remote host sent a packet in reply to another request. This may be used for portscanning and other things. Solution : Contact your vendor for a patch Risk Factor : Low tcp 0 general/tcp 0 Remote OS guess : Windows NT4 or 95/98/98SE CVE : CAN-1999-0454 Evaluate For Yourself Those who have public IP addresses can evaluate the SecurityMetrics Vulnerability Assessment service by running the Free Server Firewall Test found at www.securitymetrics.com/portscan.adp. Select the "Business Server/Firewall Test" option and follow the instructions. A 30-day evaluation is available for organizations that would like to assess the SecurityMetrics Appliance Intrusion Detection/Prevention System. securitymetrics Vulnerability Assessment White Paper 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information