Smart Scanning

by Fred Avolio, Avolio Consulting, Inc.

There is one thing I can, without knowing you, state with near-certainty about your networking environment: it is getting more, rather than less, complex. To keep a lid on the ever-increasing threats and weekly announcements about vulnerabilities in the widely deployed software on which our enterprises rely, we install patches and change security parameters.

But, how do we know we made the correct changes? How do we know we did not break something else? Can we be sure that the changes we made, even if they were faultless, remain in place 10 minutes later? Very often the correct answer is, "I'm not sure." This is a very significant answer when asking security questions. (See http://www.avolio.com/weblog/security/SignificantAnswers.html.) This is why any security policy should include verification testing, both at mechanism-deployment time and periodically thereafter. Vulnerability scanning must be part of our verification arsenal. By implementing a continuous vulnerability scanning program, you will be able to proactively protect your enterprise from emerging threats.

Types of tools

We can categorize vulnerability scanners by where they sit on the network and how they scan. Many vulnerability scanners actively probe systems on a network. Given an IP address space, the scanner probes each reachable address, looking for open network ports. That is where a simple port scanner stops. A vulnerability scanner goes a step further. It may try to connect to every discovered port on each system, testing for known vulnerabilities based on the service assigned to that port.

If a scan turns up an SSL listener on port 443, it might try to determine which SSL server is running. If it discovers a known server with a known vulnerability (for example OpenSSL 0.9.7), the scanner notes it. Some scanners will go further, actually trying to exploit those vulnerabilities, confirming that the vulnerability exists. And we want to be sure that we really are, or are not, vulnerable to particular threats. Unfortunately, more aggressive probes increase the likelihood of taking down - crashing - a critical system. We would all agree that would be a "Bad Thing".

Passive vulnerability scanners watch traffic on the network, sniffing packets off the wire. They look for patterns indicating an in-progress attack or evidence of already compromised systems. They do not look at particular systems, and so they may miss not-yet-exploited vulnerabilities. But, they will not crash a system. What should we do?

To do

First, you really do need to do some "pre-work." You need to know what systems and networks to check. You also should know a little about your security policy, because one reason to use a vulnerability scanner, as I mentioned above, is to verify policy implementation.

The pre-work entails the following:

  1. Classify systems. You can make up your own classifications, for example "firewalls," "e-mail servers," "web servers," "application servers," "inside desktops," "mobile desktops," etc.
  2. Know what operating systems you have.
  3. Know what should and should not be on your network. For example, should there be traffic from user desktop systems making connections to port 25 (Internet e-mail)? Probably. Should they be attempting those connections to outside computers? Probably not. They should connect to your internal e-mail server.
  4. Configure scanners to match 1-3.
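Steps 1 and 3 can be written down as data and checked against observed traffic. The following is an added example, not part of the original article: the addresses, class ranges and flow records are constructed, and the names classify and check_flows are hypothetical. It encodes the port 25 rule from step 3 and also flags inside addresses that nobody classified.

```python
import ipaddress

# Steps 1-2: classify systems. All addresses below are constructed for illustration.
INSIDE = ipaddress.ip_network("10.0.0.0/16")
CLASSES = {
    "e-mail servers": ["10.0.1.25/32"],
    "web servers": ["10.0.2.0/28"],
    "inside desktops": ["10.0.10.0/24"],
}
# Step 3: (source class, destination port) -> destination classes that are expected.
EXPECTED = {("inside desktops", 25): {"e-mail servers"}}

def classify(addr):
    """Return the class name, 'unclassified' (inside but unknown), or 'outside'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in CLASSES.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return name
    return "unclassified" if ip in INSIDE else "outside"

def check_flows(flows):
    """Flag flows (src, dst, dport) that contradict what should be on the network."""
    findings = []
    for src, dst, dport in flows:
        src_class, dst_class = classify(src), classify(dst)
        if src_class == "unclassified":
            findings.append((src, dst, dport, "source is inside but not in any class"))
            continue
        expected = EXPECTED.get((src_class, dport))
        if expected is not None and dst_class not in expected:
            findings.append((src, dst, dport,
                             f"{src_class} to {dst_class} on port {dport}"))
    return findings

# Constructed sample flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.0.10.14", "10.0.1.25", 25),    # desktop to internal e-mail server: expected
    ("10.0.10.77", "203.0.113.9", 25),  # desktop to outside host on port 25: flagged
    ("10.0.1.25", "198.51.100.3", 25),  # e-mail server to outside: no rule, not flagged
    ("10.0.99.5", "10.0.2.5", 443),     # inside address nobody classified: flagged
]

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(finding)
```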

Once you've done these, you are ready to actually scan. (I assume you have the responsibility, authority, and permission to do this.) Start small and slowly at first. I'd start with an active scanner aimed at a few representative systems in your network, to get a feel for how the scanner works and to see the reports produced. Once you see how it works, and have a high level of assurance that it will not crash systems, add more systems. (Only use vulnerability scanners that allow you to adjust "aggressiveness." Think of an automatic clothes washing machine; to start with, we want to run the scanner on the equivalent of gentle cycle for delicate garments.)

Gradually scan additional systems. If you mix active and passive scanning, you will not need to actively scan all systems. Your managed security service provider is probably already passively scanning key areas of your network. I recommend starting with, or even sticking to, your key server systems and security devices (e.g., firewalls).

Set up a schedule for scanning that will eventually cover your whole network (or the key systems your policy cares about). It's your schedule. It's your network. You get to change this if you need to. But the schedule is security-relevant. Ask someone to review your assumptions and work. You can ask your managed security service provider or someone else in your security or IT organization.

Finally, you will need to actually look at the results of the scans. This may be intimidating. Initially, just look at what the vulnerability scanning tool flags as a problem, and read the commentary. Not all things flagged as vulnerabilities are vulnerabilities. Not all real vulnerabilities are important ones. You'll want to compare the results with what you already know about your network. Something might be flagged as a vulnerability because you misconfigured the scanner. Understand whatever you did not originally understand by asking your managed security service provider for help or conducting research on the Internet. After perusing a number of these reports and tuning your scanners, you will begin to know what normal is. And so you will soon be able to spot the abnormalities quickly.
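One way to make "normal" concrete is to keep a reviewed scan as a baseline and compare each new scan against it. The following is an added example, not part of the original article: the scan format ({host: {port: banner}}), the hosts and the banners are constructed, and diff_scans is a hypothetical helper, not any scanner's API.

```python
def diff_scans(baseline, current):
    """Compare two scans shaped as {host: {port: service_banner}}."""
    report = {"new_hosts": [], "missing_hosts": [],
              "opened": [], "closed": [], "changed": []}
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            report["new_hosts"].append(host)        # should this system be here at all?
            continue
        if host not in current:
            # Down, filtered, or left out of the scan by a scanner misconfiguration.
            report["missing_hosts"].append(host)
            continue
        old, new = baseline[host], current[host]
        for port in sorted(set(old) | set(new)):
            if port not in old:
                report["opened"].append((host, port, new[port]))
            elif port not in new:
                report["closed"].append((host, port, old[port]))
            elif old[port] != new[port]:
                # Same port, different banner: a patch landed or a service was swapped.
                report["changed"].append((host, port, old[port], new[port]))
    return report

# Constructed scan results for illustration only.
BASELINE = {
    "10.0.1.25": {25: "smtpd 2.1"},
    "10.0.2.5": {80: "httpd 1.0", 443: "httpd 1.0"},
    "10.0.2.6": {443: "httpd 1.0"},
}
CURRENT = {
    "10.0.1.25": {25: "smtpd 2.1", 23: "telnetd"},
    "10.0.2.5": {443: "httpd 1.1"},
    "10.0.10.200": {8080: "unknown"},
}

if __name__ == "__main__":
    for kind, items in diff_scans(BASELINE, CURRENT).items():
        print(kind, items)
```

An empty report means the changes you verified earlier are still in place; anything else is either an abnormality or a reason to update the baseline.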

Implementing an effective, continuous scanning program will proactively protect your key, business-critical systems from potential security threats. In the dynamic IT environment in which we all live, scanning must occur to stay abreast of the vulnerabilities in your enterprise. This will also help you evaluate your level of exposure to threats. Whether you follow the steps above to build your own scanning program or subscribe to a vulnerability scanning service provided by your managed security service provider, you must implement an effective scanning program to truly protect your enterprise from security threats.