Scanning for Network Vulnerabilities

Experts provide some critical tips for evaluating and using network scanners.

As any network and security manager knows, new vulnerabilities are constantly being discovered and threats against corporate networks are getting increasingly sophisticated. Proactively scanning for vulnerabilities can help identify weaknesses before they become damaging to enterprise IT environments.

Vulnerability scanners are products that regularly analyze networks and network devices and then present results to users in reports that enable them to respond quickly to potential problems. Network-based scanners look for vulnerabilities such as firewalls that have been configured incorrectly or servers that might be susceptible to Web-based threats. (These tools can help create layered defense when used in conjunction with network behavior analysis software.)

"At the 100,000-foot level, most network vulnerability scanners do pretty much the same thing: scan networks of computers, either externally or internally, to determine what hosts are running on the network and the characteristics of those hosts," such as IP address, operating system and applications that are running, says Paul Roberts, senior analyst in the Enterprise Security Practice at The 451 Group. Scanners accomplish this by sending out network traffic in a variety of formats, Roberts says.

"For example, simple PING trace features, which send out ICMP (Internet Control Message Protocol) echo request packets, might be used to determine just what hosts are on a network [or] which IP addresses in the IP address space used by the company are taken," he says. "Once hosts have been profiled, they can be probed for known vulnerabilities, configuration issues and so on."

Newer features include the ability to support enterprisewide, distributed scanning and to manage that centrally, says Chenxi Wang, principal analyst at Forrester Research. Also emerging is the ability to support some kind of risk analysis as "preprocessing" to scanning, which allows organizations to differentiate various classes of assets, she says.

Another trend is the emergence of "in the cloud" scanning services. In addition, "established [vulnerability] scanning firms are and will be bolstering their Web application scanning capabilities," Roberts says. "Otherwise, features that ease reporting and management seem key. Integration with back-end user directories to make access to [scanning tools] easier and reports geared to compliance are much in demand."

Here are steps to take when evaluating, buying and deploying these products:

1. Consider a variety of factors, not just cost and scanning capabilities, when selecting products. Experts say it's wise to look at a number of key areas before investing in a scanning product.

"A lot of it depends on your organization and what your priorities are," Roberts says. "Is cost/affordability the most important thing to you [or] do you need something that can scale across a large network with thousands of endpoints? Is compliance your main driver here or is this part of a more general effort to improve your security posture? Do you have some larger policy store [that] this needs to integrate with or will this be a standalone operation? Are you Windows only or Windows plus Linux, Mac, Unix, etc.?"

When selecting a vendor and product, be sure to consider enterprise support and scalability, Wang says.

Networks are likely to grow in terms of size and usage, and vulnerability scanning capability must be able to keep pace with that growth. Wang says other factors to consider when evaluating products include reporting capabilities, support for trending analysis and support for regulatory compliance.

Among the factors that Germany-based bank WestLB tested and evaluated before selecting a scanning product from eEye Digital Security were patch-level accuracy, operating system identification accuracy, scan performance and ability to check both file versions and registry. The bank then used a scorecard rating system to grade the products available, says Kenneth Pfeil, executive director and head of information security for the Americas region.

For County Bank in Fresno, Calif., ease of use was a major consideration. Among the questions the company asked before selecting a product from Qualys was how much work it would take to generate reports, how easy it is to customize reports and what the learning curve is for setting up the system.

"Some of these systems are great conceptually but they're so complex that the implementation never gets done," says Charles McClain, vice president of information security at County Bank. McClain says it's important to include the people who will be using the system in the product selection process. They can weigh in on what features might be most useful.

2. Analyze risk before analyzing network traffic. Prior to installing a vulnerability scanning system, security managers should conduct a thorough risk analysis to determine where they need to be most diligent when it comes to scanning.

Other steps to take before plunging ahead with scanning, Pfeil says, include being prepared to spend a significant amount of time getting everything running properly. Getting scans running and configured properly can take weeks.

Establish patch baselines, have scans coordinated around maintenance schedules and run small test scans on isolated systems on disparate subnets.

3. Be prepared for disruptions. "The thing to remember with [vulnerability] scanning is that it's an activity that potentially can touch and disrupt every corner of your network," Roberts says.

The tendency is to fire up a scan and see what you find, Roberts says. "That is a bad idea for a whole bunch of reasons. First of all, vulnerability scanning is a high-bandwidth kind of activity that has the potential to bring areas of your network to [its] knees, if not carried out thoughtfully."

Also, some of the tests carried out by automated or manual vulnerability scans can create denial of service or "blue screen" conditions on network hosts, application servers and the like, Roberts says. It's a good idea to get input and buy-in not just from senior management but from the various network administrators, application administrators, help desk people, etc., Roberts says.

Solicit input from the various functional groups within your organization about issues such as the right times of day to carry out scans and which processes can't be interrupted.

4. Make sure you have the skills in place to leverage scanning technology. It's important to have inside experts to interpret scanning results, Wang says. "Many scanners yield many pages of results, and it takes experts days to go through the results," she says. "It is critical to have such expertise in-house."

Even if you're the person or group that "owns" the vulnerability scanning function, "if you work at a company of any size, you probably don't have comprehensive knowledge of every nook and cranny on that network, what applications are running and when, what kind of data is being managed and so on," Roberts says.

5. Make scanning an ongoing activity. "Just starting a [vulnerability] scanning program in itself isn't going to solve your security problems or make your IT organization more efficient," Roberts says. "In fact, in the short term it's going to give you a lot of new data and responsibilities to manage."

Over time, companies might need to tweak and refine scans to get the reports they need. "The visibility [scanning] will give you into your network—what hosts are running, their relative value and what their security posture is—will make it much easier for you to assess the overall security of your organization and to design programs and processes to address real versus perceived problems."
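
The planning advice in steps 2 and 3 can be turned into a small scheduling helper. The sketch below is an added example, not code from the article or from any scanner vendor; the inventory, risk tiers, maintenance windows, blackout hours and function names are all constructed assumptions, and windows are treated as same-day hour ranges.

```python
from collections import defaultdict

# Constructed inventory: risk tier comes from the risk analysis (1 = most
# critical); "window" is the maintenance window as (start_hour, end_hour).
ASSETS = [
    {"host": "db01",   "subnet": "10.1.0.0/24", "tier": 1, "window": (1, 4)},
    {"host": "web01",  "subnet": "10.2.0.0/24", "tier": 2, "window": (22, 24)},
    {"host": "web02",  "subnet": "10.2.0.0/24", "tier": 2, "window": (22, 24)},
    {"host": "web03",  "subnet": "10.2.0.0/24", "tier": 2, "window": (22, 24)},
    {"host": "lab01",  "subnet": "10.9.0.0/24", "tier": 3, "window": (0, 24), "isolated": True},
    {"host": "lab02",  "subnet": "10.9.0.0/24", "tier": 3, "window": (0, 24), "isolated": True},
    {"host": "test03", "subnet": "10.8.0.0/24", "tier": 3, "window": (9, 17), "isolated": True},
]
# Constructed input from system owners: hours a process can't be interrupted.
BLACKOUTS = {"db01": [(1, 3)]}

def pilot_batch(assets):
    """Pick one isolated test system per subnet for the first small scans."""
    chosen = {}
    for a in assets:
        if a.get("isolated"):
            chosen.setdefault(a["subnet"], a["host"])
    return sorted(chosen.values())

def allowed_hours(asset, blackouts):
    """Hours inside the maintenance window and outside owner blackouts."""
    start, end = asset["window"]
    blocked = {h for b0, b1 in blackouts.get(asset["host"], []) for h in range(b0, b1)}
    return [h for h in range(start, end) if h not in blocked]

def plan(assets, blackouts, max_per_subnet_hour=1):
    """Assign each host a scan hour, most critical tier first, while capping
    concurrent scans per subnet to limit bandwidth impact."""
    load = defaultdict(int)              # (subnet, hour) -> scans placed
    schedule, unplaced = {}, []
    for a in sorted(assets, key=lambda a: (a["tier"], a["host"])):
        for h in allowed_hours(a, blackouts):
            if load[(a["subnet"], h)] < max_per_subnet_hour:
                load[(a["subnet"], h)] += 1
                schedule[a["host"]] = h
                break
        else:
            unplaced.append(a["host"])   # no safe slot: talk to the owner
    return schedule, unplaced

if __name__ == "__main__":
    print("pilot:", pilot_batch(ASSETS))
    print("plan:", plan(ASSETS, BLACKOUTS))
```

Hosts that end up unplaced are the ones whose windows need to be renegotiated with their administrators before any scan is launched.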


Copyright © 2009 IDG Communications, Inc.
