How to use vulnerability scanners to secure a server:
Selecting a Vulnerability Scanner:
There is a wide range of vulnerability scanners available, many of them offering scans of all known vulnerabilities. It is important, however, to select one that will meet your specific needs. This document includes a list of all the vulnerability scanners we have reviewed, including descriptions and ratings, to help you choose what works best for your situation as well as to understand what is most likely to be used by an attacker. Read the description of each tool to get a good feel for its strengths and weaknesses. Most of the scanners offer a short trial period; we recommend you try a number of scanners, both commercial and open source, to find the scanner that fits your specific server configurations and weaknesses perfectly. Here are some points to think about while selecting a scanner:
- Which ports need to be scanned?
- If the only port that is open is HTTP (80), a web vulnerability scanner may fit your needs more closely than a more general server scanner. Otherwise, coupling a web scanner with a free open source server scanner can be a winning combination.
- Are services running on non-default ports?
- Some scanners search for vulnerabilities only on the default ports. If you have services on non-default ports, be sure to use a scanner that can scan for any service on any port.
- Will the server be scanned internally or externally?
- If the server can be scanned internally, you might be able to find more security bugs than with an external-only scan. While a firewall should always be used, tunneling techniques may be employed to get around it; therefore a server should be able to stand up to attacks without relying on the firewall. A hacker may also find another way to get onto the network and then scan the machine in question; it should always be assumed that the machine could be scanned internally.
- Does your server require authentication?
- If certain parts of your website require authentication, you should use a scanner that has the ability to input usernames and passwords to gain further access to your server.
- What is your budget for vulnerability scanners?
- There are many open source and free scanners available; however, these tend to be more difficult to use, require more time to learn and do not come with as much documentation or support.
- What is the timeframe before the site goes live?
- If the system administrator or another employee can be dedicated to securing a server, then it might be good to use a more powerful scanner. While it may take more time to learn and get properly configured, the solution will ultimately yield a better result. If you cannot dedicate as much time, look for a scanner that can give you good results out of the box with very little setup.
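To answer the port questions above for your own server before choosing a scanner, the following added example (not part of the original article) parses the output of `ss -tlnp` run on that server and lists which ports are bound to network addresses, which are bound to loopback only, and which services sit on non-default ports. The sample output and the `DEFAULT_PORTS` table are constructed assumptions.

```python
import re

# Constructed sample of `ss -tlnpH` output from the server to be scanned.
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511  0.0.0.0:80     0.0.0.0:* users:(("nginx",pid=901,fd=6))
LISTEN 0 128  0.0.0.0:8022   0.0.0.0:* users:(("sshd",pid=1440,fd=3))
LISTEN 0 244  127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=733,fd=5))
LISTEN 0 128  [::]:22        [::]:*    users:(("sshd",pid=812,fd=4))
"""

# Assumed defaults for the services in the sample; extend for your own hosts.
DEFAULT_PORTS = {"sshd": {22}, "nginx": {80, 443}, "postgres": {5432}}
LOOPBACK = ("127.", "[::1]")

def parse_listeners(ss_output):
    """Return a sorted list of unique (address, port, process) listeners."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips the header row and blank lines
        addr, _, port = fields[3].rpartition(":")
        proc = re.search(r'\(\("([^"]+)"', line)
        found.add((addr, int(port), proc.group(1) if proc else "unknown"))
    return sorted(found)

def scan_scope(listeners):
    """Split ports by bind address and flag services on non-default ports."""
    scope = {"network": set(), "loopback_only": set(), "non_default": []}
    for addr, port, proc in listeners:
        key = "loopback_only" if addr.startswith(LOOPBACK) else "network"
        scope[key].add(port)
        # Unknown processes have no default to compare against: not flagged.
        if port not in DEFAULT_PORTS.get(proc, {port}):
            scope["non_default"].append((proc, port))
    # A port also bound on a network address is not loopback-only.
    scope["loopback_only"] -= scope["network"]
    return scope

if __name__ == "__main__":
    result = scan_scope(parse_listeners(SAMPLE_SS))
    print("ports to cover in network scans:", sorted(result["network"]))
    print("reachable from the host itself only:", sorted(result["loopback_only"]))
    print("services on non-default ports:", result["non_default"])
```

Any entry under non-default ports means the scanner you pick must be able to identify services on arbitrary ports; which of the network-bound ports are reachable from outside depends on the firewall, which this listing does not show.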
Default Scans
Most scanners come ready to scan out of the box. Simply download and specify the server's IP or URL and a port range to begin scanning. These default scans are a good place to start because they usually include the most likely attacks a hacker will employ to gain access to your server.
Advanced Scans
Advanced Scans will vary from scanner to scanner; however, they all share some common characteristics. They tend to take longer to set up, and they also take longer to complete and analyze the actual scan. Advanced scanning techniques usually include the ability to give the scanner as much information as possible, which results in a more complete scan. Extra information that may be helpful to the scanner is directory structure, usernames and passwords, list of open ports and services, operating system type and web server type. When creating an advanced scan it is important to find as many security holes as possible, then decide which need to be patched. It is often the case that False Positives are worse than False Negatives as they will give you a false sense of security.
Reporting
When the scanner has completed its scan of the server it will generate a report to relay the possible security problems it finds. The report usually includes the following information:
- Damage Potential
- A rating of what the hacker could possibly do if this vulnerability was exploited. This can range from simple information gathering techniques to taking full control over the server.
- Simplicity
- A rating of how easy it is to exploit this vulnerability. Once again, if a hacker really wants to take over the server they will be able to easily learn the necessary skills to exploit it.
- Description
- A description of the actual packet that was sent and how the server responded to it. Often this also includes how the server should have responded.
- Recommendation
- This is the first step the vulnerability scanner recommends you take to secure the server from the discovered vulnerability. Often this includes a link to a bugtraq database article, or release notes from the vendor. Bugtraq is an online security vulnerability database containing many exploit articles from Security Focus. For more information see: http://www.securityfocus.com/archive/1 .
Patching
Once a vulnerability has been found, follow the links in the recommendation section of the report. If no recommendation is available, you must research a fix on your own. Hacker websites or the vendor website may be able to answer your questions. If the scanner finds a security vulnerability on a port that is unused or finds a service that is not required, consider closing the port and turning off the service. Every open port or running service is another method for a hacker to gain access to your server.
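The report fields and the patching rule above can be combined into a work list. This added example (not from the original article or any scanner) groups findings by service, collapses everything on a service the server does not need into a single "turn it off" action, and orders the rest by the report's ratings; the field names, the 1-5 scale, the priority order and the findings themselves are constructed assumptions.

```python
from collections import defaultdict

# Constructed findings in the shape of the report fields described above;
# the 1-5 rating scale and field names are assumptions, not a scanner's format.
FINDINGS = [
    {"port": 80, "service": "http", "title": "Outdated web server build",
     "damage": 4, "simplicity": 3, "recommendation": "vendor release notes"},
    {"port": 21, "service": "ftp", "title": "Anonymous login enabled",
     "damage": 3, "simplicity": 5, "recommendation": "disable anonymous access"},
    {"port": 21, "service": "ftp", "title": "Cleartext credentials",
     "damage": 4, "simplicity": 4, "recommendation": None},
    {"port": 22, "service": "ssh", "title": "Weak key exchange offered",
     "damage": 2, "simplicity": 2, "recommendation": None},
]
REQUIRED_SERVICES = {"http", "ssh"}  # what this server actually needs to run

def plan_remediation(findings, required):
    """Turn report findings into an ordered list of (priority, action) pairs."""
    by_service = defaultdict(list)
    for f in findings:
        by_service[(f["service"], f["port"])].append(f)
    plan = []
    for (service, port), items in by_service.items():
        # Assumed priority: worst damage rating first, then easiest to exploit.
        worst = max((f["damage"], f["simplicity"]) for f in items)
        if service not in required:
            # One action clears every finding on a service nobody needs.
            plan.append((worst, f"turn off {service} and close port {port} "
                                f"({len(items)} findings)"))
            continue
        for f in items:
            rec = f["recommendation"] or "no recommendation: research a fix"
            plan.append(((f["damage"], f["simplicity"]),
                         f"{service}/{port}: {f['title']} -> {rec}"))
    return sorted(plan, key=lambda p: p[0], reverse=True)

if __name__ == "__main__":
    for priority, action in plan_remediation(FINDINGS, REQUIRED_SERVICES):
        print(priority, action)
```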
Provided by: Security Innovation, The Application Security Company


