RE: vulnerability scanner

[Jason Diesel <JDiesel () axent com>]

After reading Markus's rules on about the group, I am afraid to mention
Axent (the company that I work for), but there is a vendor who does all
these together. 

As Christopher points out, just the network is not enough, and just the
databases are also not enough, what about the routers, the web servers, the
mail servers, the file servers, etc. Are your policies being maintained, if
there has been a breach in a pre-defined policy, what will alert you to
this. If your router configuration has been modified, will you be alerted?
etc.

I heard a great analogy a while back, it goes something like this:
- A 'naughty' person breaks into your house, wanders around the corridors
and into a couple of rooms.
That is what a Network Scanning tool will find out.
- But you have seen that that naughty person went into your cupboard? Did
you see that they went through your drawers?
That is what a host based intrusion detection tool will tell you.

Then of course, if they moved your gold bracelet from the left side of the
shelf to the right, you want to have it be placed in its original position
again. You want some pro-active tool to do this for you.

Jason

> -----Original Message-----
> From: owner-firewall-wizards () nfr net
> [mailto:owner-firewall-wizards () nfr net]On Behalf Of Ray Hooker
> Sent: 25 March 1999 15:45
> To: owner-firewall-wizards () nfr net
> Subject: RE: vulnerability scanner
>
>
> Excellent description of the various layers of vulnerability/ 
> policy tools
> as well as intrusion detection.  I am always concerned when 
> vendors indicate
> that they have a complete suite of tools, when in fact they 
> do not cover all
> of the bases.  If they bundle the tools together, that is 
> fine but no one
> vendor has a complete suite yet.  That may change over the 
> next 2 years, but
> not now.
>
> Ray Hooker
>
> -----Original Message-----
> From: owner-firewall-wizards () nfr net
> [mailto:owner-firewall-wizards () nfr net]On Behalf Of Christopher Klaus
> Sent: Wednesday, March 24, 1999 7:46 PM
> To: Sandy Green; firewall-wizards () nfr net
> Subject: Re: vulnerability scanner
>
>
> Sandy Green wrote:
> > Besides ISS and Cybercops , is there any tool
> > which does a host based vulnerability analysis
> > and also attacks the system based on known
> > attacks like IP spofing, tear drop, land attack, etc.
>
> To shed a little more light on the subject and make a distinction in
> these tools to help people better evaluate the vulnerability analysis
> tools, here's some additional information:
>
> ISS typically classifies Internet Scanner, CyberCop, SATAN, etc as
> network based vulnerability analysis and policy enforcement 
> tools.  The
> reason is that they look for security issues over the network 
> and mostly
> find isssues at the network service level.
>
> ISS classifies System Scanner, COPS, etc as a host based analysis and
> system policy tool. They search for security issues as an 
> agent sitting
> on the actual host.  System Scanner type tools do a more indepth
> analysis of the file system, backdoors, patches, etc that 
> compliment and
> provide a comprehensive overview of the entire host and 
> servers together
> with network based assessment tools.
>
> ISS classifies Database Scanner as an application based vulnerability
> and security policy tool.  This type of product looks at 
> security issues
> within Sybase and MS SQL Server.  This area of vulnerabilities is
> majorly overlooked by most organizations, but the crown jewels of a
> company are often stored in wide-open databases.  As E-Commerce is
> taking off, more applications are relying on these databases and they
> need to be routinely checked for good security.
>
> Many people are not aware of the different layers of vulnerability
> analysis between network, host, and application and that 
> there are tools
> that address all three.  When compiling your list, depending on how
> comprehensive you want to make it, it might make sense to include
> Internet Scanner (IS), System Scanner (S2), and Database Scanner (DBS)
> that exist to cover a wider range of vulnerability analysis. 
> These type
> of tools can help not only find security issues, but help build a
> security policy of what is or is not acceptable, and make it 
> easier for
> compliance and enforcement of that policy.
>
> -------------------------------------------------
> Christopher Klaus
> Founder and Chief Technology Officer
> cklaus () iss net
>
> Internet Security Systems, Inc.
> (678) 443-6000 /fax (678) 443-6477
> 6600 Peachtree-Dunwoody Road NE
> 300 Embassy Row, Atlanta, GA  30328
> www.iss.net
> NASDAQ: ISSX
>
> "Adaptive Security for the Networked Enterprise"