Computer security professionals know that to defeat malicious intruders, you need to know how to attack like one. Intruders spend much of their time searching for systems with known vulnerabilities: All they need is patience and a chunk of exploit code to succeed in cracking a system. They use Ping or some other utility to locate potential victim machines by IP address or domain name. Then, they find out which OS and applications the hosts are running and run the related exploit code. Or, an intruder's worm creation can whip across the Internet, knocking on every door and working its tricks against every machine without even trying to find out whether the host contains the necessary software for the exploit to succeed. If the SQL Slammer (aka Sapphire) worm is any indication, this cracker strategy succeeds.
Vulnerability assessment tools automate the cracker exploration process and let network administrators assess the security readiness of their networks. Security policies, ACLs, and signed user agreements mean little if your systems are full of exploitable holes. If you can find the holes before a malicious intruder can, and close them, you've gone a long way toward making your network safer. Let's discuss vulnerability assessment tools in general; popular vulnerability assessment tools for Windows systems, which Table 1, page 34, lists; and trends in protecting against intrusion.
The vulnerability assessment tool market comprised only a few major players 2 years ago but now includes more than 40 vendors. A few products have come and gone, and some of the major network security vendors have abandoned their initial efforts because consumer demand for vulnerability assessment tools didn't meet expectations. Although host-based vulnerability assessment tools are still the most popular products, the greatest vendor growth has been in specialty scanners, such as those that scan Microsoft SQL Server databases, Web servers, and wireless LANs (WLANs). Most vulnerability assessment tools fall into one of a few different categories: host-based, application-layer (database or Web), and password and account checkers.
Host-Based Vulnerability Assessment Tools
When people think about vulnerability assessment tools, they usually have host-based tools in mind. A host-based vulnerability assessment tool finds and identifies the OS running on a particular host computer and tests it for known deficiencies. A host tool can tell the difference between a Windows 2000 system and a UNIX box and test accordingly. Most of these tools will look for and test common applications and services on each platform. For example, if a vulnerability assessment tool finds a UNIX host, it might test for daemons, Sendmail, or Samba shares. If a tool finds a Win2K host, it might test for Microsoft IIS, open NetBIOS shares, and weak passwords.
A Windows-based vulnerability assessment tool should understand the operational differences among different Windows versions. For example, testing IIS exploits or remote procedure call (RPC) Denial of Service (DoS) attacks against a Windows 98 machine is pointless. Several popular vulnerability assessment tools have UNIX roots: They excel at testing UNIX and Linux systems and test Windows systems as a byproduct. If your network contains nothing but Windows machines, make sure the vulnerability assessment tool you pick focuses on Microsoft platforms.
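The platform awareness described above amounts to a dispatch problem: each check declares which hosts it makes sense on, and the scanner runs only the applicable subset. The following Python sketch is an added example and is not code from any product the article discusses; the host inventory, the check names and the `is_nt_family` rule are constructed for illustration.

```python
"""Platform-aware check selection for a host-based vulnerability scanner.

Added illustration, not code from any product the article discusses. The
host inventory and the check catalogue below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Host:
    name: str
    family: str                 # "windows" or "unix"
    version: str                # e.g. "2000", "98", "linux"
    services: List[str] = field(default_factory=list)


@dataclass
class Check:
    name: str
    applies_to: Callable[[Host], bool]   # predicate deciding whether the check is meaningful


def is_nt_family(h: Host) -> bool:
    # Windows 9x/ME has no NT security model, RPC services or IIS, so checks
    # written for NT/2000 are pointless there (the article's Windows 98 point).
    return h.family == "windows" and h.version not in ("95", "98", "ME")


# Constructed catalogue: names are illustrative, not a real product's check IDs.
CHECKS = [
    Check("iis-sample-code-present", lambda h: is_nt_family(h) and "iis" in h.services),
    Check("iis-anonymous-account-config", lambda h: is_nt_family(h) and "iis" in h.services),
    Check("rpc-dos-patch-level", is_nt_family),
    Check("netbios-open-shares", lambda h: h.family == "windows" and "netbios" in h.services),
    Check("weak-local-passwords", lambda h: h.family == "windows"),
    Check("sendmail-version", lambda h: h.family == "unix" and "smtp" in h.services),
    Check("samba-share-permissions", lambda h: h.family == "unix" and "smb" in h.services),
]


def select_checks(host: Host, checks: List[Check] = CHECKS) -> List[str]:
    """Return the names of checks that make sense for this host, in catalogue order."""
    return [c.name for c in checks if c.applies_to(host)]


# Constructed inventory (not real hosts).
INVENTORY = [
    Host("web01", "windows", "2000", ["iis", "netbios"]),
    Host("legacy-pc", "windows", "98", ["netbios"]),
    Host("mail01", "unix", "linux", ["smtp", "smb"]),
]


def plan(inventory: List[Host] = INVENTORY) -> Dict[str, List[str]]:
    """Map each host name to the checks the scanner would actually run against it."""
    return {h.name: select_checks(h) for h in inventory}


if __name__ == "__main__":
    for name, names in plan().items():
        print(f"{name}: {names}")
```

Running the script shows the Windows 98 machine receiving only the NetBIOS-share and password checks, while the IIS and RPC checks are reserved for the Windows 2000 host.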
Application-Layer Vulnerability Assessment Tools
Most application-layer vulnerability assessment tools are directed toward Web servers or databases. The difficulty of correctly securing a public Web server can't be overstated. During the past few years, at least a half dozen "security contests" offered would-be intruders cash prizes to attack extremely hardened Web servers. Dream teams of security talent configured the Web servers, which ran hardware protection that most companies can't afford. Yet by my count, in five out of six contests, the system succumbed to dedicated crackers within a few days. Most Web servers fell because of exploits in the underlying OS or holes in the e-commerce application. If the best of the best can't properly secure a Web server, how can the lay Web master secure one? The answer is to run a vulnerability assessment tool built specifically for testing Web servers.
Web-server vulnerability assessment tools are usually targeted at IIS, Apache, or iPlanet. IIS-oriented vulnerability assessment tools will attack poorly configured anonymous user accounts, incorrect directory rights, leftover sample code, and privileged services such as Internet Server API (ISAPI) filters. Apache and iPlanet tools check for chunk code file exploits, attacks against the cgi-bin directory, or directory traversal attacks against /etc/passwd. Vulnerability assessment tools for any Web server will always check for sensitive information stored in hidden fields, stored passwords, cross-site scripting, unchecked inputs, and buffer overflows.
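Two of the Web-layer checks listed above, sensitive data in hidden form fields and directory traversal, can be demonstrated with a few lines of Python. This is an added example, not code from any scanner the article names; the HTML page, the request paths, the `SENSITIVE_HINTS` list and the `DOCROOT` value are all constructed for illustration. The traversal check is written the way a server or a scanner would validate a request: decode, canonicalize against the document root, and reject anything that resolves outside it.

```python
"""Two Web-layer checks of the kind the article describes.

Added illustration, not code from any scanner named in the article. The
HTML page, request paths and hint list are constructed inline.
"""
import posixpath
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import unquote

# Words that suggest a hidden field carries something the client should not control.
SENSITIVE_HINTS = ("pass", "pwd", "price", "total", "admin", "role", "userid", "discount")
DOCROOT = "/var/www/html"   # assumed document root for the example


class HiddenFieldCollector(HTMLParser):
    """Collect (name, value) pairs of <input type="hidden"> fields from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))


def sensitive_hidden_fields(html: str) -> List[str]:
    """Names of hidden fields whose name matches one of the sensitivity hints."""
    p = HiddenFieldCollector()
    p.feed(html)
    return [name for name, _ in p.hidden
            if any(h in name.lower() for h in SENSITIVE_HINTS)]


def escapes_docroot(request_path: str, docroot: str = DOCROOT) -> bool:
    """True if the request path, once decoded and canonicalized, leaves the docroot."""
    # Decode twice so a double-encoded "%252e%252e" is caught, and treat
    # backslashes as separators the way IIS does.
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    target = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    return not (target == docroot or target.startswith(docroot + "/"))


# Constructed checkout form: two hidden fields carry values a client should not set.
SAMPLE_PAGE = """
<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="1042">
  <input type="hidden" name="unit_price" value="19.99">
  <input type="hidden" name="is_admin" value="0">
  <input type="text" name="quantity" value="1">
  <input type="submit" value="Buy">
</form>
"""

# Constructed request paths: a normal file, a relative hop inside the tree,
# and three traversal variants (plain, percent-encoded, double-encoded).
SAMPLE_PATHS = [
    "/index.html",
    "/a/../b.html",
    "/../../etc/passwd",
    "/images/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/secret",
]


def traversal_report(paths: List[str] = SAMPLE_PATHS) -> List[str]:
    """Return the sample paths that would escape the document root."""
    return [p for p in paths if escapes_docroot(p)]


if __name__ == "__main__":
    print("sensitive hidden fields:", sensitive_hidden_fields(SAMPLE_PAGE))
    print("paths escaping docroot:", traversal_report())
```

The hidden-field check is deliberately a name heuristic: a scanner cannot know what `unit_price` means to the application, but it can flag that a price is being round-tripped through the client for a human to review.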
The appearance of SQL injection attacks, and now the Slammer worm, prompted several vendors to produce application-layer tools that specifically test the most popular databases: SQL Server, Microsoft Exchange Server, Oracle, IBM Lotus Domino, Oracle PL/SQL, Sybase, IBM DB2, and MySQL. The tools test for missing or default passwords, injection problems, and poorly configured security.
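The two database-layer findings named above, injection problems and missing or default passwords, come down to code and configuration the administrator can inspect directly. The following Python example is added here and is not code from any tool the article names; it uses an in-memory SQLite table so it runs offline, and the table rows, the account list and the `DEFAULT_CREDENTIALS` set are constructed for illustration. The same string-concatenation mistake applies to every database product in the article's list; only the parameter marker differs by driver.

```python
"""Injection and default-password checks at the database layer.

Added illustration, not code from any product the article names. Table
contents, the account list and the default-credential set are constructed.
"""
import sqlite3
from typing import List, Set, Tuple


def _db() -> sqlite3.Connection:
    """Build a constructed in-memory users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Builds the statement by concatenation, so the caller's input becomes SQL
    # text; this is the "injection problem" an application-layer scanner looks for.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The value travels as a bound parameter and is never parsed as SQL.
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed sample of vendor-default logins a scanner would test for.
DEFAULT_CREDENTIALS: Set[Tuple[str, str]] = {("sa", ""), ("admin", "admin"), ("root", "")}

# Constructed account export (user, password) as an administrator might dump it
# from a test database; the passwords are illustrative only.
SAMPLE_ACCOUNTS = [
    ("sa", ""),
    ("appuser", "Tr0ub4dor&3"),
    ("reporting", ""),
    ("webapp", "admin"),
]


def weak_accounts(accounts: List[Tuple[str, str]]) -> List[str]:
    """Accounts with a missing password or a known vendor-default pair."""
    return [u for u, p in accounts if p == "" or (u, p) in DEFAULT_CREDENTIALS]


def demo() -> Tuple[int, int]:
    """Row counts returned for the same malformed input by the two lookups."""
    con = _db()
    crafted = "x' OR '1'='1"
    return len(lookup_vulnerable(con, crafted)), len(lookup_safe(con, crafted))


if __name__ == "__main__":
    vuln_rows, safe_rows = demo()
    print(f"concatenated query returned {vuln_rows} rows, parameterized returned {safe_rows}")
    print("weak accounts:", weak_accounts(SAMPLE_ACCOUNTS))
```

`demo()` shows the difference a scanner is probing for: the concatenated query returns every row for an input that should match none, while the parameterized version returns nothing. `weak_accounts` is the offline counterpart of the scanner's password test and flags the blank `sa` login that the SQL Server worms of the period relied on.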