September 14, 1999 10:22 AM

The Security Suite Spot

Windows IT Pro
InstantDoc ID #7208
Security in Spades

Windows NT security tools abound in today's market. To gain market share, one strategy that large firms pursue is to develop suites of security tools. For example, Internet Security Systems (ISS), Network Associates Incorporated (NAI), AXENT Technologies, and Cisco Systems each produce a suite of information-protection tools for the enterprise, and each vendor offers a distinct line of products that contain unique tools.

Internet Security Systems
ISS offers a suite of tools called SAFEsuite. SAFEsuite includes ISS's Internet Scanner (IS), System Scanner (S2), Database Scanner, RealSecure, and SAFEsuite Decisions (SD) products.

IS. IS detects vulnerabilities from a network perspective. The latest version, IS 5.8, performs over more than vulnerability tests on network devices. IS includes three basic modules: The first scans your intranet, the second examines your firewalls, and the third inspects your Web servers. A significant benefit of using IS is that the software can probe numerous types of devices, including Windows NT, Windows 9x, and UNIX systems, as well as routers and various Web server platforms. This capability makes the product useful in a mixed OS environment. IS runs on mixed NT/UNIX systems and has a great reporting interface.

IS was easy to install and use. The installation required a path and folder name, and I had to supply a demo license key for the product to work correctly. Testing a large network takes a while, and some tests that the scanner performs can render a server unable to communicate. Make sure that you run these types of tests after hours so the tests don't affect the company's workflow.

Scanning my test network took about an hour and a half and entailed checks of two NT Server 4.0 systems, one NT Workstation 4.0 system, one Linux server, and one Win95 workstation. The scanner lets you adjust various properties that affect performance. For instance, you can raise the number of worker threads, which lets the scanner perform more tasks simultaneously.

After the scan completed, the test results adequately revealed each machine's vulnerabilities in an easy-to-read layout. IS's reports are concise and to the point, and the information is very accessible. The two report styles I like best are the executive and technical styles. The executive summary omits technical material and presents the company's security status in layman's terms. The technical reports are suited for the people charged with managing configurations and provide details about how to remedy your system's vulnerabilities. For more information about IS, see "Internet Scanner 5.2," October 1998.

S2. S2 is similar to IS except that it works at the machine level and looks into the security of a system from a local perspective. This perspective lets the product detect security risks not visible to a network-based vulnerability scan. S2 works by installing an agent on each machine it scans. A centralized console communicates with each installed module to report on the vulnerabilities found in the system. S2 runs on NT, Win9x, and UNIX systems, and the installation process is basically the same as IS's installation process. When S2 scans UNIX systems, it can automatically generate scripts to fix a wide range of security problems. This capability saves administrators from spending a significant amount of time correcting security oversights. Another benefit of S2 is that after you secure a system, S2 can generate a digital fingerprint for the system. This fingerprint makes unauthorized tampering easier to detect.
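The fingerprint idea described above, as an added example that is not ISS's code or the product's actual format: a baseline of per-file sizes and SHA-256 digests is taken after a system is hardened, and a later pass reports anything added, removed, or modified. The sample file tree and the simulated tampering (a re-enabled service entry and an unexpected new file) are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint_tree(root):
    """Return {relative_path: (size, sha256_hex)} for every regular file under root."""
    root = Path(root)
    fingerprint = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            key = path.relative_to(root).as_posix()
            fingerprint[key] = (len(data), hashlib.sha256(data).hexdigest())
    return fingerprint


def compare_fingerprints(baseline, current):
    """Report files added, removed, or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        # Hardened state: the telnet service line has been commented out.
        (root / "etc" / "inetd.conf").write_text("# telnet disabled by policy\n")
        baseline = fingerprint_tree(root)  # this is what would be stored off-host

        # Simulated tampering: the service is re-enabled and a new file appears.
        (root / "etc" / "inetd.conf").write_text("telnet stream tcp nowait root in.telnetd\n")
        (root / "etc" / "unexpected.conf").write_text("not in the baseline\n")

        return compare_fingerprints(baseline, fingerprint_tree(root))


if __name__ == "__main__":
    print(demo())
```

A baseline is only as trustworthy as its storage: keep it (or a signed copy) somewhere the monitored host cannot rewrite, otherwise an intruder who changes files can also regenerate the fingerprint.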

S2 comes in a server version for NT, Win9x, and UNIX, and a limited desktop version for NT and Win9x. Using the product was as easy as using IS, and I found S2's reports to be first-rate.

Database Scanner. This product scans Microsoft SQL Server and Sybase computers for vulnerabilities such as weak passwords, dangerous embedded procedures, Y2K noncompliance, and Trojan horses. Version 3.0, which includes Oracle server support, will be available by the time you read this article. Database Scanner has a look and feel that is similar to IS and S2 and produces similar reports that include details about how to remedy existing security problems. ISS is the only company that I know of that produces this type of tool.

RealSecure. This security product is one of my favorites for pure NT networks. ISS calls the product a network- and host-based intrusion-detection and response system. The product acts as a network sentry that watches network traffic and system logs from computers on the network. RealSecure detects and responds to suspicious activity and can shut down connections that are performing suspicious actions. For example, if you don't permit the use of Telnet on your network, RealSecure can enforce that policy with a simple rule definition. The rule can watch for Telnet traffic and, when detected, force that session to reset, which effectively breaks the Telnet connection. Adding to the usefulness of this product is its ability to record sessions in a log. The session logs can record everything that happens during a session, and you can play back those recorded sessions for analysis or for use in prosecuting an intruder. RealSecure can also reconfigure Check Point's popular Firewall-1 on the fly in response to attacks.

Installing RealSecure is a bit more complex than installing ISS's other products. RealSecure has three basic components: a system agent, a network engine, and a management console. The product also has an HP OpenView snap-in, but I didn't use that component during my tests. The system agent and the network engine look for signs of intrusion. The system agent watches system log files, and the network engine watches all the network traffic on one network segment. The management console provides the console interface for RealSecure and manages the network engines and system agents. To have RealSecure monitor several segments, you must install a network agent on each of the segments. Installing the console portion required only a path and a folder name, and my choice of encryption products to authenticate and ensure secure communication between the components. To install the network engine, I had to provide the same types of information.

I tested RealSecure on a small single-segment network by installing one network agent and two system agents. Using the RealSecure policy editor, I configured RealSecure to recognize a series of predefined attack signatures, track all access to a specific Web server on my test network, and not permit Telnet sessions on the network segment. I found that RealSecure stopped Telnet sessions cold and accurately tracked every Web page access for my test server. The product is flexible and integrates well into the network. For more information about RealSecure, see "RealSecure 1.0 for Windows NT," October 1997.

SD. SD is a security support application that lets you tie in data from various sources, such as RealSecure engines. This capability lets you compare all the data from a much broader perspective to produce useful consolidated or correlated security reports.

Internet Security Systems
678-443-6000
http://www.iss.net

Internet Scanner
Price: $2795 for a 30-device license
System Requirements: Windows NT 4.0 with Service Pack 3 or later, 64MB of RAM, 90MB of hard disk space

System Scanner
Price: $695 for a single-server license
System Requirements: 90MHz Pentium processor or better, NT 4.0, 64MB of RAM, 25MB of hard disk space

RealSecure
Price: $8995 per network engine; $750 per system agent
System Requirements: 300MHz Pentium II processor or better, NT 4.0 with Service Pack 4 or later, 128MB of RAM, 10MB of hard disk space
