Rollout: McAfee's Foundstone FS1000 5.0

By looking for known weaknesses in a dizzying array of OS and networking products, network-based vulnerability-assessment (VA) tools help admins find problems before bad things happen. McAfee's latest update to its flagship VA scanner, Foundstone FS1000, presents a mature platform for aiding in the vulnerability management process.

New to version 5.0 are the ability to log into systems using SSH to perform more granular vulnerability checking, an advanced notification module that allows for two-way communication to third-party ticketing systems using SNMP, and improved OS identification capabilities.

Like other products in the market, such as Qualys' Qualys Security Scan, ISS' Internet Scanner and Tenable's Nessus, Foundstone's strength is in performing network-based scans for known vulnerabilities in OSs and network devices. No longer considered rocket science, network-based OS vulnerability scanning has approached commoditization. All the products are based on a set of vulnerability-specific checks, all scan the network, all are prone to some false-positive IDs, and all report on their findings in a range of formats. Nevertheless, there are still key differences, particularly relating to ticketing, reporting and general workflow support. McAfee has identified and focused on several of these areas, and remains at the top end of the VA pack.UNDER THE HOOD

We upgraded the Foundstone FS1000 appliance at our Chicago Neohapsis facility from version 4.5 to 5.0--a painless, software-based process. The Foundstone appliance uses a Windows 2003 server build with a heavy set of hardening mechanisms and a self-contained patching and update system. Interaction with the appliance is done through a Web browser, though a Win32 console app is available for basic administration tasks.

Few scanners are as well organized as the Foundstone FS1000, however. Vulnerability checks fall into two categories--intrusive and nonintrusive. The former include testing DoS attacks, brute-force password guessing, and more involved service testing. This category is subclassified by general, wireless, Windows and local vulnerability checks. The local vulnerability checking requires host login credentials and SSH access from the Foundstone appliance, and there's an entire management menu in this area that can be configured on a per-asset basis. The interactive-login checks are grouped by platform: Cisco IOS, IBM AIX, Windows, Red Hat Enterprise and Sun Solaris.

While there is nothing particularly sexy about viewing vulnerability data, Foundstone reports actually tell you what you want to know in a format that doesn't make your head hurt. Almost all scanners let you export vulnerability data in HTML or XML--useful when you have the resources to build out your own reporting and remediation infrastructure. But Foundstone also provides good tools for navigating the greater vulnerability-management process: viewing the data, pushing action items to co-workers and providing quick visibility to the business team upstairs.We were given the full gamut of visibility in a wide range of formats: CSV, HTML, PDF and XML. The Foundstone scanner listed OS platform breakdowns, high/medium/low vulnerability charts, service percentages, and measurements from the last scan, and provided data on actual ports and banners grabbed (short of the packet dumps on the wire).

FALSE POSITIVES REMAIN TROUBLESOME

We did have challenges on the false-positive front. One of our lab systems was configured to return a modified HTML page regardless of the HTTP request--a method we used to foil some advertising-based redirect trickery. Foundstone reported this system as being vulnerable to a handful of CGI-based attacks, such as Aplio IP phone vulnerable CGI script and Armada Master index directory traversal attack. None of these vulnerabilities were related to, or even present on, the system. We believe the false-positive was the result of a simplistic method of checking for the presence of a "known-vulnerable" CGI script.

Successful risk management requires additional emphasis on mitigating application-level exposures. McAfee has begun making a rudimentary effort at tackling known Web-based vulnerabilities and common problems. At present, this capability is extremely limited in scope, as it can scan only for a static list of CGIs and perform some basic brute-forcing and SQL probing. There remains a gap between products that suit the OS and network and ones that help tackle Web application flaws. We're not holding our breath for products that tackle both, as the problem sets and the user profiles are very different--classic IT operations versus more application-development oriented professionals.

There's also a difference between finding the vulnerabilities in off-the-shelf Web apps and finding flaws in custom, in-house developed apps. Foundstone can provide some help with the former, but to address the latter, smart organizations must combine the use of app-scanning tools with skilled security professionals. The marriage of understanding and identifying network, OS and application exposures in key assets will provide the backdrop for better risk visibility, and McAfee's Foundstone provides a strong foundation to help advance the effort.Greg Shipley is the CTO of Neohapsis, an information security consultancy and enterprise IT product-testing lab. Write to him at [email protected].