A New Tool For Security Scans

To fend off network attackers you need tools that identify vulnerable systems across multiple OSs and provide guidelines for remediation before holes can be exploited. Vulnerability scanners help, but many are vendor-specific and expensive. There's a better way: Nessus, a free, frequently updated open-source utility.

A Nessus vulnerability assessment has three phases. During scanning discovery, Nessus queries a range of network IP addresses to determine active hosts. For example, vulnerability-assessment software can send ICMP (Internet Control Message Protocol) echo requests to find active hosts; however, devices that don't respond aren't necessarily dead--they may be behind a firewall or have a host firewall that doesn't respond to ICMP.

Port scanning can determine which hosts are alive and which ports are open. The results are used to create sets of host targets for the second phase, analysis. During this phase, vulnerability software queries network services on each host to obtain banners containing software and OS version information. The final phase of vulnerability detection involves probing remote services to test them against a list of known vulnerabilities, such as buffer overflows and system-configuration errors.

Nessus uses client-server technology, which lets a console server perform the scanning and testing while results are monitored and reviewed on distributed clients. The server-side component, nessusd, provides a central repository in which all vulnerability security checks (plug-ins) are registered and accessed across the network by client components. The server component is Unix-based--using a Linux server makes installation simple. Nessus clients are available for both Windows and Unix X Windows. The Nessus server and client will each run in console mode on the Macintosh OS X.Before scanning your network, map out your deployment to avoid the pitfalls common to Nessus scanning--namely, network slowdowns and system crashes. Measuring your network's bandwidth requirements is paramount. Assemble an inventory of assets and define who's responsible for each and who should receive vulnerability-assessment results. Tell the IT staff and appropriate business-unit managers of your plans.

No matter how sincere your intentions, scanning is visible to IDS products and sniffers, so your scan could be perceived as an attack on your network. Although the goal of port scanning is to detect open ports, make sure the software applications and hardware being scanned will tolerate the port scan. Aggressive port scanning can freeze host systems and result in downtime.

Now you're ready to schedule scans, but start with small steps to ensure you don't slow down the network or crash systems. Run your first scan on a test network or a small subnet of non-business-critical machines. Make sure you know the IP address range of your network and which devices are assigned to which IP addresses. Don't add deny rules at first. After you get a couple of successful scans under your belt, start denying systems, like printers, from scans. Don't use nmap, but rather the default sysscan.nasl plug-in. Starting with port range 1 to 1024, enable safechecks and ping each host. If you find your first scan is taking too long, reduce the number of targets and plug-ins.

After you've scanned, analyze the results, which you can view using the Unix (Nessus GUI) or Windows (NessusWx) client, or by exporting the data to an external program. Within the NessusWx client, select a session and go to Session/Manage Results. The results can be viewed using the View command, or written to a text, HTML or PDF file.

In our step-by-step instructions, we start by configuring a Nessus server so we can run a vulnerability scan and identify nonpatched systems. We assume the Nessus server is installed on our Linux server.If your Nessus server is not installed, you can download the four files from www.nessus.org/download: nessus-libraries, libnasl, nessus-core and nessus-plugins. Install these files in their listed order by executing "tar xzf" on each file to create a directory for each component.

Now you can start the configuration and compilation steps. For each directory, run the following commands:

$ [as non root] cd ../{file name}

$ [as non root] ./configure$ [as nonroot] make

$ su

Password:

# make install

Joanne VanAuken is a technology editor for Secure Enterprise. She has 14 years' experience in computer operations and systems administration. Write to her at [email protected].

1. Create a Nessus Server Certificate An administrator must execute additional steps for a nessusd Nessus server to communicate with a Nessus client. First, create a Nessus server certificate for secure communication between the server and client by executing the following command on the server: # nessus-mkcert.

If OpenSSL is installed, executing this command will force you to be queried for common items related to certification identification. You can use the lifetime values we used or enter your own. You'll then see a screen displaying the files that contain the public and private keys used for encryption.

2. Create a user account Once your server certificate has been created, you must create a user by executing the # nessus-adduser command on the server and entering a user name. Decide what type of authentication method to use: "pass" or "cert." If you choose "pass," as I did, the password won't appear on the screen as it is typed; if you choose "cert," you'll be asked for additional certificate-related information. Next, enter any rules that apply to this user. For example, I wanted to let the user scan only hosts between 192.168.0.0 and 192.168.0.024, so I entered the appropriate accept/deny rules. Hit when you've finished entering rules for each user created.

3. Modify the nessusd.conf file The last step to configuring your Nessus server is to modify the /etc/nessus/nessusd.conf file using the vi text editor. Many items can be modified in this configuration file, but an important one is max_ thread, which determines the total simultaneous Nessus tests to run. The default is 15, but I used 25. Test different figures to determine the performance impact on your network. Scale it back if you experience performance problems. The port_range variable sets the default range of ports to scan, and by entering 0-65535, we're ensuring a comprehensive (though long) scan. Ping_hosts tells Nessus whether it should scan only hosts that respond to ping requests. Setting this variable to "no" means it'll scan hosts that don't respond to a ping, increasing scanning time. Save the file and exit the text editor.

4. Define your scan You can download the Nessus client for Windows from www.nessus.org. Once the client is installed, double-click on your desktop's NessusWX icon. From the Communications menu, select Connect to open the corresponding dialog box. Enter the user name you created on the Nessus server in the login text box. You can use the DNS name of your server or the IP address to make a connection. The default port is 1241, but it can be modified through the server configuration file. The server will prompt you for your password, then authenticate you. You'll see how many plug-ins have been loaded for the client to use during scans.

5. Start scanning You can start a scanning session by selecting Session/New and entering a session name. Define the parameters you want for this scan in the Session Properties dialog box. You can add targets by clicking Add and entering a target type of a single host, a subnet or an address range. Next select the Options tab. Until you're familiar with Nessus, make sure the Safe Checks option is checked. This will cause Nessus to rely on version information from network service banners to determine vulnerability; however, this may result in false positives. But it's a good option to use if you need to scan a host or series of hosts whose uptime is mandatory.

6. Scanning options Nessus offers many options, but it's not possible to cover them all in this article. Here's overview of some. The Port Scan tab lets you define specific ports or ranges of ports to be scanned. Click the Configure Services button if you want to run a scan to find out whether a particular service is running or if your want to specify certain scanners. The Connection tab lets you use logins and passwords for your scan parameters and specify encryption methods. Select Plugins tab/Configure Plugins button to see the configurable options Nessus offers. Each plug-in has a default setting that can be changed.

7. Executing your scan When you're finished defining your scan, double-click it to execute. Scans are saved as part of the database Nessus creates (NessusDB). Reports can be viewed at the end of a scan or saved as text or HTML files. By default, reports are saved in the NessusWX folder. You can import scan results to a spreadsheet or as graphical presentation. The above screen displays partial results of a scan. The offending service, severity level and information about the vulnerability are reported. Web links provide more detailed information.0