nCircle closes the network scanning loop
IP360 Vulnerability Management System employs deep scanning to accurately ID network, application services
By @pvenezia
Theoretically, scanning a network should be benign. Probing workstations and servers shouldn’t interrupt the normal functionality of those systems. In practice, however, this may not be the case.
Many network scanners are not harmless: they can crash services and cause unnecessary pain. The scanning appliances in nCircle's IP360 Vulnerability Management System are designed to avoid that problem while still providing thorough, concise data on the state of system security throughout a network. The IP360 does its job quite well.
A good vulnerability scanner can determine the host OS definitively, report on the services running on the host, and document any known vulnerabilities. nCircle's solution is what it calls deep reflex scanning, which pairs a simple port scan with a more thorough examination of each host, including registry scanning on Windows systems and true service identification, which fingerprints services at the application level rather than inferring them from the port number. This approach means the IP360 can identify known services running on unknown ports, such as a Web server listening on port 2155.
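The port-independent identification described above, as an added example that is not nCircle's code: the scanner first waits for a server banner (SSH, SMTP and FTP speak first), and only if the peer is silent does it send an HTTP request and classify the reply. The probe, the signature table and the three local demo listeners are constructed for illustration; a real engine carries many more probes, including TLS handshakes for HTTPS.

```python
import re
import socket
import threading

# Added example: application-level service identification independent of port.
# The probe and signatures are constructed for illustration, not nCircle's database.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"

# (service name, regex matched against the first bytes the server sends)
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d+-")),
    ("smtp", re.compile(rb"^220[ -].*(SMTP|ESMTP)", re.I)),
    ("ftp", re.compile(rb"^220[ -].*FTP", re.I)),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
]


def classify(data):
    """Map a banner or reply to a service name; 'unknown' if nothing matches."""
    for name, pattern in SIGNATURES:
        if pattern.match(data):
            return name
    return "unknown"


def identify_service(host, port, timeout=1.0):
    """Identify what listens on host:port without consulting the port number.
    Servers that speak first are classified from their banner; a silent server
    is sent an HTTP request and classified from the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        try:
            data = s.recv(1024)          # does the server greet us?
        except socket.timeout:
            pass
        if not data:
            s.sendall(HTTP_PROBE)        # silent peer: probe it as a Web server
            try:
                data = s.recv(1024)
            except socket.timeout:
                return "unknown"
    return classify(data)


def _fake_server(banner=None, reply=None):
    """Constructed demo listener on an ephemeral 127.0.0.1 port. With a banner it
    speaks first; otherwise it waits for the client's request and sends reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if banner is None:
                conn.settimeout(5.0)
                try:
                    conn.recv(1024)
                except socket.timeout:
                    pass
                conn.sendall(reply)
            else:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo():
    """Run the identifier against three constructed listeners on arbitrary ports."""
    web = _fake_server(reply=b"HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n")
    ssh = _fake_server(banner=b"SSH-2.0-OpenSSH_9.6\r\n")
    odd = _fake_server(reply=b"\x16\x03\x01\x00\x05hello")   # speaks neither protocol
    return {
        "web": identify_service("127.0.0.1", web),
        "ssh": identify_service("127.0.0.1", ssh),
        "odd": identify_service("127.0.0.1", odd),
    }


if __name__ == "__main__":
    for name, service in demo().items():
        print(name, "->", service)
```

The Web server is recognised as HTTP whatever port the demo happened to bind, which is the point of service identification over port mapping. Note that the same active probing is what makes careless scanners crash fragile services; the one-second timeouts and a single short request per unknown port keep the example gentle.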
Beyond port scans
A typical IP360 deployment requires two kinds of hardware component: a VnE (Vulnerabilities and Exposures) engine and one or more DP (Device Profiler) units.
The VnE is the base of operations. It runs the browser-based management console and houses the database of scanning information. Based on FreeBSD 4.7, the VnE is available in two flavors, a single-CPU IDE RAID version and a dual-CPU SCSI RAID version. The former supports as many as 20 DPs; the latter can handle as many as 100.
The DP unit is a solid-state, 1U rack-mounted system with an ATX mainboard and three 10/100 network interfaces. It runs OpenBSD and boots from a readily accessible flash card on the front panel. In fact, the flash card is a bit too accessible for my taste — it could be surreptitiously replaced with another card quite easily, compromising the DP’s integrity.
Most network scanners are run intermittently because continuous scanning takes time and consumes significant bandwidth, especially across WAN links. The IP360's deployment model sidesteps that cost and makes continuous scanning practical.
Each DP scans the network local to it and forwards only the results to the VnE at the central site. Scan traffic therefore never crosses a WAN link; the edge-site DPs do the probing, and only the relayed findings travel to the VnE.
Every interaction between the VnE and the DP units is encrypted. To deploy a DP, a key is manually copied from the DP to the VnE along with the DP’s IP address, and communication between the units is tested. This process could be simpler but is only necessary during initial configuration.
Scan configuration in the VnE Manager console is completely modular: A network is defined as an IP subnet, a DP is associated with that subnet, and a scan type is selected. Selections can be saved into a scan profile that is triggered at scheduled intervals or is set to run continuously.
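The two VnE-side rules the preceding paragraphs describe, a subnet being handed to the DP local to it and a DP being trusted only after its key and IP address were entered by hand, as an added example that is not nCircle's code. The class and field names, the longest-prefix rule for choosing a DP, and the use of an HMAC over the report body are assumptions for illustration; the page only says that a key and IP are copied manually and that the link is encrypted.

```python
import hashlib
import hmac
import ipaddress
import json

# Added example of a VnE-side registry. Names and the HMAC scheme are assumptions,
# not nCircle's protocol.


class DeviceProfiler:
    def __init__(self, name, ip, key, subnets):
        self.name = name
        self.ip = ip
        self.key = key                        # copied by hand from the DP at enrollment
        self.subnets = [ipaddress.ip_network(s) for s in subnets]


class VnE:
    def __init__(self):
        self.dps = {}                         # DP IP address -> DeviceProfiler

    def enroll(self, dp):
        """Manual enrollment: the operator pastes the DP's key and IP into the VnE."""
        self.dps[dp.ip] = dp

    def dp_for(self, target):
        """Choose the DP whose local subnet contains the target (longest prefix wins),
        so the scan runs at the edge site rather than across the WAN."""
        addr = ipaddress.ip_address(target)
        best = None
        for dp in self.dps.values():
            for net in dp.subnets:
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (dp, net)
        return best[0] if best else None

    def accept_report(self, src_ip, body, mac_hex):
        """Accept a scan result only if it arrives from an enrolled DP's IP and the
        HMAC over the body verifies under that DP's key. Constant-time compare."""
        dp = self.dps.get(src_ip)
        if dp is None:
            return False
        expected = hmac.new(dp.key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac_hex)


def sign_report(key, findings):
    """DP side: serialise findings canonically and authenticate them."""
    body = json.dumps(findings, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def demo():
    """Constructed deployment: a head-office DP and a branch DP."""
    vne = VnE()
    vne.enroll(DeviceProfiler("dp-hq", "10.0.0.5", b"hq-key", ["10.0.0.0/16"]))
    vne.enroll(DeviceProfiler("dp-branch", "10.0.200.5", b"branch-key", ["10.0.200.0/24"]))

    body, mac = sign_report(b"branch-key", {"host": "10.0.200.77", "open": [22, 2155]})
    return {
        "branch_host": vne.dp_for("10.0.200.77").name,       # most specific subnet
        "hq_host": vne.dp_for("10.0.3.1").name,
        "unrouted": vne.dp_for("192.168.1.1"),
        "good_report": vne.accept_report("10.0.200.5", body, mac),
        "tampered": vne.accept_report("10.0.200.5", body + b" ", mac),
        "wrong_dp": vne.accept_report("10.0.0.5", body, mac),   # hq key does not match
        "unknown_src": vne.accept_report("203.0.113.9", body, mac),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Binding the report to both the enrolled key and the expected source address is what the manual key-plus-IP step buys you. A production protocol would also need freshness (a nonce or timestamp in the signed body) so an old report cannot be replayed, and transport encryption, which the page says the IP360 already provides.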
I used the IP360 to scan a single class C subnet with 32 active hosts. The network segment contained Windows 2000 and 2003 servers, Linux and FreeBSD servers, Windows 2000 and XP workstations, various network switches, and an Xbox.