Theoretically, scanning a network should be benign. Probing workstations and servers shouldn’t interrupt the normal functionality of those systems. In practice, however, this may not be the case.
Many network scanners are not always harmless and can crash services, causing unnecessary pain. The nCircle IP360 Vulnerability Management System’s scanning appliances are designed to eliminate that problem by providing thorough and concise data on the state of system security throughout a network. The IP360 does its job quite well.
A good vulnerability scanner can determine the host OS definitively, report on services running on the host, and document any known vulnerabilities. nCircle’s solution involves deep reflex scanning, which pairs a simple port scan with more thorough examination of each host, including registry scanning on Windows systems and true service identification to identify services at the application level. This approach means the IP360 can identify known services running on unknown ports, such as a Web server running on port 2155.
Beyond port scans
A typical IP360 deployment requires multiple hardware components: a VnE (Vulnerabilities and Exposures) engine and a DP (Device Profiler).
The VnE is the base of operations. It runs the browser-based management console and houses the database of scanning information. Based on FreeBSD 4.7, the VnE is available in two flavors, a single-CPU IDE RAID version and a dual-CPU SCSI RAID version. The former supports as many as 20 DPs; the latter can handle as many as 100.
The DP unit is a solid-state, 1U rack-mounted system with an ATX mainboard and three 10/100 network interfaces. It runs OpenBSD and boots from a readily accessible flash card on the front panel. In fact, the flash card is a bit too accessible for my taste — it could be surreptitiously replaced with another card quite easily, compromising the DP’s integrity.
Most network scanners are run intermittently because continuous scanning can take time and use significant bandwidth, especially across WAN links. Thanks to its design, the IP360 actually enables continuous scanning, both in the scanning function and deployment model, without unnecessary bandwidth consumption.
The DP units scan the network local to the DP and feed the scan results to the VnE at a central site. By doing so, network scans do not actually occur across WAN links but are conducted by the DP units at the edge sites and are relayed to the VnE.
Every interaction between the VnE and the DP units is encrypted. To deploy a DP, a key is manually copied from the DP to the VnE along with the DP’s IP address, and communication between the units is tested. This process could be simpler but is only necessary during initial configuration.
Scan configuration in the VnE Manager console is completely modular: A network is defined as an IP subnet, a DP is associated with that subnet, and a scan type is selected. Selections can be saved into a scan profile that is triggered at scheduled intervals or is set to run continuously.
I used the IP360 to scan a single class C subnet with 32 active hosts. The network segment contained Windows 2000 and 2003 servers, Linux and FreeBSD servers, Windows 2000 and XP workstations, various network switches, and an Xbox.
| Test Center Scorecard | ||||||
|---|---|---|---|---|---|---|
 |  |  |  |  |  | |
| 30% | 20% | 20% | 20% | 10% | ||
| IP360 Vulnerability Management System | 9 | 8 | 9 | 9 | 8 |
8.7
Very Good
|
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »
Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.
Download now »
Sign up to receive Security Resource Alerts
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »
Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »
Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »
Recommend This
