nCircle closes the network scanning loop

IP360 Vulnerability Management System employs deep scanning to accurately ID network, application services

Theoretically, scanning a network should be benign. Probing workstations and servers shouldn’t interrupt the normal functionality of those systems. In practice, however, this may not be the case.

Many network scanners are not harmless: they can crash the services they probe, causing unnecessary pain. The nCircle IP360 Vulnerability Management System’s scanning appliances are designed to eliminate that problem while providing thorough and concise data on the state of system security throughout a network. The IP360 does its job quite well.

A good vulnerability scanner can determine the host OS definitively, report on services running on the host, and document any known vulnerabilities. nCircle’s solution involves deep reflex scanning, which pairs a simple port scan with a more thorough examination of each host, including registry scanning on Windows systems and true service identification, which recognizes services at the application level rather than by port number. This approach means the IP360 can identify known services running on unknown ports, such as a Web server running on port 2155.

Beyond port scans

A typical IP360 deployment requires two kinds of hardware components: a VnE (Vulnerabilities and Exposures) engine and one or more DPs (Device Profilers).

The VnE is the base of operations. It runs the browser-based management console and houses the database of scanning information. Based on FreeBSD 4.7, the VnE is available in two flavors, a single-CPU IDE RAID version and a dual-CPU SCSI RAID version. The former supports as many as 20 DPs; the latter can handle as many as 100.

The DP unit is a solid-state, 1U rack-mounted system with an ATX mainboard and three 10/100 network interfaces. It runs OpenBSD and boots from a readily accessible flash card on the front panel. In fact, the flash card is a bit too accessible for my taste — it could be surreptitiously replaced with another card quite easily, compromising the DP’s integrity.

Most network scanners are run intermittently because continuous scanning can take time and use significant bandwidth, especially across WAN links. Thanks to its design, the IP360 actually enables continuous scanning, both in the scanning function and deployment model, without unnecessary bandwidth consumption.

The DP units scan the network local to the DP and feed the scan results to the VnE at a central site. By doing so, network scans do not actually occur across WAN links but are conducted by the DP units at the edge sites and are relayed to the VnE.

Every interaction between the VnE and the DP units is encrypted. To deploy a DP, a key is manually copied from the DP to the VnE along with the DP’s IP address, and communication between the units is tested. This process could be simpler but is only necessary during initial configuration.

Scan configuration in the VnE Manager console is completely modular: A network is defined as an IP subnet, a DP is associated with that subnet, and a scan type is selected. Selections can be saved into a scan profile that is triggered at scheduled intervals or is set to run continuously.

I used the IP360 to scan a single class C subnet with 32 active hosts. The network segment contained Windows 2000 and 2003 servers, Linux and FreeBSD servers, Windows 2000 and XP workstations, various network switches, and an Xbox.

A full scan of this subnet took more than two hours, with the IP360 taking significant time on a few particular hosts. The IP360 correctly identified 95 percent of the hosts but couldn’t figure out what to make of a Dell switch, marking it as a Unix derivative system, and gave up completely on the Xbox. The misidentification of the Dell switch is probably because its SSH (Secure Shell) server is OpenSSH. These inconclusive identifications likely contributed to the long scanning time.

Next, I configured a Fedora Core 1 system with a rather odd set of services, including chargen, echo, talk, RPC (Remote Procedure Call) services, Apache, and MySQL, and scattered the ports. The IP360 correctly identified every application running on this server, regardless of TCP port, but incorrectly identified the OS as Irix.

This error aside, overall application detection accuracy was impressive. The only downside to the IP360’s deep scanning is the tendency for server logs to fill with warnings from services being probed.

In search of remediation

The IP360 includes a ticketing system that is directly tied to the scans. During network object configuration, an owner can be assigned to that network. When owners log in to the interface, they are presented with tickets created by the latest scan and referencing vulnerable hosts. As the owners resolve issues, they can close the tickets as with any help desk system.

The VnE Web interface is well laid out, intuitive, and snappy. Executive and technical reports are laden with graphs and reams of data, but drilling down to specific details on a single host is simple. Also available is the Application Probe Scripting Language, a custom scripting language that allows admins to write probe definitions to match specific applications. This is handy in shops with many custom client/server apps and can significantly boost the IP360’s overall application detection accuracy.
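The review describes two related ideas: true service identification, which recognizes an application by how it behaves on the wire rather than by the port it listens on (the Web server on port 2155), and custom probe definitions that match specific applications. The following Python program is an added illustration of both and is not code from the article or from nCircle; the ProbeDef layout is a hypothetical stand-in for a probe definition, not the Application Probe Scripting Language, and the banners in the test are constructed samples. It listens for a self-announcing banner first (SSH, SMTP, FTP, MySQL), then falls back to request-driven probes (HTTP), and the demo function starts a throwaway HTTP server on a random loopback port to show that the port number plays no part in the identification.

```python
import re
import socket
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer


@dataclass(frozen=True)
class ProbeDef:
    """Hypothetical probe definition: what to send and what a matching reply looks like."""
    name: str
    request: bytes        # b"" means "send nothing, just listen for the service's banner"
    pattern: re.Pattern   # regex applied to the first bytes the service sends back


# Order matters: an SMTP greeting also starts with "220", so it must be tried before FTP.
PROBES = [
    ProbeDef("ssh", b"", re.compile(rb"^SSH-\d\.\d-")),
    ProbeDef("smtp", b"", re.compile(rb"^220[ -].*SMTP", re.I)),
    ProbeDef("ftp", b"", re.compile(rb"^220[ -]")),
    # MySQL handshake: 4-byte packet header, protocol byte 0x0a, then "major.minor.patch".
    ProbeDef("mysql", b"", re.compile(rb"^[\s\S]{4}\x0a\d+\.\d+\.\d+")),
    # HTTP servers stay silent until asked, so this probe carries a request.
    ProbeDef("http", b"GET / HTTP/1.0\r\n\r\n", re.compile(rb"^HTTP/1\.[01] \d{3}")),
]


def classify(reply: bytes) -> str:
    """Return the name of the first probe definition whose pattern matches the reply."""
    for probe in PROBES:
        if probe.pattern.match(reply):
            return probe.name
    return "unknown"


def _recv(sock: socket.socket, limit: int = 1024) -> bytes:
    try:
        return sock.recv(limit)
    except socket.timeout:
        return b""


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Identify the application behind host:port without regard to the port number."""
    # Stage 1: connect and wait for a banner; many services speak first.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        banner = _recv(sock)
    if banner:
        return classify(banner)
    # Stage 2: silent service; try each request-driven probe on a fresh connection.
    for probe in PROBES:
        if not probe.request:
            continue
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(probe.request)
            name = classify(_recv(sock))
        if name != "unknown":
            return name
    return "unknown"


def demo_nonstandard_http() -> str:
    """Start a throwaway HTTP server on a random loopback port and identify it by behaviour."""

    class Quiet(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")

        def log_message(self, *_):   # keep the demo server from writing to stderr
            pass

    server = HTTPServer(("127.0.0.1", 0), Quiet)   # port 0 = let the OS pick one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_port("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("service on random port identified as:", demo_nonstandard_http())
```

Note that stage 2 opens a new connection per probe rather than sending several requests down one socket, because the first unexpected request is what often makes a fragile service drop the connection or crash. Every probe also leaves a trace in the target's own logs, which is the log-noise side effect the review mentions.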

The feature I missed most in the IP360 is remediation — resolving found problems by applying approved patches. This feature is generally deployed only for Windows systems but saves a lot of time and resources when every enterprise desktop requires a patch. nCircle may include remediation in a future release.

The IP360 can be costly. Pricing is not straightforward, because the solution not only requires the purchase of the VnE and a suitable number of DPs but also is licensed per IP address.

Although this cost may pale in comparison to the price of an intrusion or virus outbreak, it places the IP360 beyond the budget of many organizations. For those that can afford it, however, it’s a well-designed vulnerability scanning solution that can be of great benefit.

InfoWorld Scorecard: IP360 Vulnerability Management System

Category        Weight   Score
Scalability     20.0%    9.0
Configuration   20.0%    8.0
Performance     30.0%    9.0
Management      20.0%    9.0
Value           10.0%    8.0
Overall Score   100%     8.7