A stroke of luck: Whoever set up the PCs in the training room in which I spent four days forgot to remove the games from Windows. A combination of FreeCell, Minesweeper and Solitaire helped get me through the dull bits of the course.
Information technology courses are often a bit dull because the material is so dry, but that mostly wasn't the case with this one. I trained for several days on Internet Scanner and System Scanner from Internet Security Systems Inc. (ISS) in Atlanta, and the products appear to be extremely good and very interesting.
Both products are technical-vulnerability scanners - or what I call "gurus in a box." Run either of the products on your local environment, and they'll give you a detailed list of all the security vulnerabilities on that box, along with instructions on how to close those vulnerabilities.
This Week's Links
This page on ISS's Web site includes information about the company's SafeSuite scanning software, a software bundle that includes both the Internet Scanner and System Scanner products. Readers of previous columns will recall that I'm also evaluating a new version of our encryption software. For new security managers who need some background on encryption technology, here are a few links I have found helpful: Ron Rivest's page of cryptography links is an excellent resource. Bert-Jaap Koops' page of cryptography links includes a particularly useful survey of cryptography law worldwide. San Jose-based Counterpane Internet Security Inc.'s Web site is the online home of Bruce Schneier, author of Applied Cryptography (John Wiley & Sons, 1996), the best crypto textbook published, in my opinion.
This will be exceptionally useful to me. I don't have any spare staff to conduct detailed technical reviews of servers and network segments. Now, instead of having to buy more human technical expertise, I can just point and click and get a clear, concise and reliable report of all the problems.
One Slick Scanner
Internet Scanner will give me visibility of all network security issues on TCP/IP segments, and System Scanner will tell me all I need to know about Windows NT and Unix servers. Between the two of them, they'll cover about 95% of our environment, leaving out only a few legacy Macintoshes, IBM AS/400s and so on.
Even better, ISS has a department called the X-Force that continually updates these scanners in much the same way antivirus companies update antivirus scanners.
Internet Scanner is so slick and simple that you can tell ISS has been through many iterations of the product, refining it at every step. If I want to scan a network segment, I install the software on a laptop, patch the laptop into that network segment, select one of the predefined scanner policies and hit "Go." It's really that simple.
These predefined scanner policies tell the scanner what to look for, and ISS supplies five incremental policies that should satisfy most requirements.
The first policy just maps the network segment and tells you what operating systems are running on each network entity. The second policy gives you more details about the services each host is running, and the third finds glaring holes that even an amateur could get through.
The fourth finds holes that automated hacking tools could get through, and the fifth finds all possible vulnerabilities on the network segments.
In fact, when I ran Policy 5 on the classroom network, it quickly showed the hidden firewall that (presumably) separated that subnet from the rest of the building, and it even suggested a few ways of breaking through it.
These five main policies make it easy to build up security on a network one piece at a time, rather than swamping you with information right from the start. Alternatively, you can use strong policies to protect public-facing network segments and weaker policies to protect low-risk internal segments. All the functionality is there to modify or create your own policies to match your environment.
In fact, it's hard to find anything to complain about with the product. It does support only one database format for storing the results of scans (Microsoft Access 97), but that's a trivial issue. Maybe I'll find more problems with it when I start using it in our production environment.
System Scanner is quite different from Internet Scanner. It's designed to scan servers for detailed operating system vulnerabilities. One way of looking at the difference between the two scanners is that Internet Scanner shows you how hackers might break into your network, while System Scanner shows you what they could do once they have broken in - or even what insiders could do if they put their minds to it.
Digging Deeper
System Scanner operates at a much deeper level than Internet Scanner and is a younger and more complicated product - and it shows. The two days we spent on that product were plagued by crashes, application errors and strange inconsistencies in results that frequently stumped our otherwise knowledgeable trainer - and that was on a simple, controlled training network.
Although the technical-vulnerability scanning appears to have all the features you could need, the ancillary functions are somewhat lacking. Of course, the vulnerability scanning is the most important function, so you could say that as long as that works, then everything's fine.
However, the ancillary functions are what make a product usable and effective in the long run, and that's where System Scanner fails. The graphical user interface is poorly designed, in stark contrast to that of Internet Scanner.
The client/server/console architecture is poor; the server and console are combined into one application, making it very difficult to scale up implementations for large corporate environments. ISS issues regular product updates - a combination of application patches and scanner updates to look for new vulnerabilities - but the application has no means of checking which updates you've installed on which agent. (ISS says Version 4.1 can check the update level for each component.)
There's a feature to mark reported vulnerabilities as known "exceptions" - which is equivalent to saying, "I know about that vulnerability, and there's nothing I can do about it at the moment, so stop reporting it" - but there's no way to review or amend exceptions once they've been set. (ISS disputes this, but our trainer acknowledged that it can be unreliable.)
These are only examples - there are plenty of small problems like them, problems that individually are no more than irritations but that, en masse, build up to make the product look unprofessional and difficult to manage. That's a pity, because it will be very useful indeed, and I can see that we'll use it extensively.
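The incremental scan policies described earlier, and the exception-marking feature just discussed, both come down to how a scanner filters what it reports. The following is an added example, not ISS's code and not part of this column: it assumes hypothetical check identifiers and a constructed set of scan findings, and shows a policy level selecting which classes of finding are reported (level N reports everything levels 1 to N-1 report, plus its own class) together with an exception list that can be listed, amended and given an expiry date, which is the review capability the column found lacking.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# The five incremental policy levels, as the column describes them. These names
# are an illustration only, not ISS's own policy definitions.
POLICY_LEVELS = {
    1: "map hosts and identify operating systems",
    2: "enumerate services on each host",
    3: "glaring holes",
    4: "holes that automated tools could get through",
    5: "all known vulnerabilities",
}


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str       # hypothetical check identifier, not a real ISS check name
    level: int          # lowest policy level at which this finding is reported
    description: str


@dataclass
class KnownException:
    check_id: str
    host: Optional[str]       # None means the exception applies to every host
    reason: str
    expires: Optional[date]   # None means open-ended; prefer a date so it gets re-reviewed

    def covers(self, finding: Finding, today: date) -> bool:
        """True if this exception suppresses the finding on the given date."""
        if self.expires is not None and today > self.expires:
            return False  # an expired exception no longer hides anything
        if self.check_id != finding.check_id:
            return False
        return self.host is None or self.host == finding.host


class ScanResults:
    def __init__(self, findings):
        self.findings = list(findings)
        self.exceptions: dict[str, KnownException] = {}  # keyed by a local exception id
        self._next_id = 1

    def apply_policy(self, level: int) -> list[Finding]:
        """Everything a scan at this policy level would report."""
        if level not in POLICY_LEVELS:
            raise ValueError(f"unknown policy level {level}")
        return [f for f in self.findings if f.level <= level]

    def add_exception(self, check_id, host, reason, expires=None) -> str:
        exc_id = f"EXC-{self._next_id:03d}"
        self._next_id += 1
        self.exceptions[exc_id] = KnownException(check_id, host, reason, expires)
        return exc_id

    def list_exceptions(self) -> list[tuple[str, KnownException]]:
        """Review what has been marked as accepted, and why."""
        return sorted(self.exceptions.items())

    def amend_exception(self, exc_id: str, **changes) -> KnownException:
        """Change the host, reason or expiry of an existing exception."""
        exc = self.exceptions[exc_id]
        for field_name, value in changes.items():
            if not hasattr(exc, field_name):
                raise AttributeError(f"KnownException has no field {field_name!r}")
            setattr(exc, field_name, value)
        return exc

    def remove_exception(self, exc_id: str) -> None:
        del self.exceptions[exc_id]

    def report(self, level: int, today: date) -> tuple[list[Finding], list[Finding]]:
        """Findings at this policy level, split into (actionable, suppressed)."""
        actionable, suppressed = [], []
        for f in self.apply_policy(level):
            if any(e.covers(f, today) for e in self.exceptions.values()):
                suppressed.append(f)
            else:
                actionable.append(f)
        return actionable, suppressed


# Constructed sample findings for two hosts; not real scan output.
SAMPLE_FINDINGS = [
    Finding("10.0.0.1", "host-os", 1, "Host responds; OS fingerprint: Windows NT 4.0"),
    Finding("10.0.0.2", "host-os", 1, "Host responds; OS fingerprint: Solaris 2.6"),
    Finding("10.0.0.1", "svc-smb", 2, "SMB file sharing listening on TCP 139"),
    Finding("10.0.0.2", "svc-ftp", 2, "FTP service listening on TCP 21"),
    Finding("10.0.0.2", "ftp-anon-write", 3, "Anonymous FTP account allows uploads"),
    Finding("10.0.0.1", "smb-null-session", 4, "Null-session account enumeration permitted"),
    Finding("10.0.0.2", "sendmail-old", 5, "Sendmail below current patch level"),
]


def count_at_level(level: int) -> int:
    """How many findings a scan at the given policy level reports (constructed data)."""
    return len(ScanResults(SAMPLE_FINDINGS).apply_policy(level))


def summary_with_exception(today: date) -> tuple[int, int]:
    """(actionable, suppressed) at policy 5 with one dated exception on the Sendmail finding."""
    results = ScanResults(SAMPLE_FINDINGS)
    results.add_exception("sendmail-old", "10.0.0.2", "upgrade scheduled", expires=date(1999, 7, 1))
    actionable, suppressed = results.report(5, today)
    return len(actionable), len(suppressed)
```

The design point is the expiry date on each exception: an exception that is never revisited quietly becomes a permanent blind spot, whereas a dated one resurfaces in the next report after its deadline and forces a fresh decision.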
That said, given the professional job ISS has done on Internet Scanner, I'm sure it will bring System Scanner up to par in the next couple of releases.
So, given that the products are so interesting, why was the training course so dull? Well, as in many application training courses, the instructors seem to have tried to expand the content to fill the available space. A cynic might say that was to justify charging more for the privilege of attending.
I spent four days training on two applications, and I feel the instructors could have probably covered the same material in one day if they'd pushed a bit.
I'm not going to let any of this put me off from using the applications, but next time, I'll skip the training and hire a consultant for a day or two to go through it with us on-site.
• This journal is written by a real security manager, whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com to help you and our security manager - let's call him Jude Thaddeus - better solve security problems. Contact Jude at jude.t@lycos.com or click on Computerworld.com's Security Watch community forum to participate in discussion topics.