June 8, 1998 (Vol. 20, Issue 23)

SECURITY WATCH
BY STUART McCLURE & JOEL SCAMBRAY

Freeware scanners find network holes, thwart detection solutions

Defending your network from outside attack requires an intimate understanding of your enemy. One of the most important -- and most dangerous -- tools crackers will use to breach your security is a port scanner. Scanners were devised to help crackers quickly and accurately assess the portals of entry and weaknesses in targeted networks. Early scanning efforts included so-called "war dialers," which would automatically dial lists of phone numbers in search of the rare modem connection. Scanners have evolved along with the growth of network connectivity: Now some of the most powerful scanning tools around are freely available on the Internet. If you manage an enterprise-scale network with any kind of connection to the outside world, you can bet that someone has run one of these scanners against your network.

Bolster your defense

In order to see what crackers see when they knock at your door, it's important to test your network with freeware tools -- especially because crackers use these tools most often. You should also consider adding commercial port scanners such as Internet Security Systems' Internet Scanner and Secure Networks' (soon to be Network Associates) Ballista to your security toolkit -- we've tested both extensively. (See Enterprise Networking Product Reviews, Jan. 26, page 66C, and April 20, page 58A.)

To give you an idea of what you can expect from freeware tools, we stacked up two classic freeware scanners -- strobe and pscan -- against a versatile and powerful newcomer called nmap. The nmap 1.51 scanner is available from one of Security Watch's favorite hacker haunts, Fyodor's Playhouse (http://users.dhp.com/~fyodor/nmap).
This hacker has obviously done his homework in designing this tool -- it offers both flexibility and stealth features. Fyodor's site also has excellent information on port-scanning history, tools, and techniques (links to strobe and pscan can be found there as well). We compiled and ran each product on a 200-MHz Pentium MMX running Red Hat Linux 5.1.

nmap evades detection

Speed, stealth, and flexibility are the cornerstones of any good port scanner, and nmap didn't disappoint. It could target a user-defined range of addresses or port numbers and execute parallel port scanning. But stealth scanning is nmap's distinction -- it offers a variety of scan types, including SYN, FIN, FTP bounce, fragmentation, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and reverse ident scanning. In terms of speed, both strobe and pscan swiftly cut a swath through our Class C network. Although strobe is especially fast, it doesn't offer nmap's flexibility.

When we ran nmap on a network monitored by two market-leading intrusion-detection products, Abirnet's SessionWall-3 1.2.1 and Internet Security Systems' RealSecure 2.0, SessionWall-3 came out unscathed: it detected every scan we threw at it, including the SYN and FIN stealth scans. It even saw the dreaded fragmentation scan, which has been postulated to evade intrusion-detection products altogether. RealSecure detected the fragmented scan, but once the FIN flag was also set, it could detect only the IP fragmentation and not the port scan. It also missed, or gave false positives for, four of the 10 scans we ran.

Of course, implementing a robust firewall can thwart many probing attacks from port scanners. Nevertheless, we hope our findings alarm those of you who are too comfortable with your intrusion-detection solutions and encourage you to run freeware tools on your networks regularly. Otherwise someone else will do it for you -- from the wrong side of the fence.
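The column's point about the SYN, FIN and fragmented scans is that a sensor which keys only on completed connections, or only on the fragmentation itself, loses the port pattern. The toy detector below is an added example written for this page; it is not code from nmap, SessionWall-3 or RealSecure. It assumes a sensor that has already reassembled IP fragments and logs one line per TCP segment with the header flags plus a "was fragmented" marker; the log format, field names, sample records and thresholds are all this example's own constructions. It counts distinct target ports per source inside a sliding window, separately for SYN-only and FIN-only segments, so a bare-FIN sweep is reported as a scan even when every probe arrived fragmented.

```python
"""Toy port-scan detector over constructed packet records (added example)."""
from collections import defaultdict

SCAN_PORT_THRESHOLD = 5   # distinct (dst, port) pairs before a source is called a scanner
WINDOW_SECONDS = 10.0     # sliding window in which those pairs must occur

# Constructed sample log (not a real capture). Fields:
#   time_s  src  dst  dport  tcp_flags  fragmented(0/1)
# tcp_flags uses S=SYN, A=ACK, F=FIN; "SA" would mean SYN+ACK.
SAMPLE_LOG = """\
0.00 10.0.0.5 192.168.1.10 21 S 0
0.01 10.0.0.5 192.168.1.10 22 S 0
0.02 10.0.0.5 192.168.1.10 23 S 0
0.03 10.0.0.5 192.168.1.10 25 S 0
0.04 10.0.0.5 192.168.1.10 80 S 0
0.05 10.0.0.5 192.168.1.10 110 S 0
5.00 10.0.0.9 192.168.1.10 21 F 1
5.01 10.0.0.9 192.168.1.10 22 F 1
5.02 10.0.0.9 192.168.1.10 23 F 1
5.03 10.0.0.9 192.168.1.10 25 F 1
5.04 10.0.0.9 192.168.1.10 80 F 1
9.00 10.0.0.7 192.168.1.10 80 S 0
9.10 10.0.0.7 192.168.1.10 80 A 0
9.20 10.0.0.7 192.168.1.10 443 S 0
9.30 10.0.0.7 192.168.1.10 443 A 0
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of packet dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        t, src, dst, dport, flags, frag = line.split()
        records.append({"time": float(t), "src": src, "dst": dst,
                        "dport": int(dport), "flags": flags, "frag": frag == "1"})
    return records


def _max_distinct_targets(probes):
    """Largest number of distinct (dst, dport) pairs inside any WINDOW_SECONDS span."""
    best = 0
    for i, first in enumerate(probes):
        seen = set()
        for r in probes[i:]:
            if r["time"] - first["time"] > WINDOW_SECONDS:
                break
            seen.add((r["dst"], r["dport"]))
        best = max(best, len(seen))
    return best


def detect_scans(records):
    """Return {src: [finding, ...]} for every source whose traffic looks like a scan.

    A SYN-only burst to many ports is a SYN scan; it is "half-open" when the source
    never ACKs any of those targets and a "connect" scan otherwise. A FIN-only burst
    is a FIN stealth scan: a bare FIN with no prior handshake has no legitimate
    meaning, so the flag pattern alone is the signal. Fragmentation is reported as
    an attribute but never lowers the probe count, because probes are counted by
    flag pattern on the reassembled segments.
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    findings = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda r: r["time"])
        acked = {(r["dst"], r["dport"]) for r in pkts if "A" in r["flags"]}
        for flag in ("S", "F"):
            probes = [r for r in pkts if r["flags"] == flag]
            distinct = _max_distinct_targets(probes)
            if distinct < SCAN_PORT_THRESHOLD:
                continue
            if flag == "S":
                completed = any((r["dst"], r["dport"]) in acked for r in probes)
                kind = "SYN connect scan" if completed else "SYN half-open scan"
            else:
                kind = "FIN stealth scan"
            findings.setdefault(src, []).append({
                "type": kind,
                "distinct_ports": distinct,
                "fragmented": any(r["frag"] for r in probes),
            })
    return findings


def scan_report(log_text=SAMPLE_LOG):
    """Convenience wrapper: parse and detect in one call."""
    return detect_scans(parse_log(log_text))


if __name__ == "__main__":
    for src, hits in sorted(scan_report().items()):
        for h in hits:
            frag = " (fragmented)" if h["fragmented"] else ""
            print(f"{src}: {h['type']} across {h['distinct_ports']} ports{frag}")
```

On the constructed sample, 10.0.0.5 is reported as a SYN half-open scan across six ports, 10.0.0.9 as a fragmented FIN stealth scan across five ports, and 10.0.0.7, a client that completes two ordinary handshakes, is not reported at all. The threshold and window are deliberately crude; a production sensor would also have to handle the fragment reassembly this example assumes has already happened, which is exactly the step where the column found RealSecure losing the port pattern.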
Cryptography guru Bruce Schneier summed it up appropriately on Fyodor's site: "History has taught us: Never underestimate the amount of money, time, and effort someone will expend to thwart a security system."

Do you agree? What tools do you use to sleep soundly? Let us know at security_watch@infoworld.com.

Test Center Support Manager Stuart McClure and Technology Analyst Joel Scambray have managed information security in academic, corporate, and government environments for the past nine years. They currently test dozens of security products, from firewalls to security auditing solutions, in search of new ways to improve enterprise network security.

Copyright (c) 1998 InfoWorld Media Group Inc.