Goal of Vulnerability Assessment
Goal of network vulnerability assessment is to verify whether all deployed applications / special purpose servers are working normally without any major vulnerability/flaws or not. If we look at basic network structure we have some Antivirus , HIPS (Host based intruder prevention system), NIDS (Network based intruder detection system), NIPS(Network based intruder prevention system). We can verify these applications/servers by assessing then against various known vulnerability.
Scan for live HOST:
To assess any network for vulnerability we need to map the network. Network mapping can be done by scanning the network for live hosts. People do prefer some tools like NMAP which are capable of scanning the HOST against known vulnerability, operating system, services, known ports scanning, some worms/viruses like conflicker.
NMAP creates some RAW packets and send it to HOST and after getting reply from HOST it measures whether vulnerability exist or not. In most of the cases any vulnerability scanner uses NMAP as backend application to scan vulnerability. NMAP mostly works with command line but for beginners and windows users ZENMAP is the GUI version of NMAP. GUI version has some extra facility like profile save, tabbed environment.
As beginner I would prefer to go with ZENMAP but once you are expert of using NMAP move to command line to explore more of NMAP. We will look at more about how to use NMAP or ZENMAP in special post. Following are the screenshots from NMAP command line which will help to understand the look and feel.
Some systems may be disconnected from the network, make sure to scan those systems as well. For example there is one system with windows XP sp2 and that is not connected to network, This system may have firewire exploit within it. One can attach firewire device and try to exploit it. This vulnerability is not a network vulnerability it is OS level vulnerability and should be fixed.
As above image shows we require various types of vulnerability scanners. For example at user level we need to verify Anti-virus, Anti-adware, Anti-Spyware and Anti phishing, at Transport layer we need to verify protocol level vulnerability, At Access layer we need to check for Access control, Authentication, Cryptography, Firewalls, VPN, Web Application Firewalls. At network layer we need to access Firewall, Network Scanners, VPN and Intrusion Detection. At last At application layer we need to verify application vulnerability and source code.
Any vulnerability scanner consists of following major components.
- Database of known vulnerability
- Scan engine
- Administrator Console
- Scan results
When vulnerability scanner administrator starting any scan it will first of all check the database available for scanning, it will then start sending specially crafted packets to target hosts and try to get details about the vulnerability. It is required to update vulnerability database on daily basis / before starting any scanning.
In next post we will look at
- Local Scan Vs. Central Scanning
- Defense in Depth
- Tools for Vulnerability Scanning