</SELECT>
</font></td>
</tr>
</table>
</form>
<!-- LEFT NAV SEARCH END -->
</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=7//-->
<!--PAGES=209-211//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="../ch06/206-208.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="211-214.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H2><A NAME="Heading1"></A><FONT COLOR="#000077">Chapter 7<BR>Vulnerability Scanners
</FONT></H2>
<P>A scanner is an IDS that performs a periodic assessment of risks on your system: it looks for vulnerabilities that might open up your system to threats. Intrusion detection scanners look for potential problems with your system that might result from the following:
</P>
<DL>
<DD><B>•</B> A back-level (out-of-date) version of a software program that is known to have an exploit
<DD><B>•</B> A configuration error resulting from an out-of-the-box installation with known holes
<DD><B>•</B> An administrative error that places the system in an unsafe state, with the problem residing in either an operating system configuration <I>or</I> an application configuration
<DD><B>•</B> Known rogue programs that someone may have planted on your system
</DL>
<P>In this chapter, you will learn about some vulnerability scanners that look for weaknesses in UNIX systems. (NT scanners are discussed in Chapter 10, which deals exclusively with NT IDSs.) When you complete the chapter, you should be able to identify the role of vulnerability scanners in your environment. You will see the types of problems that scanners can detect, how they can be spoofed, and why they are an important security product to have in your arsenal.
</P>
<H3><A NAME="Heading2"></A><FONT COLOR="#000077">What Is a Scanner?</FONT></H3>
<P>First, you should know that scanning intrusion detection products are <I>not</I> the same as network sniffers. Vulnerability scanners do not look at network traffic in real time. Instead, they are run periodically against <I>systems</I> to look for problems. A product that looks at intrusions as they occur in real time is really dealing with <I>threats</I>, not with <I>vulnerabilities</I>. Real-time IDSs catch hackers while they are on your system. Scanners examine your systems for cracks that someone can sneak through or for evidence of intrusions after they have occurred.</P>
<P>Two main types of scanners are available:</P>
<DL>
<DD><B>•</B> A local scan is run on a node by a software program that resides on the node itself. This operation is introspective because the node is examining itself.
<DD><B>•</B> A remote scan is run over the network <I>against</I> the target node by probing it for vulnerabilities. The IDS software is actually running on an administrative system and scanning the target across the network.
</DL>
<P>A scanner might probe multiple systems in the network. To do so, it attempts network attacks against each target node to look for potential holes in that target. Although network packets are sent from the scanning system to the target, the scanner itself is not actively sniffing all network packets to look for problems.
</P>
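<P>The following is an added example, not code from the book or from any scanner product it discusses: a minimal remote scan in Python that connects to a target port, reads the service banner, and compares the advertised version with a table of back-level versions (the first kind of problem listed at the start of the chapter). Everything it touches is constructed for illustration: the target is a throwaway TCP listener on 127.0.0.1 started inside the script, the banner text is made up, and <CODE>KNOWN_BAD_VERSIONS</CODE> is a placeholder table, not real advisory data.</P>

```python
"""Added example (not from the book): a minimal remote vulnerability scan.

The scanner connects to a target port, reads the service banner, and checks
the advertised version against a table of back-level versions that are
assumed to have a known exploit.  To keep the example self-contained and
offline, a throwaway TCP server on 127.0.0.1 plays the target node and serves
a constructed banner.  The version table is constructed for illustration and
is NOT real advisory data.
"""
import re
import socket
import threading

# Constructed table: service name -> versions assumed to be back-level.
KNOWN_BAD_VERSIONS = {
    "wu-ftpd": {"2.4.1", "2.4.2"},
    "sendmail": {"8.8.4"},
}

# Matches "(name 1.2.3)", "(name/1.2.3)" or "(name-1.2.3)" inside a banner.
BANNER_RE = re.compile(r"\(([A-Za-z][\w-]*)[ /-](\d+(?:\.\d+)+)\)")


def parse_banner(banner):
    """Return (service, version) advertised in a banner such as
    '220 host FTP server (wu-ftpd 2.4.2) ready.'; (None, None) if absent."""
    m = BANNER_RE.search(banner)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


def assess(service, version):
    """Return a finding string if the version is back-level, else None."""
    if service in KNOWN_BAD_VERSIONS and version in KNOWN_BAD_VERSIONS[service]:
        return f"{service} {version} is a back-level version with a known exploit"
    return None


def probe(host, port, timeout=2.0):
    """Remote scan step: connect, read the banner, return (banner, finding).

    Only the scanner's own packets go on the wire; nothing else is sniffed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(256).decode("ascii", "replace").strip()
    service, version = parse_banner(banner)
    return banner, assess(service, version)


def fake_target(banner):
    """Start a throwaway listener on 127.0.0.1 that sends `banner` to the first
    client and closes.  Stands in for the target node; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner.encode("ascii"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


# Constructed banner from a (hypothetical) back-level FTP daemon.
VULNERABLE_BANNER = "220 ftp.example.test FTP server (wu-ftpd 2.4.2) ready.\r\n"


def scan_constructed_target(banner=VULNERABLE_BANNER):
    """Run the remote probe against a constructed target serving `banner`."""
    port = fake_target(banner)
    return probe("127.0.0.1", port)


if __name__ == "__main__":
    got_banner, finding = scan_constructed_target()
    print("banner :", got_banner)
    print("finding:", finding or "none")
```

<P>Note what the probe does and does not do: it sends its own packets to the target and reads the reply, but it never captures other traffic on the wire, which is the distinction drawn above between a scanner and a sniffer. A banner check of this kind is also the easiest one to defeat, because the advertised version string can be changed without changing the code behind it, so a serious scanner backs it with a check that actually exercises the suspected flaw.</P>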
<H3><A NAME="Heading3"></A><FONT COLOR="#000077">Characteristics of Scanners</FONT></H3>
<P>Local and remote scanners share common characteristics. Rather than looking for events as they occur in real time, <I>scanners examine the state of a system periodically</I>. One potential advantage of interval scanning is that <I>resource utilization is less</I> on the average than that required for real-time monitoring. Intuitively, this is easy to see because you are consuming resources only when the scanner is active rather than constantly watching events as they occur.</P>
<P>Scanners make a sweep of the system’s configuration to look for vulnerabilities. Scanning the system for problems will reveal weaknesses or holes that lead to cracks. A real-time monitor will miss configuration problems because it is primarily designed to catch hackers <I>in the act</I>, rather than to look for vulnerabilities that can be exploited later. For example, a real-time detector is not much help in finding problems with a fresh, out-of-the-box configuration. Thus, scanners and real-time IDSs are complementary.</P>
<P>Because the scanners are run periodically, they will not be able to detect events as they occur. Vulnerability scanners try to prevent problems by alerting you to flaws in advance. If a hacker manages to bypass your security defenses and introduce a vulnerability in your system, the scanner should detect the exposure the next time it is activated. For example, if the scanner looks for root equivalent accounts on a system, it will detect that a hacker has created a root account on the system the next time a scan is performed. How do scanners improve your security?</P>
<DL>
<DD><B>•</B> Scanners prevent intrusions and misuses by alerting you to vulnerabilities in advance, even if they result from accidental configuration errors.
<DD><B>•</B> Scanners detect vulnerabilities that arise in your system as a consequence of an intrusion or misuse.
</DL>
<P>Of course, the hacker’s challenge is to know what the scanner looks for and to cover tracks to avoid detection. Because many vendors publish the list of problems they look for, a wise cracker can use this information to avoid activities that will be flagged.
</P>
<P>When you look at scanning products, it’s important to know that some types of weaknesses can be found only by running the scan locally on the node of interest. If the system is locked down so that no network attacks are possible, local file system permission problems or SUID programs may still lead to system compromise. Even if you have a system that is not connected to a network and has only directly attached terminals, you can have vulnerabilities.</P>
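<P>The following is an added example, not from the book: a small local (introspective) scanner in Python that applies three of the checks described in this chapter, the root-equivalent-account check from the earlier paragraph and the SUID-program and file-permission checks from the paragraph above, to constructed data. <CODE>SAMPLE_PASSWD</CODE>, <CODE>SAMPLE_FILES</CODE> and the <CODE>EXPECTED_SUID</CODE> allow-list are all made up for illustration; the <CODE>scan_host()</CODE> function runs the same checks against the live file system.</P>

```python
"""Added example (not from the book): a small local vulnerability scanner.

Three checks the chapter mentions, applied to constructed data so the script
is self-contained:
  * root-equivalent accounts: passwd entries with UID 0 other than 'root'
  * SUID-root programs outside an expected allow-list (a planted SUID shell)
  * world-writable files (a permission problem exploitable without the network)
scan_host() applies the same checks to the real file system.
"""
import os
import stat
from dataclasses import dataclass

# Constructed /etc/passwd excerpt; 'toor' is a planted UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup root:/tmp:/bin/sh
"""


@dataclass
class FileRecord:
    path: str
    mode: int   # st_mode: file type plus permission bits
    uid: int


# Constructed records standing in for lstat() results.
SAMPLE_FILES = [
    FileRecord("/usr/bin/passwd", 0o104755, 0),        # expected SUID-root program
    FileRecord("/tmp/.x/sh", 0o104755, 0),             # planted SUID-root shell copy
    FileRecord("/etc/hosts", 0o100666, 0),             # world-writable config file
    FileRecord("/home/alice/.profile", 0o100644, 1000),
]

# Hypothetical allow-list of SUID-root programs expected on this host.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/su"}


def root_equivalent_accounts(passwd_text):
    """Return usernames with UID 0 other than 'root'."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed line; not this check's job
        if int(fields[2]) == 0 and fields[0] != "root":
            found.append(fields[0])
    return found


def unexpected_suid(records, expected=EXPECTED_SUID):
    """Return paths of regular SUID-root files not on the allow-list."""
    return [r.path for r in records
            if stat.S_ISREG(r.mode) and r.mode & stat.S_ISUID
            and r.uid == 0 and r.path not in expected]


def world_writable(records):
    """Return paths of regular files with the world-write bit set."""
    return [r.path for r in records
            if stat.S_ISREG(r.mode) and r.mode & stat.S_IWOTH]


def scan(passwd_text, records):
    """Run all checks; return a list of (check name, user or path) findings."""
    findings = [("root-equivalent account", u)
                for u in root_equivalent_accounts(passwd_text)]
    findings += [("unexpected SUID-root program", p)
                 for p in unexpected_suid(records)]
    findings += [("world-writable file", p) for p in world_writable(records)]
    return findings


def collect_records(root):
    """Walk a real directory tree and build FileRecords from lstat()."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip
            out.append(FileRecord(path, st.st_mode, st.st_uid))
    return out


def scan_host(root="/usr", passwd_path="/etc/passwd"):
    """Run the same checks against the live system."""
    with open(passwd_path) as f:
        return scan(f.read(), collect_records(root))


if __name__ == "__main__":
    for check, item in scan(SAMPLE_PASSWD, SAMPLE_FILES):
        print(f"{check}: {item}")
```

<P>Keeping the checks as pure functions over records, with the file-system walk separated out, makes them testable without a root shell and lets the same logic run against a saved snapshot of a system. It also shows why the checks must overlap, given the evasion point made earlier in the chapter: a scanner that only looked for UID 0 entries in the password file would miss the planted SUID shell copy, and one that only looked at the network would miss both.</P>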
<P>One desirable feature of scanners is that they do not introduce new data sources. System-level IDSs require that you turn on auditing or syslog if you are not already doing so. Scanners discover vulnerabilities by looking at configuration data or by attempting to carry out an attack.</P><P><BR></P>
<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- BEGIN SUB FOOTER -->
<br><br>
</TD>
</TR>
</TABLE>
<table width="640" border=0 cellpadding=0 cellspacing=0>
<tr>
<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
<!-- END SUB FOOTER -->
<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- FOOTER -->
<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1">Use of this site is subject to certain <a href="/agreement.html">Terms & Conditions</a>, <a href="/copyright.html">Copyright © 1996-1999 EarthWeb Inc.</a><br>
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
</tr>
</table>
</BODY>
</HTML>
<!-- END FOOTER -->