About This Guide
This preface describes:
The guide explains how to install and use Cisco Secure Scanner (formerly sold as NetSonar), the vulnerability scanning and network mapping software.
This guide is intended for users who have either purchased or are evaluating the Scanner. This guide provides information for those users who need to perform the following tasks:
- Install and configure the Scanner
- Operate the Scanner to scan or probe a network for vulnerabilities
- Learn more about network vulnerabilities and network security
This guide is organized into the following chapters and appendixes:
- Chapter 1, "Cisco Secure Scanner Overview," provides a basic overview of the Scanner features and components, and the various tasks you can perform using this network mapping and vulnerability analysis tool.
- Chapter 2, "Installing Cisco Secure Scanner for Windows NT," identifies the hardware, software, and operating system requirements for the Scanner for Windows NT and explains how to install the Scanner software. It also explains how to uninstall, start, and stop the Scanner for Windows NT.
- Chapter 3, "Installing Cisco Secure Scanner for Solaris," identifies the hardware, software, and operating system requirements for the Scanner for Solaris and explains how to install the Scanner software. It also explains how to uninstall, start, and stop the Scanner for Solaris.
- Chapter 4, "Licensing Cisco Secure Scanner," explains the procedure for licensing the Scanner software.
- Chapter 5, "Using Cisco Secure Scanner," explains how to set up the user preferences for the Scanner.
- Chapter 6, "Creating Sessions," gives instructions on how to set up sessions for a single IP address and for ranges of IP addresses.
- Chapter 7, "Viewing Data Results," explains how to view session results.
- Chapter 8, "Creating Charts," gives instructions for creating charts from session data obtained.
- Chapter 9, "Generating Reports," gives instructions for generating reports from session data.
- Chapter 10, "Network Security Database," explains what the NSDB is and how to use it.
- Appendix A, "Customizing Reports," provides information on how to customize reports according to your needs.
- Appendix B, "User-defined Rules," explains how to write your own vulnerability rules for the Scanner.
- Appendix C, "Troubleshooting," provides information for resolving issues with the Scanner.
This section defines various terms denoting Scanner-specific functions and capabilities used throughout this guide.
AAA
- authentication, authorization, and accounting (pronounced "triple a").
Active Audit
- The systematic implementation of the security policy. To actively audit is to verify, detect intrusions and anomalies, and report findings.
address
- Data structure or logical convention used to identify a unique entity, such as a particular process or network device.
anonymous FTP
- Allows a user to retrieve documents, files, programs, and other archived data from anywhere on the Internet without having to establish a userid and password. By using the special userid of anonymous, the network user will bypass local security checks and will have access to publicly accessible files on the remote system. See FTP.
API
- Application Programming Interface. Specification of function-call conventions that defines an interface to a service.
ASCII
- American Standard Code for Information Interchange. 8-bit code for character representation (7 bits plus parity). Also used to mean a text file containing only letters, numbers, and symbols; an ASCII file contains no formatting.
authentication
- The verification of the identity of a person or process.
axis
- The rows and columns in the Grid Browser.
chart
- The Scanner uses charts (pie, bar, column, and so forth) to display session data.
Client/Server Computing
- Term used to describe distributed computing (processing) network systems in which transaction responsibilities are divided into two parts: client (front end) and server (back end). Both terms (client and server) can be applied to software programs or actual computing devices. Also called distributed computing (processing).
confirmed vulnerability (vc)
- A vulnerability that the Scanner has confirmed by using active probing techniques.
data pivoting
- The ability to change your perspective on the data in the Grid Browser, for example, to view all hosts running a particular service, all services associated with one host, all vulnerabilities associated with one host, or all hosts with a particular vulnerability.
DNS
- Domain Name System. System used in the Internet for translating names of network nodes into addresses.
DoS
- Denial of service. One user takes up so much of a shared resource that none of the resource is left for other users. Denial of service attacks compromise the availability of the resources, for example, processes, disk space, percentage of CPU, printer paper, modems, or the time of a system administrator. This results in degradation or loss of service.
drilling down
- Double-clicking an object, icon, or token on a tree that brings you "down" to the next level below that object. For example, in the Grid Browser you can drill down from a cell to view host-level detail.
electronic map
- A profile of all live hosts at the particular time a Scanner session is run.
encryption
- The process of making information indecipherable to protect it from unauthorized viewing or use, especially during transmission or when it is stored on a transportable magnetic medium.
exploit
- A set of one or more procedures that takes advantage of one or more vulnerabilities in order to gain access to a system, deny system services to valid users, or collect system information that may reveal additional vulnerabilities.
firewall
- Router or access server, or several routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network.
FTP
- File Transfer Protocol. Application protocol, part of the TCP/IP protocol stack, used for transferring files between network nodes. FTP is defined in RFC 959.
Grid Browser
- The Scanner's patent-pending, multidimensional database that shows the results of a given Scanner session in tabular form. It uses a hyperlinked spreadsheet to present the data accumulated per session.
host
- Any device that is attached to a network and uses TCP/IP.
HTML
- Hypertext Markup Language. Simple hypertext document formatting language that uses tags to indicate how a given part of a document should be interpreted by a viewing application, such as a Web browser.
HTTP
- Hypertext Transfer Protocol. The protocol used by Web browsers and Web servers to transfer files, such as text and graphic files.
ICMP
- Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other information relevant to IP packet processing. Documented in RFC 792.
IP
- Internet Protocol. Network layer protocol in the TCP/IP stack offering a connectionless internetwork service. IP provides features for addressing, type-of-service specification, fragmentation and reassembly, and security. Defined in RFC 791.
IP Address
- Internet Protocol Address. Used to identify a node on a network and to specify routing information. Each node on the network must be assigned a unique IP address, which is made up of the network ID plus a unique host ID assigned by the network administrator. This address is typically represented in dotted decimal notation with the decimal value of each octet separated by a period (for example, 172.16.0.0).
LAN
- Local Area Network. A group of computers and other devices dispersed over a relatively limited area and connected by a communications link that enables any device to interact with any other on the network.
MD5
- Message Digest 5. Algorithm used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness. See also SNMP2.
NFS
- Network File System. A service for distributed computing systems that provides a distributed file system, thus eliminating the need to keep multiple copies of files on separate computers.
NSDB
- Network Security Database. A Cisco-proprietary, HTML database that is a comprehensive repository of vulnerability rules that identifies known security risks. It explains the impact a particular vulnerability can have on your network, gives potential countermeasures, and links to specific web sites for more information.
nudge
- Nonintrusive queries that the Scanner uses to get security-relevant information. The Scanner interrogates network services by issuing special, protocol-specific commands when simply connecting to an active network service does not yield the vulnerability information for which it is searching.
packet
- Logical grouping of information that includes a header containing control information and (usually) user data. Packets are most often used to refer to network layer units of data. The terms datagram, frame, message, and segment are also used to describe logical information groupings at various layers of the OSI reference model and in various technology circles.
password
- A security measure used to restrict logons to user accounts and access to computer systems and resources. A password is a unique string of characters that must be provided before a logon or access is authorized.
ping
- packet internet groper. ICMP echo message and its reply. Often used in IP networks to test the reachability of a network device.
port
- Interface on an internetworking device (such as a router).
port scan
- An attempt to count the services running on a machine by probing each port for a response. Also known as a port sweep.
potential vulnerability (vp)
- Information retrieved from the target host that suggests the vulnerability may exist. The Scanner has not attempted to exploit it in order to confirm it. The Scanner shows potential vulnerabilities based solely on the fact that a certain version of an operating system or application has been found in a certain scanned host.
probe
- A probe is an intrusive analysis technique that uses the information obtained during scanning to more fully interrogate each network device. The probe uses well-known exploitation techniques to fully confirm each suspected vulnerability as well as to detect any vulnerabilities that cannot be found using nonintrusive techniques.
protocol
- Formal description of a set of rules and conventions that govern how devices on a network exchange information.
report
- The Scanner generates reports that contain the session data. There are three default report types available in the Scanner's Report Wizard: executive report, brief technical report, and full technical report. You can also create custom reports.
report template
- An HTML template that the Scanner uses to generate reports with information gathered from Scanner sessions. You can customize the templates according to your needs.
Report Wizard
- The Scanner uses a report wizard to generate reports. With the Report Wizard, you can choose which report components you need in your report and in which order you want them to appear.
RFC
- Request For Comments. Document series used as the primary means for communicating information about the Internet. Some RFCs are designated by the IAB as Internet standards. Most RFCs document protocol specifications such as Telnet and FTP, but some are humorous or historical. RFCs are available online from numerous sources.
rlogon
- remote logon. Occurs when a user is already logged on to a user account and makes a network connection to another computer.
router
- Network layer device that uses one or more metrics to determine the optimal path along which network traffic should be forwarded. Routers forward packets from one network to another based on network layer information. Occasionally called a gateway (although this definition of gateway is becoming increasingly outdated).
RPC
- remote-procedure call. Technological foundation of client-server computing. RPCs are procedure calls that are built or specified by clients and executed on servers, with the results returned over the network to the clients. See also Client/Server Computing.
rsh
- remote shell. Protocol that allows a user to execute commands on a remote system without having to log in to the system. For example, rsh can be used to remotely examine the status of a number of access servers without connecting to each communication server, executing the command, and then disconnecting from the communication server.
scan
- A scan is a nonintrusive analysis technique that identifies the open ports found on each live network device and collects the associated port banners found as each port is scanned. Each port banner is compared against a table of rules to identify the network device, its operating system, and all potential vulnerabilities.
security policy
- A comprehensive corporate policy that outlines your plans for network security.
Security Wheel
- A symbol that depicts the constant need to follow five steps to maintain network security---create a corporate security policy; secure the network; monitor the network and respond to attacks; test existing security safeguards; and manage and improve corporate security.
service
- A process that performs a specific system function and often provides an application programming interface (API) for other processes to call. Windows NT services are RPC-enabled, meaning that their API routines can be called from remote computers.
SGMP
- Simple Gateway Monitoring Protocol. Network management protocol that was considered for Internet standardization and later evolved into SNMP. Documented in RFC 1028. See also SNMP.
SMTP
- Simple Mail Transfer Protocol. SMTP is a member of the TCP/IP suite of protocols that governs the exchange of electronic mail between message transfer agents.
SNMP
- Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. See also SGMP and SNMP2.
SNMP2
- SNMP Version 2. Version 2 of the popular network management protocol. SNMP2 supports centralized as well as distributed network management strategies, and includes improvements in the SMI, protocol operations, management architecture, and security. See also SNMP.
SPA
- Security Posture Assessment. A comprehensive security analysis of large-scale, distributed client networks conducted by Cisco Systems engineers.
TCP
- Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
TCP/IP
- Transmission Control Protocol/Internet Protocol. Common name for the suite of protocols developed by the U.S. DoD in the 1970s to support the construction of worldwide internetworks. TCP and IP are the two best-known protocols in the suite.
Telnet
- Standard terminal emulation protocol in the TCP/IP protocol stack. Telnet is used for remote terminal connection, enabling users to log in to remote systems and use resources as if they were connected to a local system. Telnet is defined in RFC 854.
TFTP
- Trivial File Transfer Protocol. Simplified version of FTP that allows files to be transferred from one computer to another over a network.
UDP
- User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768.
user rules
- Rules written by the user that are part of the vulnerability rules. These rules run after all other Scanner rules have run. They are useful for finding company-specific strings and for writing rules for new vulnerabilities between Scanner rules updates.
vulnerability
- One or more attributes of a computer or a network that permit a subject to initiate patterns of misuse on that computer or network.
vulnerability rules
- Rules used to flag a potential vulnerability, for example, a rule that identifies what the scanned host's operating system is, which ports it has open, and so forth.
zooming
- The ability of the Scanner to expand or compress the Grid Browser up/down or right/left thus showing more or less data detail. This increase and decrease of data resolution within the grid is analogous to how a zoom lens provides greater or less magnification of an image.
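The scan, potential vulnerability (vp), confirmed vulnerability (vc), and user rules entries above describe one pipeline: a scan collects a banner per open port, each banner is compared against a rule table, matches are flagged as potential vulnerabilities, a probe may confirm them, and user rules run after all Scanner rules. The following Python sketch is an added illustration of that pipeline and is not the Scanner's own code; the rule names, regular expressions, and sample banners are constructed for the example and are not NSDB rules.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str          # hypothetical rule name, not an NSDB identifier
    port: int          # 0 means the rule applies to any port
    pattern: str       # regular expression applied to the port banner
    is_user_rule: bool = False


@dataclass
class Finding:
    host: str
    port: int
    rule: str
    status: str        # "vp" = potential vulnerability, "vc" = confirmed by a probe


# Constructed Scanner-style rules keyed on the banner a scan collects.
SCANNER_RULES = [
    Rule("OLD-FTPD-BANNER", 21, r"ftpd \(Version 1\."),
    Rule("TELNET-OPEN", 23, r"."),
]

# User rules run after every Scanner rule; this one looks for a
# company-specific string, the use case the glossary gives for them.
USER_RULES = [
    Rule("ACME-INTERNAL-BUILD", 0, r"acme-internal", is_user_rule=True),
]


def scan_host(host, banners, confirmed=frozenset()):
    """Compare each collected banner against the rule table.

    banners:   {port: banner text} as gathered by the nonintrusive scan step.
    confirmed: names of rules that a later probe step has confirmed; those
               findings are reported as vc, everything else stays vp.
    """
    findings = []
    for rule in SCANNER_RULES + USER_RULES:       # user rules always last
        for port, banner in sorted(banners.items()):
            if rule.port not in (0, port):
                continue
            if re.search(rule.pattern, banner, re.IGNORECASE):
                status = "vc" if rule.name in confirmed else "vp"
                findings.append(Finding(host, port, rule.name, status))
    return findings


def pivot_by_rule(findings):
    """Data pivoting as the Grid Browser does it: rule -> affected host:port."""
    view = {}
    for f in findings:
        view.setdefault(f.rule, []).append(f"{f.host}:{f.port}")
    return view


# Constructed sample banners for a single scanned host.
SAMPLE_BANNERS = {
    21: "220 host1 ftpd (Version 1.2.3) ready.",
    23: "acme-internal telnet gateway",
    80: "HTTP/1.0 200 OK",
}

if __name__ == "__main__":
    for f in scan_host("host1", SAMPLE_BANNERS, confirmed={"OLD-FTPD-BANNER"}):
        print(f)
```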
In addition to this guide, other printed and online documentation is available to assist you in learning about and using the Scanner.
- Cisco Secure Scanner CD-ROM Booklet---Contains installation and licensing information.
- Cisco Secure Scanner Help---The contents of this guide are available in online help format. You can access this online help by clicking Help on the About menu of Cisco Secure Scanner's main screen.
- Cisco Secure Scanner Version 2.0 Release Notes---A list of the enhancements from the last version of the Scanner and a list of the known limitations and caveats.
- Network Security Database---An HTML database that explains the nature and meaning of the vulnerabilities that the Scanner detects.
This guide uses the following conventions:
- Scanner services, important terminology, and variable input for commands are shown in italics.
- Command names, buttons, and keywords are shown in boldface.
- Examples depict screen displays in screen font.
- Information you need to enter in examples is shown in boldface screen font.
- Variables for which you must supply a value are shown in italic screen font.
- Choosing a menu item is indicated by the following convention:
- Click Show>Context on the Security menu.
Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in the manual.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Tips Means the following are useful tips.
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Thu Jun 29 14:06:22 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.