This chapter describes how to use the Scanner to create sessions consisting of passive network scans that look for potential vulnerabilities as well as active probes that confirm vulnerabilities. It provides a master procedure that includes configuring single-host, multiple-host, and Class C network sessions, and explains ping operation configurations.
This chapter includes the following sections:
A Scanner session consists of either a scan or a probe that you configure to search your network for potential and confirmed security weaknesses. Scans include nudges, which are not user-configurable, but rather work in the background during the scan to obtain more information. With the information gathered from a session, you can then create a comprehensive security policy that can be reassessed and updated on a regular basis. You can schedule network sessions at different days and times, as well as on a recurring basis so that you are always aware of the state of your network security.
A scan is a passive analysis technique that identifies the open ports found on each live network device and collects the associated banners from these open ports. Each port banner is compared against a database of rules to identify the network device type, its operating system, and all potential vulnerabilities.
A nudge performs additional nonintrusive queries when needed. As the Scanner scans network hosts for active TCP and UDP ports, it also collects "banners" from the listening services. These banners include login prompts from Telnet servers, version messages from SMTP servers, FTP server authentication prompts, and so on. Most of this banner information is collected when the Scanner connects to the port in question and captures the response from the server. In some cases the Scanner must interrogate network services further by issuing special, protocol-specific commands (nudges) to get security-relevant information. Nudges are executed automatically when the services they are designed to query are discovered on a network host.
A probe is an active analysis technique that uses the information obtained during a scan to more fully interrogate each network device. The probe uses well-known exploitation techniques to fully confirm each suspected vulnerability as well as to detect any vulnerabilities that cannot be found using passive techniques.
The main difference between a Scanner scan and a Scanner probe is that the scan is nonintrusive while the probe actively confirms the presence of known vulnerabilities.
Before the Scanner can display and report network vulnerabilities, it must first execute a session based on the criteria that you define. These criteria include the following and are defined in the Session Configuration dialog box.
You can schedule a session to run immediately upon configuring it, at random times, or on specific days and times. You can also schedule the Scanner to scan or probe your network using various recurrence patterns. See the section "Scheduling Sessions" found later in this chapter for detailed information on using the scheduling function of the Scanner.
Together, this information comprises a scan or a probe session. The Scanner comes with sample sessions. Right-click the samples under the Scanner Sessions folder to view them and become familiar with them.
To enable the Scanner to scan your network, you must configure a session in the Session Configuration dialog box. The following master procedure contains the steps for configuring a single-host session, a multiple-host session, excluding an IP address from a multiple-host session, and excluding a range of IP addresses from a multiple-host session.
Tips: Session data can only be viewed on the machine on which the Scanner is installed.
This section includes the following topics:
To create a session, follow these steps:
Step 1 Right-click the Scanner Sessions folder, and then click Create New Session, or click Create New Session on the toolbar.
This opens the Session Configuration dialog box, where you configure your session.
Step 2 Click the Network Addresses tab (default).
Step 3 Select the Scan network check box (default).
See the section "Exporting and Importing Session Data" found later in this chapter for information on the Import previous scan data option.
Step 4 Select the Enable DNS Resolution check box if you want to find out whether the IP address that you are scanning is associated with a name.
Step 5 Click Add to insert a data line.
Step 6 If you are configuring a session for a single host, see Step 7. If you are configuring a session for a range of hosts, see Step 8. If you want to exclude an address from a range of hosts, see Step 9. If you are excluding a range of IP addresses from a range of hosts, see Step 10.
Step 7 For a single host:
(a) Click the IP Address Begin field and type a valid IP address of a single host.
(b) Leave the Excluded Address, IP Address End, Force Scan, Ping Timeout, and Ping Retries fields at the default settings when scanning a single IP address.
See the section "Configuring Ping Operation" found later in this chapter for more information on the ping functions of the Scanner.
Step 8 For a range of hosts:
(a) Click the IP Address Begin field and type the first (lowest) IP address.
Caution: Make sure you type the lowest IP address in the IP Address Begin field. The Scanner does not respond to descending address ranges.
(b) Click the IP Address End field and type the last (highest) IP address.
(c) Leave the Excluded Address, Force Scan, Ping Timeout, and Ping Retries fields at the default settings when scanning a range of IP addresses.
See the section "Configuring Ping Operation" found later in this chapter for more information on the ping functions of the Scanner.
Step 9 To exclude an address from the range of hosts:
(a) Click Add to insert another data line.
(b) Select the Excluded Address check box.
(c) Click the IP Address Begin field and type the IP address to be excluded.
(d) Leave the Force Scan, Ping Timeout, and Ping Retries fields at the default settings.
See the section "Configuring Ping Operation" found later in this chapter for more information on the ping functions of the Scanner.
Step 10 To exclude a range of addresses from a range of hosts:
(a) Click Add to insert another data line.
(b) Select the Excluded Address check box.
(c) Click the IP Address Begin field and type the first (lowest) IP address in the range to be excluded.
(d) Click the IP Address End field and type the last (highest) IP address in the range to be excluded.
(e) Leave the Force Scan, Ping Timeout, and Ping Retries fields at the default settings.
See the section "Configuring Ping Operation" found later in this chapter for more information on the ping functions of the Scanner.
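As an added illustration of Steps 7 through 10 and of the ping options they reference (this is example code written for this page, not part of the Scanner or its documentation), the following Python models the Network Addresses data lines, expands included ranges, subtracts excluded addresses and ranges, rejects a descending range as the Caution above warns, and then runs a simulated ping sweep with and without Force Scan. The `AddressLine` model, the retry semantics (Ping Retries counted as extra attempts), the `192.0.2.x` addresses and the set of hosts that answer ping are all constructed assumptions; no packets are sent.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set

IPv4 = ipaddress.IPv4Address


@dataclass
class AddressLine:
    """One data line on the Network Addresses tab (hypothetical model; field names follow the dialog)."""
    begin: str                    # IP Address Begin
    end: Optional[str] = None     # IP Address End; None means a single host
    excluded: bool = False        # Excluded Address check box
    force_scan: bool = False      # Force Scan check box
    ping_timeout: float = 1.0     # Ping Timeout in seconds (constructed default)
    ping_retries: int = 1         # Ping Retries (constructed default)


def expand_range(begin: str, end: Optional[str] = None) -> List[IPv4]:
    """All addresses from begin to end inclusive; a descending range is rejected up front."""
    lo = IPv4(begin)
    hi = IPv4(end) if end else lo
    if hi < lo:
        raise ValueError(f"{begin}-{end}: IP Address Begin must hold the lowest address")
    return [IPv4(n) for n in range(int(lo), int(hi) + 1)]


def build_target_set(lines: Iterable[AddressLine]) -> List[IPv4]:
    """Included ranges minus excluded addresses and ranges, sorted numerically."""
    included: Set[IPv4] = set()
    excluded: Set[IPv4] = set()
    for line in lines:
        (excluded if line.excluded else included).update(expand_range(line.begin, line.end))
    return sorted(included - excluded)


PingFn = Callable[[IPv4, float], bool]


def discover_live_hosts(targets: Iterable[IPv4], ping: PingFn, timeout: float,
                        retries: int, force_scan: bool) -> List[IPv4]:
    """Ping sweep: a host is port-scanned only if it answers within retries extra attempts,
    unless Force Scan is set, in which case every target is scanned without a sweep."""
    live: List[IPv4] = []
    for ip in targets:
        if force_scan or any(ping(ip, timeout) for _ in range(retries + 1)):
            live.append(ip)
    return live


# Constructed sample: a small lab segment described with three data lines.
SAMPLE_LINES = [
    AddressLine("192.0.2.1", "192.0.2.10"),                # range of hosts (Step 8)
    AddressLine("192.0.2.5", excluded=True),               # excluded single address (Step 9)
    AddressLine("192.0.2.8", "192.0.2.9", excluded=True),  # excluded range (Step 10)
]
# Constructed: hosts that answer ICMP echo. 192.0.2.6 is up but behind a filter that drops ICMP.
ANSWERS_PING = {"192.0.2.1", "192.0.2.2", "192.0.2.10"}


def fake_ping(ip: IPv4, timeout: float) -> bool:
    """Stand-in for a real ICMP echo; looks up the constructed table instead of sending packets."""
    return str(ip) in ANSWERS_PING


def sweep(force_scan: bool) -> List[str]:
    """Targets that would be port-scanned for the sample lines, as dotted strings."""
    targets = build_target_set(SAMPLE_LINES)
    live = discover_live_hosts(targets, fake_ping, timeout=1.0, retries=1, force_scan=force_scan)
    return [str(ip) for ip in live]


if __name__ == "__main__":
    print("targets:", [str(ip) for ip in build_target_set(SAMPLE_LINES)])
    print("ping sweep:", sweep(False))   # 192.0.2.6 is missed because it never answers ICMP
    print("force scan:", sweep(True))    # every target is port-scanned
```

The difference between the two `sweep` results is the case the Force Scan option exists for: a host that drops ICMP is invisible to a ping sweep but is still scanned when Force Scan is selected, at the cost of probing every address in the range.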
Step 11 Click the Vulnerabilities tab.
Step 12 Under Discovery Settings, click the TCP Ports tab (default).
Step 13 Click one of the following options:
Step 14 Under Discovery Settings, click the UDP Ports tab.
Step 15 Click one of the following options:
Caution: Changing the default UDP port configuration can significantly increase the scan time.
Step 16 If you are configuring a probe, follow Steps 17-19. If you are configuring a scan, continue with Step 20.
Step 17 Select the Enable active probes check box.
This allows the Scanner to probe your network and confirm vulnerabilities.
Step 18 Choose an option from the Vulnerability Profile drop-down list.
Step 19 You can either use the defaults associated with each option or you can select the check boxes next to the vulnerabilities that you want to confirm. There are thirteen categories with subcategories under each:
Step 20 Click the Scheduling tab.
Step 21 In the Time drop-down list, click the time you want to schedule the session.
See the section "Scheduling Sessions" found later in this chapter for detailed information on using the scheduling function of the Scanner.
Step 22 Select a Recurrence Pattern option: Once (default), Daily, Weekly, or Monthly.
Step 23 Type a value in the Month, Day, and Year fields.
Step 24 Click OK to begin the session.
Make sure you have configured the Network Addresses, Vulnerabilities, and Scheduling options correctly before beginning the session.
The New Session Name dialog box appears on screen.
Step 25 Type a name for your session in the New Session Name dialog box and click OK.
You are returned to the Scanner main screen. The session that you just created appears under the Scanner Sessions folder showing its name, creation date, and status. If you selected the Show Session Status check box in the Misc tab in the Preferences dialog box, a window showing the progress of the session appears in the left-hand corner of your monitor screen when the session starts (see Figure 6-4 and Figure 6-5).
See Chapter 5, "Using Cisco Secure Scanner" for more information on the Preferences dialog box.
The Scanner uses ping sweeps to discover live hosts and to construct an electronic map of the network. You can use the following options on the Network Addresses tab to scan or probe unusual network configurations:
Force Scan: When you select this option, the Scanner conducts a port scan of all the IP addresses in the specified range without performing a ping sweep first. This allows you to discover hosts behind routers or firewalls that block incoming ICMP traffic.
Tips: Using the Force Scan option can slow down your scan substantially.
You can export session results and save them in an ASCII file. Exporting session data is useful if you need to review the data remotely. The ASCII file can then be imported back into the Scanner and reanalyzed to check for newly discovered vulnerabilities as new Scanner rules or user rules are created.
Exporting session data also allows for the historical examination of data when new vulnerabilities or user rules are added. The data is saved to the file, which contains all of the port scanning data including the port banners. It does not contain any information about confirmed vulnerabilities.
Caution: If you think that you will be using the Export data to option, make sure that this check box is selected before you initiate a session. Otherwise, the data is not saved for future use.
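The following Python is an added example, not code from the Scanner or from Cisco, that ties together the passive scan described at the start of this chapter (banners compared against a rule database to fingerprint a host and list potential vulnerabilities) and the export-and-reanalyze workflow described above. The Scanner's real ASCII export layout is not documented on this page, so a simple `host|port|proto|banner` line format is assumed; the banners, the product names (`ExampleFTPd`, `ExampleMTA`, `ExampleOS`, `ExampleHTTPd`) and the `PLACEHOLDER-*` finding identifiers are all constructed. The last function shows what an import does for you: the same exported banners are run against the rule base plus a newly added user rule, and only the findings that are new are reported.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed export sample in an assumed host|port|proto|banner layout.
EXPORT_TEXT = """\
# host|port|proto|banner
192.0.2.6|21|tcp|220 ExampleFTPd 2.1 Server ready
192.0.2.6|25|tcp|220 mail.example.test ESMTP ExampleMTA 4.0
192.0.2.7|23|tcp|ExampleOS 5.1 login:
192.0.2.7|80|tcp|HTTP/1.0 200 OK Server: ExampleHTTPd/1.3
"""


@dataclass
class ServiceRecord:
    host: str
    port: int
    proto: str
    banner: str


@dataclass
class Rule:
    """A banner rule. A match is a potential finding only; an active probe is what confirms it."""
    name: str
    pattern: str                          # regex run against the banner; optional (?P<os>...) group
    service: str
    potential_vuln: Optional[str] = None  # placeholder identifiers below, not real advisories


BASE_RULES = [
    Rule("ftp-banner", r"^220 ExampleFTPd (?P<ver>\d+\.\d+)", "ftp", "PLACEHOLDER-FTP-001"),
    Rule("smtp-banner", r"ESMTP ExampleMTA", "smtp"),
    Rule("telnet-login", r"^(?P<os>ExampleOS \d+\.\d+) login:", "telnet"),
    Rule("http-server", r"Server: ExampleHTTPd/", "http"),
]
# A constructed user rule added after the original session ran.
USER_RULES = [Rule("http-old-build", r"Server: ExampleHTTPd/1\.3\b", "http", "PLACEHOLDER-HTTP-002")]


def parse_export(text: str) -> List[ServiceRecord]:
    """Read the assumed export layout; blank lines and '#' comments are skipped."""
    records: List[ServiceRecord] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected host|port|proto|banner")
        host, port, proto, banner = parts
        records.append(ServiceRecord(host, int(port), proto.lower(), banner))
    return records


def analyze(records: List[ServiceRecord], rules: List[Rule]) -> Dict[str, dict]:
    """Passive analysis: fingerprint each host and collect potential findings from its banners."""
    report: Dict[str, dict] = {}
    for rec in records:
        host = report.setdefault(rec.host, {"os": None, "services": {}, "potential": []})
        for rule in rules:
            m = re.search(rule.pattern, rec.banner)
            if not m:
                continue
            host["services"][f"{rec.port}/{rec.proto}"] = rule.service
            if m.groupdict().get("os"):
                host["os"] = m.group("os")
            if rule.potential_vuln and rule.potential_vuln not in host["potential"]:
                host["potential"].append(rule.potential_vuln)
    return report


def new_findings(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, List[str]]:
    """Potential findings present in `after` but not in `before`, per host."""
    diff: Dict[str, List[str]] = {}
    for host, info in after.items():
        seen = set(before.get(host, {}).get("potential", []))
        added = [v for v in info["potential"] if v not in seen]
        if added:
            diff[host] = added
    return diff


def reanalyze(text: str = EXPORT_TEXT) -> Dict[str, List[str]]:
    """Re-run an old export against the rule base plus user rules, as an import would, without rescanning."""
    records = parse_export(text)
    return new_findings(analyze(records, BASE_RULES), analyze(records, BASE_RULES + USER_RULES))


if __name__ == "__main__":
    recs = parse_export(EXPORT_TEXT)
    for host, info in analyze(recs, BASE_RULES).items():
        print(host, info)
    print("new after rule update:", reanalyze())
```

Note what the export can and cannot give you: because it holds only ports and banners, a reanalysis can surface new potential findings as rules change, but it cannot confirm any of them; for that you run a new probe session, as the chapter says.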
This section includes the following topics:
To export data, follow these steps:
Step 1 Click Create New Session.
The Session Configuration dialog box appears on screen.
Step 2 Click the Network Addresses tab (default).
Step 3 Make sure that the Scan network check box is selected.
Step 4 Select the Export data to check box.
Step 5 In the Export data to field, type the path to the file in which you want to save the data. Click Browse if you do not know this path.
Step 6 Complete the configuration of the session by following Steps 4 through 25 in "Creating a Session" found earlier in this chapter.
Caution: This option works only if you have previously exported the scan data to an ASCII file. See "Exporting Session Data" found earlier in this chapter for more information.
To import data, follow these steps:
Step 1 Click Create New Session.
The Session Configuration dialog box appears on screen.
Step 2 Click the Network Addresses tab (default).
Step 3 Select the Import previous scan data check box.
The Import data from field appears on screen (Figure 6-6).
Step 4 In the Import data from field, type the path to the file from which you want to import the data. Click Browse if you do not know this path.
Step 5 Click OK.
You can now view port scanning and banner data from a previous session. It has been reanalyzed according to any new rules that have been added to the Scanner since the original session was run. See Appendix B, "User-defined Rules" for information on adding rules and obtaining rules updates.
You can pause a running session, disable or stop a scheduled or running session, and reenable it from the same pop-up menu.
This section includes the following topics:
To pause a running session, follow these steps:
Step 1 Right-click the name of the running session that you want to pause.
Step 2 Click Pause Session on the pop-up menu.
Paused is displayed in the Session Status field on the Scanner main window.
The session is paused until you reenable it. If you pause a session, all scanning is stopped. All scheduled sessions will wait until you delete, disable, or resume the paused session.
To disable a recurring scheduled session, follow these steps:
Step 1 Right-click the name of the session that you want to disable.
Step 2 Click Disable Session on the pop-up menu.
Inactive is displayed in the Session Status field on the Scanner main window.
The session is rendered inactive and therefore does not run at the scheduled time.
To stop a running session, follow these steps:
Step 1 Right-click the name of the session that you want to stop.
Step 2 Click Stop Session on the pop-up menu.
Inactive is displayed in the Session Status field on the Scanner main window. The session is inactive until you reenable it.
To reenable a paused, disabled, or stopped session, follow these steps:
Step 1 Right-click the name of the session that you want to reenable.
Step 2 Click Reenable Session on the pop-up menu.
The Session Status field on the Scanner main window shows either Running or the original scheduled time of the session. If the session was paused, it starts running again immediately provided no other session is currently running. If the session was running when it was disabled or stopped, it starts again provided no other session is currently running. If the session was scheduled to run at a later time when it was disabled or stopped, it is now active and will run at the scheduled time.
You can modify, delete, or rename a session from the Scanner main window. You can view the existing configuration for a session, or change the information to create a new session derived from the original.
This section includes the following topics:
After you create and schedule a new modified session, the original session is disabled. This prevents the original daily, weekly, or monthly session from running after its modified session has been created.
To modify a session, follow these steps:
Step 1 Right-click the session's folder on the Scanner main window.
Step 2 Click Modify Session Configuration on the pop-up menu.
The Session Configuration dialog box appears on screen.
Step 3 Modify the session as needed by clicking the Network Addresses, Vulnerabilities, or Scheduling tabs and making any necessary changes.
Step 4 Click OK.
The New Session Name dialog box appears on screen.
Step 5 Rename the session if desired.
To rename a session, follow these steps:
Step 1 Right-click the session's folder on the Scanner main window.
Step 2 Click Rename Session on the pop-up menu.
You can also click Rename on the toolbar to rename a session.
The New Session Name dialog box appears on screen.
Step 3 Rename the session as desired.
To delete a session, follow these steps:
Step 1 Right-click the session's folder on the Scanner main window.
Step 2 Click Delete Session on the pop-up menu.
You can also click Delete on the toolbar to delete a session.
The Scanner provides a comprehensive scheduling function so that sessions can be conducted at specific times that meet your security needs. The following procedures explain how to set the schedules for specific times.
This section includes the following topics:
To set a specific time for a session, follow these steps:
Step 1 Click the Scheduling tab.
Step 2 Click the Time drop-down list to display the time options (Figure 6-7).
Step 3 Select a specific hour for the session from the display of time options.
Step 4 Select either AM or PM from the secondary bullet selection (Figure 6-8).
Step 5 Under Recurrence Pattern, select Once.
Step 6 Under Run once, on, type the date of the session in the Month, Day, and Year fields.
Step 7 Click OK to complete the session configuration.
To set a daily session, follow these steps:
Step 1 Click the Scheduling tab.
Step 2 Click the Time drop-down list to display the time options.
Step 3 Select a specific hour for the session from the display of time options.
Step 4 Select either AM or PM from the secondary bullet selection (see Figure 6-8).
Step 5 Under Recurrence Pattern, select Daily (Figure 6-9).
Step 6 Select either Every X day(s) (where X is the number of daily occurrences you type in the field) or Every weekday.
The default daily occurrence is every three days.
Step 7 Click OK to complete the session configuration.
To set a weekly session, follow these steps:
Step 1 Click the Scheduling tab.
Step 2 Click the Time drop-down list to display the time options.
Step 3 Select a specific hour for the session from the display of time options.
Step 4 Select either AM or PM from the secondary bullet selection (see Figure 6-8).
Step 5 Under Recurrence Pattern, select Weekly (Figure 6-10).
Step 6 In the Recur every X week(s) on field, type the interval, in weeks, at which the session should recur.
Step 7 Select the day(s) of the week on which the session should occur.
The default weekly occurrence is every week on Wednesday and Thursday.
Step 8 Click OK to complete the session configuration.
To set a monthly session, follow these steps:
Step 1 Click the Scheduling tab.
Step 2 Click the Time drop-down list to display the time options.
Step 3 Select a specific hour for the session from the display of time options.
Step 4 Select either AM or PM from the secondary bullet selection (see Figure 6-8).
Step 5 Under Recurrence Pattern, select Monthly (Figure 6-11).
Step 6 To schedule a session on a specific day of the month, continue with Step 7. To schedule a session on a recurring monthly schedule, go to Step 8.
Step 7 To schedule a session on a specific day of the month:
(a) Under Recurrence Pattern, select Day.
(b) Type the day of the month on which you want the session to occur in the of every field.
(c) In the month(s) field, type the interval, in months, at which the session should recur.
Step 8 To schedule a session on a recurring monthly schedule:
(a) Under Recurrence Pattern, select The.
(b) Click the drop-down list to the right of The and choose either first, second, third, fourth, or last.
(c) Click the drop-down list next to of every and choose the day of the week on which the session should occur: day, weekday, weekend day, Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday (Figure 6-12).
(d) In the month(s) field, type the interval, in months, at which the session should recur.
Step 9 Click OK to complete the session configuration.
To set a random session, follow these steps:
Step 1 Click the Scheduling tab.
Step 2 Click the Time drop-down list to display the time options.
Step 3 Select one of the random options for a session from the display of time options (Figure 6-13).
The Scanner starts sometime within one of the specified time periods.
Step 4 Under Recurrence Pattern, select an option.
Step 5 Click OK to complete the session configuration.
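The recurrence patterns in the procedures above (Daily every X days or every weekday, Weekly every X weeks on chosen days, Monthly on day N of every X months, and Monthly on the first/second/third/fourth/last day, weekday, weekend day or named day of every X months) are easy to mis-read where months differ in length, so the Python below works each of them through as an added example. It is not the Scanner's own scheduling code and nothing on this page describes that code; the `Recurrence` model is hypothetical, and it assumes that interval counting is anchored on the session's Month/Day/Year and that a day-of-month that a short month lacks (day 31 in June) simply has no occurrence that month. The random option is not modelled, since it starts at an unspecified time within its window. The sample dates are anchored on 29 June 2000, a Thursday.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Iterator, Optional, Tuple

ORDINALS = {"first": 0, "second": 1, "third": 2, "fourth": 3, "last": -1}
DAY_KINDS = {                      # weekday numbers, Monday = 0
    "day": tuple(range(7)), "weekday": tuple(range(5)), "weekend day": (5, 6),
    "Monday": (0,), "Tuesday": (1,), "Wednesday": (2,), "Thursday": (3,),
    "Friday": (4,), "Saturday": (5,), "Sunday": (6,),
}


@dataclass
class Recurrence:
    """Hypothetical model of the Scheduling tab's Recurrence Pattern settings."""
    kind: str                   # once | daily | weekday | weekly | monthly_day | monthly_nth
    start: date                 # the session's Month/Day/Year; assumed to anchor interval counting
    every: int = 1              # "Every X day(s)", "Recur every X week(s)", "of every X month(s)"
    days: Tuple[int, ...] = ()  # weekly: weekday numbers the session runs on
    day_of_month: int = 1       # monthly_day: "Day N of every X month(s)"
    ordinal: str = "first"      # monthly_nth: first/second/third/fourth/last
    day_kind: str = "day"       # monthly_nth: day/weekday/weekend day/Monday..Sunday


def _months(start: date, every: int) -> Iterator[Tuple[int, int]]:
    """Yield (year, month) every `every` months, beginning with the start month."""
    y, m = start.year, start.month
    while True:
        yield y, m
        m += every
        y, m = y + (m - 1) // 12, (m - 1) % 12 + 1


def occurrences(rec: Recurrence) -> Iterator[date]:
    """Dates on which the session is due, in order, never before rec.start (infinite for recurring kinds)."""
    if rec.every < 1:
        raise ValueError("interval must be at least 1")
    s = rec.start
    if rec.kind == "once":
        yield s
    elif rec.kind == "daily":
        d = s
        while True:
            yield d
            d += timedelta(days=rec.every)
    elif rec.kind == "weekday":
        d = s
        while True:
            if d.weekday() < 5:
                yield d
            d += timedelta(days=1)
    elif rec.kind == "weekly":
        if not rec.days:
            raise ValueError("weekly pattern needs at least one day")
        monday = s - timedelta(days=s.weekday())
        k = 0
        while True:
            base = monday + timedelta(weeks=rec.every * k)
            for wd in sorted(rec.days):
                d = base + timedelta(days=wd)
                if d >= s:
                    yield d
            k += 1
    elif rec.kind == "monthly_day":
        for y, m in _months(s, rec.every):
            # A month shorter than day_of_month (day 31 in June) has no occurrence.
            if rec.day_of_month <= calendar.monthrange(y, m)[1]:
                d = date(y, m, rec.day_of_month)
                if d >= s:
                    yield d
    elif rec.kind == "monthly_nth":
        allowed, idx = DAY_KINDS[rec.day_kind], ORDINALS[rec.ordinal]
        for y, m in _months(s, rec.every):
            cands = [date(y, m, dd) for dd in range(1, calendar.monthrange(y, m)[1] + 1)
                     if date(y, m, dd).weekday() in allowed]
            if idx == -1 or idx < len(cands):
                d = cands[idx]
                if d >= s:
                    yield d
    else:
        raise ValueError(f"unknown recurrence kind {rec.kind!r}")


def next_run(rec: Recurrence, run_time: time, after: datetime, max_checks: int = 2000) -> Optional[datetime]:
    """First scheduled start strictly later than `after`, or None if the pattern is exhausted."""
    for i, d in enumerate(occurrences(rec)):
        if i >= max_checks:
            break
        when = datetime.combine(d, run_time)
        if when > after:
            return when
    return None


def schedule_next(kind: str, start: str, run_time: str, after: str, **opts) -> Optional[str]:
    """ISO-string convenience wrapper around next_run (dates in, ISO datetime or None out)."""
    rec = Recurrence(kind=kind, start=date.fromisoformat(start), **opts)
    when = next_run(rec, time.fromisoformat(run_time), datetime.fromisoformat(after))
    return when.isoformat() if when else None


if __name__ == "__main__":
    after = "2000-06-29T11:00"  # constructed "now", just after a 10 AM slot has passed
    print(schedule_next("daily", "2000-06-29", "10:00", after, every=3))
    print(schedule_next("weekly", "2000-06-29", "10:00", after, days=(2, 3)))      # Wed, Thu
    print(schedule_next("monthly_day", "2000-06-29", "10:00", after, day_of_month=31))
    print(schedule_next("monthly_nth", "2000-06-29", "10:00", after,
                        every=2, ordinal="second", day_kind="Tuesday"))
```

Two of the sample calls show the cases worth checking when you configure a monthly session: day 31 of every month silently skips June (30 days) and first fires on 31 July, and "the second Tuesday of every 2 months" starting on 29 June skips June's second Tuesday because it is already past and lands on 8 August.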
Posted: Thu Jun 29 14:11:27 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.