User:Tperlin/Network Vulnerability Assessment

Network Vulnerability Scanning refers to a process, primarily supported by software tools, for enumerating the vulnerabilities present on servers and applications within network. Network vulnerability scanning is a subset of the larger process of vulnerability scanning distinguished by its focus on targets attached to a network. While it may seem confusing, network vulnerability scanning commonly includes operating systems, applications, and hardware appliances.

History of Network Vulnerability Scanners
Network Vulnerability Scanners began as software tools designed to automate a manual process. They have since evolved into a core technology supporting the process of Vulnerability management in enterprises both large and small.

The initial vulnerability assessment products, more accurately called vulnerability scanners, were Internet Scanner, Cybercop Scanner, and Nessus.

The first notable Network Vulnerability Scanner to appear in computer security was Internet Scanner developed by Christopher Klaus. It was initially developed at the Georgia Institute of Technology and continued to commercial success at ISS, which was ultimately acquired by IBM. The Internet Scanner product remains available from IBM.

In the late 1990s, Network Associates, now McAfee, introduced Cybercop Scanner as a competitive product to Internet Scanner. At the time, there were only two commercially viable network vulnerability scanners on the market Ultimately, Network Associates was unable to achieve commercial success with Cybercop Scanner and pronounced the product "End of Life" in July of 2002

Nessus (software) The "Nessus" Project was started by Renaud Deraison in 1998 to provide to the Internet community a free remote security scanner. Nessus was an open-source and freely available product initially. While it was able to develop a large user base on these principles, Deraison was never able to maintain a robust number of contributing developers. For this reason and commercial pressure from competing vendors, on October 5, 2005, Tenable Network Security, the company Renaud Deraison co-founded, changed Nessus 3 to a proprietary (closed source) license. The Nessus 3 engine is still free of charge, though Tenable charges a subscription fee per scanner for the content developed to run on the Nessus engine.

The Nessus 2 engine and a minority of the plugins are still GPL, leading to forked open source projects based on Nessus like OpenVAS and Porz-Wahn. Tenable Network Security has still maintained the Nessus 2 engine and has updated it several times since the release of Nessus 3.

The Nessus product, supported by Tenable Network Security, remains competitive in the market place. On April 9, 2009, Tenable released Nessus 4.0.0.

eEye Digital Security

Foundstone

Qualys

nCircle

Nmap Nmap presents a special case for this article. It is commonly referenced with the topic of Vulnerability management, but Nmap is more accurately a Network enumerator. Nmap does not scan for vulnerabilities.

Nmap was first published in September 1997, as an article in Phrack Magazine with source-code included. Further development included better algorithms for determining which services were running, code rewrites (C to C++), additional scan types and protocol support (e.g. IPv6, SCTP ). Nmap reached version 4.0 in January 2006 and version 4.5 in December 2007. Version 5.0 came out in July 2009. Changes in each release are recorded in the Nmap Changelog.

Typical Network Vulnerability Scanning Process
Network vulnerability scanning processes vary across different scanning tools, and the relative merits of various technical details can be hotly debated. That being said, there is a common general process that a network vulnerability scanning tool follows. Individual tools allow various levels of configuration and modularization of this process, but there are very few that do not include capabilities in each of these areas.

Target Discovery
While it is possible to assess an individual known target, it is very common to enumerate the target assets in some set of IP space in order to determine which IP addresses require further assessment. This initial phase of a vulnerability scan might be referred to as host discovery, network discovery, or network inventory scanning. The purpose of this phase is to produce a list of populated IP addresses for scanning from a larger set of IP space (i.e. a range, network or CIDR block).

Target Discovery Methods
Target discovery may be performed using a number of methods.

ICMP
The use of an ICMP echo request and detection of a corresponding echo response is a very common and very fast method of detecting a live host on a target IP address. While this 'ping' technique is common, it can be unreliable in many cases. The ICMP protocol is often blocked by firewalls and other access control systems. Other ICMP methods can also be used to detect live hosts, but the 'ping' technique is the most common.

Port Scanning
The process of attempting to detect an open port on a target IP address is commonly referred to as port scanning. There are a number of standalone port scanning tools available, such as nmap and netcat. In many cases, these tools will also provide other methods of target discovery, application detection and operating system detection. They can be confused with network vulnerability scanners because of their wide range of capabilities, but they do not provide vulnerability detection.

Port scanning may be performed over TCP or UDP, with some significant differences. TCP provides for confirmed responses to queries over a specific port, and so can be used to determine either an open or closed state on a given port. UDP is a stateless protocol, and as such does not guarantee a response from a port. While there are various methods of performing UDP port scanning, the reliability of the results may also vary.

Passive Discovery
Passive discovery is a method of target discovery where a sensor intercepts network traffic and produces a list of live hosts based on traffic analysis. While this method is not generally used as part of a vulnerability scan, it can be used in conjunction with a vulnerabilty scanner to provide target discovery.

Target Enumeration
Once a list of active IP addresses has been produced or obtained, a vulnerability scanner generally performs some type of enumeration of each target host in order to better inform the vulnerability testing itself. This phase of a scan may include extensive port scanning, service detection, application detection and operating system detection. There is fairly wide variability on how these methods are applied and how successful they are across network vulnerability scanners. Because there are many thousands of known vulnerabilities with a CVE reference, it is simply not feasible to test every one of them against every target asset. The target enumeration process is intended to allow the vulnerability scanner to filter the set of tests it must perform against each target.

A network vulnerability scanner may filter the vulnerabilities tested based on the operating system detected, based on a static link of open port to service (e.g. TCP port 80 is HTTP), based on dynamically detected service, based on application detected, or based on some combination of these criteria.

Port Scanning
Port scanning for target enumeration is intended to expand the list of known port states on a target from those discovered during Target Discovery. See the Port Scanning section in Target Discovery for details.

Service Detection
During the target enumeration phase, a network vulnerability scanner may attempt to determine what services are actually running on discovered open ports. A service is the primary protocol listening on an open port, and is the method of communication that an application uses. For example, the application Sendmail would listen on TCP port 25 using the SMTP protocol.

Application Detection
Services are not the same thing as applications, and the application present for a given service can be used to better determine what vulnerabilities may be relevant for testing on an asset. The process of application detection is not a requirement for vulnerability assessment and is not employed by all tools. Additionally, tools may employ application detection to varying degrees. Ultimately, however, the results of any application detection done by a vulnerability assessment tool are used to filter or determine what vulnerabilities to actually test for. For example, a vulnerability that affects the Apache HTTP Server should not be tested against Microsoft's Internet Information Server.

Operating System Detection
There are a number of known methods of remotely detecting the operating system of an asset on a network. NMAP is well known for pioneering methods such as TCP/IP stack fingerprinting and for maintaining a large database of TCP stack fingerprints. Many vulnerability assessment tools use NMAP directly or employ the same methods. Operating system can be used to filter or limit the vulnerabilities tested as well. For example, a vulnerability that only affects Apache running on Windows should not be tested against a server running Apache on Linux.

Vulnerability Testing
The end result of a vulnerability assessment is just that, an assessment of vulnerabilities. As such, all vulnerability scans end with actual testing for vulnerabilities. The method of testing varies depending on the type of testing configured or supported by the tool, and on the actual vulnerability being tested. Inference. Introduce concepts of directness and mutability.

Well Known Network Vulnerability Scanners
There are a number of well known network vulnerability scanners available today.
 * Nessus (Commercial)
 * McAfee Foundstone (Commercial)
 * Sara (Open Source)
 * Internet Scanner (Commercial)
 * nCircle IP360 (Commercial)
 * Qualys Qualysguard (Commercial)
 * Beyond Security (Commercial)
 * Rapid7 NeXpose (Commercial)
 * Critical Watch (Commercial)
 * eEye Retina (Commercial)
 * Lumension (Commercial)
 * StillSecure (Commercial)
 * Trustwave (Commercial)