Definition: Vulnerability Scanners
Sunday, 23 October 2005

A scanner is an IDS that performs a periodic assessment of the risks on your system. Rather than watching for attacks in progress, it looks for vulnerabilities that might open up your system to threats. Intrusion detection scanners look for potential problems with your system that might result from the following:

• An outdated (back-level) version of a software program that is known to have an exploit
• A configuration error resulting from an out-of-the-box installation with known holes
• An administrative error that places the system in an unsafe state, with the problem residing in either an operating system configuration or an application configuration
• Known rogue programs that someone may have planted on your system

In this chapter, you will learn about some vulnerability scanners that look for weaknesses in UNIX systems. (NT scanners are discussed in Chapter 10, which deals exclusively with NT IDS.) When you complete the chapter, you should be able to identify the role of vulnerability scanners in your environment. You will see the types of problems that scanners can detect, how they can be spoofed, and why they are an important security product to have in your arsenal.

First, you should know that scanning intrusion detection products are not the same as network sniffers. Vulnerability scanners do not look at network traffic in real time. Instead, they are run periodically against systems to look for problems. A product that looks at intrusions as they occur in real time is really dealing with threats, not with vulnerabilities. Real-time IDS catch hackers while they are on your system. Scanners examine your systems for cracks that someone can sneak through or for evidence of intrusions after they have occurred.

Scans can be run in one of two ways:

• A local scan is run on a node by a software program that resides on the node itself. This operation is introspective because the node is examining itself.
• A remote scan is run over the network against the target node by probing it for vulnerabilities. The IDS software is actually running on an administrative system and scanning the target across the network.

A scanner might be probing multiple systems in the network. In doing so, network attacks are attempted against the target node to look for potential holes in the target. Although network packets are sent from the scanning system to the target, the scanner itself is not actively sniffing all network packets to look for problems.

Local and remote scanners share common characteristics. Rather than looking for events as they occur in real time, scanners examine the state of a system periodically. One potential advantage of interval scanning is that resource utilization is less on the average than that required for real-time monitoring. Intuitively, this is easy to see because you are consuming resources only when the scanner is active rather than constantly watching events as they occur.

Scanners make a sweep of the system's configuration to look for vulnerabilities. Scanning the system for problems will reveal weaknesses or holes that lead to cracks. A real-time monitor will miss configuration problems because it is primarily designed to catch hackers in the act, rather than to look for vulnerabilities that can be exploited later. For example, a real-time detector is not much help in finding problems with a fresh, out-of-the-box configuration. Thus, scanners and real-time IDS are complementary.

Because scanners are run periodically, they will not be able to detect events as they occur. Vulnerability scanners try to prevent problems by alerting you to flaws in advance. If a hacker manages to bypass your security defenses and introduce a vulnerability into your system, the scanner should detect the exposure the next time it is activated. For example, if the scanner looks for root-equivalent accounts on a system, it will detect that a hacker has created a root account on the system the next time a scan is performed. How do scanners improve your security?

• Scanners prevent intrusions and misuses by alerting you to vulnerabilities in advance, even if they result from accidental configuration errors.
• Scanners detect vulnerabilities that arise in your system as a consequence of an intrusion or misuse.
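The root-equivalent account check mentioned above is a good illustration of the second point. The following is an added example, not code from the original article: a small local check that parses passwd-format data and flags any UID 0 account other than the expected ones, plus any UID 0 account whose password field is empty. The passwd content is constructed for the example; the `backup2` and `toor` entries are the kind of account an intruder might leave behind, and the `new_since_last_scan` helper shows how a periodic scanner reports what changed between two runs.

```python
# Constructed /etc/passwd content for the example (not from a real system).
# "backup2" and "toor" are the root-equivalent accounts the scan should flag.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:backup helper:/tmp:/bin/sh
toor::0:0:emergency:/root:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts, one per account.

    Blank lines and comments are skipped; a line with the wrong number of
    fields is itself suspicious, so it is reported as an error rather than
    silently ignored.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def find_root_equivalents(text, allowed=("root",)):
    """Return a list of finding strings for root-equivalent accounts.

    Any UID 0 account whose name is not in `allowed` is flagged, and any
    UID 0 account with an empty password field is flagged separately,
    since it can be used without presenting a credential at all.
    """
    findings = []
    for e in parse_passwd(text):
        if e["uid"] != 0:
            continue
        if e["name"] not in allowed:
            findings.append(f"{e['name']}: UID 0 account not in the allowed list")
        if e["pw"] == "":
            findings.append(f"{e['name']}: UID 0 account with empty password field")
    return findings


def new_since_last_scan(previous, current):
    """Findings present in this scan that were not in the previous one.

    A periodic scanner that keeps its last report can use this to highlight
    exposures introduced since it last ran.
    """
    return [f for f in current if f not in previous]


def scan_passwd_file(path="/etc/passwd"):
    """Run the check against a real passwd file on the local node."""
    with open(path, encoding="utf-8") as fh:
        return find_root_equivalents(fh.read())


if __name__ == "__main__":
    for finding in find_root_equivalents(SAMPLE_PASSWD):
        print("FINDING:", finding)
```

Run as a script it reports the two rogue accounts in the constructed sample; `scan_passwd_file()` applies the same check to the local node's real `/etc/passwd`, which is how a local scanner would invoke it on a schedule.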

Of course, the hacker's challenge is to know what the scanner looks for and to cover their tracks to avoid detection. Because many vendors publish the list of problems they look for, a wise cracker can use this information to avoid activities that will be flagged.

When you look at scanning products, it's important to know that some types of weaknesses can be found only by running the scan locally on the node of interest. If the system is locked down so that no network attacks are possible, local file system permission problems or SUID programs may still lead to system compromise. Even if you have a system that is not connected to a network and has only directly attached terminals, you can have vulnerabilities.

One desirable feature of scanners is that they do not introduce new data sources. System-level IDSs require that you turn on auditing or syslog if you are not already doing so. Scanners discover vulnerabilities by looking at configuration data or by attempting to carry out an attack.

A scanner probes for weaknesses in your system or network by comparing its database of known vulnerabilities against data about your configurations. Most scanners enable you to configure what you want to scan and when you want to scan for it. Extensibility is another important feature to look for in a scanner. You want to be able to add your own scanning routines to look for site-specific application weaknesses that concern you.

Under the general category of systems management, your scanner should provide for optional centralized reporting. If you have two or three systems, running a local scan on each node and reading the reports on each node may be tolerable. Sites with dozens of systems or more want consolidated reports on a central server. Other capabilities such as the grouping of nodes into scan groups, flexible output report formats, and customized scan options are valuable for large environments.

Using a scanner is actually simple. If you don't require any customization, by default the scanner will look for a preconfigured list of vulnerabilities and report the results to you. Usually, the results are saved in a file so that you can come back later to review the findings. The scanner works either by examining attributes of objects, such as the owner and permissions of files, or by emulating the hacker. To act as a hacker, the scanner runs a variety of scripts that try to exploit weaknesses in the target node. To keep the systems and networks from being overloaded, you should give careful thought to what you want to scan and when you want to scan for it. Otherwise, you might find that your entire site becomes sluggish because the mission-critical servers are busy responding to a simulated SYN flood attack.
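To make the preceding points concrete (a database of known vulnerabilities compared against configuration data, site-specific checks you can add yourself, a selectable list of what to scan, and a consolidated report), here is an added example of a minimal extensible local scanner. It is not code from the original article or from any real product. Checks register themselves with a decorator; one compares installed software versions against a small vulnerability database, the other examines file attributes (setuid-root and world-writable files), which is the kind of weakness that can only be found by scanning locally. The product names, versions and the `VULN_DB` contents are placeholders constructed for the example, and the sample scan directory is created in a temporary location.

```python
import os
import shutil
import stat
import tempfile

# Constructed "known vulnerabilities" database: product -> versions known to
# be back-level and exploitable. Placeholder data, not a real advisory feed.
VULN_DB = {
    "examplehttpd": {"1.0", "1.1"},
    "examplemail": {"2.3"},
}

CHECKS = []  # registry of (name, function) scanning routines


def check(name):
    """Decorator that registers a scanning routine under `name`.

    Each routine takes a context dict and returns a list of finding strings,
    so site-specific checks can be added without touching the scanner core.
    """
    def register(fn):
        CHECKS.append((name, fn))
        return fn
    return register


@check("back-level-software")
def back_level_software(ctx):
    """Compare installed versions against the vulnerability database."""
    findings = []
    for product, version in sorted(ctx["installed"].items()):
        if version in VULN_DB.get(product, ()):
            findings.append(f"{product} {version} has a known exploit; upgrade")
    return findings


@check("file-permissions")
def file_permissions(ctx):
    """Walk the scan root and flag setuid-root and world-writable files."""
    findings = []
    for root, _dirs, files in os.walk(ctx["scan_root"]):
        for fname in sorted(files):
            path = os.path.join(root, fname)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target, not the link
            if st.st_mode & stat.S_ISUID and st.st_uid == 0:
                findings.append(f"{path}: setuid-root executable")
            if st.st_mode & stat.S_IWOTH:
                findings.append(f"{path}: world-writable")
    return findings


def run_scan(ctx, enabled=None):
    """Run every registered check (or only those named in `enabled`).

    Returns {check_name: [findings]} so results from many nodes can be
    consolidated on a central server.
    """
    report = {}
    for name, fn in CHECKS:
        if enabled is None or name in enabled:
            report[name] = fn(ctx)
    return report


def build_sample_context():
    """Constructed input: a temp directory holding one correctly restricted
    file and one world-writable file, plus a fake package inventory with one
    back-level version. Call cleanup() when done with it."""
    scan_root = tempfile.mkdtemp(prefix="scan-demo-")
    for fname, mode in (("safe.conf", 0o640), ("loose.conf", 0o666)):
        path = os.path.join(scan_root, fname)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# sample configuration\n")
        os.chmod(path, mode)
    installed = {"examplehttpd": "1.1", "examplemail": "2.4"}
    return {"scan_root": scan_root, "installed": installed}


def cleanup(ctx):
    """Remove the constructed scan directory."""
    shutil.rmtree(ctx["scan_root"], ignore_errors=True)


if __name__ == "__main__":
    ctx = build_sample_context()
    try:
        for name, findings in run_scan(ctx).items():
            print(f"[{name}] {len(findings)} finding(s)")
            for f in findings:
                print("   ", f)
    finally:
        cleanup(ctx)
```

Pointing `scan_root` at a real directory tree and `installed` at the output of the local package manager turns this into a usable local scan; passing `enabled={"file-permissions"}` to `run_scan` restricts the run to one check, which is the scheduling control the text recommends for busy servers.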

Scanning is not limited to computers. Routers and other switching devices also can be scanned, because they, too, have been exposed in the public news forums for containing security flaws.

© 2004-2007 Daita.org