Information Security all in one place!


Network Scanning: Concerns and Countermeasures


 


Daniel Saucier (Student of the InfoSec Industry, March 2012) – Network vulnerability scanning could not be more important than it is right now, in this age of Internet computing. As technology grows, the architectures are not catching up quite as fast as most would like. The article below assumes you have basic networking knowledge, and assumes no responsibility for actions taken based on it. Its sole purpose is to educate the savvy portion of the Internet community about the protection types and threat-preventive measures available for today’s networking environments.

Different IP network scanning methods allow you to test for and effectively identify vulnerable network components. Here is a list of effective scanning techniques and their applications; these options can be found in the advanced configuration options of most downloadable network scanners.

ICMP scanning and Probing:

>| By launching an ICMP ping sweep you can quickly identify poorly protected hosts (security-conscious administrators such as myself filter inbound ICMP messages) and perform a degree of OS fingerprinting and reconnaissance by analyzing the responses to the ICMP probes.

Half-open SYN flag TCP port scanning:

>| A SYN port scan is often the most effective type of port scan to launch directly against a target IP network space. The scanner sends a SYN, reads the SYN/ACK (open) or RST (closed) that comes back, and never completes the handshake, so the target application never sees a connection and the scan is very fast, which allows large networks to be scanned rather quickly.

Inverse TCP port scanning:

>| Inverse scanning types (particularly FIN, XMAS, and NULL) take advantage of idiosyncrasies in certain TCP/IP stack implementations: RFC 793 says a closed port answers an unexpected segment with RST while an open port silently drops it, so silence is read as open. Stacks that reply RST regardless (Windows and many Cisco devices among them) report every port closed, which makes these scans unreliable across a mixed estate and not useful for large networks. Use this scan type for testing individual hosts or small network segments. Make sure your code is as up to date as possible and apply any manual workarounds to protect gear from this type of scan. These scans tend to turn up weak, legacy components that are kept in service because replacing them is costly.

Third-party TCP port scanning:

>| Using a combination of vulnerable network components and TCP spoofing, third-party TCP port scans (bouncing a scan off an FTP server, or using an idle host whose IP ID counter can be read) can be launched effectively. Scanning in this fashion has two benefits: hiding the true source of the scan and assessing the filters and levels of trust between hosts. Although time-consuming to undertake, this can prove very effective when applied correctly.

UDP port scanning:

>| Identifying accessible UDP services is easy only if ICMP type 3 code 3 (“destination port unreachable”) messages are allowed back through the filtering mechanisms that protect the target systems; where they are blocked, or rate-limited by the host (Linux sends at most one per second by default), silence cannot distinguish an open port from a filtered one and the scan becomes slow and ambiguous. UDP services can sometimes be used to gather useful data or to directly compromise hosts (DNS, SNMP, TFTP, and BOOTP in particular). Make sure you are locking these down!

IDS evasion and filter circumvention:

>| Intrusion detection systems and other security mechanisms can be rendered ineffective by using multiple spoofed decoy hosts when scanning, or by fragmenting probe packets using Nmap or fragroute. Filters such as firewalls, routers, and host-based filtering software can sometimes be bypassed using specific source TCP or UDP ports, source routing, or stateful attacks (malformed FTP PORT/PASV exchanges, for example).
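As an added example, not part of the original article, the Python below shows how the probes behind these scan types differ and how their answers are read. The TCP header is built by hand, with the checksum computed over the IPv4 pseudo-header as a raw-socket scanner must do it, which makes the point that a SYN, FIN, NULL or XMAS probe differs only in its flags byte; the classifier then applies the inference rules described above, including the ambiguity of silence for the inverse scans. Addresses and ports are made up, and nothing is sent on the wire.

```python
import socket
import struct
from typing import Optional

# TCP flag bits (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The only thing that differs between the probe types discussed above.
SCAN_FLAGS = {"syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_probe(src_ip: str, dst_ip: str, sport: int, dport: int,
                    scan: str, seq: int = 0x12345678) -> bytes:
    """Return a 20-byte TCP header for one probe of the given scan type.

    Data offset 5 words (no options), window 1024, checksum filled in.
    """
    offset_flags = (5 << 12) | SCAN_FLAGS[scan]
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                         offset_flags, 1024, 0, 0)
    csum = checksum(tcp_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A receiver's check: the sum over pseudo-header + segment folds to zero."""
    return checksum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def flag_names(segment: bytes) -> str:
    """Decode the flags byte of a TCP header, e.g. 'FIN|PSH|URG'."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST),
             ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    bits = segment[13] & 0x3F
    return "|".join(n for n, b in names if bits & b) or "NONE"


def classify(scan: str, response: Optional[str]) -> str:
    """Infer a port state from the reply to one probe.

    response is 'synack', 'rst', 'icmp-unreach' or None (timed out).
    """
    if response == "icmp-unreach":          # ICMP type 3, any code
        return "filtered"
    if scan == "syn":
        return {"synack": "open", "rst": "closed", None: "filtered"}.get(
            response, "unexpected")
    # Inverse scans (FIN/NULL/XMAS): RFC 793 says a closed port answers RST and
    # an open port stays silent, so silence is ambiguous.  A stack that sends
    # RST to every unexpected segment (Windows, many Cisco devices) makes every
    # port look closed; do not trust these results against such hosts.
    if response == "rst":
        return "closed"
    if response is None:
        return "open|filtered"
    return "unexpected"
```

The checksum verifier is the same routine a receiving stack runs; a probe with a bad checksum is silently discarded, which is a common reason a hand-rolled scanner sees nothing at all.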

Using the different scanning methods mentioned above you can harden your network pretty well. However, change is always a factor: what if you need to undertake a major network overhaul and start exposing different types of protocols to the network? The following list will help you when considering modifications to your components and will minimize the risk of re-exposing vulnerable services.

>| This list can be used as a baseline, and in some cases as a guideline, for any network configuration.

  1. Filter inbound ICMP message types at the border or perimeter routers and firewalls, including the ones in front of any servers you DMZ. This forces an attacker to use full TCP scans against all of your IP addresses to map the network effectively. (Let type 3 code 4, “fragmentation needed”, through if you rely on path MTU discovery.)
  2. Filter all outbound ICMP type 3 “unreachable” messages at the edge routers and firewalls to prevent UDP port scanning and firewalking from being effective. Firewalking is the technique of sending TTL-limited probes through a firewall and reading the ICMP replies from the hop behind it to learn which ports the ruleset passes, so consider filtering outbound type 11 “time exceeded” from the hosts behind the firewall as well.
  3. Consider configuring Internet firewalls so that they identify port scans and throttle the connections accordingly. Appliances such as Check Point, NetScreen, and WatchGuard, to name a few, can be configured to prevent fast port scans and SYN floods from being launched against your network. However, this can backfire if the attacker uses spoofed source addresses, resulting in a denial of service against the addresses you automatically block. PortSentry is a pretty effective open source option for identifying scans against your network.
  4. Assess the way your network firewall or IDS devices handle fragmented IP packets by using tools such as fragtest and fragroute. Such devices can be taken down by being flooded with high volumes of fragments to reassemble. Bring your findings to the vendor’s attention.
  5. Ensure that your routing and filtering appliances (both routers and firewalls) can’t be bypassed using specific source ports or source routing techniques.
  6. If you run FTP services, ensure that your firewalls aren’t vulnerable to stateful circumvention attacks relating to malformed PORT and PASV commands.
  7. If a commercial firewall is being used, ensure the following:
  • The latest code is installed; consider replacement if you cannot comply.
  • Anti-spoofing rules have been correctly defined so that the device doesn’t accept packets with private (RFC 1918) or internal source addresses on its external interfaces.
  8. Investigate the use of reverse proxy services if high security is a must. A reverse proxy terminates the client’s TCP connection and opens its own to the back-end server, so fragmented and malformed packets never reach the servers behind it, which mitigates low-level reconnaissance against them.
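Item 3 asks the firewall to recognize port scans. As an added example, not from the original article, here is the detection logic a SOC might run over firewall drop logs: a source that touches many distinct destination ports inside a short window is flagged. The log lines are constructed in the style of the Linux iptables LOG target (the “FW-DROP:” prefix, hosts and addresses are made up), and the window and port thresholds are assumptions to tune for your environment. The sample includes a second source sending the same probes at the same moment, which is what an nmap -D decoy looks like in the logs; both get flagged, and you cannot tell from the drop log which is real. That is the reason item 3 gives for reporting rather than blocking automatically.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields we need from a Linux iptables LOG line.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def _line(hhmmss, src, dst, dpt, flags="SYN"):
    """Constructed iptables-style drop log line (sample data, not a capture)."""
    return (f"Mar 12 {hhmmss} fw kernel: FW-DROP: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40123 "
            f"DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


# Constructed sample: one host probing 12 ports in 12 seconds, a decoy source
# sending the same probes at the same time, and a legitimate client retrying HTTPS.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG = (
    [_line(f"10:15:{i:02d}", "203.0.113.10", "198.51.100.5", p)
     for i, p in enumerate(SCANNED_PORTS)]
    + [_line(f"10:15:{i:02d}", "203.0.113.77", "198.51.100.5", p)
       for i, p in enumerate(SCANNED_PORTS)]
    + [_line(t, "198.51.100.20", "198.51.100.5", 443)
       for t in ("10:15:05", "10:17:30", "10:20:00")]
)


def parse_line(line):
    """Return a dict with ts/src/dst/proto/dpt, or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def detect_port_scans(lines, window_s=60, min_ports=10):
    """Map each source to the largest number of distinct destination ports it
    hit inside any window_s-second window, keeping sources at or above min_ports.

    Returns evidence for an analyst; it deliberately does not emit block rules,
    because spoofed and decoy sources would turn that into a self-inflicted DoS.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dpt"] is not None:
            events[rec["src"]].append((rec["ts"], rec["dpt"]))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        lo, best = 0, 0
        for hi in range(len(evs)):                    # sliding time window
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_s:
                lo += 1
            best = max(best, len({p for _, p in evs[lo:hi + 1]}))
        if best >= min_ports:
            findings[src] = best
    return findings
```

A vertical scan of one host is what this catches; a slow scan spread over hours drops below the window, which is why the thresholds should be set from your own baseline rather than copied.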

Wrapping up this article, I would like to mention: be aware of your own network configuration and its publicly accessible ports by launching TCP and UDP port scans, along with ICMP probes, against your own IP address space. It really is surprising how many companies, large and small, still do not undertake proper scanning exercises.

Happy Hardening!

-DS


SonicWall: Expansion of Security Services; Kaspersky Anti-Virus



Intelligent network security and data protection solutions provider, SonicWall, has expanded its suite of firewall security services with the addition of Kaspersky Anti-Virus to its Enforced Client Anti-Virus and Anti-Spyware solution.

SonicWall Firewalls are designed to ensure easy deployment, provisioning and enforcement of the client on endpoint devices through a unique policy-driven engine.

SonicWall Next-Generation and Unified Threat Management firewalls already provide gateway anti-virus through SonicWall’s proprietary reassembly-free deep packet inspection anti-malware solution, protecting the perimeter, wireless and VPNs. But, according to SonicWall, viruses can still enter the network through laptops, thumb drives or other unprotected systems. Protection at multiple layers is the best defence against sophisticated modern threats; however, maintaining, enforcing and deploying the right security software on endpoint devices can put a strain on IT resources and budgets. SonicWall firewalls are designed to provide an innovative multi-layered anti-malware strategy consisting of its anti-malware solution at the gateway and enforced anti-virus solution at the endpoints.

When a non-compliant end-point within the network tries to connect to the internet, the firewall will redirect the user to a web page to install the latest SonicWall Enforced Client Anti-Virus and Anti-Spyware software. The firewall is also designed to ensure that all the end-point clients are automatically updated with the latest anti-virus and anti-spyware signatures without end-user intervention. The updated clients can remediate infections by cleansing the endpoint systems and thus preventing further propagation of the threat throughout the network. SonicWall has integrated Kaspersky technology into its enforced client solution. The software resides on endpoint computers and delivers critical protection against viruses, spyware, Trojans, worms, rootkits and more. “Deploying, maintaining and enforcing the right security software on endpoint devices within a network can be difficult,” said Swarup Selvaraman, product line manager at SonicWall. “Our innovative SonicWall solution simplifies this process and gives IT managers easy-to-deploy anti-virus and anti-spyware protection across any number of devices using policy-based management and reporting. Kaspersky support bolsters our existing offering and gives customers more opportunities to choose the anti-virus solution that best meets their needs.” The solution is designed to support Microsoft Windows PCs and laptops and is ideal for deployments scaling from a few to thousands of end-points.


Qualys: Going Public with IPO?


Vulnerability assessment and management company Qualys has announced plans for an IPO later this year.

In a recent article posted on Network World, Qualys, a security firm specializing in vulnerability scanning and assessment, says it is ready to go public. Based on my experience with the product, I would have to agree that this would be a good decision. Given that I have used, and am currently using, Qualys in a contract position, many hours have been spent using and abusing these appliances. I have witnessed first hand the way the scanning engines have morphed into a dependable tool with low false positives. Offering more asset control to the administrator than in recent years, and having handled the overall performance issues through its generations, this product is ready for prime time. Apparently I am not the only one who thinks so, with over 5,000 appliances currently running in production environments worldwide.


“‘We are ready,’ says Qualys CEO Philippe Courtot,” writes Network World’s Ellen Messmer. “He says the company, which he founded in 1999, has achieved profitability and is increasing revenues.”

“Courtot says the company did about $76 million in revenue last year, showing profitability, and expects to see revenues grow to $94 million this year,” Messmer writes. “Its variety of products, and scanning and compliance services, have become widely used by about 5,000 organizations around the world.”

For the full story click here: http://www.networkworld.com/news/2012/022112-qualys-ipo-256396.html


5 Steps for analyzing your WLAN


Assessing Your Wireless Network Security

Wireless network penetration testing, using tools and processes to scan the network environment for vulnerabilities, helps refine an enterprise’s security policy, identify vulnerabilities, and ensure that the security implementation actually provides the protection that the enterprise requires and expects. Regularly performing penetration tests helps enterprises uncover WLAN security weaknesses that can lead to data or equipment being compromised or destroyed by exploits (attacks on a network, usually by exploiting a vulnerability of the system), Trojans, denial of service attacks, and other intrusions.

Here is a great article I was reading on Cisco blogs and found it useful to post. Enjoy!

5 Steps for Assessing Your Wireless Network Security

Sampa Choudhuri – Network security is a never-ending task; it requires ongoing vigilance. Securing your wireless network can be particularly tricky because unauthorized users can quietly sneak onto your network, unseen and possibly undetected. To keep your WLAN secure, it’s important to stay on top of new wireless vulnerabilities. By regularly performing a vulnerability assessment on your wireless network, you can identify and close any security holes before a hacker can slip through them.

With a WLAN vulnerability assessment, you’re figuring out what your wireless network looks like to the outside world on the Internet. Is there an easy way in to your network? Can unauthorized devices attach themselves to your network? A WLAN vulnerability assessment can answer these questions—and more.

Teaser:

1. Discover wireless devices on your network. You need to know everything about each wireless device that accesses your network, including wireless routers and wireless access points (WAPs) as well as laptops and other mobile devices. The scanner will look for active traffic in both the 2.4GHz and 5GHz bands of your 802.11n wireless network. Then, document all the data you collect from the scanner about the wireless devices on your network, including each device’s location and owner.


2. Hunt down rogue devices. Rogue devices are wireless devices, such as an access point, that should not be on your network. They should be considered dangerous to your network security and dealt with right away. Take your list of devices from the previous step and compare it to your known inventory of devices. Any equipment you don’t recognize should be blocked from network access immediately. Use the vulnerability scanner to also check for activity on any wireless bands or channels you don’t usually use.

Read the 5 Steps here:

http://blogs.cisco.com/smallbusiness/5-steps-for-assessing-your-wireless-network-security/
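Steps 1 and 2 of the Cisco post compare what the scanner sees with a known inventory of devices. As an added example, not part of the quoted article, the Python below does that comparison: it normalizes BSSID formatting so the same radio is not missed because one tool writes dashes and another colons, flags unknown radios and activity on channels outside the site plan as step 2 describes, and adds the case the steps do not spell out, an unknown radio broadcasting your own SSID (an evil twin). The scan output, inventory and channel plan are constructed sample data in a made-up “BSSID SSID CHANNEL RSSI” format, not the output of any particular scanner.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    reason: str


def norm_bssid(bssid: str) -> str:
    """Canonicalise a MAC written as aa:bb:cc..., AA-BB-CC... or aabbcc..."""
    hexdigits = "".join(c for c in bssid.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a BSSID: {bssid!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_scan(text: str):
    """Parse constructed 'BSSID SSID CHANNEL RSSI' lines (SSIDs without spaces)."""
    rows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        bssid, ssid, channel, rssi = line.split()
        rows.append((norm_bssid(bssid), ssid, int(channel), int(rssi)))
    return rows


def find_rogues(scan_rows, inventory, site_channels):
    """Compare what the air shows against the authorised-AP inventory.

    inventory: {bssid: (ssid, channel)} of APs you own.
    site_channels: channels your own APs are planned on (step 2's last check).
    """
    inv = {norm_bssid(b): v for b, v in inventory.items()}
    corp_ssids = {ssid for ssid, _ in inv.values()}
    findings = []
    for bssid, ssid, channel, _rssi in scan_rows:
        if bssid in inv:
            if (ssid, channel) != inv[bssid]:
                findings.append(Finding(bssid, ssid, channel,
                                        "known BSSID but SSID/channel differs from inventory"))
        elif ssid in corp_ssids:
            # Our SSID from a radio we do not own: evil twin / impersonation.
            findings.append(Finding(bssid, ssid, channel,
                                    "evil twin: corporate SSID on unknown BSSID"))
        else:
            # Unknown is not yet rogue: a neighbour's AP shows up here too.
            # Treat it as rogue once its MAC is found on your wired switches.
            findings.append(Finding(bssid, ssid, channel, "unknown device"))
        if channel not in site_channels:
            findings.append(Finding(bssid, ssid, channel,
                                    "activity on a channel outside the site plan"))
    return findings


# Constructed sample data: two owned APs, one impersonator, one neighbour,
# one consumer router on a channel the site does not use.
INVENTORY = {"00:11:22:33:44:55": ("CorpWiFi", 6),
             "00:11:22:33:44:66": ("CorpWiFi", 36)}
SITE_CHANNELS = {1, 6, 11, 36, 40}
SAMPLE_SCAN = """
# BSSID             SSID        CH  RSSI
00:11:22:33:44:55   CorpWiFi    6   -45
00-11-22-33-44-66   CorpWiFi    36  -60
DE:AD:BE:EF:00:01   CorpWiFi    6   -30
c8:3a:35:00:00:02   CoffeeShop  11  -80
12:34:56:78:9a:bc   linksys     3   -70
"""


def demo():
    return find_rogues(parse_scan(SAMPLE_SCAN), INVENTORY, SITE_CHANNELS)
```

The strong signal on the evil twin (-30 dBm) is the detail a responder would chase first: it is inside the building, not next door.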


Researchers Warn:Trojan evolving through ‘open source’ development


Trojan malware evolving swiftly as hackers customise code according to their needs


Source: http://www.computerworld.com/s/article/9224112/Citadel_banking_malware_is_evolving_and_spreading_rapidly_researchers_warn

Citadel banking Trojan evolving through ‘open source’ development

Citadel, a computer Trojan that targets online banking users, is evolving and spreading rapidly because its creators have adopted an “open source” development model, according to researchers from cyberthreat management firm Seculert. The new piece of malware is based on ZeuS, one of the oldest and most popular online banking Trojans. ZeuS was abandoned by its creator in late 2010 and its source code leaked online a few months later.


“Seculert’s Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011,” the security company claimed. “The level of adoption and development of Citadel is rapidly growing.”

Seculert has identified over 20 botnets that use different versions of this Trojan. “Each version added new modules and features, some of which were submitted by the Citadel customers themselves,” the company said.

The most interesting aspect of Citadel is its development process, which is similar to the ones behind community-supported open source projects. “Similar to legitimate software companies, the Citadel authors provide their customers with a User Manual, Release Notes and a License Agreement,” Seculert said.


Love and Security: Microsoft Sends us Both


Happy Patch Day

Instead of giving you the same breakdown of the recent critical fixes, I have decided to go a different route. NSIT has compiled a list of websites that discuss the vulnerabilities in depth. Microsoft has released fixes for some critical vulnerabilities; knowing what they are is only half of what you need to know. How applying these updates affects your current environment is just as critical. Read on and keep patching!

Microsoft’s Security Website: http://technet.microsoft.com/en-us/security/bulletin/ms12-feb

CIO Today:

Andrew Storms, director of security operations at nCircle, quipped that IT security teams are not getting any candy hearts from Microsoft for Patch Tuesday. Instead, every version of Internet Explorer gets a security update. Another analyst pointed to the HTML Layout and GDI Access Violation vulnerabilities as particularly important patches.

Read More: http://www.cio-today.com/news/No-IT-Valentines-on-Patch-Tuesday/story.xhtml?story_id=0320013QGOXS&full_skip=1

CSO Blogs:


Microsoft has just released its February 2012 security updates. Here’s some analysis from the folks at Symantec, McAfee and Qualys.

Read More: http://blogs.csoonline.com/network-security/2031/patch-tuesday-notes-february-2012

InfoPackets:

Microsoft will be offering fixes for a wide range of flaws affecting the company’s Internet Explorer (IE) web browser, every version of its Windows operating system (OS), as well as Microsoft Office.

Read More: http://www.infopackets.com/news/business/microsoft/2012/20120213_microsoft_patch_tuesday_fixes_21_security_flaws.htm

Your feedback is encouraged http://feedback.netsecurityit.com



Yahoo! Messenger v11.5 – Buffer Overflow Vulnerability



Severity: High         Risk: High

Area of Impact: Drag & Drop – Message Box

Details of the Vulnerability:


A buffer overflow vulnerability has been detected in the Yahoo! Instant Messenger v11.5 client software.
The bug is located in the drag & drop message box function of the software, which mishandles specially crafted file transfers.
The vulnerability allows a local attacker to crash the software and all bound Yahoo! components.

Proof of Concept: testing purposes only!

The vulnerability can be reproduced by security researchers; more details can be found here:

http://www.vulnerability-lab.com/get_content.php?id=432  
**** The information provided in this advisory is provided as is, without any warranty.

Hack in Progress: Watch the vulnerability in action

No report from Yahoo as of yet. We will keep you posted on all the details.