New Trends in Vulnerability Detection
Accurately Determine Your Security Exposures

If you are responsible for finding vulnerabilities on a large or small enterprise network, you face a variety of political and technical challenges in doing your job. Fortunately, there have been a number of new developments in the art of enterprise vulnerability detection, making use of both new and old technologies.

The Old Model
Traditionally, corporations schedule yearly vulnerability assessments which are conducted by an internal security team or a third party. These teams use vulnerability scanners to discover the network and the underlying security issues. They use this information to attempt to compromise key systems to demonstrate security weaknesses.

This approach is still in use by many organizations today, but mostly to fulfill a requirement for third-party audits. However, these audits can have an impact on operational servers. It is very common for penetration teams to inadvertently crash key servers such as databases, and to stress network infrastructure such as DNS (domain name system) servers, switches, and routers. Very often, the way vulnerability scanners discover network devices and services can crash network hardware or systems that are not robust. Legacy or outdated machines are particularly susceptible to such crashes.

Although the results of these scans are useful, they are only a snapshot of any network's weaknesses at a given point in time. They do not capture the subtle changes that a network undergoes each day, such as a vulnerable host being added to a DMZ (demilitarized zone).

Instant, Continuous, and Daily Scanning
To get a near real-time view of what is on the network, many organizations are simply scanning more often. Most vulnerability management solutions allow for either daily scanning or continuous scanning. As new systems and vulnerabilities are discovered, alerts can be sent directly to security and operational network teams.

This approach has several positive implications. First, it is accurate with respect to known issues: any host on the network with a known vulnerability should be discovered. Second, any host or network device that is fragile and easily crashed by scanning will be discovered very quickly. Once these issues are remediated, the network itself will be more robust and resistant to network scanning, as well as to worm outbreaks.

An emerging trend is to scan hosts as they are added to the network. For example, if a laptop is plugged into the network, the port that it is connected to is only allowed to talk to a vulnerability scanner. Once a scan of the new laptop is completed, it is allowed to enter the network if no vulnerabilities are found.

Asset-Based Alerting
Some organizations, politically, cannot afford to conduct daily scans of their network infrastructure. An alternative to performing a vulnerability scan is to subscribe to a feed of new vulnerability information that is classified by asset type. For example, a company may subscribe to a service and request vulnerability information on Windows 2000, HP-UX 10, Solaris 9, and Red Hat Enterprise 2.1. As new vulnerabilities emerge for these operating systems, the company is notified.

This type of service is very efficient and has no impact on the operational network. However, there are many limitations to this approach. First, the accuracy of the service is totally dependent on what asset information is requested. It also does not take into account any changes to the network. Second, the fidelity of how systems are configured also needs to be taken into consideration. Someone may have 250 Red Hat Enterprise 2.1 servers, but 50 of them may be running Apache 1.3, another 50 running Apache 2.0, and 10 of those may be running a MySQL database. If the vulnerability subscription service does not allow for this fidelity of asset descriptions, a false sense of security may result: an advisory for Apache 1.3 or MySQL is never delivered to a subscriber who only registered the operating system.

An additional variation on this type of method is to use the results of old vulnerability scans to estimate when new vulnerability checks will likely find vulnerable servers. For example, a vulnerability scan may detect 500 Microsoft IIS Web servers. A day later, a new vulnerability check may be available to detect a slightly different Microsoft IIS Web server security issue. Based on the results from the last scan, it may be possible to automatically estimate that some or all of those 500 Web servers are also vulnerable to the new security issue. This type of technology allows security managers to estimate how often they need to scan and make political arguments for launching those scans. If daily scans are already in progress, this sort of technology is not needed.
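The two points above, the fidelity problem of an asset-based subscription and the "estimate from the last scan" variation, can both be reduced to the same matching step: compare a feed entry's affected product and version against what the inventory records for each host. The following is an added example written for this article, not a vendor's or the author's code. The 250-host inventory, the product versions and the FEED-000x advisory identifiers are constructed for illustration and are not real advisories.

```python
"""Asset-based alerting against a vulnerability feed, at two levels of
inventory fidelity, plus the "estimate from the last scan" variation.

All inventory rows, product versions and feed entries below are constructed
for illustration; the FEED-000x identifiers are not real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    name: str
    version: str


@dataclass
class Asset:
    host: str
    os: Product
    apps: tuple = ()          # Products observed on the host (scan result or CMDB)


@dataclass(frozen=True)
class FeedEntry:
    advisory: str             # constructed identifier
    affects: Product


def subscription_profile(inventory, fidelity):
    """Products the company registers with the feed service.

    fidelity="os"  -> operating systems only (coarse, cheap to maintain)
    fidelity="app" -> operating systems plus every application/version
    """
    profile = set()
    for a in inventory:
        profile.add(a.os)
        if fidelity == "app":
            profile.update(a.apps)
    return profile


def delivered_alerts(feed, profile):
    """Feed entries the service would send for a subscription profile."""
    return [e for e in feed if e.affects in profile]


def affected_hosts(inventory, entry):
    """Hosts whose OS or any recorded application matches the entry."""
    return [a.host for a in inventory
            if a.os == entry.affects or entry.affects in a.apps]


def missed_exposures(inventory, feed, fidelity):
    """Exposed hosts, per advisory, for entries the subscription never delivered:
    the 'false sense of security' a coarse asset description produces."""
    delivered = set(delivered_alerts(feed, subscription_profile(inventory, fidelity)))
    return {e.advisory: affected_hosts(inventory, e)
            for e in feed if e not in delivered and affected_hosts(inventory, e)}


def estimate_from_last_scan(last_scan, new_check_target):
    """Which hosts a check that did not exist at scan time will probably flag,
    judged only from what the last scan recorded.  An estimate, not a finding:
    nothing on the hosts is re-examined."""
    return affected_hosts(last_scan, FeedEntry("estimate", new_check_target))


# Constructed inventory: 250 Red Hat Enterprise 2.1 hosts, as in the text
# (50 Apache 1.3, 50 Apache 2.0 of which 10 also run MySQL, 150 without either).
RHEL21 = Product("Red Hat Enterprise Linux", "2.1")
APACHE13 = Product("Apache", "1.3")
APACHE20 = Product("Apache", "2.0")
MYSQL = Product("MySQL", "3.23")

INVENTORY = (
    [Asset(f"web{i:03d}", RHEL21, (APACHE13,)) for i in range(50)]
    + [Asset(f"web{i:03d}", RHEL21, (APACHE20,)) for i in range(50, 90)]
    + [Asset(f"db{i:03d}", RHEL21, (APACHE20, MYSQL)) for i in range(10)]
    + [Asset(f"app{i:03d}", RHEL21, ()) for i in range(150)]
)

FEED = [
    FeedEntry("FEED-0001", RHEL21),    # OS-level issue: all 250 hosts
    FeedEntry("FEED-0002", APACHE13),  # only the 50 Apache 1.3 hosts
    FeedEntry("FEED-0003", MYSQL),     # only the 10 database hosts
]

if __name__ == "__main__":
    for fidelity in ("os", "app"):
        sent = delivered_alerts(FEED, subscription_profile(INVENTORY, fidelity))
        missed = {k: len(v) for k, v in missed_exposures(INVENTORY, FEED, fidelity).items()}
        print(f"{fidelity:>3}: delivered={[e.advisory for e in sent]} missed={missed}")
    print("hosts the new MySQL check will probably flag:",
          len(estimate_from_last_scan(INVENTORY, MYSQL)))
```

With the OS-only profile the service delivers just FEED-0001, while 50 hosts are exposed to FEED-0002 and 10 to FEED-0003 without anyone being told; the application-level profile delivers all three. The estimate function is deliberately the same matching as the alerting: it is only as good as the last scan's inventory, which is why the text notes it becomes unnecessary once daily scans are in place.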

Passive Vulnerability Discovery
A very recent technology that has been introduced to the market is a set of network traffic analyzers which produce very accurate lists of vulnerabilities. They are commonly known as passive vulnerability scanners. These solutions are deployed much like a sniffer or network intrusion detection system. The technology works by analyzing network traffic to produce a list of active clients and servers, determining which ports they are using, the types of applications in use, and the vulnerabilities associated with those applications. Very often, these solutions observe how low-level network connections are established (for example, TTL and TCP window values) to make an accurate guess as to the underlying operating system.

Passive vulnerability detection technology has huge political advantages as there is no impact on the networks that are being monitored. If someone installs an additional server to a DMZ, a passive detection system will observe and report it as soon as it starts to communicate on the network. With an active scan, the system would not be discovered until the next scan was completed. If the system disappeared before the next active scan, it would never be discovered. For this technology to work properly, it is dependent on network traffic. If a backup DNS server is installed and no one makes use of it, the passive technology will not see it.

Although the initial reaction to passive scanning may be that active scans are more accurate, this is often not the case. Most active scans are highly tuned. They look for a limited port range or a specific range of network addresses. They also typically check only server-side (listening) services, not the client software that initiates connections. A passive scanner waits for any network traffic and observes both sides of the network session to identify both the client and the server.

A practical example of this is the outbreak of the Sasser worm. This worm placed a daemon on port 5554. Before the outbreak of Sasser, this was not a port normally scanned by vulnerability scanners and a worm would likely not be discovered by daily port scans or vulnerability sweeps. However, a passive technology would readily identify new activity on the port. Similarly, with the rash of security alerts occurring in Microsoft e-mail and Web clients, the only way to really audit a network for these vulnerabilities is to get onto the host and see which clients are in use. With a passive technology this information can be gathered directly from the network traffic.
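To make the passive approach concrete, here is an added example (written for this article; not the author's product or any real passive scanner) that builds a client/server inventory from observed packets only. The packet summaries are constructed, the (initial TTL, window size) fingerprint table is a tiny illustrative stand-in for the much larger tables real tools use, and the active-scan port list is an assumed tuning, chosen so that the new listener on TCP 5554 falls outside it, as in the Sasser case above.

```python
"""Passive discovery from observed traffic: derive clients, servers, their
applications and an OS guess without sending a packet, then compare with the
port list a tuned active scan would have probed.

The packets are constructed for illustration (no capture file is read) and
the OS signature table is an illustrative stand-in, not a real fingerprint set.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "S" = SYN, "SA" = SYN/ACK, "PA" = PSH/ACK (data)
    ttl: int
    win: int
    payload: bytes = b""


# Illustrative (initial TTL, window size) -> OS guess.  Real passive
# fingerprinting uses far more fields and separate SYN and SYN/ACK tables.
OS_SIGS = {
    (128, 64240): "Windows (illustrative signature)",
    (64, 5840): "Linux (illustrative signature)",
}


def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next((base for base in (64, 128, 255) if ttl <= base), ttl)


def os_guess(p):
    return OS_SIGS.get((initial_ttl(p.ttl), p.win), "unknown")


def banner_app(payload, from_server):
    """Pull an application name out of the first data bytes of a session:
    HTTP Server/User-Agent headers and SSH version banners are enough here."""
    for line in payload.split(b"\r\n"):
        if from_server and line.startswith(b"Server: "):
            return line[8:].decode(errors="replace")
        if from_server and line.startswith(b"SSH-"):
            return line.decode(errors="replace")
        if not from_server and line.startswith(b"User-Agent: "):
            return line[12:].decode(errors="replace")
    return None


def passive_inventory(packets):
    """Build {host: {"os", "server_ports": {port: app}, "client_apps"}} from
    traffic alone.  A SYN names the server (dst) and the client (src); data
    packets are attributed by which end owns a port already seen as a server."""
    hosts = defaultdict(lambda: {"os": "unknown", "server_ports": {}, "client_apps": set()})
    server_keys = set()
    for p in packets:
        if p.flags == "S":
            server_keys.add((p.dst, p.dport))
            hosts[p.dst]["server_ports"].setdefault(p.dport, None)
            hosts[p.src]["os"] = os_guess(p)
        elif p.flags == "SA":
            hosts[p.src]["os"] = os_guess(p)
        if p.payload:
            if (p.src, p.sport) in server_keys:
                app = banner_app(p.payload, from_server=True)
                if app:
                    hosts[p.src]["server_ports"][p.sport] = app
            elif (p.dst, p.dport) in server_keys:
                app = banner_app(p.payload, from_server=False)
                if app:
                    hosts[p.src]["client_apps"].add(app)
    return dict(hosts)


def outside_active_scan(inventory, scanned_ports):
    """Listeners the passive view saw on ports the active scan never probed."""
    return sorted((h, port) for h, info in inventory.items()
                  for port in info["server_ports"] if port not in scanned_ports)


# Constructed traffic: one browser session, then a host that starts answering
# on TCP 5554, a port the (assumed) active scan tuning does not cover.
SAMPLE = [
    Pkt("10.0.0.5", 1025, "10.0.0.80", 80, "S", 128, 64240),
    Pkt("10.0.0.80", 80, "10.0.0.5", 1025, "SA", 64, 5840),
    Pkt("10.0.0.5", 1025, "10.0.0.80", 80, "PA", 128, 64240,
        b"GET / HTTP/1.1\r\nHost: intranet\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    Pkt("10.0.0.80", 80, "10.0.0.5", 1025, "PA", 64, 5840,
        b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.29 (Unix)\r\n\r\n"),
    Pkt("10.0.0.7", 1100, "10.0.0.9", 5554, "S", 128, 64240),
    Pkt("10.0.0.9", 5554, "10.0.0.7", 1100, "SA", 128, 64240),
]
ACTIVE_SCAN_PORTS = {21, 22, 25, 53, 80, 110, 139, 443, 445}   # assumed tuning

if __name__ == "__main__":
    inv = passive_inventory(SAMPLE)
    for host, info in sorted(inv.items()):
        print(host, info)
    print("seen passively but outside the active scan:", outside_active_scan(inv, ACTIVE_SCAN_PORTS))
```

Note what the passive view yields that a port-limited active scan does not: the client software (the MSIE 6.0 user agent on 10.0.0.5), which no server-side check would ever report, and the new listener on 10.0.0.9:5554, which is only visible because someone connected to it. The same dependency cuts the other way: a server nobody talks to never appears.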

Host-Based Configuration Checking
Security teams are also beginning to deploy technologies that assess the vulnerabilities and configurations of systems directly on the hosts being monitored. Traditionally, most security teams maintain an adversarial relationship with server administrators because they are continuously pointing out problems and creating work for them.

This type of perception is changing. A wide variety of host-based technologies exist which can be deployed with or without agents that give highly accurate reports about vulnerabilities, configurations, and compliance issues. Instead of pointing out long laundry lists of vulnerabilities, these technologies can be used to show which systems are in compliance with audit standards such as Sarbanes-Oxley.

Conducting an audit of access lists and configurations is a huge undertaking for most server administrators. If the security team can do this with an automated tool, it saves an immense amount of time for the administrators. The security team also has the benefit of knowing the exact configuration and patch level of the systems being monitored. This allows them to also be much more accurate in recommending an efficient solution when attempting to mitigate known vulnerabilities.
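The following is an added example of the host-based, compliance-oriented check described in this section; it is illustrative code written for this article, not any vendor's agent. It takes facts already collected from a host (the text of its sshd_config and its installed package versions) and reports pass/fail per control together with the actual and required values, which is the form administrators can act on directly. The control identifiers, policy values, config fragment, package names and minimum versions are all constructed and are not taken from any real audit standard.

```python
"""Host-based configuration and patch-level check: given the text of a host's
sshd_config and its installed package versions, report which policy controls
pass, with the exact values so the remediation is obvious.

The policy, control ids, config text, package names and minimum versions are
constructed for illustration; they are not taken from any real audit standard.
"""
import re


def parse_kv_config(text):
    """Parse 'Keyword value' lines (sshd_config style): '#' starts a comment,
    a repeated keyword is overridden by the later line, keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def version_key(version):
    """Simplified comparison key: numeric components only ('3.6.1p2' -> (3, 6, 1, 2))."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def check_config(conf, key, expected):
    actual = conf.get(key.lower())
    return actual == expected, f"{key}={actual!r}, policy requires {expected!r}"


def check_package(pkgs, name, minimum):
    """A package that is not installed cannot be out of date: the control passes
    and the detail says so (a design choice; some policies mark it not applicable)."""
    have = pkgs.get(name)
    if have is None:
        return True, f"{name} not installed"
    return version_key(have) >= version_key(minimum), f"{name} {have}, minimum {minimum}"


# (control id, description, check) -- all constructed for this example
POLICY = [
    ("SSH-01", "root may not log in over SSH",
     lambda h: check_config(h["sshd_config"], "PermitRootLogin", "no")),
    ("SSH-02", "only SSH protocol 2 is enabled",
     lambda h: check_config(h["sshd_config"], "Protocol", "2")),
    ("PATCH-01", "openssh-server at or above the approved build",
     lambda h: check_package(h["packages"], "openssh-server", "3.7.1")),
    ("PATCH-02", "httpd at or above the approved build",
     lambda h: check_package(h["packages"], "httpd", "1.3.31")),
]


def assess(host):
    """Return [(control id, description, passed, detail)] for every control."""
    return [(cid, desc, *check(host)) for cid, desc, check in POLICY]


def failing(host):
    return [cid for cid, _, ok, _ in assess(host) if not ok]


# Constructed facts for one host, as an agent or a privileged login would collect them
SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""
PACKAGES = {"openssh-server": "3.6.1p2", "httpd": "1.3.31", "mysql-server": "3.23.58"}
HOST = {"name": "web001", "sshd_config": parse_kv_config(SSHD_CONFIG), "packages": PACKAGES}

if __name__ == "__main__":
    for cid, desc, ok, detail in assess(HOST):
        print(f"{HOST['name']} {cid} {'PASS' if ok else 'FAIL'}: {desc} ({detail})")
```

Because the report carries the exact configured value and installed version next to the required one, the security team can recommend a specific change (set PermitRootLogin to no, upgrade one package) rather than hand over a list of vulnerability names; this is the accuracy advantage of knowing the host's real configuration and patch level.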

Conclusions
Each of these technologies has a variety of political and operational advantages and disadvantages. Choosing one, some, or all for your vulnerability assessment needs can result in more accurately determining your security exposures as well as increasing the ties between the security team and network administrators.

About Ron Gula
Ron Gula is the CTO and co-founder of Tenable Network Security, which produces active, passive, and host vulnerability management solutions. Ron is also the original author of the Dragon IDS.
