Improve IT Security with Credentialed Vulnerability Scans
Garrett Lanzy, Information Security Specialist, Office of the Chancellor
garrett.lanzy@csu.mnscu.edu
651.201.1591
http://its.mnscu.edu/security

Abstract
The MnSCU Vulnerability Management Infrastructure (VMI) service provides the nCircle IP360 platform to institutions for scanning networks to comply with System Guideline 5.23.1.6. This guideline states that vulnerability scans should have authenticated (credentialed) access to scanned devices to obtain better vulnerability data. This session provides participants with a tutorial for setting up credentialed scanning and insight into the resulting vulnerability data for improving IT security.

Ground Rules
• All questions are welcome!
  – feel free to ask during the presentation
  – we do have a lot of material to get through
  – long(er) answers may be deferred to the end
• Phone/e-mail after the conference is good

Some fundamentals of VULNERABILITY MANAGEMENT

Definition: Vulnerability
• Wikipedia: “a weakness which allows an attacker to reduce a system’s information assurance.”
• ISO 27005: “A weakness of an asset or group of assets that can be exploited by one or more threats.”
• RFC 2828: “A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.”

Examples of vulnerabilities
• Software bug allows unrestricted access to a network share
• Network switch installed without changing the default administrator password
• Server application’s configuration file is writable by anyone

Vulnerability Management Process (cycle diagram)
Stages: Identify Assets, Classify Assets, Identify Vulnerabilities, Classify (prioritize) Vulnerabilities, Remediate/Mitigate Vulnerabilities
Define Policy:
• 5.23.1.5 – Security Patch Mgmt.
• 5.23.1.6 – Vulnerability Scanning
• 5.23.1.8 – Anti-malware Installation and Management

nCircle IP360
• Distributed, agentless vulnerability scanner
  – Agentless: no software installed on devices scanned for vulnerabilities
  – Distributed: local campus scanning appliances (device profilers) reduce network load
  – Distributed: authorization model allows each campus to maintain its own network and scan definitions
• Works with the nCircle Security Intelligence Hub (SIH) product for reporting

VMI Architecture
[architecture diagram]

Some Fundamentals of CREDENTIALED SCANNING

So why are we here? Because we’re not out there!
(news excerpt)
TRACKING YOUR $: State worker retreats
Updated: 04/29/2010 11:37 PM, KSTP.com
By: Bob McNaney and Becky Nahm
State employees staying in cabins on the lake, enjoying free meals and spending time relaxing during business hours. That is what 5 EYEWITNESS NEWS undercover cameras discovered last week. Tax dollars paid to send 250 workers and contractors from the Department of Employment and Economic Development to one of Minnesota's priciest resorts-Grand View Lodge on the shore of Gull Lake. [BLAH, BLAH, BLAH.…]

So why are we here?
Excerpt from System Guideline 5.23.1.6 – Vulnerability Scanning:
Part 3. Guidelines. Subpart A. Vulnerability Scans […] 3. Authenticated Scans. Scans of system-owned devices should include authenticated access to services and applications that would not be accessible without authentication. [emphasis mine]
Authenticated means the same as Credentialed.

Why credentialed scans?
• IP360 is agentless (no special software installed on systems being scanned)
• Normal scans can only gather information by observing responses from “the outside”
  – Severely limits what vulnerabilities can be found
  – Example: most “desktop” applications are not directly visible from the network
    • browsers, Microsoft Office, Adobe Reader, Flash, …

How does it work?
• Campus VMI admin stores a credential on the VnE
  – Such as user name/password
• As each system is scanned, IP360 attempts to log in using this credential
  – If successful, IP360 then looks at the system “from the inside” (files, registry entries, …)
  – Goal: obtain more complete vulnerability data

Stored password = BAD?
IP360 has multiple protections for stored credentials (“Defense in Depth”)
• Always stored encrypted
• Always transmitted encrypted
  – Except where the login protocol requires plaintext transmission (e.g., SNMP v1); even then, only on the local network between DP and device
• No display of plaintext password or private key
• No admin access to plaintext password or private key
• Only stored on VnE (not on the device profiler)

nCircle Terminology
• FactoredReasoning™ – nCircle’s non-credentialed scanning technology
• Deep Reflex Testing™ (DRT) – nCircle’s credentialed scanning technology
  – SMB-DRT: Windows credentialed scanning
  – SSH-DRT: Secure SHell credentialed scanning
  – SNMP-DRT: Simple Network Management Protocol “credentialed” scanning
• Discriminant Analysis™ – nCircle’s complete OS/service/application and vulnerability identification technology
  – Stack fingerprinting + FactoredReasoning [+ DRT]

IP360 Supported Credentials
• SMB-DRT: username/password[/domain]
  – Gives access to Windows systems
• SSH-DRT: username/private key or username/password
  – Gives access to Linux/OS X/Unix/ESX/network devices
• SNMP-DRT: SNMP v1 community string
  – Gives access to SNMP MIB data (printers, network devices, …)
  – ONLY useful if you already have SNMP v1 configured (and even then, doesn’t give much info)

Basic Setup Steps
1. Request access to the VnE Credentials role
   – Email tac-security@mnscu.edu
2. Define the appropriate credential (type, user, authentication)
3. Ensure systems to be scanned are set up with the defined credential and any necessary firewall rules
4. Store credential on VnE
5. Enable credential type in IP360 Scan Profile
6. Bind credential to IP360 Network Object(s)
   – Not required for Windows AD environments
7. Verify correct operation

Scanning with SMB CREDENTIALS

How does it work?
For each system scanned:
  Identify OS
  If Windows system AND scan profile specifies checking Windows credentials:
    Send NetBIOS query (netbios-ds, UDP port 137) to obtain system name and domain
    If a configured SMB credential matches:
      Attempt to log in via SMB (microsoft-ds, TCP port 445) using the credential
      If login succeeds:
        Query files/registry with SMB to find additional applications, services, and vulnerabilities

Setup for simple AD domain
1. Create an Active Directory domain user for scans, assign it to the domain Backup Operators group
2. Make sure system firewall settings allow device profiler access to these “File and Printer Sharing” ports: UDP 137 (netbios-ds), TCP 445 (microsoft-ds)
3. Create credential on VnE, specifying user name, password, and domain name (short “NetBIOS” format in all lowercase)
4. Enable Windows credentials on scan profile
5. That’s it! (Well, after testing.)

Creating IP360 scan credential
1. Select Discover
2. Select Credentials Management
3. Select New
[screenshot]

Create AD domain credential
[screenshot]

Enable Windows credentials on scan profile
Check the Windows box.
[screenshot]

Testing: How do I know it worked?
[screenshot]

Just to compare…
[screenshot]

Non-AD Windows: What’s different?
• Create scan user (with the same password) on each machine
  – Member of Backup Operators group on versions which support it
  – Otherwise must create an Administrator user
• Leave the domain field blank when creating the IP360 credential
• IP360 credential must be bound to all network objects where needed
  – Only one credential can be bound to any network object/IP address!
  – Binding rules and excluded addresses can cause conflicts
  – So it’s very difficult to use different users/passwords for different systems unless networks are well segmented
• Windows XP: MUST run the Internet Connection Wizard to properly enable File/Print Sharing!
Create non-AD credential
[screenshot]

Add Credential Binding (step 1)
Select New
[screenshot]

Add Credential Binding (step 2)
Voila!
[screenshot]

Enable Windows credentials
Check the Windows box.

Test results
[screenshot]

Problem Determination
• Check firewall settings.
• Check firewall settings (again).
• Verify credential is enabled in scan profile.
• Non-AD: Verify credential is bound to the correct network object.
• Check event viewer
  – May need to adjust security policy to log additional security events
• Check IP360 SMB credential processing rules (next slide).

SMB Credential Processing
SMB credentials are used for scanning Windows systems. IP360 uses the following process for SMB credentials:
1. The Device Profiler queries the Windows host. The host returns its machine name and possibly its IP address and domain. This step uses UDP port 137.
2. The Device Profiler first tries to find the most specific credential according to the host’s IP address and the credential’s network binding. The DP looks for a credential that is bound to the host’s network and restricted to an IP space that includes the host. The DP makes sure that the selected credential’s Domain (if it has been specified) matches the host’s domain.
3. If the DP makes no match in step 2, the DP looks for a credential that is bound, unrestricted, to the host’s network. The DP makes sure that the selected credential’s Domain (if it has been specified) matches the host’s domain. (There can be at most one such credential.)
4. If the DP makes no match in step 3, the DP looks for a credential with no network binding that has a Domain that the host belongs to.
5. If the DP makes no match in step 4, the DP does not authenticate against the host using an SMB credential.
Warning: UDP port 137 must be available for domain-based SMB credential matching to work.
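The following is an added example, not code from the presentation or from nCircle: a small Python model of the five SMB credential-matching steps above, so an admin can predict which stored credential the Device Profiler will pick for a given host before running a scan. The class names, the CIDR-based representation of network objects and bindings, the case-insensitive domain comparison, and all sample credentials and addresses are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the SMB credential-matching rules (steps 2 to 5 on the
# slide). Field names and sample data are assumptions, not nCircle's data model.


@dataclass(frozen=True)
class SmbCredential:
    name: str
    username: str
    domain: Optional[str] = None       # None: no Domain specified on the credential
    network: Optional[str] = None      # CIDR of the bound network object; None: unbound
    restriction: Optional[str] = None  # CIDR restricting the binding; None: unrestricted


@dataclass(frozen=True)
class Host:
    ip: str
    network: str                   # network object the host is scanned under
    domain: Optional[str] = None   # answer to the UDP 137 NetBIOS query; None if none


def _domain_matches(cred: SmbCredential, host: Host) -> bool:
    # A credential without a Domain matches any host; otherwise the NetBIOS
    # domain learned in step 1 must be known and equal (case-insensitive, assumed).
    if cred.domain is None:
        return True
    return host.domain is not None and cred.domain.lower() == host.domain.lower()


def select_smb_credential(host: Host, creds: List[SmbCredential]) -> Tuple[Optional[str], int]:
    """Return (credential name, matching step), or (None, 5) when nothing applies."""
    addr = ip_address(host.ip)

    # Step 2: bound to the host's network AND restricted to an IP space that
    # contains the host. The narrowest restriction is taken as "most specific".
    restricted = [
        c for c in creds
        if c.network == host.network
        and c.restriction is not None
        and addr in ip_network(c.restriction)
        and _domain_matches(c, host)
    ]
    if restricted:
        best = max(restricted, key=lambda c: ip_network(c.restriction).prefixlen)
        return best.name, 2

    # Step 3: bound to the host's network with no restriction (at most one exists).
    for c in creds:
        if c.network == host.network and c.restriction is None and _domain_matches(c, host):
            return c.name, 3

    # Step 4: no network binding, but a Domain the host belongs to. This step
    # depends entirely on the NetBIOS answer, which is why UDP 137 must be open.
    for c in creds:
        if c.network is None and c.domain is not None and _domain_matches(c, host):
            return c.name, 4

    # Step 5: no match; the DP scans this host without SMB authentication.
    return None, 5


# Constructed sample credentials (not real accounts or networks).
SAMPLE_CREDS = [
    SmbCredential("lab-local-admin", "scanlocal", network="10.1.0.0/16", restriction="10.1.5.0/24"),
    SmbCredential("campus-net", "scanner", domain="campus", network="10.1.0.0/16"),
    SmbCredential("campus-ad", "scanner", domain="campus"),
]

if __name__ == "__main__":
    for h in (Host("10.1.5.20", "10.1.0.0/16", "CAMPUS"),
              Host("10.1.9.4", "10.1.0.0/16", "campus"),
              Host("10.2.0.5", "10.2.0.0/16", "campus"),
              Host("10.2.0.5", "10.2.0.0/16", None)):
        print(h.ip, h.domain, "->", select_smb_credential(h, SAMPLE_CREDS))
```

The last sample host shows the failure mode the slide warns about: with no NetBIOS answer (UDP 137 blocked), a host outside any bound network can only be matched by a domain-only credential, and that match fails, so the host is scanned unauthenticated even though a valid AD credential is stored.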
Scanning with SSH CREDENTIALS

SSH DRT OS support
Best (vulnerabilities for OS and vendor-supported packages):
• RedHat Linux
• Sun/Oracle Solaris
Some support (basic OS vulnerabilities):
• Mac OS X
• VMware ESX Server
Little support (software versions identified but not patches):
• Other Linux distros (e.g., SuSE)
• Cisco IOS
• …

How does it work?
For each system scanned:
  Identify OS
  If “SSH OS” AND scan profile specifies checking SSH credentials AND an SSH credential is bound to the network object:
    Attempt to log in via SSH (TCP port 22)
    If login succeeds:
      Query files/settings with SSH to find additional applications, services, and vulnerabilities

SSH credential choices
Only 1 SSH credential can be bound to a network object – either:
• User/password
• User/key
  – Generate 1024-bit DSA public/private key pair
    • No passphrase on private key!
    • RSA keys are NOT SUPPORTED!!!
  – Configure username + private key on VnE
    • (then destroy private key)
  – Store public key in ~user/.ssh/authorized_keys on systems to be scanned
  – Best to configure user so that password cannot be used for login

Setup for SSH user/password
1. Create user on system(s) to be scanned with desired password
   – User needs to have read access to system files
2. Make sure system firewall settings allow device profiler access to SSH (TCP port 22).
3. Create credential on VnE, specifying user name and password.
4. Bind credential to network(s) to be scanned.
5. Enable SSH credentials on scan profile.
6. That’s it! (Well, after testing.)

Creating IP360 scan credential
1. Select Discover
2. Select Credentials Management
3. Select New
[screenshot]

Create SSH password credential
[screenshot]

Add Credential Binding (step 1)
Select New
[screenshot]

Add Credential Binding (step 2)
[screenshot]

Enable SSH credentials on scan profile
Check the SSH box.

Testing: How do I know it worked?
[screenshot]

Setup for SSH user/key
1. Create 1024-bit DSA key pair.
   – No passphrase on private key!!!
2. Create credential on VnE, specifying user name and private key.
3. Bind credential to network object(s) to be scanned.
4. Create user on system to be scanned.
   – User needs to have read access to system files
5. Copy public key to ~user/.ssh/authorized_keys
6. Make sure the SSH daemon is running and system firewall settings allow device profiler access to SSH (TCP port 22).
7. Enable SSH credentials on scan profile.
8. Test.
9. Deploy user/public key across systems to be scanned.

Creating key pair
[screenshot: numbered steps 1–4 showing the private key and the public key]
The public key must be copied as a single line!!! (Best to use a copy command instead of cut/paste.)

Create SSH key credential
[screenshot]

Add Credential Binding (step 1)
Select New
[screenshot]

Add Credential Binding (step 2)
[screenshot]

Copy public key
[screenshot]

Example: enabling SSH on OS X
[screenshot]

Enable SSH credentials on scan profile
Check the SSH box.

Testing
[screenshot]

Scanning with SNMP CREDENTIALS

Setup for SNMP credential
1. Only useful if SNMP v1 is already set up! If you have both read/write (“set”) and read-only (“get”) community names, use the read-only one.
2. Create credential on VnE, specifying community name.
3. Bind credential to network(s) to be scanned.
4. Enable SNMP credentials on scan profile.
5. Test (but you may not see anything).

Create SNMP credential
[screenshot]

Add Credential Binding (step 1)
Select New
[screenshot]

Add Credential Binding (step 2)
Credential is bound.
[screenshot]

Enable SNMP credentials on scan profile
Check the SNMP box.

Testing (as it is)
[screenshot]

… and a little more info
[screenshot]

Summary
• SMB credential scanning is the best “bang for the buck” in most environments – especially AD
• SSH credential scanning is useful for RedHat, Solaris, OS X, and ESX systems
• SNMP credential scanning only if you already have SNMP v1 deployed

Call to arms!
• This summer, would it be possible to:
  – Set up credentialed scanning for all AD environments?
  – Set up credentialed scanning for (most) critical servers?
    • And maybe even non-AD workstation environments with good desktop management capabilities (e.g., ZenWorks, …)?
• If you have other ideas, let’s talk!

It’s your turn! QUESTIONS?
Please fill out the feedback survey!!!
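The public key copied into ~user/.ssh/authorized_keys in the SSH user/key setup above has to arrive as one line of the right key type, and a cut/paste that wraps it is the usual reason the scan login silently fails. The following is an added example, not code from the presentation, nCircle or OpenSSH: a Python check that rejoins a key split across lines, confirms the key material actually carries the declared type in the SSH wire format, and rejects anything other than ssh-dss, since the slides state that SSH-DRT supports only DSA keys. The function name and the sample key material (a correctly framed header with a dummy body, not a usable key) are constructed for this example.

```python
import base64
import re

# Constructed helper for the authorized_keys step: rejoin a wrapped public key
# and check it is a single DSA key. Names and samples are assumptions for this
# example, not part of IP360 or OpenSSH.

SUPPORTED_TYPES = {"ssh-dss"}            # per the slides: DSA only, RSA not supported
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]+$")


def normalize_public_key(text: str) -> str:
    """Return the key as one 'type blob comment' line, or raise ValueError."""
    tokens = text.split()                # splits on any whitespace, stray newlines included
    if not tokens:
        raise ValueError("empty key text")
    key_type = tokens[0]
    if key_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}; SSH-DRT needs ssh-dss")

    # Every base64-looking token after the type is key material that line
    # wrapping may have split; the first token that is not base64 starts the comment.
    i = 1
    parts = []
    while i < len(tokens) and _B64_TOKEN.match(tokens[i]):
        parts.append(tokens[i])
        i += 1
    blob = "".join(parts)
    comment = " ".join(tokens[i:])
    if not blob:
        raise ValueError("no key material after the key type")

    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:            # binascii.Error is a subclass of ValueError
        raise ValueError(f"key material is not valid base64: {exc}") from None

    # SSH public key wire format: 4-byte big-endian length, then the type string.
    # A mismatch means the blob is truncated or belongs to a different key type.
    n = int.from_bytes(raw[:4], "big")
    if raw[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key material does not match the declared key type")

    return f"{key_type} {blob} {comment}".strip()


def _fake_blob(key_type: str) -> str:
    # Constructed key material: correct wire-format header, dummy body (not a real key).
    body = len(key_type).to_bytes(4, "big") + key_type.encode("ascii") + bytes(40)
    return base64.b64encode(body).decode("ascii")


SAMPLE_DSA_BLOB = _fake_blob("ssh-dss")
SAMPLE_SINGLE_LINE_KEY = f"ssh-dss {SAMPLE_DSA_BLOB} scanuser@vne.example"
# The same key after a cut/paste wrapped it onto three lines.
SAMPLE_SPLIT_KEY = f"ssh-dss {SAMPLE_DSA_BLOB[:30]}\n{SAMPLE_DSA_BLOB[30:]}\nscanuser@vne.example"
SAMPLE_RSA_KEY = f"ssh-rsa {_fake_blob('ssh-rsa')} scanuser@vne.example"

if __name__ == "__main__":
    print(normalize_public_key(SAMPLE_SPLIT_KEY))
    for bad in (SAMPLE_RSA_KEY, "ssh-dss " + _fake_blob("ssh-rsa") + " scanuser@vne.example"):
        try:
            normalize_public_key(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Running the check on each public key before it is deployed to the scanned systems (step 9) catches the wrapped-line and wrong-key-type cases at copy time rather than during a failed test scan.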