PowerPoint Format ()

advertisement
Improve IT Security with
Credentialed Vulnerability
Scans
Garrett Lanzy
Information Security Specialist
Office of the Chancellor
garrett.lanzy@csu.mnscu.edu
651.201.1591
http://its.mnscu.edu/security
Abstract
The MnSCU Vulnerability Management Infrastructure (VMI) service
provides the nCircle IP360 platform to institutions for scanning
networks to comply with System Guideline 5.23.1.6. This guideline
states that vulnerability scans should have authenticated
(credentialed) access to scanned devices to obtain better vulnerability
data. This session provides participants with a tutorial for setting up
credentialed scanning and insight into the resulting vulnerability data
for improving IT security.
Ground Rules
• All questions are welcome!
– feel free to ask during the presentation
– we do have a lot of material to get through
– long(er) answers may be deferred to end
• Phone/e-mail after the conference is good
Some fundamentals of
VULNERABILITY MANAGEMENT
Definition: Vulnerability
• Wikipedia: “a weakness which allows an attacker to reduce
a system’s information assurance.”
• ISO 27005: “A weakness of an asset or group of assets that
can be exploited by one or more threats.”
• RFC 2828: “A flaw or weakness in a system’s design,
implementation, or operation and management that could
be exploited to violate the system’s security policy.”
Examples of vulnerabilities
• Software bug allows unrestricted access to
network share
• Network switch installed without changing
the default administrator password
• Server application’s configuration file is
writable by anyone
Vulnerability Management
Process
Identify
Assets
Define Policy
•
•
•
Classify
Assets
5.23.1.5 – Security Patch Mgmt.
5.23.1.6 – Vulnerability Scanning
5.23.1.8 – Anti-malware Installation
and Management
Remediate/Mi
tigate
Vulnerabilities
Identify
Vulnerabilities
Classify
(prioritize)
Vulnerabilities
nCircle IP360
• Distributed, agentless vulnerability scanner
– Agentless: no software installed on devices scanned for
vulnerabilities
– Distributed: local campus scanning appliances (device profilers)
reduce network load
– Distributed: authorization model allows each campus to
maintain own network and scan definitions
• Works with nCircle Security Intelligence Hub (SIH) product
for reporting
VMI Architecture
Some Fundaments of
CREDENTIALED SCANNING
So why are we here?
Because we’re not out there!
TRACKING YOUR $: State worker retreats
Updated: 04/29/2010 11:37 PM KSTP.com By: Bob McNaney and Becky Nahm
State employees staying in cabins on the lake,
enjoying free meals and spending time relaxing during
business hours. That is what 5 EYEWITNESS NEWS
undercover cameras discovered last week.
Tax dollars paid to send 250 workers and contractors
from the Department of Employment and Economic
Development to one of Minnesota's priciest resorts-Grand View Lodge on the shore of Gull Lake.
[BLAH, BLAH, BLAH.…]
So why are we here?
Excerpt from System Guideline 5.23.1.6 – Vulnerability
Scanning:
Part 3. Guidelines.
Subpart A. Vulnerability Scans […]
3. Authenticated Scans. Scans of system-owned
devices should include authenticated access to
services and applications that would not be
accessible without authentication. [emphasis mine]
Authenticated means same as Credentialed
Why credentialed scans?
• IP360 is agentless (no special software installed on
systems being scanned)
• Normal scans can only gather information by
observing responses from “the outside”
– Severely limits what vulnerabilities can be found
– Example: most “desktop” applications are not directly
visible from the network
• browsers, Microsoft Office, Adobe Reader, Flash, ….
How does it work?
• Campus VMI admin stores a credential on the VnE
– Such as user name/password
• As each system is scanned, IP360 attempts to log in
using this credential
– If successful, IP360 then looks at system “from the inside”
(files, registry entries, …)
– Goal: obtain more complete vulnerability data
Stored password = BAD?
IP360 has multiple protections for stored credentials
(“Defense in Depth”)
• Always stored encrypted
• Always transmitted encrypted
– Except where login protocol requires plaintext transmission (i.e.,
SNMP v1) – even then, only on local network between DP and device
• No display of plaintext password or private key
• No admin access to plaintext password or private key
• Only stored on VnE (not device profiler)
nCircle Terminology
• FactoredReasoning™ - nCircle’s non-credentialed scanning technology
• Deep Reflex Testing™ (DRT) - nCircle’s credentialed scanning technology
– SMB-DRT: Windows credentialed scanning
– SSH-DRT: Secure SHell credentialed scanning
– SNMP-DRT: Simple Network Management Protocol “credentialed” scanning
• Discriminant Analysis™ - nCircle’s complete OS/service/application and
vulnerability application technology
– Stack fingerprinting + FactoredReasoning [+ DRT]
IP360 Supported Credentials
• SMB-DRT: username/password[/domain]
– Gives access to Windows systems
• SSH-DRT username/private key or username/password
– Gives access to Linux/OS X/Unix/ESX/network devices
• SNMP-DRT: SNMP v1 Community String
– Gives access to SNMP MIB data (printers, network devices, …)
– ONLY useful if you already have SNMP v1 configured (and even
then, doesn’t give much info)
Basic Setup Steps
1.
Request access to VnE Credentials role
–
Email to tac-security@mnscu.edu
2.
Define appropriate credential (type, user, authentication)
3.
Insure systems to be scanned set up with defined credential and any
necessary firewall rules
4.
Store credential on VnE
5.
Enable credential type in IP360 Scan Profile
6.
Bind credential to IP360 Network Object(s)
–
7.
Not required for Windows AD environments
Verify correct operation
Scanning with
SMB CREDENTIALS
How does it work?
For each system scanned
Identify OS
If Windows system AND scan profile specifies checking Windows credentials
Send NetBIOS query (netbios-ds, UDP port 137) to obtain system name and
domain
If a configured SMB credential matches
Attempt to log in via SMB (microsoft-ds, TCP port 445) in using
credential
If login succeeds
Query files/registry with SMB to find additional
applications, services, and vulnerabilities
Setup for simple AD domain
1.
Create Active Directory domain user for scans, assign to domain
Backup Operators group
2.
Make sure system firewall settings allow device profiler access to
these “File and Printer Sharing” ports:
UDP 137 (netbios-ds), TCP 445 (microsoft-ds)
3.
Create credential on VnE, specifying user name, password, and
domain name (short “NetBIOS” format in all lowercase)
4.
Enable Windows credentials on scan profile
5.
That’s it! (Well, after testing )
Creating IP360 scan credential
1. Select Discover
3. Select New
2. Select Credentials Management
Create AD domain credential
Enable Windows credentials on scan profile
Check Windows box
Testing: How do I know it worked?

Just to compare…
Non-AD Windows: What’s different?
• Create scan user (with same password) on each machine
– Member of Backup Operators group on versions which support it
– Otherwise must create an Administrator user
• Leave domain field blank when creating IP360 credential
• IP360 credential must be bound to all network objects where needed
– Only one credential can be bound to any network object/IP address!
– Binding rules and excluded addresses can cause conflicts
– So it’s very difficult to use different users/passwords for different systems
unless networks are well-segmented
• Windows XP: MUST run Internet Connection Wizard to properly enable
File/Print Sharing!
Create non-AD credential
Add Credential Binding (step 1)
Select New
Add Credential Binding (step 2)
Voila!
Enable Windows credentials
Check Windows box
Test results

Problem Determination
• Check firewall settings.
• Check firewall settings (again).
• Verify credential is enabled in scan profile.
• Non-AD: Verify credential is bound to correct network object.
• Check event viewer
– May need to adjust security policy to log additional security events
• Check IP360 SMB credential processing rules (next slide).
SMB Credential Processing
SMB credentials are used for scanning Windows systems. IP360 uses the following process for SMB credentials:
1.
The Device Profiler queries the Windows host. The host returns its machine name and possibly its IP address
and domain. This step uses UDP port 137.
2.
The Device Profiler first tries to find the most specific credential according to the host’s IP address and the
credential’s network binding. The DP looks for a credential that is bound to the host’s network and restricted to
an IP space that includes the host. The DP makes sure that the selected credential’s Domain (if it has been
specified) matches the host’s domain.
3.
If the DP makes no match in step 2, the DP looks for a credential that is bound, unrestricted, to the host’s
network. The DP makes sure that the selected credential’s Domain (if it has been specified) matches the host’s
domain. (There can be at most one such credential.)
4.
If the DP makes no match in step 3, the DP looks for a credential with no network binding that has a Domain
that the host belongs to.
5.
If the DP makes no match in step 4, the DP does not authenticate against the host using an SMB credential.
Warning: UDP port 137 must be available for domain-based SMB credential-matching to work.
Scanning with
SSH CREDENTIALS
SSH DRT OS support
Best (vulnerabilities for OS and vendor-supported packages):
•
RedHat Linux
•
Sun/Oracle Solaris
Some support (basic OS vulnerabilities):
•
Mac OS X
•
VMware ESX Server
Little support (software versions identified but not patches):
•
Other Linux distros (i.e., SuSE)
•
Cisco IOS
•
…
How does it work?
For each system scanned
Identify OS
If “SSH OS” AND scan profile specifies checking SSH credentials
AND an SSH credential is bound to network object
Attempt to log in via SSH (TCP port 22)
If login succeeds
Query files/settings with SSH to find additional
applications, services, and vulnerabilities
SSH credential choices
Only 1 SSH credential can be bound to a network object – either:
• User/password
• User/key
– Generate 1024-bit DSA public/private key pair
• No passphrase on private key!
• RSA keys are NOT SUPPORTED!!!
– Configure username + private key on VnE
• (then destroy private key)
– Store public key in ~user/.ssh/authorized_keys on systems to be scanned
– Best to configure user so that password cannot be used for login
Setup for SSH user/password
1.
Create user on system(s) to be scanned with desired password
–
2.
User needs to have read access to system files
Make sure system firewall settings allow device profiler access to
SSH (TCP port 22).
3.
Create credential on VnE, specifying user name and password.
4.
Bind credential to network(s) to be scanned.
5.
Enable SSH credentials on scan profile.
6.
That’s it! (Well, after testing )
Creating IP360 scan credential
1. Select Discover
3. Select New
2. Select Credentials Management
Create SSH password credential
Add Credential Binding (step 1)
Select New
Add Credential Binding (step 2)
Enable SSH credentials on scan profile
Check SSH box
Testing: How do I know it worked?

Setup for SSH user/key
1.
Create 1024-bit DSA key pair.
–
No passphrase on private key!!!
2.
Create credential on VnE, specifying user name and private key.
3.
Bind credential to network object(s) to be scanned.
4.
Create user on system to be scanned .
–
User needs to have read access to system files
5.
Copy public key to ~user/.ssh/authorized_keys
6.
Make sure SSH daemon is running and system firewall settings allow device
profiler access to SSH (TCP port 22).
7.
Enable SSH credentials on scan profile.
8.
Test.
9.
Deploy user/public key across systems to be scanned.
Creating key pair
1
3
4
2
Private key
Public key
Must be copied as a single line!!! (Best to use a
copy command instead of cut/paste.)
Create SSH key credential
Add Credential Binding (step 1)
Select New
Add Credential Binding (step 2)
Copy public key
Example: enabling SSH on OS X
Enable SSH credentials on scan profile
Check SSH box
Testing

Scanning with
SNMP CREDENTIALS
Setup for SNMP credential
1. Only useful if SNMP v1 is already set up! If you have both
read/write (“set”) and read-only (“get”) community
names, use the read-only one.
2. Create credential on VnE, specifying community name.
3. Bind credential to network(s) to be scanned.
4. Enable SNMP credentials on scan profile.
5. Test (but you may not see anything).
Create SNMP credential
Add Credential Binding (step 1)
Select New
Add Credential Binding (step 2)
Credential is bound
Enable SNMP credentials on scan profile
Check SNMP box
Testing (as it is)
… and a little more info
Summary
• SMB credential scanning is best “bang for the
buck” in most environments – especially AD
• SSH credential scanning useful for Redhat,
Solaris, OS X, and ESX systems
• SNMP credential scanning only if you already
have SNMP v1 deployed
Call to arms!
• This summer, would it be possible to:
– Set up credentialed scanning for all AD environments?
– Set up credentialed scanning for (most) critical servers?
• And maybe even non-AD workstation environments
with good desktop management capabilities (i.e.,
ZenWorks, …)?
• If you have other ideas, let’s talk!
It’s your turn!
QUESTIONS?
Please fill out the feedback survey!!!
Improve IT Security with
Credentialed Vulnerability
Scans
Garrett Lanzy
Information Security Specialist
Office of the Chancellor
garrett.lanzy@csu.mnscu.edu
651.201.1591
http://its.mnscu.edu/security
Download