
News In Review

May 24, 1999

CyberCop Patrols On Linux

Network Associates scanner detects security, system vulnerabilities

By Diane E. Levine

First Look

For Linux to succeed as a business platform, IT departments need some utilities that haven't been commercially available. One of those missing pieces is now available: a network scanner.

Network Associates Inc. has shelved its Sun Microsystems Solaris network scanner and replaced it with a version for Linux. CyberCop Scanner 2.5 is the first commercially available Linux network scanner.

CyberCop Scanner 2.5 scans and audits an entire network or individual hosts to verify and report on network and system security vulnerabilities before they become problems. CyberCop tests for more than 540 vulnerabilities and provides summaries, detailed reports, and advice. Network Associates provides monthly engine, resolution, and vulnerability database updates via its AutoUpdate technology. Because intrusion attacks sometimes evade network intrusion-detection sensors, host monitoring with CyberCop provides information on events and system behaviors, compares these against a rules database, and identifies possible intrusion attempts.

Installing CyberCop requires no special training; a novice security or auditing staffer can use it easily. Because CyberCop locates and explains security glitches that may be overlooked during system checks, the product actually enhances the user's knowledge.

However, less-experienced users should be very careful. The vulnerability database is crucial; tampering with it may render the product inoperable. A warning informs the user of the database's sensitivity.

After activating the scanner, I was presented with a screen showing several tabs across the top. The Scan Configuration tab let me specify important file locations, domain name, and machine IP ranges. Alternatively, I tested without supplying this information and let CyberCop search the host and the network and capture what existed. The scanner did a thorough job of detecting and reporting vulnerabilities in both cases.

Through the Module Configuration tab, I was able to select from the more than 540 tests in the vulnerability database. Twenty-six techniques to attack network intrusion-detection systems are included in the tests.

I ran several scans, selecting different tests to include for each. These selections provided a direct look into the vulnerability database and the systems information related to the problems. I was also able to create custom scans to reflect a specific security policy.

After completing the configuration file, I began a scanning routine predicated on the vulnerabilities in the file. Another tab, Scan Progress, provided realistic module monitoring so I could know which modules were running and what was being scanned. The scanner displayed and highlighted on-screen all located vulnerabilities. The Reports tab helped to generate reports and graphs of the scan in HTML, RTF, ASCII, or CSV formats. The product also produced differential reports for comparisons.

CyberCop's distinct features include the ability to audit a domain name server for cache-corruption attacks. I used the intrusion-detection system testing capability of customized attack scripts to test the product's efficiency. This also provided a listing of the scripts displayed in the screen's left window, with a detailed description of each script in the right. The Custom Audit Scripting Language provided a method for constructing attack packets for situations that are unique to an environment.

Keep Testing

You need to test repeatedly, because changes in the system alter its vulnerabilities. I tested after making fixes, system changes, and upgrades. The scanner found discrepancies during the new scans following changes to the system and indicated definite vulnerabilities with suggested solutions.
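The differential report described above (compare a scan taken before a change with one taken after it, and show what appeared, what went away, and what persisted) is simple to reproduce from the CSV export. The following is an added example, not CyberCop code; the four-column CSV layout and the sample findings are constructed for illustration, since the article does not show the product's actual report format.

```python
import csv
from io import StringIO

# Constructed sample reports in an assumed host,vuln_id,severity,description layout.
# 192.0.2.0/24 is a documentation range; the findings are illustrative only.
BEFORE_CSV = """host,vuln_id,severity,description
192.0.2.10,1001,high,mail relay configuration too permissive
192.0.2.10,1007,medium,finger service enabled
192.0.2.11,2003,high,DNS cache-corruption check failed
192.0.2.11,1007,medium,finger service enabled
"""

# Rescan after fixes and an upgrade: one fix landed, one finger service was
# disabled, and a newly installed web server and FTP host introduced new findings.
AFTER_CSV = """host,vuln_id,severity,description
192.0.2.10,1007,medium,finger service enabled
192.0.2.11,2003,high,DNS cache-corruption check failed
192.0.2.12,3010,low,anonymous FTP enabled
192.0.2.10,4020,high,web server directory listing enabled
"""

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def load_findings(csv_text):
    """Index a scan report by (host, vuln_id) so two scans can be set-compared."""
    return {(row["host"], row["vuln_id"]): row
            for row in csv.DictReader(StringIO(csv_text))}


def differential(before_csv, after_csv):
    """Return the new, resolved and persistent findings between two scans."""
    before, after = load_findings(before_csv), load_findings(after_csv)
    return {
        "new": sorted(set(after) - set(before)),
        "resolved": sorted(set(before) - set(after)),
        "persistent": sorted(set(before) & set(after)),
    }


def highest_new_severity(before_csv, after_csv):
    """Worst severity among findings introduced since the previous scan, or None."""
    after = load_findings(after_csv)
    severities = [after[k]["severity"] for k in differential(before_csv, after_csv)["new"]]
    return max(severities, key=SEVERITY_ORDER.get) if severities else None


if __name__ == "__main__":
    for label, keys in differential(BEFORE_CSV, AFTER_CSV).items():
        print(f"{label}: {keys}")
    print("highest new severity:", highest_new_severity(BEFORE_CSV, AFTER_CSV))
```

Running the differential after every fix or upgrade turns the scanner's raw finding list into a change record, which is what makes the repeated testing the author recommends manageable.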

Based on CyberCop's ease of use and the results it produces, it's a definite tool of choice for detecting system and network vulnerabilities. Pricing is on a per-node-scanned basis. A Windows NT 4 version of the product is also available.

CyberCop Scanner makes it easier to avoid hiring a consultant to find vulnerabilities. However, fixing the problems located is another matter.

Diane E. Levine is president of Strategic Systems Management Ltd., a New York security and business continuity consulting firm. She can be reached at maitrise@earthlink.net.
