The goal of a network security audit is to get an understanding of where the vulnerabilities are, how severe they are, and what needs to be done to fix them. There are security holes that do not need to be fixed or, at least, can be prioritized as a small risk, which would take an inordinate amount of work to overcome. The first step to securing a company's information systems is admitting that the job will never be finished. Security tools are getting friendlier, and performing a security audit has become more of a doable, everyday task.
Full text
TEST CENTER ANALYSIS
Protect yourself from hackers with the right plan and the right tools
Performing a network security audit is like going to the dentist's office: It's hard to find time to do it, and when you finally do get around to it, you can only look forward to bad news. Of course, the benefits of an audit are much like those of a dental checkup -- advance notice of problems can prevent them from becoming very serious if ignored.
The goal of a security audit is to get an understanding of where the vulnerabilities are, how severe they are, and what needs to be done to fix them. It may sound like sacrilege, but there really are security holes that do not need to be fixed or, at least, can be prioritized as a small risk, which would take an inordinate amount of work to overcome. Putting things in perspective is almost as much work as the audit itself.
One key to understanding the relative importance of any given security flaw is to ask yourself, "Is this the only way, or the most vulnerable way, this breach could occur?" After all, if someone is so intent on stealing your data that they're likely to "brute force" a password, aren't they just as likely to dress like a janitor and rifle through your filing cabinets at night?
GETTING MORE SLEEP AT NIGHT. As hard as it might be to swallow, the first step to securing your company's information systems is admitting that the job will never be finished. If history has taught us anything, it is that the human mind can, and will, find a way into any box, no matter how tightly sealed. The quicker you come to grips with this reality, the more sleep you will likely get at night.
That said, there are things you can do to ensure that your network is as secure as possible, given the constraints of time and the manpower shortages every IT shop faces. A security audit is a great place to start, and based on its results you may decide to invest further resources in actually upgrading security - but at least you'll know where you stand today.
Until recently, the tools available to help secure a network required an in-depth understanding of everything from TCP/IP to a Unix kernel's treatment of user rights. On top of that, the tools themselves were almost universally immature and ornery. Just getting them to work required some pretty serious Unix expertise - as if the only dentist in town worked in an unmarked building, had no phone listing, and only gave diagnoses in Latin.
AN EVERYDAY TASK. Because of that, security has been one of those topics that everyone agreed was important, but which no one seemed willing to do much about, except in those rare situations in which a security breach could cause huge amounts of damage. Fortunately, security tools are getting friendlier, and performing a security audit is less of a black art and more of a doable, everyday IS task. In fact, it has to be an everyday task; securing a network is an ongoing process, not a one-time effort. Changes are made to the network every day. The most that any tool can give you is a snapshot in time, and for a tool to be useful you will need to make security auditing part of normal network maintenance.
In this Test Center Analysis, we set out to establish a blueprint for performing a comprehensive network security audit in addition to testing the best tools to do the job. We decided the most useful way to achieve this goal would be to carry out an actual security audit using these tools on a "typical network" in the InfoWorld Test Center. The tools tested include Enterprise Security Manager 4.4 from Axent Technologies, Internet Security Scanner 5.0 for Windows NT from Internet Security Systems, a beta version of WheelGroup's NetSonar, and finally, from the freeware sphere, Security Administrator's Tool for Auditing Networks, or Satan. To widen our market scope, we also assessed an outsourced security offering. Internetworking and Security Consulting Services, a wing of International Network Services, came to our test lab to perform its own security audit. (See "Outsourcing your security problems," page 62.) Our test network is made up of various hosts, including Windows, Unix, and Novell platforms, as well as other critical pieces of network infrastructure - a WAN router, a remote-access server, and a firewall, all of which run TCP/IP.
When possible we make specific recommendations, but as many of the things we discovered may not be applicable to every network, our main intention is to be informative about the general steps that should be taken to secure your network. (See "Security audit resource guide," page 60, and "Security audit checklist," page 62.) By our journey's end, you should have an adequate battle plan for conquering your network security demons and a snappy answer when you get that memo from your CEO asking how secure the enterprise network really is.
Conclusions
There is no question that the tools we tested do a tremendous job of lessening the workload of a comprehensive security audit, as well as keeping IT staff up to date on the latest vulnerabilities in new technology. In looking at the available tools, we found there really is no magic bullet that will alert you to every possible security issue - and there probably never will be. Like any good craftsman, a savvy administrator will rely on a complete set of tools, using each one whenever it is appropriate. However, if you rely solely on these tools you will be building a false sense of security. Simply put, security auditing tools are the distillation of the combined knowledge of determined and creative hackers the world over into a "tame" package with a simple-to-use GUI, and they shouldn't be regarded as a replacement for common sense and human vigilance.
The market leader in this space, Internet Scanner 5.0 for Windows NT from Internet Security Systems, showed us an impressively detailed and comprehensive list of vulnerabilities on our test network. Internet Scanner helpfully explained and referenced these vulnerabilities in appealing graphical reports. We were particularly impressed by the array of current NT denial-of-service weaknesses that Internet Scanner found. This was unmatched by any other product. However, Internet Scanner did not catch everything, which points to the necessity for additional tools when assessing the security of an enterprise network (host-based tools in particular). Its omissions included an inability to adequately probe our NetWare server and remote-access server. Internet Scanner's network-centric viewpoint limited its capacity to assess host-based file system and configuration vulnerabilities. Overall, Internet Scanner is a must-have tool, and it can bring even those wholly unfamiliar with security concepts quickly up to speed on the state of security on their network.
Axent's Enterprise Security Manager (ESM) 4.4 employs a manager/agent mechanism, as opposed to Internet Scanner's remote-probe approach. If you can get around the idea of having an additional piece of software residing on your machines, ESM will identify the host-based holes that Internet Scanner may have missed. Even better, it has agents for almost all flavors of Unix, VMS, NT, and NetWare (Bindery and Novell Directory Services). Axent also makes available agents for Oracle databases and AS/400, and it plans to release agents for firewalls, routers, and Web servers.
WheelGroup's recently released NetSonar scanner currently runs only on the Sun Solaris OS, but it supports a less-restrictive licensing arrangement than Internet Scanner and has the benefit of WheelGroup's considerable experience in IS security. We used an early beta of NetSonar to scan our test networks and it found a number of NT vulnerabilities in addition to the standard TCP/IP fare. On the downside, the beta release took noticeably longer to complete its scan of our network than the other tools and had difficulty functioning when we changed the IP address of the workstation on which it was installed.
Dan Farmer and Wietse Venema's well-known freeware utility, Security Administrator's Tool for Auditing Networks (Satan), showed similar configuration idiosyncrasies. Satan is a handy and free TCP/IP scanning tool, but it's certainly beginning to show its age compared to the new breed of auditing tools that are updated on a consistent basis.
If your company doesn't have the resources or expertise to conduct your own security audit, you should consider outsourcing this task to a qualified consultant. Even if you have the necessary in-house capabilities, the wisdom and unbiased viewpoint of a consultant can provide additional benefits. Our experience with International Network Services' security auditing service was eye-opening even in light of our previous scans with off-the-shelf auditing tools. (See related article on page 62.)
Finally, it is important to recognize that a security audit is just one part of a continuing process to secure corporate information assets. Knowing and learning about other aspects of security is paramount.
Fortunately, there is a large amount of publicly available information on computer security, thanks mostly to a thriving community of researchers, developers, and users who generously share their knowledge and experience on the Internet. We highly recommend that IT staff at all levels tap into this flow, and in our "Security audit resource guide" on page 60, we provide some key launch points for a quick self-education in how to think like a security administrator.
Copyright InfoWorld Publications, Inc. Mar 16, 1998
