Sunbelt Network Security Inspector User Guide


Sunbelt Network Security Inspector Quick Start Guide

Sunbelt Network Security Inspector™ v.2.0 User Guide 2 http://www.sunbeltsoftware.com/support Copyright© 2004-2008 Sunbelt Software, Inc. All rights reserved. [email protected] Other product and company names herein may be trademarks of their respective companies. Toll-free Technical Support: 877-673-1153

Use of this software is subject to the End User License Agreement found in the product directory (C:\Program Files\Sunbelt Software\SNSI\eula.rtf). By installing the software, you agree to accept the terms of the License Agreement. Sunbelt Network Security Inspector™ v.2.0. Copyright (c) 2004-2008 Sunbelt Software, Inc. All rights reserved. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Information in this document is subject to change without notice. No part of this publication may be reproduced, photocopied, stored in a retrieval system, transmitted, or translated into any language without the prior written permission of Sunbelt Software, Inc.


Table of Contents

Chapter 1: Introduction
    System Requirements
    SNSI's User Interface

Chapter 2: Configuring SNSI's Options
    Registering SNSI
    Updating Vulnerability Definitions
    Configuring the Proxy Settings
    Configuring the SNSI Interface
    Configuring Logging Settings

Chapter 3: Getting Started

Chapter 4: Working with Groups
    Creating Authentication Groups
    Vulnerabilities
    Port Groups

Chapter 5: Working with Policies
    Creating a Policy
    Working with the Policy Wizard
    Configuring the Policy Settings

Chapter 6: Working with Scans
    Scanning Overview
    Running a Scan
    Scan History Page
    Assessment Levels
    Drilling-down in the Scan History

Chapter 7: Working with Reports
    Executive Summary Report
    Scan Summary Report
    Vulnerability Detail Report
    Vulnerability Details by Target Report

Appendix I: Glossary

Appendix II: Contacting Customer Support


Chapter 1: Introduction

Welcome! Sunbelt Network Security Inspector™ (SNSI) is a network vulnerability scanner that enables system administrators to quickly and accurately identify network security holes, offering proactive protection from hackers, viruses, and other threats. SNSI scans for security risks on any networked machine, including Windows servers, workstations, and printers that have IP addresses.

There are three ways to get information about SNSI:

• The Quick Start Guide covers the basic information needed to get SNSI up and running so that you can start scanning and protecting your network right away.
• The Online Help is your primary resource for answers to questions you may have while using SNSI. The Help contains overviews and procedural information about the tasks you can perform in the application, as well as descriptions of each screen and dialog box in the application with detailed information about each field they contain.
• The User Guide contains the same information as the Online Help, structured for use as a reference manual.

System Requirements

Your computer must meet the following system requirements in order to run SNSI effectively:

Administrator Requirements

• 1 GHz processor, minimum; 2 GHz or higher processor, recommended
• Windows XP Professional SP2
• Windows Server 2003 SP1
• .NET 2.0 SP1
• 20 GB available disk space
• 1 GB RAM, minimum; 2 GB RAM or higher, recommended
• Monitor resolution 1024 x 768 or higher
• PDF reader (for reports)

Target Computer Requirements

Target computers should have one of the following platforms:

• Windows Server 2003
• Windows 95 / 98 / Me / 2000 / XP Pro and Home / Vista
• Windows NT 3.51 / 4.0
• Red Hat® Linux®
• Red Hat Enterprise Linux 2.1 and later
• Red Hat Fedora
• Mandrake Linux™
• Mac OSX
• SUSE Linux™
• Sun™ Solaris™ 2.5.1 and later
• HP-UX 10, 11 and later
• HP Printers
• Cisco® Routers

SNSI's User Interface

SNSI has two main panes: the Explorer Pane and the Page Pane. The first page displayed, before any actions are made, is the Start Page as shown below.

In the default arrangement, the Explorer Pane is located on the left side of the screen, running vertically. The Page Pane is located to its right. The Page Pane splits horizontally when more details exist for a selected item. For instance, if you select a vulnerability, details about that vulnerability are displayed as shown below.


Notice that there are now two tabs at the top of the Page Pane. Each time a page opens, a new tab is shown. This allows you to keep recent work open and pull it up with a single click of a tab.


Chapter 2: Configuring SNSI's Options

General options for SNSI are available by selecting Tools>Options from the SNSI Toolbar. From the Options dialog box, you can register the product, get updates, and configure the proxy, user interface, and logging.

Note: You can configure the Options at any time while working with SNSI.

Registering SNSI

There are certain features that are unavailable in SNSI until you have a License Key. To get a License Key, call Sunbelt Sales at 888-688-8457. To register SNSI, you must have the program installed and open. You also need to have an Internet connection.

To register SNSI:

1. From the SNSI Toolbar, select Tools>Options>Registration tab. The Registration tab displays.
2. Enter the License Key that you received from Sunbelt.
3. Click Register Product. Your product is registered, allowing full access to all of SNSI's features.
4. Click OK to exit out of the dialog box.


Updating Vulnerability Definitions

SNSI can regularly check for updates to the vulnerability definitions. You can also check for definition updates manually, or load the definitions from a stored location.

To set up auto updates for vulnerability definitions:

1. From the SNSI Toolbar, select Tools>Options>Vulnerability Updates tab. The Vulnerability Updates tab displays.
2. Select Automatic. The time field below becomes enabled.
3. Enter a time for SNSI to automatically check for updates.

To manually update vulnerability definitions:

1. Select Tools>Options>Vulnerability Updates tab. The Vulnerability Updates tab displays.
2. Click Update Now. SNSI connects to Sunbelt Software and gets the most recent updates.
   -or-
   Click Load File. Locate the definitions file from the stored location.
3. Click OK. The vulnerability definitions are now updated and the dialog box closes.


Configuring the Proxy Settings

SNSI requires access to the Internet in order to perform certain operations, such as vulnerability updates, software updates, and registration. If you connect to the Internet through a proxy server, enter the information in the Proxy Settings tab.

To configure the proxy settings:

1. From the SNSI Toolbar, select Tools>Options>Proxy Settings tab. The Proxy Settings tab displays.
2. Select Use a proxy server and input your server's address and port.
3. Enter the authentication information, if required.
4. Click Test. SNSI verifies that the proxy information is correct. The result of the test is displayed in the box below the button.
5. If the test fails, verify the information you entered is correct and try again.
6. If the test is successful, click OK. Your proxy settings are set and the Options dialog box closes.


Configuring the SNSI Interface

You can configure SNSI's user interface to display with customized presets.

To configure the user interface:

1. From the SNSI Toolbar, select Tools>Options>User Interface.

2. Optionally, make your desired selections for the following areas:

• Explorer Settings:
    o Remember size and position - retains explorer size and location from the last time being used.
    o Open each policy in a new tab - select to keep multiple policy pages open in the Page pane. Unselect for only one policy page to be open at a time.
    o Open each group in a new tab - select to keep multiple group pages open in the Page pane. Unselect for only one group page to be open at a time.
    o Open each report in a new tab - select to keep multiple report pages open in the Page pane. Unselect for only one report page to be open at a time.
• Wizard Welcome Pages - these options allow you to choose whether to display the welcome page for the corresponding wizard.
• Main Window:


    o Remember size and position - retains window size and location from the last time being used.
    o Override explorer settings and always use a single tab - overrides the Open tab < > in a new tab settings in the Explorer Settings section above.

3. Click OK. Your settings are saved and the dialog box closes.


Configuring Logging Settings

SNSI uses logging to record system events. You can specify the size and location of the log files.

Note: We recommend that the Level be set to the default "Error" unless you are working with Technical Support.

To set up SNSI's logging settings:

1. From the SNSI Toolbar, select Tools>Options>Logging tab. The Logging tab displays.
2. If working with Technical Support, set the Level. Otherwise, leave the default setting "Error."
3. Set the log file size. Once the file reaches this size, another file is created. The recommended size is 150 MB.
4. Set the Directory location where you want the log files stored.
5. Click OK. The Logging settings are saved and the Options dialog closes.

Note: You can click Reset to revert back to the default logging settings.


Chapter 3: Getting Started

SNSI scans your network based on user-defined policies. A policy consists of User Defined Groups—Authentication, Vulnerability, and Port groups. Once you create these groups, you can create a Policy with any combination of these groups.

SNSI's high-level workflow:

1. Create an Authentication Group - set the authentication parameters so that SNSI can access your machines.

2. Optionally, create a Vulnerability Group - you can create user-defined groups of vulnerabilities or select from a list of default groups when you create a policy in Step 4.

3. Optionally, create a Port Group - you can create user-defined groups of ports or select from a list of default groups when you create a policy in Step 4.

4. Create a Policy - a policy brings together the configured settings of the User Defined Groups above. Select targets to be scanned, and then configure your scan for Vulnerability, Port, and Authentication groups.

5. Run a scan by right-clicking on the policy and selecting Scan Now.

6. View the status and results of the scan by clicking on Scan History under the policy.

7. Generate a report.


Chapter 4: Working with Groups

Scans are customized by using groups. Groups allow you to compile the specific areas of your network that you want SNSI to look at during a scan. With groups you can assign devices and ports to scan, as well as the specific vulnerabilities to look for on your network. There are two types of groups in SNSI:

Default Groups

A Default Group is your starting point for customizing your own user-defined groups and creating your Policies. There are two types:

• Default Vulnerability Groups make up SNSI's vulnerability database. This database is broken up into groups, including SANS Top 20, UNIX, LINUX, XP, High (risk level), and so forth. You can select any of these groups or individual vulnerabilities to place into your User Defined Vulnerability Groups. You can view the contents of each Vulnerability Group in the database by expanding the Default Groups subfolder under Vulnerability Groups in the Explorer pane and selecting a group. The group's contents populate the Page pane to the right. You can view details of any particular vulnerability by selecting one in the Page pane; the detailed information displays in the frame below the list.

• Default Port Groups:
    o Default Discovery consists of basic ports that allow the discovery of a machine.
    o All scans all ports from 1 – 65535. These are all possible ports that could exist on the network. This option can increase the scan time.
    o Default consists of a list of ports that a typical machine could have running (this could detect, for example, web servers on port 80, an open email server on port 25, and an FTP site on port 21).

User Defined Groups

A User Defined Group is a customized group that is created by selecting the desired groups or specific items from either of the Default Groups. There are three types:

• Authentication Groups contain the individual user accounts that the scan engine uses to gain access to network devices. These groups have Windows, Unix, and SNMP accounts and may list more than one account for each area. The accounts are used one at a time in the order listed. An account can be included in more than one group.

• Vulnerability Groups consist of groups of related vulnerabilities. Vulnerability Groups are divided into "User Defined" and "Default" categories. User Defined Groups are created by the end-user. It is possible for a vulnerability to be listed in more than one group. Vulnerability Default Groups are provided by the scan engine and cannot be modified.

• Port Groups consist of individual ports or port ranges that the Policy scans. Port Groups are divided into "User Defined" and "Default" categories. As with Vulnerabilities, Port Default Groups are provided by the scan engine and cannot be changed. User Defined Groups are created by the end-user. It is possible for a port or port range to be listed in more than one group.


Creating Authentication Groups

You create an Authentication Group for access rights to devices (machines, printers, etc.) that require passwords. Without proper logon credentials, the machines will not be scanned.

Tip: You can create authentication groups based on the operating system the devices run, including Windows, Unix/Linux, and Simple Network Management Protocol (SNMP).

Tip: To get a listing of all devices on your network, run a scan on a policy with Null Credential selected for the Authentication group. This scans the network for the devices it contains without actually scanning the devices.

To create an Authentication Group:

1. Click the Group Explorer tab located at the bottom of the Explorer pane. The Group Explorer displays.

2. Right-click on Authentication Groups and select New Authentication Group from the menu. The Authentication Group Wizard displays.

3. In the Group Name text box, enter a unique name for your authentication group (e.g., Domain Admin, Windows XP, etc.).

4. Optionally, enter a description for this group in the Description box.

5. Click Next. The Windows Accounts window displays.

6. If you have Windows devices to be scanned, click the New Windows credential icon and enter the credentials in the dialog box.

7. If you have Unix/Linux devices to be scanned, click the Add New Unix Credential icon and enter the credentials in the dialog box.

8. If you have SNMP devices to be scanned, click the Add New SNMP Credential icon and enter the credentials in the dialog box.

9. Click Next. The Completing the Authentication Group Wizard window displays.

10. Click Finish. Your newly created group now exists within the Authentication Groups folder of the Group Explorer.

You are now ready to create a user-defined vulnerability and/or port group, or use default groups and create a policy.


Vulnerabilities

By definition, a vulnerability is a security risk that exists within an operating system, network, or other system software or application software component. A vulnerability is any weakness that could lead to the compromise of a system or network if exploited. Vulnerabilities could allow a malicious user or intruder to access a system without permission when, by design, it should not be accessible. A vulnerability can also represent any inappropriate access to data on a server or the potential for a malicious user to assume administrative control of a machine.

Sunbelt Network Security Inspector lets you select some or all of the known security risks (vulnerabilities) from its database. This means that you can create groups of vulnerabilities for scanning specific devices (machines, groups of machines, printers, partial or entire networks...). You can pick any number of default vulnerability groups from SNSI's database for the customized vulnerability groups that you create. You can then customize the scan further by adding or removing any particular vulnerabilities from those default groups.

You can do the following with Vulnerability Groups:

• Create a new Vulnerability Group
• Add vulnerabilities to an existing Vulnerability Group
• Remove vulnerabilities from an existing Vulnerability Group

Note: You must work in the Vulnerability Groups folder within the Groups Explorer pane in order to create Vulnerability Groups.

SNSI's Vulnerability Database

SNSI contains a database of over 4,000 known security risks (vulnerabilities). In this context, the term "vulnerability" means a security risk that is searched for on a computer network. When we refer to vulnerabilities in this user guide, we mean them in this sense: known risks that can be scanned for on a system to find out whether any currently exist on it.

About Vulnerability Groups

A Vulnerability Group is a folder which contains vulnerabilities that have been chosen from SNSI's vulnerability database. This ability to group vulnerabilities of choice enables administrators to scan with exactly the vulnerabilities needed. There is no limit to how many groups can be created. Once created, these folders (groups) can be assigned to different machine groups to scan more efficiently.


Creating Vulnerability Groups

You can create a user-defined vulnerability group based on pre-existing Default Groups.

To create a Vulnerability Group:

1. Click the Groups tab at the bottom of the Explorer pane. The Groups Explorer pane displays.

2. Right-click on Vulnerability Groups and select New Vulnerability Group from the menu. The Vulnerability Group Wizard opens, starting at the Existing Group window.

3. To create a group from scratch, select Start with a blank group.

-or- To start with an existing group of vulnerabilities, click Use an existing group and select a group from the list.

Note: Each group includes a description of the type of vulnerabilities it contains. For example, SANS contains the vulnerabilities that are in the SANS Top 20 list.

4. Click Next. The Group Name window opens.

5. Enter a Group Name and Description, and then click Next. The Vulnerabilities window displays, listing all of the vulnerabilities in the group you selected. You can sort this list further by ID, Name, Category, Type, or Severity columns.

Tip: You can remove any item from the list or view its details by selecting it and clicking the appropriate icon above the list.

6. To add more vulnerabilities to this group, click the Add Additional Vulnerabilities icon. The Advanced Find dialog box displays, allowing you to search for vulnerabilities to be added.

• Enter your search term in the Search word or phrase text box and click Find Now. SNSI searches the Vulnerability database for your search criteria and displays the results below.

• Select one or more vulnerabilities and click the Add Additional Vulnerabilities icon. The selected vulnerabilities are added to the list.

7. Click Next and then click Finish. Your new Vulnerability Group is created and displayed under the User Defined Groups in the Group Explorer.

You are now ready to create a user-defined port group, or use a default group and create a policy.


Adding Vulnerabilities to a User Defined Group

With the ability to customize your vulnerability scans, you have the option of adding any particular vulnerabilities to your User Defined Vulnerability Groups. You can add entire default groups or hand-select vulnerabilities from any of the default groups in the database.

Note: To keep from degrading the vulnerability groups in the database, you cannot add vulnerabilities or alter groups directly from the SNSI vulnerability database.

Vulnerabilities can be added to a User Defined Vulnerability Group in two ways:

• during the process of creating a User Defined Vulnerability Group, or
• after a User Defined Vulnerability Group has already been created.

Note: To add vulnerabilities while creating a new Vulnerability Group, follow the procedure for creating a User Defined Vulnerability Group.

To add vulnerabilities to an existing group, follow the procedure below.

To add vulnerabilities to an existing group:

1. If you are not already in the Groups Explorer pane, click the Groups tab at the bottom of the Explorer pane. As a result, the Groups Explorer pane displays.

2. Expand the Vulnerability Groups folder. The Default Groups and User Defined Groups subfolders become visible in the Explorer pane.

3. Expand User Defined Groups and select the vulnerability group that you want to add vulnerabilities to. You will see the vulnerabilities that are contained in that group populate in the Page pane to the right.

4. Right-click in the Page pane's vulnerability list area and select Add Additional Vulnerabilities.
   -or-
   Click the Add Additional Vulnerabilities icon in the top left corner. The Advanced Find window opens.

5. Run a search for the vulnerabilities you want by ID, Category, Description, Name, Severity (risk level) or Type, and click the Find Now button.


Removing Vulnerabilities from a Group

With the ability to customize your vulnerability scans, you have the option of removing any particular vulnerabilities from your User Defined Vulnerability Groups. This allows you to save time and free up network resources by scanning only for the vulnerabilities appropriate to your needs.

Note: To keep from accidentally deleting vulnerabilities, you cannot remove vulnerabilities or alter groups directly from the SNSI vulnerability database.

To remove vulnerabilities from an existing group, follow the procedure below.

To remove vulnerabilities from a user defined vulnerability group:

1. If you are not already in the Groups Explorer pane, click the Groups tab at the bottom of the Explorer pane. As a result, the Groups Explorer pane displays.

2. Expand the Vulnerability Groups folder. As a result, the Default Groups and User Defined Groups subfolders become visible in the Explorer pane.

3. Expand User Defined Groups and click the group that you want to manipulate. You will see the vulnerabilities contained in that group populate in the pane to the right.

4. Select the vulnerabilities you want removed from the group.

Note: Holding down the Control key on your computer's keyboard allows you to select vulnerabilities anywhere in the list, all at the same time. Also, if you want to select a block of vulnerabilities consecutively in a row, you can click the first item, hold down the Shift key, scroll down the list as far as you want and select the last item.

5. Right-click over the selected vulnerabilities and select Remove or click the Remove icon in the upper right corner.

Note: You can also change the name and description of the group from this pane by simply retyping the information. To see that Group's name updated in the Explorer pane, right-click anywhere in the pane and click Refresh.

6. Once you are done making your changes to the group, click the Apply button located at the top of the pane. Click Discard if you want to disregard your changes.


About Vulnerability Risk Levels

Vulnerabilities are classified into five different levels of risk:

• High - Grants unauthorized root access or administrative access, and an exploit is available.
• Medium - Grants unauthorized access to sensitive data and may lead to unauthorized root access or administrative access.
• Low - Security issues such as information gathering or denial of service that do not result in the compromise of a device.
• Warning - Best security practice is not implemented.
• Information - Network information of general interest to security administrators and managers. Not related to a vulnerability.

About Vulnerability Scanning

Vulnerability scanning is the continual process of discovering the present status of vulnerability for an environment. For obvious reasons, it is important to be aware of how vulnerable your network or systems are, where vulnerabilities exist, and what to do to fix problems when they are found. SNSI utilizes a database of over 4,000 vulnerabilities that check for possible weaknesses. As new vulnerabilities are found, updates to the database occur automatically to keep you as current with vulnerabilities as possible.


Port Groups

Hackers are known to probe locations for vulnerabilities using port scanning as a technique for finding services that they can break into. Just the same, port scanning is also a method for providing assurance of the security level of your systems. A port scan basically consists of sending a message to each port, one at a time. This is also known as "pinging." Potentially vulnerable computers run services on well-known ports. These are potential weaknesses that can be exploited. By assessing these weaknesses, you can help prevent breaches and the damage or loss often associated with a successful compromise.

The Port Groups feature in SNSI lets you scan by ports. There are three Default Port Groups: A port scan using "All" ports will try each of the 65,535 (1-65535) available ports on the target system to see which are open. Narrower scans can be made by using the "Default" port scan option, which looks only for the more popular services hackers know how to best exploit (web servers on port 80, an open e-mail server on port 25, an FTP server on port 21, and so forth). SNSI also lets you scan a single machine on a network with the "Default Discovery" port scanning option.

Creating Port Groups

In order for a policy to scan ports, you need to select a port group. There are several default groups to choose from; however, you can create a user defined port group that will scan for one or more ports. Port scanning allows you to check for open ports that should not be open on host machines. You can use the predefined Port Groups already established in SNSI as they are, or create user-defined Port Groups.

Note: You are able to include port scanning in conjunction with vulnerability scans for security risks by including port scanning in your Policies.

To create a port group:

1. Click the Groups tab at the bottom of the Explorer pane. The Groups Explorer pane displays.

2. Right-click on Port Groups and select New Port Group from the menu. The Port Group Wizard opens, starting at the Existing Group window.

3. To create a group from scratch, select Start with a blank group.
-or-
To start with an existing group, click Use an existing group and select a group from the list.

Note: The default groups are All, Default, Default Discovery, and None.

4. Click Next. The Group Name window displays.

5. Enter a Group Name and Description, and then click Next. The Ports to Scan window displays.

• Choose Select from a predefined list and select a port. Port details display in the Port Detail area to the right.
-or-
Choose Enter a custom port or port range. The Port Editor options change, as pictured below.

1. Enter a single port number or select a port range.
2. Select one or more port types and click OK. Your selections are entered and you are returned to the Ports to Scan window of the Port Group Wizard.

6. To remove ports from the group, select the port(s) and click the Remove icon above the list.
-or-
To view the details of a port, select a port and click the View Details icon above the list.
-or-
To add additional ports to this group, click the Add New Ports icon. The Port Editor dialog box displays.

7. Click Next and then click Finish. Your port group is created and is displayed in the Group Explorer under User Defined Groups.


Chapter 5: Working with Policies

A scan is based on a policy that consists of several selections including vulnerabilities, ports, authentications, targets (devices), and other items. Policies generally only need to be configured once; however, you can go back and make changes to a policy at any time. You can set your Policies to run at scheduled times.

Policies are independent of each other, allowing you to have an unlimited number of Policies for an unlimited number of different types of scans. More than one Policy can scan the same set of devices and/or the same set of vulnerabilities or ports.

Policies can also contain a list of authorized user accounts for Windows, Unix, and SNMP devices. The scan engine uses this list of accounts while it is running. Each account is tried once in the order listed until access is granted or the list is exhausted. Nonetheless, the Policy is not required to list authorized accounts in order to perform a scan.

The easiest way to use SNSI for scanning is to use the default groups for ports and vulnerabilities. Once you are more familiar with the product, you can customize your own groups.

Creating a Policy

Once you have created an Authentication Group and have either created a Vulnerability Group and Port Group or plan to choose from the Default Groups, you are ready to create a Policy. The Policy Wizard is used to create a policy.

Tip: To get a listing of all devices on your network, run a scan on a policy with Null Credential selected for the Authentication group. This scans the network for the devices it contains without actually scanning the devices.

To create a policy:

1. Click the Policy Explorer tab located at the bottom of the Explorer pane. The Policy Explorer displays.

2. Right-click on Policies and select New Policy from the menu or click the New Policy icon. The Policy Wizard displays.

3. To begin from scratch, select Start with a blank policy.
-or-
To use an existing policy as a template, select Use an existing policy and then select a policy from the list.

Tip: Once you create one policy, you can use it as a template to create additional policies. Instead of starting with a blank policy, select the policy you want to start with.

4. Click Next. The Policy Name window displays.

5. Enter a name in the Policy Name box (for example, Windows XP Machines).

6. Enter a description for this policy (for example, search for vulnerabilities on Windows XP machines) and then click the Next button. The Discovery Methods window displays.


7. In the Discovery Methods window, click the Add New Target icon in the toolbar or right-click within the white box area and select Add New Target. The Discovery Target Editor window displays.

8. From the Discovery Target Editor, select the method(s) for identifying targets. (See the Policy Wizard: Discovery Target Editor section)

9. Click Next. The Discovery Configuration and Ping Options window displays.

10. Select the scan parameters for searching the machines on your network. (See the Policy Wizard: Discovery Configuration and Ping Options section)

11. Click Next. The Scan Configuration window in the Policy Wizard displays.

12. Define the vulnerability, port groups and Windows scanning options and click Next. The Scan Schedule window displays.

13. Set the desired schedule and click Next. The Completing the Policy Wizard window opens.

Note: The Scan Schedule option is only available with a license key.

14. Click Finish. The Policy Wizard closes and your policy is created, displaying in the Policy Explorer.

Note: Once created, you can edit a policy by expanding it from the Policy Explorer and then clicking Settings.


Working with the Policy Wizard

Policy Wizard: Discovery Target Editor

The Discovery Target Editor allows you to select one of seven different methods for identifying targets. Explanations for each of these methods are given below.

Note: Multiple discovery methods may be used in combination.

Active Directory

Active Directory (AD) discovery does a Lightweight Directory Access Protocol (LDAP) query to collect machine lists stored in the AD domain controller. Engines read the list of machines returned by the AD controller by matching various parameters of the organizational unit (OU) that you specify. When scanning with AD discovery, the engine will spawn a task for each target and enumerate requested attributes, such as DNS names and MAC addresses. It will also refine the Windows OS if checked. One thing to watch for is that unresponsive targets will be added to the scan list if Verify with ping was not selected.

• Canonical Name - the DNS domain name of the Domain Controller (DC) containing the OUs to be scanned. A domain member named testbox.joe.user.com would have a canonical name of joe.user.com.

• Organizational Unit - this is the object in the LDAP query. Enter from the most specific to broader OU (reverse order).

Warning: Double check these entries carefully for spelling errors. “Object cannot be found” errors indicate the OU as specified in the text field does not exist on the DC.

Tip: To search for all OUs of the AD, leave the OU blank.

• Domain Controller - To find the Domain Controller IP address use Ping and the canonical name of the AD’s DC.


Note: An ADS search is only as accurate as the DC, and if it holds a list of stale accounts with non-existing targets, these will be included in the discovery list results. Scanning stale entries slows down scans with useless connection attempts until the selected timeout parameters are exceeded.

IP Address

Discover a single IP address by entering it into the text box and clicking OK. Wild card characters (*) are also supported. For example, IP 192.168.0.* will scan an entire class C subnet.

IP Address Range

This option lets you set a range of IP addresses to search in. SNSI will begin with the first IP address posted in the Starting Address text box and run through to the last address posted in the Ending Address text box.

Named Target

The Named Target method allows you to use the name of a machine to scan. To use this method, type the machine's name in the text box and click OK.

Network Neighborhood

Network Neighborhood discovery collects target discovery information from the WINS server. With this discovery method the list of domains and targets mirrors those seen by clicking on My Network Places on the host’s desktop. The Windows Internet Name Service (WINS) system provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on a network. WINS maps NetBIOS names to IP addresses and resolves problems arising from NetBIOS name resolution in routed environments.

When you select Network Neighborhood, all of your domains will populate in the white table. You are able to select a single domain and scan every machine joined to that domain. To use this method, select a domain and click OK.

File Import

Use this option if you already have a list of machines to scan, whether by IP or by NetBIOS name. You can then import the list to be added to the discovery targets. Use lists of individual addresses or lists of address ranges. Valid octets within an address list may be represented by use of any combination of the following:

• Single integers (10.1.1.2)
• Double integers (10.10.11.22)
• Full octets (131.24.156.202)
• Integers separated by a comma to represent a set of addresses. (10.10.11.1,22) will scan addresses 10.10.11.1 and 10.10.11.22.
• Integers separated by a “-”, representing a range of addresses within an IP octet. (10.10.11.1-15) scans addresses from 10.10.11.1 through 10.10.11.15.
• Octet groups separated by a “>” to represent a range of addresses. (10.10.10.1 > 10.10.30.255) scans all IP addresses in sequence from 10.10.10.1 through 10.10.30.255.
• An “*” asterisk, representing a wild card for 0-255 in that position. (10.10.11.*) scans all addresses on the 10.10.11.0-255 subnet.

Examples of valid IP Address lines in a .TXT file:

• The address line “10.2-4.5.9” would be interpreted as if the addresses “10.2.5.9,10.3.5.9,10.4.5.9” had been typed as individual lines into the text file.

• The address line “10.5.2-4,7.1” is interpreted as the following IP addresses: 10.5.2.1, 10.5.3.1, 10.5.4.1, 10.5.7.1

• The following are examples of valid octets placed in a text file of IP addresses used to scan various addresses on a “10.10.11.x” subnet:

• 10.10.11.2,3
• 10.10.11.14-25
• 10.10.11.66,77-8
• 10.10.11.99,110,111-120
• 10.10.11.139-149,155,163-185
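Because a single wildcard or range in an import file can multiply the number of hosts a policy touches, it helps to preview what each line expands to before importing it. The following Python is an added example, not SNSI code: the function names, the `limit` threshold and the decision to reject descending ranges such as `77-8` (whose meaning the guide does not define) are assumptions.

```python
"""Preview how SNSI-style File Import address lines expand (added example)."""
import ipaddress
from itertools import product


def _octet(text):
    """Parse one decimal octet value (0-255); anything else is an error."""
    text = text.strip()
    if not (text.isascii() and text.isdigit()) or int(text) > 255:
        raise ValueError(f"bad octet value {text!r}")
    return int(text)


def expand_octet(field):
    """Expand one dotted field ('5', '2-4', '2-4,7', '*') to a list of ints."""
    values = []
    for part in field.split(","):
        part = part.strip()
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            low, high = (_octet(p) for p in part.split("-", 1))
            if low > high:
                # Assumption: the guide does not define descending ranges,
                # so refuse them instead of guessing which hosts were meant.
                raise ValueError(f"descending range {part!r}")
            values.extend(range(low, high + 1))
        else:
            values.append(_octet(part))
    return list(dict.fromkeys(values))  # drop duplicates, keep order


def parse_line(line):
    """Return ('range', first, last) or ('octets', [four lists of ints])."""
    line = line.strip()
    if ">" in line:
        first, last = (ipaddress.IPv4Address(p.strip())
                       for p in line.split(">", 1))
        if first > last:
            raise ValueError("range start is above range end")
        return ("range", first, last)
    fields = line.split(".")
    if len(fields) != 4:
        raise ValueError("expected four dot-separated fields")
    return ("octets", [expand_octet(f) for f in fields])


def count_line(line):
    """Number of addresses a line covers, computed without listing them."""
    kind, *rest = parse_line(line)
    if kind == "range":
        return int(rest[1]) - int(rest[0]) + 1
    total = 1
    for octet_values in rest[0]:
        total *= len(octet_values)
    return total


def expand_line(line):
    """List every address a line covers (call count_line first on big lines)."""
    kind, *rest = parse_line(line)
    if kind == "range":
        first, last = rest
        return [str(ipaddress.IPv4Address(n))
                for n in range(int(first), int(last) + 1)]
    return [".".join(map(str, combo)) for combo in product(*rest[0])]


def review_import(lines, limit=65536):
    """Report (line, target count, status) for each non-blank line.

    `limit` is a hypothetical per-line ceiling chosen for this example.
    """
    report = []
    for raw in lines:
        if not raw.strip():
            continue
        try:
            count = count_line(raw)
            status = "ok" if count <= limit else "too-broad"
        except ValueError as exc:
            count, status = 0, f"invalid: {exc}"
        report.append((raw.strip(), count, status))
    return report


# Constructed sample list; the first five lines reuse formats from the guide.
SAMPLE_LINES = [
    "10.2-4.5.9",
    "10.5.2-4,7.1",
    "10.10.11.*",
    "10.10.10.1 > 10.10.30.255",
    "10.10.11.66,77-8",   # descending range: rejected by this example
    "10.*.*.*",           # stray wildcards: 16,777,216 targets
]

if __name__ == "__main__":
    for text, count, status in review_import(SAMPLE_LINES):
        print(f"{text:28} {count:>10}  {status}")
```

Lines reported as `too-broad` or `invalid` are the ones to check against the authorized scan scope before the file is imported.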


Policy Wizard: Discovery Configuration and Ping Options

This page of the wizard allows you to configure how SNSI discovers the targets on your network.

Note: One or more options may be selected from the Discovery Options and the Name Resolution areas.

Discovery Configuration

ICMP

The ICMP (Internet Control Message Protocol) discovery option sends targets a series of echo, information, and address mask requests and compares the responses to a list of known ICMP fingerprints. This option is less effective than Port Scan Discovery when discovering targets that may have ICMP responses disabled such as network devices, security-hardened machines, Mac OSX, HP-UX 11, and Solaris 10. This feature does not require credential sets.

Port Scan Discovery

Port scan discovery performs a limited port scan of FTP, Telnet, SSH, SMTP, and HTTP ports to check their application banners, which are then used to identify the operating systems. This option introduces some latency to the discovery process and should only be selected for machines that are difficult to identify, such as network devices, security-hardened machines, Mac OSX, HP-UX 11, and Solaris 10. This feature does not require credentials assigned to the scan job.

SNMP Discovery

The SNMP (Simple Network Management Protocol) discovery option provides the best discovery results for network devices such as switches, routers, printers and wireless access points. This option connects to remote targets with the user-specified SNMP community strings stored in a Job's assigned credential set. If no SNMP credentials are stored in the credential set, the community string used for the connection attempt defaults to “public.”


Windows Credentials Discovery

The Windows credential discovery option provides the best results for Windows operating systems. Windows Credential Discovery attempts to authenticate to remote network targets to precisely identify the specific type of Windows operating system (Windows 95/98, Windows 2000, Windows XP, or Windows 2003). If this option is deselected, all Windows targets will be identified as generic “Windows OS”. Windows Credential Discovery should be used in conjunction with the ICMP Discovery option or Port Scan Discovery option. This discovery option uses an authentication group.

Name Resolution

Resolve NetBIOS Names

SNSI can also collect target data through use of WINS NetBIOS mapping. In Windows® networks, NetBIOS is used over the TCP/IP protocol to perform computer name to IP address mapping and name resolution. When selecting machines using IP address scanning, SNSI assigns a host name to an IP based on the naming priorities of the scan engine system. Windows 2000 and WinXP systems will choose DNS over NetBIOS if a DNS name was also returned.

NetBIOS Discovery Concerns

Windows 2000/XP/2003 hardened networks will often disable NetBIOS over TCP/IP. View current NetBIOS settings by right-clicking on My Network Places, selecting Properties, and then right-clicking on the appropriate Local Area Connection icon and selecting Properties. From the main window, select Internet Protocol (TCP/IP) > Properties, and then click the Advanced button. In the Advanced TCP/IP window, select the WINS tab and then verify Enable NetBIOS over TCP/IP is enabled. Windows Firewall settings available with Windows XP Professional SP2 may also block NetBIOS collection. Adjust firewall settings as necessary to permit NetBIOS communication.

Stale NetBIOS names

A scanner engine uses the WINS name cache, NetBIOS over TCP/IP protocol, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. If a name cache is stale, an administrator can manually refresh it and the names registered with Windows Internet Name Service (WINS) by using the nbtstat command with -RR. This command releases and then refreshes the NetBIOS name cache on the local computer with what is currently registered with the WINS server. Once refreshed, use Ping an IP Address to verify that the target’s correct name is now listed.

Resolve MAC Addresses

MAC (Media Access Control) addresses are stored in hardware and uniquely identify each network node. SNSI collects MAC information from the network interface card discovered during scan time. Although MAC addresses are subject to spoofing and may be changed, it is uncommon for this to occur on managed networks. Keeping a close watch on Network Inventory reports adds additional protection against MAC spoofing.

When reviewing scan reports, remember that there may be more than one MAC address available or reported on multi-homed or multi-networked targets depending on which network interface card was used during the scan. MAC address/DNS name/IP address correlation may assist in confirming scan target identification on DHCP (Dynamic Host Configuration Protocol) networks.


Resolve DNS Names

A DNS (Domain Name Server) query returns node information stored in the local DNS server. DNS servers supply name-to-address resolution data used as additional identification information about scan targets. To refresh your DNS name cache, open a Command Prompt (Start>Run>cmd>OK) and type: ipconfig /flushdns

Ping Options

Verify with ping

Ping discovery requires that target systems accept and respond to ICMP requests. Some virus protection software and host firewalls block these requests in their default configuration. If scan discovery is being blocked, adjust the configuration to allow ICMP communication from the assigned Scan Engine.

ICMP echo request is the standard method for finding active targets on a network. The Ping program commands an IP stack to send out an ICMP Echo Request (type 8) packet and waits for an ICMP Echo Reply (type 0) to be returned. If the destination IP address target is active and uses the IP stack, an ICMP Echo Reply is returned to the request’s originator. A Ping sweep of IP addresses can quickly determine which network targets are active as long as they are not sitting behind a device blocking ICMP echoes (i.e. a firewall). After discovery, non-active systems may be removed from scan target lists or made active before launching a scan. Ping is also useful in finding time-to-live (TTL) information, packet size, and timeout characteristics of network communications.

This option collects targets’ response to ICMP echo request 0/8 (Ping) before adding a system to the job’s scan list. This option may be deselected when discovering targets operating with ICMP Ping disabled. If not selected, all targets on a discovery list will be scanned, and the scanner will have to wait for time-outs from non-active systems before advancing through checks. This feature does not require credential sets.

Timeout (ms)

The number of milliseconds to wait between SNMP retries on a network device. Setting this value too high may result in abnormally long scan times for devices that are not returning SNMP responses. Setting this too low may result in false-negative results when devices may not have time to respond. Options are between 500 and 2000 ms in increments of 500.

Retries

The number of times to attempt to query the target. Setting this value too high may result in abnormally long scan times for devices that are not returning SNMP responses. Setting this too low may result in false-negative results when devices may not have time to respond. Options are between 1 and 4 retries.


Policy Wizard: Scan Configuration Window

Below are the options for the Scan Configuration window on the Policy Wizard and descriptions for each.

Vulnerability group

There are 38 vulnerability groups to choose from, listed in alphabetical order, which reflect different operating systems and types of vulnerabilities. If you are running through the Quick Start Guide for the first time and want to run a scan as quickly as possible, select Quick Scan in the drop-down menu. Otherwise, select any desired group in the list.

Port group

• Default Discovery - Selected ports that will discover whether or not the device is alive.
• All - All ports from 1-65535 will be scanned.

Note: Selecting "All" will significantly increase the scan run time.

• Default - This is a list of default ports. It is longer than the Default Discovery list.
• None - No port scan occurs.

Authentication group

This group shows all authentication groups that have been created to date. Click the "Authentication group" down arrow and select the desired group from the list.


Vulnerability scan timeout (seconds)

If a scan fails on a vulnerability, this option tells SNSI whether to try again or abort and move on to the next vulnerability. A "0" (zero) causes infinite retries. Choosing one or more seconds will cause SNSI to retry for that duration (1 second, 6 seconds, 120 seconds, etc.). If the vulnerability continues to fail after that, SNSI will abort and continue on to the next vulnerability.

Windows Scan Options

• Services - select to scan for any services running on the machine and show the results in your scan reports.
• Shares - select to populate any shares on the machine in your scan reports.
• Users - select to populate all users in your scan reports.


Configuring the Policy Settings

Policy Settings lets you view and edit the settings of policies you've created.

To configure policy settings:

1. From the Policy Explorer, click on the sign of a policy listed in the tree and the policy expands to show Settings and Scan History.

2. Select Settings and the Settings page opens in the right pane. This page shows all of the settings that you made when creating that policy. From this page, you can change your policy settings by selecting and deselecting check boxes and choosing different items in the drop-down lists.

3. Once you make a change, a bar opens at the top of the Settings page offering two buttons: Discard and Apply. Click the Apply button to save your changes or click Discard if you want to ignore your current alterations and retain the original settings.

To delete a policy:

1. Within the Policy Explorer, right-click on the policy that you want to delete.

2. Select Delete from the menu.


Chapter 6: Working with Scans

Scanning Overview

Sunbelt Network Security Inspector (SNSI) lets you scan for security risks (vulnerabilities) on a single machine, an entire network, or a selection of devices. Scans are started in the Policy Explorer. Once you have a License Key, you can schedule scans to run automatically when you want, for instance during low-use times. In order to effectively and efficiently conduct scans, there are four things that need to be established: authentication rights, the vulnerabilities to search for, ports to look for, and policies.

Running a Scan

Once you have established your Authentication, Vulnerability and Port groups and set up a Policy, you can run a scan. Follow the procedure below to complete a scan.

To run a scan:

1. Click the Policy tab at the bottom of the Explorer pane to reveal the Policy Explorer.

2. Right-click over a Policy and select Scan Now in the menu that opens. SNSI begins scanning.

3. Click the sign for your Policy in the Policy Explorer and select Scan History.

As a result, the scan status and results display in the Scan History page located to the right of the Explorer pane.

4. You can observe your scan's progress or look at past scans from the View Scans tab bar, located at the top right of the Scan History page.

Scan History Page

The Scan History page displays the status of your scans and the history of your scan activity. It is accessed by expanding a Policy from the Policy Explorer pane and clicking the Scan History folder. In the upper right corner of the Scan History page are the View Scans tabs. You can monitor the status of the scans from three viewing modes, called scan views. Clicking each tab reveals the following information in the Scan History page:

Running Tab

If the policy selected from the Policy Explorer is currently running a scan, the Running view will show the progress of that scan.

Completed Tab

The Completed view shows information on a scan that has been completed for the selected policy.

Scheduled Tab

The Scheduled view shows information on any scheduled scans that have been set for the selected policy.

Note: To schedule scans you must have a License Key.

When you click on a completed scan in the list, more drill-down information shows in the frame below it. The image below is an example of a three-level drill-down (three tiers) of scan information.

First Tier

• Scan Scheduled Date - Date the scan was scheduled.
• Scan Date - Date the scan actually ran.
• Last Status - Status of the scan, be it incomplete, finished, etc.
• Frequency - How often the scan will run.
• Targets Found - The number of Targets found in the scan.

Second Tier

• Access - Displays the different access levels from "none" to "full."
• IP - Displays the IP address of the machine scanned.
• DNS - Displays the Domain Name Service.
• OS - The operating system of the machine scanned.
• High - The number of High level vulnerabilities found during the scan.
• Medium - The number of Medium level vulnerabilities found during the scan.
• Low - The number of Low level vulnerabilities found during the scan.
• Warning - The number of Warning level vulnerabilities found during the scan.
• Information - The number of Information level vulnerabilities found during the scan.

• Unassessed - The number of machines that were not scanned.
• Criticality - Represents the degree of importance of an asset, determined by the operating system.
• Score - A score is assigned to the overall scan based on a number system with values running between 1 and 100. The criteria are vulnerabilities found, their respective risk levels, and the importance of the device scanned.
• Phase - Shows the progress of the sequences of actions such as ports scanned, vulnerabilities scanned, etc., also includes "Completed" and "Skipped."

Third Tier

This information is in table form and is printable. Whether you have the items expanded or contracted, the table will print just the way you have it. The information in the table is as follows:

• Assessment Level - Level of access by the authentication attempt into each target device. Access is affected by network and system settings as well as the credentials used during the scan. There are five Assessment Levels.

• Risk Score - Same as "Score" above. A score is assigned to the overall scan based on a number system with values running between 1 and 100. The criteria are vulnerabilities found, their respective risk levels, and the importance of the device scanned.

• DNS - Displays the Domain Name Service.
• NetBIOS - Displays the NetBIOS.
• IP Address - Displays the IP address of the machine scanned.
• MAC Address - Displays the MAC address.
• Ports - The number of Ports found in the scan.
• Services - The number of Services that were found in the scan.
• Shares - The number of Shares that were found in the scan.
• Users - The number of Users found in the scan.
• Vulnerabilities - The number of Vulnerabilities found in the scan.
• Ports, Services, Shares, Users and Vulnerabilities expand out more information by clicking the symbols.

Assessment Levels

Assessment levels represent the level of access by SNSI's authentication attempt into each target device. Access is affected by network and system settings as well as the credentials used during the scan. The five levels of assessment are as follows:

Level 0 - Not found

Level 0 represents that a target was included on the discover list but did not respond to any selected discovery methods. No scan results were returned. These targets are not listed in reports.

Level 1 - Remote anonymous

Level 1 reflects that the SNSI scanner defaulted to a Null Credential scan. This is because either no credentials were selected for the Policy or the credential used failed to authenticate the target device. Results will include Banners and Ports/Services information if selected for the scan. Other information might be returned if the target devices were configured to permit "anonymous logon."

Level 2 - Partial access into Windows registry

Usually returned as the result of Remote Registry Service stopped or WinReg permissions denying access. Not applied to POSIX collection results.

Level 3 - Remote read-only was successful

Remote read-only was successful into the target's Windows registry and file system, full read-only into POSIX systems, or SNMP Read Community String authenticated access for Network Devices such as Routers/Switches/Printers. Indicates full access to gather scan data. Targets that drop off-line or encounter problems after scan authentication may not return full results even though the scan access level shows level 3.

Note: Targets that have fingerprinted with an incorrect OS or were assigned a generic “Windows” OS by default may indicate "Level 3" access but will not actually assess. To resolve this, duplicate the job and manually assign the correct OS before rescanning, or make adjustments to Discovery Settings to better resolve the correct OS during the Discovery phase of the scan process.

Level 4 - Remote full (read/write/execute) credential authentication to the registry and file systems

This level is returned only from SNSI Hosts.
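A triage sketch for the assessment levels described above, added here as an example and not part of the SNSI guide or product: it marks targets whose vulnerability counts cannot be relied on because the scan never reached full read access, and lists the "clean" results that are clean only because nothing was assessed. The CSV layout, column names and sample rows are assumptions constructed for illustration; no SNSI export format is implied.

```python
import csv
import io

# Constructed sample data (not SNSI output): one row per target, copied by
# hand in the shape of the second-tier Scan History columns. The CSV layout
# and column names are assumptions made for this example.
SAMPLE_CSV = """level,ip,os,high,medium,low
0,192.0.2.10,,0,0,0
1,192.0.2.11,Windows XP,0,0,1
2,192.0.2.12,Windows Server 2003,0,1,2
3,192.0.2.13,Windows,0,0,0
3,192.0.2.14,Windows Server 2003,2,5,7
4,192.0.2.15,Windows XP,1,0,3
"""

# Follow-up for levels that did not reach full read access, paraphrasing
# the level descriptions in the guide.
FOLLOW_UP = {
    0: "no response to discovery: confirm the target is online, review discovery methods",
    1: "null-credential scan: assign working credentials to the policy and rescan",
    2: "partial registry access: check Remote Registry service and WinReg permissions",
}

# The guide's note: a generic "Windows" OS may show Level 3 without assessing.
GENERIC_OS = "windows"


def triage_row(row):
    """Return (trusted, action) for one target row."""
    level = int(row["level"])
    if level not in range(5):
        raise ValueError(f"unknown assessment level: {level}")
    if level in FOLLOW_UP:
        return False, FOLLOW_UP[level]
    if level == 3 and row["os"].strip().lower() == GENERIC_OS:
        return False, "generic OS fingerprint: assign the correct OS and rescan"
    # Level 3 or 4 with a specific OS. A target that dropped off-line after
    # authentication can still be incomplete; that is not visible in these columns.
    return True, "counts reflect an authenticated assessment"


def triage_report(csv_text):
    """Parse the rows and attach a trust verdict and follow-up to each target."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        trusted, action = triage_row(row)
        findings = sum(int(row[k]) for k in ("high", "medium", "low"))
        results.append({
            "ip": row["ip"],
            "level": int(row["level"]),
            "findings": findings,
            "trusted": trusted,
            "action": action,
        })
    return results


def false_clean(csv_text):
    """IPs that show zero findings but were not actually assessed."""
    return [r["ip"] for r in triage_report(csv_text)
            if not r["trusted"] and r["findings"] == 0]


if __name__ == "__main__":
    for r in triage_report(SAMPLE_CSV):
        flag = "OK    " if r["trusted"] else "REVIEW"
        print(f"{flag} {r['ip']:<12} level={r['level']} "
              f"findings={r['findings']:<3} {r['action']}")
    print("zero findings but not assessed:", false_clean(SAMPLE_CSV))
```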

Drilling-down in the Scan History

The View Scans feature in Scan History allows for drilling down for more details about your scans.

To drill down for more information:

1. Once your scan has been completed, click the Completed tab from the View Scans tab bar and your scan information populates in the top frame.

2. When you select the item in the list, more information about the scan is displayed in the second frame below it.

3. By clicking on the information in the second frame, more information populates in the third frame located at the bottom of the Scan History page.

4. Even further drill-down information can be viewed by clicking the signs in the third Scan History frame for Ports, Services, Shares, Users and Vulnerabilities.

Chapter 7: Working with Reports

SNSI has four predefined reports that can be run on any completed scan. The reports can be accessed by clicking the Report Explorer tab located at the bottom of the Explorer pane. Once created, full-color reports may be printed. The reports are automatically saved in SNSI, allowing you to access them again later.

• Executive Summary - Gives a high-level summary of the vulnerabilities found in a network or machine.
• Scan Summary - Provides a list of scans and vulnerabilities found.
• Vulnerability Details - The Vulnerability Detail report shows a list of vulnerabilities found, sorted by risk level - highest to lowest - and provides a description of each.
• Vulnerability details by Target - Gives a high-level summary of all vulnerabilities sorted by target.

Note: A PDF reader is required to view reports.

To generate a report:

1. Click the Report Explorer tab located at the bottom of the Explorer pane.

2. Select one of the four reports from the Report Explorer. The policies that have been created to date will populate in the top area to the right of the Explorer pane.

3. Select a policy. The completed scans for this policy to date will populate in the pane below it.

4. Select a scan and click Generate Report. The report is generated and displays in the PDF viewer.

Executive Summary Report

The Executive Summary report gives a high-level summary of the total vulnerabilities found to be present in a network or machine. It is useful in determining the total security posture of your system.

The data in the Executive Summary report gives an easily viewable pie chart description of the vulnerability results. This report allows for appropriate presentation to management, showing at a glance the different vulnerability levels on your system. Its contents are designed to provide general network status. Below is a copy of what this report looks like:

Scan Summary Report

The Scan Summary report informs you, among other things, when a full vulnerability assessment could not be made due to insufficient permissions. It also gives a list of IP Addresses, Machine Names, MAC Addresses, Operating Systems, vulnerabilities (segregated by their risk levels) and the number of unassessed vulnerability tests for each target. Below is what this report looks like:

Vulnerability Detail Report

The Vulnerability Detail report is a powerful report. It shows a list of vulnerabilities found, sorted by risk level - highest to lowest - and provides a description of each. Also included are solutions for vulnerabilities, descriptions, lists of targets not found, a list of vulnerabilities scanned but not found and special information.

Vulnerability Details by Target Report

Like the Vulnerability Details report, the Vulnerability Details by Target report is another powerful report. It shows a list of vulnerabilities found per target, sorted by risk level - highest to lowest - and provides a description of each. Also included are solutions for vulnerabilities, descriptions, lists of targets not found, a list of vulnerabilities scanned but not found and special information.

Appendix I: Glossary

AUDITING, AUDITS Auditing is the collection and monitoring of events on servers and networks for the purpose of tracking security violations and to keep track of how systems are used. A network auditing system logs details of what users are doing on the network so that malicious or unintended activities can be tracked. When auditing is in place, vast amounts of information may be recorded and even archived for future reference. Some audit systems provide event alarms to warn administrators when certain levels or conditions are met.

AUDIT TRAIL An audit trail is a record of activity such as routine queries and many other authorized activities. Monitoring of these and other activities is very useful when attempting to track a cracker or errant employee.

AUTHENTICATION Authentication is the process of determining whether something or someone is who or what it is declared to be. The most common form of authentication is the use of logon passwords, the weakness of which is that passwords can often be forgotten, stolen or accidentally revealed. The tokens in this category offer more stringent forms of authentication so that users need to have both something (the token) and know something (the PIN or password) to gain access.

CATEGORY We refer to a category in SNSI as being a main or high-level item in a navigation tree. The Main Navigation Tree in SNSI, for instance, has five categories: Computers, Vulnerabilities, Reports, Scan History and Settings. (See also: “Subcategory” and “Item”).

CVE ID There have been many sources for sharing the detection of new vulnerabilities in the world of computer programming and networking. But historically these sources (companies, agencies, institutions, etc.) have used their own particular systems for classifying their information about the vulnerabilities found. As with any method that shares multiple resources, there comes the necessity for codification and standardization in order to create a platform for all to use and to eliminate the confusion and inconsistencies that inherently exist within the source data in this type of environment. The CVE (Common Vulnerabilities and Exposures) codification system was created in 1999, among other things, as a means of bridging the gap of inconsistencies of vulnerabilities. CVE is an international, communal effort of codifying more than 1,600 entries (also known as "names"). This also includes 1,800 candidates (CANs), which are vulnerabilities under consideration for acceptance into CVE’s standardized list. Through open discussions, members of the CVE Editorial Board decide which vulnerabilities will be included in CVE. Once vulnerabilities are accepted into the list, the Board determines the common name, description and references for each entry. The list of unique vulnerabilities for consideration is growing by as much as 100 new candidates per month from newly discovered issues.

EVENT An action initiated either by the user or the computer. An example of a user event is any mouse movement or a keystroke. An example of an internally generated event is a notification based on the time of day.

EVENT MANAGEMENT SYSTEM Software that monitors servers, workstations, and network devices for routine and non-routine events. For example, routine events such as logons help determine network usage, while unsuccessful logons are warnings that crackers may be at work or that the network access system is failing. Event managers provide real time information for immediate use and log events for summary reporting used to analyze network performance. An event management system is typically made up of client agents that reside in the remote devices, a central component for gathering the events, an event database and a reporting system to deliver the results in various formats.

ITEM An “item” is a third level category in an SNSI navigation tree. An example of a third level item is in the Main Navigation Tree under Domains and Groups within the Computers Category. Expanding either Domains or Groups will reveal third level items. (See also: “Category” and “Subcategory”)

MACHINE For our purposes with SNSI, a machine is a computer on a network.

PORT A Port, when regarding Internet communications, is a software-type gateway using transmission control protocol/Internet protocol (TCP/IP). It is essentially how computers communicate with a network server; it allows a client program to specify a certain server program on a computer within a network.

PORT NUMBER A Port Number is basically an address of a particular computer and tells a server where to send information over a network.

QUICK SCAN A scan which utilizes all vulnerabilities as the default setting. This default setting can be changed by the creation of a new vulnerability group and the assignment of this group as the Default Quick Scan group.

REFRESH A term used to describe the action of SNSI going out onto a network to search for and locate all machines and machine changes. Whenever a domain is chosen for the first time ever in SNSI, it automatically refreshes that domain. The auto-refresh feature only works on a domain the very first time it is chosen because auto-refreshing every time can cause unnecessary and potentially time-consuming use of SNSI’s resources. SNSI caches machine/domain data for faster performance. Therefore, when there are changes in machine populations on a domain, a manual refresh should be made so SNSI can cache the latest snapshot of the domain, keeping the cached information up to date. To manually refresh a domain follow the procedure in “Refreshing Domains” below.

RISK ASSESSMENT “Risk” is a combination of the likelihood that an incident will occur and the damage that will result. Risk Assessment provides an understanding and analysis of these two factors using processes and tools.

SANS An acronym from SysAdmin, Audit, Network, Security.

SCAN GROUP A Scan Group is a group of machines or domains created in SNSI to be scanned later for vulnerabilities (see also “Vulnerability Group” for comparison).

SECURITY SCAN A test of a network's vulnerabilities; a security scan searches to find areas of vulnerability within a network or on a single machine.

SERVICES Services are work performed or offered by a (Windows only) server.

SNMP SNMP (Simple Network Management Protocol) facilitates the exchange of management information between devices on a network. With it, administrators are able to manage network performance, find and solve network issues and plan for network expansion.

SUBNET A subnet is a smaller network within a larger network. It also refers to a number (or sub-address) when a portion of a network shares an IP address with another part of a network. In this case, this portion of the network sharing an IP address is distinguished by a subnet number.

TARGET A device, machine, printer, terminal, port, etc. on a network to be scanned.

TCP (Transmission Control Protocol) TCP is one of the main communication protocols that the Internet works off of.

VULNERABILITY A vulnerability is a security risk that exists within an operating system, network or other system software or application software component. Vulnerabilities are any potentialities of compromise to a system or network if exploited. A vulnerability represents something that could potentially allow a malicious user/intruder to access a system without permissions when, by design, it should not be accessible to them. A vulnerability can also represent any inappropriate access to data on the server or the potential for a malicious user to assume administrative control on the machine. SNSI contains a database of over 4,000 known security risks (vulnerabilities). Vulnerability, in this aspect, means the security risks that are searched for on a computer network. When we refer to vulnerabilities in this manual, we are speaking in this respect: known risks that can be scanned for on a system to find out whether any exist on the system at the present time.

VULNERABILITY GROUP A Vulnerability Group is a folder which contains vulnerabilities (see “vulnerability” above) that have been selected from SNSI’s database. This ability to group vulnerabilities of choice enables administrators to scan with exactly the vulnerabilities needed. There is no limit to how many groups can be created. Once created, these folders (groups) can be assigned to different devices (machines, groups of machines, etc.) to scan more efficiently.

VULNERABILITY RISK CATEGORY These are the risk levels of the vulnerabilities within the vulnerability database used in SNSI. The risk categories are High, Medium, Low and Warning. Each category contains the vulnerabilities rated at that risk level.

VULNERABILITY SCANNING An automated process of testing areas to identify vulnerabilities of computing machines, systems and applications on a network in order to determine if and where a system could be exploited and/or threatened through unauthorized access. SNSI is a vulnerability scanning software program that seeks out security flaws within a computer system based on a database of known flaws. Tests for the occurrence of these flaws are run and reports are generated of the findings that can be used to tighten the network’s security.

Appendix II: Contacting Customer Support

Note: If you encounter any issues with SNSI v.2.0, you will need to supply Technical Support with your log files to resolve the issue. By default, log files are stored in the following location: C:\Documents and Settings\All Users\Application Data\Sunbelt Software\Network Security Inspector\logs.

Online Technical Support http://www.sunbeltsoftware.com/Support/

Email Technical Support: [email protected]: [email protected]

Phone Main: (727) 562-0101 Toll-free technical support: 877-673-1153

Address Sunbelt Software, Inc. 33 N. Garden Ave., Ste. 1200 Clearwater, FL 33755