13.07.2015 Views

IBM Proventia® Network Enterprise Scanner - West Coast Labs



Test Report November 2007

IBM Proventia® Network Enterprise Scanner

Vulnerability Assessment Technology Report


Vendor Details

Name: IBM Internet Security Systems
Address: 6303 Barfield Road, Atlanta, GA 30328
Telephone: +1-404-236-2700
Website: www.iss.net
Product: IBM Proventia® Network Enterprise Scanner

Test Laboratory Details

Name: West Coast Labs, Unit 9 Oak Tree Court, Mulberry Drive, Cardiff Gate Business Park, Cardiff, CF23 8RS, UK
Telephone: +44 (0) 29 2054 8400
Date: November 2007
Issue: 1.0
Author: Chris Elias

Contact Point

Contact name: Chris Elias
Contact telephone number: +44 (0) 29 2054 8400

Vulnerability Assessment Technology Report www.westcoastlabs.com


Contents

• Test Network
• Test Methodology
• Checkmark Certification
• Vulnerabilities Classification
• The Product
• Test Report
• Test Results
• West Coast Labs Conclusion
• Security Features Buyers Guide


Test Network

For this Technology Report, West Coast Labs engineers created a network infrastructure similar to that found in most corporate IT environments. Each solution entered into this Technology Report was required to perform vulnerability tests against this network.

The network used by WCL consisted of between 20 and 30 distinct hosts, and included routers, managed switches, network servers, client machines, and printers. Included within the available services were web servers, mail servers, file and database servers. Customized web applications, designed by engineers at West Coast Labs and containing common scripting errors, were installed on servers across the network.

A variety of Operating Systems were used on the network, on different hardware platforms. A number of virtual hosts were also included.

In building the network, some of the machines and services were installed with default settings. Various levels of patching were applied across the range of Operating Systems. In addition, a number of common mis-configurations were made in setting up and deploying particular services. Every host on the test network was imaged prior to testing, and restored to the original state before each round of testing for the individual solutions.

The test network was protected by a router, and ACLs were set to restrict access to the test network to and from IP addresses specified by the participating vendor, if appropriate. If the solution under test needed no Internet connectivity then the router was configured to block all access to and from the Internet for the period of test.

The test network was available to each solution for a 48 hour period.


Test Methodology

WCL have assessed the individual vulnerability assessment reports from each solution on the following basis, with Vulnerabilities on the target network classified under 4 headings:

Critical vulnerabilities – those that allow an attacker with minimal knowledge or skill to compromise the integrity of the network: this may include gaining control of a server or network device, gaining illegitimate access to network resources or disrupting normal network operations.

Severe vulnerabilities – those that allow illegitimate access to, or control over, network resources, but that require considerable knowledge or skill on the part of the attacker.

Non-critical vulnerabilities – those that allow attackers to gain access to specific information stored on the network, including security settings. This could result in potential misuse of network resources. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on hosts, directory browsing, disclosure of filtering rules and security mechanisms.

Information leaks – these allow attackers to collect sensitive information about the network and the hosts (open ports, services, precise version of software installed etc.)

The performance of each solution under test was evaluated on the following criteria:

• The ease of deployment of the solution
• The number of vulnerabilities correctly identified in each class
• The completeness of the report, including identification of any network changes made
• The clarity of presentation of the findings


Checkmark Certification

Solutions under test in this Technology Report are eligible for the Checkmark Vulnerability Assessment certification.

In order to achieve the Standard Checkmark Certification for Vulnerability Assessment the candidate solution must identify at a minimum 100% of the Critical Vulnerabilities and 75% of the Serious Vulnerabilities.

However, those developers identifying 100% of the Critical Vulnerabilities and a minimum 90% of the Serious Vulnerabilities will be awarded the Premium Checkmark Certification for Vulnerability Assessment.

www.check-mark.com


Vulnerabilities - Classification

As a basis of the test program, West Coast Labs engineers built a series of known vulnerabilities in the network on which each of the solutions was installed. To mimic those vulnerabilities found in many corporate IT environments, the risk level of these varied between Critical, Serious, and Minimal.

As part of the scope of testing and certification, particular attention was paid to how each of the products detected and classified those vulnerabilities deemed by West Coast Labs to be of either Critical or Serious risk.

So that the performance of each product can be clearly understood, this report contains some examples of the types of vulnerability listed as Critical and Serious.

Critical Vulnerabilities

• FTP server with anonymous, writeable access
• Publicly available file shares using NetBIOS and Samba
• Blank Administrator passwords
• Back Orifice installations
• Open SMTP relays
• Completely unpatched operating systems (base installs)
• Base install of Windows Media Player 9 with no security patches
• Sun Solaris RPC vulnerabilities

Serious Vulnerabilities

• Partially patched operating systems to known levels
• Default or weak passwords
• VNC servers
• Popular game servers with known vulnerabilities
• FTP servers with non-writeable anonymous access
• Web sites with back-end scripting vulnerabilities
• Instant Messaging clients
• Virtual office software
• Microsoft Desktop Remote Access

The classification of the above vulnerabilities is based on information provided by external sources including the SANS Top 20, Bugtraq, and other well known vulnerability lists and sites.


The Product

Introduction

The ISS Proventia ES1500 is a 1U rack mountable appliance containing ISS’ patented vulnerability assessment technology. The appliance is capable of scanning a vast range of different operating systems - Windows and various *nix flavours are covered including both Linux and Unix.

The front fascia of the device contains the network ports specifically for scanning (there are currently 2 in use with 3 additional ports reserved for future expansion), a management port, a serial connection for the console, 2 USB ports and an LCD status screen.

Aimed at Enterprise level networks, this solution promises to highlight potentially unknown network vulnerabilities along with providing advice on remediation and reports aimed at a variety of levels from management board to technical operative.


Installation and Configuration

ISS provided West Coast Labs with a device that had been previously configured by their engineers to meet the network specification as provided by West Coast Labs. ISS’ customers may configure their own devices via the console port, and the appliance is conveniently shipped with a Quick Start Card to aid them in the installation process.

This Quick Start Card is comprised of two main sections, a fully annotated diagram of the appliance and a Getting Started section. The Getting Started section includes six important set up steps that aid the administrator in the correct set up and configuration of the appliance.

The Prerequisites section lists important dependencies that are required in the operation and set up of the ES1500 appliance. One of the many important dependencies required is the SiteProtector software interface - this is downloaded from the ISS website and allows Administrators to perform scanning tasks, analyse previous scans, and monitor the network status. SiteProtector may be installed to a Windows client on the network running an instance of either MSDE or SQL Server. MSDE may be installed as part of the installation process if there is no database already present.

To configure the device to fit in with the network, the administrator is required to connect to the device via a console connection. After entering the default username and password that is provided on the Quick Start Card, the device begins a Setup Wizard where Administrators are required to enter basic network settings including IP addresses, Subnet mask, Default Gateway, DNS servers and a hostname for the appliance.


After this portion of the setup is complete, the next step is to register a product license with the device in order to receive product updates and full scanning functionality. This is achieved via an SSL-secured web interface called Proventia Manager. This interface is initially accessible through a static IP address that has to be specified during the console connection stage of the device setup.

After successfully registering a License, the next step is to authenticate the appliance with SiteProtector. When coupling the appliance with SiteProtector it is necessary to specify the IP address, hostname and full login credentials where the SiteProtector is installed.


Operations and Features

Proventia Manager provides the administrator with various tools with which to further configure and interact with the solution, including Application Diagnostics, System Diagnostics, Logs, Backup and Recovery, Licensing and Updates. Application Diagnostics include descriptions of various services running on the appliance including SSH, SNMP and SMB.

System Diagnostics include information relating to Processes, Disk Usage, Services, Local Interfaces, IPCS (Interactive Problem Control System) and Memory Usage statistics. These diagnostics are useful to IBM ISS Customer Support should a problem arise with the appliance, and they give the administrator a way to continuously view the performance of both the solution and the network.

A useful feature the appliance offers is the Backup and Recovery system. This allows the administrator to perform two types of backup - Settings Backup and Full Backup. The former backs up the agent configuration settings, whilst the latter provides the additional ability of backing up the entire Operating System and configuration settings. After a full backup has been performed there is an option to restore the system to this previous state.

The appliance may be configured to update either manually or automatically, and can be scheduled to run at a specific time and date. When performing an update task the device connects to IBM’s servers and searches for firmware and Assessment Scanner updates. One of the key features of the Update system is its ability to be integrated with the Backup utility – allowing a Full Backup to be performed automatically before any updates are applied.


After successfully authenticating SiteProtector with the appliance, the interface can be used to create a variety of scanning tasks for the ES1500 device. For this round of testing, ISS engineers requested that they perform the scanning tasks for West Coast Labs and then provided WCL with reports subsequently. Any discovered network assets are shown within a tree format with assets branching off from the root domain, thus enabling rapid distinction between multiple domains. The ES1500 offers two main methods of scanning - a default scan called Ad Hoc can be configured to start immediately, whilst a scheduled background scan can be set to run at a specific time or date.

Setting up these scans is a simple process, and each of these scan types has several areas within which the user may specify data parameters. Discovery of the network nodes allows administrators to enter a list of IP ranges to scan. Assessment contains vulnerability exploitation methods that may be used against each network area. Within this section it is also possible to enter port ranges for which the appliance will scan. The Assessment Credentials feature allows user names and passwords to be entered to allow for a more detailed inspection of each client node.


Scans may be further customised through the ability to specify port exclusions within the scanning tasks and Scan Windows, which allow for continuous scanning of the network via scheduled tasks through the use of a time window system.

Upon completion of a network scan, it is possible to create a ticket for the assets that require attention. The Administrator must enter supplemental data such as a Priority level, who is responsible for fixing the problem, and a due date. There are also two boxes where it is possible to make further notes on the problem synopsis and actions.


Reporting

Upon completion of the network scans, ISS engineers provided West Coast Labs with detailed reports in Adobe PDF format. A wide range of reports are available from within the interface, and each of these reports lays out clearly the overall status of the appropriate information in a variety of formats, including high level management reports, right down to very technical reports aimed at staff in the IT department who are likely to be tasked with fixing and resolving any machines that could lay a corporation open to liability.

The Top Vulnerabilities report, for example, displays an overview of the most common vulnerabilities, whilst Vulnerabilities By Asset contains full details of the vulnerabilities on a per network node basis. Various other reports offer a range of information presented in different manners to be targeted at different audiences. Reports such as Top Attacks and Attacks by Group may be more suited for mid-level to senior management who may have some overview of the infrastructure without knowing the detail, whereas reports such as Vulnerability Summary by Assets and Assets Assessment Detail are more suited to technical staff who are likely to be involved in the remediation of such vulnerabilities.


Within each of the technical reports ISS offers comprehensive and detailed remediation advice for each vulnerability. A useful feature of Proventia is the ability to offer validation of the fixing for each potential liability based around the ticketing system that is implemented, thus allowing administrators to set up a workflow for each individual vulnerability, assign it to a technician and then monitor the progress of the resolution.


Results

IBM ISS Enterprise Scanner ES1500 detected 100% of the critical vulnerabilities and over 90% of the serious vulnerabilities on the West Coast Labs test network. West Coast Labs is pleased to announce that the IBM ISS Enterprise Scanner ES1500 appliance has been awarded the Premium Checkmark Certification for Vulnerability Assessment.


Conclusion

IBM ISS Enterprise Scanner ES1500 uses a hardened Linux operating system with powerful hardware specifications to track down network vulnerabilities, and the solution offers a comprehensive and wide-ranging set of tools. Integration with the SiteProtector interface is straightforward and painless, and allows the solution to begin scanning a corporate network almost immediately.

There is a vast number of reports available, which is sure to satisfy security conscious organizations that wish to tackle network vulnerabilities head on.

The Quick Start card allows for rapid installation of the appliance and is complemented by the other documentation which is available for download from ISS’ website.

The range of reporting functionality that complements this, along with the detailed remediation advice, ensures that the Proventia can be a major asset in securing a corporate network from threats.


Security Features Buyers Guide

Enterprise Scanner helps ensure the availability of your revenue producing services and protects your corporate data by identifying where IT vulnerabilities exist, prioritizing and assigning protection activities, and reporting on results.

url: http://www.iss.net/products/Proventia_Network_Enterprise_Scanner/product_main_page.html


Business Benefits... as stated by ISS

Key business value and benefits of IBM Proventia® Network Enterprise Scanner:

• Allows IT resources to focus on strategic security and network initiatives
• Provides a means of quantifying and demonstrating security risk improvement on a regular basis
• Protects availability of critical revenue producing business services and systems
• Scan and block technology with IPS integration protects organizations from the financial impact of a security breach
• Lowers cost of ownership by leveraging existing IT infrastructure.


Technical Benefits... as stated by ISS

Enterprise Scanner allows automation of the front end process of vulnerability assessment scanning through automatic product/security content updates, scan windows/recurrence, and automatic policy updates. This lets organizations focus more on evaluating the risk in their environment and tracking its resolution through ticketing and reports.


Additional Noteworthy Product Features

• Dynamic Check Assignment - Checks always run against the right target systems and the right ports. Hidden web server running on an SMB port? No problem!
• Native Load-Balancing - No more manually distributing jobs between different scan engines.
• Open Ticketing API and native Remedy integration - System Administrators do not have to use yet another console to find out what needs to be fixed.
• Asset centric data storage - Results are stored against each asset so the way you scan does not have to be the way you report.
• Scan Windows and Cycles - By defining your scanning policy you no longer have to manually track and maintain huge numbers of scan jobs.


Proventia ES1500 Enterprise Scanner

US SALES
T +1 (717) 243 5575

EUROPE SALES
T +44 2920 548 400

GLOBAL HEADQUARTERS
West Coast Labs
Unit 9 Oak Tree Court
Mulberry Drive
Cardiff Gate Business Park
Cardiff
CF23 8RS, UK
