Q: What is an Automated Vulnerability Detection System ("AVDS")?
A: The AVDS is a security solution that helps organizations reduce their security risk by managing their vulnerabilities. It does this proactively, by periodically scanning the organization's entire IT infrastructure for system and application vulnerabilities from an attacker's perspective.
The AVDS is designed to let enterprises and service providers scan large networks effectively and manage them from a single administration console via a distributed scanning architecture. It is a multi-tier hierarchical system that manages multiple scanning devices, organizations and users.
Q: Is AVDS a hardware or software solution?
A: The AVDS is a hardware appliance. It comes either as a standalone appliance for small or medium organizations (the "AVDS Scanner") or, for larger organizations, as separate management and scanning components: the Information Server ("IS") and the Local Security Scanner ("LSS").
The IS appliance stores the results obtained from the various scans and generates consolidated reports from them. It is also used to control and manage all associated LSS appliances via a web interface. The IS can be configured to allow multiple users to connect to the system to read scan reports or to schedule scan jobs.
The LSS appliance performs the vulnerability scans across the network. Using the daily vulnerability database update, the LSS runs up-to-date vulnerability checks against all IP-based systems it scans.
Q: What kinds of vulnerabilities does AVDS detect?
A: There are three ways in which a system can be vulnerable.
The first is a software flaw: the operating system or a network application is poorly coded, and an attacker can exploit that flaw.
The second is malicious code: the operating system or an application has been infected with a virus, trojan or worm, and the malicious code may open a TCP port that gives unauthorized access from across the network.
The third is misconfiguration: the system has been set up insecurely. One example is an administrator who has not set a password on the administrative interface of an application.
The AVDS detects vulnerabilities arising from all three scenarios.
Q: Does AVDS require installation of agents on the systems that are to be scanned?
A: No, AVDS does not require any software agents on any system.
Q: How does AVDS function differently from a Host Intrusion Prevention System ("HIPS")?
A: A HIPS protects the host it runs on, but it cannot proactively defend against network exploits. If the HIPS fails and the operating system or its network services are unpatched, the system is exposed, and running such vulnerable services may compromise the network. The AVDS, as an independent entity on the network, scans the system from the outside, finds the vulnerable services and reports them. The Security Administrator is alerted to these findings and can respond immediately. In this way the AVDS complements the HIPS in protecting the system.
Q: How does AVDS function differently from a firewall?
A: A firewall typically enforces network access control at the network border: it protects internal systems and applications from unauthorized access from external networks. If an external attacker attacks a system over a path the firewall permits (for example, a published service), the firewall does not protect that system. An AVDS scanner deployed outside the network scans through the firewall and reports to the Security Administrator whether the system can be exploited, even with the firewall in place. In this way the AVDS complements the firewall in protecting the system.
Q: How does AVDS function differently from anti-virus software?
A: Anti-virus software is designed to stop malicious code (viruses, worms and trojans) from entering a system. The AVDS is agentless; it scans systems over the network and sees the vulnerabilities that are visible from the network. Such vulnerabilities may not be caused by malicious code at all, but by legitimate applications that are unpatched or poorly configured. In this way the AVDS complements the anti-virus in protecting the system.
Q: Does AVDS perform auto-patching of the operating system/software when vulnerabilities are discovered?
A: No. The AVDS does not perform auto-patching or auto-remediation. Following good ISMS practice, all patches must be tested and verified before they are deployed, so the AVDS is not designed to remediate vulnerabilities automatically by patching the scanned systems.
Technical
Q: Can AVDS be used for on-demand scanning?
A: Yes, AVDS supports on-demand scanning.
Q: How many concurrent systems can the AVDS Scanner/LSS scan at any one time?
A: On average, the AVDS Scanner/LSS scans 8 systems concurrently.
Q: What is the average scan rate (in packets/sec) generated by the AVDS Scanner/LSS during typical scanning?
A: The average scan rate is 300 packets per second.
Q: What is the average throughput (in kb/sec) generated by the AVDS Scanner/LSS during typical scanning?
A: The average throughput rate is 60 kilobits per second.
Q: What is the number of IP addresses a single scanner can scan in one day?
A: Each scanner can perform a daily scan of about 2,500 systems. If systems are scanned only once a month, one AVDS Scanner/LSS can cover about 75,000 systems. With the IS/LSS combination, multiple LSS appliances can be deployed to scan more machines daily.
Q: How much time does it take to scan a Class A, Class B and Class C network?
A: The time taken depends on the composition of the network being scanned, not only on its address size. As a reference point, a scan of an average network containing a router, a network printer, 4 servers and 10 workstations completes in approximately 8 minutes.
Q: Can the rate of scanning be limited to minimize the amount of bandwidth used for scanning?
A: Yes, AVDS allows the administrator to limit the rate of scanning.
Q: How long can the IS keep reports for a network size of one Class C network?
A: Typically, one IS can keep the scan results of 1,000 systems for 3 years. A Class C (/24) network has at most 254 host addresses, so one such network is well within that capacity.
Q: Does the AVDS support the backup of the configuration of the system?
A: Yes, the AVDS supports backing up its configuration.
Q: How is AVDS typically deployed?
A: The AVDS solution is typically deployed with the LSS installed within the internal network of an organization, where it has unrestricted access to scan systems.
The IS is typically placed in a secure environment within the SOC or NOC, and where the Security Administrator can access it to monitor vulnerability detection and to generate reports.
For more comprehensive results, a second LSS can be deployed on the external network to scan through the firewall into the internal network. This gives the Security Administrator both a detailed view of all vulnerabilities (from the internal scan) and a view of what an external attacker can see (from the external scan).
Q: How does the LSS send the scanned results to the IS? Is it via push or pull mechanism?
A: The AVDS can be configured so that the IS pulls the results from the LSS, or so that the LSS pushes the results to the IS. This flexibility lets the organization deploy the AVDS to fit its network access control requirements.
Q: Is there a problem when scanning through a firewall? Can the scanner also operate in a NAT environment?
A: For accurate results, the scanner needs to analyze the contents of the IP packets it receives to determine whether a system is vulnerable. When scanning through a firewall or a NAT device, the firewall or router may modify certain essential packet contents, which can lead to false positives or false negatives in the report. The organization must be prepared for this when scanning through a firewall or a NAT environment.
Q: Does AVDS perform port-scanning as part of vulnerability detection?
A: Yes. The AVDS always performs a port scan to detect all open ports on a system as part of vulnerability detection.
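The two answers above about concurrency (8 systems at a time) and rate limiting, together with this one about port scanning, describe the shape of the LSS's discovery phase. The following is an added example, not AVDS code: a minimal TCP connect scanner with both knobs, a cap on concurrent probes and a cap on probes started per second, plus a banner grab. The loopback listener, the banner text and the default limits (8 workers, 300 probes/s, chosen to match the figures quoted above) are constructed for the example.

```python
"""Concurrency- and rate-limited TCP connect scan with banner grab (added example, not AVDS code)."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class RateLimiter:
    """Space connection attempts so that at most `rate` start per second."""

    def __init__(self, rate):
        self.interval = 1.0 / rate
        self.next_slot = time.monotonic()
        self.lock = threading.Lock()

    def wait(self):
        with self.lock:
            now = time.monotonic()
            slot = max(now, self.next_slot)      # earliest time this probe may start
            self.next_slot = slot + self.interval
        if slot > now:
            time.sleep(slot - now)


def probe(host, port, limiter, timeout=1.0):
    """Return (port, banner) if a TCP connect succeeds, else None."""
    limiter.wait()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(0.5)                 # short wait for a service banner
            try:
                banner = sock.recv(128)
            except OSError:                      # socket.timeout is an OSError subclass
                banner = b""
            return port, banner
    except OSError:                              # refused, timed out, unreachable
        return None


def scan(host, ports, max_workers=8, rate=300):
    """Scan `ports` on `host`; returns {open_port: banner_bytes}."""
    limiter = RateLimiter(rate)
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        results = pool.map(lambda p: probe(host, p, limiter), ports)
        return {port: banner for port, banner in (r for r in results if r)}


def _loopback_listener(banner):
    """Constructed stand-in service: accept on 127.0.0.1 and send a fixed banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                           # listener was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def _free_port():
    """Pick a port that is currently closed by binding to 0 and releasing it."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo():
    """Scan one open (constructed) service and one closed port on loopback."""
    srv = _loopback_listener(b"220 constructed-ftp-banner\r\n")
    open_port = srv.getsockname()[1]
    closed_port = _free_port()
    try:
        found = scan("127.0.0.1", [open_port, closed_port], max_workers=8, rate=300)
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "found": found}


if __name__ == "__main__":
    print(demo())
```

The rate limiter paces probe starts rather than bytes, which is the knob that matters to an IDS/IPS and to a saturated WAN link; at 300 probes/s and 8 workers, a single slow or filtered host only ties up one worker while the other seven keep moving.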
Q: What type of firewall rules will need to be added to a firewall to allow the IS to interact with the LSS? Also, what firewall rules are needed for the Security Administrator to administer the IS?
A: The IS and LSS communicate with each other over SSL, i.e. TCP port 443. The Security Administrator's web browser also connects to the IS on TCP port 443.
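The answer above names only the port, and the push/pull answer earlier means either side may open the connection. The following nftables ruleset, an added example and not part of the AVDS documentation, shows what that looks like on a filtering device between the management, scanning and admin segments. The addresses (IS 10.0.0.10, LSS 10.0.0.20, admin workstations 10.0.9.0/24) are assumptions; keep only the IS/LSS direction that matches your push or pull configuration.

```nft
# Added example: forward-chain rules for AVDS traffic on a segment firewall.
# 10.0.0.10 = IS, 10.0.0.20 = LSS, 10.0.9.0/24 = admin network (all assumed).
table inet avds_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # IS -> LSS on 443: needed when the IS pulls results from the LSS
        ip saddr 10.0.0.10 ip daddr 10.0.0.20 tcp dport 443 accept comment "IS pulls from LSS"

        # LSS -> IS on 443: needed when the LSS pushes results to the IS
        ip saddr 10.0.0.20 ip daddr 10.0.0.10 tcp dport 443 accept comment "LSS pushes to IS"

        # Security Administrator browsers -> IS web interface
        ip saddr 10.0.9.0/24 ip daddr 10.0.0.10 tcp dport 443 accept comment "admin web UI"
    }
}
```

Nothing else needs to reach the IS or LSS from the general user population, so the default-drop policy is the correct starting point; the scan traffic itself originates from the LSS towards the scanned segments and is handled by whatever rules already allow the LSS its "unrestricted access" mentioned in the deployment answer.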
Q: What systems does AVDS currently check?
A: The AVDS currently scans for vulnerabilities in the following systems and applications:
Microsoft Windows operating system
Windows 95/98
Windows NT 4.0 Server/Workstation
Windows 2000 Server/Workstation
Windows XP Workstation
Windows 2003 Server
UNIX
Sun Solaris
IBM AIX
HP HP-UX
SCO Unixware
BSD (OpenBSD, NetBSD)
Apple Mac OS X
Linux
Novell NDS
Mainframes: AS-400, VMS
Antivirus system
Intrusion detection system
Network devices
Firewalls
Routers
Network switches/hubs
Wireless access points
Modems
Remote access servers
VoIP devices
OSI Layer 7 applications
Web server
Database server
Mail server
FTP server
Proxy server
Programming languages
SQL
ASP
PHP
CGI
Q: How can the Security Administrator access the IS to perform administrative functions?
A: The Security Administrator can manage the IS (and the associated LSS) through a web browser.
Q: How many vulnerability checks does AVDS contain?
A: The AVDS has more than 6,000 different vulnerability checks that cover over 11,000 vulnerabilities. There are approximately 100 new vulnerability checks added every month.
Q: How often is the vulnerability checks database updated?
A: The AVDS performs an update every hour, so once a check for a newly discovered vulnerability is released, the AVDS can have it within one hour.
Q: Does the AVDS support the creation of custom signature checks?
A: No, the AVDS does not support this feature. Most AVDS users are not in the business of vulnerability research, and a poorly developed check could crash the system being scanned or produce a false negative, where the check fails to find the vulnerability it was written for.
Security
Q: Can the IS or LSS be hacked?
A: The IS and LSS are developed with their code audited for security vulnerabilities and are deployed in a hardened configuration. This minimizes the likelihood that the IS or LSS can be compromised.
Q: Will this device appear like a hacker to an IDS/IPS?
A: The scanner is a vulnerability assessment device and sends out packets just as an attacker would, so a typical IDS/IPS on the network may treat the AVDS Scanner or LSS as a malicious attacker. For the AVDS and the IDS/IPS to work correctly together, the IP address of the AVDS Scanner or LSS must be added to the IDS/IPS whitelist so that the scans do not generate false alarms.
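To make the whitelisting requirement concrete, here is an added example, not AVDS code and not any IDS vendor's code: a toy port-scan detector of the kind a NIDS runs, applied to constructed connection-log lines. It shows that the LSS trips the same rule as a hostile source, and that allow-listing the LSS address silences it without hiding the attacker. The addresses (LSS 10.0.0.20, target 10.0.1.15, attacker 192.0.2.77, client 10.0.5.20), the log format and the thresholds are all assumptions for the example.

```python
"""Port-scan detection with an allow-list for the authorized scanner (added example)."""
from collections import defaultdict

LSS_IP = "10.0.0.20"        # assumed address of the AVDS scanner
TARGET = "10.0.1.15"        # assumed scanned host
ATTACKER = "192.0.2.77"     # assumed hostile source (TEST-NET-2 documentation range)
CLIENT = "10.0.5.20"        # assumed ordinary user workstation


def build_sample_log():
    """Constructed log, one connection attempt per line: '<epoch> <src> <dst> <dport>'."""
    base = 1700000000
    rows = []
    rows += [(base + i, LSS_IP, TARGET, 21 + i) for i in range(20)]       # LSS sweeps 20 ports in 20 s
    rows += [(base + 5 + i, ATTACKER, TARGET, 1 + i) for i in range(15)]  # attacker sweeps 15 ports
    rows += [(base + 3 * i, CLIENT, TARGET, 443) for i in range(15)]      # user reconnecting to HTTPS
    return "\n".join(f"{ts} {src} {dst} {dport}" for ts, src, dst, dport in rows)


SAMPLE_LOG = build_sample_log()


def parse_log(text):
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)


def port_scan_sources(text, threshold=10, window=60, allow_list=frozenset()):
    """Return {src: distinct_targets} for every source that contacted at least
    `threshold` distinct (host, port) pairs within any `window`-second span.
    Sources in `allow_list` are skipped entirely; that is what whitelisting the
    scanner on a real IDS amounts to."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in sorted(parse_log(text)):
        if src not in allow_list:
            per_src[src].append((ts, dst, dport))

    flagged = {}
    for src, events in per_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                       # slide the window forward
            targets = {(dst, dport) for _, dst, dport in events[start:end + 1]}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    print("no allow-list:   ", port_scan_sources(SAMPLE_LOG))
    print("LSS allow-listed:", port_scan_sources(SAMPLE_LOG, allow_list={LSS_IP}))
```

The allow-list is a deliberate blind spot: anything sent from the listed address is invisible to this rule, so it should contain exactly the scanner addresses and nothing broader, and those addresses should not be reachable or spoofable by ordinary hosts on the segment.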
Customization
Q: Can the AVDS be installed on a customized hardware?
A: The IS can be configured on customized hardware with better specifications, at additional cost. The LSS is always delivered on a basic hardware configuration optimized for its purpose.
Risk Management
Q: Does the AVDS allow the organization to customize their risk portfolio?
A: Yes. Through the asset management feature, the AVDS allows an organization to assign a value to each asset, which is used to determine its risk value. The higher the asset value, the more important the asset.
Q: Why does AVDS manage risk through the asset value rather than changing the value of the vulnerability?
A: Different organizations rate the risk of the same vulnerability differently. Rather than changing the value of the vulnerability, which would be ambiguous, changing the value of the asset is more meaningful. As a result, a high-value asset is treated as carrying more risk than a low-value asset when both have the same vulnerability.