AVDS FAQ
General
Q: What is an Automated Vulnerability Detection System ("AVDS")?
A: The AVDS is a security solution that helps organizations reduce their security risk by managing their vulnerabilities. It does this proactively, periodically scanning the whole of the IT infrastructure for system and application vulnerabilities from a hacker's perspective.
The AVDS is designed to let enterprises and service providers scan large networks effectively and manage them from a single administration console through a distributed scanning architecture. It is a multi-hierarchical system that manages multiple scanning devices, organizations and users.
Q: Is AVDS a hardware or software solution?
A: The AVDS is a hardware appliance solution, and it consists of two components: The Information Server ("IS"), and the Local Security Scanner ("LSS").
The IS appliance stores the results obtained from the various scans and generates consolidated reports from them. It is also used to control and manage all the associated LSS appliances through a web interface. The IS can be configured to allow multiple users to connect to the system, read scan reports and schedule scan jobs.
The LSS appliance performs the vulnerability scans across the network. With its daily vulnerability database update, the LSS runs up-to-date vulnerability checks against every IP-based system it scans.
Q: What kinds of vulnerabilities does AVDS detect?
A: There are three scenarios in which a system can be vulnerable.
The first is when the operating system or a network application is poorly coded, allowing attackers to exploit software flaws.
The second is when the operating system or an application on the system is infected with a virus, trojan or worm. In these cases the malicious code may open a TCP port that allows unauthorized access from across the network.
The third is when the system is misconfigured. One example is an administrator who never set a password on the administrative interface of an application.
The AVDS detects vulnerabilities arising from all three scenarios.
Q: Does AVDS require installation of agents on the systems that are to be scanned?
A: No, AVDS does not require any software agents on any system.
Q: How does AVDS function differently from a Host Intrusion Prevention System ("HIPS")?
A: A HIPS protects a host from within. If the HIPS fails, a system with an unpatched operating system or unpatched network services is exposed, and running such vulnerable services may compromise the network, since a HIPS cannot proactively defend against network exploits. The AVDS, as an independent entity on the network, scans the system, finds the vulnerable services and reports them, so the Security Administrator is alerted and can respond immediately. As such, the AVDS complements the HIPS in protecting the system.
Q: How does AVDS function differently from a firewall?
A: A firewall performs network access control, typically at the network border, and can only block unauthorized access from external networks to internal systems or applications. If an external attacker reaches a system through access the firewall legitimately permits (a published service, for example), the firewall cannot protect that system. An LSS deployed outside the network can scan through the firewall and report to the Security Administrator whether the system can be exploited even with the firewall in place. As such, AVDS complements the firewall in protecting the system.
Q: How does AVDS function differently from anti-virus software?
A: Anti-virus software is designed to stop malicious code (viruses, worms and trojans) from entering a system. AVDS is an agentless solution that scans systems from across the network and finds the vulnerabilities that are visible from the network. Many of those are not caused by malicious code at all, but by legitimate applications that are unpatched or poorly configured. As such, the AVDS complements the anti-virus in protecting the system.
Q: Does AVDS perform auto-patching of the operating system/software when vulnerabilities are discovered?
A: No, AVDS does not perform auto-patching or auto-remediation. Following good ISMS practice, every patch must be tested and verified before it is deployed, so AVDS is deliberately not designed to remediate vulnerabilities by patching systems automatically.
Technical
Q: Can AVDS be used for on-demand scanning?
A: Yes, AVDS supports on-demand scanning.
Q: How many concurrent systems can the LSS scan at any one time?
A: On average, the LSS can scan 8 systems concurrently.
Q: What is the average scan rate (in packets/sec) generated by the LSS during typical scanning?
A: The LSS average scan rate is 300 packets per second.
Q: What is the average throughput (in kb/sec) generated by the LSS during typical scanning?
A: The LSS average throughput rate is 60 kilobits per second.
Q: How many IP addresses can the LSS scan in one day?
A: The LSS can perform a daily scan of about 7,500 systems. If each system only needs to be scanned once a month, a single LSS can therefore cover about 225,000 systems.
Q: What is the speed of an LSS scan on a Class A, Class B and Class C network?
A: The time taken to scan a network depends on the composition of that network rather than on its address class. A scan of an average network containing a router, a network printer, 4 servers and 10 workstations completes in approximately 8 minutes.
Q: Can the rate of scanning be limited to minimize the amount of bandwidth used for scanning?
A: Yes, AVDS allows the administrator to limit the rate of scanning.
Q: How long can the IS keep reports for a network size of one Class C network?
A: Typically, one IS can keep the scan results of 1,000 systems for 3 years.
Q: Does the AVDS support the backup of the configuration of the system?
A: Yes, the AVDS supports this function.
Q: How is AVDS typically deployed?
A: The AVDS solution is typically deployed with the LSS installed within the internal network of an organization, where it has unrestricted access to scan systems.
The IS is typically placed in a secure environment within the SOC or NOC, and where the Security Administrator can access it to monitor vulnerability detection and to generate reports.
For a more comprehensive result, a second LSS can be deployed on the external network to scan the internal network through the firewall. This gives the Security Administrator both a detailed view of all vulnerabilities (from the internal scan) and a view of what an external attacker can see (from the external scan).
Q: How does the LSS send the scanned results to the IS? Is it via push or pull mechanism?
A: The AVDS can be configured such that the IS can pull the results from the LSS, or the LSS can push the scanned results to the IS. Such flexibility allows the organization to deploy AVDS to fit their network access control requirements.
Q: Is there a problem if the LSS scan through a firewall? Can the LSS also operate in a NAT environment?
A: For accurate results, the LSS needs to analyze the contents of the IP packets it receives to determine whether a system is vulnerable. When a scan passes through a firewall or a NAT device, that device may rewrite addresses and ports, drop or normalize packets, or otherwise alter essential packet contents. This can lead to false positives or false negatives in the report, and the organization must be prepared for such results if the LSS scans through a firewall or a NAT environment.
Q: Does AVDS perform port-scanning as part of vulnerability detection?
A: Yes. AVDS always performs a port scan first to find all open ports on a system, and the vulnerability checks are then run against the services found on those ports.
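The following is an added illustration, not AVDS code, of the scanning behaviour the FAQ describes in this section: a TCP connect port scan whose probe rate is capped (the FAQ's 300 packets/sec figure is used as the default) and which runs a bounded number of probes concurrently (8, matching the concurrency figure above). The class and function names, the token-bucket rate limiter and the local test target are this example's own assumptions; the scan target is a constructed listener on 127.0.0.1, so nothing leaves the host.

```python
"""Rate-limited, concurrent TCP connect port scan (added example; not AVDS code)."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class RateLimiter:
    """Serialises probe start times so that at most `rate` probes per second
    are launched, however many worker threads are scanning."""

    def __init__(self, rate: float) -> None:
        self.interval = 1.0 / rate
        self.next_slot = time.monotonic()
        self.lock = threading.Lock()

    def wait(self) -> None:
        with self.lock:
            now = time.monotonic()
            delay = max(0.0, self.next_slot - now)
            self.next_slot = max(now, self.next_slot) + self.interval
        if delay:
            time.sleep(delay)


def probe(host: str, port: int, limiter: RateLimiter, timeout: float = 0.5) -> str:
    """One TCP connect probe. 'open' = handshake completed, 'closed' = RST
    received, 'filtered' = no answer before the timeout or another error."""
    limiter.wait()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # socket.timeout / TimeoutError are OSError subclasses
            return "filtered"


def scan_ports(host, ports, rate=300.0, workers=8, timeout=0.5):
    """Scan `ports` on `host` with at most `workers` probes in flight and a
    global cap of `rate` probes per second. Returns [(port, state), ...]
    in the order the ports were given."""
    limiter = RateLimiter(rate)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, limiter, timeout), ports))
    return list(zip(ports, states))


def demo():
    """Constructed target: a listening socket on 127.0.0.1 (open) and a port
    that was bound and then released (closed). Also times ten probes at
    20/s to show the limiter in effect (must take at least 9 * 50 ms)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # port released, so connect() is refused
    try:
        states = dict(scan_ports("127.0.0.1", [open_port, closed_port], rate=50))
        start = time.monotonic()
        scan_ports("127.0.0.1", [closed_port] * 10, rate=20)
        elapsed = time.monotonic() - start
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "states": states, "elapsed": elapsed}


if __name__ == "__main__":
    print(demo())
```

The limiter is shared by all worker threads, so concurrency controls how many probes wait on slow or filtered hosts at once while the rate cap bounds the packets per second put on the wire, which is the knob the FAQ says an administrator can turn down to save bandwidth.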
Q: What type of firewall rules will need to be added to a firewall to allow the IS to interact with the LSS? Also, what firewall rules are needed for the Security Administrator to administer the IS?
A: The IS and LSS communicate with each other over SSL, i.e. TCP port 443. Which side initiates depends on how results are transferred: if the IS pulls results, allow the IS to reach the LSS on TCP 443; if the LSS pushes results, allow the LSS to reach the IS on TCP 443. The Security Administrator's web browser connects to the IS on TCP port 443 as well.
Q: What systems does AVDS currently check?
A: The AVDS currently scans for vulnerabilities in the following systems and applications:
- Microsoft Windows operating systems
  - Windows 95/98
  - Windows NT 4.0 Server/Workstation
  - Windows 2000 Server/Workstation
  - Windows XP Workstation
  - Windows 2003 Server
- UNIX
  - Sun Solaris
  - IBM AIX
  - HP-UX
  - SCO UnixWare
  - BSD (OpenBSD, NetBSD)
  - Apple Mac OS X
- Linux
- Novell NDS
- Mainframes: AS/400, VMS
- Antivirus systems
- Intrusion detection systems
- Network devices
  - Firewalls
  - Routers
  - Network switches/hubs
  - Wireless access points
  - Modems
  - Remote access servers
  - VoIP devices
- OSI Layer 7 applications
  - Web servers
  - Database servers
  - Mail servers
  - FTP servers
  - Proxy servers
  - Programming languages
Q: What database system does AVDS use to store scanned results? Where does this database reside?
A: AVDS uses MySQL as the database system. The database resides on the IS appliance, outside the scanned network, not on any of the systems being scanned.
Q: How can the Security Administrator access the IS to perform administrative functions?
A: The Security Administrator can manage the IS (and the associated LSS) through a web browser.
Q: How many vulnerability checks does AVDS contain?
A: The AVDS has more than 4,200 different vulnerability checks, and approximately 100 new vulnerability checks are added to it every month.
Q: How often is the vulnerability checks database updated?
A: The AVDS checks for updates every hour, so once a check for a newly discovered vulnerability is published it can be on the appliance within an hour.
Q: Does the AVDS support the creation of custom signature checks?
A: No, the AVDS does not support this feature. Most users of AVDS are not in the business of vulnerability research, and a poorly developed check can crash the target system when it runs, or fail to find the vulnerability it was written for (a false negative).
Security
Q: Can the IS or LSS be hacked?
A: The IS and LSS are built from code that has been audited for security vulnerabilities and are deployed with a hardened configuration. This keeps the likelihood of the IS or LSS being hacked minimal.
Q: Will this device appear like a hacker to an IDS/IPS?
A: Yes. The LSS is a vulnerability assessment device, so it sends the same kinds of packets a hacker would, and a typical IDS/IPS on the network may treat it as a malicious attacker. For AVDS and the IDS/IPS to work together correctly, the IP address of the LSS must be added to the IDS/IPS whitelist so that scans do not generate false alarms (and, in the case of an IPS, are not blocked, which would distort the scan results).
Customization
Q: Can the AVDS be installed on a customized hardware?
A: It is possible to configure the IS on a customized hardware with better hardware specifications, and this will come at an additional cost. The LSS will still be installed on a basic hardware configuration optimized for its purpose.
Risk Management
Q: Does the AVDS allow the organization to customize their risk portfolio?
A: Yes. Through the asset management feature, the AVDS lets an organization assign a value to each asset, and that value determines the asset's risk value. The higher the asset value, the more important the asset.
Q: Why does AVDS manage risk through the asset value rather than by changing the value of the vulnerability?
A: Organizations rate the risk of a given vulnerability differently from one another. Rather than changing the value of the vulnerability, which is ambiguous, it is more relevant to change the value of the asset. The effect is that a high-value asset is deemed more at risk than a low-value asset when both carry the same vulnerability.
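As an added worked example (not AVDS code), the ranking below shows what "the same vulnerability on a more valuable asset is more at risk" means for a remediation queue. The FAQ does not give AVDS's formula, so the model here, risk = asset_value x severity, the 1..5 severity scale, the host names, the check names and the `Finding` type are all this example's own assumptions; the sample findings are constructed.

```python
"""Asset-weighted ranking of findings (added example; not AVDS code).
Assumed model: risk = asset_value * severity, both on small integer scales."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check: str      # name of the vulnerability check that fired (constructed)
    severity: int   # 1 (low) .. 5 (critical); assumed scale


def risk_score(finding, asset_values, default_value=1):
    """Same vulnerability, different asset value => different risk.
    Hosts with no assigned value get `default_value`."""
    return asset_values.get(finding.host, default_value) * finding.severity


def prioritize(findings, asset_values, default_value=1):
    """Findings in remediation order, highest risk first; ties are broken
    by host and check so the order is stable."""
    return sorted(
        findings,
        key=lambda f: (-risk_score(f, asset_values, default_value), f.host, f.check),
    )


def risk_by_asset(findings, asset_values, default_value=1):
    """Total risk carried by each asset, for the per-system view."""
    totals = defaultdict(int)
    for f in findings:
        totals[f.host] += risk_score(f, asset_values, default_value)
    return dict(totals)


# Constructed sample: the same SMB check fires on a payment database and on a lab PC.
ASSET_VALUES = {"pay-db-01": 5, "lab-pc-17": 1}
FINDINGS = [
    Finding("lab-pc-17", "smb-signing-disabled", 3),
    Finding("pay-db-01", "smb-signing-disabled", 3),
    Finding("lab-pc-17", "ftp-anonymous-login", 4),
    Finding("pay-db-01", "http-default-credentials", 2),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, ASSET_VALUES):
        print(f"{risk_score(f, ASSET_VALUES):3d}  {f.host:<10} {f.check}")
```

Note the consequence of weighting by asset: the lab PC's severity-4 anonymous FTP finding ranks below the payment server's severity-2 default-credentials finding, because the asset value, not the vulnerability rating, was adjusted.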
www.SecuriTeam.com