CheckNet: A Vulnerability Scanning Network Tool

Slides: 27
Provided by: RandyMa7
Transcript and Presenter's Notes

1
CheckNet: A Vulnerability Scanning Network Tool
  • Randy Marchany
  • IT Security Lab
  • VA Tech
  • Blacksburg, VA 24060

2
Analogy
  • Network Driver's License
  • Security awareness programs
  • AUP
  • State Inspection
  • Minimum computer standards
  • UCONN, StartSafe, Checknet, SafetyNet

3
The Problem
  • Students, faculty & staff bring infected
    computers to our network from home or previous
    jobs
  • They disrupt network operations when they connect
    to the network
  • Slammer/Blaster/SoBig/Welchia caused us lots of
    problems last year during Fall Registration
    check-in

5
How Fast Does a Virus Spread?
  • Sapphire/Slammer Worm of Summer, 2003 took 10
    minutes to probe 55 million computers.
  • Took 30 minutes to infect 74K systems

8
Existing Solutions
  • Grin and Bear it
  • JMU StartSafe (PUSH)
  • Southwestern's NetReg (www.netreg.org)
  • UCONN version of NetReg (PUSH)
  • Does normal NetReg and scans your system for
    vulnerabilities. Windows only.
  • Purdue Vulnerability Scanning Cluster (PULL)
  • Nessus based, on-demand
  • GMU Sandbox (PUSH)
  • VT SafetyNet on-demand scanning (PULL)

9
JMU StartSafe
  • Performs series of automated steps
  • Check audit, AV policies
  • Check patch levels
  • One with user interaction
  • One with no interaction
  • Requires client program
  • Good approach to the scan/fix problem

10
UCONN's NetReg
  • Redirects all DNS lookups from new machines to
    itself including windowsupdate.com
  • 9100 systems connected via NetReg
  • 2500 found vulnerable
  • 400 infected when they arrived on campus
  • User must start the scan
  • Test for RPC, DCOM, MS03-026, MS03-039, i.e.,
    Blaster, Welchia
  • Scanning tools
  • Nessus, modified rpcscan tool

13
VT CheckNet
  • Extends UConn's and JMU's approaches
  • Differences
  • Scope is entire network
  • All OS
  • Reduce risk of wildfire attacks
  • Establish minimum security standard for computers
  • Increase user awareness

14
Types of Attacks
  • Remote probe
  • Target system is probed for weakness; if found,
    it's attacked
  • Slammer/Blaster/Code Red
  • Client Initiated
  • Client system opens attachment, downloads www
    page and triggers the attack
  • MyDoom, shiny attachments, www downloads

15
We Pause for Argument
  • Assumptions Non-technical issues
  • Ignore user disabling firewall
  • Ignore attacks on firewall
  • Ignore attacks through open ports
  • Ignore shiny attachment attacks
  • Conditions
  • Dell will be shipping all systems configured to
    CIS score of 10 soon
  • AOL will build Secure Your Home Computer tool
    using CIS benchmark
  • XP SP2 enables ICF by default

16
What is a Safe System?
  • Working Group concludes that a firewalled system
    is acceptable minimum security
  • Firewall blocks all incoming connections
  • Firewall blocks traditional scanning tools
  • Nessus, nmap, LanGuard, UConn DCOM, Shields Up,
    Checknet, SafetyNet
  • Allows any outbound connection originating from
    the system
  • Blocks Slammer/Blaster style attacks because
    system can't be scanned
  • Doesn't address MyDoom, ActiveX style attacks but
    limits the damage

17
Minimum Computer Standard?
  • Remember: MINIMUM
  • OS patches/hotfixes up to date
  • Personal firewall configured to block unsolicited
    inbound requests (stateful)
  • Updated AV software if appropriate
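
The stateful rule above (block unsolicited inbound, allow anything the host originates), modelled as a small Python sketch. This is an added illustration, not part of the original slides; the class name, addresses (documentation ranges) and packet tuples are constructed, while UDP 1434 and TCP 135 are the ports Slammer and Blaster probed.

```python
# Added illustration: minimal model of a stateful personal firewall.
# Names and addresses are constructed (RFC 5737 documentation ranges).
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")


class StatefulHostFirewall:
    """Allow every outbound flow; allow inbound only as a reply to one."""

    def __init__(self, host_ip):
        self.host_ip = host_ip
        self.flows = set()      # (proto, local_port, remote_ip, remote_port)
        self.dropped = []       # unsolicited inbound packets, kept for review

    def outbound(self, pkt):
        # Remember the flow so that the matching reply is recognised later.
        self.flows.add((pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "ALLOW"

    def inbound(self, pkt):
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip == self.host_ip and key in self.flows:
            return "ALLOW"
        self.dropped.append(pkt)
        return "DROP"


def run_scenarios():
    host, web, scanner = "192.0.2.10", "198.51.100.80", "203.0.113.66"
    fw = StatefulHostFirewall(host)
    verdicts = {}
    # Remote probe (Slammer: UDP 1434, Blaster: TCP 135): nothing asked for it.
    verdicts["slammer_probe"] = fw.inbound(Packet("udp", scanner, 40000, host, 1434))
    verdicts["blaster_probe"] = fw.inbound(Packet("tcp", scanner, 40001, host, 135))
    # Client-initiated: the user fetches a page, so the reply is let in.
    verdicts["web_request"] = fw.outbound(Packet("tcp", host, 51000, web, 80))
    verdicts["web_reply"] = fw.inbound(Packet("tcp", web, 80, host, 51000))
    # Same server, but a local port the host never used: still unsolicited.
    verdicts["stray_reply"] = fw.inbound(Packet("tcp", web, 80, host, 51001))
    return verdicts, len(fw.dropped)


if __name__ == "__main__":
    for name, verdict in run_scenarios()[0].items():
        print(f"{name:14} {verdict}")
```

The allowed `web_reply` is the caveat from the "What is a Safe System?" slide: content the user requests passes the firewall, so client-initiated attacks are limited rather than blocked.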

18
Which Systems to Scan First?
19
CheckNet
  • We scan systems for vulnerabilities
  • Send a trouble ticket to 4HELP
  • Possibly restrict access to net until problem is
    fixed
  • Will tie in with PID login access to network

20
CheckNet Windows Tests
  • Blank Admin password
  • RPC Buffer Overruns
  • RPC-DCOM (Blaster, Welchia)
  • Messenger Service Buffer Overrun
  • Null session, open SMB shares
  • SMTP Server running
  • WebDAV vulnerability

21
CheckNet Windows Tests
  • MS Locate Service
  • Relative Shell Path Hotfix Missing
  • RAS Phonebook Vulnerability
  • IP fragmentation vulnerability
  • Certificate Validation Flaw hotfix missing
  • Reset Browser Frame Vulnerability

22
CheckNet Windows Test
  • RDP Sniffing and Crashing Vulnerability
  • LPC Vulnerability
  • WM_TIMER Vulnerability
  • Remove Registry Access
  • eDonkey
  • Kazaa

23
Checknet Phases
  • Phase 1: Student systems (Fall 2004), RESNET ONLY
  • VTNET CD installation is required
  • New Student Summer orientation
  • GetConnect Program
  • Equivalent security settings are acceptable
  • Systems scanned for specific vulnerabilities
  • No action if system passes
  • Trouble ticket generated if system fails
  • RCC/Get Connect team visits room

24
Preliminary Stats
  • 7290 DHCP resnet connections
  • 1800 systems answered pings
  • 4990800 new, transfer students received the
    VTNET CD during freshman orientation
  • 70 machines found with vulnerabilities
  • Cautious optimism reigns

25
Checknet Phases
  • Phase 2: Checknet/Staging VLAN
  • Checknet scans when system is connected
  • Penalty box if system fails
  • Phase 3: Faculty/Staff Machines placed in
    Checknet/Staging VLAN infrastructure

26
Summary
  • We address a major class of threats to the VT
    network
  • Establish a minimum security setting for VT
    computers
  • Consistent with the overall security strategy for
    the University
  • Securing the Infrastructure
  • General User Education
  • Technical Training