It is possible that you may have heard of the IS Security team performing security scans of servers or networks. Those rumours are true. Of course what you may not be aware of is that other even nastier people are also performing security scans of the University servers! We do use tools to scan the network and specific servers looking for security holes, so that we can double-check the security of critical services. Whilst security hardening is part of any project to install a service, to double-check the security of a server we scan it from the network to see how it looks to a potential attacker.
Are We Being Scanned ?
The short answer to this, is yes we are … all the time … 24 hours a day, 7 days a week and 52 days a year. One minor example of this are the number of “invalid user” login attempts made to just one server … and a minor little known one at that :-
Number of Login Attempts | Date |
---|---|
2 | Feb 1 |
4 | Feb 2 |
189 | Feb 4 |
47 | Feb 5 |
52 | Feb 6 |
989 | Feb 7 |
263 | Feb 9 |
162 | Feb 10 |
These invalid login attempts are just to attack the ssh service looking for certain usernames with poor passwords set. There is plenty of other scanning going on. More details available on ssh scanning can be obtained from the Dragon Research Group
What Scanning Does
A network security scanner performs a scan by performing a number of checks against each server it is asked to scan (or discovers for itself). These checks include :-
- Determining what network services are running – such as web servers, or ssh servers.
- If a particular network service is running, it obtains information about that service by probing it. Most network services have some sort of “announcement” which may include useful information about versions in use, etc. Or it could be a lot more obscure such as it announces that it supports certain versions of the protocol – for example, ssh has two different levels of the protocol and a service may announce the fact that it supports the old (and vulnerable) SSH1 protocol.
- For some network services, the scanner can attempt to use the services to determine if appropriate access restrictions are in place. For example, mail servers often have extra debugging commands that can leak information useful to spammers – these commands should be allowed internally but not externally.
- If given authentication credentials, it may also login to the server to determine more information about the services that are running.
The more aggressive network scanners (i.e. those used by attackers) may attempt to exploit services.
When finished, network security scanners produce a report to be distributed amongst technical staff to highlight what has been discovered. In most cases, the report needs to be assessed to determine which items are of concern and which are not. Some vulnerabilities that may be discovered could be less serious than a network security scanner determines, and some may even be more serious!
Is It Disruptive?
Most network security scanners are written to be non-disruptive. Even those written by attackers who want to break in and cause damage are intended to cause no disruption because disruption is obvious and an attacker will not want the defences raised before they have broken in. However there are no guarantees in this world, and it is always possible for a network security scanner to unintentionally cause disruption. We have seen this ourselves in a very small number of situations – either fragile network devices, or misconfigured servers that get overloaded.
Disruption is very rare and probably occurs in less that 1% of all scans. If disruption does occur, it tends to be of a temporary nature – a server gets overloaded whilst the scan is going on.
So the answer to that question is that scanning could be disruptive, but it is very unlikely.
Scan Scheduling
Official network scans are scheduled formally being incorporated into the IS change control process and in consultation with the Business Owner of the system being scanned. Official network scans are only performed by suitable IS staff – specifically staff within EPS/IS who have undergone suitable training and who are familiar with the procedure for performing network security scans.
“Unofficial” scans are prohibited, which does not stop them happening when performed by an outsider of course.
Why Do We Scan?
In an ideal world, with an infinite amount of time to configure servers properly there well be no need for performing network security scans. As we have yet to manage to create a perfect world, network security scans are very useful for assessing the security of our servers. They allow us to identify misconfigured services, and services where configuration improvements could be made.
We do not blindly follow the recommendations of a network security scan, but identifying areas of improvement does allow us to target work on improving servers.
And yes we do need to spend time on making services more secure – allowing an attacker to obtain access to our servers has a number of negative consequences which can have legal consequences. Up to and including rather large fines from the Information Commissioner!