Internet Security Scanner (ISS)

Comparison between Internet Security Scanner (ISS) 1.x
and Internet Scanner 3.2

ISS Background

Internet Security Scanner (ISS 1.x) was developed and released as a shareware product in 1992 by Christopher Klaus. The Internet Security Scanner was designed to help administrators explore and log network security vulnerabilities associated with TCP/IP host services. This shareware product was the first of its kind and has become well known and widely used as a fundamental penetration testing tool.

Over the past three years, the Internet Security Scanner has been used in many corporations to help detect security vulnerabilities in network computing environments. Once identified, vulnerabilities can be eliminated by taking corrective action. This minimizes the risk that systems can be compromised by unauthorized users.

Internet Security Scanner (ISS 1.x) still exists as a shareware product and has not been updated in over three years. Many people are familiar with ISS 1.x as it is freely available on http://iss.net , CERT'S FTP site (ftp.cert.org), and Gene Spafford's security resource FTP site (ftp.coast.purdue.edu). Although it is still one of the most recommended and tools used for determining network security vulnerabilities (see CERT advisory CA-93:14 and CERT summaries CS-95:02 and CS-95:03), its lack of support and regular updates make it a less effective solution as new vulnerabilities are discovered.

Due to the overwhelming demand from corporate users to continuously update the tool with the latest vulnerability checks, Christopher Klaus formed Internet Security Systems in 1994 to support and update a commercial version of the security scanning technology that he pioneered. The commercial product, Internet Scanner was released in 1994 and has been completely rewritten and updated to check for the latest network security vulnerabilities. Features include the addition of a graphical user interface, improved risk assessment reporting, parallel scanning, firewall and web vulnerability checks and Microsoft NT/Win 95 vulnerability checks. Currently available as version 3.2, the Internet Scanner is updated four to six times per year and is supported commercially.

Internet Security Systems is the leading provider of commercial attack simulation and security audit tools. Having pioneered this technology, the company is primarily engaged in further enhancing its flagship product, Internet Scanner, and introducing innovative new tools for the network security marketplace.

Why conduct penetration testing?

As most security experts can tell you, if there is a single vulnerability that allows an intruder into a regular UNIX system, the entire machine becomes compromised. This means that if a single service such as E-mail on UNIX (sendmail) is vulnerable to attack, an intruder can compromise the machine and gain access to the whole machine. And if a single machine within a network is compromised, the whole network can now be easily compromised. This is true for most networks for mainly two reasons:

Sniffing - a technique used by an intruder to capture clear text passwords going over the network.
Trust authentication - certain services will provide access to an intruder based on network addresses, so that if an intruder is coming from an internal machine, another machines may not require entering a password. An intruder has an advantage being on an internal machine because there is a good chance to find users that tell passwords in Email or certain configuration files (i.e. .netrc files)

Once an intruder gets into a single machine on a network, it becomes a springboard for compromising the rest of the network. Therefore, network security is as good as the weakest link in a chain. To reduce the risk of an intruder getting into your network, it is best to fix most of your high risk vulnerabilities. To fix these vulnerabilities, you must be aware of what they are and where in your network they are located.

By doing penetration testing, you can find these vulnerability risks and take proactive steps toward corrective action. Using tools like Internet Scanner allows administrators to ask the fundamental question of "How vulnerable is my network?” and begin the steps to reduce these risks. Our philosophy in designing the Internet Scanner is that the most comprehensive penetration testing tool will be the best tool for administrators to answer that simple question. By allowing administrators to find all the possible cracks and holes in their network, they get a clear idea of how their network may be vulnerable and what needs to be done to protect from a compromise.

Internet Security Scanner (ISS 1.x) Overview

When the Internet Security Scanner (ISS 1.x) was developed, it was designed to assist administrators in finding network vulnerabilities. It was a fundamental tool with a simple command line driven interface with no GUI. The output generated was only the raw output of the results of each test performed and required an experienced administrator to interpret the results correctly and then be able to determine how to fix the security risks. Below is a list of vulnerability checks that ISS 1.x performs:

Telnet banner (Identifies Type of Host)
Sendmail (Email service for UNIX)
Aliases
Debug and Wizard Backdoor checks
FTP (File Transfer Protocol)
Anonymous FTP Check
Main directory writable check
RPC (Remote Procedure Commands)
Obtains information from portmapper (rpcinfo)
NIS (Network Information Services)
Bootparamd - Enables getting the NIS Domainname
Guess NIS domainname
Try to copy password file
Selection_svc - Allows obtaining of password file
Rexd - Allows remote access
NFS (Networked File System)
world exported file systems (showmount)
show all exported file systems
Rusers - Who is online
X25 - Possible gateway for hackers

The checks performed by ISS (1.x) are simple, widely known and often exploited vulnerabilities.

Internet Scanner Version 3.2 Improvements

The current version of the Internet Scanner (Version 3.2) was released in January 1996. Version 3.2 builds upon the extensive suite of vulnerability and usability features incorporated into the product since the first commercial version (Version 2.0) was released in 1994. This ongoing commitment to the commercial product has allowed the addition of features which the shareware version, ISS 1.x lacks. The following is a list of usability features and vulnerability tests incorporated into the Internet Scanner 3.2:

Graphical User Interface - X motif based GUI allows users to easily configure and scan a network. A curses interface menu system for configuring the Internet Scanner has been added as well.

Flexible Report Formats -Internet Scanner provides comprehensive reports detailing the vulnerabilities detected and the recommended corrective measures. Specifically, the analyzer module produces 7 seprate reports to help the administrator learn about their network:

Summary Report - General status on the number of vulnerability risks on the network
Vulnerability Report - Explains each vulnerability, corrective action, and what hosts are affected
Services Report - What services were actually found on a network. Helps administrators find which users have run their own web servers and enforce policy
Host OS Type Report - What machine types (i.e. SunOS, HPUX, AIX, Mac, Windows 95, Cisco, etc.) were found on the network
Inventory Report - What machines were alive on the network
Hosts Report - Displays all the information according to each host
Progress Report - Compares 2 scans to find out what vulnerabilities have been fixed, are still the same, and are new.

Each report generated can be in 2 formats:

ASCII based for any word processor or text editor.
HTML based for web browsers to hyperlink information together and provide links directly to CERT advisories and Patch sites within the context of each report.

Parallel Scanning - Reduce dramatically the time spent scanning the network host by host by doing scans concurrently thus substantially improving the network auditing performance.

Strict Key Licensing - Reduces the risk and liability of the Scanner by requiring customers to limit the scans to only their networks and stopping someone from accidentally scanning the wrong network.

Easy configuration files - Allows you to set up multiple configurations to do different types of scans for your networks, allowing an administrator to do a light scan daily and then a more heavy scan weekly.

Platform support - Supported on SunOS 4.1.x, Solaris 2.x Sparc, HP-UX, AIX 3.2.5, and Linux 1.2/1.3.

Stealth Scanning - Dramatically decreases the time to scan for active services on ports and provides information that packet filter based firewalls may allow through.

Expandability - Allows users to plug in their own modules to scan the network.

Vulnerabilities - This is probably the most important function of a penetration tool is what are the vulnerabilities that it can check for. The Internet Scanner dramatically increases in value as the number of vulnerability risks keep getting added to the list of checks it performs.

The Internet Scanner 3.2 now does testing for the following:

Firewall testing
UNIX TCP/IP service vulnerabilities
Windows 95, NT, WfwG with TCP/IP enabled services
Denial of service attacks
Router vulnerability risks

Comparison: ISS 1.3 and Internet Scanner Version 3.2