Internet Security Systems' Internet Scanner (ISS)

This document describes the Internet Scanner service offered by ITC, and how to schedule a scan. This service may be scheduled by a departmental administrator or LSP.

What is it?

Internet Security Systems' Internet Scanner (ISS) is a security product that assesses devices on a network for vulnerabilities. It goes through a long list of checks and tests, carefully gathering appropriate pieces of information and reporting vulnerabilities. It locates vulnerabilities like an intruder would - by examining a network's devices, services, and interrelationships.

Internet Scanner provides detailed information about each vulnerability found, including the vulnerable host, a description of the vulnerability, and the steps to take to eliminate the vulnerability. These findings are purely for an administrator's awareness; he/she may not agree with the finding, or may decide that the finding is not applicable or is not something they want to remedy. The corrective actions are recommendations only, but each should be given careful consideration.

ITC has Internet Scanner running on a Windows 2000 machine.

Internet Scanner attempts to identify the operating system of the machine it's scanning by running through a list of checks. It does not produce a simple report of all software on a machine; however, it will detect the use of some software as part of scanning for known vulnerabilities in that software.

The Scanner's vulnerability database is regularly updated. These updates include recently found vulnerabilities for all operating systems. Internet Scanner can now test for over 700 vulnerabilities.

How does ITC use it?

ITC offers the scanning of devices on the U.Va. network as a free service. By default, ITC scans machines for most high and medium risk vulnerabilities. At the department's request, we can also perform a separate scan for Denial of Service vulnerabilities. Be aware that the Denial of Service scan carries the potential of causing an outage. These two scans have typically taken 10 to 20 minutes for a single machine; for entire subnets, they have taken 30 to 45 minutes.

While the scans above are the ones typically done to cover most cases, we can tailor the scanning policies to suit specific needs. For example, we have used a policy specific to a Windows NT Web Server.

What happens once the scanning is done?

From the scans, reports are produced for your review. As with the scanning policies, the reports can be tailored in many ways. Typically, we produce one report that will list all vulnerabilities found by risk level. We usually also produce a variation of the same report that simply lists all machines scanned by IP address along with any vulnerabilities found on each machine. ITC makes these reports available as secure Web pages.

Please read the section "How do I interpret a scan?" before glancing at your report. When reviewing your report, if you have questions or would like to seek help, please contact the ITC Help Desk at 4-HELP (434-924-4357).

How can I request a scan?

Decide on a convenient time for the scanning. You will want to notify your users in case they see evidence of the scanning software in logs and/or a brief spike in network traffic. You also need to be sure all machines are on. Then determine if you have any specific needs for a variation of the normal scanning ITC does. Finally, email issadmin@Virginia.EDU with the IP addresses of the machines to be scanned (or a department name if you'd like all machines to be included), the time you'd like the scanning to be done, and any special needs you may have.

How do I interpret a scan?

When you are presented with the results from a scan of your computer, there are a number of items of which you should be aware. Please do not become intimidated by the report. Don't even panic over any vulnerabilities listed as High - your system may not actually be vulnerable to this particular exploit. Just read the vulnerability detected for your machine, decide if it may apply, and attempt to perform the steps listed in the ISS Fix. Hopefully, you will successfully eliminate the vulnerability; even if you do not, you have made a reasonable effort at closing this particular vulnerability. Other sources on the vulnerability may be available, but we have found that ISS provides fairly thorough documentation in its Fixes. After attempting the Fix, email issadmin@virginia.edu should you require any help.

The scan report should be considered only one tool among many to aid in detecting security vulnerabilities in a computer system. The scanner will not find everything. In addition, it sometimes finds things that are not applicable or just aren't possible (false positives). Keep in mind that the scanner is just like any other software: it can make mistakes, and because it cannot actually get into your machine, it can make incorrect assumptions.

© 2009 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warranties of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.