4. Getting started: Performing an audit

Introduction

Security scans enable systems administrators to identify and assess possible risks within a network. Through GFI LANguard N.S.S. this is performed automatically, without all the unnecessary repetitive and time-consuming tasks related to performing them manually.

In this chapter you will discover how to perform security scans using default and custom settings, how to start scans directly from the toolbar and how to configure scan ranges.

To perform a security audit the scanning engine requires you to specify three primary parameters:

1. Target computer(s) to scan for security issues.

2. Scanning profile to use (specifies vulnerability checks/tests to be done against the specified targets).

3. Authentication details to be used to log on to the target computer(s).

For a thorough security scan use the ‘Full Scan’ option.

About authentication credentials

When performing a security scan GFI LANguard N.S.S. must authenticate to the target computer(s) in order to execute the vulnerability checks and retrieve system information.

To achieve this, GFI LANguard N.S.S. must ‘physically’ log on to the target computer(s) with administrative rights i.e. using a local administrator account, domain administrator, enterprise administrator account or any other account that has administrative privileges over the target computer(s). Different systems often require different authentication methods. For example, to scan Linux systems you are often required to provide a private key file instead of the conventional password string.

NOTE 1: For more information about authentication methods refer to the ‘Computer Profiles’ section in the ‘Configuring GFI LANguard N.S.S.’ chapter.

NOTE 2: For more information about Public Key authentication, refer to the ‘About SSH Private Key file authentication’ section in the ‘Configuring GFI LANguard N.S.S.’ chapter.

About the scanning process

The target computer scanning process has three distinct stages.

Stage 1: Determine availability of target computer:

During this stage, GFI LANguard N.S.S. will determine whether a target computer is available for vulnerability scanning. This is achieved through connection requests that are sent in the form of NETBIOS queries, SNMP queries and/or ICMP pings.

NOTE: By default, GFI LANguard N.S.S. will NOT scan the devices that fail to respond to the connection requests sent via NETBIOS queries/SNMP queries/ICMP pings.

Stage 2: Establish connection with target device:

In the second stage of its target scanning process, GFI LANguard N.S.S. will establish a direct connection with the target computer by remotely logon on to it. This is achieved using the scan credentials configured in step 5 of the new scan wizard.

Stage 3: Execute vulnerability checks:

During this final stage, GFI LANguard N.S.S. will execute the vulnerability checks configured within the selected scanning profile. This will result in the identification and reporting of specific weaknesses present on your target computer.

NOTE 1: GFI LANguard N.S.S. ships with a default list of scanning profiles that are preconfigured with vulnerability checks. Nevertheless you can also customize both the scanning profiles and the vulnerability checks contained within. For more information on how to achieve this refer to the ‘Scanning Profiles’ chapter.

NOTE 2: Please note that if any type of Intrusion Detection Software (IDS) is running during scans, GFI LANguard N.S.S. will set off a multitude of IDS warnings and intrusion alerts in these applications. If you are not responsible for the IDS system, make sure to inform the person in charge about any planned security scans.

NOTE 3: Along with the IDS software warnings, kindly note that a lot of the scans will show up in log files across diverse systems. UNIX logs, web servers, etc. will all show the intrusion attempts made by the computer running GFI LANguard N.S.S. If you are not the sole administrator at your site make sure that the other administrators are aware of the scans you are about to run.