In-Depth
How a Network Scan Can Improve Your Security
A scan can improve the security of your network, but be sure you know the law before you decide to do so.
- By Greg Saoutine
- September 01, 2001
While people usually associate scans with either crackers (malicious
hackers) or expensive consultants, they can be very useful in helping
busy IT professionals keep their networks secure. A growing perception
in the industry is that scanning isn't necessarily a bad thing. But in
some cases, the legal aspects of scanning have been called into question.
Some folks compare scanning to walking down a strip mall and looking
for vulnerabilities and weaknesses in the stores' physical security. By
itself, such activity isn't illegal, and the automatic assumption of malicious
intent is premature. Different jurisdictions are taking different positions
regarding this matter; understand the law, both where you are and where
the target's located, even if you think you're fully authorized to perform
a scan.
A network scan can provide you with information about the host similar to
the information a malicious individual would gather. That may include the
type of OS running on the target (fingerprinting), applications/services
running on the target and advertising themselves to the network (port
scan), and possible vulnerabilities present in the OS and applications
on the target (OS and application vulnerability scan). Also, some scanning
tools allow you to execute denial of service (DoS), buffer overflow, fault
injection and other attacks against the target system. This functionality
built into the scanners helps you perform rigorous testing on pre-production
systems in a controlled manner.
On the "black-hat" side, the information obtained about the target gives
hackers an understanding of how to plan and perform an attack. The more
information about the OS, applications and vulnerabilities present on
your hosts that malicious intruders have, the more they can focus their
efforts toward a specific platform and/or application. For example, if
an attacker's able to see that you're running IIS 4.0 on a Windows NT
4.0 server without some of the recent patches, they can immediately exploit
vulnerabilities such patches were designed to fix. Databases of such vulnerabilities
are often easily accessible via the Internet.
A popular misperception in the industry is that hackers can always get
away with using scanners, since there are mechanisms built into the scanners
to "mask" the scan. Most of the time, it's possible to detect scanning
activity in the firewall and/or OS logs, but sometimes it's hard to say
what kind of scanner was used, especially because a malicious attacker
may be able to run a raw script probing your host from the command line.
Also, many scanners provide capabilities for "stealth" (SYN) scans, where
a TCP/IP connection never gets established with the target and, therefore,
the investigation of malicious activity is harder, if not impossible (depending
on the type of network technologies used around the target). Some scanners
(especially commercial products) specifically identify themselves on the
network to facilitate investigations of unauthorized scans and protect
the software vendors from the legal consequences of unauthorized use of
their software.
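The paragraph above says scanning activity can usually be detected in firewall or OS logs even when a "stealth" SYN scan never completes a TCP connection. The following script is an added example of that detection logic; it is not code from the original article or its author. It parses a constructed, generic firewall log format (timestamp, action, protocol, source, destination, TCP flags) and raises one alert per source/destination pair that touches an unusual number of distinct destination ports inside a short sliding window. The log lines, the addresses (RFC 5737 documentation ranges), the regular expression and the thresholds are all assumptions made for the example and must be adapted to your own firewall's log layout.

```python
"""Detect port-scan patterns in firewall log lines (added example, constructed input)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log. The layout is NOT a specific vendor's format; it exists only
# so the example runs offline. A SYN-only packet ("S") is logged by a packet filter
# regardless of whether the handshake ever completes, so a half-open scan still shows up.
SAMPLE_LOG = """\
2001-09-01T10:00:01 DROP TCP 203.0.113.5:40001 -> 192.0.2.10:21 S
2001-09-01T10:00:01 DROP TCP 203.0.113.5:40002 -> 192.0.2.10:22 S
2001-09-01T10:00:02 DROP TCP 203.0.113.5:40003 -> 192.0.2.10:23 S
2001-09-01T10:00:02 DROP TCP 203.0.113.5:40004 -> 192.0.2.10:25 S
2001-09-01T10:00:02 ACCEPT TCP 203.0.113.5:40005 -> 192.0.2.10:80 S
2001-09-01T10:00:03 DROP TCP 203.0.113.5:40006 -> 192.0.2.10:110 S
2001-09-01T10:00:03 DROP TCP 203.0.113.5:40007 -> 192.0.2.10:135 S
2001-09-01T10:00:03 DROP TCP 203.0.113.5:40008 -> 192.0.2.10:139 S
2001-09-01T10:00:04 DROP TCP 203.0.113.5:40009 -> 192.0.2.10:143 S
2001-09-01T10:00:04 DROP TCP 203.0.113.5:40010 -> 192.0.2.10:443 S
2001-09-01T10:00:05 DROP TCP 203.0.113.5:40011 -> 192.0.2.10:445 S
2001-09-01T10:00:05 DROP TCP 203.0.113.5:40012 -> 192.0.2.10:3389 S
2001-09-01T10:00:10 ACCEPT TCP 198.51.100.7:51000 -> 192.0.2.10:80 S
2001-09-01T10:00:11 ACCEPT TCP 198.51.100.7:51001 -> 192.0.2.10:443 S
2001-09-01T10:05:00 ACCEPT TCP 198.51.100.9:52000 -> 192.0.2.10:80 S
"""

# Assumed line shape: "<iso-timestamp> <ACCEPT|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport> [flags]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<flags>\S+))?$"
)


def parse_lines(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count skipped lines so a format change is noticed
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "action": d["action"],
            "proto": d["proto"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "flags": d["flags"] or "",
        })
    return events


def detect_port_scans(events, window_seconds=30, min_distinct_ports=10):
    """Return one alert per (src, dst) pair that hits at least `min_distinct_ports`
    distinct destination ports within any `window_seconds` sliding window.

    The alert is created when the threshold is first crossed and then kept up to
    date while further events arrive inside the same window, so the returned
    figures describe the whole burst, not just the moment of detection."""
    events = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport, action) in window
    alerts = {}
    for e in events:
        key = (e["src"], e["dst"])
        q = recent[key]
        q.append((e["ts"], e["dport"], e["action"]))
        # Evict events that have fallen out of the sliding window.
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p, _ in q}
        if len(ports) >= min_distinct_ports:
            alerts[key] = {
                "src": e["src"],
                "dst": e["dst"],
                "distinct_ports": len(ports),
                "sorted_ports": sorted(ports),
                "first_seen": q[0][0].isoformat(),
                "last_seen": e["ts"].isoformat(),
                "dropped": sum(1 for _, _, a in q if a == "DROP"),
                "total": len(q),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_port_scans(parse_lines(SAMPLE_LOG)):
        print(f"{alert['src']} -> {alert['dst']}: {alert['distinct_ports']} distinct ports "
              f"({alert['dropped']}/{alert['total']} dropped) between "
              f"{alert['first_seen']} and {alert['last_seen']}: {alert['sorted_ports']}")
```

Run against the constructed log, the source 203.0.113.5 is reported once (12 distinct ports in a four-second burst, 11 of 12 packets dropped), while the two hosts that only contact ports 80 and 443 stay below the threshold. The heuristic keys on source and destination rather than on any scanner signature, which matters for the point the article makes: whether the probes came from a commercial product, a free tool or a hand-written script, the firewall still records each SYN. Tune the window and port threshold to your environment, since a busy public server sees legitimate clients open many connections to a handful of ports, and a slow scan spread over hours will need a longer window or a per-day distinct-port count.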
About the Author
Greg Saoutine, MCSE, is an IT Consultant working in New York City.