August 2005
Vulnerability Assessment Technology Report
Rapid7 – NeXpose
Contents

Test Specifications 3
Vulnerabilities 5
The Product 6
Test Report 8
Test Results 14
West Coast Labs Conclusion 15
Security Features Buyers Guide 16
Appendix 17

West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel: +44 1792 324000, Fax: +44 1792 324001. www.westcoastlabs.org
Test Specifications

The aim of this Technology Report is to evaluate solutions in the field of Vulnerability Assessment.

Test Environment

Participants in the technology report were invited to provide a vulnerability assessment of a heterogeneous network, together with proposals and recommendations for remediation.

The network set up by West Coast Labs for evaluation of solutions comprised 24 distinct hosts, including routers, managed switches, network servers and client machines.

Web applications were installed on relevant servers. A variety of Operating Systems were used on the network, on different hardware platforms. A small number of virtual hosts were included.

In building the network, some of the servers were installed with default settings. Various levels of patching were applied. In addition a number of common misconfigurations were made in setting up the servers, and in deploying particular services.

Every host on the test network was imaged, and restored to its start state before each round of testing for individual solutions.

The test network was protected by a router. ACLs were set on the router to restrict access to the test network from IP addresses specified by the participating vendor, if appropriate. Where the solution under test was an appliance or software solution then the router was configured to block all access from the internet for the period of test.

The test network was available to each solution for 2 days. The final report, containing the results of the Vulnerability Assessment and any recommendations, is addressed in the Test Results that follow.

Appliances were provided to WCL in the default shipping state. WCL engineers configured appliances in accordance with documentation provided. Vendors of software solutions stated the desired specification and OS of the hardware on which the software was to be installed. WCL engineers installed and configured software in accordance with documentation provided.

All participating solutions were provided together with the documentation supplied to a normal user.
WCL evaluation of the Vulnerability Assessment Report

Vulnerabilities on the target network were classified under 4 headings:

● Critical vulnerabilities – those that allow an attacker with minimal knowledge or skill to compromise the integrity of the network. This may include gaining control of a server or network device, gaining illegitimate access to network resources or disrupting normal network operations.
● Severe vulnerabilities – those that allow illegitimate access to, or control over, network resources, but that require considerable knowledge or skill on the part of the attacker.
● Non-critical vulnerabilities – those that allow attackers to gain access to specific information stored on the network, including security settings. This could result in potential misuse of network resources. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on hosts, directory browsing, disclosure of filtering rules and security mechanisms.
● Information leaks – these allow attackers to collect sensitive information about the network and the hosts (open ports, services, precise version of software installed etc.)

Each report was assessed on:

● The ease of deployment of the solution
● The number of vulnerabilities correctly identified in each class
● The completeness of the report, including identification of any network changes made
● The clarity of presentation of the findings
● The clarity of advice on remediation

WCL also comments on the level of technical knowledge required to understand and act on the information contained in the final report.

Participants in the Technology Report will be eligible for the Checkmark certification for Vulnerability Assessment.

In order to achieve the Standard Checkmark Certification, the candidate solution must identify at a minimum 100% of the Critical Vulnerabilities and 75% of the Serious Vulnerabilities. However, those developers identifying 100% of the Critical Vulnerabilities and a minimum 90% of the Serious Vulnerabilities will be awarded the Premium Checkmark Certification for Vulnerability Assessment.

All solutions must also provide accurate advice on mitigating the risks posed by the vulnerabilities.
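The certification rule above can be made concrete with a small scoring script. This is an added example written for this page, not West Coast Labs' scoring tool and not part of the NeXpose product: the hosts, finding names and scanner output are constructed, and it assumes that the "Serious" class named in the certification thresholds is the Severe class from the classification list.

```python
"""Worked example of the Checkmark scoring rule (added example, constructed data).

Ground truth is a set of (host, finding) pairs per severity class; the scanner
output is the set of (host, finding) pairs it reported. Per-class detection
rate is recall within that class; certification follows the stated thresholds.
"""
from __future__ import annotations

# Severity classes used by the test specification.
CLASSES = ("Critical", "Severe", "Non-critical", "Information leak")

# Constructed ground truth: hosts and finding names are illustrative only and
# do not describe the WCL test network.
GROUND_TRUTH: dict[str, set[tuple[str, str]]] = {
    "Critical": {
        ("192.0.2.10", "mssql-blank-sa-password"),
        ("192.0.2.12", "ftp-anonymous-write"),
        ("192.0.2.30", "router-default-credentials"),
    },
    "Severe": {
        ("192.0.2.10", "vnc-unencrypted"),
        ("192.0.2.11", "smb-open-share"),
        ("192.0.2.20", "apache-outdated"),
        ("192.0.2.21", "smtp-open-relay"),
    },
    "Non-critical": {
        ("192.0.2.20", "directory-listing"),
    },
    "Information leak": {
        ("192.0.2.13", "dns-zone-transfer"),
        ("192.0.2.40", "printer-telnet-banner"),
    },
}

# Constructed scanner output: misses one Severe and one Information-leak
# finding, and reports one finding that is not on the network (a false positive).
REPORTED: set[tuple[str, str]] = {
    ("192.0.2.10", "mssql-blank-sa-password"),
    ("192.0.2.12", "ftp-anonymous-write"),
    ("192.0.2.30", "router-default-credentials"),
    ("192.0.2.10", "vnc-unencrypted"),
    ("192.0.2.11", "smb-open-share"),
    ("192.0.2.20", "apache-outdated"),
    ("192.0.2.20", "directory-listing"),
    ("192.0.2.13", "dns-zone-transfer"),
    ("192.0.2.99", "telnet-open"),
}


def detection_rates(truth, reported):
    """Fraction of known findings in each class that the scanner reported.

    A class with no known findings has no defined rate and yields None rather
    than a misleading 100%.
    """
    rates = {}
    for cls in CLASSES:
        known = truth.get(cls, set())
        rates[cls] = None if not known else len(known & reported) / len(known)
    return rates


def false_positives(truth, reported):
    """Reported findings that appear in no class of the ground truth."""
    all_known = set().union(*truth.values()) if truth else set()
    return sorted(reported - all_known)


def checkmark_level(rates):
    """Apply the thresholds from the test specification.

    Standard: 100% of Critical and at least 75% of Serious (assumed here to be
    the Severe class). Premium: 100% of Critical and at least 90% of Serious.
    Returns "Premium", "Standard" or "None"; an undefined rate never certifies.
    """
    critical, severe = rates.get("Critical"), rates.get("Severe")
    if critical is None or severe is None or critical < 1.0:
        return "None"
    if severe >= 0.90:
        return "Premium"
    if severe >= 0.75:
        return "Standard"
    return "None"


if __name__ == "__main__":
    rates = detection_rates(GROUND_TRUTH, REPORTED)
    for cls in CLASSES:
        shown = "n/a" if rates[cls] is None else f"{rates[cls]:.0%}"
        print(f"{cls:17s} {shown}")
    print("false positives:", false_positives(GROUND_TRUTH, REPORTED))
    print("certification:", checkmark_level(rates))
```

With the constructed data the scanner finds every Critical item but only three of four Severe items, which is exactly the Standard threshold; the false-positive count is reported separately because the certification rule as stated does not penalise it, yet it is the figure an operator will spend time chasing.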
Vulnerabilities

So that the test network would mirror that found in many businesses, a variety of operating systems, on different hardware platforms, were included. A Windows domain was set up with three servers and a mix of workstations running Windows XP and Windows 2000 Professional. Some Sun servers running Solaris 2.8 provided web services and file storage; assorted Linux boxes running Mandrake and RedHat distributions, and a Mac completed the mix.

Some of the servers were installed with default settings and varying levels of patching were applied: some hosts were patched fully up to date while others had been left out of the process. Also, a number of common misconfigurations were made in setting up servers, and deploying particular services. For example, Windows servers were configured with open network shares, ftp servers with anonymous write access, and smtp servers configured as open proxies. These are configuration errors that can have profound effects on network security but can easily be implemented by a hard-pressed administrator as a “temporary” quick fix to a connectivity problem.

On the Windows 2000 PDC we installed TightVNC as a service without tunnelling through SSH, SQL Server with a blank SA password, Active Directory, and IIS 5.0 with the demo applications. The BDC had Exchange 2000 and Active Directory installed. DNS was provided by the remaining Windows 2003 server. DNS was configured to allow zone transfers. In addition, IIS 5.0 was installed with demo applications, and a vulnerable web application that was specially crafted in-house.

The server was also running Unreal Tournament GOTY edition (version 436) along with the UT web interface running on an unusual high port. There were user shares available on the wwwroot and ftproot directories and a world-writable FTP server. One of the Sun Blade servers had a Virtual Learning Environment (VLE) installed. The VLE had a default admin username and password as well as being installed with an old and vulnerable version of Apache. Vulnerabilities included SSH access, Apache installations, Samba and a writable FTP directory.

Each of the “user” workstations was patched to a different level using official Microsoft Service Packs, historical patches and Windows Update. These machines then had different applications installed, ranging from the Unreal Tournament client and TightVNC through to IIS 5.0 and remote admin. Some machines were included in the Windows Domain. Back Orifice was installed on one machine on a high port.

An HP printer was added with default settings and open to administrative access via telnet and HTTP, a Cisco router configured with default settings, default username/password and open web admin tool, and an Apple Mac Power G3 running OS 8.6. Where changes were made to the default settings on any of these devices, passwords were set to be blank or easily guessable.

Our test network thus consisted of a series of machines with differing hardware specifications, operating systems, patch levels, and software installations, and multiple vulnerabilities. All machines were returned to a known start configuration before the commencement of each round of tests.
The Product

Rapid7 have developed NeXpose as an enterprise-level vulnerability assessment and risk management product that has been designed to accurately identify security weaknesses in a networked environment, helping security personnel more easily find and fix security weaknesses while ensuring policy and regulatory compliance.

Rapid7 say that the product delivers advanced, automated features and artificial intelligence technology in one software package to enable non-stop, flexible protection from network security threats.

As one component of an overall security plan, Rapid7 claim that NeXpose can help find the weakest link in a network, showing where firewalls, routers, and clients may have left the door open for unwanted access.

Rapid7 says… about the product.

NeXpose provides enterprise-level vulnerability assessment and risk management to IT and security professionals concerned with the security and exposure of their company’s software and applications to internal and external intruders.

http://www.rapid7.com/nexpose-vulnerability-assessment.htm

Rapid7 says… about the NeXpose Business Benefits.

NeXpose is a sophisticated enterprise vulnerability management solution designed to eliminate false positives and provide faster and more accurate reporting across the entire enterprise network. NeXpose combines vulnerability assessment, risk management, policy and compliance reporting, remediation guidance, artificial intelligence and automated ticketing into one integrated software package, enabling non-stop, flexible protection from network security threats.

NeXpose reduces the time, risk and cost associated with finding and fixing security vulnerabilities; helps organizations assess and maintain strong network security and comply with mandatory regulations; and ensures that all of your systems, databases and applications are secured without the cost of multiple products.

www.rapid7.com/nexpose-advantage.htm

Rapid7 says… about the NeXpose Technical Benefits.

NeXpose is a secure and flexible solution that scales from one to millions of nodes. Its unique scan engine uses a built in expert system that gathers intelligence about your systems to determine the risk assessment more accurately and quickly, virtually eliminating false positives. A single console image with distributed scanning can scan your network from inside and outside the firewall.

NeXpose audits operating systems, databases, applications and Web servers from a single product. NeXpose, available as a software product or hardware appliance, runs on Linux and Windows platforms and self manages internal database, program and vulnerability library updates.

www.rapid7.com/nexpose-architecture.htm
Test Report

Rapid7’s NeXpose can be installed on a Windows 2000 or 2003 Server box (although not Windows XP) or various Linux distributions.

The minimum specifications for both the system requirements and for running the scan engine are surprisingly low, so one of the old machines that many companies have lying around could be put to good use rather than just scrapped.

Of course, the faster the machine that NeXpose runs on the quicker the scans may be completed, but if speed is not an issue then it is good to know that older machines will not go to waste.

For testing purposes we installed the Rapid7 solution on a Windows 2003 Server platform running on a Dell PowerEdge 1750 with a single 3.06GHz Intel processor and 1.0 Gb of RAM in a 1U rackmount configuration.

Installation

The Installation and Quick Start guide that is available from the Rapid7 website walks the user through the set up for both Windows and Linux, obtaining a license, and running the first scans.

Installation is straightforward and well documented for both Windows and Linux, with the need to be logged in as an administrator or root account clearly stated.

The prerequisite packages that are needed for some distributions of Linux are also detailed, and Rapid7 provide copies of these packages for download from their own website. This ensures that the user knows they are getting the correct version. The Linux installation routine uses InstallShield in an X environment or can be performed in a console window. Windows uses a standardised Setup.exe file to install the components.

Licensing is dealt with via a call-response type system, and is detailed both for systems that have external internet access and for those that do not. The procedure needs a valid email address, and once a license request has been made, a license file is sent via email to the specified address.

This file should then be placed in a subdirectory of the installation as specified in the manual, and the service has to be restarted. This is a rather nice way of dealing with the licensing without having to type in a forty character serial number, and we found it to be both easy and quick.
The Security Console

The service itself appears to run as a “Security Console” – on our test Windows environment it ran in a command prompt window.

There is a link to this from a desktop icon, and instructions on how to set the service up to run at system boot, which we elected to do. Corresponding instructions for starting the service and creating a daemon on Linux are also detailed and comprehensive.

It is possible to enter various commands in this window, however these are more System Administrator type tasks rather than setting up and running scans.

There are various directives that can be executed here including log rotation, licensing, update of the definitions, showing the currently active scans, the version number of the scan engine and the usual ping and traceroute networking troubleshooter tools.

The Main Scan Interface

Once the Security Console has started it is possible to access the main interface to the scan engine, and this is web delivered. The web service runs over HTTPS on a dedicated port that is set to 3780 by default.

The Installation and Quick Start guide details where this port needs to be changed in case there are conflicts with services already running on that port, and notes that the port used to access the service needs to be changed accordingly.

The Web Management Interface (WMI) is aesthetically pleasing – it is attractive and clean, with lots of space given over to making sure that the controls, options and data are not crushed together. The use of only a few colours works in the WMI’s favour, and it is encouraging to see that work has gone into making sure that the differences can be easily identified inside lists by the use of alternate white and pale grey backgrounds for each line.

After logging in to the WMI for the first time using the ID and password specified during the set up, the user is greeted with an entry page with a menu across the top, and a summation of Sites, Tickets, and Asset Groups. Also included is a search facility, a list of Hot Spots which details those machines that figure highest in the at-risk list, and a list of current scan activities.
It should be noted that the online help that can be called at any stage from within the WMI is detailed and focussed, explaining terms and procedures in simple and clear to understand language so that if a user gets stuck there is always a reference that can be called upon to assist.

The search facility can be used to search through affected sites for particular vulnerabilities, and then lists all vulnerabilities in the database that match the search string with the affected OS, Severity rating, Category of vulnerability and number of devices affected.

Finally there is a menu option for Administration of the system – this allows extra users to be given access to the NeXpose interface, some Server Settings to be altered via the interface rather than the Security Console, and some diagnostics to be performed to gather troubleshooting information and send the logs to the Rapid7 technical support team.

There is also a rather practical option that allows Groups of Devices to be set up and altered along with accompanying permissions of users who are allowed to perform scans upon them. This is good for enforcing restrictions on network wide scanning if the system administrator needs to open up the interface to other users.

Scanning

In order to start a scan, the user can follow a wizard process to define either a Site or an Asset Group by name and devices, decide which scan template to use or define a proprietary scan, schedule a time for the scan, and configure any real time alerting. It is then possible to start the scan immediately if required.

The set up and creation of a basic scan is a very uncomplicated process - we were able to get a common ports and vulnerabilities scan running over our entire network in just a few seconds. More complex scans with our own templates took slightly longer as we defined the parameters that were to be used, but these still only took a couple of minutes to create. It is also possible to set up scanning to be performed by a Rapid7 hosted scan engine, although we did not try this feature.
The scan set up is trivial – the user enters a name for the site or asset group, decides whether to use the internal scanning engine or the aforementioned Rapid7 hosted engine, and enters a risk multiplier – we used a multiplier of 1 for all scans. It is then possible to add the devices either by IP address or DNS name, by IP address range or in a freeform list of addresses and ranges. It is also possible to upload a text file containing this data.

The next section allows a user to choose from a range of supplied scan templates or create one for themselves. After this, the schedule options appear and it is possible to set a scan to run at set intervals defined either by time or date. Finally, real time notifications can be enabled using SMTP, SNMP or a syslog server.

When all these options have been specified it is possible to create a site report or run the scan straight away - this is useful for setting up quick ad hoc liability tests against particular hosts.

Creating a proprietary template for use in a scan consists of defining a template name and description, specifying whether a firewall exists and if so whether it blocks certain types of traffic, port selection for both TCP and UDP with several default options as well as being able to define a custom list, the TCP port scan method, checks for default logins, and adding extra user specified login/password combinations to be tested.

These can be restricted by device, so that known Windows accounts are not tested against Solaris for example. The next step is to define an account lockout threshold and minimum password length.

Following this, it is possible to set the number of concurrent scans to run and the inter-packet delay time, enable or disable the network discovery and penetration components, enable or disable Denial of Service attacks, include dynamic web site checks and limit the level of spidering available, and finally set up an external email address to attempt Spam tests.

Reporting

During the running of a scan, it is possible to see a scan summary that refreshes every ten seconds, and this gives an estimated time of completion. Once a scan has been completed, a brief summary of the results is displayed and it is possible to then look at the vulnerabilities that have been discovered.

The reports created by the system are available online within the WMI or for offline perusal in several formats including XML, HTML, .CSV, .PDF, plain text, and as an export to a database. We used the online reports and offline HTML format for ease of use and comparison.

It is possible once a scan has completed to create a report for offline study immediately or leave the results and come back to them at a later date. The process is very simple - it involves going into the reporting screen, choosing a set of results from a list of scans by the name that has been previously defined in the initial set up, and clicking the Generate Now button.
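Returning to the scope entry step of the site set-up described above (single addresses, DNS names, address ranges, a freeform list, or an uploaded text file): this is the point where a typo can quietly put a production host into a scan, or leave a test host out of it. The parser below is an added example, not code from the report or from NeXpose. It expands ranges and CIDR blocks, collapses duplicates, rejects entries it cannot interpret, and caps the expanded size; the sample list, the "#" comment syntax and the default cap are assumptions of this example.

```python
"""Freeform scan-scope parser (added example, not NeXpose code).

Accepts entries separated by newlines or commas: single IP addresses, CIDR
blocks, ranges written "first-last", and DNS names. Address entries are
expanded lazily to individual hosts, duplicates are collapsed, anything that
cannot be interpreted raises ValueError, and the expanded scope is capped so a
mistyped prefix length cannot silently turn a lab scan into a scan of a /8.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterator

# Constructed sample scope in the spirit of the site set-up step; documentation
# addresses only, not the WCL test network.
SAMPLE_SCOPE = """
# Windows domain members (constructed sample)
192.0.2.10, 192.0.2.11
# workstation range and a small server block
192.0.2.20-192.0.2.23
198.51.100.0/30
dc1.lab.example
192.0.2.10        # repeated entry, collapsed by the parser
"""

# RFC 1123 style host name: labels of letters, digits and hyphens, 253 chars max.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def _expand_entry(entry: str) -> Iterator[str]:
    """Yield the hosts named by one scope entry, or raise ValueError."""
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)  # ValueError if malformed
        if net.num_addresses <= 2:
            yield from (str(a) for a in net)             # /31, /32 (and IPv6 /127, /128)
        else:
            yield from (str(h) for h in net.hosts())     # skip network and broadcast
        return
    if "-" in entry:
        first, _, last = entry.partition("-")
        try:
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        except ValueError:
            lo = hi = None                               # not a range; maybe a host name
        if lo is not None:
            if lo.version != hi.version or hi < lo:
                raise ValueError(f"bad address range: {entry!r}")
            for n in range(int(lo), int(hi) + 1):
                yield str(type(lo)(n))                   # keep the address family
            return
    try:
        yield str(ipaddress.ip_address(entry))
        return
    except ValueError:
        pass
    # Host name; an all-numeric last label (a malformed IPv4 literal such as
    # 192.0.2.300 would otherwise pass the name pattern) is rejected.
    if _HOSTNAME_RE.match(entry) and not entry.rsplit(".", 1)[-1].isdigit():
        yield entry.lower()
        return
    raise ValueError(f"unrecognised scope entry: {entry!r}")


def parse_scope(text: str, max_hosts: int = 65536) -> list[str]:
    """Parse a freeform scope list into an ordered, de-duplicated host list."""
    seen: dict[str, None] = {}                           # dict keeps insertion order
    for raw_line in text.splitlines():
        line = raw_line.split("#", 1)[0]                 # strip trailing comments
        for entry in (e.strip() for e in line.split(",")):
            if not entry:
                continue
            for host in _expand_entry(entry):
                seen.setdefault(host, None)
                if len(seen) > max_hosts:
                    raise ValueError(f"scope expands to more than {max_hosts} hosts")
    return list(seen)


if __name__ == "__main__":
    for host in parse_scope(SAMPLE_SCOPE):
        print(host)
```

Expansion is lazy so the size cap is hit after a few thousand addresses rather than after materialising sixteen million; an invalid entry anywhere aborts the whole list rather than scanning the subset that happened to parse, which is the behaviour a change-controlled scan scope needs.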
There is also the ability within the reporting screen to view previously generated reports. It is also possible to specify one of the several differing end formats using the Create Report option. Once the report has been generated it can be shown on screen if in a suitable format, or downloaded to a local directory. Reports are also stored in a subdirectory of the Rapid7 install directory.

The online reports are like the rest of the system – elegant, well presented, and clean. The main screen presents a list of discovered IP addresses ordered by a Current Risk score.

This list also includes a DNS name, an Operating System guess as well as the network aliases for any device and the number of vulnerabilities detected.

Further details are available by clicking on any of the links by IP address that appear. This then gives a further list of liabilities by IP address, with accompanying resolutions upon a further click on the relevant link.

This ability to drill down through the data in the online reports by IP address to view the current vulnerabilities grouped by severity into Critical, Severe, Moderate or Warnings gives easy navigation to the necessary detail. Those vulnerabilities that occur in the SANS Top 20 list are marked clearly with a small SANS logo so that they are easy to pick out and resolve.

There are several other sections contained here including Discovered Services – this is a list of open ports, service name, and protocols. Discovered Users and Groups presents a list of users with accounts on the device – this is useful for auditing purposes as well as spotting if there are users getting access that they are not entitled to.

Other sections include Installed Software, Discovered Databases, Discovered Files and Directories which lists any open shares, Policy Evaluations, and results from Spidered Web Sites.

Clicking through each of the vulnerabilities gives a separate description with an explanation of what the problem is and remediation suggestions. Wherever possible, the developers have included links to external Web content. This is a welcome addition and can provide valuable background reading on topics of which an Administrator is unsure.

The offline reports are to a certain extent more static and, by their very nature, less interactive.
Both the offline HTML and the PDF reports start with an executive summary at the top that gives an overview of the parameters along with a series of coloured bar charts for various groups of statistics including Vulnerabilities by Severity, Nodes by Vulnerability Severity, Most Prevalent Services and Vulnerabilities by Service.

There is also a brief textual overview of some of the most relevant statistics - for example, the most prevalent service, how many hosts had critical vulnerabilities, how many vulnerabilities occur in each category, and which service had the most vulnerabilities overall.

Ticketing

Although we did not test this functionality within the scope of this assessment, NeXpose has the ability to assign and resolve issues using a ticketing system. There is a rather nice option to interface NeXpose with a third party solution for ticketing such as BMC’s Remedy using the Ticketing API upon purchase of a separate plug in module.
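The per-host risk ordering and severity grouping of the online reports, and the executive-summary statistics of the offline reports, can both be derived from a flat export of findings. The script below is an added example rather than code from the report or from Rapid7: the CSV column layout, the severity weights behind the risk score (the report does not publish NeXpose's formula) and the findings themselves are constructed for illustration, and the risk multiplier mirrors the per-site setting mentioned in the scan set-up.

```python
"""Risk ordering and executive-summary statistics from a finding export.

Added example, not NeXpose code. The report says the online view orders hosts
by a Current Risk score and groups findings by severity, and that the offline
executive summary charts vulnerabilities by severity, nodes by severity, most
prevalent services and vulnerabilities by service; this derives the same views
from a constructed CSV export with an assumed column layout.
"""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict

SEVERITIES = ("Critical", "Severe", "Moderate", "Warning")

# Assumed weights; the report does not publish the product's risk formula.
SEVERITY_WEIGHT = {"Critical": 10, "Severe": 5, "Moderate": 2, "Warning": 1}

# Constructed export (documentation addresses, illustrative findings).
SAMPLE_EXPORT = """\
host,os,port,service,finding,severity
192.0.2.10,Windows 2000,1433,mssql,blank-sa-password,Critical
192.0.2.10,Windows 2000,5900,vnc,unencrypted-vnc,Severe
192.0.2.10,Windows 2000,80,http,iis-sample-applications,Moderate
192.0.2.11,Windows 2000,445,smb,open-share,Severe
192.0.2.11,Windows 2000,139,smb,null-session,Warning
192.0.2.13,Windows 2003,53,dns,zone-transfer-allowed,Moderate
192.0.2.20,Solaris 2.8,80,http,outdated-apache,Severe
192.0.2.20,Solaris 2.8,22,ssh,old-ssh-version,Warning
192.0.2.30,Unknown OS,23,telnet,default-credentials,Critical
"""


def load_findings(text: str) -> list[dict[str, str]]:
    """Parse the export; an unknown severity is rejected rather than guessed."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["severity"] not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {row['severity']!r} on {row['host']}")
    return rows


def hosts_by_risk(findings, risk_multiplier: float = 1.0):
    """Rank hosts by weighted finding count, as the online main screen does.

    Returns (host, risk, os_guess, {severity: count}) tuples, highest risk
    first, ties broken by host string so the ordering is deterministic.
    """
    risk: dict[str, float] = defaultdict(float)
    counts: dict[str, Counter] = defaultdict(Counter)
    os_guess: dict[str, str] = {}
    for f in findings:
        risk[f["host"]] += SEVERITY_WEIGHT[f["severity"]] * risk_multiplier
        counts[f["host"]][f["severity"]] += 1
        os_guess[f["host"]] = f["os"]
    ranked = [(h, risk[h], os_guess[h], dict(counts[h])) for h in risk]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def executive_summary(findings) -> dict:
    """The offline report's headline statistics, from the same export."""
    by_severity = Counter(f["severity"] for f in findings)
    service_hosts: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        service_hosts[f["service"]].add(f["host"])      # Discovered Services, per host
    by_service = Counter(f["service"] for f in findings)
    prevalent = sorted(((s, len(h)) for s, h in service_hosts.items()),
                       key=lambda x: (-x[1], x[0]))
    most_vulnerable = sorted(by_service.items(), key=lambda x: (-x[1], x[0]))
    return {
        "vulnerabilities_by_severity": {s: by_severity[s] for s in SEVERITIES},
        "nodes_by_severity": {
            s: len({f["host"] for f in findings if f["severity"] == s}) for s in SEVERITIES
        },
        "most_prevalent_services": prevalent,
        "vulnerabilities_by_service": dict(by_service),
        "hosts_with_critical": len({f["host"] for f in findings if f["severity"] == "Critical"}),
        "most_vulnerable_service": most_vulnerable[0][0] if most_vulnerable else None,
    }


if __name__ == "__main__":
    findings = load_findings(SAMPLE_EXPORT)
    for host, score, os_name, per_sev in hosts_by_risk(findings):
        print(f"{host:14s} risk={score:5.1f} os={os_name:13s} {per_sev}")
    for key, value in executive_summary(findings).items():
        print(f"{key}: {value}")
```

Ordering by a weighted score rather than by raw finding count is what puts the host with one Critical item above a host with two Warnings; the multiplier scales every host in a site uniformly, so it changes cross-site comparisons but not the order within a site.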
Test Results

The online reports are very easy to use and the data is easily accessible in a number of different ways and via a number of different routes. This makes them the ideal accompaniment to hands on problem solving on a test network.

The offline reports offer a different method of looking at the results - all the data that is present in the online version is also available here, although the interactive element is somewhat reduced. Whilst the PDF version splits each of the sections into separate chapters in the overall document, which gives an extra level of control over the data that is displayed at any one time, the HTML is presented as just one single static document.

Of some slight concern was the identification of two separate Windows 2000 devices as Linux 1.3 distributions. It should be noted that the resolutions for any vulnerabilities on these systems, however, did relate to the correct OS. This seemed to occur whenever a full port scan took place; the devices were not consistently wrongly detected using other scan configurations.

Both the HP 4050TN printer and the Apple Power Macintosh G3 using OS 8.6 that were in our test network were picked up as active devices, although no guess was made at the OS version – looking at those particular results came back with an “Unknown OS” message, although the results still listed open ports, services, and mitigation advice.

The results are ordered by severity in the offline version and cannot be ordered by IP address, although each severity has a list of which nodes are affected. However, we suspect that the offline reports are really intended for printed copy audit reasons, and that the intention is for the day-to-day usage of the system to be concentrated on the interface itself, so this is really only a minor irritation.

NeXpose successfully detected 100% of the Critical vulnerabilities and over 90% of the Serious vulnerabilities on the West Coast Labs test network. NeXpose has been awarded the Premium Checkmark Certification for Vulnerability Assessment.
West Coast Labs Conclusion

Overall the Rapid7 solution has a smart, attractive, and inherently usable interface and a solid, dependable engine.

The scan set up is straightforward and quick, with only minimal specification and configuration needed to run scans straight out of the box.

As such, NeXpose can be recommended as a solution that makes major steps towards making a network more secure.
Security Features Guide

As stated by Rapid7

1. Centralized web console interface
2. Multiple distributed scan engines reporting to centralized console
3. Organize assets into physical and/or logical groupings
4. Access to asset groupings via access control
5. Real time alerting
6. Policy and compliance scanning
7. Application vulnerability scanning
8. Wide range of built in scan templates
9. Extensive built in reporting capabilities
10. Customizable reports
11. Customizable scan templates
12. Full audit and/or incremental scanning
13. Automated ticketing and remediation workflow
14. Extensive library of vulnerabilities with references and remediation information
15. Built in Expert System to target and optimize vulnerability scanning
16. Automatic updates to vulnerability library and software
17. Data export in multiple formats
18. Reports available in HTML, PDF, XML format
19. Ability to create custom vulnerabilities in XML
20. Application API for customized integration
21. Secure user model to distribute responsibilities throughout the organization
22. Scan engines can scan from inside and outside the firewall
23. Software only or appliance
24. Runs on Windows and Linux platforms
25. Scans a broad set of platforms, devices, applications, Web servers
Appendix

Vulnerability Assessment Premium Level Certification

Within the framework of the testing carried out in this Technology Report, those developers identifying 100% of the Critical Vulnerabilities and a minimum 90% of the Serious Vulnerabilities are awarded the Premium Checkmark Certification for Vulnerability Assessment.

http://westcoastlabs.org/cm-briefingdocs.asp