RE: Medium Scale Scanning Best Practices

From: Aleksander P. Czarnowski (alekcat_private)
Date: Wed Jan 16 2002 - 02:20:20 PST


You should consider at least two different types of network scanning. The first type would be to scan your whole IP address range to identify all hosts. While it is very time consuming, you should consider scanning all TCP and UDP ports. To aid system detection you can use the nmap -O option (it can also be very time consuming, so in some cases it is wise to run two instances of nmap: one for the TCP/UDP port scan and the other for OS detection). You can also look at tools like X and siphon for OS detection. Siphon is very fast, as it is based on passive OS fingerprinting.
    
The results of a full scan will provide you with several valuable pieces of information. Consider this: some services might not be listening on typical ports. Scanning the whole port range can provide you with such information. If you find some strange ports open, you can try to connect to them using tools like netcat to verify your scanning results. This process will allow you to enumerate hosts, services and server versions. After enumeration you can use nmap again (even on a daily basis) to perform quick scans for vulnerable services. As in the previous post on this subject: you could also implement the Nessus scanner and an IDS based on Snort. For IIS, it is a wise idea to use the IISLockDown tool and URLScan to protect the IIS web server. The IIS FTP server can be quite secure (as FTP servers go) as long as Inetpub is on a separate NTFS partition with properly set up ACLs. It is also very important to properly configure the authentication options for IIS services. You should also consider turning on logging for IIS services.
    
Tools like Snort allow you to detect new attacks. If you see a lot of HTTP requests with strange parameters, it could be an indication of an attack. One of the Snort rules detects packets containing the Intel NOP instruction. NOP is used in many buffer overflows, so seeing a lot of those packets could also be a tip-off for you.
    
If you consider using free, open-source tools, I would use nmap+nessus+netcat+snort (Nessus can integrate with nmap as well as SARA, but I would say that SARA is better suited for Unix networks). For Windows networks I would also use Winfingerprint to scan for network shares, etc. You can also use hfnetchk from Microsoft (it's not open-source, but it is free and quite useful).
    
Hope this helps.
Best Regards,
Aleksander Czarnowski
AVET INS
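As an added example (not part of Aleksander's post), the script below parses nmap grepable output (-oG) from the full baseline scan and a later quick scan, reports ports that are newly open, and lists open ports that nmap could not name, which are the "strange ports" the post suggests verifying by hand with netcat. The scan lines, hostnames and 192.0.2.x addresses are constructed sample data.

```python
# Added example, not from the original post: diff nmap -oG output against a baseline.
# Constructed sample: baseline from a full TCP and UDP port scan (nmap -oG).
BASELINE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (web.example)\tStatus: Up
Host: 192.0.2.10 (web.example)\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, 80/open/tcp//http//IIS 5.0/\tIgnored State: closed (131068)
Host: 192.0.2.11 (db.example)\tPorts: 1433/open/tcp//ms-sql-s///\tIgnored State: filtered (131069)
"""

# Constructed sample: a later quick scan of the same range.
DAILY = """\
Host: 192.0.2.10 (web.example)\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, 80/open/tcp//http//IIS 5.0/, 31337/open/tcp/////\tIgnored State: closed (997)
Host: 192.0.2.11 (db.example)\tPorts: 1433/open/tcp//ms-sql-s///, 53/open/udp//domain///\tIgnored State: filtered (998)
Host: 192.0.2.12 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
"""

def parse_grepable(text):
    """Return {ip: {(port, proto): service}} for every port nmap reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' comment lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        open_ports = hosts.setdefault(ip, {})  # a Status-only line still registers the host
        for entry in fields.get("Ports", "").split(", "):
            # -oG port entry layout: port/state/proto/owner/service/rpc info/version/
            parts = entry.split("/")
            if len(parts) >= 5 and parts[1] == "open":
                open_ports[(int(parts[0]), parts[2])] = parts[4]
    return hosts

def new_open_ports(baseline, current):
    """Open ports in the current scan that the baseline lacked (new hosts count whole)."""
    changes = {}
    for ip, ports in current.items():
        added = set(ports) - set(baseline.get(ip, {}))
        if added:
            changes[ip] = added
    return changes

def unidentified_ports(hosts):
    """Open ports nmap gave no service name: the 'strange ports' worth checking by hand."""
    return {ip: {p for p, svc in ports.items() if not svc}
            for ip, ports in hosts.items() if any(not svc for svc in ports.values())}

if __name__ == "__main__":
    base, today = parse_grepable(BASELINE), parse_grepable(DAILY)
    print(new_open_ports(base, today), unidentified_ports(today))
```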
    
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/