RE: Vulnerability analysis tools
Actually, in most scenarios I've seen the DB server is behind the firewall on the trusted side, and the web server is in the DMZ. This has three benefits:

1) There is no direct access to the DB server from the Internet; all access is really through the web server, which queries the DB server.
2) You only need to open the DB ports between the web server and the DB server. If the DB server were on the DMZ and the web server was compromised, there's the potential to jump over to the DB server easily.
3) Trusted users that need to access the DB server on the programming level don't need to go through the firewall.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com <http://www.ccgsecurity.com>
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

> -----Original Message-----
> From: Aaron C. Newman (Application Security, Inc.) [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 24, 2002 1:31 PM
> To: Mario Behring; [EMAIL PROTECTED]
> Subject: RE: Vulnerability analysis tools
>
> Mario,
>
> > - Should I create a DMZ and put this DB server there ?
>
> Definitely you want your Oracle database behind a firewall. Even Oracle will tell you the database is not meant to be exposed to the internet directly. Lots of pretty simple DoS attacks if you aren't totally patched, and even more serious attacks exist in the external procedure server, listener, and database instance.
>
> From the database perspective, you can download a free evaluation of AppDetective for Oracle from www.oraclesecurity.net. It does pen testing and VA against an Oracle database. Takes both an inside-out (security from valid user perspective) and outside-in approach (security from unauthorized attacker perspective).
>
> Regards,
> Aaron
>
> Aaron C. Newman
> CTO/Founder
> Application Security, Inc.
> Tel: 212-490-6022
> Fax: 212-490-6456
> E-mail: [EMAIL PROTECTED]
> Web: http://www.appsecinc.com
> - Protection Where it Counts -
>
> -----Original Message-----
> From: Mario Behring [mailto:[EMAIL PROTECTED]]
> Sent: 22 January 2002 07:52
> To: [EMAIL PROTECTED]
> Subject: Vulnerability analysis tools
>
> Hi list,
>
> Does anybody know some good tool for testing a small environment for vulnerabilities ?
>
> I have the following scenario:
>
> 1- A web server hosted at an IDC (Internet Data Center)
> 2- A router connected to the IDC via a link (T1 or something)
> 3- One Microsoft ISA Server running as a firewall with 2 NICs, one connected to the router described in item 2 and the other connected to the internal network.
> 4- A database server - Oracle running on Windows 2000 Server in the internal network. This DB will be accessed by Internet users that visit the website (located at the web server described in item 1) depending on the options they choose at the web page.
>
> I need to analyse the vulnerabilities in such a scenario and report them. Is there any tool (freeware or not) that analyses this scenario from various points of view ? For instance, I have to analyse this from the perspective of someone accessing the web page and then accessing the DB server at the internal network.
>
> I have some other questions:
>
> - Should I put a real firewall in place (Firewall-1 or Raptor for example) instead of this ISA Server ?
> - Should I create a DMZ and put this DB server there ?
>
> Thanks in advance.
>
> Mario
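To make the comparison in Dante's reply concrete, the following is a small policy model of the two placements he contrasts (web server in the DMZ with the Oracle server on the trusted side, versus both in the DMZ). It is an added example and not code from any poster in this thread; the host names, zone names, the "attacker"/"dev" hosts and the non-database port 3389 are constructed, and the rule that hosts on the same segment never cross the firewall is a modelling assumption.

```python
"""Zone-based firewall policy model for the web-server / Oracle-server
placement discussed in this thread.  Added example: hosts, zones and the
non-database port are constructed, not taken from any poster."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ORACLE_LISTENER = 1521   # Oracle's default TNS listener port
HTTP, HTTPS = 80, 443
OTHER_PORT = 3389        # constructed stand-in for "a port the web app does not need"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"


def evaluate(rules: List[Rule], zone_of: Dict[str, str],
             src: str, dst: str, port: int) -> str:
    """Decide whether host `src` can reach host `dst` on `port`.

    Modelling assumption: two hosts on the same segment never traverse the
    firewall, so the flow is always allowed.  Cross-zone flows are matched
    first-match against `rules`, with an implicit deny if nothing matches.
    """
    src_zone, dst_zone = zone_of[src], zone_of[dst]
    if src_zone == dst_zone:
        return "allow"
    for r in rules:
        if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) and r.dst_port in (None, port):
            return r.action
    return "deny"


def exposure(rules: List[Rule], zone_of: Dict[str, str]) -> Dict[str, str]:
    """The flows a reviewer would want answered for this topology."""
    probes = {
        "internet->db:listener": ("attacker", "db", ORACLE_LISTENER),  # benefit 1
        "web->db:listener":      ("web", "db", ORACLE_LISTENER),       # the one needed hole
        "web->db:other":         ("web", "db", OTHER_PORT),            # benefit 2
        "dev->db:listener":      ("dev", "db", ORACLE_LISTENER),       # benefit 3
    }
    return {name: evaluate(rules, zone_of, *flow) for name, flow in probes.items()}


# Placement 1 (Dante's recommendation): web server in the DMZ, DB server and
# developers on the trusted side.
ZONES_DB_TRUSTED = {"attacker": "internet", "web": "dmz", "db": "trusted", "dev": "trusted"}
RULES_DB_TRUSTED = [
    Rule("internet", "dmz", HTTP, "allow"),
    Rule("internet", "dmz", HTTPS, "allow"),
    Rule("dmz", "trusted", ORACLE_LISTENER, "allow"),  # the only hole into the trusted network
]

# Placement 2 (Mario's question): DB server moved into the DMZ beside the web server.
ZONES_DB_DMZ = {"attacker": "internet", "web": "dmz", "db": "dmz", "dev": "trusted"}
RULES_DB_DMZ = [
    Rule("internet", "dmz", HTTP, "allow"),
    Rule("internet", "dmz", HTTPS, "allow"),
    Rule("trusted", "dmz", ORACLE_LISTENER, "allow"),  # developers now need a hole into the DMZ
]

if __name__ == "__main__":
    for label, rules, zones in (("DB on trusted side", RULES_DB_TRUSTED, ZONES_DB_TRUSTED),
                                ("DB in DMZ", RULES_DB_DMZ, ZONES_DB_DMZ)):
        print(label)
        for flow, decision in exposure(rules, zones).items():
            print(f"  {flow:<22} {decision}")
```

Running it shows the difference Dante's point 2 is about: with the DB on the trusted side, a compromised web server can reach the DB only on the listener port (web->db:other is denied), whereas with both in the DMZ there is no filter between them at all, and the developers' access additionally becomes a firewall rule to maintain.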
RE: Vulnerability analysis tools
Mario,

> - Should I create a DMZ and put this DB server there ?

Definitely you want your Oracle database behind a firewall. Even Oracle will tell you the database is not meant to be exposed to the internet directly. Lots of pretty simple DoS attacks if you aren't totally patched, and even more serious attacks exist in the external procedure server, listener, and database instance.

From the database perspective, you can download a free evaluation of AppDetective for Oracle from www.oraclesecurity.net. It does pen testing and VA against an Oracle database. Takes both an inside-out (security from valid user perspective) and outside-in approach (security from unauthorized attacker perspective).

Regards,
Aaron

Aaron C. Newman
CTO/Founder
Application Security, Inc.
Tel: 212-490-6022
Fax: 212-490-6456
E-mail: [EMAIL PROTECTED]
Web: http://www.appsecinc.com
- Protection Where it Counts -
RE: Vulnerability analysis tools
Hi Mario...

Let's try to respond in a good order to your questions.

First of all, you should have a look at nessus.org, as mentioned earlier. But whatever tools you use (have a look at securityfocus under tools...), you should do it from a remote location, so you are sure you're in the same position as an attacker.

On the commercial side, you can take a look at Eeye's tools (www.eeye.com). GFI (www.gfi.com) also makes a free scanning tool: Languard. It's really easy to use. Be careful that in this case you are just taking 1 snapshot of your security status. I would recommend doing the test at least once a week. Qualys sells via partners a very good automated vulnerability assessment service (www.qualys.com).

A firewall? Yes, definitely you should put a real firewall before your ISA. Keep both; this is a dual barrel, 2 different ones. ISA is a fairly good proxy service, but I wouldn't bet my right hand on its security and its packet filtering capabilities. Depending on your budget, and the price you can afford, you can find really good firewalls. This will add a little more to the security. (Firewall-1, or some appliance already named in this list...)

DMZ? You should really put all Internet-accessible machines in a DMZ. So if an attacker can take such a server, he is not yet in your network. And if you can, add an IDS. Putting a DB accessible to the public via a web server is a serious thing.

And, why not request the services of an independent security consulting company?

Hope this helps. Should you need more info, contact me off list...

Max

Visit our website! http://www.nbb.be
Re: Vulnerability analysis tools
On Tue, 22 Jan 2002, Mário Behring wrote:

> Does anybody know some good tool for testing a small environment for
> vulnerabilities ?

nessus, nmap, tcpdump, iptraf, hunt, dsniff, and so on. You can find all of these via Google.

> 1- A web server hosted at an IDC (Internet Data Center)

What web software? If you are not the one who runs this host, then it is untrusted for you.

> 2- A router connected to the IDC via a link (T1 or something)

Who runs it? You or the IDC?

> 3- One Microsoft ISA Server running as a firewall with 2 NICs, one
> connected to the Router described on item 2 and the other connected to the
> internal network.

No comment.

> 4- A Database server - Oracle running on Windows 2000 Server in the
> internal network. This DB will be accessed by Internet users that visit
> the website (located at the web server described in item 1) depending on
> the options they choose at the web page.

Well, is it used for other purposes too? Put it in the DMZ.

> - Should I put a real firewall in place (Firewall-1 or Raptor for example)

Well, because none of these have a real Oracle SQL proxy, I don't recommend using them. You may try Gauntlet, which has a real sql-gw. Or if you want a tcp-plug or just a stateful packet filter, then use Linux 2.4.17 or later instead. It's for free.

> - Should I create a DMZ and put this DB server there ?

Yes. It's not a question. I suggest you move from W2K to some Unix or Linux for the Oracle server too.

--
Narancs v1
IT Security Administrator
Warning: This is a really short .sig!
Vigyazat: ez egy nagyon rovid szig!
RE: Vulnerability analysis tools
I want to add that I too use and recommend Nessus. I am using it in production and for many tests and papers I write. I also recommend the following tools in addition to Nessus:

1. nmap - services listening and open
2. whisker
3. ettercap - while this isn't a security analysis tool, I use it to demonstrate and determine the ease of use of tools attackers have.

And I use hping and snort for other analysis. All of these are free and all perform the job well.

Charles