esigning a managed security solution (MSS) for your Web servers will cost you, but it doesn't have to be money. Time and diligence are the only things you need to expend when you deploy various freely available tools that you can use to build your Web server MSS.
First of all, to build a complete MSS you need to be aware of any unauthorized activity on your network and your Web servers. Use port scanners to footprint your environment and determine whether you've left doors open to intruders via the Web. These scanners detect rogue machines running on your server and even rogue servers running on your network by initiating TCP connections to the ports and IP address ranges that you specify and checking whether each port has an open connection.
Make sure you specify only the ports that make sense for you on your target scan list. You probably don't want to scan the entire range of 65,535 available ports, so limit the your target range to the ones that most concern you (e.g., ports 80, 8080, 443, and 3128 are common Web-related services ports).
The port scanners will return a wealth of data. Some of them can identify the operating system running on a target machine or even retrieve the banner off a connected, but unauthorized, server. However, the most useful information a scanner will produce for security purposes is server IP addresses, corresponding open ports, and banners from the servers. With these three pieces of data, you can gain a big picture understanding of the Web-related activity on your network.
The following is a list of freely available port scanners you can download implement into your managed security solution:
- NmapNmap is the best known port scanner. It can perform various scans, identify a target machine's operating system, and even tell you whether the TCP ISN it generates is random enough for strong security. Nmap runs on both Windows and Unix platforms, but it does not retrieve the port banner.
- FScan and SuperScanFScan is a small, fast command-line tool that runs only on the Windows platform. It grabs banners, if any exist. SuperScan also is a free scanner that runs on Windows. It offers a graphic user interface through which you control your scans and view your results.
- NessusNessus is more than just a port scanner. It scans for client/server architecture vulnerabilities as well. You can use it as a port scanner to scan your specified IP range and port, and then run it as a vulnerability scanner afterwards.
- WotWebThis small tool written and released freely by Robin Keir not only scans ports but also generates a list of IP addresses, open ports, and the banners it grabs from open ports. Because its results are in the ASCII format, you can easily import them into a spreadsheet for future reference.
What's It All Mean?
You have to understand your port scanner's output format so you can grab just the information you need. For example, with FScan, you can use the '-o' switch to generate its output to a text file. When it detects an open port on a certain host, the following result would be shown:
HTTP/1.1 400 Bad Request[0D][0A]Server: Microsoft-IIS/4.0[0D][0A]Date: Mon
, 15 Oct 2001 20:04:00 GMT[0D][0A]Content-Type: text/HTML[0D][0A]Content-L
parameter is incorrect. </body></HTML>
The first line displays the IP address and the port number (80 in this case). Now you can extract the information we need using this regular expression:
The first variable will be the IP address, and the second will be the port number. You will then have a list of servers and the ports open on them. The same method can be applied to the other port scanners.