
Open Source Security Tools: Practical Guide to Security Applications, part 30


We also had to design a database schema with the tables that we would be populating with our program. The NPI program was a great help in this regard, although there were new tables relating to our scheduling that we needed to add.

While the dataflow was similar to that of NPI, there were some significant differences. We diagramed this so we could follow all the logical interactions between the systems. Figure 8.11 shows the logical layout of NCC.

We also created a Web site and a Sourceforge page for the project. The Web page is located at www.netsecuritysvcs.com/ncc. While we figured we had enough talent in our group to finish the project, it never hurts to let other people in the open source community know what you are working on. Also, once it was finished, we would need help in porting it to other platforms and adding new features.

So once all the preliminaries were taken care of, we got to work, usually holding weekly meetings to track the progress. Because this was not a full-time effort and we all had day jobs, it took about a year to complete the program, and even that was only a beta version. Still, we had something we could use, and now by leveraging the online community of developers, NCC can be extended and improved. Writing NCC as an open source project certainly required a little more work on the front end than doing it as a private project because we had to do the research on existing programs and integrate the code bases, but we were able to leverage existing code bases, which cut our total development time down considerably. Also, we knew that if it became popular, it might get ported to other platforms or even used as the base for an even bigger program, which would only help us. All in all, the experience was a real win/win for my company and other users out there.

Figure 8.11 NCC Logical Design

[Figure labels: User with Web browser; PHP Front End; PHP Web server; NCC MySQL Database (Groups, Companies, Users, Targets, Schedules); Queries; Insert schedules; Insert scan data; NCC.PL (checks database, loads queue); NCC Client (checks queue, runs scans, posts results); Nessus servers; Nessus scans; Target networks]

The ncc.pl program module queries the database and places scheduled scans in the queue. The NCC client takes events out of the queue, sends the scan commands to the Nessus server(s), and posts the results. The NCC front end allows viewing of the results through a standard Web browser.

Installing NCC

NCC has requirements similar to those of the NPI tool described earlier in this chapter. You need a PHP-compliant Web server (such as Apache), MySQL database, and a Nessus server and client. NCC assumes you already have these installed and running. If you don’t, refer to the sections earlier in this chapter on how to set up Apache and MySQL, and Chapter 5 for instructions on installing Nessus.

When these are in place you can install NCC.

1. Download the program or get it from the book’s CD-ROM.

2. Unpack and unzip the program into its own directory, making sure the directory is in your path.

3. Change into the NCC directory and type ./install.pl. This runs the NCC installation script. (You don’t have to compile NCC because it is programmed in interpreted languages such as Perl and PHP.)

The install program first checks for the presence of the Perl modules required for NCC. If it doesn’t find them, you have to load the appropriate module(s) either from your distribution disks or using the CPAN utilities described in the “Installing Swatch” section earlier in this chapter.

4. The program automatically initializes your database and copies all the files into the appropriate places. During the installation you are prompted for some input. Table 8.7 describes these installation settings.

Table 8.7 NCC Installation Settings

NCC user: This is a system account that NCC will run as. It is recommended that you create a special user account just for NCC.

Installation directory: You can choose one of the two standard locations, /usr/local/ncc or current, or you can specify your own.

NCC Administrator e-mail: The e-mail address of the NCC administrator who will get all the daily activity reports.

From address for results: The address that the reports will appear to come from (important for spam filters).

Name of MySQL server: Host name or IP address of your NCC MySQL server, which should be localhost if it is running on the same machine.

Name of database for NCC: The name of the MySQL database that will be created by the install script. The default of ncc is fine for most installations.

MySQL user: A valid user on the MySQL system. You should create one specifically for NCC.

MySQL password: Password for the above user.

Nessus server: Host name or IP address of your Nessus server. This is localhost if you are running Nessus and NCC on the same machine.

Nessus port: The port to connect to on the Nessus server. The default of 1241 is correct unless you have changed this on your Nessus server.

Nessus username: A valid user on that Nessus server.

Nessus password: The password for the above user.

Nessus path: Path to the Nessus executables. The default is correct for the standard Nessus installation.

Temp directory: Where NCC will stage results from your scans before it imports them into the database. You can look here if you want to find the raw nbe files that were used.

5. You will be prompted for the NCC admin user and password combination. This user will be an administrator of the entire program, so choose this login ID and password carefully.

6. Create a symbolic link from the place in your public Web directories that you want to access NCC. Point this to /html in the root NCC install directory. This will connect you to the main NCC page and to your public Web directories as well as protect the other NCC files from access.

7. You are now ready to run NCC. With the database and Web server running, open a Web browser and enter the host name of your NCC server along with the location you created above. For example, if you created the symlink in /ncc of your Web root directory and your NCC server is ncc.example.com, the URL would look like this:

http://ncc.example.com/ncc

If you were accessing it on the local machine, this would work:

http://localhost/ncc

This displays the NCC login page.

8. Log in with the user name and password you created during the installation process.

You can now begin using NCC to automate and schedule your scans.

Using NCC

After you have logged in, the NCC main screen displays (see Figure 8.12). This is where you manage all of your groups, companies, scan targets, and schedules.

Figure 8.12 NCC Main Interface

NCC was designed to be modular and expandable. For example, you can use NCC to manage multiple scans within one company. However, if you are a consultant, you can create scans for multiple companies that have different profiles. Let’s take it one step further and say that you want to run a security ASP. NCC lets you set up multiple groups, each with its own member companies for all of your individual agents and consultants selling security scans. (This group management feature will eventually allow for customizable interfaces and front ends, but this feature is not in the beta version.)

You can choose from four main options.

System admin: These options are available only to the system administrator. This is where you create your groups and perform other system-level functions.

Group admin: This option is available only to group administrators. These users may add, edit, or delete a group’s company profiles. You would use this function if, for example, you were setting up different companies with a set of targets each could manage. Each group administrator will see only the companies he or she has access to.

Company admin: This is where you manage the users, target files, and schedules for each company. For example, you may want to have a lower-level system administrator start scans for one division but not for another. You can set those parameters here.

User functions: This section is available to all users. Here individual users can edit their profile information and perform functions on their accounts such as changing their passwords. They can also access the data from scans that have run.

Let’s take a simple example and walk through the steps of adding users, adding targets, and scheduling a scan. For simplicity, the example assumes you don’t need multi-company and multi-group capabilities.

Adding Users

1. First, you should add a user (other than the system administration user you added earlier). Under Company Admin, click on Add user to add a user who can run scans.

2. Select the company they will belong to from the pull-down box and click on Add.

3. On the User Management screen, fill in the information on your new user (see Figure 8.13).

You can select a user name and password here. The password will be starred out and stored as an MD5 hash rather than plain text. Also, select a user type here: System admin, Group admin, Company admin, and User. Note that you will only be able to create users that are at or below the user level you are logged on as. For example, company admins cannot create system admin level users.

If you want to edit or delete an existing user, click on Edit/delete from the Main Screen under Company Management.

4. Click on Add, and NCC adds your user to the database. This person can now log on and add scans as part of the company they were added to.

Adding Targets

NCC defines a target as any set of IP addresses and associated scan settings for those addresses. We made a conscious decision when designing the program to separate the target objects from the schedule objects. This allows the program to be much more modular and have greater flexibility. For example, you may want to schedule a certain scan to run at the beginning of each month. However, if a new vulnerability comes out, you might want to scan that target in the middle of the month, just once, to check your vulnerability. NCC allows you to add a one-time scan event to that target rather than changing your monthly scan and then having to change it back so that your monthly scan still runs.

1. To add a target, from the main screen under Company Admin click on Target Mgmt.

2. Pull down the context-sensitive menu to see all the targets that you have access to. If you are a group administrator, it will show you all the targets for every company that you are a member of.

3. Click on Add and the Target Management screen displays (see Figure 8.14). Here you can select the company you are adding this target for.

Give the target a text description, such as DMZ Servers. This name will appear in the drop-down box, so make it specific enough that you can tell what it is.

4. Select a Scan type—whether your scan is of a single address, a subnet, or an address range.

Figure 8.13 NCC User Management Screen


5. Under Scan Value enter the IP address string that corresponds to your targets in Nessus-compliant syntax. Recall from Chapter 5 the allowed formats for Nessus scan strings:

Single IP address: 192.168.0.1

IPs separated by commas: 192.168.0.1,192.168.0.2

IP ranges separated by dashes: 192.168.0.1-192.168.0.254

Using standard slash notation: 192.168.0.1/24 (a class C network of 256 addresses)

A host name: myhost.example.com

Any combination of the above separated by commas: 192.168.0.1-192.168.0.254, 195.168.0.1/24,192.168.0.1-192.168.0.254

Figure 8.14 NCC Target Management

6. Select a scan configuration. The default is the Nessus default scan. There are up to four other scan types you can run. (Future versions will allow for uploading a custom configuration file and also pasting in a text file.)

7. Click on Add, and the target is added. You are now ready to schedule your scan.
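An added example, not from the book or the NCC code base: a small Python validator for the Scan Value formats listed in step 5, which classifies each comma-separated entry and rejects anything that is not an address, range, slash-notation block or host name before it would be stored as a target. The function names are hypothetical, and the rule that a dash range consists of two full IPv4 addresses is an assumption taken from the listed formats, not from Nessus's own parser.

```python
import ipaddress
import re

# Host name: dot-separated labels; the last label must start with a letter.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def parse_target(item):
    """Classify one entry; return (kind, normalized, address_count)."""
    item = item.strip()
    if not item:
        raise ValueError("empty entry")
    if "/" in item:
        # strict=False accepts host bits, as in the listed 192.168.0.1/24.
        net = ipaddress.ip_network(item, strict=False)
        return ("cidr", str(net), net.num_addresses)
    if "-" in item and re.match(r"^[0-9.\s-]+$", item):
        lo_s, hi_s = item.split("-", 1)
        lo = ipaddress.IPv4Address(lo_s.strip())
        hi = ipaddress.IPv4Address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"range end before start: {item}")
        return ("range", f"{lo}-{hi}", int(hi) - int(lo) + 1)
    try:
        return ("ip", str(ipaddress.IPv4Address(item)), 1)
    except ipaddress.AddressValueError:
        pass  # not a dotted quad; fall through to the host name check
    if _HOST_RE.match(item):
        return ("host", item.lower(), 1)
    raise ValueError(f"not a valid target: {item!r}")

def parse_scan_value(value):
    """Split a comma-separated scan value and validate every entry."""
    return [parse_target(part) for part in value.split(",")]

def total_addresses(value):
    """Upper bound on addresses covered (overlapping entries count twice)."""
    return sum(count for _, _, count in parse_scan_value(value))

if __name__ == "__main__":
    # Constructed sample: the combined entry from the list of formats.
    sample = "192.168.0.1-192.168.0.254, 195.168.0.1/24,192.168.0.1-192.168.0.254"
    for entry in parse_scan_value(sample):
        print(entry)
    print("addresses:", total_addresses(sample))
```

The address count is useful as a sanity check before scheduling: an unexpectedly large total usually means a mistyped mask or range.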

Scheduling Your Scan

Once you have created one or more target objects, you can apply scan schedules to them.

1. On the main menu under Company Admin, click on Schedule Management. The Schedule Management screen displays (see Figure 8.15).

2. Select a company and a target within that company. Again, the pull-down menu selections available to you reflect the user level at which you logged in.

3. Select a scan date, time, how often it should run, and how many times to recur. You can have the scan run one time, daily, weekly, monthly, bi-monthly, or quarterly. (Future versions will support custom recurrence strings in either cron or I-cal format.) You can also set the recurrence to happen only for a certain number of times, for example, for a customer who has signed a one-year contract for monthly scans. You can also choose to have it recur continuously, for example, for your own network’s regular monthly scans.

Figure 8.15 NCC Schedule Management Screen

4. Click on Add and your scan will be scheduled.

Now you can sit back and wait for the report. The user who created the scan will be notified by e-mail a day before the scan happens (except for daily scans, for which you are notified an hour beforehand), and by another e-mail when the report is available to view.

5. Once your scan has run, you can view it by selecting View reports under User Functions on the main menu. This displays the NCC Scan database screen (see Figure 8.16).

This lets you browse the scan data and create custom reports.

You may notice this interface looks similar to the NPI interface reviewed earlier in this chapter. This is because we used the NPI code as a reference in creating this section. NPI is open source and GPL, so as long as we were releasing our code GPL and included the copyright information, we were free to use this code. One of the great things about open source development is that it is perfectly acceptable to build on the successes of other people. And someone may build on your work to create something even better still. As long as it is open source, you have full access to any advances and improvements.

This may seem like a lot of work just to do a scan, and it is if you are only doing it once. But when you are managing dozens of scans with multiple users, then NCC is invaluable for keeping track of all this activity.

Figure 8.16 NCC Scan Database View

You now have the tools and the knowledge to create a complete intrusion detection and vulnerability scanning system with complex analytical functionality. By using these combinations of tools, you will be able to greatly increase the security of your internal network and external network servers. Together these tools can help you make the most of the time you spend on securing your network. Next, we are going to look at tools to help you keep your data secure inside and outside your network by using encryption tools.

Date posted: 04/07/2014, 13:20
