Foundstone Scanner User Training

Upload: ayana-baye

Post on 14-Dec-2015


Page 1: Foundstone Scanner User Training. Observation There are few (if any) funny cartoons about network vulnerability scanning

Foundstone Scanner

User Training

Observation

• There are few (if any) funny cartoons about network vulnerability scanning

• … so make fun of PowerPoint

Why scan?

• Know what the Bad Guys (as well as students and other interested parties) see when they look at your machines

• Identify machines you are responsible for that managed to avoid your best attempts to patch them

• Interesting Factoid: A recent campus scan identified over 50 machines that were vulnerable to Conficker because of a missing patch

• Address audit points from our last audit

Scanner Info

• Foundstone FS-1000 appliance

• Accessed via web browser

• Licensed for 2500 addresses

• Currently has over 500 addresses from the border exemption database

• No interior firewall addresses at this point

The Plan

• Allow colleges/departments to scan their own machines, reduces dependency on ITSO and better utilizes the FS-1000

• Individuals identified from each of the major constituent groups (colleges, auxiliaries, departments)

• ITSO will provide FS-1000 credentials to designated users

Using the FS-1000 scanner

• Use Internet Explorer to connect to: https://eclipse.sdsu.edu

• FS does not support Firefox. Sorry, *nix folks. Don’t know about Safari.

• May need to allow pop-ups and JavaScript from the FS-1000.

• Portions of the FS-1000 written in Java run on the client.

Let’s get started

• https://eclipse.sdsu.edu

• Organization: sdsu

• Credentials as assigned

Security 101: Change your password! (1)

• Menu Bar: Manage >> Users/Groups

Security 101: Change your password! (2)

• Select Run if you get a Java version alert about earlier version required

• Drill down in the tree to your workgroup and user object

• Open your user object

• Set a new password (letters, digits, special characters)

• DO NOT CHECK LOCKED!

Create a new scan (1)

• Menu Bar: Scans >> New Scan

• Start with a template, select “Use a Foundstone template”

Create a new scan (2)

• Choose the SDSU General Purpose template

• Covers most systems on campus, non-intrusive

Create a new scan (3)

• IP Selection box uses Java, choose Run if you get the Earlier Version alert

• Name your scan

• Add IP addresses from your assigned address pool

• Next>> or Settings

Create a new scan (4)

• May not need to change anything

• Can select or deselect entire platform

• Intrusive is not selected, know what you’re doing before using it

• Next>> or Reports

Create a new scan (5)

Other Settings

• Hosts: Ports that FS uses to determine whether a host exists

• Services: Ports that FS uses when searching for known services

• Credentials: Used for Shell scans and most Windows scans

• Web Module: Can look for various web security issues

• Optimize: Modify engine settings

Create a new scan (6)

• Remediation Tickets are not implemented, uncheck

• Use Internal Scan unless you know that only border-exposed ports will be scanned

• Recommend: PDF (downloadable), HTML (downloadable and viewable online)

• Next>> or Scheduler

Create a new scan (7)

• Choose One Time or Recurring

• Active must be checked in order to run the scan. Inactive scans will be saved, but can’t be run.

• OK finishes the Scan creation process.

Deep Cleansing Breath

• We have a scan, now what?

Tech Support Tip

Start or Edit an existing scan

• Menu Bar: Scans >> Edit Scans

• Important Safety Tip: Delete removes all associated reports and vulnerability data

• Click Activate to start a saved scan

Edit a scan

• Editing is nearly the same as creating a new scan.

• Can’t change the name of a scan.

Monitoring scan progress (1)

• Menu Bar: Scans >> Scan Status

Monitoring scan progress (2)

• Status does not auto-refresh, use the Refresh button

• Often seems to hang at 50% - be patient

Let’s see the results (1)

• Menu Bar: Reports >> View Reports

Let’s see the results (2)

• Shows the report engine progress

• 75% always seems to take a looooong time, not just WPS (Watched Pot Syndrome)

Let’s see the results (3)

• Whoops, where’d the report go???

Let’s see the results (4)

• Click “Scan Reports” and it shows up

• View Report (HTML only) and Download icons for selected formats (downloads can be slow)

The Report (1)

• New IE window

The Report (2)

• In IE, View >> Text Size >> Medium

The Report (3)

• Access the various sections of the report via the Report Pages menu

</powerpoint><humor class=‘random geek bad’>

</humor>

<demo class=‘foundstone live’ />