In-Depth

How a Network Scan Can Improve Your Security

A scan can improve the security of your network, but be sure you know the law before you decide to do so.

• By Greg Saoutine
• 09/01/2001

Some folks compare scanning to walking down a strip mall and looking for vulnerabilities and weaknesses in the stores' physical security. By itself, such activity isn't illegal, and the automatic assumption of malicious intent is premature. Different jurisdictions are taking different positions regarding this matter; understand the law, both where you are and where the target's located, even if you think you're fully authorized to perform a scan.

A network scan can provide you information about the host similar to information "received" by a malicious individual. That may include the type of OS running on the target (fingerprinting), applications/services running on the target and advertising themselves to the network (port scan), and possible vulnerabilities present in the OS and applications on the target (OS and application vulnerability scan). Also, some scanning tools allow you to execute denial of service (DOS), buffer overflow, fault injection and other attacks against the target system. This functionality built into the scanners helps you perform rigorous testing on pre-production systems in a controlled manner.

On the "black-hat" side, the information obtained about the target gives hackers an understanding of how to plan and perform an attack. The more information about the OS, applications and vulnerabilities present on your hosts that malicious intruders have, the more they can focus their efforts toward a specific platform and/or application. For example, if an attacker's able to see that you're running IIS 4.0 on a Windows NT 4.0 server without some of the recent patches, they can immediately exploit vulnerabilities such patches were designed to fix. Databases of such vulnerabilities are often easily accessible via the Internet.

A popular misperception in the industry is that hackers can always get away with using scanners, since there are mechanisms built into the scanners to "mask" the scan. Most of the time, it's possible to detect scanning activity in the firewall and/or OS logs, but sometimes it's hard to say what kind of scanner was used, especially because a malicious attacker may be able to run a raw script probing your host from the command line. Also, many scanners provide capabilities for "stealth" (SYN) scans, where a TCP/IP connection never gets established with the target and, therefore, the investigation of malicious activity is harder, if not impossible (depending on the type of network technologies used around the target). Some scanners (especially commercial products) specifically identify themselves on the network to facilitate investigations of unauthorized scans and protect the software vendors from the legal consequences of unauthorized use of their software.