SN Vulnerability Manager (SNVM)

Introduction

Stormshield Network Vulnerability Manager is a module that allows network administrators to gather information in real time and to analyze it in order to spot possible vulnerabilities that may compromise the security of their networks. Among other things, it also allows raising alarms generated by the intrusion prevention engine and thus to maintain an optimal security policy.

Stormshield Network Vulnerability Manager collects and archives in particular, information relating to the operating system, to various active services as well as to the different applications that have been installed. As a result, descriptive profiles can be made of network elements.

Stormshield Network Vulnerability Manager aims to:

Configure your company network’s security policy.
Analyze the status of the risk.
Optimize the level of security.
Report security events.

The procedure is as follows:

Description: 1 Stormshield Network’s intrusion prevention engine (ASQ) extracts data in real time using network protocols that it knows.

$Description: C:\Users\virginie.ragons\MyCloud\Graphisme\Applications\UserGuide\d2h\medias\ButtonsAndIcons\2.png$ Vulnerability Manager then combines and weights these data.

Description: 3 The vulnerability found can then be fixed using databases that have been indexed dynamically. Once all this information has been collected, they will be used in Monitor so that flaws on the network can be corrected, or prohibited software can be detected, or the real risk relating to the attack can be identified in real time.

Description: 4 The profile is therefore complete.

Description: 5 One or several solutions can thus be considered.

Example

A company has a public website that it updates twice a month via FTP. At a specific date and time, a vulnerability that affects FTP servers is raised and Monitor immediately takes it into account, enabling the network administrator to detect it at practically the same time.

This vulnerability is represented by a line that indicates the number of affected hosts and whether a solution is available.

By deploying this line, details of the hosts concerned will appear, as well as the service that has been affected by the vulnerability. Help, in the form of links, may be suggested to correct the detected flaw.

Once the network administrator becomes aware of the vulnerability, he can correct it at any moment, quarantine the affected host(s) and generate a report.

When you click on the Vulnerability Manager menu in the menu directory, the scan window will consist of the following:

A Vulnerabilities tab.
An Applications tab.
An Information tab.

"Vulnerabilities" tab

$Description: C:\Documentations\Modifications\Guide\RealTimeMonitor\Images-FR\Figure32.png$

Figure 31: Vulnerability Manager

This screen consists of 3 views:

A view of the list of vulnerabilities.
A view of the list of hosts affected by this vulnerability.
A hidden help view that you can display by clicking on "Show help" (top left of the screen). This allows working around the selected vulnerability, if a solution exists.

“Vulnerability(ies)” view

This view allows you to view all the vulnerabilities that the firewall has detected. Each line represents a vulnerability.

REMARK

The number of vulnerabilities is displayed in the tab’s label.

The information provided in the “vulnerability” view is as follows:

Firewall	Serial number or name (if known) of the firewall at the source of the vulnerability.
Severity	Indicates the level of severity on the host(s) affected by the vulnerability. There are 4 levels of severity: Low, Moderate, High, Critical.
Name	Indicates the name of the vulnerability.
Affected hosts	Number of hosts affected by the vulnerability.
Family	Family to which the vulnerability belongs.
Target	One of 2 targets: Client or Server.
Exploit	Access may be local or remote (via the network). It allows exploiting the vulnerability.
Workaround	Indicates whether a workaround exists.
Discovered on	Date on which the vulnerability was detected. WARNING This refers to the date on which the vulnerability was discovered and not the date on which it appeared on the network.
ID	Allows a unique identification of the vulnerability.

"Hosts" view

This view allows you to view all the vulnerabilities for a given host. Every row represents a host.

The "Hosts" view displays the following data:

Assigned	Date on which the host was assigned.
Name	Name of the host affected by the attack (if it exists).
Address	IP address of the host affected by the attack.
Application	Name and version of the application (if available).
Type	Application type (Client/Server/Operating system).
Details	Name of the service prone to being affected by the vulnerability.
Operating system	Vulnerable host’s operating system.
Port	Number of the port on which the vulnerability had been detected.
Internet Protocol	Name of the protocol used.

The Actions button makes it possible to perform certain actions on the selected event (for further information, please refer to the section Pop-up menu on rows):

View host,
Add the host to the Object base,

Help zone

The help zone allows you to get more details relating to the attack. Thus the administrator can correct the vulnerability.

Click on the Show help button to show or hide the help zone associated with a vulnerability.

Typically, help comes in the form of a descriptive file that contains explanations, links to the publisher’s site or to bug fixes.

$Description: C:\Documentations\Modifications\Guide\RealTimeMonitor\Images-FR\Figure33.png$

Figure 32: Help

"Applications" tab

$Description: C:\Documentations\Modifications\Guide\RealTimeMonitor\Images-FR\Figure34.png$

Figure 33: Vulnerability Manager - Applications

The Applications tab provides information on the application detected within the enterprise.

Two types of application may be detected:

Products: these are client applications installed on the host (e.g.: Firefox).
Services: these are server applications that are attached to a port (e.g.: lighttpd).

Using information detected by the ASQ engine, Stormshield Network Vulnerability Manager generates information about the detected applications. The design of this feature allows grouping applications by family, so by pairing such information with the vulnerability database, Stormshield Network Vulnerability Manager also suggests probable security loopholes linked to these applications.

This tab offers features that include filtering, optional column display, resizing to fit contents and copying of data to the clipboard. It displays information on the detected applications through the columns that can be seen in the window below:

This screen consists of 2 views:

A view that lists the applications.
A detailed view that lists the hosts.

“Application(s)” view

This view allows you to see the applications that the firewall detects. Each line represents an application.

REMARK

The number of applications is displayed in the tab’s name.

The Applications tab displays the following data:

Firewall	Serial number or name (if known) of the firewall.
Name	Name of the software application. The version is not specified except for the operating systems.
Family	The software application’s family (e.g.: “web client”).
Type	Software type (Client: the software does not provide any service – Server: the software application provides a service – Operating system).
Instance	Number of software applications detected in the monitored networks. For a server, the same service may be suggested on several ports. E.g.: an Apache http server which provides its services on port 80 and port 8080 (web proxy) would appear twice.

"Hosts" view

This view allows you to see all the applications for a given host. Every row represents a host.

The "Hosts" view displays the following data:

Name	Host name.
IP address	IP address of the host.
Application	Name of the software as well as its version, if available.
Type	Software type (Client: the software does not provide any service – Server: the software application provides a service – Operating system).
Operating system	Host’s operating system.
Port	Port that the software application uses (if it uses any).
Protocol	Internet protocol of the software (if it uses any).

The Actions button makes it possible to perform certain actions on the selected event (for further information, please refer to the section Pop-up menu on rows):

View host,
Add the host to the Object base,

"Events" tab

$Description: C:\Documentations\Modifications\Guide\RealTimeMonitor\Images-FR\figure35.png$

Figure 34: Vulnerability Manager - Events

The Information tab informs you of your network’s activity. You can therefore see the programs that are at risk of generating attacks.

This screen consists of 3 views:

List of programs.
List of hosts.
Help zone.

“Events” view

This view allows you to see all the events that the firewall detects. Each line represents an event.

REMARK
The number of events is displayed in the tab’s name.

The “Information” view displays the following data:

Firewall	Serial number or name (if known) of the firewall.
Name	Name of the detected OS or a server (e.g.: SSH server).
Family	Host family. Example SSH
Affected hosts	Number of hosts affected. These hosts are identified in the Hosts view in this tab. REMARK The number of hosts indicated in the column "Affected hosts" is not always the same as the number of elements indicated in the "Hosts" zone in this window. In fact, the same service may use several ports. For example, the service thhtpd_server_2.25b can listen to 2 different ports, thus increasing the number of elements.
ID	Identifier.

"Hosts" view

This view allows you to see all the events for a given host. Every row represents a host.

The "Hosts" view displays the following data:

Assigned	Date and time of the event’s occurrence.
Name	Host name.
Address	IP address of the host.
Application	Name of the software as well as its version, if available.
Type	Software type (Client: the software does not provide any service – Server: the software application provides a service – Operating system).
Details	Details about the operating system.
Operating system	Host’s operating system.
Port	Port that the software application uses (if it uses any).
Internet Protocol	Internet protocol of the software (if it uses any).

The Actions button makes it possible to perform certain actions on the selected event (for further information, please refer to the section Pop-up menu on rows):

View host,
Add the host to the Object base,

Help zone

The help zone allows you to get more details relating to the attack. Thus the administrator can correct the vulnerability.

Click on the Show help button to show or hide the help zone associated with an event.

Typically, help comes in the form of a descriptive file that contains explanations, links to the publisher’s site or to bug fixes.

REMARK
Refer to the Stormshield Network Security user guide to configure Vulnerability Manager.