Even the best scanners can't predict the future. In fact, given the numerous incidents of new attacks and worm and virus outbreaks, it appears that vulnerability scanners make lousy prognosticators. Cenzic Inc.'s Hailstorm 3.0 takes a completely different—though often complementary—approach.
IT administrators and security specialists can use Hailstorm, which shipped early this month and costs $30,000 per unit (single machine), to inject faults into any part of the network to find vulnerabilities before crackers can. Fault injection via Hailstorm makes it possible to stress any part of a system—including Web servers, network devices and firewalls—find the vulnerabilities in those systems and discover how those flaws affect the rest of the network.
Hailstorm brings fault injection to the general IT market for the first time, but the concept is not new. It has been used in the airline industry for years. For example, jet manufacturers need to know not only how to stress and break individual components of jet engines but also what else will be affected during the process.
The software industry has adopted this concept in the application development area, but it is typically categorized as software quality assurance or as a generic life-cycle management capability. Fault injection in the security world has been discussed before, but, mainly, it has been stuck in research.
Knowing What You Don't Know
Traditional vulnerability scanners, including the ones evaluated throughout this package, access a database of previously documented vulnerabilities. They then profile the packets and generate similar traffic patterns to check for holes in whatever systems are being tested.
The vendors of these products are also responsible for keeping their databases up-to-date. Since most vulnerabilities are already registered, these tools do an excellent job of catching more than 95 percent of the flaws that could lead to a system compromise.
However, vulnerability scanning tools are ineffective at discovering flaws that have not been reported. Suffice it to say, the total number of documented flaws at any given moment pales in comparison with the entire set of flaws that have not been discovered.
The goal of Hailstorm is to help security professionals and developers tighten security to prevent unauthorized users from taking advantage of undiscovered flaws.
Because of its design, Hailstorm may miss some of the thousands of previously reported vulnerabilities. Therefore, companies highly concerned about security should consider Hailstorm complementary to tools such as Foundstone Inc.'s FoundScan.
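As an added illustration of the contrast drawn in this section (example code, not part of the original review and not Cenzic's product), the harness below runs a signature-style check and a fault-injection pass against a constructed toy parser that stands in for a networked service; the flaw database, the record format and the mutation list are all assumptions for the demonstration.

```python
"""Signature lookup vs. fault injection against a toy in-process parser."""
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a scanner's database of documented flaws: each
# entry is the exact probe the scanner replays to confirm the flaw is present.
KNOWN_FLAW_SIGNATURES: Dict[bytes, str] = {
    b"LEN=-1:": "DOC-FLAW-001 (placeholder id): negative length accepted",
}

def parse_record(data: bytes) -> int:
    """Toy length-prefixed record parser (constructed target).
    Contract: malformed input is rejected with ValueError; any other
    exception escaping this function is a defect."""
    header, _, body = data.partition(b":")
    if not header.startswith(b"LEN="):
        raise ValueError("bad header")
    length = int(header[4:])                 # non-numeric -> ValueError
    if length < 0:
        raise ValueError("negative length")  # the documented flaw, now fixed
    body = body[:length]
    # Undocumented defect: a zero-length record reaches a modulo by zero.
    return sum(body) % length

def signature_scan(target: Callable[[bytes], int]) -> List[str]:
    """Signature approach: replay only documented probes; report survivors."""
    hits = []
    for probe, name in KNOWN_FLAW_SIGNATURES.items():
        try:
            target(probe)
        except ValueError:
            continue                          # rejected cleanly: flaw is fixed
        except Exception:
            hits.append(name)                 # documented flaw still present
    return hits

def fault_inject(target: Callable[[bytes], int],
                 baseline: bytes) -> List[Tuple[bytes, str]]:
    """Fault-injection approach: start from captured good traffic, mutate one
    field at a time and flag any failure that is not the parser's own rejection."""
    header, sep, body = baseline.partition(b":")
    mutations = [b"-1", b"0", b"1", b"99999999", b"", b"abc", b"1e3", b"\xff"]
    findings = []
    for m in mutations:
        probe = header[:4] + m + sep + body   # swap only the length field
        try:
            target(probe)
        except ValueError:
            continue                          # contract honoured
        except Exception as exc:              # anything else is a new finding
            findings.append((probe, type(exc).__name__))
    return findings
```

The signature pass reports nothing because the only documented flaw is fixed, while the mutation pass surfaces the unlisted zero-length defect; it would equally miss a documented flaw whose trigger is not in the mutation list, which is why the two approaches are complementary.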
All security assessment tools can be used as weapons in the wrong hands, so Cenzic has a fairly strict registration policy. eWeek Labs had to register the product to use it, and during the registration process, we had to list the IP ranges that we would be testing against.
In addition, Hailstorm must be connected to a network to function, a safeguard that might cause some welcome annoyances down the road.
Hailstorm presented us with a list of four generic tests: Web application, network device, intrusion detection system signature and firewall.
These tests categorize the types of traffic that Hailstorm can generate. For example, the firewall test generates ICMP (Internet Control Message Protocol), TCP and UDP (User Datagram Protocol) traffic, while the network device test stresses equipment that maintains static TCP state tables.
It's important to note that this is just a starting point. Hailstorm includes facilities for generating any kind of traffic against any kind of device.
Because Hailstorm is flexible, it's inherently more difficult to use than traditional vulnerability scanners. It can be far more powerful, however. In tests, we could run SQL Parser scripts against a database, inject commands into any Unix device or run buffer overflows against any networked system.
We could also schedule these transactions to happen at any time. More important, we could capture our own traffic and use Hailstorm to profile it.
The traffic profiling capability, meanwhile, allowed us to run Hailstorm as a load testing system, similar to NetIQ Corp.'s Chariot or Caw Networks Inc.'s WebAvalanche.
However, because Hailstorm runs solely on the Windows platform using Microsoft Corp.'s embedded database engine, it cannot generate the same kind of loads that Chariot or WebAvalanche can and is not a direct competitor.