April 15th, 2004, 02:43 PM
#1
SecuritySpace.com - My "assessment"
Unfortunately I can't find the thread where somebody recommended www.securityspace.com so I can't point you to it. Having made some significant changes to my systems in recent days I thought I'd go ahead and see what this company has to say about my "most exposed" system. Bear in mind this is not the first security audit I have done on this box since the changes and nor will it be the last.
So off I go and sign up for the two free tests, (the basic and the "No Risk"). The basic test is a simple portscan to tell me what ports are open. Ok, I can live with that. So I moved on to the "No Risk" which is their full scan with the results being "crippled" until you pay them ca$h.... 
The things I _know_ about the box are:-
1. It's a standard Win2k server, SP2, all patches
2. It is only allowed to accept connections from anywhere on ports 21, 25, 80 and 3389 due to the IP filtering I have in place.
3. The firewall blocks all but 21 and 25 to that box from the public network.
4. Port 80 is closed on that box at present.
5. Port 3389 can only be accessed from a short list of machines on the trusted network, (this box is in the DMZ).
6. Port 25 is managed by Microsoft's SMTP server under IIS 5. No effort has been made to hide this.
7. Port 21 is managed by a proprietary FTP server, fully patched, no attempt made to obfuscate the system.
The security scan took two hours to come up with the following findings:-
Low risks, (Which it laid out for me): 3
Medium risks, (hidden from me) : 0
High risks, (hidden from me) : 5
The scan claims to do some 2000 checks of my system and says up front it uses NMap and Nessus for the exploit scans. I specifically told the scan _not_ to perform any kind of DoS attack.
Notable things about this company and its "product":-
1. Even though I specifically stated "No DoS" the scan was so noisy that they claim my firewall must have blocked their scan. BS. The firewall logs clearly show their attacks on the FTP server, (which they concentrated on almost exclusively), being allowed in from the start of the period right to the end.
2. Their scan was _very_ noisy and triggered the Snort sensors immediately. (OK, that's not a problem insofar as I authorized the scan - but why make it noisy if you then accuse me of blocking you - which I didn't!!!! It's MY security I'm testing, not your ability to scan me more quickly!!!!!)
3. The first "low risk" they mention is the fact that the SMTP port is open and that information can be gleaned from the header they pulled..... "220 SMTP service ready" is the banner.... Yep, I gave the game away there.
4. The second "low risk" was the same as for the SMTP port. The banner they pulled there was "220 ftp.mydomain.com"..... Damn, I'm just giving it all away today.
5. Get this one...... They can run a tracert...... Bugger me!!!!!!
(To scare me they then threw in 7 items that need consideration.....)
6. They can resolve the IP to an FQDN - that's a bit of a bugger too.... It is a mail server!!!!!!
7. This one makes me laff......
smtpscan was not able to reliably identify this server. It might be:
Symantec Enterprise Firewall 7.04 (Windows)
Symantec Velociraptor 1.5
Postfix-20010228-pl08
The fingerprint differs from these known signatures on 2 point(s)
If you known precisely what it is, please send this fingerprint
to [email protected] :
:503:250:501:250:553:250:452:214:252:252:500:500:500:250:250
It's IIS for god's sake!!!!!
8. Now I'm just giggling.....
Remote OS guess : Linux 2.0.32-34
CVE : CAN-1999-0454
This plugin determines which operating system
the remote host is running.
Guessing the remote operating system allows
an attacker to make more focuses attacks and
to achieve his goal more quickly
This plugin uses the code from Nmap - see www.nmap.org
Risk factor : None
OMG..... I scan it with NMap - don't ping - OS detection - stealth scan, (which they used per my Snort logs), normal speed - very verbose, and it tells me Win2k SP4 or WinXP SP1.... Funny that, huh?
9. I'm really not getting this one....
Nessus cannot reach any of the previously open ports of the remote
host at the end of its scan.
This might be an availability problem related which might be
due to the following reasons :
- The remote host is now down, either because a user turned it
off during the scan or a selected denial of service was effective against
this host
- A network outage has been experienced during the scan, and the remote
network cannot be reached from the Nessus server any more
- This Nessus server has been blacklisted by the system administrator
or by automatic intrusion detection/prevention systems which have detected the
vulnerability assessment.
In any case, the audit of the remote host might be incomplete and may need to
be done again
I did nothing to stop it. There are no active defense systems except the firewall blocking all communication with the attacker - which it didn't do, it allowed connections right up to the end of the audit. The FTP server will automatically ban users who attempt certain exploits, it didn't. The firewall did strip attempted buffer overflows which the scanner tried for _ever_ but it never gave up and moved to a different test...... But the FTP log shows the scanner opening connections right to the last minute of the audit too...... So it was getting to the server!!
10. They then go on to repeat things already mentioned to scare me more I guess and then there are two pages of how to mitigate issues that it didn't even find.... What's that all about?????
My Assessment of this "Product"
It is a badly done scan/audit with tools being used improperly. I dread to think what the 5 "High Risk" vulnerabilities are.... But I'm pretty sure they aren't worth $49 to find out. It identified 2 open ports yet managed to fill some eight pages of a report with what I can only describe as "scare tactics", repetitive "vulnerabilities" and mitigation techniques for vulnerabilities it doesn't find, (they are a "canned" script they add to the end of the report to bulk it out).
In short..... Buyer BEWARE!!!!!
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
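The poster's rebuttal of the "Nessus server has been blacklisted" finding rests on his own firewall logs showing the scanner's connections still being accepted at the end of the audit. The check below is an added example (not from the post, SecuritySpace or Nessus) that does that comparison over a constructed log in a hypothetical "timestamp ACTION src:port -> dst_port" format; the scanner address 192.0.2.10 and the per-port accept/drop pattern mirroring the post's filtering (21 and 25 allowed, 80 closed, 3389 trusted-only) are constructed sample data.

```python
"""Verify a scanner's "we were blocked" claim against the firewall log.
Added example; log format, addresses and timestamps are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical log format: "<date> <time> <ACCEPT|DROP> <src_ip>:<src_port> -> <dst_port>"
LINE_RE = re.compile(r"^(\S+ \S+) (ACCEPT|DROP) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: scanner 192.0.2.10 is let through to 21/25, dropped on 80/3389,
# and is still being accepted on port 21 seconds before the audit ends at 14:40.
SAMPLE_LOG = """\
2004-04-15 12:40:01 ACCEPT 192.0.2.10:44110 -> 21
2004-04-15 12:40:02 ACCEPT 192.0.2.10:44111 -> 25
2004-04-15 12:40:03 DROP 192.0.2.10:44112 -> 80
2004-04-15 12:40:03 DROP 192.0.2.10:44113 -> 3389
2004-04-15 13:50:17 ACCEPT 192.0.2.10:51007 -> 21
2004-04-15 14:39:58 ACCEPT 192.0.2.10:58820 -> 21
2004-04-15 14:40:00 DROP 203.0.113.7:4000 -> 445
"""

def parse(log_text):
    """Yield (timestamp, action, src_ip, dst_port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3), int(m.group(4))

def scanner_summary(log_text, scanner_ip):
    """Per-port accept/drop counts and the last accepted connection from the scanner."""
    accepted, dropped, last_ok = Counter(), Counter(), None
    for ts, action, src, port in parse(log_text):
        if src != scanner_ip:
            continue
        if action == "ACCEPT":
            accepted[port] += 1
            last_ok = ts if last_ok is None or ts > last_ok else last_ok
        else:
            dropped[port] += 1
    return {"accepted": dict(accepted), "dropped": dict(dropped), "last_accept": last_ok}

def blocked_before_end(log_text, scanner_ip, scan_end, grace_minutes=5):
    """True only if the firewall stopped accepting the scanner well before scan_end,
    i.e. only then could a 'blacklisted by the administrator' explanation hold."""
    end = datetime.strptime(scan_end, TS_FMT)
    last = scanner_summary(log_text, scanner_ip)["last_accept"]
    return last is None or last < end - timedelta(minutes=grace_minutes)
```

Run against the real log, a scan that was genuinely cut off shows a last accepted connection well before the audit's end time; one accepted up to the last minute, as in the post, leaves the "blacklisted" explanation with no support.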