The Birth of an Open Source Project 269

We also had to design a database schema with the tables that we would be populating with our program. The NPI program was a great help in this regard, although there were new tables relating to our scheduling that we needed to add. While the dataflow was similar to that of NPI, there were some significant differences. We diagramed this so we could follow all the logical interactions between the systems. Figure 8.11 shows the logical layout of NCC.

We also created a Web site and a Sourceforge page for the project. The Web page is located at www.netsecuritysvcs.com/ncc. While we figured we had enough talent in our group to finish the project, it never hurts to let other people in the open source community know what you are working on. Also, once it was finished, we would need help in porting it to other platforms and adding new features.

So once all the preliminaries were taken care of, we got to work, usually holding weekly meetings to track the progress. Because this was not a full-time effort and we all had day jobs, it took about a year to complete the program, and even that was only a beta version. Still, we had something we could use, and now by leveraging the online community of developers, NCC can be extended and improved. Writing NCC as an open source project certainly required a little more work on the front end than doing it as a private project because we had to do the research on existing programs and integrate the code bases, but we were able to leverage existing code bases, which cut our total development time down considerably. Also, we knew that if it became popular, it might get ported to other platforms or even used as the base for an even bigger program, which would only help us. All in all, the experience was a real win/win for my company and other users out there.

Figure 8.11 NCC Logical Design
[Figure: the NCC MySQL database (tables Groups, Companies, Users, Targets, Schedules) sits between the PHP front end on a PHP Web server, the ncc.pl scheduler, and the NCC client, which drives one or more Nessus servers scanning the target networks.] The ncc.pl program module queries the database and places scheduled scans in the queue. The NCC client takes events out of the queue, sends the scan commands to the Nessus server(s), and posts the results. The NCC front end allows viewing of the results through a standard Web browser.

Howlett_CH08.fm Page 269 Thursday, June 24, 2004 9:54 PM
270 Chapter 8 • Analysis and Management Tools

Installing NCC

NCC has requirements similar to those of the NPI tool described earlier in this chapter. You need a PHP-compliant Web server (such as Apache), a MySQL database, and a Nessus server and client. NCC assumes you already have these installed and running. If you don’t, refer to the sections earlier in this chapter on how to set up Apache and MySQL, and to Chapter 5 for instructions on installing Nessus. When these are in place you can install NCC.

1. Download the program or get it from the book’s CD-ROM.
2. Unpack and unzip the program into its own directory, making sure the directory is in your path.
3. Change into the NCC directory and type ./install.pl. This runs the NCC installation script. (You don’t have to compile NCC because it is programmed in interpreted languages such as Perl and PHP.) The install program first checks for the presence of the Perl modules required for NCC.
If it doesn’t find them, you have to load the appropriate module(s) either from your distribution disks or using the CPAN utilities described in the “Installing Swatch” section earlier in this chapter.
4. The program automatically initializes your database and copies all the files into the appropriate places. During the installation you are prompted for some input. Table 8.7 describes these installation settings.

Table 8.7 NCC Installation Settings

Setting: Description
NCC user: This is a system account that NCC will run as. It is recommended that you create a special user account just for NCC.
Installation directory: You can choose one of the two standard locations, /usr/local/ncc or the current directory, or you can specify your own.
NCC Administrator e-mail: The e-mail address of the NCC administrator who will get all the daily activity reports.
From address for results: The address that the reports will appear to come from (important for spam filters).
Name of MySQL server: Host name or IP address of your NCC MySQL server, which should be localhost if it is running on the same machine.
Name of database for NCC: The name of the MySQL database that will be created by the install script. The default of ncc is fine for most installations.
MySQL user: A valid user on the MySQL system. You should create one specifically for NCC.
MySQL password: Password for the above user.
Nessus server: Host name or IP address of your Nessus server. This is localhost if you are running Nessus and NCC on the same machine.
Nessus port: The port to connect to on the Nessus server. The default of 1241 is correct unless you have changed this on your Nessus server.
Nessus username: A valid user on that Nessus server.
Nessus password: The password for the above user.
Nessus path: Path to the Nessus executables. The default is correct for the standard Nessus installation.
Temp directory: Where NCC will stage results from your scans before it imports them into the database. You can look here if you want to find the raw .nbe files that were used.

5. You will be prompted for the NCC admin user and password combination. This user will be an administrator of the entire program, so choose this login ID and password carefully.
6. Create a symbolic link from the place in your public Web directories where you want to access NCC. Point this to /html in the root NCC install directory. This will connect you to the main NCC page and to your public Web directories as well as protect the other NCC files from access.
7. You are now ready to run NCC. With the database and Web server running, open a Web browser and enter the host name of your NCC server along with the location you created above. For example, if you created the symlink in /ncc of your Web root directory and your NCC server is ncc.example.com, the URL would look like this:

http://ncc.example.com/ncc

If you were accessing it on the local machine, this would work:

http://localhost/ncc

This displays the NCC login page.
8. Log in with the user name and password you created during the installation process. You can now begin using NCC to automate and schedule your scans.

Using NCC

After you have logged in, the NCC main screen displays (see Figure 8.12). This is where you manage all of your groups, companies, scan targets, and schedules.

NCC was designed to be modular and expandable. For example, you can use NCC to manage multiple scans within one company. However, if you are a consultant, you can create scans for multiple companies that have different profiles.

Figure 8.12 NCC Main Interface
Let’s take it one step further and say that you want to run a security ASP. NCC lets you set up multiple groups, each with its own member companies, for all of your individual agents and consultants selling security scans. (This group management feature will eventually allow for customizable interfaces and front ends, but this feature is not in the beta version.)

You can choose from four main options.

• System admin: These options are available only to the system administrator. This is where you create your groups and perform other system-level functions.
• Group admin: This option is available only to group administrators. These users may add, edit, or delete a group’s company profiles. You would use this function if, for example, you were setting up different companies with a set of targets each could manage. Each group administrator will see only the companies he or she has access to.
• Company admin: This is where you manage the users, target files, and schedules for each company. For example, you may want to have a lower-level system administrator start scans for one division but not for another. You can set those parameters here.
• User functions: This section is available to all users. Here individual users can edit their profile information and perform functions on their accounts such as changing their passwords. They can also access the data from scans that have run.

Let’s take a simple example and walk through the steps of adding users, adding targets, and scheduling a scan. For simplicity, the example assumes you don’t need multi-company and multi-group capabilities.

Adding Users

1. First, you should add a user (other than the system administration user you added earlier). Under Company Admin, click on Add user to add a user who can run scans.
2. Select the company they will belong to from the pull-down box and click on Add.
3. On the User Management screen, fill in the information on your new user (see Figure 8.13). You can select a user name and password here. The password will be starred out and stored as an MD5 hash rather than plain text. Also, select a user type here: System admin, Group admin, Company admin, or User. Note that you will only be able to create users that are at or below the user level you are logged on as. For example, company admins cannot create system admin level users. If you want to edit or delete an existing user, click on Edit/delete from the Main Screen under Company Management.
4. Click on Add, and NCC adds your user to the database. This person can now log on and add scans as part of the company they were added to.

Adding Targets

NCC defines a target as any set of IP addresses and associated scan settings for those addresses. We made a conscious decision when designing the program to separate the target objects from the schedule objects. This allows the program to be much more modular and have greater flexibility. For example, you may want to schedule a certain scan to run at the beginning of each month. However, if a new vulnerability comes out, you might want to scan that target in the middle of the month, just once, to check your vulnerability. NCC allows you to add a one-time scan event to that target rather than changing your monthly scan and then having to change it back so that your monthly scan still runs.

1. To add a target, from the main screen under Company Admin click on Target Mgmt.
2. Pull down the context-sensitive menu to see all the targets that you have access to. If you are a group administrator, it will show you all the targets for every company that you are a member of.
3. Click on Add and the Target Management screen displays (see Figure 8.14). Here you can select the company you are adding this target for.
Give the target a text description, such as DMZ Servers. This name will appear in the drop-down box, so make it specific enough that you can tell what it is.
4. Select a Scan type, indicating whether your scan is of a single address, a subnet, or an address range.

Figure 8.13 NCC User Management Screen

5. Under Scan Value enter the IP address string that corresponds to your targets in Nessus-compliant syntax. Recall from Chapter 5 the allowed formats for Nessus scan strings:

Single IP address: 192.168.0.1
IPs separated by commas: 192.168.0.1,192.168.0.2
IP ranges separated by dashes: 192.168.0.1-192.168.0.254
Using standard slash notation: 192.168.0.1/24 (a class C network of 256 addresses)
A host name: myhost.example.com
Any combination of the above separated by commas: 192.168.0.1-192.168.0.254, 195.168.0.1/24,192.168.0.1-192.168.0.254

Figure 8.14 NCC Target Management

6. Select a scan configuration. The default is the Nessus default scan. There are up to four other scan types you can run. (Future versions will allow for uploading a custom configuration file and also pasting in a text file.)
7. Click on Add, and the target is added. You are now ready to schedule your scan.

Scheduling Your Scan

Once you have created one or more target objects, you can apply scan schedules to them.

1. On the main menu under Company Admin, click on Schedule Management. The Schedule Management screen displays (see Figure 8.15).
2. Select a company and a target within that company. Again, the pull-down menu selections available to you reflect the user level at which you logged in.
3. Select a scan date, time, how often it should run, and how many times to recur. You can have the scan run one time, daily, weekly, monthly, bi-monthly, or quarterly.
(Future versions will support custom recurrence strings in either cron or iCal format.) You can also set the recurrence to happen only for a certain number of times, for example, for a customer who has signed a one-year contract for monthly scans. You can also choose to have it recur continuously, for example, for your own network’s regular monthly scans.

Figure 8.15 NCC Schedule Management Screen

4. Click on Add and your scan will be scheduled. Now you can sit back and wait for the report. The user who created the scan will be notified by e-mail a day before the scan happens (except for daily scans, for which you are notified an hour beforehand), and by another e-mail when the report is available to view.
5. Once your scan has run, you can view it by selecting View reports under User Functions on the main menu. This displays the NCC Scan database screen (see Figure 8.16). This lets you browse the scan data and create custom reports.

You may notice this interface looks similar to the NPI interface reviewed earlier in this chapter. This is because we used the NPI code as a reference in creating this section. NPI is open source and GPL, so as long as we were releasing our code under the GPL and included the copyright information, we were free to use this code. One of the great things about open source development is that it is perfectly acceptable to build on the successes of other people. And someone may build on your work to create something even better still. As long as it is open source, you have full access to any advances and improvements.

This may seem like a lot of work just to do a scan, and it is if you are only doing it once. But when you are managing dozens of scans with multiple users, then NCC is invaluable for keeping track of all this activity.
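The Scan Value formats listed under step 5 of Adding Targets are exactly where a front end should validate what a user types before it is stored in the Targets table and later handed to the Nessus client. The following parser is an added Python example, not NCC’s own Perl or PHP code; the function names, the use of the ipaddress module, and the host-name rule (the last label must contain a letter, so a malformed IP is not silently accepted as a name) are assumptions made here.

```python
import ipaddress
import re

# RFC 1123 host name: dot-separated labels of letters, digits and inner hyphens.
# The last-label check below is an assumption added for this example.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:%s\.)*%s$" % (_LABEL, _LABEL))


def _as_ip(text):
    """Return an ip_address for text, or None if it is not one (helper, not NCC's)."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def parse_target(item):
    """Classify one comma-free item of a Nessus scan string.

    Returns (kind, normalized_text, address_count), or raises ValueError so that
    only the documented forms ever reach the database and the Nessus client."""
    item = item.strip()
    if not item:
        raise ValueError("empty target item")
    if "/" in item:                                  # 192.168.0.1/24 (256 addresses)
        net = ipaddress.ip_network(item, strict=False)
        return ("network", str(net), net.num_addresses)
    if "-" in item:                                  # 192.168.0.1-192.168.0.254
        lo, hi = (_as_ip(p) for p in item.split("-", 1))
        if lo is not None and hi is not None:
            if lo.version != hi.version or lo > hi:
                raise ValueError("bad address range: %s" % item)
            return ("range", "%s-%s" % (lo, hi), int(hi) - int(lo) + 1)
    addr = _as_ip(item)
    if addr is not None:                             # 192.168.0.1
        return ("address", str(addr), 1)
    if len(item) <= 253 and _HOSTNAME_RE.match(item) and not item.split(".")[-1].isdigit():
        return ("hostname", item.lower(), 1)         # myhost.example.com
    raise ValueError("unrecognized target: %r" % item)


def parse_scan_value(scan_value):
    """Split a Scan Value string on commas (spaces after commas allowed) and validate each item."""
    return [parse_target(p) for p in scan_value.split(",")]


def address_count(scan_value):
    """Number of addresses the scan string covers; a host name counts as one."""
    return sum(n for _, _, n in parse_scan_value(scan_value))
```

The address count is useful as a sanity check before a schedule is saved: a typo that turns a /24 into a /8 shows up as a huge number instead of as a week-long scan.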
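The recurrence options from step 3 of Scheduling Your Scan, the fixed-count versus continuous choice, and the notification rule from step 4 (a day ahead, an hour ahead for daily scans) are worked through below as an added Python example; this is not NCC’s code. The frequency names, the clamping of a monthly scan dated the 31st to the last day of shorter months, and the horizon parameter used to bound a continuous schedule are assumptions made here.

```python
from datetime import datetime, timedelta
import calendar

# Step sizes for the schedule types the chapter lists (string names assumed here).
STEP_DAYS = {"daily": 1, "weekly": 7}
STEP_MONTHS = {"monthly": 1, "bi-monthly": 2, "quarterly": 3}
ONE_TIME = "one time"


def add_months(when, months):
    """Advance by whole months, clamping the day so Jan 31 + 1 month lands on Feb 29 (or 28)."""
    index = when.month - 1 + months
    year, month = when.year + index // 12, index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def scan_occurrences(first_run, frequency, count=None, horizon=None):
    """Run times for one schedule: 'count' of them, or continuous up to 'horizon'.

    Month steps are always taken from first_run, so a date clamped in February
    does not drag the rest of the year's scans onto the 29th."""
    if frequency != ONE_TIME and frequency not in STEP_DAYS and frequency not in STEP_MONTHS:
        raise ValueError("unknown frequency: %s" % frequency)
    if count is None and horizon is None:
        raise ValueError("a continuous schedule needs a horizon to expand to")
    runs, i = [], 0
    while count is None or i < count:
        if frequency in STEP_DAYS:
            when = first_run + timedelta(days=i * STEP_DAYS[frequency])
        elif frequency in STEP_MONTHS:
            when = add_months(first_run, i * STEP_MONTHS[frequency])
        elif i == 0:
            when = first_run
        else:
            break                                    # a one-time scan never recurs
        if horizon is not None and when > horizon:
            break
        runs.append(when)
        i += 1
    return runs


def notification_time(run_time, frequency):
    """When the scan's owner is e-mailed: an hour ahead for daily scans, a day otherwise."""
    lead = timedelta(hours=1) if frequency == "daily" else timedelta(days=1)
    return run_time - lead


def queue_entries(first_run, frequency, count=None, horizon=None):
    """(notify_at, run_at) pairs that an ncc.pl-style scheduler could load into its queue."""
    return [(notification_time(r, frequency), r)
            for r in scan_occurrences(first_run, frequency, count, horizon)]
```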
Figure 8.16 NCC Scan Database View

You now have the tools and the knowledge to create a complete intrusion detection and vulnerability scanning system with complex analytical functionality. By using these combinations of tools, you will be able to greatly increase the security of your internal network and external network servers. Together these tools can help you make the most of the time you spend on securing your network. Next, we are going to look at tools to help you keep your data secure inside and outside your network by using encryption tools.