What tools or techniques do you use to check if your server is really secure?
As an administrator you spend quite some time to secure your server but how do you actually know if it really is? Let's say you have a webserver thus port 80 would be open. Also a vpn service so you can secure connect to the server.
So apart from a simple port scan how do you test the security of your server?
Running a vulnerability scanner is a good idea (Nessus is one of them). You'll need some training to have repeatable and results and to allow you to cover a maximum of the security settings. There are firm that will come in do the scan for you. It's cheaper upfront since you pay once and get all the results but having somebody in your organization trained to do these kind of inspection will pay off on the long run since you'd want to schedule them on a regular basis. If you decide to go with a tool, I do recommend Nessus with its ProfessionnalFeed since it includes Audit plugin that will detect missing updates, etc.
Outside of vulnerability scans, you'll also want to put in place measures to ensures that your security controls are working. If you're using any type of change detection (like tripwire) to detect unauthorized change on your system you'll want to go and change a binary file on a regular basis (once a month let say) to make sure it gets picked up. If you have a firewall in place, you'll want to test that some system ports are closed. Regular checkup can make a world of difference in my experience.
You'll also want to audit your system update logs. If you are running Windows based server, running the Microsoft Baseline Security Analyzer (currently at version 2.1) on a regular basis will also help ensure your updates are in place and some of the basic policies have be applied.
In addition to using a vulnerability scanner, you might consider hitting the machine with the various features of nmap. This can help you get an idea for what a potential attacker might be able to figure out about your system before trying a real attack. As a side note, I hear that snort is very good for an Intrusion Detection System.
OpenVAS -- Free Software under GNU GPL and a fork of Nessus.
OpenVAS (Open Vulnerability Assessment System) is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.
There are some great 'BlackHat' security evaluation and testing consultancies out there, if you're serious about your business they're worth paying.
Scanning is one piece of the pie. Products like nmap will do a port scan and products like Nessus and Qualys will tell you what they detect with respect to surface area. However, the first place you should start is with a server baseline.
As the name implies, it is the baseline settings you expect your server to have. This includes things like the audit policy with respect to events, what your local security policy sets for permissions, etc. Once you have that baseline, you have something to hold all your servers to. And it makes sense to have multiple baselines, dependent on role. For instance, in the Windows Server 2003 Security Guide, there are different baselines for domain controllers versus member servers.
With a baseline in hand, you'll want to either use your own custom tools (scripting and some free tools) to verify the baseline or you'll want to use a 3rd party tool specifically designed for that, such as Symantec's (formerly BindView's) Control Compliance Suite. Do the scan periodically, check the results. The reason this is important is that there are things which a vulnerability scanner won't report on (such as how you having auditing configured) because it's designed to detect vulnerabilities. But server security involves the configuration, as well.
And with the baseline scanner, you'll want to pair it with the vulnerability scanner. It may also be a good idea to use another tool like a patch management or inventory management tool to make sure your server is kept patched up. The latter also ensures unexpected programs don't get installed without your knowledge.
Some of the open source are the best. Different tools will test different types of vulnerablities.
For external testing see http://www.hackertarget.com
They have free options include sql scans and web server scans, also openvas (open source version of nessus)
