RE: Vulnerability Scanning - Prioritising Remediation

["Mikhail A. Utin" <mutin () commonwealthcare org>]

It all depends on your IDS/IPS configuration and vulnerability scanner as well. Sometimes you even cannot change 
features you do not want at all (see below).
 VSs (and port scanners as well) use SYN half-open.  So, IDS/IPS can react on SYN packets as "SYN flood" and block 
them. Thus, a part of port scanning could be disabled.
Some appliance, for instance SonicWALL, can make your life miserable by disabling both scanning and entire network. 
SonicWALL IDS cannot be removed if comes together with firewall in one appliance. If IPS is enabled (having license) 
then it will block your SYN packets (unless configured otherwise). If IPS is disabled (say, no license for) then IDS 
will be active anyway. It has limited stack for all TCP connections (16K) and will be overloaded by SYN packets pretty 
fast (depends on "insanity" of port scanning). Thus, all other your local network TCP connections will be dropped by 
IDS. No Internet, no email, etc.
That is the example how IDS can affect scanning, and local network as well.

Mikhail A. Utin, CISSP


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of John Morrison
Sent: Wednesday, September 21, 2011 4:20 AM
To: J Teddy
Cc: Securuty Basics Mailing List
Subject: Re: Vulnerability Scanning - Prioritising Remediation

If you have an IPS as part of your security system should you not scan with it switched on? It is one of your controls. 
If you run a VA scan without the IPS won't you get incorrect results?

What do other subscribers to this list do?

Regards




John

On 20 September 2011 06:37, J Teddy <jteddylists () gmail com> wrote:
> I'm currently documenting how to prioritise remediation efforts from 
> my last vulnerability scan.  As my assets have all had information 
> risk assessments conducted, I can easily calculate my CVSS score using 
> the CVSS2 calculator.
>
> I then started thinking about compensating controls in my network 
> where I could possibly lower the priority of the remediation.  For 
> example the SSH vulnerability priority may be lowered as there is a 
> signature for prevention on my IPS.
>
> The question I can not answer is if my IPS has prevention for such a 
> signature, and I'm running a vulnerability scan through that IPS, will 
> my IPS block those packets, with the end result being my VA scan does 
> not detect the vulnerability?
>
> Thanks.
>
> ----------------------------------------------------------------------
> -- Securing Apache Web Server with thawte Digital Certificate In this 
> guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it 
> benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
> install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
> highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be4
> 42f727d1
> ----------------------------------------------------------------------
> --

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential 
and privileged information for the use of the designated recipients named above. If you are 
not the intended recipient, you are hereby notified that you have received this communication 
in error and that any review, disclosure, dissemination, distribution or copying of it or its 
contents is prohibited. If you have received this communication in error, please reply to the 
sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication 
and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, 
please visit our Internet web site at http://www.commonwealthcare.org.


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------