Educause Security Discussion mailing list archives

Re: Vulnerability Scanning Problem


From: Randy Marchany <marchany () CANDI2 CIRT VT EDU>
Date: Fri, 15 Dec 2006 17:41:25 -0500

I've been lurking long enough so I thought I'd throw in my .02.
Forgive the list format but it is Friday afternoon :-).

1. We have a minimum security requirements set for any computer connecting to
our campus. This is defined as a University IT policy. This is the basis for
our vulnerability scans. The requirements are simple:
        - host based access control - usually a host based firewall
        - automated patch updates
        - Antivirus software if appropriate to the OS
Our vulnerability scans primarily check for the host based firewalls.

2. Define the vulnerability scan goals. The debate on whether to allow pings
or not depends on the goal of the ping block. If the goal is to prevent
network mapping, then the goal fails since there are numerous techniques such
as inverse mapping that will allow you to map the network. If the goal is to
verify an established firewall policy blocking pings, then the vulnerability
scan can achieve the goal. If the goal is to verify only allowed ports are
open on hosts, then the vulnerability scan can achieve the goal.

Am I looking for www vulnerabilities? Am I looking for unused services/ports?
You get the idea.

3. There are a variety of scanning strategies/tools in the freeware world.
Tools such as nessus, nmap, Metasploit, hping2, cheops, nxscan (nice),
Purdue's VSC package, paros, webscarab provide you with ways to scan your
nets.  There are certainly a number of good commercial scanners that
accomplish the same thing. I suggest using the freeware tools first in
order to get the experience to evaluate a commercial tool properly.

4. If my scan isn't able to access the device (Host firewall block), then
that's not a bad thing. If I can't see the system easily with my scanner,
chances are a script kiddie scanner won't either. Is this bad? I don't think
so.
However, if the machine doesn't show on one scan and then shows up on a later
scan, there is cause for worry.

        -Randy Marchany
        VA Tech IT Security Office
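
An added example illustrating points 2 and 4 of the post above (this is not part of Randy's message or of any tool he names): two scans of the same subnet are parsed from nmap's grepable (-oG) output, checked against an allowed-port policy ("verify only allowed ports are open"), and diffed so that a host that was invisible in the first scan and shows up in the second, or a host that grew a new open port, is flagged. The scan text, the subnet and the policy set ALLOWED are constructed for the example; the -oG line layout (tab-separated fields, port entries as port/state/proto/owner/service/rpc/version/) is nmap's real format.

```python
"""Compare two nmap -oG runs against a minimum-security port policy.

Example code written for this thread; the scan data below is constructed,
not captured from a real network.
"""
import re

# Constructed sample output in nmap's grepable (-oG) format (two weekly runs).
# 10.0.0.5 answers host discovery but exposes no ports (host firewall).
SCAN_WEEK1 = """\
# Nmap 7.80 scan initiated as: nmap -sS -oG - 10.0.0.0/29
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (999)
Host: 10.0.0.5 ()\tStatus: Up
# Nmap done
"""

SCAN_WEEK2 = """\
# Nmap 7.80 scan initiated as: nmap -sS -oG - 10.0.0.0/29
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (999)
Host: 10.0.0.4 ()\tStatus: Up
Host: 10.0.0.4 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.0.0.5 ()\tStatus: Up
# Nmap done
"""

# Hypothetical campus policy: only these (port, protocol) pairs may be open.
ALLOWED = {(22, "tcp"), (443, "tcp")}

# port/state/protocol/ -- the first three fields of each -oG port entry.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {ip: set of (port, proto)} for every host nmap reported.

    A host that appears only with a 'Status: Up' line gets an empty set,
    so a firewalled-but-alive host is still tracked between runs.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]          # "Host: 10.0.0.2 ()" -> "10.0.0.2"
        open_ports = hosts.setdefault(ip, set())
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for port, state, proto in PORT_RE.findall(field[len("Ports: "):]):
                    if state == "open":
                        open_ports.add((int(port), proto))
    return hosts


def policy_violations(hosts, allowed=ALLOWED):
    """Hosts exposing ports outside the allowed set, with the offending ports."""
    return {
        ip: sorted(ports - allowed)
        for ip, ports in hosts.items()
        if ports - allowed
    }


def diff_scans(before, after):
    """What changed between two runs: new/vanished hosts and new open ports.

    new_ports only covers hosts seen in both runs; a brand-new host is
    reported under new_hosts with all of its ports in the 'after' dict.
    """
    new_hosts = sorted(set(after) - set(before))
    gone_hosts = sorted(set(before) - set(after))
    new_ports = {
        ip: sorted(after[ip] - before[ip])
        for ip in after
        if ip in before and after[ip] - before[ip]
    }
    return {"new_hosts": new_hosts, "gone_hosts": gone_hosts, "new_ports": new_ports}


if __name__ == "__main__":
    week1, week2 = parse_grepable(SCAN_WEEK1), parse_grepable(SCAN_WEEK2)
    print("policy violations this week:", policy_violations(week2))
    print("changes since last week:", diff_scans(week1, week2))
```

Run weekly against the saved -oG output of the previous run; anything in new_hosts is exactly the "didn't show on one scan, shows up on the next" case, and anything in new_ports or policy_violations is a host that has drifted from the minimum-requirements baseline.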
