Medium Scale Scanning Best Practices

[swlodin () iquest net]

Good day,

I'm looking for advice into best practices for periodic scanning of a network
on a medium scale.  Here are my definitions:

Frequency
---------
Continuous - near real-time
Periodic - weekly/monthly <--------- me
One time - duh

Scale
-----
Small - a few hosts or maybe a /24 network or two
Medium - many networks, up to /16 types <----------- me
Large - global Internet or many /8 types

Testing Activity **
-------------------
Footprinting
Scanning <----------- me
Enumeration
Penetration

** Taken from Hacking Exposed by the Foundstone guys

I have a global network of many /16 through /26 networks.  I'd like to develop
an inventory of, primarily, machine/OS/Services.  I'd prefer to have this relatively
up-to-date, but not manually performed.  Ultimately, I'd like to have a resource
that could help me identify vulnerable devices given the discovery of a new
vulnerability rather than having to scan the entire network each time.

For example, the next IIS vulnerability hits.  I'd like to have a quick answer
to the question, "what devices are vulnerable".  It doesn't matter if the answer
is the result of "list all Windows OS devices with port 80 or 443 open".

What are the best practices in this area?  I have a cobbled-together solution
using nmap that I'm ready to test, but if there is a better low-cost solution
I am interested.  I've seen ndiff (nmap diff), but I'm not sure that it would
be easy
to modify that to suit my requirements.  How are you dealing with
this situation?

Thanks!

Steve

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/