Educause Security Discussion mailing list archives

Re: Vulnerability Scanning Problem


From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 12 Dec 2006 09:07:39 -0600

The University of Cincinnati is using Rapid7's NeXpose as our 
OS level vulnerability scanner.  Last week, we scanned 57 IP 
addresses and only got returns on 14.  We believe the reason 
is that Microsoft SP2 installed the firewall with ICMP 
blocked.  We don't necessarily want to have it unblocked for 
all devices, but we need to be able to scan our devices on 
all subnets.  Has anyone experienced this problem and have 
you been able to find any workarounds without opening things up?

We hit a similar problem, with scans slowing down to a halt, a couple
of years back, although at the time the cause was slightly different
(had to do with VLANs, never quite worked out the details of why!)

A hack solution that worked for us was to scan on the fly as soon
as we became aware of the presence of an IP address which we got
from a sniffer at the edge of the network.  You need to be careful
not to do this *every* time an IP pops up, but you also need to
catch changes of IP/ARP pairs from people asking for a new DHCP
allocation.  It can get tricky.  arpwatch is fairly useful; also
arpscan if you have access to all your internal segments with no
routers between you.  If you *do* have routers in the mix, it's
actually relatively easy to enumerate the routers' arp tables
with snmp and get all the info you need that way.

I guess a system that never communicated externally would never be
detected, but how many systems never even do a DNS lookup???

We tweaked the source of nmap a little to handle timeouts in a more
friendly way and to reduce timeout periods to something appropriate
for a fast internal network.

As has been pointed out, with so many Windoze PCs now running soft
firewalls, the utility of internal scanning is greatly reduced.  You
need to start looking at other methods of network management, such
as 802.1x, locking down switch ports, and Active Directory and SMS
management.

And remember, if someone has opened a port and is up to no good, there's
a chance that they've restricted access to that port to a specific set
of IPs, so again you need to rely on a sniffer rather than a scanner
because your scanner won't be able to connect to it.


G
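The "scan on the fly when a sniffer sees a new IP/ARP pair, but not every time an IP pops up" idea from the reply above, as an added illustration that is not code from the thread or from arpwatch: it parses arpwatch-style syslog lines (constructed sample, modelled on arpwatch's "new station", "changed ethernet address" and "flip flop" messages), queues a host for scanning only when the pair is new or its MAC changed, and applies a per-IP cooldown so a flapping ARP entry cannot drive the scanner in a loop.

```python
import re
from datetime import datetime

# Constructed sample modelled on arpwatch syslog output (not a real capture).
SAMPLE_LOG = """\
Dec 12 09:00:01 sniffer arpwatch: new station 10.1.2.10 0:1:2:3:4:5 eth0
Dec 12 09:00:05 sniffer arpwatch: new station 10.1.2.11 0:1:2:3:4:6 eth0
Dec 12 09:01:10 sniffer arpwatch: new station 10.1.2.10 0:1:2:3:4:5 eth0
Dec 12 09:15:30 sniffer arpwatch: changed ethernet address 10.1.2.10 0:1:2:3:4:7 (0:1:2:3:4:5) eth0
Dec 12 09:15:45 sniffer arpwatch: flip flop 10.1.2.10 0:1:2:3:4:5 (0:1:2:3:4:7) eth0
Dec 12 09:16:00 sniffer arpwatch: flip flop 10.1.2.10 0:1:2:3:4:7 (0:1:2:3:4:5) eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ arpwatch: "
    r"(?P<kind>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-fA-F:]+)"
)

def norm_mac(mac):
    """arpwatch prints unpadded hex groups (0:1:2:3:4:5); pad for stable comparison."""
    return ":".join(p.lower().zfill(2) for p in mac.split(":"))

class ScanTrigger:
    """Queue a host when first seen or when its MAC changes, but never the
    same IP twice within `cooldown` seconds (tames ARP flip-flops)."""
    def __init__(self, cooldown=600):
        self.cooldown = cooldown
        self.known = {}       # ip -> MAC last seen
        self.last_scan = {}   # ip -> timestamp of last queued scan

    def process(self, line):
        m = LINE_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip, mac = m["ip"], norm_mac(m["mac"])
        prev = self.known.get(ip)
        self.known[ip] = mac
        if prev == mac:
            return None  # same pair re-announced: nothing new to scan
        last = self.last_scan.get(ip)
        if last is not None and (ts - last).total_seconds() < self.cooldown:
            return None  # pair changed, but this IP was queued too recently
        self.last_scan[ip] = ts
        return (ip, mac, "new" if prev is None else "changed")

def hosts_to_scan(log_text, cooldown=600):
    """Return the (ip, mac, reason) tuples a scanner should act on, in order."""
    trigger = ScanTrigger(cooldown)
    return [ev for ev in map(trigger.process, log_text.splitlines()) if ev]
```

With the default ten-minute cooldown the sample yields three scan jobs; the two flip-flops inside the window are suppressed.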