Educause Security Discussion mailing list archives
Re: Vulnerability Scanning Problem
From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 12 Dec 2006 09:07:39 -0600
The University of Cincinnati is using Rapid7's NeXpose as our OS level vulnerability scanner. Last week, we scanned 57 IP addresses and only got returns on 14. We believe the reason is that Microsoft SP2 installed the firewall with ICMP blocked. We don't necessarily want to have it unblocked for all devices, but we need to be able to scan our devices on all subnets. Has anyone experienced this problem and have you been able to find any workarounds without opening things up?
We hit a similar problem, with scans slowing down to a halt, a couple of years back, although at the time the cause was slightly different (had to do with VLANs, never quite worked out the details of why!). A hack solution that worked for us was to scan on the fly as soon as we became aware of the presence of an IP address, which we got from a sniffer at the edge of the network. You need to be careful not to do this *every* time an IP pops up, but you also need to catch changes of IP/ARP pairs from people asking for a new DHCP allocation. It can get tricky.

arpwatch is fairly useful; also arpscan if you have access to all your internal segments with no routers between you. If you *do* have routers in the mix, it's actually relatively easy to enumerate the routers' ARP tables with SNMP and get all the info you need that way. I guess a system that never communicated externally would never be detected, but how many systems never even do a DNS lookup???

We tweaked the source of nmap a little to handle timeouts in a more friendly way and to reduce timeout periods to something appropriate for a fast internal network.

As has been pointed out, with so many Windoze PCs now running soft firewalls, the utility of internal scanning is greatly reduced. You need to start looking at other methods of network management, such as 802.1x, locking down switch ports, and Active Directory and SMS management.

And remember, if someone has opened a port and is up to no good, there's a chance that they've restricted access to that port to a specific set of IPs, so again you need to rely on a sniffer rather than a scanner, because your scanner won't be able to connect to it.

G
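The approach Graham describes (enumerate router ARP tables over SNMP, then scan only on new or changed IP/MAC pairs rather than sweeping every address) as an added example; this is not code from the thread. It assumes net-snmp style `snmpwalk` output over `ipNetToMediaPhysAddress`, uses a constructed sample walk with made-up addresses, and leaves the hand-off to nmap or NeXpose as a hypothetical caller's job.

```python
"""Trigger targeted scans from ARP-table changes instead of blind ICMP sweeps."""
import re
from datetime import datetime, timedelta

# Constructed sample of an snmpwalk over ipNetToMediaPhysAddress (IP-MIB,
# OID 1.3.6.1.2.1.4.22.1.2) on a router; the index is ifIndex.ipAddress.
# Addresses are made up for illustration.
SAMPLE_WALK = """\
IP-MIB::ipNetToMediaPhysAddress.3.10.1.1.20 = STRING: 0:1c:42:a1:b2:c3
IP-MIB::ipNetToMediaPhysAddress.3.10.1.1.21 = STRING: 0:1c:42:a1:b2:c4
IP-MIB::ipNetToMediaPhysAddress.5.10.2.7.9 = STRING: 0:50:56:9a:1:2
"""
LINE_RE = re.compile(
    r"ipNetToMediaPhysAddress\.\d+\.(\d+\.\d+\.\d+\.\d+) = STRING: ([0-9a-f:]+)",
    re.IGNORECASE)

def parse_walk(text):
    """Map IP -> MAC from snmpwalk output; net-snmp drops leading zeros, so pad them."""
    pairs = {}
    for m in LINE_RE.finditer(text):
        mac = ":".join(octet.zfill(2) for octet in m.group(2).lower().split(":"))
        pairs[m.group(1)] = mac
    return pairs

class ArpTracker:
    """Remember IP/MAC pairs across snapshots and decide which IPs to scan."""

    def __init__(self, cooldown=timedelta(hours=6)):
        self.pairs = {}       # ip -> last MAC seen (kept even if the host goes quiet)
        self.last_scan = {}   # ip -> time a scan was last queued
        self.cooldown = cooldown   # assumed value; tune to your scan capacity

    def update(self, walk_text, now):
        """Feed one ARP snapshot; return [(ip, reason)] worth scanning now."""
        to_scan = []
        for ip, mac in parse_walk(walk_text).items():
            old = self.pairs.get(ip)
            self.pairs[ip] = mac
            if old is None:
                reason = "new host"                    # IP never seen before
            elif old != mac:
                reason = f"mac changed {old}->{mac}"   # different box behind a reused lease
            elif now - self.last_scan[ip] >= self.cooldown:
                reason = "periodic rescan"             # same box, but results are stale
            else:
                continue                               # known pair, scanned recently: skip
            self.last_scan[ip] = now
            to_scan.append((ip, reason))               # caller hands these to the scanner
        return to_scan
```

Feeding the tracker a fresh walk every few minutes gives you the "scan on the fly" behaviour without re-scanning a host each time its lease renews, while a MAC change on a known IP still triggers a scan immediately.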