Educause Security Discussion mailing list archives

Re: Vulnerability Scanning Problem


From: Curt Wilson <curtw () SIU EDU>
Date: Tue, 12 Dec 2006 16:58:36 -0600

Without some type of agent on the client I don't see how you can get a
good picture of client-side hosts with network-only assessment. Perhaps
the combination of network scanning and something passive like p0f or a commercial
equivalent (doesn't Tenable offer something in this vein?) could add
extra value. I also recall experimenting with hping and being able to
bypass the Windows firewall enough to get a response, but that was
probably on a flat network and might not scale well, and it doesn't really
solve the problem if no ports are opened, or they are ACL'ed.

Wyman Miles wrote:
We've seen the same phenomenon with Nessus and firewalled hosts.  If using
the default port scanner (which is just nmap under the hood), it'll try an
ICMP echo-request and a TCP SYN to a probable port like 80.  If the echo
goes unanswered, and the SYN probe isn't met with either a handshake or a
port-unreach/admin-prohibited, it concludes the host is dead.

What we've seen out of several flavors of Windows firewall, is that the
practice of eating the SYN probes in silence effectively tar-pits the
scanner.  Scans of even small networks can take unacceptably long to finish.

Coupling your scanner to ARP table mining only goes so far.  The host might
be up, but if the firewall ropes in the scanner and won't let it go, you'll
still get nothing.  And persuading the scanner to rattle off SYNs at all
possible open ports is just a recipe for boredom and dissatisfaction.

In the case of Resnet scanning, our unavoidable conclusion is that if we
can't scan, the bad guys can't either.  The host is almost assuredly
vulnerable to something underneath the firewall, but we can't tell.

In the server farm, most of the host-based firewalls (ipfilt/iptables) are
either open to the scan host or are configured to at least be moderately
friendly.

Which opens the debate of how to balance your own scanning needs with a
desire to offer as little information as possible to the bad guys...

Wy


--On Tuesday, December 12, 2006 1:52 AM -0500 Wang Cheng
<ChengW () SACREDHEART EDU> wrote:

Hi Kim,
    It seems odd to me that a vulnerability scanner would skip a host
simply because it can't ping that host.  I would ask your vendor about
that; maybe it's just a misconfiguration.  You might want to take a look
at Nessus (it's free, so no harm in trying), if nothing else at least to
compare results.
    If your users are joined to your domain, you can push a Windows
Firewall policy to allow ICMP echo reply, then on the network side permit
ICMP only from your scanner's IP to traverse to your hosts.  I would not
recommend doing this, though.

Regards,
    Wang Cheng
    Information Security Officer
    Sacred Heart University
    chengw () sacredheart edu


__________________________________________________
From: Logan, Kimberly (loganks) [mailto:LOGANKS () UCMAIL UC EDU]
Sent: Monday, December 11, 2006 3:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vulnerability Scanning Problem

Hi Everyone,

Sorry if this has already been discussed, but....

The University of Cincinnati is using Rapid7's NeXpose as our OS level
vulnerability scanner.  Last week, we scanned 57 IP addresses and only
got returns on 14.  We believe the reason is that Microsoft SP2 installed
the firewall with ICMP blocked.  We don't necessarily want to have it
unblocked for all devices, but we need to be able to scan our devices on
all subnets.  Has anyone experienced this problem and have you been able
to find any workarounds without opening things up?

Thanks,

Kim

Kim Logan
Information Security Officer
University of Cincinnati
(513)556-9070
kim.logan () uc edu





Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421

--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
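Wyman's description of the echo-request-plus-SYN liveness heuristic, and why silently dropped probes tar-pit the scanner, can be made concrete with a small model. This is an added illustration, not Nessus or nmap code and not anything from the thread; the timeout, retry count and per-host behaviours are assumed, and the 14-of-57 host mix is constructed to mirror Kim's numbers.

```python
from dataclasses import dataclass
from typing import List, Optional

# Response vocabulary for this model (constructed, not real scanner output).
ECHO_REPLY, SYN_ACK, RST, ICMP_UNREACH = "echo-reply", "syn-ack", "rst", "icmp-unreach"
SILENCE = None  # the probe timed out without any answer

@dataclass
class Probe:
    kind: str               # "icmp-echo" or "tcp-syn"
    response: Optional[str]
    elapsed: float          # seconds the scanner spent waiting on this probe

def host_is_alive(probes: List[Probe]) -> bool:
    """Any answer at all (even a RST or an ICMP unreachable) proves a live
    stack; the scanner only declares 'dead' after total silence."""
    return any(p.response is not SILENCE for p in probes)

def discovery_time(probes: List[Probe]) -> float:
    return sum(p.elapsed for p in probes)

def simulate_host(behaviour: str, timeout: float = 2.0, retries: int = 3) -> List[Probe]:
    """Probe sequence one host produces (assumed timeout/retry values).
    'open'   - answers echo and SYN immediately
    'reject' - drops echo, but the firewall answers the SYN with an unreachable
    'drop'   - SP2-style Windows firewall: every probe eaten in silence"""
    fast = 0.01
    if behaviour == "open":
        return [Probe("icmp-echo", ECHO_REPLY, fast), Probe("tcp-syn", SYN_ACK, fast)]
    echo_silent = [Probe("icmp-echo", SILENCE, timeout) for _ in range(retries)]
    if behaviour == "reject":
        return echo_silent + [Probe("tcp-syn", ICMP_UNREACH, fast)]
    if behaviour == "drop":
        return echo_silent + [Probe("tcp-syn", SILENCE, timeout) for _ in range(retries)]
    raise ValueError(behaviour)

def scan_summary(behaviours: List[str], timeout: float = 2.0, retries: int = 3) -> dict:
    """Sequential scan: hosts reported alive, and how long discovery alone takes."""
    alive, seconds = 0, 0.0
    for b in behaviours:
        probes = simulate_host(b, timeout, retries)
        alive += host_is_alive(probes)
        seconds += discovery_time(probes)
    return {"alive": alive, "seconds": round(seconds, 2)}

if __name__ == "__main__":
    # Constructed to mirror the thread: 57 addresses, 14 answering, the rest silent.
    print(scan_summary(["open"] * 14 + ["drop"] * 43))
```

The silent hosts are scored dead even though they are up, and each one costs the full timeout times retries for both probe types, which is the tar-pit effect; a rejecting firewall by contrast is both detected and cheap.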
