Educause Security Discussion mailing list archives
Re: Vulnerability Scanning Problem
From: Curt Wilson <curtw () SIU EDU>
Date: Tue, 12 Dec 2006 16:58:36 -0600
Without some type of agent on the client I don't see how you can get a good picture of client-side hosts with network-only assessment. Perhaps the combination of network assessment and something passive like p0f or a commercial equivalent (doesn't Tenable offer something in this vein?) could add extra value. I also recall experimenting with hping and being able to bypass the Windows firewall enough to get a response, but that was probably on a flat network and might not scale well, and it doesn't really solve the problem if no ports are opened or ACL'ed.

Wyman Miles wrote:

We've seen the same phenomenon with Nessus and firewalled hosts. If using the default port scanner (which is just nmap under the hood), it'll try an ICMP echo-request and a TCP SYN to a probable port like 80. If the echo goes unanswered, and the SYN probe isn't met with either a handshake or a port-unreach/admin-prohibited, it concludes the host is dead.

What we've seen out of several flavors of Windows firewall is that the practice of eating the SYN probes in silence effectively tar-pits the scanner. Scans of even small networks can take unacceptably long to finish. Coupling your scanner to ARP table mining only goes so far. The host might be up, but if the firewall ropes in the scanner and won't let it go, you'll still get nothing. And persuading the scanner to rattle off SYNs at all possible open ports is just a recipe for boredom and dissatisfaction.

In the case of Resnet scanning, our unavoidable conclusion is that if we can't scan, the bad guys can't either. The host is almost assuredly vulnerable to something underneath the firewall, but we can't tell. In the server farm, most of the host-based firewalls (ipfilt/iptables) are either open to the scan host or are configured to at least be moderately friendly. Which opens the debate of how to balance your own scanning needs with a desire to offer as little information as possible to the bad guys...

Wy

--On Tuesday, December 12, 2006 1:52 AM -0500 Wang Cheng <ChengW () SACREDHEART EDU> wrote:

Hi Kim,

It seems odd to me that a vulnerability scanner would skip a host simply because it can't ping that host. I would ask your vendor about that; maybe it's just a misconfiguration. You might want to take a look at Nessus (it's free, so no harm in trying), if nothing else at least to compare results. If your users are joined to your domain, you can push a Windows Firewall policy to allow ICMP echo reply, then on the network side permit ICMP only from your scanner's IP to traverse to your hosts.

I would not recommend doing this though.

Regards,
Wang Cheng
Information Security Officer
Sacred Heart University
chengw () sacredheart edu

__________________________________________________
From: Logan, Kimberly (loganks) [mailto:LOGANKS () UCMAIL UC EDU]
Sent: Monday, December 11, 2006 3:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vulnerability Scanning Problem

Hi Everyone,

Sorry if this has already been discussed, but.... The University of Cincinnati is using Rapid7's NeXpose as our OS level vulnerability scanner. Last week, we scanned 57 IP addresses and only got returns on 14. We believe the reason is that Microsoft SP2 installed the firewall with ICMP blocked. We don't necessarily want to have it unblocked for all devices, but we need to be able to scan our devices on all subnets. Has anyone experienced this problem and have you been able to find any workarounds without opening things up?

Thanks,
Kim

Kim Logan
Information Security Officer
University of Cincinnati
(513)556-9070
kim.logan () uc edu

Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
-- Curt Wilson IT Network Security Officer Southern Illinois University Carbondale 618-453-6237 GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
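The thread above describes the core problem: nmap-style host discovery (ICMP echo plus a TCP SYN to one likely port) declares a host dead when a Windows firewall drops both in silence, and retrying against that silence tar-pits the scan. Wyman mentions coupling the scanner to ARP table mining as a partial fix. The following is an added example, not code from any poster or from Nessus, NeXpose or nmap: it parses a constructed `arp -an` listing taken from a device on the target segment, identifies hosts that answered ARP (so are up at layer 2) but that discovery missed, and builds an nmap command that skips discovery (`-Pn`) with bounded retries and a host timeout so silent drops cost a fixed amount of time rather than an open-ended one. The IPs, MACs and the "scanner said alive" set are constructed, and the port list in the command is an arbitrary illustrative choice.

```python
"""
Added example (not from the thread): mine an ARP table for hosts that a
scanner's ICMP/TCP-SYN discovery missed, then build a follow-up nmap
command that skips discovery and bounds retries so silent SYN drops
cannot tar-pit the scan. All sample input below is constructed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample of `arp -an` output captured on a host or gateway
# attached to the 10.20.1.0/24 segment being scanned.
SAMPLE_ARP_OUTPUT = """\
? (10.20.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.20.1.15) at 00:11:22:33:44:0f [ether] on eth0
? (10.20.1.23) at 00:11:22:33:44:17 [ether] on eth0
? (10.20.1.40) at <incomplete> on eth0
? (10.20.1.77) at 00:11:22:33:44:4d [ether] on eth0
? (192.168.5.9) at 00:11:22:33:44:99 [ether] on eth1
"""

# Constructed: the hosts that default discovery (echo + SYN/80) reported up.
SCANNER_ALIVE = {"10.20.1.1", "10.20.1.15"}

_ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC for resolved entries only.

    An '<incomplete>' entry means our own ARP request went unanswered; that
    is not evidence that anything is there, so it is deliberately skipped.
    """
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def silently_filtered_hosts(arp_table: Dict[str, str],
                            scanner_alive: Iterable[str],
                            network: str) -> List[str]:
    """Hosts inside `network` that answered ARP but the scanner called dead.

    A host that answers ARP is up at layer 2. If discovery still missed it,
    its firewall is eating the ICMP echo and the SYN probe in silence, which
    is exactly the case the scanner's own logic cannot distinguish from
    "nothing at this address".
    """
    net = ipaddress.ip_network(network, strict=False)
    alive = set(scanner_alive)
    missed = [ip for ip in arp_table
              if ipaddress.ip_address(ip) in net and ip not in alive]
    return sorted(missed, key=ipaddress.ip_address)


def nmap_rescan_args(hosts: List[str]) -> List[str]:
    """Argument vector for re-scanning hosts whose liveness is already known.

    -Pn            skip host discovery; treat every listed target as up
    --max-retries  stop re-sending probes that are clearly being dropped
    --host-timeout abandon a host that eats everything instead of hanging
    -p             a bounded port list (illustrative choice) rather than all
                   65535, since every unanswered port costs retransmit time
    -PR (ARP ping) is the alternative when the scanner sits on the same
    segment, but ARP does not cross a router, so mining the ARP table on
    each segment's gateway is what scales to a routed campus network.
    """
    if not hosts:
        raise ValueError("no hosts to rescan")
    return [
        "nmap", "-Pn", "-sS",
        "--max-retries", "1",
        "--host-timeout", "5m",
        "-p", "21,22,23,25,80,135,139,443,445,1433,3389",
        "-oA", "rescan-silent-hosts",
    ] + hosts


if __name__ == "__main__":
    arp = parse_arp_table(SAMPLE_ARP_OUTPUT)
    missed = silently_filtered_hosts(arp, SCANNER_ALIVE, "10.20.1.0/24")
    print("up per ARP but missed by discovery:", missed)
    print(" ".join(nmap_rescan_args(missed)))
```

Two caveats a practitioner should keep in mind when using this: ARP entries age out, so a host present in the table may have gone down since the entry was learned, and the table only shows hosts on the segment the capturing device is attached to, so it has to be gathered per subnet (typically from the gateway). Neither changes Wyman's point that a host which answers ARP but nothing else still tells the scanner almost nothing about what is vulnerable underneath the firewall.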
Current thread:
- Vulnerability Scanning Problem Logan, Kimberly (loganks) (Dec 11)
- <Possible follow-ups>
- Re: Vulnerability Scanning Problem Michael Hornung (Dec 11)
- Re: Vulnerability Scanning Problem Wang Cheng (Dec 11)
- Re: Vulnerability Scanning Problem Wyman Miles (Dec 12)
- Re: Vulnerability Scanning Problem Graham Toal (Dec 12)
- Re: Vulnerability Scanning Problem Curt Wilson (Dec 12)
- Re: Vulnerability Scanning Problem Russell Fulton (Dec 12)
- Re: Vulnerability Scanning Problem Curt Wilson (Dec 13)
- Re: Vulnerability Scanning Problem Michael Hornung (Dec 13)
- Re: Vulnerability Scanning Problem Mike Wiseman (Dec 13)
- Re: Vulnerability Scanning Problem Russell Fulton (Dec 13)
- Re: Vulnerability Scanning Problem Curt Wilson (Dec 15)
- Re: Vulnerability Scanning Problem Randy Marchany (Dec 15)