Educause Security Discussion mailing list archives
Re: Scanning Notices
From: Tim Doty <tdoty () MST EDU>
Date: Wed, 31 Aug 2011 14:09:22 -0500
On Wed, 2011-08-31 at 10:16 -0400, Matt Marmet wrote:
Hello Everyone, Here at Armstrong we are looking into scanning our internal networks (desktop and server networks). I was wondering if other institutions were doing this and with what frequency? Also, do you notify the campus that these scans are going to be taking place and, if so, how much lead time do you give the campus? What kind of email or disclaimers do you send out letting people know what the scan includes? We are only looking at basic port scans and such at the moment. Everything we would be doing is non-invasive and not "invading" the users' desktops looking for personal data. Thanks for your replies.
We did and sort of still do constantly scan campus, including the residential networks. It was/is non-stop scanning via Nessus so there were no particular notifications of scanning. At one time we kept the "these IPs are used as sources for scanning" on a public page, but no one outside of IT security really cared so we stopped updating it.

As alluded to above, we have largely stopped scanning. The primary reason for this is the return has been rapidly diminishing. When we first started it up the automated notices to users were helpful in raising awareness and a three-strikes rule (automatic notification to security group) caught those who blew it off. Windows has few externally visible vulnerabilities any more; it's all crunchy on the outside and soft and chewy on the inside where malvertising and web-based malware in general hit it. At the height of the scanning we managed to go through our entire network about twice a day (notifications were throttled to at least 24 hours between).

When we first started scanning we would get (a very small number of) complaints from students. "You're trying to hack my system!" some would say. They were especially proud if they had verbose logging/intrusive alerting to every probe. Good for them. But I don't recall getting a scanning-related complaint in at least a year.

One thing to be ready for is that *anything* and *everything* will be blamed on the scanning. I've had people claim they could tell when they were being scanned because their computer would slow down. When pressed for specific times they never matched up to scanning. I scanned the be-jesus out of my system as a test bed for everything and I couldn't tell any impact -- and I knew when the scan was actually occurring. But scanning is a popular scapegoat.

Printers and scanning are an especially sore point. We use Nessus and it has very good printer detection and you can configure it to stop scanning as soon as the printer is detected as being such. Every time a printer hiccuped we would receive a complaint that our "scanning broke the printer." Most of the time I could show that the printer was not being scanned at the time. The most common real issue is some printers dump everything sent to a particular port to the output (print a page) so the web server scanning plugin would cause a page to print.

In the end I added functionality to our in-house management app to preclude scanning of listed IPs, IP ranges, hostnames, etc. It wasn't much utilized (amazing how rarely it is actually a problem given the number of complaints) but it sure helped smooth feathers to have a way to stop the scans from occurring.

Tim Doty
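As an added illustration (not code from Tim's in-house app or from Nessus), here is how the pieces he describes fit together in Python: an exclusion list that accepts IPs, CIDR blocks, first-last ranges and hostnames, a 24-hour throttle on notices, and a three-strikes escalation to the security group. The class and function names, the sample addresses and the timeline in `demo()` are all constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta

def parse_exclusion(entry):
    """Bare IP, CIDR, 'first-last' range, or hostname -> (networks, hostname)."""
    entry = entry.strip()
    if "-" in entry:
        try:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return list(ipaddress.summarize_address_range(lo, hi)), None
        except (ValueError, TypeError):
            pass  # a hyphenated hostname, not an address range
    try:
        return [ipaddress.ip_network(entry, strict=False)], None
    except ValueError:
        return [], entry.lower()

class ScanPolicy:
    """Exclusion list plus per-host notice throttling and a strikes rule."""
    def __init__(self, exclusions, min_interval=timedelta(hours=24), strikes=3):
        self.networks, self.hostnames = [], set()
        for entry in exclusions:
            nets, host = parse_exclusion(entry)
            self.networks.extend(nets)
            if host:
                self.hostnames.add(host)
        self.min_interval, self.strikes = min_interval, strikes
        self.last_notified, self.count = {}, {}

    def may_scan(self, ip, hostname=None):
        """False if the address or its DNS name is on the exclusion list."""
        if hostname and hostname.lower() in self.hostnames:
            return False
        addr = ipaddress.ip_address(ip)
        return not any(addr in net for net in self.networks)

    def record_finding(self, ip, now):
        """'suppressed' inside the throttle window; otherwise 'notify' the user,
        or 'escalate' to the security group once the strike limit is reached."""
        last = self.last_notified.get(ip)
        if last is not None and now - last < self.min_interval:
            return "suppressed"
        self.last_notified[ip] = now
        self.count[ip] = self.count.get(ip, 0) + 1
        return "escalate" if self.count[ip] >= self.strikes else "notify"

def demo():
    """Constructed findings for one host over three days (not real data)."""
    policy = ScanPolicy(["10.1.2.0/24", "192.168.5.10-192.168.5.20", "lib-printer.example.edu"])
    t0 = datetime(2011, 8, 31, 10, 0)
    hours = [0, 1, 24, 30, 48]  # 1h and 30h re-detections land inside the 24h window
    return [policy.record_finding("172.16.0.4", t0 + timedelta(hours=h)) for h in hours]
```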