Slashdot Mirror


Kinder, Gentler Security Scans?

klausner asks: "I'm working at a large company that is trying to be more thorough about things like network security scanning. When Security told Operations they were planning to do this, there were immediate screams of anguish, and insistence that scans could only be done in the maintenance window, only with prior notice, and with a bunch of other restrictions. Needless to say, this is less than ideal. Given the size of the network, it would take weeks to do a single scan set. However, it is reasonable to take steps to ensure that the scans do not interrupt business traffic, or cause undesirable side effects like crashing target systems. What sort of limits are the readers out there using to ensure safe scanning? Limiting the bandwidth to a fixed percentage? Limiting the number of simultaneous tests? What other kinds of things can I do to limit the scans' effect on network performance?"

5 of 54 comments

  1. For starters you could model your network by foidulus · Score: 3, Informative

    Identify nodes that are more likely to have security holes (i.e. the PHB's desktop), identify the nodes whose performance is most critical, etc.
    That should give you a clue of who to scan and how often to scan them. Probably more intelligent than scanning your whole network all the time.

  2. Profile your network by arrow · Score: 3, Informative

    First run a slow portscan across your network, with clean connection tear-down (i.e. send QUIT to an SMTP server instead of just closing the connection) and look over your results. Operations shouldn't have too much of a problem with this if you do it right.

    Second look at the least common ports. These will be the oddball services that an administrator tossed up to test, or an engineer was trying to sneak past security with, and are most likely to be overlooked when updates are released.

    Third, look at the most common ports. If you have a lot of machines with port 80 open, you should invest some time into researching web vulnerabilities. Same for other protocols. Based on these results you can launch smaller scans within maintenance windows to check for, say, open relays on all machines listening on port 25.

    Building upon this process and fitting it to your situation would be a good course of action. This obviously isn't as in-depth as a good auditing plan should be, but it will get you going in the right direction.

    Also realize that your operations team has a good point, regardless of how concerned about security you are. Don't do like I did and take an off-the-shelf application (Nessus or Cisco Security Scanner) and blast away at your network. I ended up taking down a dozen mission critical devices because the vendor of the hardware in question didn't account for portscans. The devices ended up hanging because they received a connection with no command in it.

    --
    symetrix. We are building a religion, a limited edition.
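One way to do the "slow portscan with clean connection tear-down" the comment above describes, as an added example that is not part of the original thread: a single-connection TCP probe that reads the banner, sends the protocol's own QUIT before closing (so a fragile service is never left holding an empty connection), and a scan loop that bounds both parallelism and probe rate. The goodbye table, the probe order and the local fake SMTP listener are assumptions constructed for the example.

```python
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Protocol-correct "goodbye" per port so a probed service ends its session normally (assumed defaults).
POLITE_GOODBYE = {21: b"QUIT\r\n", 25: b"QUIT\r\n", 110: b"QUIT\r\n", 143: b"a1 LOGOUT\r\n"}

def _recv(sock, n=256):
    try:
        return sock.recv(n)
    except socket.timeout:  # silent service: nothing said, not an error
        return b""

def probe(host, port, goodbye=None, timeout=2.0):
    """Connect once, read any banner, send the protocol's QUIT, then close."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = _recv(s)
            if goodbye:
                s.sendall(goodbye)
                _recv(s, 64)  # wait for the reply (e.g. "221 Bye") so the service closes its side first
        return {"port": port, "open": True, "banner": banner.decode("latin-1").strip()}
    except OSError:  # refused, unreachable or connect timed out: closed/filtered
        return {"port": port, "open": False, "banner": ""}

def slow_scan(host, ports, goodbye_for=POLITE_GOODBYE, max_parallel=2, delay=0.2):
    """Bounded concurrency plus a pause after each probe keeps the load predictable."""
    def worker(port):
        result = probe(host, port, goodbye_for.get(port))
        time.sleep(delay)
        return result
    with ThreadPoolExecutor(max_workers=max_parallel) as pool:
        return list(pool.map(worker, ports))

def fake_smtp_server():
    """Constructed stand-in for an SMTP listener (runs offline); returns (port, quits-seen list)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    quits = []
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"220 mail.test ESMTP\r\n")
                quits.append(conn.recv(64).startswith(b"QUIT"))  # did the scanner say goodbye?
                conn.sendall(b"221 Bye\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], quits
```

Run it against the fake listener with `slow_scan("127.0.0.1", [port], {port: b"QUIT\r\n"})`; the `quits` list shows whether the service saw a QUIT before the connection closed, which is the difference between a scan it tolerates and one that hangs it.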
  3. Get a Good Scanner First by illectro · Score: 2, Informative

    The biggest threat is that many scanners have a habit of crashing services which the developers have never encountered. Sadly, for the open source fans out there, Nessus is particularly bad with their QA and crashes all sorts of stuff even when the DoS tests are turned off. Of the commercial applications Qualysguard (www.qualys.com) does a great job of playing softly softly with the network while still detecting more than anything else out there (at least according to the size of their database). Don't bother considering anything else; other commercial scanners are less capable than Nessus or Qualys. But... if you're worried that a security scan is going to cause adverse effects then you've clearly got security issues with your network. If a system dies under the load of a scan, or if some scan script triggers a DoS on your code then it's a sign that your developers and admins aren't doing their job correctly. Look upon it as a challenge; you should be saying 'Bring it on!'. If you're not confident that an automated security scan won't cause trouble with your system then you should be having nightmares about what a real hacker could do to your network.

  4. Re:fun fun by Trepalium · Score: 2, Informative

    What about the Windows port of Nessus, NeWT? NeWT Pro is a little on the pricey side ($6000), but is only needed by those that will need to scan multiple subnets.

    --
    I used up all my sick days, so I'm calling in dead.
  5. Screw operations. by ngoy · Score: 3, Informative

    I work as a contractor for a big five-letter chip company. I can tell you that security is only second to the fab, and that is because the fab makes money. Unless something crashing is going to cause you millions of dollars an hour, someone needs to decide what is more important: your network being slow because it is being scanned for unpatched systems, or having a nasty version of Sasser erase data, send out confidential information, and completely crash the whole network. And they are even pickier about fab security, because if something does get infected and go down, they are out big bucks.

    Is security in charge of making sure everything is patched also, or is operations in charge and they are trying to cover their ass by making you forewarn them of your scan?

    Your production network should be segmented from the general network, and critical portions of the general network (say, helpdesk, HR, etc.) should be on their own segments. This allows you to scan one entity at a time and if something does break, you have a defined area for your desktop support team to work in.

    Regardless of whether you must wait for a maintenance window for production equipment, who will get the blame if something breaks? Do the scan on the weekend, on test servers, whatever you can do the easiest first. You should have a standard build for servers, desktops, etc., and be able to test those systems and see the effects.

    The release time between an exploit being found and being exploited is growing shorter all the time. What was the lead time for Sasser? Two, three weeks? The netops people here are shutting off the ports of systems that are not patched at the switch level already. The network comes to a crawl while they are doing the scans. And guess what? They do them during the day. Why? Because that is when people are at work! A maintenance window is useless if you cannot guarantee what percentage of your population you are going to hit. So if your window is 1am to 3am, you better be scanning a network full of Indian helpdesk agents.

    --
    --ngoy