Kinder, Gentler Security Scans?

klausner asks: "I'm working at a large company that is trying to be more thorough about things like network security scanning. When Security told Operations they were planning to do this, there were immediate screams of anguish, and insistence that scans could only be done in the maintenance window, only with prior notice, and with a bunch of other restrictions. Needless to say, this is less than ideal. Given the size of the network, it would take weeks to do a single scan set. However, it is reasonable to take steps to ensure that the scans do not interrupt business traffic, or cause undesirable side effects like crashing target systems. What sort of limits are the readers out there using to ensure safe scanning? Limiting the bandwidth to a fixed percentage? Limiting the number of simultaneous tests? What other kinds of things can I do to limit the scans effect on network performance?"

What are your companies priorities

[MerlynEmrys67]

Ok, does security have a priority at your company... Of course it does, doesn't it - No, I mean REALLY have a priority. Do you have a mandate to shut anything down that doesn't follow a certain policy, why isn't monitoring in that policy.

Security is a range, it isn't a switch. If maximum compute power is of upmost important to you - go ahead, turn off all your virus scanners, personal firewalls, etc. . However, if you need security - turn those services on, monitor their compliance, and take the overhead that it requires.

Scanning for security vulnerabilities at night won't do you any good if the PHB takes his laptop home w/ him, or joe user powers off his virus ridden PC every night before heading home. You must scan during the day (again, if that is important to your business).

Experiences

[harikiri]

We've found that certain applications running on erm, VMS or something here at work - will allow only a certain number of connections to a service - and if they aren't closed down properly, will hang. This is perhaps the worst thing we've discovered after performing network scans.

If your company want's you to do scheduled scans during maintenance windows, that is rather simple however. You can implement this with Nessus in command-line mode, called from crontab. Just be certain that when you are configuring your scan, that you do not perform any potential denial of service scans.

But to be honest, I've been blase' a few times and on a whim pointed my Nessus box at our internal exchange server and highly expensive monitoring cluster and scanned away - nothing horrible has come of it - apart from discovering about 10 remote root vulnerabilities on each. That is the main concern from these people I believe, that the security scans will highlight something they know they're slack in - regular patching.

If you run into any departments who point at a particular system and say "don't scan that - it's mission critical", get the highest manager responsible for that system and get him to personally sign off that he's unwilling to allow a scan. Then remind him of recent privacy laws that have come into force. If that mission critical server is holding customer data, and it gets cracked, he or the company may be liable for failing to perform due diligence with regards to securing their data. And you'll have their signoff on paper. ;)

just go slow, and let them get used to it.

[anon+mouse-cow-aard]

Do it in reserved time for the first couple of runs. Have them involved in evaluating the impact of the scans, show them the results. After it is done a few times with no impact, theyll get bored^h^h^h^h^h comfortable with scans and you may be able to schedule them during the day.

They should be scheduled, so that if something does go wrong they can at least ask you to scan again and reproduce the problem, or eliminate your work from the list of suspects. If you do it without telling them and it causes problems that they spend hours or days figuring out, you can bet you will be confined to 3am forever thereafter.

Before sending a single packet

[anticypher]

Know your network!

Before starting, make sure your tools can be configured to avoid scans of sensitive equipment during work hours. You should know exactly where each server and router is on your network, and run scans against them during maintenance windows, when a crash will not impact the company and the admins are available to bring the systems back up.

For lesser important servers, scans should be run only once in a great while. For the vast majority of your IP space, where luser PCs lie, then security scans should be run during the time they will most likely be on, which is during normal work hours.

When you can categorize all of the IP space into levels of importance to corporate revenue, then you need to tune your tools to have as little impact as possible on important systems. This means turning off nasty parts of Nessus, and addressing those threats via other means (mandatory patch rollouts, system level reports). You should not be trying to make anything crash, because that is counter to good security practices. A DoS from the security group is just as effective as a DoS from some blackhats.

If the network is large enough, there should be a budget for multiple scanning machines. Since it can take 20 to 40 minutes to politely scan a single machine, you will need to have machines local to each segment of your network and scan in parallel. There are a number of commercial scanners which will consolodate the reports to a central server.

Automated scans against PCs should run during the day. Some automated scans need to run against infrastructure machines, but since those machines are on 24x7, the scans can be run at night. Manually scan important machines when the admins who can fix them are on hand to see and patch any problems found.

the AC