Slashdot Mirror


Kinder, Gentler Security Scans?

klausner asks: "I'm working at a large company that is trying to be more thorough about things like network security scanning. When Security told Operations they were planning to do this, there were immediate screams of anguish, and insistence that scans could only be done in the maintenance window, only with prior notice, and with a bunch of other restrictions. Needless to say, this is less than ideal. Given the size of the network, it would take weeks to do a single scan set. However, it is reasonable to take steps to ensure that the scans do not interrupt business traffic, or cause undesirable side effects like crashing target systems. What sort of limits are the readers out there using to ensure safe scanning? Limiting the bandwidth to a fixed percentage? Limiting the number of simultaneous tests? What other kinds of things can I do to limit the scans' effect on network performance?"

5 of 54 comments

  1. Heh, ignore 'em. by itwerx · · Score: 2, Interesting

    99% of the stuff you'll be scanning for won't affect them. Sure, keep the DOS tests for after-hours and keep your probe timing to something reasonable (e.g. don't flood-ping across a dial-up) but the rest can be done any time with zero impact...

  2. Re:For starters you could model your network by foidulus · · Score: 2, Interesting

    I'm just saying that you should figure out from past incidents where the danger spots are. You can't predict everything, but handling the most active hotspots would give you an advantage.
    A lot like police work in the real world, they cannot be everywhere at once, but (provided they are honest) they tend to congregate around areas where they have had lots of trouble in the past. This obviously doesn't stop all crime, and it might not even deter all crime in the areas they are patrolling. However, given the impossibility of patrolling (scanning) everywhere, you concentrate most of your effort on ensuring that the most dangerous areas are protected, while not neglecting everyone else.

  3. Don't piss off the users by Anonymous Coward · · Score: 1, Interesting

    Every time there's a new worm the IT geeks for a certain department at a certain Big 10 school port scan the network and throw off computers that haven't installed the latest patch. Then they take weeks to come by and fix the machines. It wouldn't be bothersome if it weren't for the fact that the last time they did this they assured us that we were now set to automatically update patches. I guess unless you run update every hour instead of every couple of days you can't win.

  4. fun fun by m00by · · Score: 2, Interesting

    I perform this function on a network with around 2000 user workstations (don't scan those. I shudder at the thought, but it's not *my* job/area) and about 130+ windows servers. the aix and netware stuff I don't worry so much about, but the aix stuff still gets weekly scans. at the moment, we use ISS internet scanner (http://www.iss.net) which I think sucks big donkey schlong. my preferred scanner is nessus, but I can't use linux on the production network. I weep, like a young child with a skinned knee... but that is beside the point =D I use scheduled batch files to run the scans (within the limitations of the reporting, i.e. 4 hosts at a time) late at night, so as to not impact the users. stuff always gets scanned before going on the network (servers that is, since I build most of them anyway) and sometimes, people even act on the reports of vulnerabilities that I give them! we are moving toward ca vulnerability manager, so it will keep track of all this crap for us, and so I don't have to run the scans. I think.... either way, I'd rather have nessus running on a host on the network, so I could use THAT to schedule scans, or even to do them myself, just to get something that reports accurately, and deeper than stupid ISS... "duh.. you have a vulnerability... I hear that that's bad... you should fix it..." stupid software!!!!!!!!!!!!!!!!!!
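
The throttling knobs the question asks about (a fixed share of the link's bandwidth, a cap on simultaneous tests, an approved scanning window) and the four-hosts-at-a-time batching in comment 4, worked as an added example that is not from the thread: a small scheduler that assigns each host a start time under those limits, so you can see in advance whether a scan set fits in one night or spills into the next window. `ScanLimits`, `bandwidth_budget`, `next_window_open` and `plan_scan` are names of my own, and the host list is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
import heapq

@dataclass(frozen=True)
class ScanLimits:
    max_parallel: int        # hosts probed at once (comment 4 runs 4 at a time)
    max_bytes_per_sec: int   # bandwidth ceiling for the whole scan
    window_start: time       # start of the approved scanning window
    window_end: time         # end of the window; may be earlier than start (crosses midnight)

def bandwidth_budget(link_bps: int, percent: float) -> int:
    """Bytes/sec the scan may use: a fixed percentage of the link's capacity."""
    return int(link_bps / 8 * percent / 100)

def next_window_open(t: datetime, limits: ScanLimits) -> datetime:
    """Return t itself if it lies inside the window, else the next time the window opens."""
    start, end = limits.window_start, limits.window_end
    tod = t.time()
    if start <= end:
        inside = start <= tod < end
    else:                               # window crosses midnight, e.g. 22:00-05:00
        inside = tod >= start or tod < end
    if inside:
        return t
    opens = t.replace(hour=start.hour, minute=start.minute, second=start.second, microsecond=0)
    if opens <= t:
        opens += timedelta(days=1)
    return opens

def plan_scan(hosts, probe_bytes: int, limits: ScanLimits, now: datetime):
    """Give each host a start time honouring concurrency, bandwidth and window limits.
    Returns (host, start, end) tuples in scan order."""
    per_host_rate = limits.max_bytes_per_sec / limits.max_parallel
    duration = timedelta(seconds=probe_bytes / per_host_rate)
    slots = [now] * limits.max_parallel   # one entry per concurrent scanner: when it frees up
    heapq.heapify(slots)
    plan = []
    for host in hosts:
        free_at = heapq.heappop(slots)
        start = next_window_open(free_at, limits)
        end = start + duration
        if next_window_open(end, limits) != end:   # probe would run past the window: defer
            start = next_window_open(end, limits)
            end = start + duration
        plan.append((host, start, end))
        heapq.heappush(slots, end)
    return plan

SAMPLE_HOSTS = [f"srv{i:02d}.example.test" for i in range(1, 11)]   # constructed host list
```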

  5. If you are responsible for security... by jgardn · · Score: 2, Interesting

    Get your job description signed by your boss and verified by the upper-ups. You are responsible for:

    (1) Ensuring that your network is as resistant to attacks of any sort as possible.

    (2) Identifying any attacks and investigating the cause thereof.

    (3) Mitigating the effects of attacks while they are being done.

    With this setup, you should have one more clause: That security specialists should be allowed to do whatever is necessary to fulfill the above three items, even using unconventional methods, provided that:

    (1) They receive (written) permission from the person in charge of all security before implementing a new method.

    (2) Their methods do not interfere with normal business unless required by (3) above (e.g., shutting down mail access in the case of a mail storm).

    With those goals outlined, the security team should be able to use pretty much whatever methods they choose to do their job.

    --
    The radical sect of Islam would either see you dead or "reverted" to Islam.