TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

        Having a switch as an option would be debatable. The main problem is
Internet Scanner's (IS) inability to correctly determine the Operating System
100% of the time. Depending on just how smart some SAs are, they can change
banners, etc., to mask the true OS and misconfigurations of systems
attribute to more. We find about 80% accuracy on OS determination. Depending
on IS to determine OS and then running separate scans is an administrative
mess and doesn't address the problem of running cross-OS services on
systems.  SAMBA on UNIX or NTFS on Windows.  We just run it all... and wind
up with some false positives anyway, because IS can't make up its mind.
Originally I thought ISS said in its docs that they only ran tests
pertinent to the OS so it would be faster.. I guess it doesn't.
        We typically do what we call a MAP scan, just to get a count of
systems by subnet (no tests). This host list is then divided up into
approximately 4 hour long scans. Our laptops can scan approximately 100
systems per hour, so we set up each scan for 350-400 systems. We baseline
our hardware whenever it changes.  The customer's normal operational time is
divided into two segments: 30 min into work start till noon, noon to 30 min
before close, which typically works out to 07:30-11:30, and 11:30-15:30. The
map scan results are then divided into segments of approximately 100 times
the number of hours in a single scan.. in our case 100 * 4 = 400.  And away
we go. 
        If you happen to run over because of traffic or boxes hanging, just
pause the scan and continue the next day. Scanning after close of business
is just scanning dead air unless the customer keeps their systems up 24 x 7.
        Since ISS finally fixed the performance problem with Windows 2000
and IS 6.1, it is now back to running scans like NT 4.0 did with IS 6.01.
What would be nice is either a maximum timeout for systems (for hangs) or
the ability to terminate the scan connection on an individual host WITHOUT
terminating the whole scan.

Hope this helps...

Richard T. Evans   SSCP
   Chief, Computer Defense Assistance Branch

Army Computer Emergency Response Team
   US Army Intelligence and Security Command
   Land Information Warfare Activity
   Fort Belvoir, Virginia 22060-5246
     Com: (703) 706-2057     DSN: 235-2057
     Unclassified Fax - (703) 806-1003
     Classified  Fax -   (703) 806-1165 or DSN 656-1004
     NIPRNET    [EMAIL PROTECTED]
     "Real hackers don't die, their TTL expires."
      "Black holes are where God divided by zero."
      "Security is an illusion.  It's really just called 'risk management'."



-----Original Message-----
From: Gary Flynn [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 27, 2001 11:38 AM
To: [EMAIL PROTECTED]
Subject: Re: Internet Scanner: Estimating time required to complete a scan.




"Wheeler, Patrick (ISSAtlanta)" wrote:
>
> Thanks for the question. "Divide and conquer" is the best approach - divide
> up your hosts into host lists based on OS, and then scan the host lists with
> the appropriate OS-specific policy.

Does anyone else here think it unreasonable that a scanner detect the OS and
run tests appropriate for the discovered OS? Could this be an on/off switch
enabling this behavior for those who like to run all tests against all
platforms?


-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
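
The batching procedure described in the first message (MAP scan host counts, about 100 hosts per hour, two four-hour windows per day), sketched as an added example that is not part of either message or of Internet Scanner. The function names, the weekend skip, and the sample subnet counts are assumptions made for illustration.

```python
from datetime import date, datetime, time, timedelta

HOSTS_PER_HOUR = 100  # baseline rate quoted in the post; re-measure when hardware changes
WINDOWS = [(time(7, 30), time(11, 30)), (time(11, 30), time(15, 30))]  # the post's two segments

def capacity(start, end, rate=HOSTS_PER_HOUR):
    """Hosts one scan can cover in a window: rate * window length in hours."""
    span = datetime.combine(date.min, end) - datetime.combine(date.min, start)
    return int(span.total_seconds() / 3600 * rate)

def slots(first_day, windows=WINDOWS):
    """Yield (day, start, end) forever, skipping weekends (assumption: Mon-Fri customer)."""
    day = first_day
    while True:
        if day.weekday() < 5:
            for start, end in windows:
                yield day, start, end
        day += timedelta(days=1)

def plan_scans(map_counts, first_day, rate=HOSTS_PER_HOUR):
    """Split [(subnet, live_hosts)] from a MAP scan into window-sized scans."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    plan, slot_iter = [], slots(first_day)
    day, start, end = next(slot_iter)
    room, segments = capacity(start, end, rate), []
    for subnet, live in map_counts:
        offset = 0  # index of the first host of this subnet not yet scheduled
        while live > 0:
            if room == 0:  # window full: close this scan and open the next slot
                plan.append({"day": day, "start": start, "end": end, "segments": segments})
                day, start, end = next(slot_iter)
                room, segments = capacity(start, end, rate), []
            take = min(live, room)
            segments.append((subnet, offset, take))  # (subnet, first_host_index, count)
            offset, live, room = offset + take, live - take, room - take
    if segments:
        plan.append({"day": day, "start": start, "end": end, "segments": segments})
    return plan

# Constructed MAP-scan result (documentation/private ranges, not from the post).
SAMPLE_MAP = [("192.0.2.0/24", 180), ("198.51.100.0/24", 250),
              ("203.0.113.0/24", 90), ("10.20.0.0/22", 610)]

if __name__ == "__main__":
    for scan in plan_scans(SAMPLE_MAP, date(2001, 4, 27)):
        hosts = sum(n for _, _, n in scan["segments"])
        print(scan["day"], scan["start"], "-", scan["end"], hosts, scan["segments"])
```

A subnet that does not fit in the room left in a window is split, so the last segment of one scan and the first of the next can name the same subnet with different host offsets.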


