TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

David,

   Exactly. We play by your scenario #2. We assume (and know from
experience) that there are many times when IS does not correctly ID the
OS, for many reasons, not all ISS's fault.  We 'eat' the extra time needed
to run a full scan on every box regardless of OS because a) we don't care if
it is misidentified; the local sysadmin will know for sure, and b) we need
to be able to test cross-platform services anyway. Our tests showed
previously that the extra time was usually less than 10% of the total. Of
course, if you are scanning 7,500 systems, this can equate to an extra day,
but we would rather be a bit more thorough and only have to scan a segment
once, vs. several times, once for each OS.

Rick

Richard T. Evans   SSCP
   Chief, Computer Defense Assistance Branch

Army Computer Emergency Response Team
   US Army Intelligence and Security Command
   Land Information Warfare Activity
   Fort Belvoir, Virginia 22060-5246
     Com: (703) 706-2057     DSN: 235-2057
     Unclassified Fax - (703) 806-1003
     Classified  Fax -   (703) 806-1165 or DSN 656-1004
     NIPRNET    [EMAIL PROTECTED]
     "Real hackers don't die, their TTL expires."
      "Black holes are where God divided by zero."
      "Security is an illusion.  It's really just called 'risk management'."



-----Original Message-----
From: Yong, David [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 01, 2001 1:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Internet Scanner: Estimating time required to complete a scan.


Well that depends on how it is implemented.  Ideally you should have the
scanner detect OS and scan for vulnerabilities connected with that OS.  Here
are the possibilities that go with each scenario as it currently works with
other vendors:

1) The scanner detects the OS accurately:

The scanner detects the OS accurately, and scans the machine with the
appropriate vulnerability checks.  This saves time and finds everything it
would have if you ran all scans on it.

2) If the scanner does not detect the OS because of one thing or another:

By default, the scanner runs all scans.  This may take longer, but it will
find anything that IS is designed to find.

3) The scanner detects the wrong OS:

There are two scenarios in which the scanner would incorrectly detect the OS
(it found NT, and the OS is actually Solaris): accidental or malicious.
This is rare with current scanners out on the market; sometimes it won't
detect the OS, but detecting the wrong one is rare.  If this happens you
simply need to turn off the OS Auto-detect when scanning that area.  The
first couple of times you run it, just pay attention to the signature that it
comes up with and check whether or not it is the correct OS.  In either case
of malicious or accidental, you will want to check it out, and actually it
is cause for alarm anyway.

I also agree with Richard however that there should also be an option to
cancel an individual scan in real time to keep from banging against hosts
that you know aren't there, while letting the full scan continue.



-----Original Message-----
From: Evans, Richard T., LIWA [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 01, 2001 7:02 AM
To: 'Gary Flynn'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Internet Scanner: Estimating time required to complete a scan.




        Having a switch as an option would be debatable. The main problem is
Internet Scanner's (IS) inability to correctly determine the Operating System
100% of the time. Depending on just how smart some SAs are, they can change
banners, etc., to mask the true OS, and misconfigurations of systems
contribute more. We find about 80% accuracy on OS determination. Depending
on IS to determine OS and then running separate scans is an administrative
mess and doesn't address the problem of running cross-OS services on
systems: SAMBA on UNIX or NTFS on Windows.  We just run it all... and wind
up with some false positives anyway, because IS can't make up its mind.
Originally I thought ISS said in its docs that they only ran tests
pertinent to the OS so it would be faster. I guess it doesn't.
        We typically do what we call a MAP scan, just to get a count of
systems by subnet (no tests). This host list is then divided up into
approximately 4-hour-long scans. Our laptops can scan approximately 100
systems per hour, so we set up each scan for 350-400 systems. We baseline
our hardware whenever it changes.  The customer's normal operational time is
divided into two segments: 30 min after work start till noon, and noon to
30 min before close, which typically works out to 07:30-11:30 and
11:30-15:30. The map scan results are then divided into segments of
approximately 100 times the number of hours in a single scan; in our case
100 * 4 = 400.  And away we go.
        If you happen to run over because of traffic or boxes hanging, just
pause the scan and continue the next day. Scanning after close of business
is just scanning dead air unless the customer keeps their systems up 24 x 7.
        Since ISS finally fixed the performance problem with Windows 2000
and IS 6.1, it is now back to running scans like NT 4.0 did with IS 6.01.
What would be nice is either a maximum timeout for systems (for hangs) or
the ability to terminate the scan connection on an individual host WITHOUT
terminating the whole scan.

Hope this helps...

Richard T. Evans   SSCP
   Chief, Computer Defense Assistance Branch

Army Computer Emergency Response Team
   US Army Intelligence and Security Command
   Land Information Warfare Activity
   Fort Belvoir, Virginia 22060-5246
     Com: (703) 706-2057     DSN: 235-2057
     Unclassified Fax - (703) 806-1003
     Classified  Fax -   (703) 806-1165 or DSN 656-1004
     NIPRNET    [EMAIL PROTECTED]
     "Real hackers don't die, their TTL expires."
      "Black holes are where God divided by zero."
      "Security is an illusion.  It's really just called 'risk management'."

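As an added example (not code from the thread or from ISS), a small Python planner that turns MAP-scan results into scan jobs the way Richard's message lays out: each job is sized to the baselined rate times the window length (100 hosts/hour * 4 hours = 400) and jobs are assigned to the two customer windows day by day. The subnet names, host lists and the `margin` knob (to get the 350-400 headroom) are assumptions.

```python
# Added example, not part of the original thread. Plans Internet Scanner
# batches from MAP-scan results: baselined throughput (~100 hosts/hour) and
# the customer's two daily windows (07:30-11:30, 11:30-15:30) decide how many
# hosts go into each job. Subnets and host lists below are constructed data.


def window_hours(start: str, end: str) -> float:
    """Length of an HH:MM to HH:MM window in hours."""
    h1, m1 = map(int, start.split(":"))
    h2, m2 = map(int, end.split(":"))
    return ((h2 * 60 + m2) - (h1 * 60 + m1)) / 60


def batch_size(rate_per_hour: int, hours: float, margin: float = 1.0) -> int:
    """Hosts that fit in one window; margin < 1.0 leaves headroom for hangs."""
    return max(1, int(rate_per_hour * hours * margin))


def plan_scans(map_results, rate_per_hour=100,
               windows=(("07:30", "11:30"), ("11:30", "15:30")), margin=1.0):
    """Split MAP-scan results into window-sized scan jobs, subnet by subnet.

    map_results: {subnet: [host, ...]} from the no-test MAP scan.
    Returns a list of {"day", "window", "hosts"} dicts in scan order.
    """
    hosts = [h for subnet in map_results for h in map_results[subnet]]
    plan, day, i = [], 1, 0
    while i < len(hosts):
        for start, end in windows:
            size = batch_size(rate_per_hour, window_hours(start, end), margin)
            batch = hosts[i:i + size]
            if not batch:          # ran out of hosts before the day's last window
                break
            plan.append({"day": day, "window": f"{start}-{end}", "hosts": batch})
            i += size
        day += 1                   # leftover hosts roll to the next day
    return plan


# Constructed sample MAP results: 950 live hosts across three subnets.
SAMPLE_MAP = {
    "10.1.1.0/24": [f"10.1.1.{n}" for n in range(1, 251)],    # 250 hosts
    "10.1.2.0/24": [f"10.1.2.{n}" for n in range(1, 251)],    # 250 hosts
    "10.1.4.0/23": [f"subnet3-host-{n}" for n in range(450)],  # 450 hosts
}

if __name__ == "__main__":
    for job in plan_scans(SAMPLE_MAP):
        print(f"day {job['day']} {job['window']}: {len(job['hosts'])} hosts")
```

With the sample data this yields two 400-host jobs on day 1 and a 150-host job in the first window of day 2; passing margin=0.9 sizes jobs at 360 instead.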


-----Original Message-----
From: Gary Flynn [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 27, 2001 11:38 AM
To: [EMAIL PROTECTED]
Subject: Re: Internet Scanner: Estimating time required to complete a scan.




"Wheeler, Patrick (ISSAtlanta)" wrote:
> 
> Thanks for the question. "Divide and conquer" is the best approach -
> divide up your hosts into host lists based on OS, and then scan the host
> lists with the appropriate OS-specific policy. 

Does anyone else here think it unreasonable that a scanner detect the OS and
run tests appropriate for the discovered OS? Could this be an on/off switch
enabling this behavior for those who like to run all tests against all
platforms?


-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml


