TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
"Evans, Richard T., LIWA" wrote:
>
> Exactly. We play by your scenario #2. We assume (and know from
> experience), that there are many times when IS does not correctly ID the
> OS, for many reasons, not all ISS's fault. We 'eat' the extra time needed
> to run a full scan on every box regardless of OS because we don't care if a)
> it is misidentified. The local sysadmin will know for sure, and b) we need
> to be able to test cross platform services anyway. Our tests showed
> previously that the extra time was usually less than 10% of the total. Of
> course, if you are scanning 7,500 systems, this can equate to an extra day,
> but we would rather be a bit more thorough and only have to scan a segment
> once, vs. several times, once for each OS.
While I understand your reasons for desiring to do things that way, not
all ISS customers have the same needs as the US Army Intelligence and
Security Command :) That is why I suggested a configurable switch.
I want to be able to scan our student population of 11,000. I definitely
do not want to try and catalog those systems manually before running
scans. (Someone else referred to an administrative nightmare and I
think this qualifies.) Besides cutting down on scanning time, "personal"
computer operators are not trained system administrators. Having false
positives due to inappropriate tests may make them tend to ignore warnings.
Cutting down on scanning time makes it practical to provide an interactive
service to our user base with minimum resources.
For this application, it would be nice to have a switch that may not provide
maximum detection but may still improve overall security by making the reports
more end user friendly.
Will it miss some systems that purposely disguise themselves? Sure. But
if the disguise was installed by the owner, they're probably knowledgeable
enough to install patches regularly and not leave their hard drive
world writable. If the disguise was installed by a system cracker, it's
too late for a vulnerability check anyway. :)
When I asked for a switch to turn off inappropriate tests for the OS,
I didn't mean for it to be a dumb switch that doesn't check for
services based on OS...only vulnerability tests. It should check
for services regardless of OS...for example MS file sharing and
httpd...but only test as appropriate for the platform...don't
check Samba-only vulnerabilities on Windows systems and don't
check IIS-only vulnerabilities on Unix systems.
When I run scans on critical systems, I run all tests and I modify the
port scan configuration to scan all 65,535 ports. The default only
scans 1-1024 and in these days of port configurable remote control
trojans and rootkit-installed SSH daemons I want to know what's running
up there. Of course, that results in very long scanning times.
Ideally, a scanner would try to identify open ports that it
designates as "unknown" to see what service is listening but then
we'd really be talking about long scans :)
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
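The check-selection policy Gary asks for (enumerate services on every host, but gate vulnerability tests on the identified platform behind a configurable switch, falling back to the thorough mode when the OS is unknown), as an added illustration that is not ISS code or anything from the thread; the check catalogue, service names and OS family labels are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str
    service: str           # service that must be seen listening for the check to run
    platforms: frozenset   # OS families the check is meaningful on; empty = any


# Constructed, illustrative catalogue (hypothetical names, not ISS's real test list).
CATALOG = [
    Check("smb-share-writable", "smb", frozenset({"windows", "unix"})),
    Check("samba-config-exposure", "smb", frozenset({"unix"})),
    Check("iis-sample-scripts", "http", frozenset({"windows"})),
    Check("httpd-dir-listing", "http", frozenset()),
    Check("ssh-weak-banner", "ssh", frozenset()),
]


def select_checks(detected_services, os_family, os_filter=True, catalog=CATALOG):
    """Return the names of the checks to run against one host.

    detected_services: services found listening (service discovery runs on
                       every host regardless of OS, as the thread describes).
    os_family:         fingerprint result, e.g. "windows" or "unix", or None
                       when the scanner could not identify the OS.
    os_filter:         the configurable switch. True skips checks that do not
                       apply to the identified OS; False runs everything the
                       service inventory allows (the 'scan every box fully' mode).
    An unknown OS always falls back to the thorough mode, because a wrong or
    missing fingerprint is exactly the failure the thread worries about.
    """
    selected = []
    for chk in catalog:
        if chk.service not in detected_services:
            continue  # no listener for this service, so the test is pointless here
        platform_specific = bool(chk.platforms)
        if (os_filter and os_family is not None and platform_specific
                and os_family not in chk.platforms):
            continue  # e.g. a Samba-only test on a box identified as Windows
        selected.append(chk.name)
    return selected


if __name__ == "__main__":
    print(select_checks({"smb", "http"}, "windows"))
    print(select_checks({"smb", "http"}, "windows", os_filter=False))
    print(select_checks({"smb", "http"}, None))
```

With the switch on, the Windows host gets the share and IIS checks but not the Samba-only one; turning the switch off, or failing to fingerprint the OS, reverts to running every check its listening services allow.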