Mike,
 
Parallelism is one way to cut scanning time.  I used to scan about 200,000 nodes at a certain bank, and for that I had eight boxes running batch scans (Console mode scans) on a 24/7 basis.  I could scan about 1,000 IP addrs per batch job when scanning for everything, which two years ago was about half as many checks as there are now.  After much fiddling, I settled on running five checks per round of scanning.  I wrote some simple SQL that would enumerate all of the IP addrs in my WAN and then randomly dump them into host files of about 8000 each.  Each host file would be called by a different line in a batch file.  One or two machines would usually crap out before they finished, but then I'd reboot the boxes and restart the jobs.  This was quite a while ago, so I'm certain that the scanner has become more stable.
 
The thing that takes the most time is enumerating shares on domain controllers.  If you can determine where your domain controllers are, and if they don't change IP addresses, then you may want to dedicate one scanner box to scanning just those machines.  At the bank, I simply avoided any checks that would cause NetBIOS enumeration, but that was a strange case.
 
Another problem may be disk space for logs and swap space.  Make sure that storage isn't a problem.  Memory helps too.  My boxes were 400 MHz Compaq Deskpro EN machines with 384 MB of RAM.
 
BTW, I work for a company that competes with ISS on the intrusion detection side of things, but I really like ISS Internet Scanner.  IMO it's a pretty nifty network vulnerability scanner.
 
Cheers,
 
Peter
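The job-splitting approach Peter describes above (enumerate the address space, shuffle it, cut it into host files, and drive each file from its own batch line), combined with Mario's point further down that spreading the same work over more machines is what actually halves the time, as an added example. This is not Peter's SQL or batch file and not part of any ISS tool: the CIDR list stands in for his SQL inventory query, the file sizes are illustrative, and the scanner command line inside the generated .bat files is a placeholder that has to be replaced with the real Internet Scanner console invocation for your version.

```python
"""Randomized host files plus one batch driver per scanner box.

Added example in the spirit of Peter's setup above; not the original
poster's script.  Assumptions: the CIDR list below replaces his SQL
inventory query, and ``SCANNER_CMD`` is a placeholder, not a real ISS
console command line.
"""
import ipaddress
import os
import random
from typing import List

# Constructed sample WAN inventory (assumption: stands in for the SQL
# query that enumerated the real address space).
SAMPLE_RANGES = ["10.10.0.0/22", "10.20.0.0/23", "192.168.100.0/24"]

HOSTS_PER_FILE = 1000      # Peter used roughly 8000 per 24/7 console job
SCANNER_BOXES = 4          # number of machines that will run jobs in parallel
SCANNER_CMD = "scanner_console.exe"   # placeholder, see module docstring


def enumerate_hosts(cidrs: List[str]) -> List[str]:
    """Expand CIDR ranges into unique host addresses.

    Network and broadcast addresses are skipped; duplicates across
    overlapping ranges are removed so no host is scanned twice.
    """
    seen = set()
    hosts = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        for addr in net.hosts():
            text = str(addr)
            if text not in seen:
                seen.add(text)
                hosts.append(text)
    return hosts


def chunk_hosts(hosts: List[str], size: int, seed=None) -> List[List[str]]:
    """Shuffle the inventory so every host file spans many subnets (no
    single job hammers one segment), then cut it into lists of ``size``.
    A fixed ``seed`` makes the split reproducible for restarts."""
    if size <= 0:
        raise ValueError("size must be positive")
    shuffled = list(hosts)
    random.Random(seed).shuffle(shuffled)
    return [shuffled[i:i + size] for i in range(0, len(shuffled), size)]


def assign_to_boxes(items: list, boxes: int) -> List[list]:
    """Round-robin host files across scanner boxes: box k gets items
    k, k+boxes, k+2*boxes, ... so the load is balanced to within one file."""
    if boxes <= 0:
        raise ValueError("boxes must be positive")
    return [items[k::boxes] for k in range(boxes)]


def write_jobs(chunks: List[List[str]], out_dir: str, boxes: int,
               scanner_cmd: str = SCANNER_CMD):
    """Write hosts_NNN.txt files and one run_boxK.bat per scanner box.
    Returns (host file names, batch file paths)."""
    os.makedirs(out_dir, exist_ok=True)
    names = []
    for idx, chunk in enumerate(chunks):
        name = f"hosts_{idx:03d}.txt"
        with open(os.path.join(out_dir, name), "w") as fh:
            fh.write("\n".join(chunk) + "\n")
        names.append(name)

    bat_files = []
    for k, box_files in enumerate(assign_to_boxes(names, boxes)):
        bat = os.path.join(out_dir, f"run_box{k + 1}.bat")
        with open(bat, "w", newline="") as fh:
            fh.write("@echo off\r\n")
            for name in box_files:
                # Placeholder invocation (assumption): one line per host
                # file, each with its own log so a crashed job can be rerun.
                fh.write(f"{scanner_cmd} -hostfile {name} -log {name}.log\r\n")
        bat_files.append(bat)
    return names, bat_files


if __name__ == "__main__":
    inventory = enumerate_hosts(SAMPLE_RANGES)
    jobs = chunk_hosts(inventory, HOSTS_PER_FILE, seed=2002)
    files, bats = write_jobs(jobs, "scanjobs", SCANNER_BOXES)
    print(f"{len(inventory)} hosts -> {len(files)} host files -> {len(bats)} batch files")
```

Each scanner box then runs only its own run_boxK.bat, and because every job has a separate host file and log, a box that "craps out" mid-run can be rebooted and restarted from the job that failed rather than from the beginning. Keep the seed fixed across restarts so the host files are identical to the ones already scanned.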
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sacchi Mario
Sent: Monday, December 02, 2002 1:01 PM
To: Wisniewski, Michael; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Optimizing Internet Scanner

 
[Sacchi Mario] CPU power is almost always irrelevant to an application such as Internet Scanner.  You can try monitoring CPU usage of your two machines while running a scan, and you will surely notice that the processor is idle all the time.
 
Speeding up a scan depends greatly on the network you are scanning. If you are scanning your LAN (the one you are directly connected to, for instance), you could try shortening timeouts and reducing retry counts where possible. You don't need a muscular PC to wait for an ICMP probe to time out if there was no host at that address...
 
If you are scanning over a narrow channel, maybe the bottleneck is bandwidth? (unlikely unless you're using a slow modem, but doesn't seem to be your case since you're talking of gigabit ethernet).
 
Try configuring the scanner to probe more addresses in parallel; this should do the trick - twice the machines, half the time.
 
HTH
 
Mario
 
 
 -----Original Message-----
From: Wisniewski, Michael [mailto:[EMAIL PROTECTED]]
Sent: Monday, 2 December 2002 15.37
To: '[EMAIL PROTECTED]'
Subject: [ISSForum] Optimizing Internet Scanner

 
    Hi!  I was wondering if anybody had any tips or tricks to make Internet Scanner run faster.  I'm very confused and wish that it would speed things up.  We've upgraded our scanning systems to a P4, 1.8 GHz, 256 MB RAM, and a gigabit fiber NIC, and the scans still run at the same pace as on our 500 MHz, 256 MB RAM, and 100 Mbps NIC.  If anybody has any ideas or tips to optimize the scans, that would be great!  Thanks!
 
 
---------------------------------------------------------------
Michael Wisniewski
Cyber Security Analyst
- Sans GIAC Security Essentials Certified -
- Internet Security Systems Certified -
Argonne National Laboratory
Office of the Chief Information Officer
630-252-7560 (Work)
630-514-2874 (Mobile)
 