I think a combination of both will give a better security audit - that is nessusd on the DMZ to test the host machines and nessusd from the internet to test the PIX. PIX scan results diffed from DMZ scan results will yield the overall internet exposure.
I have also noticed that the PIX does not tolerate nmap TCP scanning for long. I have a client with a class C full of about 150 web servers protected by a PIX and my nmap scan could not even find one. I will be working on this and I can let you know if I figure anything out.

Devin Harris
Abraxis Networks
http://www.Abraxis.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michel Arboi
Sent: Thursday, February 21, 2002 3:42 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems scanning through a PIX

Jason Haar <[EMAIL PROTECTED]> writes:

> This appears to only kick in if the PIX receives more than one such
> erroneous packet from a host in a small period of time.

That's why scanning through a firewall is unreliable.

> That's good of course - but I still want to know our Internet
> perimeter area is as secure as we think it is.

Then run nessusd directly on the DMZ.

> Has anyone else seen this, and are there ways around it - besides
> toning down scanners to send one packet per minute - I don't have a
> spare year to wait for the results... :-)

nmap is really smart and will adapt to this. You can speed up scans using one of those tricks:
http://msgs.securepoint.com/cgi-bin/get/nessus-0202/6.html

As far as Nessus is concerned, you cannot do much at this time but increase delay_between_tests and plugins_timeout
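The "diff the outside scan against the DMZ scan" idea from the top of the thread, worked through as an added example (not code from anyone in the thread): it parses nmap grepable (-oG) output from a scan run inside the DMZ and one run from the Internet through the PIX, then reports per host what is reachable from outside, what the PIX shields, and anything seen only from outside. The scan data and the 192.0.2.x addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample nmap -oG output for the same DMZ hosts: one scan run from
# inside the DMZ, one run from the Internet through the PIX. Addresses are
# RFC 5737 documentation addresses, not real hosts.
DMZ_SCAN = """\
# Nmap run from the DMZ segment (constructed sample)
Host: 192.0.2.10 (www1)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 (www2)\tPorts: 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
"""
INTERNET_SCAN = """\
# Nmap run from outside through the PIX (constructed sample)
Host: 192.0.2.10 (www1)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 (www2)\tPorts: 80/open/tcp//http///, 3306/filtered/tcp//mysql///\tIgnored State: filtered (998)
"""

# port/state/protocol// as written in the -oG "Ports:" field
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")

def parse_grepable(text):
    """Map each host address to the set of (port, proto) nmap reported open."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and the final summary line
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1] if "Ports:" in line else ""
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                open_ports[host].add((int(port), proto))
    return open_ports

def exposure_diff(dmz, internet):
    """Per host: what the Internet can reach, what the PIX hides, and what was
    seen only from outside (which means the DMZ-side scan missed it)."""
    report = {}
    for host in sorted(set(dmz) | set(internet)):
        exposed = internet.get(host, set())
        inside = dmz.get(host, set())
        report[host] = {"exposed": sorted(exposed),
                        "shielded": sorted(inside - exposed),
                        "unexpected": sorted(exposed - inside)}
    return report

if __name__ == "__main__":
    result = exposure_diff(parse_grepable(DMZ_SCAN), parse_grepable(INTERNET_SCAN))
    for host, r in result.items():
        print(host, r)
```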
