At 03:39 PM 1/11/2005, Firewall Administrator wrote:
Greetings!

I would like to know whether members of this list have any thoughts about whether one could run successful Nessus scans over a VPN link. I have read various concerns about running Nessus scans through a firewall, but haven't seen anything about doing it through a VPN.

What would the potential problems be? Network latency causing false positives (or false negatives)? Any thoughts from anyone who has tried this?

Thanks in advance,

TJ

I used to work at a routing/switch vendor and had a big hand in the development of a commercial NIDS. There are three things (maybe more) that can degrade network gear.

- if you scan the box directly, you may crash a service,
  launch a daemon or otherwise cause the box to do
  something other than move packets around. For example,
  there may be an SSH daemon running and a scan may cause
  a daemon to get spawned which could chew CPU cycles.

- if you scan through the box, most hardware and software
  have optimized algorithms which help keep track of
  connections. Actual vulnerability scanning does not
  really add much to a state table of connections; however,
  port scans and port sweeps dramatically increase the
  number of pairs of source IP, destination IP, source
  port and destination port.

- the scan itself will take bandwidth. I'm of the opinion
  that normal scans of class-C networks are low-bandwidth things,
  but I've seen some Nessus users peg 10 Mb/s and 100 Mb/s
  links.

If your VPN is also a firewall, or does some sort of packet
filtering, you will obviously only be scanning what is
allowed through as well.

If you can get credential information on the remote devices,
you may consider using Nessus for host-based audits. Also,
many of Tenable's customers place several scanners on their
network and if scanners can be placed on the other side of
the VPN, you only have to pass the results back.

Ron Gula, CTO
Tenable Network Security
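The state-table point in the reply above is easy to underestimate, so here is a small model of it. This is an added example, not code from the thread or from Tenable: a toy connection-tracking table with an assumed capacity (4096 flows) and idle timeout (30 s), fed first by a SYN sweep of a /24 and then by plugin-style checks that only touch a few open ports and close each connection. The scanner address, target network, port lists and packet rates are constructed inputs chosen for illustration; real devices have much larger tables, but the shape of the result is the same.

```python
"""Constructed model of a stateful device's connection table under scan load.

Added example, not from the original mailing list thread. CAPACITY, TIMEOUT,
addresses, port lists and rates below are assumptions for illustration only.
"""
from collections import OrderedDict
from ipaddress import IPv4Network

CAPACITY = 4096   # assumed: max tracked flows before new ones are refused
TIMEOUT = 30.0    # assumed: seconds an idle or unanswered flow is retained


class StateTable:
    """Minimal connection-tracking table: flows keyed by 4-tuple, LRU-ordered."""

    def __init__(self, capacity=CAPACITY, timeout=TIMEOUT):
        self.capacity = capacity
        self.timeout = timeout
        self.flows = OrderedDict()   # flow -> last-seen time, oldest first
        self.refused = 0             # new flows turned away because table was full
        self.peak = 0                # high-water mark of live entries

    def _expire(self, now):
        # Drop entries idle longer than the timeout (oldest first).
        while self.flows:
            flow, seen = next(iter(self.flows.items()))
            if now - seen <= self.timeout:
                break
            self.flows.popitem(last=False)

    def open(self, flow, now):
        """Packet seen for `flow` at time `now`; False if the table refused it."""
        self._expire(now)
        if flow in self.flows:
            self.flows.move_to_end(flow)
            self.flows[flow] = now
            return True
        if len(self.flows) >= self.capacity:
            self.refused += 1
            return False
        self.flows[flow] = now
        self.peak = max(self.peak, len(self.flows))
        return True

    def close(self, flow):
        """Graceful FIN/RST: entry is released now instead of aging out."""
        self.flows.pop(flow, None)


def _next_sport(sport):
    # Ephemeral source port, wrapping within 40000-64999.
    return 40000 + (sport - 39999) % 25000


def summary(table, elapsed):
    return {"peak_entries": table.peak, "refused": table.refused,
            "seconds": round(elapsed, 1)}


def port_sweep(table, scanner, network, ports, pps):
    """SYN sweep: every host/port pair is a distinct 4-tuple. Hosts that drop
    the SYN never answer, so each entry lingers until TIMEOUT."""
    t, sport = 0.0, 40000
    for host in IPv4Network(network).hosts():
        for dport in ports:
            table.open((scanner, str(host), sport, dport), t)
            sport = _next_sport(sport)
            t += 1.0 / pps
    return summary(table, t)


def vuln_checks(table, scanner, network, open_ports, checks_per_port, parallel, pps):
    """Plugin checks: connections go only to the few open ports, at most
    `parallel` in flight per port, and each completes and closes."""
    t, sport = 0.0, 40000
    for host in IPv4Network(network).hosts():
        for dport in open_ports:
            for start in range(0, checks_per_port, parallel):
                batch = []
                for _ in range(min(parallel, checks_per_port - start)):
                    flow = (scanner, str(host), sport, dport)
                    table.open(flow, t)
                    batch.append(flow)
                    sport = _next_sport(sport)
                    t += 1.0 / pps
                for flow in batch:       # checks finished; FIN frees the entries
                    table.close(flow)
    return summary(table, t)


if __name__ == "__main__":
    sweep = port_sweep(StateTable(), "10.0.0.5", "192.168.1.0/24", list(range(1, 101)), 1000)
    checks = vuln_checks(StateTable(), "10.0.0.5", "192.168.1.0/24", [22, 80, 443], 20, 8, 1000)
    print("100-port sweep of a /24:", sweep)
    print("20 checks x 3 open ports per host:", checks)
```

The sweep of 254 hosts by 100 ports creates 25,400 unique 4-tuples inside the 30 s timeout and fills the 4,096-entry table, after which the device refuses every further new flow, including legitimate traffic that happens to arrive while the sweep runs. The plugin checks open more connections in total (15,240) but never hold more than eight at once, because each one is closed and released; that is the difference between "port scans dramatically increase the number of pairs" and "vulnerability scanning does not really add much" in the reply above.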

_______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus