I've been following the thread on nmap/udp scans, Nessus TCP scans and other issues relating to scanning causing network devices to cease functioning, and thought I'd share a Nessus safe scan experience from last Friday.
After analyzing the client network (a community bank with about 25 workstations, a half dozen servers, a dozen terminal server clients, and a dozen misc. appliances, printers and network storage), I ran Nessus in safe mode. The result of the assessment:

1. A Sonicwall Pro with current firmware had its configuration blown away and had to be defaulted and have the backup loaded to recover (rebooting did not work). This behavior from a device marketed and sold as a security appliance? Good grief, Sonicwall!

2. A Cisco 1600 router (with old IOS) link to a remote branch failed on both ends, including requiring rebooting of workstations on the remote side. Cisco's defense is that this was tired old IOS on an unmaintained device.

3. A Ricoh "Savin" network fax ceased operation and had its configuration erased. A service technician had to reload firmware and reprogram to recover. No response from Ricoh tech support, other than an amusing FAQ on "scanning" documents in response to my inquiry.

Plus countless other devices ceased proper operation and required various levels of intervention to recover.

Going into this, I expected a potential issue with the old Cisco IOS, though safe mode presumably should be "safe". We actually did conduct a preliminary assessment in order to avoid disrupting production services. The failure of a Sonicwall on a current firmware load, and of other appliances with current loads, on the other hand, is exceptionally disappointing (especially when Sonicwall has had two years to address this problem).

My question is this: is it reasonable to expect LAN devices to be resistant to network scans? If so, is Nessus making any efforts to organize information regarding vendor status and compliance? I would argue that just as the bank's financial records are subject to auditor scrutiny, and it wouldn't be appropriate to restrict audits for fear of discovering bad activities, network resources should survive the same level of scrutiny.

Safe scans at a minimum should be passable, but realistically, intrusive scans should also be tolerated without device meltdown. DoS/DDoS are known risks that network-connected devices should be resistant to. Clearly, the lack of network device security standards has caused many vendors like Sonicwall to apparently ship inferior products without challenge.

Going forward, I'm going to recommend clients not introduce network components into their network until they pass a Nessus scan in the lab. Proactive vendors reading this list may seek to independently certify their equipment and let buyers know of this status (a Nessus "compliant technologies" portion of the website would be of value). We've gone ahead and set up a lab for our clients for this testing, and I'd be happy to share information about these results if others would be interested in it.

Jamie

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
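As an added illustration of the lab acceptance test recommended above (this is example code written for this page; it is not from the original post, from Nessus, or from any vendor), the following harness records which services on a staged device answer before a scan, runs the scanner, then re-probes and reports what stopped answering. The hostnames, ports, the nmap command line and the simulated lab are assumptions for illustration; any scanner can be plugged in as the `scan` callable.

```python
"""Scan-survivability harness for devices staged in a lab.

Added example, not code from the original post or from Nessus. Hosts, ports
and the scanner command line are illustrative assumptions.
"""
import socket
import subprocess
import time
from typing import Callable, Dict, Iterable, List, Tuple

Target = Tuple[str, int]           # (host, tcp_port)
Probe = Callable[[str, int], bool]  # returns True if the service answered


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def baseline(targets: Iterable[Target], probe: Probe) -> Dict[Target, bool]:
    """Probe every target once and record whether it answered."""
    return {t: probe(*t) for t in targets}


def nmap_scan(hosts: Iterable[str]) -> int:
    """Run an unprivileged nmap connect scan of the lab hosts (assumes nmap is
    installed; the option set is an assumption). Returns nmap's exit status."""
    cmd = ["nmap", "-sT", "-p", "1-1024", "--max-retries", "1",
           "-oN", "lab-scan.txt", *hosts]
    return subprocess.run(cmd, check=False).returncode


def survival_report(targets: List[Target], probe: Probe,
                    scan: Callable[[], None], rechecks: int = 3,
                    wait: float = 5.0) -> Dict[str, List[Target]]:
    """Probe, scan, re-probe.

    A service is judged only if it answered before the scan. After the scan it
    is 'fine' if it answers on the first recheck, 'flapped' if it needed a
    later recheck to come back (it dropped but recovered unaided), and 'lost'
    if it never answers within `rechecks` attempts spaced `wait` seconds
    apart, i.e. it needs human intervention.
    """
    before = baseline(targets, probe)
    scan()
    fine: List[Target] = []
    flapped: List[Target] = []
    lost: List[Target] = []
    for t in targets:
        if not before[t]:
            continue  # never answered; nothing to judge
        answers = []
        for i in range(rechecks):
            answers.append(probe(*t))
            if answers[-1]:
                break
            if i < rechecks - 1:
                time.sleep(wait)
        if not answers[-1]:
            lost.append(t)
        elif len(answers) == 1:
            fine.append(t)
        else:
            flapped.append(t)
    return {"up_before": [t for t in targets if before[t]],
            "fine": fine, "flapped": flapped, "lost": lost}


def simulated_lab():
    """Constructed offline stand-in for a real lab: a firewall that survives,
    a router that drops and comes back, a fax that dies, a printer that was
    never up. Returns (probe, scan) callables."""
    state = {"scanned": False, "rtr_rechecks": 0}

    def probe(host: str, port: int) -> bool:
        if host == "fw":
            return True
        if host == "fax":
            return not state["scanned"]
        if host == "rtr":
            if not state["scanned"]:
                return True
            state["rtr_rechecks"] += 1
            return state["rtr_rechecks"] >= 2  # back on the second recheck
        return False

    def scan() -> None:
        state["scanned"] = True

    return probe, scan


LAB_TARGETS: List[Target] = [("fw", 443), ("rtr", 23), ("fax", 80),
                             ("printer", 9100)]


def demo() -> Dict[str, List[Target]]:
    """Run the harness against the simulated lab with no waiting."""
    probe, scan = simulated_lab()
    return survival_report(LAB_TARGETS, probe, scan, rechecks=3, wait=0)


if __name__ == "__main__":
    # Against real hardware: survival_report(LAB_TARGETS, tcp_probe,
    #     lambda: nmap_scan({h for h, _ in LAB_TARGETS}))
    for kind, items in demo().items():
        print(f"{kind:10s} {items}")
```

A device on the "lost" list has failed the acceptance test outright; a "flapped" one survived without intervention but still dropped a production service for the duration of the scan, which is worth recording before it is allowed onto the network.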
