James,

Excellent post.  I too have been troubled by the ability of Nessus to
completely bork otherwise reliable network devices.  Indeed it does
illustrate the lack of quality control that many network equipment vendors
have.  A recent experience I have had is that a Nessus scan of our DR
network took down an entire DS3 Mux.  Luckily this was our DR network and no
traffic was currently routed through it, but the effects of over 500
simultaneous voice circuits going dead as the Mux suffered from a buffer
overflow and rebooted itself would have been devastating in our production
environment.  Well, now I know not to scan that device any more... :-)

One of the real issues I face is a loss of credibility with other
departments in the company that I'm responsible for scanning.  All it takes
is one small outage caused by a Nessus scan and now I'm responsible and the
other department is understandably paranoid about being scanned again.
"What will it break this time?" is something I've heard before.  Since I'm
the one individual in my company that is tasked with running scans, this is
definitely a hot-button issue.

If you would like to volunteer to run some type of web-based database of
network equipment that may be vulnerable to Nessus scans, I would applaud
this effort.  I would also be happy to contribute to it, and I think it
would benefit a lot of us, especially the consultants on this list that use
Nessus to scan many different organizations.

Regards,

Luke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of James Saker
Sent: Tuesday, March 15, 2005 12:46 PM
To: [EMAIL PROTECTED]
Subject: Safe scans and DoS

I've been following the thread on nmap/udp scans, Nessus TCP scans and other
issues relating to scanning causing network devices to cease functioning,
and thought I'd share a Nessus safe scan experience from last Friday.

After analyzing the client network (a community bank with about 25
workstations, a half dozen servers, a dozen terminal server clients, and a
dozen misc. appliances, printers and network storage), I ran Nessus in safe
mode. The result of the assessment:

1. A Sonicwall Pro with current firmware had its configuration blown away
and had to be defaulted and have the backup loaded to recover (rebooting did
not work - this behavior from a device marketed and sold as a security
appliance? Good grief, Sonicwall!).

2. A Cisco 1600 router (with old IOS) link to a remote branch failed on both
ends, including requiring rebooting of workstations on the remote side.
Cisco's defense is that this was tired old IOS on an unmaintained device.

3. A Ricoh "Savin" network fax ceased operation and had its configuration
erased. A service technician had to reload firmware and reprogram to
recover. No response from Ricoh tech support, other than an amusing FAQ on
"scanning" documents in response to my inquiry.

Plus countless other devices ceased proper operation and required various
levels of intervention to recover. Going into this, I expected a potential
issue with the old Cisco IOS, though safe mode presumably should be "safe".
We actually did conduct a preliminary assessment in order to avoid
disrupting production services. A current load of Sonicwall and other
appliances with current loads, on the other hand, is exceptionally
disappointing (especially when Sonicwall has had two years to address this
problem).

My question is this: is it reasonable to expect LAN devices to be resistant
to network scans? If so, is Nessus making any efforts to organize
information regarding vendor status and compliance?

I would argue that just as the bank's financial records are subject to
auditor scrutiny and it wouldn't be appropriate to restrict audits for fear
of discovering bad activities, network resources should survive the same
level of scrutiny. Safe scans at a minimum should be passable, but
realistically, intrusive scans should also be tolerated without device
meltdown. DoS/DDoS are known risks that network-connected devices should be
resistant to. Clearly, the lack of network device security standards has
caused many vendors like Sonicwall to apparently ship inferior products
without challenge.

Going forward, I'm going to recommend clients not introduce network
components into their network until they pass a Nessus scan in the lab.
Proactive vendors reading this list may seek to independently certify their
equipment and let buyers know of this status (a Nessus "compliant
technologies" portion of the website would be of value). We've gone ahead
and set up a lab for our clients for this testing and I'd be happy to share
information about these results if others would be interested in it.

Jamie
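The lab acceptance test Jamie proposes above ("not introduce network components until they pass a Nessus scan in the lab"), sketched as an added example. This is not code from the thread and not Nessus code: it is a small harness that records a device's health (reachability, uptime, a fingerprint of its running configuration), drives the scan in stages of increasing aggressiveness, and re-checks health after each stage, so the three failure modes reported in the thread (device reboots, device stops answering, configuration wiped) are caught at the stage that triggers them. The scanner and the probes are pluggable callables; the `FakeDevice` below is a constructed stand-in so the harness runs offline, and the stage names are illustrative, not Nessus plugin families. The result record is shaped for the kind of "fragile equipment" list Luke asks for.

```python
"""Lab acceptance harness: does a network device survive a scan?

Added example, not code from the mailing-list thread or from Nessus.
The scan driver (run_stage) and the health probe are injected so a real
scanner can be wired in; here a constructed FakeDevice plays the target.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Illustrative stage names only; order is least to most aggressive so the
# first stage that breaks a device is recorded.
STAGES = ["icmp sweep", "tcp port scan", "udp port scan",
          "safe checks", "intrusive checks"]


@dataclass
class Health:
    reachable: bool
    uptime_s: Optional[int]       # e.g. SNMP sysUpTime; None if unavailable
    config_fp: Optional[str]      # hash of the running config; None if not collected


@dataclass
class Verdict:
    host: str
    failed_stage: Optional[str] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return self.failed_stage is None


def diff_health(before: Health, after: Health) -> List[str]:
    """Compare two probes and name every regression found."""
    reasons = []
    if before.reachable and not after.reachable:
        reasons.append("stopped responding")
    if before.uptime_s is not None and after.uptime_s is not None:
        # Uptime only ever advances between probes; a drop means a reboot.
        if after.uptime_s < before.uptime_s:
            reasons.append("rebooted (uptime went backwards)")
    if before.config_fp and after.config_fp and before.config_fp != after.config_fp:
        reasons.append("configuration changed")
    return reasons


def run_acceptance(host: str, probe: Callable[[], Health],
                   run_stage: Callable[[str, int], None],
                   stages: List[str] = STAGES, stage_seconds: int = 60) -> Verdict:
    """Run each stage against the device, stopping at the first one that hurts it."""
    verdict = Verdict(host)
    baseline = probe()
    if not baseline.reachable:
        verdict.failed_stage = "baseline"
        verdict.reasons = ["not reachable before scanning"]
        return verdict
    for stage in stages:
        run_stage(stage, stage_seconds)
        after = probe()
        reasons = diff_health(baseline, after)
        if reasons:
            verdict.failed_stage, verdict.reasons = stage, reasons
            return verdict
        baseline = after                 # healthy: new baseline for the next stage
    return verdict


def fragile_record(verdict: Verdict, vendor: str, model: str, firmware: str) -> dict:
    """One entry for a shared list of scan-fragile equipment (hypothetical schema)."""
    return {"vendor": vendor, "model": model, "firmware": firmware,
            "passed": verdict.passed, "failed_stage": verdict.failed_stage,
            "symptoms": list(verdict.reasons)}


class FakeDevice:
    """Constructed stand-in for a lab target, scripted to misbehave at one stage.

    failure: "reboot" resets uptime, "hang" stops answering, "wipe" replaces
    the running config with factory defaults.
    """
    def __init__(self, breaks_at: Optional[str] = None, failure: str = "reboot"):
        self.breaks_at, self.failure = breaks_at, failure
        self.up, self.uptime, self.config = True, 100_000, "cfg-sha256-v1"

    def probe(self) -> Health:
        if not self.up:
            return Health(False, None, None)
        return Health(True, self.uptime, self.config)

    def run_stage(self, stage: str, seconds: int) -> None:
        self.uptime += seconds
        if stage == self.breaks_at:
            if self.failure == "reboot":
                self.uptime = 5
            elif self.failure == "hang":
                self.up = False
            elif self.failure == "wipe":
                self.config = "cfg-sha256-factory-default"


if __name__ == "__main__":
    mux = FakeDevice(breaks_at="safe checks", failure="reboot")
    v = run_acceptance("lab-mux-1", mux.probe, mux.run_stage)
    print(fragile_record(v, "ExampleVendor", "DS3 mux (constructed)", "1.0"))
```

The point of staging is that a device which dies during the UDP port scan never sees the plugin checks, so the record says which layer of the scan is unsafe rather than just "Nessus broke it"; in a real lab, `probe` would wrap a ping plus an SNMP sysUpTime read and a hash of the exported config, and `run_stage` would launch the scanner with only that stage's plugins enabled.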


_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
