So you basically proved that their firewall works.

I have not had good luck with external scanning even if the firewall is set to give me full access.

The firewall still has to look at every single packet that my system is sending and decide whether or not to pass it. This introduces latency in the scan and can severely punish the CPU on the firewall (or the state table, or session table, or however it tracks connections).

Can you honestly say you believe the Nessus results from the scan that found "no vulnerabilities"? Would you want to take that result and publish it in the newspaper? Why don't you ask them that question and see how they feel about their "no vulnerabilities" scan?

I have trouble with that mentality here, as well. Nobody cares about whether or not systems are vulnerable, they just care about what a report says. If I run a scan searching for a single vulnerability and no system is vulnerable, that does not mean that the systems have "no vulnerabilities"; it just means that none of the scanned systems were vulnerable to the specific vulnerability I was scanning for... or that I don't have the necessary rights on the target systems to determine the level of vulnerability.

So, there are more things to consider than just inside or outside. If the folks around are willing to cooperate and not be stupid or boneheaded, then you can figure out the best way.

The fact that you found their "no vulnerabilities" report "suspect" is probably an understatement on your part. I imagine you almost fell out of your chair when you read their report. You are smart enough to know that any sufficiently sized conglomeration of systems will have vulnerabilities. If they were just trying to test their firewall, then they were successful. But that wasn't what you were asking for and they are relying on you to either not care about accuracy or not understand what they are pulling over on you. Good call on your part.
-Jason
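A small plausibility check that encodes the two points made above: a scan answered by the firewall proves the firewall, not the host, and a scan without rights on the target only tests what is visible on the wire. This is an added example, not code from the thread or from Nessus; the host names, port states, finding counts and the 90% "filtered" cut-off are all constructed assumptions.

```python
"""Sanity-check a scan report before accepting "no vulnerabilities".

Added example, not from the mailing-list post. All input is constructed:
per-host port states as a scanner reports them (open / closed / filtered),
whether the scanner logged in with credentials, and its finding count.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class HostResult:
    host: str
    ports: dict          # e.g. {"22/tcp": "filtered"}; constructed values
    credentialed: bool   # scanner had an account on the host
    findings: int        # vulnerabilities the scanner reported


def classify(h: HostResult, filtered_threshold: float = 0.9) -> tuple:
    """Return (verdict, reason) for one host."""
    if not h.ports:
        return "NO_REACH", "no response to any probe; host not assessed"
    share = Counter(h.ports.values())["filtered"] / len(h.ports)
    if share >= filtered_threshold:
        # The firewall answered instead of the host: evidence about the
        # firewall, not about the host behind it.
        return "FIREWALL_FILTERED", f"{share:.0%} of probes filtered"
    if h.findings == 0 and not h.credentialed:
        return "UNAUTHENTICATED_CLEAN", "no findings, but no rights on the host"
    if h.findings == 0:
        return "CREDIBLE_CLEAN", "host reached with credentials, nothing found"
    return "FINDINGS", f"{h.findings} finding(s) reported"


def report_is_credible(results: list) -> bool:
    """A clean report only counts if every host was actually assessed."""
    return all(classify(h)[0] in ("CREDIBLE_CLEAN", "FINDINGS") for h in results)


# Constructed sample: the same two hosts scanned from outside and from inside.
EXTERNAL = [
    HostResult("db1", {p: "filtered" for p in ("22/tcp", "1433/tcp", "3306/tcp", "445/tcp")}, False, 0),
    HostResult("web1", {"80/tcp": "open", "443/tcp": "open", "22/tcp": "filtered", "25/tcp": "closed"}, False, 0),
]
INTERNAL = [
    HostResult("db1", {"22/tcp": "open", "1433/tcp": "open", "3306/tcp": "closed", "445/tcp": "open"}, True, 3),
    HostResult("web1", {"80/tcp": "open", "443/tcp": "open", "22/tcp": "open", "25/tcp": "closed"}, True, 0),
]

if __name__ == "__main__":
    for label, results in (("external", EXTERNAL), ("internal", INTERNAL)):
        print(f"{label}: credible={report_is_credible(results)}")
        for h in results:
            print("  ", h.host, *classify(h))
```

The external report comes back as not credible even though it lists zero findings; the internal, credentialed run is the one whose zero-finding host can be believed.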
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of -soundlux-
Sent: Thursday, April 20, 2006 12:05 PM
To: [email protected]
Subject: Effective Location For The Scan

I was able to introduce an initiative whereby scans are required on a monthly basis. Departments were requested to run scans against their critical servers and send the results to the security officer.
There were questions raised as to where the scans should be run from:
My research indicated that the threat was greatest from insiders, so my suggested approach was to require that the scans be run from inside the network (specifically behind the firewall).
Others will argue that the scans should be run from outside the firewall since the threats are mainly external.
A department that took the last approach (running the scans from outside the firewall) reported the Nessus scan results with "No vulnerabilities".
I find these results suspect, considering the size of their network.
My question is, if the scans are run from outside the network, should the firewall (and other security appliances) be configured in a particular way so as not to distort the scans? At the very least I will expect that IP traffic from the computer executing the scans should be allowed on the network.
Advice from this list will be appreciated.
Thanks.
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
