RE: Effective Location For The Scan ---- What is the minimum requirement to insure scans are not distorted.

[Paul Hanson]

I have always scanned from the outside in.  That is, scan the external network first with a remote penetration audit, and then scan from inside the network.  This would show to your prospective customer the associated risks from internal and external threats.  I’ve also typically started the external penetration audit without using any of the data the customer has provided me.  I always attempt to find their IP addresses via information creep.  Use email headers and web server IP’s or domain registrations to attempt to find the IP range.   Then use the IP’s provided to compare what information creep is out there.  This will help you evaluate how difficult it is for an attacker to target the customer vs. just stumbling onto the vulnerability.   The first scan will show you what the script kiddies would see, the second set of results would should you what an attacker would see if they are inside the network either through an inside job or some type of threat such as a Trojan or root kit.    Also, as a result of the two reports, you can compare your data to see what your firewall/IPS and other security controls are reporting and how well they are performing.      If you throw both results into a report you can then help your customer with a risk assessment to deem how real an internal and external threat is.     Do they need to spend the money on implementing new controls to mitigate risks such a Trojans, root kits and viruses?  Do they need an IDS/IPS on internal and external segments of their networks?  Do they need to throw their servers into a DMZ or secondary network?   Do they need a better firewall than a SOHO router with NAT?   Best regards, Paul Hanson From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of -soundlux- Sent: Friday, April 21, 2006 8:40 AM To: nessus@list.nessus.org Subject: RE: Effective Location For The Scan ---- What is the minimumrequirement to insure scans are not distorted.   I appreciate the feedback so far... But assuming that they insist that the Nessus scan must be run from outside the firewall, the question is: Is there configuration setting/requirement that must exist on the the firewall (or any other security appliance) to ensure that Nessus scans from a box outside the firewall  won't be block or the resultant scan results wont't be distorted? I will appreciate continued feedback. Len Jay Jacobson <[EMAIL PROTECTED]> wrote: [snip] > My research indicated that the threat was greatest from > insiders, so my suggested approach was to require that the scans be ran > from inside the network ( specifically behind the firewall.) > > Other will argue that the scans should be ran from outside the > firewall since the threats are mainly external. [snip] I agree with most of the thoughts on this thread, but thus far the replies have all missed a very critical point. When considering external or internal scanning, the real answer is BOTH. A network device (router, IDS, whatever), or even the target host, may react very differently depending on the source of the scan and the architecture of the network between the scanner and the target. It is very possible to scan the same target from both the inside and the outside, and get two very different results. ~Jay -- .. .. Jay Jacobson .. Edgeos, Inc. - 480.961.5996 - http://www.edgeos.com .. .. Private-Labeled Managed Vulnerability Assessment Services .. _______________________________________________ Nessus mailing list Nessus@list.nessus.org http://mail.nessus.org/mailman/listinfo/nessus   Celebrate Earth Day everyday! Discover 10 things you can do to help slow climate change. Yahoo! Earth Day

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus