Hi all,

This question seeks confirmation on how we believe an application proxy firewall (example: Raptor or Checkpoint) impacts Nessus scanning results.

We periodically do Nessus scans from outside of networks against target servers inside the same networks behind a firewall. Most recently, the Nessus scan was done from outside the target network, going through a Raptor (application proxy) firewall loaded on a Windows server, pointed at the target system (a web server running Windows/IIS). The Nessus scan reported only three warnings (and no vulnerabilities).

We separately examined the Windows software on the target web server device. The web server's Windows operating system had many vulnerabilities (sample listed below by CVE#); it was woefully behind schedule for installation of software updates/patches/fixes. Initially, we could not account for why the Nessus scan missed the large number of Windows-related vulnerabilities.

We then came up with this theory on what limited what the Nessus scan found: Nessus scanning will not work if a target server is being scanned through an application proxy firewall, since these types of firewalls check packet formatting at higher OSI model layers. For example, for a buffer overflow attack, the application firewall detects packet malformation and drops the packet, so the packet(s) never reach the target and the Nessus scan engine gets no feedback from the target server.

CVE-2006-5758 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5758>
CVE-2006-3443 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3443>
CVE-2006-3444 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3444>
CVE-2006-2379 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2379>
CVE-2006-2373 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2373>
CVE-2006-2371 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2371>
CVE-2006-2370 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2370>
CVE-2006-1313 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1313>
CVE-2006-0034 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-0034>
CVE-2006-0012 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-0012>
CVE-2006-1591 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1591>
CVE-2006-0010 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-0010>
CVE-2006-0143 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-0143>

Preferences Used for This Scan:

slice_network_addresses                  no
plugin_upload_suffixes                   .nasl, .nasl3, .inc, .inc3, .nbin
plugin_upload                            yes
kb_max_age                               864000
kb_dont_replay_denials                   no
kb_dont_replay_attacks                   no
kb_dont_replay_info_gathering            no
kb_dont_replay_scanners                  no
only_test_hosts_whose_kb_we_have         no
only_test_hosts_whose_kb_we_dont_have    no
kb_restore                               no
save_knowledge_base                      yes
use_mac_addr                             no
silent_dependencies                      yes
auto_enable_dependencies                 no
safe_checks                              yes
plugins_timeout                          320
non_simult_ports                         139, 445
checks_read_timeout                      5
language                                 english
optimize_test                            yes
port_range                               1-1024
cgi_path                                 / cgi-bin
log_whole_attack                         yes
throttle_scan                            yes
max_checks                               10
max_hosts                                16
auto_update_delay                        24
auto_update                              no
ntp_save_sessions                        yes
ntp_detached_sessions                    yes
server_info_nessusd_version              3.0.1
server_info_libnasl_version              3.0.1
server_info_libnessus_version            3.0.1
server_info_thread_manager               fork
server_info_os                           Linux
server_info_os_version                   2.6.13-15-smp
reverse_lookup                           no
ntp_keep_communication_alive             yes
ntp_opt_show_end                         yes
save_session                             yes
detached_scan                            no
continuous_scan                          no

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
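
Added example, not part of the original post: a short Python review of the scan preferences quoted above, flagging settings that narrow what a remote scan reports regardless of any firewall in the path. The review rules and the function names are this example's own assumptions; the preference values are copied from the post.

```python
"""Added example: review the scan preferences quoted in the post for
settings that narrow what a remote scan can report."""

# Subset of the preferences from the post, one "key value" pair per line.
PREFS_TEXT = """\
safe_checks yes
optimize_test yes
port_range 1-1024
auto_update no
kb_restore no
kb_max_age 864000
plugins_timeout 320
"""

TOTAL_TCP_PORTS = 65535

def parse_prefs(text):
    """Split each line on the first space into key and value."""
    prefs = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.strip().partition(" ")
            prefs[key] = value.strip()
    return prefs

def ports_in_range(spec):
    """Count distinct ports in a spec such as '1-1024' or '80,443,8000-8100'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return len(ports)

def review(prefs):
    """Return (setting, note) pairs; the rules are this example's own."""
    notes = []
    if prefs.get("safe_checks") == "yes":
        notes.append(("safe_checks", "intrusive checks are replaced by banner/version inference"))
    if prefs.get("optimize_test") == "yes":
        notes.append(("optimize_test", "plugins run only against services detected on open ports"))
    if "port_range" in prefs:
        n = ports_in_range(prefs["port_range"])
        if n < TOTAL_TCP_PORTS:
            notes.append(("port_range", f"{n} of {TOTAL_TCP_PORTS} TCP ports scanned"))
    if prefs.get("auto_update") == "no":
        notes.append(("auto_update", "plugin feed is not refreshed automatically"))
    return notes

if __name__ == "__main__":
    for setting, note in review(parse_prefs(PREFS_TEXT)):
        print(f"{setting}: {note}")
```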
