I have always scanned from the outside in. That is, scan the external
network first with a remote penetration audit, and then scan from inside
the network. This would show to your prospective customer the
associated risks from internal and external threats. I've also
typically started the external penetration audit without using any of
the data the customer has provided me. I always attempt to find their
IP addresses via information creep. Use email headers and web server
IP's or domain registrations to attempt to find the IP range. Then use
the IP's provided to compare what information creep is out there. This
will help you evaluate how difficult it is for an attacker to target the
customer vs. just stumbling onto the vulnerability.
The first scan will show you what the script kiddies would see, the
second set of results would should you what an attacker would see if
they are inside the network either through an inside job or some type of
threat such as a Trojan or root kit. Also, as a result of the two
reports, you can compare your data to see what your firewall/IPS and
other security controls are reporting and how well they are performing.
If you throw both results into a report you can then help your customer
with a risk assessment to deem how real an internal and external threat
is. Do they need to spend the money on implementing new controls to
mitigate risks such a Trojans, root kits and viruses? Do they need an
IDS/IPS on internal and external segments of their networks? Do they
need to throw their servers into a DMZ or secondary network? Do they
need a better firewall than a SOHO router with NAT?
Best regards,
Paul Hanson
________________________________
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of -soundlux-
Sent: Friday, April 21, 2006 8:40 AM
To: nessus@list.nessus.org
Subject: RE: Effective Location For The Scan ---- What is the
minimumrequirement to insure scans are not distorted.
I appreciate the feedback so far...
But assuming that they insist that the Nessus scan must be run from
outside the firewall, the question is:
Is there configuration setting/requirement that must exist on the the
firewall (or any other security appliance) to ensure that Nessus scans
from a box outside the firewall won't be block or the resultant scan
results wont't be distorted?
I will appreciate continued feedback.
Len
Jay Jacobson <jay@edgeos.com> wrote:
[snip]
My research indicated that the threat was greatest from
insiders, so my suggested approach was to require that the scans be
ran
from inside the network ( specifically behind the firewall.)
Other will argue that the scans should be ran from outside the
firewall since the threats are mainly external.
[snip]
I agree with most of the thoughts on this thread, but thus far the
replies
have all missed a very critical point. When considering external or
internal scanning, the real answer is BOTH.
A network device (router, IDS, whatever), or even the target host, may
react very differently depending on the source of the scan and the
architecture of the network between the scanner and the target. It is
very
possible to scan the same target from both the inside and the outside,
and
get two very different results.
~Jay
--
..
.. Jay Jacobson
.. Edgeos, Inc. - 480.961.5996 - http://www.edgeos.com
..
.. Private-Labeled Managed Vulnerability Assessment Services
..
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
________________________________
Celebrate Earth Day everyday! Discover 10 things you can do to help slow
climate change. Yahoo! Earth Day
<http://us.rd.yahoo.com/mail_us/taglines/earthday/*http:/earth.yahoo.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
