Network Security Nessus-Users
Re: Problems scanning across firewalls, Nessus 3.0.4

Subject: Re: Problems scanning across firewalls, Nessus 3.0.4
Date: Fri, 26 Jan 2007 07:10:38 -0500
From the experience I have, many firewalls behave poorly when Nessus hits
them.

It sounds like what you are seeing is a drop-and-retry problem, where the
host behind the firewall never gives a response back, not even a rejection,
and this causes Nessus to retry. It'll retry several times, and your
firewall is forced to deal with it every time, and it ramps up the CPU or
fills a queue on the firewall.

Recently, I ran into a Cisco firewall-on-a-blade when scanning. Several
networks were behind this firewall, and one of them was known by the
firewall, but was disconnected. This caused the CPU on the firewall to ramp
up, as it had to write out logs. Even with the logging turned off, it kicked
the CPU up to 70%.

What we did was to put a Nessus scanner behind each of the major firewalls
in our facilities. Then the scanning traffic doesn't cross it. We put in
some allow and deny rules to further prevent accidents (we had some of
those).

Sometimes we will scan across, and generally we have to turn it way down.
We might also turn off the port scan, which seems to work all right. Another
option would be to run an nmap scan first, in a very slow setting, and then
import the results into Nessus.

I hope this helps.

On 1/26/07, Knut Hellebø <Knut.Hellebo@nho.hydro.com> wrote:

Regards, I have two questions regarding Nessus scanning across firewalls. We have experienced network congestion/slowness when running Nessus inside a firewall-protected network against hosts on the "other side". We use Nessus 3.0.4 and did not enable the nmap wrapper, i.e. using Nessus's internal port scanner to scan all ports (65535). We limited checks to 5 simultaneous hosts, 5 simultaneous checks. We also turned on throttle scan and network congestion detection. Even though these precautions were taken, the network suffered. Apparently this was caused by ports being held open for too long during the scanning period, making the firewall drop old connections. Unfortunately I cannot reveal further details. Is Nessus 3 this intrusive? What can be done to further limit network impact when testing across firewalls?
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus




--
Doug Nordwall
Unix, Network, and Security Administrator
Noise proves nothing. Often a hen who has merely laid an egg cackles as if
she laid an asteroid. -- Mark Twain
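A small model of the drop-and-retry effect described in the reply above, added here as an illustration; it is not code from the thread or from Nessus, and the scheduling (a fixed number of probe slots, each working through its ports in turn), retransmission count, retry interval and firewall idle timeout are all assumed values.

```python
"""Why a firewall that silently drops probes suffers more than one whose
hosts answer: each probe opens a state-table entry on the firewall.  If the
host answers (SYN/ACK or RST) the entry is released at once; if nothing
comes back, the scanner retransmits and the entry lingers until the
firewall's idle timeout.  The model below (assumed scheduling, constructed
values) reports the peak number of concurrent entries and the packets the
firewall has to forward for one scanned host."""


def probe_intervals(ports, parallel, retries, rto, fw_timeout, rtt, answered):
    """Return (list of (start, end) state-entry lifetimes, packets forwarded).

    parallel  -- probes in flight at once (Nessus "simultaneous checks")
    retries   -- retransmissions after the first SYN when no answer comes
    rto       -- seconds between retransmissions
    fw_timeout-- firewall idle timeout for an entry that never sees a reply
    rtt       -- round trip to a host that does answer
    """
    intervals, packets = [], 0
    for slot in range(parallel):
        t = 0.0
        share = ports // parallel + (1 if slot < ports % parallel else 0)
        for _ in range(share):
            if answered:
                # SYN out, reply back: entry closed, next probe starts
                intervals.append((t, t + rtt))
                packets += 2
                t += rtt
            else:
                # SYN plus retransmits all forwarded, none answered; the entry
                # only idles out fw_timeout seconds after the last retry
                gave_up = t + retries * rto
                intervals.append((t, gave_up + fw_timeout))
                packets += 1 + retries
                t = gave_up
    return intervals, packets


def peak_concurrent(intervals):
    """Sweep-line count of the most entries alive at any instant
    (an entry ending at t is released before one starting at t)."""
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    live = peak = 0
    for _, delta in events:
        live += delta
        peak = max(peak, live)
    return peak


def compare(ports=100, parallel=5, retries=2, rto=1.0, fw_timeout=30.0, rtt=0.01):
    """Return {'answered': (peak, packets), 'dropped': (peak, packets)}."""
    out = {}
    for name, ans in (("answered", True), ("dropped", False)):
        iv, pk = probe_intervals(ports, parallel, retries, rto, fw_timeout, rtt, ans)
        out[name] = (peak_concurrent(iv), pk)
    return out
```

With the constructed defaults the same 100-port scan holds 5 state entries at its peak when hosts answer and 80 when they are silently dropped, which is the "ports held open" symptom the question describes.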