Knut Hellebø wrote:
Regards,
I have two questions regarding Nessus scanning across firewalls. We have
experienced network congestion/slowness when running Nessus inside a
firewall protected network against hosts on the "other side". We use
Nessus 3.0.4 and did not enable the nmap wrapper, ie using Nessus
internal port scanner to scan all ports (65535). We limited checks to 5
simultaneous hosts, 5 simultaneous checks. We also turned on throttle
scan and network congestion detection. Even though these precautions
were taken, the network suffered. Apparently this was caused by ports
being held open for too long during the scanning period, making the
firewall drop old connections. Unfortunately I cannot reveal further
details. Is Nessus 3 this intrusive ? What can be done to further limit
network impact when testing across firewalls ?
The question may be how well your firewall can handle separate
connections attempts from a node inside your network to the outside. If
you are scanning multiple hosts "outside" your firewall and doing
network address translation, your firewall has to track these
connections. 65k ports for each scanned host can quickly fill up a low
end firewall's NAT list. Also if your firewall is "logging" successful
connections, you may have a bottle neck there as each outbound attempt
may incur a write to a hard drive.
Try scanning less ports.
Try putting your Nessus scanner outside the firewall.
Read this Tenable blog post:
Using Nessus to Scan a Host Behind a Firewall
http://blog.tenablesecurity.com/2006/08/using_nessus_to.html
Ron Gula, CTO
Tenable Network Security
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
