Considerations for Vulnerability Scanning

Now that you fully understand all the options, you are ready to start scanning. But before you let loose with the packets, here are a few words on responsible scanning. While I have mentioned some of these issues in Chapter 4, there are additional considerations for vulnerability testing. Port scanning is a fairly innocuous activity, although it is annoying when you see the activity showing up in your logs. Vulnerability testing, however, can be quite a bit more disruptive, crashing servers, taking down Internet connections, or even deleting data (for example, the Integrist test). Many of the Nessus tests are specifically designed to cause a denial-of-service attack. Even with the safe checks option turned on, the tests can cause problems with some systems. There are several morals to this story.

Scan with Permission

You should never scan a network that is not under your direct control or if you don't have explicit permission from the owner. Some of the activity initiated by Nessus could be legally considered hacking (especially with the denial-of-service checks turned on). Unless you want to take the chance of being criminally charged, sued civilly, or having a complaint lodged against you by your ISP, you should always scan with permission. Noncompany outsiders such as consultants should make sure to obtain written permission with all the legal disclaimers necessary. There is a sample waiver form in Appendix D. Internal personnel should make sure they have authority to scan all the machines in the range they are scanning. Coordinate with other departmental personnel as necessary, such as firewall administrators and security staff.

Make Sure All Your Backups Are Current

You should always make sure your backups are current anyway, but it is doubly important when vulnerability scanning, just in case the scan causes a problem with a server. Doing a Nessus scan right after you run backups will ensure that you can restore the most current version. But also make sure you aren't running your scan during a backup. Not only could you cause a corruption of your backup data, but both processes will slow to a crawl.

Time Your Scan

Along the lines of the last comment, make sure you coordinate your scan to get the results you want with minimal impact on other employees. Scanning the mail server at 8:00 a.m. when everyone is getting their e-mail will probably not make you very popular with the staff. Schedule scans on always-up servers for off-hours, and be sure to avoid overlapping with other system administration and general activity levels (scanning an accountant's network on April 14^th is not a good idea). If you are scanning internal machines, you will probably want to do it during the day unless you can arrange for everyone to leave their machines on at the end of the day. The best time to do it during business hours is generally around the lunch hour, as a minimal number of people will be using the network.

Don't Scan Excessively

Schedule your scans as often as you feel is necessary, but don't automatically think that nightly scans are going to make your network more secure. If you can't interpret and respond to scan reports on a daily basis, then don't do the scan; all it will do is put additional traffic on your network. Base your frequency on the capability of your staff to deal with the results. I recommend doing it at least once a month, but if you have a particularly busy network, you may want to do it weekly. Similarly, if you have a very small external network, you may feel comfortable with quarterly scans. Daily scans are probably excessive unless you have dedicated staff to handle the remediation work. If you have that much need for up-to-the minute protection, then use an intrusion detection system to supplement your vulnerability testing.

Place Your Scan Server Appropriately

If you want a true test of your external vulnerability (from the Internet), you should make sure your Nessus server is located outside your firewall. This can be on a home Internet connection, at a data center that is outside your company network, or at another company (perhaps you can negotiate a trade to use another company's facilities for scanning and let them use yours for the same). Remember, because of the Nessus client-server architecture, you can still control your scans from inside your firewall. Just make sure you enable the SSL support so communications between your client and the server are encrypted.

If you are scanning your internal network, your server will have to be located inside your firewall. Loading Nessus on a laptop can facilitate doing scans from both inside and outside your network without requiring multiple machines.