[unisog] Automated vulnerability tests upon host to network attachment

Gary Flynn flynngn at jmu.edu
Thu May 15 18:47:44 GMT 2003

Valdis.Kletnieks at vt.edu wrote:

> Now if you have the technical clue and hardware to back it up, *this* would
> be an interesting scenario:
> 1) When a new MAC/IP address is seen, you by default block it at the router
> level, so it can't be seen or talk to hosts off the subnet - with punchouts
> for the local DNS server and a local server that mirrors MS, RedHat, etc
> patches.
> 2) Once patched off your local server, the admin visits a local webpage that
> kicks off a vulnerability scan.
> 3) Once it passes the scan, the passing report causes more router magic that
> then lets the box talk to the rest of the net.

This would probably be fairly easy for those schools
implementing registration systems for new computers
based on vlans, DHCP, and/or 802.1x. Instead of just
registering the computer, the system would scan it
too. The only things needing to be added would be
the logic on the web server to kick off the scan if
the user is ready to register, the scanner, the
scanner scripts to automate the process, and
the network access controls widened to allow the
scanner access to the restricted vlan/address set.

Of course, the resulting delay and confusion may make
fall startup in the residence halls a bit dicey. :)

I've never met a vulnerability scanner whose default
reports didn't include nonsense, lies, and/or incomplete,
misleading, and/or irrelevant information. Certainly not
usable by the typical end user without severe massaging.
You'd have to limit the scan tests to those known to be:

1) accurate
2) relevant
3) important
4) with solutions that could be implemented by the
    end user

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
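The quarantine-then-scan gate discussed in this thread, as an added Python sketch that is not from the original post or from any real registration system; the test IDs, remediation text and punchout addresses are constructed placeholders, and the vetted-test allowlist is how the "accurate, relevant, important, user-fixable" filter is modelled here:

```python
from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    QUARANTINE = "quarantine"  # new MAC/IP: only local DNS and the patch mirror reachable
    FULL = "full"              # passed the scan: may talk to the rest of the net

# Constructed placeholders: local DNS server and local patch mirror (the "punchouts").
PUNCHOUTS = ("10.0.0.53", "10.0.0.80")

@dataclass(frozen=True)
class VettedTest:
    title: str
    important: bool   # worth withholding network access over
    user_fix: str     # remediation an end user can actually carry out

# Only tests reviewed as accurate and relevant for the campus are listed; anything else
# the scanner reports is treated as noise. IDs and texts are illustrative, not real plugins.
VETTED = {
    "T-0001": VettedTest("Missing operating system patches", True,
                         "Run the updater against the local patch mirror, then rescan."),
    "T-0002": VettedTest("File sharing open to everyone", True,
                         "Disable file sharing or require a password on the share."),
    "T-0003": VettedTest("Web server banner reveals version", False,
                         "Optional: configure the server to hide its version banner."),
}

def triage(raw_findings):
    """Split raw scanner test IDs into blocking items and informational ones."""
    blocking, info = [], []
    for test_id in raw_findings:
        test = VETTED.get(test_id)
        if test is None:
            continue  # unvetted test: never shown to the end user, never blocks access
        (blocking if test.important else info).append((test_id, test))
    return blocking, info

def decide(raw_findings):
    """Access level the registration web page should request from the router."""
    blocking, _ = triage(raw_findings)
    return Access.FULL if not blocking else Access.QUARANTINE

def user_report(raw_findings):
    """End-user report: each line names the problem and a fix the user can apply."""
    blocking, info = triage(raw_findings)
    return ([f"[FIX] {t.title}: {t.user_fix}" for _, t in blocking]
            + [f"[info] {t.title}: {t.user_fix}" for _, t in info])

def quarantine_acl(host_ip):
    """Router rules for a quarantined host: deny everything except the punchouts."""
    return [f"permit ip host {host_ip} host {dst}" for dst in PUNCHOUTS] + \
           [f"deny ip host {host_ip} any"]
```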
