[unisog] OS Vuln Scanners
Stephen John Smoogen
smooge at unm.edu
Wed May 7 19:18:10 GMT 2008
Nipper, Johnny R. wrote:
> Hello all,
> We are a new security department in the beginning stages of discovering vulnerabilities as well as rogue servers on our network. We are discovering as we go and learning from our mistakes. One issue we are tackling is departmental servers outside of our central IT. We do not have a comprehensive list of every system. I have been using different techniques for discovering servers and working with each administrator individually to do routine scans. Recently we began running Nessus on the entire network one subnet at a time. During this time, systems have crashed with our "safe scan" option set. This undoubtedly helps us discover systems as well as vulnerabilities, but in the meantime this causes issues. We would like to notify departmental administrators prior to each scan. Our issue is, we did not previously know about these systems.
> We have already sent out a communiqué with a protocol for every administrator to run scans on their system and report them to the security department. The ones that are having issues now are systems that were not disclosed during our initial request several months ago.
> How would everyone tackle this situation? Would you send out a communication to the entire campus in advance for all scans? When would you run your scans? Do you make this part of your change control procedure? Any help would be very appreciated.
At my former job, my first step is to get mac addresses and ip addresses
showing up on the border routers and switches to departments. This can
give an idea on how many systems there are and what is out there. Then
we would do an nmap scan of the subnet to get an idea of what was there
that might not be seen on the routers/etc.. correlate the two to see
what works better and faster for a network.
After that, we would get a working plan of what networks were to be
scanned, in what order and what we were going to possibly see. We would
then send out notices to those departments with what nmap found and let
them know when the 'authorized' nessus scan would occur. This usually
got the "oh craps don't scan our entire network" emails which we would
then work through the proper political channels to get it either down to
specific hosts, or similar agreements (well we are happy to give up
our funds for X for you not scanning us.), etc.
Stephen Smoogen -- ITS/Linux Administrator
MSC02 1520 1 University of New Mexico Albuquerque, NM 87131-0001
Phone: (505) 277-8219 Email: smooge at unm.edu
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
More information about the unisog