Sunday, February 28, 2010

Vulnerabilities scanners architecture in big enterprise

Let's talk about vulnerabilities scanners within corporate security infrastructure. Everybody knows that vulnerability identification is one of the major component of security risk management process. So we must be sure that information about vulnerabilities is correct and up to date .
It's easy when you scan the network from your own laptop and use direct connection to the target system. But what about huge corporate network with a lot of routers, firewalls and packet filters between you and target system?
First of all you must install multiply instances of vulnerabilities scanners across the network. why you should avoid to use one scanner for all network ?
- compromising this scanner will give possibilities to attacker easily get access to all hosts. (For same scanner it's snap - IBM ISS internet scanner only works on Windows XP SP1 , so the scanner is vulnerable himself. )
- scanning through the firewalls will impact to the scan performance and could produce firewall cpu overload.
-low accuracy of the scans results (firewalls, routers and packets filters between scanner and the target can distort the scan )
So, does installing multiply scanner fix all problems? Sure thing, not. What about scan accuracy? It's depends of scanners and network configuration. So, if you would like to get trusted result you must be sure in scanner and network configuration before run each scan. It is not easy and can consume a lot of time without any warranty. How to solve this problem? Just do the same as engineers do for the precision instruments - calibrate them using master or template.
I recommend to use a bunch of calibration systems and allocate them across the network. It could be virtual systems based on well known vulnerable distributive such as Damn Vulnerable Linux or simple unpatched Windows with a test services running.
So, before scan the target system you must choose nearest calibration system, scan it and check result for accuracy. From my experience it's very important to do this because often even very famous vulnerabilities scanners fail during simple scan.

No comments:

Post a Comment