What’s the easiest way to audit my domain for Internet-facing remote access services so we can make sure we’re not vulnerable? Is a tool like Nmap the way to go?
Ask the Expert!
There are a few ways to audit your domain for Internet-facing remote access services. If you’re looking to audit your network perimeter with free tools, then something like Nmap is the way to go. Do your research before firing away at your perimeter with a port scanner, though: scan from outside your network, since that is the view an attacker has; get permission from your superiors in writing first; and throttle the scan so you don’t inadvertently create a denial of service by pummeling the perimeter with probes. Also, when using Nmap, fingerprint the open ports you find to determine what’s actually listening behind them. Nmap’s -sV option (service/version detection) will often identify the application listening on a port regardless of the port number. This comes in handy when someone is running a remote access service on a non-standard port to get it out through your firewall: a plain port scan reports port 2222 as an unknown open port, while -sV reports it as SSH and usually names the server software too.
Another tool that’s commonly recommended for auditing remote access services is Nessus. It has multiple plug-ins that can scan your ports and determine whether particular remote access services are running. Unlike Nmap, though, Nessus will also tell you whether a specific vulnerability in one of those services could allow remote access into your organization unintentionally. Nessus looks for vulnerabilities, whereas Nmap gives you hard facts as to what’s listening in your environment, so use the Nmap results to confirm what Nessus reports rather than trusting either tool alone. There are many other tools that could be used, but these two are common. Note that while Nmap is free, Nessus is free only for home (non-commercial) use; scanning a company network requires a paid subscription.
Another way to reduce your exposure to rogue remote access services is to lock down what’s allowed to leave your organization. Many people still don’t perform egress filtering on their firewalls, yet it is one of the most effective ways to stop botnets, misconfigured hosts and malicious insiders from opening outbound connections that then let an attacker in; a reverse shell or remote access tool dialing out is how a machine behind an inbound-only firewall ends up reachable from the Internet. Also, inspecting the traffic you do allow out with an IPS or next-gen firewall (NGFW) lets you catch malicious use of permitted ports. Many times, attackers take advantage of normally open ports, such as port 80 and port 443, to transmit data out of your network without you noticing.
Use the tools at hand to tighten what’s currently open on your network, then audit which systems and users are allowed to leave your network and on what ports. There is little reason for user workstations to reach the external network on anything but HTTP or HTTPS; DNS and mail, for example, should go through your internal resolvers and relays rather than straight out. There are exceptions to the rule of course, but generally, if you limit access internally and lock down externally, you’ll make great strides toward securing your perimeter.
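The two checks described in this answer, flagging remote access services in Nmap -sV results (including ones hiding on non-standard ports) and auditing which workstations leave the network on something other than web ports, as an added shell/awk example that is not part of the original column. The scan output, the firewall log lines, the workstation subnet 10.1.2.0/24, the list of service names and the output file name are all constructed assumptions for illustration; only the perimeter_scan function actually calls nmap, and it is left for the operator to run.

```shell
#!/bin/sh
# Added example (not from the original column): two audit helpers in POSIX sh/awk.
#  1. flag_remote_access: read Nmap grepable output (-oG) and list open ports whose
#     -sV fingerprint is a remote access service, whatever the port number.
#  2. audit_egress: read netfilter LOG lines and list workstation connections
#     leaving on ports other than the ones the firewall should allow.
# Service names, subnet, port list and all sample data below are constructed.

# Names Nmap assigns to common remote access protocols (ms-wbt-server is RDP;
# shell, login and exec are Nmap's names for rsh, rlogin and rexec).
REMOTE_ACCESS_SERVICES="ssh telnet ms-wbt-server vnc pptp x11 shell login exec"

# Run from OUTSIDE the perimeter, with written permission. -Pn skips the ping
# most perimeters drop, -p- covers all 65535 TCP ports, -sV fingerprints each
# listener, and --max-rate caps packets per second so the scan cannot double
# as a denial of service. The output file name is an assumption.
perimeter_scan() {
    nmap -Pn -p- -sV --max-rate 50 -oG perimeter.gnmap "$@"
}

# Parse -oG lines of the form
#   Host: addr (name)<TAB>Ports: port/state/proto/owner/service/rpc/version/, ...
flag_remote_access() {
    awk -F'\t' -v list="$REMOTE_ACCESS_SERVICES" '
    BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) want[names[i]] = 1 }
    /^Host:/ {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        for (f = 2; f <= NF; f++) {
            if ($f !~ /^Ports: /) continue
            ports = $f; sub(/^Ports: /, "", ports)
            m = split(ports, entry, ", ")
            for (j = 1; j <= m; j++) {
                split(entry[j], p, "/")  # p[1]=port p[2]=state p[3]=proto p[5]=service p[7]=version
                if (p[2] != "open") continue
                svc = p[5]; sub(/^.*[|]/, "", svc)   # "ssl|ssh" (tunnelled) -> "ssh"
                if (svc in want)
                    printf "%s %s/%s %s %s\n", host, p[1], p[3], svc, (p[7] == "" ? "-" : p[7])
            }
        }
    }'
}

WORKSTATION_PREFIX="10.1.2."    # constructed: the user workstation subnet
ALLOWED_EGRESS_PORTS="80 443"   # the only ports workstations should leave on

# Parse netfilter LOG lines (SRC= DST= PROTO= DPT= ...) and count, per source,
# destination and port, the workstation flows that are not plain web traffic.
audit_egress() {
    awk -v prefix="$WORKSTATION_PREFIX" -v allowed="$ALLOWED_EGRESS_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src == "" || dpt == "") next
        if (index(src, prefix) != 1) next   # not a workstation source
        if (dpt in ok) next                 # expected web traffic
        count[src " " dst " " proto "/" dpt]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Constructed sample of Nmap -oG output for two perimeter hosts.
sample_scan() {
    printf 'Host: 203.0.113.10 (vpn.example.com)\tStatus: Up\n'
    printf 'Host: 203.0.113.10 (vpn.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 443/open/tcp//http//Apache httpd 2.2.22/\tIgnored State: closed (998)\n'
    printf 'Host: 203.0.113.11 ()\tPorts: 2222/open/tcp//ssh//Dropbear sshd 0.52 (protocol 2.0)/, 8443/open/tcp//ssl|http//Microsoft IIS httpd 7.5/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/, 23/filtered/tcp//telnet///\tIgnored State: closed (996)\n'
}

# Constructed sample of netfilter LOG output for connections leaving the firewall.
sample_egress_log() {
    cat <<'EOF'
Jun  4 09:12:01 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=198.51.100.7 PROTO=TCP SPT=49152 DPT=443 SYN
Jun  4 09:12:05 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.99 PROTO=TCP SPT=49153 DPT=4444 SYN
Jun  4 09:12:09 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.77 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=22 SYN
Jun  4 09:12:11 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.5.10 DST=192.0.2.20 PROTO=TCP SPT=40000 DPT=25 SYN
Jun  4 09:12:15 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.51 DST=198.51.100.7 PROTO=TCP SPT=49154 DPT=80 SYN
Jun  4 09:12:20 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.60 DST=192.0.2.53 PROTO=UDP SPT=5353 DPT=53
Jun  4 09:13:02 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.99 PROTO=TCP SPT=49160 DPT=4444 SYN
EOF
}

echo "Remote access services in the sample scan (host port service version):"
sample_scan | flag_remote_access
echo "Workstation egress outside 80/443 in the sample log (src dst proto/port count):"
sample_egress_log | audit_egress
```

Against real data, replace the two sample functions with `flag_remote_access < perimeter.gnmap` and `grep EGRESS /var/log/kern.log | audit_egress` (the log prefix is whatever your LOG rule sets). The scan parser deliberately keys on the -sV service name rather than the port, which is what catches the SSH daemon on 2222 in the sample; the egress audit flags the direct-to-Internet DNS from a workstation as well as the repeated connections to port 4444, both of which a firewall that only filters inbound traffic would never show you.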
This was first published in June 2012