Getting the best bargain on network vulnerability scanning

Enterprise-class vulnerability scanning systems, such as Qualys Inc.'s QualysGuard and Tenable Network Security's Security Center, offer many advantages over freely available security tools. They often combine database-driven, trend-tracking capabilities with reporting facilities designed to meet the demands of both technical professionals and executive management. However, the products often come with a hefty price tag based upon the number of IP addresses covered by their licenses. In larger installations, the cost of implementing such a system may quickly rise into the low six figures.

For the vast majority of networks, widespread deployment of an expensive scanning product is overkill; security dollars are better spent elsewhere. These systems provide value, but I instead advocate a hybrid model: use an expensive tool where it delivers the most value, and deploy an open-source one for the vast majority of the network. I've seen several organizations successfully implement a combined approach to optimize use of security resources.

For more information Michael Cobb examines how a solid application vulnerability scanner can be a valuable part of an enterprise's development strategy. Need more help with Nmap? Learn how to scan ports and services. Find out the top five freeware tools that can spot your network vulnerabilities.

Why do multiple vulnerability scanners work?
On most networks, productivity workstations comprise the bulk of network-connected computers. In many organizations, security configuration standards limit the network exposure of those systems to a very small set of ports -- if any at all! If you run a network vulnerability scan against a system configured in this manner, it's merely confirming that the firewall is functioning properly. This verification is valuable, but there's a cheaper way to accomplish the same objective: use the time-tested tool that holds a place of honor in every security practitioner's toolkit: Nmap.

The hybrid approach to vulnerability scanning requires the prioritization of assets into two groups: servers and workstations. (Alternatively, you could divide them into categories based upon other value-ranking criteria: strength of data assets, importance of operating system, or anything that makes sense in your business environment.) Use a commercial scanning tool to keep tabs on your high-value server assets. They're a more likely source of potential exposures, as they're intended to offer services to other systems.

Meanwhile, use Nmap to handle the remaining workstations and lower-value assets. Write a simple script that periodically runs Nmap scans against your network, finds open ports, and stores the results in a database. You can use the language of your choice, but I prefer to use Perl and the free Nmap::Scanner library. Here's the pseudocode to scan a network:

1. Start an Nmap scan of the system, using parameters tuned for your environment.
2. Remove any ports from the results that are part of your standard workstation build, such as remote administration ports.
3. Retrieve prior scan results from the database and remove any ports from the results that were previously reported.
4. If any ports remain in the results, report them to the administrator to either accept or investigate.
5. Move on to the next system.

Once you've done this a couple of times, you should have a pretty stable baseline. There should be only occasional reports, most likely the result of a system exposing a new service that differs from the baseline build. When this occurs, examine the system and determine which of three cases applies:

1. The system is actually a server and should be added to the enterprise scanner.
2. The system is a workstation that is not authorized to offer the service and should be remediated.
3. The system is a workstation that is authorized to offer the service, and this should be noted in the database to prevent future false positive reports.

With this approach, it Is possible to miss a vulnerability on a workstation. Nmap doesn't perform vulnerability assessment; it's only a port scanner. If something more sophisticated is needed to spot flaws, consider using an automated Nessus-based approach instead. However, this open-source and commercial product combination will surely satisfy the Pareto principle, allowing you to achieve many of the enterprise scanning system benefits for a fraction of the cost.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities Screencast: Recovering lost data with WinHex How to build security into a virtualized server environment How to install and configure Nessus How to run a Nessus system scan Nessus: Vulnerability scanning in the enterprise Screencast: An introduction to the Open Source Security Testing Methodology Manual (OSSTMM) Understanding multifactor authentication features in IAM suites Network intrusion prevention systems: Should enterprises deploy now? Webmail security: Best practices for data protection Open Source Security Tools Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities What are best practices for creating an IDS and maintaining a signature database? How to install and configure Nessus How to run a Nessus system scan Nessus: Vulnerability scanning in the enterprise Nessus 3 Tutorial Screencasts: On-screen demonstrations of today's IT tools Screencast: An introduction to the Open Source Security Testing Methodology Manual (OSSTMM) Ophcrack: Password cracking made easy Will Cisco's plan to open access to the IOS improve network security? Network Scanning What are the best ways to hide system information from network scanning software? How to run a Nessus system scan Nessus: Vulnerability scanning in the enterprise Nessus 3 Tutorial Screencast: Using Nessus to scan for vulnerabilities Web scanning and reporting best practices Can a firewall alone effectively block port-scanning activity? PING: Fyodor Juniper UAC to deliver Shavlik patch management technology Sourcefire, Nmap deal to open vulnerability scanning RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Back Orifice  (SearchSecurity.com) Blowfish  (SearchSecurity.com) Kermit  (SearchSecurity.com) Open Source Hardening Project  (SearchSecurity.com) Snort  (SearchSecurity.com) SnortSnarf  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.