Vulnerability scanning is a process of remotely examining hosts on a network for known, detectable vulnerabilities and misconfigurations. The types of vulnerabilities found depend on the scanner used, the way the scanner is configured (the "scan policy"), and the amount of information the target host or network reveals to the scanner. In a typical network vulnerability scan, the scanner will attempt to connect to hosts in the target network in various ways to determine which ones are responsive ("host discovery"). Discovered hosts are subsequently interrogated to find open ports for the scanner to probe ("port scanning"). Any open ports will be tested for specific vulnerabilities that match the type of service detected on that port. Since many tests rely on self-reporting by the host (such as software version numbers reported by the host), there is a potential for false positives and false negatives in any scan. One way to address this is through credentialed scanning, where the scanner is provided with an account to log in to the target host and directly query the status and configuration of the operating system and installed software.
Monthly Scanning Service
IIA offers a free monthly scanning service to units that would like regular scans of their networks without the cost of maintaining their own local scanning infrastructure. This service is an appropriate option for networks that are accessible from campus, or where the scanner can be allowed through a firewall.
Scans for Recent Vulnerabilities
IIA occasionally performs very narrowly-targeted scans of all campus networks to find high-risk vulnerabilities that pose an imminent threat. When this occurs, an e-mail notification will be sent to network administration lists such as FLN to advise of the scope and timing of the scan.
IIA performs network vulnerability scans using the Nessus vulnerability scanner. Scans are generally performed from hosts with "iia-scanner" in the name for easy identification. When campus-wide scans are performed, every effort will be made to notify network owners in advance. Units that observe unexpected scan traffic may contact firstname.lastname@example.org with the relevant source and target IP address to determine whether an IIA scan is the root cause.
IIA does not provide licenses to units for specific vulnerability scanners. If a unit would like to perform regular vulnerability scans, we recommend first evaluating the IIA monthly scanning service to see if it will meet those needs.
For units that wish to obtain a scanner for RECON security tests or small ad-hoc scans:
IIA recommends using the Retina Community Edition vulnerability scanner, which can be used for network vulnerability scans of up to 32 IP addresses at a time. Retina Community Edition can be downloaded from eEye Digital Security. The product is free, but completing a registration process prior to download is required.
For units that wish to perform scans of large private networks:
IIA recommends the Nessus vulnerability scanner. The Nessus scanner can be downloaded and installed for free, but requires the purchase of a ProfessionalFeed subscription to obtain access to the plugins that check for vulnerabilities. A one-year subscription is $1,200 and can be purchased through Tenable Network Security.
The monthly scanning service is free to U-M units, and offers:
Units may use the service to scan U-M-owned networks that are reachable from IIA's scanning server. For networks that are not normally reachable due to a firewall, an exception would need to be created for the scanner in order to obtain full visibility of the target network.
To request a scan, contact email@example.com, and include the following information:
A default scan policy will be provided as a starting point for the scan configuration. Units may supply their own Nessus scan policy if desired.
How is the monthly scanning service different from the quarterly vulnerability scan performed by IIA?
The quarterly vulnerability scan looks at the entire U-M network space from an external Internet location. It was designed to test for a subset of vulnerabilities that are remotely exploitable, require no authentication, impact confidentiality or integrity, and are considered high or medium in severity. In addition, the quarterly scan only checks a list of commonly-observed ports to find services to test, and is performed from an Internet address outside of the campus network (which limits the scanner's visibility). Since the quarterly scan is performed on a very large scale from the Internet, it cannot provide as accurate a vulnerability assessment as one generated by a more local customized scan. By contrast, the monthly scan by default runs all safe tests available in Nessus, probes a much larger number of ports, and is conducted from a server on the campus network.
Staff eligible to request a monthly scan must be listed as an owner, administrator, or contact for the target network in the NetInfo database.
Any U-M-owned network can be scanned. Any type of host or device that is assigned an IPv4 address on the target network can be scanned, although the level of testing possible will depend on the specifics of the host. At this time, we do not offer IPv6 scanning or scanning of U-M-owned hosts that reside on non-U-M networks (such as at other universities or in third-party data centers).
While most units choose to have scans recur monthly, in practice you may request your scan to run at any frequency you choose.
As of August 2011, IIA uses version 4.4.1 of the Nessus vulnerability scanner.
I have heard that scans sometimes cause problems on the hosts/networks targeted by the scanner. How can I reduce the risk of this happening?
Hosts sometimes react in unexpected ways when scanned. Scanning commonly causes a negative impact on:
IIA's default scan policy is configured to stop scanning hosts if the scanner identifies them as printers or Netware devices. For other types of devices listed above, the scan policy can be modified to scan more slowly overall or exclude specific IP addresses from the scan. Running one or more test scans during off-peak hours may help determine if there are hosts that will be adversely impacted. IIA will work with subscribers to determine the best unit-specific scanning option.
Yes! However, if you want the scanner to have full visibility into your network, you will need to add an exception for the scanner's IP address. A special policy will be developed for your scan that accounts for crossing the firewall, and testing will take place in advance of scheduling your scan to mitigate the risk of performance degradation while scanning.
The scan policy can be configured to your needs. When making your request for a new scan, include details of your requirements, and the analyst assigned to assist will determine whether Nessus is able to support those natively.
An non-credentialed baseline policy is used as a starting point for new scans that enables all safe tests (plugins), discovers hosts with a TCP and ICMP ping scan, performs a TCP port scan and an SNMP scan, enables CGI scanning, and uses conservative defaults for most settings. From there, IIA can configure the policy to fit your needs.
The default scan policy does not include credentialed scanning, compliance checks (such as for PCI-DSS), or web application tests. If you are interested in any of these options, be sure to note it in your scan request.
Credentialed scanning is supported. We recommend credentialed scans in cases where the impact of non-credentialed scanning to the network or host would be undesirable. Credentialed scans may also be preferred on hosts that have few ports/services open, or when determining the status of installed client software is a priority.
The scanning service is not a good fit if you wish to scan networks that are not visible (i.e., not routable) from the scanner, which is located in the ASB data center.
To view a sample vulnerability scan (actual IP addresses have been removed), click here.
For questions or help with troubleshooting, contact firstname.lastname@example.org.
|Last modified January 24, 2013|