Two views of security and vulnerability scanners

July 12, 2023

In my entry on how web servers should refuse requests for random URLs, I mentioned that we have an open source security and vulnerability scanner. Among the reactions I saw to that entry were people who felt that such scanners are basically a bad idea, and in thinking about the issue I've decided that I can see two views of such scanners.

Some people have a heavily controlled and locked down environment. They know every machine on the network and every service that's supposed to be running on every machine, and they have controls that enforce that (such as 'default deny' host firewalls, so that a surprise service can't be connected to). For these people, a security scanner is extremely unlikely to discover any actual surprises; there are (or should be) no surprise hosts, no surprise services, no surprise vulnerabilities on services, and so on. Everything a security scanner reports is extremely likely to be either a false positive or something that's already known about (and sometimes both at once).

This is not our environment, which is an increasingly unusual one. Our overall network has an assortment of machines running an assortment of services, operated by an assortment of people, and internally things are mostly not locked down at the per-host level. Where we have firewall rules that block inbound traffic, they can be complex, with interactions we may not have foreseen, and anyway machines and their uses can come and go, with new machines quietly inheriting the IP addresses and firewall policies of old ones.

In our environment I think of internal and external security scans as a useful cross check that verifies the actual reality against our assumptions. We certainly shouldn't have anything real exposed and vulnerable, but theory is not necessarily reality in an anarchic environment. Our security scanner mostly finds only unimportant things, but with its settings adjusted it's not too noisy, and the reassurance value of it not discovering any actual problems despite checking is worth the noise. In this sense, security scans are guards against error, as are some of our alerts.

(For our purposes, merely running port scans would be less effective and more noisy. At a minimum we'd have to build something to track what services we expect to be listening and exclude them from the results.)
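As an added example (not code from the original entry, and not from OpenVAS or any other scanner), here is the minimum "track what we expect and exclude it" step the parenthetical above describes, in Python. It parses a constructed sample of nmap's grepable (`-oG`) output, compares the open ports it sees against a hand-maintained inventory of expected listeners, and reports three kinds of drift: services listening that nobody declared, declared services that are no longer reachable (a machine went away, or a firewall rule got in the way), and hosts that answer but are not in the inventory at all. The host addresses, hostnames and the `EXPECTED` inventory are all made up for the example.

```python
import re

# Constructed sample of nmap grepable (-oG) output. Fields are tab-separated and the
# "Ports:" field lists entries as port/state/proto/owner/service/rpc/version/.
# The addresses and names below are documentation-range placeholders, not real hosts.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample, not a real run)
Host: 192.0.2.10 (web1.example.test)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.11 (db1.example.test)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)
Host: 192.0.2.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
Host: 192.0.2.13 (old-mail.example.test)\tStatus: Up
"""

# Constructed inventory of what we believe should be listening: host -> {(proto, port)}.
# In real use this would come from whatever tracks your machines and their services.
EXPECTED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22), ("tcp", 5432)},
    "192.0.2.13": {("tcp", 22), ("tcp", 25)},
}

# One "port/state/proto/owner/service/" entry; state may be "open|filtered" etc.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: {(proto, port): service}} for every host line in -oG output.

    Hosts that are up but show no open ports still get an (empty) entry, so that
    'expected service missing' can be reported for them.
    """
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = observed.setdefault(host, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for port, state, proto, service in PORT_RE.findall(field[len("Ports:"):]):
                if state == "open":  # ignore closed/filtered/open|filtered guesses
                    ports[(proto, int(port))] = service or "?"
    return observed


def reconcile(observed, expected):
    """Compare a scan against the inventory and return the three kinds of surprise."""
    unexpected = {}    # host -> {(proto, port): service} listening but not declared
    missing = {}       # host -> {(proto, port)} declared but not seen open
    unknown_hosts = set()  # hosts that responded but are absent from the inventory
    for host, ports in observed.items():
        if host not in expected:
            unknown_hosts.add(host)
            if ports:
                unexpected[host] = dict(ports)
            continue
        extra = {k: v for k, v in ports.items() if k not in expected[host]}
        if extra:
            unexpected[host] = extra
        gone = expected[host] - set(ports)
        if gone:
            missing[host] = gone
    for host, ports in expected.items():
        if host not in observed:
            missing[host] = set(ports)  # never answered at all
    return unexpected, missing, unknown_hosts


def format_report(unexpected, missing, unknown_hosts):
    """Render the surprises as one line per finding, sorted for stable diffs."""
    lines = []
    for host in sorted(unexpected):
        for (proto, port), service in sorted(unexpected[host].items()):
            tag = " (host not in inventory)" if host in unknown_hosts else ""
            lines.append(f"UNEXPECTED {host} {port}/{proto} {service}{tag}")
    for host in sorted(missing):
        for proto, port in sorted(missing[host]):
            lines.append(f"MISSING    {host} {port}/{proto}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*reconcile(parse_grepable(SCAN_OUTPUT), EXPECTED)))
```

Run as-is it flags the undeclared 8080/tcp on the database host, the unknown host answering on 3389/tcp, and both declared ports on the old mail host that no longer answers. The "missing" category is the one that catches the situation described above where a replacement machine quietly inherits an address and firewall policy: the inventory still says the old services should be there, and the scan says they are not, which is exactly the assumption-versus-reality gap a scan is supposed to expose.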

Of course, you probably have to tune the reports from your security scanner to be useful, just as you need to tune alerts. If you're operating in an environment where you can't modify what the security scanner reports and it reports pointless junk, you have at least two problems (and my sympathies).


Comments on this page:

Vulnerability scanners primarily work at the application layer, catching misconfigurations and app-level vulnerabilities where most of the risk lies, and are thus valuable even for orgs with locked-down networks.

By Opk at 2023-07-14 06:21:41:

You seem reluctant to name your Open Source security and vulnerability scanner. Does that betray that you're not especially enamored with the thing and don't want to give it publicity? At my work, managers seem to have recently come across the existence of intrusion detection systems and are wanting that installed so they can tick a box. While it'd be tempting to install literally anything and ignore the logs just to keep them happy, I am inquisitive to know what works well and what doesn't.

By cks at 2023-07-14 11:29:55:

I haven't named what we're using because I'm not all that familiar with it and the alternatives; it was chosen and set up by a co-worker, so I can't make any sort of informed comments on the options. What we currently use is OpenVAS ('Greenbone OpenVAS', which Wikipedia tells me descends through a long line of open source happenings from Nessus). It's not perfect but it seems to work okay and I don't deal with it much, except looking at the reports it generates.

Opk, I'd be a bit cautious, what Chris is talking about is not an intrusion detection system. I think you know that, but I wanted to make sure. :) There are different kinds of IDS as well, host-based and network-based. Same as with vulnerability scanners, there are a few open-source/free types, and a whole lot of commercial ones that will cost you anything from peanuts to your entire IT budget. So which is best depends on your environment, budget, which boxes bosses want ticked, and as you said, willingness/ability to look at logs and do anything based on what you find.

Rather than fill up Chris's blog here with discussion tangential to his actual post, feel free to drop me a line, mike at the domain in the URL on my post here. Always happy to talk network detection. :)

Last modified: Wed Jul 12 22:20:16 2023