Re: Vulnerability scanning across Firewall

From: Volker Tanger (vtlists@wyae.de)
Date: Mon Jun 05 2006 - 14:23:21 EDT


On 5 Jun 2006 15:24:51 -0000
tarunthenut@gmail.com wrote:

> I wanted to know if there is any concern scanning for vulnerabilities
> across firewalls.
>
> We are scanning our critical servers segment from the user LAN
> segment. The two segments are separated by a stateful firewall.

If the FW team does not know of the scan it can have quite some impact
if it is good and fast on its feet - my personal speed record: a bit
less than 10 minutes after start of scan the room's network connection
was down and security was coming through the door.

That aside you usually cannot scan for vulnerabilities that might be
hidden behind filtered ports. Well, some packet filters might not check
for interface spoofing, so you might try to idle-scan from other
network(segment)s or hosts you suspect being allowed to.

Then define "stateful firewall" - that could be anything from a simple
stateful packet filter (plain iptables) to fully-fledged dual-homed
application-level filtering-proxies. These might filter out critical
test packets, or even block you after finding that your IP means trouble
(e.g. by overstepping a threshold of maximum errors per time).

You (and the client) should be aware that you are only testing that
attack vector - the servers might still be vulnerable from another
network segment.

Automated scans often have problems properly handling/assessing
firewalled systems, so you'll probably have to run a number of manual
tests and re-program your scanners accordingly.

Good luck!

Volker

-- 
Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
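As an added illustration of the "filtered ports hide what you cannot test" point above (this is example code, not from Volker's message or any scanner vendor), here is a small Python script that reads nmap grepable (-oG) output from a scan run across a firewall and sorts each host into one of three buckets: directly reachable (open/closed answers seen, no filtering), partially filtered (some ports answered, others swallowed by the firewall and therefore untested through this path), or entirely filtered (nothing answered, so the result says nothing about the host and it has to be rescanned from another segment). The sample -oG text, the hostnames and the 10.0.10.0/29 addresses are constructed for the example and are not real scan data.

```python
"""Sort nmap -oG results for hosts scanned through a firewall by what the
scan could actually assess from this vantage point.

Example code added for illustration; not part of the original post.
"""

# Constructed sample of nmap grepable output (not real scan data): a server
# segment scanned from the user LAN through a stateful packet filter.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -p 1-1000 -oG - 10.0.10.0/29
Host: 10.0.10.1 ()\tStatus: Up
Host: 10.0.10.1 ()\tPorts: 22/filtered/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (996)
Host: 10.0.10.2 ()\tStatus: Up
Host: 10.0.10.2 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///, 443/filtered/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.10.3 ()\tStatus: Up
Host: 10.0.10.3 ()\tPorts: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (996)
# Nmap done -- 3 IP addresses (3 hosts up)
"""


def parse_grepable(text):
    """Parse -oG lines into {host: {"ports": {port: state}, "ignored": (state, count)}}.

    Each port entry in -oG is port/state/protocol/owner/service/rpc/version/,
    and ports sharing the majority state are summarised as "Ignored State".
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comments and "Nmap done" lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        entry = hosts.setdefault(host, {"ports": {}, "ignored": None})
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for item in field[len("Ports: "):].split(", "):
                    parts = item.split("/")
                    if len(parts) >= 3 and parts[0].isdigit():
                        entry["ports"][int(parts[0])] = parts[1]
            elif field.startswith("Ignored State: "):
                state, _, count = field[len("Ignored State: "):].partition(" ")
                entry["ignored"] = (state, int(count.strip("()")))
    return hosts


def classify(text):
    """Return {host: {"open": [...], "closed": [...], "filtered": [...], "verdict": str}}.

    A host that never answered (everything filtered, explicitly or via the
    ignored-state summary) is "inconclusive_filtered": the scan tested the
    firewall, not the host. A host with both answers and filtered ports is
    "partially_filtered": vulnerability checks on the filtered ports were
    never performed through this path.
    """
    results = {}
    for host, entry in parse_grepable(text).items():
        by_state = {"open": [], "closed": [], "filtered": []}
        for port, state in sorted(entry["ports"].items()):
            by_state.setdefault(state, []).append(port)
        ignored_state, ignored_n = entry["ignored"] or ("", 0)
        answered = len(by_state["open"]) + len(by_state["closed"])
        # "open|filtered" and similar ambiguous states count as filtered.
        filtered = sum(len(v) for k, v in by_state.items() if "filtered" in k)
        if ignored_state in ("open", "closed"):
            answered += ignored_n
        elif "filtered" in ignored_state:
            filtered += ignored_n
        if answered == 0 and filtered > 0:
            verdict = "inconclusive_filtered"
        elif filtered > 0:
            verdict = "partially_filtered"
        else:
            verdict = "unfiltered"
        results[host] = {**by_state, "verdict": verdict}
    return results


def summarize(results):
    """One line per host saying what this vantage point could and could not test."""
    lines = []
    for host, r in sorted(results.items()):
        if r["verdict"] == "inconclusive_filtered":
            lines.append(f"{host}: everything filtered; nothing assessed from this "
                         f"segment, rescan from another vantage point")
        elif r["verdict"] == "partially_filtered":
            lines.append(f"{host}: open {r['open']}; ports {r['filtered']} filtered "
                         f"here and untested through this path")
        else:
            lines.append(f"{host}: reachable directly; open {r['open']}, "
                         f"closed {r['closed']}")
    return lines


if __name__ == "__main__":
    for line in summarize(classify(SAMPLE_OG)):
        print(line)
```

Feed it `nmap -oG scan.gnmap ...` output instead of the sample; any host landing in the first two buckets is one where the "only this attack vector was tested" caveat from the message has to go into the report.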


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:02 EDT