Re: Problems scanning across firewalls, Nessus 3.0.4

["Doug Nordwall" <raleel@gmail.com>]

>>From the experience I have, many firewalls behave poorly when nessus hits them.

It sounds like what you are seeing is a drop and retry problem, where the host behind the firewall never gives a response back, not even a rejection and this causes nessus to retry. It'll retry several times, and your firewall is forced to deal with it, every time, and it ramps up the cpu, or fills a queue on the firewall.

Recently, I ran into a cisco firewall-on-a-blade when scanning. Several networks were behind this firewall, and one of them was known by the firewall, but was disconnected. This caused the CPU on the firewall to ramp up, as it had to write out logs. Even with the logging turned off, it kicked the cpu up to 70%.

What we did was to put a nessus scanner behind each of the major firewalls in our facilities. Then the scanning traffic doesn't cross it. We put in some allow and deny rules to further prevent accidents (we had some of those).

Sometimes, we will scan across, and generally, we have to turn it way down. We might also turn off the port scan, which seems to work alright. Another option would be to run an nmap scan first, in a very slow setting, and then import the results into nessus.

I hope this helps.

On 1/26/07, Knut Hellebø <Knut.Hellebo@nho.hydro.com> wrote:

Regards,
I have two questions regarding Nessus scanning across firewalls. We have
experienced network con,gestion/slowness when running Nessus inside a
firewall protected network against hosts on the "other side". We use
Nessus 3.0.4 and did not enable the nmap wrapper, ie using Nessus
internal port scanner to scan all ports (65535). We limited checks to 5
simultaneous hosts, 5 simultaneous checks. We also turned on throttle
scan and network congestion detection. Even though these precautions
were taken, the network suffered. Apparently this was caused by ports
being held open for too long during the scanning period, making the
firewall drop old connections. Unfortunately I cannot reveal further
details. Is Nessus 3 this intrusive ? What can be done to further limit
network impact when testing across firewalls ?




***********************************************************************
NOTICE: This e-mail transmission, and any documents, files or previous
e-mail messages attached to it, may contain confidential or privileged
information. If you are not the intended recipient, or a person
responsible for delivering it to the intended recipient, you are
hereby notified that any disclosure, copying, distribution or use of
any of the information contained in or attached to this message is
STRICTLY PROHIBITED. If you have received this transmission in error,
please immediately notify the sender and delete the e-mail and attached
documents. Thank you.
***********************************************************************



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

-- 
Doug Nordwall
Unix, Network, and Security Administrator
Noise proves nothing. Often a hen who has merely laid an egg cackles as if she laid an asteroid. -- Mark Twain
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus