Hi all,
This question seeks confirmation on how we believe an application proxy firewall (example: Raptor or Checkpoint) impacts Nessus scanning results.

We periodically do Nessus scans from outside of networks against target servers inside the same networks behind a firewall. Most recently the Nessus scan was done from outside the target network going through a Raptor (application proxy) firewall loaded on a Windows server, pointed at the target system (a web server running Windows/IIS). The Nessus scan reported only three warnings (and no vulnerabilities). We separately examined the Windows software on the target web server device. The web server's Windows operating system had many vulnerabilities (sample listed below by CVE#) - it was woefully behind schedule for installation of software updates/patches/fixes. Initially, we could not account for why the Nessus scan missed the large number of Windows-related vulnerabilities.

We then came up with this theory on what limited what the Nessus scan found. Nessus scanning will not work if a target server is being scanned through an application proxy firewall, since these types of firewalls check packet formatting at higher OSI model layers. For example, for a buffer overflow attack, the application firewall detects the packet malformation, drops the packet, the packet(s) never reach the target, so the Nessus scan engine gets no feedback from the target server.
CVE-2006-5758
CVE-2006-3443
CVE-2006-3444
CVE-2006-2379
CVE-2006-2373
CVE-2006-2371
CVE-2006-2370
CVE-2006-1313
CVE-2006-0034
CVE-2006-0012
CVE-2006-1591
CVE-2006-0010
CVE-2006-0143
Preferences Used for This Scan:
slice_network_addresses no
plugin_upload_suffixes .nasl, .nasl3, .inc, .inc3, .nbin
plugin_upload yes
kb_max_age 864000
kb_dont_replay_denials no
kb_dont_replay_attacks no
kb_dont_replay_info_gathering no
kb_dont_replay_scanners no
only_test_hosts_whose_kb_we_have no
only_test_hosts_whose_kb_we_dont_have no
kb_restore no
save_knowledge_base yes
use_mac_addr no
silent_dependencies yes
auto_enable_dependencies no
safe_checks yes
plugins_timeout 320
non_simult_ports 139, 445
checks_read_timeout 5
language english
optimize_test yes
port_range 1-1024
cgi_path / cgi-bin
log_whole_attack yes
throttle_scan yes
max_checks 10
max_hosts 16
auto_update_delay 24
auto_update no
ntp_save_sessions yes
ntp_detached_sessions yes
server_info_nessusd_version 3.0.1
server_info_libnasl_version 3.0.1
server_info_libnessus_version 3.0.1
server_info_thread_manager fork
server_info_os Linux
server_info_os_version 2.6.13-15-smp
reverse_lookup no
ntp_keep_communication_alive yes
ntp_opt_show_end yes
save_session yes
detached_scan no
continuous_scan no
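As an added example (not part of the original post), a small parser for the line-wrapped preference dump above, plus a check that reports the two settings in that dump, safe_checks and port_range, which bound what a Nessus scan can find regardless of any firewall in the path. The embedded excerpt is constructed from the dump as pasted; SAMPLE_DUMP, parse_prefs and coverage_caveats are names chosen here, not Nessus API.

```python
import re

# Constructed excerpt of the preference dump as pasted in the post above;
# values wrap onto the following line exactly as they do in the mail.
SAMPLE_DUMP = """\
plugin_upload_suffixes .nasl,
.nasl3, .inc, .inc3, .nbin
kb_dont_replay_info_gathering
no
safe_checks yes
non_simult_ports 139,
445
port_range 1-1024
server_info_nessusd_version
3.0.1
continuous_scan no
"""

KEY_RE = re.compile(r"^[a-z][a-z0-9_]*(?:\s|$)")  # a preference key at line start

def parse_prefs(text):
    """Rebuild key -> value from a line-wrapped Nessus preference dump."""
    prefs = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A line continues the previous entry when that entry has no value yet
        # (bare key on its own line) or its value ended in a comma (wrapped list).
        pending = key is not None and (prefs[key] == "" or prefs[key].endswith(","))
        if key is not None and (pending or not KEY_RE.match(line)):
            prefs[key] = (prefs[key] + " " + line).strip()
            continue
        parts = line.split(None, 1)
        key = parts[0]
        prefs[key] = parts[1].strip() if len(parts) > 1 else ""
    return prefs

def coverage_caveats(prefs):
    """Settings in the dump that bound what the scan can find, firewall or not."""
    caveats = []
    if prefs.get("safe_checks") == "yes":
        caveats.append("safe_checks=yes: plugins that might crash the target are "
                       "skipped, so findings lean on banner/version inference")
    m = re.fullmatch(r"(\d+)-(\d+)", prefs.get("port_range", ""))
    if m and (int(m.group(1)) > 1 or int(m.group(2)) < 65535):
        caveats.append("port_range=%s: services on other ports are never probed"
                       % m.group(0))
    return caveats
```

Running coverage_caveats(parse_prefs(SAMPLE_DUMP)) on the dump above reports both settings; a scan with safe_checks no and port_range 1-65535 reports neither.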