Integrating the results from a vulnerability scanner into a higher order system
such as a Security Information Management (SIM) tool, Network Based Anomaly
Detection (NBAD), Network Access Control (NAC) or a Network Intrusion
Detection System (NIDS) is commonplace on modern networks. Data from the
vulnerability scanner can help populate asset tables and identify vulnerable
targets. However, watching real-time events or trends in events over time provides
much more insight from vulnerability scan data. This article describes
some techniques to make your scanning program more effective by using
information gathered from real-time systems.

Are you scanning the right targets?<br />

Devices that monitor packets on your network, such as a Network Intrusion
Detection System, packet analyzers, firewalls and even proxy devices, produce
logs. These logs typically include reports about top IP addresses seen, all IP
addresses seen, IP addresses that could be in the demilitarized zone (DMZ),
IP addresses that connect to the Internet and so on.

It is very good practice to compare the list of IP addresses obtained from a
passive or logging device with the list allocated to the team running the
vulnerability scanners. The passively observed list is extremely useful because
it is very accurate and near real-time.

Security auditing teams that are provided lists of IP addresses to scan are
often also provided routing tables, CIDR blocks, DNS domain information and
so on. Network topologies and protocols can change over time and a security
auditing team may have been made aware of these changes.

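The comparison described above, as an added example that is not code from the article: it checks addresses seen in passive logs against the CIDR blocks allocated to the scanning team. The `src=`/`dst=` log format, all addresses, and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# All values below are constructed for illustration (RFC 1918 / RFC 5737 ranges).
ORG_SPACE = ["10.0.0.0/8"]                    # address space the organisation owns
SCAN_SCOPE = ["10.1.0.0/24", "10.2.0.0/24"]   # CIDR blocks handed to the scanning team
SAMPLE_LOG = """\
10:00:01 src=10.1.0.5 dst=203.0.113.50 dport=443
10:00:02 src=10.3.0.7 dst=10.1.0.9 dport=22
10:00:03 src=10.3.0.7 dst=203.0.113.50 dport=80
10:00:04 src=10.1.0.999 dst=10.1.0.5 dport=445
"""

ADDR_FIELD = re.compile(r"\b(?:src|dst)=(\S+)")


def parse_observed(log_text):
    """Count every valid IP address seen as src or dst; skip malformed ones."""
    seen = Counter()
    for value in ADDR_FIELD.findall(log_text):
        try:
            seen[ipaddress.ip_address(value)] += 1
        except ValueError:
            continue  # e.g. a truncated or corrupted log field
    return seen


def compare(scope, org_space, observed):
    """Return in-organisation hosts missing from scope, and scope blocks with no traffic."""
    scope_nets = [ipaddress.ip_network(c) for c in scope]
    org_nets = [ipaddress.ip_network(c) for c in org_space]
    unscanned = sorted(
        ip for ip in observed
        if any(ip in n for n in org_nets) and not any(ip in n for n in scope_nets)
    )
    silent = [str(n) for n in scope_nets if not any(ip in n for ip in observed)]
    return {
        "unscanned": [(str(ip), observed[ip]) for ip in unscanned],
        "silent_blocks": silent,
    }


if __name__ == "__main__":
    report = compare(SCAN_SCOPE, ORG_SPACE, parse_observed(SAMPLE_LOG))
    for ip, hits in report["unscanned"]:
        print(f"seen on the wire but not in scan scope: {ip} ({hits} log entries)")
    for block in report["silent_blocks"]:
        print(f"in scan scope but never observed: {block}")
```

Hosts in the first list are candidates for adding to the scan schedule; blocks in the second may be stale allocations or segments the sensor cannot see.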
If you run a security auditing team and have been given a large IP address
space, you may be conducting “quick” scans of this
www.insecuremag.com 12