Speaking as a security person who uses nmap and who watches firewall logs scrolling by all day, I'd recommend the following:

1) Cooperate with your networking people. They can give you copies of the routers' ACLs. If you are scanning only ports left open by the routers, there shouldn't be much spamming of the logs. It will also make your scans faster, so it's a win-win situation.

2) Avoid scan types and scanned ports that may make trouble. You don't want to be making your DB server fill up its filesystem with error logs, rebooting anything, or making intrusion detection agents go crazy. Avoid xmas-tree etc., and those services on those machines that may have caused headaches after your previous comprehensive scans.

3) Maybe settle for less often than bimonthly? If someone's running telnetd on a Unix machine, and there are no apparent reasons why they shouldn't, it would probably be safe to assume that they'll still be running it there in 2 weeks. Scanning a short list of ports (e.g. looking for specific trojan installs) frequently might be more acceptable politically and nearly as useful, and you could save the grand unified scans for monthly-quarterly.

4) Refer them to ftp://ftp.porcupine.org/pub/security/admin-guide-to-cracking.101.Z, Wietse Venema and Dan Farmer's paper on improving the security of your site by breaking into it. Probing your systems is absolutely vital for security. Good crackers and good security people differ mainly in whether or not the company has asked them to be doing what they are. And security people usually fix the holes instead of exploiting them. ;-) You have the responsibility of maintaining security, so you should have the right to do what's necessary.
> -----Original Message-----
> From: Foust, Adam G. [SMTP:agfoust_at_tva.gov]
> Sent: Friday, September 17, 1999 5:57 AM
> To: nmap-hackers_at_insecure.org
> Subject: Examples of legit nmap usage?
>
> nmap has the potential of becoming an extremely useful tool for me in my job (not in the hacker sense, but in the discovery and security sense). I ran it for a while and built up a picture of our intranet WAN (with the help of a custom bit of perl and CGI programming), but now I'm being told to knock it off for good based on the high amount of messages that began to accumulate in our router logs. All of our other $$$ commercial network tools have so far provided a rather piecemeal view of things, and I would like to continue to use this excellent nmap tool to augment our picture of things (particularly having an inventory of TCP services).
>
> Can anyone help me out with a good "business case" for administratively running nmap in a corporate environment? What would be the impact to routers and hosts of say automating a weekly scan on a rather large network (I won't give specifics, but I will say that if I seed nmap with a list of ping-able IP addresses it requires a couple of days to complete a single sweep)? Is using nmap in this fashion a dumb idea?
>
> Any good examples of nmap being used for network discovery in any corporations out there?
>
> Any information you can provide would be of great use. Thanks.
Received on Sep 20 1999
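An added example, not from the thread and not nmap's own code, that turns recommendation 1 above into a script: it parses a constructed Cisco-style extended ACL, applies first-match semantics per destination host, and emits the nmap -p list of TCP ports the router already lets through, so the scan covers only what reaches the hosts and stays out of the router logs. The sample ACL text, the NAMED service table and every function name are assumptions made for this example.

```python
import ipaddress
from itertools import groupby
NAMED = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}
# Constructed sample in Cisco extended-ACL syntax; not taken from any real router.
SAMPLE_ACL = """\
access-list 101 permit tcp any host 10.1.1.10 eq www
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 22
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 range 8000 8010
access-list 101 deny tcp any host 10.1.1.20 eq telnet
access-list 101 permit tcp any host 10.1.1.20 eq telnet
"""

def _addr(tok):  # consume 'any' | 'host A' | 'A wildcard'; return (network, rest)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _ports(tok):  # consume optional 'eq X' | 'range A B'; absent means every port
    num = lambda t: int(t) if t.isdigit() else NAMED[t]
    if tok and tok[0] == "eq":
        return {num(tok[1])}, tok[2:]
    if tok and tok[0] == "range":
        return set(range(num(tok[1]), num(tok[2]) + 1)), tok[3:]
    return set(range(1, 65536)), tok

def tcp_ports_permitted(acl_text, target):
    """Sorted TCP ports the ACL lets through to `target`; first matching entry wins."""
    host, decided, allowed = ipaddress.ip_address(target), set(), set()
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[2] not in ("permit", "deny") or tok[3] not in ("tcp", "ip"):
            continue  # remarks and UDP/ICMP entries do not affect a TCP scan
        _, rest = _addr(tok[4:])
        _, rest = _ports(rest)  # optional source-port qualifier
        dst, rest = _addr(rest)
        ports, _ = _ports(rest)
        if host in dst:
            fresh = ports - decided  # ports no earlier entry has already decided
            decided |= fresh
            if tok[2] == "permit":
                allowed |= fresh
    return sorted(allowed)

def nmap_port_spec(ports):
    """Collapse sorted ports into nmap -p syntax, e.g. '22,80,8000-8010'."""
    runs = [[p for _, p in g] for _, g in groupby(enumerate(ports), lambda ip: ip[1] - ip[0])]
    return ",".join(str(r[0]) if len(r) == 1 else f"{r[0]}-{r[-1]}" for r in runs)
```

The returned string goes straight into nmap's -p option; an empty string means the router admits no TCP traffic to that host and there is nothing to scan.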