Vulnerability scanners check your network against a database of known vulnerabilities; such a database is usually compiled from reputable sources such as CVE (http://cve.mitre.org) or OVAL (http://oval.mitre.org). They can also check for administrative oversights such as weak passwords and misconfigurations. Although most scanning applications do not fix what they find on the spot, some give you the ability to apply patches or updates that contain a fix for the vulnerability – this is known as ‘auto-remediation’ of missing patches.
The whole point of a vulnerability scanner is to give you an indication of what’s wrong, and an opportunity to fix it before the network is compromised. If left unchecked, you could be setting yourself up for a potentially large-scale attack. We’ve all heard stories of people who disregarded the need to pinpoint weaknesses in their network because they thought “it will never happen to me” or “I’ll deal with it later”, and then ‘later’ never came.
Vulnerability Scanning Precautions
The tendency at a lot of companies is to assume that the pre-defined settings in such an application will be sufficient. While this point-and-click approach serves as a decent preliminary scan or a quick ‘triage’ examination of your network, you cannot rely on it alone. You need to tailor the scan to your network environment, accounting for different ports, protocols, operating systems, legacy systems and so on. I mention this for the simple reason that an aggressive scan by your vulnerability scanner may exhaust the table of open connections on a particular system, resulting in a denial of service or, at worst, a system crash. The way to avoid such a situation is to break the scan down into smaller chunks and execute one piece at a time. It is also a good idea to let people know when a scan is going to take place: you don’t want your IT support staff to be bombarded with e-mail and SMS notifications because your scanner is knocking too hard on your network’s front door. Because of network bandwidth considerations and the potential stress the scan places on the host machine, running the scan out of hours is also beneficial.
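As an added illustration (not the article's own code) of breaking a scan into chunks, running it out of hours and warning the support team, the following Python script builds a batched schedule inside a maintenance window and drafts the heads-up notice; the ScanWindow, plan_scan and scan_notice names, the batch sizes and the 192.0.2.0/28 test range are this example's own assumptions.

```python
# Added example (not the article's code): plan a chunked, out-of-hours scan.
# Nothing is scanned; it only builds the schedule and a notice for IT support.
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

@dataclass
class ScanWindow:
    start: datetime      # earliest out-of-hours start
    end: datetime        # hard stop; no chunk may run past this
    batch_size: int      # hosts per chunk; kept small so no host's connection table is flooded
    batch_minutes: int   # expected run time of one chunk
    pause_minutes: int   # idle gap between chunks so hosts and links recover

def split_targets(network: str, batch_size: int) -> list:
    """Break a CIDR block into chunks of at most batch_size host addresses."""
    hosts = [str(h) for h in ipaddress.ip_network(network).hosts()]
    return [hosts[i:i + batch_size] for i in range(0, len(hosts), batch_size)]

def plan_scan(network: str, w: ScanWindow) -> dict:
    """Give each chunk a slot inside the window; chunks that do not fit are deferred."""
    scheduled, deferred = [], []
    t = w.start
    for chunk in split_targets(network, w.batch_size):
        finish = t + timedelta(minutes=w.batch_minutes)
        if finish > w.end:
            deferred.append(chunk)  # carried over to the next window
            continue
        scheduled.append({"start": t, "end": finish, "targets": chunk})
        t = finish + timedelta(minutes=w.pause_minutes)
    return {"scheduled": scheduled, "deferred": deferred}

def scan_notice(plan: dict, network: str) -> str:
    """Heads-up text so the support team expects alerts during the window."""
    if not plan["scheduled"]:
        return f"No scan of {network} fits the window; all chunks deferred."
    first, last = plan["scheduled"][0]["start"], plan["scheduled"][-1]["end"]
    n = sum(len(s["targets"]) for s in plan["scheduled"])
    return (f"Scheduled scan of {n} hosts in {network} between "
            f"{first:%Y-%m-%d %H:%M} and {last:%H:%M}; "
            f"{len(plan['deferred'])} chunk(s) deferred to the next window.")

def example_plan() -> dict:
    """Constructed sample: a /28 test range (TEST-NET-1) in a one-hour night window."""
    w = ScanWindow(datetime(2024, 1, 6, 22, 0), datetime(2024, 1, 6, 23, 0),
                   batch_size=4, batch_minutes=20, pause_minutes=5)
    return plan_scan("192.0.2.0/28", w)

print(scan_notice(example_plan(), "192.0.2.0/28"))
```

With the sample window only two of the four chunks fit, so the remaining hosts are reported as deferred rather than squeezed past the hard stop.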
Choosing the right Scanning Solution
Vulnerability scanners are powerful tools that help you keep on top of network security and prevent attacks. Any security analyst worth their salt would recommend investing in one and coming up with a vulnerability scanning strategy that matches the requirements of your organization and fits your network environment. As with all such applications, however, the rule of thumb is to evaluate your chosen solution(s) in an in-house test environment first and, once you are satisfied with the results, move on to testing it on the network environment it is being purchased for. With this in mind, it’s important that you buy a solution that is right for your organization (consider company size, scanning requirements, scanning frequency, features needed, etc.). If the solution can’t scale to your needs, then either don’t buy it in the first place, or change your approach to the scan.