Getting the best bargain on network vulnerability scanning

How do you handle vulnerability scanning on your enterprise network? If you're like many of your peers, you've either invested in an expensive enterprise-wide commercial vulnerability scanner, or you've jury-rigged an open source product to keep within a shoestring budget. For most organisations, neither one of those approaches is entirely satisfactory: the former involves a potentially excessive commitment of financial resources, while the latter sacrifices security and manageability in the interest of saving a buck (or a hundred thousand of them!).

Enterprise-class vulnerability scanning systems, such as Qualys's QualysGuard and Tenable Network Security's Security Center, offer many advantages over freely available security tools. They often combine database-driven, trend-tracking capabilities with reporting facilities designed to meet the demands of both technical professionals and executive management. However, the products often come with a hefty price tag based upon the number of IP addresses covered by their licenses. In larger installations, the cost of implementing such a system may quickly rise into the low six figures.

For the vast majority of networks, widespread deployment of an expensive scanning product is overkill; security dollars are better spent elsewhere. These systems provide value, but I instead advocate a hybrid model: use an expensive tool where it delivers the most value, and deploy an open-source one for the vast majority of the network. I've seen several organisations successfully implement a combined approach to optimise use of security resources.

Why do multiple vulnerability scanners work?

On most networks, productivity workstations comprise the bulk of network-connected computers. In many organisations, security configuration standards limit the network exposure of those systems to a very small set of ports -- if any at all! If you run a network vulnerability scan against a system configured in this manner, it's merely confirming that the firewall is functioning properly. This verification is valuable, but there's a cheaper way to accomplish the same objective: use the time-tested tool that holds a place of honour in every security practitioner's toolkit: Nmap.

The hybrid approach to vulnerability scanning requires the prioritisation of assets into two groups: servers and workstations. (Alternatively, you could divide them into categories based upon other value-ranking criteria: strength of data assets, importance of operating system, or anything that makes sense in your business environment.) Use a commercial scanning tool to keep tabs on your high-value server assets. They're a more likely source of potential exposures, as they're intended to offer services to other systems.

Meanwhile, use Nmap to handle the remaining workstations and lower-value assets. Write a simple script that periodically runs Nmap scans against your network, finds open ports, and stores the results in a database. You can use the language of your choice, but I prefer to use Perl and the free Nmap::Scanner library. Here's the pseudocode to scan a network:

1. Start an Nmap scan of the system, using parameters tuned for your environment.
2. Remove any ports from the results that are part of your standard workstation build, such as remote administration ports.
3. Retrieve prior scan results from the database and remove any ports from the results that were previously reported.
4. If any ports remain in the results, report them to the administrator to either accept or investigate.
5. Move on to the next system.

Once you've done this a couple of times, you should have a pretty stable baseline. There should be only occasional reports, most likely the result of a system exposing a new service that differs from the baseline build. When this occurs, examine the system and determine which of three cases applies:

1. The system is actually a server and should be added to the enterprise scanner.
2. The system is a workstation that is not authorised to offer the service and should be remediated.
3. The system is a workstation that is authorised to offer the service, and this should be noted in the database to prevent future false positive reports.

With this approach, it Is possible to miss a vulnerability on a workstation. Nmap doesn't perform vulnerability assessment; it's only a port scanner. If something more sophisticated is needed to spot flaws, consider using an automated Nessus-based approach instead. However, this open-source and commercial product combination will surely satisfy the Pareto principle, allowing you to achieve many of the enterprise scanning system benefits for a fraction of the cost.