Network Scanning Considerations
March 27, 2011Network Scan Types and Scope
This network scanning recommendations defines network scan types, identifies reasons for scanning, identifies times when network scanning is allowed, who should approve network scanning, and specifies who should be notified when network scanning is done.
Network device location scan – This scan may use different means to determine IP addresses of active devices on the network. Methods:
ARP Scan – An ARP broadcast can be sent to network IP addresses asking what is are the responses
MAC address of the host with IP address x.x.x.x. If a response occurs, there is an active host at that address.
Internal full port scan – Checks to determine what services are running on each host. This may be done against selected hosts or all hosts including servers and workstations.
Methods:
Socket connect scan – Tries to complete a socket connection to a port on a host computer.
This scan allows the host computer to log the connection.
SYN scan – Sends a SYN packet to the host indicating that it wants to open a socket. But when the host responds it does not finishing establishing the connection.
FIN scan – Sends a FIN packet to a host port. If a service is not running, the port responds with a reset signal. If the port has a service running on it, the signal is ignored.
External full port scan – Checks to determine what services are running on each host. This test is done from outside the firewall and is directed toward any IP addresses owned by the organization being tested. It may use the socket connect scan method, the SYN scan method, or the FIN scan method.
Internal vulnerability scan – Tests the server to see if it is vulnerable to known flaws in the operating system, services, and applications that are running. This test may be directed toward one or more hosts including servers and workstations. This test goes beyond performing a full port scan. It attempts to get information about the operating system and services running on the host. It will attempt to determine the version of the services running on the host. and may even do a penetration test.
External vulnerability scan – Same as the internal vulnerability scan except it is done from outside the organization network and is directed toward any IP addresses owned by the organization being tested.
Internal Denial of service scan – This is a scan using packets which are intentionally designed to make a system crash or tie up resources. The scan is directed against ports but the data sent is usually misconfigured in some unusual way.
External denial of service scan – Similar to the internal denial of service scan except it is directed against IP addresses owned by the organization being tested.
Password Cracking – This test may send default passwords and brute force password guessing against accounts on specified systems. This is really not like a network scan but is covered in this recommendation since it could potentially disrupt service depending on the password policies of the organization.
Many scanning services will offer some combinations of these types of scans. This recommendation covers all types of network and host scanning.
Network Scanning Reasons
Network scanning may be performed for several reasons
To determine whether computer systems are vulnerable to attack and fix them.
To show companies you may interact with that our servers are reasonably secure.
To fulfill regulatory requirements.
Network scanning shall not be performed without written permission.
Network Scanning Disruptions
Network scanning can be very disruptive to both a network and hosts that are operating on a network. No network scanning shall be allowed without close adherence to this recommendation and the associated procedures. Network scanning can cause systems to crash and network devices to become unreliable which can become very disruptive to the business operations.