Using Nessus to scan hosts behind a firewall

By | August 2, 2006

This post will discuss several issues with scanning hosts behind firewalls and strategies Nessus users can use to overcome this. Although a relevant topic, we´re not going to consider host-based firewalls, scanning load-balancers or scanning through VPN links in this post.

Before we get started, the term “firewall” is often used loosely. In some cases, this is a device that prevents certain types of network traffic from flowing between different network segments. For example, port 80 traffic could be denied from the 10.10.0.0/16 subnet heading out to the Internet. So performing vulnerability scans in this sort of environment involves knowing the security policy and being able to work with it.

In other cases, the “firewall” device is performing a network function called NAT for Network Address Translation. (It also does Port Address Translation (PAT) but we won´t get into that). In this case, many IP addresses on one side of the firewall can share one or even a few IP addresses on the other side of the firewall. A small office might have a firewall that hands out DHCP addresses for 192.168.10.4, 192.168.10.10 and 192.168.10.12, but when each of these systems communicates through the firewall, it translates the IP addresses to an address on the public side. Scanning through a NAT environment is more tricky, but we will cover that to.Read Full Story

Leave a Reply