4 out of 5 CISOs Don't Scan for Off-Port Web Servers
An off-port web server is one that doesn't run on the common ports of 80 or 443. Management consoles, development systems, devices that speak HTTP for their protocol and many other systems can run on any port, typically 8080 or 8443.
Active scanners like Nessus will find web servers on any port, but you need to tell them to do so. By default, scanners don't test all 65,535 TCP ports.
When you do want to perform a scan, your network gets in the way and limits how fast it can go. Performing a full scan means that you need to send a "SYN" packet, wait for a response and then time out the session or process the open port to look for an HTTP server.
If your potential web server target is far away, is behind a firewall or just slow, your scan can take a long time.
For example, imagine you have a web server listening on port 8000 behind a firewall and the firewall is configured to drop any packet not sent to port 8000. If your scanner was configured to wait 1 second to hear something back from the server, it may have to wait for a response from the server before moving on.
Modern firewalls may also see the hits from your scanner on these "denied" ports and blacklist you so that when port 8000 is probed, the firewall has already blocked the scanner, preventing discovery.
Tenable felt this type of problem was serious enough that we wrote the Passive Vulnerability Scanner. This product monitors network traffic in the same manner as a sniffer or intrusion detection system. It produces a set of real-time logs as well as vulnerability reports.
The vulnerability reports identify many useful items such as port independent discovery of web servers, vulnerabilities associated with the web server and even identification of issues with SSL such as expired certificates.
I've only met a handful of organizations (about 20%, which is where the '4 out of 5' statistic comes from in our title) that perform a full 65,535 service discovery scan of their entire network at least once a week. The reasons I'm given for not scanning often includes:
- too many scans impact the router, link, VPN, SIEM, etc.
- there are too many applications that crash when you send even one packet to the wrong port
- lack of permission to perform organization-wide scans
- don't have a scanner that is powerful enough
If this sounds like your organization, please consider calling Tenable to see if we can help with your security monitoring. Our Passive Vulnerability Scanner technology can be deployed in many different types of flexible license models.
When managed by SecurityCenter, you can also deploy as many Nessus scanners as you need and have centralized control over what is and isn't scanned. Combining real-time passive discovery to uncover web servers also means that you can follow up and scan them with a Nessus web application audit.
For more information, please contact firstname.lastname@example.org to arrange a demo or to learn more about our solutions.