A common question our support group receives from Direct Feed customers is how to limit Nessus probes to specific ports. This post will discuss the reasons Nessus sends packets to various ports and how scans can be configured to limit access to specific ports or ranges of ports.
Limiting The Port Scan
The first step in minimizing the ports touched by a Nessus scan is to specify the ports to be scanned. Most Nessus clients ship with a port-range setting of "default", which causes the Nessus port scanner to scan all TCP ports listed in the /etc/services file. Users can instead enter more specific ranges and ports, such as "21-80", "21,22,25,80" or "21-143,1000-2000,60000-60005"; the port scanner will then target only those ports during the port scan.
During the port scan, the Nessus TCP scanner also uses the ports involved to determine the round trip time (RTT) for packets to the target host. If only a small number of ports is specified, the scanner may choose other ports to determine the RTT.
Choosing Host Enumeration
If an ICMP probe (a ping) is enabled to discover active hosts, then no specific ports are probed. However, if a "TCP Ping" is used to discover a host, then ports will be probed. Both options can be enabled at the same time; they are not exclusive. It should also be noted that there is another host enumeration option, "ARP pinging", which finds hosts on the local LAN.
Considering Un-scanned Ports Closed
After a host is discovered and the desired ports are scanned, Nessus attempts to run the enabled plugins against the target. If a plugin attempts to connect to a port that was not part of the port scan and the "Consider Unscanned Ports Closed" setting is enabled, Nessus won't even run the plugin. If this setting isn't enabled, however, Nessus may probe ports that were not specified in the port scan.
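To make the two settings above concrete, here is an added example (not Nessus code, and not from the original post) that expands a port specification in the syntax shown earlier ("21-143,1000-2000,60000-60005", or "default" for every TCP port in an /etc/services file) and then models the "Consider Unscanned Ports Closed" decision for a plugin that wants to talk to a given port. The /etc/services excerpt, the `ScanState` structure and the function names are constructed for illustration and are not Nessus internals.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

MAX_PORT = 65535

# Constructed /etc/services excerpt used as the "default" port list.
SAMPLE_SERVICES = """\
# constructed /etc/services excerpt (not a real file)
ftp        21/tcp
ssh        22/tcp
domain     53/tcp
domain     53/udp
http       80/tcp   www   # WorldWideWeb HTTP
ntp        123/udp
https      443/tcp
"""


def parse_services(services_text: str) -> set[int]:
    """Collect the TCP ports listed in /etc/services-style text (lines like "ssh 22/tcp")."""
    ports: set[int] = set()
    for line in services_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        m = re.fullmatch(r"(\d+)/tcp", fields[1])
        if m:
            ports.add(int(m.group(1)))
    return ports


def parse_port_spec(spec: str, services_text: str = SAMPLE_SERVICES) -> set[int]:
    """Expand a Nessus-style port list into a set of port numbers.

    "default" means every TCP port in the services file; otherwise the spec is a
    comma-separated list of single ports and lo-hi ranges, e.g. "21-143,1000-2000,60000-60005".
    Malformed items, reversed ranges and out-of-bounds ports are rejected rather than
    silently widening or narrowing the scan.
    """
    if spec.strip().lower() == "default":
        return parse_services(services_text)
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"malformed port item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port item reversed or out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


@dataclass
class ScanState:
    scanned: set[int]        # ports the port scanner actually touched
    open: set[int]           # subset of 'scanned' that answered as open
    unscanned_closed: bool   # the "Consider Unscanned Ports Closed" setting


def plugin_decision(plugin_port: int, state: ScanState) -> tuple[bool, str]:
    """Decide whether a plugin that connects to plugin_port runs, and why."""
    if plugin_port in state.scanned:
        if plugin_port in state.open:
            return True, "port scanned and open: plugin runs"
        return False, "port scanned and closed: plugin skipped"
    if state.unscanned_closed:
        return False, "port not scanned, treated as closed: plugin skipped"
    return True, "port not scanned: plugin runs and probes a port outside the configured scan"


def ports_outside_scan(plugin_ports: set[int], state: ScanState) -> set[int]:
    """Ports the plugin phase would touch that the port scan never covered."""
    return {p for p in plugin_ports if plugin_decision(p, state)[0] and p not in state.scanned}


if __name__ == "__main__":
    scanned = parse_port_spec("21-80")
    strict = ScanState(scanned=scanned, open={22, 80}, unscanned_closed=True)
    loose = ScanState(scanned=scanned, open={22, 80}, unscanned_closed=False)
    wanted = {22, 80, 443, 3306}  # ports the enabled plugins want to connect to
    for port in sorted(wanted):
        print(port, "strict:", plugin_decision(port, strict)[1])
        print(port, "loose: ", plugin_decision(port, loose)[1])
    print("extra ports touched with the setting off:", sorted(ports_outside_scan(wanted, loose)))
```

The last line of the demo is the practical check: with the setting off, a scan configured for "21-80" still ends up sending packets to 443 and 3306 during the plugin phase, which is exactly the surprise the post describes.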
Understanding UDP Port Probes
For port scanning, the UDP protocol is very unreliable. Nessus does not have a UDP port scan option; instead it runs the UDP plugins directly if they are enabled in a scan.
UDP is unreliable for port scanning because, if a port is open, the host is NOT expected to send a response, whereas if a port is closed, the host is supposed to return an "ICMP Port Unreachable" packet. Since UDP packets can be dropped, or a host or network firewall can block the packet, a scanner that gets no response to a UDP probe can be fooled into thinking the port is open. Even for closed ports, if a network has implemented outbound ICMP filtering as a security measure, the scanner will not see the "ICMP Port Unreachable" messages.
Because of this, Nessus is designed to talk directly to the applications that run over UDP. These applications often involve single-packet queries, and this is more efficient than port scanning first and then attempting to speak to the application. For example, rather than scanning for systems with UDP port 111 open (which is probably the RPC portmapper service), it is more efficient to simply send the equivalent of the "rpcinfo -p" query and wait for a valid portmapper response.
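The following added example (not Nessus code, and not from the original post) shows the difference between the two approaches described in the last two paragraphs. It builds the single datagram that "rpcinfo -p" sends (an ONC RPC v2 CALL for the portmapper DUMP procedure, per RFC 5531 XDR layout) and checks a reply against the expected RPC header, then classifies each probe outcome. The naive port-scanner verdict reads silence as "open"; the application-aware classifier only reports "open" when a valid service reply came back and otherwise reports the honest open|filtered state. All observations are constructed in the block; nothing is sent on the network, and the function names are illustrative.

```python
from __future__ import annotations

import struct
from enum import Enum
from typing import Callable, Optional

# ONC RPC v2 constants (RFC 5531) for the portmapper DUMP request behind "rpcinfo -p".
RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED = 0
AUTH_NULL = 0
PORTMAP_PROG = 100000
PORTMAP_VERS = 2
PMAPPROC_DUMP = 4


class UdpState(Enum):
    OPEN = "open (application replied)"
    OPEN_UNCONFIRMED = "open? (something replied, but not the expected service)"
    CLOSED = "closed (ICMP Port Unreachable seen)"
    OPEN_OR_FILTERED = "open|filtered (no reply: open, dropped, or firewalled)"


def build_portmap_dump_call(xid: int) -> bytes:
    """The single-packet query equivalent to "rpcinfo -p": ten big-endian XDR uint32s
    (xid, CALL, rpcvers=2, prog, vers, proc, AUTH_NULL cred, AUTH_NULL verf)."""
    return struct.pack("!10I", xid, RPC_CALL, 2, PORTMAP_PROG, PORTMAP_VERS,
                       PMAPPROC_DUMP, AUTH_NULL, 0, AUTH_NULL, 0)


def looks_like_portmap_reply(xid: int, data: bytes) -> bool:
    """Accept only a datagram that is an RPC REPLY to our xid with MSG_ACCEPTED."""
    if len(data) < 12:
        return False
    r_xid, msg_type, reply_stat = struct.unpack("!3I", data[:12])
    return r_xid == xid and msg_type == RPC_REPLY and reply_stat == MSG_ACCEPTED


def sample_portmap_reply(xid: int) -> bytes:
    """Constructed minimal accepted reply: header, AUTH_NULL verifier, SUCCESS, empty list."""
    return struct.pack("!6I", xid, RPC_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, 0)


def naive_port_scan_verdict(reply: Optional[bytes], icmp_port_unreachable: bool) -> str:
    """What a plain UDP port scanner concludes: anything but ICMP unreachable is 'open'."""
    return "closed" if icmp_port_unreachable else "open"


def classify_udp_probe(xid: int, reply: Optional[bytes], icmp_port_unreachable: bool,
                       validator: Callable[[int, bytes], bool]) -> UdpState:
    """Application-aware verdict: only a reply that parses as the service counts as open."""
    if icmp_port_unreachable:
        return UdpState.CLOSED
    if reply is None:
        return UdpState.OPEN_OR_FILTERED
    return UdpState.OPEN if validator(xid, reply) else UdpState.OPEN_UNCONFIRMED


if __name__ == "__main__":
    xid = 0x1234
    query = build_portmap_dump_call(xid)
    print(f"rpcinfo -p equivalent: {len(query)} bytes -> {query.hex()}")
    # Constructed observations for the same probe under different network conditions.
    observations = {
        "portmapper answered": (sample_portmap_reply(xid), False),
        "closed, ICMP returned": (None, True),
        "closed, ICMP filtered outbound": (None, False),
        "packet dropped on the way": (None, False),
        "stray reply with wrong xid": (sample_portmap_reply(xid + 1), False),
    }
    for label, (reply, icmp) in observations.items():
        naive = naive_port_scan_verdict(reply, icmp)
        aware = classify_udp_probe(xid, reply, icmp, looks_like_portmap_reply)
        print(f"{label:32} scanner says {naive:7} | application-aware: {aware.value}")
```

Two of the constructed cases (ICMP filtered outbound, packet dropped) are indistinguishable from an open port to the naive scanner, which is the false positive the post warns about; the application-aware check never promotes silence to "open".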
Using Passive Technology
Tenable customers who have deployed a Passive Vulnerability Scanner (PVS) enjoy continuous monitoring of their network as well as some advantages over active scans. Since the PVS operates 24x7, it can see activity on the network that might not be present during an active scan. The PVS will also find which ports a host "browses" on. For example, if a web server listens on ports 80 and 443, it might also browse the network on port 53 for DNS lookups and on port 80 to reach out to the web and grab updates.