Historically, active vulnerability scanning of network printers and older Novell NetWare servers could be problematic. Sometimes a simple port scan with any type of auditing tool would cause a network printer to print paper, crash or interrupt real print jobs. Similarly, older Novell NetWare installs were also subject to crashing when having their servers fingerprinted.
Based on the feedback from the Nessus user community, Tenable implemented two scan options for Nessus that can limit how network audits interact with these technologies. These scan options are labeled:
- Scan Network Printers
- Scan Novell NetWare hosts
A screen shot of these scan options as found under the Nessus Client is shown below:
By default, Nessus won't scan these devices if they are found. When a printer is found, the fact that it won't be scanned is reported. This can cause some confusion for new Nessus users that are running a scan of just a few plugins on a large network. Even though they haven't specifically enabled the plugins to avoid printers and NetWare servers, if one is found it will be reported.
This occurred with one Nessus user I was working with. He was scanning a class B network for just one Nessus plugin, but kept getting plugin #12241 showing up in his results, even though he was not scanning for it and there were no plugin dependency issues. When the user enabled these settings, he no longer got the report that he may have been scanning a printer.
The trade-off of not scanning these types of devices and perhaps limiting the scope of a scan can be a difficult call to make for a new Nessus user of the first time a target network is audited. My recommendation is to first scan with these options enabled so that you can identify potential targets that could be impacted with a full scan. Later on if you are scanning for services or plugins that are likely to not interact with NetWare or network printers, you can make a more educated decision of when to turn these options on or off.
For completely passive and real time network monitoring, the Passive Vulnerabiltiy Scanner has the ability to identify a wide range of vulnerabilities purely from montioring traffic in real time. This solution can solve a variety of political problems, such as end of year IT freezes, where different business users or organizations do not want to submit themselves to active scans.
We've also blogged before about how to limit the scope of Nessus scans:
- Limiting the ports probed by Nessus
- Understanding the Nessus "safe checks" option
- Using Nessus to scan hosts behind a firewall