Network Scanning

Texas A&M Information Technology proactively scans the network and reports vulnerabilities to administrators.


Guidelines on Network Scanning

Network scanning is frequently used in attempts to penetrate information resource security. To further responsible computing, these guidelines restrict network scanning activity except in limited circumstances.

Network Scanning is the process of transmitting data through a network to elicit responses in order to determine configuration state about an information system.

Network Vulnerability Scanning is the conduct of network scanning of an information system to determine the presence of security vulnerabilities in the information system.

Texas A&M Information Technology will, from time to time, conduct network scans and network vulnerability scans of devices attached to the Texas A&M University network. Information gathered will be used for network management, including notifying owners of vulnerabilities, determining incorrectly configured systems, validating firewall access requests, and gathering network census data.

Except as provided above, no network scans or network vulnerability scans may be conducted except by the owner of the information resource being scanned. In no case may network scanning traffic transit a router maintained by Texas A&M IT.

Except as provided above, network scans and network vulnerability scans may only be conducted by University employees designated by the organizational unit head responsible for the information resource. Network scans and network vulnerability scans may not be conducted by student systems in the Resident Halls.

Other exceptions to these guidelines may be authorized only by the Chief Information Officer or designee.


Network Vulnerability Scanning

Texas A&M IT is proactive in scanning network-connected machines. Scanning of campus machines for vulnerabilities will occur on a regular basis. Administrators of machines found to be vulnerable in any way will be contacted concerning the problems. These machines will be updated as soon as possible by the administrator.

Questions concerning this process should be directed to security@tamu.edu.


Vulnerability Scan Resources

When performing a vulnerability scan against your host, whether to open a port in the firewall or to check for a possible problem, Texas A&M IT uses the Nessus scanner. The scan produces a report that shows the services running on the scanned machine and vulnerabilities found in its services, if any. By services, we mean http, ssh, etc. All vulnerabilities for a service are listed together in one section of the report.

The following is an example of a vulnerability report:

Synopsis :

The remote service encrypts traffic using a protocol with known weaknesses.

Description :

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

See also :

http://www.schneier.com/paper-ssl.pdf

Solution :

Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

Risk factor :

Medium / CVSS Base Score : 5.0

(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Within the vulnerability report is the short and long description of the vulnerability itself, along with a suggested solution. The solution should be implemented as soon as possible and will be required if the vulnerability prevents a port from being opened through the campus firewall.

Also included in the report is the 'Risk Factor' of the vulnerability, such as Low, Medium, or High. A Medium or High vulnerability normally prevents a requested port from being opened. A Low vulnerability is usually informational, but should still be considered and reviewed to fully secure a machine.
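
As an added example (not Texas A&M IT's or Nessus's own code), the following reads the risk section of a finding, recomputes the CVSS v2 base score from the vector using the weights and equation in the CVSS v2 specification, and applies the rule above that a Medium or High finding normally prevents a port from being opened. The function and field names are hypothetical.

```python
import re

# CVSS v2 base-metric weights from the CVSS v2 specification.
W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def cvss2_base_score(vector):
    """Compute the CVSS v2 base score from a vector like AV:N/AC:L/Au:N/C:P/I:N/A:N."""
    m = dict(part.split(":") for part in vector.split("/"))
    if set(m) != set(W):
        raise ValueError("not a complete CVSS v2 base vector: " + vector)
    v = {k: W[k][m[k]] for k in W}  # KeyError on an unknown metric value
    impact = 10.41 * (1 - (1 - v["C"]) * (1 - v["I"]) * (1 - v["A"]))
    exploitability = 20 * v["AV"] * v["AC"] * v["Au"]
    f = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f, 1)

def review_finding(report):
    """Parse one finding; Medium/High normally blocks the firewall request."""
    risk = re.search(r"Risk factor\s*:\s*(\w+)", report)
    score = re.search(r"CVSS Base Score\s*:\s*([\d.]+)", report)
    vector = re.search(r"CVSS2#([A-Za-z:/]+)", report)
    if not (risk and score and vector):
        raise ValueError("finding lacks risk factor, score or CVSS2 vector")
    computed = cvss2_base_score(vector.group(1))
    return {
        "risk": risk.group(1),
        "reported": float(score.group(1)),
        "computed": computed,
        "score_matches_vector": computed == float(score.group(1)),
        "blocks_port_request": risk.group(1) in ("Medium", "High"),
    }

# The risk section of the sample report shown above.
SAMPLE = """Risk factor :

Medium / CVSS Base Score : 5.0

(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
"""

if __name__ == "__main__":
    print(review_finding(SAMPLE))
```
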

Here are additional items to note:

  • CVE Reports -- Some vulnerabilities report a CVE number, such as CVE-2002-0419. This is an identifier for a Common Vulnerability and Exposure. You can look up the identifier reported to learn more about that particular vulnerability.
  • Plug-in Output -- This section of a vulnerability report shows the output of the test against your server for that particular issue.
  • Trace and/or Track Methods -- Many web servers report these methods enabled. This flaw allows for cross-site scripting, and the methods will need to be disabled before having port 80 or 443 open through the firewall.
  • SSL v2.0 -- Many servers report using SSL 2.0 for encryption. This method encrypts traffic using a protocol with known weaknesses. Services using SSL 2.0 will not be opened through the campus firewall. SSL 3.0 or TLS 1.0 will be required.

For any questions concerning this output or the solutions, please contact security@tamu.edu.
