Filter
Top Products
FortiAnalyzer Version 3.0 MR7 Administration Guide
158 05-30007-0082-20080908
Preparing for the vulnerability scan job Tools
authenticating without root or administrator credentials are typically not able to
view sensitive areas of the system software or configuration; scans involving
those parts cannot be accurately assessed without administrator credentials. You
may also be required to modify the target host’s security policy to allow the
connections and to ensure that the account uses administrator account privileges
when authenticating remotely. Some vulnerability scan modules, such as those
that test for denial of service (DoS) attack vulnerability by simulation, can result in
degraded network performance during the scan. For all of these reasons, you may
want to work with the owners of target hosts to schedule an appropriate time. For
example, you might schedule to avoid peak traffic hours, to restrict unrelated
network access, to configure a local or domain administrator account for the
express purpose of the vulnerability scan, and to ensure that the target hosts will
not be powered off during the vulnerability scan.
Required preparation varies by the operating system or other installed software on
target host, and by the vulnerability scan modules that you want to use. For more
information about preparing Windows and Unix variant operating systems for a
vulnerability scan, see “Preparing Windows target hosts” on page 158 and
“Preparing Unix target hosts” on page 160.
You may want to consider temporarily removing obstacles that prevent the
vulnerability scan from reliably connecting to the intended target hosts on the
required standard port numbers. If you do not remove the obstacles, the
vulnerability scan may contain false negatives or may be unable to complete a full
scan. However, some vulnerability scan obstacles are typical network security or
other infrastructure, so removing or disabling them can involve some risk. In this
case, you will want to consider whether or not you require a full scan, and how to
negate or mitigate any risk during the scan. Examples of vulnerability scan
obstacles include:
• intrusion prevention systems (IPS)
• dynamic NAT
• port forwarding
• firewalls, including FortiGate units and FortiClient installations
Consider also the perspective from which you are performing the vulnerability
scan, and your network’s routing or other configuration to ensure that you do not
scan target hosts outside your intended network space. For example, if you want
to assess vulnerability from the perspective of the external network, but do not
wish to impact the private network of a business partner whose network is
connected to yours, you may want to connect the FortiAnalyzer unit to the external
network while running the vulnerability scan job, and to carefully restrict the IP
addresses and routing of traffic to target host IP addresses.
Preparing Windows target hosts
Vulnerability scan modules targeting Microsoft Windows hosts require the ability to
log in to the target host using the NetBIOS protocol. If NetBIOS is not already
enabled on target hosts running Windows, you must enable it for the duration of
the vulnerability scan.