Scan over Firewall

Support/Development for OpenVAS
syntax1127
New Forum User
New Forum User
Posts: 3
Joined: Tue Oct 13, 2015 8:46 am
Location: Israel

Scan over Firewall

Unread post by syntax1127 »

Hello all,
I have setup OpenVas on my PC in order to make some tests.
The Server is install in my LAN (192.168.1.x ) and Everything seems to work fine.
When I try to scan a target inside my LAN (192.168.1.100 for instance ) , it seems to take a while and I finnaly get resaults and vulnerabilities report.
However, when I try to scan another host in my DMZ environment ( meaning differnet segments and diffrent network - 212.x.x.x) it seems that the scan takes only 1 min and I get status "DONE" but no resaults nither vulenrabilites report.

When I explored my Firewall logs I have noticed it blocks all the requested made by the Openvas Server ( inckuding echo request, RDP request etc. )
Shouldn't the Openvas system alert on that?
What am I missing ? What am I doing wrong?
What is the best way to test my web servers in DMZ environment ?
Thanks in advance
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Scan over Firewall

Unread post by scott »

Its going to need a clear shot through the firewall to scan the hosts. The first phase of the scan is to run discovery with ping or tcp detection. If that fails or is otherwise blocks, it just treats it as no hosts being detected.

Assuming it has a clear shot at the ports running in your DMZ, and this is just a situation where icmp discovery is being blocked, you can change the scan profile to treat dead hosts (ie, not discovered) as alive, and it will move on to the next phase of the assessment
syntax1127
New Forum User
New Forum User
Posts: 3
Joined: Tue Oct 13, 2015 8:46 am
Location: Israel

Re: Scan over Firewall

Unread post by syntax1127 »

Hi,
Thank you for the replay.
Indead. The Target I am trying to test is blocking Ping. Infact it blocks any other traffic beside 443.
The site is Https with an SSL Certificate.
Anyway, I have changed the status of the target to "Consider live" . Now I do not get "DONE" but it seems to stuck at 1% ... ( more than an hour ) .
Can OpenVas scan and test sites with an ssl certificate anyway??
Is that mean that I can only scan targets withn my LAN?
What am I doing wrong?
Thanks again
syntax1127
New Forum User
New Forum User
Posts: 3
Joined: Tue Oct 13, 2015 8:46 am
Location: Israel

Re: Scan over Firewall

Unread post by syntax1127 »

Hi,
Thank you for the replay.
Indead. The target I am trying to Scan and test is blocking Ping adn echo-requests. In fact, it blocks any other traffic except 443.
This web site is an ssl certificate based site and the access is only with https://xxx.xxx.xxx ( you get into a login form which requires a username and password ) .

scott wrote: Assuming it has a clear shot at the ports running in your DMZ, and this is just a situation where icmp discovery is being blocked, you can change the scan profile to treat dead hosts (ie, not discovered) as alive, and it will move on to the next phase of the assessment
I have changed the target properites to "Conside Alive" and now the scan goes to 1% but stuck ( for more than an hour )

Can OpenVas acctually Scan and find sites with https ?

When I try to scan other web sites which are not https it seem to work find and I do get results and a report.
What Am I missing now ?
Thanks again!
zareef.aqmar
New Forum User
New Forum User
Posts: 1
Joined: Wed Nov 15, 2017 6:17 am
Location: MY

Re: Scan over Firewall

Unread post by zareef.aqmar »

syntax1127 wrote:Hi,
Thank you for the replay.
Indead. The target I am trying to Scan and test is blocking Ping adn echo-requests. In fact, it blocks any other traffic except 443.
This web site is an ssl certificate based site and the access is only with https://xxx.xxx.xxx ( you get into a login form which requires a username and password ) .
Run 'openvas-check-setup'
scott wrote: Assuming it has a clear shot at the ports running in your DMZ, and this is just a situation where icmp discovery is being blocked, you can change the scan profile to treat dead hosts (ie, not discovered) as alive, and it will move on to the next phase of the assessment
I have changed the target properites to "Conside Alive" and now the scan goes to 1% but stuck ( for more than an hour )

Can OpenVas acctually Scan and find sites with https ?

When I try to scan other web sites which are not https it seem to work find and I do get results and a report.
What Am I missing now ?
Thanks again!
phydroxide
New Forum User
New Forum User
Posts: 4
Joined: Tue Jan 23, 2018 4:33 pm
Location: Bozeman, Mt

Re: Scan over Firewall

Unread post by phydroxide »

If you are scanning for open ports across the firewall, it is self-defeating to give OpenVAS a clean shot across the firewall. If you are scanning for open ports on the local network, a best practice would be to deploy the scanner on the local network.

With ever-expanding scale of networks, OpenVAS would do well to figure out ways to facilitate a lightweight deployment, even if I have to share plugins from some central location, or be able to trim smaller policies for smaller scope. If that were done, I could have lots of scanners in lots of LAN segments and can also test scans across the firewall to prove the firewalls are closed.

Remember that part of Security is Availability. Scanning across a firewall can kill the firewall if too many sessions hang open, which will diminish the reputation of the scanner and the scanning team. Scan local if you can. Open ports to an triggering script if possible.
Post Reply