Educause Security Discussion mailing list archives

Re: Scanning Notices


From: Tim Doty <tdoty () MST EDU>
Date: Wed, 31 Aug 2011 14:09:22 -0500

On Wed, 2011-08-31 at 10:16 -0400, Matt Marmet wrote:
Hello Everyone,
 
Here at Armstrong we are looking in to scanning our internal networks
(desktop and server networks). I was wondering if other institutions
were doing this and with what frequency? Also, do you notify the
campus that these scans are going to be taking place and, if so, how
much lead time do you give the campus? What kind of email or
disclaimers do you send out letting people know what the scan
includes? We are only looking at basic port scans and such at the
moment. Everything we would be doing is non-invasive and not
"invading" the users desktops looking for personal data. Thanks for
your replies.

We did and sort of still do constantly scan campus, including the
residential networks. It was/is non-stop scanning via nessus so there
were no particular notifications of scanning. At one time we kept the
"these IPs are used as sources for scanning" on a public page, but no
one outside of IT security really cared so we stopped updating it.

As alluded to above, we have largely stopped scanning. The primary
reason for this is the return has been rapidly diminishing. When we
first started it up the automated notices to users were helpful in
raising awareness and a three-strikes rule (automatic notification to
security group) caught those who blew it off. Windows has few externally
visible vulnerabilities any more, it's all crunchy on the outside and
soft and chewy on the inside where malvertising and web-based malware in
general hit it.

At the height of the scanning we managed to go through our entire
network about twice a day (notifications were throttled to at least 24
hours between).

When we first started scanning we would get (a very small number of)
complaints from students. "You're trying to hack my system!" some would
say. They were especially proud if they had verbose logging/intrusive
alerting to every probe. Good for them. But I don't recall getting a
scanning-related complaint in at least a year.

One thing to be ready for is that *anything* and *everything* will be
blamed on the scanning. I've had people claim they could tell when they
were being scanned because their computer would slow down. When pressed
for specific times they never matched up to scanning. I scanned the
be-jesus out of my system as a test bed for everything and I couldn't
tell any impact -- and I knew when the scan was actually occurring. But
scanning is a popular scapegoat.

Printers and scanning are an especially sore point. We use nessus and it
has very good printer detection and you can configure it to stop
scanning as soon as the printer is detected as being such. Every time a
printer hiccuped we would receive a complaint that our "scanning broke
the printer." Most of the time I could show that the printer was not
being scanned at the time.

The most common real issue is some printers dump everything sent to a
particular port to the output (print a page) so the web server scanning
plugin would cause a page to print. In the end I added functionality to
our in-house management app to preclude scanning of listed IPs, IP
ranges, hostnames, etc. It wasn't much utilized (amazing how rarely it
is actually a problem given the number of complaints) but it sure helped
smooth feathers to have a way to stop the scans from occurring.

Tim Doty
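The three pieces of plumbing Tim describes (notifications throttled to at least 24 hours per host and finding, a three-strikes rule that escalates to the security group, and an exclusion list of IPs, ranges and hostnames that should never be scanned) fit in a small policy layer between the scanner's output and the mail system. The following is an added example written for this archive page, not code from Tim's in-house management app or from Nessus; the finding fields, the host addresses, the hostnames and the plugin labels are all constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Policy constants modelled on the numbers in the post (assumptions, not product defaults).
NOTIFY_THROTTLE = timedelta(hours=24)   # at least 24 hours between notices per host/finding
STRIKES_TO_ESCALATE = 3                 # the third notice goes to the security group instead


class ScanExclusions:
    """Hosts that must never be scanned or notified: IPs, CIDR ranges and hostnames."""

    def __init__(self, entries):
        self.networks = []
        self.hostnames = set()
        for entry in entries:
            try:
                # a bare IP parses as a /32 (or /128) network; anything else is a hostname
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                self.hostnames.add(entry.lower())

    def is_excluded(self, ip, hostname=None):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.networks):
            return True
        return hostname is not None and hostname.lower() in self.hostnames


class NotificationPolicy:
    """Decide what to do with each finding the scanner reports."""

    def __init__(self, exclusions, throttle=NOTIFY_THROTTLE, strikes=STRIKES_TO_ESCALATE):
        self.exclusions = exclusions
        self.throttle = throttle
        self.strike_limit = strikes
        self.last_notice = {}   # (ip, plugin) -> datetime of the last notice sent
        self.strikes = {}       # (ip, plugin) -> notices sent so far

    def decide(self, finding, now):
        key = (finding["ip"], finding["plugin"])
        if self.exclusions.is_excluded(finding["ip"], finding.get("hostname")):
            return "skip_excluded"
        last = self.last_notice.get(key)
        if last is not None and now - last < self.throttle:
            return "throttled"
        self.last_notice[key] = now
        self.strikes[key] = self.strikes.get(key, 0) + 1
        if self.strikes[key] >= self.strike_limit:
            return "escalate_to_security"
        return "notify_owner"


def run_policy(findings, exclusion_entries):
    """Process findings in time order; return a list of (timestamp, ip, action)."""
    policy = NotificationPolicy(ScanExclusions(exclusion_entries))
    results = []
    for f in sorted(findings, key=lambda f: f["seen"]):
        results.append((f["seen"], f["ip"], policy.decide(f, f["seen"])))
    return results


# Constructed sample data: a fictional lab subnet and printers, not real hosts.
T0 = datetime(2011, 8, 31, 9, 0)
SAMPLE_EXCLUSIONS = ["10.20.5.0/24", "printer-lib3.example.edu"]
SAMPLE_FINDINGS = [
    {"seen": T0,                       "ip": "10.20.1.15", "plugin": "smb_signing_off", "hostname": "lab-pc-15"},
    {"seen": T0 + timedelta(hours=12), "ip": "10.20.1.15", "plugin": "smb_signing_off", "hostname": "lab-pc-15"},
    {"seen": T0 + timedelta(hours=25), "ip": "10.20.1.15", "plugin": "smb_signing_off", "hostname": "lab-pc-15"},
    {"seen": T0 + timedelta(hours=50), "ip": "10.20.1.15", "plugin": "smb_signing_off", "hostname": "lab-pc-15"},
    {"seen": T0 + timedelta(hours=1),  "ip": "10.20.5.7",  "plugin": "web_banner",      "hostname": "printer-5-7"},
    {"seen": T0 + timedelta(hours=2),  "ip": "10.20.1.99", "plugin": "web_banner",      "hostname": "printer-lib3.example.edu"},
]

if __name__ == "__main__":
    for seen, ip, action in run_policy(SAMPLE_FINDINGS, SAMPLE_EXCLUSIONS):
        print(f"{seen:%Y-%m-%d %H:%M}  {ip:<12} {action}")
```

Run as a script it walks the constructed findings in time order: the lab PC gets one notice, is throttled at the 12-hour mark, gets a second notice after 25 hours and is escalated on the third, while both printers are skipped, one by subnet and one by hostname. Keying throttling and strikes on (IP, finding) rather than on IP alone means a new problem on an already-notified host is still reported promptly; the exclusion check runs before anything else so that a listed printer never generates mail even if it leaks into a scan result.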
