2 Read Before Use#

2.1 Using a Supported GOS Version#

The Greenbone Enterprise Appliance should always be operated in a version supported by Greenbone (including patch level). Otherwise, the following problems/effects may occur:

  • Incompatibilities in the feed

  • Unfixed bugs

  • Missing functionalities (e.g., ones that are required for VTs to work reliable or to work at all)

  • Decreased scan coverage or missing vulnerability detection due to the issues mentioned above

  • Unfixed security vulnerabilities in the used components (e.g., GOS)

2.2 Effects on the Scanned Network Environment#

The Greenbone Enterprise Appliance includes a full-featured vulnerability scanner. While the vulnerability scanner has been designed to minimize any adverse effects on the network environment, it still needs to interact and communicate with the target systems being analyzed during a scan.

Note

It is the fundamental task of the Greenbone Enterprise Appliance to find and identify otherwise undetected vulnerabilities. To a certain extent, the scanner must behave like real cyber criminals would.

While the default and recommended settings reduce the impact of the vulnerability scanner on the environment to a minimum, unwanted side effects may still occur. By using the scanner settings, the side effects can be controlled and refined.

Note

Be aware of the following general side effects:

  • Log and alert messages may show up on the target systems.

  • Log and alert messages may show up on network devices, monitoring solutions, firewalls and intrusion detection and prevention systems.

  • Firewall rules and other intrusion prevention measures may be triggered.

  • Scans may increase latency on the target and/or the scanned network. In extreme cases, this may result in situations similar to a denial-of-service (DoS) attack.

  • Scans may trigger bugs in fragile or insecure applications resulting in faults or crashes.

  • Embedded systems and elements of operational technology with weak network stacks are especially subject to possible crashes or even broken devices.

  • Logins (e.g., via SSH or FTP) are done against the target systems for banner-grabbing purposes.

  • Probes via different protocols (e.g., HTTP, FTP) are done to all exposed services for service detection.

  • Scans may result in user accounts being locked due to the testing of default user name/password combinations.

Since the behavior described above is expected, desired, or even required for vulnerability scanning, the scanner’s IP address(es) should be added to the allow list of the affected system/service. Information on creating such an allow list is available from the documentation or support of the respective system/service.

Remember that triggering faults, crashes or locking with default settings means that cyber criminals can do the very same at unplanned times and to an unplanned extent. Finding out about it earlier than the cyber criminals is the key to resilience.

While the side effects are very rare when using the default and recommended settings, the vulnerability scanner allows the configuration of invasive behavior and thus will increase the probability of the effects listed above.

Note

Be aware of these facts and verify the required authorization to execute scans before using the Greenbone Enterprise Appliance to scan the target systems.

2.3 Scanning Through Network Equipment#

2.3.1 General Information#

Scanning through network equipment like an IDS (Intrusion Detection System)/IPS (Intrusion Prevention System), a WAF (Web Application Firewall), a proxy or a firewall should be avoided, as such devices may interfere with the scan, which may lead to the following unpredictable scan behavior or environmental impact:

  • False-positive and false-negative results

  • Slow scanning speed

  • Too many ports reported as open on the scan target

  • Dropped packets due to TCP connection limits, or reaching the maximum session limit

  • Depending on the settings, logs can become very extensive, which can lead to an overload of the log server or – if they are completely deactivated – to a blind spot.

Note

Such behavior can also occur if the maximum number of checks per host is limited.

2.3.2 Firewall-Specific Information#

Depending on the specific product, a firewall may have several additional modules such as deep packet inspection and denial-of-service (DoS) protection.

  • These modules may have limited configurability like general on/off switching per interface and not per source/target IP address.

  • Some of the modules may even be hidden or not configurable at all, so that the side effects as mentioned above may occur without any knowledge of why and where they occur.

  • The load on the firewall will increase significantly. In a worst-case scenario, connections are not only interrupted for the scanner, but the entire firewall functionality can be impaired, which can lead to a denial of service.