17. Monitoring the Performance

When operating the Greenbone Security Manager (GSM), the scanned target systems can return a considerable amount of data. The GSM analyzes, filters and processes the resulting scan results. On larger GSM models this usually happens concurrently, for many users and processes at the same time.

17.1. Optimizing the Scan Performance

The speed of a scan depends on many parameters:

  • Selected ports
  • Selected scan configuration
  • Scanning order of targets

17.1.1. Selecting a Port List for a Task

Which port list is configured for a target and as such for the tasks and the scans has a large influence on the discovery performance and on the scan duration.

17.1.1.1. General Information about Ports and Port Lists

Ports are the end points of network communication: a connection always runs from a port on one system to a port on another system.

Transmission Control Protocol (TCP) ports

  • 65535 TCP ports for each system
  • A TCP connection is established with a handshake, and data are transmitted in both directions between the two ports.
  • Because an open or closed TCP port normally answers a probe (with a handshake response or a reset), scanning TCP ports is usually simple and fast.

User Datagram Protocol (UDP) ports

  • 65535 UDP ports for each system
  • UDP is connectionless: a datagram is sent from one port to another without a handshake, and a reply is not required.
  • Since a datagram to an open UDP port is not necessarily acknowledged, an open port that stays silent looks the same as a filtered one; the scanner has to wait for a timeout and retry, so testing UDP ports usually takes much longer.

Additionally, there is the special port 0. Ports 0 to 1023 are the so called privileged or system ports, which unprivileged user applications cannot bind to [1].

The Internet Assigned Numbers Authority (IANA) assigns ports to standard protocols, e.g. port 80 to “http” or port 443 to “https”. Over 5000 ports are registered.

Scanning all ports takes too long in many cases and many ports are usually not used. To overcome this, port lists can be used.

Surveys of the ports actually open on internet-accessible systems have produced lists of the most frequently used ports. Those lists do not necessarily match the IANA list because there is no obligation to run the registered service on a given port. Nmap, an open source port scanner, and the OpenVAS scanner use different default lists and do not check all ports either.

For most scans it is often enough to scan the ports registered with the IANA.

The following port lists are predefined on the GSM:

  • All IANA assigned TCP 2012-02-10: all TCP ports assigned by IANA on 10th of February 2012
  • All IANA assigned TCP and UDP 2012-02-10: all TCP and UDP ports assigned by IANA on 10th of February 2012
  • All privileged TCP
  • All privileged TCP and UDP
  • All TCP
  • All TCP and Nmap 5.51 top 100 UDP: all TCP ports and the top 100 UDP ports according to Nmap 5.51
  • All TCP and Nmap 5.51 top 1000 UDP: all TCP ports and the top 1000 UDP ports according to Nmap 5.51
  • Nmap 5.51 top 2000 TCP and top 100 UDP: the top 2000 TCP ports and the top 100 UDP ports according to Nmap 5.51
  • OpenVAS Default: the TCP ports which are scanned by the OpenVAS scanner when passing the default port range preference

17.1.1.2. Creating and Managing Port Lists

If applications run on unusual ports and should be monitored and tested with the GSM, the default port lists must be adapted. If necessary, an individual port list including the desired ports can be created.

17.1.1.2.1. Creating a Port List

A new port list can be created as follows:

  1. Select Configuration > Port Lists in the menu bar.

  2. Create a new port list by clicking new.

  3. Define the port list (see Fig. 17.1).

    _images/port_list_new.png

    Fig. 17.1 Creating a new port list

  4. Click Save.

The following details of the port list can be defined:

Name
Definition of the name. The name can be chosen freely.
Comment
An optional comment can contain additional information.
Port Ranges

Manual entry of the port ranges or import of a file containing the port ranges. When entering manually, the port ranges are separated by commas. When importing from a file, the entries can be separated by commas or line breaks.

Each value in the list can be a single port (e.g. 7) or a port range (e.g. 9-11). These options can be mixed (e.g. 5, 7, 9-11, 13).

An entry in the list can be preceded by a protocol specifier (T: for TCP, U: for UDP), e.g. T:1-3, U:7, 9-11 (TCP ports 1, 2 and 3, UDP ports 7, 9, 10 and 11). A specifier applies to all following entries until another specifier is given. If no specifier is given, TCP is assumed.
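As an added illustration of the syntax described above (example code written for this page, not part of the GSM or of the Greenbone manual): a small Python parser for the port range notation that also computes the Total/TCP/UDP counts shown on the port list page and renders the selection back in its canonical form. The rule that a specifier stays in force for the entries that follow it is taken from the T:1-3, U:7, 9-11 example; the bounds check 1-65535 and the definitions in PREDEFINED are assumptions based on the names of the predefined lists.

```python
"""Parse GSM/OpenVAS port range specifications such as "T:1-3, U:7, 9-11"."""
import re

MAX_PORT = 65535

# One entry: optional protocol specifier, a port, optionally "-" and a second port.
_ENTRY_RE = re.compile(r"^(?:(?P<proto>[TtUu]):)?(?P<lo>\d+)(?:-(?P<hi>\d+))?$")

# Assumed definitions, reconstructed from the names of GSM's predefined lists.
PREDEFINED = {
    "All privileged TCP": "T:1-1023",
    "All privileged TCP and UDP": "T:1-1023,U:1-1023",
    "All TCP": "T:1-65535",
}


def parse_port_ranges(spec):
    """Return {"tcp": set(...), "udp": set(...)} for a port range specification.

    Entries are separated by commas or line breaks (both accepted by the
    import dialog). Each entry is a single port or a lo-hi range, optionally
    preceded by T: or U:. A specifier stays in force for the following
    entries until another one appears; TCP is assumed at the start.
    Malformed or out-of-range entries raise ValueError instead of being
    silently dropped, so a typo cannot shrink the scan scope unnoticed.
    """
    ports = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for raw in re.split(r"[,\n]", spec):
        entry = re.sub(r"\s+", "", raw)          # tolerate "T: 1-3" and padding
        if not entry:
            continue
        m = _ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed port entry: {raw.strip()!r}")
        if m.group("proto"):
            proto = "tcp" if m.group("proto").upper() == "T" else "udp"
        lo = int(m.group("lo"))
        hi = int(m.group("hi")) if m.group("hi") else lo
        if not (1 <= lo <= hi <= MAX_PORT):      # assumed valid range: 1-65535
            raise ValueError(f"port range out of bounds: {raw.strip()!r}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def port_counts(ports):
    """Totals as shown in the Total/TCP/UDP columns of the port list page."""
    tcp, udp = len(ports["tcp"]), len(ports["udp"])
    return {"total": tcp + udp, "tcp": tcp, "udp": udp}


def compress(portset):
    """Collapse a set of ports into sorted, non-overlapping (lo, hi) ranges."""
    ranges = []
    for p in sorted(portset):
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1][1] = p                    # extend the current range
        else:
            ranges.append([p, p])                # start a new range
    return [tuple(r) for r in ranges]


def format_port_ranges(ports):
    """Canonical string in the same notation, e.g. "T:1-3,U:7,9-11"."""
    parts = []
    for proto, tag in (("tcp", "T"), ("udp", "U")):
        rs = compress(ports[proto])
        if rs:
            body = ",".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in rs)
            parts.append(f"{tag}:{body}")
    return ",".join(parts)


if __name__ == "__main__":
    for name, spec in list(PREDEFINED.items()) + [("manual example", "T:1-3, U:7, 9-11")]:
        parsed = parse_port_ranges(spec)
        print(f"{name:28} {port_counts(parsed)}  ->  {format_port_ranges(parsed)}")
```

Overlapping and duplicate entries (e.g. 1-10, 5-15, 80, 80) are merged by the set representation, so the counts match what the list page would show rather than the number of entries typed. The canonical output uses the same protocol prefix convention as Nmap's -p argument, which makes it easy to reproduce a GSM port list with a stand-alone Nmap run when comparing results.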

17.1.1.2.2. Managing Port Lists

List Page

All existing port lists can be displayed by selecting Configuration > Port Lists in the menu bar.

For all port lists the following information is displayed:

Name
Name of the port list. A global port list is marked with view_other.
Total
Total number of ports in the port list.
TCP
Number of TCP ports in the port list.
UDP
Number of UDP ports in the port list.

For all port lists the following actions are available:

  • trashcan Delete the port list. Only port lists which are currently not used can be deleted.
  • edit Edit the port list. Only port lists which are currently not used can be edited.
  • clone Clone the port list.
  • export Export the port list as an XML file.

Note

By clicking trashcan or export below the list of port lists, more than one port list can be deleted or exported at a time. The drop-down list is used to select which port lists are deleted or exported.

Details Page

Click on the name of a port list or on details to open the details page of the port list.

The following registers are available:

Information
General information about the port list.
Port Ranges
All port ranges included in this port list. The first and the last port of a range as well as the protocol specifier are displayed.
User Tags
Assigned tags (see Chapter 8.5).
Permissions
Assigned permissions (see Chapter 9.4).

The following actions are available in the upper left corner:

  • help Open the corresponding chapter of the user manual.
  • list Show the list page of all port lists.
  • new Create a new port list.
  • clone Clone the port list.
  • edit Edit the port list. Only port lists which are currently not used can be edited.
  • trashcan Delete the port list. Only port lists which are currently not used can be deleted.
  • export Export the port list as an XML file.

17.1.1.3. Selecting the Right Port List

When choosing a port list, discovery performance and scan duration have to be weighed against each other.

The duration of a scan is mostly determined by the network configuration and the number of ports to be tested.

Services bound to ports that are not on the list are not tested for vulnerabilities, and malicious applications listening on such ports are not discovered. Malicious applications often use high ports that are normally unused and far from the system ports.

Another criterion are the defence mechanisms (firewalls, intrusion detection and prevention systems) that are triggered by exhaustive port scans and respond with countermeasures or alerts. Even with normal scans, a firewall can pretend that all 65535 ports are open; the scanner then has to wait for a timeout on each of them, which slows down the actual scan considerably.

Additionally, the service behind each queried port usually writes at least one log entry. For organizational reasons some systems may therefore only be scanned at specific times.

17.1.1.3.1. Scan Duration

In some situations, e.g. when a defence system throttles the connection rate, scanning all TCP and UDP ports can take 24 hours or more for a single system. Since scans are performed in parallel, two systems take only marginally longer than a single system. However, the parallelization is limited by system resources and network performance.

All IANA-assigned TCP ports usually require only a couple of minutes to be scanned.

Since such countermeasures increase the duration of a scan, throttling can be avoided by adapting the configuration of the defence system, e.g. by exempting the scanner's IP address from rate limiting.

If a compromise is suspected or the highest security requirements apply, a complete scan of all TCP and UDP ports is unavoidable.

17.1.1.3.2. Total Security

For port scans there is no absolute certainty: even when all TCP and all UDP ports are scanned, the preset timeout of the port test can be too short to make a hidden malicious application respond.

If an initial suspicion exists, an experienced penetration tester should be consulted.

17.1.2. Selecting a Scan Configuration for a Task

The scan configuration has an impact on the scan duration as well. The GSM offers four different scan configurations for vulnerability scans:

  • Full and fast
  • Full and fast ultimate
  • Full and very deep
  • Full and very deep ultimate

The scan configurations Full and fast and Full and fast ultimate optimize the scan by using the information found earlier in the scan, e.g. the detected services and software versions. Only NVTs that are relevant to the target are executed, which reduces the scan duration.

Scans using the scan configurations Full and very deep and Full and very deep ultimate ignore the information already discovered and execute all available NVTs without exception; they are therefore considerably slower.

17.1.3. Selecting the Scanning Order of Targets

During a scan the corresponding status bar on the page Tasks reflects the progress of the scan in percent (see Chapter 10.7).

In most cases this progress is a rough estimate, since the GSM cannot predict how the systems and services that have not been scanned yet will behave compared to those already scanned.

Example

Assume a network 192.168.0.0/24 with 5 hosts, 192.168.0.250-254, and a scan of this network that processes the hosts in sequence. Because the IP addresses at the beginning of the network are not used, the scan reaches 95 % very fast.

Then, however, the systems at the end of the range are discovered, and they run many services. The scan slows down, and since all of these services are tested, the status bar advances only slowly from then on.

To overcome this behaviour the setting Order for target hosts can be adjusted when creating a new task (see Chapter 10.2.2).

The setting Random is recommended (see Fig. 17.2).

_images/performance_task.png

Fig. 17.2 Selecting the order for targets
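The effect described in the example above, quantified with a small simulation (example code written for this page, not part of the GSM): the progress bar is modelled as the share of hosts finished, while the real work per host differs. The per-host costs (1 time unit for an unused address, 60 for a live host with many services) and the use of a seeded shuffle to stand in for the Random setting are assumptions.

```python
"""Simulate the reported progress of a sequential vs. a random host order."""
import random


def reported_progress(order, cost):
    """Progress points (elapsed_fraction, reported_percent) for a scan that
    works through `order` one host at a time and reports progress as the
    fraction of hosts finished, as the Tasks page does."""
    total = sum(cost[h] for h in order)
    spent = 0.0
    points = []
    for n, host in enumerate(order, start=1):
        spent += cost[host]
        points.append((spent / total, 100.0 * n / len(order)))
    return points


def progress_at(points, elapsed):
    """Reported percentage at a given fraction of the total scan time."""
    done = 0.0
    for frac, pct in points:
        if frac > elapsed:
            break
        done = pct
    return done


def build_network():
    """Constructed example from the manual: 192.168.0.0/24 with only
    .250-.254 in use. Costs are assumed time units, not measurements."""
    hosts = list(range(1, 255))
    live = set(range(250, 255))
    cost = {h: 60 if h in live else 1 for h in hosts}
    return hosts, cost


def compare(elapsed=0.5, seed=1):
    """Reported progress after `elapsed` of the real scan time for both orders."""
    hosts, cost = build_network()
    sequential = reported_progress(hosts, cost)
    shuffled = hosts[:]
    random.Random(seed).shuffle(shuffled)        # stands in for "Order: Random"
    randomized = reported_progress(shuffled, cost)
    return {
        "sequential": progress_at(sequential, elapsed),
        "random": progress_at(randomized, elapsed),
    }


if __name__ == "__main__":
    for elapsed in (0.25, 0.5, 0.75):
        r = compare(elapsed)
        print(f"after {elapsed:.0%} of the time: sequential {r['sequential']:.1f} %, "
              f"random {r['random']:.1f} %")
```

With the sequential order the bar shows about 98 % when less than half of the real scan time has passed, because the 249 unused addresses are finished almost immediately and the five live hosts account for most of the remaining work. With a random order the expensive hosts are spread over the run, so the reported percentage tracks the elapsed time much more closely.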

17.2. Optimizing the Appliance Performance

The overall performance of the Greenbone Security Manager (GSM) can be monitored by selecting Extras > Performance in the menu bar.

The resource utilization of the GSM for the last hour, day, week, month or year can be displayed.

The performance of a configured sensor can be displayed on the master as well.

_images/performance2.png

Fig. 17.3 Displaying the performance of the GSM

The following sections are important:

Processes
A high number of processes is not critical by itself. However, the processes should be almost exclusively in the sleeping or running state; a growing number of blocked or zombie processes indicates a problem.
System Load
A sustained high load is critical. The load is the number of processes running or waiting to run; a load of 4 on a system with 4 cores is considered acceptable.
CPU Usage
A high I/O wait share (processes waiting for disk or network I/O) is especially critical.
Memory Usage
The GSM uses aggressive caching. The usage of most of the memory as cache is acceptable.
Swap Usage
Use of swap memory points to a potential system overload.

[1] On UNIX-like systems, binding to these privileged ports is only allowed for privileged users (i.e. root, or on Linux processes with the CAP_NET_BIND_SERVICE capability). Ports from 1024 upwards are also available to unprivileged users.