The Network Security. Org


Nmap in the enterprise: Interpreting and acting on Nmap results

September 13th, 2006


One of the regular tasks you’ll be performing with Nmap is verifying that your firewall rules are performing as intended. To do so, run a scan to look for ports that appear open to the outside world and check whether they are filtered or not. A simple firewall audit scan would be something similar to:

nmap -v -sA -ff -r -n www.yourorg.com -oA firewallaudit

The Nmap TCP ACK scan (-sA) establishes whether packets can pass through your firewall unfiltered, and by adding the -ff option you can also test how it handles fragmented traffic. To make it easier to follow how packets are handled by the firewall, it is best to scan ports in numerical order. This can be done by adding the -r option. I would also use the -oA output option so that you create a searchable grepable file as well as an XML file to use for proper record keeping and reporting. You can use these output files to review the traffic flow through any unfiltered ports and then modify your firewall rule sets where necessary. If you do make changes to your firewall, rerun the audit scan to ensure that your changes were successful. It’s a good idea to run this type of audit scan on a regular basis to ensure that your firewall configuration has not been modified unexpectedly.
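
One way to turn the grepable file from the audit scan into a repeatable check is sketched below. This is an added example, not code from the original article: it parses firewallaudit.gnmap content and compares the unfiltered ports with the ports your rule set is meant to pass. The sample scan lines, the 192.0.2.x addresses and the EXPECTED policy are constructed for illustration.

```python
import re

# Constructed sample of firewallaudit.gnmap content, not output from a real scan.
SAMPLE_GNMAP = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 25/filtered/tcp//smtp///, 80/unfiltered/tcp//http///, "
    "443/unfiltered/tcp//https///, 3389/unfiltered/tcp//ms-wbt-server///\t"
    "Ignored State: filtered (996)\n"
)
# Assumed policy: TCP ports the rule set is meant to pass, per host.
EXPECTED = {"192.0.2.10": {80, 443}}

def parse_gnmap(text):
    """Return {host: {"ports": unfiltered TCP ports, "bulk": unlisted unfiltered count}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = [f.strip() for f in line.split("\t")]
        info = hosts.setdefault(fields[0].split()[1], {"ports": set(), "bulk": 0})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for entry in field[len("Ports:"):].split(","):
                    p = entry.strip().split("/")
                    if len(p) >= 3 and p[1] == "unfiltered" and p[2] == "tcp":
                        info["ports"].add(int(p[0]))
            # Nmap collapses the most common state into a count instead of listing ports.
            m = re.match(r"Ignored State: unfiltered \((\d+)\)", field)
            if m:
                info["bulk"] = int(m.group(1))
    return hosts

def audit(text, expected):
    """Diff scan results against policy; lists are only complete when bulk_unfiltered is 0."""
    seen = parse_gnmap(text)
    report = {}
    for host in sorted(set(seen) | set(expected)):
        info = seen.get(host, {"ports": set(), "bulk": 0})
        want = expected.get(host, set())
        report[host] = {
            "unexpected": sorted(info["ports"] - want),
            "missing": sorted(want - info["ports"]) if info["bulk"] == 0 else [],
            "bulk_unfiltered": info["bulk"],
        }
    return report

if __name__ == "__main__":
    for host, diff in audit(SAMPLE_GNMAP, EXPECTED).items():
        print(host, diff)
```

A non-zero bulk_unfiltered means most scanned ports passed the firewall and were summarized rather than listed, which deserves a closer look than any single unexpected port.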

As most new viruses and spyware programs create open ports on infected machines, you can use Nmap to search for open ports after a reported outbreak using an ICMP ping (-PE) and TCP SYN and UDP scans, options -sS and -sU.
