The 3 Main Types of Vulnerability Scanning Approaches
There are 3 major types of vulnerability scanning you can use on your networks. Most large organizations will have to use all 3 (or at least a couple) methods.
- Unauthenticated Network Based Scanning
- Authenticated Network Based Scanning
- Agent Based Scanning
This post will go over the differences between these methods and explain why a combination of methods is typically needed. (This covers standard network and host scanning; containers will be covered in a different post.) Yes, passive network scanning exists too. I don’t feel knowledgeable enough on that yet to speak to it.
Back in 2011 I posted a quick explanation of some of the differences between authenticated and unauthenticated scans. Not much (if anything) has changed since then with regard to the differences between those two types of scans. However, I will add some more details on the differences in this post.
Unauthenticated Network Based Scanning
These are scans that you run from a system with “scan engine” software or from an appliance type of system. The scans run across the network, targeted at other systems, without knowing anything about the targets other than an IP address or DNS name.
No credentials are provided in these types of scans.
The unauthenticated scan has to mostly guess at everything it tells you about the target system, because all it can do is probe the ports and services you have open, read the banners and responses they return, and try to get them to give up information (banner grabbing and fingerprinting).
- Cons – More false positives (it is guessing).
- Cons – Less detailed information (it is still guessing).
- Cons – May require more network connections than authenticated scans.
- Cons – You are more likely to impact legacy services or applications that do not have authentication or input sanitization, because the scanner has to poke at them to find out what they are.
- Cons – You have to maintain access to your targets through firewalls, IDS, IPS, etc.
- Cons – You have to manage the scanner system(s).
- Pros – Shows only issues that are reachable over the network, which are usually the highest-risk ones, so the result set stays small.
- Pros – Gives you a good view of the minimum an attacker on your network can see: any script kiddie will be able to see everything an unauthenticated scan shows you.
- Pros – Is usually faster than an authenticated scan.
Authenticated Network Based Scanning
These are scans that you run from a system with “scan engine” software or from an appliance type of system. The scans run across the network, targeted at other systems, but provide login credentials for the target system that let the network scanner get a command shell (or similar access) so it can simply run commands and check settings on the target. This allows much more accurate and detailed information to be returned.
You will never get 100% authenticated scanning success on large networks because of the variety of system types and authentication methods required. You will probably not be able to get into every appliance, printer, IoT device, etc. So 100% is not typically a realistic goal for diverse environments.
- Pros – Fewer false positives (much less guessing).
- Pros – More detailed information (again, it doesn’t have to guess anymore).
- You can now see things like missing patches, specific OS versions, and locally installed third-party client software versions.
- Pros – May require fewer network connections than unauthenticated scans.
- Pros – You are less likely to impact third-party legacy services or applications that do not have authentication or input sanitization, because the scanner doesn’t have to guess about the service.
- Pros – You can now gather configuration information off the system to help feed a CMDB or perform configuration baseline checks. You are now a configuration checking tool and not just a vulnerability checking tool.
- Cons – Still carries most of the same risk of impacting custom-written socket servers/services, because the scanner still probes the open ports over the network in addition to logging in.
- Cons – You are now awash in a sea of data (vulnerability data) about that system.
- Cons – Risk assessment requires more analysis because instead of a handful of findings from an unauthenticated vulnerability scan, you may now have 30-40 findings.
- Cons – Is often slower than an unauthenticated scan, because it is running specific commands from a shell on the system and waiting for the returns. This is not always the case; in some cases authentication may speed up scans.
- Cons – You have to maintain access to your targets through firewalls, IDS, IPS, etc.
- Cons – You have to manage the scanner system(s).
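The “guessing” versus “asking” distinction in the two sections above, as an added example that is not part of the original post. It contrasts what a scanner can conclude from a single service banner with what it can conclude once it can read the host’s package database (via a shell or an agent). The banners, the `rpm -q` output, the `FIXED_IN` advisory table and the `BACKPORT_FIXED` table are all constructed for illustration and are not real scanner output or real vulnerability data; the point they illustrate (distributions backport fixes without changing the upstream version string, so a banner-only match is a classic false positive) is real.

```python
"""Banner-based guessing versus authenticated package checks.

Everything below is constructed for illustration: the banners, the rpm -q
output, the FIXED_IN 'advisory' and the backport table are not real scanner
output or real vulnerability data.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int]

# Constructed stand-in for a vulnerability feed: a product is "affected" when
# its upstream version is older than the version that carries the fix.
FIXED_IN = {"openssh": (8, 0), "nginx": (1, 20)}

# Constructed: vendor packages that backported the fix without bumping the
# upstream version. Real distributions publish this in their own advisories,
# keyed on package name-version-release, which is exactly what a banner lacks.
BACKPORT_FIXED = {"openssh-server": ("7.4p1", 21)}

PKG_TO_PRODUCT = {"openssh-server": "openssh", "nginx": "nginx"}

PRODUCT_PATTERNS = {
    "openssh": (re.compile(r"openssh", re.I), re.compile(r"OpenSSH_(\d+)\.(\d+)")),
    "nginx": (re.compile(r"nginx", re.I), re.compile(r"nginx/(\d+)\.(\d+)")),
}
# name-version-release.arch, e.g. openssh-server-7.4p1-21.el7.x86_64
RPM_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>\w+)$")


@dataclass
class Finding:
    product: str
    version: Optional[Version]   # None when the service does not disclose it
    confidence: str              # "inferred" (banner) or "verified" (package data)
    affected: Optional[bool]     # None when the scanner cannot tell


def unauthenticated_assess(banner: str) -> Optional[Finding]:
    """All a network scanner has: one banner. Identify the product, pull a
    version out of it if one is advertised, and compare against FIXED_IN."""
    for product, (name_rx, ver_rx) in PRODUCT_PATTERNS.items():
        if not name_rx.search(banner):
            continue
        m = ver_rx.search(banner)
        if not m:
            # Product known, version hidden (e.g. server_tokens off): the honest
            # answer is "cannot tell", which is where many false positives start.
            return Finding(product, None, "inferred", None)
        version = (int(m.group(1)), int(m.group(2)))
        return Finding(product, version, "inferred", version < FIXED_IN[product])
    return None


def authenticated_assess(rpm_q_line: str) -> Optional[Finding]:
    """With a shell on the host (or an agent reading the package database) the
    scanner sees the full name-version-release, so backported fixes are visible."""
    m = RPM_RE.match(rpm_q_line.strip())
    if not m or m["name"] not in PKG_TO_PRODUCT:
        return None
    product = PKG_TO_PRODUCT[m["name"]]
    vm = re.match(r"(\d+)\.(\d+)", m["ver"])
    version = (int(vm.group(1)), int(vm.group(2)))
    release = int(m["rel"].split(".")[0])
    backport = BACKPORT_FIXED.get(m["name"])
    if backport and m["ver"] == backport[0] and release >= backport[1]:
        affected = False          # vendor backported the fix; the banner still says 7.4
    else:
        affected = version < FIXED_IN[product]
    return Finding(product, version, "verified", affected)


if __name__ == "__main__":
    # Same host seen two ways: the banner says 7.4 and looks vulnerable, the
    # package release shows the vendor's backported fix.
    print(unauthenticated_assess("SSH-2.0-OpenSSH_7.4"))
    print(authenticated_assess("openssh-server-7.4p1-21.el7.x86_64"))
    print(unauthenticated_assess("Server: nginx"))
```

The two `Finding` objects for the OpenSSH host disagree on `affected`, and only the verified one is right; that disagreement is the false positive the unauthenticated list above warns about. The `confidence` field is worth keeping in real tooling so that downstream risk scoring can weight inferred findings differently from verified ones.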
Agent Based Scanning
Agent based scanning requires the installation of a daemon/agent on Linux and Unix systems, or a “service” on Windows systems. I will refer to this as an “agent” from now on.
The agent is installed locally on the target systems, runs on a schedule, and reports the data up to a centralized system or SaaS service. Vulnerability scan agents are usually fairly lightweight, but the different variations and vendors all have their own quirks. I highly recommend you perform testing on a variety of systems and talk to existing clients who already use the vendor’s agents before going with this approach.
One of the big pitfalls with an agent is that it cannot fully exercise the target system’s network stack the way a network based scanner does. So if you have an nginx service that is misconfigured, the agent likely won’t report that as an issue, while a network based vulnerability scan would.
This inability to act as a network client is the big gap in agent functionality. As a result, you cannot truly get a “full” vulnerability picture without also running at least one network based scan. In some cases the agent data may be good enough, but that is a decision for each organization.
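The gap described above, as an added example that is not part of the original post. A throwaway HTTP server bound to 127.0.0.1 stands in for a misconfigured web service; an “agent view” built from a constructed local inventory (package version, listening socket) is compared with a “network view” that connects as a client and judges the responses. The server, its responses, the `LOCAL_INVENTORY` dictionary and the two response heuristics (a version in the `Server` header, an `Index of /` page at the root) are all constructed and simplified for illustration, not real agent or scanner logic.

```python
"""An agent reads local state; a network scanner behaves like a client.

A throwaway HTTP server on 127.0.0.1 stands in for a misconfigured web service.
The server, its responses and the 'agent' inventory are constructed for
illustration and are not real scanner or agent output.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List
from urllib.request import urlopen


class LeakyHandler(BaseHTTPRequestHandler):
    """Simulates two classic web-server misconfigurations: a version-bearing
    Server header and a directory listing served at the document root."""

    def version_string(self) -> str:          # becomes the Server: header
        return "nginx/1.18.0"

    def do_GET(self) -> None:
        body = b'<html><title>Index of /</title><a href="backup.tgz">backup.tgz</a></html>'
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:     # keep the example quiet
        pass


def start_server() -> HTTPServer:
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), LeakyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Constructed: what an agent on the host can collect from the package
# database and the listening-socket table. It is all true, and all local.
LOCAL_INVENTORY = {"packages": {"nginx": "1.18.0"}, "listening": ["0.0.0.0:80"]}


def agent_view(inventory: Dict) -> List[str]:
    """Agent-style findings: versions and config facts. Nothing here says what
    the service actually hands to a client that connects to it."""
    return [f"installed {pkg} {ver}" for pkg, ver in inventory["packages"].items()]


def network_view(base_url: str) -> List[str]:
    """Network-scanner-style findings: connect as a client and judge responses."""
    findings = []
    with urlopen(base_url + "/", timeout=5) as resp:
        server = resp.headers.get("Server", "")
        body = resp.read().decode("utf-8", errors="replace")
    if "/" in server:
        findings.append(f"version disclosed in Server header: {server}")
    if "Index of /" in body:
        findings.append("directory listing enabled at /")
    return findings


def compare_views() -> Dict[str, List[str]]:
    """Run both views against the same host and return them side by side."""
    srv = start_server()
    try:
        url = f"http://127.0.0.1:{srv.server_port}"
        return {"agent": agent_view(LOCAL_INVENTORY), "network": network_view(url)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for source, items in compare_views().items():
        print(source, items)
```

The agent’s output is accurate and still misses both findings, because neither is a property of an installed file; both are properties of what the service returns on the wire. That is the reason the post recommends an additional network based scan even where agents are deployed.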
Agents are a good solution for systems like mobile laptops that may rarely be on the corporate network, or for some public cloud scenarios where you can’t maintain network scanner access across the network to the target host.
- Pros – Fewer false positives (much less guessing; the agent is installed on the system and just asks for the information).
- Pros – More detailed information (again, it doesn’t have to guess anymore).
- You can now see things like missing patches, specific OS versions, and locally installed third-party client software versions.
- Pros – Requires far fewer network connections, usually just an outbound push of data.
- Pros – The system with the agent can report its data from anywhere to your SaaS backend, or to an internet-connected backend of your own if that is your design. The scanner effectively resides with each host.
- Pros – You are less likely to impact third-party legacy services or applications that do not have authentication or input sanitization, because the agent doesn’t talk to the network stack and services like a network client.
- Pros – You can now gather configuration information off the system to help feed a CMDB or perform configuration baseline checks. You are now a configuration checking tool and not just a vulnerability checking tool.
- Pros – You have to maintain far less network access (usually just an outbound connection); IDS, IPS, WAFs, etc. between scanner and target no longer matter.
- Cons – You are now awash in a sea of data (vulnerability data) about that system.
- Cons – Risk assessment requires more analysis because instead of a handful of findings from an unauthenticated vulnerability scan, you may now have 30-40 findings.
- Cons – You now have an agent, a piece of software on every target system, that you (or some team) has to own and manage. Since every company does this slightly differently, it adds a layer of complexity and overhead compared to running a scan across the network.
- Cons – You now have to manage an agent, and you are now a customer and user of every target system.
- Cons – Your agent may (will) get blamed, sometimes rightly so, for impacting performance on a system.
So what is the best solution?
Like almost everything in IT and IT Security, the best solution depends on your requirements. Most larger organizations want the verbose data that an authenticated scan or agents provide.
With most people using laptops these days, classic network based vulnerability scanning is going to miss a lot of assets that an agent will be able to cover.
Datacenter implementations may be covered fine with authenticated scanning, and not having to manage an agent or be called in to every performance issue (because you have something running on the system) in that scenario may reduce headache.
Public IaaS hosts may require unauthenticated scanning from an Internet based scanner plus an agent on the host to get the full picture.
Ultimately, the right approach is the one that meets your requirements and fits within your funding and capabilities.