Device Scans

Security scans against devices test for known vulnerabilities in their locally running network processes. Attackers routinely use the same technique to detect potential security holes. In order to detect such holes before attackers do, and in order to improve the general security of devices connected to CERN networks, the Security Team is currently using a series of different vulnerability scanners:

  • The standard "Nmap" is used for a general assessment of locally running services. This scanner is part of the regular network scans;
  • "Prodder", a custom tool, probes deeper into the services found by "Nmap" in order to discover a range of critical vulnerabilities. Together with "Nmap" it is part of the regular network scans;
  • The widely used "OpenVAS" tool is generally employed for checking the security of, and detecting vulnerabilities on, devices for which there are openings in CERN's outer perimeter firewall (requests for Web services, i.e. HTTP/HTTPS, must also pass a Web application scan).

If security holes are found, instructions to fix them will be sent to the person responsible for the system, whose name can be viewed and updated at the Network Connection Request Form. (This requires that the "Responsible" or "Main User" is correctly registered.)

Why are security scans useful?

Scans conduct basic intrusion attempts which any device should be capable of resisting. Software listening on TCP/UDP ports may be exploited by intruders. Taking preventative action against known vulnerabilities avoids the unpleasant and time-consuming consequences of a security break-in.

What are the side-effects of a scan?

Care is taken to run security scans in the smoothest possible way. However, unforeseen side-effects on network services cannot be excluded. Some examples are:

  • network services which log connection attempts will have entries in their logs;
  • X display forwarders such as SSH may report connection attempts;
  • under certain rare circumstances, special devices such as Programmable Logic Controllers (PLCs) might fail due to a lack of robustness.

Sensitive devices can be excluded from scanning by informing the Security Team.

What can system administrators do?

System administrators are requested to check that correct data is registered for their systems at the Network Connection Request Form. To securely configure your systems we advise you to:

  • disable non-essential network processes;
  • secure active network services, and
  • proactively install security patches.

Also follow the good practices listed here.
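One way for an administrator to check the first recommendation before the network scan does, as an added example that is not part of this page or of the Security Team's tooling: parse the output of the Linux `ss -tulnp` command, skip loopback-only services (which an external scanner cannot reach), and flag any listener whose protocol/port pair is not on a hypothetical per-host allowlist. The sample `ss` output and the allowlist are constructed for illustration.

```python
import re
import subprocess
from typing import NamedTuple

class Listener(NamedTuple):
    proto: str    # "tcp" or "udp"
    addr: str     # local bind address as printed by ss
    port: int
    process: str  # process name if ss shows it, else "?"

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=611,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:443              *:*               users:(("httpd",pid=940,fd=4))
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*         users:(("master",pid=1001,fd=13))
tcp   LISTEN 0      50     [::]:5900          [::]:*            users:(("Xvnc",pid=1203,fd=9))
"""

# Hypothetical allowlist for this host: (proto, port) pairs considered essential.
ALLOWED = {("tcp", 22), ("tcp", 443)}
PROC_RE = re.compile(r'\("([^"]+)"')   # first process name inside users:((...))

def parse_ss(output: str) -> list[Listener]:
    listeners = []
    for line in output.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # copes with *:443 and [::]:5900
        m = PROC_RE.search(line)
        listeners.append(Listener(proto, addr, int(port), m.group(1) if m else "?"))
    return listeners

def exposed_unapproved(listeners, allowed=ALLOWED):
    """Listeners reachable from the network and not on the allowlist."""
    loopback = {"127.0.0.1", "[::1]", "::1"}
    return [l for l in listeners
            if l.addr not in loopback and (l.proto, l.port) not in allowed]

if __name__ == "__main__":
    try:    # audit the live host when ss exists, otherwise use the sample
        out = subprocess.run(["ss", "-tulnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT
    for l in exposed_unapproved(parse_ss(out)):
        print(f"review: {l.proto}/{l.port} on {l.addr} ({l.process})")
```

On the sample data the script flags rpcbind on udp/111 and Xvnc on tcp/5900; the loopback-only mail listener on tcp/25 is skipped because a network scan cannot reach it.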