
This video discusses ASV scan interference, inconclusive scans, and alternate methods to complete scans.

Customers may deploy active protection devices which can interfere with an ASV scan of all their in-scope Internet-facing network devices.

Inconclusive scans are reported by the ASV as FAILED scans.

[Time/Topic Index]

00:13 – What is an inconclusive scan?
00:23 – What is scan interference?
01:01 – Definition of scan interference
01:37 – What is an active protection system?
01:47 – Intrusion Prevention System that drops traffic based on previous behavior
02:17 – Web application firewall blocks traffic based on events
02:41 – Firewall blocks detected port scans
02:53 – Next generation firewall blocking IP address ranges
03:25 – Quality of Service device
03:46 – SPAM filter
04:38 – Exception 1: Intrusion Detection System
04:54 – Exception 2: Intrusion Prevention System blocks specific attacks
05:42 – Exception 3: Web application firewall blocks SQL injection attack
05:57 – Exception 4: Firewall always blocks some ports and always allows other ports
06:18 – Exception 5: VPN server only allows authorized access
06:42 – Exception 6: Anti-virus software blocking attacks
07:11 – Exception 7: Logging & monitoring tools
07:37 – How do we resolve inconclusive scans?
08:07 – Why reconfigure systems?
08:34 – No active protection device at customer location?
09:18 – Alternate methods to complete ASV scan
10:05 – Inconclusive scans = FAILED scans
10:17 – Recap issues discussed

[Video Transcript]

Hi I’m Paul Caloca.

Today’s topic is inconclusive ASV scans and scan interference.

So, what is an inconclusive scan? It’s a scan that can’t be completed due to scan interference.

So what is scan interference?

Before we answer that we have to take a look at page 6 of the ASV Program Guide version 2.0, released in May 2013. This is an updated ASV Program Guide and is effective immediately upon release because there were no changes to the ASV scan solutions required. It’s really a policy and procedure update only.

So again, what’s scan interference? I’ll read the definition from the guide:

“refers to interference including, but not limited to, active protection systems blocking, filtering, dropping or modifying network packets in response to scan traffic such that the view of the environment would be changed and the ASV scanning solution would no longer see what an attacker would see”.

It’s a bit of a mouthful, but we’ll explore a little bit further.

So first question is, what’s an active protection system? There’re basically six general categories and I’ll cover each one of them.

The first is an intrusion prevention system that drops non-malicious packets based on previous behavior from an originating IP address. For example, blocking all traffic from the originating IP address of an ASV for a period of time because it detected one or more systems being scanned from the same IP address.

The next example is a web application firewall that blocks all traffic from an IP address based upon the number of events exceeding a defined threshold. For example, more than three requests to a login page per account.

Another example of an active protection system is a firewall that shuns or blocks an IP address upon detection of a port scan from that IP address.

The next example is a next-generation firewall that shuns or blocks IP ranges because an attack was perceived based on previous network traffic patterns. This is important because these sophisticated devices can not only block single IP addresses, they can block multiple IP addresses or IP address ranges, so they’re very intelligent and they can really cause scan interference.

The next item is a quality of service device that limits certain traffic based on traffic volume anomalies. For example, blocking traffic because specific DNS traffic exceeded the defined threshold.

The next category of active protection system is a spam filter that blacklists a sending IP address based on certain previous SMTP commands originating from that address. SMTP is the Simple Mail Transfer Protocol that’s used to send email messages back and forth. Attackers can query an SMTP server by issuing commands to find out what type of server it is, what features it supports and they can use the output of those commands from the server to determine the best way to get their messages through by using that server.

So, as with any rule there are always exceptions. What are the exceptions in this case?

We have an intrusion detection system that logs events; however, it takes no preventive actions and is just limited to alerting. Those types of systems don’t cause interference.

Next, an intrusion prevention system that drops all occurrences of a certain attack but lets non-attack traffic from the same IP address pass. Now this is interesting because the IPS can be configured in such a way that certain attacks it knows about can be blocked but it lets everything else through from the scan vendor. So that legitimately is allowing the IPS to perform its service as well as it does not prevent the ASV scan from completing, according to the ASV Program Guide.

The next type is a web application firewall that detects an SQL injection attack but lets non-attack traffic pass from the same source IP address.

Another exception is a firewall that is configured to always block certain ports but always keep certain ports open. This is the normal operation of a firewall and this is a standard configuration and this does not interfere with the ASV scan.

The next exception is a VPN server that rejects entities, could be either a person or a machine they are using, with invalid credentials, such as an SSL certificate, but permits others with valid credentials to use the service to login.

The next exception is antivirus software that blocks, quarantines, or deletes all known malware based on a database of defined signatures, but permits all other perceived content to pass through. This is normal operation of antivirus software and this normal operation is not considered interference for an ASV scan.

The next exception is logging and monitoring systems and event log aggregators and reporting engines. These are basically passive devices that observe and record traffic that’s happening on the network and they typically perform no other activity than recording activity, logging it, and possibly sending alerts to a network operation center.

So how do we resolve inconclusive scans? The ASV Program Guide states that the scan customer must make temporary configuration changes to remove interference during a scan. This temporary change is only for the duration of the ASV scan, and it only applies to in-scope external facing IP addresses.

So why reconfigure the systems? We want to ensure that an active protection system does not interfere with the ASV scan. ASV scans tend to produce high traffic in a short amount of time and that can trigger the protective behavior in security devices. Those triggers have to be disabled so scans can complete.

What happens if there is no active protection device installed at the customer? The ASV Program Guide states that the scan customer must provide sufficient documentation to the ASV that demonstrates they have not deployed any active protection devices. For example, the scan customer can provide network to network topology diagrams, network device diagrams, circuit drawings, packet filters, packet dumps, or device configuration files as evidence that an active production device is not installed.

If there’s still a problem, the ASV customer and the ASV must work together to agree on some sort of alternate method for completing a scan. One common method is for the customer to set up a VPN tunnel between their site and the ASV so the scan can be completed. Another option available is that many ASVs have hardware devices that can be installed at a customer site in such a network location that will enable scanning of all the devices.

How are these inconclusive scans reported? Scans that cannot be completed due to interference are reported as FAILED scans by the ASV.

To recap, ASV scan interference can be caused by intelligent network devices actively dropping or modifying traffic perceived as attacks. Temporary device reconfiguration is required to allow ASV scans to be completed without interference. If reconfiguration is not possible, the customer and the ASV have to come up with some alternative method. For example, setting up a VPN tunnel between the customer and the ASV or installing an ASV scanning device at the customer location so all the external in-scope components can be scanned.

Inconclusive scans are reported as failed scans.

That wraps up this video, thanks for watching.
