Network Scanning Policy

1.0 Network Scan Types and Scope
This network scanning policy defines network scan types, identifies reasons for scanning, identifies times when network scanning is allowed, who should approve network scanning, and specifies who should be notified when network scanning is done.

  1. Network device location scan - This scan may use different means to determine the IP addresses of active devices on the network. Methods:
    1. ARP Scan - An ARP request is broadcast asking which host has IP address x.x.x.x (that is, what its MAC address is). If a response is received, there is an active host at that address. Because ARP is not routed, this method only finds hosts on the scanner's own local network segment.
  2. Internal full port scan - Checks to determine what services are running on each host. This may be done against selected hosts or all hosts including servers and workstations. Methods:
    1. Socket connect scan - Tries to complete a full TCP connection to a port on a host computer. Because the connection completes, the host computer is able to log it.
    2. SYN scan - Sends a SYN packet to the host indicating that it wants to open a connection, but when the host responds the scanner does not finish establishing the connection.
    3. FIN scan - Sends a FIN packet to a host port. If no service is listening on the port, the host responds with a reset (RST). If a service is listening on the port, the packet is ignored.
  3. External full port scan - Checks to determine what services are running on each host. This test is done from outside the firewall and is directed toward any IP addresses owned by the organization being tested. It may use the socket connect scan method, the SYN scan method, or the FIN scan method.
  4. Internal vulnerability scan - Tests the server to see if it is vulnerable to known flaws in the operating system, services, and applications that are running. This test may be directed toward one or more hosts including servers and workstations. This test goes beyond performing a full port scan. It attempts to get information about the operating system and services running on the host, will attempt to determine the versions of the services running on the host, and may even do a penetration test.
  5. External vulnerability scan - Same as the internal vulnerability scan except it is done from outside the organization network and is directed toward any IP addresses owned by the organization being tested.
  6. Internal denial of service scan - This is a scan using packets which are intentionally designed to make a system crash or tie up its resources. The scan is directed against ports, but the data sent is usually malformed in some unusual way.
  7. External denial of service scan - Similar to the internal denial of service scan except it is directed against IP addresses owned by the organization being tested.
  8. Password Cracking - This test may send default passwords and brute force password guessing against accounts on specified systems. This is really not like a network scan but is covered in this policy since it could potentially disrupt service depending on the password policies of the organization.

Many scanning services offer some combination of these scan types. This policy covers all types of network and host scanning.
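The socket connect scan above is the one the target host can log, and external and internal full port scans leave the same trace in firewall or host connection logs. The following is an added example, not part of this policy, showing how a defender can review such logs for scan-like activity and compare it against the written authorization required by this policy. The log line format and the sample lines are constructed for the example; the regular expression would need adapting to a real log source.

```python
"""Flag port-scan behaviour in connection logs (added example, not policy text).

The log format below is constructed for this example. Adapt LINE_RE to the
format produced by your firewall, netflow collector, or host connection logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 probes eleven ports on one host within a few
# seconds, while 10.0.0.7 and 10.0.0.9 produce ordinary traffic.
SAMPLE_LOG = """\
2024-03-02T02:00:01 src=10.0.0.5 dst=10.0.0.20 dport=21 proto=tcp
2024-03-02T02:00:01 src=10.0.0.5 dst=10.0.0.20 dport=22 proto=tcp
2024-03-02T02:00:02 src=10.0.0.5 dst=10.0.0.20 dport=23 proto=tcp
2024-03-02T02:00:02 src=10.0.0.5 dst=10.0.0.20 dport=25 proto=tcp
2024-03-02T02:00:03 src=10.0.0.5 dst=10.0.0.20 dport=80 proto=tcp
2024-03-02T02:00:03 src=10.0.0.5 dst=10.0.0.20 dport=110 proto=tcp
2024-03-02T02:00:04 src=10.0.0.5 dst=10.0.0.20 dport=143 proto=tcp
2024-03-02T02:00:04 src=10.0.0.5 dst=10.0.0.20 dport=443 proto=tcp
2024-03-02T02:00:05 src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp
2024-03-02T02:00:05 src=10.0.0.5 dst=10.0.0.20 dport=3389 proto=tcp
2024-03-02T02:00:06 src=10.0.0.5 dst=10.0.0.20 dport=8080 proto=tcp
2024-03-02T02:01:10 src=10.0.0.7 dst=10.0.0.20 dport=443 proto=tcp
2024-03-02T02:01:11 src=10.0.0.7 dst=10.0.0.20 dport=443 proto=tcp
2024-03-02T02:05:00 src=10.0.0.9 dst=10.0.0.20 dport=22 proto=tcp
2024-03-02T02:05:00 src=10.0.0.9 dst=10.0.0.20 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\S+$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_scans(text, min_ports=10, window=timedelta(seconds=60)):
    """Return {src: sorted distinct dports} for every source that reached at
    least `min_ports` distinct (dst, dport) targets inside any span of `window`.
    """
    events = defaultdict(list)  # src -> [(timestamp, (dst, dport)), ...]
    for ts, src, dst, dport in parse_log(text):
        events[src].append((ts, (dst, dport)))

    flagged = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        # Sliding window: starting at each event, count distinct targets
        # reached before the window closes.
        for i, (start, _) in enumerate(evs):
            in_window = {target for ts, target in evs[i:] if ts - start <= window}
            if len(in_window) >= min_ports:
                flagged[src] = sorted({dport for _, (_, dport) in evs})
                break
    return flagged


def unauthorized_scanners(text, authorized_sources, **kwargs):
    """Scan-like sources that are not on the list of hosts named in the
    written scanning authorization (assumed to be kept as a set of IPs)."""
    return {src: ports for src, ports in detect_scans(text, **kwargs).items()
            if src not in authorized_sources}


if __name__ == "__main__":
    for src, ports in unauthorized_scanners(SAMPLE_LOG, {"10.0.0.99"}).items():
        print(f"{src}: {len(ports)} distinct ports, e.g. {ports[:5]}")
```

The threshold and window are deliberately coarse; tune them to the host's normal traffic so that a load balancer or monitoring system that legitimately touches many ports is not reported. A SYN scan that never completes the handshake will not appear in application-level connection logs, so the same check is more useful against firewall or netflow records that see the initial SYN.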

2.0 Network Scanning Reasons
Network scanning may be performed for several reasons:

  1. To determine whether computer systems are vulnerable to attack and fix them.
  2. To show companies we interact with that our servers are reasonably secure.
  3. To fulfill regulatory requirements.

Network scanning shall not be performed without written permission.

3.0 Network Scanning Disruptions
Network scanning can be very disruptive to both a network and the hosts operating on it. No network scanning shall be allowed without close adherence to this policy and the associated procedures. Network scanning can cause systems to crash and network devices to become unreliable, which can be very disruptive to business operations.

4.0 Authorizers of Network Scanning and Allowable Hours
The head of the IT department shall determine who is authorized to perform network scans. Those who perform network scans must have authorization in writing and a specified time period during which they are permitted to perform network scans. This policy may limit the hours during which scanning may be done so that scanning does not take place during business hours. Specified time periods may provide for the following constraints:

  1. Scanning shall be done between the hours of ___ and ___. This may be to prevent disruptions during business hours.
  2. This permit allows scanning between the dates of Month 1 of Year N and Month 2 of Year X.
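A written authorization with both constraints above can be checked mechanically before a scan job is allowed to start. The following is an added example, not part of this policy: the ScanAuthorization structure and its field names are assumptions for illustration, and the daily-hours check handles the common after-hours case where the window crosses midnight (for example 22:00 to 06:00).

```python
"""Check a proposed scan against its written authorization (added example).

ScanAuthorization and its fields are assumptions for illustration; map them to
however your organization records the written permission from section 4.0.
"""
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass(frozen=True)
class ScanAuthorization:
    """Written permission: who may scan, which scan types, which dates, which hours."""
    operator: str
    scan_types: frozenset   # e.g. frozenset({"internal_port_scan"})
    valid_from: date        # first permitted date (inclusive)
    valid_to: date          # last permitted date (inclusive)
    hours_start: time       # daily window start, e.g. time(22, 0)
    hours_end: time         # daily window end, e.g. time(6, 0); may wrap midnight


def within_hours(t, start, end):
    """True if clock time t falls in [start, end). A window whose end is
    earlier than its start (22:00 to 06:00) wraps around midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def scan_permitted(auth, operator, scan_type, when):
    """Return (allowed, reason) for a scan of `scan_type` by `operator`
    proposed to start at datetime `when`."""
    if operator != auth.operator:
        return False, "operator is not named in the written authorization"
    if scan_type not in auth.scan_types:
        return False, f"scan type {scan_type!r} is not covered by the authorization"
    if not (auth.valid_from <= when.date() <= auth.valid_to):
        return False, "outside the authorized date range"
    if not within_hours(when.time(), auth.hours_start, auth.hours_end):
        return False, "outside the authorized daily hours"
    return True, "permitted"


# Constructed sample authorization: one operator, port scans only, March 2024,
# after-hours window 22:00 to 06:00.
EXAMPLE_AUTH = ScanAuthorization(
    operator="j.doe",
    scan_types=frozenset({"internal_port_scan"}),
    valid_from=date(2024, 3, 1),
    valid_to=date(2024, 3, 31),
    hours_start=time(22, 0),
    hours_end=time(6, 0),
)

if __name__ == "__main__":
    for when in (datetime(2024, 3, 2, 2, 0), datetime(2024, 3, 2, 14, 0)):
        print(when, scan_permitted(EXAMPLE_AUTH, "j.doe", "internal_port_scan", when))
```

The check refuses anything not explicitly granted, so a scan type that is absent from the authorization (such as a denial of service scan, which this policy requires separate sign-off for) is rejected rather than assumed allowed.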

5.0 Scanning Notifications
When scanning is to be done, the following groups of people must be notified on a daily basis:

  1. The IT manager
  2. The manager responsible for system administration of the computer system to be scanned.
  3. The manager of applications running on the computer system to be scanned.
  4. The users of computer systems that will be scanned.

6.0 Scanning Procedure
A scanning procedure shall be created for all computer systems to be scanned. For each server to be scanned a list of people to be notified shall be maintained. For workstations to be scanned, users may be notified using a group email.

7.0 Denial of Service Scan
Denial of service scans shall not be done without sign-off from both the head of IT and the organizational president. This is because denial of service scans are an effort to disrupt service and will most likely disrupt one or more services. They may cause key network devices to fail. The hours during which a denial of service scan may be done shall be strictly limited, and normally only after normal business hours.

8.0 Enforcement
Since network scanning can be disruptive to the operations of the network and the organization, employees who do not adhere to this policy may be subject to disciplinary action up to and including dismissal.