Network and Server Scanning Policy

Version: 1.00
Issue Date: 11/24/2014

A Network and Server Scanning Policy is necessary for the smooth and secure operation of an internal network. This Network and Server Scanning Policy is an internal IT policy.

1.0 Overview

This Network and Server Scanning Policy defines the need and frequency for vulnerability scanning and the need for communication between personnel performing vulnerability scans and the administrators or users of systems the scans are being performed against.

2.0 Purpose

This Network and Server Scanning Policy is designed to prevent system downtime due to adverse reactions to network scans while allowing for and requiring a minimum amount of vulnerability scanning to find and fix system security flaws.

3.0 Scope

This Network and Server Scanning Policy applies to the Information Technology Department. It applies to all servers on the organizational network, owned by the organization, or leased by the organization. This Network and Server Scanning Policy covers all types of network and host scanning. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Network Scan Types and Scope

This network scanning policy defines network scan types, identifies reasons for scanning, identifies times when network scanning is allowed, who should approve network scanning, and specifies who should be notified when network scanning is done.

  1. Network device location scan - This scan may use different means to determine IP addresses of active devices on the network. Methods:
    1. ARP Scan - An ARP broadcast is sent for each network IP address, asking for the MAC address of the host with IP address x.x.x.x. If a response is received, there is an active host at that address.
  2. Internal full port scan - Checks to determine what services are running on each host. This may be done against selected hosts or all hosts including servers and workstations. Methods:
    1. Socket connect scan - Tries to complete a socket connection to a port on a host computer. Because the connection is fully established, the host computer is able to log it.
    2. SYN scan - Sends a SYN packet to the host indicating that it wants to open a socket. When the host responds, the scanner does not finish establishing the connection.
    3. FIN scan - Sends a FIN packet to a host port. If no service is running on the port, the host responds with a reset. If a service is running on the port, the FIN is ignored.
  3. External full port scan - Checks to determine what services are running on each host. This test is done from outside the firewall and is directed toward any IP addresses owned by the organization being tested. It may use the socket connect scan method, the SYN scan method, or the FIN scan method.
  4. Internal vulnerability scan - Tests the server to see if it is vulnerable to known flaws in the operating system, services, and applications that are running. This test may be directed toward one or more hosts including servers and workstations. This test goes beyond performing a full port scan: it attempts to get information about the operating system and services running on the host, attempts to determine the version of the services running on the host, and may even include a penetration test.
  5. External vulnerability scan - Same as the internal vulnerability scan except it is done from outside the organization network and is directed toward any IP addresses owned by the organization being tested.
  6. Internal denial of service scan - This is a scan using packets which are intentionally designed to make a system crash or tie up resources. The scan is directed against ports, but the data sent is deliberately malformed in some unusual way.
  7. External denial of service scan - Similar to the internal denial of service scan except it is done from outside the organization network and directed against IP addresses owned by the organization being tested.
  8. Password cracking - This test may send default passwords and brute force password guesses against accounts on specified systems. This is not really a network scan, but it is covered in this policy since it could disrupt service depending on the password policies of the organization (for example, by locking accounts).
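The distinction the policy draws between a socket connect scan, a SYN scan and a FIN scan is visible on the wire, which is how a defender tells which technique was used (and whether the probed host had a chance to log it). The following is an added example, not part of the original policy: it classifies a small constructed packet capture into the device-location and port-scan types listed above, using only the behaviour the policy describes. The `Packet` record, the scanner address, the ARP sweep threshold and the sample traffic are all assumptions made up for the example.

```python
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    """One captured frame, reduced to the fields the classifier needs (assumed layout)."""
    proto: str      # "arp" or "tcp"
    src: str        # sender IP
    dst: str        # receiver IP (for ARP requests: the address being asked about)
    host_port: int  # the port on the probed host, whichever direction the packet travels; 0 for ARP
    flags: str      # TCP flags as letters (S, SA, A, R, RA, F, FA), or "who-has" for ARP requests


# Assumed threshold: one source asking about this many distinct IPs is treated as a sweep.
ARP_SWEEP_MIN_TARGETS = 4


def classify_probe(scanner_flags, host_flags):
    """Name the probing technique from one (host, port) exchange.

    scanner_flags and host_flags are the ordered flag strings each side sent.
    Returns (technique, port_state) following the behaviour stated in section 4.
    """
    host_reset = any("R" in f for f in host_flags)
    if "S" not in scanner_flags and any("F" in f for f in scanner_flags):
        # FIN scan: a bare FIN with no handshake. A closed port answers with a reset;
        # an open port ignores the FIN and stays silent.
        return "fin_scan", ("closed" if host_reset else "open")
    if "S" in scanner_flags:
        if "SA" not in host_flags:
            # SYN sent, no SYN/ACK back: a reset means closed, silence means filtered.
            # Connect and SYN scans look identical at this point.
            return "syn_probe", ("closed" if host_reset else "filtered")
        if "A" in scanner_flags:
            # Handshake completed, so the service on the host can log the connection.
            return "connect_scan", "open"
        # SYN/ACK came back but the scanner tore down with RST instead of completing.
        return "syn_scan", "open"
    return "unknown", "unknown"


def summarize_capture(packets, scanner_ip):
    """Group TCP traffic by (host, port), classify each exchange, and flag ARP sweeps."""
    exchanges = defaultdict(lambda: ([], []))   # (host, port) -> (scanner flags, host flags)
    arp_targets = set()
    for p in packets:
        if p.proto == "arp" and p.src == scanner_ip and p.flags == "who-has":
            arp_targets.add(p.dst)
        elif p.proto == "tcp" and p.src == scanner_ip:
            exchanges[(p.dst, p.host_port)][0].append(p.flags)
        elif p.proto == "tcp" and p.dst == scanner_ip:
            exchanges[(p.src, p.host_port)][1].append(p.flags)
    return {
        "arp_sweep": len(arp_targets) >= ARP_SWEEP_MIN_TARGETS,
        "arp_targets": sorted(arp_targets),
        "tcp": {key: classify_probe(s, h) for key, (s, h) in sorted(exchanges.items())},
    }


SCANNER = "10.0.0.50"  # constructed: the scanning device in the sample capture

# Constructed sample capture covering each technique in section 4.
SAMPLE_CAPTURE = [
    # Network device location scan: one source asking about consecutive addresses
    Packet("arp", SCANNER, "10.0.0.1", 0, "who-has"),
    Packet("arp", SCANNER, "10.0.0.2", 0, "who-has"),
    Packet("arp", SCANNER, "10.0.0.3", 0, "who-has"),
    Packet("arp", SCANNER, "10.0.0.4", 0, "who-has"),
    # Socket connect scan of 10.0.0.10:22 - full handshake, then an orderly FIN
    Packet("tcp", SCANNER, "10.0.0.10", 22, "S"),
    Packet("tcp", "10.0.0.10", SCANNER, 22, "SA"),
    Packet("tcp", SCANNER, "10.0.0.10", 22, "A"),
    Packet("tcp", SCANNER, "10.0.0.10", 22, "FA"),
    # SYN scan of 10.0.0.10:80 - SYN/ACK answered with RST, handshake never completes
    Packet("tcp", SCANNER, "10.0.0.10", 80, "S"),
    Packet("tcp", "10.0.0.10", SCANNER, 80, "SA"),
    Packet("tcp", SCANNER, "10.0.0.10", 80, "R"),
    # SYN to closed port 10.0.0.10:23 - host resets immediately
    Packet("tcp", SCANNER, "10.0.0.10", 23, "S"),
    Packet("tcp", "10.0.0.10", SCANNER, 23, "RA"),
    # FIN scan of 10.0.0.11 - port 443 stays silent (open), port 8080 resets (closed)
    Packet("tcp", SCANNER, "10.0.0.11", 443, "F"),
    Packet("tcp", SCANNER, "10.0.0.11", 8080, "F"),
    Packet("tcp", "10.0.0.11", SCANNER, 8080, "RA"),
]

if __name__ == "__main__":
    for key, value in summarize_capture(SAMPLE_CAPTURE, SCANNER).items():
        print(key, value)
```

The classifier only needs the flag sequence per (host, port), so the same logic can run over firewall or IDS connection logs instead of a packet capture. Note that a bare SYN met by a RST cannot be attributed to either the connect or the SYN method, which is why it is reported as a generic `syn_probe`.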

Many scanning services will offer some combinations of these types of scans. This policy covers all types of network and host scanning.

5.0 Network Scanning Reasons

  • To determine whether computer systems are vulnerable to attack and fix them.
  • To fulfill regulatory requirements.
  • To check for PCI (Payment Card Industry) compliance, or to test in an effort to achieve PCI compliance.

6.0 Scanning Requirements

All networked devices on the organizational network, or that otherwise fall under the scope of this policy, are subject to scanning for the purpose of identifying vulnerabilities on the devices. Server or network scanning shall be done under the following conditions.

  • Authorized personnel - Scanning of servers or networked equipment shall be done only by designated authorized personnel. Server administrators shall be allowed to scan the servers they manage so long as they do so within the limits of this policy and do not perform scans when business processes may be interrupted at critical times.
  • Designated devices - Scanning shall be done from designated devices.
  • Approved tools - Scanning shall be done using designated and approved scanning tools.
  • Designated times - Scanning shall be done during designated times for designated servers. The person(s) performing the scan shall keep an updated list of servers and allowed scan times. The server administrators or their manager shall notify the manager of the scanning personnel which scan times are acceptable. The contact name for each server administrator shall also be made available to the scanning personnel.
  • Notification - The scanning personnel shall notify the contact person(s) on their server contact list by email or telephone at least one hour before beginning a scan. If a primary or secondary contact is not available, the scan may proceed. The administrator of the server may inform any customers or users about the scan if required by the customer.
  • Denial of service scan - A denial of service scan shall not be done without signoff from both the head of IT and the organizational president. This is because denial of service scans are an effort to disrupt service and will most likely disrupt one or more services; they may also cause key network devices to fail. The hours during which a denial of service scan may be done shall be strictly limited and normally fall outside normal business hours.
  • Scan blocking - Scans from the approved scanning devices are not allowed to be blocked without the written permission of the Chief Security Officer.
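The conditions above are the kind of rules a scanning team can enforce mechanically before a scan is launched, so that an out-of-window or unannounced scan is refused rather than discovered afterwards. The following is an added example and not part of the original policy: a pre-scan gate that checks a scan request against the authorized-personnel, designated-device, approved-tool, designated-time, notification and denial-of-service signoff conditions. The `POLICY` table, the `ScanRequest` fields, and every name, hostname and time in it are constructed placeholders standing in for the lists this section says must be kept.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional

# Constructed stand-in for the lists section 6 requires: authorized scanners, each
# server's administrators, designated scanning devices, approved tools and the
# allowed scan windows agreed with each server's administrator. None of it is real.
POLICY = {
    "authorized_personnel": {"alice"},
    "server_admins": {"web01": {"carol"}, "db01": {"dave"}},
    "designated_devices": {"scanner01.corp.example"},
    "approved_tools": {"approved-vuln-scanner"},
    # (start, end) local clock times; a window may cross midnight
    "allowed_windows": {
        "web01": [(time(22, 0), time(4, 0))],
        "db01": [(time(1, 0), time(3, 0))],
    },
    "dos_signoffs_required": {"head_of_it", "president"},
}


@dataclass
class ScanRequest:
    """A proposed scan, as the scanning personnel would record it (assumed fields)."""
    requester: str
    source_device: str
    tool: str
    scan_type: str                     # "port", "vulnerability" or "dos"
    target_server: str
    start: datetime
    notified_at: Optional[datetime] = None   # when the server contact was notified
    signoffs: set = field(default_factory=set)


def in_window(t, start, end):
    """True if clock time t falls inside [start, end), including windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_scan_request(req, policy):
    """Return the section 6 conditions the request fails; an empty list means it may proceed."""
    violations = []
    # Authorized personnel: designated scanners, or the administrator of that server.
    is_admin = req.requester in policy["server_admins"].get(req.target_server, set())
    if req.requester not in policy["authorized_personnel"] and not is_admin:
        violations.append("requester is neither authorized scanning personnel nor the server's administrator")
    if req.source_device not in policy["designated_devices"]:
        violations.append("scan is not launched from a designated scanning device")
    if req.tool not in policy["approved_tools"]:
        violations.append("scanning tool is not on the approved list")
    windows = policy["allowed_windows"].get(req.target_server, [])
    if not any(in_window(req.start.time(), s, e) for s, e in windows):
        violations.append("start time is outside the server's designated scan window")
    # Notification must be attempted at least one hour before the scan begins.
    if req.notified_at is None or req.start - req.notified_at < timedelta(hours=1):
        violations.append("server contact was not notified at least one hour before the scan")
    if req.scan_type == "dos" and not policy["dos_signoffs_required"] <= req.signoffs:
        violations.append("denial of service scan lacks signoff from both the head of IT and the president")
    return violations


# Constructed requests: one that satisfies every condition, one that fails most of them.
OK_REQUEST = ScanRequest(
    requester="alice", source_device="scanner01.corp.example", tool="approved-vuln-scanner",
    scan_type="vulnerability", target_server="web01",
    start=datetime(2014, 12, 1, 23, 30), notified_at=datetime(2014, 12, 1, 21, 0),
)
BAD_REQUEST = ScanRequest(
    requester="eve", source_device="laptop-eve", tool="approved-vuln-scanner",
    scan_type="dos", target_server="db01",
    start=datetime(2014, 12, 1, 14, 0), notified_at=datetime(2014, 12, 1, 13, 30),
)

if __name__ == "__main__":
    for name, req in (("ok", OK_REQUEST), ("bad", BAD_REQUEST)):
        print(name, check_scan_request(req, POLICY) or "may proceed")
```

Returning every failed condition rather than stopping at the first gives the requester a complete list to fix, and the same function can be re-run against the scanner's own logs afterwards to audit that scans actually stayed within the agreed windows.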

7.0 Scanning Schedule

Server or device scanning shall be done on the following schedule and occasions:

  • Monthly - Scans shall be performed monthly to check for vulnerabilities.
  • Hardening - Scans shall be performed as part of the server hardening process.
  • Firewall rules - Scans shall be performed as part of the firewall rule approval process to protect servers that expose services to the internet from being vulnerable to intrusion.
  • External requirements - Scans shall be performed to check for Payment Card Industry (PCI) compliance or other external regulatory requirements.

8.0 Scan Results

The scan results shall be sent to the server or device administrator. The administrator must do one of the following within one month:

  • Remediate all vulnerabilities by patching or making configuration changes.
  • Show the vulnerability was a false positive by providing sufficient documentation according to the false positive process.
  • Show a business justification for continuing to operate with the vulnerability.
  • Create a plan for remediation and submit it to the Security Officer.

9.0 Enforcement

Since vulnerability scanning and communication about network scanning are important to the security and stability of the network and associated systems, employees who do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

10.0 Additional Requirements

  • Keep a list of servers, scan times, and administrator contacts for each server.
  • Monthly scanning, notification, and remediation process - A scanning procedure shall be created for all computer systems to be scanned. For each server to be scanned, a list of people to be notified shall be maintained. For workstations to be scanned, users may be notified using a group email. The process for performing monthly scans, notifying administrators of the results, and the expected remediation steps must be defined in detail, including how false positives are documented and what is expected of administrators.
  • Server hardening process - The step-by-step process for building a server, installing applications and services, shutting off unneeded services, patching the server with the latest patches for both the operating system and all applications, and performing a vulnerability scan to find any remaining vulnerabilities must be defined.
  • Firewall rule process - The process for getting firewall rules changed, who performs scans, how soon scans are expected to be done, and who provides approvals under what conditions must be defined.
  • False positive process - A process for reporting false positives from scans must be defined outlining what is required to show a vulnerability to be a false positive. For example, screen shots or outputs from programs along with additional documentation may be required to show specific services are running.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________