I'd like to know how everyone else is handling this.
Currently, we very routinely do a full scan of our entire internal IP address range. Currently, we do some authenticated scanning, and will do more soon.
Simply stated - if it is on our network, it gets scanned - period.
I've just been told of one system (SAN storage array management port) that doesn't handle vulnerability scans well. This is posted in the product's release notes as a Known Issue ("Controller may reset if the management port is scanned by a network vulnerability scanner") - the recommended workaround is to set the management IP address to non-routable, effectively taking the management interface off-line, which would likely remove the ability to monitor and alert on system status. It is likely that I will be asked to exclude this system from scanning. This would set a precedent for others to be so excluded. It strikes me that such a problem constitutes a DoS vulnerability in the product that should be corrected.
I understand the problem with a system not handling scan activities, but if we don't scan it, we won't know about the vulnerability, and thus cannot make a decision to accept the risk of leaving that vulnerability.
What has been your stance regarding this situation? What has been your response/results for such situations?