What are your thoughts on scanning a host behind a network FW and also having a host based FW running? Should I only be scanning the service/port that will be opened to the internet or should the scanner be allowed to scan the entire server?
For information on scanning through firewalls, check out this post.
As far as how you should scan, the recommendation is to give QualysGuard as much access as possible. QualysGuard is a vulnerability management tool, not a penetration testing tool. Giving it the access to correctly assess your vulnerability posture is the correct way to use QualysGuard for its intended purpose.
Hope this helps,
I totally agree with your statement. However, the server owner says that since the server only has port X exposed to the internet, that is the only port that they will allow me to scan. My concern with this is that we will not know the true posture of the system. I will only be able to scan for vulnerabilities associated with that port/application. They will say that if the scan comes back clean, they are safe. I disagree with their viewpoint but don't know how to convince them to let me scan the entire system.
The server owner is kind of looking at it from the way things used to be. Back 5-10 years ago, Microsoft -- for example -- had problems with their server-side code. That was the time when the "typical" attacker would send exploits at listening ports on a target and carry on. Typical defense would be to block that listening port.
Within the past few years however, server-side code has been cleaned up dramatically. Attackers have generally moved to the web-application layer and the client-side (e.g., exploiting web browsers, e-mail clients, IM clients, and the like).
Focusing strictly on the perimeter is what is generally referred to as an "eggshell defense". Hard on the outside, but soft on the inside. I'd push the server administrator on that point, as well as the whole "defense in depth" argument; not simply relying on a single layer for protection.