Value-added resellers (VARs) and consultants can use Nmap to test their customers' firewall configuration and settings. This tip provides best practices for confirming that firewall rules are operating correctly and then acting on the scan results.
With many organizations having remote or virtual offices, it is essential to carry out regular audits of the devices connecting to the network, both for security and licensing purposes. The following scan will produce a categorized inventory of client and server devices, as well as routers, switches and printers:
nmap -vv -sS -O -n www.yourorg.com/24 -oA inventory
The SYN scan (-sS) combined with OS fingerprinting (-O) uses very few packets while still gathering the required information. If you are auditing a remote office over a slow link, you can add a timing policy, such as -T 2, to slow down the scan and use less bandwidth and fewer resources on the target machines.
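The -oA inventory option writes inventory.nmap, inventory.gnmap and inventory.xml. The Python below is an added example, not part of the original tip: it groups the live hosts in the XML file by the device type Nmap's OS fingerprinting reported and lists their open ports. The function name categorize and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of Nmap's XML output (not real scan data).
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="23"><state state="open"/></port></ports>
 <os><osmatch name="Cisco IOS 12.X" accuracy="97">
  <osclass type="router" vendor="Cisco" osfamily="IOS" accuracy="97"/></osmatch></os></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port>
  <port protocol="tcp" portid="80"><state state="closed"/></port></ports>
 <os><osclass type="general purpose" vendor="Microsoft" osfamily="Windows" accuracy="90"/>
  <osclass type="printer" vendor="HP" osfamily="embedded" accuracy="85"/></os></host>
<host><status state="up"/><address addr="192.0.2.30" addrtype="ipv4"/>
 <ports/><os/></host>
<host><status state="down"/><address addr="192.0.2.40" addrtype="ipv4"/></host>
</nmaprun>"""

def categorize(xml_text):
    """Group live hosts by the device type of their most accurate OS class."""
    inventory = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not respond
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ip = addr.get("addr") if addr is not None else "?"
        # osclass sits directly under <os> in older output, under <osmatch> in newer.
        classes = list(host.iter("osclass"))
        best = max(classes, key=lambda c: int(c.get("accuracy", "0")), default=None)
        device_type = best.get("type", "unknown") if best is not None else "unknown"
        open_ports = sorted(int(p.get("portid")) for p in host.iter("port")
                            if p.find("state") is not None
                            and p.find("state").get("state") == "open")
        inventory[device_type].append((ip, open_ports))
    return dict(inventory)

if __name__ == "__main__":
    # For a real scan: categorize(open("inventory.xml").read())
    for device_type, hosts in sorted(categorize(SAMPLE_XML).items()):
        print(device_type)
        for ip, ports in hosts:
            print(f"  {ip}  open ports: {ports or '-'}")
```

Hosts that land under "unknown" are those Nmap could not fingerprint and are worth checking by hand during the audit.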
Finally, while you're running an Nmap scan, you can change certain options or request status messages without having to abort and restart the scan. For example, typing V will increase the verbosity of the output, while most keys will give you a status update showing hosts completed and estimated time remaining.
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity.com's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
This tip originally appeared on SearchSecurity.com.
This was first published in December 2006