Nessus scanning too many hosts...

Hi all,

I have a client, call him Digby Widgetts. Digby Widgetts has a Widgett factory in Bolivia and when the Nessus Security Center (the latest version with all scanners up to date) in San Francisco does a vulnerability scan it discovers say 6000 IPs, which is way more than physically exists in Bolivia, and it exceeds the licensing of Security Center so all the scans get blocked. The team in San Francisco needs to find out why so many more IPs are being scanned than really exist as physical devices. One theory is that many of the devices have multiple IP addresses assigned to them so are actually being scanned twice or more. The staff in Bolivia has neither the staff, time nor inclination to inventory all the hosts in their data center and desktops for IP addresses and San Francisco does not have visibility into Bolivia except through Nessus Security Center. Most of the devices are Windows desktops (say Win7), Windows Servers (2k 2008, 2012 etc., mostly as VMs) and ESX servers. Only a handful of Linux devices and network gear, so they won't contribute much to the total.

Does anyone know of a plugin or strategy for Nessus I can use to determine the actual devices and what IPs they listen to so I can set the scanner to only scan one IP per device?

Thanks in advance.
Asked by: tomarseneault (TAC-CX Engineer)

But you can select which hosts to check?
btan (Exec Consultant) commented:
Understand that a normal setup will involve setting up one or more scan ranges with the IP ranges you intend to scan,
e.g.  scan ranges - at least one Nessus scanner assigned,
e.g. at least one repository set up - IP ranges set up
May slip for some when first time or re-using past setup both a/m configurations in SecurityCenter IP ranges. In short, assume "Repository IP Range" is, then scanning a single IP, say, will fail. But too wide a range can be a costly scheme. And if you are looking to represent ranges by names (asset tags), then you may consider looking at SecurityCenter's asset lists. I think leveraging asset lists would be more appropriate as a form of reporting and logical allocation mapping. A common use case of asset lists is to represent a VLAN range by its zone or asset group location, e.g. lab, DMZ, Office, etc.

Let's say you are going for a big network scan: you really need to divide and conquer, otherwise it is inundating.
With such a large IP address space, it is highly recommended that you leverage multiple Nessus scanners to perform the work. Dividing the targets up evenly between each scanner increases the efficiency of the assessment and allows you to look for more open ports and vulnerabilities.

There are two general ways to utilize Nessus to leverage the methodology as described above.

First, you can create a single scan policy that performs all of the required functions including discovery, scanning a handful of ports and using specific plugins. Such a policy would be convenient and easy to manipulate should a repeat scan be required.

The second option is to create one policy for each phase of the methodology. This involves separate policies for host discovery, port scanning and vulnerability checks. Using one policy at a time to refine the target list allows for efficient scans and the ability to make adjustments to the next policy based on previous results.
tomarseneault (TAC-CX Engineer, author) commented:
gheist: Yes I can. We have control over the scanner.
btan: Not the issue at all.

Let me clarify a little. Let's define "host" as a physical device and "IP" as an IP address. We bought a large enough license to cover all the physical hosts but there are way more used IPs than there are hosts, so when we scan we are exceeding our license. Breaking the scan into pieces (which we have already done) may make the scan process more efficient but does not address the underlying fact that we are exceeding our license (one IP = one license slot). I need to figure out which hosts are being assigned multiple IP addresses (for example either a Mgmt net or a Backup net as well as the production net would make the host take up two license slots when I only need to scan it once).

Note: we have multiple sites having this issue, more IPs than Hosts, but if we can solve Bolivia then we can apply the fix to the other sites.


Nessus licence understands host as an IP that responds to ping.
btan (Exec Consultant) commented:
Noted. I understand that in the past there is plugin 43815 - NetBIOS Multiple IP Address Enumeration that provides all the IPs that are on the Windows target, e.g. sending a special NetBIOS query, Nessus was able to detect the use of multiple IP addresses on the remote host. This indicates the host may be running virtualization software, a VPN client, or has multiple network interfaces. There is some similar case as you in though not as conclusive in the investigation but has some hints
1. We seem to be using licenses for IPs where we don't have an actual host (possibly a switch/networking device returning a plugin result that counts towards the license for an IP that actually has no workstation/server attached). I am working on mitigating against this by removing some of the plugins that seem to cause a license to be used on these empty IPs. I can seem to drop down a couple % when I run a new scan, but nothing drastic has changed.

Likewise I am thinking of re-scanning to see whether there is some difference after a few runs.
If we have PVS and Nessus results in the same SecurityCenter repository it is possible to further refine the process so Nessus scans new hosts on an hourly basis. We are going to use a target list of new hosts detected by PVS for the last 24 hours but ensure when a host on the list is scanned by Nessus and returns results it is removed from the list so it won’t be scanned again.

We now need to configure a scan template that will use the dynamic asset list for its scan targets. How you configure a scan policy to be used by the scan template is down to your needs and requirements but initially you might consider building a SecurityCenter Discovery Scan which uses Nessus plugins that don’t count towards your SecurityCenter licensed IP count
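One way to act on the plugin 43815 suggestion above, as an added example that is not part of the original thread: group the IPs in an exported results CSV into devices and keep one scan target per device. The column names (`Plugin ID`, `Host`, `Plugin Output`), the output wording and every address below are constructed assumptions.

```python
import csv, io, ipaddress, re
from collections import defaultdict
MULTI_IP_PLUGIN = "43815"  # NetBIOS Multiple IP Address Enumeration (from the thread)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample; column names, output wording and IPv4-only Host values are assumptions.
SAMPLE_CSV = '''Plugin ID,Host,Plugin Output
43815,10.20.1.15,"Addresses in use :
  - 10.20.1.15
  - 172.16.5.15
  - 127.0.0.1"
19506,172.16.5.15,"(constructed) scan information"
43815,10.20.1.22,"Addresses in use : 10.20.1.22, 10.99.0.22"
19506,10.20.1.40,"(constructed) scan information"
'''

def usable(ip):
    """Drop malformed, loopback and link-local addresses: they identify no device."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_link_local)

def group_devices(csv_text):
    """Union-find over IPs: a scanned host and every IP it reports are one device."""
    parent, scanned = {}, set()
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["Host"].strip()
        scanned.add(host)
        find(host)
        if row["Plugin ID"].strip() == MULTI_IP_PLUGIN:
            for ip in filter(usable, IPV4.findall(row["Plugin Output"])):
                parent[find(ip)] = find(host)
    groups = defaultdict(list)
    for ip in parent:
        groups[find(ip)].append(ip)
    return [sorted(g, key=ipaddress.ip_address) for g in groups.values()], scanned

def one_target_per_device(csv_text):
    """Keep the lowest IP per device that the scanner actually reached."""
    groups, scanned = group_devices(csv_text)
    picks = [next(ip for ip in g if ip in scanned) for g in groups]
    return sorted(picks, key=ipaddress.ip_address)
```

In the sample, four scanned IPs collapse to three devices. An address that many machines share, such as one on a virtualization adapter, would merge unrelated devices, so review unusually large groups before trimming the target list.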

tomarseneault (TAC-CX Engineer, author) commented:
Got me the information I needed but not the answer I was looking for, not as many hosts with multiple IPs as I hoped. Still too many IPs but at least now I know what it's not.
