Ruslan Rakhmetov, Security Vision
1. Introduction
2. What is network scanning?
3. Types of network scanning
4. Advantages and limitations of network scanning
5. Conclusion
1. Introduction
Imagine that your company's computer network is a large and complex building: a modern office, a medieval castle, or an impregnable fortress. Your most valuable assets are stored inside this building: financial data, customer information, trade secrets, and the business processes themselves that bring you profit. Naturally, all of this needs to be protected, so cybersecurity specialists are hired, SOC (Security Operations Center) response centers are created, and two processes are introduced into the work itself, which we discuss in more detail in this review: network scanning and vulnerability scanning.
Before you defend anything, you need to understand what exactly you are defending, so at the very beginning two key processes come on the scene. They are often perceived as synonyms, but they perform completely different tasks:
1) Network scanning, like an initial walk-around by the guard to make a detailed map or plan of your fortress, answers basic questions:
- How many rooms are there in the building?
- Where are all the doors, windows and service hatches located?
- Which ones are open and which ones are locked?
This process is dedicated to taking inventory and discovering everything that is on your network.
2) Vulnerability scanning is a deeper stage of verification, in which the guard approaches each door and each window and carefully examines the locks:
- Are they old and rusty?
- Does this lock model have a known weakness that lets it be opened with an ordinary paper clip?
- Can a ladder be put up to the window to get inside?
This is no longer just an inventory, but a targeted search for specific, well-known flaws in the protection system.
2. What is network scanning?
To protect a building, you first need to understand its structure. Scanning is exactly the process that allows you to create a detailed "floor plan" of your digital infrastructure: an asset map or, better still, a model of resources and services, as is done by the asset and inventory management module and the Security Vision vulnerability scanner. Network scanning is the process of collecting data about network devices and their logical or physical organization, while vulnerability scanning is a procedure for searching applications, systems, devices, or networks for potential security issues. You need a map first; only then can you check the locks. Like a real security guard, a network scanner has different methods of operation, and the choice depends on the purpose, the security level and the information available, which we will now discuss.
3. Types of network scanning
In the world of information technology, any resource that has value to an organization is called an IT asset. It can be anything: a server with a database, an accountant's computer, a network printer, an IP phone, or even a smart thermostat in the meeting room. As part of the inventory, these assets receive a unique number, which in computer network terminology is an IP address (Internet Protocol address). The process of network scanning can be compared to how a guard methodically goes around the entire fortress and makes a complete list of all room numbers (IP addresses) in order to understand which of them are in use and which are empty. A room is useless if it cannot be entered or exited, and in networks these entry and exit points are called ports, which are used by various services, for example:
- Port 80 (and 443 for secure connections), the main, front entrance to the room through which visitors enter (for example, to view a website);
- Port 25, the mail slot in the door through which letters are delivered (for sending e-mail);
- Port 21, a cargo hatch in the backyard through which goods are received and shipped (for example, for file transfer via the FTP protocol).
Port scanning is a process in which the security guard (the scanner) walks all the corridors and checks every room for all possible doors (ports from 1 to 65535). It records the status of each "door", which can be open (there is someone behind the door: the service is active and ready to accept a connection), closed (the door is there but locked from the inside: the service is inactive and the connection will be rejected), or filtered (there is an additional barrier in front of the door, for example a firewall). This process allows you to create a map not only of rooms but also of all potential entrances and exits, which is the basis for further security analysis. This is just one step of the information security process; it is linked with hardening (see the SV SPC module) and vulnerability detection (see the SV VS module), alongside simple network monitoring. Let us therefore look at the various types of scanning.
Active scanning is a security guard who physically walks every floor, knocks on every door, pulls window handles and checks locks (in IT terms, performs port scans and ping requests, see https://blog.skillfactory.ru/glossary/ping/). This is the most reliable way to make an exhaustive map and find absolutely every potential entrance, but the method has drawbacks: it creates a lot of noise (network traffic), it is easy to notice, and it can be destructive (imagine that one of the rooms holds sensitive medical equipment, an MRI or X-ray machine, and aggressively "pulling on the handle" can cause it to malfunction or distract the operator during a procedure). Intensive scanning can disrupt the operation of fragile industrial or outdated systems, so when developing the vulnerability scanner module we built several levels of scan aggressiveness into it.
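The three door states described above, open, closed and filtered, as an added example that is not part of the original article or of the Security Vision product: a minimal TCP connect probe that classifies a port by how the "knock" is answered. The demo listener on 127.0.0.1 is constructed here so the example runs offline against your own machine only.

```python
import socket
from contextlib import closing


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """One 'knock on the door': a single TCP connect attempt to host:port."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"        # someone answered: a service accepted the connection
        except ConnectionRefusedError:
            return "closed"      # the door exists but is locked: the host actively refused
        except OSError:
            return "filtered"    # no usable answer (timeout etc.): a barrier sits in front of the door


def scan_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """Walk the corridor: probe each port and record its state on the 'floor plan'."""
    return {port: probe_port(host, port, timeout) for port in ports}


def _free_port() -> int:
    """Ask the OS for an unused local port, then release it (it becomes a 'closed door')."""
    with closing(socket.socket()) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Constructed setup: one listening socket plays the role of an active service."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)                      # kernel completes handshakes even without accept()
    open_port = listener.getsockname()[1]
    closed_port = _free_port()
    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    for port, state in demo()["results"].items():
        print(f"127.0.0.1:{port} -> {state}")
```

A firewall that silently drops the SYN produces the timeout branch, which is why the "filtered" verdict means "no answer", not "no service".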
Passive scanning is a different security guard, one who sits in a room with the monitors from the surveillance cameras. He does not interact with objects directly but only observes the existing traffic: he watches which doors are in use, who enters and exits through them, and notices any unusual activity. This method is absolutely safe and does not interfere with work, and it is ideal for detecting new, unauthorized devices as soon as they appear on the network ("shadow IT"). But it also has a weak spot, a "blind spot": the guard will not see a door that nobody ever uses, so a forgotten but vulnerable server will remain unnoticed.
An unauthenticated scan is when a security consultant is hired to check the fortress and asked to evaluate the perimeter protection: he walks around the building, inspects the walls, checks all public doors, windows and gates, and records everything that a random passer-by, or an intruder without any access inside, can see and try to use. This is the hacker's view of your system.
Authenticated scanning is when the same consultant is given a set of office keys (credentials, in technical terms), so he can go inside and check the locks on the doors of offices, server rooms and file cabinets. This approach gives a much deeper and more accurate picture of internal security and finds vulnerabilities that are completely invisible from the outside.
The "black box" tester works like a tourist at your castle: he has no map, no keys, and no idea of the building's layout, so he must figure everything out from scratch, acting exactly like a real external attacker. This is the most realistic simulation of an external attack, but it can take a long time, and some internal vulnerabilities may be overlooked.
The "white box" tester works like the building's chief architect, who has all the drawings, wiring diagrams, material specifications, and master keys to every door. He can perform the most comprehensive check because he has complete information about the system, so the method provides the maximum depth of analysis, but it is the least realistic as a simulation of an attack from outside.
Sometimes the tester is an ordinary employee with a regular pass, working on the "gray box" principle. He has some knowledge (where his department is, how to get to the dining room) and limited access. This test simulates the actions of an attacker who has already overcome the first line of defense (for example, by stealing an employee's credentials) or of an insider, and it combines the realism of the "black box" with the depth of the "white box".
4. Advantages and limitations of network scanning
At first glance, it seems that you must choose one thing: either completeness with risk, or safety with gaps. However, the most mature approach is not a choice but a clever combination: passive scanning can work 24/7 as an "alarm", constantly monitoring activity, and as soon as this alarm detects a new, unknown device, it automatically launches a targeted and more careful active scan of that particular device. Many companies focus on protecting themselves from external threats by building high "fortress walls", and unauthenticated scanning is ideal for verifying the strength of these walls. However, statistics show that the most destructive attacks often occur after an attacker has already entered, for example by stealing an ordinary employee's password.
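The passive "alarm" that hands a newly seen device to a careful active scan, as an added example that is not part of the original article or of any Security Vision module: it watches DHCP-style lease lines (constructed sample below, not real server output), compares each MAC against the asset inventory, and queues one low-aggressiveness scan request per unknown device. The log format, the `KNOWN_ASSETS` set and the `profile` field are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of a DHCP server log (not captured from a real network).
SAMPLE_LOG = """\
DHCPACK on 10.0.1.20 to aa:bb:cc:00:00:01 (fileserver)
DHCPACK on 10.0.1.21 to aa:bb:cc:00:00:02 (printer-2f)
DHCPACK on 10.0.1.77 to de:ad:be:ef:00:99 (unknown-laptop)
DHCPACK on 10.0.1.20 to aa:bb:cc:00:00:01 (fileserver)
"""

# Assumed inventory: the "rooms" the guard already has on the floor plan, keyed by MAC.
KNOWN_ASSETS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?")


@dataclass
class PassiveMonitor:
    """The guard at the camera monitors: observes only, never knocks on doors itself."""
    known: set
    scan_requests: list = field(default_factory=list)   # work handed to the active scanner
    seen: set = field(default_factory=set)              # unknown MACs already reported once

    def observe(self, line: str):
        m = LEASE_RE.search(line)
        if not m:
            return None                                  # not a lease line: nothing to learn
        ip, mac, hostname = m.groups()
        if mac in self.known or mac in self.seen:
            return None                                  # inventoried, or already escalated
        self.seen.add(mac)
        # Targeted, careful profile: only this host, low aggressiveness (see active scanning caveats).
        request = {"ip": ip, "mac": mac, "hostname": hostname, "profile": "careful"}
        self.scan_requests.append(request)
        return request


def run_monitor(log_text: str, known: set) -> list:
    """Feed every line through the monitor and return the queued scan requests."""
    monitor = PassiveMonitor(set(known))
    for line in log_text.splitlines():
        monitor.observe(line)
    return monitor.scan_requests


if __name__ == "__main__":
    for req in run_monitor(SAMPLE_LOG, KNOWN_ASSETS):
        print(f"new device {req['mac']} at {req['ip']} -> queue {req['profile']} scan")
```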
5. Conclusion
We have come a long way: from mapping your digital fortress (network scanning) to a thorough inspection of every lock (port scanning and the various vulnerability scanning methods). The main conclusion from this journey is simple: security is not a one-time project but a continuous cycle of vigilance that combines several technologies. A reliable fortress is one that is constantly patrolled, inspected and kept in good repair, and when resources for this are scarce, you can think about automation.