Book Image

Securing Network Infrastructure

By : Sairam Jetty, Sagar Rahalkar
Book Image

Securing Network Infrastructure

By: Sairam Jetty, Sagar Rahalkar

Overview of this book

Digitization drives technology today, which is why it’s so important for organizations to design security mechanisms for their network infrastructures. Analyzing vulnerabilities is one of the best ways to secure your network infrastructure. This Learning Path begins by introducing you to the various concepts of network security assessment, workflows, and architectures. You will learn to employ open source tools to perform both active and passive network scanning and use these results to analyze and design a threat model for network security. With a firm understanding of the basics, you will then explore how to use Nessus and Nmap to scan your network for vulnerabilities and open ports and gain back door entry into a network. As you progress through the chapters, you will gain insights into how to carry out various key scanning tasks, including firewall detection, OS detection, and access management to detect vulnerabilities in your network. By the end of this Learning Path, you will be familiar with the tools you need for network scanning and techniques for vulnerability scanning and network protection. This Learning Path includes content from the following Packt books: •Network Scanning Cookbook by Sairam Jetty •Network Vulnerability Assessment by Sagar Rahalkar
Table of Contents (28 chapters)
Title Page
Copyright and Credits
About Packt

Network Vulnerability Scanning

A vulnerability is a weakness present in a system or device that is exposed to a possibility of being attacked. Network Vulnerability Scanning is a process of looking into identifying and detecting vulnerabilities in the network components such as clients, servers, network devices, and endpoints, using various automated or manual tools and techniques. It can be broadly classified into two types: internal network vulnerability scan and external network vulnerability scan.

The internal and external vulnerability scans share a similar process, but differ in the network placement of the scan appliance or the system. An external vulnerability scan has a scope to identify loopholes with a perspective of the attacker being over the internet and targeting the network through public IP addresses of the network, whereas an internal vulnerability scan operates considering the attacker to be an insider with access to the internal network and targeting the network through private IP addresses. Identifying both internal and external threats is very important for any computer network, to create a real-time picture of how secure the network is, based on the number of vulnerabilities identified.

The vulnerability scans have their own side effects on the networks, such as an increase in network latency caused by the increase in traffic, unresponsive network resources, and rebooting of devices and servers. Thus, all internal network scans within the organization should be performed with the utmost care and proper approvals. In general, there are two types of scanning techniques that can be used, authenticated and unauthenticated. We will see the recipes for these scan types in Chapter 4Vulnerability Scanning, and Chapter 5, Configuration Audit.

Beginners always confuse the Vulnerability Scan with the penetration test. The Vulnerability Scan is a preliminary step to identify the hosts on which you can perform a penetration test. For example, as a part of a vulnerability scan you identify that port 80 is open on a server and is susceptible to Remote Code Execution (RCE) attacks. For a penetration test, this information will be input as you already know that the server is vulnerable to RCE and will try to perform the attack and compromise the server.


Before performing a Network Vulnerability Scan, it is always recommended to inform the stakeholders and obtain downtime if required based on how critical the servers and the data hosted on the servers are. It is a good practice to write an email before beginning the scan and after completion of the scan as this would help the respective teams to check the continuity of the service.

We will have a look at many recipes in further chapters of this course to understand the various best practices to be followed during a Network Vulnerability Scan.

Flow of procedures

The activity of a Network Vulnerability Scan can be divided into three phases:

  • Discovery
  • Port scanning
  • Vulnerability scanning


Discovery, also known as Host Discovery, is a process to enumerate live hosts and is a very important component of the reconnaissance phase of a security testing activity. This will help you to eliminate the unwanted hosts from the list of targets, thus it will allow you to use these enumerated hosts to perform targeted scans and penetration tests.  Some of the tools that can be used to perform Network Discovery are Nmap, Nessus, OpenVas, and Wireshark.

The following screenshot shows a sample host scanned using Nmap for Discovery. It shows that the host is up, thus we can determine the host is live:

These tools come in handy if the ping is disabled across the network. I always prefer using Nmap over other tools because of its ease of use and the Nmap Script Engine (NSE), which allows the user to write and implement custom scripts. We will be discussing NSE in coming chapters.

In this course, we will further introduce you to various recipes on how to perform host discovery manually and using tools.

Port scanning

In this phase, we will perform detection of the ports open for a specific host based on the communication between the host on that port to your machine. This technique helps to determine whether a particular port is open or closed. This technique differs from protocol to protocol. For example, for TCP, the communication and the pattern to conclude a port to be open is different when compared to UDP. Some of the tools that can be used to perform port scanning are Nmap, Nessus, OpenVas, and Wireshark.

The following screenshot shows a sample host scanned using Nmap for port 80. The screenshot shows that the host is up and port 80 with state as open, thus we can determine the host is live. These tools come in handy if the ping is disabled across the network:

In this course, we will further introduce you to various recipes on how to perform port scanning manually and using tools.

Vulnerability scanning

Once the open ports are identified on the discovered live hosts, we can perform vulnerability scanning. A vulnerability scan detects and identifies known issues of the software and tools installed on a host such as older version of software in use, vulnerable protocols enabled, and default passwords. It is difficult to perform this activity manually; hence this phase needs to be performed using automated tools that identify the open ports and try various exploits on the ports to identify whether the particular process/software using the port is vulnerable to the exploit based on the process. Some of the tools used to perform vulnerability scanning are Nessus, OpenVas, and Qualys.

The following screenshot shows a sample host scanned for vulnerabilities using OpenVas. You can see that the output shows the list of vulnerabilities the host is affected:

In this course, we will further introduce you to various recipes on how to scan a host for vulnerabilities using Nessus, and how to customize these scans to obtain specific and fewer false-positive results.