I'm setting up a periodic port scan and vulnerability scan for a medium-sized network implementing a customer-facing web application. The hosts run CentOS 5.4.
I've used tools like Nmap and OpenVAS, but our firewall rules have special cases for connections originating from our own facilities and servers, so really the scan should be done from the outside.
Rather than setting up a VPS or EC2 server and configuring it with various tools, it seems like this could just be contracted out to a port and vulnerability scanning service. If they do it professionally they may be more up to date than something I set up and let run for a year...
Any recommendations or experience doing this?
I've automated scanning before, but did not use an outsourced scanning service. On the topic of outsourced security services for scanning, many people I know swear by Rapid7. They also have HD Moore on staff so they certainly know penetration testing and Metasploit.
It is trivial to use Nmap or Nessus scripted, encrypt the output and send it to yourself via email.
You could also regularly assess compliance with a hardened baseline to ensure they are not deviating from it over time, or introducing new risks.
If you are a security guru, I'd keep it in house, but otherwise, I would outsource it.
Keep in mind that to get accurate results from vulnerability scanning & compliance analysis, you'll need to perform authenticated scans from inside the firewall(s).
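The "script the scan and check it against a hardened baseline" idea from the answer above, as an added example that is not from any of the posters: it parses Nmap's XML output (`nmap -oX`) and reports ports that are open but not in the baseline, and baseline ports that are no longer open. The XML fragment and the baseline are constructed for illustration; the host address is a documentation range, not a real target.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like `nmap -oX` output for one hypothetical host
# (203.0.113.10 is a documentation address, not a real target).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="25"><state state="closed"/><service name="smtp"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumed hardened baseline: the only ports a customer-facing web host may expose.
BASELINE = {"203.0.113.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)}}


def open_ports(nmap_xml):
    """Map each scanned IPv4 address to its set of (protocol, port) open ports."""
    result = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        found = set()
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                found.add((port.get("protocol"), int(port.get("portid"))))
        result[addr] = found
    return result


def deviations(scan, baseline):
    """Per host: (ports open but not in baseline, baseline ports not seen open)."""
    report = {}
    for addr in set(scan) | set(baseline):
        seen = scan.get(addr, set())
        wanted = baseline.get(addr, set())
        report[addr] = (sorted(seen - wanted), sorted(wanted - seen))
    return report


if __name__ == "__main__":
    # Runs over the embedded sample; with a real scan, pass the contents of scan.xml.
    for addr, (extra, missing) in deviations(open_ports(SAMPLE_NMAP_XML), BASELINE).items():
        print(addr, "unexpected open:", extra, "missing from host:", missing)
```

Run from cron after each scheduled scan, a non-empty "unexpected open" list (here the exposed MySQL port) is the deviation worth alerting on, while "missing" catches a service that silently stopped.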
It sounds like you're not looking for Web service tests but general network pen testing. I'd say the best bet is to farm it out to guys like Offensive Security of Backtrack fame, and even if you don't contract them to do the work, they could provide your internal team with training for it.
I was lucky enough to take advantage of some of their early training (before they monetized) and they're really good either way.
(Insert blurb about wretched compliance testing here)
Take a look at Nessus ( http://nessus.org/nessus/ ). I've set up and used this in a past job and I think it does exactly what you are asking for. It handles network vulnerabilities either remotely or by setting up an agent on the target host.
Edit: oh, it looks like openvas is a fork of Nessus...
Do you want to secure your internet-facing web applications? Securing a web application is different from securing a host. Web app testing has many tools involved like the ones listed at http://yehg.net/hwd/?id=c&go=101 . At times, there are many services like www.zerodayscan.com
Qualys is one of the best-known companies whose main business is remote vulnerability management.
Try their free tools to see if they fit your needs.
This is a sample report from such free tools: [sample report image] (source: qualys.com)
I've done this a few different ways. The tools you pick are up to you, but it seems like people tend to lean towards nCircle, Rapid7, and/or Qualys for vulnerability and compliance scanning from my experience. Either way, they all vary in price and accuracy. OpenVAS is fine as a starting point.
As for getting a good unbiased scan of your network, you can do something like order cable/DSL for your organization and use that for your scans - or you can go the EC2/Colo route. I maintain colocations on different providers for outside testing.
There is a lot of information that you didn't include. What is your budget? Do you have to report on your compliance to anyone? What compliance are you trying to attain? What is your overall goal for this project?
I can offer up http://www.securitymetrics.com
They provide quite detailed, PCI compliant reports on known vulnerabilities ranging from the network layer to the application layer along with what needs to be done to close the vulnerability.
We use McAfee Secure for our web scans; they provide in-depth scans including PCI compliance. If you are looking for a well known brand with industry approval I would think they are not a bad place to start depending on exactly what you want the scan to do. We have them checking PCI compliance on any of our sites that accept credit card info and scanning all of our IPs for open ports, servers for vulnerabilities, cross-site scripting issues, etc.
I can offer Snort, considered to be a lightweight IDS. By this, it simply represents itself as a small-footprint, flexible IDS that is intended to be deployed within small to medium-sized enterprises. Besides being very simple to set up and maintain, one of Snort's main advantages is that it can be run in one of three modes: