It depends on what is doing your VPN encryption... Modern VPN appliances have IDS/IDP functionality and firewall policy in addition to encryption capabilities. If your VPN tunnel endpoints have security built in like this, the VPN appliance itself could hinder the accuracy of your scan by doing its job: denying anomalies like port scans or signature-based attacks before it encrypts and sends the data across the VPN tunnel. Most firewall vendors have attached VPN functionality to their firewall platforms: Cisco PIX, Fortinet, Netscreen (Juniper), Secure Computing... they all do VPN on top of their FW feature set.
However, if your VPN is router-based (for example), and there is no security logic applied (ACLs, signature / anomaly-based IDP, etc.), then your scan will be fairly accurate. Assuming your VPN endpoints have no security functionality beyond encryption, you will just want to make sure that you tune your scan to an appropriate level, taking into account the amount of available bandwidth from scanner to scanned hosts. You can't scan hundreds of hosts simultaneously over a 128k circuit and not expect to lose a few important packets!

-----Original Message-----
From: Firewall Administrator [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 11, 2005 2:39 PM
To: [email protected]
Subject: Nessus Scans over a VPN

Greetings!

I would like to know whether members of this list have any thoughts about whether one could run successful Nessus scans over a VPN link. I have read various concerns about running Nessus scans through a firewall, but haven't seen anything about doing it through a VPN. What would the potential problems be? Network latency causing false positives (or false negatives)? Any thoughts from anyone who has tried this?

Thanks in advance,
TJ

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
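The reply's advice to tune scan parallelism and timeouts to the tunnel's bandwidth can be turned into a pre-scan budget check. The following is an added example, not code from either poster or from Nessus; its traffic model (a fixed byte cost per host/port probe, a fixed per-host probe rate, and a 128k circuit scenario) is an assumption, not a measured profile of any scanner.

```python
"""Budget check for a vulnerability scan run across a VPN tunnel (added example).

Assumed model: each (host, port) probe costs `bytes_per_probe` on the wire and
the scanner keeps `parallel_hosts` targets in flight at `probes_per_host_per_s`.
"""
from dataclasses import dataclass

HEADROOM = 0.7  # keep the tunnel under 70% utilisation so probes are not dropped


@dataclass
class ScanPlan:
    link_kbps: float               # usable tunnel bandwidth, kilobits per second
    rtt_ms: float                  # round trip scanner -> target -> scanner
    hosts: int                     # targets on the far side of the tunnel
    ports_per_host: int            # ports probed per target
    bytes_per_probe: int           # request + reply bytes per probe (assumed)
    parallel_hosts: int            # hosts scanned simultaneously
    probes_per_host_per_s: float   # probe rate sent to any one host


def per_host_kbps(plan: ScanPlan) -> float:
    return plan.probes_per_host_per_s * plan.bytes_per_probe * 8 / 1000


def offered_load_kbps(plan: ScanPlan) -> float:
    """Bandwidth the scan pushes into the tunnel at full parallelism."""
    return plan.parallel_hosts * per_host_kbps(plan)


def max_parallel_hosts(plan: ScanPlan) -> int:
    """Largest parallelism that keeps the tunnel under HEADROOM utilisation."""
    return max(1, int(plan.link_kbps * HEADROOM // per_host_kbps(plan)))


def suggested_timeout_ms(plan: ScanPlan, slack: float = 3.0) -> float:
    """RTT inflated by utilisation, times a safety factor. Shorter timeouts
    drop slow replies over a congested tunnel and surface as false negatives."""
    return plan.rtt_ms * slack * (1 + offered_load_kbps(plan) / plan.link_kbps)


def estimated_minutes(plan: ScanPlan) -> float:
    """Wall clock: total probes over the slower of scanner rate and tunnel capacity."""
    capacity = plan.link_kbps * HEADROOM * 1000 / 8 / plan.bytes_per_probe
    scanner = plan.parallel_hosts * plan.probes_per_host_per_s
    return plan.hosts * plan.ports_per_host / min(capacity, scanner) / 60


def assess(plan: ScanPlan) -> dict:
    offered = offered_load_kbps(plan)
    return {"offered_kbps": offered, "fits": offered <= plan.link_kbps * HEADROOM,
            "max_parallel_hosts": max_parallel_hosts(plan),
            "timeout_ms": suggested_timeout_ms(plan), "est_minutes": estimated_minutes(plan)}


if __name__ == "__main__":
    # Constructed scenario: the thread's 128k circuit, 200 hosts, 1000 ports each.
    print(assess(ScanPlan(128, 80, 200, 1000, 120, parallel_hosts=100, probes_per_host_per_s=10)))
```

A plan that does not fit should have its parallelism lowered to `max_parallel_hosts` and its probe timeout raised to at least `timeout_ms` before the scan is launched.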
