Security Policy Compliance Testing
An important aspect of network security is controlling and administering which applications and devices are introduced into the organization's infrastructure. The security administrator may decide that certain applications pose a risk to the organization's data, and those particular services would be forbidden from attaching to the network.


For example, an organization may decide that the Apache HTTP Server is appropriate for use on the network, but the Microsoft Internet Information Server is not. Since both of these services use TCP port 80, a simple port scan would not provide enough information to determine if the remote device was compliant with the security policies.

Fortunately, nmap can determine much more information than which ports are open or closed. Nmap's version scan can be invaluable for providing detailed information about the active services on a remote device. Since compliance testing also includes operating system information, this example will include nmap's operating system fingerprinting option.


Security Policy Compliance Testing Details
  • Nmap Ping Type: The nmap ping type will be especially important with this scan type, since an intentionally noncompliant device may have enabled firewall or privacy functions that would hide it from the rest of the network. Nmap's ping options can be combined together to maximize the possibility of finding a device on the network. In this example, the default ACK ping on port 80 (-PA80) and ICMP ping (-PE) will be used, as well as a SYN ping on port 23 (-PS23) for good measure.


  • Nmap Scan Type: For compliance testing that focuses on web services, a TCP SYN scan (-sS) should be sufficient to determine the available ports on a remote device. If the compliance testing is concerned with specific operating systems, the stealth scans (-sF, -sX, -sN, -sM) or the window scan (-sW) may be an applicable alternative.


  • Operating System Fingerprinting: If the security policy includes operating system standardization, the OS fingerprinting option (-O) should be included. If the operating system type isn't important, this option can be ignored. If the network is large and many systems will be scanned, the --osscan_limit option can provide faster and more accurate operating system fingerprints.


  • Version Detection: Once nmap identifies open ports, it can also query each open port to identify the application and version information associated with the port. If both the version detection option and the OS fingerprinting option are required, the nmap additional, advanced, and aggressive option (-A) can be used as a shortcut.


  • Port Ranges: Since many ports will be scanned across many different devices, it may be more applicable to use nmap's fast scan option (-F). If there are certain ports that are important in the compliance check, they should be added to the nmap-services support file (if they aren't in there already). This should also increase the overall speed of the scan, since the number of scanned ports will be limited to those in the nmap-services file.


  • Reverse DNS: If an out-of-compliance device is identified, the name of the device may be important. If the organization's DNS is integrated into the remote station IP addressing conventions, then nmap should always perform a reverse DNS lookup (-R). If the IP addresses and names are not linked, then nmap will be most efficient if it never performs a reverse DNS lookup (-n).


The nmap security policy compliance scan should look something like this (the command is shown on two lines; type it as one):
# nmap -vv -PA80 -PE -PS23 -sS -iL input.lst --excludefile banned.lst
  -A --osscan_limit -F -R -oA policy_check
This sample of the output shows ports, operating systems, and version information:
Interesting ports on 192.168.0.5:
(The 1217 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
5101/tcp open  admdog?
MAC Address: 00:0F:B5:0A:6E:DA (Netgear)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2
The grepable output file can be searched for details, or the entire scan can be viewed in a web browser with the XML file.
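As an added example (not part of the original text), the following Python script reads the grepable output file that -oA writes (policy_check.gnmap) and flags hosts that violate a hypothetical policy of the kind described above: Apache is approved, Microsoft IIS is banned, and Windows XP is not a standard operating system. The grepable lines in SAMPLE_GNMAP, the hostnames and the policy patterns are all constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample of nmap grepable output (the .gnmap file that -oA writes).
# Each port entry is port/state/proto/owner/service/rpc_info/version/ ; nmap
# writes "|" in place of "/" inside version strings, so splitting on "/" is safe.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.168.0.5 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows msrpc/, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/\tIgnored State: closed (1217)\tOS: Microsoft Windows 2003 Server or XP SP2
Host: 192.168.0.10 (www1.example.net)\tPorts: 80/open/tcp//http//Apache httpd 2.0.52/\tOS: Linux 2.6.X
Host: 192.168.0.11 (www2.example.net)\tPorts: 80/open/tcp//http//Microsoft IIS httpd 6.0/, 443/open/tcp//ssl|http//Microsoft IIS httpd 6.0/\tOS: Microsoft Windows 2003 Server
"""

# Hypothetical policy: Apache is approved, IIS is not; Windows XP is not a standard OS.
BANNED_PRODUCTS = [r"Microsoft IIS"]
BANNED_OS = [r"\bXP\b"]

Finding = namedtuple("Finding", "host port service version reason")
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_gnmap(text):
    """Yield (ip, hostname, ports, os_guess) for each Host line that lists ports."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "\tPorts: " not in line:
            continue  # comment lines, and 'Status: Up' lines that carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t")[1:])
        ports = []
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
            ports.append({"port": int(port), "state": state, "proto": proto,
                          "service": service, "version": version.rstrip("/")})
        yield m.group(1), m.group(2), ports, fields.get("OS", "")

def check_compliance(text, banned_products=BANNED_PRODUCTS, banned_os=BANNED_OS):
    """Return one Finding per open port whose version matches a banned product,
    plus one Finding per host whose OS fingerprint matches a banned OS pattern."""
    findings = []
    for ip, name, ports, os_guess in parse_gnmap(text):
        host = name or ip  # -R supplies the name when DNS is kept in sync with addressing
        for p in ports:
            if p["state"] != "open":
                continue
            for pat in banned_products:
                if re.search(pat, p["version"]):
                    findings.append(Finding(host, p["port"], p["service"], p["version"], "banned service: " + pat))
        for pat in banned_os:
            # an ambiguous fingerprint such as "2003 Server or XP SP2" is flagged for follow-up
            if re.search(pat, os_guess):
                findings.append(Finding(host, None, "os", os_guess, "banned OS: " + pat))
    return findings

if __name__ == "__main__":
    for f in check_compliance(SAMPLE_GNMAP):
        print(f"{f.host:20} {str(f.port or '-'):5} {f.reason}: {f.version}")
```

To use it on a real scan, replace SAMPLE_GNMAP with the contents of policy_check.gnmap and adjust the two pattern lists to the organization's policy.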