 From:  Mike Mentges <mmentges at gstisecurity dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  m0n0wall and Nessus/Network/NMAP Scanning
 Date:  Fri, 20 May 2005 13:36:34 -0400
I am curious to find out if anyone else has had issues when performing 
Nessus or Nmap scans from behind a m0n0wall, if they have seen 
performance drop on their network and bring all traffic to a very slow 

Today I was running Nessus scans through our m0n0wall in the office to 
remote hosts. Suddenly we started having various network issues with 
regards to any network protocol. At work we use RoadRunner Business 
class Simple webpages like google took 10 seconds to refresh, etc. 
It was horrible. The second I stopped the scans everything worked as 
normal. To eliminate messing with work's firewall I decided to take my 
work home and attempt the same scan from home, where I use m0n0wall as 
well. I found the same issues here. Has anyone else had similar issues?

To get around the network issues I was seeing I decided to reconfigure 
my Traffic Shaper to only give a certain amount of bandwidth to my 
Nessus machine. I placed rules putting traffic sourced from my machine 
to the networks I was scanning into the upload/download #3 buckets, 
giving them less bandwidth (I used the default traffic shaper wizard). 
This allowed me to use my standard RoadRunner Cable modem to both do 
scans as well as browse/e-mail/download with no issues.

Like I said, I did not have time to look into whether it was a bandwidth 
issue or if it was something to do with our setup at work, but I do know 
that I have seen Checkpoint FWs lock up and quit passing traffic due to 
the amount of connections that the Nessus scanner throws out. When I 
have some time I will try to set this up in a lab to see if it is the 
sheer # of states that are generated by a Nessus scan or if it truly is 
a bandwidth related issue. For now I will deal with throttling the 
Nessus scanner so I can continue to work. But if anyone has time to test 
this now, feel free to send me a msg and I can give you some details as to 
our current setup; maybe you can mirror it in a lab.


Mike Mentges
Security Engineer/Architect