I am scanning my services which are all behind a firewall using an external remote sensor, but I’m having problems with the first stage where it identifies which addresses to scan.
- I can’t assume alive because there are too many and it would take more than a month to scan.
- I could allow pings through just for the scanner, but not all machines respond to ping.
- I could use a TCP-SYN, but that doesn’t allow me to ICMP Ping as well.
- The alternatives which include ICMP ping all use TCP-ACK, which is useless against a stateful firewall because it only tests the firewall’s reaction, not the rulebase or the server. It is completely up to the firewall configuration whether it drops these silently or sends a RST, so either way it doesn’t tell you whether there is a host behind it.
There doesn’t seem to be an option for ICMP Ping and TCP-SYN, which to me seems the obvious test. I could clone and modify the scan, then use “scan config default”, but then I won’t get updates to the scan config.
Does anyone have any suggestions for a reasonably reliable way to test that hosts are alive?