re: DoS'ing production DB's

From: Geoffrey Shorter (geoffreyshorter@hotmail.com)
Date: Wed Aug 06 2003 - 13:37:12 EDT


Alfred:

I have taken down one of our mission-critical Oracle databases with a Nessus
scan in the middle of a production cycle. Fortunately, it was in a
high-availability environment and failover was smooth.

Using Retina and GFI LANguard NSS, I have never brought down one of our DBs,
but with Nessus I have managed to blow up an Oracle AIX server, a Win2K SQL
Server and a WinNT SQL Server.

And that's just with a scanner. Since Nessus with our current settings does
not blow up anything but DB servers, we do not change the settings so we get
the best results for the majority of our servers. But we do not use Nessus
to scan Production DBs during production cycles any more, nor would we allow
a consultant to do so.

Any scanning / pen-testing of our Production DBs would have to be done
during our very small windows of downtime.

Having seen what I can do with a (relatively) simple scan, I can well
understand why customers would react with horror to the thought of
scanning/testing during production.

geof
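The practice described in this post, restricting scans of production database servers to scheduled downtime windows while letting the rest of the estate be scanned normally, is the kind of rule that is easy to enforce in the scan-scheduling step rather than by memory. The following is an added example, not code from the post or from any of the scanners mentioned; the asset inventory, host names, maintenance windows and scan times are all constructed, and the function names are hypothetical. It partitions a proposed target list into hosts the scan may run against now and production DBs that must wait, and tells the operator when each deferred host's next window opens.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple

# A maintenance window is (weekday, start, end) in local time;
# weekday follows datetime.weekday(): Monday == 0 ... Sunday == 6.
Window = Tuple[int, time, time]


@dataclass
class Asset:
    host: str
    role: str          # e.g. "database", "web"
    tier: str          # "production" or "test"
    maintenance_windows: List[Window] = field(default_factory=list)


def in_window(window: Window, when: datetime) -> bool:
    """True if `when` falls inside the window, including windows that cross midnight."""
    weekday, start, end = window
    t = when.time()
    if start <= end:
        return when.weekday() == weekday and start <= t < end
    # Crosses midnight: the part before `end` belongs to the day after `weekday`.
    if t >= start:
        return when.weekday() == weekday
    return (when.weekday() - 1) % 7 == weekday and t < end


def needs_downtime(asset: Asset) -> bool:
    """Only production database servers are gated to their maintenance windows."""
    return asset.role == "database" and asset.tier == "production"


def partition_targets(assets: List[Asset], when: datetime) -> Tuple[List[str], List[str]]:
    """Split targets into (scan_now, deferred) for a scan starting at `when`."""
    scan_now, deferred = [], []
    for asset in assets:
        if needs_downtime(asset) and not any(in_window(w, when) for w in asset.maintenance_windows):
            deferred.append(asset.host)
        else:
            scan_now.append(asset.host)
    return scan_now, deferred


def next_window_start(asset: Asset, when: datetime) -> Optional[datetime]:
    """Earliest maintenance-window start strictly after `when`, or None if the asset has no windows."""
    candidates = []
    for weekday, start, _end in asset.maintenance_windows:
        # Look ahead eight days so both this week's and next week's occurrence are considered.
        for offset in range(8):
            day = (when + timedelta(days=offset)).date()
            if day.weekday() == weekday:
                candidate = datetime.combine(day, start)
                if candidate > when:
                    candidates.append(candidate)
    return min(candidates) if candidates else None


# Constructed inventory (hypothetical hosts and windows).
INVENTORY = [
    Asset("ora-prod-01", "database", "production", [(6, time(2, 0), time(4, 0))]),      # Sun 02:00-04:00
    Asset("sql-prod-02", "database", "production", [(5, time(23, 0), time(1, 0))]),     # Sat 23:00-Sun 01:00
    Asset("web-prod-01", "web", "production"),
    Asset("sql-test-01", "database", "test"),
]


def plan_scan(assets: List[Asset], when: datetime) -> dict:
    """Produce a scan plan: hosts to scan now and, for deferred hosts, when to retry."""
    scan_now, deferred = partition_targets(assets, when)
    by_host = {a.host: a for a in assets}
    retry = {h: next_window_start(by_host[h], when) for h in deferred}
    return {"scan_now": scan_now, "deferred": deferred, "retry_at": retry}


if __name__ == "__main__":
    # Mid-afternoon on a weekday: both production DBs are held back.
    plan = plan_scan(INVENTORY, datetime(2003, 8, 6, 13, 37))
    print("scan now:", plan["scan_now"])
    for host, at in plan["retry_at"].items():
        print(f"deferred {host}; next window opens {at:%a %Y-%m-%d %H:%M}")
```

The gate keys on role and tier rather than on host name, so a new production database picked up from the inventory is protected by default; a window that crosses midnight is handled explicitly because overnight windows are the common case for this kind of downtime.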




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:38 EDT