On [Day 25](day25.md) we learned that vulnerability scanning is the process of scanning a network or system to identify any existing security vulnerabilities.
We also learned that Network Vulnerability Scanning is a subset of Systems Vulnerability Scanning, e.g. we are only scanning the network part of our system.
Today we are going to dive deeper into what Network Vulnerability Scanning is and how we can do it.
## Network Vulnerability Scanning
**Network vulnerability scanning** is the process of identifying weaknesses on a network that is a potential target for exploitation by threat actors.
Once upon a time, before the cloud, network security was easy (sort of, good security is never easy).
You build a huge firewall around your data center, allow traffic only to the proper entrypoints and assume that everything that managed to get inside is legitimate.
This approach has one huge flaw - if an attacker managed to get through the wall, there are no more lines of defence to stop them.
Nowadays, such an approach would work even less.
With the cloud and microservices architecture, the actors in a network has grown exponentially.
This requires us to change our mindset and adopt new processes and tools in building secure systems.
One such process is **Network Vulnerability Scanning**.
The tool that does that is called **Network Vulnerability Scanner**.
## How does network vulnerability scanning work?
Vulnerability scanning software relies on a database of known vulnerabilities and automated tests for them.
A scanner would scan a wide range of devices and hosts on your networks, identifying the device type and operating system, and probing for relevant vulnerabilities.
A scan may be purely network-based, conducted from the wider internet (external scan) or from inside your local intranet (internal scan).
It may be a deep inspection that is possible when the scanner has been provided with credentials to authenticate itself as a legitimate user of the host or device.
## Vulnerability management
After a scan has been performed and has found vulnerabilities, the next step is to address them.
This is the vulnerability management phase.
A vulnerability could be marked as false positive, e.g. the scanner reported something that is not true.
It could be acknowledged and then assessed by the security team.
Many vulnerabilities can be addressed by patching, but not all.
A cost/benefit analysis should be part of the process because not all vulnerabilities are security risks in every environment, and there may be business reasons why you can’t install a given patch.
It would be useful if the scanner reports alternative means to remediate the vulnerability (e.g., disabling a service or blocking a port via firewall).
## Caveats
Similar to container image vulnerability scanning, network vulnerability scanning tests your system for _known_ vulnerabilities.
So it will not find anything that is not already reporter.
Also, it will not protect you from something like exposing your admin panel to the internet and using the default password.
(Although I would assume that some network scanner are smart enough to test for well-known endpoints that should not be exposed).
At the end of the day, it's up to you to know your system, and to know the way to test it, and protect it.
Tools only go so far.
## Network Scanners
Here is a list of network scanners that can be used for that purpose.
**NOTE:** The tools on this list are not free and open-source, but most of them have free trials, which you can use to evaluate them.
