This article explains the reason behind the following scenarios:
- Deep Security Intrusion Prevention rules do not trigger when a third-party vulnerability scanner is run against a protected host.
- Vulnerabilities are still reported by third-party vulnerability scanners even though Deep Security Intrusion Prevention is enabled and the relevant rules are assigned.
A vulnerability scanner is a computer program designed to assess computers, computer systems, networks, or applications for weaknesses. It is the core technology component of vulnerability management.
Many third-party vulnerability scanners (e.g. Nessus, Qualys) assess systems in the least disruptive and non-intrusive way possible, because actively exploiting a vulnerability could crash or destabilize a production target. They therefore identify vulnerabilities by mapping open ports, service banners and product version information to known vulnerabilities, not by sending exploit traffic. For more information, refer to the Qualys forum post "How does vulnerability scanning work?".
Deep Security's Deep Packet Inspection (DPI) engine inspects network traffic for attempts to exploit remotely exploitable vulnerabilities. An Intrusion Prevention rule matches the exploit pattern in a packet or stream, not the mere presence of a vulnerable version. A scanner's version probe or banner grab carries no exploit payload, so no rule is triggered, no Intrusion Prevention event is logged, and the traffic is allowed through. This is expected behaviour and does not mean the rule is ineffective.
For the same reason, a scanner may also report local vulnerabilities (for example, privilege escalation in a locally installed component) that cannot be reached over the network. Intrusion Prevention inspects network traffic only, so it cannot protect against these; they have to be remediated on the host itself.
Penetration testing, which actually attempts to exploit a vulnerability rather than just fingerprint it, is the effective way to demonstrate that Deep Security Intrusion Prevention blocks exploitation attempts; a blocked exploit produces the corresponding Intrusion Prevention event.
Customers may use Deep Security's API to automate a report that correlates the Intrusion Prevention rules assigned to a host (each rule lists the CVE identifiers it covers) with the findings of a third-party vulnerability scanner, so that scanner findings covered by a rule can be distinguished from findings that are not.
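The following Python script is an added example of such a correlation report; it is not Trend Micro's code and is not taken from this article. It assumes the Deep Security Manager REST API layout (`/api/computers/{id}` and `/api/intrusionpreventionrules/{id}`, authenticated with the `api-secret-key` and `api-version` headers, with each rule carrying a `CVE` list and each computer an `intrusionPrevention.ruleIDs` list); verify these against your DSM version. The sample rule and scanner findings are constructed inline so the correlation logic can be run offline, and the CVE choice illustrates the point above: CVE-2014-0160 (Heartbleed) is exploitable over the network and can be matched by a rule, while CVE-2016-5195 (Dirty COW) is a local privilege escalation that no network rule covers.

```python
"""Correlate third-party scanner findings (by CVE) with the Deep Security
Intrusion Prevention rules assigned to a host.

Added example, not Trend Micro code. The endpoint paths, header names and
JSON field names below are assumptions about the Deep Security Manager
REST API; adjust them to your DSM version.
"""
import json
import ssl
import urllib.request

API_VERSION = "v1"


def dsm_get(base_url, api_key, path):
    """GET a JSON resource from the DSM API (assumed /api/... layout)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/{path}",
        headers={
            "api-secret-key": api_key,
            "api-version": API_VERSION,
            "Accept": "application/json",
        },
    )
    # Always verify the DSM certificate; do not silently downgrade to CERT_NONE.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def fetch_assigned_rules(base_url, api_key, computer_id):
    """Return the full rule objects assigned to one computer (assumed fields)."""
    computer = dsm_get(base_url, api_key, f"computers/{computer_id}")
    rule_ids = computer.get("intrusionPrevention", {}).get("ruleIDs", []) or []
    return [dsm_get(base_url, api_key, f"intrusionpreventionrules/{rid}")
            for rid in rule_ids]


def build_cve_index(rules):
    """Map CVE ID (upper-cased) -> sorted list of rule names that reference it."""
    index = {}
    for rule in rules:
        for cve in rule.get("CVE") or []:      # CVE may be absent or null
            index.setdefault(cve.upper(), set()).add(rule["name"])
    return {cve: sorted(names) for cve, names in index.items()}


def correlate(findings, rules):
    """Split scanner findings into those covered by an assigned IPS rule and
    those that are not. A finding may list several CVEs; each is checked."""
    index = build_cve_index(rules)
    report = {"covered": {}, "uncovered": []}
    for finding in findings:
        for cve in finding.get("cves", []):
            cve = cve.upper()
            if cve in index:
                report["covered"][cve] = index[cve]
            elif cve not in report["uncovered"]:
                report["uncovered"].append(cve)
    return report


# Constructed sample data: rule ID and name are invented, not real DSM rules.
SAMPLE_RULES = [
    {"ID": 9000001, "name": "Sample OpenSSL Heartbeat Rule (constructed)",
     "CVE": ["CVE-2014-0160"]},
    {"ID": 9000002, "name": "Sample Generic HTTP Filter (constructed)",
     "CVE": None},
]

# Constructed sample scanner export (shape modelled on a CSV/JSON CVE column).
SAMPLE_FINDINGS = [
    {"plugin": "OpenSSL Heartbeat information disclosure",
     "cves": ["cve-2014-0160"]},
    {"plugin": "Linux kernel copy-on-write race (local)",
     "cves": ["CVE-2016-5195"]},
]


def render(report):
    """Plain-text summary suitable for attaching to a scanner ticket."""
    lines = ["Covered by assigned Intrusion Prevention rules:"]
    for cve, names in sorted(report["covered"].items()):
        lines.append(f"  {cve}: {', '.join(names)}")
    lines.append("Not covered (local or no rule assigned; remediate on host):")
    lines.extend(f"  {cve}" for cve in report["uncovered"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline run on the constructed data. To run against a real DSM, replace
    # SAMPLE_RULES with fetch_assigned_rules(base_url, api_key, computer_id).
    print(render(correlate(SAMPLE_FINDINGS, SAMPLE_RULES)))
```

The report deliberately treats "no matching rule" and "local vulnerability" the same way: both land in the uncovered list, which is the set a scanner ticket should be raised for, while covered entries can be annotated with the rule name that would block the exploit.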