
Scanning Strategies and Best Practices

Course Prerequisites

• Please complete the Qualys Vulnerability Management training class before starting this class.
• Students and participants should already be familiar with TCP/IP and basic networking concepts.

2 Qualys, Inc. Corporate Presentation


Qualys Training & Certification Portal

• LAB exercises
• Presentation slides
Qualys Student Lab Account
Agenda

§ Introduction & Account Setup
§ Scan Process & Scanning Options
§ Authenticated Scanning & Host Tracking
§ Deploying & Using Scanner Appliances
§ Scanning Approaches & Techniques
§ Scanning Cloud Agent Hosts
§ Delegating Scanning Tasks & Privileges



Host Assets



Adding Host Assets

For scanning to begin, you must first add assets to your subscription.

Managers can:
• Add assets to the subscription
• Remove assets from the subscription

A Unit Manager can add assets to the subscription but cannot remove them.



Lab 1

Account Activation and Setup

15 min.



Scan Process Review



Qualys Scanning Modules

A Qualys vulnerability scan is comprised of multiple tasks, each performed by an independent module:
§ Host Discovery Module
§ Port Scanning Module
§ Service Detection Module
§ OS Detection Module
§ Vulnerability Assessment Modules



Vulnerability Scanning Workflow

Host Discovery
§ Checks for availability of target hosts. Any response from the host indicates the
host is "alive"
Port Scanning
§ Finds all open TCP and UDP ports on target hosts (based on scan preferences)

Service Discovery
§ Identifies which services are running on open ports.

OS Detection
§ Attempts to identify the operating system (with at least one open TCP port).

Vulnerability Assessment
§ Based on 1) Operating System, 2) Active Services, and 3) Installed Software
Scan Process Diagram

1. Host Discovery: 13 TCP, 6 UDP, ICMP probes
2. Port Scan: 1900 ports (configurable)
3. Service Detection / OS Fingerprint: over 600 TCP and UDP tests
4. Successful Authentication?
5. Yes: view Registry/File settings and run all vulnerability checks
   No: run remote vulnerability checks only
Scanning Options



TCP and UDP Ports

§ Standard Scan provides a good balance between port coverage and scan performance.

§ Ensure that potential filtering devices allow traffic on the ports you are targeting.
Authoritative Option for Light Scans

Moving from the Standard Scan to the Light Scan option?

Close QIDs associated with ports that are no longer targeted.


Scan Dead Hosts

§ A DEAD host is one that does not respond to any Host Discovery probes.

§ Use this option to scan all targeted hosts, regardless of the outcome of
Host Discovery (LIVE/DEAD) probes.
§ This option may increase scan time.
Close Vulnerabilities on Dead Hosts

If enabled and the configured threshold is reached:
§ Existing tickets associated with dead hosts will be marked as Closed/Fixed.
§ Vulnerability status will be updated to Fixed.
Purge Old Host Data When OS Is Changed

When enabled and a change is detected in the host’s OS vendor:
§ All existing host vulnerability findings are purged.
§ Not impacted by OS version changes (i.e., same vendor).
Performance

§ Hosts to Scan in Parallel – max. number of hosts to scan at the same time per scanner, per scan task.
§ Processes to Run in Parallel – max. number of processes to run at the same time per host.
§ If the network response degrades during scanning, Qualys scanners will automatically throttle back the rate at which packets are sent.
Load Balancer Detection

§ When enabled, each targeted host is tested to determine if it’s a load balancing device.
§ QID 86189 – Presence of a Load-Balancing Device Detected.


Password Brute Forcing

§ Use “System” generated passwords or configure your own custom lists.
§ Combine both system generated and custom lists together.
§ Part of the “pre-deployment” scanning process.
Best Practice

• Avoid “Password Brute Forcing” on host assets protected by an account lockout policy.
• Best used with “pre-deployment” scans.



Vulnerability Detection

§ Complete scans always perform “Basic host information checks.”
§ QID dependencies should always be considered when using the “Custom” scan option.
Best Practice

• Choose “Complete” scans over “Custom” scans when possible.
• Be aware of QID dependencies and ensure “Basic host information checks” are included, if using the “Custom” scan option.



Authentication

§ Qualys recommends performing scans in “authenticated” mode, because it provides the most accurate results with fewer false positives.
§ Selecting an authentication option here will require a matching authentication (or vault) record.
Best Practice

• Perform vulnerability scans in “authenticated” mode.



Test Authentication

§ Enable this option to run a scan to test authentication results.
§ Identify authentication issues before running a full assessment scan.
§ If you have a “Pay Per Scan” account, a scan with Test Authentication enabled will not count against your number of available scans.
§ No other scan tests will occur.
Additional Certificate Detection

§ Enable to check for certificates in more locations, and beyond traditional ports.
Dissolvable Agent

§ Enable this option to allow Qualys scanner appliances to enumerate Windows shares.
§ The agent immediately “dissolves” after completing its assigned task.
§ Scan must target QID 90635 in the “Vulnerability Detection” section.
Lite OS Scan

§ QID 45017 “Operating System Detected” must be included in the scan task.
§ Enabling Lite OS Detection will remove “expensive” OS detection methods only from the information gathering phases of a scan.
§ These “expensive” methods may still be used later, if needed by any vulnerability assessment QIDs.
Add Custom HTTP Header Value

Distinguish Qualys scan traffic from other traffic using the “Qualys-Scan” header (i.e., CGI and Web application fingerprint checks).
Host Alive Testing

§ Run a quick scan to determine which of your target hosts are alive without performing other scan tests.
§ The Appendix section of your Scan Results report will list the hosts that are LIVE and the hosts that are DEAD.
Do Not Overwrite OS

§ When enabled, Qualys scanners will NOT update the OS detected for targeted hosts.
§ This can be useful when performing occasional “untrusted” scans, when “trusted” scans are commonly used.
“Additional” Scanning Options



Host Discovery

§ Which probes will be used to determine host ALIVE/DEAD status?



Best Practice

§ Use the default “Host Discovery” settings provided by Qualys, and then provide additional TCP or UDP ports for your unique network and systems environments.



Blocked Resources

§ Avoid triggering IDS/IPS alerts and blacklists.

§ Qualys scanner appliances will NOT target the ports and IPs
identified here.
Packet Options

§ Prevent “ghost” IPs from appearing in your scan results and reports.
§ Use the bottom option to prevent Qualys scanners from performing extra ACK and SYN-ACK testing during Host Discovery.



Lab 2

Option Profile

10 min.



Authenticated Scanning



Best Practice

Control 4: Continuous Vulnerability Assessment and Remediation

CSC 4-3: “Perform vulnerability scanning in authenticated mode either with agents running locally on each end system or with remote scanners that are given administrative rights on the system being tested…”**

** https://www.cisecurity.org/controls/
Benefits of Scanning in Authenticated Mode

§ More vulnerabilities are detected.
• Ensures enumeration of software applications.
§ More accurate detection (more confirmed and fewer potential vulnerabilities).
§ Save Time - manually investigating a potential vulnerability takes time.
§ Most accurate OS detection.
Secure Windows Authentication



Windows Authentication Security Options

Kerberos Negotiation and Configuration

Check these items to ensure successful Kerberos Negotiation:
§ Target host must support Kerberos authentication.
§ DNS must resolve the Kerberos Server (KDC) and target hosts.
§ Kerberos relies on accurate time synchronization (+/- 5 minutes).
§ Configure encryption for Kerberos (AES 256, AES 128, and maybe RC4).
§ If the requirements above are not met, NTLMv2 negotiation will begin.
§ Use QID 70028 to verify the Windows authentication method used.

Secure Unix Authentication



Root Delegation

Root delegation is provided via sudo, PowerBroker, or Pimsu.

Best Practice

• Use a “non-privileged” user account with any supported “Root Delegation” service, when scanning Unix-based host assets.



Unix Private Key Authentication Tips

§ Private key authentication is supported for SSH2 only.
§ Scanning account must be added to all target hosts, along with its public key (i.e., authorized_keys file).
§ Private key must be PEM-encoded (OpenSSH standard).
§ Use ssh-keygen to create public/private key pairs.
§ Private key can be encrypted with a passphrase or left unencrypted.
Best Practice

• Use more secure Public/Private key pairs (when possible) over less secure password authentication.



Qualys Authenticated Scanning Resources



Agentless Tracking



Host Tracking

How do you want to track host vulnerability history?
§ IP Address (works best for static IPs)
§ DNS Name
§ NetBIOS Name
§ Qualys Host ID (default for Qualys Cloud Agent)

§ Qualys Host ID can be used by Qualys Scanner Appliances when “Agentless Tracking” is enabled.
What Is Agentless Tracking?

§ Qualys Cloud Agent uses a universally unique ID (UUID) called the Qualys Host ID to track vulnerabilities.
§ Agentless Tracking provides “scannable” host assets with the same Qualys Host ID.
§ Available through Windows and Unix auth. records.
§ This common ID allows you to merge SCAN and AGENT data together into a “unified” view.

Best Practice

• Enable “Agentless Tracking” when scanning host assets running a Qualys agent, to merge SCAN data with AGENT data.



Enable Agentless Tracking
Navigate to Scans > Setup.



Windows Authentication Record



Unix Authentication Record



Best Practice

• Store the Qualys Host ID in the /etc directory (i.e., the same directory used by Qualys Cloud Agent).



Lab 3

Authentication and Host Tracking

10 min.



Deploying and Using Scanner Appliances



Scanner Appliance Deployment

Diagram: Remote Users, LAN 1, LAN 2 and a DMZ on the corporate side; IaaS providers (EC2/VPC, Azure, Google) on the cloud side; all reachable from the Qualys Cloud Platform.

External Scan Review

Diagram: the same network, scanned from the Qualys Cloud Platform by an external scanner with public IP 64.41.200.249.

Internal Scan Review

Diagram: the same network, scanned by an internal scanner appliance at 10.10.10.1 that reports results back to the Qualys Cloud Platform.


Scanner Location
External Scanners (Public Interface)
• Scanning Public IPs
• External PCI scans (11.2.2)
• Public Cloud Platforms (e.g., Amazon)
Internal Scanners (Public or Private Interface)
• Scanning Private IP addresses
• Best Practice: one scanner appliance per subnet
• Internal PCI scans (11.2.1)
• DMZ Appliance
• IPv6 scanning



Qualys Virtual Scanner Appliance

Qualys Virtual Scanner Appliances are available for multiple hypervisor and virtualization platforms.

Best Practice

• Deploy virtual scanners to leverage the remote access tools provided by hypervisor and cloud platforms.



VLAN Tagging



VLAN Tagging

Diagram: the scanner appliance's LAN interface (10.10.10.10/24) connects to a switch port with trunking enabled for VLANs 10, 20, 30 and 40. Router R (10.10.10.1/24) holds the gateway addresses 10.10.20.254, 10.10.30.254 and 10.10.40.254 for VLAN 20 (10.10.20.0/24), VLAN 30 (10.10.30.0/24) and VLAN 40 (10.10.40.0/24), and connects to the Internet.



Scanner Appliance “VLANs” Option

• Scanner appliance receives a local IP address on each configured VLAN segment.
• The same IP address cannot be used in more than one VLAN configuration.
Best Practice

• Use VLAN Tagging to scan multiple VLANs using a single scanner appliance.
• Bypass layer three packet filtering.



Static Routes



Static route

Diagram: the scanner appliance sits behind a switch serving VLAN 20, VLAN 30 and VLAN 40 (10.10.20.0/24, 10.10.30.0/24, 10.10.40.0/24). Router R has interfaces 10.10.40.1/24 and 10.10.80.1/24, so a static route via R is needed for the appliance to reach the 10.10.80.0/24 network.


Scanner Appliance “Static Routes” Option

• Physical scanners support up to 99 static routes.
• Virtual scanners support up to 4094 static routes.


Scanning through Firewalls



Half-Open SYN Scan
Host Discovery & Port Scanning

Diagram: scanner 10.1.1.10 sends SYN to target 10.1.1.20; the target answers SYN-ACK; the scanner replies with RST instead of completing the three-way handshake.


Cascading Firewalls

Diagram: the same SYN / SYN-ACK / RST exchange passing from the TRUSTED side through cascaded firewalls to the UNTRUSTED side.


Best Practice

• Avoid scanning through cascading or multiple firewalls.



Firewall Detected QID



Scanning through Firewalls
From Trusted to Untrusted

Large amounts of “outgoing” traffic could potentially exhaust your firewall’s state table, causing it to crash or fail.

Precautionary steps to follow:
• Lower Port Scanning and Host Discovery “Intensity” to Minimum.
• Minimize the number of hosts and ports targeted.
• Work closely with systems and network admins to monitor the state table (allocate more memory if needed).
• Do NOT turn off stateful inspection.
• Increase NAT/PAT pools.


Best Practice

• Avoid scanning from “trusted” to “untrusted” networks through a stateful inspection firewall.


Calculating Scan Parameters & Resources



How Many Hosts Should My Scan Target?

Ex. 17 million / number of ports = number of hosts
• Light Scan: 17 million / 160 ports = 106,250 hosts
• Standard Scan: 17 million / 1900 ports = 8947 hosts
• Full Scan: 17 million / 65,535 ports = 259 hosts
Add More Scanners for Larger Targets

17 million / 1900 ports = 8947 hosts (Standard Scan)
• 8947 x 2 (scanners) = 17,894 hosts
• 8947 x 3 (scanners) = 26,841 hosts
• 8947 x 4 (scanners) = 35,788 hosts
• 8947 x 5 (scanners) = 44,735 hosts
• etc...


Scanner Parallelization



Scanner Parallelization
Combining Multiple Scanners

Diagram: Appliance_1 through Appliance_5 all scanning the same block of hosts.

• Use more than one scanner to scan a block of hosts.
• Reduce the time needed to complete your scans.
• Scanner code and signatures must be synchronized.
• Can your network handle the increased bandwidth consumption?


Microslicing Technology

What if I want to scan a full /16?

The service will accommodate the scan by breaking it up into “slices” and distributing them to appliances appropriately based on their capacity.

Diagram: the Qualys Cloud Platform hands out slices such as “Scan 172.16.0.1 to 172.16.15.254”, “Scan 172.16.16.1 to 172.16.31.254” and “Scan 172.16.32.1 to 172.16.47.254” to appliances as they report their state (“At full capacity” / “I now have capacity!”).
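As an added example (not from the Qualys deck and not Qualys's microslicing implementation), the following Python applies the sizing rule of thumb from the preceding slides (17 million probes per scanner divided by the number of ports per host, then multiplied out across scanners) and then splits a CIDR target into contiguous address slices proportional to each appliance's capacity. The 17 million budget is taken from the slides; the proportional split, the integer capacities and the function names are assumptions made for illustration, since the real service's capacity model is not described here.

```python
import ipaddress
from typing import List, Tuple

# Per-scanner probe budget used by the deck's sizing rule of thumb
# (17 million / ports = hosts per scanner). Treated here as a constant assumption.
PROBE_BUDGET = 17_000_000


def hosts_per_scanner(ports: int, budget: int = PROBE_BUDGET) -> int:
    """Hosts one scanner can cover in a scan task: budget / ports probed per host."""
    if ports <= 0:
        raise ValueError("ports must be positive")
    return budget // ports


def scanners_needed(host_count: int, ports: int, budget: int = PROBE_BUDGET) -> int:
    """Smallest number of scanners whose combined capacity covers host_count."""
    per_scanner = hosts_per_scanner(ports, budget)
    return -(-host_count // per_scanner)  # ceiling division


def slice_target(network: str, capacities: List[int]) -> List[Tuple[str, str, int]]:
    """Split a CIDR target into contiguous slices proportional to each appliance's
    capacity. Returns (first_ip, last_ip, host_count) per appliance; appliances
    with no capacity get no slice. Illustrative splitter only, not Qualys's algorithm."""
    net = ipaddress.ip_network(network, strict=False)
    first = int(net.network_address) + 1   # skip the network address
    last = int(net.broadcast_address) - 1  # skip the broadcast address
    total = last - first + 1
    if total < 1:
        raise ValueError("network has no usable host addresses")
    if not capacities or any(c < 0 for c in capacities) or sum(capacities) == 0:
        raise ValueError("capacities must be non-negative and not all zero")
    cap_sum = sum(capacities)
    # Floor each share, then hand the rounding remainder to the largest appliance
    counts = [total * cap // cap_sum for cap in capacities]
    counts[capacities.index(max(capacities))] += total - sum(counts)
    slices: List[Tuple[str, str, int]] = []
    cursor = first
    for count in counts:
        if count <= 0:
            continue
        slices.append((str(ipaddress.ip_address(cursor)),
                       str(ipaddress.ip_address(cursor + count - 1)),
                       count))
        cursor += count
    return slices


if __name__ == "__main__":
    # Reproduce the deck's three sizing examples, then slice a /16 across four equal appliances
    for name, ports in (("Light", 160), ("Standard", 1900), ("Full", 65535)):
        print(f"{name} scan: {hosts_per_scanner(ports):,} hosts per scanner")
    print("Scanners for 35,788 hosts (Standard):", scanners_needed(35788, 1900))
    for first_ip, last_ip, count in slice_target("172.16.0.0/16", [1, 1, 1, 1]):
        print(f"Scan {first_ip} to {last_ip} ({count} hosts)")
```

The per-slice ranges differ from the /20 blocks shown on the slide because this splitter divides the address space by capacity rather than by subnet boundary; the point it demonstrates is that a block too large for one appliance can be covered by several without any appliance exceeding its own budget.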


Best Practice

• Combine multiple scanner appliances to reduce overall scan time.


Select Multiple Scanners
Parallel Scaling for Scanner Appliances

§ Select this option to dynamically “scale” the “Hosts to Scan In Parallel” setting (at scan time).
§ This calculated value will be based upon the computing resources available on each appliance.
§ Can be especially useful in subscriptions with scanner appliances that have different performance characteristics (e.g., processor, memory, etc...).
Monitoring and Analyzing Scans



How Long Will My Scan Take?

§ Host type - does host provide one or more services to other hosts?
§ Host utilization - is host busy handling other requests at scan time?
§ Network utilization - how much bandwidth is available at scan time?
§ Number of Scanners and location - how many hops between scanner and
target host?
§ Option Profile settings - how many ports will be probed; how many vulns.
will be tested; is scan performance set to LOW, NORMAL or HIGH?



Check Scan Status for Suspect Hosts

§ Which host assets are driving your overall scan time?
• When a routine scan exceeds its expected scan time, check to see which host assets (IPs) are still in the queue.
• Make a list of all suspect IPs and analyze their scan statistics when the scan finishes.



Host Scan Time QID



Some Other Useful Scan Analysis QIDs

45038 - Host Scan Time
45006 - Traceroute
45179 - Report Qualys Host ID Value
45180 - Report Qualys Host ID Access Errors
90194 - Windows Registry Pipe Access Level
§ Access to Remote Registry Service is denied or Registry access denied
§ You may need to enable Remote Registry Service
90195 - Windows Registry Key Access Denied
§ Check your scanning account’s access privileges.
§ User Access Control (UAC) will impact this QID.
70028 - Windows Authentication Method
105015 - Windows Authentication Failed
105053 - Unix Authentication Failed
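As an added example, not Qualys code, here is a small Python triage over a constructed, simplified CSV export containing some of the QIDs listed above. The column layout and the Results wording are invented for illustration (real Qualys exports have more columns and different text); the QID numbers and their meanings are the ones on the slide. It flags hosts whose scan time exceeds a threshold (QID 45038), hosts whose Windows authentication fell back from Kerberos to NTLMv2 (QID 70028, as described in the Kerberos Negotiation slide), hosts with failed authentication (QIDs 105015 and 105053) and hosts with registry access problems (QIDs 90194 and 90195), which is the list of "suspect IPs" the earlier slide says to analyze after a slow scan.

```python
import csv
import io
import re
from collections import defaultdict
from typing import Any, Dict, List

# QIDs from the scan analysis slide
QID_HOST_SCAN_TIME = 45038
QID_WIN_AUTH_METHOD = 70028
QID_WIN_AUTH_FAILED = 105015
QID_UNIX_AUTH_FAILED = 105053
QID_WIN_REG_PIPE = 90194
QID_WIN_REG_KEY_DENIED = 90195

# Constructed sample export. Columns and Results text are simplified for this
# example and do not reproduce the real Qualys CSV format.
SAMPLE_CSV = """IP,QID,Title,Results
10.10.10.5,45038,Host Scan Time,Scan duration: 840 seconds
10.10.10.5,70028,Windows Authentication Method,Kerberos
10.10.10.6,45038,Host Scan Time,Scan duration: 7260 seconds
10.10.10.6,70028,Windows Authentication Method,NTLMv2
10.10.10.6,90195,Windows Registry Key Access Denied,Access denied to the SOFTWARE key
10.10.10.7,45038,Host Scan Time,Scan duration: 300 seconds
10.10.10.7,105053,Unix Authentication Failed,SSH login failed for the scanning account
"""


def triage_scan_results(csv_text: str, max_seconds: int = 3600) -> Dict[str, Dict[str, Any]]:
    """Group rows by host and collect scan time, Windows auth method and a list of
    issues worth a closer look. max_seconds is the per-host scan time you consider normal."""
    per_host: Dict[str, Dict[str, Any]] = defaultdict(
        lambda: {"scan_seconds": None, "auth_method": None, "issues": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = per_host[row["IP"]]
        qid = int(row["QID"])
        results = row["Results"].strip()
        if qid == QID_HOST_SCAN_TIME:
            match = re.search(r"(\d+)\s*seconds", results)
            if match:
                host["scan_seconds"] = int(match.group(1))
                if host["scan_seconds"] > max_seconds:
                    host["issues"].append(
                        f"scan time {host['scan_seconds']}s exceeds {max_seconds}s")
        elif qid == QID_WIN_AUTH_METHOD:
            host["auth_method"] = results
            if "kerberos" not in results.lower():
                # NTLMv2 means one of the Kerberos prerequisites (DNS, time sync,
                # encryption types, host support) was not met
                host["issues"].append(
                    f"Windows authentication used {results}; check Kerberos prerequisites")
        elif qid in (QID_WIN_AUTH_FAILED, QID_UNIX_AUTH_FAILED):
            host["issues"].append(f"authentication failed: {results}")
        elif qid in (QID_WIN_REG_PIPE, QID_WIN_REG_KEY_DENIED):
            host["issues"].append(f"registry access problem: {results}")
    return dict(per_host)


def suspect_hosts(csv_text: str, max_seconds: int = 3600) -> List[str]:
    """Sorted list of IPs with at least one flagged issue."""
    return sorted(ip for ip, host in triage_scan_results(csv_text, max_seconds).items()
                  if host["issues"])


if __name__ == "__main__":
    for ip, host in triage_scan_results(SAMPLE_CSV).items():
        print(ip, host["scan_seconds"], host["auth_method"])
        for issue in host["issues"]:
            print("   -", issue)
    print("suspect hosts:", suspect_hosts(SAMPLE_CSV))
```

To use this against a real export, keep the QID-based logic and adapt only the column names and the regular expression that pulls the duration out of the QID 45038 result text.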



Best Practice

• Create and maintain your own custom Search List for analyzing scan performance.



Lab 4

Analyzing Scan Results

15 min.



Scanning Approaches and Techniques



What’s An Effective Scanning Target?

§ Create scanning targets separate from reporting targets (an ideal reporting target isn’t necessarily a good scanning target).
§ RECOMMENDED: Select targets that cover entire netblocks or subnets (i.e., perform comprehensive, pervasive scans).
§ Avoid narrow or constricted scanning targets that might inadvertently miss active host assets.
§ Scan frequently and often (Vulnerability Detection = Complete).

** Always consider your existing network architecture and the location of filtering devices when selecting appropriate scanning targets. Firewall rule tables and whitelists may need to be adjusted for your scans.



Recommended Scans

1. Certification/Accreditation – pre-production scan (authenticated-mode)
2. Discovery/Inventory – lightweight discovery and inventory scan (authenticated-mode)
3. Assessment – standard scan (authenticated-mode)

• Combine Inventory with Assessment scan (perform assessment scans more frequently).
• Add Compliance scan (Qualys PC) for complete coverage.



Certification/Accreditation Scan

§ GOAL: Ensure newly deployed host assets meet baseline security requirements, prior to moving into a production role.
§ Option Profile Settings:
• Full scan (65,535 ports)
• Password Brute Forcing enabled (target known vendor and device defaults)
• Vulnerability Detection: Complete
• Authentication: Enabled

§ Rescan will be required anytime a new host goes back to the apps team (if feasible, just scan after the apps team has finished).



Discovery/Inventory Scan

§ GOAL: Provide a lightweight scan that collects host metadata useful for asset inventory and management tasks, including data needed to propagate or update Asset Tags.
§ Option Profile Settings: (e.g., Light Inventory Scan v.1)
• TCP Ports (16): 21-23,25,53,80,88,110-111,135,139,443,445,515,1433,1521
• UDP Ports (6): 53,111,135,137,161,500
• Vulnerability Detection: Custom
o Windows Authentication Results
o Unix Authentication Results
o Inventory Results
• Be sure to enable “Basic host information checks” when using “Custom” detection
• Authentication: Enabled

§ Perform pervasive scans that cover entire netblocks or subnets.
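Added example, not from the deck: a Python parser for the comma-and-range port notation used in the TCP and UDP port lists above, plus a helper that computes which ports drop out when an option profile moves from a wider list to a narrower one. That is the situation the earlier “Authoritative Option for Light Scans” slide addresses, where QIDs associated with ports that are no longer targeted get closed, so knowing the exact set of dropped ports tells you which findings will be affected. The Light Inventory port lists are copied from the slide; the wider list used for comparison is constructed for illustration and is not Qualys's Standard Scan port list.

```python
import re
from typing import Set


def expand_port_spec(spec: str) -> Set[int]:
    """Expand a port list such as "21-23,25,80" into the set of individual ports.
    Tokens are single ports or inclusive ranges; whitespace is ignored and
    anything outside 1-65535 is rejected."""
    ports: Set[int] = set()
    for token in spec.replace(" ", "").split(","):
        if not token:
            continue
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if match is None:
            raise ValueError(f"bad port token: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port range out of bounds: {token!r}")
        ports.update(range(low, high + 1))
    return ports


def ports_dropped(wider_spec: str, narrower_spec: str) -> Set[int]:
    """Ports probed by wider_spec but not by narrower_spec. Findings on these
    ports cannot be re-confirmed by the narrower profile, which is why the
    Authoritative option closes the QIDs associated with them."""
    return expand_port_spec(wider_spec) - expand_port_spec(narrower_spec)


def validate_count(spec: str, expected: int) -> bool:
    """Check that a list labelled e.g. "TCP Ports (16)" really expands to that many ports."""
    return len(expand_port_spec(spec)) == expected


# Port lists copied from the Light Inventory Scan slide
LIGHT_INVENTORY_TCP = "21-23,25,53,80,88,110-111,135,139,443,445,515,1433,1521"
LIGHT_INVENTORY_UDP = "53,111,135,137,161,500"

# Constructed wider list for comparison only (NOT Qualys's Standard Scan list)
CONSTRUCTED_WIDER_TCP = LIGHT_INVENTORY_TCP + ",3306,3389,5900,8080"


if __name__ == "__main__":
    print("TCP ports:", sorted(expand_port_spec(LIGHT_INVENTORY_TCP)))
    print("UDP ports:", sorted(expand_port_spec(LIGHT_INVENTORY_UDP)))
    print("ports no longer targeted:",
          sorted(ports_dropped(CONSTRUCTED_WIDER_TCP, LIGHT_INVENTORY_TCP)))
```

Running `validate_count` against the labelled counts on the slide (16 TCP, 6 UDP) is a quick sanity check before pasting a port list into an option profile, since a mistyped range silently changes what a scan covers.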


Useful Host Inventory QIDs

QIDs used by Asset Tag rule engines:
45039 – Host Names Found
45361 – Linux/Unix Hostname Information
45141 – Installed Packages on Unix and Linux Operating Systems
90235 – Installed Applications Enumerated from Windows Installer
123816 – Interface and IP Address List (Unix)
45099 – Interface Names and Assigned IP Address Enumerated from Registry
82004 – Open UDP Services
82023 – Open TCP Services



Assessment Scan

§ Goal: Perform a thorough and comprehensive scan to find and mitigate host vulnerabilities.
§ Option Profile Settings:
• Standard Scan (about 1900 TCP and 180 UDP ports): include additional ports where necessary.
• Vulnerability Detection: Complete
• Authentication: Enabled

§ Perform pervasive scans that cover entire netblocks or subnets.
§ Scan frequently and often.



Lab 5

Basic Scanning Approaches

15 min.



Continuous Scanning



Scheduled Continuous Scans



Scanning Cloud Agent Hosts



Host Perspectives

Remote
§ Qualys Scanner Appliance targets host assets remotely.

Local
§ Qualys Cloud Agent installs as a local system service.



Cloud Agent QID Search List

1. Build Dynamic Search list of all Cloud Agent QIDs

2. Create Option Profile to exclude those QIDs

3. Run Scan



Lab 6

Scanning Cloud Agent Hosts

10 min.



Delegating Scanning Tasks and Privileges



Who Can Run Qualys Scans?

§ Scans may be performed by a: Scanner, Unit Manager, or Manager.

§ Scanning privileges may be provided via GUI, API, or both.



Which Hosts Can A User Scan?
§ The Asset Groups assigned to a Qualys user determine which IPs that user can successfully scan.



Which Scanner Appliances Can I Use?

1. Assign the desired scanner appliance to the targeted Asset Group(s).
2. Then assign the same Asset Group(s) to the desired user account.

§ Qualys pool of External Appliances is available by default.



Lab 7

Scan Delegation

15 min.



Thank You

training@qualys.com

