Course Prerequisites
• LAB exercises
• Presentation slides
Qualys Student Lab Account
Agenda
15 min.
Host Discovery
§ Checks for availability of target hosts. Any response from the host indicates the host is "alive".
Port Scanning
§ Finds all open TCP and UDP ports on target hosts (based on scan preferences)
Service Discovery
§ Identify which services are running on open ports.
OS Detection
§ Attempts to identify the operating system (with at least one open TCP port).
Vulnerability Assessment
§ Based on 1) Operating System, 2) Active Services, and 3) Installed Software
Scan Process Diagram
[Diagram: scan process flow. Labels: 1. Host Discovery (13 TCP, 6 UDP, ICMP); 2. Port Scan (1900, configurable); 3. Service Detection; OS Fingerprint; over 600 TCP and UDP tests; 4. Successful Authentication? Yes: view registry/file settings, 5. All Vulnerability Checks; No: 5. Remote Vulnerability Checks.]
12 Qualys, Inc. Corporate Presentation
Scanning Options
§ A DEAD host is one that does not respond to any Host Discovery probes.
§ Use this option to scan all targeted hosts, regardless of the outcome of
Host Discovery (LIVE/DEAD) probes.
§ This option may increase scan time.
Close Vulnerabilities on Dead Hosts
§ If you have a “Pay Per Scan” account, a scan with Test Authentication
enabled will not count against your number of available scans.
§ No other scan tests will occur.
Additional Certificate Detection
Distinguish Qualys scan traffic from other traffic using the “Qualys-Scan” header (i.e., CGI and Web application fingerprint checks).
Host Alive Testing
§ Run a quick scan to determine which of your target hosts are alive
without performing other scan tests.
§ The Appendix section of your Scan Results report will list the hosts that are LIVE and the hosts that are DEAD.
Do Not Overwrite OS
§ Qualys scanner appliances will NOT target the ports and IPs
identified here.
Packet Options
§ Prevent “ghost” IPs from appearing in your scan results and reports.
Option Profile
10 min.
** https://www.cisecurity.org/controls/
Benefits of Scanning in Authenticated
§ More vulnerabilities are detected.
• Ensures enumeration of software applications.
§ More accurate detection (more confirmed and fewer potential vulnerabilities).
Secure Unix Authentication
Best Practice
10 min.
[Network diagrams: Remote Users, LAN 1, LAN 2, DMZ, and IaaS Providers (EC2/VPC, Azure, Google). Labels include 64.41.200.249, 10.10.10.1, 10.10.10.1/24, 10.10.40.1/24, 10.10.80.1/24, a switch with trunking enabled for VLANs 10, 20, 30, and 40, and routers (R).]
[Diagram: SYN, SYN-ACK, RST exchanges involving 10.1.1.10 and 10.1.1.20, labelled TRUSTED and UNTRUSTED.]
• Use more than one scanner to scan a block of hosts.
• Reduce the time needed to complete your scans.
• Scanner code and signatures must be synchronized.
• Can your network handle the increased bandwidth consumption?
[Diagram: Appliance_1, Appliance_2, Appliance_3, Appliance_4, Appliance_5]
What if I want to scan a full /16?
The service will accommodate the scan by breaking it up into “slices” and distributing them to appliances appropriately based on their capacity.
[Diagram: Scan 172.16.0.1 to 172.16.15.254; Scan 172.16.16.1 to 172.16.31.254; Scan 172.16.32.1 to 172.16.47.254]
§ Host type - does host provide one or more services to other hosts?
§ Host utilization - is host busy handling other requests at scan time?
§ Network utilization - how much bandwidth is available at scan time?
§ Number of Scanners and location - how many hops between scanner and
target host?
§ Option Profile settings - how many ports will be probed; how many vulns.
will be tested; is scan performance set to LOW, NORMAL or HIGH?
15 min.
** always consider your existing network architecture and the location of filtering devices, when selecting
appropriate scanning targets. Firewall rule tables and whitelists may need to be adjusted for your scans.
§ A rescan will be required any time a new host goes back to the apps team (if feasible, just scan after the apps team has finished).
• Be sure to enable “Basic host information checks” when using “Custom” detection
• Authentication: Enabled
15 min.
Remote
§ Qualys Scanner Appliance targets host assets remotely.
Local
§ Qualys Cloud Agent installs as a local system service.
3. Run Scan
10 min.
1. Assign desired scanner appliance to targeted Asset Group(s).
2. Then assign same Asset Group(s) to desired user account.
Scan Delegation
15 min.
training@qualys.com