Professional Documents
Culture Documents
1. Presentation slides
2. Lab tutorial supplement
3
Start the
tutorial
Host Discovery
§ Checks host “dead/alive” status. By default, scanning will continue for live hosts.
Port Scanning
§ Finds open TCP and UDP ports on target hosts (based on scan preferences).
Service Detection
§ Identifies which services are running on open ports.
OS Detection
§ Identifies the host operating system (at least one open TCP port required).
Vulnerability Assessment
§ Based on 1) Operating System, 2) Active Services, and 3) Installed Software
Scan Process Diagram
1. OS verified 5.
Host Discovery Yes from registry or All Vulnerability
13 TCP system settings Checks
6 UDP, ICMP
2.
Port Scan 4. Successful
1900 Port Scan Authentication?
(configurable)
3.
Service 5. Remote
OS
Detection Vulnerability
Fingerprint
Over 600 TCP No Checks
and UDP Tests
12 Qualys, Inc. Corporate Presentation
Scanning Options
§ A DEAD host is one that does not respond to any Host Discovery probes.
§ Use this option to scan all targeted hosts, regardless of the outcome of
Host Discovery (LIVE/DEAD) probes.
§ This option may increase scan time.
Close Vulnerabilities on Dead Hosts
§ If you have a “Pay Per Scan” account, a scan with Test Authentication
enabled will not count against your number of available scans.
§ No other scan tests will occur.
Additional Certificate Detection
Distinguish Qualys scan traffic from other traffic using the ”Qualys-Scan”
header (i.e., CGI and Web application fingerprint checks).
Host Alive Testing
§ Run a quick scan to determine which of your target hosts are alive
without performing other scan tests.
§ The Appendix section of your Scan Results report will list the hosts that
are LIVE and hosts that DEAD.
Do Not Overwrite OS
§ Qualys scanner appliances will NOT target the ports and IPs
identified here.
40 Qualys, Inc. Corporate Presentation
Packet Options
§ Prevent “ghost” IPs from appearing in your scan results and reports.
44 ** https://www.cisecurity.org/controls/
§ More vulnerabilities are detected.
• Ensures enumeration of software
Benefits of applications.
Scanning in § More accurate detection (more confirmed
Authenticated and fewer potential vulnerabilities).
48
Secure Unix Authentication
50
Best Practice
58
Best Practice
Remote Users
LAN 1 • EC2/VPC IaaS Providers
• Azure
• Google
LAN 2 DMZ
Remote Users
LAN 1 • EC2/VPC IaaS Providers
• Azure
• Google
64.41.200.249
LAN 2 DMZ
Remote Users
LAN 1 • EC2/VPC IaaS Providers
• Azure
• Google
LAN 2 DMZ
10.10.10.1
Trunking enabled
for VLANs: 10.10.10.1/24
10 , 20, 30, and 40
R
SWITCH
10.10.80.1/24
10.10.40.1/24
R
SYN
SYN-ACK
RST
10.1.1.10 10.1.1.20
TRUSTED
SYN
SYN-ACK
RST
UNTRUSTED
Appliance_1
• Use more than one scanner
to scan a block of hosts.
• Reduce the time needed to Appliance_2
complete your scans.
Appliance_3
• Scanner code and signatures
must be synchronized.
Appliance_4
• Can your network handle the
increased bandwidth Appliance_5
consumption?
Scan 172.16.0.1
to172.16.15.254
Scan 172.16.16.1 What if I want to scan a full /16?
to172.16.31.254
The service will accommodate the scan by breaking it up into
Scan 172.16.32.1 to “slices” and distributing them to appliances appropriately based on
172.16.47.254 their capacity.
§ Host type - does host provide one or more services to other hosts?
§ Host utilization - is host busy handling other requests at scan time?
§ Network utilization - how much bandwidth is available at scan time?
§ Number of Scanners and location - how many hops between scanner and
target host?
§ Option Profile settings - how many ports will be probed; how many vulns.
will be tested; is scan performance set to LOW, NORMAL or HIGH?
** always consider your existing network architecture and the location of filtering devices, when selecting
appropriate scanning targets. Firewall rule tables and whitelists may need to be adjusted for your scans.
§ Rescan will be required, anytime new host goes back to the apps
team (if feasible, just scan after the apps team has finished).
• Be sure to enable “Basic host information checks” when using “Custom” detection
• Authentication: Enabled
Remote
§ Qualys Scanner Appliance targets host assets remotely.
Local
§ Qualys Cloud Agent installs as a local system service.
115
Add Agent Addresses To Scan
1. Assign desired
scanner appliance
to targeted Asset
Group(s).
2. Then assign same
Asset Group(s) to
desired user
account.
training@qualys.com