Amazon EC2 Pre-Authorized Scanning Appliance: Network Communications

Document created by justin.lute on Feb 14, 2014. Last modified by Mikesh Khanal on Feb 17, 2019. Version 12.

There are three major communication paths the Pre-Authorized virtual appliance must use to be successful.

Management connectivity to QualysGuard Cloud Platform
Forward proxy server is supported.  Management communications from the appliance to the Qualys Cloud Platform may be routed through a forward proxy.  The appliance can be configured as a proxy client if you provide the IP address of your proxy server and, optionally, a username/password.  See Scanner Appliance: Management Communications and Scanner Appliance FAQs: Tell Me About Proxy Support for more.
OUTBOUND
  What:         Management polling from appliance to Platform
  When:         Every 3 minutes by default (configurable from 1 to 60 minutes)
  Source:       appliance [as configured]
  Protocol:     TCP
  Port/Service: 443 (HTTPS)
  Destination:  Appliance services @ Qualys Cloud Platform [as specified in Help > About section of UI]

INBOUND
  What:         Responses from Platform, established sessions only
  Source:       Appliance services @ Qualys Cloud Platform [as specified in Help > About section of UI]
  Protocol:     TCP
  Port/Service: any high port (>=1024) on the appliance (return traffic from source port 443)
  Destination:  appliance [as configured]

Connectivity to Amazon EC2 and STS API endpoints

Forward proxy server is not supported.  The appliance's communications with the EC2 and STS API endpoints are not "management" connections but part of the act of scanning.  For authorization, the scanner must reach the STS endpoint to assume a role and obtain tokens (temporary credentials) for its EC2 API calls.  Much as the appliance must contact a DNS server to resolve FQDNs to IP addresses, it must contact the EC2 API endpoint to resolve EC2 instance IDs to IP addresses.  This traffic is not routed through the proxy server you may have configured for management communications with the Qualys Cloud Platform (see above): the appliance must reach the EC2 and STS APIs directly, or through a fully transparent proxy or filtering technology.  If the appliance cannot reach the EC2 and STS API endpoints, any EC2 scan job you launch will fail.  The scan will conclude without scanning any of the EC2 instance targets, either because it was not authorized or because the appliance could not resolve the list of target instance IDs to IP addresses, typically reported as the error "No Hosts alive".

OUTBOUND
  What:         Lookup against EC2 and STS APIs to confirm target details
  When:         At beginning of scan launch
  Source:       appliance [as configured]
  Protocol:     TCP
  Port/Service: 443 (HTTPS)
  Destination:  EC2 and STS API endpoints for the Region in which the scanner is deployed; see AWS documentation for URLs [EC2 and STS API URLs resolve to various IP addresses]

INBOUND
  What:         Responses from EC2 and STS API endpoints, established sessions only
  Source:       EC2 and STS API endpoints [IP addresses are variable]
  Protocol:     TCP
  Port/Service: any high port (>=1024) on the appliance (return traffic from source port 443)
  Destination:  appliance [as configured]

Active scanning of target instances
OUTBOUND
  What:         Active scanning from the appliance instance to the target instances
  When:         Whenever scans are launched or scheduled
  Source:       appliance [as configured]
  Protocol:     any
  Port/Service: any
  Destination:  target instance [as configured]

INBOUND
  What:         Responses from target instances being scanned
  Source:       target instance [as configured]
  Protocol:     any
  Port/Service: any
  Destination:  appliance [as configured]

Note: AWS security groups are stateful, so once the OUTBOUND rule exists the matching INBOUND responses in all three tables are allowed automatically; network ACLs are stateless and need explicit inbound rules covering the ephemeral (high) ports on the appliance.  The target instances' own security groups must also permit the scanner's traffic, or the scan will see only filtered ports.
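The following is an added example, not part of this page and not Qualys code: a Python preflight, run from a host in the appliance's subnet, that probes path 1 (management, through an HTTP CONNECT proxy when one is configured) and path 2 (EC2 and STS, always direct), and shows the instance-ID-to-IP lookup of path 2 against a constructed DescribeInstances response.  PLATFORM_HOST, the proxy tuple, the sample instance IDs and the us-east-1 default are placeholders; the assumption that the proxy speaks HTTP CONNECT and the regional hostname pattern ec2.<region>.amazonaws.com / sts.<region>.amazonaws.com should be confirmed against your proxy and the AWS documentation for your partition.

```python
"""Preflight check for the scanner's management and EC2/STS communication paths.

Added example, not Qualys code. PLATFORM_HOST, the proxy tuple and the sample
instance IDs are placeholders; endpoint names assume the standard AWS pattern.
"""
import base64
import socket
import ssl
import sys

PLATFORM_HOST = "platform.example.com"  # placeholder: use the host from Help > About


def aws_api_endpoints(region):
    """Regional EC2 and STS API hostnames the appliance must reach directly
    (assumed pattern; confirm against AWS documentation for your partition)."""
    return {"ec2": f"ec2.{region}.amazonaws.com",
            "sts": f"sts.{region}.amazonaws.com"}


def build_connect_request(host, port, user=None, password=None):
    """HTTP CONNECT request a forward-proxy client sends to open a tunnel.
    Only the management path may use this; EC2/STS traffic never does."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def https_reachable(host, port=443, proxy=None, timeout=5.0):
    """Return (ok, detail). proxy=(phost, pport[, user, password]) tunnels the
    session through a forward proxy with CONNECT; proxy=None connects direct.
    A TLS handshake confirms an HTTPS service actually answered."""
    try:
        if proxy:
            sock = socket.create_connection((proxy[0], proxy[1]), timeout)
            sock.sendall(build_connect_request(host, port, *proxy[2:]))
            status = sock.recv(4096).split(b"\r\n", 1)[0]
            if b" 200 " not in status:
                sock.close()
                return False, f"proxy refused CONNECT: {status.decode(errors='replace')}"
        else:
            sock = socket.create_connection((host, port), timeout)
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return True, f"{tls.version()} handshake with {host}:{port}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"{host}:{port} unreachable: {exc}"


def resolve_instance_ips(describe_instances, instance_ids):
    """Map target instance IDs to private IPs from an EC2 DescribeInstances
    response (the lookup the appliance performs at scan launch). IDs absent
    from the response are the targets that cannot be scanned."""
    found = {}
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("InstanceId") in instance_ids and "PrivateIpAddress" in inst:
                found[inst["InstanceId"]] = inst["PrivateIpAddress"]
    missing = sorted(set(instance_ids) - set(found))
    return found, missing


def preflight(region, proxy=None):
    """Probe path 1 (management, proxy allowed) and path 2 (EC2/STS, direct only).
    Path 3 (scanning the targets) depends on the target list and is not probed."""
    results = [("management -> platform", *https_reachable(PLATFORM_HOST, proxy=proxy))]
    for name, host in aws_api_endpoints(region).items():
        # Deliberately proxy=None: the appliance sends this traffic direct,
        # so a proxy-only egress policy makes every EC2 scan fail.
        results.append((f"{name} api (direct)", *https_reachable(host)))
    return results


# Constructed sample DescribeInstances response (not real account data).
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0", "PrivateIpAddress": "10.0.1.10"},
    {"InstanceId": "i-0fedcba9876543210", "PrivateIpAddress": "10.0.1.11"},
]}]}

if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    for path, ok, detail in preflight(region):
        print(f"[{'PASS' if ok else 'FAIL'}] {path}: {detail}")
    ips, missing = resolve_instance_ips(
        SAMPLE_DESCRIBE_INSTANCES,
        ["i-0123456789abcdef0", "i-0fedcba9876543210", "i-00000000000000000"])
    print("resolved:", ips, "unresolved (would scan as 'No Hosts alive'):", missing)
```

Run it as `python3 preflight.py us-west-2`, passing a proxy tuple to preflight() only if the appliance is configured as a proxy client.  A FAIL on either API row with a PASS on the management row is the signature of the proxy-only egress policy described above: management works, every EC2 scan ends with no targets.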

 

 

 

These articles provide some further detail on these topics:

Scanner Appliance: Management Communications

Virtual Scanner Management Communications: Amazon EC2-Classic
