Asset Discovery and Management with Qualys

Document created by Leif Kremkow Employee on Aug 18, 2017
Version 1Show Document
  • View in full screen mode

Five different approaches to identifying assets on your network, followed by a comparison between the different approaches to help you identify which best suits you.


For the purpose of this document, "assets" is defined as anything with an IPv4 address on your network.


Within the Vulnerability Management service the Qualys platform offers five different methods with which to manage assets.



The Map is amongst Qualys' oldest feature sets and is included with Vulnerability Management subscriptions.



Collecting data with for the Map is either referred to as performing a map or a discovery scan. The Map is very closely to the Vulnerability detection scan in terms of how it works, but at Qualys we try to reserve the word "scan" or "scanning" to Vulnerability detection, and "discovery" or "mapping" to the Map generation.


From the Domain definition that it is given as a target (for example ""), the Map will build a list of possible targets, such as by guessing host names (for example "www"). If the Domain definition also included a netblock (such as in this case: "[]"), the list of possible targets will be complemented with the provided IP addresses.


Once a list of viable targets has been established, the Map will run limited TCP port scans, a limited UDP port scans, and send an ICMP Echo Request (ping). For live targets, it will also attempt to determine the Operation System via TCP Fingerprint.


The discovery activity can either be launched from an external Appliance hosted by Qualys for targets on internet facing resources, or using an Appliance (physical or virtual) to connect with targets that cannot be reached from the internet.


See "How does QualysGuard mapping work?" for a more complete discussion, or "Discovery Scans- How does the scanner determine which port(s) to use?" for a focussed view on the limited port scanning.


Scan without Authentication

Alongside the Map, the non-authenticated scan is amongst the oldest features of Qualys Vulnerability Management service.


Using Qualys' vulnerability detection capabilities is commonly referred to as simply "scanning". Over the years we have expanded our platform's capabilities with authenticated scans in Vulnerability Management, the PCI Compliance service, the Policy Compliance service, and Web Application Scanning service. Now "scanning" can take on many different meanings depending on context. However, for the purpose of this document, we are only calling upon the features in Vulnerability Management.


A vulnerability scan will, in similar fashion to a Map Discovery, try to connect to a target over the network by probing different TCP and UDP ports, and establishing communication with the services available.


Just like the maps, the scans can either be launched from an external Appliance hosted by Qualys for targets on internet facing resources, or using an Appliance (physical or virtual) to connect with targets that cannot be reached from the internet.


See ["How does vulnerability scanning work?"]


Scan with Authentication

This is simply the same vulnerability scanning as described above ("Scan without Authentication") in Vulnerability Management, except that the user has provided Qualys with system credentials. This is also referred to as "trusted scanning" and is closely related to the authenticated, or "trusted", scanning you find in Policy Compliance. This fundamental idea is also shared with Web Application Scanning, where you can also run trusted/authenticated scans to analyze the application layer at the top of the stack.


But for the purpose of this document, authenticated scanning refers only to the possibility in Vulnerability Management to perform in-depth analysis of the configuration of a host locally as opposed to only the services that are made available on the network.

It is now possible for the scanner to log into a target using remote access services (such as SMB/CIFS/WMI, or SSH), and analyze the operating system locally.


Cloud Agent

Qualys' Cloud Agent is an alternative to scanning with Appliances. Typically, a scan would come from either a scanner hosted by Qualys or an Appliance hosted by the customer (see also "Map" or "Scan without Authentication" above).


Using a small piece of software that is installed on the target itself does away with many of the typical challenges that customers have had with an appliance based approach. The issues of having to scan through a firewall, of not being able to reach devices that never roam on the corporate network, or that data freshness is limited to authorized scanning windows are all resolved.


The Cloud Agent is able to deliver Vulnerability Scan and Policy Compliance data in-lieu of a classic scan from an Appliance.


However, the Agent is also able to in a "dormant" state whereby it behaves in similar fashion to the Map and only reports basic asset properties back to Qualys.


See the "Cloud Agent Getting Started Guide" for a full discussion of the Cloud Agent's requirements, deployment, configuration, and usage.



Qualys is currently working on new services that will further extend its single-pane visibility and continuous security offering. Asset Discovery will be further enhanced by the new Container Security for Docker and a Passive Scanner services.


Extending visibility beyond assets in traditional virtualization environments, Qualys Container Security performs inventory and real-time tracking of changes to containers deployed across on-premises and elastic cloud environments. Container Security identifies detailed inventory and provides advanced metadata search so users can identify assets based on multiple attributes. Additionally, they can use topology views to visualize container environment assets and their relationships. See our June 12th press release for more information.


The Passive Scanning Appliance is expected to sniff network devices and traffic, to do real-time discovery and identification, including of unauthorized devices, APT traffic and malware files. It profiles unknown device types based on traffic and activity patterns. In order to gather this information, it is being designed to connect to a mirroring port on a central switch to gain visibility across all networks. See the Qualys Cloud Platform white paper for more informaiton.




MapScan no Auth.Scan w/ Auth.Cloud AgentContainer Sec.Passive Scanner
Requires an appliance to be deployed that is able to reach the targets for internal discovery.

Subject to contracted subscription license and may incur additional fees.❌ (1)
Requires you to have valid login credentials for the target system.
Able to go beyond original scope definition to identify related targets.
Requires you to deploy agent software on target systems.
Generates list of live systems by sweeping through the network.
Generates list of installed software.
Generates list of open ports.❌ (4)❌ (2)
Generates list of listening services.❌ (3)
Generates list of installed operating systems.❌ (4)
Track asset data in Asset View dashboard.
Available now.


(1): At time of writing the Cloud Agent is included in a Vulnerability Management subscription at no additional cost only for Asset Management. Enabling Vulnerability Management and/or Policy Compliance on the Agent incurs additional subscription fees.


(2): Whilst the Passive Scanner is expected to generate lists of open ports, this list will be limited to the ports that were actively in use. Ports on which there is no traffic will not be detected as being open.


(3): Listening service refers to a specific protocol (SMTP, HTTP, etc) that is on a given port, not the daemons/services that might have been started on a given host, which the Authenticated Scan and Cloud Agent are able to report upon.


(4): The Cloud Agent will report the Operating System that is was installed on, but it will not be able to sweep the network and browse.

1 person found this helpful