5861 Views 7 Replies Latest reply: May 23, 2012 3:22 AM by JHo
JHo Level 1 4 posts since
Jan 25, 2011

Feb 7, 2011 2:07 AM

Mobile clients scan

Hello, I would like to ask for advice about how to scan mobile clients. I have quite a large amount of laptop users, and I need to scan their computers for vulnerabilities, let's say once a month. The problem is that some of them are not regularly at the office, and my problem is how to schedule scans for the moment when they are connected.

 

Thank you for your time.

 

Jiri

  • Damian OHara Level 2 26 posts since
    Jul 28, 2010
    Feb 15, 2011 2:38 AM (in response to JHo)
    Mobile clients scan

    Hi Jiri,

     

    I was considering this same question last week.

     

    I couldn't think of a way to do it through the WebUI without just blind scanning the client list twice a day - say 10:00 and 14:00.

     

    Using the API you could select an appropriate number of scanner appliances to run continual subnet discoveries and feed back the results to an "online" list.

    That list could be checked against a "not seen in 3 days (or whatever period)" list and all those that match are put into another API call to a different scanner appliance to VA scan them.

     

    Damian

  • Stephen Davis Lurker 1 posts since
    Apr 27, 2012
    Apr 27, 2012 12:43 PM (in response to JHo)
    Mobile clients scan

    Having this same issue. Anyone else have an experience that they can share?

    • jkent@qualys.com Level 4 435 posts since
      Jul 24, 2010
      Apr 28, 2012 10:56 AM (in response to Stephen Davis)
      Mobile clients scan

      I saw a fairly interesting Splunk use case where the Splunk service looks at the VPN logs for new connections, asks the Qualys data if a new device has been scanned in X days, and then, if it hasn't, kicks off a scan down the tunnel.

    • Brian Asplin Lurker 1 posts since
      Nov 18, 2010
      May 22, 2012 8:56 AM (in response to JHo)
      Re: Mobile clients scan

      Hi All,

       

      I have discussed this same challenge with our Qualys SE over the past year.  We were trying to determine how best to satisfy the SANS Critical Security Control 04 called "Continuous Vulnerability Assessment and Remediation" for both mobile and non-mobile clients.  The solution here is very similar to what we discussed.  However, let me add a few thoughts to this issue.

       

      One of our concerns was a means to provide a "safeguard" to Internet bandwidth.  For example, if there are 50 to 100 mobile clients on-line at the same time, we certainly do not want to start scans on all of them.  Would it be possible to modify the above script in such a way as to "queue" client scan status information by date/time of connection and "limit" the number of concurrent scans allowed to a maximum value to better manage impact on bandwidth?

       

      Also, as scans complete and new ones may be allowed to begin, it would make sense to confirm clients in the queue are still on-line via some PING or other means.  Knowing Qualys performance or service could be impacted by so many API calls, it would also make sense to "batch" the maximum allowed clients to scan into a single API call; again possibly through a recurring scheduled process - checking status of current/past scans, status of clients in queue, updating status and/or starting new scans every 15 minutes.

       

      I drafted the attached diagram last year as an "idea" to this overall.  I welcome your thoughts on this challenge, or how it could be perfected further and implemented in a secure manner.

       

      -Brian

       

      CSC04-AutoScan-P1.jpg

      CSC04-AutoScan-P2.jpg
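
The queue-and-cap logic discussed in this thread (queue clients by connection time, skip those scanned recently, cap concurrent scans, re-check that a queued client is still online, and release one batch per scheduler tick), as an added example that is not part of the original posts. `ScanQueue`, its method names and the `is_online` probe are hypothetical; reading connection events from VPN logs and submitting the returned batch to the scanner API in a single call are left to the caller.

```python
from datetime import datetime, timedelta


class ScanQueue:
    """Queue mobile clients by connection time and release them in capped batches."""

    def __init__(self, max_concurrent=5, rescan_after=timedelta(days=30)):
        self.max_concurrent = max_concurrent
        self.rescan_after = rescan_after
        self.waiting = {}        # ip -> connection time; dict order gives FIFO
        self.running = set()     # ips with a scan currently in progress
        self.last_scanned = {}   # ip -> time the last scan finished

    def client_connected(self, ip, when):
        """Record a connection event; queue the client only if a scan is due."""
        last = self.last_scanned.get(ip)
        due = last is None or when - last >= self.rescan_after
        if due and ip not in self.running and ip not in self.waiting:
            self.waiting[ip] = when

    def scan_finished(self, ip, when):
        """Free a slot once the scanner reports the scan as finished."""
        self.running.discard(ip)
        self.last_scanned[ip] = when

    def next_batch(self, is_online):
        """Return the clients to submit in ONE scan request on this tick."""
        free = self.max_concurrent - len(self.running)
        batch = []
        for ip in list(self.waiting):
            if len(batch) >= free:
                break
            del self.waiting[ip]
            if is_online(ip):    # clients that left are dropped; they re-queue on reconnect
                batch.append(ip)
        self.running.update(batch)
        return batch


if __name__ == "__main__":
    # Constructed sample data: four laptops connect one minute apart.
    q = ScanQueue(max_concurrent=2)
    start = datetime(2012, 5, 22, 9, 0)
    for n, ip in enumerate(["10.8.0.1", "10.8.0.2", "10.8.0.3", "10.8.0.5"]):
        q.client_connected(ip, start + timedelta(minutes=n))
    still_online = {"10.8.0.1", "10.8.0.3", "10.8.0.5"}
    print("tick 1:", q.next_batch(lambda ip: ip in still_online))
    q.scan_finished("10.8.0.1", start + timedelta(minutes=15))
    print("tick 2:", q.next_batch(lambda ip: ip in still_online))
```

Calling `next_batch` from a job that runs every 15 minutes, after `scan_finished` has been called for each completed scan, keeps the number of scans in flight at or below `max_concurrent`.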
