Just need to know: is there any specific option profile, with a specific configuration, that will give a comprehensive scanning result when scanning network devices like firewalls, routers, switches, etc.?
I am waiting for any EXPERT comment on this.
Anyone from the Qualys side, kindly suggest!!
Yes, there are specific things that you should do when trying to scan network devices. Specifically, you want to be careful when scanning firewalls. How are you planning to scan them from the inside, DMZ, or outside interfaces? Also, are you planning to scan a loopback address or a specific interface? You want to be careful not to scan through a less secure interface to a more secure interface. This is because most firewalls are configured to forward that type of traffic by default and since the scanner opens up thousands of connections (by design) it can flood the translation or state tables and cause a denial of service condition.
So, if you do plan on scanning through a firewall, there is a setting in the option profile that allows you to lower the scan intensity (performance in scan options). I would recommend that you choose lower settings (low or minimum) if you do launch a scan against the firewall to help avoid this type of situation.
Regarding other network devices, you should just be able to scan as usual. However, we always recommend that you scan a small sample of devices first to understand how scans impact certain devices in your specific network configuration. Then, after you have a better understanding of that, you can slowly roll it out at a larger scale. Also, keep in mind that you can authenticate against certain network devices, such as SNMP-based or Cisco IOS devices, to provide enhanced results.
If you have more questions, please feel free to reach out to me directly by PM'ing me.
Thanks for your valuable reply.
One more question on network devices front.
Can you confirm what type of Cisco devices are supported by Qualys?
Do we have to whitelist the Qualys IP range to scan internet-facing external firewalls and routers? We want to do an external scan for these public IP addresses. Do we still need to go with an authenticated scan, or is an unauthenticated scan fine?
In addition to the other comments, I would suggest doing an external scan for those devices facing the outside, and maybe not authenticated, just to minimize credentials flying over the internet to your devices. I would run the scan from the inside as authenticated so you have a "what does the world see" versus "what it really is" comparison.
Another issue, as mentioned: you will want to watch what your firewall is logging and forwarding to, say, a SIEM. If you're logging all the traffic on the firewalls, the scanners could do a DoS on you by bogging the firewall down logging everything. You might consider whitelisting your internal scanners and maybe even the external Qualys range if needed.
You can also try certificate based authentication to your devices.
Thanks Sameer. We planned to run an unauthenticated scan with low intensity for the external-facing firewalls and routers. Are there any other specific settings we have to change in the option profile? Shall we check the options 1. Ignore firewall-generated TCP RST packets and 2. Ignore firewall-generated TCP SYN-ACK packets?
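Added example (not from this thread, and not Qualys's implementation of the two "Ignore firewall-generated ..." options): an illustrative version of the problem those options exist for. A firewall in front of the target can complete the TCP handshake itself (every port looks open) or answer blocked ports with its own RST (every blocked port looks closed instead of filtered). The code below uses two heuristics a practitioner can apply to raw probe results: SYN-ACKs on "canary" ports that are almost never genuinely open mean SYN-ACK alone proves nothing, and RSTs whose IP TTL differs from the SYN-ACK TTL were not sent by the same stack. The reply samples, the canary port list and the TTL values are constructed for the example.

```python
"""Illustrative heuristics for recognising firewall-generated SYN-ACK and RST
replies in port-scan results.  Added example; the samples below are constructed,
not captured traffic, and the method is not Qualys's implementation."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Reply:
    kind: str   # "SYN-ACK" or "RST"
    ttl: int    # IP TTL observed on the reply packet


# Assumed: high ports that are almost never genuinely listening, used as canaries.
CANARY_PORTS = (31337, 49999, 65000)


def classify_ports(replies: Dict[int, Optional[Reply]], canary_ports=CANARY_PORTS):
    """replies maps port -> Reply, or None when nothing came back before the timeout.
    Returns (states, flags): states maps port -> open/closed/filtered/unverified,
    flags records which reply kinds were judged to be firewall-generated."""
    flags = {"synack_firewall_generated": False, "rst_firewall_generated": False}

    # Heuristic 1: if every canary port "accepts" the connection, something in
    # the path completes handshakes regardless of whether a service exists.
    canaries = [replies.get(p) for p in canary_ports]
    if canaries and all(r is not None and r.kind == "SYN-ACK" for r in canaries):
        flags["synack_firewall_generated"] = True

    # Heuristic 2: RSTs that arrive with a TTL the SYN-ACKs never use come from
    # a different hop, i.e. a device in front of the target resetting blocked ports.
    synack_ttls = Counter(r.ttl for r in replies.values() if r and r.kind == "SYN-ACK")
    rst_ttls = Counter(r.ttl for r in replies.values() if r and r.kind == "RST")
    if synack_ttls and rst_ttls and not (set(synack_ttls) & set(rst_ttls)):
        flags["rst_firewall_generated"] = True

    states = {}
    for port, r in replies.items():
        if r is None:
            states[port] = "filtered"
        elif r.kind == "SYN-ACK":
            # With a handshake-completing firewall, SYN-ACK is not evidence of a
            # service; the port needs an application-layer check before reporting.
            states[port] = "unverified" if flags["synack_firewall_generated"] else "open"
        elif r.kind == "RST":
            # A firewall RST means "blocked", not "closed on the device".
            states[port] = "filtered" if flags["rst_firewall_generated"] else "closed"
        else:
            raise ValueError(f"unknown reply kind {r.kind!r} on port {port}")
    return states, flags


# Constructed samples (not captured traffic).
PLAIN_HOST = {22: Reply("SYN-ACK", 62), 443: Reply("SYN-ACK", 62),
              25: Reply("RST", 62), 8080: Reply("RST", 62),
              31337: Reply("RST", 62), 49999: Reply("RST", 62), 65000: Reply("RST", 62)}
SYNACK_SPOOFING_FW = {p: Reply("SYN-ACK", 63)
                      for p in (22, 443, 25, 8080, 31337, 49999, 65000)}
RST_INJECTING_FW = {22: Reply("SYN-ACK", 62), 443: Reply("SYN-ACK", 62),
                    25: Reply("RST", 63), 8080: Reply("RST", 63),
                    31337: Reply("RST", 63), 49999: None, 65000: None}

if __name__ == "__main__":
    for name, sample in [("plain host", PLAIN_HOST),
                         ("SYN-ACK spoofing firewall", SYNACK_SPOOFING_FW),
                         ("RST injecting firewall", RST_INJECTING_FW)]:
        states, flags = classify_ports(sample)
        print(name, flags, states)
```

The practical reading: if a first low-intensity pass against the external firewall shows every probed port as open, or every non-listening port as closed with no "filtered" results at all, the report is describing the firewall, not the devices behind it. That is the situation in which the "Ignore firewall-generated TCP RST packets" and "Ignore firewall-generated TCP SYN-ACK packets" options are meant to be turned on; against a plain host with no such device in the path they change nothing, as the first sample shows.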