Is there any Qualys recommendation about the number of scanner appliances or virtual scanners to deploy in a network, based on the number of IPs to scan?
I would start by trying to define roughly your goals. Scans are affected by so many criteria: size of the network, speed of the network, scan options, authenticated or not, number of vulnerabilities to scan for, etc.
You might start out something like this:
If you have a class /24, roughly 65K of possible addresses, how often do you want that scanned? One scanner can do this, it just may take a week; is that OK? In our case we had a /16 that needed a scan every day. I was seeing the scan take about 3 days with roughly 11 scanners. So I re-architected the scan. On Sunday I do a LIGHT discovery type of scan on the /16 using a network range tag. Then the rest of the week I do a full scan on the same tag, just not as a network range. Out of that /16 there are fewer than 600 active hosts. Now the scan takes a few hours as opposed to days.
So that meets the criteria for that subnet.
I think you will get a better discussion with your TAM if you kinda map out your requirements. You will not get it perfect, but it will give you a decent idea, and then you will need to consistently watch to make sure you're not exceeding any thresholds. You might be able to do a more aggressive scan as well.
Max, there are a few items you'll need to identify:
- how many IPs do you plan to scan?
- how often you'll be scanning them?
- how many ports are you going to target?
- are you going to do Complete scans?
- do you have a time limit within which you'd like your scans to complete?
I agree with David - it's best to discuss with your TAM. He'll be able to evaluate your network and make recommendations.
Our Documentation | Qualys, Inc. page contains a section dedicated to appliances.
I like to break up scans into digestible pieces. Rather than attempting to scan a huge range of IPs in a single scan that can take 3 days to complete, I recommend investing time into investigating your network, how management likes to report on things, how patch management is performed, and how inventory is maintained (sunrise/sunset). Based on the results of your research, you may want to consider scanning by a logical grouping, such as region, location, function, infrastructure segment, IPv4 and IPv6 CIDR groupings, physical assets by external/internal/endpoints, virtual assets by external/internal/endpoints, network assets external/internal, wireless private/public, regulatory PCI/SOX/PII/HIPAA, Printers, Telecom, AV, Security cameras and entry points.
Keep in mind, fewer scans is not always a good solution. Often, smaller scans, executed with a custom scan option profile perhaps set at a normal bandwidth, with standard TCP/UDP ports selected is the way to go. Not to mention, it's much easier to download and interrogate the result of a scan performed on a smaller scope. CSVs on large scans contain 10s of thousands of records. And a PDF, well, PDFs are huge and unmanageable. Remember, digestible pieces!
Again, reiterating what others have already suggested, engage your TAM to share experience and expertise.
You may also want to take a look at our self-paced training options to learn more: Training and Certification | Qualys, Inc. Perhaps start with Scanning Strategies and Best Practices on Vimeo.
scanner best-practices training
Good luck on your journey of discovery (pun intended)...
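The two ideas in this thread, a light discovery pass over the whole range followed by full scans of only the live hosts, and splitting the full scan into digestible per-subnet jobs, can be sketched in a few lines of planning code. The block below is an added example and is not Qualys code; the CSV layout it parses is a constructed stand-in for a discovery-scan export, and the `status` values, job size cap and subnet prefix are assumptions you would adjust to your own export and option profile.

```python
"""Two-phase scan planning: a light discovery pass over the whole range,
then full scans only of live hosts, split into per-subnet jobs.

Added example; not Qualys code. The CSV layout and status strings below
are a constructed stand-in, not the real Qualys export format.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of a discovery-scan export: one row per probed address.
DISCOVERY_CSV = """ip,status
10.20.1.10,host alive
10.20.1.11,host not alive
10.20.1.12,host alive
10.20.1.13,host alive
10.20.2.5,host alive
10.20.2.6,host alive
10.20.2.7,host alive
10.20.3.200,host not alive
10.20.4.1,host alive
"""


def live_hosts(discovery_csv: str, scope: str) -> list:
    """Return the live addresses from the discovery export that fall inside
    `scope` (a CIDR string such as "10.20.0.0/16"), de-duplicated and sorted."""
    net = ipaddress.ip_network(scope, strict=False)
    live = set()
    for row in csv.DictReader(io.StringIO(discovery_csv)):
        ip = ipaddress.ip_address(row["ip"].strip())
        # "host alive" is the assumed marker for a responding host.
        if ip in net and row["status"].strip().lower() == "host alive":
            live.add(ip)
    return sorted(live)


def scan_jobs(hosts, prefix: int = 24, max_hosts: int = 256) -> list:
    """Group live hosts by their /prefix subnet, then cap each job at
    `max_hosts` addresses. Returns (subnet, [ip, ...]) tuples, one per
    scan launch, so each result set stays small enough to review."""
    by_subnet = defaultdict(list)
    for ip in hosts:
        subnet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_subnet[subnet].append(ip)
    jobs = []
    for subnet in sorted(by_subnet):
        ips = by_subnet[subnet]
        for start in range(0, len(ips), max_hosts):
            chunk = [str(x) for x in ips[start:start + max_hosts]]
            jobs.append((str(subnet), chunk))
    return jobs


def coverage_reduction(scope: str, hosts) -> float:
    """Fraction of the full address range the weekly full scan no longer
    has to touch once it targets live hosts only."""
    total = ipaddress.ip_network(scope, strict=False).num_addresses
    return 1 - len(hosts) / total


if __name__ == "__main__":
    scope = "10.20.0.0/16"
    live = live_hosts(DISCOVERY_CSV, scope)
    print(f"{len(live)} live hosts in {scope}, "
          f"{coverage_reduction(scope, live):.4%} of the range skipped")
    for subnet, ips in scan_jobs(live):
        print(f"job {subnet}: {len(ips)} hosts -> {', '.join(ips)}")
```

Run it and you get one job per /24 that actually has live hosts; lowering `max_hosts` splits a busy subnet into several launches, which is the "digestible pieces" point in practice. Feed the job list to whatever schedules your scans (tags, asset groups, or the API) rather than launching the whole /16 each day.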