Best Practices for Scanning

Document created by Qualys Documentation Employee on Oct 4, 2012Last modified by Qualys Documentation Employee on Feb 4, 2016
Version 5Show Document
  • View in full screen mode

Here are a few scanning best practices from our Support team.


Identify and prioritize assets

It's important to identify your networked devices and specify which have the highest priority. Launch maps to discover your network and learn more about the IP addresses it contains. Use workflows in the map results to create asset groups containing your network IP addresses and domains.


Check network access to scanners

In order to protect your network from external and internal threats, scanners must be able to access target hosts. Be sure that your network permits access to the scanners to be used. Log into your Qualys account and go to Help > About to see information about the external scanners and scanner appliances for your account. The About page lists IP addresses for the service's external scanners that you might need to whitelist, a list of URLs scanner appliances must be able to contact.


Limit the scope of your first scans

For best results, limit the scope of your first scans instead of scanning your entire network. Start with one host, then a few hosts, move to a subnet or organizational unit, and then to an entire Class B or Class C. By limiting the scope of your first scans you can better understand how much scan traffic your environment can handle, and your scan results and remediation tasks will be more manageable.


Be aware when scanning non-standard and legacy devices

We make a significant effort to perform security audits in a nondestructive and non-intrusive fashion. However, under certain circumstances, such as when systems have not been kept up to date for some period of time, these systems may be impacted. Non-standard devices (such as printers, VOIP phones) and legacy devices (such as mainframes, devices with old operating systems, end of life devices) may have weaknesses in the devices themselves or not enough resources to be able to handle the scan traffic required for a modern day security scan.


Schedule your scans

Setup scheduled scans so that scans run automatically and you receive scan results daily, weekly, or monthly. Running scheduled scans allows you to reduce time spent running scans and freeing time for other tasks including remediation and reporting. Regular scan results become the basis for the most meaningful trend reporting.


Consult your network group for scanner placement

It's highly recommended that you work with your network group to determine where to place scanner appliances in your environment. Some things to consider: place scanner appliances as close to target machines as possible, and make sure to monitor and identify any bandwidth restricted segments or weak points in the network infrastructure. Scanning through layer 3 devices (such as routers, firewalls and load balancers) could result in degraded performance so you may consider using our VLAN tagging feature (VLAN trunking) to circumvent layer 3 devices to avoid potential performance issues.


Avoid scanning through a firewall from the inside out

Problems can arise when scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance is sitting in the protected network area and scans a target which is located on the other side of the firewall. We recommend placing scanner appliances in your network topology in a way that scanning and mapping through a firewall from the inside out is avoided if possible.

2 people found this helpful