This document describes how to use a Qualys Virtual Scanner Appliance to scan an air gap network, i.e. a network that is not connected to the Internet or to any other network.
This document describes:
- How to configure and run a Qualys Virtual Scanner Appliance on a laptop connected to the Internet over a MiFi connection.
- Security implications of scanning an air gap network.
- Why scanning performance is equivalent to that of a Virtual Scanner Appliance with regular Internet connectivity.
This document is based on a recent RFP response to a customer.
Virtual Appliance Security Review using MiFi Configuration
In this document, a MiFi configuration refers to a specific way to install and use a Qualys Virtual Scanner Appliance running on a consultant’s laptop.
To scan air gap networks that do not provide the Internet connectivity required to manage the Qualys Virtual Scanner Appliance, the consultant sets up a wireless router that acts as a mobile WiFi hotspot and provides Internet access to the laptop over a cellular network and a mobile carrier (typically a 3G or 4G connection).
The laptop's Ethernet port is connected by cable to the air gap network and carries the scanning traffic.
- The consultant is assumed to have a powerful portable computer (minimum of 8GB RAM recommended) running a common general-purpose operating system such as Microsoft Windows, Linux, or Apple Mac OS X.
- The consultant is assumed to have a hypervisor application available on the machine, such as VMware Workstation, Player or Fusion, or Oracle VirtualBox.
- The consultant also needs to have Qualys Virtual Scanner Appliance installed as a virtual machine on top of this hypervisor.
The host machine should be configured with a LAN connection to the isolated internal network. In addition, the MiFi device will provide a second network connection and Internet access to the host machine, via WiFi.
The hypervisor application should be configured to present two network adapters to the Qualys Virtual Scanner Appliance. These two network adapters should be mapped to the corresponding physical network adapters on the host machine, as follows:
- The first listed network adapter should be mapped/bound to the physical LAN adapter of the host machine. This interface should be configured in bridged networking mode.
- The second listed network adapter should be mapped/bound to whichever adapter on the host machine is associated with the MiFi connection.
Qualys Virtual Scanner Appliance
The scanner appliance virtual machine should have both of its network interfaces enabled.
- The eth0 interface on the appliance should naturally map to the first network adapter presented by the hypervisor. This is the LAN interface from a Qualys perspective.
- The eth1 interface on the appliance should naturally map to the second network adapter presented by the hypervisor. This is the WAN interface from a Qualys perspective.
Example: VMware Workstation 9 on Windows 7
Step 1 (optional): Install a physical Ethernet adapter if your laptop does not provide one by default; keep the existing VMnet settings intact.
Step 2: Make sure the LAN cable (Ethernet to the scanning network) is not plugged into the laptop, and establish the WiFi connection to the MiFi device.
Step 3: Open the Virtual Network Editor (defaults shown below).
Step 4: Add two VMnet interfaces (VMnet5 and VMnet6) and bind each to a local adapter as shown below:
- VMnet5: Bridged to the WiFi (MiFi-connected) adapter
- VMnet6: Bridged to the LAN (scanning target) adapter
Step 5: Edit the Qualys Virtual Appliance settings:
- Network Adapter (LAN - eth0): Set to Custom VMnet6
- Network Adapter 2 (WAN - eth1): Set to Custom VMnet5 (MiFi)
Step 6: Power on the Virtual Scanner Appliance and set up the split network configuration (refer to the Scanner Appliance User Guide, available from the Qualys resource section under Help > Resources):
- Enable WAN within the console.
- Set it to use DHCP (the MiFi provides a DHCP service by default). The MiFi device will then show two clients present.
- Once WAN is enabled, plug in the LAN cable and configure LAN within the console.
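The adapter mapping in Steps 4 and 5 is the part of this setup that is easy to get wrong (an adapter left on NAT, both adapters on the same VMnet, or a stray third adapter), and VMware Workstation stores it in the appliance's .vmx file. The script below is an added example, not Qualys or VMware code: it parses the `ethernetN.*` keys of a .vmx file and checks that adapter 1 (LAN/eth0) is on the VMnet bridged to the scanning network and adapter 2 (WAN/eth1) on the VMnet bridged to the MiFi adapter. The VMnet numbers default to the walkthrough above (VMnet6 for LAN, VMnet5 for WAN) and can be overridden; the sample .vmx content is constructed for the demonstration.

```python
"""Check a VMware .vmx file for the two-adapter split-network layout:
adapter 1 (LAN/eth0) -> VMnet bridged to the scanning network,
adapter 2 (WAN/eth1) -> VMnet bridged to the MiFi adapter.

Added example, not Qualys or VMware code. VMnet numbers follow the
walkthrough (VMnet6 = LAN, VMnet5 = WAN); pass others as parameters.
"""
import re

# Constructed sample .vmx content (not a file from the page): adapter 1 is
# wired correctly, adapter 2 was left on NAT, and an extra third adapter exists.
SAMPLE_VMX = """\
.encoding = "windows-1252"
config.version = "8"
displayName = "Qualys Virtual Scanner Appliance"
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "VMnet6"
ethernet1.present = "TRUE"
ethernet1.connectionType = "nat"
ethernet2.present = "TRUE"
ethernet2.connectionType = "bridged"
"""

_LINE = re.compile(r'^\s*([\w.]+)\s*=\s*"([^"]*)"\s*$')


def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict (other lines are ignored)."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def adapters(cfg):
    """Return {index: (connectionType, vnet)} for every present ethernetN."""
    found = {}
    for key, val in cfg.items():
        m = re.match(r"ethernet(\d+)\.present$", key)
        if m and val.upper() == "TRUE":
            i = int(m.group(1))
            found[i] = (cfg.get(f"ethernet{i}.connectionType", ""),
                        cfg.get(f"ethernet{i}.vnet", ""))
    return found


def check_split_network(text, lan_vnet="VMnet6", wan_vnet="VMnet5"):
    """Return a list of findings; an empty list means the layout matches."""
    ads = adapters(parse_vmx(text))
    findings = []
    expected = {0: ("LAN/eth0", lan_vnet), 1: ("WAN/eth1", wan_vnet)}
    for i, (role, vnet) in expected.items():
        if i not in ads:
            findings.append(f"ethernet{i} ({role}) is missing or not present")
            continue
        ctype, actual = ads[i]
        if ctype != "custom" or actual != vnet:
            findings.append(f"ethernet{i} ({role}) should be custom/{vnet}, "
                            f"found {ctype or '?'}/{actual or '?'}")
    # Any further adapter gives the appliance a network path the design does not cover.
    for i in sorted(set(ads) - set(expected)):
        findings.append(f"ethernet{i} is an unexpected extra adapter ({ads[i][0]})")
    # Both adapters on one VMnet would put scan and management traffic on the
    # same physical link, defeating the split.
    if 0 in ads and 1 in ads and ads[0][1] and ads[0][1] == ads[1][1]:
        findings.append("ethernet0 and ethernet1 share the same VMnet")
    return findings


if __name__ == "__main__":
    for finding in check_split_network(SAMPLE_VMX):
        print("FINDING:", finding)
```

Run it against the appliance's .vmx after Step 5 and before powering on; the sample above reports two findings (adapter 2 on NAT instead of VMnet5, and an unexpected third adapter), which is exactly the state that would let management traffic leave over the wrong link.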
The Qualys Scanner Appliance is packaged as a network appliance, pre-installed with Scanner Appliance software, and pre-configured for ease of installation and deployment within an enterprise.
It is available as a physical device or as a virtual image that can be deployed on various hypervisors, including desktop and laptop virtualization products such as VMware Player, VMware Fusion and Oracle VirtualBox.
The Qualys Scanner Appliance is designed as a client-only device with no persistent services or daemons listening to the network. The scanner appliance runs a specifically hardened operating system designed to prevent shell-code and buffer overflow attacks. The scanner appliances do not require inbound Internet connections; they initiate all communications to the Qualys platform on TCP/443 over the Internet, so there is no need for inbound firewall rules.
The Qualys Scanner Appliance functions only as a network host; it has no ability to route packets, even when multiple network interfaces are active in the split network configuration. The appliance scans local systems, processes the resulting data, and then sends the processed data to the Qualys platform.
The Scanner Appliance initiates two types of IP communications: management and scanning traffic. In the MiFi configuration detailed in this document, the split network configuration works as explained below.
Management Traffic over WAN
Scanner Appliance management traffic connections are established from the Scanner Appliance to the Qualys platform over the Internet using HTTPS on TCP port 443 (SSL/TLS). The Qualys platform IP networks are known and can be used to create outbound firewall rules that restrict all outbound Internet IP communications from the scanner appliance to the Qualys platform IP networks only.
Scanning Traffic over LAN
Scanner Appliance scanning traffic connections are established from the Scanner Appliance to the target hosts configured in a particular scan job by a user of the Qualys VM application.
The Scanner Appliance applications and processes do not directly select the IP interface used to send data. Rather, they address packets to the IP address of the selected destination, and the OS kernel sends those packets out the proper IP interface using a kernel-maintained mapping table (the routing table).
In this configuration (called the split network configuration), the Scanner Appliance separates scanning traffic from management traffic: scanning traffic is sent out the LAN interface and management traffic is sent out the WAN interface. No traffic is routed or bridged between the two interfaces in either direction: nothing arriving on the WAN side is forwarded to the LAN port, and nothing from the LAN side is forwarded to the WAN port. The appliance runs no routing or bridging service.
The Scanner Appliance implements logical separation of scanning traffic and management traffic, regardless of which configuration option is used. Management traffic includes updates to software and vulnerability signatures, appliance health and status information, as well as data related to processing security scans.
Split Network Configuration Routing
When the Scanner Appliance is configured for split network configuration, the appliance routing table works as follows:
- All IP packets for which the destination IP address belongs to the IP network of the LAN IP interface are sent out the LAN Interface.
- All IP packets for which the destination IP address belongs to the IP network of the WAN IP interface are sent out the WAN Interface.
- All IP packets destined for the customer-configured proxy server (if configured) are sent out the WAN IP interface.
- All IP packets destined for the Qualys platform IP networks are sent out the WAN IP interface. These packets are routed directly, or via the customer-configured proxy server if one is configured.
- All other IP packets are sent out the LAN IP interface ("the default route").
- Customers can also add their own custom routes via the Qualys UI when the VLAN feature is enabled for their account (disabled by default). These routes take precedence over the routes listed above.
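The precedence list above determines whether a packet leaves on the LAN cable or on the MiFi link, and the outbound firewall rule mentioned under "Management Traffic over WAN" follows from the same data. The code below is an added example, not Qualys appliance code: it models that routing decision in the order the page lists it (custom routes first, then the connected LAN and WAN networks, the proxy, the Qualys platform networks, and finally the LAN default route) and derives the WAN-side egress allow list. The LAN and WAN networks and proxy address are constructed values, and `203.0.113.0/24` is a placeholder standing in for the real Qualys platform IP networks.

```python
"""Model of the split network routing precedence and the WAN egress allow list.
Added example, not Qualys appliance code: addresses are constructed, and the
platform range is a PLACEHOLDER for the published Qualys platform IP networks.
"""
from ipaddress import ip_address, ip_network

# Constructed configuration for the MiFi layout: eth0 (LAN) sits on the air gap
# network, eth1 (WAN) gets a DHCP address from the MiFi.
CONFIG = {
    "lan_net": "10.20.0.0/16",            # constructed: air gap network on eth0
    "wan_net": "192.168.1.0/24",          # constructed: MiFi DHCP network on eth1
    "proxy": None,                        # e.g. "192.168.1.50" when a proxy is configured
    "platform_nets": ["203.0.113.0/24"],  # PLACEHOLDER, not a real Qualys range
    "custom_routes": [],                  # [(network, "LAN" or "WAN")], VLAN feature only
}


def select_interface(dst, cfg):
    """Return "LAN" or "WAN" for destination dst, applying the page's precedence:
    custom routes, connected LAN and WAN networks, proxy, platform networks,
    and finally the LAN default route."""
    dst = ip_address(dst)
    for net, iface in cfg["custom_routes"]:          # customer routes take precedence
        if dst in ip_network(net):
            return iface
    if dst in ip_network(cfg["lan_net"]):
        return "LAN"
    if dst in ip_network(cfg["wan_net"]):
        return "WAN"
    if cfg["proxy"] is not None and dst == ip_address(cfg["proxy"]):
        return "WAN"
    if any(dst in ip_network(net) for net in cfg["platform_nets"]):
        return "WAN"
    return "LAN"                                      # default route


def management_leaves_only_wan(cfg):
    """True when every management destination (the proxy if configured,
    otherwise each platform network) is reached via the WAN interface."""
    if cfg["proxy"] is not None:
        return select_interface(cfg["proxy"], cfg) == "WAN"
    return all(select_interface(ip_network(net)[1], cfg) == "WAN"
               for net in cfg["platform_nets"])


def wan_egress_allow_list(cfg):
    """Destinations an outbound firewall on the WAN/MiFi side needs to allow:
    TCP/443 to the platform networks, or to the proxy when one is used."""
    if cfg["proxy"] is not None:
        return [(cfg["proxy"], 443)]
    return [(net, 443) for net in cfg["platform_nets"]]


if __name__ == "__main__":
    for dst in ("10.20.5.9", "192.168.1.1", "203.0.113.20", "198.51.100.7"):
        print(dst, "->", select_interface(dst, CONFIG))
    print("management only via WAN:", management_leaves_only_wan(CONFIG))
    print("WAN allow list:", wan_egress_allow_list(CONFIG))
```

The last sample destination illustrates the consequence of the LAN default route: an Internet address that is not a platform network (198.51.100.7 here) leaves on the LAN cable into the air gap network, where it has no path out, rather than over the MiFi. Only platform networks (or the proxy) ever use the WAN link, which is what makes the WAN-side allow list so short.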
Scanning Performance using MiFi Configuration
When a laptop is configured and set up to use the MiFi for Internet connectivity, the consultant should expect the same scanning performance as with a regular Internet connection.
To provide some real-life performance metrics, we ran benchmarks with a laptop. We used a virtual appliance to scan the same targets twice, as shown in the list provided below. The first time we used a MiFi connection; the second time we used regular Internet connectivity over a standard WiFi connection.
For the tests, we selected 30 hosts representing a wide selection of operating systems and network devices, similar to what can be found in a customer network, including Windows Server and Workstations, Linux and Unix operating systems and Cisco devices.
The Qualys Scan Option Profile
We used the scan option profile available by default in any new Qualys account. It gives the best balance between performance and vulnerability coverage. The option profile can be customized for additional coverage or faster performance by changing settings such as:
- Allowing trusted (authenticated) scans with credentials to find more vulnerabilities (this slows down the scan)
- Scanning a limited number of TCP/UDP ports (this speeds up the scan)
- Increasing the network performance using the Performance level setting
Scan Performance with Internet Connectivity over MiFi
In this configuration, the Ethernet port of the laptop is connected to the air gap network for the scanning traffic, and the Internet connectivity is provided by a MiFi device.
MiFi speed test
The MiFi was used inside a building, and the 3G reception was weak, with only one signal bar out of four. Using the website speedtest.net, the measured Internet bandwidth was:
- Download speed: 0.46 Mbps
- Upload speed: 0.30 Mbps
Scan results:
- Active Hosts: 29
- Found Vulnerabilities: 1535
- Scan Duration: 11 minutes 32 seconds
- Data sent over Ethernet (scan traffic): 137.36 MB
- Data sent over MiFi (management traffic): 1.56 MB
[Screenshots of the scan progress (first half and second half of the scan) are not reproduced here.]
Scan Performance with regular Internet Connectivity
In this configuration, the Ethernet port of the laptop is connected to the air gap network for the scanning traffic, and the Internet connectivity is directly provided over WiFi.
WiFi speed test
The speedtest.net measurement gave the standard performance figures:
- Download speed: 7.67 Mbps
- Upload speed: 8.31 Mbps
Scan results:
- Active Hosts: 28 (one host was shut down after the first scan)
- Found Vulnerabilities: 1498
- Scan Duration: 14 minutes 9 seconds
- Data sent over Ethernet (scan traffic): 128.53 MB
- Data sent over WiFi (management traffic): 0.70 MB
[Screenshots of the scan progress (first half and second half of the scan) are not reproduced here.]
Although the data above shows a slightly shorter scan time with MiFi than with regular Internet connectivity, the reported figures can vary with other activity on the systems being scanned. Given that variation, the results indicate equivalent scan-time performance across the two connection types.
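The per-interface byte counts reported above ("Data sent over Ethernet" versus "Data sent over MiFi") are the figures a consultant would want to reproduce on site, both to size the cellular data budget and to confirm that the management share of the traffic stays small and on the WAN link. The script below is an added example, not the page's or Qualys' own tooling: it assumes a Linux host (one of the host operating systems listed earlier), reads the kernel's per-interface counters from /proc/net/dev before and after a scan, and attributes sent bytes on the Ethernet interface to scan traffic and sent bytes on the MiFi WiFi interface to management traffic. The interface names (eth0, wlan0) and both counter snapshots are constructed for the demonstration.

```python
"""Attribute a scan's traffic to the host's two interfaces from /proc/net/dev.
Added example, not the page's or Qualys' tooling; assumes a Linux host.
Interface names and the two snapshots below are constructed.
"""

MB = 1024 * 1024


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from the text of /proc/net/dev.
    Layout: two header lines, then "iface: <8 receive fields> <8 transmit fields>",
    with rx bytes as the first field and tx bytes as the ninth."""
    counters = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 9:
            continue
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def read_counters(path="/proc/net/dev"):
    """Live snapshot on a Linux host (the constructed run below does not use it)."""
    with open(path) as fh:
        return parse_proc_net_dev(fh.read())


def traffic_delta(before, after):
    """Bytes moved per interface between two snapshots, as (rx, tx)."""
    return {iface: (after[iface][0] - before[iface][0],
                    after[iface][1] - before[iface][1])
            for iface in after if iface in before}


def scan_report(before, after, lan_iface, wan_iface):
    """Split the deltas by role: bytes sent on the LAN cable are scan traffic,
    bytes sent on the MiFi link are management traffic (plus anything else the
    host itself did on that link during the scan, so keep the host idle)."""
    delta = traffic_delta(before, after)
    scan_tx = delta[lan_iface][1]
    mgmt_tx = delta[wan_iface][1]
    return {
        "scan_tx_bytes": scan_tx,
        "mgmt_tx_bytes": mgmt_tx,
        "scan_tx_mb": round(scan_tx / MB, 2),
        "mgmt_tx_mb": round(mgmt_tx / MB, 2),
        "mgmt_share_pct": round(100.0 * mgmt_tx / scan_tx, 2) if scan_tx else None,
    }


# Constructed snapshots (not real captures), in the /proc/net/dev format.
BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0:  1000000    2000    0    0    0     0          0         0  5000000    3000    0    0    0     0       0          0
 wlan0:   800000    1500    0    0    0     0          0         0   400000     900    0    0    0     0       0          0
"""

AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0: 60000000  400000    0    0    0     0          0         0 149000000  500000    0    0    0     0       0          0
 wlan0:  2300000    4000    0    0    0     0          0         0  2040000    3500    0    0    0     0       0          0
"""


def demo():
    """Report for the constructed snapshots: eth0 is the LAN cable, wlan0 the MiFi link."""
    return scan_report(parse_proc_net_dev(BEFORE), parse_proc_net_dev(AFTER),
                       "eth0", "wlan0")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real run, take `read_counters()` immediately before launching the scan and again when the scan finishes, and pass the two dicts to `scan_report` with the host's actual interface names; a management share of a few percent, all on the WAN interface, is the pattern the benchmarks above show.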