AnsweredAssumed Answered

Effect of number of scanners on scan traffic

Question asked by Janosch Hoffmann on Jul 16, 2019
Latest reply on Jul 16, 2019 by Busby



I am wondering how the number of scanner appliances that is used for one vulnerability scan is affecting the scan traffic and the number of scans that can be run in parallel.


Our situation is as follows:
We have several networks whose assets are grouped in multiple asset groups. We also have multiple scanner appliances.
All of the networks can be reached by all of the scanner appliances.
There are also a number of different firewalls seperating the scanners from the target networks. (The scanners are whitelisted.)
We assume that each target network is scanned over a single firewall.
According to experience, too many simultaneous connections over one firewall can overload that firewall.
Therefore we try to avoid multiple scans over a single firewall at any given time.
I.e. we run multiple scans in parallel but only a single scan over each firewall.


Two ways of dealing with that situation come to my mind:
(Let's assume that we have two appliances A and B and two networks X, which is protected by firewall FW1, and network Y, which is protected by firewall FW2.)
  1) We assign different appliances to the different networks.
    So in the example, appliance A scans network X over FW1 and appliance B scans network Y over FW2.
    Both scans are run in parallel. This is not a problem, since there is running only a single scan over any given firewall    at any given time.
    By doing that, we limit the number of appliances that scan over a given firewall at the same time.
    The disadvantage of this approach is that we have to assign a specific appliance to each network.
    It's also harder to achieve the same load for each appliance, since network X may contain much more active hosts    than network Y.
    This is the approach we currently use.
2) We assign all of the appliances to each network/scan.
    So in the example, we run two scans in parallel, one on network X and one on network Y.
    We also assign both appliances (A and B) to each scan.
    This would make managing the scans much simpler.


So now my question is, is it safe to use the second approach instead of the first?
Or can this increase the number of concurrent connections over a single firewall significantly?
Please note that, unlike the example, we have 6 appliances in total and we currently use 2 appliances per scan.


When configuring the option profile, the "help tips" for the "Hosts to Scan in Parallel" option say:
"Set the maximum number of hosts to scan at the same time (PER SCAN TASK)." (not per scanner appliance)
This lets me assume that the number of appliances does not affect the scan traffic after surpassing a certain value.
Is this assumption reasonable?


If the number of concurrent connection does increase with the number of appliances per scan, can we compensate that by reducing the "Hosts to Scan in Parallel" parameter?


Another question is, are we still able to run multiple scans in parallel when we assign all of the appliances to each scan?
Assume that we would run 2 scans in parallel and we assign (the same) 100 scanner appliances to each scan.
Is the number of concurrent connections limited by the option profile?
And can the two scans still run in parallel because Qualys knows that it doesn't need all 100 appliances for a single scan and can therefore use the excessive appliances for the second scan?

I'm sorry for the length of my question.