Does Qualys have the ability to scan remote VPN Users connected to a corporate network?
Good talking with you yesterday. Just wanted to recap our conversation here in case anyone facing the same issue stumbles upon this thread.
If you have a Qualys scanner appliance active and scanning while the user is tunneled in to the network, then yes, Qualys will be able to do a remote scan. However, there are a lot of troublesome aspects of scanning through VPN. As my friend Busby pointed out, primarily you're dependent on the end user actually having their VPN client up and running while the scan is active. You can imagine how many hosts you'll miss in each scan because the user was off the VPN at scan time.
Secondly, bandwidth can be a huge problem if you're scanning a decent-sized range of assets. Typically the bandwidth throughput on a VPN tunnel is pretty restricted, and network scans generate a ton of traffic. I've seen many Qualys users struggle to work through scan errors and extremely long scan times when attempting to scan through a VPN. This is especially difficult when the network is using site-to-site VPN tunneling, as the networking team typically hasn't accounted for the addition of regular scanning traffic and the high bandwidth demands that it brings with it.
In summary, if you want to be able to confidently guarantee full coverage of assets off of the corporate network, then the Qualys Cloud Agent is highly recommended. As long as the host is online and connected to the internet, Qualys will be able to generate updated findings every ~4 hours, regardless of whether the host is located in corporate HQ or a Starbucks halfway around the globe.
That would kind of depend. Normally when a user is connected to a VPN there will be an IP address on the local network for that user as well as the remote. Normally the VPN should only be open when transmitting data from the client-initiated connection, but I have hit them before at the right time, but it is not reliable.
I would strongly suggest you use the Qualys Cloud Agent for systems like that.
I would strongly urge following Busby's advice - Cloud Agent.
I have tried to get around the issue here to no avail. I would go so far as to say there is only one option for VPN users - Cloud Agent. I know Qualys like to push Cloud Agent, but it is more than just talk - anything on DHCP, with mobile users connecting via various IPs (McDonald's hotspot, trains, coffee shops, etc.) would best be served with a deployment of CA.