Qualys Network Security Audit FAQ
- What is network discovery?
- What is an Inference-Based Scanning Engine?
- How does Qualys find vulnerabilities and characterize network systems?
- What types of devices does Qualys analyze during a scan?
- How many different types of vulnerabilities do you detect?
- What happens after Qualys detects a vulnerability? Do you provide information to help me correct the problem?
- Can I customize or configure Qualys scans to meet my needs?
- What impact will Qualys have on my network?
- How is the service bandwidth-efficient?
- How does the scanning service test a network for a Denial of Service (DoS) attack without bringing down the server or network device?
- How does Qualys audit remote database servers?
- Do firewalls interfere with Qualys scans?
- Does Qualys look for viruses, backdoors, and trojans?
- Does Qualys look for SNMP vulnerabilities?
What is network discovery?
Network discovery consists of the processes Qualys performs to identify each device that resides on your network. The result of the network discovery process is a map of all devices found. This map can be viewed in graphical or text format. In particular, the network map depicts:
- Network topology
- Access points to the network
- Machine names
- IP addresses
- Operating Systems
- Discovered services, such as HTTP, SMTP, Telnet, etc.
Below is a sample network map:
Figure 1 – Sample Graphical Network Map
The network map can be downloaded in multiple formats, including PDF, ZIP (HTML), XML, MHT and CSV. Qualys also provides a tool for importing a network map from XML to Microsoft Visio.
What is an Inference-Based Scanning Engine?
Qualys conducts audits using its Inference-Based Scanning Engine, an adaptive process that intelligently runs only tests applicable to the host being scanned. Depending on the host profile discovered for each device (for example, operating system and version, ports and services), Qualys selectively runs tests applicable to the target device.
How does Qualys find vulnerabilities and characterize network systems?
Qualys uses an inference-based scan engine to find vulnerabilities. Each scan begins with a pre-scan module that fingerprints the host by sending a series of specially crafted packets and interpreting the responses. Qualys identifies the host operating system, running services, and open ports with a stated accuracy exceeding 99%. Once this information has been captured, the inference-based scan engine selects only the vulnerability checks that apply to that profile, runs them, and interprets the results. This two-stage approach (pre-scan, then inference-based selection of checks) shortens the scan, reduces both the traffic placed on your network and the number of probes sent to each system, and improves overall accuracy, since checks are not run against platforms where their results would be meaningless.
What types of devices does Qualys analyze during a scan?
Qualys assesses the security risk of any networked IP device. This includes routers, switches, hubs, firewalls, servers (all common operating systems), workstations, desktop computers, printers, and wireless access devices.
How many different types of vulnerabilities do you detect?
Qualys scans for more than 20,000 vulnerabilities across hundreds of applications and operating systems, maintained in the Qualys Vulnerability KnowledgeBase. New vulnerability signatures are added to the KnowledgeBase every day, and these updates are made available to all Qualys users automatically. To guard against regressions in accuracy, the complete KnowledgeBase is regression-tested each time it is updated.
What happens after Qualys detects a vulnerability? Do you provide information to help me correct the problem?
For each vulnerability detected, Qualys reports detailed information, including:
Host Information: IP address, hostname & Fully Qualified Domain Name (where available), operating system, and asset group(s).
Vulnerability Information: vulnerability severity, description of the threat posed by the vulnerability, recommendation for correcting the problem (including links to vendor sites), and the result, if available, which shows how Qualys verified the vulnerability. These fields can be customized for every signature in the Qualys Vulnerability KnowledgeBase.
Qualys reports can be customized so the user only views and/or prints the vulnerability assessment data that is of interest to them.
Can I customize or configure Qualys scans to meet my needs?
Yes. Qualys scans are completely customizable. Users can choose to run vulnerability scans either on demand or on a scheduled basis. Each scan can be set to run every applicable vulnerability check (as determined by the inference-based scan engine) or a scan can be performed looking for a subset of vulnerabilities. Further, scans can be run against a single IP address, a group of assets, a subnet / network range, or against an entire network and/or domain.
Several customization options are available. When running a scan, the following settings can be adjusted:
- TCP ports scanned
- UDP ports scanned
- Load balancer detection
- Performance settings
Users can customize vulnerability scoring within Qualys through its support for the Common Vulnerability Scoring System (CVSS). CVSS is an open industry standard for expressing vulnerability severity and risk; its temporal and environmental metric groups let an organization adjust a published score to reflect its own environment rather than relying on the base score alone.
User customizable scoring is based on three criteria:
- Base – Fundamental, unchanging qualities of the vulnerability
- Temporal – Time dependent qualities of the vulnerability
- Environmental – Implementation and environment specific qualities of the vulnerability
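The following is an added worked example, not part of the original FAQ and not Qualys' own code, showing how the three CVSS layers listed above combine into a single score. The FAQ does not name a CVSS version, so the CVSS v2 equations and metric weights are assumed; the function names and the vector strings in the usage section are the example's own, constructed for illustration.

```python
"""CVSS v2 base, temporal and environmental scoring (added example; not Qualys code).

The three layers the FAQ lists are the CVSS v2 equation groups. Metric weights
are the published CVSS v2 values; vectors in the usage section are constructed.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights: Access Vector, Access Complexity, Authentication, C/I/A impact
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},
}
# Temporal weights: Exploitability, Remediation Level, Report Confidence (ND = not defined)
TEMPORAL = {
    "E":  {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}
# Environmental weights: Collateral Damage Potential, Target Distribution,
# and the organisation's Confidentiality / Integrity / Availability Requirements
ENV = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD":  {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}


def _parse(vector, table):
    """Turn 'AV:N/AC:L/...' into {metric: weight}, rejecting unknown or missing fields."""
    out = {}
    for field in vector.split("/"):
        name, value = field.split(":")
        if name not in table or value not in table[name]:
            raise ValueError("unknown CVSS v2 metric %r" % field)
        out[name] = table[name][value]
    missing = set(table) - set(out)
    if missing:
        raise ValueError("missing metrics: %s" % sorted(missing))
    return out


def _round1(x):
    """CVSS round_to_1_decimal is conventional half-up, not Python's banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _impact(c, i, a):
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def _base_from_impact(impact, exploitability):
    if impact == 0:
        return 0.0                      # f(Impact) = 0: no impact means no score
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176)


def cvss2_base_score(base_vector):
    """Base: fundamental, unchanging qualities of the vulnerability."""
    m = _parse(base_vector, BASE)
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    return _base_from_impact(_impact(m["C"], m["I"], m["A"]), exploitability)


def cvss2_temporal_score(base_vector, temporal_vector):
    """Temporal: time-dependent qualities (exploit maturity, fix availability, confidence)."""
    t = _parse(temporal_vector, TEMPORAL)
    return _round1(cvss2_base_score(base_vector) * t["E"] * t["RL"] * t["RC"])


def cvss2_environmental_score(base_vector, temporal_vector, env_vector):
    """Environmental: the same flaw rescored against the organisation's own requirements."""
    m, t, e = _parse(base_vector, BASE), _parse(temporal_vector, TEMPORAL), _parse(env_vector, ENV)
    # Security requirements scale each impact component; the adjusted impact is capped at 10
    adjusted_impact = min(10.0, _impact(m["C"] * e["CR"], m["I"] * e["IR"], m["A"] * e["AR"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    adjusted_temporal = _round1(_base_from_impact(adjusted_impact, exploitability) * t["E"] * t["RL"] * t["RC"])
    return _round1((adjusted_temporal + (10 - adjusted_temporal) * e["CDP"]) * e["TD"])


if __name__ == "__main__":
    # Constructed vectors: remotely exploitable, partial C/I/A impact, proof-of-concept
    # exploit available, official fix published, confirmed by the vendor.
    base, temporal = "AV:N/AC:L/Au:N/C:P/I:P/A:P", "E:POC/RL:OF/RC:C"
    print("base         ", cvss2_base_score(base))
    print("temporal     ", cvss2_temporal_score(base, temporal))
    # Same flaw where confidentiality, integrity and availability all matter highly...
    print("environmental", cvss2_environmental_score(base, temporal, "CDP:N/TD:H/CR:H/IR:H/AR:H"))
    # ...and where only a quarter of the estate is exposed to it
    print("environmental", cvss2_environmental_score(base, temporal, "CDP:N/TD:L/CR:M/IR:M/AR:M"))
```

Running the usage section shows the point the FAQ is making: the same flaw scores 7.5 (base), 5.9 once a proof-of-concept exploit and an official fix are factored in, 6.9 on hosts whose C/I/A requirements are all rated high, and 1.5 where only a quarter of the estate is exposed. The environmental metrics are the ones a user of the scanner controls; the base metrics come with the signature.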
What impact will Qualys have on my network?
Qualys is designed to minimize both the audit time as well as the network bandwidth it uses. Thus, its impact on network traffic load is minimal. In addition, if Qualys detects that the target host or network performance deteriorates during a scan, Qualys will adapt dynamically and reduce the scan speed.
How is the service bandwidth-efficient?
Qualys allows the load placed on the machines being scanned to be set to low, normal, high, or a custom level. During the scan it monitors round-trip time (RTT) to the targets and dynamically adjusts the load to stay within the selected setting. Furthermore, Qualys only runs the vulnerability checks appropriate to the type of machine scanned (for example, no test specific to Windows operating systems is run against a Linux machine), so no bandwidth is spent on checks that cannot apply.
How does the scanning service test a network for a Denial of Service (DoS) attack without bringing down the server or network device?
When Qualys tests for a Denial of Service (DoS) vulnerability on a host, it sends specially crafted packets that are designed to not impact the host availability. By analyzing the host's response, Qualys can determine if the host is vulnerable to a DoS attack without flooding it with traffic and causing a service interruption.
An additional method of verifying that a host is susceptible to a DoS attack without jeopardizing its stability is authenticated scanning: rather than probing the vulnerable code path remotely, the scanner logs in and inspects installed software versions and configuration. User credentials can be supplied to perform authenticated audits against hosts, which allows deeper assessment of the devices. Qualys supports Windows, UNIX (via SSH, Telnet, and/or rlogin), SNMP, and Oracle authentication methods. Note that Telnet and rlogin transmit the scanner's credentials in cleartext, so SSH should be preferred wherever the target supports it.
How does Qualys audit remote database servers?
Most vulnerability assessment tools require passwords or manual configuration to scan databases. In contrast, Qualys detects and audits databases, including PostgreSQL, Oracle, SQL Server, MySQL, and Sybase, without requesting any credentials or configuration information. Qualys searches for vulnerabilities and misconfigurations that may lead to information leaks, theft of data, intrusion, or denial of service, all without authenticating to the database.
Qualys also supports Oracle authenticated scans to perform even deeper audits of the configuration settings of an Oracle database.
Do firewalls interfere with Qualys scans?
A firewall between the scanner and the target does not block the audit; it becomes part of it. Qualys tests the effectiveness of the firewall itself together with the applications and services the firewall exposes, such as Web, FTP, and mail services. Services the firewall does not expose are, by the same token, not visible from that vantage point, so an audit from outside the perimeter assesses what an outside attacker can reach rather than every service on the host.
Does Qualys look for viruses, backdoors, and trojans?
Yes. Qualys identifies viruses, backdoors, worms, trojans, and other malicious applications using several techniques. Each malicious application leaves a characteristic footprint on an infected host, and Qualys detects it by sending specially crafted packets to the assessed hosts and analyzing the responses. In addition, by inventorying every open TCP and UDP port on the scanned hosts and identifying the service listening on each, Qualys can recognize a malicious application by the listener it exposes. Authenticated scanning lets Qualys detect malicious software on a host even when it has no listening service.
Does Qualys look for SNMP vulnerabilities?
Yes. Qualys automatically detects whether a system is SNMP-enabled during host discovery. The inference-based scan engine then attempts to read the device's Management Information Base (MIB). If it succeeds, the SNMP information tree is displayed in the scan report, together with the method used to "walk" the MIB (for example, a public, private, or other default community string, or an easily guessed community string). A deeper audit is available through the SNMP authentication feature, which lets users supply the community strings actually in use in their environment so that the scanner can read the MIB of devices that are not exposed by a default string.
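As an added example (not part of the FAQ and not Qualys' code), the following Python shows the first step of the MIB-access check described above: an SNMPv2c GetRequest for sysDescr.0 is encoded in BER, the real SNMP wire format, and sent under each candidate community string; whichever string the agent answers with a GetResponse is the one a report would flag as default or easily guessed. The function names, the candidate list, and the `fake_agent` that stands in for the network are the example's own; in practice the `exchange` callable passed to `probe_communities` would send the datagram to UDP port 161 and return the reply.

```python
"""SNMPv2c community-string probe (added example; not Qualys code).

Builds a GetRequest for sysDescr.0 under each candidate community string and
reports the first one the agent answers. BER framing below is the SNMP wire
format; the agent used in the demonstration is a constructed stand-in.
"""
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"
# Constructed candidate list: the kind of strings a report calls "default" or "easily guessed"
DEFAULT_COMMUNITIES = ["public", "private", "cisco", "admin"]
SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def _tlv(tag, body):
    """BER type-length-value; long-form length once the body reaches 128 bytes."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _integer(n):
    return _tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]            # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                             # base-128, continuation bit on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(OID, bytes(out))


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_pdu(pdu_tag, community, request_id, oid, value=b"", value_tag=NULL):
    """SNMPv2c message (version field 1; SNMPv1 would be 0) carrying one varbind."""
    varbind = _tlv(SEQUENCE, _oid(oid) + _tlv(value_tag, value))
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0) + _tlv(SEQUENCE, varbind))
    return _tlv(SEQUENCE, _integer(1) + _tlv(OCTET_STRING, community.encode()) + pdu)


def parse_response(packet):
    """Return (community, request_id, [(oid, value_bytes)]) for an error-free GetResponse, else None."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        return None
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != GET_RESPONSE:
        return None
    _, req_id, pos = _read_tlv(pdu, 0)
    _, status, pos = _read_tlv(pdu, pos)
    _, _index, pos = _read_tlv(pdu, pos)
    _, vblist, _ = _read_tlv(pdu, pos)
    if int.from_bytes(status, "big", signed=True) != 0:
        return None
    bindings, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = _read_tlv(vblist, pos)
        _, oid, p = _read_tlv(vb, 0)
        _, value, _ = _read_tlv(vb, p)
        bindings.append((_decode_oid(oid), value))
    return community.decode(errors="replace"), int.from_bytes(req_id, "big", signed=True), bindings


def probe_communities(exchange, candidates=DEFAULT_COMMUNITIES):
    """Try each community string; return (string, sysDescr) for the first the agent answers."""
    for i, community in enumerate(candidates, start=1):
        reply = exchange(build_pdu(GET_REQUEST, community, i, SYS_DESCR_0))
        parsed = parse_response(reply) if reply else None
        if parsed and parsed[1] == i and parsed[0] == community:   # match request id and community
            return community, parsed[2][0][1].decode(errors="replace")
    return None


def fake_agent(packet):
    """Constructed stand-in for a device that only answers the community string 'private'."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    _, pdu, _ = _read_tlv(msg, pos)
    _, req_id, _ = _read_tlv(pdu, 0)
    if community != b"private":
        return None                            # real agents silently drop a wrong community string
    return build_pdu(GET_RESPONSE, "private", int.from_bytes(req_id, "big"),
                     SYS_DESCR_0, b"Constructed router, IOS-like banner", OCTET_STRING)


if __name__ == "__main__":
    print(probe_communities(fake_agent))
```

A silent drop rather than an error is the normal response to a wrong community string, which is why the probe treats "no reply" as failure and moves on, and why the request id is checked before a reply is accepted. With a real transport the same function reports which string opened the MIB, which is the "method used to walk the MIB" that the scan report records.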