About Compliance Scanning

Compliance Scanning is available in subscriptions with the compliance module enabled.

Compliance Scanning analyzes the policy compliance of your network, using a catalogue of technical controls that is hosted by the service. The technical controls pertain to operating systems and applications, referred to as technologies, which are the building blocks for compliance policies. When you launch or schedule compliance scans, the service safely and accurately measures compliance against the technical controls catalogue using its Inference-Based Scanning Engine, an adaptive process that intelligently runs only tests applicable to each host scanned. The impact of scans on your network load is minimal because the service samples your available bandwidth and then uses a fixed amount of resources.

The Technical Controls catalogue is constantly updated, as controls are added and updated. Each control may apply to one or more technologies and may include one or more individual compliance checks. For this reason, it's best practice to schedule network security audits regularly to minimize potential risk and ensure constant compliance. We recommend scheduling routine weekly scans plus running an on demand scan whenever new network devices are introduced or configurations are updated.

Successful authentication to hosts is required for obtaining in-depth compliance data used for policy compliance analysis. See Getting Started with Trusted Scanning and Additional Requirements for Compliance and FDCC Scans.

External scanning at the network perimeter is available to all users (with scanning privileges) using the external scanners. Internal scanning of private use internal IPs is supported using scanner appliances, installed inside the corporate network. With scanner appliances you have more scanner options to apply to each scan task. You may select a scanner appliance to send the scan task to a particular appliance, or you may select the scanner parallelization option to distribute the scan task across multiple scanners in target asset groups to improve scan performance. See Scanner Parallelization to learn more.


How does Compliance Scanning work?

There are several events that take place during the compliance scanning process. The standard behavior for each of these events is described below. To change the standard behavior, customize settings in your compliance profile, and then apply the customized profile to your compliance scan.


Host Discovery

The service checks the availability of each target host. For each host it determines whether the host is reachable, whether it appears to be down, and whether it drops all connections. It pings each target using ICMP, TCP and UDP probes; the TCP and UDP probes go to the default ports of common services such as DNS, Telnet, SMTP, HTTP and SNMP. If at least one probe draws a response, the host is considered "alive." If a host is not "alive", the scan does not proceed for that host, so a host whose firewall silently drops every one of these probes is left out of the scan rather than reported as non-compliant.

The types of probes sent and the list of ports used during host discovery are configurable in your compliance profile; adjust them when hosts you know to be up are being reported as not alive.

After host discovery, these events occur dynamically: port scanning, operating system detection, service discovery and authentication to hosts.

Port Scanning

The service finds all open TCP and UDP ports on target hosts.

OS Detection

The service attempts to identify the operating system installed on target hosts. This is accomplished through TCP/IP stack fingerprinting, OS fingerprinting on redirected ports, and is enhanced by additional information gathered during the scan process, such as NetBIOS information gathering.

Service Discovery

When a TCP or UDP port is reported as open, the scanning service uses several discovery methods to identify which service is running on the port, and confirms the type of service running to obtain the most accurate data.

Authentication

Authentication to target hosts is required for a compliance scan. The service authenticates to each target using the credentials defined in the authentication records in your account. If authentication to a host fails, processing for that host stops and the compliance assessment phase does not run, so the host produces no compliance data for that scan.

Compliance Assessment

Using the information gathered about each target host in the previous scanning steps, the service begins compliance assessment. The service automatically scans for all technical controls. For each control, the service runs one or more tests that are applicable to each target host, based on the information gathered for the host.
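The applicability-driven assessment described here and in the catalogue overview above (controls map to technologies, each control carries one or more checks, and only tests applicable to a host are run), as an added Python example that is not the service's own code or engine: a constructed three-control catalogue is evaluated against hosts whose OS, services and authentication state were "gathered" by the earlier scanning events. Control IDs, technology names, check names and all host data are constructed for illustration; the real catalogue and host fingerprints are far richer.

```python
"""Added example (not the service's own code): a miniature technical-controls
catalogue and the applicability-driven assessment the page describes.
Control IDs, technologies, checks and host data are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Host:
    """A host as the earlier scanning events would have described it."""
    ip: str
    os: str                       # from OS detection
    services: Dict[int, str]      # port -> service, from service discovery
    authenticated: bool           # outcome of the authentication event
    config: Dict[str, str] = field(default_factory=dict)  # gathered after auth


@dataclass
class Check:
    name: str
    technologies: List[str]       # OS / application the check applies to
    test: Callable[[Host], bool]  # returns True when the host is compliant


@dataclass
class Control:
    cid: str
    title: str
    checks: List[Check]


def host_technologies(h: Host) -> set:
    """Infer the technologies present on a host from its fingerprint."""
    techs = {h.os}
    techs.update(h.services.values())
    return techs


def applicable_checks(control: Control, h: Host) -> List[Check]:
    """Only checks whose technology list overlaps the host's technologies run."""
    techs = host_technologies(h)
    return [c for c in control.checks if techs & set(c.technologies)]


def assess(catalogue: List[Control], h: Host) -> Dict[str, str]:
    """Return {control id: 'Passed' | 'Failed' | 'Not Applicable' | 'Skipped'}."""
    if not h.authenticated:
        # Authentication failure halts processing; no assessment happens.
        return {c.cid: "Skipped" for c in catalogue}
    results = {}
    for control in catalogue:
        checks = applicable_checks(control, h)
        if not checks:
            results[control.cid] = "Not Applicable"
        elif all(chk.test(h) for chk in checks):
            results[control.cid] = "Passed"
        else:
            results[control.cid] = "Failed"
    return results


# Constructed catalogue: one control may cover several technologies.
CATALOGUE = [
    Control("CTL-1001", "SSH: root login disabled", [
        Check("sshd PermitRootLogin", ["OpenSSH"],
              lambda h: h.config.get("PermitRootLogin", "yes") == "no"),
    ]),
    Control("CTL-1002", "Minimum password length is at least 14", [
        Check("Linux PASS_MIN_LEN", ["Linux"],
              lambda h: int(h.config.get("PASS_MIN_LEN", "0")) >= 14),
        Check("Windows MinimumPasswordLength", ["Windows"],
              lambda h: int(h.config.get("MinimumPasswordLength", "0")) >= 14),
    ]),
    Control("CTL-1003", "SNMP community string is not 'public'", [
        Check("SNMP community", ["SNMP"],
              lambda h: h.config.get("community") != "public"),
    ]),
]

# Constructed hosts (addresses and settings are illustrative only).
LINUX_HOST = Host("10.0.0.5", "Linux", {22: "OpenSSH", 80: "Apache"}, True,
                  {"PermitRootLogin": "no", "PASS_MIN_LEN": "8"})
WINDOWS_HOST = Host("10.0.0.6", "Windows", {445: "SMB", 161: "SNMP"}, True,
                    {"MinimumPasswordLength": "14", "community": "public"})
UNAUTH_HOST = Host("10.0.0.7", "Linux", {22: "OpenSSH"}, False)

if __name__ == "__main__":
    for h in (LINUX_HOST, WINDOWS_HOST, UNAUTH_HOST):
        print(h.ip, assess(CATALOGUE, h))
```

The Linux host passes the SSH control, fails the password-length control on its Linux check, and never runs the SNMP check; the Windows host is the mirror image; the host whose authentication failed gets no assessment at all, which is the behaviour to expect in reports when credentials are wrong.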


Scanning and Firewalls

Executing a scan or map against a device shielded by a firewall is a common operation. Every day the scanning engine runs thousands of scans and maps in networks whose servers sit behind firewalls, without any issues. Problems can arise when scan traffic is routed through the firewall from the inside out, that is, when the scanner appliance sits in the protected network and scans a target on the other side of the firewall. Many modern firewalls track connection state and maintain NAT and ARP tables, and a scan against a large set of targets can overflow these tables. The consequences of such overflows range from slowed firewall functions to a complete crash.

We recommend placing scanner appliances in your network topology so that scanning and mapping through a firewall from the inside out is avoided where possible. Where it cannot be avoided, test the impact on your own firewall before scanning at full scale. Scan accuracy may also suffer, because a firewall that drops or rate-limits probes makes ports look closed and hosts look down, so compare the detailed results in your reports against what you expect. Because overloaded firewall tables affect production traffic as well as the scan, this can be service impacting, and the results may differ from those of a scan that does not cross the firewall. See About Scanner Appliances to learn more.
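To put a number on the state-table risk described above, here is an added Python model (not from the page or any firewall vendor) of how many connection-tracking entries a scan from the inside out keeps open at once. The per-probe timeouts, the example scan size and the table capacities are assumptions, labelled in the code; what the model shows is the shape of the problem: unanswered probes occupy an entry for the full timeout, so peak occupancy is roughly probe rate times timeout, capped by the number of filtered target/port pairs.

```python
"""Added example, not the page's or any vendor's code: a discrete-time model of
a stateful firewall's connection-tracking table while a scanner probes targets
through it from the inside out. Timeouts and table sizes are assumptions."""
from collections import deque
from dataclasses import dataclass

# Assumed tracking timeouts (seconds). They follow the Linux nf_conntrack
# defaults the author expects; confirm the values on your own firewall.
TIMEOUT = {
    "tcp_unanswered": 120,  # SYN sent, no reply: entry lingers in SYN_SENT
    "tcp_answered": 10,     # SYN/ACK or RST came back and the scanner tore down
    "udp": 30,              # UDP probe with no reply
}


@dataclass
class ScanPlan:
    targets: int
    tcp_ports: int
    udp_ports: int
    probes_per_sec: int
    filtered_fraction: float  # share of TCP probes that never get an answer


def simulate_state_table(plan: ScanPlan) -> dict:
    """Return peak simultaneous tracking entries, when it occurs, and run time.

    One probe to one (target, port) pair creates one tracking entry that lives
    until its timeout elapses. Unanswered TCP probes are sent first, which is
    the worst ordering for table occupancy and close to what a scan of mostly
    filtered ports looks like from the firewall's side.
    """
    tcp_total = plan.targets * plan.tcp_ports
    unanswered = int(tcp_total * plan.filtered_fraction)
    remaining = {
        "tcp_unanswered": unanswered,
        "tcp_answered": tcp_total - unanswered,
        "udp": plan.targets * plan.udp_ports,
    }
    # One queue per kind so each queue stays sorted by expiry time.
    queues = {kind: deque() for kind in TIMEOUT}  # entries: (expiry_sec, count)
    live = peak = peak_at = t = 0
    while any(remaining.values()):
        for q in queues.values():            # expire entries whose timeout passed
            while q and q[0][0] <= t:
                live -= q.popleft()[1]
        budget = plan.probes_per_sec
        for kind in ("tcp_unanswered", "tcp_answered", "udp"):
            n = min(budget, remaining[kind])
            if n:
                queues[kind].append((t + TIMEOUT[kind], n))
                remaining[kind] -= n
                live += n
                budget -= n
        if live > peak:
            peak, peak_at = live, t
        t += 1
    return {"peak_entries": peak, "peak_at_sec": peak_at, "duration_sec": t}


def rate_that_fits(plan: ScanPlan, table_capacity: int, headroom: float = 0.8) -> int:
    """Largest probes_per_sec (up to the plan's) whose simulated peak stays at
    or under headroom * table_capacity; 0 if no rate fits."""
    limit = int(table_capacity * headroom)
    lo, hi = 0, plan.probes_per_sec
    while lo < hi:                           # peak grows with rate, so bisect
        mid = (lo + hi + 1) // 2
        trial = ScanPlan(plan.targets, plan.tcp_ports, plan.udp_ports,
                         mid, plan.filtered_fraction)
        if simulate_state_table(trial)["peak_entries"] <= limit:
            lo = mid
        else:
            hi = mid - 1
    return lo


# Constructed scan: 50 hosts, 1000 TCP + 100 UDP ports each, 90% filtered.
PLAN = ScanPlan(targets=50, tcp_ports=1000, udp_ports=100,
                probes_per_sec=500, filtered_fraction=0.9)

if __name__ == "__main__":
    print(simulate_state_table(PLAN))
    for capacity in (65536, 32768):   # assumed table limits, e.g. nf_conntrack_max
        print(capacity, "entries ->", rate_that_fits(PLAN, capacity), "probes/sec")
```

With the constructed plan the model reports a peak of 50,000 live entries, and the rate search shows that a 32,768-entry table run at 80% headroom tolerates only about 218 probes per second for this scan, against 500 for a 65,536-entry table. Feed in your own firewall's timeouts and table size to size a scan before it runs rather than discovering the limit when the firewall stops forwarding traffic.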


Scan Tools

These tools assist the compliance scanning function.

Compliance Hosts

Compliance hosts are used as targets for compliance scans and reports. Typically, compliance hosts consist of a sub-set of the host assets in the subscription. Other host assets are used as targets for vulnerability scans and reports. Each host in the subscription is tracked by IP address initially but you can change the tracking method to DNS hostname or NetBIOS hostname. See About Host Assets to learn more.

Asset Groups

Scanning your entire network can be cumbersome and is not recommended. By organizing assets into subsections of your network, you can limit the scope of the scan target, making the results and remediation tasks more manageable. See Organizing Assets.

Compliance Profiles

Scan options are specified in compliance-specific option profiles, which are applied to on demand and scheduled scans. Before you can launch a compliance scan, a compliance profile must be available on the option profiles list in your account. The service does not provide a default compliance profile. A Manager or another user with compliance management privileges must create a compliance profile. See Managing Compliance Profiles for more information.

Authentication

Successful authentication to target hosts is required for compliance scans. Authentication is automatically enabled for all authentication types: Windows, Unix, Oracle and SNMP. Specify credentials in authentication records to perform trusted scanning on target hosts. See About Trusted Scanning for more information.

Scanner Appliances

Use scanner appliances to perform compliance scans behind the corporate firewall, on the hosts and devices within your enterprise. See About Scanner Appliances to learn more.