Vulnerability Scanning analyzes the security of your network using the largest and most up-to-date KnowledgeBase of vulnerability checks in the industry. When you launch or schedule vulnerability scans, the service safely and accurately detects vulnerabilities using its Inference-Based Scanning Engine, an adaptive process that intelligently runs only tests applicable to each host scanned. The service first gathers information about each host, such as its operating system and version, ports and services, and then selects the appropriate test modules. The impact of scans on your network load is minimal because the service samples your available bandwidth and then uses a fixed amount of resources that you specify.
The KnowledgeBase of vulnerabilities is constantly updated as vulnerabilities are added and updated. For this reason, it's best practice to schedule network security audits regularly to minimize potential risk and ensure constant security. We recommend scheduling routine weekly scans plus running an on demand scan whenever new network devices are introduced or configurations are updated.
External scanning at the network perimeter is available to all users (with scanning privileges) using the external scanners. Internal scanning of private use internal IPs is supported using scanner appliances, installed inside the corporate network. With scanner appliances you have more scanner options to apply to each scan task. You may select a scanner appliance to send the scan task to a particular appliance, or you may select the scanner parallelization option to distribute the scan task across multiple scanners in target asset groups to improve scan performance. See Scanner Parallelization to learn more.
There are several events that take place during the vulnerability scanning process. The standard behavior for each of these events is described below. To change the standard behavior, customize the scan and additional options in your option profile, and then apply the customized profile to an on demand or scheduled scan task. You can specify which probes are sent and which ports are scanned during host discovery, and which TCP and UDP ports are scanned during port scanning.
Scanning Event |
Description |
Host Discovery |
The service checks availability of target hosts. For each host, the service checks whether the host is connected to the Internet, whether it has been shut down and whether it forbids all Internet connections. The service pings each target host using ICMP, TCP, and UDP probes. The TCP and UDP probes are sent to default ports for common services on each host, such as DNS, TELNET, SMTP, HTTP and SNMP. If these probes trigger at least one response from the host, the host is considered "alive." The types of probes sent and the list of ports scanned during host discovery are configurable through your additional options. If the host is not "alive" then the scan process will not proceed. You may choose to scan dead hosts through your scan options, but that option may increase scan time and is not suggested for Class C or larger networks. After host discovery, these events occur dynamically: port scanning, operating system detection, service discovery and authentication to hosts when the authentication feature is enabled. |
Port Scanning |
The service finds all open TCP and UDP ports on target hosts. The list of TCP and UDP ports scanned is configurable through your scan options. |
OS Detection |
The service attempts to identify the operating system installed on target hosts. This is accomplished through TCP/IP stack fingerprinting, OS fingerprinting on redirected ports, and is enhanced by additional information gathered during the scan process, such as NetBIOS information gathering. |
Service Discovery |
When a TCP or UDP port is reported as open, the scanning service uses several discovery methods to identify which service is running on the port, and confirms the type of service running to obtain the most accurate data. |
Authentication |
Authentication to hosts is optional for a vulnerability scan. For a vulnerability scan with authentication enabled, the service authenticates to target hosts based on the selected authentication types in the option profile and the authentication records in the user account. The service uses the credentials for target hosts as defined in authentication records. If authentication to a host is not successful, the service performs vulnerability assessment without authentication. |
Vulnerability Assessment |
Using the information gathered about each target host in the previous scanning steps, the service begins vulnerability assessment. The service scans for all vulnerabilities in the KnowledgeBase or a selected list of vulnerabilities, based on the user's scan settings. The service runs vulnerability tests that are applicable to each target host based on the information gathered for the host. |
Executing a scan or map against a device shielded by a firewall is a common operation. Every day the scanning engine executes thousands of scans and maps in network topologies that protect their servers with firewalls without any issues. Problems can arise when the scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance is sitting in the protected network area and scans a target which is located on the other side of the firewall. Many modern firewalls are configured to track connections, maintain NAT and ARP tables and a scan operation against a large set of targets can overload these tables. The consequences of such overflows are varied and range from slowdown of the firewall functions to a complete crash.
We recommend placing scanner appliances in your network topology in a way that scanning and mapping through a firewall from the inside out is avoided if possible. If not, we recommend you perform your own assessment testing on your network to validate the impact to your firewall. The accuracy of your scan may also be impacted so you should compare expected results against the detailed results provided in your reports. It's possible this can be service impacting as the scan results might differ. See About Scanner Appliances to learn more.
These tools assist the vulnerability scanning function.
Host assets are used as targets for vulnerability scans and reports. Each host in your account is tracked by IP address initially but you can change the tracking method to DNS hostname or NetBIOS hostname. See About Host Assets to learn more.
Scanning your entire network can be cumbersome and is not recommended. By organizing assets into subsections of your network, you can limit the scope of the scan target, making the results and remediation tasks more manageable. See Organizing Assets.
The scanning engine supports customization of vulnerability scans through scan options, giving users the ability to scan specific ports/services and specific vulnerabilities as needed, and fine-tune scanning parameters. Scan options are specified in option profiles, which are applied to on demand and scheduled scans. See About Option Profiles for more information.
Enable authentication to allow the scanning engine to perform trusted scanning in order to ensure that each host on the network is in compliance with internal security policies. See About Trusted Scanning for more information.
Use scanner appliances to perform vulnerability scans behind the corporate firewall, on the hosts and devices within your enterprise. See About Scanner Appliances to learn more.