Qualys Rollout Guide


  • 8/17/2019 Qualys Rollout Guide

    1/164

    Security and Compliance Suite

    Rollout Guide

    August 4, 2015


    Copyright 2005-2015 by Qualys, Inc. All Rights Reserved.

    Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the property of

    their respective owners.

     

    Qualys, Inc. 

    1600 Bridge Parkway 

    Redwood Shores, CA 94065 

    1 (650) 801 6100


    Preface

    Chapter 1 Introduction

    Operationalizing Security and Compliance ... 10
    Qualys Best Practices ... 11

    Chapter 2 Rollout First Steps

    First Login ... 14
    Your Qualys account ... 14
    Update your account settings if needed ... 14
    Your Host Assets ... 15
    Add Hosts ... 16
    Remove IPs from the Subscription ... 19
    Virtual Hosts ... 20
    Check Network Access to Scanners ... 20
    Review Password Security Settings ... 20

    Adding User Accounts ... 21
    User Roles and Privileges ... 21
    Asset Groups and Business Units ... 22
    Adding a Manager ... 24
    About User Account Settings ... 25

    Defining Scope of User Actions ... 27
    Adding Asset Groups ... 28
    Adding Scanners and Readers ... 29
    Adding Business Units ... 29
    Adding Unit Managers to Business Units ... 31
    User Hierarchy Chart ... 31
    Transfer Users to Business Units ... 32
    Transfer Business Objects to Users ... 33
    Ownership of Business Objects ... 33
    Deleting Users ... 34

    Scanner Appliance Installation and Setup ... 35
    Planning Appliance Installation ... 36
    Scanning and Firewalls ... 37
    Custom VLANs for VLAN Trunking ... 37

    Managing Your Appliances ... 38
    View Your Scanner Appliances ... 39
    Check Out the Scanner Capacity Chart ... 40
    Take Actions on Appliances ... 41
    Scanner Appliance Information ... 41
    Edit Scanner Appliance ... 42


    Contents

    Versions and Automatic Updates ... 42
    Assign Scanner Appliances to Asset Groups ... 43
    Grant Users Access to Scanner Appliances ... 44
    Multiple Scanner Appliances and Business Units ... 44
    Replace Scanner Appliance ... 45

    Chapter 3 Vulnerability Scanning

    Network Discovery ... 48
    Launch a Map ... 49
    View Map Results ... 50
    View Map Results - Graphic Mode ... 51
    Map Settings ... 52
    About Network Discovery ... 53

    Asset Categorization and Workflows ... 55
    Add a New Asset Group ... 56
    Taking Workflow Actions ... 59
    Unknown Device Report ... 60

    Your First Scans ... 61
    Select Scan Notification ... 63
    Launch Vulnerability Scan ... 64
    Scan Status ... 65
    Scan Complete Email for Vulnerability Scan ... 67
    View Scan Results ... 69
    About Scanning Events ... 73

    Vulnerability KnowledgeBase ... 74
    Vulnerability Severity Levels ... 76
    Vulnerability Search ... 78
    Vulnerability Search Lists ... 78
    Editing Vulnerabilities ... 81

    Customizing Scans ... 83
    Scanner Appliance Setting ... 83
    Option Profiles Provided ... 84
    View Option Profiles ... 84
    Option Profile Settings ... 85

    Current Host Information ... 90

    Chapter 4 Enterprise Management and Reporting

    Enterprise Security Auditing ... 92
    Add Scheduled Scans and Maps ... 93
    Review Option Profiles ... 94
    Set Default Option Profile ... 95
    Publish Global Option Profiles ... 95
    Scan for Selected Vulnerabilities ... 95
    Trusted Scanning ... 97
    Scanner Parallelization ... 99


    Enterprise Reporting ... 101
    View Report Templates ... 102
    Running Reports with Report Share ... 103
    Scheduling Reports ... 105
    Sharing Reports ... 106
    Secure PDF Distribution ... 106
    Scorecard Reports ... 109
    Patch Reports ... 110
    Consultant Reports ... 111
    Report Templates ... 112
    Publish Global Templates ... 112
    Download Data Lists as CSV, XML, HTML, MHT ... 112

    Remediation Workflow ... 113
    Enable Remediation Workflow ... 114
    View Tickets List ... 116
    View Ticket Information ... 116
    About the Closed Loop Ticketing System ... 117

    Customizing Level of Risk ... 119
    Customizing Vulnerabilities ... 119
    Business Risk in Scan Reports ... 120
    Security Risk in Scan Reports ... 121
    CVSS Scoring ... 125
    Ignoring Vulnerabilities ... 128

    Chapter 5 Compliance

    Achieving Compliance ... 130

    Vulnerability Reporting and Trend Analysis ... 131
    Executive Report with Trending ... 132
    Asset Search ... 133
    Risk Analysis ... 136
    Vulnerability Compliance Reports ... 138

    Remediation Reporting ... 139

    Payment Card Industry (PCI) Compliance ... 142
    PCI Data Security Standard ... 142
    Quarterly PCI External Scans Workflow ... 142
    Quarterly PCI Internal Scans Workflow ... 144

    Policy Compliance (PC) ... 146
    Auditor User Role ... 146
    Policy Editor ... 146
    Policy Manager ... 148
    Policy Compliance Reporting ... 149
    Running Template Based Reports ... 149
    Running Interactive Reports ... 149
    Exceptions Management ... 151

    Policy Compliance — Current Regulations and Mandates ... 152


    Chapter 6 Successful Qualys Rollout Case Studies

    Case 1 — Global Online Retailer ... 158
    Case 2 — Web Meeting Application Provider ... 159
    Case 3 — Global Electronics Manufacturer ... 160
    Case 4 — Global UK Bank ... 161
    Case 5 — Large Chemical Company ... 162
    Case 6 — Global Food Services Company ... 163

    Preface

    This user guide is intended for security managers and auditors responsible for the successful rollout of Qualys Security and Compliance Suite in the enterprise. Qualys is the widely adopted vulnerability management and policy compliance solution from Qualys, Inc.

    About Qualys

    Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud security and compliance solutions with over 7,700 customers in more than 100 countries, including a majority of each of the Forbes Global 100 and Fortune 100. The Qualys Cloud Platform and integrated suite of solutions help organizations simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including Accenture, Accuvant, BT, Cognizant Technology Solutions, Dell SecureWorks, Fujitsu, HCL Comnet, InfoSys, NTT, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA).

    For more information, please visit www.qualys.com.

    Contact Qualys Support

    Qualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct email support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access support information at www.qualys.com/support/.


    INTRODUCTION

    This guide combines many of the best practices gained from our experience with supporting customers of varying sizes and complexity with Qualys rollouts. These projects are large in scale, most often deployed globally on distributed, segmented networks, and frequently involve many users with diverse responsibilities within the enterprise. As you start your own Qualys rollout, it makes sense for us to share with you our best practices approach so that you can quickly and effectively take advantage of Qualys to automate the process of vulnerability management and policy compliance within your organization.

    The goal of this document is to take you step by step through the process of both getting Qualys running in production and learning the best practices that will maximize the value you will receive from enhanced network security.

    We have arranged this guide into the sections described below.

    Chapter 2, Rollout First Steps, covers the basics of setting up the service, adding users, defining the scope of user actions, installing QualysGuard Scanner Appliances, and planning for distributed scanning with multiple Scanner Appliances.

    Chapter 3, Vulnerability Scanning, leads you through the steps of running your first scans and understanding scan results. In preparation for this we discuss QualysGuard tools that help you discover your network and prioritize assets. Once you have performed and reviewed your first scans, we describe the options for customizing scans.

    Chapter 4, Enterprise Management and Reporting, takes you through the steps of implementing a successful Qualys rollout across the enterprise. This is focused on a phased approach that allows you to start out with a basic process and to enhance the process, as required, over time. It involves using Qualys enterprise management tools for security auditing and reporting as well as the remediation workflow feature.


    Chapter 5, Compliance, helps you to use Qualys to show the progress you are making in managing your vulnerabilities and the security risk in your network. This will also help you in making the adjustments to your vulnerability management system's options and processes to achieve your required results. A key element in tracking your progress is how this will assist you in meeting the myriad of regulations which have network security as part of their requirements.

    In Chapter 6, Successful Qualys Rollout Case Studies, we have taken real customer examples, from various industries, to help you understand their ingredients for success. You can learn from the challenges they faced and build an implementation plan that leverages their experience.

    While this document is intended to assist you with a successful rollout of Qualys, it is important to note that there are many product features that are not outlined here. As you become familiar with Qualys you will find additional features and capabilities. We recommend that you fully explore the application and reference the online help and other resource documents to take full advantage of the application.

    Before we start it is important that we have a common understanding of Qualys benefits and a set of high level best practices which we have found to lead to successful implementations.

    Operationalizing Security and Compliance

    The amount of risk facing any IT infrastructure is constantly in flux and can be difficult to measure. Any change to a system or its broader computing environment might also change its security posture. While every organization has firewalls and antivirus in place, the limitations of these basic layers of defense are a constant concern for security conscious companies. CERT states that, “99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available.”

    Today’s fast-moving viruses and worms have found ways to pass through firewalls and bypass antivirus applications. As the time from vulnerability announcement to common vulnerability exploit continues to shrink, organizations are increasingly faced with the challenge to find more proactive security solutions.

    One of the proven ways to reduce the risk of being hit by a worm or virus is through regular network security audits to identify vulnerabilities and correct the weaknesses before they can be exploited. Security risk and policy compliance management makes it possible for a company to take proactive steps to spot rogue devices, identify vulnerabilities, and ensure systems are configured in line with standards and corporate policy.

    The Policy Compliance module allows customers to audit and document compliance to internal and external auditors to meet corporate security policies, laws and regulations.


    Qualys Best Practices

    As you begin your rollout program, Qualys customers have found these steps, in the order presented below, to be keys to success with Qualys rollout projects:

    1 Know Your Network

    2 Automate

    3 Integrate

    4 Distribute Use

    5 Report on Risk, Vulnerabilities and Compliance

    Know Your Network

    Prior to embarking on an initiative to scan each device on the network, it’s important to first identify every device on the network. Qualys recommends performing a network discovery (map) to enumerate each host. After discovering the hosts, you can use this information to group like hosts and to blacklist any host that might be negatively affected by being scanned. Typically these are hosts listed in the “Qualys Potential Impact to Systems” document, available from within your Qualys account (go to Help > Resources).

    Automate

    Once you are ready to begin assessing the security risks on your network, it is important to have an assessment plan and use Qualys to automate the scanning process. Automation yields consistent scanning activities which will, in turn, help increase the consistency of the results. Automation also makes certain you are assessing your risk regularly (e.g. weekly or monthly). Within Qualys, you can automate network discovery scans, vulnerability scans, the creation of remediation tickets, and the delivery of vulnerability reports.

    Integrate

    Greater value can be achieved by integrating the components of your security solution to provide an overall view of your security posture. Qualys has available more than 20 out-of-the-box integrations with patch management solutions, intrusion detection / prevention solutions, SIM (Security Information Management) solutions, ticketing solutions, and asset management solutions.


    Distribute Use

    Qualys advocates performing vulnerability scans from each network vantage point. To achieve this in a geographically distributed or segmented network, customers must distribute QualysGuard Scanner Appliances throughout the network. Consider placing a Scanner Appliance in each security zone on the internal network and use the Qualys provided Remote Internet Scanners to assess risk from the Internet.

    In addition, it is important to empower users throughout the organization by distributing the use of Qualys across functional teams and throughout all levels of the organization. Many enterprises have reported success in reducing risks by empowering network and systems administrators to scan their assets. Similarly, by distributing the use of Qualys to internal and external audit teams, customers have recognized efficiencies in process and reduced auditing fees. Consider using the five-tier hierarchical role-based access controls built into Qualys to empower as many users as appropriate within your organization.

    Report on Risk, Vulnerabilities and Compliance

    Qualys does not view vulnerabilities and risk as being synonymous. Within Qualys there are different metrics returned in scan reports: Security Risk, Business Risk, and CVSS scores.

    The Security Risk is a reflection of the number of vulnerabilities on each host and the relative security risk of those vulnerabilities.

    The Business Risk is based on the security risk and takes into consideration the business value of the hosts. In many situations, the business risk value will drive remediation efforts rather than simply the security risk.

    CVSS scores for vulnerabilities are based on the Common Vulnerability Scoring System (CVSS) standard. CVSS provides a common language for understanding vulnerabilities and threats. By including CVSS scores in scan reports, you can compare your security audit results against the CVSS standard.

    Several pre-defined reports allow you to view reports based on saved scan, map and remediation data in your account. Some reports include trending automatically, such as the Executive Report and remediation reports, to assist with tracking remediation and security risk over time. Compliance reports allow you to see whether you’re compliant with the Payment Card Industry (PCI) Data Security Standard (DSS), the Qualys Top 20 real-time vulnerabilities (10 internal, 10 external), and user-defined compliance policies.


    ROLLOUT FIRST STEPS

    The rollout project setup involves building a deployment plan based on network analysis and business objectives, and then distributing vulnerability management and policy compliance responsibility to multiple users. It’s recommended that you do your homework in advance to understand your network environment and its segmentation before you begin network security auditing. With your understanding of the network and the people responsible for managing the various systems and network segments, you will add user accounts, install Scanner Appliances, and assign users asset responsibility by defining asset groups and optionally business units.

    To achieve the best rollout project setup in the quickest time, please complete the following activities in the order presented:

     •  FIRST LOGIN

     •  ADDING USER ACCOUNTS

     •  DEFINING SCOPE OF USER ACTIONS

     •  SCANNER APPLIANCE INSTALLATION AND SETUP

     •  MANAGING YOUR APPLIANCES

    Note: The rollout project setup requires Manager user privileges. If you are the subscription owner, then your user account has these privileges by default. You may choose to add additional Manager users to assist with the rollout project setup. We will discuss adding users as well as user roles and privileges in this chapter.


    FIRST LOGIN

    Be sure to complete your first login and check to be sure that you are ready to start security auditing activities using the account.

    BEST PRACTICES

    Be sure to complete your account registration. Follow the instructions provided, starting with the Qualys “Registration - Start Now” email and ending with accepting the terms and conditions.

    Check configurations before you begin. It’s recommended that you view the IP addresses in your account, add IP addresses and virtual hosts as needed, classify assets in your account, check network accessibility to target hosts, and review password security options for the subscription.

    ROLLOUT STEPS

    Your Qualys account

    When your new subscription is created, you will receive an email notification titled Qualys Registration - Start Now. This email includes a secure link to your user login ID and password (this is a one-time only link).

    After completing the registration steps, you will receive an email notification titled Qualys Registration - Complete.

    Soon we will discuss adding user accounts to the subscription. When you add user accounts, each new user will receive a Qualys Registration email and will need to complete the same registration process.

    Update your account settings if needed

    The user menu (top right) gives you several options, available to you at all times.

    - Change your password

    - Change your default Home Page

    - View your account settings

    - Return to the Quick Start Guide


    Your Host Assets

    Qualys provides methods for asset classification to support managing network security in dynamic and distributed networking environments.

    At this time you will want to view the hosts in your account and select the host tracking method to be used. For a new subscription, hosts in the account are tracked by IP address and the tracking method can be changed to DNS hostname or NetBIOS hostname. Optionally, you may enter asset tags (host attributes) and an asset owner.

    The hosts in your account may be used as targets for vulnerability and compliance scans. To view the hosts in your account, go to Assets > Host Assets.

    Click (Expand range) next to a range to view hosts in the range.

    Click (View host information) next to a host to view comprehensive host information, including the host’s attributes, current vulnerabilities and tickets as well as an activity log listing actions involving the host.


    The host assets list displays all hosts in your account. All hosts may be the target for a vulnerability scan. Compliance hosts may be the target for a compliance scan, when the policy compliance module is enabled in the subscription. To view compliance hosts only, select Filters > Compliance Hosts.

    Managers can view information on the total IPs purchased and total IPs in subscription in the Account Info section (go to Help > Account Info). Please contact Support or an Account representative for help with purchasing more IPs.

    Add Hosts

    To add hosts, go to New > IP Tracked Hosts. (You’ll see you have the option to select the DNS or NetBIOS tracking method if hosts in your network are assigned IP addresses dynamically.) Use the wizard to enter your new hosts.

    Host IPs

    In the Host IPs section enter IP addresses/ranges. Multiple entries are comma separated.

    The policy compliance module may be enabled in your account. If so, the check box “Add to Policy Compliance Module” appears. Select this check box if you want the new hosts to also be added to the policy compliance module. When selected you can perform vulnerability scans and compliance scans on the hosts.

    Host Attributes

    In the Host Attributes section, enter host attributes (optional). The host attributes are displayed in host security views throughout the application, and in scan status reports (automatic). Initially the names are set to Location, Function, and Asset Tag. Go to Setup > Host Attributes if you want to customize host attribute names.


    Click the “Add” button to add the hosts.

    Take Actions on Hosts

    Select hosts already added to your account and take actions on them using the Actions menu. You can edit host attributes (one host at a time, or bulk edit), add/remove hosts from asset groups, and add hosts for compliance scans.


    Remove IPs from the Subscription

    Managers can remove IPs from the subscription. Once an IP is removed, the host data is not recoverable. Please review these possible consequences before removing IPs:

     •  IPs will be deleted from Asset Groups.

     •  Scheduled Scans will be deactivated at the next launch (except when the target includes asset groups only and at least one asset group has remaining IPs).

     •  Automatic host data will be purged, also Tickets and Exceptions will be deleted.

    To remove IPs, go to New > Remove IPs.

    Select the IPs you want to remove and then click Remove.


    Virtual Hosts

    Depending on your network configuration, you may want to add virtual hosts to your subscription. A virtual host is defined as a single machine that acts like multiple systems, hosting more than one domain (FQDN). Adding virtual host configurations ensures that the scanning service analyzes all specified domains associated with each IP address scanned, possibly increasing the number of vulnerabilities detected. To view the virtual hosts in your account, go to Assets > Virtual Hosts. From the virtual host list you can add a new virtual host configuration by going to New > Virtual Host.

    Check Network Access to Scanners

    Important details about External Scanners and Scanner Appliances are shown on the About page (go to Help > About). Be sure that your network permits access between the scanners and the IPs to be scanned.

    External Scanners.  External Scanners for external (perimeter) scanning are located at the Secure Operating Centers (SOCs), datacenters maintained by Qualys. External scanners must be able to access target IPs for perimeter scanning (see Help > About).

    Scanner Appliances.  Scanner Appliances for internal scanning are installed on your internal network, inside your corporate Intranet. Scanner appliances must be able to access target IPs for scanning your internal network (see Help > About).

    Review Password Security Settings

    Your Qualys login ID is permanent and assigned by Qualys. Your password is a randomly generated “strong” password. You can change your password if you wish at any time from your account menu.

    Manager users have the ability to allow user-defined passwords. This option is not enabled in new subscriptions. To enable this option, go to Users > Setup > Security and select “Allow user defined passwords”. Any password security settings you make will apply to all user accounts in the same subscription.


    ADDING USER ACCOUNTS

    You can easily assign assets to multiple users within the enterprise. By assigning responsibility for security auditing and vulnerability remediation on assigned assets, you can distribute this responsibility to multiple users.

    User Roles and Privileges

    Qualys has a user role-based model for assigning user privileges. Pre-defined user roles grant specific privileges, including access to assets. Multiple users with the same user role may be added.

    Figure 2-1. User Role based privileges

    User Role: Manager
    - Most privileged user role with access to all assets
    - Discovery (maps), security auditing (scans), reporting, remediation
    - Manage assets and users
    - Set subscription policies and global configurations
    - Typical users: Chief Security Officer, Security Manager

    User Role: Auditor (this role is available when the policy compliance module is enabled)
    - Manage policies, exception requests, and compliance reporting
    - Access to all compliance hosts in the subscription
    - Typical users: Security Auditor, Third Party Consultant

    User Role: Unit Manager
    - Discovery (maps), security auditing (scans), reporting, remediation
    - Access to assets (IPs, domains, appliances) in asset groups assigned to the business unit
    - Manage assets and users in assigned business unit
    - Typical users: Division Manager, Regional Manager

    User Role: Scanner
    - Discovery (maps), security auditing (scans), reporting, remediation
    - Access to assets (IPs, domains, appliances) in asset groups assigned to the user’s account
    - Typical users: Security Engineer, IT Administrator, Inside Consultant

    User Role: Reader
    - Reporting and remediation only
    - Access to assets (IPs, domains) in asset groups assigned to the user’s account
    - Typical users: Executive, Outside Consultant, Auditor, IT Assistant

    User Role: Contact
    - No access to the Qualys user interface
    - Receives summary email notifications for scans and maps
    - Receives notifications for assets (IPs, domains) in asset groups assigned to the user’s account. (A Contact user account exists for administrative purposes and can be edited by Managers. A Contact user cannot log in to the user interface or make API requests using this account.)
    - Typical users: Monitoring or tracking device, Auditor, Alert System

    Asset Groups and Business Units

    User accounts grant users access to certain hosts, based on user role. Sub-account users — Scanner, Reader, Contact — are assigned asset groups. Unit Managers are assigned a business unit consisting of asset groups. For a subscription with multiple users and assets, you’ll want to organize your assets as shown in the diagram below.


    Figure 2-2. Organizing Assets into Asset Groups and Business Units

    Starting with all the assets in the subscription, you create logical asset groups. Each Scanner and Reader account is assigned one or more asset groups. You have the option to go one step further and define business units including asset groups and users. Each business unit must be assigned one or more Unit Managers who have management responsibility for a limited set of assets in the subscription.

    BEST PRACTICES

    Add at least one user account.  Qualys recommends that you add at least one new user account. We suggest that you add a Manager or Unit Manager to begin, although a user account with any role except Contact is fine. If the subscriber account is lost or misplaced, this makes it possible for Qualys Support to reset the password for the subscriber account while retaining all saved results and user configurations for the subscription.

    Add users with management responsibility first — Managers and Unit Managers.  These users will have management responsibility for the rollout project and they will have the ability to add more users.

    Create a flexible solution.  Delegating roles and responsibilities to multiple users involves creating a flexible solution that adapts to operating environments and maintains global standards. Refer to “Defining Scope of User Actions” for developing an approach to building the solution for your organization.


    ROLLOUT STEPS

    Add at least one user account.  Add at least one new user account with privileges to access the Qualys web application. To add a new user select Users from the top menu and then select New > User. See “Adding a Manager” and “Adding Scanners and Readers” for help.

    Add a Unit Manager.  If you wish to use a business unit you need to add a Unit Manager. See “Adding Unit Managers to Business Units” for information.

    Review user account information.  Gain an understanding of user account information and privileges for the various user roles. Apply this information when setting up multiple users.

    Adding a Manager

    As the subscriber, your user account is automatically assigned the Manager role. You can choose to add another Manager user so that there is redundancy at the Manager level for the subscription. All Managers have full privileges.

    To add a user, go to Users. From the user’s list select New > User. Using the new user wizard, enter user settings.

    Under General Information, provide the user’s name and contact information.


    Under User Role, select the user role “Manager”. (The service automatically adds Managers to the Unassigned business unit).

    Under Notification Options select email notifications for the user. After creating the account, the user has the ability to edit these settings.

    After you save the account, the new user will automatically receive a registration email with a secure link to the credentials for their new account and login instructions.

    About User Account Settings

    The user account settings have common sections for all users. The sections Asset Groups and Extended Permissions appear for users with certain roles.

    User Account Section: Description

    General Information.  General information about the user, including name and contact information.

    User Role.  The user role and business unit. A business unit is required for a Unit Manager.

    Options: Notification.  Several email notification options are available. A user may choose to edit these settings:
    - Latest Controls (when PC is enabled)
    - Latest Vulnerabilities
    - Scan Complete Notification
    - Scan Summary Notification (vulnerability scans only)
    - Map Notification
    - Report Notification (when Report Share is enabled)
    - Exception Notification (when PC is enabled)
    - Daily trouble ticket updates
    - Scanner Appliance heartbeat check

    Options: SAML SSO.  Qualys supports SAML SSO for user authentication. When this feature is enabled for the subscription, Managers have the option to enable SAML SSO for new users or for selected users.
    Using SAML SSO, Qualys acts as a Service Provider and provides cloud security and compliance services. Your organization's SSO solution acts as an Identity Provider that manages usernames, passwords and configurations used to authenticate users for our services.
    Note that users with SAML enabled for UI access do not have API access.

    Options: VeriSign Identity Protection (VIP).  Qualys includes support for VeriSign Identity Protection (VIP) two-factor authentication. Managers have the option to require VIP authentication for all subscription users or for specific users. Any user can opt in.
    When VIP authentication is required for a user account, logging into the user interface is a two-part process. First the user provides their Qualys credentials (login name and password) followed by their VIP credentials (VIP credential ID and one-time security code).

    Asset Groups.  (Appears only for Scanner, Reader, Contact) Use this section to assign asset groups. Refer to “Adding Scanners and Readers.”

    Permissions.  (Appears only for Unit Manager, Scanner, Reader) Select extended permissions.
    - Add assets (Unit Manager)
    - Create/edit remediation policy (Unit Manager)
    - Create/edit authentication records/vaults (Unit Manager)
    - Create option profiles (Unit Manager, Scanner)
    - Create/edit virtual hosts (Unit Manager, Scanner)
    - Purge host information/history
    - Manage compliance
    - Manage web applications


    DEFINING SCOPE OF USER ACTIONS

    The scope of user actions is defined by each user’s user role and other user account properties, including asset group responsibility. The diagram below illustrates a sample subscription with multiple users and two business units.

    Using Asset Group Conventions

    By applying conventions for organizing and naming your asset groups, you can more effectively manage vulnerabilities and their remediation.

    Flexible asset groups support any organizational method you desire. Asset groups can be defined by importance, priority, location, business function or ownership. It’s often the case that rollout projects organize assets in a number of different ways. Keep in mind that the same asset may be defined in multiple asset groups.

    Asset group names appear throughout the application for quick identification. It’s recommended that you adopt a naming scheme for your asset groups. An asset group’s grouping method can be reflected in its name, for example.

    When the policy compliance module is enabled, asset groups containing compliance hosts are assigned to user-defined policies for compliance testing and reporting.


    BEST PRACTICES

    Understand your network and the people managing the systems.  Evaluate the number of users you expect and what their responsibilities will be, and then match them to asset groups and business units accordingly.

    Follow asset grouping guidelines.  When creating asset groups, apply some conventions for naming and organizing them. As an option, you may use the asset management workflows from map reports and asset search reports to add assets to asset groups. See Chapter 3 for information.

    ROLLOUT STEPS

    Add asset groups and business units. 

    Add user accounts.  Add Managers, Unit Managers, Scanners and Readers as appropriate for your rollout project.

    View users and their asset groups.  Refer to the Hierarchy Chart to assist with building teams and managing users.

    Adding Asset Groups

    To add a user — except a Manager user — there must be asset groups in your account before you can add the user account. For a Scanner, Reader or Contact, asset groups are assigned directly to the user account. A business unit includes asset groups. Each Unit Manager is assigned to a business unit and inherits the asset groups in their assigned business unit.

    To add an asset group go to Assets > Asset Groups. From the asset groups list, select New > Asset Group.

    In the new asset group wizard, enter an asset group title, following some naming convention, and other settings in the sections provided.

    Asset Group Section: Settings

    IPs.  IP addresses/ranges to be used as scan targets.

    Domains.  Domains to be used for network discovery targets.

    Scanner Appliances.  Scanner Appliances for internal scanning of devices on the Intranet, inside the corporate network. This section appears only when a Scanner Appliance is available in your account. See “Scanner Appliance Installation and Setup.”

    Business/CVSS Info.  Business information, including a business impact level used for calculating business risk in reports. An impact level of “High” is automatically assigned to new asset groups.


    Adding Scanners and Readers

    For a Scanner or Reader, when you use the wizard to add or edit a user account, you grant the user access to assets for scanning (IP addresses, domains and Scanner Appliances) by assigning asset groups in the Asset Groups section. Simply add asset groups to the Assigned Asset Groups list on the right.

    Notes about adding users within a business unit: Unit Managers can create Scanners and Readers for their own business units. When a Unit Manager adds a new user, the asset groups in the Available list correspond to the asset groups in the Unit Manager’s business unit. Unit Managers are responsible for managing assets and users in their own business unit.

    Adding Business Units

    A business unit consists of asset groups so you must add asset groups before you begin. There are two workflows for adding a business unit. You can do this when adding a Unit Manager account (see “Adding Unit Managers to Business Units” below) or when viewing the business units list.

    To add a business unit from the business units list, go to Users > Business Units. From the business units list, select New > Business Unit.


    Using the new business unit wizard, enter a business unit name. In the Assets section, assign the business unit assets for scanning (IP addresses, domains and Scanner Appliances) by moving selected asset groups to the Assigned Asset Groups list. One asset group is required. In the Users section you can assign users to the asset group (optional).

    Managers can limit the number of new IP addresses that Unit Managers can add, when these users have accounts with permission to add assets. To enable these controls, go to Setup > Business Units and select the option “Enable limiting the number of new IPs that Unit Managers can add”.

    When enabled, Managers have the option to assign a New IP Limit to a business unit. The New IP Limit is the total number of new IP addresses (not already in the subscription) that Unit Managers can add. A unique New IP Limit may be assigned to each business unit.
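    As an added example (not Qualys code), the following Python validates the comma-separated IP addresses/ranges format that the Host IPs wizard accepts, works out which requested addresses are already in the subscription, and checks the genuinely new ones against a business unit's New IP Limit. The subscription contents, the request and the used_so_far counter (the running total already consumed against the limit) are constructed assumptions.

```python
"""Added example, not Qualys code: validate the comma-separated "IP addresses/ranges"
entries accepted by the Host IPs section, work out which of them are new to the
subscription, and check them against a business unit's New IP Limit.
All addresses below are constructed sample data (private / documentation ranges)."""
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Set


def _expand_entry(entry: str) -> Set[IPv4Address]:
    """Expand one entry: a single address ('10.0.1.5') or a hyphenated range
    ('10.0.2.0-10.0.2.15'), the two forms the wizard describes.
    Raises ValueError for a malformed address or a reversed range."""
    if "-" in entry:
        start_s, end_s = (part.strip() for part in entry.split("-", 1))
        start, end = IPv4Address(start_s), IPv4Address(end_s)
        if end < start:
            raise ValueError(f"range end precedes start: {entry}")
        return {IPv4Address(n) for n in range(int(start), int(end) + 1)}
    return {IPv4Address(entry)}


def parse_host_ips(text: str) -> Set[IPv4Address]:
    """Parse the whole comma-separated list into a set of addresses.
    Empty entries (for example a trailing comma) are ignored."""
    hosts: Set[IPv4Address] = set()
    for entry in (e.strip() for e in text.split(",")):
        if entry:
            hosts |= _expand_entry(entry)
    return hosts


def find_invalid_entries(text: str) -> List[str]:
    """Return the entries that fail validation, so they can be corrected before
    the list is submitted in the wizard."""
    bad: List[str] = []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        try:
            _expand_entry(entry)
        except ValueError:
            bad.append(entry)
    return bad


def new_ip_check(requested: str, subscription: Iterable[str],
                 new_ip_limit: int, used_so_far: int = 0) -> Dict[str, object]:
    """Count requested IPs already in the subscription versus genuinely new ones,
    and report whether the new ones fit in what remains of the business unit's
    New IP Limit. The limit is a total, so IPs the unit already added count against
    it; 'used_so_far' models that running total (an assumption of this example)."""
    wanted = parse_host_ips(requested)
    existing = parse_host_ips(",".join(subscription))
    new = wanted - existing
    remaining = max(new_ip_limit - used_so_far, 0)
    return {
        "requested": len(wanted),
        "already_in_subscription": len(wanted & existing),
        "new": len(new),
        "remaining_limit": remaining,
        "allowed": len(new) <= remaining,
    }


# Constructed sample data: the subscription already holds 10.0.1.0-10.0.1.255 and
# one documentation-range host; the request mixes existing and new addresses.
SUBSCRIPTION = ["10.0.1.0-10.0.1.255", "192.0.2.10"]
REQUEST = "10.0.1.5, 10.0.1.200-10.0.1.202, 10.0.3.1-10.0.3.4, 192.0.2.11"

if __name__ == "__main__":
    print(find_invalid_entries("10.0.1.5, 10.0.1.300, 10.0.2.10-10.0.2.1"))
    print(new_ip_check(REQUEST, SUBSCRIPTION, new_ip_limit=10, used_so_far=6))
```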


    Adding Unit Managers to Business Units

    Manager users can choose to add a Unit Manager to a new or existing business unit. A Unit Manager can be assigned to only one business unit, and this user has the option to add additional users to the same business unit — Unit Managers, Scanners and Readers.

    To add a new user, go to Users. From the user accounts list, select New > User. Using the wizard, select the Unit Manager user role and a business unit name. Tip: Click the New Business Unit button to add a new business unit, if it doesn’t already exist.

    User Hierarchy Chart

    The user hierarchy chart provides a list of users in the subscription according to the organization’s business structure. To view this chart, go to Users and then select Filters > Hierarchy Chart. See the sample chart below. The asterisk denotes the subscription contact (Manager) and the contact for each business unit (Unit Manager).


    Transfer Users to Business Units

    Managers have the ability to transfer existing users to a business unit using a simple workflow within the business unit. The user transfer workflow supports the smooth transition of users and their configurations.

    When adding or editing a business unit, the users section shows users assigned to the business unit and users in the subscription who may be added. You may sort and view the users list in many ways — by user name, user role, business unit and asset group.

    To add users, go to the Users section and move users, already in the subscription, to the Assigned Users list (on the right) and then click Save.

    The transfer wizard appears. In the Options section confirm the user transfer and select options. You may choose to keep users’ personal configurations and asset groups. Please be aware that if you move users’ personal configurations without the asset groups, it’s possible user configurations may need to be modified after the transfer (for example, in order for user schedules to run as defined). For more information, see the online help.


    Transfer Business Objects to Users

    Managers and Unit Managers have the ability to transfer business objects from one user to another in the subscription. Business objects that can be transferred include asset groups, option profiles (scan settings), report templates, scan schedules, and search lists. The ability to transfer business objects from one user to another supports organization changes to infrastructure and responsibility over time.

    Ownership of Business Objects

    When editing a business object such as an asset group, you can assign an owner for the object using the Owner drop-down menu in the top section.

    The Owner menu lists all users who can be assigned the asset group. Possible assignees depend on the role of the manager making the transfer and the user’s business unit.

    Manager Doing Transfer | Owner’s Business Unit | Possible New Owner
    Manager | Unassigned | Manager or Scanner in current owner’s business unit
    Manager | Custom | Manager in Unassigned business unit, or Unit Manager in current owner’s business unit
    Unit Manager | Custom | Unit Manager or Scanner in current owner’s business unit


    In the case where a Manager transfers an asset group from a user in a custom business unit to a Manager (in the Unassigned business unit), the asset group automatically remains in the custom business unit so that users in the custom business unit can continue to use it.

    Deleting Users

    Managers and Unit Managers have the ability to delete users. Managers can delete any user in the subscription, while Unit Managers can delete users in their own business unit.

    To delete a user from the user accounts list, select the check box next to the user you wish to delete, and then select Actions > Delete. It’s possible to select multiple check boxes to delete multiple users in bulk.

    Confirm the user delete action. You’ll have the option to delete the user’s scan results. Also you’ll have the option to transfer the user’s business objects to another user. These objects include profiles, report templates, asset groups, scheduled tasks, authentication records, policies, exceptions, vulnerability tickets and search lists.

    Map and Scan Results.  When map and scan results are deleted, results will no longer be available to other users for reporting.

    User Business Objects.  Assign the user’s business objects to another user or select “No New Owner”. Possible assignees are Managers plus other users with the same or greater user role as the user you are deleting. For example, if deleting a Scanner, the New Owner menu lists Managers plus Unit Managers and Scanners in the user’s same business unit. When “No New Owner” is selected, the user’s personal business objects are deleted.


    SCANNER APPLIANCE INSTALLATION AND SETUP

    Installing Qualys Scanner Appliances allows you to scan for security vulnerabilities on your internal network. The number of Scanner Appliances for your enterprise will depend on the size and configuration of your network. Once installed, each Scanner Appliance keeps itself updated with the latest vulnerability signatures via its connection to the Qualys platform at the Security Operations Center (SOC).

    BEST PRACTICES

    Plan for Scanner Appliance installations.  First evaluate your network setup and access to the Qualys platform. Qualys Support is available to assist you with network evaluation and analysis to determine the recommended number of Scanner Appliances for your organization.

    Place Scanner Appliances as close to targets as possible.  It’s best to place Scanner Appliances as close to scan targets as possible to minimize latency and maximize bandwidth for scanning traffic, which is much heavier than reporting traffic.

    ROLLOUT STEPS

    Add user account for installation.  A Qualys user account is required to install each appliance. It’s recommended that you create a dedicated Qualys user account - a Manager or Unit Manager account is required. See “Adding User Accounts.”

    Physical Scanner Appliances.  Follow the simple 3-step installation steps in the Qualys Scanner Appliance User Guide. You can download the latest version from the online help.

    Virtual Scanner Appliances.  Qualys offers multiple distributions to support deployments on multiple virtualization platforms. For information, see the Qualys Virtual Scanner User Guide. You can download the latest version from the online help.


    Planning Appliance Installation

    Review the sections below for assistance with planning for appliance installation.

    Network Configuration Requirements

    The Qualys Scanner Appliance has the following network requirements.

    Outbound HTTPS Access.  The local network must be configured to allow outbound https (port 443) access to the Internet, so that the Scanner Appliance can communicate with the Qualys platform.

    Accessibility of Target IPs.  The IP addresses for the hosts to be scanned must be accessible to the Scanner Appliance. This is particularly important if your network is designed with VLANs.

    Proxy Support.  The Scanner Appliance includes Proxy support with or without authentication — basic or NTLM. The Proxy server must be assigned a static IP address and must allow transparent SSL tunneling. Proxy-level termination (as implemented in SSL bridging, for example) is not supported.

    VLANs, Static Routes and IPv6 Support.  Supported on all platforms except Amazon EC2/VPC.

    Network Traffic Options

    The Qualys Scanner Appliance traffic connections are established from the Scanner Appliance to the Qualys platform over HTTPS port 443 and secured with SSL. There are two network traffic configurations: Standard and Split.

    In the Standard network configuration, which is enabled by default, the LAN connector services both scanning traffic and management traffic to the Qualys platform.

    In the Split network configuration, the Scanner Appliance separates scanning traffic and management traffic, using both the LAN and WAN connectors. No internal traffic is routed or bridged to the WAN port, and no management traffic is routed or bridged to the LAN port.

    The Scanner Appliance implements logical separation of scanning traffic and management traffic, regardless of which configuration option is used. Management traffic includes updates to software and vulnerability signatures, ensuring the overall health of the appliance, as well as data related to processing security audits.


    Scanning and Firewalls

    Executing a scan or map against a device shielded by a firewall is a common operation. Every day the Qualys scanning engine executes thousands of scans and maps in network topologies that protect their servers with firewalls without any issues. Problems can arise when the scan traffic is routed through the firewall from the inside out, i.e. when the Scanner Appliance is sitting in the protected network area and scans a target which is located on the other side of the firewall. Many modern firewalls are configured to track connections, maintain NAT and ARP tables, and a scan operation against a large set of targets can overload these tables. The consequences of such overflows are varied and range from slowdown of the firewall functions to a complete crash.

    We recommend placing Scanner Appliances in your network topology in a way that scanning and mapping through a firewall from the inside out is avoided if possible. If not, we recommend you perform your own assessment testing on your network to validate the impact to your firewall. The accuracy of your scan may also be impacted so you should compare expected results against the detailed results provided in your Qualys reports. It’s possible this can be service impacting as the scan results might differ.

    Custom VLANs for VLAN Trunking

    Qualys gives users the ability to configure Scanner Appliances with custom VLANs to support VLAN trunking on the LAN interface for scanning traffic. Using the LCD interface, you can define one VLAN configuration per appliance. Using the Qualys web application, you can define up to 99 VLANs and 99 static routes for each appliance. When a VLAN configuration is provided and the appliance is properly configured with a Static IP network configuration, the appliance adds a VLAN tag to all scanning packets following the 802.1Q tagging protocol. The VLAN tag designates which VLAN the traffic should be routed to for the hosts being scanned.


    MANAGING YOUR APPLIANCES

    Upon completion of the 3-Step Quick Start, a Scanner Appliance is installed in the subscription account and it appears in your scanner appliances list. Go to Scans > Appliances to view your scanner appliances list. This is where you manage your appliances.

    BEST PRACTICES

    Check Scanner Appliance Status before you start scanning.  Check the scanner appliance status within your Qualys account to be sure the status is online and the most recent heartbeat check performed by the service was successful for the appliances in your account.

    Evaluate which Scanner Appliances to add to which Asset Groups.  Once installed, a Scanner Appliance is available to all Managers. Other users (Unit Managers, Scanners, Readers) must be granted access to Scanner Appliances. To do this you add the appliances to asset groups and then assign the groups to user accounts and/or business units.

    ROLLOUT STEPS

    View your Scanner Appliances.  View and manage Scanner Appliances in your Qualys account from the scanner appliances list.

    Check out the Scanner Capacity Chart.  This chart shows the percentage of used capacity for the appliance over the past 7 days. Also the service calculates a capacity trend so you can track usage over time.

    Grant users access to Scanner Appliance.  Only Managers can view/access newly installed Scanner Appliances. See “Assign Scanner Appliances to Asset Groups” and “Grant Users Access to Scanner Appliances.”


    View Your Scanner Appliances

The Appliances list helps you understand the status of each appliance and to see available capacity for scanning.

1) Readiness for Scanning. A status icon indicates that the scanner appliance is currently connected to the New Scanner Services and is ready to process scans. You can also see whether the appliance is currently busy with a scan; a separate icon indicates the appliance is busy.

2) Appliance Type. One icon indicates that the scanner appliance is a physical appliance, another indicates a virtual appliance. Mouse over any icon for details.

3) Appliance Summary. The summary includes the number of heartbeat checks missed, and the latest software versions of the scanning engine and vulnerability signatures. If the appliance does not have the latest software installed then you’ll see a yellow indicator next to the version.

4) Understand the Available Capacity. You’ll see the amount of capacity currently available for the appliance. This helps you better understand which scanner appliances get the most use and which appliances are available for scanning. Available Capacity appears only in accounts with New Scanner Services enabled.


    Check Out the Scanner Capacity Chart

You can see the Scanner Capacity chart by going to the appliance information window (select Info from the Quick Actions menu). The chart shows the percentage of used capacity for the appliance over the past 7 days. (Note this chart appears only when New Scanner Services is enabled for your account.)

The Scanner Capacity chart shows the capacity of the appliance within the past 7 days, calculated in 15 minute increments. Place your cursor over any point in the chart to see the used capacity for that moment in time, expressed as a percentage. For example Used Capacity: 18% means the appliance used 18% of its capacity and 82% of its capacity was available at that time. You’ll see the date and time the capacity was calculated.

A trend line shows you the capacity trend, calculated in 6 hour intervals. Every 6 hours the service takes an average of the used capacity and shows this in the middle of a 6 hour window. For example, for the period 3pm to 9pm the average appears at 6pm. Average over 6 hours: 10% means the average of the used capacity was 10% and 90% of its capacity was available for the 6 hour window.
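To make the chart arithmetic concrete, here is an added example (not code from the guide or from Qualys) that takes 15-minute used-capacity samples, averages them over consecutive 6-hour windows and places each average at the middle of its window, exactly as the trend line described above does. The samples are constructed: the 3pm to 9pm window alternates 8% and 12% (average 10%, reported at 6pm), and the following window holds at 18%. The function names and the choice of where the first window starts are this example's own assumptions.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

SAMPLE_INTERVAL = timedelta(minutes=15)   # used-capacity is calculated in 15 minute increments
TREND_WINDOW = timedelta(hours=6)         # the trend averages over 6 hour windows

Sample = Tuple[datetime, float]           # (time of calculation, used capacity in %)


def available_capacity(used_pct: float) -> float:
    """Used Capacity 18% means 82% of the appliance's capacity was available."""
    return 100.0 - used_pct


def busiest_sample(samples: List[Sample]) -> Sample:
    """The single 15-minute point with the highest used capacity."""
    return max(samples, key=lambda s: s[1])


def trend_points(samples: List[Sample], first_window_start: datetime) -> List[Tuple[datetime, float]]:
    """Average the samples over consecutive 6-hour windows.

    Each average is reported at the middle of its window, so the 3pm-9pm window
    produces a point at 6pm. Windows that contain no samples are skipped.
    """
    ordered = sorted(samples)
    if not ordered:
        return []
    points: List[Tuple[datetime, float]] = []
    start = first_window_start
    last_sample_time = ordered[-1][0]
    while start <= last_sample_time:
        stop = start + TREND_WINDOW
        in_window = [used for t, used in ordered if start <= t < stop]
        if in_window:
            average = round(sum(in_window) / len(in_window), 1)
            points.append((start + TREND_WINDOW / 2, average))
        start = stop
    return points


def constructed_samples() -> List[Sample]:
    """Constructed 15-minute samples for a 12-hour period (not data from a real appliance).

    3pm-9pm alternates 8% and 12% (average 10%); 9pm-3am holds steady at 18%.
    """
    start = datetime(2015, 8, 4, 15, 0)
    samples: List[Sample] = []
    for i in range(48):                                   # 48 samples = 12 hours
        t = start + i * SAMPLE_INTERVAL
        used = (8.0 if i % 2 == 0 else 12.0) if i < 24 else 18.0
        samples.append((t, used))
    return samples


if __name__ == "__main__":
    data = constructed_samples()
    for when, average in trend_points(data, data[0][0]):
        print(f"{when:%Y-%m-%d %H:%M}  average over 6 hours: {average}%  "
              f"({available_capacity(average)}% available)")
```

A trend line that climbs toward 100% over several days is the signal to add another appliance to the asset groups that use the busy one, or to spread scheduled scans across a wider window.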


    Take Actions on Appliances

A Manager views all Scanner Appliances installed by all users in the subscription. Unit Managers, Scanners and Readers view the Scanner Appliances available in their account.

Use the Quick Actions menu (in the data list row) to view scanner appliance information and make changes to its settings.

Scanner Appliance Information

Select Quick Actions > View to view appliance information. Under General Information you’ll see the appliance friendly name, polling interval, serial number, status and heartbeat check setting. The service automatically performs a heartbeat check every 4 hours to determine if the appliance is online and able to contact the Qualys platform.

Additional sections show LAN settings, WAN settings, proxy settings, users granted access to the appliance, asset groups containing the appliance, installed software versions and user-defined comments.


    Edit Scanner Appliance

Select Quick Actions > Edit to edit appliance settings. Managers have the ability to edit the settings for all appliances in the subscription. Unit Managers have the ability to edit the settings for appliances in their business unit.

Versions and Automatic Updates

Scanner Appliance software is distributed automatically by the service several times a day. Both vulnerability signatures (including vulnerability and compliance checks) and scanner components are updated automatically. For this reason, you do not need to take any action to update software versions. When an automatic software update is in progress, the S2 LED on the Scanner Appliance front panel is lit. The first time you complete the Quick Start to install a Scanner Appliance on your network, the S2 LED on the front panel is lit while the first software update occurs. It is recommended to wait until the S2 LED light is off, when it is safe to run maps and scans.

When editing Scanner Appliance settings in Qualys, you can request a software update if the appliance is not updated with the latest software versions.


Versions include: Vulnerability Signatures, Scanner (scanning engine software), and Software (Scanner Appliance system software, installed on the appliance itself).

Under Versions, when the installed software version is current, a green check mark appears next to the components. When the software version is not current and a new version is available, a red strike mark appears and you have the option to click the Update Now button to start the software update. Depending on your network load and download file sizes, the time it takes to update the software will vary.

    Assign Scanner Appliances to Asset Groups

Assigning Scanner Appliances to asset groups in the Qualys web application allows you to manage which Scanner Appliances are used to scan which target IPs. It also provides a way for you to make Scanner Appliances available to user accounts with limited privileges (Scanners, Readers, Unit Managers).

For large enterprises, the scanner parallelization feature may be used to increase scan speed when asset groups are defined with Scanner Appliances and IP addresses. See “Scanner Parallelization” on page 99 for details.

Where do I manage my asset groups? Go to Hosts > Asset Groups. From there you can add a new asset group or edit an existing one. In the asset group wizard, go to the Scanner Appliances section and move appliances to “Scanner Appliances Added to Group.”

Need help with organizing your assets? See “Asset Categorization and Workflows” in Chapter 3 where we discuss how to use Qualys to identify, prioritize and classify assets into asset groups.


    Grant Users Access to Scanner Appliances

Manager users are granted access to a newly installed Scanner Appliance automatically. Other users (Unit Managers, Scanners, Readers) are not granted access to a newly installed Scanner Appliance without authorization. Initially, these users do not view the Scanner Appliance when they log into their accounts.

How to Grant Access to Unassigned Users

Unassigned users are users assigned to the Unassigned business unit; these users will have the Scanner or Reader role. Just follow these steps (Manager role is required):

1 Add the Scanner Appliance to one or more asset groups.

2 Assign the asset groups containing the Scanner Appliance to each user account. You need to edit each user’s account and add the asset groups to the user’s Assigned Asset Groups list.

    How to Grant Access to Users in Business Unit

     Just follow these steps (Manager role is required for some or all steps):

    1 Manager: Add the Scanner Appliance to one or more asset groups.

    2 Manager: Add the asset groups containing the Scanner Appliance to the target business unit. This grants Unit Managers access to the appliance.

3 Manager or Unit Manager: Assign the asset groups containing the Scanner Appliance to each user account. You need to edit each user’s account and add the asset groups to the user’s Assigned Asset Groups list.

    Multiple Scanner Appliances and Business Units

It’s best practice for effective global management to follow the steps below (the user role required for each step is indicated):

1 Manager: Add a master asset group for each business unit, where each master asset group contains all IPs and domains for an individual business unit. Since these asset groups are created by a Manager, they can be edited only by Manager users. Note Scanner Appliances will be added to these asset groups later in Step 6.

    2 Manager: Add business units by adding a master asset group to each.

    3 Manager: Add the first Unit Manager to each business unit.

4 Manager or Unit Manager: Add more users to each business unit. Unit Managers have the ability to add additional users (Unit Managers, Scanners, Readers) to their assigned business unit.


5 Manager or Unit Manager: Install Scanner Appliances. After completing this step, only Managers have privileges to view and manage the appliances.

6 Manager: Assign Scanner Appliances installed in Step 5 to the master asset group for each business unit. Completing this step makes the Scanner Appliances for each business unit available to Unit Managers.

7 Manager or Unit Manager: Manage the installed Scanner Appliances assigned to a business unit. A Manager can manage all appliances assigned to all business units. A Unit Manager can manage appliances assigned to their own business unit.

    Replace Scanner Appliance

The Replace Scanner Appliance workflow allows easy replacement of scanner appliances and their settings. This workflow for replacing a scanner appliance performs bulk migration of all scanner settings to the new scanner appliance.

Permissions: This workflow is available to Managers and Unit Managers. Managers have the ability to replace any scanner appliance in the subscription. Unit Managers have the ability to replace any scanner appliance assigned to their business unit.

A few things to consider

The new Scanner Appliance must be installed in your account. See “Scanner Appliance Installation and Setup” for assistance.

It's recommended that you do not replace a scanner appliance while scans are in progress. Running and paused/resumed scans will not be updated to use the new appliance. The service will attempt to complete these scans using the old appliance.

    Tell me the steps

    1 Go to Scans > Appliances.

    2 Select New > Replace Scanner Appliance.


3 Under Replace Scanner Appliance, choose the old and new scanner appliance and click Replace. Important: If the new appliance is currently defined in asset groups and scheduled tasks, then it will be removed from those business objects.

4 Review the warning message and then click the View Report button to see the scanner appliance settings to be migrated to the new appliance.

5 Review the Replace Scanner Appliance Report. It’s recommended that you do not replace a scanner appliance if scans are running.

    6 Close the report and click the Replace button.


    VULNERABILITY SCANNING

Getting started with security auditing involves learning about Qualys security audits and developing an approach to security auditing that will meet your organization’s network security goals. Typically multiple users participate in security auditing. It’s important to demonstrate the value of Qualys to gain the trust and confidence of the operating teams and outsourcers. The best way to do this is to support them in their first experiences with security auditing and to provide them with guidelines, which are the focus of this chapter.

Qualys gives users the ability to learn more about their network environment first, before launching security audits on an enterprise scale. In fact this is reported by many customers with successful rollouts as an ingredient for their success with their rollout project. This chapter discusses network discovery and workflow features that are designed to assist users with learning more about their networks.

To get started with security auditing in the quickest time, please complete the following activities in the order presented:

     •  NETWORK DISCOVERY

     •  ASSET CATEGORIZATION AND WORKFLOWS

     •  YOUR FIRST SCANS

     •  VULNERABILITY KNOWLEDGEBASE

     •  CUSTOMIZING SCANS

     •  CURRENT HOST INFORMATION


    NETWORK DISCOVERY

Network discovery produces a baseline map of your network infrastructure from which you can identify and categorize assets. Depending on your network, there may be more than one network domain to discover.

The network discovery feature identifies network devices and reports comprehensive information about them. Starting with a domain name you supply such as “mycompany.com”, the service uses the domain’s DNS to discover hosts and gather information about hosts. Map results are available in both text and graphic formats.

    BEST PRACTICES

Perform network analysis before you begin.  Perform network analysis with the Security and Network teams at the outset of the project to produce a working inventory of your organization’s assets.

Use Qualys mapping to understand your network.  Use the Qualys mapping feature to produce a map of your network and learn about the devices it contains. Check the map results and compare against your own asset inventory.

    ROLLOUT STEPS

View the domains in your account in the Domain Assets section. Run an on demand map for a target domain using the profile “Initial Options” and view the map results. To make the maps manageable, you may choose to run multiple maps on separate network segments. Then schedule one or more maps to run weekly, and run differential reports to measure network changes.

    Figure 3-1. Network Discovery workflow


    Launch a Map

    Go to Scans > Maps. Then select New > Map.

In the Launch Map window, enter a map title, select an option profile (the profile "Initial Options" is recommended to get started) and map targets under Target Domains. For the map target, you may specify any combination of IPs/ranges, domains and asset groups. When Scanner Appliances are in your account, select a scanner option on the Scanner Appliance menu. Click Launch to start the map.

For each map request, we’ll create one or more maps, depending on the map targets you specify. When multiple maps are created, they’ll share the same map title.

You can track the map’s progress on the Maps tab. You’ll see the status Running when the map is in progress, and the status Finished indicates the map has completed. You can cancel a map in progress at any time by selecting the map (row) and then selecting Actions > Cancel.

    View Map Results

From the maps list you can view map results when the map status is Finished. To view map results, go to the maps list (go to Scans > Maps). Mouse over a map (row), click and then select View from the Quick Actions menu. A Report Summary is followed by a Results section with information on discovered hosts.

Host indicators in the Results section provide additional host information. A - Approved host for the domain. S - Scannable host, already in the subscription. L - Host was alive at time of discovery. N - Host in the domain’s netblock. In the Hosts section, you can view host details for each discovered host.

Click the right arrow next to any host to view a list of open services on the host. You’ll find the discovery method used to detect each service along with the port that the service was found to be running on (if available).

    For a scannable host, click the host IP address to view detailed, current host information.
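The best practice earlier in this section is to compare map results against your own asset inventory. The following added example (not code from the guide or from Qualys) does that comparison using the A/S/L/N host indicators just described. The map results text, its column layout and the inventory are constructed for the example; the real map report is read through the Qualys user interface or its exports, so treat the line format here as an assumption and adapt the parser to the export you use.

```python
from typing import Dict, List, Set, Tuple

# Host indicators as defined in the Results section of a map report.
INDICATORS = {
    "A": "approved host for the domain",
    "S": "scannable host, already in the subscription",
    "L": "host was alive at time of discovery",
    "N": "host in the domain's netblock",
}

# Constructed map results (not output copied from the service):
# IP, DNS name ("-" when none was found), comma-separated indicators.
CONSTRUCTED_MAP_RESULTS = """\
10.10.1.10  www.example.com   A,S,L,N
10.10.1.11  ftp.example.com   A,L,N
10.10.1.12  -                 L,N
10.10.1.13  mail.example.com  A,S,N
"""

# Constructed asset inventory maintained by the Security and Network teams.
CONSTRUCTED_INVENTORY: Set[str] = {"10.10.1.10", "10.10.1.11", "10.10.1.13", "10.10.1.20"}

Host = Tuple[str, str, Set[str]]   # (ip, dns name, indicator set)


def parse_map_results(text: str) -> List[Host]:
    """Turn the constructed results text into (ip, dns, indicators) tuples."""
    hosts: List[Host] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, dns, flags = line.split()
        flag_set = set(flags.split(","))
        unknown = flag_set - set(INDICATORS)
        if unknown:
            raise ValueError(f"unknown indicator {sorted(unknown)} on {ip}")
        hosts.append((ip, dns, flag_set))
    return hosts


def reconcile(hosts: List[Host], inventory: Set[str]) -> Dict[str, List[str]]:
    """Group hosts into the review buckets a rollout team cares about."""
    discovered = {ip for ip, _, _ in hosts}
    return {
        # Alive but not in the subscription: cannot be scanned until the IPs are added.
        "alive_not_scannable": sorted(ip for ip, _, f in hosts if "L" in f and "S" not in f),
        # Alive but absent from the inventory: an unknown device to investigate.
        "alive_not_in_inventory": sorted(ip for ip, _, f in hosts if "L" in f and ip not in inventory),
        # In the subscription but not alive when mapped: confirm decommissioned or filtered.
        "scannable_not_alive": sorted(ip for ip, _, f in hosts if "S" in f and "L" not in f),
        # The inventory lists it but the map never saw it.
        "inventory_not_discovered": sorted(inventory - discovered),
    }


if __name__ == "__main__":
    for bucket, ips in reconcile(parse_map_results(CONSTRUCTED_MAP_RESULTS),
                                 CONSTRUCTED_INVENTORY).items():
        print(f"{bucket}: {', '.join(ips) or 'none'}")
```

Running the same reconciliation after each weekly scheduled map, together with the differential report, turns the map from a one-time snapshot into a standing check that nothing has appeared on the network outside the inventory.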


View Map Results - Graphic Mode

Go to View > Graphic Mode from the menu at the top of your report. Qualys will prepare a graphical representation of the map in a separate window. Here is an example:

Click on any host in the map to see details in the Preview pane (below). You’ll see basic information on the discovered host, its OS, and how it was identified:


    Map Settings


Target Domains

Each time you launch or schedule a map, you specify one or more map targets in the Target Domains section. You may specify any combination of registered domains, IP addresses/ranges, and asset groups. When you select an asset group for the map target, you have the option to map the domains and/or the IPs defined in the asset group.

When multiple map targets are submitted in a single map request, we’ll automatically create multiple map reports - 1 report for each registered domain and for each group of IPs. For example, if you enter 2 registered domains, then we’ll create 2 map reports. If you enter 2 registered domains plus a range of IPs, then we’ll create 3 map reports. All of the maps created from a single request will share the same map title. The Targets column in your Maps list identifies the registered domain name or the IP addresses/ranges included in each map report.

What are netblocks? When your map target is a registered domain, netblocks are used to expand the scope of discovery beyond the domain itself - the IPs in the netblocks are included in the discovery process and resulting maps. When your map target is the special “none” domain, discovery is limited to the user-configured IPs/ranges.

Tell me about using the “none” domain. First define the “none” domain with IPs/ranges in your account, add the “none” domain to asset groups, and then launch maps on this domain. We recommend these option profile settings for the scan: “Perform Live Host Sweep” and “Exclude Hosts Only Discovered via DNS”.

Option Profile

Your network scan (map) configuration settings are defined in an option profile. We recommend the profile “Initial Options” to get started with your first maps. You may choose to customize this profile. See “Option Profile Settings” and the online help for details.


    Scanner Selection


External scanners are available for mapping external domains. When there are Scanner Appliances in your account, you select a scanner option for internal scanning from the Scanner Appliance menu. Note that you need to use a Scanner Appliance to create maps for internal domains (those with private use internal IPs).

    About Network Discovery

When a target domain is provided, the discovery process begins by using the target domain’s DNS to find as many hosts within that domain as possible. Then information is gathered about each identified host.

The following methods are used to find hosts within the specified domain:

 •  The service identifies the Name Server (NS), and then sends a request to list all the hosts managed by the NS. Note that this request is not always allowed and may be forbidden by the administrator.

 •  Using a proprietary list of roughly 100 common names, such as www or ftp, to form a list of Fully Qualified Domain Names (FQDN), the service queries the NS to find the IP address assigned to each FQDN.

 •  The service sequentially checks IP addresses provided as netblocks in the domain specification, if any.

After hosts are identified, the service determines whether hosts are alive and gathers information about the hosts, such as information about the operating system and routers detected on each host. Operating system detection is mainly based on TCP/IP stack fingerprinting. Multiple information gathering methods may be employed. Note that the precise methods used relate to the option profile configuration.
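The three host-finding methods above, followed by the alive check, can be modelled offline. The following is an added example (not code from the guide or from Qualys) that runs them against a constructed name server for your own domain: a zone listing if the administrator permits it, otherwise common-name lookups plus a sequential walk of the netblocks, and then a filter to the hosts that answered a probe. The `StubNameServer` class, the five-entry name list (standing in for the service's proprietary list of roughly 100 names) and the 192.0.2.0/24 documentation addresses are all constructed for the example. It also shows why netblocks matter: a host whose name is not on the common list is only found through its netblock when zone listing is refused.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed short stand-in for the proprietary list of common names.
COMMON_NAMES = ["www", "ftp", "mail", "ns1", "vpn"]


class StubNameServer:
    """Constructed stand-in for the domain's name server; no DNS traffic is sent."""

    def __init__(self, records: Dict[str, str], allow_zone_listing: bool):
        self.records = dict(records)            # FQDN -> IP address
        self.allow_zone_listing = allow_zone_listing

    def resolve(self, fqdn: str) -> Optional[str]:
        return self.records.get(fqdn)

    def list_zone(self) -> Dict[str, str]:
        # Many administrators forbid this request; the stub models that refusal.
        if not self.allow_zone_listing:
            raise PermissionError("zone listing refused by the name server")
        return dict(self.records)


def find_hosts(domain: str, ns: StubNameServer, netblocks: Iterable[str]) -> Dict[str, str]:
    """Return candidate IP -> the method that found it first."""
    found: Dict[str, str] = {}
    # Method 1: ask the NS to list every host it manages.
    try:
        for ip in ns.list_zone().values():
            found.setdefault(ip, "zone-listing")
    except PermissionError:
        pass
    # Method 2: form FQDNs from common names and resolve each one.
    for name in COMMON_NAMES:
        ip = ns.resolve(f"{name}.{domain}")
        if ip:
            found.setdefault(ip, "common-name")
    # Method 3: sequentially check each address in the supplied netblocks.
    for block in netblocks:
        for addr in ipaddress.ip_network(block, strict=False).hosts():
            found.setdefault(str(addr), "netblock")
    return found


def alive_hosts(candidates: Dict[str, str], responders: Iterable[str]) -> Dict[str, str]:
    """Keep only candidates that answered a probe; discovery stops for the rest."""
    alive = set(responders)
    return {ip: how for ip, how in candidates.items() if ip in alive}


# Constructed zone data in the 192.0.2.0/24 documentation range.
CONSTRUCTED_RECORDS = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.20",
    "db01.example.com": "192.0.2.30",     # not on the common-name list
}
CONSTRUCTED_NETBLOCKS = ["192.0.2.24/29"]              # hosts .25 to .30
CONSTRUCTED_RESPONDERS = {"192.0.2.10", "192.0.2.20", "192.0.2.30"}

if __name__ == "__main__":
    ns = StubNameServer(CONSTRUCTED_RECORDS, allow_zone_listing=False)
    candidates = find_hosts("example.com", ns, CONSTRUCTED_NETBLOCKS)
    for ip, how in sorted(alive_hosts(candidates, CONSTRUCTED_RESPONDERS).items()):
        print(f"{ip:<12} found via {how}")
```

When you review a map of your own domain, the discovery method recorded for each host tells you which of these paths exposed it; a host reachable only through a netblock entry will drop out of the map if that netblock is ever removed from the domain definition.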

Scanner Appliance menu options (see “Scanner Selection” above):

Option                  Description
External                This option is set by default when there are no Scanner Appliances in your account. Select this option to use external scanners for external (perimeter) mapping.
Scanner Appliance name  Select a Scanner Appliance name to use the scanner for internal mapping.
Default                 Select this option to use the default scanner feature. When selected, the service uses the default scanner in each target asset group to map the group’s domains. The map task is distributed across various scanners and when mapping is complete the service compiles a separate map report for each domain.

Network discovery is a dynamic process that involves two main events: host discovery and basic information gathering. The standard behavior for these events is described below. The service enables this standard behavior in new option profiles, including the “Initial Options” profile. You can modify this standard behavior by creating or editing an option profile and applying the profile to the map request.

    Host Discovery

Upon receiving a map request for a registered domain, Qualys gathers data from public records to identify hosts using various methods including Whois lookups, DNS zone transfer, and DNS brute force. The service then checks availability of the hosts in the target domain. For each host, the service checks whether the host is connected to the network, whether it has been shut down and whether it forbids all Internet connections.

The service pings each target host using a combination of TCP, UDP, and ICMP probes based on the option profile configuration. If these probes trigger at least one response from the host, the host is considered “alive” and the service proceeds to the next event as described in “Basic Information Gathering on Hosts” below. If a host is found to be not alive, discovery stops for that host.

    The types o