QualysGuard Network Security Audits FAQs
- What is network discovery?
- What is an Inference-Based Scanning Engine?
- How does QualysGuard find vulnerabilities and characterize network systems?
- What types of devices does QualysGuard analyze during a scan?
- How many different types of vulnerabilities do you detect?
- What happens after QualysGuard detects a vulnerability? Do you provide information to help me correct the problem?
- Can I customize or configure QualysGuard scans to meet my needs?
- What impact will QualysGuard have on my network?
- How is the service bandwidth-efficient?
- How does the scanning service test a network for a Denial of Service (DoS) attack without bringing down the server or network device?
- How does QualysGuard audit remote database servers?
- Do firewalls interfere with QualysGuard scans?
- Does QualysGuard look for viruses, backdoors, and trojans?
- Does QualysGuard look for SNMP vulnerabilities?
What is network discovery?
Network discovery consists of the processes QualysGuard performs to identify each device that resides on your network. The result of the network discovery process is a map of all devices found. This map can be viewed in graphical or text format. In particular, the network map depicts:
- Network topology
- Access points to the network
- Machine names
- IP addresses
- Operating Systems
- Discovered services, such as HTTP, SMTP, Telnet, etc.
Below is a sample network map:
The network map can be downloaded in multiple formats, including PDF, ZIP (HTML), XML, MHT and CSV. Qualys also provides a tool for importing a network map from XML to Microsoft Visio.
What is an Inference-Based Scanning Engine?
QualysGuard conducts audits using its Inference-Based Scanning Engine, an adaptive process that intelligently runs only tests applicable to the host being scanned. Depending on the host profile discovered for each device (for example, operating system and version, ports and services), QualysGuard selectively runs tests applicable to the target device.
How does QualysGuard find vulnerabilities and characterize network systems?
QualysGuard uses a unique inference-based scan engine to find vulnerabilities. Each scan begins with a pre-scan module which accurately fingerprints a host. The fingerprinting is performed by sending a series of specially crafted packets to the host and interpreting the results. With a degree of accuracy exceeding 99%, QualysGuard is able to identify the host operating system, the services running, and the open ports. Once this information has been captured, the inference-based scan engine selects only the appropriate vulnerability checks to run, runs them, and interprets the results. This approach, consisting of the pre-scan and the inference-based scan engine, accelerates the scanning process, minimizes both the traffic load on your network and the contact with your systems, and improves overall accuracy.
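The selection step described in the two answers above (fingerprint first, then run only the checks that fit the host profile) can be sketched as follows. This is an added example, not Qualys code: the check IDs, catalogue layout, version thresholds and host profile are all constructed for illustration.

```python
# Added illustration: check IDs, catalogue and host profile are constructed, not QualysGuard data.
from dataclasses import dataclass
from itertools import takewhile
from typing import Optional

@dataclass(frozen=True)
class Check:
    check_id: str
    os_family: Optional[str]               # None: applies to any OS
    service: Optional[str]                 # None: host-level, no service needed
    below_version: Optional[tuple] = None  # only versions older than this

CATALOGUE = [                              # hypothetical checks
    Check("EX-0001", "windows", "smb"),
    Check("EX-0002", "linux", "ssh", (7, 4)),
    Check("EX-0003", None, "http", (2, 4, 50)),
    Check("EX-0004", None, "http"),
    Check("EX-0005", "linux", None),
    Check("EX-0006", None, "snmp"),
    Check("EX-0007", "linux", "ssh", (6, 0)),
]

def parse_version(text):
    """'2.4.41' -> (2, 4, 41); stops at the first non-numeric part."""
    return tuple(int(p) for p in takewhile(str.isdigit, text.split(".")))

def select_checks(profile, catalogue=CATALOGUE):
    """Return (check_id, port) pairs applicable to a fingerprinted host;
    port is None for host-level checks."""
    selected = []
    for check in catalogue:
        if check.os_family and check.os_family != profile["os_family"]:
            continue                       # wrong platform: never sent
        if check.service is None:
            selected.append((check.check_id, None))
            continue
        for port, (name, banner_version) in sorted(profile["services"].items()):
            if name != check.service:
                continue
            version = parse_version(banner_version)
            # Unknown version: keep the check rather than miss a finding.
            if check.below_version and version and version >= check.below_version:
                continue
            selected.append((check.check_id, port))
    return selected

# Constructed pre-scan (fingerprint) result for one host.
HOST = {"os_family": "linux",
        "services": {22: ("ssh", "7.2"), 80: ("http", "2.4.41"), 8080: ("http", "")}}
```

For the constructed host, `select_checks(HOST)` keeps six check/port pairs and never sends the Windows, SNMP or already-patched SSH checks; the HTTP service on port 8080 with no version in its banner still receives the version-gated check.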
What types of devices does QualysGuard analyze during a scan?
QualysGuard assesses the security risk of all networked, IP devices. This includes all routers, switches, hubs, firewalls, servers (all common operating systems), workstations, desktop computers, printers, and wireless access devices.
How many different types of vulnerabilities do you detect?
QualysGuard scans for more than 11,000 vulnerabilities across hundreds of applications and operating systems. Qualys maintains the industry's most comprehensive Vulnerability KnowledgeBase. New vulnerability signatures are added to the QualysGuard Vulnerability KnowledgeBase every day. These signature updates are seamlessly made available to all Qualys users automatically. Also, to further promote the Qualys high standard for accuracy, a complete Vulnerability KnowledgeBase regression test is performed each time the KnowledgeBase is updated.
What happens after QualysGuard detects a vulnerability? Do you provide information to help me correct the problem?
For each vulnerability detected, QualysGuard reports detailed information, including:
Host Information: IP address, hostname & Fully Qualified Domain Name (where available), operating system, and asset group(s).
Vulnerability Information: vulnerability severity, description of the threat posed by the vulnerability, recommendation for correcting the problem (including links to vendor sites), and the result, if available, which shows how QualysGuard verified the vulnerability. These fields can be customized for every signature in the QualysGuard Vulnerability KnowledgeBase.
QualysGuard reports can be customized so the user only views and/or prints the vulnerability assessment data that is of interest to them.
Can I customize or configure QualysGuard scans to meet my needs?
Yes. QualysGuard scans are completely customizable. Users can choose to run vulnerability scans either on demand or on a scheduled basis. Each scan can be set to run every applicable vulnerability check (as determined by the inference-based scan engine) or a scan can be performed looking for a subset of vulnerabilities. Further, scans can be run against a single IP address, a group of assets, a subnet / network range, or against an entire network and/or domain.
Several customization options are available. When running a scan, the following settings can be tweaked to meet any specific need:
- TCP ports scanned
- UDP ports scanned
- Load balancer detection
- Performance settings
- Authentication
QualysGuard supports the Open Vulnerability Assessment Language (OVAL), an industry standard for custom, customer-specific vulnerability checks that verify misconfigurations and out-of-policy assets.
Users can customize vulnerability scoring within QualysGuard by using the Common Vulnerability Scoring System (CVSS) support. CVSS is an industry open standard designed to convey vulnerability severity and risk, allowing corporations to take into consideration their own security metrics.
User customizable scoring is based on three criteria:
- Base – Fundamental, unchanging qualities of the vulnerability
- Temporal – Time dependent qualities of the vulnerability
- Environmental – Implementation and environment specific qualities of the vulnerability
What impact will QualysGuard have on my network?
QualysGuard is designed to minimize both the audit time as well as the network bandwidth it uses. Thus, its impact on network traffic load is minimal. In addition, if QualysGuard detects that the target host or network performance deteriorates during a scan, QualysGuard will adapt dynamically and reduce the scan speed.
How is the service bandwidth-efficient?
QualysGuard allows for a variable bandwidth load (low, normal, high, or custom) on the machines being scanned. QualysGuard closely monitors response time (through RTT, response-time tests) and dynamically adjusts the load according to the selected setting. Furthermore, QualysGuard will only run the vulnerability checks appropriate to the type of machine scanned (for example, no test specific to Windows operating systems will be run against a Linux machine).
How does the scanning service test a network for a Denial of Service (DoS) attack without bringing down the server or network device?
When QualysGuard tests for a Denial of Service (DoS) vulnerability on a host, it sends specially crafted packets that are designed not to affect the host's availability. By analyzing the host's response, QualysGuard can determine if the host is vulnerable to a DoS attack without flooding it with traffic and causing a service interruption.
An additional method to verify that a host is susceptible to a DoS attack without jeopardizing the host's stability is by using authenticated scanning. User credentials can be leveraged to perform authenticated audits against hosts which allow for deeper assessments of the devices. QualysGuard supports Windows, UNIX (via SSH, Telnet, and/or rlogin), SNMP, and Oracle authentication methods.
How does QualysGuard audit remote database servers?
Most vulnerability assessment tools require passwords or manual configurations to scan databases. In contrast, QualysGuard detects and audits databases, including PostgreSQL, Oracle, SQL Server, MySQL, & Sybase, without requesting any credentials or configuration information. QualysGuard searches for vulnerabilities or erroneous configurations that may lead to information leaks, theft of data, or even intrusion and denial of service attacks, all without authenticating to the database.
QualysGuard also supports Oracle authenticated scans to perform even deeper audits of the configuration settings of an Oracle database.
Do firewalls interfere with QualysGuard scans?
Firewalls are essential to network security. QualysGuard tests the effectiveness of firewalls plus applications and services that are naturally accessible through firewalls, such as Web, FTP, and mail services.
Does QualysGuard look for viruses, backdoors, and trojans?
Yes. QualysGuard is capable of identifying viruses, backdoors, worms, trojans, and other malicious applications using a variety of techniques. Each malicious application leaves a unique footprint on infected hosts. QualysGuard is able to find these viruses, worms, backdoors, and trojans by sending specially crafted packets to the assessed hosts and analyzing the response. In addition, by making an inventory of every open port, both TCP and UDP, on the hosts scanned and identifying the service listening on each open port, QualysGuard is able to verify the presence of a malicious application. QualysGuard is also able to use authenticated scanning to detect malicious software on a host even if it has no listening service.
Does QualysGuard look for SNMP vulnerabilities?
Yes. QualysGuard automatically detects if a system is SNMP enabled during host discovery. The inference-based scan engine then attempts to access the SNMP information base. If successful, the SNMP information tree will be displayed in the scan report. Further, the method used to "walk" the MIB will be returned (for example, public / private / default community string, an easily guessed community string, etc.). QualysGuard also provides a deeper audit option through the use of the SNMP authentication feature which allows users to specify specific community strings to audit against in their environment.

