Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Agenda
Introduction
Host Assets (Lab 1)
Qualys KnowledgeBase and Search Lists (Lab 2)
Scanning (Lab 3)
Asset Management (Lab 4)
Reporting (Lab 5)
User Management (Lab 6)
Remediation (Lab 7)
Exam
IT Remediation Team
Patch Reports
Alerts
ü Security, Compliance, and Asset Management Configuration
Reports
ü Single Solution
ü No Software to Maintain!
Qualys Cloud Platform
IaaS Providers
Cloud Asset
Internal Scanner
QUALYS PLATFORM
Strong Data Encryption
Firewalls
IDS
TLS communications
Internal External Scanner Pool
Asset
External
Asset
Qualys User
Corporate Environment
Appliances support Vulnerability Management, Policy Compliance, and Web Application Scanning
Vulnerability Management Lifecycle
1.
Discover
6. 2. Organize
Verify Assets
5. 3.
Remediate Assess
4.
Report
Host Assets
Account Setup
Details - QID, CVE ID, Bugtraq ID and other vendor references info
Disabled vulnerabilities are still scanned for but they are not reported or ticketed.
KnowledgeBase
Editing Vulnerabilities
Change Severity
Levels
Threat – Impact –
Solution have user
comments field
Edited vulnerabilities
are noted in Scan
results
KnowledgeBase
Search
Use the search functionality to find vulnerabilities by QID, title,
user configurations and many other criteria.
KnowledgeBase Search List
SEARCH
LISTS
Search Lists Overview
User-defined Groups of QIDs
• Static search list
• Manually defined
• Dynamic search list
• Defined based on search
criteria
Benefits
• Dynamic List updates when
new QIDs meet the search
criteria
• No limitation to the number of
QIDs in search list
Search Lists
Static Saved Searches
Modules
§ Responsible for collecting data from the hosts
§ Modules are launched based upon information collected
§ Hundreds of modules can coexist during a single scan
Information
Data collected by modules
§ Operating System
§ Open Ports
§ Active Services
§ Installed Applications
Scanning Modules
Host Discovery Module
Requires : {IP ADDRESS}
Task : Checks if remote host is alive
Produces : {HOST STATUS:HOST ALIVE/DEAD}
. . . HTTP 80/tcp
. . . SNMP 161/udp
Note: Qualys VM can detect more than 600 different services on TCP
and UDP ports. To review these services go to the Help > About Section.
o IANA guidelines are used to perform initial test specific to the service’s port
number.
o Detection by valid protocol negotiation (non-destructive).
Exceptions – Initial tests may fail if:
• Service running on non-standard port (more common for TCP).
• Service using non-standard (unpredictable) banner.
Qualys will continue to negotiate communications until the correct service can be identified (may result in service impact).
OS Detection
Based on TCP/IP stack fingerprinting.
• OS vendors implement the TCP/IP stack differently
• Specially crafted packets are sent to target host to collect
replies and build an OS fingerprint (using TTL, MSS,
window size, etc…)
• TCP/IP stack fingerprinting alone, does not always produce
accurate results
Enhanced using additional protocols (e.g. NetBIOS, HTTP, SNMP
etc..) when available
Authenticated scanning is more accurate, as the host simply tells
us what it is (uname -a, Windows registry, cat /etc/redhat-release,
etc).
Vulnerability Scanning
Host Discovery
§ Checks for availability of target hosts. One response from the host indicates the
host is "alive"
Port Scanning
§ Finds all open TCP and UDP ports on target hosts (based on scan preferences)
Service Discovery
§ Identify which services are running on open ports
Vulnerability Assessment
§ Based on 1) Operating System, 2) Active Services, and 3) Installed Software
Vulnerability Detection
Module launching
- Specific vulnerability modules loaded based on information gathered in
previous phases
Signatures
- Template-based vulnerability signatures
- Active (but non-intrusive) tests for almost all detections
- Specially crafted request to distinguish between patched and un-patched
versions
- Multiple tests validate each others’ results to “confirm” the vulnerability
Scan Configuration
Scan
• Schedules can be
paused to comply with
maintenance windows
Vulnerability Scanning
§ Geographic location
§ Ownership
(Servers) (Servers) (Servers)
Reports:
AssetView and Tagging
Tags: Server
Chicago Branch
TELNET ON (Scanner)
Network
10.0.30.16/28
01001
?
10.0.30.20 10.0.30.17
10.0.30.19
Workstation 10.0.30.18
Server Workstation
Chicago Server
Chicago Chicago
Chicago
TELNET ON
Initial Asset Tags
• Asset Groups
• Cloud Agent
• Business Units
• Malware Domain Assets
• Web Application Assets
Creating and Assigning Tags
Edit and create new
tags in:
1. Asset Search (in
Vulnerability
Management)
2. The AssetView
application
Asset Tag Rule Engine
Solution: Use an Asset Tag based on the “IP Address In Range” rule
engine, and select the “Use IP Network Range” check box when
launching the scan.
Applications Inventory
Ports and Services Inventory
Certificates Inventory
Assets
Report Template
(the what)
Filtering and
Host Based vs Search Lists
Scan Based Data Netblocks
Asset Tags
Qualys Reporting
Report Templates
Qualys has a set of standard templates that assist in
reporting on scans, maps, and remediation.
Scan Based vs. Host Based
Weekly adhoc Weekly
What are Host Based
Scan 1 Scan 2 Scan 3 Findings?
Asset Group 1 Asset Group 1 Asset Group 1
Option Profile 1 Option Profile 2 Option Profile 1 • Provides the most
Results 1 Results 2 Results 3 up-to-date and
Scan Based Findings accurate information
as it relates to a
host.
• Used in Trend
Host Based Findings reports.
• Used when using
Vulnerability
Host Tracking Status: dashboard, asset
IP / NetBIOS /
DNS / UUID
NEW | ACTIVE
RE-OPENED
search, remediation
FIXED tickets and host
First Time
KnowledgeBase
QID / Sev / Found information.
Title Last Time
Description Found
Results
Host Based Findings
- Passed
- Failed
- Passed with insufficient privileges
- Not Attempted
Reporting
Reader Reporting
Least privileged
User Management
VIP and Password Resets
Subscription Setup
Security
• Restrict IP access
• External IDs
• Session Timeout
Map
Domains/
Map Netblocks
Preferences
Asset Groups
Mapping Options
Mapping Benefits
Shows an overall view of your corporate assets
A: Approved
S: Scannable
L: Live
N: Netblock
Mapping: Graphic Mode
Mapping: Choosing A Target
1. Domain - Qualys service will identify domain members via DNS
interrogation.
2. Netblock - Target a specific netblock range using the “none” domain.
3. Domain + Netblock – Use an IP address range to identify the upper
and lower boundaries of a domain.
4. Asset Group
- Associated Domains
- Associated IPs (already in your subscription)
Mapping Goals
1. Use map results and reports to discover and add new hosts to your
subscription and identify dead and rogue hosts.
2. Ensure network and system admin teams participate in the Mapping
and Reporting responsibilities.
Unknown Devices Report
118
Lab
Mapping
training@qualys.com