To call the QualysGuard Intranet Scanner Appliance just an appliance is to miss the point. Yes, it does include a device that’s intended to scan behind the firewall, but it also comes with the QualysGuard Web-based service. The combined duo can provide complete, detailed vulnerability-assessment scanning inside and outside your firewall, and full reports on the Qualys Web site. As a result, you can view the results of your scans from any computer with Web access.
As you’d expect, Qualys offers the Intranet appliance so it can work inside your corporate firewall. Although Qualys’ earlier products worked well at scanning Internet-accessible computers, there’s just not a lot they could do to get past a properly configured firewall. The newly released appliance handles the internal task and reports its findings to the QualysGuard Web site where the information is combined with information from any scans that have been ordered for outward-looking servers and devices.
Thanks to its vulnerability-scanning roots, QualysGuard can handle just about any operating system more recent than TRS-DOS. This means that you can scan any version of Windows you’re likely to find on the network, as well as Mac OS, NetWare, Linux, Unix, and OSes on devices such as Cisco’s IOS.
When it’s told to scan, the QualysGuard appliance searches for every device attached to the network, then queries each for its operating system and patch level. Qualys can be configured to query devices that do not respond to pings. About the only thing beyond QualysGuard’s reach is a computer running a properly configured (and properly chosen) personal firewall, such as ZoneAlarm Pro. (During our tests, a ZoneAlarm-equipped ThinkPad remained completely invisible to QualysGuard.) But if your desktop clients are installed with ZoneAlarm, you don’t have a lot to worry about in terms of vulnerabilities on those machines.
Qualys clearly spent a lot of time thinking through the installation and management of the QualysGuard appliance. Setup takes only a few minutes, during which time you set the IP address and perform related tasks. Beyond that, management is done via a Web interface that’s easy to use and intuitive. Initial setup on this 1U appliance is particularly nice because of an easy-to-use front control panel and an LCD screen.
Scanning made simple
We tested the QualysGuard appliance by installing it on the InfoWorld Test Center internal lab network. For most unsuspecting appliances, this would be cruel and unusual punishment. After all, like most lab networks, this one contains devices of nearly every imaginable description, running operating systems ranging from the archaic to the not-yet-released, with patch levels ranging from totally buttoned down to totally irresponsible. But this is supposedly what the device was designed to deal with, so we plugged it in, set it up, and fired off the first scan. Then we went to lunch.
QualysGuard was done scanning the lab network well before we’d finished our sandwiches. For a vulnerability scanner, it’s pretty fast. Fortunately, Qualys has designed QualysGuard so that you can fire off a scan, then go do something else. It’ll email you when it’s done. There are several reasons to run scans repeatedly on the network. First, QualysGuard uses the SANS/FBI Top 20 list of network vulnerabilities, which is updated frequently, as a primary source of vulnerability information.
Diagnoses and prescriptions
Upon finishing its scan, QualysGuard creates a series of reports accessible via its Web site. These reports range from a high-level management report and network illustration to a detailed list of every finding, sorted by IP address and displaying every available item of information from every network device. On these listings, Qualys makes available all port usage and availability, OS details, patch levels, and some usage information.
Furthermore, these reports list every vulnerability and its respective level of seriousness, and provide detailed information on where to find the patch or, in some cases, detailed instructions on how to fix the problem directly.
For quicker updates on your current vulnerability state, Qualys provides some executive summaries that can show the change in vulnerability trends over time or the current number of vulnerabilities sorted by seriousness. You can also view an animated picture of your network, generated by QualysGuard, and use it to scrutinize individual devices.
Overall, QualysGuard is a winner for the enterprise. It’s easy to use, and it produces thorough vulnerability assessments and, perhaps more importantly, easy-to-understand results from its vulnerability scans.
Equally important, QualysGuard gets much of its information about vulnerabilities from an excellent source in the SANS/FBI Top 20. Because this list is updated frequently and because Qualys provides these updates to its customers, you can be assured that your scans will be up to date and reflect the most serious issues regarding your network.
QualysGuard can be expensive, but much of the cost can be contained by carefully managing the type and frequency of scans you perform. By customizing your scans, you can keep the barbarians at bay, while still managing this part of your network security responsibly. And if it helps you keep those holes closed, it’s certainly a lot less expensive than having someone invade your network.