About vulnerability scanners

Why scanning is important

Faculty and staff who maintain servers and websites at Indiana University can use the QualysGuard vulnerability scanners (often known as "Qualys") to discover vulnerabilities. Periodically scanning and reviewing scan reports is required by Security of Information Technology Resources (IT-12).

System administrators face security concerns every day. (For example: What would be the damage if someone broke into your website? Is institutional data present? Would you be liable under the law? What would happen if your website were defaced? What if it were used to distribute illegal content?) A vulnerability scan doesn't completely eliminate these risks, but it does make you aware of any system flaws first, before an attacker. Additionally, any action you take to increase security on your systems will improve the security of the IU network overall.

Request Qualys access

To use Qualys, send mail to scanner-admin@iu.edu and include the following information:

  • A unique name for your group; ADS groups or HR codes (such as IU-UISO) are the optimal format here.
  • The email addresses and full names of users who will need complete control over scanning
  • The email addresses and full names of users who will only need to run scans; these users will not be able to create new scans.
  • The email addresses and full names of users who will only need to read or generate reports
  • If you're doing website scanning, a list of URLs to scan
  • If you're doing system scanning, a list of IPs or CIDR blocks broken out into three sections:
    • Servers in the IU Data Center
    • Servers outside the IU Data Center
    • Any DHCP ranges you exclusively control or desktops with static IPs

Scan engines

Server and web scans can originate from any address in the following IU block. If you use a host-based firewall or other network safeguards, you may need to grant access from these addresses. At a minimum the scanner must be able to ping your hosts; the more ports it is allowed to reach, the more accurate the results will be.

  • 129.79.217.0/28

Additionally, any public website will most likely be scanned from an offsite Qualys scanner located in the following block:

  • 64.39.96.0/20

Risks of web app scanning

Any type of vulnerability scan carries some inherent risks, including degraded performance, unintentional denial of service, and accumulation of garbage data.

These risks are usually minimal and temporary, however, and are outweighed by the advantage of discovering weaknesses in your web application. Furthermore, anyone with access to your site can perform the same actions as the UISO scanners, and it's better that you identify vulnerabilities up front rather than have them exploited by someone with nefarious intentions.

The scanner actively tries to fill out web forms and submit data so it can try to identify certain vulnerabilities, including SQL injection and cross-site scripting. When the scanner submits data in this way, it tries to make it easy for you to recognize so you can easily delete it from your database later.

Whenever scanning a website, be sure to notify your supervisor, colleagues, IT Pros, and anyone else who has a stake in the website or service. Since the scan may impact performance and generate unusual-looking data, users of the site may believe it's an attack and panic if not properly informed.
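The two practical questions raised by the scan engine addresses above and by the warning that scan traffic can look like an attack are "which hosts do I allow through the firewall?" and "was that strange request in my logs the scanner or someone else?". The script below, added here as an illustration and not part of the IU Knowledge Base or Qualys, answers both using only the two source blocks the page lists: it tags web-server access-log lines whose source falls inside those blocks as authorized scanner traffic, and emits matching host-firewall allow rules. The log lines are constructed for the example, the iptables syntax is one host-firewall flavour among several, and the block names are arbitrary labels.

```python
"""Triage access-log hits against the IU Qualys scanner source ranges.

Added example (not from the IU KB page or from Qualys). Uses only the two
scanner blocks stated on the page; everything else here is illustrative.
"""
import ipaddress
import re

# Scanner source blocks stated on the page. The labels are our own.
SCANNER_RANGES = {
    "iu-internal": ipaddress.ip_network("129.79.217.0/28"),
    "qualys-external": ipaddress.ip_network("64.39.96.0/20"),
}

# Constructed sample lines in combined log format. Note the last one comes
# from 129.79.217.200, which is NOT inside the /28 (that block ends at .15).
SAMPLE_LOG = """\
129.79.217.5 - - [17/Aug/2021:14:00:01 -0400] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
64.39.102.77 - - [17/Aug/2021:14:00:02 -0400] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Aug/2021:14:00:03 -0400] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "curl/7.68.0"
129.79.217.200 - - [17/Aug/2021:14:00:04 -0400] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format matcher: source IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def scanner_source(ip_str):
    """Return the label of the scanner block containing ip_str, else None.

    Unparseable addresses return None rather than raising, so a malformed
    log line cannot be mistaken for authorized scanner traffic.
    """
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for name, net in SCANNER_RANGES.items():
        if addr in net:
            return name
    return None


def triage(log_text):
    """Split log lines into (scanner_hits, other_hits).

    Each hit is a (label, ip, request) tuple. Lines that do not match the
    log format are skipped. A request from outside the scanner blocks is
    labelled "unknown" even when it looks like a scan payload, because only
    the source range, not the payload, tells you it came from UISO.
    """
    scanner_hits, other_hits = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, req = m.group("ip"), m.group("req")
        label = scanner_source(ip)
        if label:
            scanner_hits.append((label, ip, req))
        else:
            other_hits.append(("unknown", ip, req))
    return scanner_hits, other_hits


def firewall_allow_rules(port=443):
    """Host-firewall rules admitting the scanner blocks.

    Follows the page's advice: the scanner must at least be able to ping,
    and reaching the service port gives more accurate results. iptables
    syntax is used for illustration; translate for nftables/firewalld/etc.
    """
    rules = []
    for net in SCANNER_RANGES.values():
        rules.append(f"iptables -A INPUT -s {net} -p icmp --icmp-type echo-request -j ACCEPT")
        rules.append(f"iptables -A INPUT -s {net} -p tcp --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    scanner, other = triage(SAMPLE_LOG)
    for label, ip, req in scanner:
        print(f"[scanner:{label}] {ip} {req}")
    for label, ip, req in other:
        print(f"[{label}] {ip} {req}")
    print("\n".join(firewall_allow_rules()))
```

Run as-is it prints two hits attributed to the scanner blocks and two that are not, including the `129.79.217.200` address that shares a /24 with the internal scanners but sits outside the /28. That boundary is the point: match on the exact blocks the page gives, not on a prefix that looks familiar, and treat any injection-looking request from outside them as a real incident.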

Logistics of web app scanning

Vulnerability scans can be run against production or development servers. Scanning production servers has the disadvantage that the site load may be too great during regular hours, necessitating a less convenient off-peak scan. Conversely, scanning a development server may produce unreliable results if the development server is not a perfect copy of the production server. However, it can eliminate possible problems before they reach the production environment.

The scanner has the ability to authenticate if needed. If your site uses IU Login, LDAP, or Active Directory authentication, simply grant access to the username uisoscan (ads\uisoscan), and the scanner in turn will be able to access your site. If your authentication is local, please create a local username (preferably named uisoscan) and passphrase for the scanner.

Important:
Make sure you assign the uisoscan user permissions at whatever privilege level you would like the scanner to scan. For instance, if you have an admin interface that you want scanned, uisoscan must be able to access it.

Scans can often be tailored to specific concerns you have. Since this process is hands-on, UISO is able to give a lot of attention to these scans and customize them for you.

Interpret web app scan reports

If you've run a web app scan and have received a scan report containing vulnerability issues, contact your department's IT Pro for help interpreting the results.

If you are an IT Pro, you should consult with Tier 2 Support, who can guide you to various resources, documents, and training sessions.

Learn more

If you are a web developer and you want to improve your site's security, consider the following resources:

  • Open Web Application Security Project: The Open Web Application Security Project (OWASP) publishes a great deal of information on preventing web vulnerabilities. In particular, the OWASP Top Ten describes the most prevalent web security issues today.
  • SANS: SANS offers several courses on web application security.
  • Web Application Security Consortium: The Web Application Security Consortium (WASC) is a trade organization that offers community forums and a library of technical information on web app vulnerabilities and how to prevent them.

This is document bgzt in the Knowledge Base.
Last modified on 2021-08-17 14:00:05.