|
|
When you run a discovery scan we will create a map that gives you an inventory of your network devices as seen from the Internet (perimeter devices) or Intranet (internal devices). If you run discovery scans on a regular basis you can keep track of your continually evolving network. Changes in firewall rules or DNS setups may allow intruders to find more information than they should. A map is also a way to find devices and services running without your authorization, including virtual hosts that may have been maliciously placed on your network.
When mapping your network perimeterWhen mapping your network perimeter
The map includes devices that can be "seen" from the Internet. You'll get an outside-in perspective of your network elements. The scope of the network discovery includes the devices found for a domain through the domain's DNS (Domain Name Server), plus the devices between those devices and the Internet.
When mapping your internal networkWhen mapping your internal network
You use a scanner appliance to produce a map of visible devices on your internal network. The appliance is installed inside your network environment to discover and map all devices that can be "seen" from the Intranet. The scope of the network discovery includes the devices found for a domain through the internal DNS in your network, plus the devices between those devices and the scanner appliance.
Tell me more about the types of devices identifiedTell me more about the types of devices identified
The following devices are identified: routers, administrable switches and hubs, operating systems, firewalls, web servers, FTP servers, LDAP servers and load balancing servers.
For each host detected we will show you a list of open services running on the host. Then for each service listed you can view the discovery method used to identify the service along with the port the service was running on, if available. Simply click the black arrow next to any host in your map results to view these details.
Show me possible discovery methodsShow me possible discovery methods
The discovery methods are:
ICMP. The mapping service received an ICMP packet from the host.
TCP Port. The mapping service detected open TCP port <number>.
UDP Port. The mapping service detected open UDP port <number>.
DNS. The mapping service resolved a name within the domain into this host's IP address.
Reverse DNS. The mapping service resolved the host's IP address into a name within the domain.
DNS Zone Transfer. Detected via Zone Transfer.
TCP RST. The mapping service received TCP Reset packets from this host.
Traceroute. The mapping service discovered this host via traceroute.
Other Protocol or ICMP. The mapping service received an IP packet from this host whose protocol is not TCP, UDP, or ICMP.
Other TCP Ports. The mapping service received TCP packets whose source ports are not in the list of probed ports.
You can choose to be notified via email each time a map completes. The email gives you a summary of the results and a secure link to the saved report. Select User Profile below your user name, go to the Options section and select Map Notification. You'll notice additional email notifications you can opt in to.
See difference in duration on Map Summary email and UI
Under Target Domains, enter domains and domains with netblocks into the Domains/Netblocks field. The registered domain names that you enter must be in your account (under Assets > Domains), making them available to you for mapping.
If a netblock was already specified as part of a domain configuration (on the domains list), then you only need to specify the domain name when launching the map. The netblock will be used automatically. You may, however, enter a portion of the netblock if you do not want the entire netblock mapped.
See different ways to enter domains and netblocksSee different ways to enter domains and netblocks
Enter domains and netblocks using these formats.
Entry |
Sample |
Single Domain |
mydomain.com |
Multiple Domains |
mydomain.com,corp1.com |
Domain with Netblock |
mydomain.com:[167.216.205.1-167.216.205.20] |
Domain with Multiple Netblocks |
mydomain.com:[167.216.205.1-167.216.205.20, 167.216.205.40-167.216.205.59] |
Domain with Netblock containing single IP |
mydomain.com:[167.216.205.1] |
Enter 1 domain and we'll create 1 map. Show meEnter 1 domain and we'll create 1 map. Show me
When you enter a single domain name, we'll create a single map for that domain.
Domains/Netblocks |
Maps Created (1) |
corp1.us.com |
Target: corp1.us.com |
Enter 2 domains and we'll create 2 maps. Show meEnter 2 domains and we'll create 2 maps. Show me
When you enter 2 domain names, we'll create 2 maps. Enter 3 domains and we'll create 3 maps, and so on.
Domains/Netblocks |
Maps Created (2) |
corp1.us.com,corp2.us.com |
Target: corp1.us.com Target: corp2.us.com |
Under Target Domains, enter IPs and IP ranges into the Domains/Netblocks field. The IPs you enter must already be part of the None domain in your account.
Important notes about mapping IPs/ranges:
1) Define the None domain - Go to your domain assets list (Assets > Domains) to determine whether the None domain has already been defined for your account. If you plan to manually enter IPs/ranges in the Domains/Netblocks field, then those IPs must be included in the None domain configuration. (Note that when you map IPs from asset groups, the IPs do not have to be part of the None domain configuration. Learn more
2) Review map options - If you map IPs/ranges without a domain, be sure to enable the map option "Perform live host sweep" in the option profile applied to the task.
Enter IPs only and we'll create 1 map. Show meEnter IPs only and we'll create 1 map. Show me
When you enter IPs/ranges, we'll create a single map using the special None domain. The map target shows the None domain and netblocks which reflect the manually entered IPs.
Domains/Netblocks |
Maps Created (1) |
64.41.134.59-64.41.134.61,10.10.10.1,10.10.10.9 |
Target: none:[64.41.134.59-64.41.134.61,10.10.10.1,10.10.10.9] |
When you enter IPs and domains, we'll create multiple maps. One map for the IPs and one map for each domain.
Domains/Netblocks |
Maps Created (3) |
10.10.10.1,10.10.10.9,64.41.134.59-64.41.134.61, |
Target: none:[10.10.10.1,10.10.10.9,64.41.134.59-64.41.134.61] Target: mydomain.com Target: qualys-test.com |
Under Target Domains, enter one or more asset groups in the Asset Groups field. Then identify which assets (domains and/or IPs) from the asset groups you want to target by selecting the Domains and/or IPs check boxes.
When Domains is selected, we'll create a separate map for each domain in the asset groups.
When IPs is selected, we'll create a single map for each asset group including all the group's IP addresses. The map report lists the target domain for each group as "none:[netblock]" where netblock includes the IP addresses from the asset group. When you map IPs from asset groups, the IPs do not have to be part of the None domain configuration.
Sample asset groups:
The group "New York" includes the following assets:
Domains: corp1.newyork.com and corp2.newyork.com
IPs: 64.41.134.59-64.41.134.61
The group "London" includes the following assets:
Domains: corp3.london.com and corp4.london.com
IPs: 10.10.10.1-10.10.10.100,10.10.10.115
Map the domains from these asset groupsMap the domains from these asset groups
When you enter the asset groups New York and London and select the Domains check box only, we'll create 4 maps (one for each domain).
Asset Groups |
Maps Created (4) |
New York, London Assets from Asset Groups: [X] Domains [ ] IPs |
Target: corp1.newyork.com Target: corp2.newyork.com Target: corp3.london.com Target: corp4.london.com |
Note: The service automatically creates a separate map report for
each domain in each target asset group. In the case where the same
domain name is included in multiple asset groups, the service produces
duplicate map reports. For example, if the target asset groups New
York and London include the same domain "mydomain.com",
then the service produces 2 map reports for "mydomain.com".
Map the IPs from these asset groupsMap the IPs from these asset groups
When you enter the asset groups New York and London and select the IPs check box only, we'll create 2 maps (one for each group).
Asset Groups |
Maps Created (2) |
New York, London Assets from Asset Groups: [ ] Domains [X] IPs |
Target: none:[64.41.134.59-64.41.134.61] Target: none:[10.10.10.1-10.10.10.100,10.10.10.115] |
Map the domains and IPs from these asset groupsMap the domains and IPs from these asset groups
When you enter the asset groups New York and London and select both the Domains and IPs check boxes, we'll create 6 maps.
Asset Groups |
Maps Created (6) |
New York, London Assets from Asset Groups: [X] Domains [X] IPs |
Target: corp1.newyork.com Target: corp2.newyork.com Target: corp3.london.com Target: corp4.london.com Target: none:[64.41.134.59-64.41.134.61] Target: none:[10.10.10.1-10.10.10.100,10.10.10.115] |
Yes. Go to Scans > Setup > Excluded Hosts to create a list of IPs that you want to exclude from all maps and scans launched by all users. These hosts will not be scanned even if specified as part of the map target.
This could happen if the host was discovered via a DNS method and this server is used to resolve DNS names for hosts in the map target.
You customize your map by changing the map settings in a scan option profile. Go to Scans > Option Profiles to see the option profiles available to you or to create a custom profile. The following settings can be tweaked to meet your specific needs: ports to scan for host discovery, ports to scan for basic information gathering on the hosts discovered during scanning, performance settings, and more.
These options can be configured in your option profile.
During network discovery (mapping) we first identify which hosts are alive. We ping every host within the target domain's netblock using ICMP, TCP and UDP probes. TCP and UDP probes are sent to default ports for common services, such as DNS, TELNET, SMTP, HTTP and SNMP. If these probes trigger at least one response from the host, the host is considered alive and is reported on. These ports and services can be configured.
Perform Live Host SweepPerform Live Host Sweep
You have the option to disable the live host sweep to only discover devices using DNS discovery methods (DNS, Reverse DNS and DNS Zone Transfer.) Active probes will not be sent. When mapping IPs that are not part of a domain configuration make sure you have Perform Live Host Sweep turned on.
Disable DNS trafficDisable DNS traffic
This option is valid only when the target domain name includes one or more netblocks, e.g. none:[10.10.10.2-10.10.10.100]. We'll perform network discovery only for the IP addresses in the netblocks. No forward or reverse DNS lookups, DNS zone transfers or DNS guessing/bruteforcing will be made, and DNS information will not be included in map results.
This option is used for mapping asset groups with scanner appliances. Select the Default scanner option to use the default scanner defined in each asset group for discovery of the domains/IPs in those groups. When there are multiple targets we create multiple maps, one for each target. Discovery scans of your targets will run sequentially - one at a time - and each map will be created using a single scanner appliance.
For example, let's say that Group ABC includes Domain1 and the default scanner is SA_ABC. Group XYZ has Domain2 and Domain3 and the default scanner is SA_XYZ. When you include both groups in the map request and you're using the Default scanner appliance option you'll get these 3 maps (one for each domain):
- Domain1 is mapped using SA_ABC
- Domain2 is mapped using SA_XYZ
- Domain3 is mapped using SA_XYZ
Yes, scanners must be able to reach the target hosts being scanned. Go to Help > About to see the IP addresses for external scanners that you'll need to add to your allow list. You'll also see a list of URLs that your scanner appliances must be able to contact for internal scanning.
Problems can arise when scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance is sitting in the protected network area and scans a target which is located on the other side of the firewall. Learn more
You will only see the Scanner Appliance option if you have scanner appliances in your account. If you don't have scanner appliances you can still map your network perimeter using our External scanners.
Contact Support or your Technical Account Manager to: 1) have a physical scanner appliance shipped to you, or 2) have the Virtual Scanner option enabled for your subscription in order to download a virtual scanner image and configure your scanner in a few easy steps.