EC2 Scan - Deploying Pre-authorized Virtual Scanner Appliance

Qualys Virtual Scanner Appliance is available as an Amazon Machine Image (AMI) at AWS Marketplace, ready for customers to launch onto Amazon EC2-Classic and EC2-VPC.

The scanner deployment involves:

Configuration in Qualys | Configuration in AWS

Deployment Recommendations

Following are some recommendations from Qualys for deploying scanners, based on the network topology and on the size of the EC2 instance hosting the scanner appliance.

Instance size for hosting the scanner

Qualys recommends at most 16 CPUs and 16 GB RAM for the instance that hosts the Qualys Virtual Scanner Appliance. Scanner deployment on A1 instance types is not supported. Size the instance according to the number of EC2 instances being scanned and how often they are scanned, scaling up to that 16 CPU / 16 GB limit.

Limitations on scanning targets

By default, scans cannot be launched on targets with the t1.micro, m1.small or t2.nano instance types. Reach out to your Technical Account Manager or Qualys Support to lift this limitation and allow assets with these instance types to be auto-activated based on the connector settings.

Scanner placement based on the network topology

Amazon Virtual Private Cloud (Amazon VPC) lets you provision logically isolated virtual networks to host your AWS resources. Based on how you have set up your AWS network, here are some recommendations on where to place your scanner.

--Non-peered VPCs in a region - Qualys recommends one or more scanners per VPC per region when the VPCs are not peered, since a scanner has no route to instances in a VPC it is not connected to.

--Peered VPCs in a region - you can place one or more scanners in a central VPC that is peered to the other VPCs in the region (hub-and-spoke model). VPC peering is not transitive, so the central VPC needs a direct peering connection with every VPC it is expected to scan.

--VPCs across regions - you can place one or more scanners in a VPC that has a VPN or VPC transit connection to the other regions.

Some things to consider...

The following features are not supported and are disabled on all cloud (private and public) platforms:

- WAN/SPLIT NETWORK SETTINGS - the "WAN Interface" option for split network settings is not available from the scanner UI/console. Only the LAN/single network configuration from the cloud UI is supported, and it is used both for scanning and for connecting to Qualys servers

- NATIVE VLAN - the "VLAN on LAN" option for configuring a native VLAN is not available from the scanner UI/console

- STATIC VLAN (IPV4 AND IPV6) - the "VLANs" option for configuring static VLANs is not available from the Qualys UI

- STATIC ROUTES (IPV4 AND IPV6) - the option to configure "Static Routes" is not available from the Qualys UI

- IPV6 ON LAN - the option to configure "IPv6 on LAN" is not available from the Qualys UI

What do I need?

The Virtual Scanner option must be turned on for your account. Contact Qualys Support or your Technical Account Manager if you would like us to turn on this option for you.

You must be a Manager or a sub-user with the “Manage virtual scanner appliances” permission. This permission may be granted to Unit Managers. Your subscription may be configured to allow this permission to be granted to Scanners.

Configuration in Qualys

You'll add a new virtual scanner appliance and get your personalization code.

Go to Scans > Appliances and select New > Virtual Scanner Appliance. Choose "I have my image" and click Continue.

Give your scanner a name. If you’re a sub-user then you’ll need to pick an asset group that has been assigned to your business unit by a Manager user. Not seeing any asset groups? Please ask a Manager to assign an asset group (other than the All group) to your business unit.

Follow the on screen instructions to configure your virtual scanner and get your personalization code. You'll need this to launch your AMI instance.

Personalization Code in Add New Virtual Scanner wizard

Configuration in AWS

Launch an AMI instance from the Amazon AWS Marketplace. You can also launch an AMI instance using the AWS Management Console (i.e. sign in to the console, go to Services > EC2 and enter AMI settings per below).

1) Go to the Qualys Virtual Scanner Appliance page at AWS Marketplace, and log in to your AWS account.

Qualys Virtual Scanner Appliance (Pre-Authorized Scanning) HVM on AWS Marketplace

Qualys Virtual Scanner Appliance page at AWS Marketplace

The AWS marketplace lists two virtual scanner appliances - A Pre-Authorized scanner appliance and a Standard scanner appliance. Qualys recommends you use the Pre-Authorized scanner appliance. If you cannot use the Pre-Authorized scanner appliance it is recommended to contact Qualys Support before choosing the Standard scanner appliance.

2) Launch the virtual scanner AMI in a region.

3) Use the wizard to enter the AMI settings. In the Advanced Details section, select "V1 and V2 (token optional)" as the Metadata version; Qualys does not currently support "V2 (token required)" (the appliance receives the user data entered in the next step through the instance metadata service). In the User data field, enter the personalization code you obtained from the Qualys user interface and, optionally, the proxy server (if used).

Personalization code in User data field in AMI settings in AWS

Personalization Code - Enter the personalization code that you obtained from Qualys preceded by PERSCODE=

Proxy Server (Optional) - Enter the proxy server information on a separate line from the personalization code, preceded by PROXY_URL=. A proxy server is used when your scanner does not have direct connectivity to the Qualys Cloud Platform.

Important: The proxy server must allow access to the AWS region-specific endpoints. Go here to learn about regions and endpoints: http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region

Example:

PERSCODE=12345678901234
PROXY_URL=username:password@proxyhost:port

Formatting:

If you have a domain user, the format is domain\username:password@proxyhost:port

If authentication is not used, the format is proxyhost:port

proxyhost is the IPv4 address or the FQDN of the proxy server.

Keep in mind that user data is stored unencrypted: anyone allowed to describe the instance's attributes in your AWS account, and any process on the instance that can query the metadata service, can read the proxy credentials. Use a dedicated proxy account with no privileges beyond reaching the Qualys endpoints.

Once launched, the Virtual Scanner Appliance connects to the Qualys Cloud Platform

This step registers the Virtual Scanner Appliance with your Qualys account. The appliance also downloads the latest software updates right away, so it is ready for scanning.

Configuring security groups for your Virtual Scanner Appliance

Set up the following outbound rules in the security group assigned to the scanner appliance. Note that a newly created security group allows all outbound traffic by default; remove that rule if the rules below are meant to be the only egress the scanner has.

--If you are using a proxy server, ensure you have an outbound rule allowing access on port 443 and on the port used to communicate with the proxy server.

--If the scanner appliance has direct internet connectivity, ensure that the outbound rule allows access on port 443 to the Qualys Security Operations Center (SOC) IP address range. You can get the SOC IP address range by logging in to the Qualys Portal and navigating to Help > About.

--The scanner must be able to reach every target instance it is going to scan. It is recommended to configure an outbound rule that allows access to all ports and subnets of the EC2 instances that the scanner is going to scan. Security groups are stateful, so the scanner needs no inbound rule for the return traffic, but the target instances' own security groups (and any network ACLs on the path) must allow inbound traffic from the scanner, or the scanner will not reach them.
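The whole AWS-side procedure above (the user-data format from step 3 and the Formatting section, plus the security group rules) as one script, added here as an example; it is not Qualys' or AWS's own tooling. It assumes placeholder values for the AMI, VPC, subnet, SOC and target CIDRs (set through the environment variables at the top), treats the 14-digit shape of the page's sample personalization code as the expected format, and goes one step past the text: it revokes the allow-all outbound rule a new security group starts with, so the listed rules are the only egress the scanner has.

```shell
#!/bin/sh
# Added example: not Qualys' or AWS's own tooling. Produces (DRY_RUN=1, the
# default) or runs (DRY_RUN=0) the AWS CLI calls that deploy the scanner as
# described on this page: an egress-only security group, user data carrying
# PERSCODE/PROXY_URL, and IMDS left at "V1 and V2 (token optional)".
# Every ID and CIDR below is a placeholder to be replaced with your own.
set -eu

DRY_RUN="${DRY_RUN:-1}"
AMI_ID="${AMI_ID:-ami-0123456789abcdef0}"               # Pre-Authorized scanner AMI (placeholder)
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"               # placeholder
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}"      # placeholder
INSTANCE_TYPE="${INSTANCE_TYPE:-m5.xlarge}"             # 4 vCPU / 16 GB: within the 16 CPU / 16 GB limit, not A1
SOC_CIDRS="${SOC_CIDRS:-203.0.113.0/24}"                # placeholder; real ranges are under Help > About
TARGET_CIDRS="${TARGET_CIDRS:-10.0.0.0/24 10.0.1.0/24}" # subnets of the instances to be scanned
PROXY_CIDR="${PROXY_CIDR:-}"                            # e.g. 10.0.2.10/32 when a proxy is used
PROXY_PORT="${PROXY_PORT:-3128}"

# User data in the format the page specifies: PERSCODE=<code> on the first
# line, then an optional PROXY_URL=<url> line. Both values are checked before
# they are written, so a typo fails here rather than on an instance that
# silently never registers.
build_user_data() {
  perscode="$1"; proxy="${2:-}"
  # The page's example code is 14 digits; treating that as the format is an assumption.
  printf '%s' "$perscode" | grep -Eq '^[0-9]{14}$' \
    || { echo "invalid PERSCODE: $perscode" >&2; return 1; }
  printf 'PERSCODE=%s\n' "$perscode"
  if [ -n "$proxy" ]; then
    # accepted shapes: host:port, user:pass@host:port, domain\user:pass@host:port
    printf '%s' "$proxy" | grep -Eq '^([^@[:space:]]+@)?[A-Za-z0-9.-]+:[0-9]+$' \
      || { echo "invalid PROXY_URL: $proxy" >&2; return 1; }
    printf 'PROXY_URL=%s\n' "$proxy"
  fi
}

# IpPermissions JSON for "all protocols and ports to <cidr>".
all_traffic_to() { printf '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"%s"}]}]' "$1"; }

# Outbound rules for the scanner's security group. A new group starts with an
# allow-all outbound rule, so that is revoked first; without this step the
# allow-list below changes nothing.
sg_egress_plan() {
  sg="$1"
  echo "aws ec2 revoke-security-group-egress --group-id $sg --ip-permissions '$(all_traffic_to 0.0.0.0/0)'"
  for cidr in $SOC_CIDRS; do       # TCP 443 to the Qualys SOC (direct connectivity)
    echo "aws ec2 authorize-security-group-egress --group-id $sg --protocol tcp --port 443 --cidr $cidr"
  done
  if [ -n "$PROXY_CIDR" ]; then    # the proxy port to the proxy host (proxy case)
    echo "aws ec2 authorize-security-group-egress --group-id $sg --protocol tcp --port $PROXY_PORT --cidr $PROXY_CIDR"
  fi
  for cidr in $TARGET_CIDRS; do    # all ports to the scan targets
    echo "aws ec2 authorize-security-group-egress --group-id $sg --ip-permissions '$(all_traffic_to "$cidr")'"
  done
}

# Launch with the user data file; the CLI base64-encodes file:// content for
# you. HttpTokens=optional is the CLI equivalent of "V1 and V2 (token optional)".
launch_plan() {
  sg="$1"; userdata_file="$2"
  printf '%s %s %s %s %s\n' \
    "aws ec2 run-instances --image-id $AMI_ID --instance-type $INSTANCE_TYPE --subnet-id $SUBNET_ID" \
    "--security-group-ids $sg --user-data file://$userdata_file" \
    "--metadata-options HttpTokens=optional,HttpEndpoint=enabled" \
    "--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=qualys-scanner}]'" \
    "--query 'Instances[0].InstanceId' --output text"
}

run_plan() {  # print each command, or execute it when DRY_RUN=0
  if [ "$DRY_RUN" = 1 ]; then cat; else while IFS= read -r line; do eval "$line"; done; fi
}

main() {
  perscode="$1"; proxy="${2:-}"
  build_user_data "$perscode" "$proxy" > scanner-userdata.txt
  if [ "$DRY_RUN" = 1 ]; then
    sg="sg-PLACEHOLDER"
  else
    sg=$(aws ec2 create-security-group --group-name qualys-scanner \
           --description "Qualys scanner egress only" --vpc-id "$VPC_ID" \
           --query GroupId --output text)
  fi
  sg_egress_plan "$sg" | run_plan
  launch_plan "$sg" scanner-userdata.txt | run_plan
}

# usage: sh deploy-scanner.sh PERSCODE [PROXY_URL]; with no arguments only the functions are defined
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with DRY_RUN=1 (the default) to review the generated aws commands; with DRY_RUN=0 it creates the security group, writes scanner-userdata.txt and launches the instance. The revoke step is what makes the allow-list meaningful: skipping it leaves the scanner with unrestricted egress even though every listed rule is present.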