Perimeter Scanning using Qualys External Scanners
We provide the ability to scan public-facing virtual machines in your Azure cloud environment using Cloud Perimeter Scanning for VM and PC.
Qualys External Scanners (Internet Remote Scanners), located at the Qualys Enterprise TruRisk™ Platform are used for Perimeter Scanning of Azure virtual machines. For subscriptions on Private Cloud Platforms, your account may be configured to allow internal scanners to be used.
These are DNS- or IP-based scans launched using the target virtual machines' public DNS names or public IP addresses. If both a public DNS name and a public IP address exist for a virtual machine, the scan is launched on the public DNS name.
Requirements
- The Cloud Perimeter Azure VM Scan feature must be enabled for your subscription. You need to reach out to your Technical Account Manager (TAM) or Qualys Support to enable this feature. You also need these features enabled: Cloud Perimeter Scanning, EC2 Scanning, and Scan by Hostname.
- Cloud perimeter scans are available for VM and PC modules. Only Managers and Unit Managers have permission to configure cloud perimeter scans.
- You can create or update a cloud perimeter scan job through the Cloud Perimeter Scan API even if no scan targets are resolved from the provided details. At scan time, if no scan targets are resolved from the provided details, the scan is not launched, and the error is recorded in the Activity Log and in the Run History of the scheduled scan job.
Get Started
All cloud perimeter scans are scheduled for now (a one-time scan job) or recurring. Once saved, you can see the scan job on the Schedules list. When the scan job starts, it appears on your Scans list.
- Create a dynamic tag with Cloud Asset Search filters under AssetView app based on your requirements.
For example:
- All running public VMs in your Qualys Subscription: not azure.vm.publicIpAddress is null and azure.vm.state:"RUNNING"
- All running public VMs in your Azure Subscription: not azure.vm.publicIpAddress is null and azure.vm.subscriptionId: and azure.vm.state:"RUNNING"
- All running public VMs in a location: not azure.vm.publicIpAddress is null and azure.vm.state:"RUNNING" and azure.vm.location:westus
- All running public VMs in a resource group: not azure.vm.publicIpAddress is null and azure.vm.state:"RUNNING" and azure.vm.resourceGroupName:testRG
- Now, let's start scanning. Go to VM/VMDR for a vulnerability scan (or PC for a compliance scan) and choose New > Cloud Perimeter Scan. You can also find this option on the Schedules tab.
- In the Cloud Information tab, select the Azure icon to scan Azure VM machines and click Continue.
When you edit an existing scan, you cannot change the Provider. The Scan option profile settings are populated with the values you selected when you created the scan.
- Go to the Scan Details tab, give the scan a name, and select the option profile and priority.
- Go to the Target Hosts tab to select the public-facing Azure VM machines on which you want to run the Cloud Perimeter scan. From the Connectors drop-down, select an Azure connector.
The Connector drop-down lists the connectors you have configured in AssetView. Select asset tags to further filter the Azure VM assets fetched from the Azure connector.
The selected asset tags only scope the assets of the selected connector; assets under other connectors and non-connector-based assets are not scanned.
For Azure VM scan, we do not support pulling load balancer DNS names from the CloudView module.
- Go to the Scanner and Schedule & Notification tabs to select the External/Internal scanner and schedule the scans.
By default, the external scanner appliance is selected. You can select an internal scanner for the scan only if using internal scanners for cloud perimeter scans is enabled for your subscription.
- Go to the Review tab. In the Target Hosts section, we show you:
- Number of public-facing Azure VM assets fetched from the connector.
- Assets that are qualified for the scan.
- Out of the qualified assets, how many are activated in VM; the scan is launched on these.
- Finally, submit the scan job.
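The following is an added example, not Qualys code: a small evaluator for the subset of Cloud Asset Search syntax used in the dynamic-tag examples in step 1 (`not <field> is null`, `<field>:<value>`, joined with `and`), applied to constructed Azure VM metadata so that the three Review-tab counts (fetched, qualified, activated) and the "no targets resolved, scan not launched" rule can be reproduced offline. The matching semantics, the connector field, and the `activated_in_vm` flag are assumptions that stand in for the real connector inventory and VM-module activation status.

```python
"""Added example (not Qualys code): evaluate the dynamic-tag queries from the
page against constructed Azure VM metadata and reproduce the Review-tab funnel."""
import re

# Constructed sample of what an Azure connector might return. Field names mirror
# the azure.vm.* tokens used in the queries; 'connector' and 'activated_in_vm'
# are assumed fields standing in for connector ownership and VM-module activation.
SAMPLE_ASSETS = [
    {"name": "web-01", "azure.vm.publicIpAddress": "203.0.113.10", "azure.vm.state": "RUNNING",
     "azure.vm.location": "westus", "azure.vm.resourceGroupName": "testRG",
     "connector": "azure-prod", "activated_in_vm": True},
    {"name": "web-02", "azure.vm.publicIpAddress": "203.0.113.11", "azure.vm.state": "RUNNING",
     "azure.vm.location": "eastus", "azure.vm.resourceGroupName": "testRG",
     "connector": "azure-prod", "activated_in_vm": False},
    {"name": "db-01", "azure.vm.publicIpAddress": None, "azure.vm.state": "RUNNING",
     "azure.vm.location": "westus", "azure.vm.resourceGroupName": "testRG",
     "connector": "azure-prod", "activated_in_vm": True},
    {"name": "batch-01", "azure.vm.publicIpAddress": "203.0.113.12", "azure.vm.state": "STOPPED",
     "azure.vm.location": "westus", "azure.vm.resourceGroupName": "testRG",
     "connector": "azure-prod", "activated_in_vm": True},
    {"name": "web-03", "azure.vm.publicIpAddress": "198.51.100.5", "azure.vm.state": "RUNNING",
     "azure.vm.location": "westus", "azure.vm.resourceGroupName": "testRG",
     "connector": "azure-dev", "activated_in_vm": True},
]

# Queries copied from the dynamic-tag examples above.
Q_WESTUS = 'not azure.vm.publicIpAddress is null and azure.vm.state:"RUNNING" and azure.vm.location:westus'
Q_TESTRG = 'not azure.vm.publicIpAddress is null and azure.vm.state:"RUNNING" and azure.vm.resourceGroupName:testRG'

# Two clause shapes: '[not] <field> is null'  or  '<field>:<value>' (value optionally quoted).
CLAUSE_RE = re.compile(r'^(not\s+)?([\w.]+)\s+is\s+null$|^([\w.]+):"?([^"]*)"?$', re.IGNORECASE)


def parse_query(query):
    """Split an 'a and b and c' query into predicate functions over one asset dict.
    Only the subset used on this page is supported; anything else raises ValueError."""
    preds = []
    for clause in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if m.group(2):  # '[not] <field> is null'
            negate, fld = bool(m.group(1)), m.group(2)
            preds.append(lambda a, f=fld, n=negate: (a.get(f) is None) != n)
        else:  # '<field>:<value>' as a case-insensitive equality (assumed semantics)
            fld, val = m.group(3), m.group(4)
            preds.append(lambda a, f=fld, v=val: str(a.get(f, "")).lower() == v.lower())
    return preds


def perimeter_funnel(assets, connector, tag_query):
    """Reproduce the three Review-tab numbers (assumed semantics):
    fetched   = public-facing VMs returned by the selected connector only,
    qualified = fetched assets that also match the dynamic tag query,
    activated = qualified assets activated in the VM module, i.e. the scan targets."""
    preds = parse_query(tag_query)
    fetched = [a for a in assets
               if a["connector"] == connector and a.get("azure.vm.publicIpAddress")]
    qualified = [a for a in fetched if all(p(a) for p in preds)]
    activated = [a for a in qualified if a.get("activated_in_vm")]
    return {"fetched": len(fetched), "qualified": len(qualified), "activated": len(activated),
            "targets": sorted(a["azure.vm.publicIpAddress"] for a in activated)}


def launch_decision(funnel):
    """Mirror the requirement above: with no resolved targets the job is not launched
    and the condition is logged instead of a scan being started."""
    if funnel["activated"] == 0:
        return "not launched: no scan targets resolved (recorded in Activity Log / Run History)"
    return f"launched against {funnel['activated']} target(s): {', '.join(funnel['targets'])}"


if __name__ == "__main__":
    for query in (Q_WESTUS, Q_TESTRG, "azure.vm.location:northeurope"):
        funnel = perimeter_funnel(SAMPLE_ASSETS, "azure-prod", query)
        print(query, "->", funnel, "->", launch_decision(funnel))
```

Note that `web-03` never appears for the `azure-prod` connector even though it matches the tag: the tag narrows the selected connector's assets, it does not widen the scope to other connectors, which is the behaviour described for the Target Hosts tab.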
The VM assessment results from Azure perimeter scans are tracked against the asset that is tracked by virtual machine ID. As part of the scan option profile, the scanner tries to reach the IPs in order to get to the virtual machines.
View Azure VM Tracked Host Assets in Host Assets
- Go to Assets > Host Assets > Filters to search for the Azure VM tracked assets.
- Click the Info icon to view the cloud provider name (Azure for Azure VM assets), the cloud service name (VM for Azure VM assets), and the resource ID of the Azure Virtual Machine in the Host Information screen. The Cloud Asset Metadata tab shows the metadata information for the host.