We have compiled a list of questions you may have about scanner appliance security.
The scanner images are hardened, locked-down, encrypted custom Linux systems with no user accounts and no means of over-the-network or local user access.
Our company policy strictly prohibits the disclosure of security details pertaining to our Virtual Scanner images. We neither require nor hold any certifications related to CIS compliance.
The scanner appliance runs a specifically hardened operating system kernel designed to mitigate shellcode and buffer overflow attacks. It hosts only the limited set of required packages, which Qualys provides and maintains.
Remote syslog forwarding is available from the Qualys account for scanning-related logs only. For general system logs, contact Qualys Support.
The scanner appliance is designed as a client-only device with no persistent services or daemons listening on the network. It has no listening TCP ports.
The scanner appliance does not require inbound Internet connectivity; it initiates all communication with the Qualys data center outbound on TCP/443, so no inbound ports need to be opened on your firewall.
The scanner acts only as a DHCP client: it sends requests to UDP port 67 on the DHCP server and receives replies on UDP port 68, the only UDP port it binds. No other ports need to be open.
The scanner appliance acts solely as a network host and cannot route packets, even when multiple network interfaces are active. Network data forwarding is permanently disabled. The appliance scans local systems, processes the resulting data, and then sends the processed data back to the Qualys Cloud Platform.
There are no listening TCP ports or network services running on scanner appliances, so there is no SSH access to the scanner.
NTP is not used and is not available for configuration. Instead, the scanner's clock is synchronized with the Qualys Platform through its API communication.
Limited customer data is stored on a scanner appliance during a scan. The storage and protection mechanisms are the same for physical and virtual scanners: all sensitive data is encrypted on the file system of every scanner appliance.
Mounting this file system requires the decryption key, which the appliance obtains from the Qualys Cloud Platform when it communicates with the data center. If the scanner is removed (deactivated) from a customer account, the key is no longer available, the file system cannot be mounted, and no data on it is accessible.
All customer files, including temporary data, are stored on this encrypted file system during the scan, so the data is protected by encryption at rest. The encryption key is stored only in the data center and is destroyed if the appliance entry is removed. To access the files, an appliance must retrieve the key from the data center each time it boots; the file system is decrypted and mounted only after successful authentication to the Qualys data center.
In addition to the encrypted file system, most customer scan data is also encrypted at the file level, giving two layers of encryption: individually encrypted files stored on an encrypted file system. Two types of file-level keys are used: one for input and temporary data (which includes credentials), and a random key that is kept only in appliance memory.
Scan information is not retained on the scanner. Once a scan completes, the results are sent to the cloud back end for processing and all scan data is removed from the scanner.
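The key hierarchy described in the preceding answers, as an added model in Go. This is illustrative code, not Qualys code, and the structures, names and two-layer layout are assumptions made for the example: a stand-in for the data center holds each appliance's volume key and releases it only after authentication, a per-scan key exists only in appliance memory, and deactivation or scan completion leaves any copy of the on-disk ciphertext unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randomBytes draws n bytes from the OS CSPRNG; a failed read is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Seal encrypts with AES-256-GCM and prepends the random 12-byte nonce. Every
// key in this model comes from randomBytes(32), so aes.NewCipher cannot fail.
func Seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; a wrong key or a modified ciphertext fails authentication.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// CloudPlatform stands in for the Qualys data center (assumed model): the
// volume key of each appliance exists only here, indexed by appliance ID.
type CloudPlatform map[string][]byte

func (c CloudPlatform) Activate(id string)   { c[id] = randomBytes(32) }
func (c CloudPlatform) Deactivate(id string) { delete(c, id) } // key destroyed

// ReleaseKey is the boot-time fetch; it fails closed on either condition.
func (c CloudPlatform) ReleaseKey(id string, authenticated bool) ([]byte, error) {
	key, ok := c[id]
	if !authenticated || !ok {
		return nil, errors.New("authentication failed or appliance deactivated")
	}
	return key, nil
}

// Appliance keeps no keys on disk: volKey is held while mounted, scanKey per scan, both only in memory.
type Appliance struct {
	ID      string
	volKey  []byte
	scanKey []byte
}

// Boot fetches the volume key; if it fails, nothing written earlier is readable.
func (a *Appliance) Boot(c CloudPlatform, authenticated bool) error {
	key, err := c.ReleaseKey(a.ID, authenticated)
	a.volKey = key // nil when the fetch fails
	return err
}

func (a *Appliance) BeginScan() { a.scanKey = randomBytes(32) }

// WriteScanFile applies both layers, file level under scanKey and then the
// file system layer under volKey, and returns the bytes that land on disk.
func (a *Appliance) WriteScanFile(data []byte) ([]byte, error) {
	if a.volKey == nil || a.scanKey == nil {
		return nil, errors.New("file system not mounted or no scan in progress")
	}
	return Seal(a.volKey, Seal(a.scanKey, data)), nil
}

// ReadScanFile peels both layers and therefore needs both keys in memory.
func (a *Appliance) ReadScanFile(onDisk []byte) ([]byte, error) {
	if a.volKey == nil || a.scanKey == nil {
		return nil, errors.New("file system not mounted or no scan in progress")
	}
	inner, err := Open(a.volKey, onDisk)
	if err != nil {
		return nil, err
	}
	return Open(a.scanKey, inner)
}

// FinishScan runs after upload: zeroing the scan key makes a disk image unreadable even with the volume key.
func (a *Appliance) FinishScan() {
	for i := range a.scanKey {
		a.scanKey[i] = 0
	}
	a.scanKey = nil
}
```

Two properties are worth checking in a model like this: `Boot` must fail closed (no key, no mount, no reads), and `FinishScan` must overwrite the scan key rather than merely drop the reference, because the inner layer is what protects a disk image copied out while the volume key was still being released.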
No. High availability (HA) and disaster recovery (DR) do not apply to scanners, because they are clients, not servers.
The scanner stores no user data or scan data, only its network configuration, so there is nothing to back up.
iptables rules drop potentially malicious incoming ICMP packets. All outbound connections use TLS 1.2 with strict certificate validation that accepts only certificates chaining to Qualys-trusted root CAs.
The Qualys Platform endpoint URLs that the appliance connects to are pre-configured at the time of imaging and activation. A user cannot modify these URLs at any later point.
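As an added illustration (not Qualys code, and not a description of the appliance's actual implementation), the following Go code models the outbound connection policy described in the preceding answers: a client that negotiates only TLS 1.2 or newer and trusts only a fixed set of root CAs, exercised against a stand-in platform endpoint. The root names, the `platform.example` subject, the function names and the local test servers are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newCA creates a self-signed root. Two are used below: the root the appliance
// is built to trust, and an unrelated one whose certificates must be refused.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newServerCert issues a leaf for 127.0.0.1 (where httptest listens) signed
// by the given CA.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "platform.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ApplianceClient is the outbound policy: TLS 1.2 or newer, and the server
// certificate must chain to one of the supplied roots. The system root store
// is deliberately not consulted, so any public-CA certificate is refused.
func ApplianceClient(trustedRoots ...*x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	for _, root := range trustedRoots {
		pool.AddCert(root)
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    pool,
	}}}
}

// StartPlatform runs a stand-in for the platform endpoint with the given
// certificate and protocol version range. Callers must Close() it.
func StartPlatform(cert tls.Certificate, minVer, maxVer uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("ok"))
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVer, MaxVersion: maxVer}
	srv.StartTLS()
	return srv
}

// CheckIn makes one outbound request; a nil error means the appliance
// accepted the server's certificate and protocol version.
func CheckIn(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}
```

The design point is the `RootCAs` pool: once it is set, Go ignores the host's trust store entirely, so a valid certificate from a public CA, or from a private CA someone added to the host, fails verification exactly as a misissued one would. Setting `MinVersion` alongside it means a downgrade to TLS 1.0 or 1.1 is refused by the client rather than negotiated.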
We provide complete encryption for our customers' sensitive information, including passwords and private keys. This encryption starts the moment the credentials are created and continues until they are used in scanner process memory; there is no decryption at any point in between. The scanner decrypts credentials just in time, to limit the period during which they reside unencrypted in scanner process memory.
Private PODs, also known as PCPs, enable customers to upload credentials in pre-encrypted form, so end-to-end encryption can start on customer equipment instead of on Qualys web servers.
To keep credentials secure while stored in the Qualys database, their encryption does not rely on global keys, or on keys easily accessible to QWeb or other data center components.
To guard against attacks on TLS, credentials are doubly encrypted in transit: end-to-end encryption inside TLS transport encryption. Key management is designed so that an attacker with complete access to the decrypted contents of the TLS channel still cannot recover any credentials.
Even full penetration of the data center, a scanner appliance, and the TLS channel will not result in exposed credentials, as long as no advanced reverse engineering techniques are used.
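An added example, not Qualys code, of the end-to-end credential flow described in the preceding answers. It assumes a per-appliance RSA key pair whose private half exists only in scanner memory; that is one way to obtain the stated properties, not the documented implementation. It shows that credentials are encrypted where they are created, that every intermediary (database row, web tier, the decrypted inside of the TLS session) handles only ciphertext, that another appliance's key cannot open them, and that the scanner decrypts just in time and zeroes the plaintext after use. The type and function names, the OAEP label and the sample credential are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// oaepLabel binds each ciphertext to its purpose so a blob encrypted for one
// use cannot be replayed as another. The value is a constructed placeholder.
var oaepLabel = []byte("scan-credential")

// ScannerIdentity is the per-appliance key pair assumed by this model: the
// private key exists only in scanner memory; the public key is handed to
// whoever creates a credential.
type ScannerIdentity struct {
	priv *rsa.PrivateKey
}

func NewScannerIdentity() (*ScannerIdentity, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ScannerIdentity{priv: priv}, nil
}

func (s *ScannerIdentity) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// EncryptCredential runs where the secret is created (customer browser, PCP,
// or web tier). RSA-OAEP with SHA-256 under a 2048-bit key accepts at most
// 190 bytes, enough for passwords; a longer secret such as an SSH private key
// would need a wrapped symmetric key (hybrid encryption), which this example
// deliberately leaves out.
func EncryptCredential(pub *rsa.PublicKey, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, oaepLabel)
}

// Observer stands in for every hop that only ever handles ciphertext: the
// platform database row, the web tier, and the decrypted inside of the TLS
// session between the data center and the scanner.
type Observer struct{ Seen [][]byte }

func (o *Observer) Relay(blob []byte) []byte {
	o.Seen = append(o.Seen, blob)
	return blob
}

// UseCredential decrypts just in time, hands the plaintext to the function
// that needs it (an authentication attempt in the real scanner) and zeroes it
// before returning, so the unencrypted credential exists only for that call.
func (s *ScannerIdentity) UseCredential(blob []byte, use func(secret []byte) error) error {
	secret, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, blob, oaepLabel)
	if err != nil {
		return errors.New("credential was not encrypted for this scanner")
	}
	defer func() {
		for i := range secret {
			secret[i] = 0
		}
	}()
	return use(secret)
}
```

Because the private key never leaves the appliance, compromising the database, the web tier or the TLS session yields only `Observer.Seen` blobs, which is the property the preceding answers describe. A production design would add hybrid encryption for large secrets and a key-rotation story for the appliance key pair; neither changes the trust boundary shown here.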