Scanner Appliance: FAQs

We have compiled a list of questions you may have about the scanner appliance.

Frequently Asked Questions

What type of hardening is done on the virtual scanner device?

The scanner images are self-hardened, locked-down, encrypted custom Linux systems that have no user accounts and no means of over-the-network or local user access.

Which security parameters does Qualys maintain for the virtual scanner device?

Our company policy strictly prohibits the disclosure of security details pertaining to our Virtual Scanner images. We neither require nor uphold any certifications related to CIS compliance.

Does the hardening of the virtual scanner device meet the CIS best practices for its function?

The scanner appliance runs a specifically hardened operating system kernel designed to prevent shellcode and buffer overflow attacks. It hosts a limited set of required packages, which are provided and maintained by Qualys.

Is it possible to get logs from the scanner for auditing or investigation purposes?

A remote syslog forwarding feature is available from your Qualys account for scanning-related logs only. For general system logs, contact Qualys support.

What type of services are running on scanners?

The scanner appliance is designed as a client-only device with no persistent services or daemons listening on the network. There are no listening ports.

Which ports are open for scanners?

The scanner appliance does not require an inbound Internet connection; the scanner initiates all communications to the data center on TCP/443 over the Internet, so there are no open ports.

What type of connections are initiated from scanners?

The scanner only initiates a DHCP connection, so only UDP port 67 is open; no other ports need to be open.
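
The network behaviour described in the three answers above can be checked against firewall or flow logs. The following is an added example, not Qualys code: the scanner address, the platform range and the record format are constructed placeholders, and each record is assumed to be a TCP or UDP connection initiation.

```python
from ipaddress import ip_address, ip_network

# All addresses below are constructed placeholders, not Qualys values.
SCANNER = ip_address("10.20.0.5")           # hypothetical scanner appliance
PLATFORM = [ip_network("203.0.113.0/24")]   # stand-in for your platform's ranges
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _in(addr, nets):
    return any(addr in net for net in nets)

def classify(src, dst, proto, dport):
    """Label one connection-initiation record against the FAQ's statements."""
    src, dst = ip_address(src), ip_address(dst)
    if dst == SCANNER:
        if proto == "udp" and dport == 68:
            return "ok-dhcp-reply"          # DHCP server answering the client
        return "alert-inbound"              # FAQ: no listening ports
    if src != SCANNER:
        return "not-scanner"
    if proto == "udp" and dport == 67:
        return "ok-dhcp"                    # FAQ: DHCP on UDP port 67
    if proto == "tcp" and dport == 443 and _in(dst, PLATFORM):
        return "ok-platform"                # FAQ: TCP/443 to the data center
    if _in(dst, INTERNAL):
        return "ok-local-scan"              # FAQ: the appliance scans local systems
    return "alert-egress"                   # Internet traffic outside the above

def audit(flows):
    """Return only the records that need review, with their labels."""
    labelled = [(flow, classify(*flow)) for flow in flows]
    return [(flow, label) for flow, label in labelled if label.startswith("alert")]

# Constructed sample records: (source, destination, protocol, destination port)
FLOWS = [
    ("10.20.0.5", "255.255.255.255", "udp", 67),
    ("10.20.0.1", "10.20.0.5", "udp", 68),
    ("10.20.0.5", "203.0.113.10", "tcp", 443),
    ("10.20.0.5", "10.20.3.7", "tcp", 22),
    ("10.20.0.5", "198.51.100.9", "tcp", 8443),
    ("10.20.9.9", "10.20.0.5", "tcp", 22),
]

if __name__ == "__main__":
    for flow, label in audit(FLOWS):
        print(label, flow)
```

Replace `PLATFORM` with the address ranges published for your subscription's platform before relying on the `alert-egress` label.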

Can a scanner be used as a router or a firewall? 

The scanner appliance acts solely as a network host and cannot route packets, even when multiple network interfaces are active. Network data forwarding is permanently disabled. The appliance scans local systems, processes the resulting data, and then sends the processed data back to the Qualys Cloud Platform.

Is SSH enabled on the scanner?  

There are no listening TCP ports or services running on scanner appliances, so SSH is disabled on the scanner.

Do scanners use NTP?

NTP is not currently being used and is not available for configuration. However, the time on the scanner is synced with the Qualys Platform through APIs.

How is scan data stored and secured on scanners? Is there any difference between Virtual and Physical Scanners in terms of scan data security?

Limited customer data is stored on a scanner appliance during the scan. Regardless of the scanner type, physical or virtual, the storage and protection mechanisms are the same. All sensitive data is encrypted on the file system on any scanner appliance, virtual or physical.

To mount this file system, you need the decryption key obtained from the Qualys Cloud Platform during communication with the Data Center. If the scanner is removed (deactivated) from a customer account, the key is no longer available to access the file system, and no data will be accessible.

All customer files, including temporary data, are stored on this encrypted file system during the scan, which means that the data is protected by encryption. The encryption key is stored only in the data center and is destroyed if the appliance entry is removed. To access the files, appliances need to retrieve the key from the data center each time they boot up. The file system is only decrypted and mounted after successful authentication to the Qualys Data Center.

In addition to the encrypted file system, most customer scan data is doubly encrypted using file-level encryption. This provides two layers of encryption, i.e., individually encrypted files are stored in the encrypted file system. Two types of keys are used: one for input and temporary data (which includes credentials), and a random key that is kept only in appliance memory.

Information related to scanning is never stored on the scanner; once the scan is completed, the results are sent back to the cloud back end for processing and all data is cleaned from the scanner.

Is it possible to set up multiple scanners in High Availability (HA) or redundancy in DR sites? 

No, HA and DR cannot be applied to scanners, as they are clients, not servers.

Do we need to back up anything on the scanner appliance?

We do not store any user data or scan data except the network configuration, so there is no need to back up anything.

How does the scanner handle inbound and outbound connections? How is communication secured?

Iptables rules are present to drop potentially malicious incoming ICMP packets. All outbound connections are over TLS version 1.2 with strict certificate validation that allows only Qualys-trusted root CAs.

The Qualys Platform endpoint URLs that the appliance needs to connect to are pre-configured at the time of imaging and activation. The URLs cannot be modified by a user at any later point.

We provide complete encryption for our customers' sensitive information, including passwords and private keys. This encryption starts from the moment the credentials are created and continues to their use in the scanner process memory. There is no need for decryption at any point in between. Just-in-time decryption in the scanner limits the period of time during which credentials reside in scanner process memory in unencrypted form.

Private PODs, also known as PCPs, enable customers to upload credentials in pre-encrypted form, so end-to-end encryption can start on customer equipment instead of Qualys web servers.

To ensure secure storage of credentials in the Qualys database, scanners do not rely on global keys or easily accessible keys used by QWeb or other data center components for encryption.

To safeguard against attacks on TLS, all credentials are double-encrypted during TLS transfers for enhanced protection (end-to-end encryption plus TLS transport encryption). The key management has been designed in such a way that even if an attacker has complete access to all decrypted content in the TLS channel, they will not be able to retrieve any credentials.

Even full penetration of the data center, a scanner appliance, and the TLS channel will not result in exposed credentials, as long as no advanced reverse engineering techniques are used.