Scanner Appliance Security: FAQs
We have compiled a list of a few questions you may have about scanner appliance security.
Frequently Asked Questions
What type of hardening is done on the virtual scanner device?
The scanner images are self-hardened, locked-down, encrypted custom Linux systems that have no user accounts and no means of over-the-network or local user access.
Which security parameters does Qualys maintain for the virtual scanner device?
Our company policy strictly prohibits the disclosure of security details pertaining to our Virtual Scanner images. We do not require nor uphold any certifications related to CIS compliance.
Does the hardening of the virtual scanner device meet the CIS best practices for its function?
The scanner appliance runs a specifically hardened operating system kernel designed to prevent shellcode and buffer overflow attacks. It hosts only a limited set of required packages, which are provided and maintained by Qualys.
Is it possible to get logs from the scanner for auditing or investigation purposes?
A remote syslog forwarding feature is available from the Qualys account for scanning-related logs only. For general system logs, contact Qualys Support.
What type of services are running on scanners?
The scanner appliance is designed as a client-only device with no persistent services or daemons listening to the network. There are no listening ports.
Which ports are open for scanners?
The scanner appliance does not require an inbound Internet connection; the scanner initiates all communications to the data center on TCP/443 over the Internet, so there are no open ports.
What type of connections are initiated from scanners?
The scanner only initiates a DHCP connection, so only UDP port 67 is open; no other ports need to be open.
Can a scanner be used as a router or a firewall?
The scanner appliance acts solely as a network host and cannot route packets, even when multiple network interfaces are active. Network data forwarding is permanently disabled. The appliance scans local systems, processes the resulting data, and then sends the processed data back to the Qualys Cloud Platform.
Is SSH enabled on the scanner?
There are no listening TCP ports or services running on scanner appliances, so SSH is disabled on the scanner.
Do scanners use NTP?
NTP is not currently being used and is not available for configuration. However, the time on the scanner is synced with the Qualys Platform through APIs.
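The network profile stated in the answers above (no listeners, DHCP as the only appliance-initiated UDP exchange, outbound TCP/443 to the platform, scanning of local targets, no NTP) can be checked against flow or firewall logs. This is an added example, not Qualys code; the appliance address, platform endpoint, internal ranges and the key=value log format are constructed assumptions.

```python
# Added example (not Qualys code): check flow records against the documented profile.
import ipaddress

# Constructed placeholders: appliance address, platform/proxy endpoints reachable
# on TCP/443, and the internal ranges the appliance is expected to scan.
APPLIANCE_IP = ipaddress.ip_address("10.0.5.20")
PLATFORM_ENDPOINTS = {ipaddress.ip_address("203.0.113.10")}
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]


def parse_flow(line):
    """Parse one 'k=v k=v ...' flow record into a dict with typed fields."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["src"], rec["dst"] = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    rec["sport"], rec["dport"] = int(rec.get("sport", 0)), int(rec.get("dport", 0))
    return rec


def classify(rec):
    """Return None when the flow fits the documented profile, else a reason string."""
    proto, internal = rec["proto"].lower(), any(rec["dst"] in n for n in INTERNAL_RANGES)
    if rec["src"] == APPLIANCE_IP:                          # appliance-initiated
        if proto == "udp" and rec["dport"] == 67:           # DHCP request (documented)
            return None
        if proto == "udp" and rec["dport"] == 123:
            return "NTP traffic, but NTP is documented as unused"
        if internal:                                        # scanning local targets
            return None
        if proto == "tcp" and rec["dport"] == 443 and rec["dst"] in PLATFORM_ENDPOINTS:
            return None                                     # platform call-home
        return "outbound to an unexpected external destination"
    if rec["dst"] == APPLIANCE_IP:                          # inbound
        if proto == "udp" and rec["sport"] == 67 and rec["dport"] == 68:
            return None                                     # DHCP reply to the request
        return "inbound flow to a device documented as having no listeners"
    return None                                             # not the appliance's traffic


def audit(lines):
    """Return (timestamp, reason) for every flow that falls outside the profile."""
    return [(r["ts"], why) for r in map(parse_flow, lines) if (why := classify(r))]


# Constructed sample records, not real traffic.
SAMPLE_FLOWS = [
    "ts=2024-05-01T10:00:00Z src=10.0.5.20 dst=203.0.113.10 proto=tcp sport=51234 dport=443",
    "ts=2024-05-01T10:00:01Z src=10.0.5.20 dst=10.0.7.15 proto=tcp sport=51235 dport=22",
    "ts=2024-05-01T10:00:02Z src=10.0.5.20 dst=255.255.255.255 proto=udp sport=68 dport=67",
    "ts=2024-05-01T10:00:03Z src=10.0.7.99 dst=10.0.5.20 proto=tcp sport=40000 dport=22",
    "ts=2024-05-01T10:00:04Z src=10.0.5.20 dst=198.51.100.5 proto=udp sport=40001 dport=123",
]
if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```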
How is scan data stored and secured on scanners? Is there any difference between Virtual and Physical Scanners in terms of scan data security?
Limited customer data is stored on a scanner appliance during the scan. Regardless of the scanner type, physical or virtual, the storage and protection mechanisms are the same. All sensitive data is encrypted on the file system on any scanner appliance, virtual or physical.
To mount this file system, you need the decryption key obtained from the Qualys Cloud Platform during communication with the Data Center. If the scanner is removed (deactivated) from a customer account, the key is no longer available to access the file system, and no data will be accessible.
All customer files, including temporary data, are stored on this encrypted file system during the scan, which means that the data is protected by encryption. The encryption key is stored only in the data center and is destroyed if the appliance entry is removed. To access the files, appliances need to retrieve the key from the data center each time they boot. The file system is only decrypted and mounted after successful authentication to the Qualys Data Center.
In addition to the encrypted file system, most customer scan data is doubly encrypted using file-level encryption. This provides two layers of encryption, i.e., individually encrypted files are stored in the encrypted file system. Two types of keys are used: one for input and temporary data (which includes credentials), and a random key that is kept only in appliance memory.
Information related to scanning is never stored on the scanner; once the scan is completed, the results are sent back to the cloud back-end for processing and all data from the scanner is cleaned.
Is it possible to set up multiple scanners in High Availability (HA) or redundancy in DR sites?
No, HA and DR cannot be applied to scanners, as they are clients, not servers.
Do we need to back up anything on the scanner appliance?
We do not store any user data or scan data; only the network configuration is stored. So, there is no need to back up anything.
How does the scanner handle inbound and outbound connections? How is communication secured?
iptables rules are present to drop potentially malicious incoming ICMP packets. All outbound connections are over TLS version 1.2 with strict certificate validation that allows only Qualys-trusted root CAs.
Qualys Platform endpoint URLs that the appliance needs to connect to are pre-configured at the time of imaging and activation. URLs cannot be modified by a user at any later point.
We provide complete encryption for our customers' sensitive information, including passwords and private keys. This encryption starts from the moment the credentials are created and continues to their use in the scanner process memory. There is no need for decryption at any point in between. Decryption is performed just in time in the scanner, to limit the period of time during which credentials reside in scanner process memory in unencrypted form.
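The outbound policy stated in the two answers above, as an added example that is not Qualys code: TLS 1.2 as the minimum version, a trust store holding only the vendor roots rather than the OS bundle, hostname checking, and a fixed endpoint allowlist that the client refuses to step outside. The endpoint URL and the CA bundle path are placeholders.

```python
# Added example (not Qualys code): a client TLS policy matching the answer above.
import ssl
from urllib.parse import urlsplit

# Constructed placeholder: on the real appliance the endpoint list is fixed at
# imaging time; the vendor-only root bundle path is supplied at deployment.
PLATFORM_ENDPOINTS = ("https://platform.example.invalid/api",)


def make_strict_client_context(ca_bundle=None):
    """Build a client context that trusts nothing but the supplied roots.

    ssl.SSLContext(PROTOCOL_TLS_CLIENT) starts with an EMPTY trust store, unlike
    ssl.create_default_context(), which loads the OS roots. Only the vendor
    bundle loaded below is ever accepted as a trust anchor.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # page: TLS version 1.2
    ctx.verify_mode = ssl.CERT_REQUIRED              # unverifiable peers are rejected
    ctx.check_hostname = True                        # leaf name must match the URL host
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)  # vendor roots only, no OS bundle
    return ctx


def trusted_root_count(ctx):
    """Number of CA certificates the context accepts as trust anchors."""
    return ctx.cert_store_stats()["x509_ca"]


def endpoint_allowed(url, allowlist=PLATFORM_ENDPOINTS):
    """Refuse any URL that is not HTTPS or whose host is not pre-configured."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # Compare the full netloc so userinfo tricks (host@other) never match.
    return parts.netloc in {urlsplit(u).netloc for u in allowlist}


if __name__ == "__main__":
    strict = make_strict_client_context()
    print("vendor-only trust anchors before loading a bundle:", trusted_root_count(strict))
    print("OS default trust anchors:", trusted_root_count(ssl.create_default_context()))
    print(endpoint_allowed("https://platform.example.invalid/api/v2"))
    print(endpoint_allowed("https://other.example.invalid/"))
```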
Private PODs, also known as PCPs, enable customers to upload credentials in pre-encrypted form, so end-to-end encryption can start on customer equipment instead of Qualys web servers.
To ensure secure storage of credentials in the Qualys database, scanners do not rely on global keys or easily accessible keys used by QWeb or other data center components for encryption.
To safeguard against attacks on TLS, all credentials are double-encrypted during TLS transfers for enhanced protection (end-to-end encryption plus TLS transport encryption). The key management has been designed in such a way that even if an attacker has complete access to all decrypted content in the TLS channel, they will not be able to retrieve any credentials.
Even full penetration of the data center, a scanner appliance, and the TLS channel will not result in exposed credentials, as long as no advanced reverse engineering techniques are used.
Why does the Qualys scanner appliance still use kernel 3.10, which is quite old?
Qualys scanner appliance uses our homegrown flavor of Linux, QAL (Qualys Appliance Linux), leveraging good parts from several popular Linux distros. The current kernel is forked from kernel v3.10 and has been enhanced and patched for security vulnerabilities as required over the years.
Currently, we are in the process of moving the scanner appliances to a newer Linux platform based on Oracle Linux 8, which is going to be GA in an upcoming release.
Is the current scanner appliance or its kernel vulnerable to attacks?
The Qualys scanner appliance is a complete black box with no open TCP ports. It may have only one optional listening UDP port (DHCP). No one can log in to the QVSA, so authenticated vulnerabilities cannot be exploited on it. We have always fixed all remotely exploitable vulnerabilities or kernel vulnerabilities as soon as they are discovered. So, there are no known exploitable vulnerabilities in the Qualys scanner appliance.
Why are we now upgrading the Linux platform (QAL) for the scanner appliance if it's not vulnerable?
Even if the current Linux platform (QAL) is not vulnerable, we decided to upgrade it to a more modern Linux platform for the following reasons:
- Leverage a modern enterprise Linux platform with performance, stability, and security features such as UEK (Unbreakable Enterprise Kernel).
- Leverage Oracle Linux's version management, vulnerability patching, upstream updates, and security validation updates for the distribution system packages.
- There are other benefits, such as FIPS 140-2 compliant encryption libraries. This upgrade is also essential for some of Qualys's key business goals from the FedRAMP and NIAP certification perspectives. Some controls in these certifications are prescriptive about subsystem versions rather than being based on the presence of vulnerabilities.
How does the scanner appliance communicate with Qualys cloud if it's a black box?
The scanner appliance initiates all communications to the Qualys Secure Cloud on TCP/443 over the Internet, so there are no open ports. The scanner appliance functions only as a network host; it has no ability to route packets, even when multiple network interfaces are active. The appliance scans the local system, processes the resulting data, and then sends the processed data back to the Qualys Secure Cloud Platform (through a proxy if configured).
How does the scanner appliance protect my data?
Limited customer data is stored on a scanner appliance. Regardless of the scanner type, physical or virtual, the storage and protection mechanisms are the same. All sensitive data is encrypted on the file system on the scanner appliance. The decryption key required to mount this file system is obtained from the Qualys Secure Cloud Platform during communication with the Data Center. If the scanner is removed (deactivated) from a customer account, no key is available to mount the file system, so no data is accessible. All customer files, including temporary data, are stored on this encrypted file system for the duration of a scan and are, therefore, protected by that encryption. The encryption key is stored only in the data center and is destroyed if the appliance entry is removed. Appliances must retrieve the key from the Secure Cloud Platform in Qualys Data Centers every time they boot. The file system is decrypted and mounted only after the scanner successfully authenticates to the Qualys Secure Cloud.
In addition to the encrypted file system, most customer data is encrypted twice using file-level encryption. This provides two layers of encryption, which means individually encrypted files are stored in the encrypted file system.
Two types of keys are used:
- One for input and temporary data (which includes credentials).
- A random key that is kept only in appliance memory.
Information related to scanning is never stored on the scanner; once the scan is completed, the results are sent back to the cloud backend for processing, and all data from the scanner is cleaned up.