Penetration Testing mailing list archives

RE: Qualys performance nonsense


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 13 Feb 2006 13:30:31 -0600

Amit, good points. This discussion has gotten pretty uninformed.

1. It seems highly unlikely, from external audits to the nature
of interaction we've had with Qualys, that they have access to
private data. I doubt they play games with this as one publicly
disclosed violation might sink their business model.

2. This performance talk is nonsense. Unless Qualys has un-improved
in the last year, they provide a number of options for scan
performance--both Internet and internal appliances, including
throttling bandwidth, increasing/decreasing threading, even
beyond what their GUI interface allows.

I have called Qualys and had them increase both the number of
distributed hosts (on their end) and the number of available
threads when we've had high numbers of firewalled hosts on low
bandwidth links across disparate network blocks to test in a
very short time-window. And they've done it.

Identifying that you can crank up the gain/speed on a scanner
as "better" is like saying that listening to a grenade go off
is preferable to the radio because it is "louder". While
both may be enjoyable in the right circumstances, it is all
about context now isn't it?

thread_dead

-ae

-----Original Message-----
From: Amit [mailto:amit.deshmukh () security-assessment com] 
Sent: Sunday, February 12, 2006 10:10 PM
To: pen-test () securityfocus com
Subject: Re: Qualys


My comments below guys.

There was a query I had initiated on qualysguard sometime
back (late last year) on the list, and quite frankly, the
replies generated showed qualysguard in a poor light. As did
our own assessment of it. One big problem we saw (and someone
else on the list confirmed) was that qualys does have access
to your vulnerability data - as in read/view capability - one
of the mails that came back to us (from qualys personnel)
asked if we wanted help on an aborted scan.
 

I have worked quite closely with Qualys support and can
confirm they do not have access to your scan/vuln data. They
however get notified of failed scans via the platform and
hence the support email to you, Prasanna. All scan results are
stored in encrypted format within the database and are only
accessible via your credentials, and support has no knowledge
of these.

There were a host of other problems with its performance -
the scanning being very very slow, because of it happening via
the internet. So, if you're looking at a huge network, it's
going to be slow. We benchmarked it against Nmap, and frankly
it was a no-contest.

regards,
Prasanna

 

There are options that will let you throttle scan speeds. So
you really need to look at what options you chose while doing
scans. Internet based scanning only occurs for Internet facing
hosts. For internal hosts you need to purchase an appliance
that would be located on your internal network. The appliance
performance parameters can also be configured. In my
experience I have always had to slow down the scan in order to
ensure no network devices get bumped off due to scan packets.

David, to answer your question, one of our clients who was trialling 
qualysguard accidentally set off a scan of a class A network and went 
home and returned the next morning to find about 80,000 hosts 
scanned :)

Amit.

________________________________________
From: David M. Zendzian [mailto:dmz () dmzs com]
Sent: Wed 2/8/2006 11:35 AM
To: US Infosec
Cc: pen-test () securityfocus com
Subject: Re: Qualys

And just for the list's knowledge, what products did you find
that could deliver on a class A assessment?

BTW, I know of several national and multi-national financial
institutions that depend on n-circle, doing both regular
sweeps around their network as well as tying into their dhcp
servers to scan hosts as they "go-live".

dmz
