For Internet-facing IP addresses, there are a number of ways to perform a scan on a system. Should PCI compliance be in the roadmap, this becomes a requirement. This is increasingly relevant as PCI DSS 2.0 has been released and becomes effective January 1, 2011.
There are a number of factors that go into getting a PCI scan for an Internet-facing IP address. The first is the requirement that the scans be performed by an external party that is an Approved Scanning Vendor (ASV). Recently, I gave the QualysGuard PCI service a test drive for performing a scan of a system in my personal lab.
In the course of using the QualysGuard PCI service, I can say it is very easy to use. The service is a software-as-a-service (SaaS) offering sold as an annual subscription. There are two modules that compose the SaaS offering: Vulnerability Management (VM) and Web Application Scanning (WAS). Vulnerability scanning is the primary and most obvious defense for in-compliance systems, while the WAS module is an additional compliance requirement for web-facing applications.
The scans are performed externally from a known list of IP addresses. Qualys currently maintains five subnets of scanners, which are listed on their website. In my test drive, I allowed these subnets to pass through my Untangle firewall to permit the scans to occur and pointed them at one server. The scans can be run on-demand or scheduled for a regular interval. Using the web portal for QualysGuard PCI, the on-demand scan is shown in Figure A.
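The firewall exception for the scanner subnets described above is worth auditing so it stays no wider than the scan needs. The following is an added example, not part of the original article or any Qualys tooling: the subnets, target address, rule list and function names are constructed placeholders (RFC 5737 documentation ranges), to be replaced with the list your ASV publishes and your own pass rules.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not the vendor's
# real scanner subnets; substitute the list published by your ASV.
SCANNER_SUBNETS = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "198.51.100.0/25")]
SCAN_TARGET = ipaddress.ip_network("203.0.113.10/32")  # constructed: server in scope

# Constructed firewall pass rules as (source, destination) pairs.
RULES = [
    ("192.0.2.0/24", "203.0.113.10/32"),     # scanner subnet -> target only
    ("198.51.100.0/24", "203.0.113.10/32"),  # wider than the published /25
    ("192.0.2.0/24", "203.0.113.0/24"),      # exposes the whole network
]

def audit_rules(rules, scanners=SCANNER_SUBNETS, target=SCAN_TARGET):
    """Return (rule_index, finding) pairs for exceptions that are too broad,
    plus (None, ...) entries for scanner subnets with no path to the target."""
    findings, reachable = [], set()
    for i, (src_s, dst_s) in enumerate(rules):
        src, dst = ipaddress.ip_network(src_s), ipaddress.ip_network(dst_s)
        # The source must sit inside one published scanner subnet.
        if not any(src.subnet_of(s) for s in scanners):
            findings.append((i, "source wider than published scanner subnets"))
        # The destination must be exactly the host being scanned.
        if dst != target:
            findings.append((i, "destination wider than the scan target"))
        if target.subnet_of(dst):
            reachable.update(s for s in scanners if s.subnet_of(src))
    for s in scanners:
        if s not in reachable:
            findings.append((None, f"scanner subnet {s} cannot reach target"))
    return findings

def unexpected_sources(log_sources, scanners=SCANNER_SUBNETS):
    """Source IPs seen during the scan window that are not scanner addresses."""
    return sorted({ip for ip in log_sources
                   if not any(ipaddress.ip_address(ip) in s for s in scanners)})

if __name__ == "__main__":
    for idx, msg in audit_rules(RULES):
        print(idx, msg)
    # Constructed source addresses, as they might be pulled from firewall logs.
    print(unexpected_sources(["192.0.2.44", "198.51.100.200", "192.0.2.44"]))
```

Removing or tightening the flagged rules once the scan completes keeps the exception from outliving its purpose.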
Once the scan is underway, the QualysGuard PCI service emails the account administrator to confirm that it has started, with information about how it was launched. There is a follow-up email when the scan is completed. At that time, the results and report are available through the QualysGuard PCI portal. Figure C shows this information and the downloadable Adobe PDF file.
Having performed this test drive, I’ll say that the tool is easy to use. The service costs $495 for three Internet IP addresses; additional IPs can be purchased at $25 each, and quantity discounts bring that per-IP price down. If the VM and WAS options are selected, the three-IP price is $995 and additional IPs can be added in the same fashion. This tells me that PCI scanning doesn’t have to be difficult or expensive. How do you manage your external scans? Share your comments below.
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.