PCI-scanning for external IP addresses with QualysGuard PCI

Is a compliance requirement in your future? The voyage doesn't have to be a difficult one. In this TechRepublic post, IT pro Rick Vanover takes the QualysGuard PCI scanning service for a test drive.

For an Internet-facing IP address, there are a number of ways to scan a system, but once PCI compliance is on the roadmap, external scanning stops being optional and becomes a requirement. This is increasingly relevant now that PCI DSS 2.0 has been released and becomes effective January 1, 2011.

There are a number of factors that go into getting a PCI scan for an Internet-facing IP address. The first is that PCI DSS Requirement 11.2 calls for the external scans to be run at least quarterly by a third party that the PCI Security Standards Council has certified as an Approved Scanning Vendor (ASV); a scan you run yourself, even with the same scanner, does not satisfy it. Recently, I gave the QualysGuard PCI service a test drive for performing a scan of a system in my personal lab.

In the course of using the QualysGuard PCI service, I can say it is very easy to use. The service is a software-as-a-service (SaaS) offering sold as an annual subscription. Two modules compose the offering: Vulnerability Management (VM) and Web Application Scanning (WAS). The VM module performs the network-layer vulnerability scan that the quarterly ASV requirement is about, while the WAS module covers the application-layer testing that PCI DSS Requirement 6.6 calls for on public-facing web applications (the alternative under 6.6 is a web application firewall in front of the application).

The scans are performed externally from a known list of IP addresses. Qualys currently maintains five subnets of scanners, which are listed on its website. In my test drive, I allowed these subnets to pass through my Untangle firewall so the scans could occur and pointed them at one server. The allow rule should give the scanner ranges an unobstructed path to the in-scope host rather than only the ports you expect to be open; a firewall or IPS that blocks part of the scan interferes with the result rather than improving it. The scans can be run on demand or scheduled at a regular interval. Using the web portal for QualysGuard PCI, the on-demand scan is shown below in Figure A.

Figure A

With the Untangle rules in place, one Windows Server in the lab was scanned. While the scan was underway, its impact was easy to see on the target itself. Figure B below shows the output of the netstat command (the -f parameter resolves the foreign addresses to fully qualified domain names) listing the scanner's connections. Watching this during the scan window is also a simple check that the connections come only from the ASV's published ranges:

Figure B
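Turning that netstat check into something repeatable is straightforward. The following Python script is an added example for this page, not code from the article or from Qualys: it parses the data rows of Windows `netstat -n` output (numeric addresses; hostnames as printed by `-f` are reported as unresolved rather than guessed at) and sorts each remote peer into the ASV allowlist or outside it, so anything else probing the host during the scan window stands out. The scanner ranges and the netstat sample are constructed placeholders using RFC 5737 documentation prefixes, not Qualys's real subnets; substitute the list the ASV publishes before using it against a real host.

```python
"""Classify the remote ends of live connections against an ASV scanner
allowlist.  Added example for this page; not the article's or Qualys's code."""
import ipaddress
import re

# Placeholder scanner ranges taken from the RFC 5737 documentation prefixes.
# These are NOT Qualys's real ranges; substitute the list the ASV publishes.
ASV_SCANNER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Data rows of Windows `netstat -n` (numeric addresses, no PID column).
# `netstat -f` prints FQDNs for foreign addresses instead; those rows are
# reported as "unresolved" below rather than silently dropped.
#   TCP    192.0.2.10:443    198.51.100.7:51234    ESTABLISHED
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$"
)

# Constructed sample output; not captured from the author's lab server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
  TCP    192.0.2.10:443         198.51.100.7:51240     SYN_RECEIVED
  TCP    192.0.2.10:3389        198.51.100.88:40122    TIME_WAIT
  TCP    192.0.2.10:445         203.0.113.15:60001     ESTABLISHED
  TCP    192.0.2.10:22          192.0.2.55:55012       ESTABLISHED
  TCP    192.0.2.10:443         scanner.example.net:5002  ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
""".splitlines()


def is_scanner(ip, ranges=ASV_SCANNER_RANGES):
    """True if the address literal falls inside one of the ASV ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def classify_connections(lines, ranges=ASV_SCANNER_RANGES):
    """Return {'scanner': [...], 'other': [...], 'unresolved': [...]}.

    Each entry is (remote_host, remote_port, local_port, state).  Listening
    sockets and wildcard peers are not connections and are skipped; peers
    printed as hostnames cannot be matched against CIDRs and go to
    'unresolved' so the operator can re-run netstat with -n.
    """
    buckets = {"scanner": [], "other": [], "unresolved": []}
    for line in lines:
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # banner, blank or header line
        _proto, _laddr, lport, rhost, rport, state = m.groups()
        if state == "LISTENING" or rport == "*":
            continue
        entry = (rhost.strip("[]"), rport, lport, state)  # [] wraps IPv6
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            buckets["unresolved"].append(entry)
            continue
        key = "scanner" if any(addr in net for net in ranges) else "other"
        buckets[key].append(entry)
    return buckets


def unexpected_peers(lines, ranges=ASV_SCANNER_RANGES):
    """Distinct remote addresses outside the ASV ranges.  During a scan of a
    host that is otherwise closed off, this list should be empty."""
    return sorted({e[0] for e in classify_connections(lines, ranges)["other"]})


if __name__ == "__main__":
    result = classify_connections(SAMPLE_NETSTAT)
    for bucket, entries in result.items():
        print(f"{bucket}: {len(entries)}")
        for host, rport, lport, state in entries:
            print(f"  {host}:{rport} -> local :{lport} {state}")
    print("unexpected peers:", unexpected_peers(SAMPLE_NETSTAT))
```

Run it against `netstat -n` captured while the scan is in progress; an empty `unexpected peers` list means the only traffic reaching the in-scope host came from the ASV's ranges, and a non-empty `unresolved` bucket means the capture was taken with `-f` and should be repeated numerically.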

When a scan starts, the QualysGuard PCI service emails the account administrator with details of how it was launched, and a follow-up email arrives when the scan completes. At that point the results and report are available through the QualysGuard PCI portal. Figure C shows this information and the downloadable PDF report:

Figure C

Having performed this test drive, I’ll say that the tool is easy to use. The service costs $495 for three Internet IP addresses, and additional IPs can be purchased at $25 each, with quantity discounts bringing that per-IP price down. If both the VM and WAS modules are selected, the three-IP price is $995 and additional IPs can be added in the same fashion. This tells me that PCI scanning doesn’t have to be difficult or expensive. How do you manage your external scans? Share your comments below.