Faculty and staff who maintain servers and websites at IU can use the QualysGuard vulnerability scanners (more informally known as “Qualys”) to discover vulnerabilities. Periodically scanning and reviewing scan reports is required by IU’s information security policy, IT-12.
Go to QualysHas your server or website been scanned lately?
Why should I have my server or website scanned?
A better question might be why wouldn’t you want it scanned? What would be the damage if someone broke into your website? Is institutional data present? Would you be liable under the law? What would happen if your website were defaced? What if it were used to distribute illegal content?
System administrators face these sorts of concerns every day. A vulnerability scan doesn’t completely eliminate the risks, but it does make you aware of any system flaws first, before an attacker. Additionally, any action you take to increase security on your systems will improve the security of the entire IU network overall.
A vulnerability scan doesn’t completely eliminate the risks, but it does make you aware of any system flaws first, before an attacker.
Requesting Qualys access
To use Qualys, send email to scanner-admin@iu.edu with the following information.
- Unique name for your group. ADS groups or HR Codes like IU-UISO are the optimal format for this.
- Email and full name of users who will need to control scans.
- Email and full name of any other users who will need to read scan reports
- If you’re doing website scanning, a list of URLs to scan (see below for additional information required for website scans)
- If you’re doing system scanning, a list of IPs or CIDR blocks broken out in three sections
- Servers in the IU Data Center
- Servers outside the IU Data Center
- Any DHCP ranges you exclusively control or Desktops with Static IPs
Scan engines
Server and Web scans can originate from any of the following IU IP addresses. You may need to grant access from these IPs if you use a host-based firewall or other network safeguards. These IPs should be able to ping your hosts, but if you allow the scanner to access more open ports it will give more precise results.
- 129.79.217.0/27
- 129.79.16.38
- 129.79.16.39
- 129.79.72.22
- 129.79.72.38
- 10.79.72.6
Additionally, any public website will most likely be scanned from an offsite Qualys scanner located in the following block:
- 64.39.96.0/20
Risks of web app scanning
As with any sort of vulnerability scan, there are some inherent risks, including degraded performance, unintentional denial of service, and accumulation of garbage data.
These risks are usually minimal and temporary, however, and are outweighed by the advantage of discovering weaknesses in your web application. Further, remember that anyone with access to your site can perform the same actions as the UISO scanners, meaning it’s better for you to identify vulnerabilities up front rather than have them exploted by someone with nefarious intentions.
The scanner actively tries to fill out web forms and submit data so it can try to identify certain vulnerabilities, including SQL injection and cross site scripting. When the scanner submits data in this way, it tries to make it easy for you to recognize so you can easily delete it from your database later.
Whenever scanning a website, please be sure to notify your supervisor, colleagues, IT Pros, and anyone else who has a stake in the website or service. Since the scan may impact performance and generate unusual-looking data, users of the site may believe it’s an attack and panic if not properly informed.
Notify your supervisor, colleagues, IT Pros, and anyone else who has a stake in the website or service.
Web app scanning logistics
Scans can be run against production or development servers. Scanning production servers has the disadvantage that the site load may be too great during regular hours, necessitating a less convenient off-peak scan. Conversely, scanning a development server may produce unreliable results if the production server is not 100 percent exact copy of the production server. That said, it can eliminate possible problems before they reach the production environment.
The scanner has the ability to authenticate if needed. If your site uses CAS, LDAP, or Kerberos authentication, simply grant access to the username uisoscan (ads\uisoscan), and the scanner in turn will be able to access your site. If your authentication is local, please create a local username (preferably named uisoscan) and passphrase for the scanner. Passphrases can be sent securely through Lync chat.
Important: Please ensure you assign the uisoscan user permissions at whatever privilege level you would like the scanner to scan. For instance, if you have an admin interface that you want scanned, uisoscan must be able to access it.
Scans can often be tailored to specific concerns you have. Since this process is hands-on, we are able to give a lot of attention to these scans and customize them for you.
Web app scan reports
Suppose you’ve run a web app scan and have received a scan report. How do you resolve the issues that were found?
Your first line of support should come from your department’s IT Pro. If you are an IT Pro, you should consult with Support Center Tier 2, who can guide you to various resources, documents, and training sessions.
If you’re a web developer wanting to improve your site’s security, peruse the following resources:
The Open Web Application Security Project (OWASP) contains a great deal of information preventing web vulnerabilities. Specifically, the OWASP Top 10 document details the most prevalent web security issues today.
SANS offers several courses on web application security.
The Web Application Security Consortium (WASC) is a trade organization that offers community forums and a library of technical information on web app vulnerabilities and how to prevent them.