RE: Qualys performance nonsense

From: Evans, Arian (Arian.Evans@fishnetsecurity.com)
Date: Mon Feb 13 2006 - 14:30:31 EST


Amit, good points. This discussion has gotten pretty uninformed.

1. It seems highly unlikely, from external audits to the nature
of interaction we've had with Qualys, that they have access to
private data. I doubt they play games with this as one publicly
disclosed violation might sink their business model.

2. This performance talk is nonsense. Unless Qualys has un-improved
in the last year, they provide a number of options for scan
performance--both Internet and internal appliances, including
throttling bandwidth, increasing/decreasing threading, even
beyond what their GUI interface allows.

I have called Qualys and had them increase both the number of
distributed hosts (on their end) and the number of available
threads when we've had high numbers of firewalled hosts on low
bandwidth links across disparate network blocks to test in a
very short time-window. And they've done it.

Identifying that you can crank up the gain/speed on a scanner
as "better" is like saying that listening to a grenade go off
is preferable to the radio because it is "louder". While
both may be enjoyable in the right circumstances, it is all
about context now isn't it?

thread_dead

-ae

> -----Original Message-----
> From: Amit [mailto:amit.deshmukh@security-assessment.com]
> Sent: Sunday, February 12, 2006 10:10 PM
> To: pen-test@securityfocus.com
> Subject: Re: Qualys
>
>
> My comments below guys.
>
> >There was a query I had initiated on qualysguard sometime
> >back (late last year) on the list, and quite frankly, the
> >replies generated showed qualysguard in a poor light. As did
> >our own assessment of it. One big problem we saw (and someone
> >else on the list confirmed) was that qualys does have access
> >to your vulnerability data - as in read/view capability - one
> >of the mails that came back to us (from qualys personnel)
> >asked if we wanted help on an aborted scan.
> >
> >
> I have worked quite closely with Qualys support and can confirm they do
> not have access to your scan/vuln data. They however get notified of
> failed scans via the platform and hence the support email to you
> Prasanna. All scan results are stored in encrypted format within the
> database and are only accessible via your credentials and support has no
> knowledge of these.
>
> >There were a host of other problems with its performance -
> >the scanning being very very slow, because of it happening via
> >the internet. So, if you're looking at a huge network, it's
> >going to be slow. We benchmarked it against Nmap, and frankly
> >it was a no-contest.
> >
> >regards,
> >Prasanna
> >
> >
> >
> There are options that will let you throttle scan speeds. So you really
> need to look at what options you chose while doing scans. Internet based
> scanning only occurs for Internet facing hosts. For internal hosts you
> need to purchase an appliance that would be located on your internal
> network. The appliance performance parameters can also be configured. In
> my experience I have always had to slow down the scan in order to ensure
> no network devices get bumped off due to scan packets.
>
> David, to answer your question, one of our clients who was trialling
> qualysguard accidentally set off a scan of a class A network and went
> home and returned the next morning to find about 80,000 hosts
> scanned :)
>
> Amit.
>
> >________________________________________
> >From: David M. Zendzian [mailto:dmz@dmzs.com]
> >Sent: Wed 2/8/2006 11:35 AM
> >To: US Infosec
> >Cc: pen-test@securityfocus.com
> >Subject: Re: Qualys
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >And just for the list's knowledge, what products did you find
> >that could deliver on a class A assessment?
> >
> >BTW, I know of several national and multi-national financial
> >institutions that depend on n-circle, doing both regular sweeps around
> >their network as well as tying into their DHCP servers to scan hosts as
> >they "go-live".
> >
> >dmz




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:31 EDT