Qualys has provided an automated remote vulnerability testing service for some time. However, a remotely operated service like that is limited in what it can do when it is trying to reach your computers through a properly configured firewall. That is not to say it doesn't do a good job of showing up external vulnerabilities, but it can't give a complete vulnerability picture, as it lacks the 'enemy within' perspective. Incidentally, internal risks are not limited to dishonest or malicious employees - they also apply to an innocent user who accidentally runs a trojan attached to an email, because it then executes inside the firewall perimeter.
What is needed to complete a security audit is a vulnerability assessment carried out from inside the organisation on the corporate intranet to see what vulnerabilities are exposed to internal users who may be a threat. And that's exactly what QualysGuard Enterprise does with its Intranet Scanner option.
Intranet Scanner is an appliance that is installed on the internal network, but communicates with Qualys' remote vulnerability testing servers through the firewall. In this way, it receives up-to-date instructions on what tests to perform directly from Qualys in real time, but does not itself compromise existing security, as it does not bypass the firewall. Also, all data traffic flowing between the appliance and Qualys' data centre is encrypted using SSL. Effectively, you are putting a vulnerability sensor at a node within the internal network to be tested.
Being an appliance, the Intranet Scanner is easily installed. It needs a mains power supply and a 10/100Mbits/sec Ethernet connection to the internal network. All you need to configure from its front panel is whether or not to use DHCP; if not using DHCP, a static IP address must be entered along with the gateway and DNS IP addresses. If you install it behind a proxy server, you need to enable the SSL proxy option on the appliance. However, once an IP configuration has been established, there is no need to connect to it directly using a web browser. Rather, it immediately communicates with Qualys' data centre over the internet, and you log on to Qualys' web site to control it remotely via the QualysGuard web service.
Once installed, the first step is to allow its auto-discovery feature to find all the nodes on your internal network. This results in a graphical map showing how they are connected. The hostname and operating system are identified for each node, not just servers, but any device that can be identified - this includes routers, hubs, switches, wireless and VPN access points and other network infrastructure components.
The next step is to carry out a vulnerability scan. You can select which hosts to scan and schedule regular scans if you wish. Summary scan results can be emailed immediately on completion, so you can leave a scan in progress and do something else. The time taken to complete the scan depends on the number of hosts, but is not unduly long - it can scan a half-full Class C network in less than one hour. Once the scan is complete, you can view the results on the web. They give a full description of each vulnerability and the recommended solution.
Finally, you can download patches and other fixes easily by clicking on the indicated solution section of each vulnerability report. Most patches and updates are downloaded directly from the OS/application vendor's web site, but they are all verified by Qualys to ensure that they do indeed fix the vulnerability and that no other problems will be caused. However, you then have to install the downloaded patch manually - there is no option to install patches and fixes automatically.
The reporting engine is very good and provides an overview of the vulnerabilities, prioritised by severity. Delegation is catered for by a simple hierarchy in which users can be given permissions limited to reading scan reports, or merely to being notified by email that a scan has completed, or full privileges to configure, schedule and initiate scans. Additionally, remedy tickets can be generated automatically and progressed through the system to ensure that action is taken to fix vulnerabilities.
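The three pieces of this paragraph - severity-ordered reporting, a small delegation hierarchy, and remedy tickets that move through states - are the kind of workflow any vulnerability management process needs, and they are easy to get wrong if permissions are not default-deny. The following is an added illustration written for this page, not Qualys code and not a description of how QualysGuard implements any of it. The role names (`reader`, `notified`, `manager`), the action names, the 1-5 severity scale, the ticket states and the sample findings are all constructed assumptions.

```python
"""Added example (not Qualys code): prioritise constructed scan findings by
severity, open one remedy ticket per finding, and enforce a three-level
delegation model (read-only, notify-only, full) with default-deny checks.
Role names, actions, severity scale and sample data are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List


class Severity(IntEnum):
    # Higher value = more urgent. The 1-5 scale is an assumption.
    INFO = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    CRITICAL = 5


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: Severity
    solution: str


@dataclass
class Ticket:
    ticket_id: int
    finding: Finding
    status: str = "open"


# Delegation model: each role maps to the set of actions it may perform.
# Anything not listed is denied (default-deny).
ROLE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "reader": frozenset({"read_report"}),
    "notified": frozenset({"receive_notification"}),
    "manager": frozenset({"read_report", "receive_notification",
                          "configure_scan", "schedule_scan", "start_scan",
                          "progress_ticket"}),
}

# Allowed ticket state transitions (assumed workflow).
TRANSITIONS: Dict[str, str] = {"open": "in_progress", "in_progress": "closed"}


def is_allowed(role: str, action: str) -> bool:
    """Unknown roles and unknown actions are refused, never granted."""
    return action in ROLE_ACTIONS.get(role, frozenset())


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Most severe first; ties broken by host then title so output is stable."""
    return sorted(findings, key=lambda f: (-int(f.severity), f.host, f.title))


def summarise(findings: List[Finding]) -> Dict[Severity, int]:
    """Overview count per severity level, highest severity first."""
    counts: Dict[Severity, int] = {}
    for f in prioritise(findings):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def open_tickets(findings: List[Finding], start_id: int = 1) -> List[Ticket]:
    """One remedy ticket per finding, numbered in priority order."""
    return [Ticket(start_id + i, f) for i, f in enumerate(prioritise(findings))]


def progress_ticket(ticket: Ticket, role: str) -> bool:
    """Advance a ticket one state if the role may do so; return success."""
    if not is_allowed(role, "progress_ticket"):
        return False
    next_state = TRANSITIONS.get(ticket.status)
    if next_state is None:          # already closed: nothing to do
        return False
    ticket.status = next_state
    return True


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("10.0.0.5", "Outdated SSH daemon", Severity.HIGH, "Apply vendor patch"),
    Finding("10.0.0.12", "Anonymous FTP enabled", Severity.MEDIUM, "Disable anonymous login"),
    Finding("10.0.0.5", "Default SNMP community string", Severity.CRITICAL, "Change community string"),
    Finding("10.0.0.20", "ICMP timestamp response", Severity.LOW, "Filter ICMP timestamp"),
]

if __name__ == "__main__":
    for t in open_tickets(SAMPLE_FINDINGS):
        f = t.finding
        print(f"#{t.ticket_id} [{f.severity.name}] {f.host}: {f.title} -> {f.solution}")
    print("summary:", {s.name: n for s, n in summarise(SAMPLE_FINDINGS).items()})
    print("reader may start scan:", is_allowed("reader", "start_scan"))
```

The design point is that `is_allowed` looks up an explicit allow-list and treats anything unknown as denied, so adding a new action or a misspelt role name cannot silently widen what a report-only user may do; ticket progression reuses the same check rather than carrying its own.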
The real advantage of Qualys' solution is that the whole vulnerability assessment process can be automated in a scalable manner to cover a multi-site intranet. This scheduling of scans and delegation of responsibility is essential, as busy security managers do not have the time to run scans manually. Also, Qualys effectively provides a third-party audit - reports and logs that cannot be tampered with by the customer - and this will satisfy external security auditors.