Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Scan Policy Types

 

JSA Vulnerability Manager provides several default scan policy types. You can also define your own scans from the scan templates.

You must have the correct license capabilities to perform the following scanning operations. If you need assistance to obtain a new or updated license key, contact your Juniper Customer Support.

The following scan templates are the most commonly used templates:

  • Discovery scan policy--Discovers network assets, and then scans ports to identify key asset characteristics, such as operating system, device type, and services. Vulnerabilities are not scanned.

    A lightweight uncredentialed scan that searches an address space for active IP addresses, and then scans their ports. It runs DNS and NetBIOS lookups to discover the operating system, open services, and network names.

    If possible, run this uncredentialed scan weekly to provide good network visibility. This scan is most helpful for identifying new assets and changes to previously scanned assets.

    Note

    Use the assets seen in last 14 days but not scanned saved search from the Assets tab, to identify new assets that JSA passively discovered the last 14 days.

  • Full scan policy-- Discovers network assets by using a fast scan port range. Runs a user-configurable port scan and unauthenticated scan of discovered services like FTP, web, SSH, and database. An authenticated scan is run when credentials are provided.

    Runs the full suite of JSA Vulnerability Manager tests.

    A full scan has these phases:

    1. Discovery scan.

    2. Uncredentialed scan.

      Checks services that do not require credentials, for example, reading banners and responses for version information, SSL certificate expiry, testing default accounts, and testing responses for vulnerabilities.

    3. Credentialed scan.

      JSA Vulnerability Manager logs on to the asset and gathers information about the installed application inventory and required configuration, and raises or suppresses vulnerabilities. Credential scans are preferable to uncredentialed scans. Uncredentialed scans provide a useful overview of the vulnerability posture of the network. However, credentialed scanning is essential for a comprehensive and effective vulnerability management program.

      You can't edit the build-in policies but you can copy them to create your own custom scan policy.

      Tip

      Full scans can sometimes lock some administration accounts, for example, SQL Server, when JSA Vulnerability Manager tests multiple default credentials on accounts. Turn off these logon tests by taking the following steps:

      1. Click the Vulnerabilities tab.

      2. From the Scan Policy window, click Scan Policies.

      3. Click the Full Scan policy, then click Edit.

      4. Click the Tools tab.

        By default, the Included list is displayed.

      5. From the Filter menu, select Default Logons (Dos Risk).

      6. Click Exclude All to remove the check marks next to the items in the list.

      7. Click Save.

      8. Verify that the Default Logons (Dos Risk) tools are in the Excluded list.

      Run a full scan every 2-3 months for a detailed and accurate assessment of vulnerabilities in your network. The full scan is resource-intensive so the scheduling and resource allocation is important for optimal performance.

  • Patch scan policy--Scouts the network to discover assets, and then runs a fast port scan and credentialed scan of the assets.

    You use patch scans to determine which patches and products are installed or missing on the network.

    A patch scan has two main phases:

    1. Discovery scan

    2. Credentialed scan

    Run this credentialed scan every 1-4 weeks to determine what patches and products are installed or missing on your network. The patch scan places only a minimal load on your network and active testing is kept to a low level.

  • PCI scan policy--Scans all TCP and UDP ports 0-65535.

    You are not required to scan all UDP ports for PCI compliance. Typically you scan the most common UDP ports for PCI compliance but the list of ports might change slightly over time in accordance with PCI security standards.

    If you scan all UDP ports, the scan might take a long time and not complete within the timeout period on larger network segments, resulting in some Scan Interference Detected - Scan Potentially Incomplete vulnerability instances.

    You can create your own custom PCI scan policy by copying this policy, renaming the policy, and modifying the UDP scan ports according to your requirements.

  • Database scan policy--Scans database ports, 523, 1433, 1521, and 3306 for popular database services.

    Use the uncredentialed database scan to scan ports DB2 (523), Microsoft SQL (1433), MySQL (3306), Oracle (1521), and Informix (1526 ), for popular database services.

    Run this scan regularly if you have high database activity.