
Best Practices Guide

McAfee Vulnerability Manager 7.5

COPYRIGHT
Copyright 2012 McAfee, Inc. Do not copy without permission.

TRADEMARKS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,
McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab,
McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection,
TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States
and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR
A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS
SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.

Issued 5/15/2012 15:06 / McAfee Vulnerability Manager Best Practices Guide

Contents

McAfee Vulnerability Manager best practices ........ 5
Initial planning ........ 5
    How to group assets ........ 5
    Asset value ........ 6
    How much risk can we accept? ........ 6
Setup ........ 8
    Number of servers required ........ 8
    Prepare your setup ........ 10
        Place the API server ........ 10
        Place the configuration manager ........ 11
        Place scan engines and scan controllers ........ 12
        Product updates ........ 14
        Remote access to McAfee Vulnerability Manager appliances ........ 15
        Network requirements ........ 15
Discovery scans ........ 19
    Build an asset inventory with McAfee Vulnerability Manager ........ 19
    Create effective discovery scans ........ 19
    Network impact ........ 20
    Optimization ........ 20
        Summary of discovery scan optimization ........ 23
    Initial discovery ........ 23
        Sorting and grouping ........ 24
Vulnerability scans ........ 25
    Target scans to each asset group/environment ........ 25
        Plan your scanning schedule ........ 26
    Target scans for specific vulnerabilities ........ 26
    How graphing and trending can improve security ........ 26
        Using the dashboard ........ 27
    Optimize vulnerability scans ........ 27
        How to increase scan speeds ........ 27
        How to decrease scan speeds ........ 28
Web applications scans ........ 29
    Where to start with web application scanning ........ 29
    View web application scan reports ........ 29
    Improve your web application scans ........ 30
Custom reports ........ 31
Threat assessment using the Threat Correlation Module ........ 32
    What is a threat? ........ 32
    Threat Correlation Module ........ 32
    View the Threat Correlation Module output ........ 32
        How to mitigate the risk ........ 33
Optimize performance ........ 34
    Performance parameters ........ 34
    Host Discovery options ........ 35
        Full connect scan ........ 35

McAfee Vulnerability Manager 7.5 Best Practices Guide

    Services options ........ 36
        Enable Load Balancer Detection ........ 36
        Services running on non-standard ports ........ 36
    Credential options ........ 37
        Scanning with credentials ........ 37
    Optimize options ........ 38
        ICMP / UDP / TCP timeouts ........ 38
        Number of passes ........ 38
        Number of scan objects ........ 39
        Batch size ........ 39
        Packet interval ........ 39
        Scan vulnerability saving option ........ 40
    Other scanning options ........ 40
        Foundstone Scripting Language (FSL) threads ........ 40
    Scan configuration options ........ 41
        Impact of specific scans ........ 41
        Perform tracerouting (network mapping) ........ 42
        About vulnerability checks in McAfee Vulnerability Manager ........ 43
        Turning off specific vulnerability checks ........ 43
Recommended scan settings ........ 45
    Settings: Full-port scans ........ 46
    Settings: Scan for a single vulnerability ........ 46
    Settings: Full vulnerability scan (up to 2560 hosts) ........ 48
    Settings: Asset discovery (up to 65536 hosts) ........ 51
    Settings: SANS/FBI Top 20 scan (up to 65536 hosts) ........ 53
    Settings: Full vulnerability scan (up to 65536 hosts) ........ 55
    Settings: Asset discovery (up to 16,700,000 hosts) ........ 57
    Settings: SANS/FBI Top 20 scan (up to 16,700,000 hosts) ........ 59


McAfee Vulnerability Manager best practices

This guide contains information and instructions on planning, setting up, and using the product to help
you establish the standards, settings and policies appropriate for your organization.
Note: The McAfee Foundstone product is now known as McAfee Vulnerability Manager. For this
release, some portions of the product retain the Foundstone label.

Initial planning
The ultimate goal of a vulnerability management program is to ensure that valuable systems are
available to serve their intended purpose and that they are at as little risk as possible from being
adversely affected by security events.
When implementing a vulnerability management program, this is an important guiding principle which
will help prioritize what to do, and what to focus on first.
Before starting any device discovery or vulnerability scanning, you should set up basic guidelines for
how to group and classify devices. These guidelines will be used throughout the process of discovering
devices, assigning priority and ownership, determining vulnerabilities and mitigating the risk by
deploying patches or other countermeasures.

How to group assets

A good starting point is to consider which aspects of a particular device type make for a useful grouping classifier. For example: should all systems on the 4th floor be grouped together? Should all UNIX servers be grouped together? Organizations often already have maintenance and monitoring policies and procedures in place, and these can be a good starting point for deciding how to group devices in McAfee Vulnerability Manager. In fact, many customers group their assets in a way that closely matches how systems and devices are already managed and monitored.

For example, if all Windows servers in one building are managed by the same team (or by the same individual in smaller organizations), it is logical for those Windows servers to be discovered, profiled, assessed, and remediated in a similar fashion. Likewise, if all printers on the fourth floor of building B are maintained by the same IT team, grouping these printers together is a logical decision.

Note that McAfee Vulnerability Manager requires assets to be unique in the asset table of the database: one asset can participate in only one asset group at any given time.


Asset value

When creating asset groups, think about the business value (Criticality) of the assets in a group. Many aspects of an ongoing vulnerability management process become easier, and priorities become clearer, once the business value of an asset is known. For example, both remediation and risk assessment benefit from a clear prioritization of assets, simply because the more important systems and devices should receive attention before other assets. This principle helps the security and operations teams mitigate the most risk with the available resources.

When assigning criticality to assets, consider questions such as the following. They are intended as examples only, not as an all-inclusive list.

How would my business be impacted if this system was unavailable? This is arguably one of the most important questions to answer. A business-critical system can be defined as one that stores business-critical data and/or participates in a vital function or transaction process. Unavailability might be not only the direct result of, for example, a Denial of Service (DoS) attack, but also the result of the subsequent recovery and possibly forensics efforts. An attack that takes only seconds to complete can result in several days, even weeks, of downtime.

Can my business function without this system? This question is slightly different and perhaps more pointed than the previous one. Systems without which a business cannot function at all are highly critical and should be the first to receive attention, both to mitigate risk and to prepare for any possible events. If the answer to this question is yes, the system is likely not very important.

How many users depend on this system? Any system serving many users should be considered important: the more users depend on the system, the more important it is. If the users of the system carry out functions that are vital to the business, the value of that system increases further.

Are other systems depending on this system? Answering this question might require insight into the architecture and configuration of networks and systems. Any system that other assets depend on should be regarded as important, as should a system that is the only one on the network carrying out a particular function. A good example of a highly important system is a firewall through which all Internet communications pass.

Once the basic classification guidelines have been established, you can quickly create meaningful groups of assets within McAfee Vulnerability Manager and assign a criticality to these groups, and to individual assets as necessary.

Another very important aspect of establishing policies and guidelines is to identify practical and achievable targets for the organization's security posture.

How much risk can we accept?

How much risk an organization can accept depends heavily on the nature of its business. For example, organizations that store, process or use sensitive personal information can accept very little risk and are often subject to strict regulatory requirements that dictate which processes, systems, and controls must be in place to safeguard sensitive information about users, citizens, patients, and so on. To begin determining the acceptable amount of risk, consider questions such as the following:

How much exposure can we accept, and for how long? The longer a system remains unpatched (or otherwise at risk), the more likely it is that the system will eventually be affected. In answering this question, consider criteria such as the importance of the system in question and whether it contains business-critical and/or sensitive data. What would be the impact if the system became unavailable or compromised? As a general rule of thumb, systems that contain very sensitive data, perform business-critical functions, or are otherwise very important should not be left exposed for long.

How quickly can we deal with the assessment results? How quickly can we remediate? One of the unavoidable questions when defining policy and goals is how quickly an organization can react to findings from a vulnerability scan. For a vulnerability management program to succeed, resources must be in place to remediate vulnerabilities, adjust firewall rules and packet filters, and/or deploy risk-mitigating technologies such as firewalls and IPS products.


Setup
This section provides information on how to prepare to deploy McAfee Vulnerability Manager.

Number of servers required

The number, type, and placement of product servers depend on the total amount of address space, total number of live devices, network topology, desired scan performance, network constraints, and network policies.

Note: McAfee Vulnerability Manager supports only servers running English-language operating systems.

The following matrix provides guidelines for determining the number of McAfee Vulnerability Manager servers.

Number of live IPs | Number of servers | Notes
--- | --- | ---
0 - 2,500 | One product server with an All-in-One configuration | Ideal for small networks and product evaluations
2,500 - 10,000 | Two product servers: one configured as enterprise manager web portal and the other configured as database, API server, scan controller, and scan engine with additional components. | Very common configuration for small to mid-sized deployments
10,001 - 20,000 | Two product servers: one configured as enterprise manager web portal and the other configured as database, API server, scan controller, and scan engine with additional components. One product server configured as a dedicated scan engine. | Well-suited for large, distributed environments
20,001 to >100,000 | Three product servers: one configured as enterprise manager web portal, one configured as database, and one configured as API server, scan controller, and scan engine with additional components. n product servers configured as dedicated secondary scan engines. | Ideal for large, global, distributed and diverse networks

Consider these factors:

Number of IP addresses to be scanned. The primary factor is the number of IP addresses to be scanned. Small to medium-sized networks, as well as installations for product evaluation purposes, can deploy a single product server. Larger networks are better accommodated with additional hardware.

Network connectivity to, and reachability of, all desired target environments. A scan engine must be able to reach its targets for the results to provide value. When placing scan engines, consider the networks that are to be scanned and place the scan engine so that it is able to reach the maximum number of assets with as few firewalls or packet filtering devices in the path as possible.

Firewall traversing. The purpose of a firewall is to restrict traffic to legitimate users and prohibit traffic that might be malicious. Depending on the nature of the vulnerability and the discovery methodology, vulnerability scanning signatures might resemble malicious traffic and be blocked or filtered by a firewall or port filter. The result of such well-intentioned security devices can be that the quality of data returned from a vulnerability scan is adversely affected. For example, hosts behind a firewall might not be discovered correctly or at all, or a firewall might make it appear that every host behind it is present when they are not. Another possible effect is that discovery and assessments take longer to complete when they have to traverse a firewall than when they do not. A common technique to mitigate the impact is either to avoid sending the assessment traffic through a firewall altogether, or to create an exception rule in the firewall rule base that allows any and all packets to and from the scan engine to traverse the firewall unaltered.

WAN links and latency. To ensure a manageable vulnerability assessment schedule, McAfee Vulnerability Manager employs various timing and monitoring components. These components monitor the total time a thread has taken to run a check against a host. If a certain threshold is exceeded, the thread is terminated under the assumption that the host is down, or that packets have been lost in transit to or from the host. This technique is necessary to ensure that a scan never enters an infinite waiting state. Therefore, WAN links, or heavily congested networks in general, might need special consideration in a deployment. Tests have shown that scanning via WAN links with a latency of more than 150 milliseconds is likely to produce results of poor quality. For example, if a set of systems can only be reached via a WAN link, consider placing a scan engine in the remote environment so that scanning is done locally and is not subject to the packet loss and timeouts that are common on a congested WAN link.

Other network traffic (business-critical data/sessions). Any active scanning technology, such as McAfee Vulnerability Manager, sends some amount of data to assets on the network. This is an unavoidable consequence of any vulnerability scanning technology. McAfee Vulnerability Manager provides robust and detailed controls that allow customers to optimize its scanning behavior and speed. The product has default settings that have proved safe and effective in most networks. However, no matter how McAfee Vulnerability Manager is deployed and configured, you should always pay attention to network segments, WAN links, firewalls, and so on, where particularly important data is passing. Consider a remote site that transmits transactions from a website through a congested or slow WAN link during local business hours. Since this system only operates during certain hours, configure scans so that the environment is scanned while the web server is not processing transactions and not relying on bandwidth on the WAN link.

Security or performance. When two product servers are used, McAfee recommends that you deploy the enterprise manager on one system and the other product components on the second system. This provides more security because the enterprise manager can be placed outside your firewall, so users can access it, while the second system can be placed inside the firewall to gather accurate data from scanned systems. However, having the scan engine and scan controller on the same system as the database can slow performance, depending on the amount of data being processed. To improve performance when using two product servers, you could separate the scan engine and scan controller from the database. For example: the enterprise manager, scan engine, and scan controller on one system and the database and other McAfee Vulnerability Manager components on the second system.
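
The WAN-latency and firewall-placement guidance above, turned into a small planning helper. This is an added example and not part of the McAfee guide: it applies the guide's 150 ms latency limit and its "fewest firewalls in the path" preference to RTT measurements taken from candidate scan-engine locations; the measurements, location names and the 10% probe-loss limit are constructed assumptions.

```python
"""Decide which candidate scan-engine location should scan each target
subnet, or whether the subnet needs a scan engine of its own.

Rules taken from the guide: prefer the location with the fewest firewalls
or packet filters between engine and targets, and treat a path with more
than 150 ms of latency as unable to produce reliable results.  The loss
limit is an assumption added here, because the guide says probes that
time out make the scanner give up on a host.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple

LATENCY_LIMIT_MS = 150.0   # from the guide: >150 ms WAN latency degrades results
LOSS_LIMIT = 0.10          # assumption: tolerate at most 10% lost probes
LOCAL_ENGINE_NEEDED = "LOCAL ENGINE NEEDED"


@dataclass(frozen=True)
class Path:
    """Measured path from one candidate engine location to one target subnet."""
    location: str
    subnet: str
    firewalls: int                          # filtering devices in the path
    rtt_ms: Tuple[Optional[float], ...]     # probe RTTs; None = probe timed out


def summarize(path: Path) -> Tuple[Optional[float], float]:
    """Return (median RTT of answered probes or None, fraction of lost probes)."""
    answered = [r for r in path.rtt_ms if r is not None]
    loss = 1.0 - len(answered) / len(path.rtt_ms)
    return (median(answered) if answered else None), loss


def path_is_usable(path: Path) -> bool:
    med, loss = summarize(path)
    return med is not None and med <= LATENCY_LIMIT_MS and loss <= LOSS_LIMIT


def choose_engine(paths: List[Path]) -> Dict[str, str]:
    """For each subnet pick the usable location with the fewest firewalls
    (ties broken by lower median RTT).  Subnets no location can scan
    reliably are marked as needing a local engine, as the guide advises."""
    by_subnet: Dict[str, List[Path]] = {}
    for p in paths:
        by_subnet.setdefault(p.subnet, []).append(p)
    plan: Dict[str, str] = {}
    for subnet, candidates in sorted(by_subnet.items()):
        usable = [p for p in candidates if path_is_usable(p)]
        if not usable:
            plan[subnet] = LOCAL_ENGINE_NEEDED
            continue
        best = min(usable, key=lambda p: (p.firewalls, summarize(p)[0]))
        plan[subnet] = best.location
    return plan


# Constructed measurements: an engine in the head-office data centre and one
# in the DMZ, each probing four target subnets (values are illustrative).
MEASUREMENTS = [
    Path("hq-engine", "10.1.0.0/16", 0, (2, 3, 2, 2, 3, 2, 2, 3)),            # office LAN
    Path("hq-engine", "10.2.0.0/24", 1, (4, 5, 4, 6, 4, 5, 4, 5)),            # DMZ
    Path("hq-engine", "10.50.0.0/24", 1, (190, 210, None, 205, 198, 260, None, 201)),  # branch, WAN
    Path("hq-engine", "10.60.0.0/24", 2, (120, 118, 125, 119, 121, 117, 124, 120)),    # regional office
    Path("dmz-engine", "10.1.0.0/16", 2, (3, 3, 4, 3, 3, 4, 3, 3)),
    Path("dmz-engine", "10.2.0.0/24", 0, (1, 1, 1, 2, 1, 1, 1, 1)),
    Path("dmz-engine", "10.50.0.0/24", 2, (195, 199, 230, None, 207, 202, 211, 205)),
    Path("dmz-engine", "10.60.0.0/24", 1, (140, 138, 200, 135, 142, 139, 137, 140)),
]

if __name__ == "__main__":
    for subnet, where in choose_engine(MEASUREMENTS).items():
        print(f"{subnet:15} -> {where}")
```

The regional office shows the guide's priority order: both engines are under 150 ms, so the one with fewer firewalls in the path wins even though its latency is higher.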

Prepare your setup

When planning a deployment of new systems in large environments, you should initially deploy on a limited scale in a controlled, non-production environment. Doing so has clear advantages: deploying a new technology in a sandbox environment makes it easy to get staff trained on the technology where mistakes have little or no impact on the operation of business-critical systems. However, pay close attention to how well such a sandbox environment resembles the production networks where the technology will ultimately operate. As described elsewhere in this document, several types of security devices, network topologies, and so on, can affect the performance and accuracy of scanning and should be considered when deploying McAfee Vulnerability Manager in a test lab.

Place the API server

There is an API server that the enterprise manager portal uses to communicate with the database. Any request initiated by a client browser is sent to the enterprise manager which, in turn, sends requests to the API server, which then communicates with the database. This architecture has distinct advantages in that it allows McAfee Vulnerability Manager to offload processing and communications to a process external to the enterprise manager and database.

Consider the following when deciding which appliance will run the API server:

Network architecture. The API server should be in close proximity (network-wise) to the database and the enterprise manager web portal. This provides the best performance for users accessing McAfee Vulnerability Manager through the enterprise manager. In other words, when deciding which appliance to use for the API server, choose the appliance that has no firewalls, WAN links, congested networks, packet shapers, and so on, between itself, the database, and the enterprise manager.

Network latency. The API server should be placed so that there is minimal latency between itself, the enterprise manager, and the database.


Scanning. The API server can run on an appliance that also hosts a scan engine. In a large
environment with many users concurrently accessing the enterprise manager, the API server will
be servicing many concurrent requests as a result of the activity of the users accessing the web
portal. Under these circumstances, the scan engine on this appliance should not be used for
scanning, so resources are dedicated to the API server. In these scenarios, McAfee recommends
that you revoke access to the scan engine in the user rights management system to ensure that
the scan engine on this appliance is not used for actual scanning.
Note: The suggested maximum number of scans running at the same time for any scan engine is
5 concurrent scans with 10 subscans each. A scan can be divided into subscans to increase scan
speeds.

The following table is intended to act as a conservative guideline when determining where and how to place the API server:

IP addresses | Appliances | Concurrent portal users | Location of the API server | Scan engine
--- | --- | --- | --- | ---
1-2500 |  | 1-15 | Installed with database and web portal | Yes
2501-10000 |  | 16-30 | Installed with database | Yes
10001-20000 |  | >31 | Installed on a dedicated server | No
20001+ | >3 | >31 | Installed on a dedicated server | No


API server sharing hardware with database. In most deployments (except for large environments),
installing the API server on the same product server as the database is advantageous for several
reasons:

Responsiveness. Co-locating the API server with the database completely negates any
questions regarding network latency or access. On the other hand, it also takes resources
away from the database.

Secure location. The database appliance is typically located in a highly secure environment.

Efficient use of resources. For almost all environments, co-locating the API server with the
database ensures that the investment in McAfee Vulnerability Manager appliance hardware is
used to the best degree possible.

Place the configuration manager

The McAfee Vulnerability Manager Configuration Manager (previously known as the Foundstone Configuration Manager or FCM) handles configuration options for the McAfee Vulnerability Manager installation and deploys updates to McAfee Vulnerability Manager appliances. There is only one configuration manager server per McAfee Vulnerability Manager installation.

Note: The suggested maximum number of appliances running McAfee Vulnerability Manager components in a deployment is limited by the number of appliances the configuration manager can manage, which is determined by the CPU and memory bandwidth of the configuration manager appliance hardware. For example, a McAfee MVM3100 running only the configuration manager can manage approximately 100 appliances.
The following table is intended to act as a conservative guideline when determining where to place the configuration manager component.

Configuration manager

Appliances | Location of configuration manager | Scan engine
--- | --- | ---
 | Installed with database and enterprise manager | Yes
 | Installed with database | Yes
3 - 10 | Installed with database | No
10 - 100 | Installed on a dedicated server | No

Place scan engines and scan controllers

A scan engine is a McAfee Vulnerability Manager component that performs network-based discovery and assessment of the host systems targeted by a scan configuration. There can be many scan engines per McAfee Vulnerability Manager installation.

A scan controller is a McAfee Vulnerability Manager component that assigns work to, and receives results from, the scan engines assigned to it. There can be many scan controllers per McAfee Vulnerability Manager installation, each controlling one or more scan engines. The scan controller is new in McAfee Vulnerability Manager 7.5 and contains functionality previously handled directly by each scan engine. By default, scan engines are automatically assigned to scan controllers by the configuration manager, but they can also be assigned to a scan controller manually.

The scan engine connects to its assigned scan controller using the HTTPS protocol. The scan controller connects to the database using the Microsoft SQL protocol. Both components must connect to the FC Server using the SSL protocol to receive configuration changes and software updates.


In most network environments, like a corporate intranet, each scan engine should be deployed with a
dedicated scan controller on the same appliance. This is the recommended deployment.

Figure 1: Product deployment with a scan engine and scan controller on the same system


Scan engines and scan controllers can also be deployed independently, for example when security policy or network topology does not allow scan engines to connect directly to the database. The database server might be behind a firewall, or otherwise isolated from the rest of the network. In this configuration, one or more scan controllers straddle the firewall, connecting on one side to the database and on the other side accepting HTTPS connections from multiple scan engines. The API server and configuration manager server would also need to straddle the firewall.

Figure 2: Product deployment with scan engines and scan controllers on separate systems

Note: Under typical load, each scan controller can support up to 40 scan engines when run on an
MVM3100 (as of the McAfee Vulnerability Manager 7.0.2 patch).

Product updates
In order for a McAfee Vulnerability Manager system to obtain new vulnerability checks, threat alerts,
OS signature updates, and product patches, the FSUPDATE process must be running. The FSUPDATE
process contacts the McAfee Vulnerability Manager update servers and retrieves update packages,
which are then stored in the database. Once in the database, the update packages are distributed by
the configuration manager and applied as necessary. For this process to function automatically, at
least one scan engine must be able to reach the Internet. Note that while the FSUPDATE process is,
by default, installed on all scan engines, it should be running on only one appliance. FSUPDATE
requires a user name and password to authenticate to the McAfee Vulnerability Manager update
server; your user name and password are issued along with your product license key.
Product updates are retrieved from update.foundstone.com on ports TCP 443 and 80. Set up a proxy
exclusion for this address so that product updates can be retrieved.

The MVM3100 cannot have a proxy configured. When possible, set up a proxy exclusion for
susupdate.foundstone.com, port TCP 80. This address is for operating system updates, which have
been tested by quality assurance before being released.

Remote access to McAfee Vulnerability Manager appliances


MVM3100s, MVM3000s, and MVM2100s can be configured to accept connections from a Remote
Desktop Connection or Terminal Services client, and access can be restricted by client IP address.
When accessing an appliance remotely, always connect to the console session using the Microsoft
Remote Desktop client. Select Start | Run, enter CMD, and use one of these command lines:

MSTSC /admin (for Windows XP SP3, Windows Vista SP1, Windows 2008)

MSTSC /console (for Windows XP SP2 and earlier, Windows Vista prior to SP1, Windows 2003)

Running the McAfee Vulnerability Manager application in any virtualized remote desktop session
(outside of the admin or console session) will greatly impact McAfee Vulnerability Manager
performance.

Network requirements
McAfee Vulnerability Manager components use the network ports and protocols in the following tables.
If there is a firewall separating components, these ports and protocols must be opened in your firewall
configuration before installing McAfee Vulnerability Manager 7.5.
The network requirements diagrams use a distributed deployment architecture to display
communication paths. If you use a different deployment architecture, be sure to note which system is
running a McAfee Vulnerability Manager component, and use the port number and communication
path specified in the communication path tables.
The network requirements diagrams are separated into two groups: connecting McAfee Vulnerability
Manager components and connecting to external components. External components include other
databases, McAfee ePO databases, LDAP or Active Directory servers, and external ticketing or issue
management systems.

Connecting McAfee Vulnerability Manager components

Figure 3: Network requirements

McAfee Vulnerability Manager component communication paths

Systems shown in Figure 3, and the components each one hosts:

System 1, Enterprise manager: enterprise manager
System 2, API service, scan controller, and scan engine: scan controller, API server, scan engine, data synchronization service, notification service
System 3, Database***: database, configuration manager
System 4, Report server: report engine
System 5, Scan engine: scan engine

Communication paths (title: ports and protocol):

Authenticated user: users log on to the enterprise manager.
Assessment management search results: ports 443 or 80, SOAP over HTTPS or HTTP
Command and control: port 3800, SOAP over HTTPS or HTTP
API service: port 1433, (SSL over) TCP/IP
Scan data: port 1433, (SSL over) TCP/IP
Data synchronization service*: port 1433, (SSL over) TCP/IP
Notification service**: port 1433, (SSL over) TCP/IP
Scan data: port 1433, (SSL over) TCP/IP
Report data: port 1433, (SSL over) TCP/IP
Scan data (scan engine to scan controller): port 3803, REST over HTTPS or HTTP
Generating reports or changing report templates: port 3802, REST over HTTPS or HTTP
Generated reports: ports 443 or 80, REST over HTTPS or HTTP
Web browser traffic: ports 443 or 80, HTTPS or HTTP

*Changing the location of the data synchronization service changes the communication path(s)
displayed in this diagram.
**Changing the location of the notification service changes the communication path(s) displayed in
this diagram.
***Changing the location of the configuration manager requires a communication path between the
configuration manager and the database, using port 1433, (SSL over) TCP/IP.
Note: All McAfee Vulnerability Manager components have an FCM Agent installed. The
communication between each FCM Agent and the configuration manager server uses port 3801, (SSL
over) TCP/IP.
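As an added example that is not part of this guide or of the product, the following Python script checks from the system it runs on whether the TCP ports in the communication path table above can be reached, so that a firewall gap is found before installation rather than during it. The port numbers and path descriptions come from the table; the destination host names (API_SERVER, DB_SERVER, and so on) are placeholders to be replaced with the systems in your own deployment diagram, and the connect function can be swapped out for testing.

```python
import socket
from typing import Callable, Dict, List

# Ports and path descriptions from the component communication paths table.
# Host names are placeholders: replace them with the systems from your deployment diagram.
COMPONENT_PATHS: List[Dict] = [
    {"host": "API_SERVER",      "port": 443,  "path": "Assessment management search results (SOAP over HTTPS; 80 for HTTP)"},
    {"host": "API_SERVER",      "port": 3800, "path": "Command and control (SOAP over HTTPS or HTTP)"},
    {"host": "DB_SERVER",       "port": 1433, "path": "Scan, API, report and service data ((SSL over) TCP/IP)"},
    {"host": "SCAN_CONTROLLER", "port": 3803, "path": "Scan data, scan engine to scan controller (REST over HTTPS or HTTP)"},
    {"host": "REPORT_SERVER",   "port": 3802, "path": "Generating reports or changing report templates (REST over HTTPS or HTTP)"},
    {"host": "CONFIG_MANAGER",  "port": 3801, "path": "FCM Agent to configuration manager ((SSL over) TCP/IP)"},
]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    A refused or timed-out connection means the firewall blocks the port or nothing is
    listening yet, so run this against a test listener on each destination before install.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_paths(paths: List[Dict],
                connect: Callable[[str, int, float], bool] = tcp_connect,
                timeout: float = 3.0) -> List[Dict]:
    """Probe every path once; returns each path with a 'reachable' flag added."""
    return [{**p, "reachable": connect(p["host"], p["port"], timeout)} for p in paths]


def blocked_paths(results: List[Dict]) -> List[Dict]:
    """The paths that must be opened in the firewall before installation."""
    return [r for r in results if not r["reachable"]]


def report(results: List[Dict]) -> str:
    """One line per path, flagged OK or BLOCKED, for the change request to the firewall team."""
    lines = []
    for r in results:
        state = "OK     " if r["reachable"] else "BLOCKED"
        lines.append(f"{state} {r['host']}:{r['port']}  {r['path']}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = check_paths(COMPONENT_PATHS)
    print(report(results))
    raise SystemExit(1 if blocked_paths(results) else 0)
```

Run it from each system that originates a path (scan engine, enterprise manager, report server) with that system's destinations filled in; with the placeholder names left in place every path resolves to BLOCKED, which is the expected result until the names are replaced.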

Connecting external components

Figure 4: External component communications


External component communication paths

Systems shown in Figure 4:

System 2, API service, scan controller, and scan engine: scan controller, API server, scan engine, data synchronization service, notification service
External ticketing or issue management
External SMTP server
External LDAP / Active Directory (AD)
External McAfee ePO database

Communication paths (McAfee Vulnerability Manager component: port and protocol):

Notification service**: port 162, SNMP
Notification service**: port 161, SNMP
Notification service**: port 25, SMTP
Data synchronization service*: port 389, LDAP
Data synchronization service*: port 1433, (SSL over) TCP/IP

*Changing the location of the data synchronization service changes the communication path(s)
displayed in this diagram.
**Changing the location of the notification service changes the communication path(s) displayed in
this diagram.

Discovery scans
This section provides information on some of the more common techniques and practices to help you
get the best results from a deployed McAfee Vulnerability Manager solution.

Build an asset inventory with McAfee Vulnerability Manager


Keeping on top of what devices are available on the network remains one of the most fundamental
challenges for IT security and operations professionals alike. McAfee Vulnerability Manager is uniquely
suited to provide this information in a timely and manageable manner.
Before any identification of vulnerabilities and threats is undertaken, a detailed asset inventory should
be built. The benefits of using a network-based asset discovery technique range from efficiency to
operational ease. For example, an IT security or security operations team might find itself struggling
to reach the appropriate people within an organization to gather the necessary asset data. At other
times an organization might not have up-to-date asset information. Being able to discover devices on
the network with no prior knowledge effectively solves these problems.

Create effective discovery scans


McAfee Vulnerability Manager comes pre-configured with scan templates. A quick and easy way to
create a discovery scan is to base a scan on the Asset Discovery scan template. Such a scan will
sweep the targeted IP ranges and detect any live devices that respond to the various probes sent by
McAfee Vulnerability Manager. A detailed description of the discovery process is available later in this
section.
Any network-based device discovery technique works by sending certain packet types to the target
and observing the responses. Certain devices are configured so that they do not emit any response to
unsolicited traffic. This includes firewalls and other devices that employ a local firewall/filtering
capability. Such devices are intended not to appear on the network when subjected to probes, and as
such they might not appear in the asset inventory built by McAfee Vulnerability Manager.
Several possible remedies for this condition are available. The most commonly used method entails
leveraging any centralized management capability of, for example, firewall modules on desktop PCs.
If the firewall module on a desktop PC is under centralized management, it is easy and very
advantageous to create an exception rule in the firewall's rule base allowing the device to respond to
probes and connection requests from a vulnerability management system such as McAfee
Vulnerability Manager. This technique allows organizations to reap the benefits of using host-based
shielding techniques and still be able to identify these devices and subject them to vulnerability
assessments.


Network impact
As mentioned elsewhere in this document, any type of network-based assessment technology works
by sending out packets to the targets and observing responses. As such, it is unavoidable that there
will be some amount of network traffic introduced by such technologies. This traffic naturally appears
highest if you measure the number of packets leaving the scan engine's network interface. As a
product of how most modern networks transmit and distribute traffic, the number of packets actually
reaching each individual target system is exponentially less. The vast majority of modern networks
and systems handle assessment traffic with no problems whatsoever. However, certain types of
devices and conditions do warrant caution:

• Intrusion Detection System (IDS) sensors. These are, by design, intended to react to traffic patterns resembling an attack or a major event such as a worm. IDS or IPS (Intrusion Prevention System) sensors should be configured so that they will not react to traffic from McAfee Vulnerability Manager.
• Legacy devices. Certain devices might be so old and/or fragile that even very light scanning can have an adverse effect. These devices are typically systems running very old operating systems or highly unstable applications. A good approach can be to test these legacy devices and applications in a test lab prior to the full deployment of McAfee Vulnerability Manager.
• Improperly configured devices. Some devices might be configured to log all packets, sessions, transactions, and so on, in extreme detail. While such a configuration might be appropriate for implementing, tuning, and troubleshooting such devices initially, it can often lead to problems in production mode due to very large log files. Devices employing this very detailed logging might be overwhelmed when trying to log the many packets and sessions a typical vulnerability scan produces.
• Packet-modification software/hardware. If a McAfee Vulnerability Manager scan is done through a program or device that controls computer network traffic (generally known as packet-shapers), scanning might be impacted negatively due to an increase in the amount of time required to retrieve results from targets. This might produce inaccuracies in the scan results.

To put things in perspective: if devices are adversely affected by a non-intrusive scan, they are so
fragile that they would very likely have been affected even more if a real malicious event had
occurred. Most IT professionals agree that it is better for this to happen under controlled
circumstances than during a real security event.

Optimization
An important aspect of ensuring successful discovery scans is to understand how best to optimize
your scan settings. Because all networks, systems, and environments differ, as do the requirements
imposed by regulatory, corporate, and operational policies, the default settings of McAfee Vulnerability
Manager must provide the best possible discovery capability and accuracy while remaining
non-intrusive. As a result, the default settings, while safe and relevant, can be optimized for individual
environments.
Specifically for device discovery scans, the goal of any optimization effort should be to configure the
discovery parameters so that the scan includes no more than what is absolutely necessary to discover
a device and accurately identify its operating system.
Before discussing a number of example scenarios where optimization is beneficial, some background
information about the device discovery process is needed.
When attempting to discover live devices in a given IP address range, the discovery process follows
these steps:

1. ARP cache interrogation. First, the scan engine looks in its local ARP cache to determine if the MAC address of a target IP address is known. If it is, it indicates that the host is alive and has been communicated with very recently. If nothing is found, the discovery process continues to step 2.

2. ICMP probes. The discovery process sends ICMP echo requests (ping) to each IP address not discovered during step 1 (other ICMP packet types can be enabled). If a response is received from the target IP address, the host is considered live and discovered.

3. TCP port probes. The discovery process sends TCP SYN packets to specific ports on each IP address not discovered during step 2. If an IP address responds with a SYN-ACK packet, the host is considered live.

4. UDP port probes. As the fourth and last step in the discovery process, UDP packets are sent to any IP address not yet found to be live. These packets contain properly formatted UDP-based protocol messages. If a properly formatted protocol message is received from a targeted host, that host is considered live. Any IP address that has not responded to any probe at this point in the process is considered down and will not be processed further.

The following are examples of optimization scenarios.

Example 1

A scan engine is deployed near the network core in a NOC. From this location, the scan engine
has network visibility to all networks in the organization. Security policy dictates that firewalls be
in place to segregate remote locations from the NOC. Security policy also dictates that these
firewalls must block ICMP traffic to and from the NOC.

In this example, the default settings would accurately discover all hosts on the remote network, but
would also spend a considerable amount of time needlessly attempting to discover hosts by ICMP
packets. In such a scenario, you could disable the use of ICMP packets which would save considerable
time and bandwidth.

Example 2

A scan engine is scanning hosts through a firewall. The firewall is configured such that only
properly established TCP sessions are allowed to traverse the firewall.

In this example, TCP host discovery would, by default, not yield accurate results due to the default
technique of half-open (SYN) scanning. You would need to enable full TCP handshakes for host
discovery and also for service discovery. (This setting is available on the Settings tab when editing or
creating a scan.)

Example 3

A scan engine needs to scan 10.0.0.0 to 10.255.255.255. This address space covers multiple
locations, some of which are reached via slow WAN links while others are robust, high-bandwidth
network segments.

In this example, the challenge lies in finding settings that are effective and accurate both for the slow
segments of the network, and for the fast segments of the network. The safest approach will be to
optimize the parameters to fit the slowest parts of the network. Depending on the number of slow and
fast network segments, it might be advantageous to create separate scans for the slow and fast
network segments. The following example discusses these scenarios in more detail.

Example 4

Hosts on a remote network must be discovered. The only path to the remote network is via a very
slow WAN link. The discovery must be done outside of production hours to avoid any impact on
business critical systems and the data they send and receive across the WAN link.

In scenarios where very little bandwidth is available, you should consider two major factors: sending
as few packets as possible, and mitigating the impact of packet loss. The first concern can be
addressed by making the following adjustments:

• Slow the scan down. McAfee Vulnerability Manager allows you to adjust the number of milliseconds between each packet in the discovery process. This is perhaps the single most powerful tool you can use to decrease the number of packets sent per second. The default value is a compromise between speed and efficiency. To optimize a scan for low bandwidth, increase the number of milliseconds between each packet during discovery. This slows down the rate at which packets are sent, and reduces the bandwidth used at any given point in time. Reducing scan speed as described above is a simple and effective way of reducing bandwidth requirements. However, reducing the scan speed is always a trade-off, as a slower scan will take longer.
Note: This only affects discovery scans. Vulnerability scans cannot be slowed down using the interpacket delay. To slow down vulnerability scans, reduce the number of sub scans.

• Reduce the number of packets sent. Another very effective way of optimizing a scan for low bandwidth situations is to reduce the number of packets sent to each host. This requires some knowledge about the target environment. For example, you could disable the use of ICMP packets for discovery. Doing so eliminates a significant number of packets, but also implies that any device that can only be discovered using ICMP would not be found by a scan with ICMP disabled. Another approach is to reduce the number of TCP and UDP ports included in the host discovery. In an environment where no or few hosts are reached via a firewall, reducing the UDP port list to only UDP ports 53 and 161 effectively cuts down the number of packets sent in a discovery scan. Likewise, in an environment predominantly consisting of Windows-based web and email servers, you could reduce the TCP port list to contain only ports 25, 80, 110, 135, 443, and 445.
• Reduce the number of sub scans. McAfee Vulnerability Manager employs a technique by which a scan is divided into multiple independent virtual scans. The purpose of this is to increase performance for large networks by scanning more devices at the same time. For the purpose of optimizing for low bandwidth, you should reduce the amount of parallel scanning performed. Do this by raising the threshold that triggers the use of sub scans (called the IP Threshold) and also by reducing the number of Scan objects (synonymous with sub scans). These two adjustments effectively reduce the amount of parallel scanning and further reduce the number of packets sent simultaneously.
• Specify ports (McAfee ePO or credential methods only). When using McAfee ePolicy Orchestrator (McAfee ePO) or credential methods to identify Windows operating systems (assessing only for authenticated checks), specify ports 445 and 139 only to authenticate the system. This eliminates the need to discover all ports to perform OS identification. The drawback is that the report will contain an incomplete list of detected Network Services.

Example 5

A class B address space on a robust, high-speed network segment must be discovered in as
little time as possible.

In this example, the goal is the opposite of the previous example: now the goal is to scan as fast as
possible. The adjustments necessary are, to some extent, the opposite of those discussed in the
previous example:

• Speed the scan up. By reducing the inter-packet delay, scan speed increases significantly, but so does the amount of network traffic generated.
• Reduce the number of packets sent. Reducing the number of packets sent is effective in increasing scan speeds as well as in reducing the amount of bandwidth used.
• Increase the number of sub scans. The concept of sub scans is intended to increase the scan performance of McAfee Vulnerability Manager by dividing a scan into multiple independent virtual scan elements. Each sub scan processes its own section of address space, and does so in parallel with other sub scans. This parallel scanning and processing drastically decreases the amount of time it takes to scan a given amount of address space, but also produces a much higher number of packets per second.
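The four-step discovery sequence (ARP cache, ICMP, TCP SYN, UDP) and the settings that Examples 1, 2, 4, and 5 adjust are easier to reason about with a packet budget in front of you. The following Python model is an added example, not the product's discovery code or its real default settings: the port lists, the inter-packet delay, the probe timeout and the way sub scans divide the work are all constructed assumptions, and the target hosts are made up. What it shows is which step finds each host, how many probes that costs, and how the packet count and the rough time estimate move when ICMP is disabled behind a firewall that blocks it, when the port lists are trimmed, when a full TCP handshake is required, or when the scan is parallelized.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed port lists for this model; they are NOT the product's default lists.
TCP_PORTS_FULL = (21, 22, 23, 25, 80, 110, 135, 139, 443, 445)
UDP_PORTS_FULL = (53, 137, 161, 500)

@dataclass(frozen=True)
class DiscoverySettings:
    """The knobs the text discusses; every default value here is constructed."""
    use_icmp: bool = True
    tcp_ports: Tuple[int, ...] = TCP_PORTS_FULL
    udp_ports: Tuple[int, ...] = UDP_PORTS_FULL
    full_tcp_handshake: bool = False   # Example 2: needed behind session-tracking firewalls
    interpacket_delay_ms: int = 10     # Examples 4 and 5: delay between probes
    probe_timeout_ms: int = 1000       # how long a step waits for answers that never come
    ip_threshold: int = 256            # sub scans are used only above this many targets
    scan_objects: int = 1              # number of parallel sub scans

@dataclass(frozen=True)
class TargetModel:
    """How a constructed target answers each probe type."""
    in_arp_cache: bool = False
    answers_icmp: bool = False
    open_tcp: FrozenSet[int] = frozenset()
    open_udp: FrozenSet[int] = frozenset()
    stateful_firewall: bool = False    # passes only fully established TCP sessions

@dataclass
class DiscoveryResult:
    found_by: Dict[str, str] = field(default_factory=dict)   # ip -> arp/icmp/tcp/udp
    down: List[str] = field(default_factory=list)
    packets_sent: int = 0
    unanswered_probes: int = 0
    estimated_seconds: float = 0.0

def _answers(t: TargetModel, step: str, port: int, s: DiscoverySettings) -> bool:
    if step == "icmp":
        return t.answers_icmp
    if step == "tcp":   # a half-open (SYN-only) probe gets nothing through a session-tracking firewall
        return port in t.open_tcp and (s.full_tcp_handshake or not t.stateful_firewall)
    return port in t.open_udp

def discover(targets: Dict[str, TargetModel], s: DiscoverySettings) -> DiscoveryResult:
    """Walk the four discovery steps; each step touches only hosts not yet found."""
    r = DiscoveryResult()
    # Step 1: ARP cache interrogation puts nothing on the wire.
    for ip, t in targets.items():
        if t.in_arp_cache:
            r.found_by[ip] = "arp"
    # Steps 2-4: one ICMP echo request, then a TCP SYN per port, then a UDP message per port.
    steps = [("tcp", s.tcp_ports), ("udp", s.udp_ports)]
    if s.use_icmp:
        steps.insert(0, ("icmp", (0,)))   # a single probe; the port value is unused
    steps_waiting = 0                     # steps that ended waiting for answers that never came
    for step, ports in steps:
        waited = False
        for ip, t in targets.items():
            if ip in r.found_by:
                continue
            for port in ports:
                r.packets_sent += 1
                if _answers(t, step, port, s):
                    if step == "tcp" and s.full_tcp_handshake:
                        r.packets_sent += 2   # ACK completing the handshake, then tear-down
                    r.found_by[ip] = step
                    break                     # host is live; stop probing it
                r.unanswered_probes += 1
                waited = True
        steps_waiting += int(waited)
    r.down = [ip for ip in targets if ip not in r.found_by]
    parallel = s.scan_objects if len(targets) > s.ip_threshold else 1
    total_ms = r.packets_sent * s.interpacket_delay_ms + steps_waiting * s.probe_timeout_ms
    r.estimated_seconds = total_ms / 1000.0 / parallel
    return r

# Example 1 scenario (constructed): remote hosts behind a firewall that blocks ICMP.
NOC_TARGETS = {
    "10.20.0.1": TargetModel(in_arp_cache=True),
    "10.20.0.2": TargetModel(open_tcp=frozenset({139, 445})),
    "10.20.0.3": TargetModel(open_tcp=frozenset({80, 443})),
    "10.20.0.4": TargetModel(open_udp=frozenset({161})),
    "10.20.0.5": TargetModel(),   # never answers anything
}
# Example 2 scenario (constructed): a web server behind a session-tracking firewall.
FIREWALLED_TARGET = {"10.30.0.7": TargetModel(open_tcp=frozenset({80}), stateful_firewall=True)}

DEFAULTS = DiscoverySettings()
NO_ICMP = DiscoverySettings(use_icmp=False)                                      # Example 1
FULL_HANDSHAKE = DiscoverySettings(full_tcp_handshake=True)                      # Example 2
LOW_BANDWIDTH = DiscoverySettings(use_icmp=False, interpacket_delay_ms=50,       # Example 4
                                  tcp_ports=(25, 80, 110, 135, 443, 445), udp_ports=(53, 161))
FAST = DiscoverySettings(interpacket_delay_ms=1, ip_threshold=1, scan_objects=8)  # Example 5

if __name__ == "__main__":
    for name, s in (("defaults", DEFAULTS), ("no ICMP", NO_ICMP),
                    ("low bandwidth", LOW_BANDWIDTH), ("fast", FAST)):
        r = discover(NOC_TARGETS, s)
        print(f"{name:14} packets={r.packets_sent:3} unanswered={r.unanswered_probes:3} "
              f"~{r.estimated_seconds:.2f}s live={sorted(r.found_by)} down={r.down}")
```

Two things the model makes visible that the prose only states: with ICMP blocked, every ICMP probe is wasted and the step still waits out its timeout, so disabling ICMP saves both packets and time without losing a host; and the firewalled web server is reported as down by SYN-only probing and found only when the full handshake is enabled, at the cost of a few extra packets per open port.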

Summary of discovery scan optimization


An important part of optimizing a discovery scan to suit various environments and requirements is to
adjust the number, type, and composition of probes (packets) sent. This tuning and optimization is
best accomplished as part of the on-going process of discovering, assessing, remediating, and
verifying devices and vulnerabilities. The reason for this is that performing a highly accurate
optimization that does not have adverse effects on the quality of the results requires some level of
knowledge about the environment. As a result, initial discovery scans are often configured to have a
broad and thorough nature to ensure that everything is discovered. As you grow more knowledgeable
about the environment, discovery scans can be focused more precisely without running the risk of
misidentifying devices, or not discovering devices altogether.
One of the previous examples in this document describes how it is beneficial to remove ICMP packets
and/or certain TCP ports from the list of packet types used to discover a host. In order to do this and
not run the risk of missing devices and/or identifying devices incorrectly, you must have some amount
of knowledge about the environment, and in doing so understand whether it is appropriate to disable
these packet types.
The best approach to discovery scan optimization is to start with reasonable and safe defaults, and
then through an ongoing process, enhance and develop discovery scan templates that match the
environmental requirements.
The goal of such a process is to understand the characteristics of each distinct environment to such a
degree that it is possible to optimize the discovery scan parameters without compromising the quality
of the discovery data.
In other words, it might be beneficial to develop scans that are designed specifically to suit the needs
of each distinct environment.
While some organizations have some level of advance knowledge about their environments, which is
very useful, this document describes a process that requires no advance knowledge and will help you
understand and build the asset inventory.
Tip: If your networks/hosts are generated or installed from a standard image, scan against the
image to build a discovery scan template.

Initial discovery
The purpose of the initial set of discovery scans is to build awareness of the environment. It is
assumed that, at this point, you do not know what devices to expect in which network segments. It is
therefore necessary to be able to discover any device. This requirement means that you should not
remove any probe or packet types from the default discovery scan profile template. The safest
approach is to conduct the discovery scan in a slower fashion than would be expected in a well-known
environment. If you know about particularly slow network segments, McAfee advises that you run
separate scans for those segments, and reduce the speed of those scans.

Sorting and grouping


Once the initial device discovery is complete, McAfee Vulnerability Manager contains a detailed device
inventory. You should now begin the process of sorting devices into asset groups and assigning a
business value (criticality) to each device. One grouping strategy is to base asset groups on the asset
owners and the teams responsible for maintaining the systems in question.
The asset management module of McAfee Vulnerability Manager (Manage | Assets) makes it easy to
create groups and populate them with assets. For example, if you wanted to create an asset group of
all Windows servers in a particular subnet, simply use the Advanced Search option to create a search
that returns all hosts where the keywords "Windows" and "Server" appear in the OS name, and that
belong to the subnet in question. Once the search is complete, simply add the assets found by the
search to the asset group "Windows Servers".
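The same grouping can be scripted against an exported inventory, which is useful when the same rules have to be applied to many subnets or re-run after every discovery scan. The following Python is an added example rather than the product's search or any of its APIs; the inventory rows and grouping rules are constructed, and a rule assigns both the group and its business value (criticality) as the text recommends.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed inventory rows of the shape a discovery scan produces (IP and OS name).
INVENTORY: List[Dict[str, str]] = [
    {"ip": "10.1.5.10", "os": "Microsoft Windows Server 2008 R2"},
    {"ip": "10.1.5.11", "os": "Microsoft Windows Server 2003"},
    {"ip": "10.1.5.12", "os": "Microsoft Windows XP Professional"},
    {"ip": "10.1.6.10", "os": "Microsoft Windows Server 2008"},   # outside the subnet below
    {"ip": "10.1.5.13", "os": "Linux 2.6"},
]


def search_assets(inventory: List[Dict[str, str]], keywords: Iterable[str], subnet: str) -> List[Dict[str, str]]:
    """Hosts whose OS name contains every keyword (case-insensitive) and whose IP lies in subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    needles = [k.lower() for k in keywords]
    return [a for a in inventory
            if ipaddress.ip_address(a["ip"]) in net
            and all(k in a["os"].lower() for k in needles)]


def build_groups(inventory: List[Dict[str, str]], rules: Dict[str, tuple]) -> Dict[str, Dict[str, str]]:
    """rules maps group name -> (keywords, subnet, criticality); returns ip -> assignment.

    Rules are applied in order and the first match wins, so each asset lands in exactly one group.
    """
    assignment: Dict[str, Dict[str, str]] = {}
    for group, (keywords, subnet, criticality) in rules.items():
        for asset in search_assets(inventory, keywords, subnet):
            assignment.setdefault(asset["ip"], {"group": group, "criticality": criticality})
    return assignment


# Constructed rules: the owning team decides the group, the business value decides the criticality.
RULES = {
    "Windows Servers":      (["Windows", "Server"], "10.1.5.0/24", "high"),
    "Windows Workstations": (["Windows", "XP"],     "10.1.5.0/24", "medium"),
}

if __name__ == "__main__":
    for ip, a in sorted(build_groups(INVENTORY, RULES).items()):
        print(f"{ip:12} {a['group']:22} criticality={a['criticality']}")
```

Assets that match no rule (here the Linux host and the server in the other subnet) stay unassigned, which is exactly the list to review by hand after each discovery run.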

Vulnerability scans
Before using vulnerability scans, you should consider how to structure the scanning regimen to obtain
the most useful results. As McAfee Vulnerability Manager is very scalable and can easily scan many
assets, you could be overloaded with information. To avoid this, consider the following suggestions:

• Focus on assets that matter most. Using the asset values and prioritizations discussed previously, start by focusing on the devices that are most vital to the organization.
• Focus on vulnerabilities that matter most. By targeting high-risk vulnerabilities as the first step, any organization quickly reaps the benefits of its vulnerability management program.
• Develop corporate scanning policies. Many organizations have successfully developed corporate standard scanning templates. These can easily be derived from public standards such as SANS, NIST, CIS, and so on. This is one of the most important steps to take. A properly focused scanning regimen can prove highly effective and ease the adoption of a vulnerability management technology.
• Consider what your risk mitigation/remediation capacity is. A vulnerability management program is only truly effective if risk is being mitigated, patches are being deployed, and so on. As such, a very important factor in developing a successful scanning regimen is to consider how much capacity your organization has for remediating vulnerabilities and/or utilizing other risk mitigation strategies. Implementing a scanning schedule that produces more results than can be processed will lead to frustration and an inefficient approach to securing the organization.

A common mistake is to simply let a vulnerability scan detect every single high, medium, and low risk
vulnerability across all networks in an organization. This approach, while seemingly simple, typically
results in information overload: system administrators buckle under the workload of keeping up with
the endless stream of information and change requests, and IT security teams can appear ineffective
and show a lack of progress.
A more successful approach is to create targeted scans. By tailoring scans to each distinct
environment and applying, for example, a corporate top 20 scan policy, results will be much more
manageable and much more visible when reporting to executive management. A corporate top 20
scan is a scan that targets 20 vulnerabilities that have been identified as being important to your
organization. Whether to target 10, 20, 30, or more vulnerabilities is best decided by the individual
organization but, regardless of how many vulnerabilities are targeted, the focused approach described
here has proven highly successful with most current customers of McAfee Vulnerability Manager.

Target scans to each asset group/environment


Focus on vulnerabilities most important for that environment. More specifically, a successful practice
is to design your scan configurations to match a well designed asset inventory.

Example 1

An asset group contains all Windows-based web servers which are publicly accessible. This web
farm is hosting a vital e-commerce application.

In this example, a scan containing all non-intrusive checks for Windows web servers and general
web-based vulnerabilities could be a good starting point. Such a scan focuses on the most critical assets in
this particular organization, namely the e-commerce web front end. Since these devices are exposed
to the Internet and are vital to the business of the company, this scan should target all severities of
vulnerabilities. Even low risk information leakage vulnerabilities are unacceptable to this particular
organization. Limiting the scope of the scan to only web vulnerabilities, and to just this particular
asset group, ensures that the results are manageable and that priority and attention is given to
systems vital to the business.

Example 2

An asset group contains all Windows XP workstations in a particular campus for a large
international organization. These workstations are all managed by a central entity and the
population of workstations is expected to be fairly static.

In this example, a scan could target only Windows vulnerabilities of high and medium risk. Attempting
to track and resolve every single low risk vulnerability in a large workstation environment is often not
considered a worthwhile effort.

Plan your scanning schedule


Deciding on when to scan what, and how often, requires some insight into how your assets are
grouped and their importance, and also some close consideration of which conditions and
vulnerabilities are most important to resolve first. As mentioned previously, a good approach can be
to scan your asset groups with targeted scans reflecting the asset groups' contents and business
value. Many organizations have adopted a scanning schedule that reflects the business value of the
various asset groups. For example, scan the most important assets more often, looking for high-risk
vulnerabilities or other conditions that, if exploited, could cause severe interruptions to the business.

Target scans for specific vulnerabilities


Focus on vulnerabilities most important for your network. Search through the list of vulnerability
checks and save the resulting list as a vulnerability filter. Use the filters you create to act as a
template so you can quickly create standard, identical scans for each group or environment.

Example 1

Scanning assets for approved Microsoft patches and hotfixes.

In this example, you select all of the Microsoft patch and hotfix vulnerability checks that apply to your
network. Once this vulnerability filter is saved, you can select it when setting up a scan configuration
for each group or environment. Such a scan would check assets to ensure all appropriate patches and
hotfixes are applied.

Example 2

Scanning assets for potentially unwanted programs.

In this example, a scan could target specific programs you don't want installed on your network. Such
a scan would search your network for unwanted programs installed on any asset specified in the scan
configuration. The report will display which assets have the unwanted programs installed and you can
view a brief summary of what issues the installed program could cause to your network.

How graphing and trending can improve security


An important aspect of an ongoing vulnerability management program is to keep track of whether or
not progress is being made. McAfee Vulnerability Manager is extremely well suited for this purpose.
Several automated and detailed progress tracking features are available. What these features have in
common is that they are all designed to make it easy to understand whether the organization (or parts
of it) is making progress and improving its security posture.

Using the dashboard


The dashboard provides summary information for vulnerabilities, operating systems, severity, and
vulnerability count trending.

Most Prevalent Vulnerabilities: shows the ten vulnerabilities that affect the largest number of
assets in your organization or group. Change the minimum severity level to show only vulnerabilities
at that severity level and higher. This monitor allows you to drill down to see which systems
are vulnerable.

Most Prevalent Operating Systems: shows the ten operating systems used most on assets in your
organization or group. This monitor allows you to drill down to see which systems use the
operating system.

Vulnerability Count by Severity: shows the number of High, Medium, Low, and Informational
vulnerabilities, based on all of the assets in your organization or group. This monitor allows you to
drill down and see all of the vulnerabilities discovered, on all systems in the organization or group,
by severity.

Vulnerability Percentage by Severity: shows the total percentage of High, Medium, Low, and
Informational vulnerabilities affecting assets in your organization or group. This monitor allows
you to drill down and see all of the vulnerabilities discovered, on all systems in the organization or
group, by severity.

Organization Vulnerability Count Trend: shows a trend graph of the High, Medium, Low, and
Informational vulnerabilities affecting assets in your organization or group. You can change this
monitor to view the FoundScore.

Optimize vulnerability scans


As discussed previously, it is possible and highly advantageous to optimize your scans so they
perform as well as possible.
The benefits of scan optimization include:

Better scan performance. By optimizing a scan, the time to completion is shorter. This is especially
helpful in situations where a service window permits only a very limited time to scan, or in very
large environments.

More efficient scans. A more efficient scan uses less bandwidth on the network and can complete
in less time.

How to increase scan speeds


Where situations call for faster scans, you can make the following adjustments:

Increase the FSL thread count. This parameter is set on the McAfee Vulnerability Manager scan
engine console. By increasing the number of FSL threads, each scan will be able to process more
FSL scripts simultaneously and thus scan faster. By default, this is set to 20. The maximum
number of concurrent FSL threads is 30.

Create more sub scans. This parameter is controlled on the Settings tab when creating or editing
a scan, under the Optimize icon. By increasing the number of sub scans, you effectively
increase the number of virtual, independent instances of the scan. In other words, the scan is
divided into a higher number of independent virtual instances and thus processes more hosts at
the same time. The default value is 5 and can be increased to 10. Note that increasing the number
of sub scans will, in addition to completing the scan faster, also consume more resources on the
underlying hardware platform, typically in the form of more memory usage and higher CPU
utilization.

Note: The suggested maximum number of scans for any scan engine is 5 concurrent scans with
10 subscans each.

Lower the batch size threshold for triggering sub scans. This parameter is controlled on the
Settings tab when creating or editing a scan, under the Optimize icon. Sub scans are used
only when the batch size of a scan exceeds a certain threshold. By lowering this threshold,
parallel processing is used for smaller scans as well.

How to decrease scan speeds


Where situations call for slower scans, you can make the following adjustments:

Decrease the FSL thread count. This parameter is set on the McAfee Vulnerability Manager scan
engine console. By decreasing the number of FSL threads, each scan will be able to process fewer
FSL scripts simultaneously and thus scan more slowly.

Create fewer sub scans. By decreasing the number of sub scans, you effectively decrease the
number of virtual, independent instances of the scan. In other words, the scan is divided into a
lower number of independent virtual instances and thus processes fewer hosts at the same time.

Raise the threshold for when to trigger sub scans. Sub scans are used only when the size of a scan
exceeds a certain threshold. By increasing this threshold (batch size), the virtualization is used
mostly for larger scans.
Note: This might speed up scanning for large address pools with only a few hosts.

Web applications scans


McAfee Vulnerability Manager web application scans differ from the other product scans. With
other product scans, you are scanning one target for multiple vulnerabilities and you can have more
than one target per scan configuration. With web applications, there is no way of knowing exactly
how many pages, links, or forms the web application has. Each web application could have several
forms, hundreds of links, and thousands of pages, with each being scanned for vulnerabilities.
McAfee recommends scanning one web application per scan configuration.

Where to start with web application scanning


It is important to know what your web application site map looks like, especially when reviewing a
web scan report. By knowing your web application site map you will know if all or only part of your
web application has been scanned. Using the Informational Web Crawl scan template will give you a
site map of your web application. Even if you already have a site map, it is recommended that you
use the web crawl template and compare your site map with the one discovered by the product.
Once you have your site map, start with a Light Web Scan to find any critical vulnerabilities. The light
scan is set to run for two hours. If your web application has a large number of pages, has pages with
large file sizes, or has a large number of forms, the light scan might terminate before scanning the
entire web application. If this happens, you can modify the scan configuration to lengthen the scan
time or remove the time limit.
Here are some other guidelines for scanning your web applications.

Keep a backup of your web application (e.g. database, server).

Scan your web applications during off hours, not when the servers are in production. Scanning
while a web application is being used could cause problems for your users. A better option is to
scan your web application in a test environment.

Know what type of browser or device the web application is designed for (e.g. mobile phones,
Microsoft Internet Explorer, Mozilla Firefox). For example, if you are scanning a web application
for mobile phones, the scan engine is not recognized as a mobile unit. You must configure your
web application to recognize all devices during the scan. When you are done scanning, remember
to change the settings back.

View web application scan reports


To view the scan results, look at the web application scan report. The web application scan report
contains both product-specific vulnerabilities and web application vulnerabilities. Product-specific
vulnerabilities include known issues for a specific product, like Apache, IIS, and PHP. Web application
vulnerabilities include cross-site scripting, header vulnerabilities, and vulnerabilities found while
injecting malicious code patterns. The web portion of a report contains the web application
vulnerability information.

Improve your web application scans


Optimizing scan settings is based on your web application and you might need to experiment with the
settings to find what works best for your web application. McAfee has some general guidelines to help
you out.

Exclude anything you know does not need to be scanned for vulnerabilities. You can exclude
paths and parameters when configuring a scan.

A web application scan will only search the directory and any linked pages from the web address
provided. You must include anything you want to scan that is not in the directory or linked from
the web address being scanned. You can include pages and directories when configuring a scan.

A web application might use the same web page to present different images or products. Each
image or product is given a unique identifier so the same page can be used and only the unique
identifier needs to change to display the correct item. When scanning this part of a web
application, you want to scan the page for vulnerabilities, but you might not want to scan each
unique identifier (which could be thousands or hundreds of thousands of unique identifiers). You
can use the Determine URL Uniqueness setting in a scan configuration to scan the page but ignore
the unique identifiers. For example, if all of your products have a unique numeric value, set
Determine URL Uniqueness to ignore parameters with numeric values.

If you are scanning forms in your web application, you must know what will happen if the scan
tries to modify or manipulate the form. You should also exclude anything that could be destructive
or problematic. For example, you could reset a password by scanning a form. If you are scanning
authentication forms, you should include form credentials to show failures in the report. You
should also specify the input fields (organization, user name, and password) in the scan credential
to get the expected results. You can also include specific results that display on the web page
after a successful logon to verify form authentication.

You can exclude directories or pages to improve scan performance. You should exclude an Admin
directory or pages that will log off the user.

If your network connections are reliable (will not cause timeouts) and your server performance
can handle it, you can reduce the inter-request delay to reduce the scan time. McAfee
recommends not running a web scan while the web application is in production because this could
affect the scan, your users, or both. You should also consider what is between the scan engine
and the target. Your connection could be reliable, but a router could affect the connection and
could result in a denial of service.

Custom reports
Foundstone Asset Reports allow you to create custom reports based on templates you create. This
allows a wide variety of reports to be generated and automatically distributed, with a much greater
degree of freedom than is available in Scan Reports. Common questions that Asset Reports can help
answer include:

What vulnerabilities are present on our Windows workstations? Servers?
What vulnerabilities have been remedied, and what new vulnerabilities have been introduced, in
the last 3 months?
What machines outside of my DMZ are operating as web servers?
What vulnerabilities exist on machines where I am responsible for administration?
What high-severity vulnerabilities exist in my environment?
What machines in my global enterprise have not been patched against MS06-040?
Over the last 24 months, has my network become effectively more secure, or less secure?

To answer these questions, you create an appropriate Asset Report Template to gather the data and
report information about your network.

Threat assessment using the Threat Correlation Module

McAfee Vulnerability Manager features a Threat Correlation Module designed to help IT security staff,
decision makers, and executives keep track of how the organization responds to events, how fast and
how well remediation is conducted, and the general threat level to which the organization is exposed.

What is a threat?
Before beginning to describe the inner workings of the TCM, we should clarify what a threat is and
how it is different from a vulnerability.
A threat is in its simplest form an event, whereas a vulnerability is a condition. The TCM helps to
measure the likelihood that an event will affect hosts in the environment managed by McAfee
Vulnerability Manager.

Threat Correlation Module


The TCM requires very little set up and customization. It does, however, function best and deliver the
most help and value when scans, asset groups, and asset values are properly configured.
When that is the case, the threat correlation module will, with a few mouse clicks, help you
understand which assets are at how much risk from what. Simply click the Correlate button for a
given vulnerability and the threat correlation module displays a prioritized list of the devices affected
by that threat.

View the Threat Correlation Module output


As mentioned previously, the TCM produces a list of hosts that are at risk from a particular threat.
The hosts at the top of the list are hosts that are at the most risk. This risk score is calculated as a
product of the value of the device (asset criticality), the severity of the vulnerability and the quality of
the match made by the threat correlation module.
The TCM works by considering the following parameters of a threat to determine the match:

What OS does the threat affect?
What port would have to be open in order for the threat to be effective against a host?
What service needs to be running in order for the threat to be effective against a host?
What banners would be indicative of a vulnerable host?
Is the host already known to be vulnerable to the condition the threat pertains to?

So in other words, the more severe the underlying vulnerability, the higher the asset value and the
more accurate the match, the more at risk a system is from the threat in question.

The list of hosts produced by a correlation is prioritized so the hosts at the most risk are at the top of
the list. This helps you understand where to deploy risk mitigation resources, and thus helps you
focus on mitigating the most risk with the available resources.
Additionally, the list produced by the TCM will also show if an open trouble ticket already exists for the
host in question.
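The prioritization described above, as an added worked example rather than the product's own algorithm: each host's risk is asset criticality times vulnerability severity times match quality, where the match quality is built from the five questions listed (OS, port, service, banner, already known vulnerable), and the output is sorted highest risk first with the open-ticket flag carried along. The weights, severity scale, host inventory and the MS06-040 threat definition are constructed assumptions.

```python
"""Threat-correlation style prioritization (added example, not McAfee code)."""
from dataclasses import dataclass, field

SEVERITY = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}   # assumed scale

# Assumed weights: a scan finding that the host is already vulnerable dominates;
# OS, open port, service and banner are indirect evidence only.
WEIGHTS = {"os": 0.15, "port": 0.15, "service": 0.15, "banner": 0.15, "known_vuln": 0.40}


@dataclass
class Threat:
    name: str
    severity: str
    os_family: str        # OS the threat affects
    port: int             # port that must be open
    service: str          # service that must be running on that port
    banner_hint: str      # text that would appear in a vulnerable host's banner
    vuln_id: str          # the vulnerability the threat exploits


@dataclass
class Host:
    name: str
    criticality: int      # asset value 1 (low) .. 5 (critical), assumed scale
    os_family: str
    open_ports: dict      # port -> service name from the last scan
    banners: dict = field(default_factory=dict)       # port -> banner text
    known_vulns: set = field(default_factory=set)     # vulnerability ids confirmed by scan
    open_ticket: bool = False


def match_quality(host, threat):
    """Fraction (0..1) of the threat's preconditions observed on the host.

    A host running a different OS cannot be affected at all, so it scores 0.
    """
    if host.os_family != threat.os_family:
        return 0.0
    q = WEIGHTS["os"]
    if threat.port in host.open_ports:
        q += WEIGHTS["port"]
        if host.open_ports[threat.port] == threat.service:
            q += WEIGHTS["service"]
        if threat.banner_hint in host.banners.get(threat.port, ""):
            q += WEIGHTS["banner"]
    if threat.vuln_id in host.known_vulns:
        q += WEIGHTS["known_vuln"]
    return round(q, 2)


def risk_score(host, threat):
    """Asset value x vulnerability severity x match quality, as the guide describes."""
    return round(host.criticality * SEVERITY[threat.severity] * match_quality(host, threat), 2)


def correlate(hosts, threat):
    """Prioritized list of (host name, risk score, open ticket?), highest risk first.

    Hosts that cannot be affected (score 0) are left out of the list.
    """
    scored = [(h.name, risk_score(h, threat), h.open_ticket) for h in hosts]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: (-s[1], s[0]))


# Constructed inventory and threat for the example run.
HOSTS = [
    Host("dc01", 5, "Windows", {445: "microsoft-ds", 139: "netbios-ssn"},
         {445: "Windows Server 2003"}, {"MS06-040"}, open_ticket=True),
    Host("ws17", 2, "Windows", {445: "microsoft-ds"}),
    Host("web02", 4, "Linux", {80: "http", 22: "ssh"}),
    Host("fs03", 3, "Windows", {445: "microsoft-ds"}, {445: "Windows Server 2003"}, {"MS06-040"}),
    Host("kiosk", 1, "Windows", {80: "http"}),
]
THREAT = Threat("Worm exploiting MS06-040 (constructed)", "High", "Windows", 445,
                "microsoft-ds", "Windows Server 2003", "MS06-040")


if __name__ == "__main__":
    for name, score, ticket in correlate(HOSTS, THREAT):
        print(f"{name:6} risk={score:5}  open ticket={'yes' if ticket else 'no'}")
```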

How to mitigate the risk


For each threat known by the TCM, a countermeasure, or risk mitigation recommendation, is also
known. These recommendations are authored and maintained by McAfee Avert Labs on an ongoing
basis. Following the risk mitigation steps described in the TCM can be a quick and simple way of
resolving the vulnerability or exposure permanently.
Use TCM as a proactive tool to notify asset owners of potential issues. Threats are not a true
indication that a vulnerability is present.

Optimize performance
This guide provides information on configuring McAfee Vulnerability Manager 7.5 to optimize its
performance over your network and to adapt it to your environment. By default, McAfee
Vulnerability Manager 7.5 is already optimized for small to medium networks; its default parameters
minimize impact on network resources. However, for organizations with large networks (Class B or
greater), optimizing McAfee Vulnerability Manager 7.5 will help ensure that the scans complete in
a timely manner.
Selecting the correct scan parameters for your network can affect the speed and accuracy of your
scans, and the impact on your network. See Recommended Settings on page 45 for suggestions on
how to optimize McAfee Vulnerability Manager 7.5 for various environments. Use them as guidelines
for setting up scans on your network.
Note: Use care when adjusting these parameters from the default values; they significantly impact
scan accuracy, scan duration, and network bandwidth consumption.

Performance parameters
The following table shows the effect that increasing parameter values has on the scan speed, required
bandwidth, and scan accuracy.
Table: effect of increasing each performance parameter on scan speed, required bandwidth, and
scan accuracy (increase in value, decrease in value, or no effect). Parameters covered: Turn on TCP
Full Connect; Increased ICMP/UDP/TCP Time-outs; Increased # of Passes Service Discovery;
Increased # of Passes Host Discovery; Increased Number of Scan Objects; Turn on Advanced UDP
Scanning; Increased Batch-size Vulnerability Scan; Increased Packet Interval; Increased FSL Threads.

Host Discovery options


You can fine-tune the following options for new or existing scans. In the portal, to create a new scan
select Scans | New Scan, to edit an existing scan select Scans | Edit Scans. These settings can be
found on the Settings tab in the scan configuration wizard, under the Host options.

Figure 5: Scan configuration Hosts settings

Full connect scan


This feature for TCP port scanning provides better accuracy than TCP SYN scanning, but it increases
the scan time because it completes the three-way handshake: it sends a packet, waits for a response
from the host, and then sends another packet.
Though SYN scanning is fairly accurate over a LAN, select the Full connect scan feature for better
accuracy on scans over the Internet (external).
Also, select this option when running a minimum number of passes with maximum accuracy for a
more comprehensive scan.

Services options
You can fine-tune the following options for new or existing scans. In the portal, to create a new scan
select Scans | New Scan, to edit an existing scan select Scans | Edit Scans. These settings can be
found on the Settings tab in the scan configuration wizard, under the Host options.

Figure 6: Scan configuration - Services settings

Figure 7: Services settings - Advanced options

Enable Load Balancer Detection


McAfee Vulnerability Manager provides a load balancer detection feature that you can enable in your
scan configurations. You can find this under the Services Advanced Options, on the Settings tab.
This feature detects the presence of load balancers on your network. It displays the load balancer as a
node on the Network Topology Report. Selecting this option results in a longer scanning process.

Services running on non-standard ports


McAfee Vulnerability Manager can scan non-standard ports for common services like HTTP, FTP, POP3,
TELNET and several others. Rogue applications or end-users might set up these services on
non-standard ports to avoid detection. You can find this under the Services Advanced Options, on the
Settings tab.

Credential options
You can fine-tune the following options for new or existing scans. In the portal, to create a new scan
select Scans | New Scan, to edit an existing scan select Scans | Edit Scans. These settings can be
found on the Settings tab in the scan configuration wizard, under the Host options.

Figure 8: Scan configuration Credentials settings

Scanning with credentials


McAfee Vulnerability Manager can use credentials to authenticate itself to a Windows, UNIX, or
infrastructure host. This allows the FSL scripts to access the Windows registry and other information.
Infrastructure hosts are other network devices, such as Cisco routers and switches.
This feature lets you add credentials to authenticate an account on a host:

Windows Domain
Windows Workgroup
Windows Individual Host
Windows Default
Shell Domain
Shell Individual Host
Shell Default
Web Domain
Web Server
Web Default
Web Application URL

Each method of authentication requires a user ID (user name), and some methods require a
password. The database stores the encrypted user names and passwords for this scan. When the scan
begins, McAfee Vulnerability Manager 7.5 uses this information to attempt authentication on each
discovered host system.

Optimize options
You can set the following options to optimize performance for new or existing scans. In the portal, to
create a new scan select Scans | New Scan, to edit an existing scan select Scans | Edit Scans. These
settings can be found on the Settings tab in the scan configuration wizard, under the Optimize
options.

Figure 9: Scan configuration Optimize settings

ICMP / UDP / TCP timeouts


The default timeout values are set for optimal external discovery scans. Adjust the timeout values
slightly lower for a faster scan or slightly higher for a more thorough, slower scan.
To optimize internal scans, set the ICMP timeout to 1500ms and the TCP timeout to 2000ms.

Number of passes
This option controls the number of times ICMP, UDP, and TCP requests, or pings, are sent to target IP
address ranges during the scan host discovery sequence.
McAfee recommends three passes; use fewer passes for a faster, less thorough scan. For external
scans, McAfee testing reveals that approximately 95% of all active hosts are discovered on the initial
pass, about 4+% are included in the second pass, and the remaining percentage are discovered in the
final pass.
For internal scans, most, if not all, devices are discovered in the first pass.

Number of scan objects


This option specifies the maximum number of sub-scans the system will use if the number of IP
addresses exceeds the IP threshold. Scan objects is the technical term for a sub-scan. Set the number
of scan objects from 1 to 10.
The Number of Scan Objects setting has a strong impact on both scan performance and bandwidth
utilization. For example, if a scan uses 10 subscans, it runs 10 smaller scans simultaneously. Although
this substantially increases the performance, it also increases the load on the scan server by adding
9 additional scans. For example, if you had five different scan configurations running simultaneously,
and each used 10 scan objects, you would be running the equivalent of 50 concurrent scans, which is
a heavy load even for the most robust scan server and a solid network infrastructure.

Batch size
This setting controls the number of IP addresses that are scanned simultaneously. Though the default
value of 1024 IP addresses is recommended for small scans, select a larger batch size to speed up the
scan of a large environment. Values can be 32, 64, 128, 256, 512, 1024, 2048, 4096, and 8192 IP
addresses.
For example, assume you are scanning a class C network (256 IP addresses). The following table
shows the number of scan segments each batch size would require.

Batch size    Scan segments (256 IP addresses)
64            4
128           2
256           1

Batch size recommendations vulnerability scans


For vulnerability scans, select a smaller batch size. Large batches can slow the overall scan time
because the batch has to wait for scripts to either complete or timeout. To maximize scan efficiency,
performance, and bandwidth utilization, select a batch size of 1024 or lower for vulnerability scans.

Packet interval
This setting controls the delay McAfee Vulnerability Manager 7.5 waits between sending each
packet across the network. Without a minimal inter-packet delay, McAfee Vulnerability Manager 7.5
would flood the network with packets, causing routers to drop scan traffic destined for target hosts
and affecting the accuracy of the scan.
Though 15 milliseconds is the default value, select a higher value, such as 20-25 milliseconds, when
scanning a highly distributed network such as a global WAN. Use lower delays, such as 10
milliseconds, over smaller networks with a cleaner backbone to improve scan performance without
sacrificing scan accuracy.

Caution: Even small increases in the Packet Interval affect scan durations. Use caution when adding
delays to large scans.
Assume that a very small scan sends out 1000 packets. Sending them all at once would take very
little time. But consider the effects of adding a small delay:
Delay    Time to send 1000 packets
10ms     10 seconds
25ms     25 seconds

Now consider a scan that sends 750,000 packets:

Delay    Time to send 750,000 packets
10ms     7,500 seconds (2 hours 5 minutes)
25ms     18,750 seconds (over 5 hours)

Scan vulnerability saving option


Some reporting, like compliance scans, might require all data collected from a scanned host
(vulnerable, not vulnerable, and indeterminate).
In the product, you can set whether all data or only vulnerability data is saved from scanned hosts.
Saving all data collected from a scanned host (vulnerable, not vulnerable, indeterminate) can result in
a large amount of data being collected (approximately nine times when compared to returning only
vulnerable data). When creating scan configurations that will collect all data, it is recommended to
have 10,000 hosts as the maximum number to scan.
You can find this feature in the Optimize settings on the Settings tab of a scan configuration.

Vulnerable only: Returns only vulnerability data from scanned hosts. This is the default selection
when creating a new scan.
All: Returns all data collected from scanned hosts (vulnerable, not vulnerable, indeterminate).
Note: Returning all results (full results) is only available with HTML reports.

Other scanning options


You can fine-tune speed and size options for new or existing scans in the enterprise manager.

Foundstone Scripting Language (FSL) threads


The FSL Thread Count setting is the number of threads running in parallel to execute FSL vulnerability
check scripts. Increase the default (20 threads) to 30 for a faster scan when vulnerability checking is
enabled for a scan. Increasing this setting improves scan performance, but also uses more network
bandwidth.

Configure the FSL Thread Count setting in enterprise manager on the General Settings page (select
Manage | Engines and click Preferences for the scan engine).

Figure 10: Engine options General settings


Though increasing the number of FSL threads used improves scan performance, it increases network
traffic and can impact the performance of the scan server. Each FSL thread uses approximately 1 MB
of virtual memory, and each scan object uses the full set of threads available. A scan configured to
use 30 FSL threads running 10 concurrent subscans could consume up to 300 MB of virtual memory
for a single scan at its peak.
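Added example, not McAfee code, that puts the guide's figures into one planner: batch segments for an address range (Batch size section), packet send time at a given Packet Interval, the sub scans actually used once the IP threshold is exceeded, equivalent concurrent scans from scan objects, the peak FSL virtual memory computed above, and warnings against the limits the guide states (30 FSL threads, 1 to 10 scan objects, 5 concurrent scans per engine, batch size 1024 or lower for vulnerability scans, 10,000 hosts when saving all data). The IP threshold value and the sample scan's address, packet and configuration counts are assumptions.

```python
"""Vulnerability scan capacity planner built from this guide's figures (added example)."""
import math

BATCH_SIZES = (32, 64, 128, 256, 512, 1024, 2048, 4096, 8192)   # selectable batch sizes
MAX_BATCH_VULN_SCAN = 1024      # guide: 1024 or lower for vulnerability scans
MAX_FSL_THREADS = 30            # guide: default 20, maximum 30
MAX_SCAN_OBJECTS = 10           # guide: 1..10 sub scans
MAX_CONCURRENT_SCANS = 5        # guide: at most 5 concurrent scans with 10 subscans each per engine
FSL_THREAD_MB = 1               # guide: about 1 MB virtual memory per FSL thread
ALL_DATA_MAX_HOSTS = 10000      # guide: recommended maximum when saving all (not just vulnerable) data


def batch_segments(ip_count, batch_size):
    """Number of batches an address range is split into (256 IPs at batch 64 = 4)."""
    if batch_size not in BATCH_SIZES:
        raise ValueError(f"batch size must be one of {BATCH_SIZES}")
    return math.ceil(ip_count / batch_size)


def send_time_seconds(packets, packet_interval_ms):
    """Wall-clock time just to emit the packets at the configured packet interval."""
    return packets * packet_interval_ms / 1000


def scan_objects_used(ip_count, ip_threshold, scan_objects):
    """Sub scans are only used when the range exceeds the IP threshold; otherwise one scan runs."""
    return scan_objects if ip_count > ip_threshold else 1


def peak_fsl_memory_mb(fsl_threads, scan_objects):
    """Each scan object runs the full thread set: 30 threads x 10 objects = 300 MB."""
    return fsl_threads * scan_objects * FSL_THREAD_MB


def equivalent_scans(concurrent_configs, scan_objects):
    """Engine load expressed as single scans: 5 configurations x 10 objects = 50."""
    return concurrent_configs * scan_objects


def plan(ip_count, batch_size, packet_interval_ms, packets, fsl_threads, scan_objects,
         concurrent_configs, ip_threshold, save_all_data=False):
    """Derived figures for one vulnerability scan plus warnings against the guide's limits."""
    warnings = []
    if fsl_threads > MAX_FSL_THREADS:
        warnings.append(f"FSL threads {fsl_threads} exceeds maximum {MAX_FSL_THREADS}")
    if not 1 <= scan_objects <= MAX_SCAN_OBJECTS:
        warnings.append(f"scan objects {scan_objects} outside 1..{MAX_SCAN_OBJECTS}")
    if concurrent_configs > MAX_CONCURRENT_SCANS:
        warnings.append(f"{concurrent_configs} concurrent scans exceeds suggested "
                        f"maximum {MAX_CONCURRENT_SCANS} per engine")
    if batch_size > MAX_BATCH_VULN_SCAN:
        warnings.append(f"batch size {batch_size} above {MAX_BATCH_VULN_SCAN} "
                        "is not recommended for vulnerability scans")
    if save_all_data and ip_count > ALL_DATA_MAX_HOSTS:
        warnings.append(f"saving all data for {ip_count} hosts exceeds "
                        f"recommended maximum {ALL_DATA_MAX_HOSTS}")
    used = scan_objects_used(ip_count, ip_threshold, scan_objects)
    return {
        "segments": batch_segments(ip_count, batch_size),
        "send_time_s": send_time_seconds(packets, packet_interval_ms),
        "scan_objects_used": used,
        "peak_fsl_mb": peak_fsl_memory_mb(fsl_threads, used),
        "equivalent_scans": equivalent_scans(concurrent_configs, used),
        "warnings": warnings,
    }


def example_plan():
    """Constructed case: a Class B range, five configurations at the most aggressive
    settings the guide mentions, saving all data; the IP threshold is an assumption."""
    return plan(ip_count=65536, batch_size=1024, packet_interval_ms=25, packets=750_000,
                fsl_threads=30, scan_objects=10, concurrent_configs=5, ip_threshold=1024,
                save_all_data=True)


if __name__ == "__main__":
    for key, value in example_plan().items():
        print(f"{key}: {value}")
```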

Scan configuration options


When creating a scan configuration, there are Optimize and Vuln Selection options for improving scan
performance.

Impact of specific scans


The following table shows the impact of different scan features on the scanning speed and required
bandwidth.
Table: impact of specific scan features (Perform Tracerouting, Run Brute Force Checks, Run Windows
Checks) on scan speed and required bandwidth (increase or decrease in value).
Perform tracerouting (network mapping)


The network topology maps in McAfee Vulnerability Manager 7.5 are created using the results of ICMP
and TCP traceroutes to each live host. This information lets you see high-risk areas, allowing you to
make a quick assessment of the risk posture among subnets.
If a large number of live hosts are anticipated and a network topology map is not desired, disable this
feature to gain a slight improvement in the speed of the scan and a significant improvement in the
time needed to generate a report upon the scan's completion.
The Network Mapping setting is part of the scan configuration wizard for both new scans and existing
scans. Go to the Settings tab in the scan configuration wizard, under the Optimize options.

Figure 11: Scan configuration Optimize settings

About vulnerability checks in McAfee Vulnerability Manager


McAfee Vulnerability Manager 7.5 runs vulnerability checks against devices that match the profile of
the individual vulnerability. It matches the vulnerabilities with hosts whose operating system type,
open ports, and protocols meet the specifications.
For example, a Windows server is not assessed for a Linux vulnerability, a Cisco router without port
69 open is not assessed for TFTP vulnerability, and a UNIX server with only UDP-based DNS running is
not assessed for a TCP-based DNS vulnerability.
As the number of selected checks and active hosts increases, scans take more time to ensure that all
vulnerabilities are discovered. McAfee Vulnerability Manager 7.5 includes a large number of web
server checks, and scans on environments with many web servers take more time than scans on
comparable networks running other network services. If the purpose of a scan is to perform a network
inventory, turn off vulnerability checking.

Turning off specific vulnerability checks


The Brute Force and Windows checks have the most potential for slowing down a scan. These checks
are part of the scan configuration wizard, on the Settings tab, under Vuln Selection.

Figure 12: Scan configuration Vulnerability selection settings

Brute Force checks


These checks successively guess a large series of commonly used user names and passwords against
a target host. Given the nature of the testing, many user names and passwords fail, causing the script
execution to take longer than most other types of scripts. If you are less concerned about discovering
easily guessed usernames and passwords, disable Brute Force checks.

Windows checks
These checks run only if there is remote administrative access to the target Windows host. The time
consumed for the Windows checks to authenticate, fail or succeed, and execute if successfully
authenticated is higher than most checks.
If proper access is not available, as with external scans, disable the Windows checks to improve scan
performance.

Recommended scan settings


This section provides suggested settings for setting up scans. They are based on the best practices
developed by McAfee's Sales Engineers. The settings are determined by the size of the network and
by the type of scan.

Network size
For the purposes of describing network sizes, this guide uses the following size definitions:

Small networks: up to 10 Class C networks (2560 potentially live hosts)
Medium networks: up to a Class B network (65536 potentially live hosts)
Large networks: up to a Class A network (16.7 million potentially live hosts)

Types of scans
McAfee Vulnerability Manager 7.5 lets you customize your scans to your needs. Scan types can range
from simple discovery scans to full vulnerability scans. The following table provides a quick overview
with cross references for each of the scan types on various networks. The most common scans include
the following:

Single Vulnerability Scan: use this scan to scan for a single vulnerability check.

Asset Discovery Scan: the Asset Discovery Scan searches for the various devices on your
network. All scans perform discovery services and the other scan types look for additional
information, based on the findings from the discovery scan.

SANS/FBI Top 20 Scan: this scan searches only for the vulnerabilities that have been identified
by the Federal Bureau of Investigation (FBI) as the top 20 most common vulnerabilities.

Full Vulnerability Scan: the full scan lets you pick and choose the types of vulnerability checks to
run against the network.

WWW Application Assessment Scan: this scan searches the network for web applications. It
probes for web applications, looks for access points and weaknesses that could provide access
into the network, and searches for various vulnerabilities associated with web applications.

Note: Use these templates as guidelines. Consider your network configuration and refine the settings
as needed. Refer to this guide and the online help for more information on each setting.

Scan size and type

Single Vulnerability Scan
  All sizes: use the Single Vulnerability Scan recommendations below.
Asset Discovery Scan
  Large networks: see page 57. Medium networks: see page 51.
SANS/FBI Top 20 Scan
  Large networks: see page 59. Medium networks: see page 53.
Full Vulnerability Scan
  Large networks: not recommended; see page 55 for notes. Medium networks: see page 48.
Web Application Assessment Scan
  Large networks: not recommended; see for notes. Medium networks: see (page not given).
Small networks
  See page 51. Small networks use the same settings for all types of scans.


Settings: Full-port scans


A full-port scan is designed to detect all open ports on a system.

Optimize an all-port scan

- Set the packet delay to zero.
- Set the timeouts to 500 ms.
- Use SYN scanning.

Performance expectations
Using these settings you can scan 65536 ports on one system in about 7 to 12 seconds.
McAfee engineers have spent considerable time and effort tuning the scanning engine to provide the
best accuracy. Although another scanner could theoretically scan all ports faster than this, it would
not be more accurate, because sending thousands of packets per second will probably cause routers
and/or the target systems to drop significant numbers of packets.
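To make the timeout and banner-grabbing settings concrete, here is an added Python example; it is not McAfee code and does not reproduce the product's scanning engine. It performs a full-connect TCP probe (the portable counterpart of the SYN scanning recommended above, and what "Full connect scan ON" means in the settings tables that follow) against a constructed local listener, applies a per-port timeout, and optionally reads the service banner. The function and fixture names (probe_port, probe_ports, start_banner_listener, free_port) and the banner text are the example's own assumptions. Run against a host you administer, it shows what a scan with a given timeout will classify as open, closed, or filtered, and why a filtered port costs a full timeout while banner grabbing can cost a second one.

```python
"""Added example (not McAfee code): a full-connect TCP probe with a per-port
timeout and optional banner grabbing, mirroring the Service Discovery settings
(TCP timeout, full connect scan, perform banner grabbing) the guide tunes."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout, grab_banner=False):
    """Return (port, state, banner). state is 'open', 'closed' or 'filtered'.
    A refused connection is 'closed'; no answer within `timeout` seconds (the
    scanner's TCP timeout setting) is 'filtered' and costs the whole timeout."""
    banner = b""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return port, "closed", banner
        except OSError:  # includes socket.timeout
            return port, "filtered", banner
        if grab_banner:
            # Banner grabbing can cost up to one more timeout on services that
            # wait for the client to speak first, which is why the guide turns
            # it off for the large asset discovery scan.
            try:
                banner = s.recv(256)
            except OSError:
                banner = b""
    return port, "open", banner


def probe_ports(host, ports, timeout=2.0, grab_banner=False, workers=64):
    """Probe `ports` concurrently. `workers` plays the role of the scanner's
    batch size: wall time for unresponsive ports is roughly
    ceil(len(ports) / workers) * timeout, which is why a larger batch is
    faster but generates more simultaneous traffic."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p, timeout, grab_banner), ports))
    return {port: (state, banner.decode("ascii", "replace").strip())
            for port, state, banner in results}


def start_banner_listener(banner=b"SSH-2.0-ConstructedBanner\r\n"):
    """Constructed test fixture: a local listener that sends a banner on
    connect, standing in for a real service. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Constructed helper: a loopback port nothing is listening on right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port = start_banner_listener()
    closed_port = free_port()
    for port, (state, banner) in sorted(
            probe_ports("127.0.0.1", [open_port, closed_port], grab_banner=True).items()):
        print(port, state, banner)
```

The probe reports a banner only when the service volunteers one; with banner grabbing off the open port is still found, just without the fingerprint data, which is the trade-off the tables below make per scan type.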

Settings: Scan for a single vulnerability


When you have to create a scan to look for a single vulnerability, such as the Microsoft Windows RPC
DCOM vulnerability that caused trouble in August 2003, use these recommended settings to optimize
your scan.

Enterprise manager settings

  Enterprise manager parameter                    Recommended setting

Scan Ranges
  Batch Size                                      1024-8192. Higher settings make the scan faster,
                                                  but generate more network traffic.

Module Selection
  Discovery                                       ON (always ON)
  Web Application Assessment Module               OFF
  Windows Host Assessment Module                  ON. Select the single check you want to use.
                                                  Ensure that credentials are supplied.
                                                  Note: Set to OFF if you are checking for a
                                                  single Shell vulnerability.
  Wireless Discovery and Assessment Module        OFF
  Shell Module                                    ON. Select the single check you want to use.
                                                  Ensure that credentials are supplied.
                                                  Note: Set to OFF if you are checking for a
                                                  single Windows vulnerability.
  General Assessment Module                       ON

Host Discovery
  Use ICMP Discovery                              ON
  ICMP: Timeout (Advanced)                        1000ms
  Use UDP Ports                                   OFF
  Use TCP Ports                                   OFF (to increase speed)
  Number of Passes

Service Discovery
  Use UDP Ports                                   ON
  UDP: Ports                                      Use only the ports that are affected by the
                                                  vulnerability
  UDP: Timeout                                    2000ms
  Use advanced UDP Scanning Technique             OFF
  Use TCP Ports                                   ON
  TCP: Ports                                      Use only the ports that are affected by the
                                                  vulnerability
  TCP: Timeout                                    2000ms
  TCP: Full connect scan                          OFF
  Number of Passes
  Perform banner grabbing                         ON
  Service Fingerprinting Options                  OFF

Vulnerability Checks
  Vulnerability Checks                            ON. Select the single check you want to use.
  SANS/FBI Top 20                                 OFF

Options
  IP threshold                                    256
  Number of Scan Objects
  Create report upon scan completion              ON

Settings: Full vulnerability scan (up to 2560 hosts)


The settings for this full scan are optimized for small environments with fewer than 10 Class C
networks. Create the scan configuration from the enterprise manager. This table describes only those
settings that affect scan performance; the other settings are arbitrary.

Enterprise manager settings (All scans, small network)

  Enterprise manager parameter                    Recommended setting

Scan Ranges
  Batch Size                                      128

Module Selection
  Discovery                                       ON (always ON)
  Web Application Assessment Module               OFF
  Windows Host Assessment Module                  OFF
  Wireless Discovery and Assessment Module        OFF
  Shell Module                                    OFF
  General Assessment Module                       ON

Host Discovery: ICMP
  Use ICMP Discovery                              ON
  Echo Request (Advanced)                         ON
  Timestamp Request (Advanced)                    OPTIONAL
  Address Mask Request (Advanced)                 OPTIONAL
  Information Request (Advanced)                  OPTIONAL
  Timeout (Advanced)                              2000ms

Host Discovery: UDP
  Use UDP Ports                                   ON
  Ports                                           Allow McAfee Vulnerability Manager to determine ports
  Timeout (Advanced)                              2000ms
  Use advanced UDP Scanning Technique (Advanced)  OFF
  Use UDP Static Source Port (Advanced)           OPTIONAL

Host Discovery: TCP
  Use TCP Ports                                   ON
  Ports                                           Allow McAfee Vulnerability Manager to determine ports
  Timeout (Advanced)                              4000ms
  Full connect scan (Advanced)                    OFF
  Use TCP Static Source Port (Advanced)           OFF

Host Discovery
  Number of Passes

Service Discovery: UDP
  Use UDP Ports                                   ON
  Ports                                           Allow McAfee Vulnerability Manager to determine ports
  Timeout                                         2000ms
  Use advanced UDP Scanning Technique             OFF

Service Discovery: TCP
  Use TCP Ports                                   ON
  Ports                                           Allow McAfee Vulnerability Manager to determine ports
  Timeout                                         4000ms
  Full connect scan                               OFF

Service Discovery
  Number of Passes
  Perform banner grabbing                         ON
  Service Fingerprinting Options                  OFF

Vulnerability Checks
  SANS/FBI Top 20                                 OPTIONAL, or select Vulnerability Checks and
                                                  Non-Intrusive Vulnerability Checks
  Vulnerability Checks                            ON, or use SANS/FBI defaults
  Non-Intrusive                                   ON

Options: Scan Acceleration
  IP threshold                                    256
  Number of Scan Objects

Options: Reporting
  Create report upon scan completion              ON

Settings: Asset discovery (up to 65536 hosts)


This scan is optimal for running asset discovery scans on any size network that is smaller than a Class
B. This type of scan discovers the devices on the network. The reports provide the operating system
types, machine names, and a network topology of the networks scanned.
Note: This high-level scan does not detect all of the services that could possibly be listening on
discovered hosts. In order to get a more detailed view of these services, enable Allow McAfee
Vulnerability Manager to determine which ports to scan on the Services page, but not on the Host
Discovery page. This significantly increases the duration of the scan, but it performs a more
exhaustive service scan on discovered hosts and results in a more detailed report.
The following table describes only those settings in the enterprise manager scan settings that affect
the scan performance. The other settings are arbitrary. See the online help for additional information.

Enterprise manager settings (Asset discovery scan, medium network)

  Enterprise manager parameter                    Recommended setting

Scan Ranges
  Batch Size                                      4096

Module Selection
  Discovery                                       ON (always ON)
  Web Application Assessment Module               OFF
  Windows Host Assessment Module                  OFF
  Wireless Discovery and Assessment Module        OFF
  Shell Module                                    OFF
  General Assessment Module                       OFF

Host Discovery: ICMP
  Use ICMP Discovery                              ON
  Echo Request (Advanced)                         ON
  Timestamp Request (Advanced)                    OPTIONAL
  Address Mask Request (Advanced)                 OPTIONAL
  Information Request (Advanced)                  OPTIONAL
  Timeout (Advanced)                              1000ms

Host Discovery: UDP
  Use UDP Ports                                   OFF

Host Discovery: TCP
  Use TCP Ports                                   ON
  Ports                                           21, 22, 25, 135, 80
  Timeout (Advanced)                              2000ms
  Full connect scan (Advanced)                    OFF
  Use TCP Static Source Port (Advanced)           OFF

Host Discovery
  Number of Passes

Service Discovery: UDP
  Use UDP Ports                                   OFF

Service Discovery: TCP
  Use TCP Ports                                   ON, and choose Allow McAfee Vulnerability Manager
                                                  to determine which ports to scan for a more
                                                  exhaustive search.
  Ports                                           21, 22, 23, 25, 80, 111, 135, 445. Choose Allow
                                                  McAfee Vulnerability Manager to determine which
                                                  ports to scan for a more exhaustive search.
  Timeout                                         2000ms
  Full connect scan                               OFF

Service Discovery
  Number of Passes
  Perform banner grabbing                         OFF
  Service Fingerprinting Options                  OFF

Vulnerability Checks
  SANS/FBI Top 20                                 OFF
  Vulnerability Checks                            OFF

Options: Scan Acceleration
  IP threshold                                    256
  Number of Scan Objects                          10

Options: Reporting
  Create report upon scan completion              ON
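The table above is easy to transcribe into a machine-checkable baseline. The following example, added here and not part of McAfee's product or documentation, encodes the asset discovery settings for a medium network as a nested dictionary and audits a scan configuration against it, reporting every performance-relevant deviation plus two rules the guide states for every scan type (Discovery is always ON; the Windows Host and Shell modules need credentials). The page/parameter dictionary layout, the function names and the `credentials` argument are the example's own assumptions, not an export format or API of McAfee Vulnerability Manager.

```python
"""Added example (not McAfee code): audit a scan configuration against the
recommended settings for an asset discovery scan on a medium network."""

# Baseline transcribed from the "Asset discovery (up to 65536 hosts)" table.
# Values are the guide's; the page -> parameter -> value layout is this
# example's own convention (assumption), not the product's export format.
ASSET_DISCOVERY_MEDIUM = {
    "Scan Ranges": {"Batch Size": 4096},
    "Module Selection": {
        "Discovery": "ON",
        "Web Application Assessment Module": "OFF",
        "Windows Host Assessment Module": "OFF",
        "Wireless Discovery and Assessment Module": "OFF",
        "Shell Module": "OFF",
        "General Assessment Module": "OFF",
    },
    "Host Discovery: ICMP": {
        "Use ICMP Discovery": "ON",
        "Echo Request (Advanced)": "ON",
        "Timestamp Request (Advanced)": "OPTIONAL",
        "Address Mask Request (Advanced)": "OPTIONAL",
        "Information Request (Advanced)": "OPTIONAL",
        "Timeout (Advanced)": 1000,          # milliseconds
    },
    "Host Discovery: UDP": {"Use UDP Ports": "OFF"},
    "Host Discovery: TCP": {
        "Use TCP Ports": "ON",
        "Ports": [21, 22, 25, 135, 80],
        "Timeout (Advanced)": 2000,
        "Full connect scan (Advanced)": "OFF",
        "Use TCP Static Source Port (Advanced)": "OFF",
    },
    "Service Discovery: UDP": {"Use UDP Ports": "OFF"},
    "Service Discovery: TCP": {
        "Use TCP Ports": "ON",
        "Ports": [21, 22, 23, 25, 80, 111, 135, 445],
        "Timeout": 2000,
        "Full connect scan": "OFF",
    },
    "Service Discovery": {
        "Perform banner grabbing": "OFF",
        "Service Fingerprinting Options": "OFF",
    },
    "Vulnerability Checks": {"SANS/FBI Top 20": "OFF", "Vulnerability Checks": "OFF"},
    "Options: Scan Acceleration": {"IP threshold": 256, "Number of Scan Objects": 10},
    "Options: Reporting": {"Create report upon scan completion": "ON"},
}


def _normalize(value):
    """Compare port lists regardless of order and ON/OFF regardless of case."""
    if isinstance(value, (list, tuple, set)):
        return sorted(value)
    if isinstance(value, str):
        return value.strip().upper()
    return value


def audit_scan_config(config, baseline=ASSET_DISCOVERY_MEDIUM, credentials=None):
    """Return a list of findings (strings); an empty list means `config`
    matches every setting the baseline fixes. A baseline value of OPTIONAL
    accepts anything. Pages or parameters absent from the baseline are
    ignored, because the guide's tables cover only performance settings."""
    findings = []
    for page, params in baseline.items():
        for name, recommended in params.items():
            if recommended == "OPTIONAL":
                continue
            actual = config.get(page, {}).get(name)
            if actual is None:
                findings.append(f"{page} / {name}: not set (recommended {recommended})")
            elif _normalize(actual) != _normalize(recommended):
                findings.append(f"{page} / {name}: {actual} (recommended {recommended})")
    # Rules the guide states for every scan type, whatever the baseline.
    modules = config.get("Module Selection", {})
    if _normalize(modules.get("Discovery", "")) != "ON":
        findings.append("Module Selection / Discovery: must always be ON")
    for module in ("Windows Host Assessment Module", "Shell Module"):
        if _normalize(modules.get(module, "OFF")) == "ON" and not credentials:
            findings.append(f"Module Selection / {module}: ON but no credentials supplied")
    return findings


if __name__ == "__main__":
    candidate = {page: dict(params) for page, params in ASSET_DISCOVERY_MEDIUM.items()}
    candidate["Service Discovery"]["Perform banner grabbing"] = "ON"
    for finding in audit_scan_config(candidate):
        print(finding)
```

Swapping in one of the other tables as `baseline` audits the corresponding scan type; the two unconditional rules stay in place because they do not depend on network size.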

Settings: SANS/FBI Top 20 scan (up to 65536 hosts)


Use these settings for running a SANS/FBI Top 20 Vulnerability Scan on a medium-sized network. The
settings are optimized for any size network up to a Class B. The scan provides the operating system
types, machine names, and a network topology, and reports the discovery of any of the top 20
vulnerabilities on the FBI list.
The enterprise manager settings are described in the following tables. These tables do not describe
settings on the scan configuration pages that do not affect the performance of a scan. For example,
they do not discuss the name of the scan configuration or how it is scheduled to run. See the online
help for additional information.

Enterprise manager settings (SANS/FBI Top 20 scan, medium network)

  Enterprise manager parameter                    Recommended setting

Scan Ranges
  Batch Size                                      128

Module Selection
  Discovery                                       ON (always ON)
  Web Application Assessment Module               OFF
  Windows Host Assessment Module                  OFF
  Wireless Discovery and Assessment Module        OFF
  Shell Module                                    OFF
  General Assessment Module                       ON

Host Discovery: ICMP
  Use ICMP Discovery                              ON
  Echo Request (Advanced)                         ON
  Timestamp Request (Advanced)                    OPTIONAL
  Address Mask Request (Advanced)                 OPTIONAL
  Information Request (Advanced)                  OPTIONAL
  Timeout (Advanced)                              1000ms

Host Discovery: UDP
  Use UDP Ports                                   OFF

Host Discovery: TCP
  Use TCP Ports                                   ON
  Ports                                           21, 22, 25, 135, 80
  Timeout (Advanced)                              4000ms
  Full connect scan (Advanced)                    OFF
  Use TCP Static Source Port (Advanced)           OFF

Host Discovery
  Number of Passes

Service Discovery: UDP
  Use UDP Ports                                   ON
  Ports                                           Allow McAfee Vulnerability Manager to determine ports
  Timeout                                         2000ms
  Use advanced UDP Scanning Technique             OFF

Service Discovery: TCP
  Use TCP Ports                                   ON
  Ports                                           Allow McAfee Vulnerability Manager to determine ports
  Timeout                                         2000ms
  Full connect scan                               OFF

Service Discovery
  Number of Passes
  Perform banner grabbing                         ON
  Service Fingerprinting Options                  OFF

Vulnerability Checks
  SANS/FBI Top 20                                 ON
  Exclude Intrusive Checks                        ON

Options: Scan Acceleration
  IP threshold                                    256
  Number of Scan Objects                          10

Options: Reporting
  Create report upon scan completion              ON

Settings: Full vulnerability scan (up to 65536 hosts)


Use these settings for running a non-intrusive Full Vulnerability Scan on a medium-sized network. The
settings are optimized for any size network up to a Class B with up to 65536 potentially live hosts.
The scan provides the operating system types, machine names, and a network topology, and all
vulnerability categories of the networks scanned.
The enterprise manager scan settings are described in the following tables. These tables do not
describe settings on the scan configuration pages that do not affect the performance of a scan. For
example, they do not discuss the name of the scan configuration or how it is scheduled to run. See
the online help for additional information.

Enterprise manager settings (Full vulnerability scan, medium network)

  Enterprise manager parameter                    Recommended setting

Scan Ranges
  Batch Size                                      128

Module Selection
  Discovery                                       ON (always ON)
  Web Application Assessment Module               OFF
  Windows Host Assessment Module                  OFF
  Wireless Discovery and Assessment Module        OFF
  Shell Module                                    OFF
  General Assessment Module                       ON

Host Discovery: ICMP
  Use ICMP Discovery                              ON
  Echo Request (Advanced)                         ON
  Timestamp Request (Advanced)                    OPTIONAL
  Address Mask Request (Advanced)                 OPTIONAL
  Information Request (Advanced)                  OPTIONAL
  Timeout (Advanced)                              1000ms

Host Discovery: UDP
  Use UDP Ports                                   OFF

Host Discovery: TCP
  Use TCP Ports                                   ON
  Ports                                           21, 22, 25, 135, 80
  Timeout (Advanced)                              2000ms
  Full connect scan (Advanced)                    OFF
  Use TCP Static Source Port (Advanced)           OFF

Host Discovery
  Number of Passes

Service Discovery: UDP
  Use UDP Ports                                   ON
  Ports                                           Allow McAfee Vulnerability Manager to determine ports
  Timeout                                         2000ms
  Use advanced UDP Scanning Technique             OFF

Service Discovery: TCP
  Use TCP Ports                                   ON
  Ports                                           Allow McAfee Vulnerability Manager to determine ports
  Timeout                                         2000ms
  Full connect scan                               OFF

Service Discovery
  Number of Passes
  Perform banner grabbing                         ON
  Service Fingerprinting Options                  OFF

Vulnerability Checks
  SANS/FBI Top 20                                 OFF
  Vulnerability Checks                            ON, and select all of the non-intrusive checks
  Non-Intrusive                                   ON

Options: Scan Acceleration
  IP threshold                                    256
  Number of Scan Objects                          10

Options: Reporting
  Create report upon scan completion              ON

Settings: Asset discovery (up to 16,700,000 hosts)


These settings are optimized for discovering all devices on a network in extremely large environments
of multiple Class Bs or a Class A address space. The results provide the operating system types,
machine names, and a network topology of the networks scanned. This is a high-level view and does
not provide all the services that could be listening on discovered hosts. Turning on all services for
this type of scan is not recommended, as the data presented would be extremely large. For a detailed
view of individual hosts, use smaller scans to produce a report that can be used on an operational
basis.
Notes: Changes to these parameters can add significant time to the scan. These parameters are
optimal for this type of scan; using them, a scan of this magnitude should be able to complete
within 24 hours. Do not attempt to run a vulnerability assessment on a network of this size; the
amount of information alone would be overwhelming. Imagine a report with 10,000 live hosts, each
with 3 vulnerabilities (most systems have more than 3): that is a total of 30,000 vulnerabilities
within one extremely large report.
McAfee recommends that you define regions or business units by IP address ranges before
configuring a scan. When you enter IP addresses into McAfee Vulnerability Manager, use scan labels
to correlate this information in the reports.

Enterprise manager settings (Asset discovery scan, large network)

  Enterprise manager parameter                    Recommended setting

Scan Ranges
  Batch Size                                      8192

Module Selection
  Discovery                                       ON (always ON)
  Web Application Assessment Module               OFF
  Windows Host Assessment Module                  OFF
  Wireless Discovery and Assessment Module        OFF
  Shell Module                                    OFF
  General Assessment Module                       OFF

Host Discovery
  Use ICMP Discovery                              ON
  ICMP: Timeout (Advanced)                        1000ms
  Use UDP Ports                                   OFF
  Use TCP Ports                                   OFF
  Number of Passes

Service Discovery
  Use UDP Ports                                   OFF
  Use TCP Ports                                   ON
  TCP: Ports                                      21, 23, 25, 80, 135
  TCP: Timeout                                    2000ms
  TCP: Full connect scan                          OFF
  Number of Passes
  Perform banner grabbing                         OFF
  Service Fingerprinting Options                  OFF

Vulnerability Checks
  SANS/FBI Top 20                                 OFF
  Vulnerability Checks                            OFF

Options
  IP threshold                                    256
  Number of Scan Objects                          10
  Create report upon scan completion              ON


Settings: SANS/FBI Top 20 scan (up to 16,700,000 hosts)


These settings are optimized for discovering all devices on a network in extremely large environments
of multiple Class Bs or a Class A address space, for compliance with the SANS/FBI Top 20 list. The
resulting report provides the operating system types, machine names, network topology, and the top
20 vulnerability categories of the networks scanned.
Note: Class A scans typically generate thousands of vulnerabilities. This list can quickly become
overwhelming from a management perspective. McAfee recommends using the SANS/FBI Top 20 on
large networks. While McAfee Vulnerability Manager can scan large networks within a reasonable
time, McAfee recommends that you choose a smaller network size for more comprehensive full
vulnerability checks and Web Application Assessment scans.
Changes to these parameters can add significant time to the scan. These parameters are optimal for
this type of scan, and a scan using them can complete within 24-48 hours.
McAfee recommends that you define regions or business units by IP address ranges before
configuring a scan. When you enter IP addresses into McAfee Vulnerability Manager, use scan labels
to correlate this information in the reports.

Enterprise manager settings (SANS/FBI Top 20 scan, large network)

  Enterprise manager parameter                    Recommended setting

Scan Ranges
  Batch Size                                      128

Module Selection
  Discovery                                       ON (always ON)
  Web Application Assessment Module               OFF
  Windows Host Assessment Module                  OFF
  Wireless Discovery and Assessment Module        OFF
  Shell Module                                    OFF
  General Assessment Module                       ON

Host Discovery
  Use ICMP Discovery                              ON
  Echo Request (Advanced)                         ON
  Timestamp Request (Advanced)                    OPTIONAL
  Address Mask Request (Advanced)                 OPTIONAL
  Information Request (Advanced)                  OPTIONAL
  Timeout (Advanced)                              1000ms
  Use UDP Ports                                   OFF
  Use TCP Ports                                   OFF
  Number of Passes

Service Discovery
  Use UDP Ports                                   ON
  UDP: Ports                                      Allow McAfee Vulnerability Manager to determine ports
  Use TCP Ports                                   ON
  TCP: Ports                                      Allow McAfee Vulnerability Manager to determine ports
  TCP: Timeout                                    2000ms
  Full connect scan                               OFF
  Number of Passes
  Perform banner grabbing                         ON
  Service Fingerprinting Options                  OFF

Vulnerability Checks
  SANS/FBI Top 20                                 ON
  Exclude Intrusive Checks                        ON

Options
  IP threshold                                    256
  Number of Scan Objects                          10
  Create report upon scan completion              ON