Qualys Community Edition is a free version of the Qualys Cloud Platform designed for the security community.
Discover IT assets.
Scan web apps.
Inventory cloud assets.
Qualys Community Edition Getting Started Guide: https://www.qualys.com/docs/qualys-community-edition-user-guide.pdf
Qualys Community Edition gives you these capabilities at no cost:
Monitor up to 16 assets with Qualys Cloud Agent.
Scan up to 16 internal and 3 external IPs with Vulnerability Management.
Scan 1 URL with Web Application Scanning.
Deploy a Virtual Scanner Appliance within your internal network.
Gain visibility within your
Generate reports and assess results quickly and easily.
Your scan data within the platform will be retained for 90 days. Be sure to download and save reports for your records as you continue to use the Qualys Community Edition. Accounts that are inactive for 6 months are automatically purged for security.
To summarize the limitations:
Only 16 IP addresses (internal or public) can be scanned, and only one web application can be scanned. Furthermore, only one local appliance can be deployed, so only one internal network can be scanned.
Similar product: Tsunami Security Scanner
Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
To scan your internal network you will need to download the virtual appliance, and register it with the Qualys Platform.
Use the Discovery scan to get a list of the assets (hosts) present on your local network and to check their open ports.
This is where it gets interesting. Select up to 16 internal or external IP addresses to be scanned; this selection is the basis for an on-demand scan or for future scheduled scans. There are many options to choose from, but the defaults are often fine. To scan the internal network, select the virtual appliance you registered earlier. I also recommend performing some external scans using the external (Qualys) scanner, targeting your external IP address, to see what is vulnerable from the outside. The internal scan took about 35 minutes on my network, but it probably depends on the number of open ports.
Web Application scanning
The Qualys Community Edition package also includes Web Application Scanning, although the CE is limited to one web application. There are many settings for tuning the scan to your needs; even complex Selenium scripts can be included in the scans. Unfortunately, unlike the vulnerability scans, web application scans cannot be scheduled.
A different way to scan the infrastructure is to use cloud agents. These are small programs installed on the computers in the network. Agents are available for Linux, Windows, IBM AIX, and OS X. From inside the computer, they can detect things that cannot easily be detected from the outside; the agents can, for instance, detect software that needs updating.
By default, both the vulnerability scan and the web application scan may report a lot of vulnerabilities, and this is where things get more complicated: what are false positives, what can be ignored, and what should be rectified immediately? All vulnerabilities are ranked by threat level, and Qualys does an excellent job of giving additional information about the vulnerabilities found. On the other hand, the discovery scan only sees devices that respond to ICMP (ping) messages, so rogue devices can still be hiding in your network without being detected. The cloud agents work really well: the day after Adobe reported a vulnerability, I could see which of my systems contained the problem. Scanning from the outside proved useful, and pointed out that some application had used UPnP to unintentionally forward a port on my router.
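The caveat above (a ping-based discovery scan misses hosts that drop ICMP echo requests) can be checked from a machine on the same LAN by comparing the discovery result against the local neighbour table. This is an added example, not code from the original page or from Qualys: both inputs are constructed samples, and the one-IP-per-line discovery format is an assumption, not Qualys's real export format.

```python
import ipaddress

# Constructed sample: hosts a ping-based discovery scan reported alive
# (one IPv4 per line; an assumed format, not Qualys's real export format).
DISCOVERY_RESULT = """\
192.168.1.1
192.168.1.10
192.168.1.23
"""

# Constructed sample in the style of `ip neigh` on a Linux box in the same
# LAN: ARP/ND entries exist even for devices that drop ICMP echo requests.
ARP_TABLE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:00:00:10 STALE
192.168.1.23 dev eth0 lladdr aa:bb:cc:00:00:23 REACHABLE
192.168.1.77 dev eth0 lladdr aa:bb:cc:00:00:77 STALE
192.168.1.200 dev eth0 FAILED
fe80::1 dev eth0 lladdr aa:bb:cc:00:00:01 router REACHABLE
"""

def parse_discovery(text: str) -> set[str]:
    """IPv4 addresses the discovery scan listed as alive."""
    return {str(ipaddress.ip_address(line.strip()))
            for line in text.splitlines() if line.strip()}

def parse_arp(text: str) -> dict[str, str]:
    """Map IPv4 -> MAC for neighbour entries that resolved to a hardware address."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries carry no MAC; skip them
        ip = ipaddress.ip_address(fields[0])
        if ip.version == 4:  # IPv6 link-local entries are out of scope here
            seen[str(ip)] = fields[fields.index("lladdr") + 1]
    return seen

def hidden_hosts(discovery: str, arp: str) -> list[str]:
    """LAN hosts with a resolved MAC that the ping sweep never listed."""
    alive = parse_discovery(discovery)
    return sorted(ip for ip in parse_arp(arp) if ip not in alive)

if __name__ == "__main__":
    for ip in hidden_hosts(DISCOVERY_RESULT, ARP_TABLE):
        print("present on LAN but absent from discovery scan:", ip)
```

Any address this reports deserves a follow-up (an authenticated scan or a cloud agent), since the discovery scan alone will keep missing it.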
Here is a video showing how to register a Community Edition account and install the virtual appliance on your local network to run internal scans: