Introduction
With Holm Security, you have the option to scan networks up to a /16 (Class B) in one schedule.
When you select a network scan target larger than a /20 network, the system automatically detects this and splits the scan into several runs for optimal performance. The runs are executed in parallel from different scanner appliances.
Under normal circumstances, a single scanner appliance can handle a scan of 4096 IP addresses (a /20 network) on its own.
If your target exceeds this number of addresses, we recommend installing more scanner appliances and connecting them through a group. Multiple scanner appliances in a group can then share the workload, each handling a separate run, so that larger networks can be scanned.
Requirements for scanning large networks:
If you are performing an internal scan of a larger network, you need enough scanner appliances to support the scans. The minimum requirement is one appliance per 4096 addresses, with the appliances connected in a group so the load can be split among all of them and the scan performs as well as possible.
You can find information on how to configure a group here:
https://support.holmsecurity.com/hc/en-us/articles/360019525279-How-do-I-set-a-group-for-a-scanner-appliance-
Best practices and examples:
Depending on what you are trying to scan, there are several options to consider. Below we provide some examples of targets that are typical for many environments.
Example /16:
- You choose a network scan target that includes a /16 network.
- The system identifies this as a larger IP network and performs automatic analysis to split it up into several scans.
- From the initial /16 network, a total of 16 scan jobs will run, one against each /20 network.
- The 16 scan jobs are executed in parallel for optimal performance and return results as each /20 network finishes.
- This means that if you are targeting a /16 network you should have 16 appliances working together (Class B = 65536 addresses, divided by 16 = 4096 addresses per appliance).
Example /20:
- You choose a network scan target that includes a /20 network.
- If you run the scan on a scanner appliance (probe) group and the scanned network is /20 or smaller, it will run on a single appliance from that group, the one that is least loaded.
- If, on the other hand, you manually divide that /20 network into, for example, 2 /21 networks or 4 /22 networks and run these as 2 or 4 separate scans on the group, execution will be much more efficient: because they are separate scans, they are distributed between the appliances within the group.
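To make the arithmetic in the two examples above and in the requirements section concrete, here is an added Python example. It is not part of the Holm Security product or of this article's original text; the 4096-address, /20 and /16 limits are taken from the article, while the function names and the assumption that one appliance executes one run at a time are assumptions made for the example.

```python
import ipaddress
import math

# Figures taken from the article: one scanner appliance handles 4096
# addresses on its own, targets larger than a /20 are split into /20 runs,
# and a single schedule accepts at most a /16. This script is an illustration
# and not part of the Holm Security product.
ADDRESSES_PER_APPLIANCE = 4096
SPLIT_PREFIX = 20
MAX_SCHEDULE_PREFIX = 16


def split_target(target: str, new_prefix: int = SPLIT_PREFIX) -> list:
    """Return the subnets a target is split into, one per scan run.

    A target that is already /new_prefix or smaller is returned unchanged,
    since it runs as a single job on one appliance. Pass new_prefix=22 to
    model the manual split of a /20 into four /22 scans.
    """
    net = ipaddress.ip_network(target, strict=False)
    if net.version != 4:
        raise ValueError("this example models IPv4 targets only")
    if net.prefixlen < MAX_SCHEDULE_PREFIX:
        raise ValueError(
            f"{net} is larger than a /{MAX_SCHEDULE_PREFIX}; "
            "split it across more than one schedule"
        )
    if net.prefixlen >= new_prefix:
        return [net]
    return list(net.subnets(new_prefix=new_prefix))


def appliances_required(target: str) -> int:
    """Minimum appliances for a target: one per 4096 addresses, rounded up."""
    net = ipaddress.ip_network(target, strict=False)
    return max(1, math.ceil(net.num_addresses / ADDRESSES_PER_APPLIANCE))


def plan_schedule(targets, appliances_in_group: int,
                  new_prefix: int = SPLIT_PREFIX) -> dict:
    """Plan one schedule over several targets against a group of a given size.

    Returns the individual runs, the minimum number of appliances the article
    requires, whether the group meets that minimum, and whether every run can
    execute in parallel (assumption: one run per appliance at a time).
    """
    runs = []
    for target in targets:
        runs.extend(split_target(target, new_prefix))
    minimum = sum(appliances_required(t) for t in targets)
    return {
        "runs": [str(r) for r in runs],
        "minimum_appliances": minimum,
        "meets_minimum": appliances_in_group >= minimum,
        "all_runs_parallel": len(runs) <= appliances_in_group,
    }


if __name__ == "__main__":
    # Constructed sample targets (RFC 1918 space), not real scan data.
    print(plan_schedule(["10.0.0.0/16"], appliances_in_group=16))
    print(plan_schedule(["10.0.0.0/20"], appliances_in_group=4, new_prefix=22))
```

Running the script with a /16 and a group of 16 appliances reports 16 runs of /20 each with every run in parallel; the same target against a group of 8 still meets neither the minimum nor full parallelism, which is the situation the article tells you to avoid by adding appliances. The second call models the manual split of a /20 into four /22 scans, which needs only one appliance by the article's minimum but uses four in parallel if the group has them.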
If you wish to increase the efficiency of a scan, or of the individual runs of your large network scans, consider adding more cores and RAM (cores are the priority for performance) to each scanner appliance. After that, you can also raise the scan profile's scan intensity to High.