Optimizing the performance of your network scanner involves considering various parameters, including the selection of ports, scan configuration, and other metrics.
Port selection for efficient scans
The choice of ports for your scanning tasks plays an important role in determining the speed of your network scanning process.
Understanding ports and port lists
Ports are the gateways for network communication, enabling connections between different systems. They are categorized into Transmission Control Protocol (TCP) ports and User Datagram Protocol (UDP) ports.
TCP ports
Each system has a total of 65,535 TCP ports. Data transmission occurs bidirectionally between two TCP ports, making TCP port scanning quick and efficient.
UDP ports
Like TCP, each system has 65,535 UDP ports, but data transmission here is unidirectional. Testing UDP ports often takes longer due to the lack of data confirmation.
Ports numbered 0 to 1023 are considered privileged or system ports and are not accessible to user applications.
Scanning all available ports can be time-consuming, as many are often unused. To address this issue, port lists come into play.
Port lists for efficient scanning
Port lists are generated by analyzing the ports of internet-accessible systems and identifying the most commonly used ones. For most scanning tasks, scanning the ports under the Standard range is usually sufficient.
Here are the predefined port lists available:
https://support.holmsecurity.com/knowledge/what-ports-are-included-in-the-different-scan-levels
Please note that you can add additional ports in the scan profile if needed.
Selecting the correct port list
When choosing a port list, consider factors such as discovery performance and scan duration.
The duration of a scan primarily depends on your network configuration and the number of ports to be tested.
Ports not included in the selected list will not undergo vulnerability testing. Additionally, malicious applications that use such ports may go undetected. Malicious applications often target open ports that are typically unused and far from system ports.
Other factors include defense mechanisms triggered by exhaustive port scans, leading to countermeasures or alerts. Even during regular scans, firewalls may simulate that all 65,535 ports are active, causing time-outs and slowing down the actual scan.
Furthermore, each port queried results in at least one log entry from the corresponding service. Some services may only be scanned at specific times due to organizational constraints.
Scan duration considerations
In certain scenarios, scanning all TCP and UDP ports, especially with port throttling, may take up to 24 hours or longer for a single system. Parallel scans expedite the process, with two systems requiring only marginally more time than a single system. However, parallelization is constrained by system resources and network performance. Our scanner allows up to 10 hours for scanning selected ports.
Customizable scanner configurations
In addition to choosing the correct port list, customizable scanner configurations are crucial in optimizing your network scanning process. These configurations allow you to tailor your scans to meet specific needs. Here are some key customizable options to consider:
Scan intensity options
Adjusting scan intensity can impact the speed and thoroughness of your scans. You have predefined templates like Low, Medium, High, and Custom options. Let's explore each configuration:
- Low intensity: In low-intensity mode, your scans prioritize being polite to the network. It's slower but minimizes disruption, making it suitable for very sensitive environments.
- Medium intensity: Medium intensity strikes a balance between speed and thoroughness. It's a commonly used setting for general network scans.
- High intensity: High intensity is all about speed. It scans quickly but can be more disruptive, making it suitable for less sensitive environments.
- Intense: This mode takes scanning to the highest level of speed and discovery. This setting runs 15 processes in parallel (compared to High's 10), using the most aggressive options for both port and host discovery. Due to its aggressive nature, it is best suited for environments where impact on network performance is acceptable.
Important information
Intense mode is CPU-intensive. For optimized scan duration, we recommend using 6 CPU cores or more. This scan intensity should only be used on an extraordinarily fast network. Using this mode could result in some accuracy loss!
- Custom: You can manually change any of the preferences that make up our scan intensity templates. There are several preferences available:
Hosts to scan in parallel
This setting determines how many hosts are scanned simultaneously. Depending on your setup, you may have "External scanners" and "Scanner appliances" options. The settings are as follows:
- Low: Scan one host at a time.
- Medium: Scan up to 15 hosts in parallel.
- High: Scan up to 25 hosts simultaneously.
- Intense: Scan up to 25 hosts simultaneously.
Processes to run in parallel
To maximize efficiency, you can control the number of tests/plugins executed simultaneously on a host. The settings are as follows:
- Low: Run one test at a time.
- Medium: Run up to 4 tests at once.
- High: Run up to 10 tests simultaneously.
- Intense: Run up to 15 tests simultaneously.
Packet delay options
Packet delay represents the minimum time to wait between probes. This preference can affect scan performance. However, it is particularly useful in the case of rate limiting. These are the options:
- Low: 10 ms
- Medium: 100 ms
- High: 400 ms
- Automatic: 0 ms (no packet delay)
These configurations allow you to fine-tune your scanning process for optimal results, matching your network's characteristics and objectives while balancing speed and accuracy.
Host timeout
Customers can utilize the "Host Timeout (min)" parameter to specify a maximum time for each host to be scanned during the port discovery phase. If the scan duration for a particular host exceeds the specified timeout, the scan for that host will be terminated with no results returned.
This parameter allows customers to manage scan duration and ensure that the scan does not exceed their desired time frame. It is particularly valuable when dealing with large and potentially time-consuming scans involving UDP ports.
By properly planning and utilizing this parameter, you can effectively avoid excessive delays and disruptions during the scan, enhancing the overall efficiency of your network scanning process. These are the options:
- Low: 8 hours
- Medium: 5 hours
- High: 5 hours
- Intense: 5 hours
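The following added example, which is not part of the scanner or the original article, combines the packet delay, parallel-host and host-timeout values listed above into a lower-bound estimate for the port discovery phase, and flags combinations where a host would hit the timeout and return no results. It assumes one serial probe per port per host and that hosts are processed in equal-length batches; the function names are hypothetical.

```python
import math

# Template values as listed in this article.
HOSTS_IN_PARALLEL = {"low": 1, "medium": 15, "high": 25, "intense": 25}
HOST_TIMEOUT_HOURS = {"low": 8, "medium": 5, "high": 5, "intense": 5}
PACKET_DELAY_MS = {"low": 10, "medium": 100, "high": 400, "automatic": 0}

ALL_PORTS = 65_535  # per protocol, as stated in this article


def plan_port_discovery(hosts, ports_per_host, intensity, delay):
    """Lower-bound estimate for the port discovery phase.

    Assumption (not from the article): one probe per port, sent serially
    per host and separated by the packet delay. Round trips, retries and
    firewall time-outs are ignored, so real scans take longer.
    """
    per_host_s = ports_per_host * PACKET_DELAY_MS[delay] / 1000
    timeout_s = HOST_TIMEOUT_HOURS[intensity] * 3600
    # A host that exceeds the timeout is terminated with no results.
    exceeds = per_host_s > timeout_s
    # Assumption: hosts are scanned in batches of the parallel-host limit.
    waves = math.ceil(hosts / HOSTS_IN_PARALLEL[intensity])
    total_s = waves * min(per_host_s, timeout_s)
    return {
        "per_host_hours": round(per_host_s / 3600, 2),
        "exceeds_host_timeout": exceeds,
        "waves": waves,
        "total_hours": round(total_s / 3600, 2),
    }


def max_ports_within_timeout(intensity, delay):
    """Largest port count whose delay floor still fits the host timeout."""
    delay_ms = PACKET_DELAY_MS[delay]
    if delay_ms == 0:
        return None  # no delay floor; delay alone never reaches the timeout
    return HOST_TIMEOUT_HOURS[intensity] * 3600 * 1000 // delay_ms


if __name__ == "__main__":
    # Constructed scenarios: 60 hosts on the Medium template.
    for ports, delay in [(2 * ALL_PORTS, "high"), (2 * ALL_PORTS, "medium"), (1000, "high")]:
        print(ports, delay, plan_port_discovery(60, ports, "medium", delay))
    print("port budget at 400 ms:", max_ports_within_timeout("medium", "high"))
```

With a 400 ms packet delay, the delay alone makes a scan of all TCP and UDP ports exceed the 5-hour host timeout, so either the port list or the delay has to be reduced.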
Adaptation to different networks
To help you understand how the configurations mentioned in this article can be adapted to different scanning environments, here are a few practical examples:
- Large and medium-sized networks:
https://support.holmsecurity.com/knowledge/how-do-i-optimize-scans-for-large-medium-sized-networks
- A small amount of IP addresses:
https://support.holmsecurity.com/knowledge/how-do-i-optimize-scans-for-a-small-amount-of-ip-addresses
- Sensitive and hard-to-reach environments:
https://support.holmsecurity.com/knowledge/how-do-i-optimize-scans-for-sensitive-environments