What are the general requirements and practices for scanning large networks?
With the network scan product, you can scan networks up to a /16 (Class B) in one schedule.
When you select a network scan target larger than a /20, the system identifies this automatically and splits the scan into several runs for optimal performance; the runs are executed in parallel from different scanner appliances.
Under normal circumstances, a single Scanner Appliance can handle a scan of 4096 IP addresses on its own.
If your potential targets exceed this number, we recommend installing more scanner appliances and connecting them through a group. That way, multiple scanner appliances share the workload and handle larger networks in separate runs.
Requirements for scanning large networks:
If you are performing an internal scan on a larger network, you need the correct number of scanner appliances to support the scans. The recommendation is one appliance per 4096 addresses, placed in a group so that the load is split among them and you get the best performance from your scan.
You can find information on how to configure a group here:
https://support.holmsecurity.com/knowledge/how-do-i-set-a-group-for-a-scanner-appliance
Best practices and examples:
Depending on what you are trying to scan, there are several options to consider. Below are some examples of targets typical for many environments.
Example /16 network:
- You choose a network scan target that includes a /16 network.
- The system identifies this as a larger IP range and performs an automatic split into several scans.
- The initial /16 network is divided into 16 scan jobs, each running against one /20 network.
- The 16 scan jobs are executed in parallel for optimal performance, and results are returned per /20 network as each job finishes.
- If you target a /16 network, you should have 16 appliances working together (Class B = 65536 addresses, divided by 16 = 4096 addresses per appliance).
Example /20 network:
- You choose a network scan target that includes a /20 network.
- If you run a scan on a probe group and the scanned network is a /20 or smaller, it runs on a single probe from that group, the least-loaded one.
- If, on the other hand, you manually divide that /20 network into, for example, two /21 networks or four /22 networks and run them as two or four separate scans on the scan group, execution is much more efficient: because they are separate scans, they are distributed between the probes within the group.
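To make the two examples concrete, here is an added Python sketch (not Holm Security's code) that applies the rules stated above: targets larger than a /20 are split into /20 runs, a /20 or smaller runs as one job unless you divide it manually, and one appliance is recommended per 4096 addresses. The function name `plan_scan` and the `manual_split_prefix` parameter are assumptions for illustration.

```python
import ipaddress
import math
from typing import Optional

# Figures stated in the article: one appliance handles 4096 addresses (a /20),
# and any target larger than a /20 is split automatically into /20 runs.
ADDRESSES_PER_APPLIANCE = 4096
AUTO_SPLIT_PREFIX = 20


def plan_scan(target: str, manual_split_prefix: Optional[int] = None) -> dict:
    """Describe how a network target is divided into scan runs.

    - larger than /20: automatic split into /20 runs (parallel, one per appliance)
    - /20 or smaller: a single run on the least-loaded appliance, unless the
      operator splits it manually (manual_split_prefix) into smaller subnets
      so the runs can be spread across the group
    """
    net = ipaddress.ip_network(target, strict=False)
    if net.version != 4:
        raise ValueError("this planner covers IPv4 targets only")
    if net.prefixlen < 16:
        raise ValueError("targets larger than a /16 are not supported in one schedule")

    if net.prefixlen < AUTO_SPLIT_PREFIX:
        runs = list(net.subnets(new_prefix=AUTO_SPLIT_PREFIX))
        split = "automatic"
    elif manual_split_prefix is not None and manual_split_prefix > net.prefixlen:
        runs = list(net.subnets(new_prefix=manual_split_prefix))
        split = "manual"
    else:
        runs = [net]
        split = "none"

    return {
        "target": str(net),
        "split": split,
        "runs": [str(r) for r in runs],
        "parallel_runs": len(runs),
        # one appliance per 4096 addresses, rounded up
        "appliances_recommended": math.ceil(net.num_addresses / ADDRESSES_PER_APPLIANCE),
    }


if __name__ == "__main__":
    for tgt, prefix in (("10.0.0.0/16", None), ("10.0.0.0/20", None), ("10.0.0.0/20", 22)):
        print(plan_scan(tgt, prefix))
```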
If you wish to increase the efficiency of a scan, or of the individual runs of a large network scan, consider adding more cores and RAM (cores being the priority for performance) to each Scanner Appliance. After that, you can also raise the scan intensity in the scan profile to High.