What are the general requirements and practices for scanning large networks?
With the scan network product, you can scan up to /16-networks (Class B) in one schedule.
When selecting a network scan target larger than a /20 network to perform a scan against, the system will automatically identify this and split up the scan into several runs for optimal performance, where scans will be run in parallel from different scanner appliances.
Requirements for scanning large networks
A Scanner Appliance can, under normal circumstances, handle a scan of 4096 IP addresses on its own.
If you exceed this number of potential targets, we recommend installing more scanner appliances and connecting them through a group. That way, multiple scanner appliances can share the workload and handle larger networks in separate runs.
If you are performing an internal scan on a larger network, you need the correct number of scanner appliances to support the scans. The recommendation is at least one appliance per 4096 addresses in a group, so the load is split among them and you get the best performance from your scan.
How do I group my scanner appliances?
You can find information on how to configure a group here:
https://support.holmsecurity.com/knowledge/how-do-i-set-a-group-for-a-scanner-appliance
Best practices and examples
Depending on what you are trying to scan, there could be several options to consider. Below, we provide some examples of targets typical for many environments.
Example /16 network:
- You choose a network scan target that includes a /16 network.
- The system identifies this as a larger IP range and performs an automatic split into several scans.
- From the initial /16 network, there will be a total of 16 scan jobs running against /20 networks based on the initial target /16 network.
- The 16 scan jobs will be executed in parallel for optimal performance and return results when finished per each /20 network.
- If you target a /16 network, you should have 16 appliances working together (a Class B network has 65536 addresses; 65536 divided by 16 = 4096).
Example /20 network:
- You choose a network scan target that includes a /20 network.
- If you run a scan on a scanner appliance group and the scanned network is /20 or smaller, it will be run on a single probe from that group, the one that is least loaded.
- If, on the other hand, you manually divide that /20 network into, for example, 2 /21 networks or 4 /22 networks and run these as 2 or 4 separate scans on a scan group, execution will be much more efficient: each is a separate scan, so they are distributed between the probes within the group.
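The two examples above, worked through as a small planning script. This is an added example, not Holm Security's code: it assumes the platform always splits targets larger than /20 into /20-sized runs (the page shows this for a /16) and applies the one-appliance-per-4096-addresses rule, and it lets you preview a manual split of a /20 into smaller runs.

```python
import ipaddress
import math
from typing import Optional

# Sizing rule from the article: one Scanner Appliance per 4096 addresses.
ADDRESSES_PER_APPLIANCE = 4096
# Assumption: targets larger than /20 are split into /20 runs by the platform.
AUTO_SPLIT_PREFIX = 20


def plan_scan(target: str, manual_prefix: Optional[int] = None) -> dict:
    """Return the runs a target would be split into and the appliances needed.

    manual_prefix: optional prefix length (e.g. 22) to emulate manually
    dividing a /20-or-smaller target into separate scans on a scan group.
    """
    net = ipaddress.ip_network(target, strict=False)
    if net.version != 4:
        raise ValueError("this planner only covers IPv4 targets")

    if net.prefixlen < AUTO_SPLIT_PREFIX:
        # Larger than /20: the platform splits it into parallel /20 runs.
        runs = list(net.subnets(new_prefix=AUTO_SPLIT_PREFIX))
    elif manual_prefix is not None and manual_prefix > net.prefixlen:
        # /20 or smaller: only a manual split spreads it over several probes.
        runs = list(net.subnets(new_prefix=manual_prefix))
    else:
        # /20 or smaller with no manual split: a single run on one probe.
        runs = [net]

    appliances = math.ceil(net.num_addresses / ADDRESSES_PER_APPLIANCE)
    return {
        "target": str(net),
        "runs": [str(r) for r in runs],
        "run_count": len(runs),
        "addresses": net.num_addresses,
        "appliances_recommended": appliances,
    }


if __name__ == "__main__":
    # Constructed sample targets (RFC 1918 space), not from the article.
    for tgt, pfx in [("10.0.0.0/16", None), ("10.0.0.0/20", None), ("10.0.0.0/20", 22)]:
        p = plan_scan(tgt, pfx)
        print(f"{p['target']}: {p['run_count']} run(s), "
              f"{p['appliances_recommended']} appliance(s) recommended")
```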
Scan faster with more hardware resources and higher intensity
If you want to increase the efficiency of a scan, or of the individual runs of a large network scan, consider adding more cores and RAM (cores being the priority for performance) to each Scanner Appliance. After that, you can also raise the scan profile's scan intensity to High.