Monthly & On-Demand Vulnerability Scanning FAQ

Information Assurance (IA) offers a free monthly and on-demand scanning service to units that would like regular scans of their networks without the cost of maintaining their own local scanning infrastructure. This service is an appropriate option for networks that are accessible from campus or where the scanner can be allowed through a firewall.

All networks, systems, databases, or applications that create, maintain, process, transmit, or store data classified as High or Restricted must be scanned monthly.

How is the monthly scanning and on-demand service different from the quarterly vulnerability scan performed by IA?

The quarterly vulnerability scan looks at the entire U-M network space from an external internet location. It is designed to test for a subset of vulnerabilities that are remotely exploitable, require no authentication, impact confidentiality or integrity, and are considered high or medium in severity. In addition, the quarterly scan only checks a list of commonly-observed ports to find services to test, and is performed from an internet address outside of the campus network (which limits the scanner's visibility). Since the quarterly scan is performed on a very large scale from the internet, it cannot provide as accurate a vulnerability assessment as one generated by a more local customized scan. By contrast, the monthly and on-demand scans, by default, run all safe tests available in our scanning tool, probe a much larger number of ports, and are conducted from a server on the campus network

Who can request monthly and on-demand scans

Staff eligible to request scans for their units from IA must be listed as an owner, administrator, or contact for the target network in the NetInfo database.

What can be scanned?

Any U-M-owned network can be scanned. Any type of host or device that is assigned an IPv4 address on the target network can be scanned, although the level of testing possible will depend on the specifics of the host. We do not offer IPv6 scanning or scanning of U-M-owned hosts that reside on non-U-M networks (such as at other universities or in third-party data centers).

Do my scans have to be monthly? What if I want more/less frequent scanning?

While most units choose to have scans recur monthly, you may request your scan to run one time or at any frequency you choose.

I have heard that scans sometimes cause problems on the hosts/networks targeted by the scanner. How can I reduce the risk of this happening?

Hosts sometimes react in unexpected ways when scanned. Scanning commonly causes a negative impact on:

  • Printers
  • Embedded web servers
  • Novell Netware devices
  • Firewalls with a "default allow" policy
  • Hosts that have a history of outages as the result of peaks in traffic

IA's default scan policy is configured to stop scanning hosts if the scanner identifies them as printers or Netware devices. For other types of devices listed above, the scan policy can be modified to scan more slowly overall or exclude specific IP addresses from the scan. Running one or more test scans during off-peak hours may help determine if there are hosts that will be adversely impacted. IA will work with subscribers to determine the best unit-specific scanning option.

My network is protected by a firewall. Can I still use the IA scanning service?

Yes! However, if you want the scanner to have full visibility into your network, you will need to add an exception for the scanner's IP address. A special policy will be developed for your scan that accounts for crossing the firewall, and testing will take place in advance of scheduling your scan to mitigate the risk of performance degradation while scanning.

I have very specific scan requirements. Can the scan be configured to meet those requirements?

The scan policy can be configured to your needs. When making your request for a new scan, include details of your requirements, and the analyst assigned to assist will determine whether they can be supported.

What scan policy does IA use when scanning?

A non-credentialed baseline policy is used as a starting point for new scans that enables all safe tests (plugins), discovers hosts with a TCP and ICMP ping scan, performs a TCP port scan and an SNMP scan, enables CGI scanning, and uses conservative defaults for most settings. From there, IA can configure the policy to fit your needs.

The default scan policy does not include credentialed scanning, compliance checks (such as for PCI-DSS), or web application tests. If you are interested in any of these options, be sure to note it in your scan request.

Is credentialed scanning supported? In what cases should a credentialed scan be used?

Credentialed scanning is supported. We recommend credentialed scans in cases where the impact of non-credentialed scanning to the network or host would be undesirable. Credentialed scans may also be preferred on hosts that have few ports/services open, or when determining the status of installed client software is a priority.

What do the scan results look like?

See a Sample IA Scan Report (actual IP addresses have been removed).

What should I do if I have a question or problem with my scan results?

For questions or help with troubleshooting, contact iia.vulnscans@umich.edu.