Issue:
What kind of network firewall openings need to be in place between scan nodes and hosts to be scanned?
What ports need to open for the Scan Node?
Resolution:
Any limitation to the visibility of the scanned host will result in fewer findings from network-based vulnerability scans. We recommend deploying scan nodes in the same private networks where the scan targets are present and allowing all incoming/outgoing traffic from the scan nodes. Only in this scenario can you detect, for example, unwanted services running on non-standard TCP/UDP ports.
However, there are additional network access requirements when using authenticated scanning, where the scan node needs to communicate with the scan targets and fetch data. Each of those methods has a default port that needs to be open, and these are documented in the online documentation:
See the paragraph starting with "Network access to" on the Windows page, Installing scan nodes (Windows) | Elements Vulnerability Management | 4.0 | WithSecure User Guides, and on the Linux page, Installing WithSecure Elements VM scan nodes (Linux) | Elements Vulnerability Management | 4.0 | WithSecure User Guides.
The TCP port used is 443, and in the default configuration the traffic is OUTBOUND (from the SNA's point of view).
To summarize: the network access requirement depends on the selected authenticated scan method and is listed below using the default TCP ports (note that the TCP ports used may be configured differently in your environment).
1. WinRM based authenticated scanning: either the WinRM port 5985/TCP (HTTP) or 5986/TCP (HTTPS) needs to be open (INBOUND) on the scan targets.
2. RPC based authenticated scanning: TCP/135 needs to be open (INBOUND) on the scan targets.
3. SSH based authenticated scanning: TCP/22 needs to be open (INBOUND) on the scan targets.
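As an added pre-flight check (example code, not part of the WithSecure product or documentation), the following Python script can be run from the scan node to confirm that the default inbound port(s) for the chosen authenticated scan method answer on a target; the ports argument covers environments that use non-default ports, and the local listener in self_test is a constructed stand-in for a real target.

```python
"""Pre-flight reachability check, run from the scan node, for the inbound
TCP ports each authenticated scan method needs on a target. Defaults follow
the article; pass 'ports' when your environment uses other ports."""
import socket
from typing import Dict, Iterable, Optional, Tuple

# Default TCP ports per authenticated scan method, as listed above.
DEFAULT_PORTS: Dict[str, Tuple[int, ...]] = {
    "winrm": (5985, 5986),  # HTTP or HTTPS listener; one of the two suffices
    "rpc": (135,),
    "ssh": (22,),
}

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes within the timeout.
    Refused or timed-out means a firewall block or no service listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_target(host: str, method: str, ports: Optional[Iterable[int]] = None,
                 timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every candidate port for the chosen method and report each."""
    method = method.lower()
    if method not in DEFAULT_PORTS:
        raise ValueError(f"unknown authenticated scan method: {method}")
    candidates = tuple(ports) if ports is not None else DEFAULT_PORTS[method]
    return {p: tcp_reachable(host, p, timeout) for p in candidates}

def method_ready(results: Dict[int, bool]) -> bool:
    """A method is usable when at least one of its ports answers (WinRM has
    two candidates; RPC and SSH have one)."""
    return any(results.values())

def self_test() -> Dict[int, bool]:
    """Constructed offline demo: a throwaway listener on an ephemeral local
    port stands in for a scan target (not a real target port)."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return check_target("127.0.0.1", "winrm", ports=[port])

if __name__ == "__main__":
    print(self_test())
```

Run it as `python3 check_ports.py <target> <method>` after adding argument parsing, or import check_target into your own tooling; a False result for every port means the INBOUND opening for that method is missing.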
Important!
Regarding firewall access, scan nodes need unrestricted access to the IP addresses associated with *.fsapi.com. A good example is the active test for the Log4j vulnerability, which requires the scan node to reach a call-back server hosted by WithSecure.