Appendix A: Network Scan Recommendations
This section lists the AppViewX-recommended best practices for making network scans run through cloud connectors yield more accurate results, which in turn supports a more secure and compliant network infrastructure and appropriate measures for mitigating potential risks.
Selecting Ports for Scanning
- Commonly, the ports 443 and 8443 are used for scanning. Additional ports identified at the time of your onboarding can be added to the list.
- If a list of specific ports cannot be identified, a standard port scan is the next best recommendation.
- While an all-ports scan can also be used, it can be time-consuming and place a significant load on the infrastructure. AppViewX recommends scanning fewer ports so that the scan completes sooner and with less load on the infrastructure.
- When scanning larger subnets, for example a /16, throttle the scan by splitting the subnet into smaller batches; for example, split the /16 into its /24 equivalents.
Configuring the AppViewX Cloud Connectors’ Infrastructure
- For production environments, it is recommended to have two cloud connectors per datacenter. This enables high availability within a datacenter as well as across all datacenters in the environment.
- Enable strict routing for the cloud connectors within the same datacenter so traffic can be optimally routed between the cloud connectors.
- For scanning more than 100 subnets within a span of 24 hours, allocate additional computing resources by provisioning one cloud connector for every 100 subnets (so there will be a total of 1000 IPs across the subnets).
Setting Batch Limits for Network Discovery
For network discovery, 10K is the maximum recommended batch limit.
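The three sizing rules above (split a /16 into /24 batches, keep each discovery batch within the 10K limit, and plan one cloud connector per 100 subnets scanned in 24 hours) can be turned into a small planning helper. The following is an added example written for this appendix, not AppViewX product code or an AppViewX API; the function names, the sample target ranges, and the choice to never plan fewer than the two connectors recommended per datacenter are assumptions made for the illustration.

```python
import ipaddress
from math import ceil

# Constructed planning helper (not AppViewX code). The constants come from the
# recommendations above: a 10K-address batch limit for network discovery and
# one cloud connector per 100 subnets scanned within 24 hours.
MAX_BATCH_ADDRESSES = 10_000
SUBNETS_PER_CONNECTOR = 100
MIN_CONNECTORS_PER_DC = 2  # assumption: keep the HA pair recommended per datacenter


def split_to_24(cidr, target_prefix=24):
    """Split a subnet larger than the target prefix (e.g. a /16) into
    /24-sized pieces. Subnets at or below the target size are returned as-is."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= target_prefix:
        return [net]
    return list(net.subnets(new_prefix=target_prefix))


def plan_batches(cidrs, max_addresses=MAX_BATCH_ADDRESSES):
    """Group the split subnets into discovery batches whose total address
    count stays within the batch limit. Returns a list of batches, each a
    list of ip_network objects, preserving the input order."""
    batches, current, count = [], [], 0
    for cidr in cidrs:
        for net in split_to_24(cidr):
            # Close the current batch before it would exceed the limit.
            if current and count + net.num_addresses > max_addresses:
                batches.append(current)
                current, count = [], 0
            current.append(net)
            count += net.num_addresses
    if current:
        batches.append(current)
    return batches


def connectors_needed(subnet_count, per_connector=SUBNETS_PER_CONNECTOR,
                      minimum=MIN_CONNECTORS_PER_DC):
    """Cloud connectors for scanning subnet_count subnets within 24 hours,
    never fewer than the HA minimum."""
    return max(minimum, ceil(subnet_count / per_connector))


if __name__ == "__main__":
    # Constructed sample targets: one /16 plus two smaller ranges.
    targets = ["10.0.0.0/16", "192.168.1.0/24", "172.16.0.0/22"]
    batches = plan_batches(targets)
    total = sum(len(batch) for batch in batches)
    print(f"{total} subnets in {len(batches)} batches; "
          f"{connectors_needed(total)} cloud connectors recommended")
```

With the sample targets the /16 alone yields 256 /24s, so the plan lands at 261 subnets in 7 batches of at most 39 /24s each and 3 cloud connectors.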
Setting the Scanning Intensity
During a network scan, the AppViewX Network Plugin sends a number of packets to each IP address configured for the network scan. The load on the target network can be controlled by selecting a scanning intensity from the range 1 to 12.
Scanning intensity 1 to 4
Scanning intensities between 1 and 4 are designed to scan fewer than 250 ports or, for larger networks, common SSL ports such as 443 and 8443.
For a larger network, these intensities can take up to several days to complete scanning, especially if an all-ports scan is triggered.
Scanning intensity 5 to 12
Scanning intensities between 5 and 12 are designed for scanning standard ports and all ports. For these higher intensities, the number of network connections increases, which then decreases the time required for scanning.
Optimizing the Load Factor
For handling increased loads, it is preferable to adopt horizontal scaling by adding more cloud connectors. The requests are then handled using the round robin allocation method across all the available cloud connectors.
Example: For a load of 140K subnets, it is recommended to add one cloud connector for scanning each set of 17.5K subnets. Since a standard-ports scan and an all-ports scan yield nearly identical results, and a standard-ports scan is 7x faster, it is proposed to run the scan in two phases: phase 1 will cover the standard ports and phase 2 will cover all ports.
Cloud connector distribution across datacenters will be decided based on your IP distribution across those datacenters.
To reduce network latency, more datacenters (and cloud connectors) should be added based on your subnet topology.
