When I was growing up, my dentist had a sign that read, “You don’t have to brush all your teeth, just the ones you plan to keep.” I thought of that when talking to Qualys recently.
As we look ahead to IPv6, vulnerability scanning needs to be addressed. Old methods like sweeping IP ranges don’t work for IPv6: a single /64 subnet holds 2^64 addresses, so you cannot enumerate hosts by trying every address. Qualys’ current solution is for you to obtain a list of online IPv6-addressable devices yourself, input that into Qualys and then scan. There is currently no integration capable of pulling that information from a switch (neighbor tables) or another source like Forescout. I don’t currently use IPv6 or have Forescout looking at my external hosts; otherwise they might have had something I could alpha test.
The bigger concern I have is dual stack.
That always makes me think of Wendy’s (the Double Stack).
If a system has two IPv4 addresses, Qualys would normally charge for two IPs. That’s OK with servers, because there aren’t that many servers. They also plan to charge separately for scanning a host’s IPv4 address and its IPv6 address. For a dual-stack estate, that doubles the number of IPs I’m paying to scan. When you’re charged per IP, that isn’t acceptable.
They had two responses to that. Neither is good.
1. “You can only scan external hosts with IPv6.” I hadn’t picked that up from any of the information I’d seen. External scans from Qualys’ data center are much more expensive; I tend to scan from an onsite appliance. Apparently I won’t be able to do that for IPv6.
2. Services could be listening on IPv4 and not on IPv6, or vice versa. For internal systems, an authenticated scan inventories the host from the inside, so you’ll likely pick up everything regardless of which stack a service is bound to. But with an unauthenticated scan, you’re reliant on interrogating services over the network, and you only see what answers on the address you actually scanned. If you miss that vulnerable PHP-Nuke someone put on IPv6 only, that leads to the title line. You only have to vulnerability scan the systems you wish to not be compromised.
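Two pieces of the problem above lend themselves to a small script: building the “list of online IPv6 devices” Qualys wants from a switch-side neighbor cache, and checking a dual-stack host for services that answer on only one protocol. The following is an added example written for this post, not Qualys code and not any Qualys API; it assumes the Linux `ip -6 neigh show` output format, the neighbor lines below are constructed, and `probe_ports` is a plain TCP-connect check rather than anything the scanner does.

```python
"""Feed an IPv6 scanner a target list, and spot dual-stack gaps.

Added example for this post (not Qualys code). Assumes Linux
`ip -6 neigh show` formatting; sample data is constructed.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List, Set

# Constructed sample of `ip -6 neigh show` output, not captured from a real host.
SAMPLE_NEIGH = """\
2001:db8:10::15 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:10::20 dev eth0 lladdr 00:11:22:33:44:66 STALE
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:10::99 dev eth0  FAILED
2001:db8:10::15 dev eth0 lladdr 00:11:22:33:44:55 DELAY
ff02::1 dev eth0 lladdr 33:33:00:00:00:01 NOARP
"""

# Neighbor-cache states in which the kernel has seen the address respond.
LIVE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}


def live_global_targets(neigh_output: str) -> List[str]:
    """Turn `ip -6 neigh` text into a de-duplicated, sorted target list.

    Drops FAILED/INCOMPLETE entries, link-local addresses (fe80::/10, which an
    off-link scanner cannot reach anyway) and multicast groups. The result is
    the kind of 'known live hosts' list the scanner needs instead of a range.
    """
    targets: Set[ipaddress.IPv6Address] = set()
    for line in neigh_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            addr = ipaddress.IPv6Address(fields[0])
        except ipaddress.AddressValueError:
            continue  # not an address line
        if fields[-1] not in LIVE_STATES:  # state is always the last field
            continue
        if addr.is_link_local or addr.is_multicast:
            continue
        targets.add(addr)
    return [str(a) for a in sorted(targets)]


def probe_ports(addr: str, ports: Iterable[int], timeout: float = 1.0) -> Set[int]:
    """TCP-connect probe of one address over its own address family.

    This is a live network call (hypothetical helper for this example); the
    demo below uses constructed results so it runs offline.
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    found: Set[int] = set()
    for port in ports:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((addr, port))
                found.add(port)
            except OSError:
                pass
    return found


def stack_mismatch(v4_open: Set[int], v6_open: Set[int]) -> Dict[str, List[int]]:
    """Ports reachable on only one side of a dual-stack host.

    Anything under 'ipv6_only' is invisible to an unauthenticated scan that
    was pointed at the IPv4 address alone, and vice versa.
    """
    return {
        "ipv4_only": sorted(v4_open - v6_open),
        "ipv6_only": sorted(v6_open - v4_open),
        "both": sorted(v4_open & v6_open),
    }


def demo() -> Dict[str, List[int]]:
    """Constructed dual-stack host: SSH and HTTPS on both stacks, a legacy
    HTTP listener bound to IPv4 only, and a web app bound to IPv6 only."""
    v4_open = {22, 80, 443}
    v6_open = {22, 443, 8080}
    return stack_mismatch(v4_open, v6_open)


if __name__ == "__main__":
    print("IPv6 targets:", live_global_targets(SAMPLE_NEIGH))
    print("Dual-stack gaps:", demo())
    # For a real host, replace demo() with:
    # stack_mismatch(probe_ports("192.0.2.10", range(1, 1025)),
    #                probe_ports("2001:db8:10::15", range(1, 1025)))
```

Run against a real switch or router, the neighbor dump would come from `ip -6 neigh show` (or the equivalent table on the device), and the two `probe_ports` calls would target the host’s A and AAAA addresses with the same port list; any port that lands in `ipv6_only` is exactly the IPv6-only PHP-Nuke case the IPv4-only scan would never see.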