Network Scan Targets and Exclusions
In JSA Vulnerability Manager, you can provide information about the assets, domains, or virtual webs on your network that you want to scan.
You must have the correct license capabilities to perform the following scanning operations. If you need assistance to obtain a new or updated license key, contact Juniper Customer Support.
Use the Details tab on the Scan Profile Configuration page to specify the network assets that you want to scan.
You can exclude a specific host or range of hosts that must never be scanned. For example, you might restrict a scan from running on critical servers that are hosting your production applications. You might also want to configure your scan to target only specific areas of your network.
JSA Vulnerability Manager integrates with JSA by providing the option to scan the assets that form part of a saved asset search.
Scan Targets
You can specify your scan targets by defining a CIDR range, IP address, IP address range, or a combination of all three.
Domain Scanning
You can add domains to your scan profile to test for DNS zone transfers on each of the domains that you specify.
A host can use a DNS zone transfer request to obtain a full copy of the zone data for a domain. Zone transfer is a security issue because DNS data can be used to decipher the topology of your network. The data that is contained in a DNS zone transfer is sensitive, and therefore any exposure of the data might be perceived as a vulnerability. The information that is obtained might be used for malicious exploitation such as DNS poisoning or spoofing.
Scans That Use Saved Asset Searches
You can scan the assets and IP addresses that are associated with a JSA saved asset search.
Any saved searches are displayed in the Asset Saved Search section of the Details tab.
For more information about saving an asset search, see the Users Guide for your product.
Exclude Network Scan Targets
In the Excluded Assets section of the Domain and Web App tab, you can specify the IP addresses, IP address ranges, or CIDR ranges for assets that must not be scanned. For example, if you want to avoid scanning a highly loaded, unstable, or sensitive server, exclude these assets.
When you configure a scan exclusion in a scan profile configuration, the exclusion applies only to the scan profile.
Virtual Webs
You can configure a scan profile to scan different URLs that are hosted on the same IP address.
When you scan a virtual web, JSA Vulnerability Manager checks each web page for SQL injection and cross-site scripting vulnerabilities.
Excluding Assets from All Scans
In JSA Vulnerability Manager, scan exclusions specify the assets in your network that are not scanned.
Scan exclusions apply to all scan profile configurations and might be used to exclude scanning activity from unstable or sensitive servers. Use the IP Addresses field on the Scan Exclusion page to enter the IP addresses, IP address ranges, or CIDR ranges that you want to exclude from all scanning. To access the Scan Exclusion page:
Click the Vulnerabilities tab.
In the navigation pane, click Administrative > Scan Exclusions.
On the toolbar, select Actions > Add.
Note: You can also use the Excluded Assets section of the Vulnerabilities > Administrative > Scan Profiles > Add > Domain and Web App tab to exclude assets from an individual scan profile.
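To review what a profile will actually touch before it runs, the following added example (not JSA code) subtracts the profile's excluded assets and the global scan exclusions from the scan targets and returns the remaining addresses as CIDR blocks. The comma-separated input syntax, the hyphenated start-end range form, the IPv4-only handling, and all function names are assumptions made for this sketch.

```python
import ipaddress

def parse_spec(spec):
    """Parse 'CIDR, IP, start-end' entries (assumed syntax) into (first, last) integer pairs."""
    spans = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "-" in item:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start is after range end: {item}")
            spans.append((int(lo), int(hi)))
        else:
            net = ipaddress.IPv4Network(item, strict=False)  # a bare IP becomes a /32
            spans.append((int(net.network_address), int(net.broadcast_address)))
    return spans

def merge(spans):
    """Sort spans and join those that overlap or are adjacent."""
    out = []
    for lo, hi in sorted(spans):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def subtract(targets, excluded):
    """Remove every excluded span from the target spans; exclusions always win."""
    result, excluded = [], merge(excluded)
    for lo, hi in merge(targets):
        cur = lo
        for elo, ehi in excluded:
            if ehi < cur or elo > hi:
                continue  # this exclusion does not touch what is left of the target
            if elo > cur:
                result.append((cur, elo - 1))
            cur = max(cur, ehi + 1)
        if cur <= hi:
            result.append((cur, hi))
    return result

def effective_targets(targets, profile_excl="", global_excl=""):
    """Return the CIDR blocks still scanned after profile and global exclusions."""
    spans = subtract(parse_spec(targets), parse_spec(profile_excl) + parse_spec(global_excl))
    return [str(net) for lo, hi in spans for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))]

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(effective_targets("10.0.0.0/28, 10.0.1.10-10.0.1.12", "10.0.0.4-10.0.0.7", "10.0.1.11"))
```

An empty result means every target in the profile is covered by an exclusion, which is worth checking before assuming a scan gave coverage.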
Managing Scan Exclusions
In JSA Vulnerability Manager, you can update, delete, or print scan exclusions.
Click the Vulnerabilities tab.
In the navigation pane, click Administrative > Scan Exclusions.
From the list on the Scan Exclusions page, click the Scan Exclusion that you want to modify.
On the toolbar, select an option from the Actions menu.
Depending on your selection, follow the on-screen instructions to complete this task.