Installation guide

When in “selectable” mode, at scan time, the zones associated with the Organization and “default” are available to the
user. When a scan is configured to use a specific zone in either selectable or forced mode, the zone’s ranges are ignored
and any IPs in the managed ranges for that user will be scanned by the Nessus scanners associated with the chosen
zone.
When a scan is configured to use the “default” zone, the targets for the scan will be given to scanners in the most
appropriate zone available based on the zone’s specified ranges (20K character limit). This facilitates optimal scanning
and is very useful if an Organization has devices placed behind a firewall or NAT device and has conflicting RFC 1918
non-internet-routable address space with another Organization. In addition, some Organizations may benefit from the
ability to override their default scanner(s) with one(s) from a different zone. This allows an Organization to more easily run
internal and external vulnerability scans.
Sometimes forcing a scan to use a “non-ideal” scanner is helpful to analyze the vulnerability stance from a new
perspective. For example, setting the default scanner to an external one allows you to see the attack surface
from an external attacker’s perspective.
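
The zone selection described above can be modelled in a few lines of Python. This is an added example, not code from the guide or from Tenable. The zone names, ranges and scanner names are constructed, and "most appropriate" is assumed to mean the zone with the most specific matching range, which the guide does not define.

```python
import ipaddress

# Constructed sample zones; names, ranges and scanner names are illustrative.
ZONES = {
    "internal-dc": {"ranges": ["10.0.0.0/8"], "scanners": ["nessus-int-1"]},
    "internal-lab": {"ranges": ["10.20.0.0/16"], "scanners": ["nessus-lab-1"]},
    "external": {"ranges": ["0.0.0.0/0"], "scanners": ["nessus-ext-1"]},
}

def best_zone(ip, zones):
    """Return the zone whose range contains ip with the longest prefix, or None.

    Longest-prefix matching is an assumption standing in for "most appropriate".
    """
    best, best_len = None, -1
    for name, zone in zones.items():
        for cidr in zone["ranges"]:
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def assign_targets(targets, managed_ranges, zone="default", zones=ZONES):
    """Map each in-scope target to the name of the zone that would scan it."""
    managed = [ipaddress.ip_network(r) for r in managed_ranges]
    plan = {}
    for t in targets:
        ip = ipaddress.ip_address(t)
        if not any(ip in m for m in managed):
            continue  # outside the user's managed ranges: not scanned
        if zone == "default":
            plan[t] = best_zone(ip, zones)  # routed by the zones' ranges
        else:
            plan[t] = zone  # specific zone chosen: its ranges are ignored
    return plan

if __name__ == "__main__":
    targets = ["10.20.5.9", "10.1.1.1", "192.0.2.10", "172.16.0.5"]
    managed = ["10.0.0.0/8", "192.0.2.0/24"]
    print(assign_targets(targets, managed))              # default zone
    print(assign_targets(targets, managed, "external"))  # forced external view
```

Forcing the `external` zone sends even the 10.x targets to the external scanner, which is the "non-ideal" perspective the text describes.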
An example Scan Zone configuration screen capture is displayed below:

Passive Vulnerability Scanners

Tenable’s Passive Vulnerability Scanner (PVS) is a patented network discovery and vulnerability analysis software
solution that delivers real-time network profiling and monitoring for continuous assessment of an organization’s security
posture in a non-intrusive manner. The PVS monitors network traffic at the packet layer to determine topology, services,
and vulnerabilities. Where an active scanner takes a snapshot of the network in time, the PVS behaves like a security
motion detector on the network.