Stop Scanning Through Firewalls—There is a Better Way
- Wade Alexandro
- Jun 22
- 3 min read
Quick tips for Layer2/VLAN Scanning
One of the most common concerns I hear when deploying scanners on client networks: "I like the scanner placement, but I'm worried about scanning through my firewalls." From previous clients' perspective, there is often concern that scanning through security devices can have a negative impact, potentially creating downtime in their production environment. During my career in cybersecurity, I have seen instances where clients attempted to scan through security devices (i.e., firewalls, routers with ACLs), and there were negative impacts to their environment. On several occasions, attempting to scan through security devices resulted in a denial of service. This caused downtime in the client's production environment and led to a loss of revenue.
While this is a valid concern, scanning still has to take place to detect vulnerabilities and secure the client's environment, and it has to happen continuously, because addressing vulnerabilities is an ongoing process rather than a one-time project. The risk of scanning through a stateful firewall is also quite specific: a scan of a few hundred hosts opens tens of thousands of short-lived sessions, which can fill the firewall's state table and stall legitimate traffic, and any IPS on the path will fire on the scanner's probes. Even when nothing breaks, the results describe the firewall's policy rather than the host: every port the firewall filters comes back closed or filtered regardless of what is actually listening behind it.
I recommend that clients implement Layer 2/VLAN scanning. Instead of sending scan traffic across the firewall, which can cause performance hits and skew results, connect the scanner to an 802.1Q trunk port and give it a tagged virtual interface, with an address, in each VLAN it needs to scan. The scan itself is still ordinary TCP, UDP and ICMP traffic, but it originates inside the target VLAN, so it stays at the switch level and never crosses the firewall or the inter-VLAN routing point.
Before enabling VLAN scanning, the Security and Network Administrators, together with the executive who will sponsor and approve the change, need to agree on the following:
The best time to scan devices
A good rule of thumb is to scan during low-traffic, non-production hours, but not inside scheduled maintenance or patching windows: a host that is mid-reboot or mid-patch will be missed or reported inconsistently, and a scan that overlaps a change makes any resulting outage hard to attribute to either one.
Review switch configuration and segmentation rules
Understanding where scan traffic can and cannot go is essential. This step defines the technical boundaries and prevents delays due to blocked access or misaligned expectations.
Validate scanner placement
Once targets and boundaries are known, determine where scanners should go to achieve full and efficient coverage. Poor placement leads to blind spots or wasted resources.
Coordinate access to VLANs or subnets
Now that placement is agreed upon, ensure the necessary network access is enabled. This step is critical for operationalizing the plan and requires tight coordination with network teams.
Align on scanning windows
With the setup in progress, now agree on when scans should run to avoid business disruptions. This reduces resistance and ensures the assessment doesn’t interfere with key operations.
Document responsibilities and approvals
Formalize what has been agreed upon (ownership, timing, access, and approvals) so the teams stay aligned and can refer back to those decisions as the project progresses.
Establish a shared escalation process
Once execution begins, unexpected issues may arise. Having a predefined process for resolving them quickly ensures continuity and reduces friction.
Review findings together
Finally, when the data is in, bring both teams together to validate results, clarify anomalies, and prioritize follow-up actions. This shared review ensures actionable, trusted outcomes.
Once the operational decisions have been agreed upon, the technical implementation of enabling and specifying VLANs on the security appliance needs to happen. This will be a collaborative effort that involves the security administrator and the network administrator:
Enabling VLAN tagging on the scanner
Configure the scanner to tag its traffic with the 802.1Q VLAN ID of each VLAN it will scan. On a Linux-based scanner this means one tagged sub-interface per VLAN, each with an address inside that VLAN's subnet; appliance scanners expose the same thing as a VLAN list on the scanning interface. This matters wherever segmentation is implemented with VLANs, because an untagged scanner only ever sees the native VLAN of the port it is plugged into.
Enable trunking on the switch to establish the trunked link with the scanner
Configure the switch port that connects to the scanner as an 802.1Q trunk. Restrict the trunk's allowed-VLAN list to exactly the VLANs being scanned, disable trunk negotiation (DTP) since the scanner does not speak it, and set the native VLAN to an unused VLAN so the scanner's untagged traffic never lands in a production segment. A trunk with no allowed-VLAN list carries every VLAN on the switch, which turns the scanner into a single device with a foothold in all of them; treat the scanner accordingly (separate management interface, restricted administrative access, credentials scoped to what the scan needs).
Specify which VLANs need to be scanned
Identify the specific VLANs to target, by VLAN ID or ID range depending on the scanner, and keep three things in agreement: the trunk's allowed-VLAN list on the switch, the tagged sub-interfaces on the scanner, and the target ranges in the scan policy. A VLAN that is present in only one of those places produces an empty result rather than an error, which is the usual origin of a "no host alive" finding.
Confirming host visibility and troubleshooting switch configuration as needed
If a VLAN comes back "no host alive", troubleshoot host visibility before concluding the segment is empty: confirm the scanner's sub-interface exists and carries the right tag, that the switch trunk allows that VLAN (show interfaces trunk), that tagged frames for the VLAN actually arrive at the scanner, and that the scanner can reach the VLAN's gateway. If connectivity checks out, look at the scanner's discovery settings: hosts with a local firewall that drops ICMP also show as dead unless discovery includes TCP or ARP probes, and ARP discovery is one of the real advantages of sitting in the same broadcast domain as the targets.
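The trunk and sub-interface configuration the steps above describe, as an added example that is not part of the original post: the switch side is Cisco IOS syntax, the scanner side is iproute2 on a Linux-based scanner, and the port name, VLAN IDs, addresses and interface names are hypothetical. The script only prints the configuration and the verification commands so they can be reviewed (and attached to the change approval) before anyone applies them.

```shell
#!/bin/sh
# Added example, not from the original post: print the switch-side and
# scanner-side configuration for an 802.1Q trunk to a Linux-based scanner,
# and the checks to run when a VLAN reports "no host alive".
# Hypothetical names: switch port Gi1/0/24, unused native VLAN 999, scanner
# NIC eth1, and one "vlanid:ip/prefix" scanner address per VLAN to scan.
# Nothing is applied: review the output, paste the interface block into the
# switch, and run the scanner lines as root.

# Usable VLAN IDs: 2-4094, skipping 1002-1005 (reserved on Cisco switches)
# and VLAN 1 (the default/native VLAN, which should not carry scan traffic).
valid_vlan() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 4094 ] || return 1
    [ "$1" -ge 1002 ] && [ "$1" -le 1005 ] && return 1
    return 0
}

# switch_config PORT NATIVE_VLAN VLAN... -> Cisco IOS trunk configuration.
# The allowed-VLAN list is the least-privilege control: a trunk without one
# carries every VLAN on the switch. "nonegotiate" disables DTP, which the
# scanner does not speak and which an attacker on the port could abuse.
# Older Catalyst platforms need "switchport trunk encapsulation dot1q" before
# "switchport mode trunk"; newer ones reject that line.
switch_config() {
    port=$1; native=$2; shift 2
    allowed=''
    for v in "$@"; do
        valid_vlan "$v" || { echo "invalid VLAN id: $v" >&2; return 1; }
        allowed="${allowed:+$allowed,}$v"
    done
    cat <<EOF
interface $port
 description vulnerability scanner trunk
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan $native
 switchport trunk allowed vlan $allowed
 spanning-tree portfast trunk
EOF
}

# scanner_config NIC VLANID:IP/PREFIX... -> iproute2 commands that give the
# scanner one tagged sub-interface per VLAN, addressed inside that VLAN.
scanner_config() {
    nic=$1; shift
    echo "modprobe 8021q"
    echo "ip link set $nic up"
    for spec in "$@"; do
        vid=${spec%%:*}; addr=${spec#*:}
        valid_vlan "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
        echo "ip link add link $nic name $nic.$vid type vlan id $vid"
        echo "ip addr add $addr dev $nic.$vid"
        echo "ip link set $nic.$vid up"
    done
}

# verify_commands NIC VLANID GATEWAY -> checks for a VLAN that came back
# "no host alive": is the tag configured, do tagged frames for that VLAN
# reach the scanner at all, and does the VLAN's gateway answer?
verify_commands() {
    nic=$1; vid=$2; gw=$3
    cat <<EOF
ip -d link show $nic.$vid | grep -q 'vlan protocol 802.1Q id $vid' || echo "no 802.1Q sub-interface for VLAN $vid on $nic"
timeout 15 tcpdump -c 1 -e -n -i $nic vlan $vid || echo "no tagged frames for VLAN $vid on $nic: check the trunk allowed list (show interfaces trunk)"
ping -c 2 -I $nic.$vid $gw || echo "gateway $gw unreachable in VLAN $vid: check the scanner address and that the VLAN is active"
EOF
}

# Hypothetical plan: scan VLANs 10 and 20 from switch port Gi1/0/24.
switch_config Gi1/0/24 999 10 20
scanner_config eth1 10:10.10.0.250/24 20:10.20.0.250/24
verify_commands eth1 10 10.10.0.1
```

Run the script, paste the interface block into the switch, then run the scanner-side lines as root. The verification lines split the "no host alive" case cleanly: if tcpdump sees no tagged frames for the VLAN, the problem is on the switch side (VLAN missing from the allowed list, or not active in the VLAN database); if frames arrive but the gateway does not answer, the scanner's address or the VLAN's routing is wrong; if both pass, the scan policy's discovery settings are the next thing to check.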
The result? Cleaner scans, less network disruption, and improved collaboration between security and network stakeholders. One caveat to keep in mind: a VLAN scan reports a host as its own segment sees it, not as an attacker outside the firewall sees it, so the two views answer different questions, and the L2 results should not be read as a statement about what the firewall exposes.