Site creation scenarios

This section discusses "recipes" for sites to suit common needs. By selecting an appropriate template, assets, and configuration options, you can customize your site to suit specific goals.

Default settings

The default scan template is Full Audit without Web Spider.

This scan template gives you thorough vulnerability checks on the majority of non-Web assets. It runs faster than the scan template with the Web spider.

To check thoroughly for vulnerabilities, you should specify credentials. See Configuring scan credentials for more information.

As you establish your vulnerability scanning practice, you can create additional sites with various scan templates and change your Scan Engine from the default as needed for your network configuration.

Find out what you have: Discovery scan

Summary: The first step in checking for vulnerabilities is to make sure you are checking all the assets in your organization. You can find basic information about the assets in your organization by conducting a discovery scan. The application includes a built-in scan template for a discovery scan.

If there is an asset you do not know about that can be exploited, attackers can use that to bypass the Virtual Private Network (VPN) and corporate firewall, and launch attacks from within the local network. If you are new to your role, you might not already be aware of every asset you are responsible for securing. In any case, new assets are frequently added. You can conduct discovery scans to find and learn more about those assets, in preparation for developing an ongoing scanning program.

Your discovery scan may vary depending on your organization's network configuration. We recommend conducting a discovery scan on as wide a range of IP addresses as possible, in case your organization has items outside the typical range. Therefore, for the initial discovery scan, we recommend checking the entire private IPv4 address space (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) as well as all of the public IP addresses owned or controlled by the organization. Doing so will help you find the largest possible number of hosts. We recommend this certainly for organizations that actually make use of all the private address space, but also for organizations with smaller networks, to make sure they find everything they can.

Note: Scanning so many assets could take some time. To estimate how long the scans will take, see the Planning for capacity requirements section of the administrator's guide. In addition, a discovery scan can set off alerts through your system administration or antivirus programs; you may want to advise users before scanning.

To conduct the initial discovery scan in Nexpose:

  1. Create a new static site (see Adding assets to sites), including the following settings:
  2. Run a scan on this site.