Scan Guidance, Including EdgeConnect Flow Table Considerations

Scans are essential to ensuring the security of network infrastructure. Performing scans without full awareness of how a scan might impact network performance can result in degradation of the responsiveness of essential services. Use the guidelines below to perform scans that satisfy the security requirements of your environment while maintaining expected levels of network performance.

  • Use Approved Scanning Tools: Ensure that all scans are performed using tools approved by your organization’s Information Security (InfoSec) group.

  • Create Scan Policies:

    • Develop policies that specify which ports and protocols to scan, along with the frequency of scans.

    • Schedule scans during non-business hours, if possible.

    • Apply credentials to enhance scan depth and accuracy, as recommended.

    • Avoid scanning production systems without approval; obtain written approval before scanning live environments.

  • Prioritize and Target Authorized Assets: Confirm asset ownership and authorization before initiating scans. Prioritize which assets to scan and limit the number of flows created to avoid overwhelming EdgeConnect flow tables.

  • Use Firewall Protection Profiles: Limit the number of flows per IP address or zone to prevent runaway scans and maintain network stability.

  • Take Into Account EdgeConnect Flow Table Considerations: Do not run vulnerability scans at extreme rates across the WAN; instead, meter and constrain the number of concurrent flows to prevent network saturation. The EdgeConnect appliance flow table limit is the number of simultaneous connections it supports. See EdgeConnect SD-WAN for the EdgeConnect supported simultaneous connections specifications. Scanners can overwhelm these limits. Each port scanned on each endpoint is one flow. Scanning all TCP and UDP ports (approximately 65,000 per IP address) would result in approximately 130,000 flows. Consider using a process that combines full port scans with scans that target a specific set of ports and protocols.

  • Follow Scan Frequency Guidelines: Adjust the scan rate and speed appropriately. Align scan timing with infrastructure usage patterns to minimize performance impact. Adhere to the recommended cadence for full, differential, and targeted scans. For example, spread the load instead of running one bulky scan: scan 20% of several sites at a time rather than one entire site at once. For large sites, consider an on-site scanner that enables fast scanning without affecting the WAN.

  • Document and Report Critical Findings Immediately: Escalate high-risk vulnerabilities to InfoSec promptly, in accordance with your organization’s policies. Use a standardized reporting format.

  • Validate Scan Coverage: Cross-check scan scope against asset inventory to ensure completeness.

  • Review and Update Scan Configurations Regularly: Maintain alignment with evolving security policies and infrastructure changes.
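As an added example (not part of this guidance and not an EdgeConnect tool), the following Python planner applies the flow table arithmetic from the flow table and scan frequency bullets above: it treats each port on each endpoint as one flow, sizes scan rounds against an assumed flow budget, and deals hosts across sites so that no more than 20% of any one site is in flight in a single round. The 1,000,000 flow budget, the site host counts, and the "targeted" port counts are constructed placeholders; use your appliance's documented simultaneous connection limit and your own scan policy.

```python
"""Flow-budget planner for port scans across EdgeConnect sites (constructed example).
Each scanned port on each endpoint is one flow, so a full TCP+UDP scan of one IP
consumes roughly 130,000 flow-table entries; rounds are sized to stay under a budget."""
from math import ceil

# (tcp_ports, udp_ports); the "targeted" counts are constructed sample values,
# not a vendor recommendation.
PROFILES = {"full": (65535, 65535), "targeted": (100, 20)}


def flows_per_host(profile):
    """Flow-table entries one scanned host consumes under a profile."""
    tcp, udp = PROFILES[profile]
    return tcp + udp


def max_concurrent_hosts(profile, flow_budget):
    """Hosts scannable at once without exceeding flow_budget."""
    return flow_budget // flows_per_host(profile)


def round_flows(rnd, profile):
    """Concurrent flows a round {site: hosts} would open."""
    return sum(rnd.values()) * flows_per_host(profile)


def plan_rounds(sites, profile, flow_budget, site_fraction=0.2):
    """Split {site: host_count} into rounds within flow_budget, scanning at most
    site_fraction of any site per round; hosts are dealt round-robin across sites."""
    max_hosts = max_concurrent_hosts(profile, flow_budget)
    if max_hosts < 1:
        raise ValueError("budget %d cannot hold one %s host (%d flows)"
                         % (flow_budget, profile, flows_per_host(profile)))
    remaining = dict(sites)
    rounds = []
    while any(remaining.values()):
        cap = {s: min(remaining[s], ceil(sites[s] * site_fraction)) for s in sites}
        rnd = {s: 0 for s in sites}
        capacity, progress = max_hosts, True
        while capacity and progress:
            progress = False
            for s in sites:
                if capacity and rnd[s] < cap[s]:
                    rnd[s] += 1
                    capacity -= 1
                    progress = True
        for s in sites:
            remaining[s] -= rnd[s]
        rounds.append({s: n for s, n in rnd.items() if n})
    return rounds
```

With a 1,000,000 flow budget a full scan fits only 7 hosts per round, which is the point: a full port sweep of even a small branch must be metered, while a targeted profile of 120 ports fits thousands of hosts in the same budget.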