About Scan Distribution

Note: This feature is being deployed to customers in a rolling fashion. No special steps are required to enable the scan distribution feature. This document only applies to organizations that have this feature enabled.

Overview

Scan distribution is a feature of Tenable.io that improves scanning efficiency both for your organization’s scanners and for the cloud scanners that Tenable.io provides for the platform as a whole. For scanners that belong to your organization, scans are distributed as tasks across multiple scanners in the scanner group assigned to the scan, rather than an individual scanner being assigned a complete scan job. Similarly, scans that use the cloud scanners provided by Tenable are distributed as jobs across groups of scanners. Those jobs are broken down into tasks, which are then funneled down to scanners within the groups.

In both cases, this effectively allows multiple scans to run simultaneously, eliminating bottlenecks that might otherwise occur if scans were staggered one after another on individual scanners. As the requirements of your organization grow, scan performance will be less likely to degrade. Even when scans are assigned to a specific scanner, those scans are broken down into tasks that can be run simultaneously, allowing the scanner to complete the scan job more efficiently.

As tasks are completed, those results become immediately available to you. The results that were already obtained will not be lost if the scan is canceled. If for some reason a scanner crashes during the scan, or a problem is encountered with a target, the other tasks will be completed as normal.

How the Scan Distribution Feature Works

When scan jobs are created, the jobs are placed either directly in the job queue of a scanner (if that scanner was specified in the scan), or into the job queue of a scanner group.

Scanner Capacity

In order to determine efficiently how many tasks a scanner can process, scanners are assigned three types of capacities that Tenable.io considers when distributing scans.

Target Capacity

The target capacity for a scanner is the number of assets a scanner can actively scan simultaneously. This value is by default based on the hardware resources of the scanner, including the number of processors it has and the amount of memory available.

Task Capacity

The task capacity for a scanner is the number of tasks (parts of a scan) that a scanner can perform simultaneously. A scanner's task capacity is determined based on the target capacity.

Job Capacity

The job capacity for a scanner is the number of different jobs a scanner can include tasks from at once. In this way, scans can be performed asynchronously, and a scanner that has available capacity can complete multiple tasks even if those tasks are not derived from the same scan. Job capacity is always less than or equal to the task capacity so that when a scanner is at its job capacity, it will be able to complete tasks from every job.

Scanner Group Capacity

Similar to scanners, scanner groups also have a job capacity. Jobs at the scanner group level are broken down into tasks when there is available capacity. Tasks from those jobs can then be divided among the scanners in the group.

Job Queues

Before scan jobs are separated into tasks, they are queued.

Scanner Group Job Queues

Jobs are queued for a scanner group in the order those jobs are received. When the scanner group has available job capacity, the job that was earliest in the queue is broken down into tasks. That job will then be assigned to each of the scanners in the group, one scanner after another in succession (a “round robin” method). The tasks will be dispatched to the scanners that have been assigned the job.

Scanner Job Queues

The job queue for a scanner is also processed in the order the jobs enter the queue, regardless of the origin of a scan job.

For example, the job queue for a scanner may include scan jobs that were assigned directly to the scanner as well as jobs distributed to the scanner by the groups the scanner belongs to.

Dispatching Tasks

When a scanner has available capacity for tasks, it will poll for and be assigned additional tasks from the jobs that have filled the scanner’s job capacity. Tasks are assigned from each job in succession, in a round robin method, similar to the way jobs are assigned to scanners in a group.

The way the tasks are dispatched to scanners varies depending on the scenario.

Example Scenario: One Scanner with One Job

In this example, assume there is one scanner with a single job queued. This scanner is not a part of a scanner group and as such processes scan jobs one at a time in the order the jobs are queued. This scanner has a task capacity of six. When the job is broken down into tasks, six of those tasks are assigned to the scanner to be executed simultaneously. Tasks continue to fill the scanner’s task capacity until the scan job is completed.

Example Scenario: One Scanner with Multiple Jobs

In this example, assume there is one scanner with multiple jobs queued. The scanner belongs to two scanner groups, SG1 and SG2. Three scan jobs are created. The first scan was configured to use the scanner directly. The other two scans were configured to use SG1 and SG2, respectively.

Because the first scan job was configured to use that particular scanner, it is added to the scanner’s job queue. In the case of SG1 and SG2, the scanner happens to be next in the order of scanners to receive jobs in both groups. The jobs from those groups are also added to the scanner’s job queue.

This scanner has a job capacity of three, so the scanner is able to be assigned tasks from all three jobs.

This scanner has a task capacity of five. Tasks are assigned to the scanner one at a time from each job in succession. In this case, tasks would be assigned in the following order: Job 1, Job 2, Job 3, Job 1, Job 2, filling the task capacity. Using this “round robin” method, the scanner begins working on two tasks from the first job, two tasks from the second job, and one task from the third job. When one of the tasks is completed, the next task from the third job is then dispatched.

Example Scenario: Multiple Scanners with Multiple Jobs

In this example, assume there are two scanners, Scanner 1 and Scanner 2. Both scanners are assigned to a scanner group, SG1. Both Scanner 1 and Scanner 2 have a job capacity of three.

Two scan jobs are created. Job 1 is assigned directly to Scanner 1. Job 2 is assigned to SG1. Both jobs are broken down into tasks. Job 1 will only be worked by Scanner 1. Job 2 can be worked by both Scanner 1 and Scanner 2.

Both Scanner 1 and Scanner 2 have a task capacity of six. Scanner 1 is assigned tasks one at a time from each job in succession, three from Job 1 and three from Job 2. Scanner 2 is assigned six tasks from Job 2.

Tasks for Job 2 are dispatched to Scanner 1 and Scanner 2 from SG1 as task capacity becomes available for the scanners. This process continues until both jobs are completed.
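The round robin dispatch in the two multi-job scenarios above can be reproduced with a small model. This is an added example, not Tenable.io code: the `Job` and `Scanner` classes, the task counts, and the choice to represent a group job as one `Job` object shared by both scanners are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Job:
    name: str
    pending: int  # tasks not yet dispatched; shared by every scanner on the job

class Scanner:
    def __init__(self, name, job_capacity, task_capacity):
        if job_capacity > task_capacity:
            raise ValueError("job capacity must not exceed task capacity")
        self.name = name
        self.job_capacity, self.task_capacity = job_capacity, task_capacity
        self.queue = deque()   # jobs waiting, first in first out
        self.active = deque()  # jobs holding job capacity, in round robin order
        self.running = []      # job name of each task currently executing

    def fill(self):
        """Admit queued jobs, then dispatch tasks round robin; return the order."""
        for job in [j for j in self.active
                    if not j.pending and j.name not in self.running]:
            self.active.remove(job)  # finished here: release its job slot
        while self.queue and len(self.active) < self.job_capacity:
            self.active.append(self.queue.popleft())
        order = []
        while (len(self.running) < self.task_capacity
               and any(j.pending for j in self.active)):
            job = self.active[0]
            self.active.rotate(-1)  # the next job gets the next turn
            if job.pending:
                job.pending -= 1
                self.running.append(job.name)
                order.append(job.name)
        return order

    def complete(self, job_name):
        """One running task of job_name finishes; refill the freed capacity."""
        self.running.remove(job_name)
        return self.fill()

def one_scanner_three_jobs():
    s = Scanner("Scanner", job_capacity=3, task_capacity=5)
    # Constructed input: four tasks per job.
    s.queue.extend(Job(f"Job {n}", pending=4) for n in (1, 2, 3))
    return s.fill(), s.complete("Job 1")

def two_scanners_one_group():
    # Constructed task counts, large enough to fill both scanners.
    job1, job2 = Job("Job 1", pending=10), Job("Job 2", pending=20)
    s1, s2 = Scanner("Scanner 1", 3, 6), Scanner("Scanner 2", 3, 6)
    s1.queue.extend([job1, job2])  # Job 1 direct, Job 2 via SG1
    s2.queue.append(job2)          # Job 2 via SG1
    return s1.fill(), s2.fill()
```

`one_scanner_three_jobs()` returns the initial dispatch order followed by what is dispatched once a Job 1 task finishes; `two_scanners_one_group()` returns the initial dispatch order for Scanner 1 and Scanner 2.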

Interacting with Scans

Because of the way the scan distribution feature breaks down scans into tasks that can be completed asynchronously, there is some nuance to the way you can interact with scans.

Scanner Groups

In order to take advantage of the scan distribution feature with your organization’s scanners, you should create scanner groups. Scanner groups maximize the efficiency of your scans by spreading out tasks across the individual scanners you assign to the group, rather than dedicating a single scanner to complete a whole job.

Scan Results

As tasks are being completed by scanners, you can view the scan results in Tenable.io. Each time a task is completed, the scan results will be updated with new data. If for some reason a scan fails or is interrupted, the scan results that were already accumulated will not be lost, although the scan will reflect that the process was not completed.

If a job is assigned to multiple scanners and one of those scanners happens to fail, the tasks dispatched to the other scanners will still be completed.

Stopping Scans

When you stop a scan, all tasks for that scan are terminated. Data gathered from any completed tasks will still be reflected in the results of the scan. You cannot stop individual tasks, only the scan as a whole.

Pausing Scans

When you pause a scan, all active tasks for that scan are paused. The paused tasks continue to fill the task capacity of the scanner that the tasks were assigned to. No new tasks will be dispatched from a paused scan job.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.