Network Scan Coverage

Related Reading: Tenable Security Center Hardware Requirements and License Requirements in the General Requirements Guide

Most organizations have many types of technology on their network, which can complicate getting a clear picture (and total number) of the assets on your network. Your network may include assets with diverse hardware, operating systems, software, and infrastructure purposes.

Tenable Security Center is primarily an IP address-based tool; most Tenable Security Center data, scans, queries, and reports are based on asset IP addresses. The IP address count of assets on your network is the primary measure of data when discussing network size and licensing.

If you are new to Tenable Security Center, you should consider deploying Tenable Security Center to support more assets than you are currently tracking on your network. If you have an asset inventory from a different product, Tenable generally recommends increasing your total by 20-30% to account for previously unseen assets (e.g., unknown systems, untracked systems, and systems with multiple IP addresses in use). The exact increase varies, but 20-30% is a good starting point to estimate your network size.

Tip: You can also run discovery scans (for example, a scan configured with the Host Discovery template or a Tenable Nessus Network Monitor instance in discovery mode) to get a more accurate estimate of your actual IP address count.

Tenable Security Center Instance Configurations

After you estimate your network size, consider that a single instance of Tenable Security Center can support 150,000 to 200,000 IP addresses if properly deployed and scaled.

A tiered remote repository configuration uses remote repositories to share data between multiple Tenable Security Center instances.

  • For environments that support more than 100,000 hosts or multiple Tenable Security Center consoles, Tenable recommends Tenable Security Center Director to provide additional operational insight to your Tenable environment.

  • If you plan to support 100,000-249,999 hosts, Tenable recommends a tiered remote repository configuration.
  • If you plan to support 250,000 or more hosts, Tenable requires a tiered remote repository configuration.

Tiered Tenable Security Center instances perform informal roles in your overall Tenable Security Center deployment. Tenable recommends at least one designated reporting Tenable Security Center and an additional Tenable Security Center instance for every 100,000 to 150,000 hosts on your network.

For more information, see Tiered Deployments.
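
The sizing steps above can be worked through from an inventory export. The following Python sketch is an added example, not Tenable code: it deduplicates the exported addresses, applies the 20-30% increase, and maps the result to the tiering thresholds on this page. The function names and the sample inventory are hypothetical, and it assumes the estimated IP address count can stand in for the host count.

```python
import ipaddress

def unique_ip_count(entries):
    """Count distinct addresses; parsing collapses equivalent spellings."""
    return len({ipaddress.ip_address(e.strip()) for e in entries if e.strip()})

def planning_range(tracked, low_pct=20, high_pct=30):
    """Tracked count raised by 20-30%, rounded up with integer arithmetic."""
    def grow(pct):
        return (tracked * (100 + pct) + 99) // 100
    return grow(low_pct), grow(high_pct)

def tier_guidance(hosts):
    """Map a host estimate to the thresholds stated on this page."""
    if hosts >= 250_000:
        tiered = "required"
    elif hosts >= 100_000:
        tiered = "recommended"
    else:
        tiered = "none stated"  # the page gives no tiering guidance below 100,000
    guidance = {"tiered": tiered, "director": hosts > 100_000, "instances": None}
    if tiered != "none stated":
        # One additional instance per 100,000-150,000 hosts, plus one
        # designated reporting instance; ceiling division gives the bounds.
        fewest = -(-hosts // 150_000)
        most = -(-hosts // 100_000)
        guidance["instances"] = {"reporting": 1, "additional": (fewest, most)}
    return guidance

# Constructed sample export from another inventory product (assumption):
# it contains a duplicate row, stray whitespace, an empty row, and two
# spellings of the same IPv6 address.
SAMPLE_INVENTORY = [
    "10.0.0.5", "10.0.0.5", " 10.0.0.6", "192.168.1.10",
    "2001:db8::1", "2001:0db8:0000:0000:0000:0000:0000:0001", "",
]

if __name__ == "__main__":
    tracked = unique_ip_count(SAMPLE_INVENTORY)
    low, high = planning_range(tracked)
    print(f"tracked={tracked} plan for {low}-{high} IP addresses")
    # Evaluate the thresholds at the high end of the range (conservative choice).
    print(tier_guidance(high))
```

Evaluating the guidance at the high end of the planning range is a conservative choice made for this example; a discovery scan gives a better input than a padded inventory count.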

Active Scans

If you intend to perform active scanning, consider that Tenable Nessus scanner deployments are designed to be flexible to meet the unique needs of your network architecture. There are many ways to optimize Tenable Nessus coverage. For example, you could configure:

  • One scanner dedicated for one scan zone that covers a remote, low-bandwidth network area containing 50 IP addresses
  • Ten scanners dedicated for many scan zones that cover a flat network area containing 50,000 IP addresses

Tenable recommends customizing your Tenable Nessus scanner deployment to meet the unique needs of your network architecture. For more information, see Deployment Considerations in the Tenable Nessus User Guide.

For information about placing scanners, see Assessment Scanning Methods.