Scan Zones in Active Scanning

Related Reading: Scan Zones in the Tenable Security Center User Guide

A complete active scan configuration includes a scan zone, which associates one or more scanners with a specific area of your network. Scans of IP addresses within a zone are load balanced between the scanners assigned to that zone. You can customize this to support your unique network topology. For example, you could:

  • Create one zone per business unit and add one scanner to each zone.
  • Create one large zone and add multiple scanners to the zone.
  • Create a zone for an isolated network (a network isolated by a low bandwidth or high latency connection), add one scanner to the zone, and deploy the scanner inside the isolated network.

Scan zones are crucial to the success of an enterprise Tenable Security Center deployment. Assigning scanners to scan zones restricts the scanners to scanning their own limited portion of the network, avoiding issues created by scanning through firewalls or across WAN links.

Deployment Examples

You can specify scan zone IP addresses as a single IP address, a range of IP addresses, or subnets in CIDR notation so that you can segment scanning on your network by logical group, physical location, or IP address range.

In general, multiple scanners are most efficient in large, flat networks where Tenable Security Center can automatically distribute the scan load across your scanners. Large organizations commonly deploy several scanners in their core network and additional scanners in more segregated or remote networks. You can also design a mixed architecture to suit your unique network infrastructure.

Optimal deployments vary depending on your network and the needs of your organization; there is no one-size-fits-all deployment methodology.

For example, two regional banks with 30 physical sites may have different optimal deployments:

  • Bank A: deploys five scanners internally at a data center and performs scans only over the network links.
  • Bank B: deploys one scanner at each physical site.

Furthermore, there is no optimal recommendation based on network size:

  • Customer A: deploys 40 Tenable Nessus scanners to scan a total of 300,000 IP addresses
  • Customer B: deploys 300 Tenable Nessus scanners at 300 physical sites with local scanner requirements to scan a total of 37,000 IP addresses

Recommendations for Large Enterprise Deployments

In large enterprise deployments, Tenable recommends:

  • Adding, at minimum, one scanner for every 5,000 active IP addresses in a zone
  • Adding a single scanner to a single zone. Tenable does not recommend adding a scanner to multiple zones.
  • Disabling automatic scan distribution if your scan zones contain overlapping IP addresses
  • Disabling automatic scan distribution if you are scanning any of your IP addresses from scanners located both inside and outside your network and storing the IP address data in multiple repositories
  • Using Tenable Security Center Director to monitor scan zone configurations across multiple scanning tiers or independent Tenable Security Center instances
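The zone notations described under Deployment Examples and the sizing and overlap recommendations above can be checked before a configuration is entered. The following is an added illustration written for this page; it is not Tenable code and does not call the Tenable Security Center API. It assumes a hand-written dictionary of zones whose ranges use the three notations the page names (a single IP address, a dash-separated range, or a CIDR subnet) plus a list of assigned scanner names, and it reports zones that fall short of one scanner per 5,000 addresses, ranges that overlap between zones (the case in which automatic scan distribution should be disabled), and scanners assigned to more than one zone. The sample zones and scanner names are constructed.

```python
"""Lint hand-written scan-zone definitions (added example, not Tenable code).

Zone ranges use the notations the page names: '10.0.0.5',
'10.0.0.1-10.0.0.254' or '10.0.0.0/24'.  Scanner names are arbitrary
labels; nothing here talks to a Tenable Security Center instance.
"""
import ipaddress
import math

IPS_PER_SCANNER = 5000  # page guideline: at least one scanner per 5,000 active IPs


def parse_range(text):
    """Return (first, last) as integers for one zone entry."""
    text = text.strip()
    if "/" in text:  # CIDR subnet
        net = ipaddress.ip_network(text, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if "-" in text:  # dash-separated range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if int(lo) > int(hi):
            raise ValueError(f"range start after end: {text}")
        return int(lo), int(hi)
    addr = ipaddress.ip_address(text)  # single address
    return int(addr), int(addr)


def zone_ranges(zone):
    return [parse_range(r) for r in zone["ranges"]]


def address_count(zone):
    """Addresses the zone covers, merging entries that overlap within the zone."""
    total, cur_lo, cur_hi = 0, None, None
    for lo, hi in sorted(zone_ranges(zone)):
        if cur_lo is None:
            cur_lo, cur_hi = lo, hi
        elif lo <= cur_hi + 1:  # adjacent or overlapping: extend the current span
            cur_hi = max(cur_hi, hi)
        else:
            total += cur_hi - cur_lo + 1
            cur_lo, cur_hi = lo, hi
    if cur_lo is not None:
        total += cur_hi - cur_lo + 1
    return total


def scanners_needed(zone):
    return max(1, math.ceil(address_count(zone) / IPS_PER_SCANNER))


def find_overlaps(zones):
    """Pairs of zones whose ranges intersect, with the shared span as text."""
    hits = []
    names = sorted(zones)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for alo, ahi in zone_ranges(zones[a]):
                for blo, bhi in zone_ranges(zones[b]):
                    lo, hi = max(alo, blo), min(ahi, bhi)
                    if lo <= hi:
                        span = f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}"
                        hits.append((a, b, span))
    return hits


def find_shared_scanners(zones):
    """Scanners assigned to more than one zone (the page advises against this)."""
    seen = {}
    for name, zone in zones.items():
        for scanner in zone["scanners"]:
            seen.setdefault(scanner, []).append(name)
    return {s: sorted(z) for s, z in seen.items() if len(z) > 1}


def lint(zones):
    """Human-readable findings for the three checks."""
    findings = []
    for name, zone in sorted(zones.items()):
        need, have = scanners_needed(zone), len(zone["scanners"])
        if have < need:
            findings.append(f"{name}: {address_count(zone)} addresses need >= {need} scanners, has {have}")
    for a, b, span in find_overlaps(zones):
        findings.append(f"{a}/{b}: ranges overlap on {span}; disable automatic scan distribution")
    for scanner, names in find_shared_scanners(zones).items():
        findings.append(f"{scanner}: assigned to multiple zones {names}")
    return findings


# Constructed sample: three zones using all three notations and a shared scanner.
SAMPLE_ZONES = {
    "hq-core": {"ranges": ["10.0.0.0/16", "192.168.10.1-192.168.10.254"],
                "scanners": ["scanner-01", "scanner-02"]},
    "branch-east": {"ranges": ["10.0.200.0/24", "172.16.5.7"],
                    "scanners": ["scanner-03"]},
    "dmz": {"ranges": ["203.0.113.0/24"], "scanners": ["scanner-02"]},
}

if __name__ == "__main__":
    for line in lint(SAMPLE_ZONES):
        print(line)
```

Run against the constructed sample, the linter reports that `hq-core` (65,790 addresses) would need 14 scanners under the 5,000-per-scanner guideline, that `hq-core` and `branch-east` overlap on `10.0.200.0-10.0.200.255`, and that `scanner-02` is assigned to two zones. The address count merges overlapping entries inside a single zone so that a subnet listed twice in different notations is not double-counted.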