Here’s a tough question that follows me wherever I go, as a vulnerability management practitioner. Can Qualys scan a mainframe? I’m going to answer that question in a way that proves I probably should run for office someday. It depends what you mean by “scan.” I’ll also hedge by saying the appropriate first word in that sentence is “should,” rather than “can.”
Qualys can scan a mainframe but you may not like what you see
Qualys can scan a mainframe. It’s a TCP/IP device, so Qualys can absolutely query the ports and evaluate them. But what Qualys will see, and how accurate it’s going to be, is a problem.
Yes, I said the results may not be accurate. Under optimal conditions, Qualys is normally very accurate. But mainframes confuse it. Qualys isn’t designed to authenticate to a mainframe. You can try to fool it and set up an account on the mainframe and trick Qualys into trying to use Unix/Cisco authentication, but Qualys won’t know what commands to run. So it will probably flag it as an authentication failure, even if the logs say it did log in.
What’s worse, if you’re running some kind of Samba on your mainframe so that Windows hosts can swap data with it easily, Qualys will see the SMB ports open and try to log in with whatever Windows accounts it has. That authentication will fail, and somebody will be unhappy about it. Seeing those ports can also cause Qualys to misidentify the device, depending on what other ports are open. The only way to stop that from happening is to exclude the SMB ports, 137-139 and 445, from the scan.
If everything goes right, Qualys will recognize the mainframe for what it is and identify it properly, and present a few informational QIDs. But Qualys has precious few QIDs involving IBM mainframe technology, and most of them are very old.
Also, I said IBM. As far as I know, Qualys doesn’t even know about Unisys mainframes. Scanning a Unisys mainframe with Qualys shouldn’t break anything, but I’ve never had the opportunity to try it, so I can’t say for sure, and I have no idea what the results look like. Scan your Unisys beasts at your own risk.
Should Qualys scan a mainframe?
So should you scan your mainframe with Qualys? That’s a slightly tricky question.
On one hand, it’s a waste of a Qualys license. If you have licenses to spare, fine. But you’re burning a license and lengthening the time of your scan to get a small number of findings you can’t do anything about, and you’re probably making the mainframe system programmers mad.
If you’re running Linux in LPARs on the mainframe, Qualys can log into those and potentially make more sense of those, but the advice it gives may not be as complete as it would be for Linux running on x86.
On the other hand, if someone requires it due to a contract, you can scan your mainframe with Qualys and get a checkbox. You can even brag about how clean the scan is. The reaction you get from that brag will tell you a lot. If they’re impressed, it’s a checkbox. If they tell you not to patronize them, they also know it’s a checkbox.
Being able to speak halfway intelligently about mainframes is tough, because there’s not a lot of crossover these days between the mainframe world and the rest of IT. I encountered mainframes in college in the 90s, and even then, my friends at other colleges thought that was weird. There’s a book that can help. Being able to speak to mainframes and minis without making a fool of yourself is a good way to make yourself more indispensable.
And yes, the same advice holds true for minicomputers like an AS/400 or a DEC VAX. Qualys behaves the same way with those. And knowing that a minicomputer isn’t the same as a mainframe can help you save some of your credibility during a discussion, though as far as Qualys is concerned, minicomputers and mainframes inhabit the same world of devices it knows little about.
There’s no reason Qualys couldn’t support minicomputers and mainframes, and the question comes up from time to time. But the demand just isn’t there.
What to do instead of scanning your mainframes
Realistically, what I recommend you do instead of scanning your mainframes is to be prepared to prove the system is under maintenance. That probably means showing a copy of your maintenance contract to whoever is asking. Updates are generally part of your service agreement, and what you need to prove to your contractual partners is that your security is equivalent to theirs. If you’re under maintenance and they’re under maintenance, your security is equivalent. And that tells you more than the 3-5 lines you’re likely to get out of a Qualys scan.
And in this case it’s not like you have any choice, but this is an example where you volunteer only an unauthenticated scan. The authentication failures if you try to force it to authenticate will probably confuse and annoy everyone, and make it look like you’re covering something up.