Difference between Agent-based and Network-based Internal Vulnerability Scanning

Agent-based and network-based internal vulnerability scans are the two main approaches to finding weaknesses on an organisation's internal network before an attacker does. Through such scanning, IT teams can discover, report, and remediate security vulnerabilities found in a company's internal networks.


If you are looking to choose and deploy an internal vulnerability scanner, this is the right place. Read on to understand the difference between the two scanning approaches and make the right decision for your organisation.

 

What is a Network-based vulnerability scanner?

A network-based vulnerability scan, in simple terms, is the process of probing hosts over the network to identify weaknesses in a computer network or its IT assets that attackers could exploit.

Through this process you can identify your organisation's current risks, verify the effectiveness of your systems' existing security controls, and improve both internal and external defences.

Such a review also equips an organisation to build an extensive inventory of its systems, including operating systems, installed software, security patches, hardware, firewalls, anti-virus software, and more.

How does a Network-based vulnerability scan work?

In a nutshell, a network-based scanner sends probes to each target, fingerprints the operating system and the services answering on open ports from their responses (banners, protocol behaviour and, when credentials are supplied, package listings), and checks the identified versions against a vulnerability database to find unpatched software that needs fixing before it is exploited. For firewalls, the scan shows which well-known ports are reachable from the scanner's position on the network, and therefore which exposed services should be closed off or restricted.

Network-based vulnerability scanning can be divided into two parts: internal and external scanners. 

 

1. Internal Vulnerability Scanning:

These scanners are designed to expose weaknesses in internal systems, covering a range of scenarios that an external scanner never sees. An example:

Suppose a company laptop runs an outdated browser. The browser never listens on the network, so a perimeter scan cannot see it, yet it becomes an entry point the moment the user is lured to a malicious website. Other internal weaknesses include vulnerable services exposed on internal ports, such as SMB.

How easily internal networks can be reached depends on how they are configured. Therefore, the first step should be to map the organisation's systems and classify them by the data they hold and the access they require.

 

2. External Vulnerability Scanning:

External vulnerability scanners, more commonly known as perimeter scanners, are as vital as internal ones. As the name suggests, they scan for the vulnerabilities visible from outside the organisation, the attacker's view. A few years ago such scanners were limited to external network infrastructure, which has always been in scope for attackers.

Today, however, many breaches begin with web application flaws, sometimes chained with network-layer vulnerabilities. Organisations must keep abreast of these changes and include their web applications in external scanning so that they are secured against external attackers.



 

Common elements of Network-based vulnerability scanners

1. Vulnerability databases: 

The database is the core of the scanner: it holds the list of known vulnerabilities together with the checks used to test a system for each of them.

 

2. User configuration tools: 

Users select the target systems and choose which vulnerability checks the scanner should run against them.

 

3. Scanning engines: 

The scanning engine is the heart of the scanner: it sends probe packets to the target systems and interprets the responses to determine which vulnerabilities are present, which are then reported back to the user.

 

4. Data of current and previous scans: 

This element is the scanner's memory: it records current scans and the vulnerabilities they discovered, keeps earlier results so that new, fixed and recurring findings can be tracked between scans, and feeds that history back into the scanning engine.

 

5. Results report tool: 

The final component is the reporting tool, which presents the scanner's results: reports that explain the vulnerabilities discovered on each target system so that users can act on them.

 

What is an Agent-based vulnerability scanner?

Agent-based scanners install a piece of software (the agent) on each device; the agent scans the device locally and reports its results back to a central server. Because they see the host from the inside, such agents are well-equipped to find and report a wide range of vulnerabilities.

These assessments require an agent on every individual machine. The agents consume local CPU and memory while their scans run, which can slow down the systems they protect. Once each device has been scanned, it produces its own report, and analysts have to sift through and consolidate these to find the right remediation points.

Despite being time-consuming to deploy and maintain, agents can report vulnerabilities on devices that a network scanner cannot reach, for example laptops that are off the corporate network: the agent scans locally and uploads the results the next time it connects.

Some features of agent-based scanners include, but are not limited to:

  • Based mainly on a pull model: the agent initiates outbound connections to the management server to fetch policy and deliver results, so no inbound firewall rules to the endpoint are needed.
  • Ideal for distributed networks with limited bandwidth to remote locations, since only scan results travel over the link rather than probe traffic.
  • Not dependent on network connectivity at scan time, making them ideal for mobile computers that are not always connected to the central network.
  • Such scanners integrate well with Windows machines that are already managed through patch management tooling.
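To make the two mechanisms concrete, here is an added example (not code from Appknox or from the original post) that models both sides in Python: a network scanner that fingerprints services from their banners and looks the versions up in a vulnerability database, and an agent that inventories packages from inside the host, pushes results outbound to a central server, and queues them while the host is offline. The vulnerability database, the product names (acme-ssh, acme-httpd, acme-browser), the advisory ids, the banners and the inventory are all constructed placeholders, not real software or real advisories.

```python
import re
import socket
from collections import deque

# Constructed, hypothetical vulnerability database shared by both scanners:
# product -> list of (first vulnerable version, first fixed version, advisory id).
# Product names and advisory ids are placeholders, not real software or real CVEs.
VULN_DB = {
    "acme-ssh":     [("7.0", "7.6", "EXAMPLE-ADV-0001")],
    "acme-httpd":   [("2.4.0", "2.4.50", "EXAMPLE-ADV-0002")],
    "acme-browser": [("80.0", "90.0", "EXAMPLE-ADV-0003")],
}

def parse_version(text):
    """'2.4.49' -> (2, 4, 49); only the numeric components are compared."""
    return tuple(int(x) for x in re.findall(r"\d+", text))

def lookup(product, version):
    """Return advisory ids whose vulnerable range [lo, hi) contains this version."""
    v = parse_version(version)
    return [adv for lo, hi, adv in VULN_DB.get(product, [])
            if parse_version(lo) <= v < parse_version(hi)]

# ---- Network-based side: fingerprint services from what they say on the wire ----
# Banner regex -> product. A real scanner carries thousands of such signatures.
BANNER_PATTERNS = [
    (re.compile(r"^SSH-2\.0-acme-ssh_([\d.]+)"), "acme-ssh"),
    (re.compile(r"Server: acme-httpd/([\d.]+)"), "acme-httpd"),
]

def grab_banner(host, port, timeout=3.0):
    """Real probe: connect, nudge the service, return what it announces (not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port == 80:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return s.recv(1024).decode(errors="replace")

def network_scan(banners):
    """banners: {'host:port': banner}. Only listeners are visible; version is whatever they claim."""
    findings = []
    for endpoint, banner in banners.items():
        for pattern, product in BANNER_PATTERNS:
            m = pattern.search(banner)
            if m:
                for adv in lookup(product, m.group(1)):
                    findings.append((endpoint, product, m.group(1), adv))
    return findings

# ---- Agent-based side: inventory from inside the host, results pushed outbound ----
class CentralServer:
    """Receives batches from agents; findings are deduplicated across re-sends."""
    def __init__(self):
        self.batches = 0
        self.findings = set()

    def receive(self, batch):
        self.batches += 1
        self.findings.update(batch)

class Agent:
    def __init__(self, host_id, installed):
        self.host_id = host_id
        self.installed = installed   # {product: version}, read from the local package db
        self.outbox = deque()        # scan results queued while the host is offline

    def scan(self):
        """Everything installed is visible, whether or not it listens on the network."""
        return [(self.host_id, p, v, adv)
                for p, v in self.installed.items() for adv in lookup(p, v)]

    def report(self, server, connected):
        """Agent opens the connection (outbound only); off-network results wait in the outbox."""
        self.outbox.append(self.scan())
        if not connected:
            return False
        while self.outbox:
            server.receive(self.outbox.popleft())
        return True

# Constructed sample: the same host as seen over the network ...
SAMPLE_BANNERS = {
    "10.0.0.5:22": "SSH-2.0-acme-ssh_7.4",
    "10.0.0.5:80": "HTTP/1.1 200 OK\r\nServer: acme-httpd/2.4.49\r\n\r\n",
}
# ... and from inside, where an outdated browser (never a listener) is also found.
SAMPLE_INVENTORY = {"acme-ssh": "7.4", "acme-httpd": "2.4.49", "acme-browser": "88.0"}

def demo():
    """Run both sides; returns (network findings, server findings) for comparison."""
    server = CentralServer()
    agent = Agent("10.0.0.5", SAMPLE_INVENTORY)
    agent.report(server, connected=False)   # laptop away from the office: queued
    agent.report(server, connected=True)    # back on the network: outbox flushed
    return network_scan(SAMPLE_BANNERS), server.findings

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the point made above: the network scan sees only the two listening services, while the agent also reports the outdated browser, which never opens a port; the second report() call flushes the batch queued while the host was off-network, and the server deduplicates the repeated findings. grab_banner() performs real network I/O and is included only to show what the probe step looks like; the demo feeds constructed banners into network_scan() so everything runs offline.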

 



 

Why do companies need to use both Network-based and Agent-based vulnerability scanners?

It takes two to tango, and this holds true for network-based and agent-based scanners. With a combined scanning strategy, an organisation can ensure that every asset on the network is appropriately scanned for vulnerabilities.

Even though network-based scanners are the better choice for specific assets, in particular those on which no agent can be installed, they are not the preferred standalone choice. Network scanners have a light footprint on the endpoint, since nothing is installed there, and cause few side effects, but an unauthenticated scan can only infer software versions from network responses and only sees what is listening.

On the other hand, there are systems and devices that are not regularly connected to the network. For these, agent-based scanning is your true friend, providing a near-real-time picture of at-risk systems.

Such agents have become almost a necessity with the growth in remote working brought on by the pandemic. As a by-product of remote working, the attack surface available to attackers has expanded beyond the traditional network perimeter. Installing and managing agents on every device takes effort, but it pays off in better coverage.

The two options are not mutually exclusive: the network scanner examines each system from the outside, over the network, while the agent works from inside each individual system. With the appropriate mix of network and agent-based scanning, organisations can cover every type of threat and deliver a comprehensive report to the central review team for remediation.

All said and done, the network-based approach is cost-effective and productive, while the agent-based approach shines when tracking vulnerabilities on individual hosts. What an organisation needs is the right mix of the two to address the risk of breaches and data theft.

To receive an expert’s opinion on your organisation’s cyber security and the right mix of the two vulnerability scanning techniques for you, set up a call with AppKnox today.

Published on Jun 23, 2021
Nishaanth Guna
Written by Nishaanth Guna
Lead Security Researcher, Appknox.
