This topic has made the rounds again—both due to the community meetings happening over the last four weeks and with some customer discussions I became involved in. Essentially, the issue is this. ASVs need the ability to scan through perimeter defenses like IPS and companies being scanned want to showcase their defenses such that they activate (like they should) upon a scan. Both groups have valid points.

Hole in the Wall, by Lars Plougmann

The ASV is following the program guide. In order to provide passing scans they must be able to scan through perimeter defenses to the actual systems to generate an accurate vulnerability report. Having a scan instantly blocked doesn’t necessarily eliminate the possibility that a vulnerability could be exploited, it just stops that scan’s effectiveness.

Merchants and service providers don’t want to drop in huge exceptions to their policies to whitelist massive swaths of IP addresses that are admittedly hostile. Leaving them whitelisted permanently unnecessarily lowers their defenses, and performing temporary whitelisting disrupts IT/IS. They are also foolish to rely solely on the IPS/IDS, as the bad guys know how to get around them to exploit some known vulnerabilities.

My solution to this problem involves another issue in the scanning world. I propose that merchants and service providers be allowed to leave those IPS perimeter defenses up and running, IF AND ONLY IF they are required to use an ASV for internal/behind the IPS scans. This would allow companies to maintain higher levels of security while ensuring a better representation of actual vulnerabilities on the systems.

This post originally appeared on BrandenWilliams.com.