Network Vulnerability Scanner placement on network
I have not used QualysGuard however using a vendor agnostic approach I would consider the following.
Indirect connection through firewall:
This can be a good option if you are unable to connect to the subnet for some reason (not enough connections, physically not accessible, etc...).
Some types of active scans depend on logical network location and may not work though a firewall / IPS (such a broadcasts and some poisoning) depending on your configuration. This is normally not a problem because the firewall / IPS provides that layer of protection, but an assessment may not be complete.
Increased load / processing through firewall and network equipment. Vulnerability scanning traffic can stress network equipment and may flood links. If this is a concern then locating the scanning interface logically close to the target is an advantage.
Direct connection to subnet:
Generally the best performance way to install a scanner, but can be a problem if you are unable to connect to a switch port with access to the network or VLAN you want to scan.
Directly connecting a scanner where it has direct connectivity to it’s target may allow it to detect vulnerabilities that are masked behind switch, firewall or IPS devices.
Scanners bridges secure zones. A scanner can have vulnerabilities too, less so these days but every scanner interface is potentially a bridge to multiple networks. This obviously depends on your implementation and product, some are better than others. Scanners would not normally route traffic but may if a vulnerability existed in the scanner or the scanner OS.
Conclusion:
The other options you have listed are all valid and could be used with an indirect connection through a firewall. Ideally you need to scan the platforms or applications from the side they will be servicing requests on. That may not be possible on a management network, depending on your configuration.
Where would you put the scanner appliance on your network and why?
I would connect the scanner with directly connected ports on your most secure subnets (Internal network) which would likely have more hosts to scan. And then put some other interfaces in a separate subnet with access through firewalls to your least secure subnets.
This limits bridging and allows you to scans most/all of your hosts with minimal performance hit.
Hope this helps.
I am not sure that you will be able to get away with not adding rules to your firewalls to allow the traffic from the scanner. You will not need to open them up globally, just for the scanner's IP.
If you are using stateful inspection, the scanners should be on the untrusted side of the firewall anyway so that the state tables of the firewalls do not fill up and cause traffic problems.
The QualysGuard scanner supports VLAN tagging, so you might be able to work around the firewalls, depending on your setup.
It's highly recommended that you work with your network group to determine where to place Scanner Appliances in an enterprise network environment. Some things to consider: place Scanner Appliances as close to target machines as possible, and make sure to monitor and identify any bandwidth restricted segments or weak points in the network infrastructure. Scanning through layer 3 devices (such as routers, firewalls and load balancers) could result in degraded performance so you may consider using our VLAN tagging feature (VLAN trunking) to circumvent layer 3 devices to avoid potential performance issues.
A static IP is reserved for the Qualys scanner in each of the VLAN to be scanned by it. The scanner uses the reserved static IP while scanning the VLAN.
So ,as you said, effectively it will be sitting inside the VLAN and hence L3 routing is not required.
Example : Scanner will scan VLAN A - 192.168.1.0/24 & VLAN B- 192.168.2.0/24 A static IP,Lets say 192.168.1.2 & 192.168.2.2 in each of the VLAN's is reserved for the scanner. While scanning VLAN A,it will use the IP 192.168.1.2 thus effectively sitting inside VLAN A. Similarly for VLAN B