Notes on the Networks Feature

Document created by Martin Walker (Employee) on Feb 6, 2018. Last modified by Robert Dell'Immagine on Feb 8, 2018. Version 6.

Introduction

The Networks feature is a capability in the Qualys portal that must be enabled on a customer-by-customer basis. The Networks feature is intended to allow customers to solve issues related to overlapping address space. There is a small performance penalty involved in enabling the Networks feature as it effectively requires an additional level of joins and other similar database functions on the back end. This will be most noticeable in UI rendering for those UI pages supported by back end queries, in Asset Search and Asset View queries, and in some report generation.

 

The Networks feature is not intended to be used for administrative separation of assets or other asset management or access control reasons and should not be enabled or used for anything other than overlapping addresses.

 

Please read this: Network Support Quick Start

 

The Networks feature is available to direct enterprise and SMB customers.

 

Use Cases

There are two separate use cases where overlapping addresses become a problem, although both cases may occur at a particular customer. Each use case requires slightly different operating processes. The first and most common use case is where different sections of the internal network use the same address space. Most commonly this occurs following an acquisition, or when address management is delegated to regions or locations and not tracked well in a central location or tool.

 

The other use case is when the customer uses their owned/registered, publicly routable, non-RFC1918 address space internally, usually on a DMZ network where the edge firewalls/load balancers are not performing any NAT/PAT. The Qualys external scanners and the customer's internal scanners then have different views of the same asset (which is the normal case), but both views are recorded on the same asset record in the database because the IP is the same. Without the Networks feature there is no way to differentiate different assets, or different views of the same asset, that share an IP. The result is QIDs flapping between Active and Fixed, QIDs whose last-discovered date does not match the last scan, or even QIDs for the wrong operating system, and so forth.

 

How Does the Networks Feature Work?

The Networks feature allows Qualys to maintain two or more assets with the same IP address as separate assets instead of merging them. We determine which asset belongs in which Network based upon the scanner used to scan the asset. This requires the customer to place scanners into separate named Networks. A scanner can belong to one and only one Network, a scanner can only scan assets in that Network, and any asset scanned by that scanner is automatically placed into that scanner's Network. Assets not created by a scanner (currently Cloud Agent assets) are placed into the Global Default Network (GDN).
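The following is an added illustration of the identity rule described above; it is not Qualys code and does not reproduce the real back-end merge logic. It models an asset record as keyed by IP alone (Networks disabled) versus by (Network, IP) (Networks enabled), and feeds it the same constructed scan results from an external scanner and an internal scanner for one public IP, plus a Cloud Agent upload. The network and scanner names, IPs, OS strings and QID numbers are constructed sample data, and the "re-evaluate every known QID against the newest scan" rule is an assumption used to make the flapping visible.

```python
"""Model of asset identity with and without the Networks feature.

Added illustration, not Qualys code. Names, IPs, OS strings and QIDs are
constructed; the status re-evaluation rule is an assumption.
"""

from dataclasses import dataclass, field
from typing import Optional

GDN = "Global Default Network"

# Constructed: the one Network each scanner belongs to.
SCANNER_NETWORK = {
    "ext-scanner-pool": "External Network",
    "dmz-appliance-1": GDN,
}


@dataclass
class ScanResult:
    ip: str
    scanner: Optional[str]   # None marks a Cloud Agent upload (no scanner involved)
    os: str
    qids: frozenset


@dataclass
class Asset:
    ip: str
    network: str
    os: str = ""
    os_history: list = field(default_factory=list)
    # qid -> status after each scan, e.g. ["Active", "Fixed", "Active"]
    status: dict = field(default_factory=dict)


def network_for(result: ScanResult) -> str:
    """An asset lands in the Network of the scanner that found it; assets not
    created by a scanner (Cloud Agent) always land in the GDN."""
    if result.scanner is None:
        return GDN
    return SCANNER_NETWORK[result.scanner]


def ingest(results, networks_enabled: bool) -> dict:
    """Fold scan results into asset records.

    Without Networks the record key is the IP alone, so the external and
    internal views of 203.0.113.10 overwrite one record in turn. With
    Networks the key is (network, ip) and each view keeps its own record.
    """
    assets = {}
    for r in results:
        net = network_for(r)
        key = (net, r.ip) if networks_enabled else r.ip
        a = assets.setdefault(key, Asset(ip=r.ip, network=net if networks_enabled else GDN))
        a.os = r.os
        a.os_history.append(r.os)
        # Assumption: every QID the record has ever carried is re-evaluated
        # against the newest scan: detected -> Active, not detected -> Fixed.
        for qid in set(a.status) | set(r.qids):
            a.status.setdefault(qid, []).append("Active" if qid in r.qids else "Fixed")
    return assets


def flapping_qids(asset: Asset) -> list:
    """QIDs whose status changed between consecutive scans of this record."""
    return sorted(q for q, hist in asset.status.items()
                  if any(x != y for x, y in zip(hist, hist[1:])))


# Constructed sample: from outside 203.0.113.10 is the load balancer, from
# inside it is the web server behind it; a Cloud Agent reports a third host.
SAMPLE_RESULTS = [
    ScanResult("203.0.113.10", "ext-scanner-pool", "F5 BIG-IP", frozenset({100001, 100002})),
    ScanResult("203.0.113.10", "dmz-appliance-1", "Ubuntu 16.04", frozenset({100001, 100003})),
    ScanResult("10.20.0.5", None, "Windows Server 2016", frozenset({100004})),
    ScanResult("203.0.113.10", "ext-scanner-pool", "F5 BIG-IP", frozenset({100001, 100002})),
    ScanResult("203.0.113.10", "dmz-appliance-1", "Ubuntu 16.04", frozenset({100001, 100003})),
]


def demo() -> dict:
    merged = ingest(SAMPLE_RESULTS, networks_enabled=False)
    split = ingest(SAMPLE_RESULTS, networks_enabled=True)
    return {
        "records_without_networks": len(merged),
        "flapping_without_networks": flapping_qids(merged["203.0.113.10"]),
        "records_with_networks": len(split),
        "flapping_with_networks": sum(len(flapping_qids(a)) for a in split.values()),
    }


if __name__ == "__main__":
    print(demo())
```

With Networks disabled the single 203.0.113.10 record alternates between BIG-IP and Ubuntu and two of its QIDs flip Active/Fixed on every scan; with Networks enabled the same results produce one record in External Network, one in GDN, and the agent host in GDN, none of them flapping.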

 

What Happens When Networks is Enabled?

Several things will happen when the feature is enabled:

 

1) All current assets, asset groups, scanners, and agents remain in the Global Default Network (GDN)

2) The exception is EC2 assets and scanners, which are placed into the Global EC2 Network

3) Agents remain in GDN, including new deployments

4) None of the existing assets, asset groups, or agents can be moved to a different Network

5) Agents can (currently) never be in anything other than GDN

6) Existing scan jobs, reports, etc. remain configured to refer to the assets, asset groups, or tags in GDN exactly as they did before the feature was enabled

7) Other than some display/naming changes, nothing else changes when the Networks feature is enabled

 

How to Use The Networks Feature

Use Case: External Non-RFC1918 Address Space also used internally

Add the publicly routable IP address space into Assets->Host Assets if it is not already there. Create a new Network called External Network or something similar. This new Network will contain the assets as viewed from the outside. Don't put any scanners or Asset Groups into the Network when it is created. Now create one or more Asset Groups representing your external address space, using the same address ranges. These Asset Groups might represent different data centers, different edge devices, or whatever fits your address management needs. When setting up your perimeter scan schedules or configuring ad hoc perimeter scans you will see a new option, "Network". Make sure that your perimeter scans are all configured to use the External Network that you just created and that they use the external scanners. This will create a new asset in the External Network for each IP found live during your scans, and will preserve the "external attacker perspective" of your DMZ assets.

 

 

For internal scans of the same assets make sure that the Network is the Global Default Network and that you are using the appropriate internal scanner.

 

Use Case: Two internal zones use the same address ranges

In this case you will create at least one named network separate from GDN. Typically we would recommend that the majority of your network remain in GDN, with only those few areas with overlap being in special Networks. There is no need to move everything to a specially named network. For this use case you will need at least one dedicated scanner for each named network, and asset groups created within those named networks. Each network will require separate scan jobs, you cannot run a single scan job across multiple networks.  This may dictate an increase in the number of scanners deployed in the environment.
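The constraints from both use cases above (one Network per appliance, a scanner only scans its own Network, asset groups live inside a Network, no scan job spans Networks, named Networks need a dedicated scanner or an external-scanner job) are easy to get wrong when planning the rollout in a spreadsheet. The checker below is added here as an illustration and is not a Qualys tool; the scanner, Network, asset-group and job names are constructed. It assumes the Qualys-hosted external scanners are modelled with network=None, since the note says not to place any scanners into the External Network and the "Network" option on the scan decides where their findings land.

```python
"""Consistency check for a planned Networks rollout.

Added illustration, not a Qualys tool. All names are constructed.
Assumption: external scanners carry network=None because they are not
placed into a customer Network; the scan's Network option decides.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

GDN = "Global Default Network"


@dataclass(frozen=True)
class Scanner:
    name: str
    network: Optional[str]   # None = external scanner pool (see assumption above)


@dataclass(frozen=True)
class AssetGroup:
    name: str
    network: str


@dataclass(frozen=True)
class ScanJob:
    title: str
    network: str             # the "Network" option chosen on the scan
    scanner: str
    asset_groups: Tuple[str, ...]


def validate(scanners, groups, jobs) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    scanner_by_name = {}
    for s in scanners:
        if s.name in scanner_by_name:   # one scanner, one and only one Network
            problems.append(f"scanner {s.name} is listed in more than one Network")
        scanner_by_name[s.name] = s
    group_by_name = {g.name: g for g in groups}

    for job in jobs:
        s = scanner_by_name.get(job.scanner)
        if s is None:
            problems.append(f"{job.title}: unknown scanner {job.scanner}")
            continue
        # An internal appliance can only scan assets in its own Network.
        if s.network is not None and s.network != job.network:
            problems.append(f"{job.title}: scanner {s.name} is in {s.network} "
                            f"but the job targets {job.network}")
        # One job cannot span Networks: every asset group must sit in the job's Network.
        for gname in job.asset_groups:
            g = group_by_name.get(gname)
            if g is None:
                problems.append(f"{job.title}: unknown asset group {gname}")
            elif g.network != job.network:
                problems.append(f"{job.title}: asset group {gname} is in {g.network} "
                                f"but the job targets {job.network}")

    # Every named (non-GDN) Network holding asset groups needs either a dedicated
    # appliance in that Network or a job that scans it with the external pool.
    for net in sorted({g.network for g in groups} - {GDN}):
        has_appliance = any(s.network == net for s in scanners)
        has_external_job = any(
            j.network == net and j.scanner in scanner_by_name
            and scanner_by_name[j.scanner].network is None
            for j in jobs)
        if not (has_appliance or has_external_job):
            problems.append(f"{net}: no dedicated scanner and no external-scanner job")
    return problems


# Constructed plan: a DMZ on public space seen from both sides, HQ on 10.1.0.0/16,
# and an acquired company that also uses 10.1.0.0/16.
SCANNERS = [
    Scanner("qualys-external-pool", None),
    Scanner("dmz-appliance-1", GDN),
    Scanner("hq-appliance-1", GDN),
    Scanner("acq-appliance-1", "AcquiredCo Network"),
]
GROUPS = [
    AssetGroup("DMZ from outside", "External Network"),
    AssetGroup("DMZ from inside", GDN),
    AssetGroup("HQ 10.1.0.0/16", GDN),
    AssetGroup("AcquiredCo 10.1.0.0/16", "AcquiredCo Network"),
]
GOOD_JOBS = [
    ScanJob("Perimeter weekly", "External Network", "qualys-external-pool", ("DMZ from outside",)),
    ScanJob("DMZ internal weekly", GDN, "dmz-appliance-1", ("DMZ from inside",)),
    ScanJob("HQ weekly", GDN, "hq-appliance-1", ("HQ 10.1.0.0/16",)),
    ScanJob("AcquiredCo weekly", "AcquiredCo Network", "acq-appliance-1", ("AcquiredCo 10.1.0.0/16",)),
]
BAD_JOBS = [
    # one job across both overlapping 10.1.0.0/16 zones
    ScanJob("All 10.1 space", GDN, "hq-appliance-1", ("HQ 10.1.0.0/16", "AcquiredCo 10.1.0.0/16")),
    # the HQ appliance pointed at the acquired zone's Network
    ScanJob("AcquiredCo via HQ", "AcquiredCo Network", "hq-appliance-1", ("AcquiredCo 10.1.0.0/16",)),
]


if __name__ == "__main__":
    print("good plan:", validate(SCANNERS, GROUPS, GOOD_JOBS))
    print("bad plan:", *validate(SCANNERS, GROUPS, BAD_JOBS), sep="\n  ")
```

The good plan passes; the bad plan reports the cross-Network asset group, the appliance pointed outside its own Network, and the External Network left with no job that can reach it.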
