Mapping with Domains and Netblocks Best Practices

Document created by Leif Kremkow (Employee) on Jun 18, 2018. Last modified by Leif Kremkow (Employee) on Jun 18, 2018. Version 3.

Qualys Vulnerability Management comes with the Map: a feature that shows what your scanners can discover about the target network they are given.

 

The target of a Map can be specified in two ways:

  • Domains/Netblocks: the specific, most granular definition of the perimeter in which to look for live systems.
  • Asset Groups: a symbolic container that includes one or more Domains/Netblocks, IP addresses, or both.

Map Target Domains

Generally speaking:

  • Scanning uses IP addresses, usually as ranges. Never Domains. Never netblocks.
  • Mapping uses Domains, and possibly also Netblocks. Can also use Scanning IP Ranges in lieu of netblocks.

 

You might have observed that "netblocks" and "IP address ranges" are very similar in appearance and purpose, and yet Qualys uses two different names for what appears to be the same thing. The different names make it easy to understand what is meant and how this information is used.

 

Step 1: Add a Domain

Scan and Map both require you to first add targets to your subscription that you wish to scan. In Scan you may be used to adding IPs, but for the Map you'll need to add "Domains".

Asset - Domains - New

In order to Map your internal perimeter, I suggest you work with the "none" Domain. Any other Domain, such as "corp.com", will trigger the scanner into running DNS queries. If you want to find resources because the domain name exists, then this is perfectly reasonable. However, if you are using a fake name, beware that this may result in superfluous DNS queries being sent.

 

I suggest you add "none:[10.0.0.0-10.255.255.255]".

New Domains

We are using the reserved domain name "none" to suppress DNS queries and providing the complete 10/8 range - even if we have no intention of mapping all 16 million addresses. We may only want to Map parts of this network - the next steps will show you how.

 

Step 2: Create an Asset Group

Since we want to Map only a specific subnet or site, we'll use an Asset Group to represent this perimeter.

Assets - Asset Groups

Give the new Asset Group a name that represents the perimeter you want to Map.

New Asset Group - Site Alice - Title

Then select the global "none" Domain that we created previously:

New Asset Group - Site Alice - New Domain

Use the "Edit" link to change the netblock of the "none" Domain we just added:

New Asset Group - Site Alice - Edit Domain

Edit the netblock (i.e. the IP address range) to reflect the IPs that represent the target perimeter and that you actually want to include in the Map (such as "10.1.1.0-10.1.1.255"):

New Asset Group - Site Alice - Edit Netblock

Select the Appliance that is deployed for this perimeter:

New Asset Group - Site Alice - Set Appliance

Save this Asset Group. Create another Asset Group for the second perimeter, such as "Site Charly", with a netblock such as "10.3.0.0-10.3.255.255, 10.4.5.0-10.4.5.255":

New Asset Group - Site Alice - New Domain Charly

New Asset Group - Site Alice - Edit Netblock Charly

Notice how with a comma we can include multiple IPs or ranges inside one netblock definition - ranges do not need to be contiguous.

New Asset Group - Site Alice - Set Appliance Charly

This will give us two Asset Groups:

Assets - Asset Groups - overview

Step 3: Schedule Maps

Configure a new scheduled Map in the Scans section.

Scans - Maps

Use the two Asset Groups we just created to launch two scans against two distinct perimeters with two distinct Appliances at the same time:

Scans - Maps - New Scheduled Map
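A pre-flight check for the netblock strings typed in Steps 1 and 2, as an added example that is not part of the original document and not Qualys code. The function names are hypothetical, and it assumes that an Asset Group netblock is meant to stay inside the range registered on the "none" Domain and that the two sites should not share addresses.

```python
import ipaddress
import re

def parse_netblock(text):
    """Parse 'a-b, c, d-e' into a list of (first, last) IPv4Address pairs."""
    ranges = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty entry in netblock")
        first, sep, last = part.partition("-")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip()) if sep else lo  # single IP
        if hi < lo:
            raise ValueError(f"range runs backwards: {part}")
        ranges.append((lo, hi))
    return ranges

def parse_domain(entry):
    """Split 'name:[netblock]' (the form used in Step 1) into name and ranges."""
    m = re.fullmatch(r"\s*([^:\s]+)\s*:\s*\[(.*)\]\s*", entry)
    if not m:
        raise ValueError(f"not in name:[netblock] form: {entry!r}")
    return m.group(1), parse_netblock(m.group(2))

def address_count(ranges):
    """Number of addresses a Map of these ranges would have to cover."""
    return sum(int(hi) - int(lo) + 1 for lo, hi in ranges)

def outside_parent(child, parent):
    """Child ranges that are not fully contained in a single parent range."""
    return [(lo, hi) for lo, hi in child
            if not any(p_lo <= lo and hi <= p_hi for p_lo, p_hi in parent)]

def overlaps(a, b):
    """True if any range in a shares an address with any range in b."""
    return any(lo1 <= hi2 and lo2 <= hi1 for lo1, hi1 in a for lo2, hi2 in b)

if __name__ == "__main__":
    # Values taken from the walkthrough above.
    name, parent = parse_domain("none:[10.0.0.0-10.255.255.255]")
    sites = {"Site Alice": "10.1.1.0-10.1.1.255",
             "Site Charly": "10.3.0.0-10.3.255.255, 10.4.5.0-10.4.5.255"}
    for title, netblock in sites.items():
        ranges = parse_netblock(netblock)
        print(title, address_count(ranges), "addresses; outside", name,
              "Domain:", outside_parent(ranges, parent))
```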
