We are using QualysGuard version 7.1 and for VM scanning I want to add hosts by DNS name. There is an option Assets - Assets Host - New Assets - DNS tracking but it shows me only the window for adding by IP address. In this window it's not possible to fill in a DNS name, only an IP address.
This is the same window as new asset - ip tracking.
My question: is it possible to add hosts by DNS name, and if yes where can I add these hosts.
When adding hosts, for DNS tracking, the hosts are still added by IP address. However, when this is done, they are 'tracked' by their DNS name during scans. If a host retains the same DNS name but changes IPs (dynamic environment, etc.) when it is scanned on different IP addresses, each time it resolves to the same name, the data is combined with previous scans that resolved to the same name. Scans using automatic data and featuring trending will track vulnerabilities and changes for the host even though its IP address is changing.
The same applies to NetBIOS tracking.
One important caveat with this type of tracking is that if a scan is completed of a given IP address but the DNS (or NetBIOS, if that is the tracking method) name does not resolve, the scan data will be discarded, so as to avoid contaminating the trending data.
Hosts are, by default, added by IP address, regardless of the tracking method selected. Tracking method can be changed, of course, after the host assets have been added. When changing tracking method, it is important to be aware that you cannot change a host asset to be DNS or NetBIOS tracked unless it has been scanned and has a valid DNS or NetBIOS name that was discovered during the scan.
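A small model of the collation rules described above, as an added example that is not part of this thread or of Qualys's own code: assets are added by IP, a per-asset tracking method decides which value keys the scan data, a switch to DNS/NetBIOS tracking requires a name discovered by an earlier scan, and data whose tracking name did not resolve is discarded rather than collated. The IPs, hostnames and QID-style finding labels are constructed sample values.

```python
"""Constructed model of IP / DNS / NetBIOS host tracking and trending.

Not Qualys code; a simplified illustration of the rules described in the thread.
"""
from dataclasses import dataclass, field
from typing import Optional

IP, DNS, NETBIOS = "IP", "DNS", "NETBIOS"


@dataclass
class ScanResult:
    """One scanned IP. dns_name / netbios_name are None when resolution failed."""
    ip: str
    dns_name: Optional[str]
    netbios_name: Optional[str]
    vulns: frozenset


@dataclass
class HostRecord:
    key: str
    ips_seen: list = field(default_factory=list)
    history: list = field(default_factory=list)  # one vuln set per scan

    def trend(self):
        """(new, fixed) findings between the last two collated scans."""
        if len(self.history) < 2:
            return set(), set()
        prev, cur = self.history[-2], self.history[-1]
        return set(cur - prev), set(prev - cur)


class AssetInventory:
    def __init__(self):
        self.tracking = {}    # ip -> tracking method (hosts are always added by IP)
        self.hosts = {}       # tracking key ("METHOD:value") -> HostRecord
        self.last_seen = {}   # ip -> ScanResult from the most recent scan of that IP
        self.discarded = []   # (ip, reason) for data that could not be collated

    def add_host(self, ip):
        self.tracking[ip] = IP  # default tracking method

    @staticmethod
    def _name_for(result, method):
        if result is None:
            return None
        return {IP: result.ip, DNS: result.dns_name, NETBIOS: result.netbios_name}[method]

    def can_retrack(self, ip, method):
        """DNS/NetBIOS tracking needs a valid name discovered by a previous scan."""
        return method == IP or self._name_for(self.last_seen.get(ip), method) is not None

    def set_tracking(self, ip, method):
        if not self.can_retrack(ip, method):
            raise ValueError(f"{ip}: no {method} name discovered by a scan yet")
        old_method = self.tracking[ip]
        old_key = f"{old_method}:{self._name_for(self.last_seen.get(ip), old_method)}"
        new_key = f"{method}:{self._name_for(self.last_seen[ip], method)}"
        # Carry the existing record over to its new tracking key.
        if old_key in self.hosts and old_key != new_key:
            rec = self.hosts.pop(old_key)
            rec.key = new_key
            self.hosts[new_key] = rec
        self.tracking[ip] = method

    def ingest(self, results):
        """Collate one scan; returns the tracking keys that received data."""
        updated = []
        for r in results:
            if r.ip not in self.tracking:
                self.discarded.append((r.ip, "not in asset list"))
                continue
            method = self.tracking[r.ip]
            self.last_seen[r.ip] = r
            name = self._name_for(r, method)
            if name is None:
                # The caveat from the thread: unresolved tracking name -> data dropped.
                self.discarded.append((r.ip, f"{method} name did not resolve"))
                continue
            key = f"{method}:{name}"
            rec = self.hosts.setdefault(key, HostRecord(key))
            if not rec.ips_seen or rec.ips_seen[-1] != r.ip:
                rec.ips_seen.append(r.ip)
            rec.history.append(r.vulns)
            updated.append(key)
        return updated


def demo():
    """Laptop moves between DHCP addresses; a non-Windows box reuses its old IP."""
    inv = AssetInventory()
    for ip in ("10.0.0.5", "10.0.0.9"):
        inv.add_host(ip)
    # Scan 1: two Windows laptops, both IPs still IP-tracked (constructed data).
    inv.ingest([
        ScanResult("10.0.0.5", "laptop1.example.test", "LAPTOP1", frozenset({"QID-1", "QID-2"})),
        ScanResult("10.0.0.9", "laptop2.example.test", "LAPTOP2", frozenset({"QID-7"})),
    ])
    # Names were discovered, so the DHCP range can be moved to NetBIOS tracking.
    for ip in ("10.0.0.5", "10.0.0.9"):
        inv.set_tracking(ip, NETBIOS)
    # Scan 2: LAPTOP1 is now on .9; a Unix host with no NetBIOS name sits on .5.
    inv.ingest([
        ScanResult("10.0.0.9", "laptop1.example.test", "LAPTOP1", frozenset({"QID-2", "QID-3"})),
        ScanResult("10.0.0.5", "unix1.example.test", None, frozenset({"QID-9"})),
    ])
    return inv


if __name__ == "__main__":
    inv = demo()
    for key, rec in inv.hosts.items():
        print(key, rec.ips_seen, "new/fixed:", rec.trend())
    print("discarded:", inv.discarded)
```

Running `demo()` shows LAPTOP1's two scans collated under `NETBIOS:LAPTOP1` across both IPs (trend: QID-3 new, QID-1 fixed), while the Unix host's data on 10.0.0.5 is discarded because that IP is NetBIOS-tracked and no name came back.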
So, let's say I scan 1000 hosts, and I move the windows OS ones to NetBIOS tracking.
That seems to now mean that the IPs associated with those hosts are always going to be tracked by NetBIOS, even if somebody drops a Unix box or router onto the same IP, without any NetBIOS services on it.
So, if I scan an IP that I designated as NetBIOS tracking, when a non-NetBIOS host has the IP instead, the device won't be scanned because it doesn't reply to NetBIOS queries, even if it responds on multiple other ports/services.
Why not automatically switch it back to IP tracking during a scan if a non-NetBIOS host is detected?
Is that correct?
My understanding of the tracking is this (and I hope it's right, because I've just changed all my workstation records to DNS name scanning).
It's always IP addresses that are going to get scanned, with NETBIOS scans being performed against that IP address. The results of that scan are saved. When you perform your next scan, you're going to get more results, and you want the results of the second scan to be associated with the results of the first scan.
So the question is, how is Qualys going to know which result of the first scan is the same machine in the results of the second scan? What remains constant?
IP Addresses (the default) are fine if your machines never change IP. I guess DNS is the one to choose if your DNS records are dynamically updated as machines change IP. NETBIOS, maybe choose that if you're on a network with Windows machines that don't have DNS.
This is correct; however, automatically changing host tracking would only create a large number of other problems. Just as an example, if a host fails to resolve due to a temporary issue, should that IP no longer be tracked by NetBIOS? Automatic tracking-changing would be likely to cause far more inconsistencies than it would resolve.
The intention is that if you have a range of (for example) dynamically tracked devices that are all Windows, you can scan that range without having to adjust normally. In the overwhelming majority of these cases, the devices should always resolve their NetBIOS names the same way (if it's the same machine) and no trouble is caused.
When you start mixing and matching as you've suggested, you begin creating a sort of chaos that would require human intervention to sort out - or an identifying agent installed on the target, which is not something Qualys is interested in doing at this time.
How are others handling tracking for windows based clients that change IPs a lot versus static IP addressed network and server infrastructure devices? Our environment is so large that we could easily miss a new DHCP segment that would be appropriate for NetBIOS tracking, or on the flip side, miss a previously DHCP-only segment being reclaimed and reused for static addressed devices that should be tracked by IP.
EDIT: fixed two typos.
When a Windows host changes IPs regularly (laptops are most common for this, obviously), NetBIOS tracking will ensure that the data collected during a scan will be collated back together with previous scan data against the host (or hosts, potentially) with the exact same NetBIOS name.
If you have a static infrastructure, there's no real reason to use anything other than IP tracking, of course.
As far as monitoring new segments popping up or monitoring when segments are reclaimed, that's generally something that needs to be handled on a business process level. There really isn't any way for QualysGuard to identify the type of infrastructure in place on a given segment during a scan, independently.
A few points from a colleague of mine.
"So, they are tracking each scan by IP, and then correlating the data afterwards. That means this is a process issue. If scans would gather all the data, in a key-less fashion, and then do some heuristics to match the scanned host to a given existing host, this wouldn't be a problem.
The only gotcha that comes to mind is if a host is on TWO lists... i.e. track NetBIOS name X, and track DNS name Y"
The same problem effectively remains, however, in that there is in no way a guarantee that there would be enough information coming back to build a reliable fingerprint of the target. Certainly there might be in many cases, but 'many' is not good enough - because if we can't identify the target host, we're in the same boat we were in previously, which is that we have data that we cannot collate - so we must discard it.
I know that more host identification research is ongoing, but at this time we have no reliable way to do this - and without a method that's nearly 100% reliable, we won't want to implement it.
I'm Tim's unnamed colleague... I am completely unclear why there would EVER be data that didn't correlate. If a host doesn't get tracked via NetBIOS or DNS, then it should be tracked by IP. Sure, you might end up with both an IP-tracked host entry and a NetBIOS/DNS-tracked host entry that are actually the same host, but in no case would data be lost.
Shouldn't it be as simple as this basic process:
I am sure there is more to it than this (e.g. checking for signs that the system has been rebuilt or changed, like the OS changing, etc.) but the same basic process seems to be sane.
On another note, wouldn't it also be possible for systems that use authenticated scans to leave behind some sort of entry that provides more correlation information (e.g. stash the Host ID into a registry key or a file in /var/lib/qualys)?
Unfortunately, it isn't quite that simple; the 'catch-all' of just tracking by IP if things don't resolve means the likelihood is very high that the IP-tracked data would be unreliable (for trending purposes, which is the only purpose for which tracking is relevant, obviously) and that would, of course, completely undo things for a very large number of users.
As far as authentication, again - we do not want to add to the registry or leave files on a target (there's an entire laundry list of reasons for this, but the shortest and most direct is that writing to the registry or anywhere but /tmp on a UNIX system opens up the potential to cause problems - even if it's only in 0.001% of targets, with tens of millions of scans annually, that's a lot of potential issues). What little writing to target systems we do do is very carefully managed for that very reason.
For the time being, much of this discussion does sound good in theory but is not anything we can implement (and certainly not in the short term) without a whole lot of development and research.
As I mentioned above, there is work going into a lot of things that are at least similar to many of the items noted above - the first parts of some of this work will be bearing fruit with the asset tagging system that we're developing.
All, thanks for this information. The purpose of the question was whether it's possible to start with DNS instead of IP address. Now I understand that it's a great feature to track the host, but the essence is still IP.
More reading about this information says: scanner appliance selected must be able to resolve the hostnames in the group to IP addresses in the account. Note that you cannot scan hosts by hostname using the "External" option (for External scanners).
Why is it not possible for an external scanner to resolve a DNS name of a server which is available on the internet and has a DNS name which can be resolved by any internet DNS server?
Scan by hostname (if enabled) is enabled ONLY for scanner appliances and not for external scanners because we want to make sure that the way host resolution and scanning is performed is consistent in your environment. Using the External scanners could produce inconsistent results (since our scanner pools could be using different DNS servers at different times), whereas you have control over which DNS servers your scanners are querying.