4889 Views 12 Replies Latest reply: Jun 18, 2012 8:47 AM by Caleb Corey
Rene van Wolferen Level 1 9 posts since
Jun 6, 2012

Jun 7, 2012 12:52 AM

Adding hosts on DNS name

Hello,

We are using QualysGuard version 7.1, and for VM scanning I want to add hosts by DNS name. There is an option Assets - asset hosts - new assets - DNS tracking, but it shows me only the window for adding by IP address. In this window it's not possible to fill in a DNS name, only an IP address.

This is the same window as new asset - IP tracking.

My question: is it possible to add hosts by DNS name, and if yes, where can I add these hosts?

Thanks already,

Rene

  • Caleb Corey Level 2 32 posts since
    Jul 27, 2010
    Jun 7, 2012 4:23 PM (in response to Rene van Wolferen)
    Adding hosts on DNS name

    Rene-

    When adding hosts, for DNS tracking, the hosts are still added by IP address. However, when this is done, they are 'tracked' by their DNS name during scans. If a host retains the same DNS name but changes IPs (dynamic environment, etc.) when it is scanned on different IP addresses, each time it resolves to the same name, the data is combined with previous scans that resolved to the same name. Scans using automatic data and featuring trending will track vulnerabilities and changes for the host even though its IP address is changing.

    The same applies to NetBIOS tracking.

    One important caveat with this type of tracking is that if a scan is completed of a given IP address but the DNS (or NetBIOS, if that is the tracking method) name does not resolve, the scan data will be discarded, so as to avoid contaminating the trending data.

    Hosts are, by default, added by IP address, regardless of the tracking method selected. Tracking method can be changed, of course, after the host assets have been added. When changing tracking method, it is important to be aware that you cannot change a host asset to be DNS or NetBIOS tracked unless it has been scanned and has a valid DNS or NetBIOS name that was discovered during the scan.

    -Caleb

    • Tim Pettigrew Level 1 17 posts since
      Jul 27, 2010
      Jun 8, 2012 12:22 PM (in response to Caleb Corey)
      Adding hosts on DNS name

      So, let's say I scan 1000 hosts, and I move the Windows OS ones to NetBIOS tracking.

      That seems to now mean that the IPs associated with those hosts are always going to be tracked by NetBIOS, even if somebody drops a Unix box or router onto the same IP, without any NetBIOS services on it.

      So, if I scan an IP that I designated as NetBIOS tracking, when a non-NetBIOS host has the IP instead, the device won't be scanned because it doesn't reply to NetBIOS queries, even if it responds on multiple other ports/services.

      Why not automatically switch it back to IP tracking during a scan if a non-NetBIOS host is detected?

      Is that correct?

      Regards,

      Tim

      • Hywel Mallett Level 1 5 posts since
        Apr 26, 2012
        Jun 8, 2012 12:41 PM (in response to Tim Pettigrew)
        Adding hosts on DNS name

        Tim,

        My understanding of the tracking is this (and I hope it's right, because I've just changed all my workstation records to DNS name scanning).

        It's always IP addresses that are going to get scanned, with NETBIOS scans being performed against that IP address. The results of that scan are saved. When you perform your next scan, you're going to get more results, and you want the results of the second scan to be associated with the results of the first scan.

        So the question is, how is Qualys going to know which result of the first scan is the same machine in the results of the second scan? What remains constant?

        IP Addresses (the default) are fine if your machines never change IP. I guess DNS is the one to choose if your DNS records are dynamically updated as machines change IP. NETBIOS, maybe choose that if you're on a network with Windows machines that don't have DNS.

    • Caleb Corey Level 2 32 posts since
      Jul 27, 2010
      Jun 8, 2012 12:35 PM (in response to Caleb Corey)
      Adding hosts on DNS name

      Tim-

      This is correct; however, automatically changing host tracking would only create a large number of other problems. Just as an example, if a host fails to resolve due to a temporary issue, should that IP no longer be tracked by NetBIOS? Automatic tracking-changing would be likely to cause far more inconsistencies than it would resolve.

      The intention is that if you have a range of (for example) dynamically tracked devices that are all Windows, you can scan that range without having to adjust normally. In the overwhelming majority of these cases, the devices should always resolve their NetBIOS names the same way (if it's the same machine) and no trouble is caused.

      When you start mixing and matching as you've suggested, you begin creating a sort of chaos that would require human intervention to sort out - or an identifying agent installed on the target, which is not something Qualys is interested in doing at this time.

      -Caleb

      • Tim Pettigrew Level 1 17 posts since
        Jul 27, 2010
        Jun 8, 2012 12:50 PM (in response to Caleb Corey)
        Re: Adding hosts on DNS name

        How are others handling tracking for Windows-based clients that change IPs a lot versus static IP addressed network and server infrastructure devices? Our environment is so large that we could easily miss a new DHCP segment that would be appropriate for NetBIOS tracking, or on the flip side, miss a previously DHCP-only segment being reclaimed and reused for static addressed devices that should be tracked by IP.

        -Tim

        EDIT: fixed two typos.

        • Caleb Corey Level 2 32 posts since
          Jul 27, 2010
          Jun 8, 2012 12:56 PM (in response to Tim Pettigrew)
          Re: Adding hosts on DNS name

          When a Windows host changes IPs regularly (laptops are most common for this, obviously), NetBIOS tracking will ensure that the data collected during a scan will be collated back together with previous scan data against the host (or hosts, potentially) with the exact same NetBIOS name.

          If you have a static infrastructure, there's no real reason to use anything other than IP tracking, of course.

          As far as monitoring new segments popping up or monitoring when segments are reclaimed, that's generally something that needs to be handled on a business process level. There really isn't any way for QualysGuard to identify the type of infrastructure in place on a given segment during a scan, independently.

          -Caleb

          • Tim Pettigrew Level 1 17 posts since
            Jul 27, 2010
            Jun 8, 2012 1:01 PM (in response to Caleb Corey)
            Re: Adding hosts on DNS name

            A few points from a colleague of mine.

            "So, they are tracking each scan by IP, and then correlating the data afterwards. That means this is a process issue. If scans would gather all the data, in a key-less fashion, and then do some heuristics to match the scanned host to a given existing host, this wouldn't be a problem.

            The only gotcha that comes to mind is if a host is on TWO lists... i.e. track NetBIOS name X, and track DNS name Y"

            • Caleb Corey Level 2 32 posts since
              Jul 27, 2010
              Jun 8, 2012 1:05 PM (in response to Tim Pettigrew)
              Re: Adding hosts on DNS name

              The same problem effectively remains, however, in that there is in no way a guarantee that there would be enough information coming back to build a reliable fingerprint of the target. Certainly there might be in many cases, but 'many' is not good enough - because if we can't identify the target host, we're in the same boat we were in previously, which is that we have data that we cannot collate - so we must discard it.

              I know that more host identification research is ongoing, but at this time we have no reliable way to do this - and without a method that's nearly 100% reliable, we won't want to implement it.

              -Caleb

              • Matt Mossholder Lurker 2 posts since
                Sep 2, 2011
                Jun 11, 2012 8:34 AM (in response to Caleb Corey)
                Re: Adding hosts on DNS name

                I'm Tim's unnamed colleague... I am completely unclear why there would EVER be data that didn't correlate. If a host doesn't get tracked via NetBIOS or DNS, then it should be tracked by IP. Sure, you might end up with both an IP Tracked host entry and a NetBIOS/DNS Tracked host entry that both are actually the same host, but in no case would data be lost.

                Shouldn't it be as simple as this basic process:

                1. A range of IPs is scanned, and data gathered, including NetBIOS and DNS names, where available.
                2. Scan completes, data is sent back to Qualys for correlation.
                3. Qualys cloud checks lists of names that are to be tracked by NetBIOS name, and associates any matching entries with the existing host entries in the DB.
                4. Qualys cloud checks lists of names that are to be tracked by DNS name, and associates any matching entries with the existing host entries in the DB.
                5. Remainder of entries are associated with hosts based upon IP. Even if there is a NetBIOS or DNS tracked entry in the DB with the same IP, the host should associate to a host entry that is tracked by the IP, or a new host entry is created to store the data.

                I am sure there is more to it than this (e.g. checking for signs that the system has been rebuilt or changed, like the OS changing, etc.) but the same basic process seems to be sane.

                On another note, wouldn't it also be possible for systems that use Authenticated scans to leave behind some sort of entry that provides more correlation information (e.g. stash the Host ID into a registry key or a file in /var/lib/qualys)?

                --Matt
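To make the collation rules concrete, here is a constructed model of the behaviour Caleb describes earlier in the thread (results merged under a DNS or NetBIOS name across IP changes, and results discarded when a name-tracked IP does not resolve), applied to the per-IP tracking designation that Matt's process above assumes. This is an added illustration, not Qualys code; the IPs, hostnames and finding IDs are made-up sample values.

```python
# Constructed model (not Qualys code) of how scan results are collated under
# IP, DNS and NetBIOS tracking, including the discard caveat from the thread.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ScanResult:
    ip: str
    dns: Optional[str]        # name the scanner resolved for this IP, if any
    netbios: Optional[str]    # NetBIOS name the target answered with, if any
    findings: Tuple[str, ...] # finding IDs from this scan (constructed values)

def tracking_identity(result: ScanResult, method: str) -> Optional[str]:
    """The value that identifies this host over time under the given method."""
    if method == "IP":
        return result.ip
    return {"DNS": result.dns, "NETBIOS": result.netbios}[method]

def correlate(tracking_by_ip: Dict[str, str],
              history: Dict[Tuple[str, str], List[Tuple[str, ...]]],
              results: List[ScanResult]) -> List[ScanResult]:
    """Append each result's findings to the host record it belongs to.

    tracking_by_ip: tracking method assigned to each host asset (IP by default).
    history: (method, identity) -> findings from earlier scans, keyed the way
             trending needs it. Returns the results that had to be discarded.
    """
    discarded = []
    for r in results:
        method = tracking_by_ip.get(r.ip, "IP")
        identity = tracking_identity(r, method)
        if identity is None:
            # Designated name-tracked but the name did not resolve: filing it
            # under the IP would pollute the trend of the host usually there.
            discarded.append(r)
            continue
        history.setdefault((method, identity), []).append(r.findings)
    return discarded

def demo():
    tracking = {"10.0.0.5": "DNS", "10.0.0.6": "DNS", "10.0.0.9": "NETBIOS"}
    history: Dict[Tuple[str, str], List[Tuple[str, ...]]] = {}
    # Scan 1: laptop at .5.  Scan 2: same laptop now at .6, a router sitting
    # on .9 (designated NetBIOS tracking), and an IP-tracked server at .20.
    scan1 = [ScanResult("10.0.0.5", "lt01.corp.example", "LT01", ("QID-1",))]
    scan2 = [ScanResult("10.0.0.6", "lt01.corp.example", "LT01", ("QID-1", "QID-2")),
             ScanResult("10.0.0.9", "rtr.corp.example", None, ("QID-3",)),
             ScanResult("10.0.0.20", None, None, ("QID-4",))]
    dropped = correlate(tracking, history, scan1) + correlate(tracking, history, scan2)
    return history, dropped
```

Running `demo()` shows the laptop's two scans merged under its DNS name despite the IP change, while the router's result on the NetBIOS-designated IP is dropped rather than misfiled.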

                • Caleb Corey Level 2 32 posts since
                  Jul 27, 2010
                  Jun 11, 2012 9:54 AM (in response to Matt Mossholder)
                  Re: Adding hosts on DNS name

                  Matt-

                  Unfortunately, it isn't quite that simple; the 'catch-all' of just tracking by IP if things don't resolve means the likelihood is very high that the IP-tracked data would be unreliable (for trending purposes, which is the only purpose for which tracking is relevant, obviously) and that would, of course, completely undo things for a very large number of users.

                  As far as authentication, again - we do not want to add to the registry or leave files on a target (there's an entire laundry list of reasons for this, but the shortest and most direct is that writing to the registry or anywhere but /tmp on a UNIX system opens up the potential to cause problems - even if it's only in 0.001% of targets, with tens of millions of scans annually, that's a lot of potential issues). What little writing to target systems we do do is very carefully managed for that very reason.

                  For the time being, much of this discussion does sound good in theory but is not anything we can implement (and certainly not in the short term) without a whole lot of development and research.

                  As I mentioned above, there is work going into a lot of things that are at least similar to many of the items noted above - the first parts of some of this work will be bearing fruit with the asset tagging system that we're developing.

                  -Caleb

    • Caleb Corey Level 2 32 posts since
      Jul 27, 2010
      Jun 18, 2012 8:47 AM (in response to Rene van Wolferen)
      Adding hosts on DNS name

      Rene-

      Scan by hostname (if enabled) is enabled ONLY for scanner appliances and not for external scanners because we want to make sure that the way host resolution and scanning is performed is consistent in your environment. Using the External scanners could produce inconsistent results (since our scanner pools could be using different DNS servers at different times), whereas you have control over which DNS servers your scanners are querying.

      -Caleb

      Support Engineer
