
Mapping woes for large companies.

Question asked by jasonw on Sep 23, 2014

Given that mapping does not require IPs be added to your subscription, why are domains restricted to one "None" domain?

 

Really this question should be, "Why does a domain name need to be defined at all?"

 

 

Background:

We have 6-8 Class C external IP ranges, 3 primary data centers with 2 auxiliary locations, and 300+ remote offices. These are spread all over the world.

We have defined time windows in which to do mapping and scanning.

We use multiple internal scanners to reduce having to map/scan across WAN links.

 

Externally, I have 4 maps that need to run. I know what the ranges are, and there is no domain name that is distinctly relevant to any of these maps. It is just IP spaces and time windows.

 

Internally, it is the same situation, just on a much larger scale.

 

This has no real relevance to us...

MyCompany.com:[1.1.1.1/24, 2.2.2.2/24, 3.3.3.3/24, 4.4.4.4/24]

 

This however would be extremely valuable both internally and externally...

EastCoast:[1.1.1.1/24]

WestCoast:[2.2.2.2/24]

Europe:[3.3.3.3/24]

EastAsia:[4.4.4.4]

 

I know that Asset Groups can be created based on domains, and that they can even be based on just select netblocks within a defined domain.

 

a) This is a pain to manually manage for internal ranges and can have some undesired results after upgrades to the Qualys service.

b) Reporting and scan notifications are based on the whole domain definition, not the partial selection.

 

ex.

MyCompany.com:[1.1.1.1/24, 2.2.2.2/24, 3.3.3.3/24, 4.4.4.4/24]

AssetGroup1 - MyCompany.com:[1.1.1.1/24, 2.2.2.2/24]

AssetGroup2 - MyCompany.com:[3.3.3.3/24, 4.4.4.4/24]

 

Map1 - AssetGroup1 = 100 hosts

Map2 - AssetGroup2 = 50 hosts (Difference reported is -50 hosts even though the 2 map jobs mapped totally different ranges.)

Map3 - AssetGroup1 = 120 hosts (Difference reported now is +70 hosts. Which is incorrect.)
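The difference figures in the question can be reproduced offline. This is an added example, not part of the original post and not Qualys code. It assumes each map is compared with the most recent map that shares the same key, so keying on the domain gives the reported -50 and +70, while keying on the netblocks actually mapped compares Map3 with Map1. `MapJob`, `hosts_in`, `scope_key` and `diff_maps` are hypothetical names, and the host addresses are constructed.

```python
import ipaddress
from collections import namedtuple

MapJob = namedtuple("MapJob", "name domain netblocks hosts")

def hosts_in(netblock, count):
    """Constructed sample data: the first `count` addresses of a netblock."""
    net = ipaddress.ip_network(netblock, strict=False)  # "1.1.1.1/24" has host bits set
    return {net.network_address + i for i in range(1, count + 1)}

def scope_key(job):
    """Identify a map by the exact set of netblocks it covered, order-insensitive."""
    return frozenset(ipaddress.ip_network(n, strict=False) for n in job.netblocks)

def diff_maps(jobs, key):
    """Diff each job against the previous job that shares the same key."""
    previous, report = {}, {}
    for job in jobs:
        base = previous.get(key(job))
        if base is None:
            report[job.name] = None  # first map for this key: nothing to compare with
        else:
            added, removed = job.hosts - base.hosts, base.hosts - job.hosts
            report[job.name] = {"added": len(added), "removed": len(removed),
                                "net": len(added) - len(removed)}
        previous[key(job)] = job
    return report

GROUP1 = ["1.1.1.1/24", "2.2.2.2/24"]  # AssetGroup1 from the post
GROUP2 = ["3.3.3.3/24", "4.4.4.4/24"]  # AssetGroup2 from the post
JOBS = [  # host counts from the post; the addresses themselves are constructed
    MapJob("Map1", "MyCompany.com", GROUP1, hosts_in(GROUP1[0], 60) | hosts_in(GROUP1[1], 40)),
    MapJob("Map2", "MyCompany.com", GROUP2, hosts_in(GROUP2[0], 30) | hosts_in(GROUP2[1], 20)),
    MapJob("Map3", "MyCompany.com", GROUP1, hosts_in(GROUP1[0], 70) | hosts_in(GROUP1[1], 50)),
]

BY_DOMAIN = diff_maps(JOBS, key=lambda job: job.domain)  # baseline: last map of the domain
BY_SCOPE = diff_maps(JOBS, key=scope_key)                # baseline: last map of the same ranges

if __name__ == "__main__":
    for name in ("Map1", "Map2", "Map3"):
        print(name, "by domain:", BY_DOMAIN[name], "| by scope:", BY_SCOPE[name])
```

With the domain as the key, Map2 also counts all 100 hosts from Map1 as removed even though those ranges were never part of that job.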
