
Multiple Domains per Network - Authentication Record Strategy

Question asked by David Veatch on Mar 2, 2018
Latest reply on Jun 27, 2018 by Chris Jones

Based on my understanding of Authentication Records, networks, and scanner appliances, the following is true:

  1. Multiple scanner appliances can be assigned to a given network, but only one network can be assigned to any given scanner appliance.
  2. Multiple authentication records can be assigned to a given network, but only one network can be assigned to any given authentication record.

In our environment, segmentation dictates multiple scanner appliances across multiple very large networks (/11, /16, /20, etc.), each of which has multiple Active Directory domains that use shared infrastructure services (AD, DNS, etc.) spread across multiple segments within each network.

Very much simplified for explanation's sake, we have the following networks defined based on distinct supernets and subnets:

  - Untrust
  - DMZ
  - Semi-Trust
  - Trust

In each of those, we may have one or more of the following Active Directory domains represented:

  - CORE.lan
  - CLOUD.lan
  - PAAS.lan
  - SAAS.lan

That gives a high number of potential combinations.  Is it necessary to create a distinct authentication record for each domain within each network?  Given the above examples, that would be 16 separate authentication records, with a lot of credential duplication and maintenance should any one of the passwords need to change.


Auth Record - Untrust-CORE.lan
Auth Record - Untrust-CLOUD.lan
Auth Record - Untrust-PAAS.lan
Auth Record - Untrust-SAAS.lan

Auth Record - DMZ-CORE.lan
Auth Record - DMZ-CLOUD.lan
Auth Record - DMZ-PAAS.lan
Auth Record - DMZ-SAAS.lan
Auth Record - Semi-Trust-CORE.lan
Auth Record - Semi-Trust-CLOUD.lan
Auth Record - Semi-Trust-PAAS.lan
Auth Record - Semi-Trust-SAAS.lan
Auth Record - Trust-CORE.lan
Auth Record - Trust-CLOUD.lan
Auth Record - Trust-PAAS.lan
Auth Record - Trust-SAAS.lan
