Has anyone been able to tag assets with a defined tag based on if they were scanned by an External Qualys scanner appliance?
My reasoning for this is to tag assets that are detected during external perimeter scans as "INET_EXPOSED" so I can pull periodic inventories and vulnerability reports. This also helps keep network/firewall teams honest when they say something is no internet facing.
At this time, there isn't a flag based on the Scanner Appliance that we can use for tagging.
How about tagging based on IP ranges? I'm guessing there must be a well-defined set of IP's that have been publicly exposed.
Thanks for the response. I prefer not to use known IP ranges for a tag since that would leave us with continually having to update the list or cause issues where we add an IP (let's say in the DMZ) that is in the internet range but is not actually internet exposed.
If we scan an entire netblock and only get back what is truly visible from the outside, I feel that is the more accurate way of detections and inventory creation. The added benefit is that scans could be scheduled and tagging would automatically be maintained.
Red,
Did my response make sense? Basically you could use a MAP Scan to scan all the external Ranges you have defined. You disable the DNS part of the map scan so your not "depending" or relying on DNS as it can lie.
I would add port 3389 and a few others I can share what we do.
Now when the MAP runs you can download the map and you will have a few IPs to remove because they will be in the list as part of the hops from the scanners to your ranges.
Then you could write a fairly simple script to take the list of IP Addresses identified by the MAP and create/redefine a tag for those IPs, so not a range but specific IPs to TAG.
Next time you run and you redefine the TAG if an IP was in the list on say the 1st of the month but not on the 15th the tag would get removed.
We are pulling the data into Splunk for some of this.
David
Yep thanks. that is similar to the current way we do things. It would be better to have it all done within the Qualys product instead of relying on an outside resource to execute scripts etc.
Red,
I have asked for something similar. Right now the only thing I can do is to create one tag for the NETWORK Range(s) that are Potentially exposed. Then you can use the Light Inventory scan to scan the network range from external. Now that will TAG the assets exposed. After that you could run a full vuln scan but you can also run a report of the assets identified by the tag as now the TAG has been applied to all of the assets. Now you should be able to run the scan every week or so to "Re-Tag" the assets. You might want to verify that if an asset is exposed on Week one and then the firewall team blocks that, the tag gets removed from the asset entry in Qualys. If not then you may need to "remove" the tag from the assets. You could do this with a script with some effort.
This I think would give you the report your after.
The other Technique I used was using the MAP scan. You can run the MAP Scan over the range; I recommend turning off DNS and adding a few other ports. This should give you a more accurate report and you can do something with the data. Such as download the CSV and compare the IPs in the MAP with another list of what should be and highlight the deltas.
Let me know if your interested and I can post more of what we have done and maybe something will benefit you.
David
I agree, actually I use the scanner in the map scans to help me determine what is exposed to the internet. I think for some people if the vulnerability on a host scanned from internally and externally you may have say two rows for poodle.
The thought is that if I scan an IP and say I discover the poodle issue on port 443; well that may not be an issue internally but externally different story. Right now from the data I can from a scan/report I can't get that context. Maybe it makes a difference and maybe not. In my case it would; I want the issue resolved but I would think that being exposed to the internet intrinsically increase the likelihood of any attack.
Just my humble thoughts on it.
David
I use my manual effort tagging as a way to identify externally exposed assets. I pull down all host detection's based on that tag and their vulnerabilities. I do care what is internet exposed, however I review the vulnerabilities holistically (all vulnerabilities on the asset regardless of internal/external scan) to take into account factors such as 1st and 2nd stage attack vectors. one low vulnerability may not seem severe facing the internet, but coupled with other vulnerabilities it may lead an attacker to chain exploits. going back to my original point, being able to tag assets within Qualys based on external scanner appliance would be a very efficient way of completing one of my tasks.
At this time, there isn't a flag based on the Scanner Appliance that we can use for tagging.
How about tagging based on IP ranges? I'm guessing there must be a well-defined set of IP's that have been publicly exposed.