Appendix D- Extending the Network Feature

The Network feature also applies to Passive Sensor (PS) appliances, where it provides the following benefits:

  1. It allows PS to keep two or more passively sensed assets that share the same IP address, because they come from overlapping IP address space, as separate assets within one subscription, each with its own identity.
  2. It allows PS to tag assets dynamically based on their Network and IP address.
  3. It allows PS to de-duplicate a passively sensed asset against a managed asset that has the same IP address and merge the two, provided both assets belong to the same Network. Asset de-duplication is therefore extended to use the IP address alone as a merge criterion, in addition to the previously supported MAC address and hostname. PS merges on MAC address if one is available; if not, on hostname; and lastly on IP address alone.

The Network feature is available as a subscription on your account. You only need this subscription if you have assets in overlapping IP address space that must be inventoried.

Use Cases

  1. Your network contains overlapping private RFC 1918 address space: one range is in your existing enterprise network, and the same range arrives with an acquisition. You may already be actively scanning the enterprise network with Qualys scanner appliances and/or passively sensing it, and now want to extend the same active scanning and passive sensing to the overlapping private address space of the acquired network. You want to inventory the assets in both overlapping spaces and see each asset tagged with a name that identifies the enterprise network or the acquired network. You also want unmanaged assets from the enterprise network to merge only with managed assets from the enterprise network, and likewise for the acquired network.
  2. The second case of overlapping IP address space is where you have used routable, non-RFC 1918 IPs in your internal network and want to keep them separate from the routable IPs assigned to load balancers and external-facing servers. You want to de-duplicate the assets of this internal network with non-RFC 1918 IPs, as actively scanned by an internal scanner appliance, against the assets passively sensed from the same internal network.
  3. A third use case, which arises more from a misunderstanding of the Network feature, is to define networks according to administrative domains rather than overlapping IP address space. In this case a single passive sensor may be associated with more than one administrative network whose traffic it senses.

Note: For use cases 1 and 2 you must have two or more passive sensors, one for each overlapping IP address space. You cannot use a single sensor that is fed mirrored traffic from two networks with overlapping IP address space.

Use Network Feature

  1. Subscribe to the Network feature to see the Network tab in the VMDR module. Use the Network tab to define two networks, one for each overlapping space:
    1. Enterprise Network N1
    2. Acquired Network N2
  2. In VMDR, define an asset group in each of the networks, for example:
    1. Asset group AG1: 192.168.0.0/24, Network N1
    2. Asset group AG2: 192.168.0.0/24, Network N2
  3. Deploy one PS appliance in each network and associate it with that network. To configure the association, open the Passive Sensor module, select a sensor, go to the Network tab in the sensor details, and edit it to pick the Network from the list of defined Networks.
    • Deploy PS1 in Network N1. Configure PS1 with 192.168.0.0/24 as its internal inventory IP range and associate PS1 with N1.
    • Deploy PS2 in Network N2. Configure PS2 with 192.168.0.0/24 as its internal inventory IP range and associate PS2 with N2.
    • Register both sensors with the same account.
  4. Run active scans or install Cloud Agents on the assets in each range, so that the resulting managed assets can be de-duplicated against the unmanaged assets sensed by PS1 and PS2.
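The following Python is an added example and not Qualys code or the actual PS merge implementation. It models the merge precedence from the benefits list above (MAC address, then hostname, then IP address alone, and only within the same Network) and the N1/N2 procedure just described, so you can see why two assets at 192.168.0.10 stay separate when they come from different Networks and merge with the right managed asset when they come from the same one. The Network and asset-group names come from the procedure; the MAC addresses, hostnames and sensed assets are constructed sample data. How a MAC mismatch is treated is an assumption: the example takes two different MACs to mean two different devices and does not fall through to hostname or IP.

```python
"""Model of Network-scoped de-duplication and tagging for passively sensed assets.

Added example (not Qualys code). Merge rules modelled: within one Network a sensed
asset merges into a managed asset by MAC if both records carry one, else by
hostname if both carry one, else by IP alone. Assets in different Networks never
merge, even with identical IPs. Treating a MAC mismatch as "different device"
(no fall-through to hostname/IP) is an assumption of this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Asset:
    network: str                      # Network the sensor or scanner is associated with
    ip: str
    mac: Optional[str] = None
    hostname: Optional[str] = None
    managed: bool = False             # True for actively scanned / Cloud Agent assets
    tags: set = field(default_factory=set)


@dataclass
class AssetGroup:
    name: str
    cidr: str
    network: str


def match_criterion(sensed: Asset, managed: Asset) -> Optional[str]:
    """Return 'mac', 'hostname' or 'ip' when `sensed` merges into `managed`, else None."""
    if sensed.network != managed.network:
        return None                   # overlapping space: different Network means a different asset
    if sensed.mac and managed.mac:
        return "mac" if sensed.mac.lower() == managed.mac.lower() else None
    if sensed.hostname and managed.hostname:
        return "hostname" if sensed.hostname.lower() == managed.hostname.lower() else None
    return "ip" if sensed.ip == managed.ip else None


def deduplicate(assets: list[Asset]) -> tuple[list[Asset], list[tuple[str, str, Optional[str]]]]:
    """Merge unmanaged (sensed) assets into managed ones.

    Returns the inventory and a merge log of (network, ip, criterion); a criterion of
    None means the sensed asset was kept as a separate unmanaged asset.
    """
    managed = [a for a in assets if a.managed]
    inventory = list(managed)
    log = []
    for sensed in (a for a in assets if not a.managed):
        target, criterion = None, None
        for m in managed:
            criterion = match_criterion(sensed, m)
            if criterion:
                target = m
                break
        if target is None:
            inventory.append(sensed)
        else:
            # The managed identity wins; the sensed record only fills in missing attributes.
            target.mac = target.mac or sensed.mac
            target.hostname = target.hostname or sensed.hostname
        log.append((sensed.network, sensed.ip, criterion))
    return inventory, log


def apply_tags(inventory: list[Asset], groups: list[AssetGroup]) -> list[Asset]:
    """Tag each asset with the Network and asset-group name whose range contains its IP,
    matching on Network as well as on IP (dynamic tagging based on Network and IP)."""
    for asset in inventory:
        for g in groups:
            if asset.network == g.network and ip_address(asset.ip) in ip_network(g.cidr):
                asset.tags.update({g.network, g.name})
    return inventory


# Constructed sample: the N1 / N2 scenario from the procedure, both using 192.168.0.0/24.
GROUPS = [AssetGroup("AG1", "192.168.0.0/24", "N1"),
          AssetGroup("AG2", "192.168.0.0/24", "N2")]

SAMPLE = [
    # managed assets (active scan or Cloud Agent); Network comes from the scanner/agent
    Asset("N1", "192.168.0.10", mac="aa:bb:cc:00:00:01", hostname="web01", managed=True),
    Asset("N1", "192.168.0.20", hostname="db01", managed=True),
    Asset("N1", "192.168.0.30", managed=True),
    Asset("N2", "192.168.0.10", mac="aa:bb:cc:00:00:02", hostname="acq-web01", managed=True),
    # passively sensed by PS1 (associated with N1)
    Asset("N1", "192.168.0.10", mac="AA:BB:CC:00:00:01"),   # merges by MAC
    Asset("N1", "192.168.0.20", hostname="DB01"),           # no MAC: merges by hostname
    Asset("N1", "192.168.0.30"),                            # IP only: merges by IP
    Asset("N1", "192.168.0.40"),                            # no managed peer: stays unmanaged
    # passively sensed by PS2 (associated with N2)
    Asset("N2", "192.168.0.10"),                            # same IP as N1's web01, but Network N2
    Asset("N2", "192.168.0.40"),                            # distinct from N1's 192.168.0.40
]


def build_example_inventory() -> tuple[list[Asset], list[tuple[str, str, Optional[str]]]]:
    inventory, log = deduplicate(SAMPLE)
    return apply_tags(inventory, GROUPS), log


if __name__ == "__main__":
    inv, merge_log = build_example_inventory()
    for a in inv:
        print(a.network, a.ip, "managed" if a.managed else "unmanaged", sorted(a.tags))
    for entry in merge_log:
        print("sensed", entry[0], entry[1], "->", entry[2] or "kept as unmanaged")
```

With the Network as part of the identity the sample yields six assets for four distinct IP addresses; keyed on IP alone, the two 192.168.0.10 hosts and the two 192.168.0.40 hosts would have collapsed into one asset each, which is exactly the loss of identity the Network feature prevents.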

Related Topic

Appendix E- Classification of Assets in Passive Sensor