Where to place a vulnerability scanner within a data center?
Question
There is currently a debate in my office on the best location to place a vulnerability scanner (a distributed scanner - Rapid7 Nexpose, using scan engines) within a data center.
I see two options:
- Place the virtual appliance in a secured VLAN, open ip any from the appliance to all IP addresses in the DC so we can ensure all UDP and TCP can be scanned.
- Give the virtual appliance a virtual interface for each VLAN in the data center
I like the second option, as I do not have to traverse a firewall, as I know that firewalls can sometimes mess with vulnerability scanners. However, is there any reason why the first option would not work? Our network team is leaning towards it and I want to make sure that would be acceptable.
Explanation / Answer
The question is which "view" you want on the network from the vulnerability scanner's point of view.
If you want to include the firewall security in your vulnerability assessment, you should place the scanner with no access to the internet, but on the "WAN" side of the security boundary in the firewall. Thus, your vulnerability scanner would then alert you if you accidentally misconfigure your firewall to expose a vulnerability on the internet. Thus, all your servers and firewall will simply consider your vulnerability scanner as something coming from the internet. Blocking internet access for the vulnerability scanner altogether (in both directions) is important so that your vulnerability scanner does not get hacked and taken over to perform vulnerability scans on hosts not belonging to your network.
Another view is, for example, if you simply want an assessment that everything is so securely set up that you can completely remove the firewall from the equation; then you put the vulnerability scanner on the inside, on the LAN side.
A third use of a vulnerability scanner is, for example, bridging it with a wireless access point, so you get a view of the network as if a hacker would connect with a wireless client.
So there's no correct answer to your question. Depending on what you want to see, you should let the vulnerability scanner either traverse the firewall (without any exceptions) or the vulnerability scanner should have full access.
A vulnerability scanner is a measurement tool, and you place it, of course, where you want to measure the security. If I want to know the outside temp, I put the thermometer on the outside. If I want to know the inside temp, I put the thermometer on the inside. Here the insulation in the wall could be the "firewall".
Same here with your vulnerability scanner. To put it short: place it logically in your network exactly where you want to measure the security.
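The answer's two vantage points (a scan engine on the WAN side of the firewall versus one inside the VLAN) produce different result sets, and the useful signal is the difference between them. The following script is an added illustration, not code from the question or the answer and not part of Rapid7 Nexpose; it assumes a simple constructed "host proto/port state" export format and an allowlist of services that are intended to be reachable from outside, and it flags both firewall exposures (open from outside but not on the allowlist) and services that only an inside scan can assess.

```python
"""Compare an inside-VLAN scan view with a WAN-side scan view.

Added example with constructed data; the line format and the INTENDED_EXTERNAL
policy are assumptions for illustration, not a Nexpose export format.
"""

# Constructed sample: what the scan engine on the inside VLAN found open.
INSIDE_SCAN = """\
10.0.10.5 tcp/22 open
10.0.10.5 tcp/443 open
10.0.10.5 udp/161 open
10.0.10.6 tcp/22 open
10.0.10.6 tcp/3306 open
"""

# Constructed sample: what the scan engine on the WAN side of the firewall found.
# tcp/3306 is reported as "filtered", i.e. the firewall is doing its job there.
OUTSIDE_SCAN = """\
10.0.10.5 tcp/443 open
10.0.10.5 udp/161 open
10.0.10.6 tcp/3306 filtered
"""

# Policy (assumption): the only services meant to be reachable from the WAN side.
INTENDED_EXTERNAL = {("10.0.10.5", "tcp", 443)}


def parse_scan(text):
    """Return the set of (host, proto, port) entries whose state is 'open'.

    Lines that are blank or malformed are skipped rather than crashing the
    comparison, so a partially garbled export still yields a usable diff.
    """
    open_services = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or "/" not in fields[1]:
            continue
        host, proto_port, state = fields
        proto, port = proto_port.split("/", 1)
        if state != "open" or not port.isdigit():
            continue
        open_services.add((host, proto, int(port)))
    return open_services


def exposed_by_firewall(outside_open, intended_external):
    """Services reachable from the WAN side that policy does not allow.

    This is the alert the answer describes: a firewall misconfiguration that
    exposes something to the internet shows up only in the outside view.
    """
    return sorted(outside_open - intended_external)


def only_visible_inside(inside_open, outside_open):
    """Services the firewall hides from the outside.

    Vulnerabilities on these can only be measured by the inside scan engine,
    which is the case for placing the scanner on the LAN side.
    """
    return sorted(inside_open - outside_open)


def compare_views(inside_text, outside_text, intended_external):
    """Build a small report dict from the two raw scan exports."""
    inside_open = parse_scan(inside_text)
    outside_open = parse_scan(outside_text)
    return {
        "exposed": exposed_by_firewall(outside_open, intended_external),
        "inside_only": only_visible_inside(inside_open, outside_open),
    }


if __name__ == "__main__":
    report = compare_views(INSIDE_SCAN, OUTSIDE_SCAN, INTENDED_EXTERNAL)
    for host, proto, port in report["exposed"]:
        print(f"EXPOSED: {host} {proto}/{port} is open from outside but not in policy")
    for host, proto, port in report["inside_only"]:
        print(f"inside-only: {host} {proto}/{port} (assessable only from the LAN side)")
```

With the constructed data, the WAN-side view flags SNMP (udp/161) on 10.0.10.5 as an unintended exposure, while SSH on both hosts and MySQL on 10.0.10.6 are reported as assessable only from the inside scan engine; which of those two lists you care about is exactly the placement decision the answer describes.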