Last updated Monday, October 17, 2022 19:48:30 GMT

Trying to handle a large network can be difficult. Too often, engineers and admins don't know the full scope of their environment and have trouble defining the actual subnets and the systems that exist on those subnets. They know of a couple /24 subnets here or there, but it's very possible they're missing a few. Once you get over a couple thousand assets, it can get fairly unruly pretty quickly. Different teams own different servers and different network ranges. With regards to InsightVM, how do you know what sites to create if you don't even know what you own?

Fortunately, in InsightVM we can use a little SQL, a catch-all site with a ping sweep, and a nifty little tag to help get a handle on things, all without any third-party software or other management tools you may acquire to help you wrangle your IP space. This method in InsightVM lets you find all live assets and identify all network spaces being used in your environment. Then we can correlate this list against our known subnets and begin building out defined sites for scanning. As we create our known sites, we can start whittling down the number of unknown or undefined subnets.

1. Ping sweep template

The first step is to create a new scan template dedicated solely to a ping sweep. This template does not scan any other services or ports, fingerprint, or perform any other action; it simply sends pings to see what is alive. If we get a response, we assume there is a live asset there, which will help build out our known networks.

Use these screenshots as a guide to create the template. Note that almost everything is turned off except ICMP and ARP pings, and we're not treating TCP resets as live assets (we don't want firewalls throwing us off). The scan takes only a few minutes to complete, as it's not doing all the other functions that a typical scan does.

If you are using network gear that answers ICMP traffic on behalf of endpoint devices, then DO NOT use this method, or tune your network gear so it no longer responds to ICMP traffic for those endpoints.

If your network gear was designed to respond to ICMP traffic for endpoint devices and you used this method, InsightVM would see every possible IP in the scope as a live asset and fill the database with erroneous data, possibly leading to console health issues.

2. Catch-all site

The second step in this process is to create a catch-all site. Give it a simple name like "Full Network" or whatever floats your boat. What's important is that, within this site, you define as large a network range as you know of. Think /16 here, or even several /16 networks. I don't know your network, so use your judgment as to what you think exists. The idea is to be as broad as possible.

Now, within this site, set the default scan template to the "Ping Sweep" template from my example above. Set the default scan engine or scan pool, then save and scan.

What you should get back now is a full list of every live IP that exists within the defined network. If the network you defined contains all possible IP space, and we assume all assets are online and able to respond, then you should have a fairly sound list of discovered assets.

3. Known networks report

The next step is to go to the Reports tab and create a SQL Query Export. Put the following SQL query into the definition, and scope the query from the GUI to your "Full Network" site.

WITH a AS (
    SELECT
        asset_id,
        CONCAT(split_part(ip_address, '.', 1), '.', split_part(ip_address, '.', 2), '.', split_part(ip_address, '.', 3), '.0/24') AS network
    FROM dim_asset
)
SELECT DISTINCT network
FROM a
ORDER BY network ASC

Save and run this report, and you will get a CSV output of all the /24 networks that have at least one live IP in them. You can use this CSV to compare against your known list of networks and start defining the actual sites within your environment. For example, if this report lists 10.0.0.0/24 and you know that network as your main corporate server VLAN, then you can include that network in a separate site for vulnerability scanning.
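To do that comparison in code rather than by eye, here is an added example (not part of the original post and not InsightVM's own tooling) that reads the report CSV, re-derives a /24 the same way the query's split_part/CONCAT does, and flags live /24s that no defined site range covers, including sites defined with larger ranges such as a /23. The CSV rows and the site ranges are constructed samples.

```python
import csv
import io
import ipaddress

# Constructed sample of what the "known networks" SQL export returns:
# one /24 per row under a "network" header. Not real data.
SAMPLE_REPORT_CSV = """network
10.0.0.0/24
10.0.1.0/24
10.5.7.0/24
172.16.40.0/24
192.168.100.0/24
"""

# Constructed sample of ranges already defined as InsightVM sites
# (hypothetical site names; ranges may be wider than a /24).
DEFINED_SITES = {
    "Corp Servers": ["10.0.0.0/23"],
    "Branch Office": ["172.16.40.0/24"],
}


def to_slash24(ip_text):
    """Python equivalent of the query's CONCAT(split_part(...)) trick.

    The SQL splits on '.', so it only makes sense for IPv4; an IPv6
    address would produce a meaningless string there, so reject it here.
    """
    addr = ipaddress.ip_address(ip_text)
    if addr.version != 4:
        raise ValueError(f"{ip_text} is not IPv4; the /24 derivation does not apply")
    return ipaddress.ip_network(f"{addr}/24", strict=False)


def load_live_networks(csv_text):
    """Parse the SQL export CSV into ip_network objects."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [ipaddress.ip_network(row["network"].strip()) for row in reader]


def undefined_networks(live_networks, defined_sites):
    """Return the live /24s that no defined site range covers, sorted."""
    site_ranges = [ipaddress.ip_network(r) for ranges in defined_sites.values() for r in ranges]
    leftover = []
    for net in live_networks:
        # subnet_of() only compares same-version networks, so filter first.
        covered = any(net.subnet_of(r) for r in site_ranges if r.version == net.version)
        if not covered:
            leftover.append(net)
    return sorted(leftover)


if __name__ == "__main__":
    for net in undefined_networks(load_live_networks(SAMPLE_REPORT_CSV), DEFINED_SITES):
        print(f"undefined: {net}")
```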

4. Dynamic tag

Now that we have started defining known networks as sites, we need to create a dynamic tag that gets applied to all assets within any site. Now, in my example, I am not including the Rapid7 Insight Agents site, because depending on your environment and whether people are working from home, the Insight Agent may report the IP of their computer when logged onto their home network. We obviously can't scan home networks, so we want to exclude this site to deter any of that bad data.

Create a dynamic tag with a few lines to include each site. Note that if your site structure is large enough that you have hundreds of sites, you may want to use the API for this part, but we won't cover that here; that's another topic.

In the example below, I only have four sites. Keep in mind I did not select the Rapid7 Insight Agents site or my Full Network site. Make sure the operator is set to match ANY of the specified filters. Apply a tag called "Defined Network" to these criteria to tag all assets within a defined site.

You could also optionally create a secondary tag for "Undefined Networks", but that is not required for this process. The query below will give you the undefined network assets. Basically, the query is just looking for any assets that do not have the Defined Network tag and are not in the Rapid7 Insight Agents sites.

5. Undefined networks report

Now we can set up our secondary SQL report to show us all networks that are not defined within the scope of a site. Once again, go to the Reports tab, create a SQL Query Export report, and put this query into the definition.

WITH a AS (
    SELECT
        asset_id,
        CONCAT(split_part(ip_address, '.', 1), '.', split_part(ip_address, '.', 2), '.', split_part(ip_address, '.', 3), '.0/24') AS network
    FROM dim_asset
)
SELECT DISTINCT network
FROM a
WHERE a.asset_id NOT IN (
    -- every asset that already carries the "Defined Network" tag
    SELECT DISTINCT asset_id
    FROM dim_asset
    LEFT JOIN dim_tag_asset USING (asset_id)
    LEFT JOIN dim_tag USING (tag_id)
    WHERE tag_name = 'Defined Network'
)
ORDER BY network ASC

Save and run this report, and you will get a new CSV that lists all /24 networks where at least one live asset was found but the assets sit in a /24 that has not been defined within the scope of a created site. You can use this CSV to work your way through those networks to determine what they are and who owns them, and then ensure they are included in future or current sites.

Large environments with unknown network components can be difficult to manage and monitor for vulnerabilities. These five steps in InsightVM help make the process easier and more intuitive, so you can maintain better oversight and a stronger security posture within your environment.
