MVM required all ports from DMZ to Inside network

Hi,

We have MVM 3200 appliance which is placed in DMZ network.

MVM(DMZ) <--> Firewall <--> INSIDE

Our Cisco firewall needs to open all ports (1-65535) while scanning.

Is there any mechanism to reduce the ports while scanning?

4 Replies
Level 13
Message 2 of 5

Re: MVM required all ports from DMZ to Inside network

Yes, deploy scanning engines to perform the scan from within different network segments, instead of using just one all-in-one machine to try to perform all the scans.

George


Re: MVM required all ports from DMZ to Inside network


Thanks Georgec,

I agree with you, but due to some limitations we cannot keep a scanning engine inside the network, so in that case we have to open all ports from DMZ to inside.

Level 13
Message 4 of 5

Re: MVM required all ports from DMZ to Inside network

I'm sure you can find a Windows license to install it. Your MVM license allows you to install as many scanning engines as you want as long as the total number of scanned nodes is within your license count. The last thing you want to do is to open up all the ports for a host towards the internal network.

George

Level 9
Message 5 of 5

Re: MVM required all ports from DMZ to Inside network

As stated, you could deploy a remote scanner and only utilize the needed ports (such as 443) for communication from console to remote scan engine.

The real question is what you are trying to accomplish with MVM. Are you "port knocking" on all TCP/UDP ports? Yes, then you need all 65535 open. Are you just scanning certain hosts for Windows vulnerabilities? Then you might be able to reduce the number of ports to the needed 636, 135, 445, 389, etc., needed for Windows access. Search the knowledge base and documentation and you might find the "required" ports needed for each type of OS.

There are ways to massage access groups and ACLs so that a full any:any is not required.
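An added example, not part of the thread, of what the ACL tightening described in the reply above looks like on a Cisco ASA: the any:any rule the original poster was asked to open, beside a rule restricted to the Windows-assessment ports the reply lists. The scanner address (10.10.10.5 in the DMZ) and the inside subnet (192.168.0.0/16) are constructed placeholders; the interface and object names are assumptions.

```cisco
! --- Before: the rule the original poster was asked for ---
! Full IP any-port access from the DMZ scan engine to the whole inside network.
! access-list DMZ_IN extended permit ip host 10.10.10.5 192.168.0.0 255.255.0.0

! --- After: only the ports the scan actually needs ---
! Constructed placeholder objects; replace with your own addressing.
object network MVM_SCAN_ENGINE
 host 10.10.10.5
object network INSIDE_SCAN_TARGETS
 subnet 192.168.0.0 255.255.0.0

! Ports named in the reply for authenticated Windows assessment.
object-group service MVM_WINDOWS_SCAN tcp
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 636

! Scan traffic: scanner -> inside Windows hosts, restricted destination ports only.
access-list DMZ_IN extended permit tcp object MVM_SCAN_ENGINE object INSIDE_SCAN_TARGETS object-group MVM_WINDOWS_SCAN

! Console-to-engine management on 443 only (the console is assumed to sit inside,
! so this rule is on the inside-facing list, not the DMZ one).
access-list INSIDE_IN extended permit tcp object INSIDE_SCAN_TARGETS object MVM_SCAN_ENGINE eq 443

! Log everything else the scanner tries towards inside, so unexpected probes are visible.
access-list DMZ_IN extended deny ip object MVM_SCAN_ENGINE object INSIDE_SCAN_TARGETS log

access-group DMZ_IN in interface DMZ
access-group INSIDE_IN in interface inside
```

The port list is only the starting point the reply suggests; a full TCP/UDP port sweep, as the reply notes, still needs the wide rule, so the decision is about what the scan policy actually requires.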
