abdulmoheed
Level 8

MVM required all ports from DMZ to Inside network

Hi,

We have an MVM 3200 appliance which is placed in the DMZ network.

MVM(DMZ) <--> Firewall <--> INSIDE

Our Cisco firewall needs to open all ports (1-65535) while scanning.

Is there any mechanism to reduce the ports while scanning?

0 Kudos
4 Replies
georgec
Level 13

Re: MVM required all ports from DMZ to Inside network

Yes, deploy scanning engines to perform the scan from within different network segments, instead of using just one all-in-one machine to try to perform all the scans.

George

0 Kudos
abdulmoheed
Level 8

Re: MVM required all ports from DMZ to Inside network


Thanks Georgec,

I agree with you, but due to some limitations we cannot keep a scanning engine in the inside network, so in that case we have to open all ports from DMZ to inside.

0 Kudos
georgec
Level 13

Re: MVM required all ports from DMZ to Inside network

I'm sure you can find a Windows license to install it. Your MVM license allows you to install as many scanning engines as you want as long as the total number of scanned nodes is within your license count. The last thing you want to do is to open up all the ports for a host towards the internal network.

George

foose
Level 9

Re: MVM required all ports from DMZ to Inside network

As stated, you could deploy a remote scanner and only utilize the needed ports (such as 443) for communication from console to remote scan engine. 

The real question is what you are trying to accomplish with MVM. Are you "port knocking" on all TCP/UDP ports? Yes, then you need all 65535 open. Are you just scanning certain hosts for Windows vulnerabilities? Then you might be able to reduce the number of ports to the 636, 135, 445, 389, etc. needed for Windows access. Search the knowledge base and documentation and you might find the "required" ports needed for each type of OS.

There are ways to massage access groups and ACLs so that a full any:any is not required.
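An added example (not from this thread or from the MVM documentation) of what that ACL tightening looks like on a Cisco ASA: the blanket any:any rule the original poster describes, beside a rule limited to the scanner's address and the Windows ports foose lists. The addresses, object names and interface name are constructed; the port list must be confirmed against the MVM documentation for the OS being scanned, as the reply says.

```text
! --- Weak: what "open all ports from DMZ to inside" looks like ---
! The scanner (constructed address 192.0.2.10) may reach every inside
! host on every TCP/UDP port; a compromised scanner has the same reach.
access-list DMZ_IN extended permit ip host 192.0.2.10 10.0.0.0 255.255.255.0

! --- Tightened: same scanner, only the hosts and ports the scan needs ---
object network MVM_SCANNER
 host 192.0.2.10
object-group network INSIDE_SCAN_TARGETS
 ! only the Windows hosts in scope for the credentialed scan
 network-object 10.0.0.0 255.255.255.0
object-group service MVM_WINDOWS_PORTS tcp
 ! ports named in the reply above; extend only from the MVM docs
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 636
access-list DMZ_IN remark MVM scanner to in-scope Windows hosts, scan ports only
access-list DMZ_IN extended permit tcp object MVM_SCANNER object-group INSIDE_SCAN_TARGETS object-group MVM_WINDOWS_PORTS

! --- Alternative from the replies: scan engine placed inside ---
! Then the DMZ console only needs the console-to-engine port (443 per
! the reply) to one inside host (constructed address 10.0.0.20).
access-list DMZ_IN remark MVM console to remote scan engine
access-list DMZ_IN extended permit tcp object MVM_SCANNER host 10.0.0.20 eq 443

! Log anything else from the DMZ so unexpected scanner traffic is visible
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Apply only the permit line that matches the chosen design (scanner in DMZ, or engine inside), and watch the deny log for ports the scan still needs before widening the service group.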