I have the idea to install a Scan Engine on hardware with 4 network ports. The goal is to scan multiple DMZ segments by connecting one network port to each DMZ segment.
Can that be done?
Message was edited by: gooru4speed on 10/25/11 8:28:13 PM GMT-03:00
Message was edited by: gooru4speed on 10/25/11 8:37:27 PM GMT-03:00
It all really comes down to routing. The MVM scanner relies on the OS to figure out where the targets are. Since we are using TCP/IP, we are relying on the OS's routing table. Normally what happens is the interface with the Default Gateway is connected to the internal network and the DMZ networks are directly connected to the other external interfaces. Since the DMZs are directly connected, the OS will know which interface to send the packets out of. Scanning DMZs that are not directly connected is more complicated but can be done if static routes are configured.
The one thing to remember is that if you can't ping the target from the OS the scan engine will not be able to reach it either.
I would recommend exercising caution with doing this... your MVM scanning box may become a bridge between network segments (multi-homed).
Any way you can get MVM connected to a span port on your network switch, or adjust firewall rules so your scanner has all-access?
What good would connecting an MVM to a span port do? Span ports are not generally useful for products like MVM as they typically do not accept inbound traffic from the host.
My bad Ron, excuse the terminology... in the definitive sense of a span that's exactly right.
I was thinking more in terms of routing...
You would need to make sure routes exist from the scanning box to all of the DMZ segments, and firewall traffic is allowed as well.
Thanks John, you are right. Connecting a single piece of hardware with multiple NICs to multiple DMZs could produce a bridge between them. At least it is a very questionable solution from a security standpoint.
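As an added illustration of the two points raised in this thread (the scanner host picks an egress interface purely from the OS routing table, and a multi-homed host can turn into a bridge between the segments it touches), here is a small Python pre-scan check. It is not code from the thread or from the MVM product; the routing table and sysctl output it parses are constructed samples of Linux `ip route show` and `sysctl net.ipv4.ip_forward` output for a hypothetical 4-NIC host, and the interface and subnet values are invented. It reports, for each subnet you intend to scan, whether the host would reach it over a directly connected NIC, over a static route, or by falling back to the default gateway (which usually means the scan goes out the internal-network NIC and fails), and it flags IP forwarding being enabled, which is the setting that would let the box route between DMZs.

```python
import ipaddress

# Constructed sample of `ip route show` on a hypothetical 4-NIC scanner host.
# eth0 carries the default gateway (internal network); eth1-eth3 face DMZ segments.
# 172.16.5.0/24 is a DMZ that is not directly attached and is reached via a static route.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.50
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.50
192.168.20.0/24 dev eth2 proto kernel scope link src 192.168.20.50
192.168.30.0/24 dev eth3 proto kernel scope link src 192.168.30.50
172.16.5.0/24 via 192.168.20.1 dev eth2
"""

# Constructed sample of `sysctl net.ipv4.ip_forward` output (hypothetical value).
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1"


def parse_routes(text):
    """Parse `ip route show` lines into (destination network, device, gateway or None)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = (ipaddress.ip_network("0.0.0.0/0") if parts[0] == "default"
                else ipaddress.ip_network(parts[0], strict=False))
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((dest, dev, via))
    return routes


def egress_for(routes, target_ip):
    """Longest-prefix match: the same choice the OS makes when it picks an interface."""
    addr = ipaddress.ip_address(target_ip)
    best = None
    for dest, dev, via in routes:
        if addr in dest and (best is None or dest.prefixlen > best[0].prefixlen):
            best = (dest, dev, via)
    return best


def classify_targets(routes, target_subnets):
    """For each subnet to scan, report how the host would reach it:
       'connected'   directly attached NIC, no gateway needed
       'static'      explicit gateway route (the static-route case from the thread)
       'default'     no specific route; packets go to the default gateway, which is
                     normally the internal network, so the scan will probably not arrive
       'unreachable' no matching route at all"""
    report = {}
    for subnet in target_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        match = egress_for(routes, str(net.network_address))
        if match is None:
            kind = "unreachable"
        elif match[0].prefixlen == 0:
            kind = "default"
        elif match[2] is None:
            kind = "connected"
        else:
            kind = "static"
        report[subnet] = (kind, match[1] if match else None)
    return report


def forwarding_enabled(sysctl_text):
    """True if the kernel would forward packets between its NICs, i.e. the
       multi-homed scanner could act as a router between the DMZ segments."""
    key, _, value = sysctl_text.partition("=")
    return key.strip() == "net.ipv4.ip_forward" and value.strip() == "1"


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    planned = ["192.168.10.0/24", "172.16.5.0/24", "10.99.0.0/24"]
    for subnet, (kind, dev) in classify_targets(routes, planned).items():
        print(f"{subnet}: {kind} via {dev}")
    if forwarding_enabled(SAMPLE_SYSCTL):
        print("WARNING: net.ipv4.ip_forward=1, the scanner would route between the segments it touches")
```

On a real host you would feed it the output of `ip route show` and `sysctl net.ipv4.ip_forward` instead of the constructed samples; a target that comes back as `default` is exactly the case where a static route (or a directly attached NIC) is still missing, and `ip_forward` should read 0 on a scanner that touches several segments.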