4 Replies Latest reply: Jul 17, 2013 10:29 AM by tcorrea

    Net Scan through a Firewall with MVM 7.x

    tcorrea

      Hello, we need to know if McAfee Foundstone (Vulnerability Manager) 7.0 and/or 7.5 (7.x) Standalone can scan a network outside of it, passing through a firewall.

       

      Regards,

      Tomas Correa.

        • 1. Re: Net Scan through a Firewall with MVM 7.x
          jhaynes

          We don't recommend it but yes we can scan through a firewall as long as the firewall is configured to pass all traffic.

           

          Jeff Haynes

          Manager WW Tier III Support Risk & Compliance

          Security Management Business Unit

          • 2. Re: Net Scan through a Firewall with MVM 7.x
            nielsensan

            We are using MVM 7.5 to scan through firewalls - it works as expected.

             

            The firewall needs to be configured so that MVM traffic is allowed "unaltered" (no proxy or NAT).

             

            It will work if you do as jhaynes proposes and "allow all traffic" - but to me it's a bit drastic.

            Our setup works with only the ports listed in the KB below opened.

             

            https://kc.mcafee.com/corporate/index?page=content&id=KB50834

             

            To check if things are set up correctly in the firewall, just try to do a quick asset scan.

            If MVM returns assets on all IP addresses and maybe two assets for "live" addresses, you have not configured the firewall correctly.

             

            BTW we are using McAfee Enterprise firewall.

             

            Regards

             

            Michael Nielsen

            Security Architect

            Atea A/S

            • 3. Re: Net Scan through a Firewall with MVM 7.x
              John M Sopp

              Agreed..scanning through firewalls will work--but--there are circumstances where it's a bad idea.

              I've scanned successfully for years without issue--until a service running as part of an application misbehaved when it received a UDP packet.

              So yes, the service was buggy, but it caused a continuous traffic loop with one of my scan appliances on the other side of a firewall, which in turn caused a state table to fill up in the firewall, which exhausted firewall resources and began causing some issues with other apps.

               

              I'm looking to get a new appliance for the other side of the firewall to avoid this..at least where there are a lot of hosts on "the other side".

              • 4. Re: Net Scan through a Firewall with MVM 7.x
                tcorrea

                Thank you very much for the information.