Forgive the longwinded question, I am looking to confirm my understanding of certain concepts!
Quick question with regards to the storage of vulnerability information against assets. I am presented with the following scenario:
Target Host A, IP = 10.0.1.50 for arguments sake, in London
Target Host B, IP = 10.0.1.50 for arguments sake, in Edinburgh
So, same IPs for both hosts, but I will stress that they are different hosts. I now bring in two scan engines:
Scan Engine A = routing to 10.0.1.50 routes to Target Host A (for arguments sake, local network)
Scan Engine B = routing to 10.0.1.50 routes to Target Host B (for arguments sake, local network)
Under the main Organisation, there are two workgroups, workgroup A and workgroup B. In the workgroup properties, Workgroup A has Scan Engine A (and only this scan engine) assigned. Likewise, Workgroup B has Scan Engine B (and only this scan engine assigned).
The following vulnerability scans are configured:
VulnScan A = configured under workgroup A, and carries out scan against 10.0.1.0/24
VulnScan B = configured under workgroup B, and carries out scan against 10.0.1.0/24
In the above scenario (example diagram above), if both scans complete, and I generate the *scan* reports - I believe I will get the correct information related to the vulnerabilities on each host, as the reports are based on the scan. However, if I run an *asset* report (assuming 'use most recent data' option is selected), I am assuming that the vulnerability data returned in this report will be that of the last scan to complete.
Or... will the default asset identification rules result in two assets in the foundstone database:
- ePO UID = n/a as assume hosts are not managed by ePO
- FS Asset ID = n/a as assume asset tagging is not used
- MAC address = applicable? Side question - how does the scanner pick up on the MAC address of the target? If it is on the same network as the scanner, that is easy - but if it is not, is it possible to get the MAC as the result of a FASL script (perhaps a simple registry check?)
So I suppose if the MAC addresses are known, the Foundstone database will have 2 distinct assets, but both with the same IP address (default asset identification rules do not match on IP).
To explain my reasoning behind this, I am looking at the above scenario, and am also looking to pull the data using an Arcsight connector. I need to know that when the data is pulled down, Arcsight recognises that we have two separate assets here.
Any help appreciated as always!
All interesting quetions, we have had similar scenarios but created a seperate Organization rather than Workgroup to differentiate between the two networks. This does successfully create a seperate asset record for the same IP address. Also, it would depend on your asset identification rules as you've pointed out; both servers would likely have different hostnames (NBName) and if this is set as a higher priority the logic should create different assets. Have you tested out any of your assumptions? If so, please post the results as I'm sure others would be interested to read.
Regarding MAC address enumeration, yes ARP would be the first technique used to resolve this. However if the target IP address is not on the same LAN, looks as though the scanner issues a nbstat -a <remoteIP> command. Of course this would only resolve information if your target has NetBIOS over TCP/IP enabled. Notice that you only ever get MAC addresses for Windows devices which are not on the same LAN as the scanner? There may be some additional logic to obtain this such as checking a registry, however I have yet to observed that behaviour.
Hope some of this helps!