Forgive the long-winded question, I am looking to confirm my understanding of certain concepts!
Quick question with regards to the storage of vulnerability information against assets. I am presented with the following scenario:
Target Host A, IP = 10.0.1.50 for argument's sake, in London
Target Host B, IP = 10.0.1.50 for argument's sake, in Edinburgh
So, same IPs for both hosts, but I will stress that they are different hosts. I now bring in two scan engines:
Scan Engine A = routing to 10.0.1.50 routes to Target Host A (for argument's sake, local network)
Scan Engine B = routing to 10.0.1.50 routes to Target Host B (for argument's sake, local network)
Under the main Organisation, there are two workgroups, Workgroup A and Workgroup B. In the workgroup properties, Workgroup A has Scan Engine A (and only this scan engine) assigned. Likewise, Workgroup B has Scan Engine B (and only this scan engine) assigned.
The following vulnerability scans are configured:
VulnScan A = configured under Workgroup A, and carries out a scan against 10.0.1.0/24
VulnScan B = configured under Workgroup B, and carries out a scan against 10.0.1.0/24
In the above scenario (example diagram above), if both scans complete and I generate the *scan* reports, I believe I will get the correct information related to the vulnerabilities on each host, as the reports are based on the scan. However, if I run an *asset* report (assuming the 'use most recent data' option is selected), I am assuming that the vulnerability data returned in this report will be that of the last scan to complete.
Or... will the default asset identification rules result in two assets in the Foundstone database:
- ePO UID = n/a as assume hosts are not managed by ePO
- FS Asset ID = n/a as assume asset tagging is not used
- MAC address = applicable? Side question: how does the scanner pick up the MAC address of the target? If it is on the same network as the scanner, that is easy, but if it is not, is it possible to get the MAC as the result of a FASL script (perhaps a simple registry check?)
So I suppose if the MAC addresses are known, the Foundstone database will have 2 distinct assets, but both with the same IP address (default asset identification rules do not match on IP).
To explain my reasoning behind this, I am looking at the above scenario, and am also looking to pull the data using an ArcSight connector. I need to know that when the data is pulled down, ArcSight recognises that we have two separate assets here.
Any help appreciated as always!
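An added illustration of the matching logic the post describes (example code written for this page, not the product's own logic): assets are keyed on ePO UID, then FS Asset ID, then MAC address, never on IP, and the latest completed scan supplies an asset's data. The identifier precedence, the sample scan records and the choice to keep hosts with no identifier as separate unmatched records are assumptions made here to model the scenario.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Identifier precedence as listed in the post (assumed order):
# ePO UID, then FS Asset ID, then MAC address. IP is deliberately NOT a key.
MATCH_KEYS = ("epo_uid", "fs_asset_id", "mac")


@dataclass
class ScanResult:
    """One host observation from one scan (constructed sample data)."""
    scan_engine: str
    ip: str
    completed: datetime
    vulns: set
    epo_uid: Optional[str] = None
    fs_asset_id: Optional[str] = None
    mac: Optional[str] = None


def asset_key(r: ScanResult):
    """First identifier present, in precedence order; None if none is known."""
    for k in MATCH_KEYS:
        v = getattr(r, k)
        if v:
            return (k, v.lower())
    return None


def merge_assets(results):
    """Fold scan results into assets, applying 'use most recent data'.
    Records with no usable identifier are returned separately (assumption:
    the post does not say how the product treats such hosts)."""
    assets, unmatched = {}, []
    for r in sorted(results, key=lambda r: r.completed):
        key = asset_key(r)
        if key is None:
            unmatched.append(r)
            continue
        assets[key] = r  # later completion time wins for the same asset
    return assets, unmatched


# Constructed sample: both hosts share 10.0.1.50 but have different MACs;
# Host A is scanned twice, so its second result should replace the first.
SAMPLE = [
    ScanResult("Scan Engine A", "10.0.1.50", datetime(2024, 1, 1, 10), {"vuln-1"}, mac="00:11:22:33:44:AA"),
    ScanResult("Scan Engine B", "10.0.1.50", datetime(2024, 1, 1, 11), {"vuln-2"}, mac="00:11:22:33:44:BB"),
    ScanResult("Scan Engine A", "10.0.1.50", datetime(2024, 1, 2, 10), {"vuln-3"}, mac="00:11:22:33:44:aa"),
]
```

Running `merge_assets(SAMPLE)` yields two distinct assets for the one IP, with Host A carrying only the findings from its most recent scan.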