In this document, we will cover:
For the local office and for remote offices maintained through a direct connection with the central server, the central server will perform an Nmap scan to discover network devices. For remote offices managed through a distribution server, the respective distribution server will perform the same scan. Ensure the following:
Follow the steps below to discover and add devices:
View the complete list of network devices supported by Vulnerability Manager Plus
Details available in the Managed Devices view:
For each device available in the managed devices view, the following details are displayed:
Vendor name and MAC address may not be available initially for some devices located in subnets other than that of the central server/distribution server. Once SNMP credentials are mapped and the devices are scanned, these details will be retrieved.
You can select any number of the devices available in the managed devices view and click on Remove Devices to remove them from the Managed Devices view. Once removed, details regarding those devices are removed from every part of the console.
Once the devices are discovered and added to the Managed Devices view, the next step is to prepare them for scanning. Unlike endpoints, where agents residing locally on each machine perform the scanning, network devices require an agentless approach. Network device credentials are therefore required to establish a connection with these devices, access their information and perform various actions, including scanning.
Two protocols are utilized by the central server to perform operations on network devices; below we see what they are and what function each serves. While scanning network devices, the SNMP protocol is used to query them for device identification information. The central server uses this information to determine the device type, vendor, series, and model. With these details, the central server retrieves the firmware version detection command, since it differs with every vendor and device. The SSH command-line utility is then leveraged by the central server to run the firmware version detection command on the devices. Once the firmware versions of the devices are detected, the corresponding vulnerabilities are correlated for every device and displayed in the console. During patch deployment, the central server likewise runs a series of commands over SSH to deploy patches to vulnerable devices.
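The two-step flow described above, SNMP identification followed by a vendor-specific SSH version command, as an added illustration that is not Vulnerability Manager Plus's own code. It assumes the IANA enterprise number in sysObjectID is enough to pick the vendor, uses typical CLI commands and constructed regexes, and stands in a callable for the SSH session so it runs offline; failures are reported as remarks the way the Scan Devices view does.

```python
import re
from typing import Callable, Optional

# Illustrative vendor table keyed by the IANA enterprise number that follows
# 1.3.6.1.4.1 in a device's sysObjectID. The enterprise numbers are real IANA
# assignments; the CLI commands and regexes are constructed for this example
# and are not the product's own detection logic.
VENDORS = {
    9: ("Cisco", "show version", r"Version\s+([\w.()]+)"),
    2636: ("Juniper", "show version", r"Junos:\s+([\w.\-]+)"),
    12356: ("Fortinet", "get system status", r"Version:\s+\S+\s+v([\w.]+)"),
}

def identify_vendor(sys_object_id: str) -> Optional[tuple]:
    """Step 1 (SNMP): derive vendor, version command and regex from sysObjectID."""
    m = re.match(r"^1\.3\.6\.1\.4\.1\.(\d+)(\.|$)", sys_object_id)
    return VENDORS.get(int(m.group(1))) if m else None

def detect_firmware(sys_object_id: str, run_ssh: Callable[[str], str]) -> dict:
    """Step 2 (SSH): run the vendor-specific command and parse the version.
    run_ssh stands in for the SSH session: it takes a command string and
    returns the CLI output. Failures come back as a remark string."""
    entry = identify_vendor(sys_object_id)
    if entry is None:
        return {"status": "failed", "remark": "SNMP identification failed: unknown vendor"}
    vendor, command, pattern = entry
    try:
        output = run_ssh(command)
    except Exception as exc:  # connection refused, auth failure, timeout, ...
        return {"status": "failed", "vendor": vendor, "remark": f"SSH error: {exc}"}
    m = re.search(pattern, output)
    if not m:
        return {"status": "failed", "vendor": vendor, "remark": "version not found in output"}
    return {"status": "success", "vendor": vendor, "firmware": m.group(1)}

# Constructed sample: a Cisco-style sysObjectID and a fake 'show version' banner.
SAMPLE_SYS_OBJECT_ID = "1.3.6.1.4.1.9.1.1208"
SAMPLE_SHOW_VERSION = (
    "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
    "Version 15.2(4)E7, RELEASE SOFTWARE (fc2)\n"
)

def fake_cisco_ssh(command: str) -> str:
    """Stand-in for an SSH session to the constructed sample device."""
    if command != "show version":
        raise RuntimeError(f"unexpected command {command!r}")
    return SAMPLE_SHOW_VERSION

if __name__ == "__main__":
    print(detect_firmware(SAMPLE_SYS_OBJECT_ID, fake_cisco_ssh))
```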
The above operations require authentication with administrative SNMP and SSH credentials on the managed network devices. If you have not yet added SNMP or SSH credentials to the console, refer to this document for detailed steps. Once you have added the SNMP and SSH credentials to the Network Device Credentials view, as described in the linked document, you can map them to the corresponding devices in the managed devices view by following the steps below:
You can view the details about the credentials mapped for each device by clicking on the "Credential mapped" hypertext under the credential status column. If you wish to change the credentials mapped to a particular device, you can select the device, click on Map Credentials and repeat the steps mentioned above.
Once credentials are mapped to the devices, the devices will appear in the "Scan Devices" view and an authenticated scan will be performed automatically on these devices to detect vulnerabilities. Also, every time the vulnerability database sync occurs, the network devices available in the "Scan Devices" view are automatically scanned for firmware vulnerabilities. The server will initiate authenticated remote scans using the mapped credentials.
Network devices are scanned automatically only in the instances mentioned above. To perform a manual scan,
We recommend updating the vulnerability database before scanning to achieve better results, since this will fetch the new vulnerability information to the server. To update the vulnerability database, click on the Update Now button under Update Vulnerability DB in the left tree.
The scan status in the table view displays whether the scan for each device has failed, succeeded, is in progress, or has not been initiated. The remarks section gives the reason for a scan failure, if any. The Network scan summary graph offers a breakdown of devices by scan status.
Here are some of the instances in which the scan may fail:
Once the scan is complete, the detected firmware vulnerabilities are displayed in the Firmware Vulnerabilities view under the Network Devices tab. Refer to this document for detailed steps on deploying firmware patches to resolve vulnerabilities in network devices. Actively exploited and publicly disclosed vulnerabilities pertaining to the firmware of the devices are displayed in the Zero-day vulnerability view under the Network Devices tab. Learn how to mitigate zero-day vulnerabilities.
Besides discovering vulnerabilities, the authenticated scan also fetches device details such as device type, vendor, series, model, firmware and hardware information. You can view these details by clicking on each device.