ManageEngine Vulnerability Manager Plus is an Enterprise vulnerability management software that helps you scan, assess, prioritize and remediate vulnerabilities in your network endpoints. It comprises of features like vulnerability scanner and vulnerability assessment, automated patch management, security configuration management, zero-day vulnerability mitigation, high-risk software audit and web server hardening. Vulnerability Manager Plus supports the patching of computers in a distributed setup like branch or remote offices (WAN) and for mobile users, for example sales persons who are constantly on the move.
The advantages of using the WAN architecture of Vulnerability Manager Plus include the following:
The following guide will help you understand the process of vulnerability management with the help of an architecture diagram.
IT administrators or network security teams need the following components to perform vulnerability management in the remote computers:
The Vulnerability Manager Plus Server helps you to centrally perform all the vulnerability management tasks in your network endpoints. Some of the tasks include the following:
Any of the Windows computers in your network with the requirements mentioned here can be hosted as your Vulnerability Manager Plus Server. This Vulnerability Manager Plus Server at the customer site subscribes to the Central Vulnerability Database, from which it synchronizes the latest information on vulnerabilities and its remedies. Patches are downloaded directly from vendor sites and stored centrally in the server's patch store and will be replicated to your network endpoints to conserve bandwidth.
This section includes detailed information about the components of the Vulnerability Manager Plus architecture. Refer to Figure 1: WAN Architecture of Vulnerability Manager Plus.
Server
Vulnerability Manager Plus Server has to be installed in your LAN (say, the head office) and has to be configured as an EDGE device. This means that the designated port (default being 6020 and is configurable) should be accessible through Internet. You need to adopt necessary security standards to harden the OS where the Vulnerability Manager Plus Server is installed. Agents from all the remote locations report to this Vulnerability Manager Plus Server.
The Server acts as a container to store the patch details and, upon request, provide the instructions to the agents. It is advised to keep the Vulnerability Manager Plus Server always running to carry out the day-to-day Vulnerability Management activities.
Distribution Server is light-weight software that is installed in one of the computers in the Branch Offices. This agent will communicate with the Vulnerability Manager Plus Server to pull the information for all the computers in that branch. The agents that reside in the branch office computers will contact the Distribution Server to get the information available to them and process the requests.
To perform Vulnerability scanning and management, a lightweight, multipurpose agent will be installed by the server in your network systems. The agent contacts the server every 90 minutes to get the data to perform vulnerability scanning in endpoints as well as to carry out the tasks delegated by the server. It returns back the result to the server after completion of the task. The agent also maintains a continuous thin connection with the server in order to perform on-demand tasks.
Agents can be installed either manually or using a logon script in all the branch-office computers that are being managed using Vulnerability Manager Plus. This task is a one-time task. Up-gradation of agents is done automatically. Vulnerability Plus offers two options to help administrators manage computers across a WAN. The option that you choose depends on the number of computers you are going to manage at your remote office. The options available, enable you to use either of the following:
The web console is a graphical user interface to access the server and perform vulnerability management tasks. This console can be accessed from anywhere. For example, it can be accessed through a LAN, WAN and from home using the Internet or a VPN. Separate client installations are not required to access the Web console.