Network device discovery, credential mapping and scanning:

In this document, we will cover:

Discovering and adding network devices:

For the local office and remote offices maintained through direct connection with the central server, the central server will perform Nmap scan to discover network devices. For remote offices managed through distribution server, the respective distribution server will perform the same. Ensure the following:

  • All the network devices must have a network connection to either central server/distribution server
  • The following ports must not be blocked in the network devices in order to discover them through Nmap scanning:
  • Port
  • Type
  • Connection
  • 22
  • TCP
  • Inbound to Network devices
  • 23
  • TCP
  • Inbound to Network devices
  • 161
  • TCP
  • Inbound to Network devices
  • 902
  • TCP
  • Inbound to Network devices
  • 903
  • TCP
  • Inbound to Network devices
  • 2179
  • TCP
  • Inbound to Network devices
  • 3306
  • TCP
  • Inbound to Network devices

Follow the below steps to discover and add devices:

  1. Go to Network Devices > Managed Devices.
  2. Click on Add device(s) to open the device discovery wizard.
  3. Under the Discover tab in the wizard, select the local office or the remote office in which you want to scan for network devices.
  4. You can choose to scan specific IP addresses or an IP range to discover network devices.
  5. If you select the IP address option in step 4, provide the IP addresses to be scanned in the IP address field and click Discover. While adding multiple IP addresses, separate them with a comma (,). (Only IPv4 format is supported for now. IPv6 will be supported sooner). The network devices belonging to the IP addresses specified will be displayed in the section to the right.
  6. You can also choose to scan the subnet in which the above IP address is deployed by providing the subnet mask. On clicking Discover, all the network devices present in the same subnet as that of the above specified IP will be discovered. The subnet mask scanning feature works only when one IP address is specified in the IP address field.
  7. If you select the IP range option in step 4, provide the Starting IP and ending IP for scanning and click Discover. In this case, all network devices within the IP range will be discovered and displayed in the section to the right.
  8. For the discovered devices, the IP address and vendor name will be displayed. If you want to see only the newly discovered network devices that aren't already added to the Managed Devices view, enable the "Hide Managed Devices" checkbox. Now, from the discovered devices, you can select the devices that you want to manage and click Add.
  9. On clicking Add, the devices will be moved to the Selected tab in the wizard. Verify your selection and click on Add to Managed Devices to successfully add the selected devices to the Managed Devices View.

View the complete list of network devices supported by Vulnerability Manager Plus

Details available in the Managed Devices view:

For each device available in the managed devices view, the following details are displayed:

  • Device IP: The IP address of the device.
  • Host Name: Name of the device as configured in the DNS server. If the device name isn't configured in the DNS server, IP address will be displayed as host name.
  • MAC Address: The Media Access Control address of the device.
  • Vendor Name: The authorized manufacturer of the device.
  • Credential Status: This column indicates whether appropriate management credentials are mapped to the device. Clicking on "Credentials mapped" status reveals more details about the credentials.

Note:

Vendor name and mac address may not be available initially for some devices that are located in subnets other than that of the central server/distribution server. Once SNMP credentials are mapped and the devices are scanned, these details will be retrieved.

Removing devices from the Managed devices view:

You can select any number of the devices available in the managed devices view and click on Remove Devices to remove them from the Managed Devices view successfully. Once removed, details regarding those devices will be removed everywhere from the console.

Mapping device Credentials:

Once the devices are discovered and added to the Managed Devices view, the next step is to prepare them for scanning. Unlike endpoints where agents residing locally on each machine perform the scanning, network devices require an agentless approach. So network device credentials are required to establish connection with these devices, access their information and perform various actions, including scanning.

Two types of protocols are utilized by the central server to perform various operations on network devices. Below we see what they are and what function they serve. While scanning the network devices, SNMP protocol is used to query them for device identification information. This information is utilized by the central server to determine the device type, vendor, series, and model. With these details, the central server retrieves the firmware version detection command since it differs with every vendor and device. SSH command-line utility is then leveraged by the central server to run the firmware version detection command on devices. Once the firmware versions of the devices are detected, corresponding vulnerabilities are correlated for every device and displayed in the console. Also during patch deployment, the central server runs a series of commands using SSH command-line utility to deploy patches to vulnerable devices.

Above operations require authentication with administrative SNMP and SSH credentials on managed network devices. If you've not added SNMP or SSH credentials to the console, refer to this document for detailed steps. Once you've added the SNMP and SSH credentials to the Network Device Credentials view, as mentioned in the linked document, you can map them to corresponding devices in the managed devices view by following the below steps:

  • Go to Network Devices > Managed Devices.
  • Select a device and click on Map Credentials.
  • Under SNMP, for the version, you can select either SNMP version v1/v2 or SNMP version v3 depending on the SNMP version you've configured in the device.
  • In the credential name field, select the appropriate SNMP credential from the list of SNMP credentials you've added. If you want to add a new SNMP credential for mapping, click the "+" icon.
  • In the credential name field under SSH, select the appropriate SSH credential from the list of SSH credentials you've added. If you want to add a new SSH credential for mapping, click the "+" icon.
  • Click Save to map credentials to the associated device successfully.

You can view the details about the credentials mapped for each device by clicking on the "Credential mapped" hypertext under the credential status column. If you wish to change the credentials mapped to a particular device, you can select the device, click on Map Credentials and repeat the steps mentioned above.

Scanning network devices:

Once credentials are mapped to the devices, the devices will appear in the "Scan Devices" view and an authenticated scan will be performed automatically on these devices to detect vulnerabilities. Also, every time the vulnerability database sync occurs, the network devices available in the "Scan Devices" view are automatically scanned for firmware vulnerabilities. The server will initiate authenticated remote scans using the mapped credentials.

Only in the instances mentioned above, network devices are scanned automatically. To perform a manual scan,

  • Go to Network Devices > Scan Devices.
  • Select the devices which you want to scan
  • Click on the Scan Now button to initiate a manual scan.

Note:

We recommend updating the vulnerability database before scanning to achieve better results, since this will fetch the new vulnerability information to the server. To update the vulnerability database, click on the Update Now button under Update Vulnerability DB in the left tree.

The scan status in the table view displays whether scan for each device has failed, successful, in-progress or not initiated. The remarks section offers reasons for scan failure, if any. The Network scan summary graph offers a breakdown of devices based on scan status.

Here are some of the instances in which the scan may fail:

  • Device is inactive or unreachable by the server
  • Credentials are invalid or changed
  • Device belongs to an unsupported vendor.
  • Discovered devices available in the Managed Devices view can also be included in the firmware patch deployment workflow without mapping credentials. In this case, the patch deployment will fail for those devices and the devices will appear in the scan view with the scan failed status.

Once the scan is complete, the firmware vulnerabilities are detected and displayed in the Firmware Vulnerabilities view under the Network Devices tab. Refer to this document for detailed steps on how to deploy firmware patches to resolve vulnerabilities in network devices. The actively exploited vulnerabilities and publicly disclosed vulnerabilities pertaining to the firmware of the devices are displayed in the Zero-day vulnerability view under Network Devices tab. Learn how to mitigate zero-day vulnerabilities.

Besides discovering vulnerabilities, the authenticated scan also fetches device details such as device type, vendor, series, model, firmware and hardware information. You can view these details by clicking on each device.