Deploying two consoles

Is it possible to deploy two separate consoles, one for vulnerability management and the other for ALL asset management, with the same scan engines?

Does anyone use two consoles for inventory, or use InsightVM as an asset manager?

I've worked with a few customers over the years that had more than one console connected to the same engine. We can pair an engine to as many consoles as you want, and we still want to try not to do overlapping scanning, which is a bit tougher with separate consoles. Most of these customers look at options to split off, say, PCI scanning to a separate console so they can isolate it and use the PCI Risk score global setting.


That is great to hear, that more than one console can be used with the same engine. Since our methodology only involves discovery for asset management, meaning we just want to know what's on the network and do no scanning at all on our side, would it be recommended to use one discovery engine vs. the same one I would be discovering and scanning with? Because vulnerability management is a beast of its own, in turn I would want the same networks to be able to be discovered in my VM console so I can catch servers only... The other stuff would fall to the asset management console or space?

It looks like the question is "should you run a discovery first to find the assets, then another vuln scan?" If that is the question, the answer is: it depends. When you run a vuln scan, it will essentially redo the discovery scan, so it is doing double work on any alive assets. 5 years ago, I might have said sure, that sounds like a plan, mainly because it took so much longer to scan than it does now. However, now, with scan speed pretty darn fast, I usually recommend just combining any discovery and vuln scanning into a single scan, unless you need to scan more than one Class A range.

It also might be a good idea to do discovery only if you are trying to conserve license space. Discovery scans do not count towards the license, so if you are not sure whether you are going to find way more IPs than you are licensed for, it might be wise to do a discovery scan first.

If you want to see the raw results of the discovery scan, make sure to scope the report using the scan log and not the site or asset group.

Yes, that is the question. So discovery comes first. That is pretty much clear now. Under that answer I'm going to throw another couple of questions at you, just out of curiosity. This is due to some people wanting to intertwine everything in my vulnerability management console; we have worked hard to set up process and authentications and I don't want to intermingle. Having two consoles seems ideal. Let's say we have discovery (VM) only discovering VLANs with servers only, and let's say we have discovery with both server VLANs and VLANs that have network devices, appliances, maybe workstations, etc. in them; this one is of course used more for inventory purposes, with no scanning at all. Likely, my VM will find the servers it has already found in the discovery for MISC, so I won't need to be notified of that; but I would want to be aware if any servers are spun up in those MISC VLANs. Keep in mind that I'll have two separate consoles, one discovery on each (one for servers to be caught, keeping in mind servers will be scanned as well; the other to catch EVERYTHING, and these misc systems will just count as inventory, more of a count).

With this scenario would it be wise to have one discovery for both consoles or two?

Also, with two consoles, can they talk to each other? I know that usually it's engine to console and console to engine... is there a console-to-console option, so that I may set up auto actions in the console (misc) to filter out and drop the Windows/Linux OS servers in my console for VM if they are not caught in the discovery for VM?

Unfortunately, the lack of console-to-console communication is why I am not a big fan of this strategy. Scanning, in the end, is quick, and discovery scanning doesn't use IPs or all that much database space. My recommendation would be one console; separate things out using DAGs and Tags, or the query builder within the console, but for asset reporting use the Data Warehouse and give the asset management team direct access to it. That way they can access their data without needing to interrupt your VM program by using the console. A few extra discovery scans here and there will have little impact on the engine or console performance.