Manual Process Network Devices

Hello All,
I was wondering how InsightVM customers deal with manual processes for vulnerability management on devices that are out of scope for InsightVM or incompatible with it. We have submitted several ideas to Rapid7, but I wondered how others deal with, for instance, networking devices; is there a reporting mechanism anyone uses to make sure these still get patched? I know this is an org process, but this is the only forum I know of for vulnerability management.

Do you use RSS feeds? Emails?

You could create a site and scan these devices. You would want to fine-tune and make sure that whatever scan template you use feels appropriate. From there you could really just manage the site or create a Top 25 remediation report based on that site.

When you say they are incompatible, what do you mean? Like an agent cannot be loaded on it? VMware, for instance: you cannot really load the R7 agent on it, but you could definitely scan it, you just need an appropriate scan template.

1 Like

@pete_jacob I mean they can't be scanned in Rapid7 at all, which I don't see how or why they wouldn't be able to be discovered, at least. I can see why they can't be scanned, because there is no data feed for them. Like Infoblox and ISE appliances.

I was wondering how everyone else deals with patch management processes on things like that which can't be scanned, which in turn may turn into manual processes such as researching RSS feeds, vulnerabilities on the vendor site…?

If the asset has an IP address you should be able to scan it with Nexpose/InsightVM.

Rapid7 does have vulnerability content for several types of networking equipment. You can use search within IVM to check whether it has content for your products. For example, search for “palo alto” and scroll down to the vulnerabilities section on the search page. You will see all of the vulnerabilities related to Palo Alto network devices that Rapid7 has in its database, and you can also see whether any of your assets have the vulnerabilities by looking in the “Instances” column. If there are any instances, you can click on the vulnerability to get a list of affected assets.

If your networking products are not in IVM, you can still run scans on them and see vulnerability data like TLS issues or open telnet, etc. The asset pages for networking equipment show open ports, services, firmware versions, etc.

If you are not able to scan these for some reason, it's best to consult with your networking team to ensure that the scan engine has access to the VLANs, subnets, ports, etc. for the scans you are performing.

1 Like

Honest approach for our organization: for something like Infoblox, I would review our options for fingerprinting the device. So for an Infoblox appliance I would probably pull the API doc page, along the lines of https://infoblox.example.com/api/doc/Infoblox.html, which contains version information, e.g.:

[Screenshot (2021-11-19) of the Infoblox API doc page showing the appliance version information]

https://docs.rapid7.com/insightvm/sending-custom-fingerprints-to-paired-scan-engines/

As long as we can fingerprint the appliance version, we can at minimum build automated banner checks for the detected versions. If we can determine a reliable/consistent feed, we could consume the feed and automate vulnerability check content that we would deploy to our scan infrastructure. I wouldn't want to scrape a page like NIOS XML Vulnerability - Infoblox Experts Community, but if the notices are consistent we could scrape the content on a regular basis.

https://docs.rapid7.com/insightvm/writing-vulnerability-checks

1 Like
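The workflow sketched in the post above (fingerprint the appliance version from a page it exposes, then compare that version against a vendor advisory feed) and the RSS-feed question earlier in the thread can be wired together into a small banner check. The script below is an added illustration, not code from the thread, from Infoblox, or from Rapid7's custom-check tooling. The doc-page HTML, the RSS feed, every version number, the `EXAMPLE-2021-00x` advisory IDs and the "Fixed in X.Y.Z" phrasing are all constructed sample data and assumptions for this example; a real deployment would fetch the page and feed over HTTP and adapt the regexes to the vendor's actual wording.

```python
"""Version-fingerprint banner check against a vendor advisory feed.

Added example (not from the original post, Infoblox or Rapid7): extract a
version string from an appliance's documentation page, parse a vendor RSS
advisory feed, and report which advisories the fingerprinted version has not
yet picked up a fix for, so unscannable devices still yield a patch list.
All HTML, feed content, versions and advisory IDs are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for an appliance doc page that leaks its software version.
SAMPLE_DOC_PAGE = """<html><head><title>Infoblox WAPI Documentation</title></head>
<body><h1>Infoblox WAPI Documentation</h1>
<p>This document describes NIOS release 8.5.2 (WAPI 2.11.2).</p>
</body></html>"""

# Constructed stand-in for a vendor advisory RSS feed. The "Affects ... Fixed in"
# phrasing is an assumption made for this example, not a documented vendor format.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>EXAMPLE appliance advisories (constructed)</title>
<item><title>EXAMPLE-2021-001: DNS cache handling issue</title>
<description>Affects NIOS 8.4.0 through 8.5.3. Fixed in 8.5.4.</description></item>
<item><title>EXAMPLE-2021-002: Web UI session issue</title>
<description>Affects NIOS 8.6.0 and later 8.6.x. Fixed in 8.6.2.</description></item>
<item><title>EXAMPLE-2021-003: Older TLS cipher defaults</title>
<description>Affects NIOS before 8.5.0. Fixed in 8.5.0.</description></item>
</channel></rss>"""

VERSION_RE = re.compile(r"NIOS (?:release )?(\d+(?:\.\d+)+)")
FIXED_RE = re.compile(r"Fixed in (\d+(?:\.\d+)+)")
# Inclusive lower bound; deliberately does not match "Affects NIOS before ...".
LOWER_RE = re.compile(r"Affects NIOS (\d+(?:\.\d+)+)")

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    title: str
    affected_from: Optional[Version]  # inclusive lower bound; None = every earlier release
    fixed_in: Version                 # exclusive upper bound


def version_tuple(text: str) -> Version:
    """'8.5.2' -> (8, 5, 2). Tuples compare numerically; strings would put '8.10' < '8.9'."""
    return tuple(int(part) for part in text.split("."))


def extract_version(html: str) -> Optional[str]:
    """Fingerprint step: pull the NIOS version string out of the doc page, or None."""
    match = VERSION_RE.search(html)
    return match.group(1) if match else None


def parse_advisory_feed(xml_text: str) -> List[Advisory]:
    """Turn RSS <item> entries into Advisory records; items without a fix version are skipped."""
    advisories = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", "")
        desc = item.findtext("description", "")
        fixed = FIXED_RE.search(desc)
        if not fixed:
            continue
        lower = LOWER_RE.search(desc)
        advisories.append(Advisory(
            advisory_id=title.split(":", 1)[0].strip(),
            title=title,
            affected_from=version_tuple(lower.group(1)) if lower else None,
            fixed_in=version_tuple(fixed.group(1)),
        ))
    return advisories


def applicable_advisories(version: str, advisories: List[Advisory]) -> List[Advisory]:
    """Banner check: an advisory applies when floor <= version < fixed_in."""
    v = version_tuple(version)
    return [
        adv for adv in advisories
        if v < adv.fixed_in and (adv.affected_from is None or v >= adv.affected_from)
    ]


def outstanding_patches(doc_html: str, feed_xml: str) -> List[str]:
    """End-to-end: advisory IDs the fingerprinted appliance is still missing fixes for."""
    version = extract_version(doc_html)
    if version is None:
        return []  # no fingerprint, nothing to assert; log this as a coverage gap
    return [a.advisory_id for a in applicable_advisories(version, parse_advisory_feed(feed_xml))]


if __name__ == "__main__":
    ver = extract_version(SAMPLE_DOC_PAGE)
    print(f"fingerprinted version: {ver}")
    for adv in applicable_advisories(ver, parse_advisory_feed(SAMPLE_FEED)):
        print(f"  unpatched: {adv.title} (fixed in {'.'.join(map(str, adv.fixed_in))})")
```

Running it against the constructed data reports only EXAMPLE-2021-001: the fingerprinted 8.5.2 sits inside that advisory's affected range, is already at or past the fix for the TLS item, and is below the floor of the 8.6.x item. The output list is what you would feed into a ticket, a custom fingerprint, or a Rapid7 custom check, and a run that returns no fingerprint at all should be tracked as a gap rather than read as "nothing outstanding".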