Part 1 of a multiple part series explaining vulnerability scan data and nuances of how that data should be used.
- This is (of course) the network address that the vulnerability was found on.
- The IP address is the one piece of data you can count on to always be in your vulnerability scan data. A vulnerability scanner always must have an IP address to probe for vulnerabilities, so this is the key starting point for any vulnerability scan data.
- Some of your customers or app/developers infrastructure developers may not understand networking very well, so it is a good idea to supply dns name and/or host name to them also. I will cover those in a later post.
- One host (server, machine, appliance.. whatever you want to call it) may have multiple IP addresses. Correcting a vulnerability may resolve the finding on multiple IP addresses. Some common uses of multiple network adapters listed below..
- Main Adapter
- Backup Network Adapter
- HeartBeat/Cluster Network Adapter
- Management Card (This is often an embedded device on its own and not managed by the host OS)
- Other (Redundant adapter, Crossover cable adapter, Some servers may have adapters on multiple networks for various reasons)
- One good approach for vulnerability footprint reduction is to ask the server and application owners if their services and/or apps need to be available on all the IP addresses on the system where the service is found running.
- For example.. Apache may be found running on all the IP addresses on the server.. It usually does not need to be on all of them.
- The IP address listed may actually be the Virtual IP (VIP) that points to a particular port on a webserver. (ports will be covered later)
- One Host/Webserver may have multiple websites running on it. The VIP that you see in the vulnerability scan may be redirected by a network load balancer to a particular listening port on one of the webserver IP addresses. This means there can easily be a Many-to-One relationship of IP addresses to one server or group of servers..
- In this case you will need to have information about the load balancer configurations of your environment to determine which webserver port/instance and/or server may have the vulnerability in question. This information should show the VIP and which port on another IP address that gets the traffic from that VIP. The VIP is often facing a non-trusted network like the Internet, or just used for load balancing and/or to allow a webserver to be used more efficiently.
- Other– The IP address can often tell you other information. Based on your network design it could tell you physical location, system type, network zone (like DMZ) etc.. It is a good idea to understand how your company provisions and allocates IP addresses and networks. This information can often allow you to understand more about an IP address than what they vulnerability scanner tells you.
Pingback: How To Understand a Vulnerability Scan Report – Part 2 – The Network Port | IT Security From the Trenches