Extending the Network Feature

The Network feature also applies to NPS appliances, where it provides these benefits:

- It allows NPS to keep two or more passively sensed assets that share the same IP in overlapping IP address space as separate assets within one subscription, each with its own identity.

- It allows NPS to dynamically tag the assets based on the Network and IP.

- It allows NPS to de-duplicate and merge a passively sensed asset that has the same IP as a managed asset, provided both assets belong to the same network. Asset de-duplication is therefore enhanced to use the IP and Network combination in addition to the previously supported MAC and hostname merge criteria. NPS merges on MAC if available, otherwise on hostname, and lastly on the IP and Network combination.

- The Network feature is available as a subscription on your account; subscribe to it only if you have assets in overlapping IP address space that must be inventoried.

Use Cases:

1) Your network has overlapping private RFC-1918 IP addresses: one range exists in your enterprise and another with the same address space comes from the network of an acquired company. You may already be actively scanning the enterprise network with Qualys active scanners and/or passively sensing it, and now want to extend active scanning and passive sensing to the overlapping private IP address space of the acquired network. You want to inventory the assets in both overlapping spaces and see them tagged with names that reflect the enterprise network and the acquired network. You also want passively sensed unmanaged assets from the enterprise network to merge with managed assets from the same enterprise network, and likewise for the acquired network.

2) The other use case for overlapping IP address space is where you have used non-RFC-1918 IPs in your internal network and want to keep them separate from the public non-RFC-1918 IPs assigned to load balancers or external-facing servers. You want NPS to de-duplicate passively sensed assets from this internal network against managed assets from the same internal network.

Note: An additional use case, arising from a misunderstanding of the Network feature, is one where a user creates networks to define specific subnets rather than to segregate overlapping IP address space. In this case, a single passive sensor may become associated with more than one subnet whose traffic it is sensing.

Note: For use cases 1 and 2, it is mandatory to have two or more passive sensors, one for each overlapping IP address space. You cannot use a single sensor fed with mirrored traffic from two networks with overlapping IP address space.

How must you use the Network feature?

1) Subscribe to the Networks feature to see the Network tab in the VMDR module. Using the Network tab, define two networks, one for each overlapping space:

a. Enterprise Network N1

b. Acquired Network N2

2) In VMDR, define asset groups in each of the networks, such as:

a. Asset group 1: AG1, 192.168.0.0/24, Network N1

b. Asset group 2: AG2, 192.168.0.0/24, Acquired Network N2

3) Deploy one PS appliance for each of the networks and associate it with the corresponding network. To configure the appliance-to-network association, navigate to the Passive Sensor module, select a sensor, open the “Network” tab in the details, and edit it to select the Network from the list of Networks.

- Deploy PS1 in Network N1. Configure PS1 with 192.168.0.0/24 as its internal inventory IP range and associate PS1 with N1.

- Deploy PS2 in Network N2. Configure PS2 with 192.168.0.0/24 as its internal inventory IP range and associate PS2 with N2.

- Register both sensors with the same account.

4) Run active scans or install cloud agents on assets in each of the ranges to enable de-duplication with unmanaged assets sensed by PS1 and PS2.
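The following is an added example and not Qualys product code. It models two things this page describes: the deployment rule from the steps above and the notes (one passive sensor per overlapping Network, never one sensor fed from both), and the merge precedence from the benefits list (MAC if available, then hostname, then the IP and Network combination), showing why two assets with the same IP stay separate when they sit in different Networks. The names N1, N2, PS1, PS2, the sample assets and the "Network:<name>" tag format are constructed assumptions, not values from the product.

```python
# Added example, not Qualys product code: a small model of the Network feature described on
# this page. validate_plan() checks the sensor plan (one passive sensor per overlapping
# Network); build_inventory() applies the merge precedence MAC > hostname > IP + Network and
# tags assets by Network. All names and sample assets below are constructed assumptions.
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass
class Network:
    name: str
    cidr: str  # asset group range defined in that Network


@dataclass
class Sensor:
    name: str
    networks: list          # Networks the appliance is associated with (must be exactly one)
    inventory_range: str    # internal inventory IP range configured on the appliance


@dataclass
class Asset:
    ip: str
    network: str                   # Network the asset was scanned or sensed in
    managed: bool                  # True for active-scan or cloud-agent assets
    mac: Optional[str] = None
    hostname: Optional[str] = None
    tags: set = field(default_factory=set)


def validate_plan(networks, sensors):
    """Return a list of problems with a deployment plan (an empty list means the plan is sound)."""
    problems = []
    for s in sensors:
        if len(s.networks) != 1:
            problems.append(f"{s.name}: must be associated with exactly one Network, has {s.networks}")
    owners = {}
    for n in networks:
        owners.setdefault(n.cidr, []).append(n.name)
    # An overlapping range needs a dedicated sensor in every Network that uses it.
    for cidr, names in owners.items():
        if len(names) < 2:
            continue
        for name in names:
            if not any(s.networks == [name] and s.inventory_range == cidr for s in sensors):
                problems.append(f"{cidr} in Network {name} has no dedicated passive sensor")
    return problems


def find_merge_target(candidate, inventory):
    """Merge precedence: MAC if both assets have one, else hostname, else IP + Network."""
    for a in inventory:
        if candidate.mac and a.mac and candidate.mac.lower() == a.mac.lower():
            return a, "mac"
    for a in inventory:
        if candidate.hostname and a.hostname and candidate.hostname.lower() == a.hostname.lower():
            return a, "hostname"
    for a in inventory:
        if candidate.ip == a.ip and candidate.network == a.network:
            return a, "ip+network"
    return None, None


def build_inventory(managed, passive):
    """Merge passively sensed assets into the managed inventory and tag every asset by Network."""
    inventory = [replace(a, tags=set(a.tags)) for a in managed]  # copies; callers' objects stay untouched
    merges = []
    for p in passive:
        target, reason = find_merge_target(p, inventory)
        if target is None:
            inventory.append(replace(p, tags=set(p.tags)))  # new unmanaged asset, unique by IP + Network
            continue
        merges.append((p.ip, p.network, reason))
        target.mac = target.mac or p.mac              # fill attributes the merged record lacked
        target.hostname = target.hostname or p.hostname
    for a in inventory:
        a.tags.add(f"Network:{a.network}")  # assumed dynamic tag format
    return inventory, merges


# Constructed deployment: the two Networks and sensors from the steps on this page.
NETWORKS = [Network("N1", "192.168.0.0/24"), Network("N2", "192.168.0.0/24")]
SENSORS = [Sensor("PS1", ["N1"], "192.168.0.0/24"), Sensor("PS2", ["N2"], "192.168.0.0/24")]

# Constructed sample assets: managed ones from scans/agents, passive ones sensed by PS1 and PS2.
MANAGED = [
    Asset("192.168.0.10", "N1", True, mac="00:11:22:33:44:55", hostname="web01"),
    Asset("192.168.0.10", "N2", True, hostname="db01"),
]
PASSIVE = [
    Asset("192.168.0.10", "N1", False, mac="00:11:22:33:44:55"),  # merges with web01 by MAC
    Asset("192.168.0.10", "N2", False),                           # merges with db01 by IP + Network
    Asset("192.168.0.20", "N1", False),                           # new unmanaged asset in N1
    Asset("192.168.0.20", "N2", False),                           # same IP, other Network: stays separate
    Asset("192.168.0.20", "N2", False, hostname="app02"),         # seen again by PS2: merges by IP + Network
]

if __name__ == "__main__":
    print(validate_plan(NETWORKS, SENSORS))
    print(validate_plan(NETWORKS, [Sensor("PS0", ["N1", "N2"], "192.168.0.0/24")]))
    inventory, merges = build_inventory(MANAGED, PASSIVE)
    for a in inventory:
        print(a.ip, a.network, "managed" if a.managed else "unmanaged", a.hostname, sorted(a.tags))
    print(merges)
```

Running the block prints an empty problem list for the PS1/PS2 plan, three problems for a single sensor fed from both Networks, and a four-asset inventory in which the two 192.168.0.20 records survive as distinct assets because their Network differs.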