Dealing with Virtual IPs and Real Servers when scanning for vulnerabilities

Kevin Lillis
Tera Expert

Hi,

We use Qualys scanners to scan our environment for vulnerabilities. We use both Qualys Virtual Appliance scanners and Qualys Cloud Agents installed locally on the servers.

Attached is a diagram of an issue we are dealing with (all IPs/servers/QIDs are made up). We have a vulnerable item showing up on multiple systems: a load balancer/virtual IP that fronts two real backend servers, which also have the same vulnerability. Each of the real servers (which is scanned by the local Qualys Cloud Agent) matches to a CI in the CMDB and, with the assignment rules, then gets assigned to the correct teams to remediate. The load balancer/virtual IP (which is scanned by the virtual appliance scanner) sees the vulnerability from whichever server the virtual IP is pointed to, and thus also assigns that vulnerability to that virtual IP. Of course that is a duplicate. In addition, we don't have the load balancer IPs in the CMDB, thus it is classified as an Incomplete IP Identified Device and gets assigned to the "Unassigned VR Team" to review and reassign to the correct team manually.

Is there a way to have that Virtual IP in the CMDB show the correct real server behind it?

NOTE: We MUST be able to scan the servers via the load balancer/VIP because it finds TCP related vulnerabilities the agents don't find (QID-8888 in this example).