| Terminology | Description |
|---|---|
| CRS | Continuous Risk Scanning |
| Scan Surface | Definition of the scan targets evaluated by the platform |
| Agent-based Scan Surface | Part of the scan surface covered by installed agents, in either local deployment mode or AD integrated mode. |
| Agentless Scan Surface | Part of the scan surface covered by network scanners, either in the customer network or from a public internet scanner |
| Cloud Scanner | Shared multi-tenant scanner hosted in the public cloud that can be used by any tenant of the platform to scan publicly accessible hosts or services (websites, routers, cameras etc.) |
| Internal Scanner | A tenant-level network scanner deployed in the customer's network (LAN, private/public cloud) that can be used to perform network scans in a single tenant. |
| Agent | A binary executable that scans an individual machine, or integrates with the AD to scan multiple machines while deployed on a single machine. May be installed on both Windows and macOS systems. |
| Footprint Console | Cloud-based SaaS console that centralizes Scan Surface definition, hosts and processes scan results, manages all agents and scanners centrally, and produces and updates reports. Single pane of glass for all detections, alerts and results for both MSP and end users. |
There are two types of scans: agentless and agent-based. The key difference between the two is that an agentless scan is performed from the network by a scan engine, while an agent-based scan is local to the scanned host and is performed by an agent.
How to perform an agentless scan
An agentless scan is a scan performed by a scanner over the network or the internet.
If you want to scan a public IP, FQDN or website, use the default Cloud Scanner. It is present in the console and is shared between all tenants.
The Cloud Scanner scans from an internet location with the source (public) IP listed in the Scan Surface > Deployed Scanners tab.
If you are scanning specific assets and the results show no information, or not the information you expected, consider whitelisting the scanner's IP or checking your firewall for block rules or geo-protection. The scanner simply shows the point of view of someone scanning from the Internet, so it is also possible that "no results" means you are not visible from the Internet or the ports are already filtered.
Scanning Public IP Addresses or Websites
Prepare a list of your public IPs or websites. Take note that scanning may be regulated in certain regions, so do not attempt to scan ranges that are not your own or that are outside the scope of your contract.
1. Browse to Scan Surface > Agentless Scan Surface and click Add elements to agentless scan surface. A window will open where you can enter your list of scan targets. An entry can be a subnet range, an IP address or an FQDN. You may enter an entire list of mixed entries separated by new lines, and you can also use IP ranges written with a dash.
2. Once the textbox is populated, make sure to select a scanner from the drop-down menu. The Cloud Scanner is selected by default if it is the only scanner present.
3. Press the Add entries button; this converts your input and prepares it for scanning.
4. You are now ready to scan. Press the Scan button to perform an initial scan. Make sure that you have added all desired targets at this step, as starting a scan prevents you from adding more targets until this initial scan has finished.
Your scan has started. You can minimize this window by pressing the two arrows in the top right corner, and the scan will run in the background.
The status of the scan is also shown in the top left corner of the interface.
Any entries that were added by mistake can be removed from the scan surface by pressing the "X" button. This is also the way to exclude specific IP addresses from a range. Once you press the "X", that entry will not be scanned again, and you would need to re-add it to the scan surface.
Scanning Internal IP Addresses or performing Network Discovery
If you want to scan the local LAN, company network or a specific cloud subscription, you need to use an Internal Scanner. The Internal Scanner is deployed on-premise or in a private/public cloud subscription and can scan any network it can reach.
Internal Scanners come as virtual machines (VMware, Hyper-V), cloud appliances, or integrated in a local agent (Super Agent).
In order to install an Internal Scanner refer to the specific guide:
https://support.codaintelligence.com/hc/en-us/articles/6578804055836--Internal-Scanner-VM-Setup
https://support.codaintelligence.com/hc/en-us/articles/9183317671708-Footprint-Internal-Scanner-GCP-Deployment
https://support.codaintelligence.com/hc/en-us/articles/4415822825234-How-to-Deploy-the-Footprint-Internal-Scanner-in-Digital-Ocean
https://support.codaintelligence.com/hc/en-us/articles/4403980361874-Footprint-Cloud-Appliance-AWS-Marketplace-Deployment
https://support.codaintelligence.com/hc/en-us/articles/4403735639954-Footprint-Cloud-Appliance-Azure-Marketplace-Deployment
Once your scanner is installed you can scan following the same procedure used for the public IP addresses:
1. Make a list of networks or hosts.
2. Browse to Scan Surface > Agentless Scan Surface > Add elements to agentless scan surface.
3. Add the network entries in the textbox.
4. Make sure to select your Internal Scanner from the drop-down list.
5. Press the Scan button to start the scan.
Adding a subnet to the list of scan targets is a good idea for local networks, as this also performs discovery: newly added hosts or computers will then be discovered and scanned automatically.
If you want to exclude specific hosts from the scan, you can do this before the scan by using ranges instead of the whole subnet.
For example, to exclude 192.168.10.10 from the 192.168.10.0/24 subnet you can use two ranges:
192.168.10.1-192.168.10.9
192.168.10.11-192.168.10.254
To remove a specific IP from a range you can use the “X” button.
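As an added example (not the console's own code), the following Python parses the mixed target list described above and computes the dash ranges needed to exclude one or more hosts from a subnet, generalizing the two-range example. The classification rules in `parse_targets` are an assumption about the textbox format, not documented platform behaviour, and the sample input is constructed.

```python
import ipaddress

# Constructed sample of the textbox format this page describes: one target per line,
# mixing a CIDR subnet, a single IP, a dash-separated range and an FQDN.
SAMPLE_TARGETS = """192.168.10.0/24
10.0.0.5
172.16.1.1-172.16.1.9
db-01.example.com
"""

def parse_targets(text):
    """Classify each non-empty line as ("cidr" | "range" | "ip" | "fqdn", value)."""
    parsed = []
    for line in (s.strip() for s in text.splitlines() if s.strip()):
        if "/" in line:
            parsed.append(("cidr", ipaddress.ip_network(line, strict=False)))
        elif "-" in line:
            try:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            except ValueError:
                parsed.append(("fqdn", line))  # hyphenated hostname, not a range
                continue
            if hi < lo:
                raise ValueError(f"range end precedes start: {line}")
            parsed.append(("range", (lo, hi)))
        else:
            try:
                parsed.append(("ip", ipaddress.ip_address(line)))
            except ValueError:
                parsed.append(("fqdn", line))
    return parsed

def exclude_hosts(cidr, excluded):
    """Dash ranges covering the subnet's host addresses minus `excluded` (no net/broadcast)."""
    net = ipaddress.ip_network(cidr, strict=False)
    skip = {ipaddress.ip_address(e) for e in excluded}
    ranges, start, prev = [], None, None
    for host in net.hosts():  # .1 to .254 for a /24, as in the page's example
        if host in skip:
            if start is not None:  # close the run that ended just before this host
                ranges.append(f"{start}-{prev}")
                start = None
        elif start is None:
            start = prev = host
        else:
            prev = host
    if start is not None:
        ranges.append(f"{start}-{prev}")
    return ranges
```

The returned ranges can be pasted one per line into the agentless scan surface textbox in place of the full subnet.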
The Internal Scanner also has an option for authenticated scans.
https://support.codaintelligence.com/hc/en-us/articles/360016817419-Footprint-Technical-Reference#FootprintTechnicalReference-Addinganewauthenticatedscanentry
For cloud subscriptions (AWS, Azure) there is an additional guide on how to find your subnets and instance IP addresses:
https://support.codaintelligence.com/hc/en-us/articles/9403691266460-How-to-determine-scan-targets
https://support.codaintelligence.com/hc/en-us/articles/9683649949852-Scanning-the-network
How to perform an agent-based scan
In order to perform an agent-based scan you need to install a Footprint Agent. Follow the guide for your OS type and version:
https://support.codaintelligence.com/hc/en-us/articles/8785438059932-Deploy-procedures-macOS-
https://support.codaintelligence.com/hc/en-us/articles/360016103319-Deploy-procedures-Windows-
Once the agent is installed it will automatically start sending data to the console. The agent does not need any configuration other than its initial deployment and is always updated automatically to the latest version.
On deployment an agent can be configured for either a local scan or an AD integrated scan.
The local scan would only scan the computer the agent is installed on. This also performs SCAP/OVAL scans.
AD integrated scanning allows an agent to scan other hosts in the Active Directory as long as they are reachable. Remember that the AD integrated agent always scans the local host as if it were a local agent, and it does not need to be deployed on a domain controller.
You can verify if the scans are happening properly in the Scan Surface > Agent Based > Deployed Agents tab.
References: https://support.codaintelligence.com/hc/en-us/articles/13333226068892-Solving-Wrong-OS-Finding