Information
Venafi as a Service provides multiple types of discovery scans that target internal and external resources. When defining internal or external scan settings, there are several considerations to work through, such as targets, ports, and the location of the scanners. This article describes how to configure public and private discovery scans with Venafi as a Service/TLS Protect Cloud.
Primer
TLS Protect Cloud's discovery scanning services are hosted by the cloud service as well as locally in your environments. For internet-facing scans of services listening on port 443, the internet scan must be configured. For private-facing scans, or for internet scans where services listen on ports other than 443 or where white/black listing of IPs restricts who may connect, either an enhanced or a basic scan must be configured; both use local resources in your environments. All scans are network-based scans.
Internet Scanners
When you first sign up for TLS Protect Cloud and supply your email address, that email suffix (@yourco.com) is used to define the first domain to be discovered. Subsequent domains can be added after the first sign-in. Internet scan services are hosted by TLS Protect Cloud. When given a domain to scan, they examine certificate transparency (CT) logs to get a list of certificates issued for names under your domain. This allows TLS Protect Cloud to perform a full recursive search of your domain's namespace. After this initial lookup, it resolves the certificates' installation locations and validates their configuration. The result is an inventory of all certificates, their installation locations, certain configuration aspects, and all certificate metadata.
When configuring this scan in the user interface and examining the administration tab of the service, you will notice a scheduling option. It controls the additional processes performed during a discovery, such as validation, or scanning specific targets entered as an FQDN or an IP. The scan that discovers domains (rather than IPs or FQDNs), however, is controlled globally by the Venafi as a Service platform and not by this scheduling option: the domain scan runs automatically every day.
How to Add a Domain
When adding a domain, you must recognize whether your domain name has two parts or more than two parts. For example, is your domain "yourco.com" or "yourco.co.uk"? If your domain has only two parts, adding it as "yourco.com" adds it as a domain. If you add a three-plus part name such as "yourco.co.uk" as "yourco.co.uk", it is added as an FQDN, because three-plus part names are treated as FQDNs. To add a three-plus part domain name as a domain rather than an FQDN, prefix it with "*.", as in "*.yourco.co.uk".
Notice in the screenshot below how two- and three-part domain names are added and how the system automatically classifies them:
What Does the Internet Scanner Scan?
The internet scanner is hosted by the cloud service and as such only has access to external resources. To avoid DoS conditions and other bad behavior, the scanner is limited to scanning only port 443 on the target endpoints. If your network blocks access to certain endpoints by way of black or white listing, the internet scanner may be unable to locate those internet-facing items. If your services listen on ports other than 443, the internet scanner will be unable to locate them. If your services are not found in DNS, the internet scanner must be fed IP addresses or subnets to locate them. The internet scanner can be configured to scan domain names, FQDNs, IPs, and subnets.
Recommendations:
- Target domain names when possible, and don't add child domains or child nodes when a parent domain is already being scanned. For example, adding the domain "yourco.com" scans everything ending in ".yourco.com". Adding "server.yourco.com" or "api.server.yourco.com" as well is therefore redundant and consumes more time and resources.
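The two rules above (three-plus part names are FQDNs unless prefixed with "*.", and names under an already-scanned domain are redundant) are easy to check before entering targets. The following added example is not code from Venafi or the article; it classifies each target the way the article describes and flags entries already covered by a configured domain. The target values are constructed samples.

```python
import ipaddress


def classify_target(target: str) -> str:
    """Classify an internet-scan target as described in the article:
    'ip', 'subnet' (CIDR), 'domain' (two labels, or any '*.' prefix)
    or 'fqdn' (three or more labels without the '*.' prefix)."""
    t = target.strip().lower().rstrip(".")
    try:
        ipaddress.ip_network(t, strict=False)  # accepts both 'a.b.c.d' and 'a.b.c.d/nn'
        return "subnet" if "/" in t else "ip"
    except ValueError:
        pass  # not an IP or CIDR, so treat it as a name
    if t.startswith("*."):
        return "domain"  # explicit wildcard forces domain treatment
    labels = t.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a valid target: {target!r}")
    return "domain" if len(labels) == 2 else "fqdn"


def scope_of(target: str) -> str:
    """Return the suffix a name target covers, without any leading '*.'."""
    return target.strip().lower().rstrip(".").removeprefix("*.")


def redundant_targets(targets):
    """Map each name target that falls under a configured domain entry to
    that domain (e.g. 'server.yourco.com' when 'yourco.com' is scanned).
    IPs and subnets are never considered redundant here."""
    domains = {scope_of(t) for t in targets if classify_target(t) == "domain"}
    redundant = {}
    for t in targets:
        if classify_target(t) not in ("fqdn", "domain"):
            continue
        name = scope_of(t)
        for d in domains:
            if name != d and name.endswith("." + d):
                redundant[t] = d
                break
    return redundant


if __name__ == "__main__":
    # Constructed sample scan configuration, not from the article.
    sample = ["yourco.com", "server.yourco.com", "api.server.yourco.com",
              "yourco.co.uk", "*.yourco.co.uk", "203.0.113.0/24"]
    for t in sample:
        print(f"{t:24} -> {classify_target(t)}")
    print("redundant:", redundant_targets(sample))
```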
Private Scanners
Private scanners scan private network assets, or public internet-facing assets when those assets listen on ports other than 443 or are black/white listed to allow only trusted sources. No private scans are configured automatically after you first sign up for TLS Protect Cloud. Private scanners do not perform recursive lookups the way an internet domain scan does. Instead, you must provide specific endpoints as an FQDN, IP, or, more commonly, subnets. You may set up multiple scanning services to meet your network's needs.
Basic Scan vs Enhanced Scan
Private scanners come in two forms: basic and enhanced. A basic scan uses a utility called Scanafi, while an enhanced scan uses a service called VSatellite.
Scanafi is a self-contained executable designed to be run ad hoc or via a scheduled task or cron job. Scanafi has no provision for certificate validation (checking the configuration of a discovered certificate).
VSatellite is a service that, like Scanafi, performs discovery, but it adds validation and SNI lookup support and hosts a slew of other features, such as pushing certificates to endpoints, generating private key data, and more. Enhanced scans also provide built-in scheduling options to run as frequently as daily. For a full description of VSatellite, please read: https://venafi.zendesk.com/knowledge/articles/10979385608717/en-us?brand_id=1198686.
Recommendations:
- Use VSatellites, rather than Scanafi, for long-term production use.
What Does the Private Scanner Scan?
Private scanners mainly scan private resources but can also target public resources, as noted above. You can add targets as an FQDN, IP, or subnet in CIDR notation, and you must also define target ports or port ranges.
Customers are often not sure which ports to target. Consider that targeting every port, 1-65535, scans every port on every name or IP added as a target. This can cause network havoc or trigger your IDS and IPS systems. Commonly observed services when defining your network scans are:
- 443 - HTTPS
- 25/485/587 - Secure SMTP
- 636 - secure LDAP
- 3389 - RDP
- 5986 - WinRM with TLS
- 8443/9443 - common alternative HTTPS
Recommendations:
- If a large swath of ports is scanned initially to get a footprint, pare the scanner down after a full run to target only the ports and services found. This lightens the network load, lets scans run more quickly, and makes them less likely to trigger IDS and IPS systems.
- Create sets of smaller scans. You can configure multiple scans that target different sets of machines and specific services. For example, if you add all server and domain controller IPs to one scan, with ports for web servers (443/8443/9443/5986) and ports for domain controllers (636/5986), every one of those ports is scanned on every added endpoint. That wastes bandwidth, since we know the servers aren't running secure LDAP and the domain controllers aren't hosting web servers.
- If multiple scans are configured, you may wish to spread their run times apart. Setting scans to run at different times of day can alleviate network congestion or a backlog of scans waiting to run.
- If your network has unroutable segments or is segregated by slow WAN links, set up additional scanners in those network segments.
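The recommendations above to avoid the full 1-65535 range and to split scans by role can be checked numerically before a scan is configured. The following added example is not VSatellite or Scanafi code and does not produce a real scan definition; it parses port specs in the article's "443/8443/9443/5986" and "1-65535" notations and compares the probe count (targets x ports) of one merged scan against one scan per role. The role names and target IPs are constructed samples.

```python
FULL_RANGE = range(1, 65536)


def parse_ports(spec: str) -> set:
    """Expand '443/8443/9443' or '1-1024' (or a mix) into a set of ports."""
    ports = set()
    for part in spec.split("/"):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def plan_scans(groups: dict) -> dict:
    """groups maps a role name to (targets, port_spec).

    Returns the probe count for one merged scan (all targets x all ports),
    the total for one scan per role, the difference, and a warning for any
    role whose spec expands to the whole 1-65535 range."""
    per_role, warnings = {}, []
    all_targets, all_ports = set(), set()
    for role, (targets, spec) in groups.items():
        ports = parse_ports(spec)
        if len(ports) == len(FULL_RANGE):
            warnings.append(f"{role}: scanning every port; pare down after the first run")
        per_role[role] = len(targets) * len(ports)
        all_targets.update(targets)
        all_ports.update(ports)
    merged = len(all_targets) * len(all_ports)
    split = sum(per_role.values())
    return {"per_role": per_role, "merged_probes": merged,
            "split_probes": split, "saved_probes": merged - split,
            "warnings": warnings}


if __name__ == "__main__":
    # Constructed example matching the article's web-server / DC split.
    groups = {
        "web": (["192.0.2.10", "192.0.2.11", "192.0.2.12"], "443/8443/9443/5986"),
        "dc": (["192.0.2.20", "192.0.2.21"], "636/5986"),
    }
    print(plan_scans(groups))
```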