Best practices for adding assets

Consider several things when selecting assets for a site. Asset selection can have an impact on the quality of scans and reports.

Choosing a grouping strategy for creating a site with manually selected assets

There are many ways to divide network assets into sites. The most obvious grouping principle is physical location. A company with assets in Philadelphia, Honolulu, Osaka, and Madrid could have four sites, one for each of these cities. Grouping assets in this manner makes sense, especially if each physical location has its own dedicated Scan Engine. Remember, each site is assigned to a specific Scan Engine.

With that in mind, you may find it practical simply to base site creation on Scan Engine placement. Scan Engines are most effective when they are deployed at the points of separation and connection within your network, so, for example, you could create sites based on subnetworks.

Other useful grouping principles include common asset configurations or functions. You may want to have separate sites for all of your workstations and for your database servers. Or you may wish to group all your Windows Server 2008 machines in one site and all your Debian machines in another. Similar assets are likely to have similar vulnerabilities, and they are likely to present identical logon challenges.

If you are performing scans to test assets for compliance with a particular standard or policy, such as Payment Card Industry (PCI) or Federal Desktop Core Configuration (FDCC), you may find it helpful to create a site of assets to be audited for compliance. This method focuses scanning resources on compliance efforts. It also makes it easier to track scan results for these assets and include them in reports and asset groups.

Being flexible with site membership

When selecting assets for sites, flexibility can be advantageous. You can include an asset in more than one site. For example, you may wish to run a monthly scan of all your Windows Vista workstations with the Microsoft hotfix scan template to verify that these assets have the proper Microsoft patches installed. But if your organization is a medical office, some of the assets in your “Windows Vista” site might also be part of your “Patient support” site, which you may have to scan annually with the HIPAA compliance template.

You can also define an asset group within a site in order to scan on the basis of a specific logical grouping.

Grouping options for Example, Inc.

Your grouping scheme can be fairly broad or more granular.

The following table shows a serviceable high-level site grouping for Example, Inc. The scheme provides a very basic guide for scanning and makes use of the entire network infrastructure.

Site name     Address space                              Number of assets   Component
New York      10.1.0.0/22, 10.1.0.0/23, 10.1.0.0/24      360                Security Console
New York DMZ  172.16.0.0/22                              30                 Scan Engine 1
Madrid        10.2.0.0/22, 10.2.10.0/23, 10.2.20.0/24    233                Scan Engine 1
Madrid DMZ    172.16.10.0/24                             15                 Scan Engine 1

A potential problem with this grouping is that managing scan data in large chunks is time-consuming and difficult. A better configuration groups the elements into smaller scan sites for more refined reporting and clearer asset ownership.

In the following configuration, Example, Inc., introduces asset function as a grouping principle. The New York site from the preceding configuration is subdivided into Sales, IT, Administration, Printers, and DMZ. Madrid is subdivided by these criteria as well. Adding more sites reduces scan time and promotes more focused reporting.

Site name                Address space    Number of assets   Component
New York Sales           10.1.0.0/22      254                Security Console
New York IT              10.1.10.0/24     25                 Security Console
New York Administration  10.1.10.1/24     25                 Security Console
New York Printers        10.1.20.0/24     56                 Security Console
New York DMZ             172.16.0.0/22    30                 Scan Engine 1
Madrid Sales             10.2.0.0/22      65                 Scan Engine 2
Madrid Development       10.2.10.0/23     130                Scan Engine 2
Madrid Printers          10.2.20.0/24     35                 Scan Engine 2
Madrid DMZ               172.16.10.0/24   15                 Scan Engine 3

An optimal configuration, seen in the following table, incorporates the principle of physical separation. Scan times will be even shorter, and reporting will be even more focused.

Site name                     Address space    Number of assets   Component
New York Sales 1st Floor      10.1.1.0/24      84                 Security Console
New York Sales 2nd Floor      10.1.2.0/24      85                 Security Console
New York Sales 3rd Floor      10.1.3.0/24      85                 Security Console
New York IT                   10.1.10.0/25     25                 Security Console
New York Administration       10.1.10.128/25   25                 Security Console
New York Printers Building 1  10.1.20.0/25     28                 Security Console
New York Printers Building 2  10.1.20.128/25   28                 Security Console
New York DMZ                  172.16.0.0/22    30                 Scan Engine 1
Madrid Sales Office 1         10.2.1.0/24      31                 Scan Engine 2
Madrid Sales Office 2         10.2.2.0/24      31                 Scan Engine 2
Madrid Sales Office 3         10.2.3.0/24      33                 Scan Engine 2
Madrid Development Floor 2    10.2.10.0/24     65                 Scan Engine 2
Madrid Development Floor 3    10.2.11.0/24     65                 Scan Engine 2
Madrid Printers Building 3    10.2.20.0/24     35                 Scan Engine 2
Madrid DMZ                    172.16.10.0/24   15                 Scan Engine 3
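Before committing a grouping plan like the ones in the tables above, it is worth checking it mechanically: two sites whose address spaces intersect will scan and count the same assets twice unless that was the intent (the product does allow an asset in more than one site, as noted under "Being flexible with site membership"), a declared asset count larger than the prefix can hold points to a typo in either value, and the per-Scan-Engine totals show how the load is spread. The following script is an added example, not part of this page or of the product; it uses only the Python standard library and encodes the function-based and physical-separation tables from the Example, Inc. section as plain data. Run against those tables it reports that the function-based plan's "New York IT" (10.1.10.0/24) and "New York Administration" (10.1.10.1/24) entries resolve to the same /24, while the physical-separation plan has no overlapping ranges.

```python
"""Sanity-check a site grouping plan: address-space overlap, capacity, and Scan Engine load."""
import ipaddress
from collections import defaultdict

# Site plans copied from the Example, Inc. tables on this page.
# Each entry: (site name, list of CIDR address spaces, declared asset count, scanning component).
FUNCTION_PLAN = [
    ("New York Sales", ["10.1.0.0/22"], 254, "Security Console"),
    ("New York IT", ["10.1.10.0/24"], 25, "Security Console"),
    ("New York Administration", ["10.1.10.1/24"], 25, "Security Console"),
    ("New York Printers", ["10.1.20.0/24"], 56, "Security Console"),
    ("New York DMZ", ["172.16.0.0/22"], 30, "Scan Engine 1"),
    ("Madrid Sales", ["10.2.0.0/22"], 65, "Scan Engine 2"),
    ("Madrid Development", ["10.2.10.0/23"], 130, "Scan Engine 2"),
    ("Madrid Printers", ["10.2.20.0/24"], 35, "Scan Engine 2"),
    ("Madrid DMZ", ["172.16.10.0/24"], 15, "Scan Engine 3"),
]

PHYSICAL_PLAN = [
    ("New York Sales 1st Floor", ["10.1.1.0/24"], 84, "Security Console"),
    ("New York Sales 2nd Floor", ["10.1.2.0/24"], 85, "Security Console"),
    ("New York Sales 3rd Floor", ["10.1.3.0/24"], 85, "Security Console"),
    ("New York IT", ["10.1.10.0/25"], 25, "Security Console"),
    ("New York Administration", ["10.1.10.128/25"], 25, "Security Console"),
    ("New York Printers Building 1", ["10.1.20.0/25"], 28, "Security Console"),
    ("New York Printers Building 2", ["10.1.20.128/25"], 28, "Security Console"),
    ("New York DMZ", ["172.16.0.0/22"], 30, "Scan Engine 1"),
    ("Madrid Sales Office 1", ["10.2.1.0/24"], 31, "Scan Engine 2"),
    ("Madrid Sales Office 2", ["10.2.2.0/24"], 31, "Scan Engine 2"),
    ("Madrid Sales Office 3", ["10.2.3.0/24"], 33, "Scan Engine 2"),
    ("Madrid Development Floor 2", ["10.2.10.0/24"], 65, "Scan Engine 2"),
    ("Madrid Development Floor 3", ["10.2.11.0/24"], 65, "Scan Engine 2"),
    ("Madrid Printers Building 3", ["10.2.20.0/24"], 35, "Scan Engine 2"),
    ("Madrid DMZ", ["172.16.10.0/24"], 15, "Scan Engine 3"),
]


def parse_plan(plan):
    """Normalise each site's address spaces into ip_network objects.

    strict=False accepts host-style entries such as 10.1.10.1/24 and maps them
    to the network they belong to (10.1.10.0/24), which is how they would be
    interpreted when scanned.
    """
    parsed = []
    for name, cidrs, assets, component in plan:
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        parsed.append((name, nets, assets, component))
    return parsed


def find_overlaps(plan):
    """Return (site_a, site_b, net_a, net_b) for every pair of sites whose
    address spaces intersect. Membership in several sites can be deliberate
    (e.g. a patch-check site and a compliance site), but an unintended overlap
    scans and reports the same assets twice."""
    parsed = parse_plan(plan)
    hits = []
    for i, (name_a, nets_a, _, _) in enumerate(parsed):
        for name_b, nets_b, _, _ in parsed[i + 1:]:
            for na in nets_a:
                for nb in nets_b:
                    if na.overlaps(nb):
                        hits.append((name_a, name_b, str(na), str(nb)))
    return hits


def find_oversubscribed(plan):
    """Return (site, declared assets, usable addresses) for sites whose declared
    asset count exceeds what their address space can hold, i.e. the count or the
    prefix length was probably entered wrongly."""
    bad = []
    for name, nets, assets, _ in parse_plan(plan):
        # Subtract network and broadcast addresses; /31 and /32 get at least 1.
        capacity = sum(max(n.num_addresses - 2, 1) for n in nets)
        if assets > capacity:
            bad.append((name, assets, capacity))
    return bad


def load_per_component(plan):
    """Total declared assets per Security Console / Scan Engine."""
    totals = defaultdict(int)
    for _, _, assets, component in plan:
        totals[component] += assets
    return dict(totals)


if __name__ == "__main__":
    for label, plan in (("function-based", FUNCTION_PLAN), ("physical", PHYSICAL_PLAN)):
        print(f"== {label} plan ==")
        for a, b, na, nb in find_overlaps(plan):
            print(f"  overlap: {a} ({na}) and {b} ({nb})")
        for name, assets, cap in find_oversubscribed(plan):
            print(f"  oversubscribed: {name} declares {assets} assets, space holds {cap}")
        for component, total in sorted(load_per_component(plan).items()):
            print(f"  {component}: {total} assets")
```

The per-component totals are a quick way to see that the refinement from the function-based plan to the physical one keeps the Security Console's share at 360 assets while the sites behind it become smaller and scan faster, which is the point the section makes.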