4 Replies Latest reply: Aug 15, 2017 6:49 AM by ManiacMac RSS

How do Agent scans handle multiple interfaces?

nsanders Expert

If you have an agent on a system that has multiple interfaces, what IP is assigned as the primary or how is that handled? Such as, if you have a virtual machine app installed and it builds its own private NAT that overlaps with the same subnets as other parts of your network, how does the agent handle the assingment of that systems IP?

 

The issue we're running in to is that we define our assets based on subnets. Prod is one range, Corp is another range. But suddenly we're finding systems from Corp that are showing up as being in Prod because they have VMs installed or other interfaces on the system.

 

Also, what happens if the system is scanned, say over a weekend, when it's out of the office and on a home Internet connection? Does its IP change in tenable.io or does it still retain it's original internal IP? Tenable.io see's Assets, which could have different IP's, but when this data is imported in to SecurityCenter, how does it handle what might be the same asset with a different IP on different days? This could have drastic consequences on how we've broken things up by subnet ranges as well as repo's (mainly, our "External" repo will now be full of laptops scanned from home instead of just external infrastructure). If internal assets start showing up as external assets due to a home Internet IP, that'll throw all sorts of trends out of line.

 

Hopefully there's a good answer here?