I have a customer that has production resources at IBM SoftLayer in Dallas and other IBM SoftLayer centers. They also have resources at Amazon Web Services (AWS) in Virginia. Our initial attempts to use the AWS-EC2 version of the Qualys scanner appliance at AWS to scan resources at IBM SoftLayer using the secured IP tunnel were UNSUCCESSFUL. There are too many encryption and filtering points between AWS and SoftLayer to allow this. Don't waste your time trying. I've already wasted too much of mine.
The senior staff at my client could not get the Qualys Scanner appliance working on the hypervisor used in the SoftLayer virtual machines. The alternative was to dedicate a physical 'bare metal server' with Oracle VM VirtualBox or another hypervisor compatible with Qualys scanner appliance images. My client wanted to avoid this dedicated physical server at all costs (pun intended). If you are installing this for your own company, a dedicated bare metal server would be the preferred method and you could ignore the VPN instructions below. The bottom line is that you will not be able to have a temporary server running at SoftLayer ONLY during the times of the month you are running vulnerability tests. You can either have a server running and billing 100% of the time or follow the instructions below for scanning via VPN.
After much trial and significant errors, we finally identified a way to run vulnerability scans at SoftLayer using the VPN. The solution involved installing the scanner appliance on a VM running on your laptop/desktop. Then you will need to access SoftLayer using the VPN service to remotely perform the scans. Here are my notes:
INSTALL THE SCANNER APPLIANCE
- Install Oracle VM VirtualBox on your local machine
- Download and install the Qualys Scanner Appliance
- Enter the PERSCODE generated by the Qualys download process
- Verify a good connection to the scanner through the Qualys Appliance tab
- IMPORTANT: Using the Settings button in Oracle VM VirtualBox, you MUST get into the Network Setup and change "Attached To" to indicate "NAT"
NOTE: You will need to shut down Oracle VM VirtualBox and restart it to get the network setting in place
CONNECT TO SOFTLAYER VPN
- Log on to the SoftLayer Client Portal using your credentials (You must be authorized to use the VPN service)
- Select Support from the menu then SSL VPN Login from the drop-down.
- Select the site closest to your desired center (getting a VPN connection to one center allows access to all centers - You don't need to sign-out and in if you have servers at multiple centers)
- On your first access, you will need to install the VPN client. You may also get a warning about an untrusted site. I simply accepted the risk (This is IBM after all).
- You will need to wait while the service negotiates the credentials and logs you in
NOTE: I often need to uninstall the VPN software using the button on the SoftLayer screen due to update incompatibilities. Simply click on connect after uninstalling to get a fresh version.
NOTE: Not all SoftLayer centers are listed on the VPN selection list. Not to worry. Not all centers have VPN capabilities. However, ALL centers are accessible through a VPN connection to any center with such a service.
Message was edited by: John Crites
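
The "Attached To: NAT" step and the shutdown note from the post can also be checked from a terminal with `VBoxManage`. This is an added example, not part of the original post; the VM name `qualys-scanner` and the embedded sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify (and optionally set) NAT on adapter 1 of the scanner VM.
# Assumption: the appliance is registered under this hypothetical VM name.
VM_NAME="${VM_NAME:-qualys-scanner}"

# Read `VBoxManage showvminfo --machinereadable` output on stdin and print the
# value of one key, with the surrounding quotes removed (e.g. nic1="nat").
vminfo_get() {
    awk -F= -v key="$1" '$1 == key { gsub(/"/, "", $2); print $2; exit }'
}

# Decide what is needed from the VM info on stdin.
# Prints: ok (already NAT) | change (safe to modify) | poweroff-first
nat_action() {
    info=$(cat)
    mode=$(printf '%s\n' "$info" | vminfo_get nic1)
    state=$(printf '%s\n' "$info" | vminfo_get VMState)
    if [ "$mode" = "nat" ]; then
        echo ok
    elif [ "$state" = "poweroff" ]; then
        echo change
    else
        echo poweroff-first
    fi
}

# Apply the setting to the real VM; modifyvm only works on a powered-off VM.
ensure_nat() {
    case $(VBoxManage showvminfo "$VM_NAME" --machinereadable | nat_action) in
        ok)     echo "$VM_NAME: adapter 1 is already attached to NAT" ;;
        change) VBoxManage modifyvm "$VM_NAME" --nic1 nat &&
                echo "$VM_NAME: adapter 1 set to NAT" ;;
        *)      echo "$VM_NAME: shut the VM down first, then re-run" >&2
                return 1 ;;
    esac
}

# Constructed sample of machine-readable output: a running VM on a bridged adapter.
SAMPLE_RUNNING='name="qualys-scanner"
VMState="running"
nic1="bridged"'

if [ "${1:-}" = "--apply" ]; then
    ensure_nat
else
    printf 'sample VM needs: %s\n' "$(printf '%s\n' "$SAMPLE_RUNNING" | nat_action)"
fi
```

Run it with `--apply` on the machine that hosts the appliance; without arguments it only evaluates the constructed sample.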