
Best practices for scanning routers?

Question asked by Jake VanMast on Jul 30, 2019
Latest reply on Jul 31, 2019 by derekv

Qualys doesn't support a "unified view" for Cisco routers, meaning every vulnerability detected via authenticated VM scan will show N times, where N is the number of interfaces being scanned.

In order for authentication to work, operators must maintain a static list of IPv4 addresses in a Cisco Authentication record.
What are the "Best Practices" for scanning routers then?
What is the best way to detect a new host (versus a new interface on existing host, which creates duplicate assets)?
Should all interfaces of a host be network scanned, or is there a trick/strategy to limit the scan to one interface per host (or per "context" per host in the case of Nexus-OS)?

Ditto for policy compliance asset inventory: if we tag based on Cisco model type patterns (via QID=45276 or 45304), what is the best practice to limit the number of duplicate asset instances per interface?

Additionally, we assume that most customers are scanning all CIDR blocks that they have defined/routed, meaning all router interfaces are being scanned (either authenticated or unauthenticated). Per vendor advice, we have recently abandoned Map & Lite Inventory scanning in favor of doing a Full VM Scan on everything. In our case, our routers have between 2 and 90 interfaces (L3 VLANs, etc.) each.
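The duplicate-per-interface problem described in the question can be reduced after the fact by collapsing detections onto a device-level key. The following is an added example, not code from the post or from Qualys; it assumes the scan export carries a per-device identifier (here `hostname`, as reported by the authenticated scan) alongside the scanned IP and QID, and all sample rows are constructed.

```python
# Added example: collapse per-interface detections into one record per device so a
# finding is not counted once per interface, and label newly seen IPs as either a
# new host or a new interface on a device already in the inventory.
# Field names (ip, hostname, qid) and all rows below are constructed assumptions.
from collections import defaultdict

# Constructed sample: QID 45276 reported on three IPs, two of which belong to the
# same router; QID 45304 reported on one of that router's interfaces.
DETECTIONS = [
    {"ip": "10.0.1.1", "hostname": "core-rtr-01", "qid": 45276},
    {"ip": "10.0.2.1", "hostname": "core-rtr-01", "qid": 45276},
    {"ip": "10.0.3.1", "hostname": "edge-rtr-07", "qid": 45276},
    {"ip": "10.0.2.1", "hostname": "core-rtr-01", "qid": 45304},
]

# Constructed: devices already present in the asset inventory.
KNOWN_DEVICES = {"core-rtr-01"}


def collapse_by_device(detections):
    """Return {hostname: {"interfaces": [ips...], "qids": [qids...]}}.

    Four per-interface rows become two device records, so each QID is
    counted once per router instead of once per scanned interface.
    """
    devices = defaultdict(lambda: {"interfaces": set(), "qids": set()})
    for d in detections:
        dev = devices[d["hostname"]]
        dev["interfaces"].add(d["ip"])
        dev["qids"].add(d["qid"])
    return {h: {"interfaces": sorted(v["interfaces"]), "qids": sorted(v["qids"])}
            for h, v in devices.items()}


def classify_new_ips(detections, known_devices):
    """Map each scanned IP to 'new host' or 'new interface' using the device key."""
    labels = {}
    for d in detections:
        is_new = d["hostname"] not in known_devices
        labels[d["ip"]] = "new host" if is_new else "new interface"
    return labels


if __name__ == "__main__":
    for host, info in collapse_by_device(DETECTIONS).items():
        print(host, info["interfaces"], info["qids"])
    print(classify_new_ips(DETECTIONS, KNOWN_DEVICES))
```

In practice the device key should be whatever the authenticated scan reliably reports per chassis (hostname or a chassis identifier), not the IP, since the IP is exactly what varies per interface.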
