Hi everyone,
So here is another thread to address another issue of mine. But before that, a big thanks to those who have been responding to my threads.
Okay, so right now this is more of a network security infrastructure question.
Imagine we want to have a Master - Slave distribution in a network. But due to the nature of Scanners (you have to constantly check and get nvt updates), such nodes will have to send out RSYNC requests to the internet on port 873.
But to keep the infra secure, you would do network segregation, having 2 firewall layers, DMZ zones. And you want to conduct VA scanning through SLAVEs located internally, trusted zones, within L2 (OSI layer).
Hence, allowing slaves to reach out to the INTERNET would be a security risk.
In this scenario, how can network architects design their network with OpenVAS Slave scanners to do VA, and get its NVT updates without bringing back possible cyber intrusions?
======Let’s get specific=============================
Okay, so you have the setup below.
Internet
|
Proxy (to go internet)
|
Firewall
|
DMZ (Master sits here?)
|
Firewall
|
LAN (Slaves here, to scan hosts directly on L2)
You might be thinking, okay, why is the master sitting in the DMZ? I was thinking maybe we can have the master distribute the NVT updates to the slaves, so that the slaves do not open traffic directly to the internet - the master would do that instead.
At least, only the master is “exposed”.
So really the question is: How do you do NVT syncs without jeopardizing yourself with port 873?
================================================
Thanks for reading, and please let me know your advice. If you can be detailed about it, please go ahead, that would be immensely helpful.
Cheers!
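The egress policy the post sketches (only the master may reach the upstream feed on 873; slaves pull the feed from the master instead of from the internet) can be checked before it is pushed to the firewalls. The block below is an added example, not code from the original post or from the OpenVAS project: it models the two-firewall layout as zones, evaluates sample flows against a weak policy ("just open 873 outbound for every scanner") and the hardened one from the post, audits which hosts could still talk to the feed directly, and renders the hardened rules as nftables-style lines. All addresses, zone ranges, the feed host and the host inventory are constructed placeholders (RFC 5737 / RFC 1918 ranges); only port 873 and the master/slave roles come from the post.

```python
"""Egress policy model for the DMZ-master / LAN-slave layout.

Added example; zones, hosts and the feed address are constructed
placeholders, not values from the post or from any real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone layout (assumption): documentation / private ranges only.
ZONES = {
    "internet": [ipaddress.ip_network("0.0.0.0/0")],   # catch-all
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
    "lan": [ipaddress.ip_network("10.0.0.0/16")],
}
MASTER = "192.0.2.10"        # master in the DMZ (constructed)
FEED_HOST = "198.51.100.20"  # placeholder for the upstream NVT feed
RSYNC_PORT = 873             # rsync, as in the post
SLAVES = ["10.0.5.20", "10.0.5.21"]  # constructed LAN scanner inventory


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip ('internet' is the fallback)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "internet", -1
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or a single host address
    dst: str             # zone name or a single host address
    port: Optional[int]  # None means any destination port
    action: str          # "accept" or "drop"


def _matches(selector: str, ip: str) -> bool:
    return selector == ip or selector == zone_of(ip)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation; anything unmatched is dropped (default deny)."""
    for r in rules:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip) and r.port in (None, port):
            return r.action
    return "drop"


# Weak variant: every scanner zone may rsync straight to the internet.
WEAK_POLICY = [
    Rule("lan", "internet", RSYNC_PORT, "accept"),
    Rule("dmz", "internet", RSYNC_PORT, "accept"),
]

# Hardened variant from the post: only the master reaches the feed host,
# slaves reach the master on 873, and the LAN has no other path out.
HARDENED_POLICY = [
    Rule(MASTER, FEED_HOST, RSYNC_PORT, "accept"),
    Rule("lan", MASTER, RSYNC_PORT, "accept"),
    Rule("lan", "internet", None, "drop"),
    Rule("dmz", "internet", None, "drop"),
]


def hosts_with_direct_feed_access(rules: List[Rule]) -> List[str]:
    """Audit: which inventory hosts can open 873 to the feed host directly."""
    inventory = [MASTER] + SLAVES
    return [h for h in inventory if evaluate(rules, h, FEED_HOST, RSYNC_PORT) == "accept"]


def to_nft(rules: List[Rule]) -> List[str]:
    """Render rules as nftables-style match lines (no address match for 'internet')."""
    lines = []
    for r in rules:
        parts = []
        for key, sel in (("saddr", r.src), ("daddr", r.dst)):
            if sel == "internet":
                continue  # any address
            if sel in ZONES:
                parts.append(f"ip {key} {{ {', '.join(str(n) for n in ZONES[sel])} }}")
            else:
                parts.append(f"ip {key} {sel}")
        if r.port is not None:
            parts.append(f"tcp dport {r.port}")
        parts.append(r.action)
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    print("weak policy, direct feed access:", hosts_with_direct_feed_access(WEAK_POLICY))
    print("hardened policy, direct feed access:", hosts_with_direct_feed_access(HARDENED_POLICY))
    for line in to_nft(HARDENED_POLICY):
        print(line)
```

The audit is the useful part: under the weak policy every slave shows up as a host that can open 873 to the internet, while under the hardened policy only the master does, which is exactly the "only the master is exposed" property the post is after. The explicit trailing drop rules are there so a later "allow" appended to the LAN chain does not silently widen egress.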