High-level overview of networks in RiskSense.
Two key elements in the RiskSense platform are Networks and Groups. Networks determine an asset’s uniqueness, while Groups provide access controls to assets. There is no hierarchical relationship between networks and groups.
Networks are managed on the Organize > Networks page in RiskSense.
When uploading data to the RiskSense platform, users must designate a network partition for the upload.
RiskSense uses Networks to determine if data should be aggregated by IP address, hostname, or a mix of the two. This way, you can configure your networks in the RiskSense platform to match the way you perform your network/application scans.
If your scanners are tuned to return a hostname, we recommend you upload your scans to a hostname-based network.
If your scanners are tuned to return a static IP address, we recommend you upload your scans to an IP-based network.
If your scanners are tuned to return a unique identifier (which is specific to each scanner) or if you need to customize the logic of identifying an asset, we recommend you upload your scans to a MIXED network.
As an example, let us say that your workstations receive hostnames but some of the devices are wireless and receive different IP addresses each time they connect to your internal network. In that scenario, upload your workstation-environment scans into a hostname-based network. Let us also say that you have a number of assets that live outside your firewall. These devices do not communicate with DHCP but have been issued static IP addresses. In this scenario, upload vulnerability scans of those external hosts to an IP-based network partition. Keep in mind that these scans must be uploaded to the correct network consistently to avoid accidental asset duplication in the RiskSense platform.
If you have overlapping IP ranges, these can be managed by network partitioning. Assets in each network are treated as unique, even if they have the same IP address. If they are uploaded to separate networks, the data will not be merged.
A common use case for defining and leveraging more than one network of the same aggregation type would be organizations that grow through acquisition. If your environment uses the 10.5.10.x space for workstations and you acquire a new location that leverages the same 10.5.10.x address space, we suggest creating a second IP-based network to upload the acquired office’s scan data. This allows the RiskSense platform to keep hosts with identical IP addresses as separate entities.
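The aggregation behaviour described above, modelled as an added example (this is not RiskSense code or its API): assets are keyed by network partition plus either IP address or hostname. The network names, record fields and finding IDs are constructed for illustration, and MIXED networks are left out because the page does not specify their logic.

```python
from collections import defaultdict

# Constructed sample scan records (not real data). "network" is the partition
# chosen at upload time; network names and finding IDs are hypothetical.
SCANS = [
    # One wireless workstation, scanned twice with different DHCP leases.
    {"network": "workstations", "hostname": "ws-042", "ip": "10.5.10.21", "finding": "F-1"},
    {"network": "workstations", "hostname": "ws-042", "ip": "10.5.10.87", "finding": "F-2"},
    # Two different hosts sharing a static IP: HQ and an acquired office.
    {"network": "hq-static", "hostname": "", "ip": "10.5.10.5", "finding": "F-3"},
    {"network": "acquired-static", "hostname": "", "ip": "10.5.10.5", "finding": "F-4"},
]

# Aggregation type per network, as the page recommends for these two cases.
RECOMMENDED = {"workstations": "hostname", "hq-static": "ip", "acquired-static": "ip"}
# Misconfiguration: DHCP workstations uploaded to an IP-based network.
WORKSTATIONS_BY_IP = dict(RECOMMENDED, workstations="ip")


def aggregate(scans, network_types):
    """Group findings per asset, keyed by (network, identifier)."""
    assets = defaultdict(list)
    for rec in scans:
        field = network_types[rec["network"]]  # "ip" or "hostname"
        ident = rec[field].strip().lower()     # assumption: case-insensitive match
        if not ident:
            raise ValueError(f"record has no {field} for network {rec['network']!r}")
        assets[(rec["network"], ident)].append(rec["finding"])
    return dict(assets)


def single_static_network(scans):
    """Simulate uploading the acquired office's scans into the HQ network."""
    return [dict(r, network="hq-static") if r["network"] == "acquired-static" else r
            for r in scans]


if __name__ == "__main__":
    for label, result in [
        ("recommended layout", aggregate(SCANS, RECOMMENDED)),
        ("workstations keyed by IP", aggregate(SCANS, WORKSTATIONS_BY_IP)),
        ("both offices in one network", aggregate(single_static_network(SCANS), RECOMMENDED)),
    ]:
        print(label)
        for key, findings in sorted(result.items()):
            print("   ", key, findings)
```

With the recommended layout the workstation stays one asset and the two 10.5.10.5 hosts stay separate; the other two layouts show the duplication and the unwanted merge that the page warns about.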
In some cases, the hostname or IP address may not be unique, and asset identification may instead be based on the scanner’s unique identifier or on another field such as the EC2 identifier, MAC address, NetBIOS, etc. Asset uniqueness can vary by scanner and by customer preference. In this scenario, we recommend uploading scans to a MIXED network. Please contact RiskSense support for more details on this network.