Thursday, July 8, 2021

Subnet Size to accommodate Vulnerability Scanning

My company is onboarding a SOC-as-a-service, and part of this entails spinning up VMs to do internal vulnerability scanning. Their configuration does a full scan of the subnets you feed it whether or not the host responds to ping/discovery, so it takes somewhere between 12-16 hours to scan a /24 no matter how many active hosts there are. This is prohibitive, as they recommend no more than 1000-2000 IPs be assigned per VM, i.e. 4-8 /24s. I have multiple sites with multiple VLANs per site, all with /24s attached. This will quickly get out of control.

So my thought was that, since many of these sites only have 10-30 users, I could scale all of their networks down to /25 or /26. I would ideally use the same mask for all of them for consistency's sake, and just keep /24s for the bigger sites. There are 30 sites averaging 2 /24s each; bigger sites have 4-8 depending on the infra in place. Any thoughts on how others might tackle this would be great.
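To put numbers on the trade-off, here is a small planning script. It is an added example, not code from the post or from the scanning vendor. It assumes the vendor's quoted figures scale linearly (12-16 hours per 256 addresses, 1000-2000 addresses per scanner VM), picks the longest prefix between /24 and a configurable floor (/26 by default, matching the post) that leaves a headroom factor over the user count, and reports how many scanner VMs the resized estate needs and how long one fully loaded VM takes per cycle. The site names, addresses and user counts are constructed sample data, and the headroom factor is an assumption.

```python
"""Added planning example (not from the original post): right-size
per-VLAN subnets and estimate scanner VM count and scan wall time from
the vendor figures quoted above. Site data below is constructed."""
import ipaddress
import math

# Figures quoted in the post, assumed here to scale linearly with address count.
HOURS_PER_SLASH24 = (12.0, 16.0)   # full scan of 256 addresses, live or not
ADDRESSES_PER_VM = (1000, 2000)    # vendor's recommended per-scanner load


def prefix_for_hosts(users, longest=26, headroom=2.0):
    """Return the longest IPv4 prefix (between /24 and `longest`) whose
    usable host count (2**(32-p) - 2) covers users * headroom.
    `longest` caps how small a VLAN may get; 26 keeps everything at /26
    or larger, as the post proposes. Headroom is an assumed 2x."""
    needed = math.ceil(users * headroom)
    for prefix in range(longest, 23, -1):
        if 2 ** (32 - prefix) - 2 >= needed:
            return prefix
    return 24   # does not fit the /26../24 ladder; keep the /24


def resize(cidr, users, longest=26, headroom=2.0):
    """Keep the existing network if it is already at or longer than the
    chosen prefix; otherwise return its first right-sized sub-block."""
    net = ipaddress.ip_network(cidr)
    prefix = max(net.prefixlen, prefix_for_hosts(users, longest, headroom))
    return next(net.subnets(new_prefix=prefix))


def plan(sites, longest=26, headroom=2.0):
    """sites: list of (site_name, [(cidr, user_count), ...]).
    Returns address totals before/after resizing, the scanner VM count
    range at 1000-2000 addresses per VM, and scan time estimates."""
    before = after = 0
    assignments = []
    for site, vlans in sites:
        for cidr, users in vlans:
            old = ipaddress.ip_network(cidr)
            new = resize(cidr, users, longest, headroom)
            before += old.num_addresses
            after += new.num_addresses
            assignments.append((site, str(old), users, str(new)))
    lo_h, hi_h = HOURS_PER_SLASH24
    lo_vm, hi_vm = ADDRESSES_PER_VM
    return {
        "before_addresses": before,
        "after_addresses": after,
        # fewest VMs at 2000 addresses each, most at 1000 each
        "vms_needed": (math.ceil(after / hi_vm), math.ceil(after / lo_vm)),
        # hours for one VM carrying the vendor maximum of 2000 addresses
        "hours_per_full_vm": (hi_vm * lo_h / 256, hi_vm * hi_h / 256),
        # hours if the whole resized estate sat on a single VM
        "hours_single_vm": (after * lo_h / 256, after * hi_h / 256),
        "assignments": assignments,
    }


# Constructed sample estate: two small branches and one larger site.
SAMPLE_SITES = [
    ("branch-a", [("10.1.1.0/24", 15), ("10.1.2.0/24", 25)]),
    ("branch-b", [("10.2.1.0/24", 30)]),
    ("hq", [("10.9.%d.0/24" % i, 120) for i in range(1, 5)]),
]

if __name__ == "__main__":
    result = plan(SAMPLE_SITES)
    for site, old, users, new in result["assignments"]:
        print(f"{site:10} {old:16} {users:4} users -> {new}")
    print("addresses to scan: %d -> %d" % (result["before_addresses"],
                                          result["after_addresses"]))
    print("scanner VMs needed: %d-%d" % result["vms_needed"])
    print("hours per fully loaded VM: %.0f-%.0f" % result["hours_per_full_vm"])
```

The point the numbers make: shrinking the small sites to /26 cuts the sample estate from 1792 to 1216 addresses, but a VM loaded to the vendor's 2000-address ceiling still needs roughly 94-125 hours per cycle at the quoted rate, so the VM count is driven as much by how often you want a complete scan as by the address total.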


