Meraki

Community

Allowing Rapid7 server to scan remote endpoints

pjwhitby
Conversationalist
‎May 19 2022 7:07 PM
‎May 19 2022 7:07 PM

Allowing Rapid7 server to scan remote endpoints

Hello Community,

 

Is there a way to allow a central vulnerability scanning server (Rapid7 in this case) to periodically scan all the endpoints in a remote branch when the remote branch is connected via an MX67 using AutoVPN and configured with Intrusion Detection and Prevention in Prevention mode? We can see plenty of Blocked actions in the Security Centre from the vulnerability scanning server but no obvious way to whitelist the server.

 

Everything I have researched indicates that this is not possible but reaching out to the Community to check, or find out if it is on the roadmap?

 

Thank you

0 Kudos
9 Replies 9
Brash
Kind of a big deal
Kind of a big deal
‎May 19 2022 7:39 PM
‎May 19 2022 7:39 PM

If I understand correctly, the Rapid7 scanner is a cloud based vulnerability scanner that you're wanting to use to scan your endpoints?

 

If yes, you can look at using inbound firewall rules. You need to open a case with Meraki support to enable this feature.

However I feel like a more elegant solution would be to use an on premise proxy to do the scanning and report results to the cloud. I'm  thinking similar to how Tenable IO and Nessus scanners work. I'm not sure whether that's a solution provided by Rapid7.

0 Kudos
In response to Brash
pjwhitby
Conversationalist
‎May 19 2022 7:44 PM
‎May 19 2022 7:44 PM

Thank you for your help. The Rapid7 scanning host is on their private network. It runs from their private cloud (or datacentre if you prefer 🙂) across their SD-WAN network via AutoVPN, and into the remote branch.

 

Rapid7 Server <> Meraki VPN Concentrator <> AutoVPN <> Remote MX <> Endpoint

0 Kudos
In response to pjwhitby
CptnCrnch
Kind of a big deal
Kind of a big deal
‎May 20 2022 12:55 AM
‎May 20 2022 12:55 AM

As far as I know, there is no option to specifially exclude sources (or destinations) from IPS.

In response to CptnCrnch
cmr
Kind of a big deal
Kind of a big deal
‎May 20 2022 1:41 PM
‎May 20 2022 1:41 PM

That's very interesting, we have the Enterprise license as our SD-WAN is on top of MPLS circuits and Rapid7 works just fine...  You can install a scanner at each site and still centrally control them.  Might that be an option?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
pjwhitby
Conversationalist
‎May 26 2022 1:51 AM
‎May 26 2022 1:51 AM

thank you cmr

 

I have asked if Rapid7 has a remote agent and I will see what the response is. It looks like IDS/IPS is not in the ENT license.

 

0 Kudos
In response to pjwhitby
cmr
Kind of a big deal
Kind of a big deal
‎May 26 2022 12:10 PM
‎May 26 2022 12:10 PM

@pjwhitby with Rapid7 Insight VM you can definitely have remote scanners and agents.  The agents are for individual endpoints and the scanners are for network scanning.  They are both included in the standard price.  The remote scanners are recommended if you have sites over a WAN and the agents are recommended for all endpoints as you get more up to date information and better accuracy.  We put the agents on everything, they use about 50MB RAM (more if you also have Insight IDR) and about 0.1% CPU on my laptop.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to pjwhitby
Brash
Kind of a big deal
Kind of a big deal
‎May 20 2022 2:38 PM
‎May 20 2022 2:38 PM

Right, bit of a different design then. You can only specify to protect specific networks for IPS when an MX is in VPN Concentrator or passthrough mode.

For your scenario, you might be better off looking into using the API to temporarily change the IPS mode to detection only for the time that you run the scan.

 

https://developer.cisco.com/meraki/api-v1/#!update-network-appliance-security-intrusion

In response to Brash
pjwhitby
Conversationalist
‎May 26 2022 1:49 AM
‎May 26 2022 1:49 AM

Thank you Brash,

 

I have asked the customers security team and network team if this is an option they can work with but given we are the MSP and that kind of change via API has never been in scope, I am not sure of the outcome.

 

appreciate the help.

0 Kudos
jbrotschul1
Conversationalist
‎Jan 9 2023 1:58 PM
‎Jan 9 2023 1:58 PM

We have this issue as well...  Converted all our locations to Meraki full stacks and now we do not have a way to run our vulnerability management program.  There's no option to whitelist our scanners by source IP address.  It exists on the backend, and your SE can assist support, but it's not exposed to Meraki customers within dashboard.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.