Allowing Rapid7 server to scan remote endpoints

pjwhitby
Conversationalist

Allowing Rapid7 server to scan remote endpoints

Hello Community,

 

Is there a way to allow a central vulnerability scanning server (Rapid7 in this case) to periodically scan all the endpoints in a remote branch when the remote branch is connected via an MX67 using AutoVPN and configured with Intrusion Detection and Prevention in Prevention mode? We can see plenty of Blocked actions in the Security Centre from the vulnerability scanning server but no obvious way to whitelist the server.

 

Everything I have researched indicates that this is not possible but reaching out to the Community to check, or find out if it is on the roadmap?

 

Thank you

9 Replies 9
Brash
Kind of a big deal
Kind of a big deal

If I understand correctly, the Rapid7 scanner is a cloud based vulnerability scanner that you're wanting to use to scan your endpoints?

 

If yes, you can look at using inbound firewall rules. You need to open a case with Meraki support to enable this feature.

However I feel like a more elegant solution would be to use an on premise proxy to do the scanning and report results to the cloud. I'm  thinking similar to how Tenable IO and Nessus scanners work. I'm not sure whether that's a solution provided by Rapid7.

pjwhitby
Conversationalist

Thank you for your help. The Rapid7 scanning host is on their private network. It runs from their private cloud (or datacentre if you prefer 🙂) across their SD-WAN network via AutoVPN, and into the remote branch.

 

Rapid7 Server <> Meraki VPN Concentrator <> AutoVPN <> Remote MX <> Endpoint

CptnCrnch
Kind of a big deal
Kind of a big deal

As far as I know, there is no option to specifially exclude sources (or destinations) from IPS.

cmr
Kind of a big deal
Kind of a big deal

That's very interesting, we have the Enterprise license as our SD-WAN is on top of MPLS circuits and Rapid7 works just fine...  You can install a scanner at each site and still centrally control them.  Might that be an option?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
pjwhitby
Conversationalist

thank you cmr

 

I have asked if Rapid7 has a remote agent and I will see what the response is. It looks like IDS/IPS is not in the ENT license.

 

cmr
Kind of a big deal
Kind of a big deal

@pjwhitby with Rapid7 Insight VM you can definitely have remote scanners and agents.  The agents are for individual endpoints and the scanners are for network scanning.  They are both included in the standard price.  The remote scanners are recommended if you have sites over a WAN and the agents are recommended for all endpoints as you get more up to date information and better accuracy.  We put the agents on everything, they use about 50MB RAM (more if you also have Insight IDR) and about 0.1% CPU on my laptop.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Brash
Kind of a big deal
Kind of a big deal

Right, bit of a different design then. You can only specify to protect specific networks for IPS when an MX is in VPN Concentrator or passthrough mode.

For your scenario, you might be better off looking into using the API to temporarily change the IPS mode to detection only for the time that you run the scan.

 

https://developer.cisco.com/meraki/api-v1/#!update-network-appliance-security-intrusion

pjwhitby
Conversationalist

Thank you Brash,

 

I have asked the customers security team and network team if this is an option they can work with but given we are the MSP and that kind of change via API has never been in scope, I am not sure of the outcome.

 

appreciate the help.

jbrotschul1
Conversationalist

We have this issue as well...  Converted all our locations to Meraki full stacks and now we do not have a way to run our vulnerability management program.  There's no option to whitelist our scanners by source IP address.  It exists on the backend, and your SE can assist support, but it's not exposed to Meraki customers within dashboard.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels