DeepSurface: Network Connectivity

Documentation
Installation Guide
Overview
Let DeepSurface Host For You
Getting Started
System Requirements
Self Hosted Quick Start - Installing to Cloud Platforms
Self Hosted - Installation Using an OVA
Registration, Package Installation, and Initialization
First Steps After Initialization of the Console
Deployment Options
Main and Subordinate Consoles
Agent-Based Deployment
User Managed Scan Deployment
Credentialed Scanning Deployment
Mixed Environment
Deployment Tools
Active Directory Group Policy
Microsoft Endpoint Configuration Manager (part of InTune)
Tanium Deploy
HCL BigFix
Ivanti
Virtual Machines
VMWare
Virtual Box
VirtualBox Guest Additions
AWS EC2 (BYOL)
AWS EC2 (Usage Based)
Azure Cloud
Google Cloud
Additional Items to Consider
Main Console Server Certificates
LDAP
TOFU
Clock Sync
DeepSurface Commands
Multiple Vulnerability Sources
API Documentation
User Guide
Reporting
Dashboards
Exports
Risk Insight
Hosts
Patches
Vulnerabilities
Vulnerability Instances
Users
Remediation Workflow Manager
Plans
Settings
Integrations
Workflow
Exporting
Accepted Risk Plans
Accepted Risk Workflow
Explore
Model
Paths
Activity
Tasks
Configuration Alerts
Scan Logs
Notification Settings
Scanning
Status
Agents
User Managed
Credentialed Scanning Settings
Credentials
Scan Groups
General Settings
Cloud Scanning
Network Connectivity
Subordinates
Vulnerability Sources
Setup
Sensitive Assets: Polices
Sensitive Assets: Manual
Admin Settings
SMTP Settings
Certificates
Outbound Proxy
Authentication Providers
Users
Tags
Integrations Guide
Vulnerability Sources
CrowdStrike Spotlight
SentinelOne
Carbon Black Cloud
Microsoft Defender for Endpoint
Wazuh
Lansweeper Cloud
Nessus API
Tenable.io API
Security Center/Tenable.sc API
Rapid7 InsightVM API
Qualys API
Nozomi Guardian
Eclypsium
AWS Inspector
Remediation
Jira Software
Tanium (BETA)
Authentication Providers
LDAP (Active Directory)
SAML (Azure Active Directory)
SAML (Google)
SAML (Okta)
PAM
CyberArk
Delinea (Thycotic)
Microsoft LAPS
Security Guide
Firewall Configuration
Base Network Requirements
Agent Network Requirements
Credentialed Scanning Network Requirements
API Network Requirements
How DeepSurface Scans Work
Domain (LDAP) Scanning
Host Scanning Routine
Reasons for the Administrative Access Requirement
Endpoint Protection Considerations
Other Items
Scope of Data Storage and Retention
IPS/IDS Considerations
Logging
Resetting the DSADMIN password
Product Information
Changelogs
Open source Licenses
End User License Agreement (EULA)

DeepSurface needs to understand which subnets can talk with one another. The Network Connectivity Probe determines this and models communications at a subnet to subnet level.

Connectivity scanning consists of:

• Authenticating to a system (the scanner) that is a member of one subnet
• Using a script to perform light, slow port scans to a member of another subnet
  • Ports scanned are ones already known to be open (according to the destination’s netstat)
• This process is repeated in both directions for each pair of subnets

A Network Connectivity probe takes information from an credentialed scan and tries to determine if there are any firewalls or other blocks that prevent one machine from connecting to another. This is not accomplished by blindly running a port scan on every single machine and every single port (which would take forever and consume a lot of resources), it uses a sophisticated sampling scheme to locate where communications from one machine to another might be blocked.

Remember that a block is probably a good thing in terms of security. Network administrators often want to isolate one area from another. While this isolation may be required for privacy or other business reasons, it also means a blocked off area of your network will be much less likely to be the victim of an exploit in the other area of your site.

Connectivity information is gathered through a combination of:

• User input based on (covered in more detail below)
• Simple port scans performed between scanned hosts

Network Connectivity Scans

• If two subnets don’t have simple, bi-directional, wide-open connectivity, DeepSurface can perform scans to learn more about what is allowed.
• Connectivity between two subnets will be tested if:
  • The subnets aren’t in a Clique together and
  • The subnets have been added to the Included in Probes field.

Network Connectivity Settings

In the Connectivity Settings area of the screen in the top left, you can configure the following settings:

• Number of port scan workers
• Time pause between port scans
• Scanned service timeout
• Maximum ports per client scanner

Let's briefly cover each of those items

Number of port scan workers - This is the maximum number of hosts to use in parallel as port scan clients. These clients are the machines running ports scans to see what connections are possible. Experienced system administrators know this activity can freak security software completely out. Time pause between port scans (seconds) - This is the amount of time each port scan client pauses between each port scan. When security software (such as desktop firewalls and intrusion prevention systems) see an internal host conducting port scans, it may trigger alerts or even a blockage of that host. Obviously, that's bad. Increasing the time pause value helps the connectivity scanning process to avoid triggering this type of detection. Scanned service timeout(ms) - If a scanned port does not respond in this amount of time, the port scanner will give up and consider this service to be unavailable (either because it's filtered by a firewall or is otherwise non-routable). Maximum ports per client scanner - The maximum number of ports to scan from any given client host in a single connectivity scan. This is another way of ensuring the probes don't run for an unacceptable amount of time.

Probe Connectivity

The right-hand side shows all subnets included in the network connectivity probe. The left-hand side shows addresses excluded. Select any subnets you would like to be included in probes and add them to the included list. It is recommended that your first job only include a few subnets so you can observe if any security software gets triggered.

Subnet Cliques

Often internal networks have a large number of subnets that can communicate with one another without any significant restrictions. We refer to these as Cliques. When you create a subnet clique, you are telling DeepSurface that all the members of each subnet in a clique can communicate with all the other members of the other subnets in the clique with no significant firewalls or other blocks in the way. See below for an illustration.

• Adding a set of subnets to a Clique tells DeepSurface that every subnet in that clique can fully communicate (bi-directionally) with every other subnet in the Clique.
• By telling DeepSurface about obvious Cliques, it greatly reduces the need for connectivity scanning

The subnet clique section of this page can be found at the bottom. This section is where subnets discovered by the Network Connectivity scan may be grouped together as cliques. When you create a subnet clique, you are telling DeepSurface that all the members of each subnet in a clique can communicate with all the other members of the other subnets in the clique with no significant firewalls or other blocks in the way. When you do this, it means future network connectivity probes need not check for firewalls/blocks here.

Note: If, for example, you added a firewall in the future, it will just mean that the attack paths reported show some paths which aren't really vulnerable. If you discover this, you may want to edit your cliques or launch a new, full connectivity probe.

To add a subnet clique, click the big '+ Connectivity Clique' button. You will see a form that looks like the following.

On the left, you will see all the subnets discovered by the Network Connectivity probe. Now, do the following with the pop-up form.

1. Give the clique a unique identifer (Name).
2. Select a subnet (or subnets) on the left and click the right arrow to add them to the clique.
3. Continue this process until all the subnets which should belong to this clique are added.
4. If a particular subnet does not belong in the clique, just select it from the list on the right and click the left arrow.
5. Finish by selecting Save.

• You can edit an existing clique by clicking on the pencil icon.
• You can delete a clique by clicking on the trashcan.

A Final Note: There are two ways to tell the Network Connectivity Probe, "you don't need to scan here".

1. A subnet clique is created, which, in effect, says, "all these machines can talk with one another".
2. A subnet is put in the "Excluded from Probe" list