Network Security: Vulnerability Scanner
Implement a means whereby from the ASG you can scan networks for vulnerabilities.
Where this MIGHT make sense is to have the UTM scan for traffic that can be identified and grouped according to IPS groupings. It's often hard to know what servers have been installed on various clients on a network. Having the UTM continuously (or periodically) identify such servers (perhaps with a risk ranking applied) would allow admins to readily identify which IPS groupings should be switched on and which might be safe to turn off. This might reduce resource drain on the UTM while assuring admins that they are providing adequate IPS coverage.
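As an added illustration of the idea above (example code, not part of the original request and not Astaro's own implementation): a passive service inventory built from constructed firewall connection records. A destination ip:port is only treated as a "server" once several distinct clients have been allowed to reach it, each server is mapped to an IPS signature category by well-known port, and a simple risk score (higher for databases and remote admin, plus a bump if an Internet source reached it) orders the result. The log format, the category names and the risk weights are all assumptions for the example, not Astaro's IPS group list.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample connection records (not real Astaro/Sophos log output).
# Fields: timestamp action proto src:port dst:port
SAMPLE_LOG = """\
2011-03-01T10:00:01 allow tcp 10.0.1.20:51234 10.0.2.5:443
2011-03-01T10:00:02 allow tcp 10.0.1.21:51235 10.0.2.5:443
2011-03-01T10:00:03 allow tcp 203.0.113.7:40000 10.0.2.5:443
2011-03-01T10:00:04 allow tcp 10.0.1.20:51236 10.0.2.9:3306
2011-03-01T10:00:05 allow tcp 10.0.1.22:51237 10.0.2.9:3306
2011-03-01T10:00:06 allow tcp 10.0.1.20:51238 10.0.2.9:3306
2011-03-01T10:00:07 allow tcp 10.0.1.30:51239 10.0.2.40:3389
2011-03-01T10:00:08 allow tcp 10.0.1.31:51240 10.0.2.40:3389
2011-03-01T10:00:09 allow udp 10.0.1.20:51241 10.0.2.53:53
2011-03-01T10:00:10 allow udp 10.0.1.23:51242 10.0.2.53:53
2011-03-01T10:00:11 allow tcp 10.0.1.20:51243 10.0.2.77:5000
2011-03-01T10:00:12 drop tcp 198.51.100.9:4444 10.0.2.9:3306
2011-03-01T10:00:13 allow tcp 10.0.2.5:33000 93.184.216.34:443
"""

# Networks considered "inside" (assumption for the example).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Illustrative port -> IPS category mapping; names are assumptions, not Astaro's groups.
PORT_CATEGORY = {
    (80, "tcp"): "web_server", (443, "tcp"): "web_server", (8080, "tcp"): "web_server",
    (25, "tcp"): "mail_server", (587, "tcp"): "mail_server", (143, "tcp"): "mail_server",
    (1433, "tcp"): "database_server", (3306, "tcp"): "database_server",
    (5432, "tcp"): "database_server",
    (22, "tcp"): "remote_admin", (3389, "tcp"): "remote_admin",
    (139, "tcp"): "file_sharing", (445, "tcp"): "file_sharing",
    (53, "udp"): "dns_server", (53, "tcp"): "dns_server",
}

# Heuristic base risk per category (assumption; tune to the environment).
CATEGORY_RISK = {
    "database_server": 5, "remote_admin": 5, "web_server": 4, "mail_server": 4,
    "file_sharing": 3, "dns_server": 2, "unknown": 1,
}
ALL_GROUPS = sorted(k for k in CATEGORY_RISK if k != "unknown")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>tcp|udp) "
    r"(?P<sip>[0-9.]+):(?P<sport>\d+) (?P<dip>[0-9.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "action": m["action"], "proto": m["proto"],
        "sip": ipaddress.ip_address(m["sip"]), "dip": ipaddress.ip_address(m["dip"]),
        "dport": int(m["dport"]),
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def build_inventory(lines, min_peers=2):
    """Infer internal servers from allowed inbound flows; a dst ip:port counts as a
    server only when at least min_peers distinct clients reached it."""
    peers = defaultdict(set)        # (dip, dport, proto) -> distinct source IPs
    exposed = defaultdict(bool)     # reached from a non-internal source?
    for line in lines:
        f = parse_line(line)
        if f is None or f["action"] != "allow" or not is_internal(f["dip"]):
            continue                # drops prove nothing about a listening service
        key = (f["dip"], f["dport"], f["proto"])
        peers[key].add(f["sip"])
        if not is_internal(f["sip"]):
            exposed[key] = True
    inventory = []
    for (dip, dport, proto), srcs in peers.items():
        if len(srcs) < min_peers:
            continue
        category = PORT_CATEGORY.get((dport, proto), "unknown")
        risk = CATEGORY_RISK[category] + (2 if exposed[(dip, dport, proto)] else 0)
        inventory.append({"host": str(dip), "port": dport, "proto": proto,
                          "category": category, "peers": len(srcs),
                          "internet_exposed": exposed[(dip, dport, proto)], "risk": risk})
    inventory.sort(key=lambda r: (-r["risk"], ipaddress.ip_address(r["host"]), r["port"]))
    return inventory


def recommend_ips_groups(inventory, all_groups=ALL_GROUPS):
    """Groups with an observed server should be on; the rest are candidates to review."""
    needed = {r["category"] for r in inventory if r["category"] != "unknown"}
    return {"enable": sorted(needed),
            "candidates_to_disable": sorted(set(all_groups) - needed)}


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG.splitlines())
    for r in inv:
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['category']:16} "
              f"peers={r['peers']} exposed={r['internet_exposed']} risk={r['risk']}")
    print(recommend_ips_groups(inv))
```

The peer threshold is what separates a real listener from an ephemeral port seen once (10.0.2.77:5000 above is not reported), and dropped connections are deliberately ignored because a blocked attempt says nothing about whether a service exists behind it. In the constructed data the result is that web, database, remote admin and DNS groups are needed, while mail and file-sharing groups are candidates for review.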
Sascha Pantleon commented
Have you ever heard of Greenbone? A UTM is not a vulnerability scanner.
Clayton Dillard commented
I also agree with Bastian. This is not a role for a UTM firewall.
John Nielsen commented
As the Astaro product is a Threat Management device, it would be nice to have the ability to run vulnerability scans. Since it runs on a version of Linux, incorporating something like OpenVAS wouldn't be too much of a stretch. However, I can see where it could get painful to manage from a product development standpoint since any vulnerability scanner is incredibly resource intensive. Maybe Astaro can make it part of the Subscription services. If you're willing to pay for the subscription, then activate the console to scan internally and maybe have an Online version to scan the Astaro protected networks. It would be a great selling point for upper management types who want to see proof that the network is protected or have to provide annual audit information.
William Warren commented
Last time I checked the Astaro is a UTM, not a firewall/gateway.... upvoted!
Pieter van Stokkom commented
I'm with Bastian Haas on this one. However a possibility to scan incoming (VPN-) traffic could be useful to alert admins to increases of certain types of traffic.
Cameron Byers commented
Would this not be in line with scanning the internal PCs/servers for current patch levels in order to identify potential internal threats? As we know, many infections of internal systems can occur via laptops or flash drives brought to the office rather than through a perimeter device. Mitigating or identifying the potential victims of those attacks would be useful.
Bastian Haas commented
Sorry, but such a feature really doesn't belong in a firewall/gateway product like Astaro.