Enable VulScan Integration with Cyber Hawk for Internal Vulnerability Scanning

If you use VulScan to perform internal vulnerability scans, you can import these scans into your Cyber Hawk site. Simply set up internal scans in VulScan, and enable the integration in Cyber Hawk. You can then generate Cyber Hawk security alerts for detected internal vulnerabilities.

The integration requires that you have a VulScan site with an internal appliance that is performing scheduled internal scan tasks.

Follow these steps to enable the integration of VulScan with Cyber Hawk:

Step 1 – Set Up VulScan Site

This step covers how to set up a VulScan site. If you already have a VulScan site set up to perform internal scans in the same organization as your Cyber Hawk site, you can skip to Step 4 – Configure Cyber Hawk Internal Vulnerability Scan using VulScan.

To create a VulScan site: 

  1. Access the RapidFire Tools Portal at https://www.youritportal.com and log in with your credentials.
  2. From the Sites page, click Add Site.
  3. Enter a Site Name. This can be the name of the client for whom the assessment is being performed, for example.
    IMPORTANT: Once you create a site, you cannot change the site name.

  4. Under Site Type, select VulScan.
  5. Click Next. Choose an Org Folder for the site and click Next. Be sure to place your VulScan site in the same organization as your Cyber Hawk site.
  6. Select Yes to provision an Internal Vulnerability Scanner appliance for the new site. Then click Confirm.
  7. The VulScan site dashboard will appear. This dashboard will populate with data once you begin performing scans.

Step 2 – Install VulScan Appliance

Next, install the VulScan virtual appliance that you provisioned in Step 1 onto the target network to be scanned. This should be the same network where you have deployed Cyber Hawk.

Download the VulScan Virtual Appliance Installer at https://www.rapidfiretools.com/vs-downloads.

For detailed instructions, see the VulScan Hyper-V Installation Guide.

During the install, be sure to associate the appliance with the correct site. During the install process, you will need to choose the correct Data Collector ID for the site. You can find the ID for the "IVS" (Internal Vulnerability Scanner) for the site either from the site dashboard or from [Your Site] > Home > Data Collectors, as in the image below.

Once you install the appliance on the target site, it may take about 10 minutes for it to appear as active in the site. Once active, it will appear with a green light ● in the site Appliance Status panel from VulScan > Dashboard.

Step 3 – Create and Schedule VulScan Scan Task

In order for VulScan to collect vulnerability data from the target network, you need to set up scan tasks. Follow these steps to create an internal vulnerability scan task with VulScan:

  1. From your site, go to VulScan > Settings > Scan and Notification Tasks.
  2. From the Scan Tasks tab, click Create Scan Task.
  3. From Scan Type, select Internal Vulnerability Scan and click Next.
  4. Select the Appliance from the drop-down menu and click Next.
  5. Select the Scan Profile. You can select from the available profiles, or you can use your own Custom Scan Profile. See the VulScan User Guide for complete details.
  6. The available options are in the table below. Click Next.

    Scan Profile       | Description                          | Notes
    Low Impact Scan    | Standard TCP ports and Top 1000 UDP  | Does not include brute force login attempts or default accounts login attempts
    Standard Scan      | Standard TCP ports and Top 1000 UDP  |
    Comprehensive Scan | All TCP (1-65535) and Top 1000 UDP   | Comprehensive scans may take a significant amount of time and incur increased load on network

  7. Next select IP ranges. The VulScan appliance will automatically suggest an IP Range for the scan. If you do not wish to scan the default IP Range, select it and click Clear All Entries. Use this screen to enter additional IP Addresses or IP Ranges and click Add.
    IMPORTANT: Do not use multiple appliances to scan the same subnet or IP range. This may produce errors in your scan results.

    By default, VulScan will Only scan pingable devices, or devices that VulScan can talk to. Unselect this option to scan the entire IP range even when no device is detected at an IP address.

    From this screen you can also:

    • Click Reset to Auto-detected to reset to the automatically suggested IP Range.
    • Exclude IPs or IP ranges from the scan.

      NOTE: Key network component IP addresses should be excluded so that scanning does not degrade the performance of a device while it is being scanned. For example, a company might want to exclude the IP Address range for their voice over IP telephone system if they are performing a scan during business hours.

      NOTE: If you are using multiple appliances to perform internal vulnerability scans for a site, define a sub-set of the IP range for the scan task. Create multiple scan tasks to distribute the work between the available appliances.

  8. Click Next Page once you have configured the IP ranges for the scan.
  9. From the Credentials for Authenticated Scans screen, select whether to use credentials for the internal scan. See the VulScan User Guide for more detail on credentialed scans.
  10. For each protocol, select the credentials you wish to use from the drop-down menu. When you're finished, click Next.

    • SSH: Use this protocol to scan for devices that use the SSH protocol.
    • SMB: Use this protocol to scan for network shares, such as file and printing shares.
    • ESXi: Use this protocol to scan for VMware hosts.
    • SNMP: Use this protocol to scan for devices such as switches, bridges, routers, access servers, computer hosts, hubs, and printers.
  11. From the Verify and Schedule menu, configure the scan task:
    1. Select whether to send an email notification when the scan completes, then enter an email recipient for the notification.
    2. Enter a task label to describe the scan task.
    3. Select the time zone from the drop-down menu.
    4. Next choose a day and time to schedule the scan.
    5. Enable or disable the scan task; you can later edit the scan task to enable or disable it at any time.
    6. Choose whether to skip devices that have all ports filtered.
  12. Click Save.
  13. The internal vulnerability Scan Task will be created. You can see the details for the task in the scan tasks table.
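
Before entering IP ranges for several appliances, you can check the planned split offline. The following is an added example, not part of the original guide or of VulScan: it flags ranges that two scan tasks would both cover and shows which task each exclusion belongs to. The task labels, ranges and exclusions are constructed sample values.

```python
import ipaddress

def parse_range(text):
    """Return (first, last) addresses for 'a.b.c.d/nn', 'a.b.c.d' or 'start-end'."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
        if first > last:
            raise ValueError(f"range start is after range end: {text}")
        return first, last
    net = ipaddress.ip_network(text.strip(), strict=False)
    return net[0], net[-1]

def intersect(a, b):
    """Return the shared 'first-last' span of two ranges, or None if disjoint."""
    first, last = max(a[0], b[0]), min(a[1], b[1])
    return f"{first}-{last}" if first <= last else None

def find_overlaps(plan):
    """plan maps a scan task label to its range strings; list cross-task overlaps."""
    spans = [(task, parse_range(r)) for task, ranges in plan.items() for r in ranges]
    hits = []
    for i, (task_a, a) in enumerate(spans):
        for task_b, b in spans[i + 1:]:
            shared = intersect(a, b)
            if task_a != task_b and shared:
                hits.append((task_a, task_b, shared))
    return hits

def exclusions_by_task(plan, exclusions):
    """For each task, list the exclusion entries that fall inside its ranges."""
    out = {}
    for task, ranges in plan.items():
        spans = [parse_range(r) for r in ranges]
        out[task] = [e for e in exclusions
                     if any(intersect(parse_range(e), s) for s in spans)]
    return out

# Constructed sample plan: one scan task per appliance (labels are hypothetical).
PLAN = {
    "IVS-A weekly": ["10.20.0.0/24", "10.20.1.1-10.20.1.120"],
    "IVS-B weekly": ["10.20.1.100-10.20.1.254", "10.20.2.0/24"],
}
EXCLUDE = ["10.20.0.10-10.20.0.40", "10.20.2.5"]  # e.g. VoIP range, core switch

if __name__ == "__main__":
    for task_a, task_b, shared in find_overlaps(PLAN):
        print(f"OVERLAP {task_a} / {task_b}: {shared}")
    print(exclusions_by_task(PLAN, EXCLUDE))
```

An empty result from `find_overlaps` means no address is assigned to more than one scan task.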

Step 4 – Configure Cyber Hawk Internal Vulnerability Scan using VulScan

Once you 1) create a VulScan site, 2) install the internal scan appliance, and 3) schedule an internal vulnerability scan, return to your Cyber Hawk site. In this step, you will configure Cyber Hawk to import internal scans from VulScan.

  1. From your Cyber Hawk Site, navigate to Cyber Hawk > Settings > Scan & Notification Schedules.
  2. Click the slider to Enable Internal Vulnerability Scan.
  3. Select VulScan. (This step is only required if you also have a Cyber Hawk Virtual Appliance associated with your site.)
  4. From Site, select your VulScan site from the drop-down menu. Your VulScan site must be in the same organization as your Cyber Hawk site.
  5. From Appliances, select the VulScan appliance(s) from which to import internal vulnerability scans. Be sure you have a scheduled internal vulnerability scan task set up for your VulScan site.
  6. From Import Schedule, set the time and interval to import the results of VulScan internal vulnerability scans.
    NOTE: Set the import time to occur after your VulScan internal vulnerability scans have completed.

    You can also click Import Now to import scans immediately.

Step 5 – Enable Remediate Internal Vulnerability Policies

Finally, be sure you have enabled the appropriate Policies from Policy Configuration.

  1. Navigate to Cyber Hawk > Settings > Policy Configuration.
  2. Ensure that the Remediate Medium and High Severity Internal Vulnerabilities policies are selected.
  3. When 1) your scheduled VulScan import completes, and 2) your Cyber Hawk Alert Notifications are sent, you will receive alerts for internal vulnerabilities detected by VulScan.