eTrust Vulnerability Manager Scoping Guide r8.0

Document ID : KB000055845
Last Modified Date : 14/02/2018

How Many Appliances Do I Need?

This questionnaire will help you define how many eTrust Vulnerability Manager appliances are needed in your corporate network. Each question allows you to divide the network into segments the appliance can handle, given logical access, traffic flow, network division, permission division and actual device limits.

How to Use the Questionnaire

This questionnaire methodically goes through a process to determine the number of appliances needed. The first step is to create a network diagram of the implementation scope. The questionnaire then leads you through the process of segmenting or dividing the network. Upon completion of the questionnaire, you will have the number of logical segments as well as the appropriate number of appliances for your implementation.

With your network diagram in hand, please follow the questionnaire below. We have entered sample numbers in the table to illustrate. For additional scenarios, refer to Appendix A.

Figure A

Simplified Example

  1. How much of your network do you want to secure using eTrust Vulnerability Manager?
    Here is a simplified network overview of the network we want to secure.

    Figure B

  2. Consider the logical or physical separation of information.
    In this example, we just separated the two networks that are not connected.

    Figure C

  3. Firewalls, routers and switches may restrict auto-discovery or auto-inventory traffic.
    In this example, firewalls will not allow auto-discovery or auto-inventory traffic through them. We need to separate the network into sections by firewall.

    Figure D

  4. Expensive leased lines may separate networks, and there are other separation factors.
    We'll separate the segment with the leased line.

    Figure E

  5. Determine the number of devices per network division. Is there any network with more than 10,000 servers, devices and workstations?
    Each server icon shown represents 500 devices. We'll separate the segments into a maximum of five server icons each.

    Figure F

  6. Readjust as Necessary
    Our segmentation areas can now be consolidated. Instead of having three segments in the stand-alone private network, we can consolidate to two.

    Figure G

Conclusion: This network requires four eTrust Vulnerability Manager appliances.

Figure H
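
The segmentation steps above can be expressed as a calculation. The following Python example is added here and is not part of the original CA document or the product: it treats every link that blocks discovery traffic, and every leased line, as a segment boundary, then applies the 10,000-device limit from step 5. The subnet names, device counts and link list are constructed sample data, and splitting an oversized segment by a simple ceiling division is an assumption.

```python
import math
from collections import defaultdict

MAX_DEVICES = 10_000  # per-appliance device limit from step 5

# Constructed sample inventory (not from the guide): subnet -> device count.
SUBNETS = {"hq": 6000, "branch": 5500, "dmz": 300, "plant": 3000, "lab": 250}
# (subnet_a, subnet_b, link kind, passes auto-discovery/auto-inventory traffic)
LINKS = [
    ("hq", "branch", "router", True),
    ("hq", "dmz", "firewall", False),      # blocks discovery traffic (step 3)
    ("hq", "plant", "leased_line", True),  # separated by cost (step 4)
]                                          # "lab" has no links (step 2)

def count_appliances(subnets, links, limit=MAX_DEVICES):
    """Return sorted (subnet names, devices, appliances) tuples, one per segment."""
    parent = {name: name for name in subnets}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    # Steps 2-4: subnets stay in one segment only when the link between them
    # carries discovery traffic and is not a leased line. Merging everything
    # that is still reachable also performs the consolidation of step 6.
    for a, b, kind, passes in links:
        if passes and kind != "leased_line":
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for name in subnets:
        groups[find(name)].append(name)

    # Step 5: a segment above the device limit needs more than one appliance.
    segments = []
    for members in groups.values():
        devices = sum(subnets[m] for m in members)
        segments.append((sorted(members), devices, math.ceil(devices / limit)))
    return sorted(segments)

def total_appliances(subnets, links, limit=MAX_DEVICES):
    return sum(n for _, _, n in count_appliances(subnets, links, limit))

if __name__ == "__main__":
    for names, devices, n in count_appliances(SUBNETS, LINKS):
        print(f"{'+'.join(names):12} {devices:6} devices -> {n} appliance(s)")
    print("total:", total_appliances(SUBNETS, LINKS))
```
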

Appendix A

Figure I

Scenario 1: ABC Bank, Inc.

ABC Bank is a $1 billion company with 1250 devices in its network. ABC Bank's corporate network has two logical separations, which consist of a corporate network and a stand-alone private network. The organization also has two traffic flow restriction devices built into the infrastructure. The IT group has notified CA that approximately 1000 devices are located in the corporate network, and 250 devices reside in a stand-alone network. The IT group has also pointed out that 500 of the 1000 devices are behind two routers, of which only one blocks access to port 5250.

Scoping Questionnaire:

Figure J

Scenario 2: DEF Manufacturing

Figure K

DEF Manufacturing is a $10 billion company with 10,000 devices in its network. DEF's corporate network has three logical separations, which consist of a corporate network and two stand-alone private networks. The organization has a leased line which separates the manufacturing organization from the corporate network. The organization also has three traffic flow restriction devices built into the infrastructure, which allow port 5250 access. The IT group has notified CA that approximately 4400 devices are located in the corporate network, 1300 devices reside in both stand-alone networks, and 3000 devices are on the leased line.

Scoping Questionnaire:

Figure L

Scenario 3: XYZ Pharmaceutical

Figure M

XYZ Pharmaceutical is a $50 billion company with 30,000 devices in its network. XYZ's corporate network has four logical separations, which consist of two corporate networks and two stand-alone private networks. The organization also has five traffic flow restriction devices built into the infrastructure, which allow port 5250 access except for one of the routers. The IT group has notified CA that approximately 20,000 devices are located in both of the corporate networks, and 10,000 devices reside in both stand-alone networks.

Scoping Questionnaire:

Figure N