Agent Use Cases
The following sections describe various use cases for Tenable Agents.
Mobile, Distributed Workforce
Tenable recommends deploying agents for a mobile workforce, because agents eliminate the need for your employees to VPN into your organization's headquarters to have their devices scanned. In this scenario, active scanning over WAN or VPN connections incurs risks of low link speed, high encryption overhead, and possible problems with link stability. Agents can reduce scan times from hours to minutes.
To support a mobile workforce, Tenable recommends that you:
- Deploy the manager in the DMZ and assign it a publicly facing IP address that the agents can use to communicate. Agents initiate the connection to the manager, so only the manager's agent listening port (8834 by default) needs to be reachable inbound; the endpoints themselves need no inbound exposure. All communication between agent and manager is TLS encrypted.
- Configure appropriate scan windows for agent scans. The scan window is the period of time during which agents conduct their scans and report their results back to the manager. The agent discards any scan request whose window has already closed, the manager discards any results submitted after the window closes, and in either case the system is marked as not scanned rather than recorded with stale data. This approach helps ensure accurate security data while also reducing the need for duplicative and irrelevant scanning. For example, an employee returning from a two-week vacation will not have to endure 14 queued scans (one for each day their system was offline); only the scan whose window is currently open runs.
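The scan-window behaviour described above, modelled as an added example (constructed here to illustrate the policy; it is not Tenable's code, and the class and function names, the daily schedule and the 4-hour window length are assumptions). An agent that reconnects after two weeks triages its queue: expired requests are discarded, only the open one runs, and the manager refuses a result that arrives after the window closes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of agent scan windows. Not Tenable's implementation;
# names and schedule are assumptions made for illustration.


@dataclass(frozen=True)
class ScanRequest:
    scan_id: str
    window_start: datetime
    window_length: timedelta

    def window_end(self) -> datetime:
        return self.window_start + self.window_length

    def state(self, now: datetime) -> str:
        """'pending' before the window opens, 'open' inside it, 'expired' after it closes."""
        if now < self.window_start:
            return "pending"
        if now < self.window_end():
            return "open"
        return "expired"


def daily_requests(first_start: datetime, days: int, window_length: timedelta) -> list:
    """One scan request per day, the way a daily manager schedule would queue them."""
    return [
        ScanRequest(f"daily-{i:02d}", first_start + timedelta(days=i), window_length)
        for i in range(days)
    ]


def triage_queue(queue: list, now: datetime) -> dict:
    """Agent side: run requests whose window is open, keep future ones,
    and discard expired ones instead of running them late."""
    result = {"run": [], "pending": [], "discarded": []}
    for request in queue:
        state = request.state(now)
        if state == "open":
            result["run"].append(request)
        elif state == "pending":
            result["pending"].append(request)
        else:
            result["discarded"].append(request)
    return result


def manager_result_status(request: ScanRequest, submitted_at: datetime) -> str:
    """Manager side: a result that arrives after the window closes is dropped
    and the asset is marked as not scanned rather than recorded with stale data."""
    return "scanned" if request.state(submitted_at) == "open" else "not scanned"


def vacation_scenario() -> dict:
    """Worked scenario: 15 daily 4-hour windows (02:00-06:00), laptop offline for 14 of them,
    back online on day 15 at 03:00 while that day's window is still open."""
    schedule = daily_requests(datetime(2024, 3, 1, 2, 0), days=15, window_length=timedelta(hours=4))
    back_online = datetime(2024, 3, 15, 3, 0)
    triaged = triage_queue(schedule, back_online)
    return {
        "run": [r.scan_id for r in triaged["run"]],
        "pending": [r.scan_id for r in triaged["pending"]],
        "discarded": [r.scan_id for r in triaged["discarded"]],
        # Same request reported inside the window vs. an hour after it closed.
        "on_time": manager_result_status(schedule[-1], datetime(2024, 3, 15, 5, 59)),
        "late": manager_result_status(schedule[-1], datetime(2024, 3, 15, 7, 0)),
    }


if __name__ == "__main__":
    outcome = vacation_scenario()
    print(f"runs now: {outcome['run']}")
    print(f"discarded stale requests: {len(outcome['discarded'])}")
    print(f"on-time result: {outcome['on_time']}, late result: {outcome['late']}")
```

The point to take from the model is that both sides enforce the window: the agent never replays a backlog, and the manager never accepts data collected outside the period you configured, so a gap in coverage shows up as "not scanned" rather than as a stale but green result.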
High Latency Networks
In Tenable Nessus network scanning, a best practice is to put the scanner close to the assets targeted for scanning and never scan across a WAN. This strategy has proven difficult for deployment scenarios where the targeted assets do not have the luxury of a local Tenable Nessus server. These scenarios include ships underway, mobile military operations, and areas with high latency and low bandwidth. These networks typically rely on satellite connections for connectivity. The network burden that a port, protocol, and service scan produces when running a full active scan can easily take down a satellite connection.
Tenable Agents help solve this problem by significantly minimizing network traffic related to scanning.
There are three types of data transmitted when using Tenable Agents:
- Command and control data — Transmitted from the manager to Tenable Agents, this data represents the who, what, when, where and how needed to complete the task of local scanning. This data is the smallest set of data that traverses the network.
- Results data — Result data varies in size with the scan configuration. Historically, compliance scans produce larger results than vulnerability scans. This data transmits back to the manager for aggregation.
- Updates — Update data is the largest data type transmitted using Tenable Agents. When you install a Tenable Agent and link it to a Tenable Nessus Manager, the agent downloads a full set of plugins. Once that first full download completes, the agent only downloads incremental plugin updates. This approach drastically reduces the ongoing network traffic by pulling only content deltas across the network. You can also handle agent code updates through patch management systems such as System Center Configuration Manager (SCCM) or Yellowdog Updater Modified (YUM), or via the manager itself.
Hardened Systems
Active network scanning using scanners such as Tenable Nessus Professional has long been the preferred method for scanning systems in the enterprise environment. Active scanning is done remotely and requires access to key services that are typically disabled as part of system hardening (for example, Remote Registry access). The hardening of systems can actually limit the data collected by active scanning. Compounding this problem is that enumeration of key services requires credential scanning. To access key datasets, elevated privileges are required (that is, root, local admin, or domain admin). Many security professionals are hesitant to use these elevated privileges across the network. On high-value targets such as domain controllers, this caution is further elevated.
Tenable Agents do not require you to provision scanning credentials or extra accounts, because they run locally on the host and collect the same data a credentialed scan would gather over the network. The agent service runs with the privileges it was installed with, so no privileged credential ever crosses the network and no remote management service (such as Remote Registry) has to be re-enabled for the scan. The use of agents allows a low-risk approach to scanning hardened systems without requiring that you reduce security, and effectively eliminates the need for credentials while still collecting system-level data.