Agent Deployment (Nessus Manager & Tenable.io)
The primary purpose for Nessus Manager was to perform agent management and agent scan operations for on-premise infrastructure (10,000 systems), while Tenable.io was used for agent management and scan operations of user workstations (40,000 systems).
- The following processes and uses take place in the Reporting Tier (Tenable.sc):
- Tenable.io was added to Tenable.sc as an “agent capable” scanner.
- Agent scans in Tenable.sc were configured to retrieve Nessus Agent scan results from Tenable.io.
- Analytics, dashboards, reports, and Assurance Report Cards in Tenable.sc were leveraged for all assessment types (Agent and Network Scanning).
- Deployed agents are linked to Nessus Manager or Tenable.io depending on system type.
- Agents are organized in agent groups. Agents can be assigned to agent groups during the installation process.
- Agent scans are established to obtain assessment results from agents via agent groups.
- Agents automatically have plugin and version updates applied by Nessus Manager or Tenable.io.
- Agents were deployed using Initech's internal software distribution processes (in this case, a large variety of platforms including Altiris, SCCM, Tivoli, Casper, and others).
- Agent groups included no more than 2,000 agents per group (1,000 is recommended). Limiting the number of agents in each agent group ensures that Tenable.sc is able to successfully import scan results. This limitation only applies when Tenable.sc is part of the deployment.
- Agent scans were restricted to a single agent group each.
- Agent scan policies were more thorough and verbose than the traditional network scans due to the increased efficiency of agent scan distribution.
- On-Premise/Server agent scan windows were restricted to custom time frames selected by each sub-org to meet individual organizational requirements.
- User workstation scan windows were set to ~24 hours and repeated daily to ensure full coverage regardless of when a system was turned on.
- Agent group membership was established by organization and in some cases, operational tier or other functional requirements.
- Initech monitored for agent deployment issues (failed installations, linking failures, etc.) out of band (logging client, scripts, etc.).
- Nessus Agents only performed local vulnerability assessments and did not perform network-based assessment (for example, SSL or CGI network based assessments).
- Network and firewalls were configured to allow infrastructure Nessus Agents to communicate with the on-premise Nessus Manager via a custom port, and user workstations to communicate with https://cloud.tenable.com.
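The linking step described above (servers to the on-premise Nessus Manager on a custom port, user workstations to cloud.tenable.com, agent group assigned at install time, group membership by organization and tier), written as an added example script that is not Initech's or Tenable's own tooling. The manager hostname, the custom port, the linking key and the group naming scheme are placeholders or assumptions; `nessuscli agent link` and its `--key`, `--host`, `--port` and `--groups` options are the documented Nessus Agent CLI.

```shell
#!/bin/sh
# Added example: choose the link target and agent group for a Nessus Agent
# based on system type, then link it with nessuscli.
# Hostnames, the custom port, the key and the group naming are assumptions.

NESSUSCLI="/opt/nessus_agent/sbin/nessuscli"                   # default Linux path
MANAGER_HOST="${MANAGER_HOST:-nessus-manager.example.internal}" # assumed on-prem manager
MANAGER_PORT="${MANAGER_PORT:-8835}"                            # assumed custom port
LINKING_KEY="${LINKING_KEY:-REPLACE_WITH_LINKING_KEY}"         # placeholder, not a real key

# agent_group KIND ORG [TIER] -> group name such as "srv-finance-tier1".
# Membership is by organization and, where needed, operational tier.
agent_group() {
  kind="$1"; org="$2"; tier="$3"
  if [ -n "$tier" ]; then
    printf '%s-%s-%s' "$kind" "$org" "$tier"
  else
    printf '%s-%s' "$kind" "$org"
  fi
}

# build_link_args SYSTEM_TYPE ORG [TIER] -> arguments for `nessuscli agent link`.
# Servers go to the on-prem manager on the custom port; workstations to Tenable.io.
build_link_args() {
  systype="$1"; org="$2"; tier="$3"
  case "$systype" in
    server)      host="$MANAGER_HOST";   port="$MANAGER_PORT"; kind="srv" ;;
    workstation) host="cloud.tenable.com"; port="443";        kind="ws"  ;;
    *) echo "unknown system type: $systype" >&2; return 1 ;;
  esac
  group="$(agent_group "$kind" "$org" "$tier")"
  printf 'agent link --key=%s --host=%s --port=%s --groups=%s' \
    "$LINKING_KEY" "$host" "$port" "$group"
}

# link_agent SYSTEM_TYPE ORG [TIER]: run the link; a non-zero exit is what the
# out-of-band monitoring for linking failures should pick up.
link_agent() {
  args="$(build_link_args "$@")" || return 1
  # shellcheck disable=SC2086  # word splitting of $args is intended
  "$NESSUSCLI" $args
}

# Usage from the software distribution job, e.g.:
#   link_agent server finance tier1      or      link_agent workstation hr
```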
Design assumptions included:
- Initech will leverage internal processes and tooling to deploy the Nessus Agent software.
- Initech will establish 30-50 agent groups in both Nessus Manager and Tenable.io.
- Initech will configure 30-50 agent scans in both Nessus Manager and Tenable.io.
- Initech will configure and provision a Nessus Manager that can handle 10,000 agents connecting to it.