
Nessus Scanners

In the SecurityCenter framework, the Nessus scanner behaves as a server, while SecurityCenter serves as a client that schedules and initiates scans, retrieves and reports results, and performs a wide variety of other important functions. Click “Resources” and then “Nessus Scanners” to retrieve a list of the scanners including their name, features, current status, version, host, uptime, type, and when they were last modified. If the status of a scanner is believed to have changed since the page was loaded, click the “Update Status” button within the “Options” drop-down to fetch the latest scanner status without waiting for the next auto-refresh. The gear icon to the right of the scanner information provides a drop-down menu to view information, edit the configuration, or delete the scanner.

The Features column indicates if the connected Nessus Manager or Nessus Cloud instance is configured to provide Nessus Agent scan results to SecurityCenter.

There are three classifications of Nessus scanners that may be added to SecurityCenter: “Managed”, “Unmanaged”, and “Nessus Cloud”.

A “Managed” scanner is one that is managed by SecurityCenter. SecurityCenter logs in to a Managed scanner with a Nessus administrator account and can therefore send plugin updates to the scanner. SecurityCenter also maintains the Activation Code for Managed scanners.

An “Unmanaged” scanner is one that has been logged into using a standard Nessus user’s credentials. This scanner may be used to perform a scan but SecurityCenter cannot send plugin updates to an unmanaged scanner or manage its Activation Code.

SecurityCenter may also use a “Nessus Cloud” scanner to perform scans using Tenable’s Nessus Cloud. This is a vulnerability scanning service that may be used to audit Internet facing IP addresses for both network and web application vulnerabilities “from the cloud”. A Nessus Cloud scanner is considered to be an unmanaged scanner and therefore SecurityCenter will not push plugin updates to a Nessus Cloud scanner. More information about using the Nessus Cloud through SecurityCenter is found in the Nessus Cloud Scanners section of this document.

In the examples below, the Nessus scanners are installed on remote systems and are functioning properly.

Adding a Nessus Scanner

To add a scanner, click the “Add” button. Items with a star (*) next to them indicate information that is required that does not have a default setting. A screen capture of the “Add Scanner” dialog is shown below:

The table below provides details about the available options for adding a Nessus scanner:

Option: Description

Name: Descriptive name for the Nessus scanner.

Description: Scanner description, location, or purpose.

Host: Hostname or IP address of the scanner.

Port: TCP port that the Nessus scanner listens on for communications from SecurityCenter. The default is port 8834.

Enabled: A scanner may be “Enabled” or “Disabled” within SecurityCenter to allow or prevent access to the scanner.

Verify Hostname: Adds a check that the hostname or IP address entered in the “Host” field matches the CommonName (CN) presented in the SSL certificate from the Nessus server.

Use Proxy: Instructs SecurityCenter to use its configured proxy for communication with the scanner.

Authentication Type: Select Password or SSL Certificate as the authentication type used to connect to the Nessus scanner. For detailed SSL Certificate configuration options, see the Nessus SSL Configuration section of this document.

Username: Username generated during the Nessus install for daemon to client communications. This must be an administrator user in order to send plugin updates to the Nessus scanner. If the scanner will be updated by a different method, such as through another SecurityCenter, a standard Nessus user account may be used to perform scans. This field is only available if the Authentication Type is set to “Password”.

Password: The login password must be entered in this field. This field is only available if the Authentication Type is set to “Password”.

Certificate: This field is available if the Authentication Type is “SSL Certificate”. Select the “Browse” button, choose an SSL Certificate file, and upload it to SecurityCenter. For more information, see Nessus SSL Configuration.

Zones: The zone(s) within SecurityCenter that will have access to use this scanner.

Agent Capable: When the Agent Capable option is enabled, an organization selection field is presented. Select one or more organizations that will have access to import Nessus Agent data into SecurityCenter.

Agent capable Nessus scanners must be either Nessus Cloud or Nessus Manager version 6.5 or higher. When using Nessus Manager, a non-admin account must be used to connect from SecurityCenter.


Configure SecurityCenter for Custom Certificates to Verify Hostname

The first step to allow the Verify Hostname to work is to ensure the correct Certificate Authority (CA) certificate is configured for use by SecurityCenter. When using the default certificates for Nessus servers, this is not required to be done. Only when a custom CA is in use do these steps need to be performed.

  1. Copy the required PEM-encoded CA certificate (and intermediary CA, if needed) to the SecurityCenter server’s /tmp directory. For this example, the file is named ROOTCA2.cer.
  2. Run the installCA.php script to create the required files for each CA in /opt/sc/data/CA as follows:

    # /opt/sc/support/bin/php /opt/sc/src/tools/installCA.php /tmp/ROOTCA2.cer

  3. Once each of your CAs has been processed, restart the SecurityCenter services with the following command:

    # service SecurityCenter restart

After SecurityCenter has been configured with the proper CA certificate(s), the Verify Hostname check will validate the SSL certificate presented by the scanner against the proper CA certificate.
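The following shell script is an added example, not Tenable's code, that reproduces the two conditions the Verify Hostname option depends on once a custom CA is in place: the scanner's certificate must chain to the installed CA certificate, and its CN must equal the value entered in the Host field. It builds a throwaway CA, a scanner certificate issued by that CA, and a certificate from an unrelated issuer with OpenSSL (constructed test data); the names nessus01.example.com and Example Root CA are assumptions. Run it on any host with openssl before enabling Verify Hostname against a re-keyed scanner.

```shell
#!/bin/sh
# Added example (not Tenable's code): emulate what "Verify Hostname" relies on
# after a custom CA has been installed with installCA.php:
#   1. the scanner certificate chains to the CA file, and
#   2. the certificate CommonName (CN) equals the Host value configured in SecurityCenter.
# Every certificate below is generated locally for the demo (constructed test data);
# the scanner hostname and CA name are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI: a root CA, a scanner certificate it signs, and a certificate from a
# different issuer (stand-in for a scanner that was never re-issued under the custom CA).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=nessus01.example.com" \
    -keyout "$WORK/scanner.key" -out "$WORK/scanner.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -sha256 -in "$WORK/scanner.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/scanner.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=nessus01.example.com" \
    -keyout "$WORK/untrusted.key" -out "$WORK/untrusted.pem" >/dev/null 2>&1
}

# cert_cn FILE -> prints the CN from the certificate subject
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_hostname HOST CERT CAFILE -> exit 0 only when CERT chains to CAFILE and CN == HOST
verify_hostname() {
  host=$1 cert=$2 ca=$3
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain check failed: $cert is not issued under $ca" >&2
    return 1
  fi
  cn=$(cert_cn "$cert")
  if [ "$cn" != "$host" ]; then
    echo "CN '$cn' does not match configured host '$host'" >&2
    return 1
  fi
  return 0
}

# Stand-alone run: every combination of a Host value and a scanner certificate.
make_test_pki
for h in nessus01.example.com 10.0.0.5; do
  for c in scanner.pem untrusted.pem; do
    if verify_hostname "$h" "$WORK/$c" "$WORK/ca.pem" 2>/dev/null; then r=ok; else r=FAIL; fi
    echo "host=$h cert=$c -> $r"
  done
done
```

Only the pair with the CA-issued certificate and the DNS name passes. The other rows are the two ways this check fails in practice: a scanner still presenting a certificate that the installed CA never issued, and a scanner added to SecurityCenter by IP address while its certificate CN carries the DNS name. The page describes a CN comparison only; modern TLS clients match the Subject Alternative Name instead, so when re-keying scanners under your own CA, put the hostname in both fields.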

Nessus Cloud Scanners

SecurityCenter supports the use of the Nessus Cloud as a Nessus scanner within SecurityCenter. The Nessus Cloud is an enterprise-class remote vulnerability scanning service that may be used to audit Internet facing IP addresses for both network and web application vulnerabilities “from the cloud”. While they are not “managed” by a SecurityCenter (e.g., plugins are not pushed from SecurityCenter to the scanner), Nessus Cloud scanners can be added to SecurityCenter in the same manner that internal, local, or remote Nessus scanners are added.

To add a Nessus Cloud scanner to SecurityCenter, a valid and active Nessus Cloud subscription must be used. In SecurityCenter, select the “Resources” tab, “Nessus Scanners”, and then “Add”:

Enter a name (mandatory) and description (optional) for the Nessus Cloud scanner to be used with SecurityCenter. Enter the address cloud.tenable.com as “Host”, with the “Port” specified as 443 (HTTPS). Enter a valid Nessus Cloud username and password for authentication and select the zone(s) within SecurityCenter that will use the Nessus Cloud scanner. If Nessus Agent information is to be imported into SecurityCenter, enable the “Agent Capable” option and select the Organization(s) with permission to access the data. When finished, click “Submit” to add the authorized Nessus Cloud scanner to SecurityCenter. If successful, the Nessus Cloud scanner will be listed under “Nessus Scanners” with a status of “Working”.

Note that existing scan reports from the Nessus Cloud are not automatically made available through SecurityCenter, but they can be manually downloaded and imported into SecurityCenter by users with permissions to do so.

Nessus Scanner Details

When the “View” button is clicked from the gear icon menu, information about the selected scanner is displayed. The information includes the basic information of name, description, IP address or hostname, port, username used to connect to the scanner, uptime, and when the scanner was created and last modified from SecurityCenter. The Nessus scanner version, web server version, type, if it is Nessus Agent capable, and zones it is a part of are also displayed. The number of active scans (load) the server is performing is displayed and updated every 15 minutes, as well as the current loaded plugin set on the scanner.

Deleting a Nessus Scanner

In some cases it may be necessary to delete a configured Nessus scanner from SecurityCenter. When this must be done, select the gear icon next to the scanner to be deleted and select the “Delete” option from the menu. This will open a confirmation window asking to confirm the deletion of the scanner by its name. Select the “Delete” button to remove the scanner or the “Cancel” button or the “X” at the top right to not delete the selected scanner.

Scan Zones

Scan Zones define the IP ranges associated with the scanner along with organizational access. SecurityCenter allows defined Organizations to be configured with two different scan zone modes: “selectable” and “forced”. If an Organization is in “selectable” mode, any available zones can be associated with the Organization and made available to users for scanning configuration. If an Organization is in “forced” mode, the selected zone(s) will always be used for every scan performed by users in that Organization.

When in “selectable” mode, at scan time, the zones associated with the Organization and “All Zones” are available to the user. When a scan is configured to use a specific zone in either selectable or forced mode, the zone’s ranges are ignored and any IPs in the managed ranges for that user will be scanned by the Nessus scanners associated with the chosen zone.

When a scan is configured to use the “All Zones” zone, the targets for the scan will be given to scanners in the most appropriate zone available based on the zone’s specified ranges (20K character limit). This facilitates optimal scanning and is very useful if an Organization has devices placed behind a firewall or NAT device and has conflicting RFC 1918 non-internet-routable address space with another Organization. In addition, some Organizations may benefit from the ability to override their default scanner(s) with one(s) from a different zone. This allows an Organization to more easily run internal and external vulnerability scans.

Tip: Sometimes forcing a scan to use a “non-ideal” scanner is helpful to analyze the vulnerability stance from a new perspective. For example, setting the default scanner to an external one allows you to see the attack surface from an external attacker’s perspective.

An example Scan Zone configuration screen capture is displayed below:

There are four items to configure for a Scan Zone. Each zone contains a Name, optional Description, IP range(s) to be covered by the zone, and the Nessus scanner(s) used by the zone for scanning. The ranges are entered using CIDR or range notations with multiple ranges separated by commas. The scanners are selected by checking the box next to the scanner name. When hovering over a scanner name, an information icon is displayed. Hovering over this icon will display scanner information including its name, description, host, version, and current status.

Once configuration is complete, clicking the “Submit” button will create the new scan zone for use within SecurityCenter. This will return you to the Scan Zones page.
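The script below is an added example, not SecurityCenter code, that parses zone ranges in the notation described above (CIDR, dash ranges, several ranges separated by commas) and reports which zone a given target falls in. The zone table is constructed for the demo, and the Corp-Internal and Lab-NAT zones overlap on purpose in RFC 1918 space to mirror the conflict the page describes. SecurityCenter does not document how it picks the “most appropriate” zone for “All Zones”; the script assumes the narrowest containing range wins, which is an assumption for illustration only.

```shell
#!/bin/sh
# Added example (not SecurityCenter code): resolve which zone's scanners would receive a
# target under "All Zones". Zone table is constructed for the demo; the tie-break rule
# (narrowest containing range wins) is an assumption, not documented SecurityCenter behaviour.
set -eu

# name|ranges, ranges in the CIDR / dash-range / comma-separated notation of the Scan Zone form
ZONES='Corp-Internal|10.0.0.0/8,192.168.0.0/16
Lab-NAT|10.10.0.0/16
DMZ-External|203.0.113.0/24,198.51.100.10-198.51.100.20'

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
  oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# range_bounds RANGE -> "LOW HIGH" as integers; accepts a.b.c.d/n, a.b.c.d-e.f.g.h, or one address
range_bounds() {
  case $1 in
    */*)
      bits=${1#*/}; size=$(( 1 << (32 - bits) ))
      lo=$(( $(ip_to_int "${1%/*}") & ~(size - 1) ))   # clear host bits
      echo "$lo $(( lo + size - 1 ))" ;;
    *-*)
      echo "$(ip_to_int "${1%-*}") $(ip_to_int "${1#*-}")" ;;
    *)
      n=$(ip_to_int "$1"); echo "$n $n" ;;
  esac
}

# zones_for IP -> one "NAME SIZE" line per zone range that contains IP
zones_for() {
  t=$(ip_to_int "$1")
  for entry in $ZONES; do
    name=${entry%%|*}; ranges=${entry#*|}
    oifs=$IFS; IFS=,; set -- $ranges; IFS=$oifs
    for r in "$@"; do
      b=$(range_bounds "$r"); lo=${b% *}; hi=${b#* }
      if [ "$t" -ge "$lo" ] && [ "$t" -le "$hi" ]; then
        echo "$name $(( hi - lo + 1 ))"
      fi
    done
  done
}

# pick_zone IP -> name of the narrowest matching zone (assumed rule), or "none"
pick_zone() {
  best=$(zones_for "$1" | sort -k2,2n | head -n 1)
  if [ -n "$best" ]; then echo "${best%% *}"; else echo none; fi
}

# Stand-alone run over a few constructed targets
for ip in 10.10.5.5 10.20.1.1 198.51.100.15 198.51.100.25; do
  matches=$(zones_for "$ip" | cut -d' ' -f1 | tr '\n' ' ')
  echo "$ip -> zone $(pick_zone "$ip")   (all matching zones: ${matches:-none})"
done
```

The 10.10.5.5 target matches both Corp-Internal and Lab-NAT and is handed to the Lab-NAT scanners under the narrowest-range assumption, while 198.51.100.25 sits just outside the DMZ-External dash range and matches nothing. Before relying on “All Zones”, run every organization's ranges through a check like this so that overlapping RFC 1918 space is resolved the way you intend rather than discovered from a scan that hit the wrong network.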

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.