In the SecurityCenter framework, the Nessus scanner behaves as a server, while SecurityCenter serves as a client that schedules and initiates scans, retrieves results, reports results, and performs a wide variety of other important functions. Click Resources and then Nessus Scanners to retrieve a list of the scanners including their name, features, current status, version, host, uptime, type, and when they were last modified. If the status of a scanner is believed to have changed recently (since visiting the page), click the Update Status button within the Options drop-down box to see the latest scanner status before the next auto-refresh. Click the gear icon to the right of the scanner information to view information, edit the configuration, or delete the scanner.
The Features column indicates if the connected Nessus Manager or Tenable.io™ instance is configured to provide Nessus Agent scan results to SecurityCenter.
There are three classifications of Nessus scanners that may be added to SecurityCenter: Managed, Unmanaged, and Tenable.io™.
A managed scanner is managed by SecurityCenter. Managed scanners are logged in to using Nessus credentials. SecurityCenter can send plugin updates to the scanner. SecurityCenter also maintains the Activation Code for managed scanners.
An unmanaged scanner has been logged into using a standard Nessus user’s credentials. This scanner may be used to perform a scan but SecurityCenter cannot send plugin updates to an unmanaged scanner or manage its Activation Code.
SecurityCenter may also use a Tenable.io™ scanner to perform scans. This is a vulnerability scanning service that may be used to audit Internet facing IP addresses for both network and web application vulnerabilities from the cloud. A Tenable.io™ scanner is considered to be an unmanaged scanner and therefore SecurityCenter does not push plugin updates to a Tenable.io™ scanner.
In the examples below, the Nessus scanners are installed on remote systems and are functioning properly.
Adding a Nessus Scanner
To add a scanner, click the Add button. Items with a star (*) next to them indicate required information that does not have a default setting.
The table below provides details about the available options for adding a Nessus scanner:
Configure SecurityCenter for Custom Certificates to Verify Hostname
To enable the Verify Hostname, ensure the correct Certificate Authority (CA) certificate is configured for use by SecurityCenter. When using the default certificates for Nessus servers, this is not required. These steps only apply when using a custom CA.
- Copy the required PEM-encoded CA certificate (and intermediary CA, if needed) to the SecurityCenter server’s /tmp directory. For this example, the file is named ROOTCA2.cer.
- Run the installCA.php script to create the required files for each CA:
# /opt/sc/support/bin/php /opt/sc/src/tools/installCA.php /tmp/ROOTCA2.cer
Once each of your CAs has been processed, restart the SecurityCenter services with the following command:
# service SecurityCenter restart
After SecurityCenter is configured with the proper CA certificate(s), the Verify Hostname option verifies the SSL certificate presented by the scanner against the proper CA certificate.
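A pre-flight check for the procedure above, added here as an example and not part of the SecurityCenter documentation: it uses openssl to confirm that the CA file you are about to pass to installCA.php actually validates the scanner's certificate and that the certificate matches the scanner hostname, which is exactly what Verify Hostname will enforce. The hostname nessus01.example.internal and the CA and scanner certificates are constructed for the example so it runs offline.

```shell
#!/bin/sh
# Added example, not from the SecurityCenter documentation. Pre-flight
# check before running installCA.php and enabling Verify Hostname: confirm
# the CA file chains to the scanner certificate and that the certificate's
# SAN/CN matches the host SecurityCenter will connect to. Needs openssl.
# The CA and scanner certificate are constructed here in a temp directory
# so the check runs offline; the scanner hostname is an assumed value.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SCANNER_HOST=nessus01.example.internal   # assumed scanner FQDN

# Build a throwaway PKI: one root CA and one scanner certificate it signs.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ROOTCA2.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$SCANNER_HOST" \
    -keyout "$WORK/scanner.key" -out "$WORK/scanner.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$SCANNER_HOST" > "$WORK/ext.cnf"
  openssl x509 -req -days 2 -in "$WORK/scanner.csr" \
    -CA "$WORK/ROOTCA2.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/scanner.pem" 2>/dev/null
}

# Returns 0 only when both conditions Verify Hostname relies on hold:
# the certificate validates against the CA file, and its SAN/CN matches
# the hostname. Either failure returns 1.
check_scanner_cert() {
  ca_file=$1; cert_file=$2; host=$3
  openssl verify -CAfile "$ca_file" "$cert_file" >/dev/null 2>&1 || return 1
  # -checkhost always exits 0, so the verdict has to be read from its output
  openssl x509 -in "$cert_file" -noout -checkhost "$host" \
    | grep -q "does match" || return 1
}

make_test_pki
if check_scanner_cert "$WORK/ROOTCA2.cer" "$WORK/scanner.pem" "$SCANNER_HOST"; then
  echo "OK: $SCANNER_HOST chains to ROOTCA2.cer and hostname matches"
else
  echo "FAIL: fix the certificate or CA before enabling Verify Hostname"
fi
```

Run it against the real CA file and a copy of the scanner's certificate (openssl s_client -showcerts can retrieve it) by replacing the constructed paths; a FAIL here means Verify Hostname will reject the scanner too.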
SecurityCenter supports the use of Tenable.io™ as a Nessus scanner within SecurityCenter. Tenable.io™ is an enterprise-class remote vulnerability scanning service that may be used to audit Internet facing IP addresses for both network and web application vulnerabilities from the cloud. While they are not managed by SecurityCenter (e.g., plugins are not pushed from SecurityCenter to the scanner), Tenable.io™ scanners can be added to SecurityCenter in the same manner that internal, local, or remote Nessus scanners are added.
To add a Tenable.io™ scanner to SecurityCenter, a valid and active Tenable.io™ subscription must be used. In SecurityCenter, click the Resources tab, Nessus Scanners, and then Add.
Type a name (mandatory) and description (optional) for the Tenable.io™ scanner to be used with SecurityCenter. Type the address cloud.tenable.com as host, and specify the port as 443 (HTTPS). Type a valid Tenable.io™ username and password for authentication and click the zone(s) within SecurityCenter that use the Tenable.io™ scanner. If Nessus Agent information is to be imported into SecurityCenter, enable the Agent Capable option and click the organization(s) with permission to access the data. When finished, click Submit to add the authorized Tenable.io™ scanner to SecurityCenter. If successful, the Tenable.io™ scanner is listed under Nessus Scanners with a status of working.
Note that existing scan reports from Tenable.io™ are not automatically available through SecurityCenter. However, they can be manually downloaded and imported into SecurityCenter by users with permissions to do so.
Nessus Scanner Details
Click the view button from the gear icon drop-down menu to view information about the selected scanner. The information includes name, description, IP address or hostname, port, username used to connect to the scanner, uptime, and when the scanner was created and last modified from SecurityCenter. The Nessus scanner version, web server version, type, if it is Nessus Agent capable, and zones it is a part of also display. The number of active scans (load) the server is performing displays and is updated every 15 minutes, as well as the current loaded plugin set on the scanner.
Deleting a Nessus Scanner
In some cases it may be necessary to delete a configured Nessus scanner from SecurityCenter. When this must be done, click the gear icon next to the scanner to be deleted and click the delete option from the menu. This opens a confirmation window which asks to confirm the deletion of the scanner by its name. Click the delete button to remove the scanner or the cancel button or the X at the top right to cancel.
Scan zones define the IP ranges associated with the scanner along with organizational access. SecurityCenter allows the configuration of defined organizations with three different scan zone modes: Automatic Distribution Only, Locked Zone, and Selectable Zones. If an organization is in Automatic Distribution Only mode, SecurityCenter picks the scan zone and scanners based on the IP address of the target. If an organization is in Locked Zone mode, only the selected zones are available to users during the creation of scan policies. If an organization is in Selectable mode, all scan zones display and can be selected as needed.
When in Selectable mode, at scan time, the zones associated with the organization and All Zones are available to the user. When a scan is configured to use a specific zone in either selectable or forced mode, the zone’s ranges are ignored and any IPs in the managed ranges for that user are scanned by the Nessus scanners associated with the chosen zone.
When a scan is configured to use the All Zones zone, the targets for the scan are given to scanners in the most appropriate zone available based on the zone’s specified ranges (20K character limit). This facilitates optimal scanning and is very useful if an organization has devices placed behind a firewall or NAT device and has conflicting non-internet-routable address space with another organization. In addition, some organizations may benefit from the ability to override their default scanner(s) with one(s) from a different zone. This allows an organization to more easily run internal and external vulnerability scans.
Tip: Sometimes forcing a scan to use a non-ideal scanner helps to analyze the vulnerability stance from a new perspective. For example, set the default scanner to an external one to see the attack surface from an external attacker’s perspective.
For more information, see Scan Zones.