Nessus Scanners

In the SecurityCenter framework, the Nessus scanner behaves as a server, while SecurityCenter acts as a client that schedules and initiates scans, retrieves and reports results, and performs a variety of other functions. Click Resources and then Nessus Scanners to list the configured scanners with their name, features, current status, version, host, uptime, type, and last-modified time. If a scanner's status is believed to have changed since the page was loaded, click the Update Status button in the Options drop-down box to refresh the status before the next auto-refresh. The gear icon to the right of each scanner opens a drop-down box to view its details, edit its configuration, or delete it.

The Features column indicates if the connected Nessus Manager or Tenable.io™ instance is configured to provide Nessus Agent scan results to SecurityCenter.

There are three classifications of Nessus scanners that may be added to SecurityCenter: Managed, Unmanaged, and Tenable.io™.

A managed scanner is one that SecurityCenter manages: SecurityCenter logs in to it with Nessus credentials, can push plugin updates to it, and maintains its Activation Code.

An unmanaged scanner is one that has been logged into using a standard Nessus user’s credentials. This scanner may be used to perform a scan but SecurityCenter cannot send plugin updates to an unmanaged scanner or manage its Activation Code.

SecurityCenter may also use a Tenable.io™ scanner to perform scans. This is a vulnerability scanning service that may be used to audit Internet facing IP addresses for both network and web application vulnerabilities from the cloud. A Tenable.io™ scanner is considered to be an unmanaged scanner and therefore SecurityCenter will not push plugin updates to a Tenable.io™ scanner.

In the examples below, the Nessus scanners are installed on remote systems and are functioning properly.

Adding a Nessus Scanner

To add a scanner, click the Add button. Items with a star (*) next to them indicate information that is required that does not have a default setting. A screen capture of the Add Scanner dialog is shown below:

The options available when adding a Nessus scanner are:

Name: Descriptive name for the Nessus scanner.

Description: Scanner description, location, or purpose.

Host: Hostname or IP address of the scanner.

Port: TCP port on which the Nessus scanner listens for connections from SecurityCenter. The default is 8834.

Enabled: A scanner may be Enabled or Disabled within SecurityCenter to allow or prevent its use.

Verify Hostname: Adds a check that the hostname or IP address entered in Host matches the Common Name (CN) in the SSL certificate presented by the Nessus server. Without this option, the name in the certificate is not compared with the Host value.

Use Proxy: Instructs SecurityCenter to use its configured proxy for communication with the scanner.

Authentication Type: Password or SSL Certificate. For detailed SSL Certificate configuration options, see the Nessus SSL Configuration section of this document.

Username: Username created during the Nessus install for daemon-to-client communication. This must be an administrator user if SecurityCenter is to send plugin updates to the scanner. If the scanner is updated by another method, such as by another SecurityCenter, a standard Nessus user account is sufficient to perform scans. Only available when Authentication Type is Password.

Password: The password for the Username above. Only available when Authentication Type is Password.

Certificate: Only available when Authentication Type is SSL Certificate. Click Browse, choose an SSL certificate file, and upload it to SecurityCenter. For more information, see Nessus SSL Configuration.

Zones: The zone(s) within SecurityCenter that may use this scanner.

Agent Capable: When enabled, an Organization option is presented. Select one or more organizations that may import Nessus Agent data into SecurityCenter. Agent-capable scanners must be either Tenable.io™ or Nessus Manager version 6.5 or higher. When using Nessus Manager, a non-admin account must be used to connect from SecurityCenter.


Configure SecurityCenter for Custom Certificates to Verify Hostname

Before Verify Hostname can succeed against a scanner whose certificate was issued by a custom Certificate Authority (CA), that CA's certificate must be installed for use by SecurityCenter. This is not required when the Nessus servers use their default certificates; the following steps apply only to a custom CA.

  1. Copy the required PEM-encoded CA certificate (and intermediary CA, if needed) to the SecurityCenter server’s /tmp directory. For this example, the file is named ROOTCA2.cer.
  2. Run the installCA.php script to create the required files for each CA in /opt/sc/data/CA as follows:

    # /opt/sc/support/bin/php /opt/sc/src/tools/installCA.php /tmp/ROOTCA2.cer

  3. Once each of your CAs has been processed, restart the SecurityCenter services with the following command:

    # service SecurityCenter restart

Once SecurityCenter has the proper CA certificate(s) installed, Verify Hostname validates the certificate presented by the scanner against them.
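Before enabling Verify Hostname for a scanner behind a custom CA, it is worth confirming that the scanner's certificate actually chains to the CA you installed and that its CN is exactly the value you will type into Host. The following shell script is an added example and is not SecurityCenter or Nessus code; it assumes openssl is on the PATH and that you have already saved the scanner's certificate to a PEM file (for example from openssl s_client). The function names, file names and hostnames are placeholders for illustration. It also lists Subject Alternative Names, since a certificate that carries the host only as a SAN will look correct in a browser but will not satisfy a CN comparison.

```shell
#!/bin/sh
# Added example, not SecurityCenter or Nessus code.
# Pre-flight checks for the "Verify Hostname" option: confirm that a
# scanner's PEM certificate (a) chains to the CA you installed with
# installCA.php and (b) carries the exact Host value you will enter in
# SecurityCenter as its Common Name. Assumes openssl on the PATH.
# Function and file names are assumptions for illustration.

# cert_cn <cert.pem> -> prints the subject Common Name
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
        | sed -n 's/^ *CN=//p' | head -n 1
}

# cert_sans <cert.pem> -> prints DNS and IP Subject Alternative Names, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o -E '(DNS|IP Address):[^,]*' \
        | sed -e 's/^DNS://' -e 's/^IP Address://'
}

# cn_matches_host <host> <cert.pem> -> 0 when the CN equals host
# (this is the comparison the page describes for Verify Hostname)
cn_matches_host() {
    [ "$(cert_cn "$2")" = "$1" ]
}

# san_matches_host <host> <cert.pem> -> 0 when some SAN equals host
# (diagnostic only: a SAN-only certificate passes here but fails the CN check)
san_matches_host() {
    cert_sans "$2" | grep -q -x -F -- "$1"
}

# cert_chains_to_ca <ca.pem> <cert.pem> -> 0 when openssl verify accepts the chain
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_scanner <host> <ca.pem> <cert.pem> -> 0 only when both checks pass;
# prints a hint for each failure so the cause is clear before touching the UI
check_scanner() {
    host=$1; ca=$2; cert=$3; rc=0
    if cert_chains_to_ca "$ca" "$cert"; then
        echo "ok: certificate chains to $ca"
    else
        echo "FAIL: certificate does not verify against $ca (was the right CA given to installCA.php?)"
        rc=1
    fi
    if cn_matches_host "$host" "$cert"; then
        echo "ok: CN '$(cert_cn "$cert")' matches Host '$host'"
    else
        echo "FAIL: CN '$(cert_cn "$cert")' does not equal Host '$host'"
        if san_matches_host "$host" "$cert"; then
            echo "      (host appears only as a SAN; enter the CN as Host or reissue the certificate)"
        fi
        rc=1
    fi
    return $rc
}

# Usage when run directly: sh check_scanner.sh <host> <ca.pem> <scanner.pem>
if [ "$#" -eq 3 ]; then
    check_scanner "$1" "$2" "$3"
fi
```

Run it with the same Host string you intend to enter in SecurityCenter; an IP address in Host only matches a certificate whose CN is that IP. A failing chain check points at the installCA.php step above, a failing CN check at the certificate issued to the scanner.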

Tenable.io™ Scanners

SecurityCenter supports the use of Tenable.io™ as a Nessus scanner. Tenable.io™ is an enterprise-class remote vulnerability scanning service that audits Internet-facing IP addresses for both network and web application vulnerabilities from the cloud. Although Tenable.io™ scanners are not managed by SecurityCenter (for example, plugins are not pushed from SecurityCenter to the scanner), they are added in the same manner as internal, local, or remote Nessus scanners.

To add a Tenable.io™ scanner to SecurityCenter, a valid and active Tenable.io™ subscription is required. In SecurityCenter, click the Resources tab, then Nessus Scanners, then Add.

Type a name (mandatory) and description (optional) for the Tenable.io™ scanner. Enter cloud.tenable.com as the Host and 443 (HTTPS) as the Port. Enter a valid Tenable.io™ username and password, and select the zone(s) within SecurityCenter that will use the Tenable.io™ scanner. If Nessus Agent information is to be imported into SecurityCenter, enable Agent Capable and select the Organization(s) permitted to access the data. Click Submit to add the scanner. If successful, the Tenable.io™ scanner is listed under Nessus Scanners with a status of Working.

Note that existing scan reports from the Tenable.io™ are not automatically made available through SecurityCenter, but they can be manually downloaded and imported into SecurityCenter by users with permissions to do so.

Note: The Tenable.io™ scanner selects the corresponding regional scanner by default. For example, a scan run from the United States uses the U.S. scanner and a scan run from Germany uses the Germany scanner.

Nessus Scanner Details

When View is selected from the gear icon drop-down menu, information about the selected scanner is displayed: its name, description, IP address or hostname, port, the username used to connect to it, its uptime, and when it was created and last modified in SecurityCenter. The Nessus scanner version, web server version, type, whether it is Nessus Agent capable, and the zones it belongs to are also shown, along with the number of active scans (load) the scanner is running, updated every 15 minutes, and the plugin set currently loaded on the scanner.

Deleting a Nessus Scanner

In some cases it may be necessary to delete a configured Nessus scanner from SecurityCenter. When this must be done, click the gear icon next to the scanner to be deleted and click the delete option from the menu. This will open a confirmation window asking to confirm the deletion of the scanner by its name. Click the delete button to remove the scanner or the cancel button or the X at the top right to not delete the selected scanner.

Scan Zones

Scan Zones define the IP ranges associated with the scanner along with organizational access. SecurityCenter allows defined Organizations to be configured with three different scan zone modes: Automatic Distribution Only, Locked Zone, and Selectable Zones. If an Organization is in Automatic Distribution Only mode, SecurityCenter will pick the scan zone and scanners based on the IP address of the target. If an Organization is in Locked Zone mode, only the selected zones are available to users during the creation of scan policies. If an Organization is in Selectable mode, all scan zones are displayed and can be selected as needed.

In Selectable Zones mode, the zones associated with the Organization and All Zones are available to the user at scan time. When a scan is configured to use a specific zone, in either Selectable Zones or Locked Zone mode, the zone's IP ranges are ignored: any IPs in the user's managed ranges are scanned by the Nessus scanners associated with the chosen zone.

When a scan is configured to use the All Zones zone, the targets for the scan will be given to scanners in the most appropriate zone available based on the zone’s specified ranges (20K character limit). This facilitates optimal scanning and is very useful if an Organization has devices placed behind a firewall or NAT device and has conflicting RFC 1918 non-internet-routable address space with another Organization. In addition, some Organizations may benefit from the ability to override their default scanner(s) with one(s) from a different zone. This allows an Organization to more easily run internal and external vulnerability scans.

Tip: Sometimes forcing a scan to use a non-ideal scanner is helpful to analyze the vulnerability stance from a new perspective. For example, setting the default scanner to an external one allows you to see the attack surface from an external attacker’s perspective.

An example Scan Zone configuration screen capture is displayed below:

There are four items to configure for a Scan Zone. Each zone contains a Name, optional Description, IP range(s) to be covered by the zone, and the Nessus scanner(s) used by the zone for scanning. The ranges are entered using CIDR or range notations with multiple ranges separated by commas. The scanners are selected by checking the box next to the scanner name. When hovering over a scanner name, an information icon is displayed. Hovering over this icon will display scanner information including its name, description, host, version, and current status.

Once configuration is complete, clicking the submit button will create the new scan zone for use within SecurityCenter. This will return you to the Scan Zones page.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.