Considerations for Air-Gapped Environments

Consider the following when deploying Tenable.sc in an air-gapped (offline) environment.

Architecture

You must deploy a Tenable.sc and a set of scanners within each air-gapped network.

If you want to consolidate data from other networks with the data generated in your air-gapped network, you can use offline repositories to export data from your air-gapped Tenable.sc to your other instance of Tenable.sc. This supports both consolidated and federated reporting structures.

Upgrades and Updates

Tenable recommends performing Tenable.sc upgrades at least once a year (quarterly preferred) and plugin/feed updates at least once a month. After you perform a plugin update, run comprehensive scans to take advantage of the new vulnerability data and generate current scan results.

Note: A few plugins require internet access and cannot run in an air-gapped environment. For example, Tenable Nessus plugin 52669 checks to see if a host is part of a botnet.

After you perform a plugin update or feed update, verify the files as described in the knowledge base article.

To perform a Tenable.sc upgrade or a plugin/feed update offline:

1. Download the files in a browser or via the API.
2. Verify the integrity of the files.
   • Tenable.sc upgrade: Compare the download checksum with the checksum on the Tenable downloads page
   • Plugin/feed update: Download and compare the checksums.
3. Move the files to your Tenable.sc instance.
4. Upload the files to Tenable.sc.
   • Tenable.sc upgrade: via the CLI.
   • Plugin/feed update: in a browser or via the API.

Tenable Nessus Agents

If you deployed Tenable Nessus Manager to manage Tenable Nessus Agents in an air-gapped environment, perform an offline software update (nessus-agent-updates-X.X.X.tar.gz on the Tenable Downloads site) on your Tenable Nessus Manager. Tenable Nessus Manager pushes the update to the managed Tenable Nessus Agents.

For more information, see the knowledge base article.