Considerations for Air-Gapped Environments

Consider the following when deploying Tenable Security Center in an air-gapped (offline) environment.

Architecture

You must deploy a Tenable Security Center and a set of scanners within each air-gapped network.

If you want to consolidate data from other networks with the data generated in your air-gapped network, you can use offline repositories to export data from your air-gapped Tenable Security Center to your other instance of Tenable Security Center. This supports both consolidated and federated reporting structures.

Upgrades and Updates

Tenable recommends performing Tenable Security Center upgrades at least once a year (quarterly preferred) and plugin/feed updates at least once a month. After you perform a plugin update, run comprehensive scans to take advantage of the new vulnerability data and generate current scan results.

Note: A few plugins require internet access and cannot run in an air-gapped environment. For example, Tenable Nessus plugin 52669 checks to see if a host is part of a botnet.

After you perform a plugin update or feed update, verify the files as described in the knowledge base article.

To perform a Tenable Security Center upgrade or a plugin/feed update offline:

Tip: You can use the API to automate some Tenable Security Center upgrade and plugin update process.

  1. Download the files in a browser or via the API.
  2. Verify the integrity of the files.
  3. Move the files to your Tenable Security Center instance.
  4. Upload the files to Tenable Security Center.

Tenable Nessus Agents

If you deployed Tenable Nessus Manager to manage Tenable Nessus Agents in an air-gapped environment, perform an offline software update (nessus-agent-updates-X.X.X.tar.gz on the Tenable Downloads site) on your Tenable Nessus Manager. Tenable Nessus Manager pushes the update to the managed Tenable Nessus Agents.

For more information, see the knowledge base article.