Security
Related Reading: User Access (including LDAP Authentication, Certificate Authentication, SAML Authentication, and WebSeal) and Encryption Strength in the Tenable Security Center User Guide
Review the following information about Tenable Security Center security features and considerations.
Tenable Security Center
At its core, Tenable Security Center is a web application served by Apache and written in PHP. Although controls are in place to secure the user interface, Tenable recommends deploying Tenable Security Center on a secure, internal-facing network. In high security environments, restrict access to the interface to authorized networks and systems only. For more information, see the port requirements.
From a user perspective, Tenable Security Center supports a role-based access control model for user data interaction and separation of duties. This allows you to grant application administrators control over management tasks without exposing organizational vulnerability data. Users can authenticate to Tenable Security Center in a variety of ways, including local authentication, LDAP/AD authentication, certificate/smart card authentication, SAML authentication, and WebSeal authentication. All user interface interaction, including user authentication, takes place over HTTPS.
You can customize the default Tenable Security Center HTTPS certificate to meet your organizational requirements.
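The replacement certificate is usually issued by an internal CA from a CSR you generate on the server. The script below is an added example, not Tenable's code or a Tenable-supported procedure: it builds a CSR that carries the hostname in the subjectAltName (browsers ignore a bare CN) and then checks the certificate that comes back for the expected SAN, its remaining validity, and that it actually belongs to the private key you are about to deploy. The hostname `sc.example.internal` and the output directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Tenable's code). Assumed hostname: sc.example.internal.
# Requires the openssl command-line tool (OpenSSL 1.1.1 or later for -addext).

# make_csr <hostname> <outdir>
# Generate a fresh RSA-3072 private key and a CSR whose subjectAltName carries
# the hostname users type into the browser. The key never leaves the server.
make_csr() {
  host=$1
  out=$2
  mkdir -p "$out"
  openssl req -new -newkey rsa:3072 -nodes -sha256 \
    -keyout "$out/$host.key" -out "$out/$host.csr" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1 || return 1
  chmod 600 "$out/$host.key"   # private key readable only by its owner
}

# cert_has_san <cert.pem> <hostname>
# Exit 0 only if the certificate's SAN list contains exactly DNS:<hostname>
# (splitting on commas avoids matching a longer name by prefix).
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$2"
}

# cert_valid_for_days <cert.pem> <days>
# Exit 0 if the certificate will still be valid <days> from now; use it in a
# cron job so the renewal is scheduled before the UI starts throwing warnings.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_matches_key <cert.pem> <key.pem>
# Exit 0 if the certificate's public key is the one derived from the private
# key; deploying a mismatched pair is the most common reason Apache fails to start.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
```

Typical use is `make_csr sc.example.internal /root/sc-csr`, submit the `.csr` to the CA, then run `cert_has_san`, `cert_valid_for_days` and `cert_matches_key` against the returned certificate and the generated key before installing them in the location the User Guide specifies for your version.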
Tenable Nessus and Tenable Nessus Manager
From a network interface perspective, Tenable Nessus only requires network connectivity with Tenable Security Center for operational usage; consider restricting interface access to the Tenable Security Center server only. Before restricting access, consider:
- You may need user interface access to Tenable Nessus for setup or troubleshooting.
- You need user interface access to Tenable Nessus Manager for operational usage.
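The two restrictions described above (the Security Center interface reachable only from authorized networks, and a managed Nessus scanner reachable only from the Security Center server) are host firewall policy. The script below is an added example, not Tenable's code or a Tenable-supported configuration: it emits a default-drop nftables ruleset for each host from a validated list of source networks. The port numbers (TCP 443 for the Security Center UI/API, TCP 8834 for Nessus, TCP 22 for SSH management) and the addresses are assumptions for illustration; confirm them against the port requirements for your version before loading anything.

```shell
#!/bin/sh
# Added example (not Tenable's code). Ports and addresses below are assumptions.

# valid_cidr <a.b.c.d/len>
# Exit 0 only for a syntactically valid IPv4 CIDR, so that a typo in an
# allow-list cannot silently become a rule that drops everything or nothing.
valid_cidr() {
  cidr=$1
  case "$cidr" in */*) ;; *) return 1 ;; esac
  ip=${cidr%/*}
  len=${cidr#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  old_ifs=$IFS
  IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# emit_ruleset <label> <app_port> <admin_cidr> <app_cidr>...
# Print an nftables ruleset: inbound policy drop, SSH only from <admin_cidr>,
# <app_port> only from the listed <app_cidr>s, everything else logged and dropped.
emit_ruleset() {
  label=$1; port=$2; admin=$3
  shift 3
  [ $# -ge 1 ] || { echo "emit_ruleset: need at least one application source" >&2; return 1; }
  for c in "$admin" "$@"; do
    valid_cidr "$c" || { echo "emit_ruleset: invalid CIDR '$c'" >&2; return 1; }
  done
  sources=$(printf '%s, ' "$@")
  sources=${sources%, }
  cat <<EOF
# $label: generated nftables ruleset (load with: nft -f <file>)
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip saddr $admin tcp dport 22 accept
    ip saddr { $sources } tcp dport $port accept
    log prefix "$label drop: " drop
  }
}
EOF
}

# Constructed example addresses: administrators on 10.10.0.0/24, analysts on
# 10.20.0.0/24, the Security Center server itself at 10.10.5.10.
emit_ruleset "security-center" 443 10.10.0.0/24 10.10.0.0/24 10.20.0.0/24
emit_ruleset "nessus-scanner" 8834 10.10.0.0/24 10.10.5.10/32
```

Outbound traffic is left open because the scanner must reach its targets and both hosts must reach Tenable for plugin and product updates. The `ct state established,related` rule is what lets the Security Center server's connections to the scanner receive replies without opening port 8834 to anyone else; keep the SSH rule scoped to the administrative network so that tightening the application port does not also lock you out of the box.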
When connected to Tenable Security Center, Tenable Nessus does not store any vulnerability or credential data. Tenable Nessus runs the scan and transmits the scan data to Tenable Security Center using an HTTPS connection. Then, Tenable Nessus deletes the scan data.
If you are using Tenable Nessus Agents with Tenable Security Center, vulnerability data is stored in Tenable Nessus Manager or Tenable Vulnerability Management.
Data Storage Encryption
Credentials are stored encrypted on the Tenable Security Center server; vulnerability and application data are not encrypted. Tenable Security Center also integrates with privileged access management (PAM) solutions, allowing Tenable Nessus to retrieve credentials from a centralized password store during a network scan.
If your organization requires data at rest encryption for vulnerability data or backup data, Tenable recommends hardware-level disk encryption. Tenable Support does not assist with hardware-level disk encryption.
Communications Encryption
Tenable Security Center encrypts all communications over the network. This includes user interaction with the user interface and API as well as all scanner communications and communications with Tenable. You can customize these encryption settings to meet specific organizational requirements.
By default, Tenable Nessus uses encrypted protocols to authenticate to scan targets, but the protection of that traffic is bounded by the authentication protocols each target supports: if a target offers only a weak or cleartext authentication protocol, the credentials sent to it are only as protected as that protocol allows.
Product Upgrades
In most large environments, Tenable recommends updating your Tenable products quarterly to take advantage of the feature and security updates in the latest versions of Tenable products.
In addition, you can:
- View security-related product updates in our Tenable Product Security Advisories and RSS feed.
- Report vulnerabilities in Tenable products. Tenable releases detections for Tenable product vulnerabilities in our plugin feeds to ensure visibility for outstanding issues.