Tenable Scan Strategy Guide


Tenable Scan Strategy
Tenable Professional Services
Last Revised: May 07, 2021

Table of Contents

Introduction
Network Assessment
  Network Topology
  Scan Target Identification
  Customer Requirements
  Tenable Resource Allocation
Scanning Methodology
  Active Scan Schedule Options
  Scan Policy Configuration
    Host Discovery
    Vulnerability Scan
    External Vulnerability Scan
    Compliance Checks
  Scan Policy Settings
Related Documents

Copyright 2021 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Introduction

The purpose of this document is to describe scan strategies that Tenable Professional Services consultants recommend for their various customer environments. This document focuses on Tenable.io and Tenable.sc active scans that utilize Nessus.

Network Assessment

The scan strategy that Tenable recommends depends on several factors:

- Network Topology
- Scan Target Identification
- Customer Requirements
- Tenable Resource Allocation

Network Topology

The organization's network topology determines Nessus scanner placement and Scanner Group / Scan Zone configuration.

Flat Network
- The Nessus scanner(s) can directly access all targets without firewall or other network device configuration.
- One or more scanners can be configured to scan network targets in a single Scanner Group / Scan Zone.

Segmented Network
- If a network is behind a firewall or is VLAN separated, such as a DMZ, the Nessus scanner may not be able to successfully scan its targets.
- A Nessus scanner should be placed in each network segment.
- Nessus scanners connect outbound to Tenable.io on TCP/443; Tenable.sc connects inbound to each Nessus scanner on TCP/8834. These management connections must be allowed in addition to the scan traffic itself.
- If a Nessus scanner cannot be placed in a network segment, then firewall rules must be configured so the scanner can reach all intended target ports and protocols. A firewall in the path can also drop or rate-limit probes, which reduces the accuracy of the results, so prefer a scanner inside the segment where possible.

Geographically Separated
- To minimize network bandwidth utilization and potentially decrease scan duration, consider placing a Nessus scanner at each geographically separated site.

Operational Technology (OT) (e.g., ICS/SCADA, or other sensitive networks)
- Nessus Network Monitor is highly recommended.
- If Nessus scanners are used, first test in a non-production environment.

Combination of the previous examples

Scanner Groups (Tenable.io) / Scan Zones (Tenable.sc)

Example Scanner Groups / Scan Zones:

- Default/Primary
  - Flat network: Nessus can reach all targets.
- Site or DMZ Zone(s)
  - Scanner at a geographically separated site.
  - Scanner in the DMZ.
- Public
  - The Tenable.io cloud-based scanner is in the External Nets scan zone that contains public-facing IP addresses.

For zone configuration details, see the Tenable.sc Scan Zones documentation (…ent/ScanZones.htm).
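The zone and scanner-group rules above reduce to one question per target: which scanner pool can reach it. The Python below is an example added to this page (it is not Tenable code and does not call the Tenable.io or Tenable.sc API). It expands a Nessus-style target list into addresses, assigns each address to the most specific zone whose range covers it, and reports targets that no zone covers, which on Tenable.sc are left unscanned. The zone names follow the example list above; the address ranges, scanner names and the longest-prefix tie-break for overlapping zones are this example's assumptions, so confirm how your deployment resolves overlaps.

```python
"""Route active-scan targets to Scanner Groups / Scan Zones by address range.

Example added to this page; not Tenable code and not a Tenable API call.
Zone names follow the example list above; ranges and scanner names are
made up for illustration (RFC 1918 and documentation address blocks).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanZone:
    name: str
    ranges: tuple    # CIDR blocks the zone's scanners can reach
    scanners: tuple  # Nessus scanners pooled in the zone


EXAMPLE_ZONES = (
    ScanZone("Default/Primary", ("10.0.0.0/8",), ("nessus-hq-01", "nessus-hq-02")),
    ScanZone("Site-Denver", ("10.50.0.0/16",), ("nessus-den-01",)),
    ScanZone("DMZ", ("192.0.2.0/24",), ("nessus-dmz-01",)),
    ScanZone("External Nets", ("203.0.113.0/24",), ("tenable-io-cloud-scanner",)),
)


def expand_targets(spec):
    """Expand a comma-separated target list into IPv4Address objects.

    Accepts single addresses, CIDR blocks and full 'a.b.c.d-w.x.y.z' ranges.
    DNS names are not resolved here: resolution depends on the scanner's
    view of DNS, so resolve them from the scanner, not a workstation."""
    hosts = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "/" in item:
            net = ipaddress.ip_network(item, strict=False)
            # /31 and /32 have no "host" addresses in the classic sense,
            # so iterate the whole block instead of net.hosts()
            hosts.extend(net if net.prefixlen >= 31 else net.hosts())
        elif "-" in item:
            first, last = (ipaddress.ip_address(p) for p in item.split("-", 1))
            if last < first:
                raise ValueError(f"range runs backwards: {item}")
            hosts.extend(ipaddress.ip_address(n) for n in range(int(first), int(last) + 1))
        else:
            hosts.append(ipaddress.ip_address(item))
    return hosts


def zone_for(addr, zones):
    """Most specific (longest prefix) zone covering addr, or None."""
    best, best_len = None, -1
    for zone in zones:
        for cidr in zone.ranges:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best


def route_targets(spec, zones=EXAMPLE_ZONES):
    """Return ({zone name: [addresses]}, [addresses no zone covers])."""
    routed, unrouted = {}, []
    for addr in expand_targets(spec):
        zone = zone_for(addr, zones)
        if zone is None:
            unrouted.append(str(addr))
        else:
            routed.setdefault(zone.name, []).append(str(addr))
    return routed, unrouted


if __name__ == "__main__":
    targets = "10.1.2.3, 10.50.7.9-10.50.7.10, 192.0.2.0/30, 172.16.0.5, 203.0.113.7"
    routed, unrouted = route_targets(targets)
    for name, addrs in routed.items():
        print(f"{name}: {addrs}")
    print("not in any zone (would not be scanned):", unrouted)
```

Run the routing over every Static Asset List or Target Group before a scan is scheduled; an address in the "unrouted" list means either a missing zone range or a scanner that has not been placed in that segment.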

Scan Target Identification

Scan strategy depends on the scan targets. A list of targets, such as IP addresses, ranges, subnets, or DNS names, can be used to create Tenable.io Target Groups or Tenable.sc Static Asset Lists.

Operating Systems (Windows, Linux, macOS)
- OS type, quantity of each, and use of credentials will impact the scan duration.
- Credentialed scans are typically the fastest and provide the most thorough vulnerability scan results.

Application (DB, vCenter, etc.)
- Scan duration varies based on application server type.
- Conduct a scan of a sample of systems to estimate scan duration and target system behavior.

Network Devices (switch, router, firewall, etc.)

Public External
- Use a Nessus scanner that is able to communicate with the target public IP address. The scanner can be cloud-based or internal.
- Cloud-based scanner examples:
  - Tenable.io Scanner
  - AWS BYOL scanner
  - Azure
  - Nessus Scanner installed on a Linux/UNIX/Windows virtual instance

Quantity of targets
- To reduce the scan duration of a large number of targets:
  - Add additional scanners
  - Pool scanners in a Scanner Group / Scan Zone
  - Scan by network segment / VLAN
  - Adjust scan policy performance settings

Sensitive hosts
- Create an Advanced Network Scan policy to finely tune each policy setting and monitor the effect on the target.
- A Nessus Agent installed on a target relies on local target resources.
- Nessus Network Monitor can passively listen to the target's network traffic so its ports are not scanned.

Transient Devices, e.g., laptops
- Nessus Agent scans.
- If Nessus Agents are not an option, scan transient device subnets when users are most likely to be on the network, such as during business hours.

AWS Machine Instances
- Utilize the AWS Connector feature in Tenable.io and deploy the Nessus Pre-Authenticated Scanner found in the AWS Marketplace.

Customer Requirements

Each customer has various requirements that can influence scan strategy.

Software patch and scan cadence
- Many organizations have configuration management processes in place that define patch schedules.

Regulation and compliance
- NIST, HIPAA, NERC CIP, etc.
- Local requirements

Change management process
- If prior approval is required to conduct scans, create a baseline scan policy and propose a scan schedule that can be automated and is predictable.

Maintenance windows
- If active scanning can only occur within a specific time window, e.g., after business hours, adapt the scan strategy to the restrictions:
  - Add additional Nessus scanners and pool them in a Scanner Group / Scan Zone.
  - Increase the scan policy performance settings, such as Max simultaneous hosts per scan.
  - Set active scans to Rollover so that a scan that does not finish inside the window launches again at the same time on the following day.
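The "quantity of targets" guidance in Scan Target Identification and the maintenance-window options above can be turned into arithmetic: scan a sample, derive how long one batch of concurrent hosts takes, then check whether the full target set fits the window with the scanners you have and, if not, how many pooled scanners it would take or how many rollover days the scan will span. The Python below is an example added to this page, not Tenable code; the batch ("wave") model is this example's simplification, and the sample figures and window are constructed. Treat the output as a planning estimate and re-check it against real scan durations.

```python
"""Size a Scanner Group / Scan Zone against a maintenance window.

Example added to this page; not Tenable code.  Model: a scan works through
its targets in waves of (scanners x max simultaneous hosts per scan), and
each wave takes about as long as the waves of a sample scan did.  All
figures are constructed; real durations vary with credentials, OS mix and
link speed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SampleScan:
    hosts: int               # targets in the sample scan
    minutes: float           # wall-clock duration of the sample scan
    max_hosts_per_scan: int  # "Max simultaneous hosts per scan" used for it


def minutes_per_wave(sample):
    """How long one wave of max_hosts_per_scan hosts took in the sample."""
    waves = math.ceil(sample.hosts / sample.max_hosts_per_scan)
    return sample.minutes / waves


def estimate_minutes(targets, scanners, max_hosts_per_scan, wave_minutes):
    """Estimated duration with `scanners` pooled in one group/zone."""
    concurrent = scanners * max_hosts_per_scan
    return math.ceil(targets / concurrent) * wave_minutes


def scanners_to_fit(targets, max_hosts_per_scan, wave_minutes, window_minutes):
    """Fewest pooled scanners that finish inside the window.

    Returns None when even a single wave overruns the window, i.e. pooling
    alone cannot help and the policy or the window has to change."""
    waves_allowed = int(window_minutes // wave_minutes)
    if waves_allowed < 1:
        return None
    concurrent_needed = math.ceil(targets / waves_allowed)
    return math.ceil(concurrent_needed / max_hosts_per_scan)


def plan_scan(targets, scanners, max_hosts_per_scan, sample, window_minutes):
    wave = minutes_per_wave(sample)
    est = estimate_minutes(targets, scanners, max_hosts_per_scan, wave)
    return {
        "wave_minutes": wave,
        "estimated_minutes": est,
        "fits_window": est <= window_minutes,
        # option: add scanners and pool them in a Scanner Group / Scan Zone
        "scanners_to_fit": scanners_to_fit(targets, max_hosts_per_scan, wave, window_minutes),
        # option: let the scan roll over to the same window on following days
        "rollover_windows": math.ceil(est / window_minutes),
    }


if __name__ == "__main__":
    # Constructed sample: 128 hosts finished in 45 minutes at 64 hosts per scan.
    sample = SampleScan(hosts=128, minutes=45, max_hosts_per_scan=64)
    # 5,000 in-scope IPs, two pooled scanners, 22:00-06:00 window (480 minutes).
    for key, value in plan_scan(5000, 2, 64, sample, 480).items():
        print(f"{key}: {value}")
```

With these constructed numbers the two-scanner pool needs about 900 minutes, so the scan would roll over into a second night; four pooled scanners bring it to about 450 minutes and inside the window. The third option from the list above, raising Max simultaneous hosts per scan, changes `max_hosts_per_scan` in the same formula, but only if the scanner hardware can sustain it (see Tenable Resource Allocation).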

Tenable Resource Allocation

Depending on scan policy settings, the Nessus scanner minimum hardware requirements may not be sufficient to meet scan frequency or duration goals.

Nessus Scanner

Tenable recommends using a Linux-based operating system. If your organization has an established Linux team, use their recommended RHEL image or CentOS build. You can also use Tenable Core. For a full list of supported operating systems, see Nessus Scanner Software Requirements.

A Windows-based Nessus scanner must have its scan policy performance (max number of concurrent TCP sessions per host) throttled to ensure accuracy; the Scan Policy Settings table later in this document gives the value. Refer to the Advanced Settings in the Nessus guide.

For recommended Nessus hardware settings, see Nessus Scanner Hardware Requirements. Scan policy performance settings impact CPU and RAM utilization, so monitor Nessus scanner resources and adjust as necessary.

Tenable.sc

For hardware and software requirements, see Tenable.sc Hardware Requirements and Tenable.sc Software Requirements. Ensure Tenable.sc hardware resources meet the minimum requirements for the number of in-scope IPs.

Caution: It is important that you meet the recommended Tenable.sc hardware requirements; otherwise performance issues could result.

Tenable.io

Tenable maintains Tenable.io hardware resources.

Scanning Methodology

- Active Scan Schedule Options
- Scan Policy Configuration
- Scan Policy Settings

Active Scan Schedule Options

You can choose from the following active scan scheduling options to match your scan cadence.

- On-demand: Manually launched by the user.
- Scheduled: Scheduled scans can be set to automatically launch daily, weekly, or monthly.
- Dependent: The active scan launches when a scheduled parent scan completes. Dependent scans can be daisy-chained to other dependent scans.
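A chain of dependent scans has a launch order and a total run time that follow from the parent links. The Python below is an example added to this page, not Tenable code: it orders a set of scans so that every dependent scan follows its parent, rejects a dependent scan whose parent is undefined or a chain that loops back on itself (neither could ever launch), and lays out each scan's start and end offsets so the whole chain can be checked against a maintenance window. The scan names, schedules and durations are constructed.

```python
"""Order daisy-chained dependent scans and lay out the chain's timeline.

Example added to this page; not Tenable code.  Scan names, schedules and
estimated durations are constructed.
"""
from collections import deque

# name: (schedule type, parent scan, estimated minutes)
EXAMPLE_SCANS = {
    "host-discovery":     ("scheduled", None, 30),
    "vuln-credentialed":  ("dependent", "host-discovery", 300),
    "compliance-cis":     ("dependent", "vuln-credentialed", 120),
    "full-port-external": ("scheduled", None, 240),
}


def launch_order(scans):
    """Return scan names so that every dependent scan comes after its parent.

    Raises ValueError for a dependent scan without a defined parent and for
    a cycle, since neither could ever launch."""
    children = {name: [] for name in scans}
    pending_parents = {name: 0 for name in scans}
    for name, (schedule, parent, _minutes) in scans.items():
        if schedule != "dependent":
            continue
        if parent not in scans:
            raise ValueError(f"{name}: parent {parent!r} is not a defined scan")
        children[parent].append(name)
        pending_parents[name] += 1
    # Kahn's algorithm: scheduled (root) scans first, then whatever they release
    ready = deque(sorted(n for n, count in pending_parents.items() if count == 0))
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for child in children[name]:
            pending_parents[child] -= 1
            if pending_parents[child] == 0:
                ready.append(child)
    if len(order) != len(scans):
        stuck = sorted(set(scans) - set(order))
        raise ValueError(f"dependent scans form a cycle: {stuck}")
    return order


def timeline(scans):
    """Start/end offsets in minutes from the moment a root scheduled scan launches."""
    start, end = {}, {}
    for name in launch_order(scans):
        schedule, parent, minutes = scans[name]
        start[name] = end[parent] if schedule == "dependent" else 0
        end[name] = start[name] + minutes
    return {name: (start[name], end[name]) for name in start}


def chain_minutes(scans):
    """Wall-clock length of the longest chain; compare with the maintenance window."""
    return max(finish for _start, finish in timeline(scans).values())


if __name__ == "__main__":
    for name, (begin, finish) in timeline(EXAMPLE_SCANS).items():
        print(f"{name:20s} starts at +{begin:4d} min, ends at +{finish:4d} min")
    print("longest chain:", chain_minutes(EXAMPLE_SCANS), "minutes")
```

The chain length is what has to fit the maintenance window, not the parent scan alone: in the constructed example the discovery scan takes 30 minutes but the chain it starts runs for 450.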

Scan Policy Configuration

Use the following scan policies to fit your desired scan strategy:

- Host Discovery
- Vulnerability Scan
- External Vulnerability Scan
- Compliance Checks

Host Discovery

Using the Advanced Network Scan policy for host discovery, you can configure the policy to match your scanner's hardware resources for speed, accuracy, and thoroughness, while also choosing only plugins that do not count against the license. Refer to Table 1 for the individual Host Discovery plugins.

Notable policy setting changes include:

- Advanced > Performance > Max simultaneous hosts per scan
  - Tenable.sc: 128 (Tenable.sc scans in multiples of 8 hosts.)
  - Tenable.io: 100
- Port Scanning > Network Port Scanners
  - SYN
  - For speed, choose only SYN. Leave TCP and UDP disabled. If you are only attempting to find hosts that are alive, then disable SYN as well and rely on the ping methods alone.
- Discovery Plugins
  - Go to Plugins > Disable All and then manually select the desired plugins from the table below. The plugins in the table do not count against your license count.

Note: The Port Scanners plugin family is not listed in the interface; those plugins are controlled by the toggle switches in the Host Discovery and Port Scanning policy categories.

Table 1: Host Discovery plugins (not counted against the license)

Plugin ID | Name                                    | Family
----------|-----------------------------------------|------------------
45590     | Common Platform Enumeration             | General
54615     | Device Type                             | General
12053     | Host Fully Qualified Domain Name (FQDN) | General
11936     | OS Identification                       | General
10287     | Traceroute Information                  | General
22964     | Service Detection                       | Service Detection
11933     | Do not scan printers                    | Settings
87413     | Host Tagging                            | Settings
19506     | Nessus Scan Information                 | Settings
33812     | Port scanners settings                  | Settings
33813     | Port scanner dependency                 | Settings
10180     | Ping the remote host                    | Port scanners
10335     | Nessus TCP scanner                      | Port scanners
11219     | Nessus SYN scanner                      | Port scanners
14274     | Netstat Portscanner (SSH)               | Port scanners
14272     | Netstat Portscanner (WMI)               | Port scanners
34220     | Nessus SNMP Scanner                     | Port scanners
34277     | Nessus UDP Scanner                      | Port scanners

Vulnerability Scan

A Basic Network Scan template is suitable for any host. All plugins are enabled in this policy.

Using the Advanced Network Scan policy for vulnerability scanning allows you to configure the policy to match your scanner's hardware resources for speed, accuracy, and thoroughness.

Notable policy setting changes include:

- Advanced > Performance > Max simultaneous hosts per scan
  - 64
  - Tenable.sc scans in "chunks" of 8 hosts.
  - This is on the high end; Nessus scanner and network utilization should be monitored.
  - Lower this setting if resources are impacted.

Note: Lowering the setting increases scan duration, which may need to be factored in for organizations with blackout windows.

- Plugins > Enable All
  - Many plugin families will not launch if other policy settings override them. For example, the per-platform Local Security Checks families (such as Red Hat Local Security Checks or Ubuntu Local Security Checks) only run when valid credentials for that platform are entered in the active scan; with Enable All but no credentials, the scan is still an uncredentialed scan.

External Vulnerability Scan

When scanning external (internet-facing) hosts, external firewalls or other boundary protection devices may block the scan's host discovery ping packets. If you disable Ping the Remote Host in the scan policy, port scanning is forced to run against every target IP in the active scan, regardless of whether it is alive or dead.

- Host Discovery > Ping the Remote Host
  - Disable

Additional notable policy setting changes include:

- Port Scanning > Ports > Port scan range
  - 1-65535 (or "all")
  - This port range performs an assessment that mimics what an outside attacker would see. Using this policy, you will discover more public-facing servers than before, and because the external vulnerability scan policy is reasonably quick, it may eliminate the need for separate external host discovery scans.
- Plugins > Enable All

Compliance Checks

For information on compliance checks, see the following documents:

- Nessus User Guide
- Nessus Compliance Checks Reference
- Nessus Compliance Checks PDF

Scan Policy Settings

The table below describes scan policy settings to adjust to meet an organization's scan strategy. The three value columns give the recommended setting for the Host Discovery, Vulnerability Scan, and Full Port Scan policies.

Policy Location | Setting Name | Host Discovery | Vulnerability Scan | Full Port Scan | Comments
--- | --- | --- | --- | --- | ---
Advanced > Performance | Network timeout (in seconds) | 5 | 5 | 2 | Increased scan speed for the Full Port Scan policy.
Advanced > Performance | Max simultaneous checks per host | 5 | 5 | 5 | 2 or 1 for old boxes.
Advanced > Performance | Max simultaneous hosts per scan | 96 (max is 15 hardcoded) | 64 | 96 | 64 hosts if Nessus has 8 GB RAM; 96 for host discovery. Lower for slow links. Keep divisible by 8.
Host Discovery | Max number of concurrent TCP sessions per host | unlimited | unlimited | unlimited | Set to 19 to increase Windows-based Nessus scanner accuracy.
Host Discovery | Ping the Remote Host | enable | enable | disable | Disabled in the Full Port Scan policy to force a TCP/UDP scan of every target.
Port Scanning > Ports | Port scan range | default | default | 1-65535 | The Full Port Scan policy scans all ports instead of the Tenable.sc default list of 4,790 common ports.
Port Scanning > Ports | UDP | disable | disable | enable | Enable UDP scanning for those targets that require a Full Port scan.
Service Discovery > General Settings | Search for SSL/TLS services | disable | enable | disable | Enable for the Vulnerability Scan to find additional services.
Windows > Enumerate Local Users | Start UID - End UID | disable | 1 - 1200 | default | Gather information on local Windows accounts with credentialed scans.
Report > Processing | Show missing patches that have been superseded | disable | disable | disable | Reduces scan result clutter and lets system owners focus on the latest patches.
Report > Output | Display hosts … | enable | enable | enable | Provides … (remainder of this row is not present in the source)
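The table above and the Host Discovery plugin list (Table 1) can be captured as policy profiles and checked mechanically before a policy is saved. The Python below is an example added to this page, not Tenable code; its dictionary keys are the example's own names rather than Nessus or Tenable API fields, and the checks it performs are the rules the page states: Tenable.sc scans in chunks of 8 hosts, a Windows-based scanner should cap concurrent TCP sessions per host at 19, a host discovery policy should enable only the license-free plugins, a policy that disables ping will port-scan every target, and a full port range goes together with UDP scanning.

```python
"""Scan policy profiles from the Scan Policy Settings table, with a checker
for the rules the page attaches to them.

Example added to this page; not Tenable code.  Keys are this example's own
names, not Nessus/Tenable API field names.  None means "unlimited"; the
string "default" keeps the Nessus default for that setting.
"""
import copy

# Table 1: plugins that do not count against the license (ID -> name).
HOST_DISCOVERY_PLUGINS = {
    45590: "Common Platform Enumeration",
    54615: "Device Type",
    12053: "Host Fully Qualified Domain Name (FQDN)",
    11936: "OS Identification",
    10287: "Traceroute Information",
    22964: "Service Detection",
    11933: "Do not scan printers",
    87413: "Host Tagging",
    19506: "Nessus Scan Information",
    33812: "Port scanners settings",
    33813: "Port scanner dependency",
    10180: "Ping the remote host",
    10335: "Nessus TCP scanner",
    11219: "Nessus SYN scanner",
    14274: "Netstat Portscanner (SSH)",
    14272: "Netstat Portscanner (WMI)",
    34220: "Nessus SNMP Scanner",
    34277: "Nessus UDP Scanner",
}

# One profile per column of the Scan Policy Settings table.
PROFILES = {
    "host_discovery": dict(
        network_timeout_s=5, max_checks_per_host=5, max_hosts_per_scan=96,
        max_tcp_sessions_per_host=None, ping_remote_host=True,
        port_scan_range="default", udp_scan=False, search_ssl_tls=False,
        enumerate_local_users=None, show_superseded_patches=False,
        plugins="selected"),
    "vulnerability": dict(
        network_timeout_s=5, max_checks_per_host=5, max_hosts_per_scan=64,
        max_tcp_sessions_per_host=None, ping_remote_host=True,
        port_scan_range="default", udp_scan=False, search_ssl_tls=True,
        enumerate_local_users=(1, 1200), show_superseded_patches=False,
        plugins="all"),
    "full_port": dict(
        network_timeout_s=2, max_checks_per_host=5, max_hosts_per_scan=96,
        max_tcp_sessions_per_host=None, ping_remote_host=False,
        port_scan_range="1-65535", udp_scan=True, search_ssl_tls=False,
        enumerate_local_users="default", show_superseded_patches=False,
        plugins="all"),
}


def build_policy(profile, scanner_os="linux"):
    """Copy a profile and apply the scanner-specific adjustments the page calls for."""
    policy = copy.deepcopy(PROFILES[profile])
    policy["profile"] = profile
    if profile == "host_discovery":
        # "Plugins > Disable All", then only the Table 1 plugins
        policy["enabled_plugin_ids"] = set(HOST_DISCOVERY_PLUGINS)
    if scanner_os == "windows":
        policy["max_tcp_sessions_per_host"] = 19
    return policy


def validate_policy(policy, platform="tenable.sc", scanner_os="linux"):
    """Return findings; an empty list means the policy follows the page's rules."""
    findings = []
    hosts = policy["max_hosts_per_scan"]
    if platform == "tenable.sc" and hosts % 8:
        findings.append(f"max_hosts_per_scan={hosts} is not a multiple of 8; "
                        f"Tenable.sc scans in chunks of 8 (use {hosts - hosts % 8})")
    if scanner_os == "windows" and policy["max_tcp_sessions_per_host"] != 19:
        findings.append("Windows-based scanner: set max_tcp_sessions_per_host to 19 for accuracy")
    if policy.get("profile") == "host_discovery":
        licensed = set(policy.get("enabled_plugin_ids", ())) - set(HOST_DISCOVERY_PLUGINS)
        if licensed:
            findings.append(f"host discovery enables plugins outside Table 1: {sorted(licensed)}")
    if not policy["ping_remote_host"]:
        findings.append("ping disabled: every target IP is port-scanned whether alive or not; expect longer scans")
    if policy["port_scan_range"] == "1-65535" and not policy["udp_scan"]:
        findings.append("full port range without UDP; the Full Port Scan profile enables UDP")
    return findings


if __name__ == "__main__":
    for name in PROFILES:
        for os_name in ("linux", "windows"):
            pol = build_policy(name, scanner_os=os_name)
            print(f"{name}/{os_name}:", validate_policy(pol, scanner_os=os_name) or "ok")
```

The "ping disabled" finding is informational rather than an error: it is the intended behaviour of the Full Port Scan policy, and the check exists so that nobody disables ping in a policy meant for a large internal range without noticing the cost.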
