July 18, (Revision 3)

Transcription

1 3D Tool 2.0 User Guide July 18, 2011 (Revision 3) Copyright Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. The ProfessionalFeed is a trademark of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. Tenable Network Security, Inc Columbia Gateway Drive, Suite 100, Columbia, MD sales@tenable.com

2 Table of Contents Introduction... 3 Standards and Conventions... 4 Prerequisites... 4 Important Terms... 4 Topology... 4 Modifier... 4 Layout... 5 Architecture... 5 SecurityCenter Communication... 5 Installing the 3D Tool... 5 Upgrading... 5 Configuring the 3D Tool... 6 Configure SecurityCenter Queries... 6 Load CCD (Compiled Chart Data)... 6 Load DTA (Data Table File)... 6 Configure a New Topology... 7 Modifiers...13 Node Traits List...14 Connections List...20 Counts List...23 About Tenable Network Security...28 Introduction Copyright Tenable Network Security, Inc. 2

3 INTRODUCTION This document covers the installation and operation of Tenable s 3D Tool. Please share your comments and suggestions with us by ing them to support@tenable.com. A basic understanding of the SecurityCenter including types of vulnerabilities, asset lists, and Nessus traceroute scans is assumed. Tenable s 3D Tool is a Windows application that is used to query data from a SecurityCenter 4 server and present it in an interactive visual console to facilitate presentations and security analysis. Tenable developed the 3D Tool to help better communicate different types of information available in SecurityCenter, such as: > Nessus vulnerability data > Network topologies > PVS data, including passively discovered vulnerabilities, network connections and new network devices > Event data discovered and normalized by the Log Correlation Engine (LCE), including intrusion detection, firewall, netflow and syslog data Many people are visual learners, preferring to use images, colors and charts to organize information and communicate with others. The 3D Tool provides a mechanism to communicate large amounts of technical data in visual terms that are easier to understand than written text. Using three dimensions to visualize network topology is easier than using two dimensions. Most Tenable customers have routing networks that are sufficiently complex enough to clutter any 2D topology map. Using 3D provides a visual display of the network topology and events that is easier to understand and navigate interactively. The 3D Tool can be applied in a number of different ways depending on the requirements. The typical application is to install it on a desktop in a network that can access the SecurityCenter continuously so the data can be updated. However, once the data is loaded on the 3D Tool desktop, it no longer needs this connectivity. This enables managers and technical staff to examine security data from remote locations. The desktops that are used to run the 3D Tool will contain sensitive data from the SecurityCenter. It is assumed that these desktops will be secured from unauthorized access according to the organization s site security policy. The 3D Tool is available to all SecurityCenter customers and can be obtained from the Tenable Support Portal. For more information, please contact Tenable Support. The 3D Tool is available for all major Windows releases and works on most hardware platforms, although increased memory, multi-cpu and high-end graphic card configurations will greatly improve performance. Copyright Tenable Network Security, Inc. 3

4 Tenable has encountered some performance issues with dual monitor configurations with video chipsets that did not perform video acceleration for the second monitor. STANDARDS AND CONVENTIONS Throughout the documentation, filenames, daemons and executables are indicated with a courier bold font such as gunzip, httpd and /etc/passwd. Important notes and considerations are highlighted with this symbol and grey text boxes. Tips, examples and best practices are highlighted with this symbol and white on blue text. PREREQUISITES The 3D Tool operates on Microsoft Windows 7, Vista, XP, 2000, 2003 and The 3D Tool also requires one or more installed SecurityCenters with valid organizational login accounts to access data. 3D Tool users launch the application on their system and then use their SecurityCenter account to retrieve data. Retrieved data can be saved for access later, even if the SecurityCenter is not available. The 3D Tool does not require a specific license key, but users must agree to the Software License Agreement (SLA) before installation will proceed. Users can install multiple 3D Tools, each one of which can communicate with multiple SecurityCenters. Tenable has performed a variety of testing on different display resolutions. If you encounter a compatibility issue with your display, please contact Tenable support. IMPORTANT TERMS This document extensively uses 3D Tool-specific terms that are defined in this section to aid in fully understanding how to use the 3D Tool. Topology A topology is a saved configuration file (.ccd extension) that is a visual representation of the network layout with or without any applied modifiers and is based on a vulnerability query using the Detailed Vulnerability List analysis tool. There must be a SecurityCenter query that includes results from Nessus plugin (Traceroute) for a topology to be built. Topologies can be saved for later reuse, such as off-line situations where demonstrations are required. Modifier A modifier is a saved configuration file (.mld extension) that contains modifications to the visual attributes of the topology to highlight important host or event traits. For example, a modifier could be created that changes the icons displayed on all hosts that are running Copyright Tenable Network Security, Inc. 4

5 Linux. Groups of modifiers can be saved as modlists for convenience and then applied to a selected topology. Modlists expedite the process of loading previously saved custom topology configurations. Layout A layout is a saved configuration file (.vlo extension) that contains the current topology display based on the screen configuration. For example, it is possible to use the 3D Tool with five monitors and multiple split screens (e.g., two views per monitor). Loading a saved layout loads the previously saved display settings. ARCHITECTURE The 3D Tool architecture is based on the ability to query a complex network topology and create a graphic that is easy to understand at varying levels. It does so by directly querying SecurityCenter for event, vulnerability and asset data over port 443 (configurable) using a SecurityCenter organizational user s account. The 3D Tool is able to query all data available to that user using SecurityCenter predefined queries. Communications occur in a one-way data flow from SecurityCenter to the Windows 3D Tool host. Data displayed using the 3D Tool is saved to binary files for rapid reload. Saved data files from a topology can be transferred to any other host running the 3D Tool to facilitate presentations in off-line modes. SecurityCenter Communication The 3D Tool uses SSL certificates to communicate with SecurityCenter to perform queries. These SSL certificates can be verified using the 3D Tool user interface for authenticity to ensure the remote host is correct. Once data resides on the 3D Tool, connectivity to the SecurityCenter is no longer needed. It is only necessary to log in to the SecurityCenter to retrieve new data. INSTALLING THE 3D TOOL Follow these simple steps to install the 3D Tool on a Windows system: 1. Download the setup executable from the Tenable Support Portal located at: Confirm the integrity of the installation package by comparing the download md5 checksum with the one listed in the product release notes. 2. Run the installation program, named similar to 3D_Tool_2_x_x_x32.exe. 3. Click Next when prompted to install the Tenable 3D Tool v2 on your computer and click Install to begin the installation. The executable will launch the installer, prompt for an installation location and create a Tenable Network Security program group that contains a link to the 3D Tool application. No manual configuration is performed during the installation process. 4. Once installation is complete, the 3D Tool can be launched via a desktop shortcut or from the Tenable Network Security start menu. UPGRADING As newer versions of the 3D Tool become available, users can run the new.exe. The upgrade will maintain data from previous installations of the 3D Tool v2 and backup data from legacy installations of the 3D Tool v1.x. Although legacy data 3D Tool v1 data is backed up it is not available through the new installation. Copyright Tenable Network Security, Inc. 5

6 CONFIGURING THE 3D TOOL Click on the question mark icon in the upper right-hand corner of the user interface and drag it over any item that you are uncertain about to obtain more detailed information. CONFIGURE SECURITYCENTER QUERIES Before launching the 3D Tool, one or more custom queries that are used by the 3D Tool must be created on the SecurityCenter to perform two primary functions: 1. Generate the initial topology map vulnerability query based on plugin and the Detailed Vulnerability List analysis tool. When selecting a topology query from the main screen, only queries that match these criteria are shown. 2. Facilitate modifier creation queries based on either vulnerability or event data to modify the topology view (e.g., add custom icons based on Operating System). These queries are selected by clicking on Modifier and choosing the desired modifier. The list below provides available query types for each modifier that can be applied to the base topology: > Node Traits List Modifier Asset List, Vulnerability IP Summary, Events IP Summary > Connections List Modifier List of Events or Show Connections (uses Detailed Vulnerability List and PVS plugin ID 3) > Counts Modifier Vulnerability IP Summary or Events IP Summary The Modifiers section of this document provides more detail about the modifier creation process and specific query requirements. LOAD CCD (COMPILED CHART DATA) Choose this option to load a previously saved.ccd file. When a topology diagram is created, all of the data required to display and manage it is stored as a binary file. This.ccd file format is designed to allow the program to load the diagram quickly and to use less space in computer memory to represent a network topology and its associated data. LOAD DTA (DATA TABLE FILE) DTA files are not currently the native format used by the 3D Tool, and are currently required only at the direction of Tenable s Support team. They may also be used for future 3D Tool enhancement. Choose this option to make and load a new CCD (.ccd file extension) file from a.dta file. The 3D Tool is designed to accept data from multiple sources to use for its displays. The.dta file is an intermediate file format that is designed to store a wide variety of data standardized as an efficient source for various purposes. Copyright Tenable Network Security, Inc. 6

7 When you choose this option, the newly created.ccd file will have the same base name and location as the.dta file that you select. When a.dta file is created, it is saved for later use by functions of the 3D Tool that may be able to relate data across various presentation types from the same source. CONFIGURE A NEW TOPOLOGY Use the steps below to create and configure a new topology view: 1. Launch the 3D Tool interface by double-clicking on the desktop or start menu icon. Once launched, a screen similar to the one below is displayed. The top two configuration panes will automatically hide when not in use and can be displayed by clicking in the 3D Tool window towards the top of the visible area. The lower configuration pane contains several elements that can be used to assist with the configuration process: To the right of the configuration gear icon are two icons that determine whether the interface is displayed vertically or horizontally. If the display is split vertically, the resulting topology might look similar to the one below: Copyright Tenable Network Security, Inc. 7

8 In the same way, the display can be split horizontally numerous times to allow multiple 3D visualizations to be shown vertically. If a layout was previously created, click the arrow icon layout to use. Otherwise, click the gear icon next to the save icon in the upper pane and choose the to start the configuration process. Use the pin icon to keep the desired configuration pane open at all times. If at any point you want more information about a particular option, click on the question mark icon and drag it over the item that you wish to obtain more information about for a detailed description. 2. If not previously performed, select the SC4 Query section to enter a SecurityCenter login. This login data will be reused with subsequent accesses to retrieve updated data. Copyright Tenable Network Security, Inc. 8

9 Click the Manage Logins command button to enter a SC4 login that will be used to retrieve data. Complete all required fields similar to the screen capture below: A default login named Default Login will already exist. Double-click the name field to create your own login. Copyright Tenable Network Security, Inc. 9

10 After clicking on Test Login for the first time, a certificate warning is displayed. Assuming you trust the remote host, click through the warning to perform the login. 3. Once the test login has been successfully performed, click Done to save your new login and continue. The new login is now listed in the login dropdown box. If at any point you wish to view the certificate of the remote host after performing the first query, click View Cert to display the certificate of the remote host. 4. Click List Queries to retrieve a list of available queries from the remote SecurityCenter. The 3D Tool will now log into the SecurityCenter and retrieve a list of available queries. For a new topology to be built, the query type must be Vunerability, the analysis tool must be Detailed Vulnerability List, and there must be query results from Nessus plugin (Traceroute). Once completed, the Queries dropdown will appear similar to the following: Copyright Tenable Network Security, Inc. 10

11 5. Select the desired query and then click Query Now to continue. At this point you will be prompted to save a Compiled Chart File. 6. Enter the desired name for this file that is saved for later reuse and then click Create. Copyright Tenable Network Security, Inc. 11

12 Allow the records to complete processing and populate your new topology. Depending on the number of records, this process can take anywhere from several seconds to over an hour. Please allow adequate time for this process to complete. After the data has been retrieved, the topology screen is automatically populated, similar to the screen capture below: Copyright Tenable Network Security, Inc. 12

13 Notice in the display above that a cloud icon is displayed in the upper lefthand section of the user interface. This icon represents the public Internet with each of the dots surrounding it representing a particular public Class A subnet. This representation is useful to display connections to and from public Internet sites. 7. Use your mouse s right/left buttons and scroll button to move or rotate the display as desired. In addition, the arrow keys on the keyboard can be used to adjust the display. MODIFIERS Modifiers are options that can be applied to specialize or modify the topology display based on your unique needs. There are three available modifier types: Node Traits List, Connections List and Counts List. The Node Traits List modifier allows you to adjust host attributes such as color, shape, icon and vertical offset. The Connections List modifier visually displays connections using lines of varying height and source/destination color for contrast. The Counts List modifier displays counts of vulnerability and/or events per host with a vertical bar. Copyright Tenable Network Security, Inc. 13

14 Node Traits List As mentioned earlier, a Node Traits List is a modifier that is used to modify the host icon based on detected host attributes. For example, hosts can be assigned special icons based on the detected operating system. There are four types of connections list queries: Default, Asset List, Vuln IP Summary and Event IP Summary. These are the queries that must exist on the SecurityCenter for this modifier to obtain its data. The table below describes each of these queries in detail: Table 1: Nodes List Query Types Option Default Asset List Description Uses a query type of Vulnerability displayed with the IP Summary analysis tool. All records are requested. All asset lists are requested. Vuln IP Summary Event IP Summary Uses a query type of Vulnerability displayed with the IP Summary analysis tool. The query s filters are used. Uses a query type of Event displayed with the IP Summary analysis tool. The query s filters are used. Use the steps below to add a Node Traits List (host modifier). 1. Load the desired topology and click the Modifiers button at the top of the topology configuration screen below the title bar. A screen similar to the one below is displayed: Copyright Tenable Network Security, Inc. 14

15 2. Click New to add a new modifier. After selecting the desired modifier type, you are prompted to save a file that will contain the modifier definitions. Enter the desired name of this file and then click Create : Copyright Tenable Network Security, Inc. 15

16 3. Highlight the modifier in the list and click Edit and then Configure to add attributes. 4. A screen similar to the following is displayed: Copyright Tenable Network Security, Inc. 16

17 5. Use the login ( test in this case) created during the initial topology creation. 6. Under Query Type choose Asset List. 7. Choose List Queries and then select the desired query. In our case, the query name was OS Windows. Then click Perform Query to pull the assets that match this query on the remote SecurityCenter. After clicking Perform Query, you will be prompted to choose from a repository on the remote host that contains the desired host data. Either select Use all repositories, or individually select the desired repository. 8. For Trait Select choose Icon and then choose the default Windows icon. Copyright Tenable Network Security, Inc. 17

18 9. Click Done and a list of affected hosts is displayed. In addition to the display list, existing modifier lists can be updated by clicking on Update as shown in the screen capture below. Copyright Tenable Network Security, Inc. 18

19 10. Click Done again. Copyright Tenable Network Security, Inc. 19

20 Connections List A Connections List is used to modify the display based on detected events or PVS connection data. Events are connections from one host to another host at a specific point in time. Connection lines are displayed based on connection attributes such as source host, destination host and event query parameters. There are three types of connections list queries: Default, Show Connections and List of Events. These are the queries that must exist on the SecurityCenter for this modifier to obtain its data. The table below describes each of these queries including parameters that must be used to create them: Table 2: Connections List Query Types Option Default Description Uses a query type of Event displayed with the List of Events analysis tool. All records are requested. Copyright Tenable Network Security, Inc. 20

21 Show Connections This query is based on PVS connection records. Setting the appropriate filters is important with this query because PVS connection counts can be quite large and unfiltered can lead to a lengthy record download time. Uses a query type of Vulnerability with the Detailed Vulnerability List analysis tool. Only records based on PVS plugin ID 3 are displayed and the query s filters are also used. List of Events Uses a query type of Event displayed with the List of Events analysis tool. The query s filters are used. The example below displays all connections where the target port is 21 (FTP). The source portion of the line is displayed in red, while the destination of the connection is displayed in blue. Hovering the cursor over the source of one of these events displays the IP address of the source in the lower right-hand corner of the interface. Copyright Tenable Network Security, Inc. 21

22 Use the steps below to add a connections list similar to the one shown above. 1. Load the main topology screen and click the configure icon ( ) to begin the configuration process. 2. Next to the modifiers list, click New to create a new modifier and choose Connections List from the dropdown. 3. In the File box at the top of the screen, enter a descriptive name to be assigned the modifier and click Create. 4. Click Configure to start editing your new modifier. 5. The modifier edit screen looks similar to the screen capture below: Copyright Tenable Network Security, Inc. 22

23 6. In this example, we have used our main login named SC4 under Manage Logins. We then clicked on List Queries to display all available queries of this type. The chosen query (FTP Events) was created to only show events whose target port is port 21. After clicking on Perform Query we were prompted to select the repository from which the data will be obtained. This helps narrow down the data retrieval location. 7. For event source color, destination color and line height, we chose display options that would help us readily differentiate the source from the destination of the event. The Line Height and Lines drawn above layout options affect the manner in which the connection lines are drawn. Since the display is a 3D display that can be rotated, edit these options to help the user best understand the underlying data source events. 8. Click Done to display a list of affected hosts and then click Done again to display the topology with the new modifier elements. Counts List The Counts List modifier is used to demonstrate counts of events or vulnerabilities per host using a bar representation per host. The display below is a topology view containing a counts list modifier that visualized hosts with critical vulnerabilities by using a red bar. The longer the bar, the more critical vulnerabilities were found in the query parameters. There are three types of counts list queries: Default, Vuln IP Summary and Event IP Summary. These are the queries that must exist on the SecurityCenter for this modifier to obtain its data. The table below describes each of these queries in detail: Table 3: Counts List Query Types Copyright Tenable Network Security, Inc. 23

24 Option Default Vuln IP Summary Event IP Summary Description Uses a query type of Vulnerability displayed with the IP Summary analysis tool. All records are requested. Uses a query type of Vulnerability with the IP Summary analysis tool. The query s filters are used. Uses a query type of Event displayed with the IP Summary analysis tool. The query s filters are used. The screen capture below contains a sample counts list display view: Use the steps below to add a counts list modifier similar to the one shown above. 1. Load the main topology screen and click the configure icon ( ) to begin the configuration process. Copyright Tenable Network Security, Inc. 24

25 2. Next to the modifiers list, click New to create a new modifier and choose Counts List from the dropdown. 3. In the File box at the top of the screen, enter a descriptive name to be assigned the modifier and click Create. 4. Select the new modifier from the list of modifiers and click Edit and then Configure to begin the configuration process. 5. In this example, we have used our main login named SC4 under Manage Logins. We then clicked List Queries to display all available queries of this type. The chosen query (Critical Vulns) was created to only show only critical vulnerabilities. After clicking Perform Query we were prompted to select the repository from which the data will be obtained. This helps narrow down the data retrieval source. Use the table below to help understand the various bar configuration options: Table 2: Counts List Bar Configuration Options Option Which Bar Bar Color Description Every node icon in a diagram has four places above and four places below to host a count line. This dropdown list specifies where the bar will be displayed on the icon. Click on the color swatch to specify the bar color. Copyright Tenable Network Security, Inc. 25

26 To draw colors based on the values, you could break the source data (queries) up into value regions (such as severities), and make a separate modifier for each. This would allow you to set the color separately for each value region. Max Bar Height Height Relative To Min Clamp This is the amount of vertical diagram space the lines of this modifier are permitted to consume. All of the returned values are spread out evenly across the display space. The smallest value will have no relative height, and the greatest value will have the full height of this setting. This setting specifies which of the count modifiers will share the same vertical space as this modifier. All of the values from all of the modifiers that are related this way will have the same scaling applied to the values, so they can be visually compared to each other. After all of the calculations to determine the height of the line have been performed, this value is the minimum line height permitted. This is useful where the minimum value must be a small stub of a line, rather than no line. Max Clamp After all of the calculations to determine the height of the line have been performed, this value is the maximum line height allowed to be displayed. This is useful where some values of the data set are too large to be useful relative to others. Value Distribution This setting allows you to modify the bar for displays with a large range of values. For example, in some cases there may be numerous bars with values < 10 and a single bar with a count of 9,000 (e.g., vulnerabilities). In a case like this, displaying the bars in a linear fashion would make the bars with low values hard to see and make it very difficult to represent low-end value differences. To better represent the low-end differences, change to a Cubed Top Compressed view (described below), which will compress values at the top end and spread out low end values (e.g., counts between zero and ten). Selection descriptions: 1. Linear Use this when the relationships between the values have about the same level of concern at the top end as those at the bottom end. 2. Squared Top Compressed This is used when the values at the bottom end should show their differences more than those at the top end. 3. Cubed Top Compressed This is similar to item two, Copyright Tenable Network Security, Inc. 26

27 but the values are spread out even more at the bottom end and compressed even more at the top end. 4. Squared Bottom Compressed This is used when the values at the top end should demonstrate their differences more than those at the bottom end. 5. Cubed Bottom Compressed This is similar to item four, but the values are spread out even more at the top end, and compressed even more at the bottom end. 6. Click Done and a list of affected hosts is displayed. 7. Repeat the steps for High and Medium vulnerability hosts choosing a different bar color and Which Bar value for each and then click Done again to display the topology with the new modifier elements. Copyright Tenable Network Security, Inc. 27

28 ABOUT TENABLE NETWORK SECURITY Tenable Network Security, the leader in Unified Security Monitoring, is the source of the Nessus vulnerability scanner and the creator of enterprise-class, agentless solutions for the continuous monitoring of vulnerabilities, configuration weaknesses, data leakage, log management and compromise detection to help ensure network security and FDCC, FISMA, SANS CAG and PCI compliance. Tenable s award-winning products are utilized by many Global 2000 organizations and Government agencies to proactively minimize network risk. For more information, please visit Tenable Network Security, Inc Columbia Gateway Drive Suite 100 Columbia, MD Copyright Tenable Network Security, Inc. 28