Discovery

Building a Baseline Inventory - Overview
01 Manual Certificate Import: Manual Certificate Records (LoB Operations, Finance)
02 CA Import & Bulk Certificate Import: CA Exports (External CA Export, Internal MS CA Export)
03 Network Discovery: Leverage Vulnerability Assessment Results (Targeted Queries)
04 Agent Discovery: Agent Discovery Queries
Network Discovery - Overview
- Locates certificates used in SSL/TLS connections on accessible network ports
- Uses a protocol-compliant approach to scanning: attempts a TCP 3-way handshake and then an SSL handshake
- Doesn't use protocol tricks like other vulnerability scanners, so non-responding hosts / ports must wait for timeouts
- Each engine is able to scan about 800k ports / hr (12 IP addresses x 65536 ports = 786,432 total ports)

Network Discovery - Targeting
- Leverage Vulnerability Assessments (scans) to provide targeted Network Discovery information
- Review the hosts & ports where certificates may be found
- Manual translation into TPP is required; there isn't an import function
Network Discovery Targeting Strategies - Targeting IPs and Ports
Use information gleaned from vulnerability assessments.
- Pros: Fast, scan only known ports
- Cons: Will never find a newly stood-up server; requires constant tweaking / resetting from vulnerability assessments

Network Discovery Targeting Strategies - Targeted Ports / Full Subnets
Use port information from vulnerability assessments, but scan whole IP subnets.
- Pros: Targeted to find common ports that may have certificates. Less administrative maintenance. Will find new servers being stood up in the environment.
- Cons: Slower than more focused scans. Still requires occasional review of targeted IP subnets and ports.

Network Discovery Targeting Strategies - Full Discovery (All IPs & All Ports)
- Pros: Ensures a complete discovery of the whole environment.
- Cons: Slow. May not be practical for every environment. Could require a lot of extra scanning engine resources and/or firewall rules. Very slow: leveraging the Venafi Server agent may be the only practical way to achieve full discovery in a reasonable timeframe.

Network Discovery Planning & Architecture
- Network topology and access control rules define the number of dedicated TPP scanning engine(s) needed to conduct Network Discovery in all zones.
- Network zones should map to the Devices & Apps folder in TPP.
- Best Practice: Create a separate Network Discovery job for each zone to be scanned. This allows the proper assignment of Certificate & Device Placement rules.
Discovery Placement Rules
Placement Rules correspond directly to the policy folder structure created under the _Discovered folder. Create the folder structure before building placement rules:
- Default Vendor Issued Certificates: PS maintains a list of typically encountered vendor certificates.
- Known Issuers (e.g. Symantec and Internal CA): Define additional rules to refine the sort using certificate properties, and place into dedicated ownership folders within the \VED\Policy\Certificates folder structure!
- Self-Signed Certificates
- Unknown / Other
Note: Placement rules are used for both Network and Agent certificate discovery work.

Discovery Placement Rules
- Duplicate placement rules for each separate network zone that will be scanned.
- Device placement is tied to certificate placement rules. Devices must be placed appropriately within the policy tree to ensure that validation functions.
- Validation & Provisioning use engine-based partitioning in the Policy Tree, vs. Discovery Zones assignment on the engine itself.

Discovery Placement Rules
To match common vendor default certificates that are encountered and place them in the Default Vendor Issued folder, PS has crafted a regular expression that can be used to match the vast majority of discovered vendor certificates.

Discovery Placement Rules
It's also necessary to create a catch-all rule for each network zone. This rule is configured to match any certificate found, and controls the placement of the device object. The "if no rules apply" setting on the Discovery job does not allow placement of devices to be specified!
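The rule ordering the slides describe (vendor defaults, known issuers, self-signed, then a per-zone catch-all that decides device placement), as an added Python model that is not TPP's own rule engine. The vendor issuer pattern, folder names and the Devices path are constructed assumptions; PS's actual regular expression is not reproduced here.

```python
import re
from dataclasses import dataclass

# Constructed folder layout mirroring the _Discovered structure on the slides.
DISCOVERED = r"\VED\Policy\_Discovered"
DEVICES = r"\VED\Policy\Devices"  # assumed per-zone device folders live here
FOLDERS = {
    "vendor": DISCOVERED + r"\Default Vendor Issued Certificates",
    "known": DISCOVERED + r"\Known Issuers",
    "self": DISCOVERED + r"\Self-Signed Certificates",
    "other": DISCOVERED + r"\Unknown - Other",
}

# Illustrative vendor-default issuer pattern (constructed; NOT the PS regex).
VENDOR_ISSUER_RE = re.compile(r"(VMware|Cisco|Fortinet|iDRAC|iLO|Palo Alto)", re.I)
KNOWN_ISSUERS = ("Symantec", "Internal CA")  # the two examples named on the slide


@dataclass
class DiscoveredCert:
    subject: str
    issuer: str
    zone: str  # network zone of the discovery job / agent group that found it


def place(cert):
    """Evaluate rules in order and return (certificate folder, device folder).

    Vendor defaults are checked before the self-signed rule because most
    vendor default certificates are themselves self-signed.
    """
    if VENDOR_ISSUER_RE.search(cert.issuer):
        folder = FOLDERS["vendor"]
    elif any(k in cert.issuer for k in KNOWN_ISSUERS):
        folder = FOLDERS["known"]
    elif cert.subject == cert.issuer:
        folder = FOLDERS["self"]
    else:
        folder = FOLDERS["other"]
    # Catch-all rule: every certificate, whatever folder it sorted into, gets
    # its device placed in the zone's folder, because the job's
    # "if no rules apply" setting cannot place devices.
    device_folder = DEVICES + "\\" + cert.zone
    return folder, device_folder
```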
Network Discovery Assigning Placement Rules
Agent Discovery - Overview
- Agents can discover certificates not accessible over the network: client authentication certificates, truststore certificates and bundles
- Discovery can be performed on a more frequent (daily) basis
- Discovered certificates are pushed to the TPP server using a single port (443), dramatically reducing: firewall requirements; and the number of additional engines required for discovery

Agent Discovery
Agent Groups should be configured to follow the same zoning to ensure proper placement of devices as well!
- Use Membership Criteria and "IP in x.x.x.x" to align with network zones.
Agent Discovery Agents use the same Certificate Placement Rules as Network Discovery!
Discovery - Scheduling
Security best practice would call for Discovery every night, though that may not be practical based on the size and scope of the network. In this case an Agent deployment is the best option!
Evaluate the results of those scans as quickly as possible. Use judgment based upon empirical evidence observed during the initial scans:
- If it's reasonable that all scans could be performed in that environment every two weeks, that should be the recommendation.
- If only critical server zones can be completed in that reasonable time, schedule those for more frequent runs.

Discovery - Scheduling
Regardless of the schedule, best practice would dictate that Network Discovery jobs are scheduled:
- A recurring schedule is decided upon
- Standing change control tickets are established
- The scans are performed using the scheduler, not started manually

Discovery - Analyze Results
- Certificates that expire very soon (within days)
- Weak key lengths, especially in production or internet-facing systems
- Deprecated algorithms
- Certificates from Known Issuers without ownership assigned

Discovery - Analyze Results
- ISSUERS! (Especially ones that are not normal)
- Certificates that don't expire in a secure fashion (20 years plus)
- Self-signed certificates
- Same certificate installed on multiple systems (1 certificate across hundreds of systems)
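The review checklist from the two Analyze Results slides, as an added Python triage pass over a discovery export; this is an illustration, not a TPP report or API. The inventory rows, the 2048-bit weak-key threshold and the three-host "shared" threshold are constructed assumptions; the 20-year validity limit comes from the slide.

```python
from collections import defaultdict
from datetime import date, timedelta

KNOWN_ISSUERS = ("Internal CA", "Symantec")  # examples named on the slides
DEPRECATED_ALGS = {"md5", "sha1"}
MIN_KEY_BITS = 2048          # assumed threshold for a "weak" key
LONG_VALIDITY_YEARS = 20     # slide: "20 years plus"
SHARED_HOST_THRESHOLD = 3    # constructed: flag a cert seen on this many hosts

# Constructed sample inventory: one row per certificate installation found by
# discovery, keyed by certificate fingerprint ("fp").
INVENTORY = [
    {"fp": "A1", "host": "web1", "subject": "CN=web1", "issuer": "CN=Internal CA",
     "key_bits": 2048, "sig_alg": "sha256", "not_before": date(2023, 1, 1),
     "not_after": date(2024, 1, 9), "owner": None},
    {"fp": "B2", "host": "switch7", "subject": "CN=switch7", "issuer": "CN=switch7",
     "key_bits": 1024, "sig_alg": "sha1", "not_before": date(2010, 1, 1),
     "not_after": date(2040, 1, 1), "owner": None},
    *[{"fp": "C3", "host": f"app{i}", "subject": "CN=*.corp", "issuer": "CN=Symantec",
       "key_bits": 2048, "sig_alg": "sha256", "not_before": date(2022, 6, 1),
       "not_after": date(2025, 6, 1), "owner": "LoB Apps"} for i in range(3)],
]


def triage(inventory, today, expiry_days=7):
    """Apply the slides' checks; returns finding name -> sorted fingerprints."""
    findings = defaultdict(set)
    hosts_by_fp = defaultdict(set)
    for c in inventory:
        fp = c["fp"]
        hosts_by_fp[fp].add(c["host"])
        if c["not_after"] <= today + timedelta(days=expiry_days):
            findings["expiring_soon"].add(fp)
        if c["key_bits"] < MIN_KEY_BITS:
            findings["weak_key"].add(fp)
        if c["sig_alg"].lower() in DEPRECATED_ALGS:
            findings["deprecated_algorithm"].add(fp)
        if (c["not_after"] - c["not_before"]).days > LONG_VALIDITY_YEARS * 365:
            findings["excessive_validity"].add(fp)
        if c["subject"] == c["issuer"]:
            findings["self_signed"].add(fp)
        if c["owner"] is None and any(k in c["issuer"] for k in KNOWN_ISSUERS):
            findings["known_issuer_no_owner"].add(fp)
    # Same certificate across many systems is only visible after grouping rows.
    for fp, hosts in hosts_by_fp.items():
        if len(hosts) >= SHARED_HOST_THRESHOLD:
            findings["shared_across_hosts"].add(fp)
    return {k: sorted(v) for k, v in findings.items()}
```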
Lab
Complete Lab: VTIS Discovery Placement Rules
Time: 20 minutes
View labs, slides, and other resources: https://training.venafi.com/