Discovery


Building a Baseline Inventory - Overview (slide diagram)
The diagram shows four numbered inventory sources: 01 Manual Certificate Import, 02 CA Import & Bulk Certificate Import, 03 Network Discovery (leverage vulnerability assessment results via targeted queries), 04 Agent Discovery (vtpp Agent Discovery queries).
Other labels in the diagram: Manual Certificate Records; CA Exports (External CA Export, Internal MS CA Export); LoB (Operations, Finance).

Network Discovery - Overview
Locates certificates used in SSL/TLS connections on accessible network ports.
Uses a protocol-compliant approach to scanning: it attempts a TCP 3-way handshake and then an SSL handshake, and doesn't use protocol tricks like other vulnerability scanners. Non-responding hosts / ports must therefore wait for timeouts.
Each engine is able to scan about 800k ports / hr (12 IP addresses x 65536 ports = 786,432 total ports).

Network Discovery - Targeting
Leverage vulnerability assessments (scans) to provide targeted Network Discovery information: review the hosts & ports where certificates may be found. Translation into TPP is manual; there isn't an import function.

Network Discovery Targeting Strategies: Targeted IPs and Ports
Use information gleaned from vulnerability assessments.
Pros: Fast; scans only known ports.
Cons: Will never find a newly stood-up server; requires constant tweaking / resetting from vulnerability assessments.

Network Discovery Targeting Strategies: Targeted Ports / Full Subnets
Use port information from vulnerability assessments, but scan whole IP subnets.
Pros: Targeted to find the common ports that may have certificates. Less administrative maintenance. Will find new servers being stood up in the environment.
Cons: Slower than more focused scans. Still requires occasional review of the targeted IP subnets and ports.

Network Discovery Targeting Strategies: Full Discovery (All IPs & All Ports)
Pros: Ensures a complete discovery of the whole environment.
Cons: Slow; may not be practical for every environment. Could require a lot of extra scanning engine resources and/or firewall rules. Very slow: leveraging the Venafi Server Agent may be the only practical way to achieve full discovery in a reasonable timeframe.
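As an added worked example (not from the Venafi deck), the following Python sizes each of the three targeting strategies at the deck's figure of about 800k ports per hour per engine and works out how many engines a job needs to fit a scan window. The target ranges, the TLS port list and the 8-hour window are constructed sample values.

```python
import ipaddress
import math

# Throughput figure quoted in the deck: one scanning engine covers roughly 800k ports per hour.
PORTS_PER_ENGINE_HOUR = 800_000
FULL_PORT_RANGE = 65_536  # ports 0-65535, as in the deck's "12 IPs x 65536 ports" arithmetic

def host_count(targets):
    """Number of addresses in a list of single IPs and/or CIDR networks."""
    return sum(ipaddress.ip_network(t, strict=False).num_addresses for t in targets)

def port_count(targets, ports=None):
    """Ports a job must touch: hosts x ports (every port when ports is None)."""
    per_host = FULL_PORT_RANGE if ports is None else len(set(ports))
    return host_count(targets) * per_host

def estimate_hours(targets, ports=None, engines=1):
    """Wall-clock hours for the job spread evenly over the given number of engines
    (worst case in the deck's terms: every silent port waits out its timeout)."""
    return port_count(targets, ports) / (PORTS_PER_ENGINE_HOUR * engines)

def engines_for_window(targets, ports=None, window_hours=8.0):
    """Smallest number of engines that finishes the job inside one scan window."""
    return max(1, math.ceil(port_count(targets, ports) / (PORTS_PER_ENGINE_HOUR * window_hours)))

# Constructed sample targets (RFC 5737 / RFC 1918 space) and common TLS listener ports.
KNOWN_HOSTS = ["192.0.2.%d" % i for i in range(1, 13)]   # 12 hosts taken from a VA report
TLS_PORTS = [443, 8443, 636, 993, 465]                    # ports where certificates usually live
SUBNET = ["192.0.2.0/24"]                                 # whole subnet, targeted ports only
WHOLE_ZONE = ["10.0.0.0/16"]                              # full discovery of a network zone

def compare_strategies():
    """Return {strategy: (ports to scan, hours on a single engine)} for the deck's three strategies."""
    return {
        "targeted IPs and ports": (port_count(KNOWN_HOSTS, TLS_PORTS), estimate_hours(KNOWN_HOSTS, TLS_PORTS)),
        "targeted ports, full subnet": (port_count(SUBNET, TLS_PORTS), estimate_hours(SUBNET, TLS_PORTS)),
        "full discovery": (port_count(WHOLE_ZONE), estimate_hours(WHOLE_ZONE)),
    }

if __name__ == "__main__":
    for name, (ports, hours) in compare_strategies().items():
        print("%-28s %12d ports  %10.2f h" % (name, ports, hours))
    print("engines needed for an 8h window on the whole zone:", engines_for_window(WHOLE_ZONE))
```

The full-discovery row is what makes the deck's "very slow" verdict concrete: a single /16 at every port is several thousand engine-hours, which is why the agent is recommended for complete coverage.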

Network Discovery Planning & Architecture
Network topology and access control rules define the number of dedicated TPP scanning engine(s) needed to conduct Network Discovery in all zones. Network zones should map to the Devices & Apps folder in TPP.
Best Practice: Create a separate Network Discovery job for each zone to be scanned. This allows the proper assignment of Certificate & Device Placement rules.

Discovery Placement Rules
Placement Rules correspond directly to the policy folder structure created under the _Discovered folder. Create the folder structure before building placement rules. Folders shown on the slide: Default Vendor Issuer Certificates, Known Issuers (e.g. Symantec and Internal CA), Self-Signed Certificates, Unknown / Other.
Default Vendor Issuer Certificates: PS maintains a list of typically encountered vendor certificates.
Known Issuers: define additional rules to refine the sort using certificate properties, and place the certificates into dedicated ownership folders within the \VED\Policy\Certificates folder structure!
Note: Placement rules are used for both Network and Agent certificate discovery work.

Discovery Placement Rules
Duplicate the placement rules for each separate network zone that will be scanned. Device placement is tied to certificate placement rules: devices must be placed appropriately within the policy tree to ensure that validation functions. Validation & Provisioning use engine-based partitioning in the Policy Tree, whereas Discovery uses zone assignment on the engine itself.

Discovery Placement Rules
To match the common vendor default certificates that are encountered and place them in the Default Vendor Issued folder, PS has crafted a regular expression that can be used to match the vast majority of discovered vendor certificates.

Discovery Placement Rules
It's also necessary to create a catch-all rule for each network zone. This rule is configured to match any certificate found, and it controls the placement of the device object. The "if no rules apply" setting on the Discovery job does not allow the placement of devices to be specified!
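An added model (not TPP's rule engine and not the PS-maintained expression) of how an ordered rule set sorts discovered certificates into the _Discovered folders described above, and of why each zone needs its own catch-all: in this model only the catch-all carries a device folder, so dropping it leaves the device unplaced. The vendor-default pattern and the folder paths are assumed sample values.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed folder paths mirroring the deck's layout: certificates under _Discovered, devices per zone.
DISCOVERED = r"\VED\Policy\_Discovered"
DEVICES = r"\VED\Policy\Devices"
KNOWN_ISSUERS = ("Symantec", "Internal CA")  # the deck's examples of known issuers
# Illustrative stand-in for the PS vendor-default expression (constructed for this example).
VENDOR_DEFAULT = re.compile(r"(?i)\b(localhost|default|appliance)\b")

@dataclass
class Cert:
    subject: str
    issuer: str

@dataclass
class Rule:
    name: str
    matches: Callable[[Cert], bool]
    cert_folder: str
    device_folder: Optional[str] = None  # only the zone catch-all sets this

def build_rules(zone: str):
    """Ordered rules for one discovery zone: most specific first, catch-all last."""
    return [
        Rule("vendor default", lambda c: bool(VENDOR_DEFAULT.search(c.issuer)),
             DISCOVERED + r"\Default Vendor Issuer Certificates"),
        Rule("known issuer", lambda c: any(k in c.issuer for k in KNOWN_ISSUERS),
             DISCOVERED + r"\Known Issuers"),
        Rule("self-signed", lambda c: c.subject == c.issuer,
             DISCOVERED + r"\Self-Signed Certificates"),
        Rule("catch-all " + zone, lambda c: True,
             DISCOVERED + r"\Unknown / Other", DEVICES + "\\" + zone),
    ]

def place(cert: Cert, rules):
    """First matching rule picks the certificate folder; the first matching rule that
    names a device folder places the device. With no catch-all the device folder stays
    None, which is the gap the deck warns about."""
    cert_folder = device_folder = None
    for r in rules:
        if not r.matches(cert):
            continue
        if cert_folder is None:
            cert_folder = r.cert_folder
        if device_folder is None and r.device_folder:
            device_folder = r.device_folder
    return cert_folder, device_folder
```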

Network Discovery Assigning Placement Rules

Agent Discovery - Overview
Agents can discover certificates not accessible over the network: client authentication certificates, truststore certificates and bundles. Discovery can be performed on a more frequent (daily) basis. Discovered certificates are pushed to the TPP server using a single port (443), dramatically reducing firewall requirements and the number of additional engines required for discovery.

Agent Discovery
Agent Groups should be configured to follow the same zoning to ensure proper placement of devices as well! Use Membership Criteria and "IP in x.x.x.x" to align with network zones.

Agent Discovery
Agents use the same Certificate Placement Rules as Network Discovery!

Discovery - Scheduling
Security best practice would call for Discovery every night, though that may not be practical based on the size and scope of the network; in this case an Agent deployment is the best option! Evaluate the results of the initial scans as quickly as possible and use judgment based upon the empirical evidence observed: if it's reasonable that all scans could be performed in that environment every two weeks, that should be the recommendation; if only critical server zones can be completed in that reasonable time, schedule those for more frequent runs.

Discovery - Scheduling
Regardless of the schedule, best practice would dictate that Network Discovery jobs are scheduled: a recurring schedule is decided upon, standing change control tickets are established, and the scans are performed using the scheduler, not started manually.

Discovery - Analyze Results
Certificates that expire very soon (within days). Weak key lengths, especially in production or internet-facing systems. Deprecated algorithms. Certificates from Known Issuers without ownership assigned.

Discovery - Analyze Results
ISSUERS! (Especially ones that are not normal.) Certificates that don't expire in a secure fashion (20 years plus). Self-signed certificates. The same certificate installed on multiple systems (1 certificate across hundreds of systems).
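The two review checklists above as an added script (not from the deck): it runs the criteria over constructed sample discovery records and groups identical fingerprints to spot one certificate reused across systems. The numeric thresholds, the known-issuer list and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Review thresholds for the deck's checklist; the exact cutoffs are assumptions.
EXPIRY_DAYS = 14                                 # "expires very soon (within days)"
MIN_RSA_BITS = 2048                              # anything shorter is a weak key length
DEPRECATED_SIG = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
MAX_VALIDITY_DAYS = 20 * 365                     # "don't expire in a secure fashion (20 years plus)"
KNOWN_ISSUERS = ("Symantec", "Internal CA")      # the deck's known-issuer examples

def review(certs, today):
    """certs: discovery records as dicts (host, fingerprint, subject, issuer, key_bits,
    sig_alg, not_before, not_after, owner). Returns a list of (host, finding) pairs."""
    findings = []
    hosts_by_fp = defaultdict(set)
    for c in certs:
        hosts_by_fp[c["fingerprint"]].add(c["host"])
        issues = []
        if c["not_after"] - today <= timedelta(days=EXPIRY_DAYS):
            issues.append("expires within %d days" % EXPIRY_DAYS)
        if c["key_bits"] < MIN_RSA_BITS:
            issues.append("weak key length %d" % c["key_bits"])
        if c["sig_alg"] in DEPRECATED_SIG:
            issues.append("deprecated algorithm " + c["sig_alg"])
        if (c["not_after"] - c["not_before"]).days > MAX_VALIDITY_DAYS:
            issues.append("validity over 20 years")
        if c["subject"] == c["issuer"]:
            issues.append("self-signed")
        elif any(k in c["issuer"] for k in KNOWN_ISSUERS) and not c.get("owner"):
            issues.append("known issuer without ownership assigned")
        findings.extend((c["host"], i) for i in issues)
    # One fingerprint seen on several hosts is one certificate copied across systems.
    for hosts in hosts_by_fp.values():
        if len(hosts) > 1:
            findings.extend((h, "same certificate on %d systems" % len(hosts)) for h in sorted(hosts))
    return findings

# Constructed sample discovery output (fingerprints are placeholders, not real values).
SAMPLE = [
    {"host": "web01", "fingerprint": "FP-0001", "subject": "CN=web01.example.com",
     "issuer": "CN=Internal CA, O=Example", "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2023, 1, 22), "not_after": date(2024, 1, 22), "owner": None},
    {"host": "app01", "fingerprint": "FP-0002", "subject": "CN=appliance", "issuer": "CN=appliance",
     "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption",
     "not_before": date(2005, 6, 1), "not_after": date(2030, 6, 1), "owner": "ops"},
]
SAMPLE.append(dict(SAMPLE[1], host="app02"))  # the same appliance cert copied to a second system

def review_sample():
    """Run the review as of a fixed date so the findings are reproducible."""
    return review(SAMPLE, today=date(2024, 1, 15))
```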

Lab: Complete Lab VTIS Discovery Placement Rules. Time: 20 minutes.
View labs, slides, and other resources: https://training.venafi.com/