Configuring Vulnerability Assessment Devices

Similar documents
ACS 5.x: LDAP Server Configuration Example

ForeScout Extended Module for Qualys VM

Host Identity Sources

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Configuring Antivirus Devices

Security Manager Policy Table Lookup from a MARS Event

Qualys Cloud Platform (VM, PC) v8.x Release Notes

Configuring Network-based IDS and IPS Devices

Troubleshooting Cisco DCNM

Using the SSM Administration Console

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

Integration Guide. LoginTC

File Reputation Filtering and File Analysis

Qualys Cloud Platform (VM, PC) v8.x Release Notes

Managing External Identity Sources

Realms and Identity Policies

Risk Intelligence. Quick Start Guide - Data Breach Risk

OPC UA Configuration Manager PTC Inc. All Rights Reserved.

Securing CS-MARS C H A P T E R

Data Sources. Data Sources Page

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Deploy the ExtraHop Discover 3100, 6100, 8100, or 9100 Appliances

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

vrealize Orchestrator Load Balancing

Remote Support Security Provider Integration: RADIUS Server

Equitrac Integrated for Konica Minolta. Setup Guide Equitrac Corporation

Data Sources. Data Sources page

ForeScout CounterACT. Controller Plugin. Configuration Guide. Version 1.0

Equitrac Integrated for Océ

Community Edition Getting Started Guide. July 25, 2018

Configure the Cisco DNA Center Appliance

OPC UA Configuration Manager Help 2010 Kepware Technologies

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

Licensing the Firepower System

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

LDAP/AD v1.0 User Guide

VI. Corente Services Client

IBM Security QRadar. Vulnerability Assessment Configuration Guide. January 2019 IBM

Frequently Asked Questions About Performance Monitor

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication

FireSIGHT Qualys Connector Configuration Guide

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Using Trend Reports. Understanding Reporting Options CHAPTER

Security Provider Integration RADIUS Server

Configure WSA to Upload Log Files to CTA System

CHAPTER 7 ADVANCED ADMINISTRATION PC

Sending Alerts and Incident Notifications

How to Configure Authentication and Access Control (AAA)

Integrated for Océ Setup Guide

Step 3 - How to Configure Basic System Settings

ForeScout CounterACT. Assessment Engine. Configuration Guide. Version 1.0

Installation Procedure Windows 2000 with Internet Explorer 5.x & 6.0

Configuring the SMA 500v Virtual Appliance

The following sections describe the various menu options.

Detector Service Delivery System (SDS) Version 3.0

Clientless SSL VPN End User Set-up

Install and Configure the TS Agent

Using CSC SSM with Trend Micro Damage Cleanup Services

Network Discovery Policies

ForeScout Extended Module for Carbon Black

VII. Corente Services SSL Client

Outlook 2010 Exchange Setup Guide

VMware AirWatch Certificate Authentication for EAS with ADCS

Tenable.sc-Tenable.io Upgrade Assistant Guide, Version 2.0. Last Revised: January 16, 2019

Installation Procedure Windows NT with Netscape 4.x

Configure WSA to Upload Log Files to CTA System

ForeScout CounterACT. Configuration Guide. Version 4.1

ForeScout Extended Module for VMware AirWatch MDM

SOHO 6 Wireless Installation Procedure Windows XP with Internet Explorer 5.x & 6.0

Tenable.io for Thycotic

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version

Digi Remote Manager. User Guide

Product overview. McAfee Web Protection Hybrid Integration Guide. Overview

NetScaler Analysis and Reporting. Goliath for NetScaler Installation Guide v4.0 For Deployment on VMware ESX/ESXi

Equitrac Integrated for Konica Minolta

Using ANM With Virtual Data Centers

ForeScout Extended Module for ServiceNow

Deploy the ExtraHop Discover Appliance 1100

ForeScout Extended Module for Palo Alto Networks Next Generation Firewall

Configuring Cisco TelePresence Manager

Configuring Cisco Unified Presence for Integration with Microsoft Exchange Server

Setting Up the Sensor

CLI users are not listed on the Cisco Prime Collaboration User Management page.

ForeScout Extended Module for Symantec Endpoint Protection

Deploying the hybrid solution

Product Guide. McAfee Plugins for Microsoft Threat Management Gateway Software

Boot Attestation Service 3.0.0

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

MS Exchange Scheduling

Integration Guide. Auvik

Unified-E App Manager

Sourcefire 3D System. Qualys Connector Guide. Version 1.0.1

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Managing GSS Devices from the GUI

Installing and Configuring vcenter Multi-Hypervisor Manager

Offline Scanner Appliance

Troubleshooting Guide ir Advance Series

How to assign an IP address and access your device

Transcription:

CHAPTER 10 Revised: November 10, 2007 Vulnerability assessment (VA) devices provide MARS with valuable information about many of the possible targets of attacks and threats. They provide information useful for accurately assessing false positives. This information includes the operating system (OS) running on a host, the patch level of the OS, the type of applications running on the host, as well as detailed logs about the activities occurring on that host. Note When a vulnerability assessment device is deleted from the MARS web interface, its corresponding vulnerabilities and open ports are not immediately removed from the MARS database. MARS continues to use this event information for false positive analysis until a successful vulnerability assessment import occurs. Upon completion of the new import, the historical event information associated with the deleted device is removed from the database. This chapter explains how to bootstrap and add the following VA devices to MARS: Foundstone FoundScan 3.0, page 10-1 eeye REM 1.0, page 10-3 Qualys QualysGuard Devices, page 10-6 Foundstone FoundScan 3.0 To configure MARS to pull data from FoundScan, you must perform three tasks: Configure Foundstone FoundScan to correlate the required data, ensuring that the data is current. Add the Foundstone FoundScan server to MARS using the web interface. Schedule the interval at which the Foundstone FoundScan server data is pulled by MARS. This section contains the following topics: Configure FoundScan to Generate Required Data, page 10-2 Add and Configure a FoundScan Device in MARS, page 10-2 10-1

Foundstone FoundScan 3.0 Chapter 10 Configure FoundScan to Generate Required Data To configure FoundScan to provide data to MARS, follow these steps: Run command svrnetcn at the DOS prompt on the host where FoundScan is installed. In the SQL Server Network Utility dialog box, enable TCP/IP by moving TCP/IP from the Disabled Protocols list to Enabled Protocols list. Step 4 Verify that the Force protocol encryption checkbox is cleared. Add and Configure a FoundScan Device in MARS To add a FoundScan device in MARS, follow these steps: 10-2

Chapter 10 eeye REM 1.0 Step 4 Step 5 Select Admin > Security and Monitor Devices > Add. Select Add SW Security apps on a new host or Add SW security apps on existing host from the Device Type list. Enter the device name and IP addresses if adding a new host. Click the Reporting Application tab Step 6 From the Select Application list, select Foundstone FoundScan 3.0 Step 7 Click Add. Step 8 Step 9 0 Enter the following information: Database Name The name for this database. Access Port The default access port is 1433. Access Type Verify the value is MS SQL. Login The login information for the database. Password The password for the database. Click Submit. Once you activate this device (click Activate in the web interface), you must define the schedule at which MARS should pull data from it. For more information, see Scheduling Topology Updates, page 2-40. eeye REM 1.0 To configure MARS to pull this REM data, you must perform three tasks: Configure eeye REM to correlate the required data, ensuring that the data is current. Add the eeye REM server to MARS using the web interface. Schedule the interval at which the eeye REM server data is pulled by MARS. This section contains the following topics: Configure eeye REM to Generate Required Data, page 10-4 10-3

eeye REM 1.0 Chapter 10 Add and Configure the eeye REM Device in MARS, page 10-5 Configure eeye REM to Generate Required Data To configure eeye REM to provide the correct data to MARS, follow these steps: Run command svrnetcn at the DOS prompt on the host where eeye REM 1.0 is installed. In the SQL Server Network Utility dialog box, enable TCP/IP by moving TCP/IP from the Disabled Protocols list to Enabled Protocols list. Add and Configure the eeye REM Device in MARS To add the eeye REM device in MARS, follow these steps: 10-4

Chapter 10 Qualys QualysGuard Devices Step 4 Step 5 Select Admin > Security and Monitor Devices > Add. Select Add SW Security apps on a new host or Add SW security apps on existing host from the Device Type list. Enter the device name and IP addresses if adding a new host. Click the Reporting Applications tab. Step 6 From the Select Application list, select eeye REM 1.0. Step 7 Click Add. Step 8 Step 9 0 Enter the following information: Database Name The name for this database. Access Port The default access port is 1433. Login The login information for the database. Password The password information for the database. Click Submit. Once you activate this device (click Activate in the web interface), you must define the schedule at which MARS should pull data from it. For more information, see Scheduling Topology Updates, page 2-40. Qualys QualysGuard Devices In MARS, a QualysGuard device represents a specific report query to the QualysGuard API Server, which is the central API server hosted by Qualys. The only one that you configure to work with MARS is the QualysGuard API Server. You want to ensure that the QualysGuard API Server can provide reports about the devices on the network segments that you are monitoring with the MARS Appliance, as each MARS Appliance is responsible for identifying false positives for the network segments it monitors. If you have a subscription to the QualysGuard service, MARS can pull VA data from the QualysGuard database using the QualysGuard XML API. To configure MARS to pull this data, you must perform three tasks: 10-5

Qualys QualysGuard Devices Chapter 10 Configure QualysGuard to collect the required data, ensuring that the data is current. Add the QualysGuard device that represents a report query to MARS using the web interface. Schedule the interval at which the QualysGuard device data is pulled by MARS. Note If a proxy server resides between the QualysGuard server and the MARS Appliance, the settings defined on the Admin > System Parameters > Proxy Settings page are used. For more information, see Specify the Proxy Settings for the Global Controller or Local Controller, page 6-20 of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x. This section contains the following topics: Configure QualysGuard to Scan the Network, page 10-6 Add and Configure a QualysGuard Device in MARS, page 10-6 Schedule the Interval at Which Data is Pulled, page 10-8 Troubleshooting QualysGuard Integration, page 10-9 Configure QualysGuard to Scan the Network MARS uses the QualysGuard XML API and password-based authentication over SSL (TCP port 443) to retrieve scan reports from the QualysGuard API Server. As such, you do not need to configure the QualysGuard server to accept connections from MARS. The only required configuration is that you have an active account and Qualys subscription that is configured correctly to scan your network. By default, MARS assumes that you want to retrieve the most recent scan report saved on the QualysGuard server. Depending on the number of IP addresses analyzed, the QualysGuard scan takes from a few seconds to several minutes. You need to estimate this time so that you can schedule automated scans of your network with a frequency that ensures a recent saved scan report is available. Using the QualysGuard administrative interface, you can determine how long a scan takes and set the schedule accordingly. Add and Configure a QualysGuard Device in MARS Adding an internal QualysGuard device as a reporting device entails identifying the QualysGuard API Server, which is the central API server hosted by Qualys, from which the reports are pulled and providing credentials that MARS can use to log in to the device to pull the reports. You can specify whether you want to pull saved scan reports that are run on a schedule or whether you want to initiate and retrieve an on-demand scan report. Each reporting device identifies a unique query to the QualysGuard API Server. To add a QualysGuard device, follow these steps: Select Admin > Security and Monitor Devices > Add. Select QualysGuard ANY from the Device Type list. 10-6

Chapter 10 Qualys QualysGuard Devices Step 4 Enter the name of the Qualys device in the Device Name field. This name is used to identify the Qualys device uniquely within MARS. It is used in reports and query results to identify this device. The IP address field is read only. The value is also fixed at 165.193.18.12, which is significant because you can only define one schedule for pulling all report queries defined as Qualys devices on the Local Controller. However, you can define unique schedules across different Local Controllers. For more information, see Scheduling Topology Updates, page 2-40. Enter the URL that identifies the device and report type in the URL field. The URL provides the following information: Server. Identifies the server from which the report should be pulled. This value can be specified as a hostname or IP address that identifies the primary Qualys server. Report type. Real-time vs. Last Saved. The default value. Real-time Report. qualysapi.qualys.com/msp/scan.php?ip=[addresses] The addresses attribute specifies the target IP addresses for the scan request. IP addresses may be entered as multiple IP addresses, IP ranges, or a combination of the two. Multiple IP addresses must be comma separated, as shown below: 123.123.123.1,123.123.123.4,123.123.123.5 An IP address range specifies a start and end IP address separated by a dash (-), as shown below: 123.123.123.1-123.123.123.8 A combination of IP addresses and IP ranges may be specified. Multiple entries must be comma separated, as shown below: 123.123.123.1-123.123.123.5,194.90.90.3,194.90.90.9 Note You must use a Scanner Appliance to scan private IP addresses on your internal network. Step 5 Step 6 Last Saved Report. qualysapi.qualys.com/msp/scan_report_list.php?last=yes Enter the username of the account that MARS will use to access the Qualys device in the Login field. Enter the password that corresponds to the account identified in Step 5 in the Password field. 10-7

Qualys QualysGuard Devices Chapter 10 Step 7 Step 8 (Optional) To verify that the settings are correct and that the MARS Appliance can communicate with this Qualys device, click Test Connectivity. If you receive error messages during this test, refer to Troubleshooting QualysGuard Integration, page 10-9. To add this device to the MARS database, click Submit. Once you activate this device (click Activate in the web interface), you must define the schedule at which MARS should pull data from it. For more information, see Schedule the Interval at Which Data is Pulled, page 10-8. Schedule the Interval at Which Data is Pulled Once you activate one or more Qualys devices (where each device represents a report query run on the QualysGuard API Server), you must define the schedule at which MARS pulls data from them. The schedule, or update rule, that you define is the same for all Qualys devices. This update rule is based on the fixed IP address of 165.193.18.12, which is the Qualys Access IP. When you define an update rule using this address, all Qualys devices are updated based on that schedule. Even if you have more than one Qualys device on your network, you cannot stagger when MARS queries those Qualys devices. However, you can define unique schedules across different Local Controllers. For more information on the broader use of update rules, see Scheduling Topology Updates, page 2-40. To define the rule by which all Qualys devices will be discovered, follow these steps: Step 4 Step 5 Step 6 Step 7 Step 8 Click Admin > Topology/Monitored Device Update Scheduler. The Topology/Monitored Device Update Scheduler page displays. Click Add. Enter Qualys Devices or another meaningful value in the Name field. This name identifies the rule in the list of rules that appears on the Topology/Monitored Device Update Scheduler page. Select the Network IP radio button, and enter 165.193.18.12. and 255.255.255.255 in the Network IP and Mask fields respectively. Click Add to move the device into the selected field. In the Schedule table, select Daily, and select a time value from Time of Day list. We recommend that you pull this data daily, during off-peak hours, however, you can define any interval required by your organization. Click Submit. The update rule appears in the list on the Topology/Monitored Device Update Scheduler page. Click Activate. Tip To perform this discovery on demand, select the check box next to the rule you just defined and click Run Now. 10-8

Chapter 10 Qualys QualysGuard Devices Troubleshooting QualysGuard Integration Table 10-1 identifies possible errors and likely causes and solutions. Table 10-1 Error Table for QualysGuard and MARS Integration Error/Symptom Test connectivity failed. Click the View Errors button for more information. Server unavailable. Fail to parse scan report. Invalid user credentials. Test connectivity failed for qualys. Unknown host: qualysapi.qualys.com Please make sure that, Proxy settings are configured correctly, If there is no direct connection exists from CS-MARS to Qualys server The hostname specified in the URL string is correct Login name and Password is valid. Workaround/Solution This error means that MARS was unable to connect to the Qualys device. Four possible issues can account for this message: You have entered an invalid hostname or IP address in the URL field. Verify the value was entered correctly. The traffic may be blocked by either a proxy server or firewalls and gateways on your network. Enable SSL traffic (TCP port 443) to traverse between the MARS Appliance and the Qualys device. Enter the correct settings for your proxy server on the Admin > System Parameters > Proxy Setting page. This error means that MARS was unable to parse the scan report that it pulled from the Qualys device. Two possible issues can account for this message: Data corruption on the QualysGuard device. Format changes to the report due to an issue on the QualysGuard device or due to a software upgrade on the QualysGuard device. Verify that the QualysGuard device is running a supported version and that the device data is not corrupted. This error means that MARS was unable to authenticate to the Qualys device. Two possible issues can account for this message: The provided login credentials are incorrect. Verify these values were entered correctly, and verify that the provided account has sufficient privileges. Your account has expired. Renew your subscription services with Qualys. Make sure that the DNS server is configured correctly for the MARS Appliance. For more information on these DNS settings, see Specifying the DNS Settings, page 5-16. 10-9

Qualys QualysGuard Devices Chapter 10 10-10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback