sunhux

best location to connect Tenable vulnerability scanner & penetration scanner

We're getting Nessus Tenable for vulnerability scans (likely with admin-credentialed scans)
& likely penetration tests.

Q1:
https://security.stackexchange.com/questions/71389/where-to-place-a-vulnerability-scanner-within-a-data-center
The above link has various views & I don't understand one of the lines:
"If you're not granting the scanner admin level access to your assets and you're allowing an IPS to interfere then you're doing yourself a disservice."

Q2:
I intend to scan through the Network IPS because we may not be able to apply patches
in time (can't test out patches & obtain downtime in time), so most likely we'll deploy
NIPS virtual patches as interim remediation. So do we still scan using an 'admin credential'
scan in my scenario?

Q3:
We certainly don't plan to scan from the public Internet, but where within our Prod
network is the best location to connect this virtual (VM-based) scanner? In the Management
VLAN, or one scanner in each Prod subnet, or run it from a laptop connected to a switch
port that is assigned all the VLANs, or just place it in the DMZ or an internal subnet
& open up firewall rules? The firewall may slow down the scans.

Q4:
From a security perspective, which is the most secure place to connect it, as we may
use admin credentials (at this moment, no idea how to get it to integrate with
TPAM, though we may move to CyberArk in 12-16 months' time as Nessus told
us it integrates with CyberArk, querying the password from CyberArk)
David Johnson, CD

between your firewall and your network is the best place.
sunhux

ASKER

I guess David suggests between the external-facing firewall & our network IPS.

What are some of the firewall rules needed? I thought of the following:
Tenable scanner/Console -> Fetch updates from Tenable via Internet (i.e. patches)
Tenable scanner/Console -> Endpoint Agents (are there any updates to Tenable agents needed?)
Agent -> Scan servers, PCs, devices in the same subnet directly (by plugging in a laptop running Tenable?)
Agent -> Upload data to console for reporting
Security Admins -> Access console

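As an added example that is not part of this thread or of Tenable's own material, the following Python models the flows listed in this post for a Tenable.sc-driven Nessus deployment (the product sunhux confirms later in the thread) and checks a proposed firewall rule set against them, flagging rules that open production targets more widely than the scanner's own zone. Zone names and hostnames are constructed; the port numbers are assumptions taken from Tenable's published defaults (TCP 8834 for Nessus scanners and agents talking to their manager, TCP 443 for the Tenable.sc console and plugin-feed downloads) plus the standard credentialed-scan ports (22 for SSH, 445 and 135 for Windows SMB/RPC), and should be checked against the current documentation.

```python
# Added example (not from this thread): model the firewall flows listed above
# for a Tenable.sc-driven Nessus deployment and check a proposed rule set
# against them. Zone names and hostnames are constructed; port numbers are
# assumptions based on Tenable's published defaults (TCP 8834 scanner/agent to
# manager, TCP 443 console and plugin feed) and the usual credentialed-scan
# ports (22 SSH, 445/135 Windows SMB/RPC). Verify against current docs.
from dataclasses import dataclass
from typing import Union

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src: str        # zone/host of the initiating side
    dst: str        # zone/host of the receiving side
    proto: str
    port: int
    purpose: str


@dataclass(frozen=True)
class Rule:
    src: str                  # zone (or zone/host) prefix, or "any"
    dst: str
    proto: str                # "tcp", "udp" or "any"
    port: Union[int, str]     # a port number or "any"

    def matches(self, flow: Flow) -> bool:
        """True if this allow rule permits the given flow."""
        return (
            (self.src == ANY or flow.src.startswith(self.src))
            and (self.dst == ANY or flow.dst.startswith(self.dst))
            and self.proto in (ANY, flow.proto)
            and self.port in (ANY, flow.port)
        )


# The flows sunhux enumerated, with console and scanner in a management VLAN.
REQUIRED_FLOWS = [
    Flow("mgmt/tenable-sc", "internet/plugins.nessus.org", "tcp", 443, "plugin feed updates"),
    Flow("mgmt/tenable-sc", "mgmt/nessus-scanner", "tcp", 8834, "console drives the scanner"),
    Flow("prod/nessus-agents", "mgmt/nessus-manager", "tcp", 8834, "agents upload results and fetch updates"),
    Flow("mgmt/nessus-scanner", "prod/targets", "tcp", 22, "credentialed scan of Linux hosts (SSH)"),
    Flow("mgmt/nessus-scanner", "prod/targets", "tcp", 445, "credentialed scan of Windows hosts (SMB)"),
    Flow("mgmt/nessus-scanner", "prod/targets", "tcp", 135, "credentialed scan of Windows hosts (RPC)"),
    Flow("secadmin/workstations", "mgmt/tenable-sc", "tcp", 443, "security admins reach the console"),
]


def missing_flows(rules, flows=REQUIRED_FLOWS):
    """Return the required flows that no rule permits."""
    return [f for f in flows if not any(r.matches(f) for r in rules)]


def overly_broad_rules(rules):
    """Return rules that reach production targets from anywhere other than the
    management VLAN, or that open "any" port towards production. Scan
    credentials are only as safe as the network path the scanner uses, so
    target-facing access should be confined to the scanner's own zone."""
    return [
        r for r in rules
        if r.dst.startswith("prod") and (not r.src.startswith("mgmt") or r.port == ANY)
    ]


# A least-privilege rule set that covers exactly the flows above.
TIGHT_RULES = [
    Rule("mgmt/tenable-sc", "internet/plugins.nessus.org", "tcp", 443),
    Rule("mgmt/tenable-sc", "mgmt/nessus-scanner", "tcp", 8834),
    Rule("prod", "mgmt/nessus-manager", "tcp", 8834),
    Rule("mgmt/nessus-scanner", "prod", "tcp", 22),
    Rule("mgmt/nessus-scanner", "prod", "tcp", 445),
    Rule("mgmt/nessus-scanner", "prod", "tcp", 135),
    Rule("secadmin", "mgmt/tenable-sc", "tcp", 443),
]

# The "just put it in the DMZ and open up the firewall" approach (constructed).
LOOSE_RULES = [
    Rule("dmz", "prod", ANY, ANY),
    Rule("mgmt/tenable-sc", "internet", "tcp", 443),
]


if __name__ == "__main__":
    for name, rules in (("tight", TIGHT_RULES), ("loose", LOOSE_RULES)):
        print(f"{name}: missing = {[f.purpose for f in missing_flows(rules)]}")
        print(f"{name}: overly broad = {overly_broad_rules(rules)}")
```

Running it lists, for each rule set, the required flows that are still blocked and the rules that are wider than the scanner needs. The point of `overly_broad_rules` is the concern raised in Q4: once credentialed scanning is in use, the path to the targets should be reachable only from the scanner's zone, so a DMZ-to-prod "any/any" rule is flagged even though it covers none of the flows the scanner actually requires.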
Exactly which Tenable product are you getting? IO, or SC? I'm assuming SC, but you tell us.

I'd deploy inside the IPS to avoid causing an explosion in logs or the need to do a lot of exclusions. You'd probably also get a more complete picture.

Within the network itself, do you have firewalls? Or even restrictions between VLANs?
sunhux

ASKER

It's SC.

> Within the network itself, do you have firewalls?
We have 2-tier firewalls: one is external-facing & one is internal.
No further restrictions between VLANs.
ASKER CERTIFIED SOLUTION
btan
