Nessus + RHN Satellite - Red Hat Summit
Compliance Issues Can Be a Growing Pain
- Each industry is affected by its own compliance rules (FDCC, HIPAA, SOX, PCI, and many, many more).
- Executive summary of all the requirements: “Control your network, keep it tight and up to date, be able to prove it.”
Requirement / Proposed Solutions
Requirement 11: Regularly Test Security Systems and Processes
- Regular audits of the perimeter (or network) by 3rd parties (every quarter) – very typical of many audits.
- Typical example: an ecommerce site scanned by a PCI ASV (“Approved Scanning Vendor”).
- PCI ASV scans use Nessus and other scanners to do their jobs.
- Note: Tenable Network Security is now a PCI ASV.
Issues with Auditors in General
- “False positives”: Red Hat backports security patches. A site advertising “Apache 2.2.4” may not be vulnerable to all flaws affecting Apache < 2.2.18.
- No doubt, most vendors prefer a false positive to a false negative.
- Findings can now be disputed. However, this is costly (charged per scan) and time consuming (where to get the information?).
The False Positive Issue

                  Condition exists          Condition does not exist
  Detected        Valid: true positive      Invalid: false positive
  Not detected    Invalid: false negative   Valid: true negative
Issues with Some Auditors
- How to prepare for an audit and be ready to explain why some findings are false positives?
- How to prove that patches are applied regularly?
- What if your patch schedule does not fit the quarterly scans?
- Explaining how Red Hat backporting works.
Red Hat Satellite
Strategies to Manage Content
Diagram: the Red Hat channel for RHEL 5 (5, 5.1, 5.2, 5.x) is cloned into a custom 5.0-dev channel, which is merged into a custom 5.0-prod channel; clients subscribe to the custom channels.
1) Client is built via kickstart from the Red Hat channel kickstart tree.
2) Activation key reconfigures the client (dev or prod?).
3) Sat Admin creates 2 custom channels for dev and production clients.
4) Sat Admin regularly compares the custom dev channel vs. Red Hat and merges selected security updates, fixes and feature enablements.
5) Dev systems do QA validation.
6) Sat Admin merges dev to prod at reduced intervals after QA certifies the dev channel.
7) Sat Admin schedules updates for prod clients.
Red Hat Satellite (cont.)
Red Hat Satellite is a great way to manage one’s network in a compliant way. However, we still need to:
- Prove that every host scanned is indeed managed by Satellite
- Prove that every host scanned is patched (regularly)
- Prove that every host is configured properly from a security point of view
Red Hat Satellite (cont.)
Diagram: two overlapping sets, “Systems audited” and “Systems managed by Satellite”.
- Not every host related to audits is managed by Satellite (yet).
- Different views between Satellite and the scan results.
Red Hat Satellite: Unlocking the Power of the API
1. Connect to the Satellite server via an XML-RPC library.
2. Authenticate and obtain a session key (* normal Satellite server permissions/roles apply).
3. Perform queries and operations of interest.
4. Logout (when authenticated).
Red Hat Satellite: Nessus Integration with RHN Satellite
Diagram: the Satellite API layer (XML-RPC) exposes Software Distribution, Account Management, Channel Management, Monitoring and Provisioning to integrations.
The API layer can be used to integrate with disparate systems by making remote procedure calls using XML over HTTP.
Nessus + RHN Satellite
Each time Nessus scans a host, it can connect to the local RHN Satellite server and ask: Do you manage it? AND How do you manage it?
Nessus
- Widely-deployed vulnerability scanner with open source roots, since 1998.
- Nearly 50,000 vulnerability and configuration plugins.
- Used by many auditors.
- Scans a network for remote and local vulnerabilities and misconfigurations.
- Least-expensive commercial vulnerability scanner ($1500/year, unlimited targets; still free for home, non-commercial use).
- Also includes web app scanning, local policy audits, and more... See http://www.nessus.org for more information.
- For organizations with multiple Nessus scanners: Tenable SecurityCenter for centralized management and reporting.
How to Use Nessus for Scanning?
- Products can NOT be certified; only service providers can be certified as Approved Scanning Vendors (ASVs).
- Nessus prepares you for a scan: it provides the results that most ASVs will report.
- Helps you detect “false positives” and document their resolution.
Nessus + RHN Satellite
- What if the hosts scanned have not been updated yet (outside of the regular patch schedule)?
- Report on missing patches.
- Correlation is the key!
Nessus + RHN Satellite
- How to prove that patches are applied regularly?
- Nessus will do a per-host Satellite report showing the history of applied patches.
- Accurate reporting is key!
Nessus + RHN Satellite
Reports contain both the results found remotely and information gathered from Satellite. This arms you with all the facts you need to successfully pass your audit:
- Host is managed by Satellite
- Host is up to date
- Host is patched regularly
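The following is an added example, not code from the deck or from Tenable or Red Hat, showing how the Satellite API steps above (connect over XML-RPC, authenticate for a session key, query, log out) can answer the two questions “do you manage this host?” and “how do you manage it?” for each scanned host, and how that answer triages a banner-based finding as a likely backport false positive, a true positive, or an unmanaged host that cannot be correlated. It assumes the Spacewalk-style endpoint path `/rpc/api` and the methods `auth.login`, `auth.logout`, `system.getId`, `system.getRelevantErrata` and `system.listPackages` with the field names used below; hostnames, package versions and the advisory id are constructed, and the `FakeSatellite` class is an in-memory stand-in so the script runs offline.

```python
"""Correlating a scanned host with RHN Satellite over XML-RPC.

Added example, not code from the Red Hat Summit deck or from Tenable/Red Hat.
Assumptions (not on the slides): endpoint path /rpc/api and the Spacewalk-style
methods auth.login, auth.logout, system.getId, system.getRelevantErrata and
system.listPackages with the field names used below. All hostnames, package
versions and advisory ids are constructed for the example.
"""
import xmlrpc.client
from dataclasses import dataclass, field


@dataclass
class SatelliteReport:
    hostname: str
    managed: bool
    missing_errata: list = field(default_factory=list)   # advisories not yet applied
    installed: dict = field(default_factory=dict)        # package name -> version-release


def connect(satellite_url):
    """Build the XML-RPC proxy (assumed endpoint: https://<satellite>/rpc/api)."""
    return xmlrpc.client.ServerProxy(satellite_url.rstrip("/") + "/rpc/api")


def host_report(api, hostname, username, password):
    """Ask Satellite 'do you manage this host, and how?' for one scanned host."""
    session = api.auth.login(username, password)       # session key; normal roles apply
    try:
        systems = api.system.getId(session, hostname)  # assumed: [] when not registered
        if not systems:
            return SatelliteReport(hostname, managed=False)
        sid = systems[0]["id"]
        errata = api.system.getRelevantErrata(session, sid)
        packages = api.system.listPackages(session, sid)
        return SatelliteReport(
            hostname, True,
            missing_errata=sorted(e["advisory_name"] for e in errata),
            installed={p["name"]: f'{p["version"]}-{p["release"]}' for p in packages},
        )
    finally:
        api.auth.logout(session)                        # always release the session


def classify_finding(report, package_name):
    """Triage a banner-based scanner finding against what Satellite knows."""
    if not report.managed:
        return "unmanaged: cannot correlate; treat as true positive until registered"
    if report.missing_errata:
        return "true positive: pending errata " + ", ".join(report.missing_errata)
    if package_name in report.installed:
        return (f"likely false positive: {package_name}-{report.installed[package_name]} "
                "installed with no pending errata (backported fix); document for the auditor")
    return f"{package_name} not installed from Satellite: verify where the service comes from"


class FakeSatellite:
    """Constructed in-memory stand-in for the XML-RPC proxy so the example runs
    offline. Only the methods used above are mimicked; the data is invented."""

    _hosts = {
        "web01.example.com": {"id": 1001, "errata": [],
                              "packages": [{"name": "httpd", "version": "2.2.3", "release": "43.el5"}]},
        "web02.example.com": {"id": 1002, "errata": [{"advisory_name": "RHSA-EXAMPLE:0001"}],
                              "packages": [{"name": "httpd", "version": "2.2.3", "release": "22.el5"}]},
    }

    def __init__(self):
        self.auth = self      # so api.auth.login / api.system.getId resolve to these methods
        self.system = self
        self.logouts = 0

    def login(self, username, password):
        return "constructed-session-key"

    def logout(self, session):
        self.logouts += 1
        return 1

    def getId(self, session, name):
        host = self._hosts.get(name)
        return [{"id": host["id"], "name": name}] if host else []

    def getRelevantErrata(self, session, sid):
        return next(h["errata"] for h in self._hosts.values() if h["id"] == sid)

    def listPackages(self, session, sid):
        return next(h["packages"] for h in self._hosts.values() if h["id"] == sid)


if __name__ == "__main__":
    api = FakeSatellite()   # swap for connect("https://satellite.example.com") in real use
    for host in ("web01.example.com", "web02.example.com", "legacy.example.com"):
        print(host, "->", classify_finding(host_report(api, host, "scanner", "secret"), "httpd"))
```

The `try`/`finally` around the queries matters in practice: a scan that opens a Satellite session per host and fails mid-query would otherwise leave sessions open, and the account used should be a read-only Satellite role, since the slides note that normal server permissions apply to API sessions.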
DEMO
Tenable SecurityCenter + RHN Satellite
QUESTIONS?
http://www.redhat.com/red_hat_network/
http://www.nessus.org/
http://blog.tenable.com