Juniper Secure Analytics

Transcription

1 Juniper Secure Analytics Vulnerability Manager User Guide Release Published:

2 Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California USA All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Juniper Secure Analytics Vulnerability Manager User Guide All rights reserved. The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. ii

3 Table of Contents About the ix Conventions ix Feedback xi Requesting Technical Support xi Self-Help Online Tools and Resources xi Opening a Case with JTAC xii Part 1 Juniper Secure Analytics Vulnerability Manager Chapter 1 Vulnerability Manager Installations and Deployments Vulnerability Manager Access and Installations Vulnerability Processing and Scanning Deployments Options for Moving the Vulnerability Processor in Your JSA Vulnerability Manager Deployment Deploy a Dedicated JSA Vulnerability Manager Processor Appliance Move the Vulnerability Processor from Your Console to Your Managed Host Deploying a Dedicated JSA Vulnerability Manager Processor Appliance Moving Your Vulnerability Processor to a Managed Host or Console Verifying that a Vulnerability Processor is Deployed Removing a Vulnerability Processor from Your Console or Managed Host Options for Adding Scanners to Your JSA Vulnerability Manager Deployment Dynamic Vulnerability Scans Deploy a Dedicated JSA Vulnerability Manager Managed Host Scanner Appliance Deploy a JSA Vulnerability Manager Scanner on Your JSA Console or Managed Host Configure Access to a Juniper Networks Hosted Scanner and Scan your DMZ Deploying a Dedicated JSA Vulnerability Manager Scanner Appliance Deploying a Vulnerability Scanner to a JSA Console or Managed Host Scanning the Assets in Your DMZ Configuring Your Network and Assets for External Scans Configuring JSA Vulnerability Manager to Scan Your External Assets Verifying that a Vulnerability Scanner is added to your Deployment Supported Web Browsers Enabling Document Mode and Browser Mode in Internet Explorer Vulnerability Backup and Recovery iii

4 Juniper Secure Analytics Vulnerability Manager User Guide Chapter 2 JSA Vulnerability Manager Vulnerability Manager Overview Vulnerability Scanning Vulnerability Processor Deployment Options Configuration Options Vulnerability Management Dashboard Reviewing Vulnerability Data on the Default Vulnerability Management Dashboard Creating a Customized Vulnerability Management Dashboard Chapter 3 Security Software Integrations IBM Endpoint Manager Integration Integration Components Vulnerability Remediation Configuring Secure Socket Layer for IBM Endpoint Manager Integration Integrating JSA Vulnerability Manager with IBM Endpoint Manager IBM Security SiteProtector Integration Connecting to IBM Security SiteProtector Chapter 4 Vulnerability Scanning Vulnerability Scanning Overview Scan Profiles JSA Integration Creating a Scan Profile Viewing Scan Profiles Monitoring Scans in Progress Scan Profile Details Scan Scheduling Scanning Domains Monthly Scheduling Scans of New Unscanned Assets Reviewing your Scheduled Scans in Calendar Format Network Scan Targets and Exclusions Network Scan Targets and Exclusions Overview Include Network Nodes Domain Scanning Scans that Used Saved Asset Searches Exclude Network Scan Targets Virtual Webs Excluding Assets from all Scans Managing scan Exclusions Scan Protocols and Ports Configuring Your Scan Profile Port Protocols Scanning a Full Port Range Scanning Assets with Open Ports Authenticated Patch Scans Centralized Credential Sets Configuring Linux Operating System Public Key Authentication iv

5 Table of Contents Configuring an Authenticated Scan of the Linux or UNIX Operating Systems Configuring an Authenticated Scan of the Windows Operating System Enabling Remote Registry Access to Assets on the Windows Operating System Enabling the Windows Management Interface Configuring a Permitted Scan Interval Overview Configuring a Permitted Scan Interval Scanning During Permitted Times Managing Operational Windows Disconnecting an Operational Window Dynamic Vulnerability Scans Associating Vulnerability Scanners with CIDR Ranges Scanning CIDR ranges with Different Vulnerability Scanners Scan Policies Pre-configured Scan Policies Modifying a Pre-configured Scan Policy Configuring a San Policy to Manage your Vulnerability Scans Chapter 5 Vulnerability Scan Investigations Vulnerability Scan Investigations Overview Scan Results Vulnerability Counts Searching Scan Results Managing Scan Results Asset Risk Levels and Vulnerability Categories Asset, Vulnerability, and Open Services Data Vulnerability Risk and PCI Severity Chapter 6 Management of Your Vulnerabilities Vulnerabilities Management Overview Searching Vulnerability Data Saving your Vulnerability Search Criteria Deleting Saved Vulnerability Search Criteria Vulnerability Instances Network Vulnerabilities Asset Vulnerabilities Open Service Vulnerabilities Investigating the History of a Vulnerability Reducing the Number of False Positive Vulnerabilities Investigating High Risk Assets and Vulnerabilities Identifying Vulnerabilities with an IBM Endpoint Manager Patch Identifying the Patch Status of your Vulnerabilities Chapter 7 Vulnerability Exception Rules Vulnerability Exception Rules Overview Applying a Vulnerability Exception Rule Managing a Vulnerability Exception Rule Searching Vulnerability Exceptions v

6 Juniper Secure Analytics Vulnerability Manager User Guide Chapter 8 Vulnerability Remediation Assigning Individual Vulnerabilities to a Technical User for Remediation Assigning a Technical User as the Owner of Asset Groups Configuring Remediation Times for the Vulnerabilities on Assigned Assets Chapter 9 Vulnerability Reports Running a Default JSA Vulnerability Manager Report ing Assigned Vulnerability Reports to Technical Users Generating PCI Compliance Reports Updating your Asset Compliance Plans and Software Declarations Creating a PCI Compliance Report Chapter 10 Vulnerability Research, News, and Advisories Vulnerability Library Usage Overview Viewing Detailed Information about Published Vulnerabilities Remaining Aware of Global Security Developments Viewing Security Advisories from Vulnerability Vendors Searching Vulnerabilities, News, and Advisories Glossary Part 2 Index Index vi

7 List of Tables About the ix Table 1: Notice Icons ix Table 2: Text and Syntax Conventions x Part 1 Juniper Secure Analytics Vulnerability Manager Chapter 1 Vulnerability Manager Installations and Deployments Table 3: Supported Web Browsers for JSA Products Chapter 4 Vulnerability Scanning Table 4: Scan Profile Details Configuration Options Table 5: Scan Protocol and Port Options Chapter 6 Management of Your Vulnerabilities Table 6: Server Type Vulnerabilities Table 7: Vulnerabilities Patch Status Options vii

8 Juniper Secure Analytics Vulnerability Manager User Guide viii

9 About the Conventions Conventions on page ix Feedback on page xi Requesting Technical Support on page xi Table 1: Notice Icons Table 1 on page ix defines notice icons used in this guide. Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser. Tip Indicates helpful information. Best practice Alerts you to a recommended use or implementation. Table 2 on page x defines the text and syntax conventions used in this guide. ix

10 Juniper Secure Analytics Vulnerability Manager User Guide Table 2: Text and Syntax Conventions Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: configure Fixed-width text like this Italic text like this Represents output that appears on the terminal screen. Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles. show chassis alarms No alarms currently active A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide RFC 1997, BGP Communities Attribute Italic text like this Text like this Represents variables (options for which you substitute a value) in commands or configuration statements. Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. Configure the machine s domain name: [edit] root@# set system domain-name domain-name To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE. < > (angle brackets) Encloses optional keywords or variables. stub <default-metric metric>; (pipe symbol) Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. broadcast multicast (string1 string2 string3) # (pound sign) Indicates a comment specified on the same line as the configuration statement to which it applies. rsvp { # Required for dynamic MPLS only [ ] (square brackets) Encloses a variable for which you can substitute one or more values. community name members [ community-ids ] Indention and braces ( { } ) ; (semicolon) Identifies a level in the configuration hierarchy. Identifies a leaf statement at a configuration hierarchy level. [edit] routing-options { static { route default { nexthop address; retain; } } } GUI Conventions x

11 About the Table 2: Text and Syntax Conventions (continued) Convention Description Examples Bold text like this Represents graphical user interface (GUI) items you click or select. In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel. > (bold right angle bracket) Separates levels in a hierarchy of menu selections. In the configuration editor hierarchy, select Protocols>Ospf. Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods: Online feedback rating system On any page at the Juniper Networks Technical site at simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable). Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at Product warranties For product warranty information, visit JTAC hours of operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: xi

12 Juniper Secure Analytics Vulnerability Manager User Guide Find CSC offerings: Search for known bugs: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see xii

13 PART 1 Juniper Secure Analytics Vulnerability Manager Vulnerability Manager Installations and Deployments on page 3 JSA Vulnerability Manager on page 17 Security Software Integrations on page 21 Vulnerability Scanning on page 25 Vulnerability Scan Investigations on page 51 Management of Your Vulnerabilities on page 57 Vulnerability Exception Rules on page 67 Vulnerability Remediation on page 71 Vulnerability Reports on page 75 Vulnerability Research, News, and Advisories on page 81 1

14 Juniper Secure Analytics Vulnerability Manager User Guide 2

15 CHAPTER 1 Vulnerability Manager Installations and Deployments This chapter describes about the following sections: Vulnerability Manager Access and Installations on page 4 Vulnerability Processing and Scanning Deployments on page 4 Options for Moving the Vulnerability Processor in Your JSA Vulnerability Manager Deployment on page 6 Deploying a Dedicated JSA Vulnerability Manager Processor Appliance on page 7 Moving Your Vulnerability Processor to a Managed Host or Console on page 7 Verifying that a Vulnerability Processor is Deployed on page 8 Removing a Vulnerability Processor from Your Console or Managed Host on page 9 Options for Adding Scanners to Your JSA Vulnerability Manager Deployment on page 9 Deploying a Dedicated JSA Vulnerability Manager Scanner Appliance on page 11 Deploying a Vulnerability Scanner to a JSA Console or Managed Host on page 11 Scanning the Assets in Your DMZ on page 13 Verifying that a Vulnerability Scanner is added to your Deployment on page 14 Supported Web Browsers on page 14 Enabling Document Mode and Browser Mode in Internet Explorer on page 15 Vulnerability Backup and Recovery on page 15 3

16 Juniper Secure Analytics Vulnerability Manager User Guide Vulnerability Manager Access and Installations You access Juniper Secure Analytics (JSA) Vulnerability Manager by using the Vulnerabilities tab. Depending on the product that you install and whether you upgrade JSA or install a new system, the Vulnerabilities tab might not be displayed. To access vulnerabilities tab: If you install JSA, the Vulnerabilities tab is enabled by default with a temporary license key. If you install Log Analytics, the Vulnerabilities tab is not enabled. Depending on how you upgrade JSA, the Vulnerabilities tab might not be enabled. To use JSA Vulnerability Manager after an install or upgrade you must upload and allocate a valid license key. For more information, see the Juniper Secure Analytics Administration Guide. For more information about upgrading, see the Upgrading Juniper Secure Analytics to Vulnerability Processing and Scanning Deployments on page 4 Options for Moving the Vulnerability Processor in Your JSA Vulnerability Manager Deployment on page 6 Deploying a Dedicated JSA Vulnerability Manager Processor Appliance on page 7 Vulnerability Processing and Scanning Deployments When you install and license Juniper Secure Analytics (JSA) Vulnerability Manager, a vulnerability processor is automatically deployed on your JSA console. The vulnerability processor provides a scanning component by default. If required, you can deploy more scanners, either on dedicated JSA Vulnerability Manager managed host scanner appliances or JSA managed hosts. For example, you can deploy a vulnerability scanner on an Event Collector or Flow Processor. You cannot deploy a vulnerability scanner on a high availability managed host. If required, you can move the vulnerability processor to a different managed host in your deployment. You might move the processor to preserve disk space on your JSA console. NOTE: You can have only one vulnerability processor in your deployment and you can move the processor only to a dedicated JSA Vulnerability Manager managed host processor appliance. When you move the vulnerability processor between the console and a managed host, the system enforces validation checks in the deployment editor. 4

17 Chapter 1: Vulnerability Manager Installations and Deployments NOTE: After you change your vulnerability processor deployment, you must wait for your deployment to fully configure. In the Scan Profiles page, the following message is displayed: QVM is in the process of being deployed. To configure your vulnerability processing and scanning components, you must use the JSA deployment editor, which is on the Admin tab. Ensure that following applications are installed on all desktop systems that you use to access the JSA product user interface: Java Runtime Environment (JRE) version 1.7 Adobe Flash version 10.x For more information about the deployment editor, see the Juniper Secure Analytics Administration Guide. If you have a large network and require flexible scanning options, you can add more scanners to your JSA Vulnerability Manager deployment. For more information about the deployment editor, see Options for Adding Scanners to Your JSA Vulnerability Manager Deployment on page 9. If you have a large network and require flexible scanning options, you can add more scanners to your JSA Vulnerability Manager deployment. For more information about the deployment editor, see Options for Moving the Vulnerability Processor in Your JSA Vulnerability Manager Deployment on page 6. For more information about the deployment editor, see the Juniper Secure Analytics Administration Guide. Vulnerability Manager Access and Installations on page 4 Options for Moving the Vulnerability Processor in Your JSA Vulnerability Manager Deployment on page 6 Deploying a Dedicated JSA Vulnerability Manager Processor Appliance on page 7 Moving Your Vulnerability Processor to a Managed Host or Console on page 7 5

18 Juniper Secure Analytics Vulnerability Manager User Guide Options for Moving the Vulnerability Processor in Your JSA Vulnerability Manager Deployment If required, you can move the vulnerability processor from your Juniper Secure Analytics (JSA) console to a dedicated JSA Vulnerability Manager managed host appliance. For example, you might move your vulnerability processing capability to a managed host to minimize disk space impact on your JSA console. NOTE: You can have only one vulnerability processor in your deployment. Also, you must deploy the vulnerability processor only on a JSA console or JSA Vulnerability Manager managed host processor appliance. To move the vulnerability processor, choose one of the following options: Deploy a Dedicated JSA Vulnerability Manager Processor Appliance on page 6 Deploying a Dedicated JSA Vulnerability Manager Processor Appliance on page 7 Deploy a Dedicated JSA Vulnerability Manager Processor Appliance To deploy a processor appliance you must complete the followings tasks: 1. Install a dedicated JSA Vulnerability Manager managed host processor appliance. For more information, see the Juniper Secure Analytics Installation Guide. 2. Add the managed host processor appliance to your deployment by using the deployment editor. When you select the managed host option in the deployment editor, the processor is automatically removed from the JSA console. Move the Vulnerability Processor from Your Console to Your Managed Host If the vulnerability processor is on your JSA console, then later you can move your vulnerability processor to a previously installed JSA Vulnerability Manager managed host processor appliance. At any time, you can move the vulnerability processor back to your JSA console. Vulnerability Processing and Scanning Deployments on page 4 Deploying a Dedicated JSA Vulnerability Manager Processor Appliance on page 7 Moving Your Vulnerability Processor to a Managed Host or Console on page 7 6

19 Chapter 1: Vulnerability Manager Installations and Deployments Deploying a Dedicated JSA Vulnerability Manager Processor Appliance You can deploy a dedicated Juniper Secure Analytics (JSA) Vulnerability Manager managed host processor appliance. When you deploy your vulnerability processor to a managed host, all vulnerabilities are processed on the managed host. NOTE: After you deploy processing to a dedicated JSA Vulnerability Manager managed host, any scan profiles or scan results that are associated with a JSA console processor are not displayed. You can continue to search and view vulnerability data on the Manage Vulnerabilities pages. Ensure that a dedicated JSA Vulnerability Manager managed host is installed. To deploy JSA Vulnerability Manager processor: 1. Click the Admin tab. 2. On toolbar, click Deployment Editor. 3. From the menu, select Actions > Add a Managed Host. In the managed host wizard, ensure that you select the IP address of the JSA Vulnerability Manager managed host processor appliance. You must wait several minutes while the managed host is added. 4. In the Validation Error window, select the JSA Vulnerability Manager managed host processor and click OK. 5. Click Yes. 6. In the deployment editor menu, select File > Save and close. 7. On the Admin tab toolbar, select Advanced > Deploy Full Configuration. 8. Click OK. Verify that the JSA Vulnerability Manager processor is deployed on the managed host. Vulnerability Processing and Scanning Deployments on page 4 Moving Your Vulnerability Processor to a Managed Host or Console on page 7 Verifying that a Vulnerability Processor is Deployed on page 8 Moving Your Vulnerability Processor to a Managed Host or Console If required, you can move your vulnerability processor between a Juniper Secure Analytics (JSA) Vulnerability Manager managed host appliance and your JSA console. 7

20 Juniper Secure Analytics Vulnerability Manager User Guide To move JSA Vulnerability Manager processor: 1. Click the Admin tab. 2. On toolbar, click Deployment Editor. 3. Click the Vulnerability View tab. 4. In the Vulnerability Components pane click QVM Processor. 5. Type a memorable name for the QVM Processor that you want to add, then follow the instructions in the user interface and click Next. 6. In the Adding a new component window, ensure that you select the host for the console or managed host appliance. If your processor is on the managed host, you can select only the JSA console. 7. Click Finish and Yes. 8. In the deployment editor menu, select File > Save and close. 9. In the Validation Error window, select the processor on the console or managed host. If you select the processor on the console, then the vulnerability processor on the managed host is automatically removed during the deployment. You must wait several minutes while the deployment completes. 10. On the Admin tab toolbar, select Advanced > Deploy Full Configuration. 11. Click OK. Deploying a Dedicated JSA Vulnerability Manager Processor Appliance on page 7 Verifying that a Vulnerability Processor is Deployed on page 8 Removing a Vulnerability Processor from your Console or Managed Host on page 9 Verifying that a Vulnerability Processor is Deployed In Juniper Secure Analytics (JSA) Vulnerability Manager, you can verify that your vulnerability processor is deployed on a JSA console or JSA Vulnerability Manager managed host. To verify the deployment of a vulnerability processor: 1. Log in to the JSA console. 2. On the Admin tab, click the Deployment Editor. 3. Select the Vulnerability View tab. 4. Verify that the QVM Processor is displayed in the Vulnerability View pane. If the QVM Processor is not deployed, then you must deploy the processor. For more information, see Moving Your Vulnerability Processor to a Managed Host or Console on page 7. 8

21 Chapter 1: Vulnerability Manager Installations and Deployments Deploying a Dedicated JSA Vulnerability Manager Processor Appliance on page 7 Moving Your Vulnerability Processor to a Managed Host or Console on page 7 Removing a Vulnerability Processor from your Console or Managed Host on page 9 Removing a Vulnerability Processor from Your Console or Managed Host If required, you can remove the vulnerability processor from a Juniper Secure Analytics (JSA) console or JSA Vulnerability Manager managed host. To remove the deployment of a vulnerability processor: 1. Log in to the JSA console. 2. On the Admin tab, click the Deployment Editor. 3. Select the Vulnerability View tab. 4. Verify that the QVM Processor is displayed in the Vulnerability View pane. 5. In the Warning window, click Yes. 6. From the Deployment Editor menu, select Edit > Delete. 7. From the Deployment Editor menu, select File > Save and close. 8. On the Admin tab toolbar, select Advanced > Deploy Full Configuration. 9. Click OK. Moving Your Vulnerability Processor to a Managed Host or Console on page 7 Verifying that a Vulnerability Processor is Deployed on page 8 Options for Adding Scanners to Your JSA Vulnerability Manager Deployment on page 9 Options for Adding Scanners to Your JSA Vulnerability Manager Deployment If you have a large network and require flexible scanning options, you can add more scanners to your Juniper Secure Analytics (JSA) Vulnerability Manager deployment. Your JSA Vulnerability Manager processor is automatically deployed with a scanning component. By deploying more scanners you can increase the flexibility of your scanning operations. For example, you can scan specific areas of your network with different scanners and at different scheduled times. 9

22 Juniper Secure Analytics Vulnerability Manager User Guide Dynamic Vulnerability Scans The vulnerability scanners that you deploy might not have access to all areas of your network. In JSA Vulnerability Manager you can assign different scanners to network CIDR ranges. During a scan, each asset in the CIDR range that you want to scan is dynamically associated with the correct scanner. To add more vulnerability scanners, choose any of the following options: Deploy a Dedicated JSA Vulnerability Manager Managed Host Scanner Appliance on page 10 Deploy a JSA Vulnerability Manager Scanner on Your JSA Console or Managed Host on page 10 Configure Access to a Juniper Networks Hosted Scanner and Scan your DMZ on page 10 Deploy a Dedicated JSA Vulnerability Manager Managed Host Scanner Appliance You can scan for vulnerabilities by using a dedicated JSA Vulnerability Manager managed host scanner appliance. To deploy a scanner appliance, you must complete the followings tasks: 1. Install a dedicated JSA Vulnerability Manager managed host scanner appliance. 2. Add the managed host scanner appliance to your deployment by using the deployment editor. Deploy a JSA Vulnerability Manager Scanner on Your JSA Console or Managed Host If you move your vulnerability processor from your Juniper Secure Analytics (JSA) console to a JSA Vulnerability Manager managed host, you can add a scanner to your console. You can also add a vulnerability scanner to any preexisting JSA managed hosts in your deployment. For example, you can add a scanner to an event collector, flow collector, or event processor. NOTE: You cannot add a vulnerability scanner to a high availability managed host. Configure Access to a Juniper Networks Hosted Scanner and Scan your DMZ You can configure access to a Juniper Networks hosted scanner and scan the assets in your DMZ. Moving Your Vulnerability Processor to a Managed Host or Console on page 7 Verifying that a Vulnerability Processor is Deployed on page 8 Removing a Vulnerability Processor from your Console or Managed Host on page 9 10

23 Chapter 1: Vulnerability Manager Installations and Deployments Deploying a Dedicated JSA Vulnerability Manager Scanner Appliance You can deploy a dedicated Juniper Secure Analytics (JSA) Vulnerability Manager managed host scanner appliance. Ensure that a dedicated JSA Vulnerability Manager managed host scanner appliance is installed. To deploy a dedicated Vulnerability Manager Scanner Appliance: 1. Click the Admin tab. 2. On the toolbar, click Deployment Editor. 3. From the menu, select Actions > Add a managed host. In the managed host wizard, ensure that you select the IP address of the JSA Vulnerability Manager managed host scanner appliance. You must wait several minutes while the deployment saves. 4. At the Adding Managed Host dialog box, click OK. 5. From the deployment editor menu, select File > Save and close. 6. On the Admin tab toolbar, select Advanced > Deploy Full Configuration. 7. Click OK. Deploying a Dedicated JSA Vulnerability Manager Processor Appliance on page 7 Moving Your Vulnerability Processor to a Managed Host or Console on page 7 Verifying that a Vulnerability Processor is Deployed on page 8 Deploying a Vulnerability Scanner to a JSA Console or Managed Host on page 11 Deploying a Vulnerability Scanner to a JSA Console or Managed Host You can deploy a Juniper Secure Analytics (JSA) Vulnerability Manager scanner to a JSA console or managed host. For example, you can deploy a scanner to a flow collector, flow processor, event collector, or event processor. To deploy a scanner on your JSA console, ensure that the vulnerability processor is moved to a dedicated JSA Vulnerability Manager managed host appliance. To deploy scanners on JSA managed hosts, ensure that you have existing managed hosts in your deployment. For more information, see the Juniper Secure Analytics Installation Guide. To deploy a vulnerability scanner: 1. Click the Admin tab. 2. On the toolbar, click Deployment Editor. 11

24 Juniper Secure Analytics Vulnerability Manager User Guide 3. On the Vulnerability Components pane, click QVM Scanner. 4. Type a unique name for the QVM Scanner that you want to add. NOTE: The name can be up to 20 characters in length and can include underscores or hyphens. 5. Click Next. 6. From the Select a host list box, select the IP address of the JSA managed host or console. NOTE: You cannot add a scanner to a JSA console when the vulnerability processor is on the console. You must move the vulnerability processor to a JSA Vulnerability Manager managed host. 7. Click Next. 8. Click Finish. 9. From the deployment editor menu, select File > Save and close. 10. On the Admin tab toolbar, select Advanced > Deploy Full Configuration 11. Click OK. Verify that the external scanner is listed in the Scan Server list box in the Scan Profile Details expandable pane. Deploying a Dedicated JSA Vulnerability Manager Scanner Appliance on page 11 Options for Adding Scanners to Your JSA Vulnerability Manager Deployment on page 9 Moving Your Vulnerability Processor to a Managed Host or Console on page 7 12

25 Chapter 1: Vulnerability Manager Installations and Deployments Scanning the Assets in Your DMZ In Juniper Secure Analytics (JSA) Vulnerability Manager, you can connect to an external scanner and scan the assets in your DMZ for vulnerabilities. If you want to scan the assets in the DMZ for vulnerabilities, you do not need to deploy a scanner in your DMZ. You must configure JSA Vulnerability Manager with a hosted IBM scanner that is located outside your network. Detected vulnerabilities are processed by the processor on either your JSA console or JSA Vulnerability Manager managed host. To scan the assets in your DMZ for vulnerabilities: Configuring Your Network and Assets for External Scans on page 13 Configuring JSA Vulnerability Manager to Scan Your External Assets on page 13 Configuring Your Network and Assets for External Scans To scan the assets in your DMZ, you must configure your network and inform Juniper Networks of the assets that you want to scan. 1. Configure outbound internet access on port Send the following information to Juniper Networks: Your organization's external IP address. NOTE: The IP address must be configured before you can run external scans. The IP address range of the assets in your DMZ. Configuring JSA Vulnerability Manager to Scan Your External Assets To scan the assets in your DMZ you must configure Juniper Secure Analytics (JSA) Vulnerability Manager, by using the deployment editor: 1. On the Admin tab, click Deployment Editor. 2. Click the Vulnerability View tab. 3. In the Vulnerability Components pane, click External Scanner. 4. Type a unique name for the External Scanner that you want to add. 5. Click Next. 6. Type your external IP address and click Next. 13

26 Juniper Secure Analytics Vulnerability Manager User Guide NOTE: You cannot scan external assets until your external IP address is configured. Ensure that you details of your external IP address to Juniper Networks. 7. If your network is configured to use a proxy server, then type the details of your server, then click Next. 8. Click Finish. 9. From the deployment editor menu, select File > Save and close. 10. On the Admin tab toolbar, select Advanced > Deploy Full Configuration. 11. Click OK. Verify that the external scanner is listed in the Scan Server list box in the Scan Profile Details expandable pane. For more information, see Scan Profile Details on page 28. Verifying that a Vulnerability Scanner is added to your Deployment In Juniper Secure Analytics (JSA) Vulnerability Manager you can verify that a vulnerability scanner is added to your deployment. To verify that a vulnerability scanner is added to your deployment: 1. Click the Vulnerabilities tab. 2. On the navigation menu, select Administrative > Scan Profiles. 3. On the toolbar, click Actions > Create. 4. In the Scan Profile Details pane, click the Scan Server list and ensure that your scanner is displayed. If the scanner is not listed, open the deployment editor and verify that you added the scanner. Supported Web Browsers For the features in Juniper Secure Analytics (JSA) products to work properly, you must use a supported web browser. When you access the JSA system, you are prompted for a user name and a password. The user name and password must be configured in advance by the administrator. Table 3 on page 15 lists the supported versions of web browsers. 14

27 Chapter 1: Vulnerability Manager Installations and Deployments Table 3: Supported Web Browsers for JSA Products Web browser Supported version Mozilla Firefox 17.0 Extended Support Release 24.0 Extended Support Release 32-bit Microsoft Internet Explorer, with document mode and browser mode enabled Google Chrome The current version as of the release date of JSA products Configuring JSA Vulnerability Manager to Scan your External Assets on page 13 Enabling Document Mode and Browser Mode in Internet Explorer on page 15 Vulnerability Backup and Recovery on page 15 Enabling Document Mode and Browser Mode in Internet Explorer If you use Microsoft Internet Explorer to access Junos Secure Analytics (JSA) products, you must enable browser mode and document mode. To enable browser and document mode: 1. In your Internet Explorer web browser, press F12 to open the Developer Tools window. 2. Click Browser Mode and select the version of your web browser. 3. Click Document Mode. For Internet Explorer V9.0, select Internet Explorer 9 standards For Internet Explorer V8.0, select Internet Explorer 8 standards Configuring your Network and Assets for External Scans on page 13 Configuring JSA Vulnerability Manager to Scan your External Assets on page 13 Supported Web Browsers on page 14 Vulnerability Backup and Recovery on page 15 Vulnerability Backup and Recovery You can back up and recover your vulnerability data including vulnerability configurations. For example, you can back up scan profiles. Juniper Secure Analytics (JSA) Vulnerability Manager back up and recovery is managed by using the Admin tab. For more information about vulnerability backup and recovery, see the Juniper Secure Analytics Administration Guide. 15

28 Juniper Secure Analytics Vulnerability Manager User Guide Configuring your Network and Assets for External Scans on page 13 Configuring JSA Vulnerability Manager to Scan your External Assets on page 13 Vulnerability Scanning on page 17 16

29 CHAPTER 2 JSA Vulnerability Manager Vulnerability Manager Overview This chapter describes about the following sections: Vulnerability Manager Overview on page 17 Vulnerability Scanning on page 17 Vulnerability Management Dashboard on page 18 Juniper Secure Analytics (JSA) Vulnerability Manager is a network scanning platform that detects vulnerabilities within the applications, systems, and devices on your network or within your DMZ. JSA Vulnerability Manager uses security intelligence to help you manage and prioritize your network vulnerabilities. For example, you can use JSA Vulnerability Manager to continuously monitor vulnerabilities, improve resource configuration, and identify software patches. You can also, prioritize security gaps by correlating vulnerability data with network flows, log data, firewall, and intrusion prevention system (IPS) data. You can maintain real-time visibility of the vulnerabilities that are detected by the built-in JSA Vulnerability Manager scanner and other third-party scanners. Third-party scanners are integrated with JSA and include IBM Security EndPoint Manager, Guardium, AppScan, Nessus, ncircle, and Rapid7. Unless otherwise noted, all references to JSA Vulnerability Manager refer to JSA Vulnerability Manager. All references to JSA refer to JSA and Log Analytics and all references to SiteProtector refer to IBM Security SiteProtector. Vulnerability Scanning on page 17 Vulnerability Management Dashboard on page 18 Vulnerability Backup and Recovery on page 15 Vulnerability Scanning In Juniper Secure Analytics (JSA) Vulnerability Manager, vulnerability scanning is controlled by configuring scan profiles. Each scan profile specifies the assets that you want to scan and the scan schedule. 17

30 Juniper Secure Analytics Vulnerability Manager User Guide Vulnerability Processor When you license JSA Vulnerability Manager, a vulnerability processor is automatically deployed on your JSA console. The processor contains a JSA Vulnerability Manager scanning component. Deployment Options Vulnerability scanning can be deployed in different ways. For example, you can deploy your scanning capability to a JSA Vulnerability Manager managed host scanner appliance or a JSA managed host. Configuration Options Administrators can configure scans in the following ways: Schedule scans to run at times convenient for your network assets. Specify the times during which scans are not allowed to run. Specify the assets that you want to exclude from scans, either globally or for each scan. Configure authenticated patch scans for Linux, UNIX, or Windows operating systems. Configure different scanning protocols or specify the port ranges that you want to scan. Vulnerability Manager Overview on page 17 Vulnerability Backup and Recovery on page 15 Vulnerability Management Dashboard on page 18 Vulnerability Management Dashboard You can display vulnerability information on your Juniper Secure Analytics (JSA) dashboard. JSA Vulnerability Manager is distributed with a default vulnerability dashboard so that you can quickly review the risk to your organization. You can create a new dashboard, manage your existing dashboards, and modify the display settings of each vulnerability dashboard item. For more information about dashboards, see the Juniper Secure Analytics Users Guide. Reviewing Vulnerability Data on the Default Vulnerability Management Dashboard You can display default vulnerability management information on the JSA dashboard. The default vulnerability management dashboard contains risk, vulnerability, and scanning information. You can configure your own dashboard to contain different elements like saved searches. 18

31 Chapter 2: JSA Vulnerability Manager To review vulnerability data on the default vulnerability management dashboard: 1. Click the Dashboard tab. 2. On the toolbar, in the Show Dashboard list, select Vulnerability Management. Creating a Customized Vulnerability Management Dashboard In JSA you can create a vulnerability management dashboard that is customized to your requirements. To create a customized vulnerability management dashboard: 1. Click the Dashboard tab. 2. On the toolbar, click New Dashboard. 3. Type a Name and Description for your vulnerability dashboard. 4. Click OK. 5. On the toolbar select Add Item > Vulnerability Management and choose from the following options: If you want to show default saved searches on your dashboard, select Vulnerability Searches. If you want to show website links to security and vulnerability information, select Security News, Security Advisories, or Latest Published Vulnerabilities. If you want show information that is about completed or running scans, select Scans Completed or Scans In Progress. Vulnerability Manager Overview on page 17 Vulnerability Backup and Recovery on page 15 Vulnerability Scanning on page 17 19

32 Juniper Secure Analytics Vulnerability Manager User Guide 20

33 CHAPTER 3 Security Software Integrations IBM Endpoint Manager Integration Juniper Secure Analytics (JSA) Vulnerability Manager integrates with other security products to help you manage and prioritize your security risks. IBM Endpoint Manager Integration on page 21 Configuring Secure Socket Layer for IBM Endpoint Manager Integration on page 22 Integrating JSA Vulnerability Manager with IBM Endpoint Manager on page 23 IBM Security SiteProtector Integration on page 24 Juniper Secure Analytics (JSA) Vulnerability Manager integrates with IBM Endpoint Manager to help you filter and prioritize the vulnerabilities that can be fixed. Integration Components A typical JSA Vulnerability Manager IBM Endpoint Manager integration consists of the following components: A Juniper Secure Analytics (JSA) console. A licensed installation of JSA Vulnerability Manager. An IBM Endpoint Manager server installation. An IBM Endpoint Manager agent installation on each of the scan targets in your network. Vulnerability Remediation Depending on whether you installed and integrated IBM Endpoint Manager, JSA Vulnerability Manager provides different information to help you remediate your vulnerabilities. If IBM Endpoint Manager is not installed, then JSA Vulnerability Manager provides information about vulnerabilities for which a fix is available. JSA Vulnerability Manager maintains a list of vulnerability fix information. Fix information is correlated against the known vulnerability catalog. Using the JSA Vulnerability Manager search feature, you can identify vulnerabilities that have an available fix. 21

34 Juniper Secure Analytics Vulnerability Manager User Guide If IBM Endpoint Manager is installed, then JSA Vulnerability Manager also provides specific details about the vulnerability fix process. For example, a fix might be scheduled or an asset might be already fixed. The IBM Endpoint Manager server gathers fix information from each of the IBM Endpoint Manager agents. Fix status information is transmitted to JSA Vulnerability Manager at pre-configured time intervals. Using the JSA Vulnerability Manager search feature, you can quickly identify those vulnerabilities that are scheduled to be fixed or are already fixed. Deploying a Vulnerability Scanner to a JSA Console or Managed Host on page 11 Integrating JSA Vulnerability Manager with IBM Endpoint Manager on page 23 IBM Security SiteProtector Integration on page 24 Configuring Secure Socket Layer for IBM Endpoint Manager Integration You can configure secure socket layer (SSL) encryption to integrate JSA Vulnerability Manager with IBM Endpoint Manager. To configure secure socket layer (SSL) encryption: 1. To download the public key certificate, open your web browser and type NOTE: The IP address is the IP address of your IBM Endpoint Manager server. 2. Click Add Exception. 3. In the Add Security Exception window, click View. 4. Click the Details tab and click Export. 5. In the File name: field, type iemserver_cert.der 6. In the Save as type: field, select X.509 Certificate (DER). 7. Click Save. 8. Copy the public key certificate to your JSA console. 9. To create a JSA Vulnerability Manager truststore. a. Using SSH, log in to the JSA console as the root user. b. Type the following command: keytool -keystore /opt/qvm/iem/truststore.jks -genkey -alias iem c. At the prompts, type the appropriate information to create the truststore. 10. To import the public key certificate to your truststore, type the following command: 22