Juniper Secure Analytics

Transcription

1 Juniper Secure Analytics Managing Vulnerability Assessment Release Published:

2 Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California USA All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Juniper Secure Analytics Managing Vulnerability Assessment All rights reserved. The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. ii

3 Table of Contents About the Documentation ix Documentation and Release Notes ix Documentation Conventions ix Documentation Feedback xi Requesting Technical Support xii Self-Help Online Tools and Resources xii Opening a Case with JTAC xii Part 1 Juniper Secure Analytics Vulnerability Assessment Chapter 1 Vulnerability Assessment Scanner Vulnerability Assessment Scanner Overview Chapter 2 Managing Beyond Security Automatic Vulnerability Detection System Scanner Beyond Security Automatic Vulnerability Detection System Scanner Overview Adding a Beyond Security AVDS Vulnerability Scanner Chapter 3 Managing eeye Scanner eeye Scanner Overview Adding an eeye REM SNMP Scan Adding an eeye REM JDBC Scan Installing the Unrestricted Java Cryptography Extension Chapter 4 Managing IBM Security AppScan Enterprise Scanners IBM Security SiteProtector Scanner Overview Creating a Customer User Type for IBM AppScan Enabling Integration with IBM Security AppScan Enterprise Creating an Application Deployment Map in IBM Security AppScan Enterprise Publishing the Completed Reports in IBM AppScan Adding an IBM AppScan Vulnerability Scanner Chapter 5 Managing an IBM Security Guardium Scanner IBM Security Guardium Scanner Overview Adding an IBM Security Guardium Vulnerability Scanner Chapter 6 Managing IBM Security SiteProtector Scanner IBM Security SiteProtector Scanner Overview Adding an IBM SiteProtector Vulnerability Scanner iii

4 Juniper Secure Analytics Managing Vulnerability Assessment Chapter 7 Managing IBM Security Tivoli Endpoint Manager Scanner IBM Security Tivoli Endpoint Manager Scanner Overview Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner Chapter 8 Managing Foundstone FoundScan Scanner Foundstone FoundScan Scanner Overview Adding a Foundstone FoundScan Scanner Importing Certificates for Foundstone FoundScan Chapter 9 Managing ncircle IP360 Scanner ncircle IP360 Scanner Overview Exporting ncircle IP360 Scan Results To an SSH Server Adding a ncircle IP360 Scanner Chapter 10 Managing Nessus Scanner Nessus Scanner Overview Adding a Nessus Scheduled Live Scan Adding an Nessus Live Scan with the XMLRPC API Adding a Nessus Scheduled Result Import Adding a Nessus Completed Report Import with the XMLRPC API Chapter 11 Managing NMap Scanner NMap Scanner Overview Adding a NMap Remote Result Import Adding a NMap Remote Live Scan Chapter 12 Managing Qualys Scanner Qualys Scanner Overview Adding a Qualys Detection Scanner Adding a Qualys Scheduled Live Scan Adding a Qualys Scheduled Import Asset Report Adding a Qualys Scheduled Import Scan Report Chapter 13 Managing Juniper Profiler NSM Scanner Juniper Profiler NSM Scanner Overview Adding a Juniper NSM Profiler Scanner Chapter 14 Managing Rapid7 NeXpose Scanner Rapid7 NeXpose Scanner Overview Adding a Rapid7 NeXpose Scanner API Site Import Adding a Rapid7 NeXpose Scanner Local File Import Chapter 15 Managing netvigilance SecureScout Scanner netvigilance SecureScout Scanner Overview Adding a netvigilance SecureScout Scan Chapter 16 Managing McAfee Vulnerability Manager Scanner McAfee Vulnerability Manager Scanner Overview Adding a Remote XML Import Scan Adding a McAfee Vulnerability Manager SOAP API Scan Creating Certificates for McAfee Vulnerability Manager Processing Certificates for McAfee Vulnerability Manager iv

5 Table of Contents Importing Certificates For McAfee Vulnerability Manager Chapter 17 Managing SAINT Scanner SAINT Scanner Overview Configuring a SAINTwriter Template Adding a SAINT Vulnerability Scan Chapter 18 Managing Tenable SecurityCenter Scanner Tenable SecurityCenter Scanner Overview Adding a Tenable SecurityCenter Scan Chapter 19 Managing Axis Scanner Axis Scanner Overview Adding an AXIS Vulnerability Scan Chapter 20 Scheduling a Vulnerability Scan Overview Viewing the Status Of a Vulnerability Scan Chapter 21 Managing the Supported Vulnerability Scanner Supported Vulnerability Scanner Overview Part 2 Index Index v

6 Juniper Secure Analytics Managing Vulnerability Assessment vi

7 List of Tables About the Documentation ix Table 1: Notice Icons x Table 2: Text and Syntax Conventions x Part 1 Chapter 2 Juniper Secure Analytics Vulnerability Assessment Managing Beyond Security Automatic Vulnerability Detection System Scanner Table 3: Beyond Security AVDS Vulnerability Scanner Authentication Options Chapter 5 Managing an IBM Security Guardium Scanner Table 4: IBM AppScan Enterprise Scanner Authentication Options Chapter 10 Managing Nessus Scanner Table 5: Nessus Scheduled Result Authentication Options Chapter 11 Managing NMap Scanner Table 6: NMap Remote Result Import Authentication Options Table 7: NMap Remote Live Scan Authentication Options Chapter 16 Managing McAfee Vulnerability Manager Scanner Table 8: Remote XML Import Authentication Options Chapter 17 Managing SAINT Scanner Table 9: SAINT Vulnerability Authentication Options Chapter 19 Managing Axis Scanner Table 10: AXIS Vulnerability Scan Authentication Options Chapter 20 Scheduling a Vulnerability Scan Table 11: VA Scanner CIDR Options Table 12: VA Scanner Priority Options Table 13: Scan Schedule Status Chapter 21 Managing the Supported Vulnerability Scanner Table 14: Supported Vulnerability Scanners vii

8 Juniper Secure Analytics Managing Vulnerability Assessment viii

9 About the Documentation Documentation and Release Notes Documentation and Release Notes on page ix Documentation Conventions on page ix Documentation Feedback on page xi Requesting Technical Support on page xii Documentation Conventions To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes. Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at Table 1 on page x defines notice icons used in this guide. ix

10 Juniper Secure Analytics Managing Vulnerability Assessment Table 1: Notice Icons Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser. Tip Indicates helpful information. Best practice Alerts you to a recommended use or implementation. Table 2: Text and Syntax Conventions Table 2 on page x defines the text and syntax conventions used in this guide. Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: user@host> configure Fixed-width text like this Italic text like this Represents output that appears on the terminal screen. Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles. user@host> show chassis alarms No alarms currently active A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide RFC 1997, BGP Communities Attribute Italic text like this Represents variables (options for which you substitute a value) in commands or configuration statements. Configure the machine s domain name: [edit] root@# set system domain-name domain-name x

11 About the Documentation Table 2: Text and Syntax Conventions (continued) Convention Description Examples Text like this Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE. < > (angle brackets) Encloses optional keywords or variables. stub <default-metric metric>; (pipe symbol) Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. broadcast multicast (string1 string2 string3) # (pound sign) Indicates a comment specified on the same line as the configuration statement to which it applies. rsvp { # Required for dynamic MPLS only [ ] (square brackets) Encloses a variable for which you can substitute one or more values. community name members [ community-ids ] Indention and braces ( { } ) ; (semicolon) Identifies a level in the configuration hierarchy. Identifies a leaf statement at a configuration hierarchy level. [edit] routing-options { static { route default { nexthop address; retain; } } } GUI Conventions Bold text like this Represents graphical user interface (GUI) items you click or select. In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel. > (bold right angle bracket) Separates levels in a hierarchy of menu selections. In the configuration editor hierarchy, select Protocols>Ospf. Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods: Online feedback rating system On any page at the Juniper Networks Technical Documentation site at simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at xi

12 Juniper Secure Analytics Managing Vulnerability Assessment Send your comments to Include the document or topic name, URL or page number, and software version (if applicable). Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at Product warranties For product warranty information, visit JTAC hours of operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Search for known bugs: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). xii

13 About the Documentation For international or direct-dial options in countries without toll-free numbers, see xiii

14 Juniper Secure Analytics Managing Vulnerability Assessment xiv

15 PART 1 Juniper Secure Analytics Vulnerability Assessment Vulnerability Assessment Scanner on page 3 Managing Beyond Security Automatic Vulnerability Detection System Scanner on page 5 Managing eeye Scanner on page 9 Managing IBM Security AppScan Enterprise Scanners on page 15 Managing an IBM Security Guardium Scanner on page 21 Managing IBM Security SiteProtector Scanner on page 25 Managing IBM Security Tivoli Endpoint Manager Scanner on page 29 Managing Foundstone FoundScan Scanner on page 33 Managing ncircle IP360 Scanner on page 37 Managing Nessus Scanner on page 41 Managing NMap Scanner on page 49 Managing Qualys Scanner on page 55 Managing Juniper Profiler NSM Scanner on page 63 Managing Rapid7 NeXpose Scanner on page 67 Managing netvigilance SecureScout Scanner on page 71 Managing McAfee Vulnerability Manager Scanner on page 75 Managing SAINT Scanner on page 83 Managing Tenable SecurityCenter Scanner on page 87 Managing Axis Scanner on page 89 Scheduling a Vulnerability Scan on page 93 Managing the Supported Vulnerability Scanner on page 97 1

16 Juniper Secure Analytics Managing Vulnerability Assessment 2

17 CHAPTER 1 Vulnerability Assessment Scanner This chapter describes about the following sections: Vulnerability Assessment Scanner Overview on page 3 Vulnerability Assessment Scanner Overview Integration with vulnerability assessment scanners provide administrators and security professionals information build vulnerability assessment profiles for network assets. References to Juniper Secure Analytics (JSA) apply to all products capable of collecting vulnerability assessment information. Products that support scanners include JSA. Assets and asset profiles created for servers and hosts in your network provide important information to assist you when resolving security issues. Networks, servers, and individual hosts within the network can be extremely complicated. The ability to collect data and view information about an asset is the purpose of the Assets tab. The goal is to connect offenses triggered in your system to physical or virtual assets to provide a starting point in a security investigation. Asset data is helpful to identify threats, to identify vulnerabilities, services, ports, and monitor asset usage in your network. The Assets tab in JSA is intended to provide a unified view of the information known about your assets. As more information is provided to the system through vulnerability assessment, the system updates the asset profile and incrementally builds a complete picture about your asset. Vulnerability assessment profiles use correlated event data, network activity, and behavioral changes to determine the threat level and vulnerabilities present on critical business assets in your network. Integration with vulnerability assessment products provides administrators the ability to schedule scans and ensure that vulnerability information is relevant for assets in the network. To collect vulnerability assessment information for JSA, administrators can select a scanner from the following support scanner list: For the list of support scanner products, see Managing the Supported Vulnerability Scanner on page 97. For the configuration options to add a vulnerability scanner to JSA, see ManagingBeyondSecurityAutomaticVulnerabilityDetectionSystemScanner onpage5. Managing eeye Scanner on page 9. 3

18 Juniper Secure Analytics Managing Vulnerability Assessment Managing an IBM Security Guardium Scanner on page 21. Managing IBM Security AppScan Enterprise Scanners on page 15. Managing IBM Security Tivoli Endpoint Manager Scanner on page 29. Managing ncircle IP360 Scanner on page 37. Managing Nessus Scanner on page 41. Managing NMap Scanner on page 49. Managing Qualys Scanner on page 55. Managing Foundstone FoundScan Scanner on page 33. Managing Juniper Profiler NSM Scanner on page 63. Managing Rapid7 NeXpose Scanner on page 67. Managing netvigilance SecureScout Scanner on page 71. Managing McAfee Vulnerability Manager Scanner on page 75. Managing SAINT Scanner on page 83. Managing Axis Scanner on page 89. Managing Tenable SecurityCenter Scanner on page 87. To add a scan schedule to import the vulnerability data, see Scheduling a Vulnerability Scan on page 93. To view the status of the scan to verify the successful data import, see Viewing the Status Of a Vulnerability Scan on page 94. 4

19 CHAPTER 2 Managing Beyond Security Automatic Vulnerability Detection System Scanner This chapter describes about the following sections: Beyond Security Automatic Vulnerability Detection System Scanner Overview on page 5 Adding a Beyond Security AVDS Vulnerability Scanner on page 5 Beyond Security Automatic Vulnerability Detection System Scanner Overview Vulnerability assessment is the evaluation of assets in the network to identify and prioritize potential security issues. Juniper Secure Analytics (JSA) products that support Vulnerability Assessment can import vulnerability data from external scanner products to identify vulnerabilities profiles for assets. Vulnerability assessment profiles use correlated event data, network activity, and behavioral changes to determine the threat level and vulnerabilities present on critical business assets in your network. As external scanners generate scan data, JSA can retrieve the vulnerability data with a scan schedule. To configure a Beyond Security AVDS scanner, see Adding a Beyond Security AVDS Vulnerability Scanner on page 5. Related Documentation Vulnerability Assessment Scanner Overview on page 3. Adding a Beyond Security AVDS Vulnerability Scanner on page 5. Viewing the Status Of a Vulnerability Scan on page 94 Adding a Beyond Security AVDS Vulnerability Scanner Beyond Security Automated Vulnerability Detection System (AVDS) appliances create vulnerability data in Asset Export Information Source (AXIS) format. AXIS formatted files can be imported by XML files that can be imported. To successfully integrate a Beyond Security AVDS vulnerabilities with Juniper Secure Analytics (JSA), you must configure your Beyond Security AVDS appliance to publish vulnerability data to an AXIS formatted XML results file. The XML vulnerability data must 5

20 Juniper Secure Analytics Managing Vulnerability Assessment be published to a remote server that is accessible by using Secure File Transfer Protocol (SFTP). The term remote server refers to any appliance, 3rd party host, or network storage location that can host the published XML scan result files. The most recent XML results containing Beyond Security AVDS vulnerabilities are imported to when a scan schedule starts. Scan schedules determine the frequency with which vulnerability data created by Beyond Security AVDS is imported. After you add your Beyond Security AVDS appliance to JSA, you can then create a scan schedule to import the scan result files. Vulnerabilities from the scan schedule updates the Assets tab after the scan schedule completes. To add a Beyond Security AVDS Vulnerability Scanner to JSA: 1. Click the Admin tab. 2. Click the VA Scanners icon. 3. Click Add. 4. In the Scanner Name field, type a name to identify your Beyond Security AVDS scanner. 5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import. 6. From the Type list, select Beyond Security AVDS. 7. In the Remote Hostname field, type the IP address or host name of the system that contains the published scan results from your Beyond Security AVDS scanner. 8. Choose one of the following authentication options as described in Table 3 on page 6. Table 3: Beyond Security AVDS Vulnerability Scanner Authentication Options Option Description Login Username To authenticate with a username and password: 1. In the Login Username field, type a username that has access to retrieve the scan results from the remote host. 2. In the Login Password field, type the password associated with the username. Enable Key Authorization To authenticate with a key-based authentication file: 1. Select the Enable Key Authentication check box. 2. In the Private Key File field, type the directory path to the key file. The default is directory for the key file is /opt/ qradar/conf/vis.ssh.key. If a key file does not exist, you must create the vis.ssh.key file. 9. In the Remote Directory field, type the directory location of the scan result files. 10. In the File Name Pattern field, type a regular expression (regex) required to filter the list of files specified in the Remote Directory. All matching files are included in the processing. The default value is.*\.xml. The.*\.xml pattern imports all xml files in the remote directory. 6

21 Chapter 2: Managing Beyond Security Automatic Vulnerability Detection System Scanner 11. In the Max Reports Age (Days) field, type the maximum file age for your scan results file. Files that are older than the specified days and timestamp on the report file are excluded when the schedule scan starts. The default value is 7 days. 12. To configure the Ingore Duplicates option: Select this check box to track files that have already been processed by a scan schedule. This option prevents a scan result file from being processed a second time. Clear this check box to import vulnerability scan results each time the scan schedule starts. This option can lead to multiple vulnerabilities being associated with an asset. If a result file is not scanned within 10 days, the file is removed from the tracking list and is processed the next time the scan schedule starts. 13. To configure a CIDR range for your scanner: a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR range from the network list. b. Click Add. 14. Click Save. 15. On the Admin tab, click Deploy Changes. To create a scan schedule, see Scheduling a Vulnerability Scan on page 93 Related Documentation Vulnerability Assessment Scanner Overview on page 3. Viewing the Status Of a Vulnerability Scan on page 94 Adding an eeye REM SNMP Scan on page 9 7

22 Juniper Secure Analytics Managing Vulnerability Assessment 8

23 CHAPTER 3 Managing eeye Scanner eeye Scanner Overview This chapter describes about the following sections: eeye Scanner Overview on page 9 Adding an eeye REM SNMP Scan on page 9 Adding an eeye REM JDBC Scan on page 11 Installing the Unrestricted Java Cryptography Extension on page 13 Juniper Secure Analytics (JSA) can collect vulnerability data from eeye REM Security Management console or eeye Retina CS scanners. The following protocol options are available to collect vulnerability information from eeye scanners: Add a SNMP protocol eeye scanner. See Adding an eeye REM SNMP Scan on page 9. Add a JDBC protocol eeye scanner. See Adding an eeye REM JDBC Scan on page 11. Related Documentation Adding an eeye REM SNMP Scan on page 9 Adding an eeye REM JDBC Scan on page 11 Vulnerability Assessment Scanner Overview on page 3. Adding a Beyond Security AVDS Vulnerability Scanner on page 5. Adding an eeye REM SNMP Scan Administrators can add a scanner to collect vulnerability data over SNMP from eeye REM or CS Retina scanners. To use CVE identifiers and descriptions, you must copy the audits.xml file from your eeye REM scanner to the managed host responsible for listening for SNMP data. If your managed host is in a distributed deployment, you must copy the audits.xml to the console first and SSH the file to /opt/qradar/conf/audits.xml on the managed host. The default location of audits.xml on the eeye scanner is %ProgramFiles(x86)%\eEye Digital Security\Retina CS\Applications\RetinaManager\Database\audits.xml. 9

24 Juniper Secure Analytics Managing Vulnerability Assessment To receive the most up-to-date CVE information, administrators must periodically update Juniper Secure Analytics (JSA) with the latest audits.xml file. To add an eeye REM scanner to JSA: 1. Click the Admin tab. 2. Click the VA Scanners icon. 3. Click Add. 4. In the Scanner Name field, type a name to identify your SecureScout server. 5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import. 6. From the Type list, select eeye REM Scanner. 7. From the Import Type list, select SNMP. 8. In the Base Directory field, type a location to store the temporary files that contain the eeye REM scan data. The default directory is /store/tmp/vis/eeye/. 9. In the Cache Size field, type the number of transactions you want to store in the cache before the SNMP data is written to the temporary file. The default is 40. The default value is 40 transactions. 10. In the Retention Period field, type the time period, in days, that the system stores scan information. If a scan schedule has not imported data before the retention period expires, the scan information from the cache is deleted. 11. Select the Use Vulnerability Data check box to correlate eeye vulnerabilities to Common Vulnerabilities and Exposures (CVE) identifiers and description information. 12. In the Vulnerability Data File field, type the directory path to the eeye audits.xml file. 13. In the Listen Port field, type the port number that is used to monitor for incoming SNMP vulnerability information from your eeye REM scanner. The default port is In the Source Host field, type the IP address of the eeye scanner. 15. From the SNMP Version list, select the SNMP protocol version. The default protocol is SNMPv In the Community String field, type the SNMP community string for the SNMPv2 protocol. For example, Public. 17. From the Authentication Protocol list, select the algorithm to authenticate SNMPv3 traps. The options include: SHA Select this option to use Secure Hash Algorithm (SHA) as your authentication protocol. MD5 Select this option to use Message Digest 5 (MD5) as your authentication protocol. 10

25 Chapter 3: Managing eeye Scanner 18. In the Authentication Password field, type the password that you want to use to authenticate SNMPv3 communication. The password must include a minimum of eight characters. 19. From the Encryption Protocol list, select the SNMPv3 decryption algorithm. The options include: DES Select this option to use the Data Encryption Standard (DES). AES128 Select this option to use the 128-bit Advanced Encryption Standard (AES). AES192 Select this option to use the 192-bit Advanced Encryption Standard (AES). AES256 Select this option to use the 256-bit Advanced Encryption Standard (AES). 20. In the Encryption Password field, type the password required to decrypt SNMPv3 traps. 21. To configure a CIDR range for your scanner: a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR range from the network list. b. Click Add. 22. Click Save. 23. On the Admin tab, click Deploy Changes. Select one of the following options: If you do not use SNMPv3 or use low-level SNMP encryption, you are now ready to create a scan schedule. See Scheduling a Vulnerability Scan on page 93. If your SNMPv3 configuration uses AES192 or AES256 encryption, you must install the unrestricted Java cryptography extension on each console or managed host that receives SNMPv3 traps. See Installing the Unrestricted Java Cryptography Extension on page 13. Related Documentation Installing the Unrestricted Java Cryptography Extension on page 13 Adding an eeye REM JDBC Scan on page 11 Vulnerability Assessment Scanner Overview on page 3. Adding a Beyond Security AVDS Vulnerability Scanner on page 5. Adding an eeye REM JDBC Scan Administrators can add a scanner to collect vulnerability data over JDBC from eeye REM or CS Retina scanners. Before you configure Juniper Secure Analytics (JSA) to poll for vulnerability data, we suggest you create a database user account and password for JSA. If you assign the user 11

26 Juniper Secure Analytics Managing Vulnerability Assessment account read-only permission to the RetinaCSDatabase, you can restrict access to the database that contains the eeye vulnerabilities. The JDBC protocol enables JSA to log in and poll for events from the MSDE database. Ensure that no firewall rules block communication between the eeye scanner and the console or managed host responsible for polling with the JDBC protocol. If you use database instances, you must verify port 1433 is available for the SQL Server Browser Service to resolve the instance name. To add an eeye REM JDBC scanner to JSA: 1. Click the Admin tab. 2. Click the VA Scanners icon. 3. Click Add. 4. In the Scanner Name field, type a name to identify your SecureScout server. 5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import. 6. From the Type list, select eeye REM Scanner. 7. From the Import Type list, select JDBC. 8. In the Hostname field, type the IP address or the host name of the eeye database. 9. In the Port field, type Optional. In the Database Instance field, type the database instance for the eeye database. If a database instance is not used, administrators can leave this field blank. 11. In the Username field, type the username required to query the eeye database. 12. In the Password field, type the password required to query the eeye database. 13. In the Domain field, type the domain required, if required, to connect to the eeye database. If the database is configured for Windows and inside a domain, you must specify the domain name. 14. In the Database Name field, type RetinaCSDatabase as the database name. 15. Select the Use Named Pipe Communication check box if named pipes are required to communicate to the eeye database. By default, this check box is clear. 16. Select the Use NTLMv2 check box if the eeye scanner uses NTLMv2 as an authentication protocol. By default, this check box is clear. The Use NTLMv2 check box forces MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. The Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication. 17. To configure a CIDR range for the scanner: a. In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list. 12

27 Chapter 3: Managing eeye Scanner b. Click Add. 18. Click Save. 19. On the Admin tab, click Deploy Changes. To create a scan schedule, see Scheduling a Vulnerability Scan on page 93. Related Documentation Installing the Unrestricted Java Cryptography Extension on page 13 Adding an eeye REM JDBC Scan on page 11 Vulnerability Assessment Scanner Overview on page 3. Adding a Beyond Security AVDS Vulnerability Scanner on page 5. Installing the Unrestricted Java Cryptography Extension The Java Cryptography Extension (JCE) is a Java framework that is required to decrypt advanced cryptography algorithms for AES 192-bit or AES 256-bit SNMPv3 traps. Each managed host that receives SNMPv3 traps with high-level requires the unrestricted JCE. You must repeat this process on each appliance that listens If you require advanced cryptography algorithms for SNMP communication, you must update the existing cryptography extension on your managed host with an unrestricted JCE. To Install the Unrestricted Java Cryptography Extension to Juniper Secure Analytics (JSA): 1. Using SSH, log in to your JSA console. 2. To verify the version of Java on the console, type the following command: java -version NOTE: The JCE file must match the version of the Java installed on the console. 3. Download the latest version of the Java Cryptography Extension. 4. Secure copy (SCP) the local.policy.jar and US_export_policy.jar file to the following directory of the console: /opt/ibm/java-[version]/jre/lib/security/ 5. Optional. Distributed deployments require administrators to copy the local.policy.jar and US_export_policy.jar files from the console appliance to the managed host. To create a scan schedule, see Scheduling a Vulnerability Scan on page 93. Related Documentation Adding a Beyond Security AVDS Vulnerability Scanner on page 5 Adding an eeye REM SNMP Scan on page 9 Adding an eeye REM JDBC Scan on page 11 13

28 Juniper Secure Analytics Managing Vulnerability Assessment 14

29 CHAPTER 4 Managing IBM Security AppScan Enterprise Scanners This chapter describes about the following sections: IBM Security SiteProtector Scanner Overview on page 15 Creating a Customer User Type for IBM AppScan on page 16 Enabling Integration with IBM Security AppScan Enterprise on page 16 Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 17 Publishing the Completed Reports in IBM AppScan on page 18 Adding an IBM AppScan Vulnerability Scanner on page 18 IBM Security SiteProtector Scanner Overview The IBM SiteProtector scanner module for Juniper Secure Analytics (JSA) accesses vulnerability data from IBM SiteProtector scanners through Java Database Connectivity (JDBC) queries. The IBM SiteProtector scanner retrieves vulnerability data from the RealSecureDB table and polls for new vulnerabilities each time a scan schedule starts. The Compare field enables the query to retrieve any new vulnerabilities from the RealSecureDB table to ensure that duplicate vulnerabilities are not imported. When the IBM SiteProtector scanner is configured, the administrator can create a SiteProtector user account specifically for polling vulnerability data. After the user account is created, the administrator can verify that there are no firewalls that reject queries on the port configured to poll the database. To configure an IBM Security SiteProtector scanner, see Adding an IBM SiteProtector Vulnerability Scanner on page 25. Related Documentation Adding an IBM SiteProtector Vulnerability Scanner on page 25 Creating a Customer User Type for IBM AppScan on page 16 Enabling Integration with IBM Security AppScan Enterprise on page 16 Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 17 15

30 Juniper Secure Analytics Managing Vulnerability Assessment Creating a Customer User Type for IBM AppScan Custom user types allow administrators to perform limited and specific administrative tasks and must be created before you can assign permissions. To create a customer user type for IBM AppScan: 1. Log in to your IBM AppScan Enterprise appliance. 2. Click the Administration tab. 3. On the User Types page, click Create. 4. Select all of the following user permissions: Configure Juniper Secure Analytics (JSA) Integration Select this check box to allow users to access the JSA integration options for AppScan Enterprise. Publish to JSA Select this check box to allow JSA access to published scan report data. JSA Service Account Select this check box to add access to the REST API for the user account. This permission does not provide access the user interface. 5. Click Save. You are now ready to enable integration permissions. See Enabling Integration with IBM Security AppScan Enterprise on page 16. Related Documentation Adding an IBM SiteProtector Vulnerability Scanner on page 25 Creating a Customer User Type for IBM AppScan on page 16 Enabling Integration with IBM Security AppScan Enterprise on page 16 Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 17 Enabling Integration with IBM Security AppScan Enterprise IBM Security AppScan Enterprise must be configured to enable integration with Juniper Secure Analytics (JSA). To complete these steps, you must be logged in with the user type you created in the previous step. To enable integration with IBM SecurityAppScan Enterprise: 1. Click the Administration tab. 2. On the Navigation menu, select Network Security Systems. 3. On the JSA Integration Setting pane, click Edit. 4. Select the Enable JSA Integration check box. 16

31 Chapter 4: Managing IBM Security AppScan Enterprise Scanners Any reports previously published to JSA are displayed. If any of the reports displayed are no longer required, you can remove them from the list. As you publish additional reports to JSA, the reports are displayed in this list. You are now ready to configure the Application Deployment Mapping in AppScan Enterprise. See Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 17. Related Documentation Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 17 Creating a Customer User Type for IBM AppScan on page 16 Enabling Integration with IBM Security AppScan Enterprise on page 16 Adding an IBM SiteProtector Vulnerability Scanner on page 25 Creating an Application Deployment Map in IBM Security AppScan Enterprise The Application Deployment Map allows AppScan Enterprise to determine the locations hosting the application in your production environment. As vulnerabilities are discovered, AppScan Enterprise knows the locations of the hosts and the IP addresses affected by the vulnerability. If an application is deployed to several hosts, then AppScan Enterprise generates a vulnerability for each host in the scan results. To create an application deployment map in IBM Security AppScan Enterprise: 1. Click the Administration tab. 2. On the Navigation menu, select Network Security Systems. 3. On the Juniper Secure Analytics (JSA) Integration Setting pane, click Edit. 4. In the Application test location (host or pattern) field, type the test location of your application. 5. In the Application production location (host) field, type the IP address of your production environment. To add vulnerability information to JSA, your Application Deployment Mapping must include an IP address. Any vulnerability data without an IP address is excluded from JSA if the IP address is not available in the AppScan Enterprise scan results. 6. Click Add. 7. Repeat this procedure to map any more production environments in AppScan Enterprise. 8. Click Done. You are now ready to publish completed reports. See Publishing the Completed Reports in IBM AppScan on page 18. Related Documentation Publishing the Completed Reports in IBM AppScan on page 18 Adding an IBM AppScan Vulnerability Scanner on page 18 17

32 Juniper Secure Analytics Managing Vulnerability Assessment Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 17 Creating a Customer User Type for IBM AppScan on page 16 Publishing the Completed Reports in IBM AppScan Completed vulnerability reports generated by AppScan Enterprise must be made accessible to Juniper Secure Analytics (JSA) by publishing the report. To publish the completed reports in IBM AppScan: Click the Jobs & Reports tab. Navigate to the security report you want to make available to JSA. On the menu bar of any security report, select Publish > Grant to provide report access to JSA. Click Save. You are now ready to enable integration permissions. See Adding an IBM AppScan Vulnerability Scanner on page 18. Related Documentation Adding an IBM AppScan Vulnerability Scanner on page 18 Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 17 Creating a Customer User Type for IBM AppScan on page 16 Adding an IBM AppScan Vulnerability Scanner Adding a scanner enables administrators to define which scan reports in IBM Security AppScan are collected by Juniper Secure Analytics (JSA). Administrators can add multiple IBM AppScan scanners to JSA, each with a different configuration. Multiple configurations provide JSA the ability to import AppScan data for specific results. The scan schedule determines the frequency with which scan result are imported from the REST web service in IBM AppScan Enterprise. To add an IBM AppScan Vulnerability Scanner to JSA: 1. Click the Admin tab. 2. Click the VA Scanners icon. 3. Click Add. 4. In the Scanner Name field, type a name to identify your IBM AppScan Enterprise scanner. 5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import. 6. From the Type list, select IBM AppScan Scanner. 18

33 Chapter 4: Managing IBM Security AppScan Enterprise Scanners 7. In the ASE Instance Base URL field, type the full base URL of the AppScan Enterprise instance. This field supports HTTP and HTTPS addresses. For example, 8. From the Authentication Type list, select one of the following options: Windows Authentication Select this option to use Windows Authentication with the REST web service. Jazz Authentication Select this option to use Jazz Authentication with the REST web service. 9. In the Username field, type the username required to retrieve scan results from AppScan Enterprise. 10. In the Password field, type the password required to retrieve scan results from AppScan Enterprise. 11. In the Report Name Pattern field, type a regular expression (regex) required to filter the list of vulnerability reports available from AppScan Enterprise. By default, the Report Name Pattern field contains.* as the regex pattern. The.* pattern imports all scan reports that are published to JSA. All matching files from the file pattern are processed by JSA. You can specify a group of vulnerability reports or an individual report using a regex pattern. 12. To configure a CIDR range for your scanner: a. In the text field, type the CIDR range for the scanner or click Browse to select a CIDR range from the network list. b. Click Add. 13. Click Save. 14. On the Admin tab, click Deploy Changes. You are now ready to create a scan schedule for IBM Security AppScan Enterprise. See Scheduling a Vulnerability Scan on page 93. Related Documentation Publishing the Completed Reports in IBM AppScan on page 18 Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 17 Creating a Customer User Type for IBM AppScan on page 16 19

34 Juniper Secure Analytics Managing Vulnerability Assessment 20

35 CHAPTER 5 Managing an IBM Security Guardium Scanner This chapter describes about the following sections: IBM Security Guardium Scanner Overview on page 21 Adding an IBM Security Guardium Vulnerability Scanner on page 22 IBM Security Guardium Scanner Overview IBM InfoSphere Guardium appliances are capable of exporting database vulnerability information that can be critical to protecting customer data. IBM Guardium audit processes export the results of tests that fail the Common Vulnerability and Exposures (CVE) tests generated when running security assessment tests on your IBM Guardium appliance. The vulnerability data from IBM Guardium must be exported to a remote server or staging server in Security Content Automation Protocol (SCAP) format. Juniper Secure Analytics (JSA) can then retrieve the scan results from the remote server storing the vulnerability using SFTP. IBM Guardium only exports vulnerability from databases containing failed CVE test results. If there are no failed CVE tests, IBM Guardium may not export a file at the end of the security assessment. For information on configuring security assessment tests and creating an audit process to export vulnerability data in SCAP format, see your IBM InfoSphere Guardium documentation. After you have configured your IBM Guardium appliance, you are ready to configure Juniper Secure Analytics (JSA) to import the results from the remote server hosting the vulnerability data. You must add an IBM Guardium scanner to JSA and configure the scanner to retrieve data from your remote server. The most recent vulnerabilities are imported by JSA when you create a scan schedule. Scan schedules allow you to determine the frequency with which JSA requests data from the remote server host your IBM Guardium vulnerability data. Integration overview for IBM InfoSphere Guardium and JSA. 21

36 Juniper Secure Analytics Managing Vulnerability Assessment To integrate IBM InfoSphere Guardium with JSA: 1. On your IBM InfoSphere Guardium appliance, create an SCAP file with your vulnerability information. See your IBM Security InfoSphere Guardium documentation. 2. On your JSA console, add an IBM Guardium scanner. See Adding an IBM Security Guardium Vulnerability Scanner on page On your JSA console, create a scan schedule to import scan result data. See Scheduling a Vulnerability Scan on page 93 Related Documentation Adding an IBM Security Guardium Vulnerability Scanner on page 22 Publishing the Completed Reports in IBM AppScan on page 18 Adding an IBM Security Guardium Vulnerability Scanner Adding a scanner allows Juniper Secure Analytics (JSA) to collect SCAP vulnerability files from IBM InfoSphere Guardium. Administrators can add multiple IBM Guardium scanners to JSA, each with a different configuration. Multiple configurations provide JSA the ability to import vulnerability data for specific results. The scan schedule determines the frequency with which the SCAP scan result are imported from IBM InfoSphere Guardium. To add an IBM Security Guardium Vulnerability Scanner to JSA: 1. Click the Admin tab. 2. Click the VA Scanners icon. 3. Click Add. 4. In the Scanner Name field, type a name to identify your IBM AppScan Enterprise scanner. 5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import. 6. From the Type list, select IBM Guardium SCAP Scanner. 7. Choose one of the following authentication options as described in Table 4 on page 22. Table 4: IBM AppScan Enterprise Scanner Authentication Options Option Description Login Username To authenticate with a username and password: 1. In the Login Username field, type a username that has access to retrieve the scan results from the remote host. 2. In the Login Password field, type the password associated with the username. 22