Sub: Supply, installation, setup and testing of Tenable Network Security Nessus vulnerability scanner, Professional version 6 or latest, for scanning the LAN, VLAN, VPN and IPs, with a 3-year license/subscription from the date of installation at AMD, Hyderabad.

Requirements:

1. Architecture

The product must scan various network-attached devices, including but not limited to UNIX- and Windows-based machines, web and database servers, routers, printers, firewalls, switches and other types of network equipment, for security vulnerabilities.

The product must allow the entry of user credentials, including Windows local and domain accounts and Unix su and sudo over SSH, so that it can authenticate and perform elevated-permission checks for patch levels, services, configuration audits, etc.

The product must be capable of testing for both local and remote vulnerabilities without a client-side agent installed on the target device, i.e. the product must be agentless.

The product must provide a vulnerability database of current exploits, and must provide a method of automated vulnerability database update to keep the database current.

The product must:
- allow scheduled scanning of devices;
- allow selected tests to be enabled or disabled during scheduled scans;
- automatically start and stop scans according to the schedule without user interaction;
- allow scans to be interactively paused and resumed;
- not depend on the operating system's ability to schedule tasks.
The product must also be IPv6-compatible.

The product must be able to accept scan targets in multiple formats, including hostnames, IP ranges and IP classes, for instance 10.0.1.1 to 10.0.1.100. Importing a list of IPs contained in a file must also be supported. VPN targets must also be supported, e.g. X.0.1.1 to X.9.0.100. Describe the manner in which targets can be input to the product. The product should support scanning of LAN, VLAN, VPN and public IPs for any vulnerability.
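The target-input requirement above lists the forms a scanner must accept (hostnames, dashed IP ranges, "IP classes" as CIDR blocks, IPv6, and a file of targets) but does not say how such input is validated. The following Python parser is an added example written for this page; it is not part of the tender and does not reproduce Nessus's own target grammar. It assumes a dashed range is written as two complete addresses of the same family (10.0.1.1-10.0.1.100), that an "IP class" is a CIDR block, and it adds a constructed expansion cap (MAX_EXPANSION) so a mistyped /8 does not queue millions of targets. The sample target file is constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple, Union

# Constructed guard for this example (not a Nessus setting): the largest number
# of concrete addresses one specification may expand to.
MAX_EXPANSION = 65536

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Dashed range of two complete addresses, e.g. 10.0.1.1-10.0.1.100 (assumed syntax).
_RANGE_RE = re.compile(r"^([0-9A-Fa-f:.]+)-([0-9A-Fa-f:.]+)$")
# RFC 1123-style hostname: dot-separated labels of letters, digits and inner hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def _expand_range(start: IPAddr, end: IPAddr) -> List[str]:
    """Enumerate every address from start to end inclusive; both ends must share a family."""
    if start.version != end.version:
        raise ValueError(f"range mixes IPv{start.version} and IPv{end.version}: {start}-{end}")
    if int(start) > int(end):
        raise ValueError(f"range start lies after its end: {start}-{end}")
    count = int(end) - int(start) + 1
    if count > MAX_EXPANSION:
        raise ValueError(f"range {start}-{end} expands to {count} targets (limit {MAX_EXPANSION})")
    family = type(start)  # IPv4Address or IPv6Address, so small IPv6 integers stay IPv6
    return [str(family(i)) for i in range(int(start), int(end) + 1)]


def _parse_pair(a: str, b: str) -> Optional[Tuple[IPAddr, IPAddr]]:
    """Return both ends as addresses, or None when the text is not two addresses."""
    try:
        return ipaddress.ip_address(a), ipaddress.ip_address(b)
    except ValueError:
        return None


def expand_target(spec: str) -> List[str]:
    """Expand one target specification into concrete scan targets.

    Accepts a CIDR block, a single IPv4/IPv6 address, a dashed range, or a
    hostname (returned unchanged; name resolution is left to the scanner).
    Raises ValueError for anything malformed rather than guessing.
    """
    spec = spec.strip()
    if not spec or spec.startswith("#"):
        return []

    # CIDR block ("IP class"): usable hosts only, except for a single-host prefix.
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        if net.prefixlen == net.max_prefixlen:
            return [str(net.network_address)]
        if net.num_addresses > MAX_EXPANSION:
            raise ValueError(f"{spec} expands to {net.num_addresses} targets (limit {MAX_EXPANSION})")
        return [str(a) for a in net.hosts()]

    # Single address, IPv4 or IPv6.
    try:
        return [str(ipaddress.ip_address(spec))]
    except ValueError:
        pass

    # Dashed range; "cafe-beef" also matches the regex, so only commit once both ends parse.
    m = _RANGE_RE.match(spec)
    if m:
        ends = _parse_pair(m.group(1), m.group(2))
        if ends is not None:
            return _expand_range(*ends)

    # A dotted-digit string that failed to parse is a broken IPv4 address, not a hostname.
    if re.fullmatch(r"[0-9.]+", spec):
        raise ValueError(f"malformed IPv4 address: {spec}")
    if len(spec) <= 253 and _HOSTNAME_RE.match(spec):
        return [spec]
    raise ValueError(f"unrecognised target specification: {spec!r}")


def load_targets(lines: Iterable[str]) -> List[str]:
    """Expand a target file (comma- or space-separated specs, '#' comments) into a
    de-duplicated list that preserves first-seen order."""
    seen = set()
    out: List[str] = []
    for raw in lines:
        body = raw.split("#", 1)[0].strip()
        for spec in re.split(r"[,\s]+", body):
            for target in expand_target(spec):
                if target not in seen:
                    seen.add(target)
                    out.append(target)
    return out


# Constructed sample target file for this example (not from the tender).
SAMPLE_TARGET_FILE = """\
# core servers
10.0.1.1-10.0.1.5, dc01.corp.example
192.168.5.0/30          # a small block
2001:db8::10-2001:db8::12
10.0.1.3                # already covered by the range above
"""

if __name__ == "__main__":
    for target in load_targets(SAMPLE_TARGET_FILE.splitlines()):
        print(target)
```

Rejecting rather than guessing is the design choice worth noting: a reversed range, a mixed IPv4/IPv6 range, an oversized block or a dotted string such as 10.0.1.300 each raise ValueError, so a typo in the target file surfaces before the scan is scheduled instead of silently shrinking or widening the scope.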
The product must include a policy editor that allows policies to be set up to run one or more checks during any scan.
The product must use a central console for conducting security assessments across the enterprise, against a variety of network-attached devices. The centralized console must provide facilities to deploy security policies across multiple instances of the product.

The product must support scanning of the following operating systems:
- Microsoft Windows
- AIX
- Solaris
- HP-UX
- Linux
- NetWare
- Mac OS X
- Others (standard)

The product must support vulnerability scanning and configuration audit of standard devices. The product must support vulnerability scanning of VMware servers. The product must support users writing their own checks to be performed by the scanner.

The scan engine must be available for installation on:
- Windows
- Linux
- Mac OS X
- Solaris
- VMware, as a virtual appliance (a VM running in less than 1 GB of virtual memory)

2. Asset Discovery

The product must not rely on external scanners for asset discovery, port scanning or OS identification. The product must support the use of netstat for rapid and accurate enumeration of open ports on a system when credentials are supplied. The product must support the use of SMB and WMI for scanning Windows systems. The product must be capable of automatically starting the Remote Registry service on Windows systems when performing a credentialed scan, and of automatically stopping the service again once the scan is complete.
The scanner must support secure shell (SSH) with su and sudo for escalating privileges during vulnerability scans and configuration audits on Unix systems.

Vulnerability Identification

The product must detect and rank issues, risks and vulnerabilities. It must also provide detailed information on the nature of each risk and recommendations for mitigating it. The product must report on known weaknesses in a given target as identified by security advisory organizations (e.g. the Common Vulnerabilities and Exposures database (CVE), the Open Source Vulnerability Database (OSVDB), the SecurityFocus Bugtraq ID (BID), or any combination of them).

The product must support PCI compliance vulnerability scanning. The product must include pre-defined PCI scan profiles that meet current PCI DSS criteria for network scanning. Functionality must exist to filter out all vulnerabilities that are not PCI-relevant.

The product's vulnerability database must include checks for:
- OS security and patches
- Routers and switches
- Firewalls
- DNS
- FTP
- SMTP
- RPC
- SNMP
- LDAP
- SMB
- CGI
- Web servers
- Databases
- Backdoors
- Denial of service
- Default accounts
- Peer-to-peer
- Remote shell
The product must be capable of:
- detecting services running on non-standard ports;
- detecting services configured not to display connection banners;
- testing multiple instances of the same service running on different ports;
- scanning dead hosts (devices that do not respond to ping).

The product must include vulnerability scoring according to the industry-accepted standard, i.e. the Common Vulnerability Scoring System (CVSS). The product must use information gained from initial scans to attempt further exploits based on the previously obtained information about a given device or host. The product must track the vulnerability discovery date and the last-observed date, for filtering and reporting on time-based filters.

3. Configuration Audits

The product must be capable of configuration and patch auditing of Windows and Unix/Linux systems. The vendor must provide audit policies for Windows, Unix/Linux, applications, network devices and databases. The vendor must provide audit policies supporting the following, without extra cost or license:
- CIS Benchmarks
- Microsoft best practice
- HIPAA
- GLBA
- OWASP best practices
- PHI/PII content
- PCI content
- Custom content

The product must be capable of scanning web servers for common web application vulnerabilities such as SQL injection, cross-site scripting (XSS), HTTP header injection, directory traversal, remote file inclusion and command execution.

Malicious Process and Botnet Connection Detection

The product must be capable of detecting known malware running on Windows targets with built-in scanning rules. The product must be capable of detecting a compromise footprint on Windows targets, for example modification of the hosts file by a known virus or malware. The vendor must be able to detect active botnet connections during a scan.
Terms and Conditions

- The Nessus software should be supplied on a CD.
- The product license must include all minor upgrades and updates, major upgrades, updates, fixes and patches, signature updates, dashboard templates and report templates.
- Setup and policy creation are required.
- No remote-control facility is available for any type of work. All of the above jobs must be done at the AMD complex, Begumpet, Hyderabad by the concerned engineer.
- Unlimited IP scanning should be supported.

Payment terms

Payment for the software will be made after successful installation, commissioning and testing of the product, and on submission of the certificate for the three-year license from the OEM/authorized firm.