Nessus Perimeter Service User Guide (HTML5 Interface) March 18, 2014 (Revision 9)
Table of Contents
Introduction
Nessus Perimeter Service
Subscription and Activation
Multi Scanner Support
Customer Scanning Interface
Scan Policies
Creating and Launching a Scan
Scheduling a Scan
Managing Scans
Viewing Scan Results
Reviewing Scan Results
PCI ASV Validation
Submitting Scan Results for PCI Customer Review
Customer Review Interface
Reviewing Scan Results
Disputing Scan Results
Submitting Attachments as Evidence for a Dispute
Submitting a Scan Report for Tenable Review
PCI ASV Report Formats
Support
Changing Your Password
For More Information
About Tenable Network Security
Introduction

This document describes Tenable Network Security's Nessus Perimeter Service. Please email any comments and suggestions to support@tenable.com.

This document covers the Nessus Perimeter Service as used for vulnerability scanning, assessment, and reporting. It describes Perimeter Service subscription and activation, customer scan initiation, vulnerability and compliance reporting, PCI ASV validation, and Perimeter Service support.

The Nessus Perimeter Service is available in both Flash and HTML5 interfaces. This document describes the HTML5 interface. If you are using the Flash interface, which is the default only for the Microsoft Internet Explorer browser, please refer to the Nessus Perimeter Service User Guide (Flash Interface) document available through the Tenable Support Portal.

A basic understanding of Tenable's Nessus vulnerability scanner, network protocols, vulnerability analysis and remediation, and cloud-based services is assumed.

Important notes and considerations are highlighted in grey text boxes. Tips, examples, and best practices are highlighted in white-on-blue text.

Nessus Perimeter Service

The Nessus Perimeter Service is an enterprise-class remote vulnerability scanning service that may be used to audit Internet-facing IP addresses for both network and web application vulnerabilities from the cloud. Subscribers log in to Nessus scanners hosted in Tenable's secure data center and may use the Nessus Perimeter Service to scan any number of Internet-facing sites covering a wide variety of devices (enterprise servers, desktop computers, mobile laptops, iPhones), wherever is convenient and as often as needed, all for one flat fee. The Nessus Perimeter Service portal provides secure access to detailed vulnerability audits and remediation information hosted on Tenable's infrastructure.
The Nessus Perimeter Service can be accessed from any computer with Internet access and a standard web browser, as well as from mobile devices including Android and iPhone/iPad, providing fixed or mobile scanner command and control, plus access to vulnerability and compliance reports from anywhere, anytime. The Nessus Perimeter Service is supported by a world-renowned research team and has the industry's largest vulnerability knowledge base, making it suitable for even the most complex audits.

Subscription and Activation

Tenable's Nessus Perimeter Service is available as an annual subscription. Subscriptions are available through the Tenable Store. For pricing, please visit the Tenable Store or inquire at subscriptions@tenable.com.

A Nessus Perimeter Service subscription package includes:
- Unlimited scanning of your perimeter systems
- Web application audits
- Ability to prepare for security assessments against current PCI standards
- Up to 2 quarterly report submissions for PCI ASV validation through Tenable Network Security, Inc.
- 24/7 access to the Tenable Support Portal for the Nessus knowledge base and support ticket creation
- One user account per subscription
Upon purchase of a Nessus Perimeter Service subscription, Tenable Product Delivery will notify the customer of product availability via email. The notification email will also include the customer's order number, product expiration date, and a product activation link. An activation help document is available online at: http://static.tenable.com/documentation/ps_activation_help.pdf

If you experience any problems with the activation process, please contact licenses@tenable.com. You must include your Customer ID with any inquiry. If you do not have a Customer ID, please include your order number to receive the proper assistance.

Multi Scanner Support

The Multi Scanner functionality gives your Nessus scanner the ability to delegate vulnerability scanning to multiple secondary scanners, or to act as a secondary that performs scans for another. You can use your own Nessus server as the primary, or you can configure your Nessus Perimeter Service scanner in the cloud to be the primary. This allows for consolidated reporting in a single Nessus user interface, with scheduled scanning and emailed results.

This functionality lets companies build an extended network of Nessus scanners. Through strategic placement of the scanners, you can not only test for vulnerabilities and misconfigurations, but also examine a system from different viewpoints on the network. This can greatly assist in verifying that network screening devices (e.g., firewalls, routers) are properly restricting access to a given system.

It is important to note that primary scanners do not reach out to the secondary scanners. Instead, secondary scanners periodically poll the primary scanner they are registered with to receive new instructions. When deploying a network of Nessus scanners using this functionality, keep this in mind: the connection that must be permitted is from the secondary to its primary, and nothing on that path may hinder the secondary from connecting.
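As an added example (not part of this guide or of Tenable's software), the following Python script performs the check a practitioner would run on a secondary scanner before registering it: a TCP connect toward the primary, in the direction the text describes, distinguishing a path that is filtered (timeout) from one where the primary is simply not listening (refused). It assumes the primary listens on TCP port 8834 (the Nessus default) and uses the placeholder hostname primary.example.com; only a TCP connection is attempted and no Nessus credentials are involved.

```python
"""Pre-flight reachability check for a secondary Nessus scanner.

Added example, not part of this guide or of Tenable's software.  The guide
states that secondary scanners poll their primary and the primary never
connects back, so the only path that must be open is secondary -> primary.
Run this on the secondary.  Assumptions: the primary listens on TCP 8834
(the Nessus default); only a TCP connect is attempted, no Nessus
credentials are used; "primary.example.com" is a placeholder hostname.
"""
import socket
import sys
import threading
from dataclasses import dataclass

NESSUS_DEFAULT_PORT = 8834   # assumption: default Nessus listener port


@dataclass
class ReachResult:
    host: str
    port: int
    reachable: bool
    detail: str


def check_primary_reachable(host, port=NESSUS_DEFAULT_PORT, timeout=3.0):
    """TCP connect from this host toward the primary, distinguishing a
    filtered path (timeout) from an actively refused one."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ReachResult(host, port, True, "TCP connect succeeded")
    except socket.timeout:
        return ReachResult(host, port, False,
                           "timed out: a firewall on the path is probably dropping the connection")
    except OSError as exc:
        return ReachResult(host, port, False, f"connect failed: {exc.strerror or exc}")


def _accept_one(listener):
    """Stand-in for the primary: accept a single connection and close it."""
    try:
        conn, _ = listener.accept()
        conn.close()
    except OSError:
        pass


def self_test():
    """Show both outcomes against a throwaway listener on loopback:
    first while it is listening (reachable), then after it is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # ephemeral port, no real primary needed
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_accept_one, args=(listener,), daemon=True)
    t.start()
    up = check_primary_reachable("127.0.0.1", port, timeout=2.0)
    t.join(2.0)
    listener.close()
    down = check_primary_reachable("127.0.0.1", port, timeout=2.0)
    return up, down


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "primary.example.com"
    result = check_primary_reachable(target)
    print(f"{result.host}:{result.port} reachable={result.reachable} ({result.detail})")
    up, down = self_test()
    print(f"self-test: listening={up.reachable} closed={down.reachable}")
```

Run it from the secondary with the primary's hostname as the first argument. A timeout rather than a refusal usually means a firewall between the two is dropping the outbound connection; a rule permitting inbound connections on the primary from the secondary's address is what needs to exist, not the reverse.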
Customer Scanning Interface

Customers who subscribe to the Nessus Perimeter Service interact with a secure web-based portal. To access the service, all customers require credentials to the portal, which are provided by Tenable Network Security upon purchase of the service. The following screen capture displays the portal login page, which offers the Nessus HTML5 user interface by default:

Initial Nessus Perimeter Service Login Screen

For more information on using the Nessus Perimeter Service with the older Flash interface, refer to the Nessus Perimeter Service User Guide (Flash Interface) document, which is available through the Tenable Support Portal.

Scan Policies

Once logged into the service, Nessus Perimeter Service customers have the option to select one of seven preset scan policies:

Perimeter Scan (exhaustive)
This policy will use more bandwidth but will find all external TCP-based services hosted in an externally facing network. This policy contains the default settings that will perform an exhaustive perimeter scan:
- A fast port scan of 65,536 TCP ports
- CGI checks are enabled
- Web Application checks are disabled
- Low false positives

Perimeter Scan (fast)
This is an ideal policy to perform as an initial scan. This policy contains the default settings that will perform a quick perimeter scan:
- A fast port scan checking the most common 8,000 TCP ports
- CGI checks are enabled
- Web Application checks are disabled
- Low false positives

Web App Tests (exhaustive)
This policy will perform a web application test on the remote host. The application(s) will be tested for custom vulnerabilities, use the all-pairs method for argument testing, check all parameters of each page, and run for a maximum of 24 hours.

Web App Tests (fast)
This policy will perform a web application test on the remote host. The application will be tested for custom vulnerabilities, use the all-pairs method for argument testing, check all parameters of each page, and run for a maximum of 2 hours.

PCI-DSS ASV Scan
This policy may be used by Perimeter Service customers who wish to perform external vulnerability scans that may be used in a PCI DSS compliance validation effort. More information about performing scans using the PCI-DSS ASV Scan policy and scan validation through Tenable's PCI ASV service can be found later in this document.

PCI-DSS ASV Scan (low bandwidth)
This policy is identical to the PCI-DSS ASV Scan policy with the exception of the max_hosts setting, which is set to 2 in order to limit the amount of bandwidth used by Nessus Perimeter Service scans.

PCI-DSS ASV Scan (unresponsive hosts)
This policy is identical to the PCI-DSS ASV Scan policy with the exception of the Ping Host setting, which is disabled so that Nessus Perimeter Service scans fall back to other host-discovery options instead of skipping a host because it does not respond to a remote ping.

These policies are regularly reviewed and updated by Tenable staff to ensure that they include updates to plugin families and other enhancements to settings. Customers do not have the ability to view or alter any of the preset parameters of the PCI-DSS policies.

Instead of directly editing a preset scan policy, it is highly recommended to make a copy of the preset policy and edit the copy. If a preset scan policy is edited directly, ownership of the policy changes from admin to the Nessus Perimeter Service user, and the original settings cannot be automatically restored.

The Upload button allows you to upload previously created policies to the Perimeter Service scanner. Using the Browse dialog box, select the policy file from your local system, and click Submit.
Creating and Launching a Scan

To create a scan, a Nessus Perimeter Service customer enters the Scans section of the service and selects New Scan. The customer then enters a unique name for the scan, selects the type of scan and the policy, and enters the IP address(es), IP range(s), or hostnames of the externally-facing servers that will be the target of the scan. Click Launch to initiate the new scan immediately.

Note that the Scanner option will only appear if secondary scanners have been configured. To set up secondary scanners that can be used to conduct scans on behalf of the perimeter scanner, please consult the Nessus 5.2 HTML5 User Guide. More information on the use of additional scanners and the network flow can be found above in the section titled Multi Scanner Support.

Scheduling a Scan

To set up a scan that runs on a schedule, start by creating a new scan via the Scans menu or the Schedules menu. After filling out the basic settings, select Schedule Settings and select the frequency:
Once saved, the scheduled scans can be accessed through the Schedules menu at the top:

Managing Scans

Once started, scans can be paused or stopped during the scan process by using the pause or stop icon to the right of the scan:
Viewing Scan Results

Results from a scan that is currently in progress can be viewed by selecting the Scans menu and clicking on the running or completed scan:

Reviewing Scan Results

Once a scan has completed, its status will appear under the Scans section along with the date and time that the scan was either last updated or completed. The customer has the option to browse the scan or download the report in a variety of formats, including the .nessus, CSV, PDF, HTML, and Nessus DB file formats.
Completed Scan in Vulnerabilities View
Export Option to Download Current Scan

The HTML report download format allows for the selection of chapter types within the report. Select HTML as the export format, and then click on the chapters to include in the report output:
HTML Report Output for Hosts Summary (Executive)

Customers are not limited in the number of scans they can perform and reports they can generate during an active subscription to the Nessus Perimeter Service. Detailed information on Nessus policies, scanning, and reporting can be found in the Nessus User Guide available here: http://www.tenable.com/products/nessus/documentation

PCI ASV Validation

Tenable Network Security, Inc. is a PCI Approved Scanning Vendor (ASV), and is certified to validate vulnerability scans of Internet-facing systems for adherence to certain aspects of the PCI Data Security Standard (PCI DSS). The Nessus Perimeter Service includes a pre-built static PCI DSS policy that adheres to the quarterly scanning requirements of PCI DSS v2.0. This policy may be used by merchants and service providers to initially assess their environments against PCI DSS requirements, and also to perform external vulnerability scans and generate reports that can be validated by qualified Tenable Network Security staff members for the PCI DSS ASV validation requirement.

It is important to note that, while customers can use the PCI DSS scan policy to test their externally-facing systems as often as they wish, a scan must be submitted to Tenable for validation before it can be considered a valid PCI ASV scan. Customers are allowed up to two quarterly report submissions for PCI ASV validation through Tenable Network Security, Inc.

Once logged into the service, customers have the option to select the PCI-DSS ASV Scan policies, which adhere to the requirements of the PCI ASV Program Guide v2.0 section titled ASV Scan Solution Required Components. Customers do not have the ability to alter any of the preset parameters of these policies. To qualify as a PCI DSS ASV scan for validation through the Nessus Perimeter Service, one of the three PCI-DSS policies must be selected.
Submitting Scan Results for PCI Customer Review

Customers have the option to submit their scan results to Tenable Network Security for PCI ASV validation. By clicking Submit for PCI, the scan results are uploaded to an administrative section of the Nessus Perimeter Service (the PCI Scanning Service) for customer review, and the customer is prompted to log in to the user section of the service to review the findings of the scan results from a PCI DSS perspective.

Link to Submit for PCI (highlighted in red)

Report Upload and PCI Scanning Service Link Dialog Box
Customers are strongly urged to thoroughly review their PCI scan results before submitting their report(s) to Tenable Network Security through the PCI Scanning Service. Reports with failed results are required to undergo a full PCI Scanning Service review cycle, of which Nessus Perimeter Service customers are limited to two (2) per quarterly period.

Customer Review Interface

PCI Scanning Service Customer Login Screen

Once a customer logs into the PCI Validation user section, they are presented with a list of reports that have been submitted by their unique Nessus Perimeter Service login. The Report Filter allows reports to be filtered by Owner, Name, and Status.
Reviewing Scan Results

To pass a PCI DSS ASV assessment, all items listed as Critical, High, or Medium (that is, with a CVSS base score of 4.0 or higher), with the exception of denial of service (DoS) vulnerabilities, must either be remediated or disputed by the customer, and all disputed items must either be resolved, accepted as exceptions, accepted as false positives, or mitigated through the use of compensating controls. All items listed as Critical, High, or Medium in the Nessus Perimeter Service can be viewed in detail, and each item carries an option to dispute it.

Clicking the name of the scan in the List of Reports allows the user to view a list of hosts and the number of vulnerabilities found on each host, sorted by severity. Clicking the number of Failed Items in the List of Reports displays the items that must be addressed in order to qualify for a compliant ASV report through Tenable's PCI Scanning Service.

Nessus Perimeter Service/PCI Scanning Service customers are responsible for reviewing all of their Failed Items before submitting a scan report to Tenable Network Security. Selecting the Failed Items in the List of Reports allows you to jump directly to the items that may affect your PCI ASV validation compliance status.
Use the green + button under the far left column to expand an individual entry for additional vulnerability details.

Scan Report Item Description with Dispute Functionality

As shown above, a Dispute button is displayed for each individual item, which allows the customer to enter additional details about vulnerability remediation, or to dispute what they believe may be a false positive generated by the initial scan.
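The pass criteria above can be applied to a downloaded .nessus export before anything is submitted, so that the Failed Items list holds no surprises. The following Python script is an added example, not part of this guide or of Tenable's software: it parses the NessusClientData_v2 layout of a .nessus file, selects every finding with a CVSS base score of 4.0 or higher, and drops denial-of-service findings. Two things are assumptions: a DoS finding is recognised by the plugin family "Denial of Service" (the page does not say how the portal identifies them), and the sample export embedded in the script is constructed, with made-up plugin IDs, names and a documentation address.

```python
"""Apply the PCI ASV pass criteria to a .nessus (NessusClientData_v2) export.

Added example, not part of this guide or of Tenable's software.  Rule
implemented (from the guide): every finding with a CVSS base score of
4.0 or higher (Critical/High/Medium) is a failed item that must be
remediated or successfully disputed, except denial-of-service findings.
Assumptions: a DoS finding is recognised by pluginFamily="Denial of
Service"; the sample export below is constructed and its plugin IDs,
names and addresses are not real Nessus plugins or hosts.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PCI_CVSS_THRESHOLD = 4.0            # stated in the guide
DOS_FAMILY = "Denial of Service"    # assumption: how DoS-only findings are identified


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    protocol: str
    plugin_id: int
    plugin_name: str
    plugin_family: str
    cvss: float

    def key(self):
        """Identity used when marking an item remediated or accepted on dispute."""
        return (self.host, self.port, self.protocol, self.plugin_id)


def parse_findings(nessus_xml: str) -> list:
    """Flatten ReportHost/ReportItem elements into Finding records."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score = item.findtext("cvss_base_score")
            findings.append(Finding(
                host=host.get("name", ""),
                port=int(item.get("port", "0")),
                protocol=item.get("protocol", ""),
                plugin_id=int(item.get("pluginID", "0")),
                plugin_name=item.get("pluginName", ""),
                plugin_family=item.get("pluginFamily", ""),
                cvss=float(score) if score else 0.0,   # informational plugins carry no score
            ))
    return findings


def pci_failed_items(findings):
    """Findings that block an ASV pass: CVSS >= 4.0 and not a DoS-only check."""
    return [f for f in findings
            if f.cvss >= PCI_CVSS_THRESHOLD and f.plugin_family != DOS_FAMILY]


def pci_status(findings, accepted=frozenset()):
    """Summarise the report the way the review portal counts it.

    `accepted` holds key() tuples of failed items that have been remediated
    or whose dispute was accepted; anything else is still outstanding.
    """
    failed = pci_failed_items(findings)
    outstanding = [f for f in failed if f.key() not in accepted]
    return {
        "failed": len(failed),
        "outstanding": len(outstanding),
        "compliant": len(outstanding) == 0,
    }


# Constructed sample export: one host, five findings, made-up plugin IDs.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="PCI-DSS ASV Scan">
    <ReportHost name="203.0.113.10">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="1001" pluginName="Example: weak TLS cipher suites"
                  pluginFamily="General">
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="1"
                  pluginID="1002" pluginName="Example: server banner disclosure"
                  pluginFamily="Web Servers">
        <cvss_base_score>2.6</cvss_base_score>
      </ReportItem>
      <ReportItem port="53" svc_name="dns" protocol="udp" severity="2"
                  pluginID="1003" pluginName="Example: DNS amplification"
                  pluginFamily="Denial of Service">
        <cvss_base_score>5.0</cvss_base_score>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="1004" pluginName="Example: weak SSH MAC algorithms"
                  pluginFamily="Misc.">
        <cvss_base_score>4.0</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="1005" pluginName="Example: informational"
                  pluginFamily="General" />
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

if __name__ == "__main__":
    found = parse_findings(SAMPLE_NESSUS)
    for f in pci_failed_items(found):
        print(f"FAIL {f.host}:{f.port}/{f.protocol} plugin {f.plugin_id} CVSS {f.cvss} {f.plugin_name}")
    print(pci_status(found))
```

On the sample, the 7.5 and the 4.0 findings are failed items (4.0 sits exactly on the threshold and counts), the 2.6 finding is below it, the DoS finding is excluded, and the unscored informational item is ignored. Passing the keys of remediated or accepted items to pci_status reproduces the portal's rule that a report is compliant only once no failed item is outstanding.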
Disputing Scan Results

When an item is disputed, a ticket is created that allows for the selection of an amendment type, the addition of text to the amendment, and any other notes that the customer may want to add prior to submission for review by Tenable Network Security. Once a ticket for a particular item has been created, the customer can view it by selecting the item in question and then selecting View Ticket.
Scan Report Item Description with View Ticket Functionality
Additional comments can be added by clicking the Edit button, then Add Note, and saving the note into the ticket by clicking Update.
Plugin 33929, PCI DSS Compliance, is an administrative plugin that links to the results of other plugins. If a report shows that a host is not PCI DSS compliant, resolving all failed items will allow plugin 33929 to resolve and be replaced with plugin 33930, PCI DSS Compliance: Passed. In cases of disputes or exceptions, if all failed report items are successfully disputed or given exceptions, an exception can then be given for plugin 33929 based on the remediation of all other report issues.

Submitting Attachments as Evidence for a Dispute

Once a ticket is created, it is possible to submit supporting evidence as an attachment. After creating a ticket, click the number listed under Open Tickets to display all open tickets:
In the List of Tickets screen, click View:

When the screen for the open ticket is displayed, options for Upload File and Attach are displayed:

Click Browse to navigate to and select the evidence file (screenshot, Word document, PDF, etc.) to be uploaded:

Sample Evidence File (no_shiro.png)
Next, click Attach to attach the file to the ticket. When completed, the screen will display a message that the file was uploaded successfully:

Clicking the Download link next to Attachments will show the names of all files attached to the ticket:

Submitting a Scan Report for Tenable Review

When tickets have been created for all outstanding report items under user review, the report can then be sent to Tenable Network Security for ASV review. Before a report can be submitted for review, the customer must fill in contact information and agree to an attestation that includes mandatory text as described in the ASV Program Guide.
Report Submission Attestation Text

If a customer neglects to address any outstanding item for a particular scan before the report is submitted for ASV review, they will be prompted to make sure that a ticket has been created for each item. Any report with outstanding items that have not been addressed by the customer cannot be submitted to Tenable Network Security for review.
When a report is finally submitted to Tenable Network Security for review, the status of the report changes from Under User Review to Under Admin Review and the Submit option is removed (greyed out) to prevent the submission of duplicate items or reports.

Submitted Report Under Admin Review

The Withdraw function within an open ticket is only available once a report has been submitted for review by Tenable's PCI Scanning Service. Be careful when using the Withdraw function: withdrawing a ticket causes the item in question to be flagged as unresolved due to inconclusive evidence, and the report as a whole will be deemed non-compliant.

If a Tenable Network Security staff member requests more information, or if any other user action is required of the customer for a ticket, an indicator appears in the customer's List of Reports as shown below:

User Action Required Notification
The ticket can then be amended by the user and resubmitted to Tenable Network Security for further review.

PCI ASV Report Formats

Once a scan report has earned compliance status through Tenable's PCI Scanning Service, customers have the option of viewing reports in Attestation Report, Executive Report, or Detailed Report formats. An ASV Feedback Form is also provided to the Nessus Perimeter Service customer. These options are available through the Download icon listed next to each report. The Attestation Report, Executive Report, and Detailed Report are only available to the customer in PDF format and cannot be edited.
Sample Attestation Report
Sample Executive Report

When a report name and then a host name is selected within the web-based interface, a list of items pertaining to the selected report is displayed.

List of Items Displayed in the Web Interface
Support

When a Tenable Nessus Perimeter Service subscription is purchased, the name(s) and email address(es) of your Technical Contact Person(s) are provided to Tenable. A separate Tenable Support Portal account is automatically created for each Technical Contact Person. Support requests are accepted via the Tenable Support Portal, or an email may be sent to support@tenable.com. Note that email requests must be sent from one of the email addresses provided to Tenable as a support contact.

Changing Your Password

If you need to change your Nessus Perimeter Service password, click on your email address in the upper right-hand side of the scanner screen and choose the User Profile option in the drop-down list. After changing your password, a confirmation dialog is displayed.

For More Information

Nessus documentation can be found here: http://www.tenable.com/products/nessus/documentation

More information about the Tenable Support Portal features can be found here: http://www.tenable.com/expert-resources/whitepapers/tenable-network-security-support-portal

Subscription agreement: http://static.tenable.com/prod_docs/subscription_agreement.pdf

If you experience any problems with the registration process, please contact licenses@tenable.com.

The Nessus Perimeter Service is supported by email only. Please direct all support-related questions to support@tenable.com and provide your Customer ID with a detailed description of the issue you are having. You may also log in to the Tenable Support Portal to generate a support ticket.
About Tenable Network Security

Tenable Network Security is relied upon by more than 20,000 organizations, including the entire U.S. Department of Defense and many of the world's largest companies and governments, to stay ahead of emerging vulnerabilities, threats and compliance-related risks. Its Nessus and SecurityCenter solutions continue to set the standard to identify vulnerabilities, prevent attacks and comply with a multitude of regulatory requirements. For more information, please visit www.tenable.com.

GLOBAL HEADQUARTERS
Tenable Network Security
7021 Columbia Gateway Drive
Suite 500
Columbia, MD 21046
410.872.0555
www.tenable.com

Copyright 2014. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.