SYSTEM DEPLOYMENT & SECURITY AUDITING WITH RHN SATELLITE & NESSUS Akash Chandrashekar Senior Solution Architect, Red Hat Lee Kinser Solution Architect, Red Hat Jack Daniel Technical Product Manager, Tenable Network Security
Compliance Issues Can Be a Growing Pain: each industry is affected by its own compliance rules (FDCC, HIPAA, SOX, PCI, and many, many more). Executive summary of all the requirements: control your network, keep it tight and up to date, and be able to prove it.
REQUIREMENT PROPOSED SOLUTIONS
Requirement 11: Regularly Test Security Systems and Processes. Regular audits of the perimeter (or network) by 3rd parties (every quarter); very typical of many audits. Typical example: an ecommerce site scanned by a PCI ASV (Approved Scanning Vendor). PCI ASV scans use Nessus and other scanners to do their jobs. Note: Tenable Network Security is now a PCI ASV.
Issues with Auditors in General. False positives: Red Hat backports security patches, so a site advertising Apache 2.2.4 may not be vulnerable to all flaws affecting Apache < 2.2.18. No doubt, most vendors prefer a false positive to a false negative. Findings can now be disputed; however, this is costly (charged per scan) and time consuming (where to get the information?).
The False Positive Issue

                  Condition: Exists          Condition: Does Not Exist
Detected          Valid: True Positive       Invalid: False Positive
Not Detected      Invalid: False Negative    Valid: True Negative
Issues with Some Auditors:
- How to prepare for an audit and be ready to explain why some findings are false positives?
- How to prove that patches are applied regularly?
- What if your patch schedule does not fit the quarterly scans?
- Explaining how Red Hat backporting works
Red Hat Satellite
Strategies to Manage Content
[Diagram: Red Hat channel RHEL 5 -> 5.1 -> 5.2 -> 5.x; cloned custom channels Custom 5.0-dev and Custom 5.0-prod; Clients]
1) Client is built via kickstart from Red Hat channel kickstart tree
2) Activation key reconfigures client (dev or prod?)
3) Sat Admin creates 2 custom channels for dev & production clients
4) Sat Admin regularly compares custom dev channel vs. Red Hat and merges selected security updates, fixes, feature enablements
5) Dev systems do QA validation
6) Sat Admin merges dev to prod at reduced intervals after QA certifies dev channel
7) Sat Admin schedules updates for prod clients
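Steps 3 and 4 of the channel strategy above, automated over the Satellite XML-RPC API, as an added example that is not part of the presentation: compare a cloned custom dev channel against the Red Hat channel it was cloned from and merge only the security advisories it is missing, leaving bug-fix and enhancement errata for a deliberate decision. The method names (auth.login, auth.logout, channel.software.listErrata, channel.software.mergeErrata) follow the Spacewalk/Satellite API; the errata field names, the channel labels and the offline fake server are assumptions and constructed data.

```python
"""Added example (not from the presentation): merge pending security errata from a
Red Hat base channel into its cloned custom dev channel over the Satellite XML-RPC API.
Method names follow the Spacewalk/Satellite API; the errata field names
(advisory_name, advisory_type) and the fake server data below are assumptions."""
import xmlrpc.client

SECURITY = "Security Advisory"  # advisory_type value for RHSA errata (assumption)


def xmlrpc_caller(url):
    """call(method, *args) bound to a real Satellite, e.g. https://sat.example/rpc/api."""
    proxy = xmlrpc.client.ServerProxy(url)
    # ServerProxy accepts dotted method names via getattr, so one adapter covers all namespaces.
    return lambda method, *args: getattr(proxy, method)(*args)


def pending_security_errata(call, key, base_label, dev_label):
    """Security advisories present in the Red Hat base channel that the dev clone lacks."""
    in_dev = {e["advisory_name"] for e in call("channel.software.listErrata", key, dev_label)}
    return sorted(
        e["advisory_name"]
        for e in call("channel.software.listErrata", key, base_label)
        if e["advisory_type"] == SECURITY and e["advisory_name"] not in in_dev
    )


def merge_security_errata(call, user, password, base_label, dev_label):
    """Log in, merge only the pending security errata, log out; returns what was merged."""
    key = call("auth.login", user, password)
    try:
        names = pending_security_errata(call, key, base_label, dev_label)
        if names:
            call("channel.software.mergeErrata", key, base_label, dev_label, names)
        return names
    finally:
        call("auth.logout", key)  # sessions are a credential; do not leave them open


# --- constructed offline stand-in for the Satellite server (labels and errata are made up) ---
_CHANNELS = {
    "rhel-x86_64-server-5": [
        {"advisory_name": "RHSA-2010:0001", "advisory_type": "Security Advisory"},
        {"advisory_name": "RHBA-2010:0002", "advisory_type": "Bug Fix Advisory"},
        {"advisory_name": "RHSA-2010:0003", "advisory_type": "Security Advisory"},
    ],
    "custom-5.0-dev": [
        {"advisory_name": "RHSA-2010:0001", "advisory_type": "Security Advisory"},
    ],
}


def fake_call(method, *args):
    """Minimal dispatcher imitating the handful of API calls used above."""
    if method == "auth.login":
        return "fake-session-key"
    if method == "auth.logout":
        return 1
    if method == "channel.software.listErrata":
        return list(_CHANNELS[args[1]])
    if method == "channel.software.mergeErrata":
        _key, src, dst, names = args
        merged = [e for e in _CHANNELS[src] if e["advisory_name"] in names]
        _CHANNELS[dst].extend(merged)
        return merged
    raise NotImplementedError(method)


if __name__ == "__main__":
    # Against a real server: call = xmlrpc_caller("https://sat.example/rpc/api")
    print(merge_security_errata(fake_call, "satadmin", "secret",
                                "rhel-x86_64-server-5", "custom-5.0-dev"))
```

The same two functions serve step 6 (dev to prod) by passing the dev label as base_label and the prod label as dev_label; only the filter on advisory_type would change if the prod merge should carry everything QA certified rather than security errata alone.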
Red Hat Satellite (cont.) Red Hat Satellite is a great way to manage one's network in a compliant way. However, we still need to:
- Prove that every host scanned is indeed managed by Satellite
- Prove that every host scanned is patched (regularly)
- Prove that every host is configured properly from a security point of view
Red Hat Satellite (cont.) [Diagram: overlapping sets "Systems audited" and "Systems managed by Satellite"] Not every host related to audits is managed by Satellite (yet). Different views between Satellite and the scan results.
Red Hat Satellite: Unlocking the Power of the API
- Connect to the Satellite server via XML-RPC library
- Authenticate: session key (* normal Satellite server permissions/roles apply)
- Perform queries and operations of interest
- Logout (when Auth)
Red Hat Satellite: Nessus Integration with RHN Satellite [Diagram: Satellite API integration covering Software Distribution, Account Management, Channel Management, Monitoring and Provisioning; API LAYER: XML-RPC] The API layer can be used to integrate with disparate systems by making remote procedure calls using XML over HTTP.
Nessus + RHN Satellite Each time Nessus scans a host, it can connect to the local RHN Satellite server and ask "Do you manage it?" AND "How do you manage it?"
Nessus Widely-deployed vulnerability scanner with open source roots, since 1998 Nearly 50,000 vulnerability and configuration plugins Used by many auditors Scans a network for remote and local vulnerabilities and misconfigurations Least-expensive commercial vulnerability scanner ($1500/year, unlimited targets; still free for home, non-commercial use) Also includes web app scanning, local policy audits, and more... - http://www.nessus.org for more information For organizations with multiple Nessus scanners, Tenable SecurityCenter for centralized management and reporting
How to Use Nessus for Scanning? Products can NOT be certified Only service providers can be certified as Approved Scanning Vendors (ASVs) Nessus prepares you for a scan: It provides the results that most ASVs will report Helps you detect false positives and document resolution
Nessus + RHN Satellite What if the hosts scanned have not been updated yet? (outside of regular patch schedule) Report on missing patches Correlation is the key!
Nessus + RHN Satellite How to prove that patches are applied regularly? Nessus will do a per-host Satellite report showing the history of applied patches Accurate reporting is key!
Nessus + RHN Satellite Reports contain both the results found remotely and information gathered from Satellite Arms you with all the facts you need to successfully pass your audit: - Host is managed by Satellite - Host is up to date - Host is patched regularly
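The API flow from the "Unlocking the Power of the API" slide (connect, authenticate, query, logout) and the correlation the last few slides describe (managed? up to date? patched regularly?), as an added example that is not Tenable's plugin code and not part of the presentation. Satellite method names (auth.login, auth.logout, system.searchByName, system.listLatestUpgradablePackages, system.getEventHistory) follow the Spacewalk/Satellite API; the result field names, the hostnames and the offline fake server are assumptions and constructed data. The web2 record shows the backport point from the false-positive slide: the package version string never changes, only the release.

```python
"""Added example (not part of the presentation or of Nessus/Tenable code):
correlate hosts found by a scan with what RHN Satellite knows about them.
Satellite method names follow the Spacewalk/Satellite XML-RPC API; field names
and the fake server below are assumptions / constructed data."""
import re
import xmlrpc.client


def xmlrpc_caller(url):
    """call(method, *args) bound to a real Satellite, e.g. https://sat.example/rpc/api."""
    proxy = xmlrpc.client.ServerProxy(url)
    return lambda method, *args: getattr(proxy, method)(*args)


def satellite_view(call, key, hostname):
    """Answer 'Do you manage it?' and 'How do you manage it?' for one scanned host."""
    matches = call("system.searchByName", key, "^%s$" % re.escape(hostname))
    if not matches:
        return {"host": hostname, "managed": False}
    sid = matches[0]["id"]
    missing = call("system.listLatestUpgradablePackages", key, sid)
    history = call("system.getEventHistory", key, sid)
    # Package events in the history are the evidence that patches are applied regularly.
    patch_events = [e["completed"] for e in history if "package" in e["summary"].lower()]
    return {
        "host": hostname,
        "managed": True,
        "system_id": sid,
        "up_to_date": not missing,
        # from/to versions let you argue a backported fix against a version-based finding
        "missing_packages": [p["name"] for p in missing],
        "patch_events": patch_events,
    }


def correlate(call, user, password, scanned_hosts):
    """Login, one Satellite lookup per scanned host, logout even if a lookup fails."""
    key = call("auth.login", user, password)
    try:
        return {h: satellite_view(call, key, h) for h in scanned_hosts}
    finally:
        call("auth.logout", key)


# --- constructed offline stand-in for the Satellite server --------------------------------
_FAKE = {
    "web1.example.com": {
        "id": 1000010001,
        "upgradable": [],
        "history": [
            {"summary": "Package Install scheduled by satadmin", "completed": "2010-06-03"},
            {"summary": "Package Install scheduled by satadmin", "completed": "2010-07-01"},
        ],
    },
    "web2.example.com": {
        "id": 1000010002,
        # same upstream version, newer release: a backported fix, not a version bump
        "upgradable": [{"name": "httpd", "from_version": "2.2.3-22.el5", "to_version": "2.2.3-43.el5"}],
        "history": [{"summary": "Package Install scheduled by satadmin", "completed": "2010-05-02"}],
    },
}


def fake_call(method, *args):
    if method == "auth.login":
        return "fake-session-key"
    if method == "auth.logout":
        return 1
    if args[0] != "fake-session-key":
        raise PermissionError("invalid session key")
    if method == "system.searchByName":
        rx = re.compile(args[1])
        return [{"id": v["id"], "name": n} for n, v in _FAKE.items() if rx.match(n)]
    rec = next(v for v in _FAKE.values() if v["id"] == args[1])
    if method == "system.listLatestUpgradablePackages":
        return rec["upgradable"]
    if method == "system.getEventHistory":
        return rec["history"]
    raise NotImplementedError(method)


if __name__ == "__main__":
    # Against a real server: call = xmlrpc_caller("https://sat.example/rpc/api")
    hosts = ["web1.example.com", "web2.example.com", "db9.example.com"]
    for host, view in correlate(fake_call, "nessus", "secret", hosts).items():
        print(host, view)
```

Attaching this per-host view to the scan results gives the three facts the slide lists (managed, up to date, patched regularly) in one place; a host that comes back with managed=False is the "different views" case from the earlier diagram and deserves a look before the auditor finds it.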
DEMO
Tenable SecurityCenter + RHN Satellite
QUESTIONS? http://www.redhat.com/red_hat_network/ http://www.nessus.org/ http://blog.tenable.com