enterprise-2-web enterprise-2-web Randy Reitz and Tim Rupp Randy Reitz and Tim Rupp InterLab 2006 InterLab 2006
end user overview end user overview ● scan-me-now scan-me-now – small web based vulnerability scanner small web based vulnerability scanner ● nessquik nessquik – powerful web based GUI for Nessus powerful web based GUI for Nessus ● splunk splunk – log file search engine log file search engine ● st & e st & e – system test, and evaluation checklist system test, and evaluation checklist
enterprise overview enterprise overview ● inventory inventory – near real-time network node inventory near real-time network node inventory ● scanner farm scanner farm – around-the-clock pinger, port scanner and vulnerability scanner around-the-clock pinger, port scanner and vulnerability scanner ● tissue tissue – event issue tracker event issue tracker
scan-me-now scan-me-now ● easy vulnerability scans easy vulnerability scans ● command line or browser command line or browser ● critical vulnerabilities or all plugins critical vulnerabilities or all plugins ● can only scan the machine you are coming from can only scan the machine you are coming from ● outputs report to webpage which you can save outputs report to webpage which you can save http://security.fnal.gov/scanmenow.html
nessquik nessquik ● granular control of plugins to use in a scan granular control of plugins to use in a scan ● leverage certificates for access control leverage certificates for access control ● scheduled scanning scheduled scanning ● monitor your scan progress monitor your scan progress ● reports in HTML or text reports in HTML or text ● save scan settings for the future save scan settings for the future https://shamus.fnal.gov/nessquik-2.0
splunk splunk ● full-text search engine for logs full-text search engine for logs ● combine and search different log sources combine and search different log sources ● includes an API via SOAP and REST that will likely be includes an API via SOAP and REST that will likely be used by CST in the future used by CST in the future ● very fast, AJAX-ish interface very fast, AJAX-ish interface ● able to quickly search massive datasets able to quickly search massive datasets http://whoknowswhat.fnal.gov:8000/
st & e st & e ● traffic lights signal when items have expired, in real-time traffic lights signal when items have expired, in real-time ● spans + AJAX for fast loading of content spans + AJAX for fast loading of content ● drop down arrows providing unlimited levels of tasks drop down arrows providing unlimited levels of tasks ● update log, satisfy evaluation update log, satisfy evaluation ● powerful admin interface to define access powerful admin interface to define access ● leverage certificates for access control leverage certificates for access control https://roaster.fnal.gov/ste2/
inventory inventory ● find active network nodes - ping response or ARP entry find active network nodes - ping response or ARP entry ● find aged network nodes find aged network nodes ● use nmap port scan to create observation: use nmap port scan to create observation: – estimate node OS estimate node OS – collect open (listening) TCP ports collect open (listening) TCP ports ● collapse observation in Inventory database collapse observation in Inventory database ● find recent observations for more scanning find recent observations for more scanning
inventory inventory
scanner farm scanner farm ● for nodes with "interesting" services: for nodes with "interesting" services: – test node with set of published critical vulnerabilities test node with set of published critical vulnerabilities – test node configuration for policy compliance (Kerberos) test node configuration for policy compliance (Kerberos)
TIssue TIssue ● create event when scanner finds an "issue" create event when scanner finds an "issue" ● find registered info for node find registered info for node ● notify administrator or user notify administrator or user ● submit event to work flow submit event to work flow
TIssue in brief TIssue in brief
Recommend
More recommend
