
eEye Digital Security
Best Practices
Retina Tips & Tricks for a Successful Deployment

Last Updated: Q210


© 2010 eEye Digital Security. All Rights Reserved. This document contains information which is protected by US Copyright and by the pre-existing nondisclosure agreement between eEye and the company identified as "Prepared For" on the title page. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of eEye Digital Security.

For the latest updates to this document, please contact your Preview Representative.

Warranty
This document is supplied on an "as is" basis with no warranty and no support.

Limitations of Liability
In no event shall eEye Digital Security be liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages (including lost profit or lost data) whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material. The information contained in this document is subject to change without notice. No trademark, copyright, or patent licenses are expressly or implicitly granted or included with this material.

Disclaimer
All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. eEye Digital Security is not associated with any other vendors or products mentioned in this document.


Contents

Deployment Recommendations ... 4
  Example One - Critical Vulnerabilities Only ... 4
  Example Two - Statistical Sampling ... 5
  Example Three - Targeted Scanning Based On Business Function ... 6
Retina CS Installation Checklist ... 8
REM Installation Checklist ... 9
Appliance Versus Software Decision Matrix ... 10
Retina Recommended Scan Throttling Settings For Bandwidth Control ... 11
Credential Scanning Settings for Windows Hosts ... 12
Retina in a Virtual Environment ... 14
Retina, Host Scanning Considerations ... 16
Endpoint Protection Platform and Anti-Virus White Listing Considerations ... 18
Retina Protection Agents - Special Server Considerations ... 19
Scanning or Auditing UNIX or Linux Systems ... 20
Creating an Address Group Import File ... 21
How to Enable SUDO Support for Retina ... 22
Setting Up MySQL for Database Scanning ... 27
Retina Architecture, Ports, Protocols, and Components ... 29


Deployment Recommendations

This section outlines a phased approach to a conservative rollout of a vulnerability assessment and management program within any organization. The methodology takes into consideration the sensitivity of vulnerability information and the caution needed when performing network scans on targets that may be susceptible to faults. The examples in this document outline three approaches to a deployment that can be cross-implemented to discover the health of the environment in phases.

Example One - Critical Vulnerabilities Only

eEye Digital Security's Retina solution allows scanning to be customized by Smart Groups and Report Templates. By managing Smart Groups and Templates, scan targets can be limited to testing only the critical vulnerabilities that can adversely affect the environment. This reveals the areas where exposure of sensitive data and system compromise could negatively affect the infrastructure.

Figure 1, Audit Groups Sorted by High Severity


This approach has several advantages over full audit scanning:
- Audits that could have adverse effects on user accounts or websites are not executed
- Vulnerabilities that could be exploited with little to no user intervention will be accurately identified
- The volume of potential compliance data and informational messages will be eliminated
- Business units and security teams can focus on the highest priority items that could interrupt normal business operations

This approach allows for targeted scanning of devices with only the highest severity items, to identify:
- How well patch management is functioning to meet remediation requirements
- Whether devices with sensitive data can be compromised with minimal to no intervention
- Devices that contain severe vulnerabilities and are potentially end of life, which can be identified for replacement

This approach has a few disadvantages:
- Low severity compliance-related audits will be missed
- Basic audits for usernames, groups, rogue services and processes will not be performed
- Application-based vulnerabilities may be excluded

Example Two - Statistical Sampling

Many regulatory compliance initiatives, including the PCI DSS, allow for statistical sampling of assets to perform an effective vulnerability management strategy. For this approach to be successful, a sample of all types of devices must be represented in a group of approximately 10% of the environment. In addition, proof of image standardization for hosts like desktops is required to validate the statistical sampling approach. Please consider the following:
- All operating systems in the environment
- All applications in the infrastructure
- All hardware and network devices and printers

All of the device types above must be included in the target group. No version or platform can be excluded. The sample can be scanned with all audits or with targeted vulnerabilities to report on the trends within the environment.

Figure 2, Sample Set of Scanned Assets for Statistical Sampling, Desktops Only

Statistical sampling has several advantages:
- Limited targets and risk to production devices
- Validation of compliance management initiatives and image standardization
- Rapid scan times compared to evaluating the entire infrastructure
- Consolidated reports based on samples

In contrast, the disadvantages of this approach:
- No rogue asset identification
- Bottom-n vulnerabilities and one-offs are not identified but are still susceptible to attack

Example Three - Targeted Scanning Based On Business Function

Many devices in an environment provide supporting functions to a business but have no direct connectivity to critical information. Consider a web application. Only the web server and supporting infrastructure should have access to any middleware and databases. A web application vulnerability assessment scan will reveal any flaws, and any user can only penetrate the target through this single entry point. Therefore, assessing every workstation that only interfaces with critical data via the web is overkill. A better approach follows the "where is the gold" principle. The business must identify where all of the critical business systems are and group them accordingly. Scans of these devices will target all possible entry points and should only occur during a predefined and acceptable scan window. This approach informs all parties that a network scan is going to occur (in case of a fault or outage) and confirms that all critical systems are free from high-rated risks.

Figure 3. Hosts Grouped by Domain and Displayed in a Topology View

Advantages to this approach:
- Scans occur only at acceptable times
- Systems housing sensitive data are validated to be risk free

Disadvantages for targeted scanning:
- Non-critical systems are not assessed and could be used as a beachhead to infiltrate an organization
- The manual process of identifying hosts may lead to missing systems for targeted scans
- No rogue asset detection


This section outlined three different phased approaches to a conservative rollout of a vulnerability management program. The methodologies presented take into consideration the sensitivity of vulnerability information and the caution needed when performing network scans on targets that may be susceptible to faults, within an organization that may have little to no experience with vulnerability assessment scanning. The examples in this document can be cross-implemented to discover the health of the environment in phases and ensure a smooth, successful rollout of this type of solution. eEye Professional Services are available to assess the risk and compliance objectives, and can provide a phased rollout approach to meeting any business requirements. Based on our experience with clients of similar size, and the overall security and business goals of your organization, eEye is confident that our solutions and services can meet your needs.


Retina CS Installation Checklist


Hardware Requirements
- CPU - 2.0 GHz or higher; Dual Core or higher recommended
- RAM - 2 GB minimum; 4 GB or higher recommended
- Hard Drive - 300 MB HD for software and 20 GB HD for databases, NTFS required

Software Requirements
- Windows Server 2003 SP2 or higher (32 or 64 bit) or MS Windows Server 2008 or R2 (32 or 64 bit)
- MS IIS (Internet Information Services) 6.0 or higher
- MS .NET Framework 3.5 or higher
- SQL 2005 Server SP1 or higher, MS SQL 2008 Server (for evaluation: MS SQL 2005 Express is included with Retina CS)
- MS Internet Explorer 7.0 or higher
- Oracle Sun Java 6.0 SE Update 21 or higher
- Adobe Flash Player 9.0 or higher
- Network Interface Card, Network Connection, and Internet Access

Verification
- Does the server meet or exceed the hardware and software requirements?
- Verify there are no runtime issues with the server and it is functioning correctly
- Verify Microsoft IIS is installed and the default page displays without errors
- Verify MS .NET Framework 3.5 or higher is loaded properly
- Verify MS SQL Server is running properly without any connectivity issues
- Verify there are no issues with internet connectivity and DNS resolution

Installation
- Download software and license keys from www.eeye.com/clients
- Install Retina CS (follow the installation wizard)
- Configure Retina CS (follow the configuration wizard)
- If required, install the Retina Network Security Scanner (RNSS)
- If required, configure RNSS to communicate with Retina CS
- If required, deploy Blink or Retina Protection Agents from Retina CS

Common Issues
- .NET Framework should be installed after MS IIS and properly configured before the Retina CS installation
- Retina CS is not supported on a Domain Controller or Microsoft Small Business Server
- Confirm internet connectivity, DNS resolution, and all proxy settings required for internet connectivity
- Client workstations don't have the latest version of Oracle Sun Java and Adobe Flash Player installed


REM Installation Checklist


Hardware Requirements
- CPU - 2.0 GHz or higher; Dual Core or higher recommended
- RAM - 2 GB minimum; 4 GB or higher recommended
- Hard Drive - 300 MB HD for software and 20 GB HD for databases, NTFS required

Software Requirements
- Windows Server 2003 SP2 or higher (32 bit) or MS Windows Server 2008 (32 or 64 bit)
- MS IIS (Internet Information Services) 6.0 or higher
- MS .NET Framework 2.0 or higher (and ASP.NET on 2003)
- SQL 2005 Server SP1 or higher, MS SQL 2008 Server (for evaluation: MS SQL 2005 Express is included with Retina REM Events Manager)
- MS Internet Explorer 6.0 or higher
- Oracle Sun Java 6.0 SE Update 21 or higher (for client workstations)
- Network Interface Card, Network Connection, and Internet Access

Verification
- Verify the server meets or exceeds the hardware and software requirements
- Verify there are no runtime issues with the server and it is functioning correctly
- Verify Microsoft IIS is installed and the default page displays without errors
- Verify MS .NET Framework 2.0 or higher is loaded properly
- Verify MS SQL Server is running properly without any connectivity issues
- Verify there are no issues with internet connectivity and DNS resolution

Installation
- Download software and license keys from www.eeye.com/clients
- Install the REM Events Manager executable (follow the installation wizard)
- Configure the REM Events Manager (follow the configuration wizard)
- Install the REM Events Server executable (follow the installation wizard)
- If required, install the Retina Network Security Scanner (RNSS)
- If required, configure RNSS to communicate with REM
- If required, deploy Blink or Retina Protection Agents from REM

Common Issues
- .NET Framework should be installed after MS IIS and properly configured before the REM installation
- REM is not supported on a Domain Controller or Microsoft Small Business Server
- Confirm internet connectivity, DNS resolution, and all proxy settings required for internet connectivity
- Client workstations don't have the latest version of Oracle Sun Java installed


Appliance Versus Software Decision Matrix


This simple matrix enables you to prioritize your needs, providing you with an immediate business justification summary. By completing this matrix, we may better evaluate the ideal eEye solution sets to match your specific needs. Please score each business criterion below on a scale of 1 to 5 (1 = low, 5 = high). Then total each column. The highest score will provide you with business justification details.

Appliance                                              | Grade | Software                                              | Grade
Rapid Deployment                                       |       | Lower Cost for Licensing Only                         |
Easier Maintenance and Lower TCO                       |       | Flexible Deployment with Software Scanners            |
Easier Procurement Process                             |       | Limited Raised Floor Rack Space                       |
Unsecure Physical Environments                         |       | Existing Server Reallocation                          |
Geographical Deployment                                |       | Unlimited Scalability                                 |
Different Budgets, Hardware Only                       |       | Different Budgets, Software Only                      |
Optimized Policy and Server Operations, No Tweaking    |       | Policy Limiting New Hardware on a Network             |
Hardened and Embedded Operating System                 |       | Licensing of Operating System and Database (if needed)|
Policy Limiting New Software on a Network              |       | Non-Standard Architectural Requirements and Ports     |
TOTALS                                                 |       | TOTALS                                                |


Retina Recommended Scan Throttling Settings For Bandwidth Control


The following recommendations for Retina scan throttling should be implemented when scanning over links in a high-speed data center or over a wide area network, considering the slowest link (smallest pipe) to a remote target.

Slowest Common Link | Scan (Targets) | Adaptive Speed | Ping Timeout | Data Timeout
10 GB Full Duplex   | 64*            | 5              | 1            | 1
1 GB Full Duplex    | 48*            | 5              | 2            | 2
100MB Full Duplex   | 24             | 5              | 3            | 3
100MB Half Duplex   | 12             | 4              | 3            | 3
10MB Full Duplex    | 10             | 3              | 4            | 4
10MB Half Duplex    | 5              | 2              | 4            | 4
256k Frame Relay    | 3              | 1              | 5            | 5
128k ISDN           | 2              | 1              | 5            | 5
56k Dial Up         | 1              | 1              | 5            | 5

These values can be set in the Retina Network Security Scanner, in the REM Security Management Console, or in Retina CS per Retina Scan Engine or assigned globally for all attached scanners. These guidelines are based on bandwidth calculations for non saturated links and results may vary based on individual network conditions and latency.

* Each increase in the number of targets (by 24) increases RAM utilization on the scanner. An additional 1GB of RAM should be included for 48 simultaneous targets and an additional 2GB of RAM for 64 targets.


Credential Scanning Settings for Windows Hosts


There are some settings configured/enabled by default in Windows (including Vista and 2008 Server) that could limit the results of a Retina vulnerability scan. Windows Vista and 2008 Server implement several additional security measures that affect Retina's ability to remotely assess a target host for anything requiring local access, which is what the registry and file audits use. As separated below, several of the options mentioned also apply to other editions of Windows, except that the default settings in Vista/2008 are more restrictive and need to be reviewed. Please note that Retina uses the same authentication methods as a user with the required permissions trying to access the same information from within Windows; this is therefore not an issue specific to Retina.

Before making the changes below, first verify that your company's security policy allows for this remote access. If the following changes are not implemented, the results from Retina will be affected accordingly. Note: Blink's local copy of Retina (Vulnerability Assessment) is not affected by this and provides an excellent way to adhere to corporate policy and get vulnerability data simultaneously.

In order to properly scan Windows machines (including Vista and 2008 Server), please check and perform the following:

1) Local security policy setting "Network access: Sharing and security model for local accounts" is set to "Guest".
Purpose: For the specified account used when scanning remotely to inherit its local permissions, this needs to be changed to "Classic" as follows (the same can be changed similarly from the Domain policy):
a) From the Control Panel, select "Administrative Tools".
b) Select "Local Security Settings".
c) From the left pane, expand "Security Settings" -> Local Policies -> Security Options.
d) From the right pane, scroll down to "Network access: Sharing and security model for local accounts" and modify it to "Classic".
After exiting from the Management Console, the setting should take effect immediately.

2) Windows Firewall is enabled by default and prevents remote access.
Purpose: Allows proper communication between the Retina scanner and the target host.
a) From the Control Panel, select Windows Firewall.
b) Either disable the Windows Firewall or make exceptions for File and Print Sharing.

3) Remote Registry is disabled by default.
Purpose: For Retina to be able to read registry keys and values, this service needs to be enabled as follows:
a) From the Control Panel, select "Administrative Tools".
b) Select "Services".
c) Search for the name "Remote Registry" and double-click the entry.
d) In the dialog box, press the "Start" button. From here it can also be configured to start automatically upon system startup by setting the "Startup type" to "Automatic".

4) Local security policy setting "Network access: LAN Manager authentication level" is set to "Send NTLMv2 response only".
Purpose: The setting should match what is configured on the Retina scanner so that the proper authentication protocols are used. The option is found as follows:
a) From the Control Panel, select "Administrative Tools".
b) Select "Local Security Settings".
c) From the left pane, expand "Security Settings" -> Local Policies -> Security Options.
d) From the right pane, search for the option in question and compare what is configured on the scanner and on the target host.
Testing suggests that the system may require a reboot after making the change; it does not necessarily take effect immediately.

Specific to Vista and 2008 Server:

5) UAC (User Account Control) is enabled by default and can be disabled only from the registry. Please note that this involves modifying the registry, and the usual precaution about backing it up before proceeding applies.
Purpose: In order to authenticate remotely without UAC, the registry value below must be set to allow this. For further information visit: http://support.microsoft.com/kb/942817
Create the following registry key and value:
a) From the "Run" dialog box (press WINDOWS_KEY + 'r'), type "regedit.exe" to start the Registry Editor.
b) Locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
c) In this registry key, create the following DWORD value and set it to '1': LocalAccountTokenFilterPolicy
d) A system reboot is required after making the change; it does not take effect immediately.
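Steps 1, 3, 4 and 5 above can be verified on a target host before a credentialed scan is scheduled, so that a scan with thin results is not mistaken for a clean host. The following Python script is an added example, not eEye's code or part of the original document: it only reads the relevant settings and reports which ones still differ from the recommendations. The mapping of the two Local Security Policy options to the registry values ForceGuest and LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, the service name RemoteRegistry, and the scanner's LAN Manager level (assumed here to be 3, "Send NTLMv2 response only") are assumptions drawn from general Windows knowledge, not from the document; the Windows Firewall exception in step 2 is not checked.

```python
"""Read-only audit of the Windows settings this section says a credentialed
Retina scan needs. Added example, not eEye code. Nothing is modified."""
import subprocess
import sys

# Registry locations behind the Local Security Policy options named in the
# text. The policy-to-value mapping (ForceGuest, LmCompatibilityLevel) is an
# assumption from general Windows knowledge; the policies\system key and the
# LocalAccountTokenFilterPolicy value are the ones the section itself names.
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
POLICIES_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"


def read_dword(subkey, name):
    """Return a REG_DWORD under HKLM as int, or None if the key/value is absent."""
    import winreg  # Windows only; imported lazily so evaluate() works anywhere
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, _type = winreg.QueryValueEx(key, name)
            return int(value)
    except OSError:
        return None


def service_running(name):
    """True when `sc query <name>` reports the service as RUNNING."""
    out = subprocess.run(["sc", "query", name], capture_output=True, text=True).stdout
    return "RUNNING" in out


def collect():
    """Gather the live values on a Windows host; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    return {
        "ForceGuest": read_dword(LSA_KEY, "ForceGuest"),
        "LmCompatibilityLevel": read_dword(LSA_KEY, "LmCompatibilityLevel"),
        "LocalAccountTokenFilterPolicy": read_dword(POLICIES_KEY, "LocalAccountTokenFilterPolicy"),
        "RemoteRegistryRunning": service_running("RemoteRegistry"),
    }


def evaluate(values, scanner_lm_level):
    """Compare collected values with the section's recommendations.

    Returns a list of (check, ok, detail) tuples in step order 1, 3, 4, 5.
    An absent value means the OS default applies, so it is reported for review.
    """
    findings = []
    # Step 1: sharing model must be Classic (ForceGuest = 0), not Guest only.
    fg = values.get("ForceGuest")
    findings.append(("Sharing and security model = Classic", fg == 0, f"ForceGuest={fg}"))
    # Step 3: the Remote Registry service must be running for registry/file audits.
    findings.append(("Remote Registry service running",
                     bool(values.get("RemoteRegistryRunning")), ""))
    # Step 4: LAN Manager authentication level must match the scanner's level.
    lm = values.get("LmCompatibilityLevel")
    findings.append(("LAN Manager auth level matches scanner", lm == scanner_lm_level,
                     f"target={lm} scanner={scanner_lm_level}"))
    # Step 5 (Vista/2008): LocalAccountTokenFilterPolicy = 1 so remote logons by
    # local administrators are not filtered by UAC.
    latfp = values.get("LocalAccountTokenFilterPolicy")
    findings.append(("LocalAccountTokenFilterPolicy = 1", latfp == 1, f"value={latfp}"))
    return findings


def all_ok(values, scanner_lm_level):
    """True when every check in evaluate() passes."""
    return all(ok for _, ok, _ in evaluate(values, scanner_lm_level))


if __name__ == "__main__":
    live = collect()
    if live is None:
        sys.exit("run this on the Windows target host")
    for check, ok, detail in evaluate(live, scanner_lm_level=3):
        print(f"[{'OK ' if ok else 'FIX'}] {check} {detail}")
```

Run it on the target as an administrator and fix the lines marked FIX using the steps above; the scanner_lm_level argument should be set to whatever "LAN Manager authentication level" is configured on the Retina scanner itself.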


Retina in a Virtual Environment


Virtualization offers a wide array of benefits, from power and environmental constraints to physical space limitations and disaster recovery efforts. eEye Digital Security, a leader in the vulnerability management and host-based security space, realizes these benefits potentially offer significant value to our install base and is in full support of virtualization. Although virtualization is in many ways identical to running on physical hardware from a software perspective, there are certain caveats that are unique to a connection-sensitive application such as a vulnerability assessment scanner. Having an extremely diverse customer base, including the largest deployments of active vulnerability assessment in both the commercial and government sectors, eEye Digital Security has had a significant amount of experience with various virtualized environments and the challenges that can go along with them.

As virtualized environments and configurations vary widely, there are no specific installation instructions unique to virtualized installations of eEye Digital Security software. Standard instructions and user documentation should be adhered to during installation of the products. eEye has developed a set of recommendations that, based on our experience working with the part of our install base currently employing virtual environments, have led to successful deployments and ongoing vulnerability management operations. The following are best practice recommendations and offer no warranty, as environments and configurations can vary based on virtualization vendors, implementations, and hardware.

1. Dedicated Network Interface Cards
Retina should have a dedicated physical NIC for the session so UDP packets are not dropped when a shared NIC could have high utilization. We have seen in some cases a highly utilized or maxed-out virtualization system favor established TCP connections over half-open or SYN-only connections. This can have an undesirable effect on scan results. REM components are much less connection sensitive than the scanner in this type of deployment.

2. MS SQL Database
MS SQL should not be virtualized unless database considerations are taken for virtualization and best practices implemented per the virtualization vendor. As is well known, MS SQL Server requires a significant amount of resources to function correctly. We have seen quite a few cases where the REM components, and especially MS SQL instances, have been given far inadequate amounts of resources. This always results in poor performance. Disk speed and utilization are also contributors to performance. MS SQL is by nature disk intensive and performs well when fast disks are employed, along with the multiple simultaneous writes commonly delivered by a RAID array. Bottom line: virtualization of a machine does not change the resources required for it to function properly. Underpowering SQL or REM components can have a drastic impact on performance and user experience.

3. Dedicated Virtual Machines
Virtual machines for Retina and REM should not be shared with other applications. Retina, REM, and MS SQL are all enterprise-class pieces of software. Enterprise-class software is optimally designed to run on enterprise-class hardware. Shared resources generally lead to overburdened machines and, again, poor performance and user experience.

4. Industrial Virtualization Suites
There are many options when selecting a virtualization suite. eEye Digital Security does not recommend one particular suite, but we do recommend choosing an industrial-grade, server-level solution with commercial support and maintenance. VMware ESX, Parallels, and Virtual Server are all acceptable technologies. Using workstation or other non-industrial virtualization technology is not recommended.


Retina, Host Scanning Considerations


The list below represents known hosts and applications that are susceptible to crashes and performance anomalies when being scanned by eEye Digital Security's Retina Network Vulnerability Assessment Scanner or another third-party network-based vulnerability assessment solution. New users of a network-based vulnerability assessment solution should review this list and verify that these devices and applications, and the unacceptable revisions of them, are not present in the environment prior to a scan. If they are present, they should be excluded from the scanning range until proper remediation can occur. This list will be updated by eEye in the event any new anomalies are detected using network-based vulnerability assessment scanners against new hosts and applications. If you encounter an anomaly with a device not on this list, please open a support ticket at: http://www.eeye.com/html/support/request/index.html

Known Solutions with Scanning Anomalies

Cisco Catalyst 6500
o All Cisco Catalyst 6500 switches with firmware less than 12.2.17d-SXB1 are affected
o The switch will have a kernel panic when scanned and reboot
o The flaw is linked to a known IKE vulnerability in the IOS
Resolution: Cisco IOS versions greater than 12.2.17d-SXB1 have the vulnerability fixed. TAC Reference CSCed30113, http://www.cisco.com/en/US/products/products_security_advisory09186a0080572f55.shtml

IBM Tivoli Mobile Client Agent
o The host-based agent crashes with a message of Error "No endpoints were found on the machine. Setup cannot continue" or similar when being scanned
o The solution is installed and operating normally prior to a scan
Resolution: None at this time. IBM Tivoli has been notified of a fault within their solution when being scanned.

Computer Associates Unicenter NSM 3.x
o CA Unicenter NSM Trap Receivers will fail on Windows 2000 and 2003 SP1 when scanned using Retina
o The anomaly is technically not a CA issue but a hanging API within the Windows Server OS
Resolution: The following hotfix from Microsoft prevents Windows SNMP API hangs: Microsoft KB article 931565, http://support.microsoft.com/?id=931565

Computer Associates Brightstor
o Brightstor for Novell will not properly close ports 6050 and 6666 after being scanned
o Exact versions of Brightstor for Novell are unknown
Resolution: Update to the latest revisions of Brightstor agents.

VMware ESX 3 Evaluation Version Only
o The default download version of VMware ESX 3 will crash or disable the following ESX services and render remote administration unavailable:
  VMware ESX Server Host Agent Services
  VMware ESX Server Host Agent Watchdog
  VMware ESX Server Host Agent
Resolution: Apply current maintenance and/or apply maintenance to the current GA release to eliminate the anomaly.

Novell Netware Servers
o Netware servers may abend during a vulnerability assessment scan
o Exact versions of Netware not known at this time
Resolution:
o Turn off the Enumerate Shares option when scanning Novell servers
o Apply the latest maintenance from Novell
o Unload Compaq.nlm

Veritas NetBackup
o At least Veritas NetBackup 5.1 Maintenance Pack 6 is susceptible
o Process bpjava-msvc.exe crashes upon a scan
Resolution: This application is currently under investigation.

Digital OpenVMS DecNet Consoles
o Circa 1999 DecNet terminals operating over TCP/IP
o No firmware upgrades available from Compaq or HP
Resolution: Isolate the client network via firewalls and VLANs. Do not scan.

General Issues

In general, the following types of devices have been identified as potentially faulty under network-based vulnerability assessment scans. Special care should be given to these classes of devices since updates and firmware revisions are not always available.
- Older PBX systems with IP interfaces (non-VoIP)
- Facility maintenance solutions such as fire alarms with an IP interface
- Manufacturing equipment with firmware-based IP


Endpoint Protection Platform and Anti-Virus White Listing Considerations


The Retina Network Security Scanner is available as software, appliance, or managed services. As a software solution it is available on the Microsoft Windows operating system and requires a configuration that should be in accordance with security best practices and regulatory compliance initiatives for your organization. To that end, the host should be protected, at a minimum, with an anti-virus solution. The guidelines below should be applied to any installation regardless of vendor and for any type of anti-virus, host-based intrusion prevention, or endpoint protection platform:

- The real-time anti-virus scanner should exclude the ..\Retina 5 and ..\Common Files\eEye Digital Security\ directories. At a minimum exclude the following:
  o %Program Files%\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
  o %Program Files%\eEye Digital Security\Retina 5\Retina.exe
  o %Program Files%\eEye Digital Security\Retina 5\Scanner\
  o %Program Files%\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
- Disable anti-virus on-access scanning for network drives and mapped drives. If this is not done, credentialed scanning of a target's C$ share will scan remote files and degrade the scanner's capabilities.
- Disable any host-based intrusion protection (HIPS) modules or exclude RetinaEngine.exe from HIPS to prevent false positives during a scan on the local host's security engine.
- Disable the local firewall on the scanner machine or make an exclusion for RetinaEngine.exe to have access to all remote ports, protocols, and IP addresses. This rule should have a high priority and be stateful.
- Disable email filtering proxies on the security solution. Some security solutions create a faux port 25 for scanning incoming mail. If this is active, it will cause scan results to show ghost machines, all with port 25 open.

Vendor Specific Considerations:
- Symantec Endpoint Protection (SEP) 11 has a network provider that sits in front of LAN Manager and inspects all Retina traffic. The SEP 11 network provider's priority order needs to be dropped to the bottom of the list in order to resolve any traffic filtering issues to scan targets.


Retina Protection Agents - Special Server Considerations


The Retina Protection Agent is designed to be professional-grade security for clients in security-conscious environments. By design, the Retina Protection Agent can be installed on various Microsoft Windows platforms starting with Windows 2000 and running all the way through Windows Server 2008. When operating on any server platform from Microsoft, whether it is Windows 2000, 2003, or 2008 server editions, special consideration needs to be given to the monitoring capabilities of Retina and the amount of overhead associated with wire-based packet inspection by protocol. These special considerations are outlined below and will require policy settings in Retina CS or the local agent in order to compensate for the load on the solution.

Server Specification | Maximum Recommended Values
CPU Utilization      | Average less than 60% capacity
Memory Consumption   | Less than 80% committed during peak usage
Operating Systems    | 2000, 2000 Server, XP, 2003, 2003 Server (32bit only), Vista SP1 (32 and 64 bit), Server 2008 (32 and 64 bit), Member Services Only
Domain Controllers   | Domain Controllers should be tested thoroughly before deployment.

Special Considerations:
- High-volume NetBIOS or HTTP traffic may consume excessive CPU and memory resources for continuous packet inspection. Both the Retina Protection Agent and Retina CS provide vehicles for process and port exclusions to allow trusted applications to bypass the IPS in high-volume scenarios. In rare cases, eEye recommends disabling IPS packet processing completely for these systems; this may be required as a last resort for server stability.
- Server-based applications may trip IPS rules and can be managed in the Retina Protection Agent or Retina CS by:
  o Registering the application with the IPS
  o Modifying the rule to larger thresholds
  o Disabling the rule
  o Trusting the host IP address (Note: This is a last-resort recommendation since all communications through the IPS are trusted and bypass all rules.)


Scanning or Auditing UNIX or Linux Systems


Scanning or auditing a UNIX/Linux system with Retina is similar to scanning or auditing a Windows system. The key with UNIX/Linux devices is the credential that Retina uses to access the system. When auditing UNIX/Linux systems, Retina will attempt to remotely access the target system using SSH. The credential used by Retina must be allowed to log in using SSH. The SSH server can use v1 or v2 of the SSH protocol. The authentication method must be password based.

When configuring Retina to audit UNIX/Linux systems, a credential that is allowed to log in using SSH should be added to the Retina credential manager. Usually, a credential is added as domain\username, the typical format for win32 systems. For UNIX/Linux systems, you do not need to add the domain part of the credential. For example:

Win32 Credential: MYDOMAIN\Administrator
UNIX credential: Administrator
Linux credential: root

When creating a scan job in Retina, you can select the stored credentials, which allows Retina to have both a win32 credential and a UNIX/Linux credential. When the target system is scanned, the stored credentials will be tried until one is found that allows access, or none are allowed.

There are some configuration settings for the SSHD daemon that must be considered. Retina will only perform password authentication. This means the PasswordAuthentication option in the SSHD config file must be set to yes. To use the root account for access, you must also allow this in the SSHD configuration by setting PermitRootLogin to yes. The Protocol can be 1 or 2 or both. The hosts.allow and hosts.deny files should be configured to control access from remote systems.

Most major UNIX/Linux vendors use a version of OpenSSH. The above referenced settings are typical of OpenSSH implementations. Specific versions of UNIX could vary to some degree. The important idea is that Retina does not know, or have any preference for, one implementation over the other.

You do not need root access. It is generally a bad practice to allow root access from anywhere except the console itself. Allowing root to connect remotely using any means is not recommended. When scanning remote systems, Retina will attempt to find identifiers for known vulnerabilities through several methods. One common method is to review the package database to determine what patches could be installed. Depending on the UNIX/Linux system itself, the package database may not allow a non-privileged user access to it. If this occurs, you may need to add the user that will be used within Retina to some specific groups. SUDO support is available; contact eEye Technical Support for more details.

**Note: When scanning a UNIX system, you will want to look for this specific audit in the results, which indicates that the SSH tunnel was NOT established during the scan. If you find this audit in the results, stop and investigate why SSH was not established, and then re-scan. If you use any Audit Group other than All Audits, please ensure that this audit is included in the Audit Group before scanning.

Audit Name: SSH Local Access not available


Creating an Address Group Import File


The RTI file contains multiple types of IP address notations that can be included or omitted. The file format is a standard text file with one entry on each line.

To create an RTI file:

1.) In a standard text file, include the IP addresses by entering one IP address per line.
2.) To omit an address, type the IP address, then enclose the entry in parentheses.
3.) Save the file with a .rti extension.
4.) Using the Address Group wizard in Retina, import the file.

Example: the following is an RTI file with included and omitted IP addresses.

--beginning of file--
192.168.0.1
192.168.0.10-192.168.0.20
(192.168.0.15)
desktop.domain.com
192.168.1.0/24
(192.168.1.100-192.168.1.200)
--end of file--
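As an added example (not eEye's own code), the following Python script parses an RTI file in the format just described, expanding single addresses, ranges, CIDR blocks and parenthesised omissions, so an administrator can check exactly which addresses an address group will cover before importing it. The sample file is constructed to mirror the example above; hostnames are kept unresolved so the check runs offline.

```python
import ipaddress

# Constructed sample RTI file mirroring the document's example.
SAMPLE_RTI = """192.168.0.1
192.168.0.10-192.168.0.20
(192.168.0.15)
desktop.domain.com
192.168.1.0/24
(192.168.1.100-192.168.1.200)
"""

def expand_entry(entry):
    """Expand one RTI entry (single IP, range, CIDR block or hostname) into a set of strings."""
    entry = entry.strip()
    if "/" in entry:                                   # CIDR notation, e.g. 192.168.1.0/24
        return {str(a) for a in ipaddress.ip_network(entry, strict=False)}
    try:
        if "-" in entry:                               # inclusive range, e.g. 192.168.0.10-192.168.0.20
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end precedes start: {entry}")
            return {str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)}
        return {str(ipaddress.ip_address(entry))}
    except ValueError:
        if entry[:1].isdigit():                        # looked numeric but is malformed: report it
            raise
        return {entry}                                 # hostname (may contain '-'), left unresolved

def parse_rti(text):
    """Return (included, omitted) sets; entries wrapped in parentheses are omissions."""
    included, omitted = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("(") and line.endswith(")"):
            omitted |= expand_entry(line[1:-1])
        else:
            included |= expand_entry(line)
    return included, omitted

def effective_targets(text):
    """Addresses the address group actually covers: included entries minus omitted ones."""
    included, omitted = parse_rti(text)
    return included - omitted
```

For the sample file this yields 167 targets: 1 + 11 + 1 + 256 included entries, less the 102 omitted addresses.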


How to Enable SUDO Support for Retina


In order to provide more flexibility for scanning Unix/Linux targets, Retina additionally supports environments that implement the SUDO security framework. SUDO support in Retina is disabled by default and is configured through registry entries.

To enable SUDO, perform the following:

1.) Use the Windows Registry Editor (Start > Run > regedit) to view the following registry key, and add the following value to this key, or modify it if the value already exists:

For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\eEye\Retina\5.0\Settings\AuditRemote
For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\Retina\5.0\Settings\AuditRemote

Value: EnableSUDO
Value Type: REG_DWORD
Value Data: 0x0 (Hex) - Default (SUDO off)

2.) Set the EnableSUDO data to 1:

Value: EnableSUDO
Value Type: REG_DWORD
Value Data: 0x1 (Hex) - SUDO on

Retina uses several commands that include meta-characters, and it has been found that some shells do not interpret the commands correctly. If the SSH logs indicate that there are errors on some commands, SUDO can be configured to run a sub-shell, which handles meta-characters correctly on the eEye tested systems.

To enable the SUDO sub-shell, perform the following:

1.) Use the Windows Registry Editor (Start > Run > regedit) to view the following registry key, and add the following value to this key, or modify it if the value already exists:

For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\eEye\Retina\5.0\Settings\AuditRemote
For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\Retina\5.0\Settings\AuditRemote

Value: EnableSUDOSubShell
Value Type: REG_DWORD
Value Data: 0x1 (Hex) - Default (SUDO Sub-shell on)

2.) Ensure the EnableSUDOSubShell data is set to 1.

When EnableSUDO is set to 1 and this value is set to 1, Retina will use the sub-shell option $SHELL -c to issue commands, where $SHELL is the environment variable that specifies the shell to run. eEye recommends setting this value to 1 if SUDO support is enabled.

SUDO Configuration Guidelines, The SUDOERS Configuration File

The following is meant to serve as a general guide to configuring sudo on a UNIX/Linux based system for integration with the Retina Network Security Scanner. It should not be considered a complete guide, as the functionality of sudo is quite extensive and therefore beyond the scope of this guide. Parts of this guide require that the user enter super user mode. Be advised that root access to the system should only be given to trusted users, as improper use could result in system inoperability. Administrators should consult their Security Best Practices to ensure that systems are properly secured and configured. Prior to configuring sudo, it is recommended that all available documentation be consulted at the product website (http://www.sudo.ws).

Notes: In the instructions to follow, IUSR_RETINA is the SSH user account used both for scanning the target system and as the account named in the sudo user privilege specification. This account is used while configuring sudo; however, one does not need to log in with this account in order to configure sudo, as any user with super user access can be used. When editing the sudoers file, replace this name with the actual account name used for scanning the target.

Basic Configuration

This configuration is based on information found in the sudoers manual (http://www.sudo.ws/sudo/man/sudoers.html). It will allow the specified sudo user to execute any command with elevated privileges.

1.) Open a shell console and enter super user mode:

IUSR_RETINA@nixhost:~$ su
nixhost:~#

2.) Edit the sudoers configuration file, for example:

nixhost:~# sudo -e /etc/sudoers
-or-
nixhost:~# sudoedit /etc/sudoers
-or-
nixhost:~# visudo

3.) This opens the default editor specified in SUDO_EDITOR. Under the section titled "User privilege specification", insert the user name of the Retina user account:

# User privilege specification
IUSR_RETINA ALL=(ALL) ALL

4.) Save the sudoers configuration file. If nothing was changed, sudo will typically display a message upon exiting, such as:

sudo: /etc/sudoers unchanged.

5.) Log out or exit super user mode:

nixhost:~# exit
IUSR_RETINA@nixhost:~$

6.) Test the configuration (results may vary depending on system configuration):

IUSR_RETINA@nixhost:~$ id
uid=1000(IUSR_RETINA) gid=1000(IUSR_RETINA) groups=1000(IUSR_RETINA)
IUSR_RETINA@nixhost:~$ sudo id
Password:
uid=0(root) gid=0(root) groups=0(root)

According to the output, when running the id command without sudo the uid is 1000, and when running the id command with sudo the uid is 0, or root. Sudo is now configured with a basic configuration.

Advanced Configuration

Sudo can be configured to allow a user to execute a restricted command set. An advanced configuration will allow the sudo user to execute only the commands specified in the sudoers file with elevated privileges. In most cases, commands will need to be added to sudoers if higher privileges are needed to execute restricted commands or enter a restricted directory. This section describes the process for obtaining the commands used by Retina. Configuring sudo to use features such as Aliases, User Specifications, and RunAs Specifications is beyond the scope of this guide. For more information on configuring these features, consult the sudoers manual (http://www.sudo.ws/sudo/man/sudoers.html).

To obtain the commands used by Retina for use in an advanced sudo configuration:

1.) Execute a credentialed scan against the target. Upon scan completion, navigate to RETINA_INSTALL_DIRECTORY\Logs (e.g. C:\Program Files\eEye Digital Security\Retina 5\Logs).

2.) Open the SSH log, xxxx_SSHLOGa.b.c.d.log, where a.b.c.d is the target's IP address (e.g. 1234_SSHLOG10.100.100.10.log). Executed commands are marked by entries in the log that contain:

xx:xx:xx:xxxx 0xXXXX RETSSH(a.b.c.d): **************** INPUT BUFFER ****************

Output of executed commands is marked by entries that contain:

xx:xx:xx:xxxx 0xXXXX RETSSH(a.b.c.d): **************** OUTPUT BUFFER ****************

3.) Record the commands that are to be permitted on the target system.

Note: Not all commands may need to be added. In particular, only the first command may need to be added if the operation following it is a pipe or shell logic. Furthermore, use of Retina's sudo sub-shell feature will cause all commands to be passed into another shell. In this case, only the target $SHELL would need to be added, as sudo support is not recursive.

4.) Edit and save the sudoers file following the guidance of the sudoers manual (http://www.sudo.ws/sudo/man/sudoers.html).
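As an added example (not eEye's code), the following Python script applies the rules from steps 2 and 3 to a Retina SSH log: it collects the distinct INPUT BUFFER commands, keeps only the first program of each pipe or shell-logic chain, and emits candidate sudoers lines for a least-privilege configuration. The log sample is constructed; the marker lines follow the format shown above, while the assumption that the command text sits on the lines between an INPUT BUFFER marker and the next marker is mine, not documented on the page.

```python
import re

# Constructed sample log. Marker lines follow the documented format; the placement of the
# command text on the lines after the INPUT BUFFER marker is an assumption for this example.
SAMPLE_LOG = """\
10:15:01:0001 0x0A1B RETSSH(10.100.100.10): **************** INPUT BUFFER ****************
rpm -qa | sort
10:15:01:0002 0x0A1B RETSSH(10.100.100.10): **************** OUTPUT BUFFER ****************
kernel-2.6.18-8.el5
10:15:02:0003 0x0A1B RETSSH(10.100.100.10): **************** INPUT BUFFER ****************
cat /etc/redhat-release && uname -a
10:15:02:0004 0x0A1B RETSSH(10.100.100.10): **************** OUTPUT BUFFER ****************
Red Hat Enterprise Linux Server release 5
10:15:03:0005 0x0A1B RETSSH(10.100.100.10): **************** INPUT BUFFER ****************
rpm -qa | sort
10:15:03:0006 0x0A1B RETSSH(10.100.100.10): **************** OUTPUT BUFFER ****************
"""

MARKER = re.compile(r"RETSSH\([\d.]+\): \*+ (INPUT|OUTPUT) BUFFER \*+")

def extract_commands(log_text):
    """Return the distinct command lines Retina sent, in first-seen order."""
    commands, in_input = [], False
    for line in log_text.splitlines():
        m = MARKER.search(line)
        if m:
            in_input = m.group(1) == "INPUT"   # text after an INPUT marker is a command
            continue
        cmd = line.strip()
        if in_input and cmd and cmd not in commands:
            commands.append(cmd)
    return commands

def first_program(command):
    """Only the first program of a pipe or shell-logic chain runs under sudo."""
    head = re.split(r"\s*(\|\||&&|\||;)\s*", command, maxsplit=1)[0]
    return head.split()[0]

def sudoers_lines(log_text, user="IUSR_RETINA", subshell=None):
    """Candidate sudoers entries; with the sub-shell feature only the target $SHELL is needed.
    Resolve each program to its absolute path on the target before adding the line."""
    if subshell:
        programs = [subshell]
    else:
        programs = sorted({first_program(c) for c in extract_commands(log_text)})
    return [f"{user} ALL=(ALL) {p}" for p in programs]
```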


Scanning Using SNMP


In order to scan routers and switches with SNMP, you need to ensure the proper Community Name is in Retina's SNMP community name file.

Procedure

1. Browse to the following directory: C:\Program Files\eEye Digital Security\Retina 5\Database\Reference
   Note: Use the installation directory where Retina is installed.
2. Open the file named 'snmpcn' with either Notepad or Wordpad.
3. Append the Community Name at the bottom and save the file.
4. Restart the eEye Retina Engine via Start > Run > Services.msc.
5. Re-run the scan to include the new Community Names added.


Setting Up MySQL for Database Scanning


In order for the Retina Vulnerability Assessment Scanner to scan a MySQL database, you will need to have the MySQL ODBC drivers installed and supply Retina with the additional credentials for the database in order to scan for vulnerabilities. MySQL ODBC drivers can be downloaded here: http://dev.mysql.com/downloads/connector/odbc/

Procedure:

1. Go to Start > Administrator Tools
2. Launch 'Data Sources (ODBC)'
3. Go to the Drivers tab
4. Search for the MySQL driver
5. If no driver is found, download and install the latest GA released MySQL driver from the MySQL website
6. Verify that a remote connection can be established using the 'mysql' tool provided with the MySQL database installation. Example:

mysql --host=ipaddress -u username -p

Additional information is available in the Retina and MySQL documentation.


Setting Up Oracle for Database Scanning


In order for the Retina Vulnerability Assessment Scanner to scan an Oracle database, you will need to have the Oracle ODBC drivers installed and supply Retina with the additional credentials for the database in order to scan for vulnerabilities. Oracle ODBC drivers can be downloaded here: http://www.oracle.com/technology/software/tech/windows/odbc/index.html

Procedure:

1. Copy the entire "instant_client" folder to the scanner system
2. Run the file "odbc_install.exe"
3. After the installation completes, replace the tnsnames.ora file that's in the instant_client folder with the client's proper tnsnames.ora from your Oracle installation
4. Once copied to the system, you will need to add TNS_ADMIN to the environment variables with the correct path to the tnsnames.ora location
5. Retina will detect the driver and use it for assessment
6. Credentials should be applied in the Credential Manager for authenticated scanning


Retina Architecture, Ports, Protocols, and Components
