Best Practices
Retina Tips & Tricks for a Successful Deployment
eEye Digital Security
2010 eEye Digital Security. All Rights Reserved. This document contains information which is protected by US Copyright and pre-existing nondisclosure agreement between eEye and company identified as Prepared For on title page. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of eEye Digital Security.
For the latest updates to this document, please contact your Preview Representative.

Warranty
This document is supplied on an "as is" basis with no warranty and no support.

Limitations of Liability
In no event shall eEye Digital Security be liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages (including lost profit or lost data) whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material. The information contained in this document is subject to change without notice. No trademark, copyright, or patent licenses are expressly or implicitly granted or included with this material.

Disclaimer
All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. eEye Digital Security is not associated with any other vendors or products mentioned in this document.
Contents
Retina CS Installation Checklist ... 8
REM Installation Checklist ... 9
Appliance Versus Software Decision Matrix ... 10
Retina Recommended Scan Throttling Settings for Bandwidth Control ... 11
Credential Scanning Settings for Windows Hosts ... 12
Retina in a Virtual Environment ... 14
Retina, Host Scanning Considerations ... 16
Endpoint Protection Platform and Anti-Virus White Listing Considerations ... 18
Retina Protection Agents - Special Server Considerations ... 19
Scanning or Auditing UNIX or Linux Systems ... 20
Creating an Address Group Import File ... 21
How to Enable SUDO Support for Retina ... 22
Setting Up MySQL for Database Scanning ... 27
Retina Architecture, Ports, Protocols, and Components ... 29
Deployment Recommendations
This section outlines a phased approach to a conservative roll-out of a vulnerability assessment and management program within an organization. The methodology takes into account the sensitivity of vulnerability information and the caution required when performing network scans against targets that may be susceptible to faults. The examples in this document outline three approaches to a deployment that can be combined to discover the health of the environment in phases.

Example One - Critical Vulnerabilities Only

eEye Digital Security's Retina solution allows scanning to be customized through Smart Groups and Report Templates. By managing Smart Groups and Templates, scan targets can be limited to testing only for the critical vulnerabilities that could adversely affect the environment. This reveals the areas where exposure of sensitive data or a system compromise would do the most damage to the infrastructure.
This approach has a few advantages:
o It shows whether devices holding sensitive data can be compromised with minimal to no intervention
o Devices that contain severe vulnerabilities and are potentially end of life can be identified for replacement

This approach has a few disadvantages:
o Low-severity, compliance-related audits will be missed
o Basic audits for usernames, groups, rogue services and processes will not be run
o Application-based vulnerabilities may be excluded

Example Two - Statistical Sampling

Many regulatory compliance initiatives, including the PCI DSS, allow statistical sampling of assets as part of an effective vulnerability management strategy. For this approach to be successful, the sample must represent every type of device in the environment and should amount to approximately 10% of it. In addition, proof of image standardization for hosts such as desktops is required to validate the sampling approach. Please consider the following:
o All operating systems in the environment
o All applications in the infrastructure
o All hardware, network devices and printers
Every device type above must be included in the target group; no version or platform may be excluded. The sample can be scanned with all audits or with targeted vulnerabilities to report on trends within the environment.
Figure 2, Sample Set of Scanned Assets for Statistical Sampling, Desktops Only
Statistical sampling has several advantages:
o Limited targets and limited risk to production devices
o Validation of compliance management initiatives and image standardization
o Rapid scan times compared to evaluating the entire infrastructure
o Consolidated reports based on samples
In contrast, the disadvantages of this approach are:
o No rogue asset identification
o Rare ("bottom n") vulnerabilities and one-offs on hosts outside the sample are not identified but remain open to attack
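As an added example (not part of the eEye guide), the following shell script builds a sample set that satisfies the conditions of Example Two: roughly 10% of the inventory, with every combination of device type and platform represented at least once, and it reports any stratum the sample misses. The inventory is constructed for this example (the make_inventory function), and its column layout (host,type,platform) is an assumption; a real inventory would come from the asset database or a discovery scan.

```shell
#!/bin/sh
# Added example, not from the eEye guide: pick a stratified ~10% sample of an
# asset inventory so that every (type, platform) combination is represented,
# which is the precondition the guide sets for statistical sampling.
# Inventory columns (host,type,platform) are an assumption of this example.

# Constructed inventory for the example: 67 assets, heavily skewed towards
# desktops, so a flat 10% draw could easily miss the small strata entirely.
make_inventory() {
    echo 'host,type,platform'
    i=1
    while [ "$i" -le 40 ]; do printf 'ws%03d,workstation,Windows XP\n' "$i"; i=$((i + 1)); done
    i=1
    while [ "$i" -le 20 ]; do printf 'w7%03d,workstation,Windows 7\n' "$i"; i=$((i + 1)); done
    printf 'srv01,server,Windows 2008\nsrv02,server,Windows 2008\nsrv03,server,Windows 2008\n'
    printf 'lx01,server,RHEL 5\nlx02,server,RHEL 5\n'
    printf 'prn01,printer,HP JetDirect\n'
    printf 'sw01,network,Cisco IOS\n'
}

# Read an inventory CSV on stdin and write the sample CSV (with header).
# Each stratum contributes ceil(n * pct / 100) hosts, so no stratum is ever
# empty, and the picks are spread evenly through the stratum rather than
# taken from its start.  Default percentage is 10.
stratified_sample() {
    awk -F, -v pct="${1:-10}" '
        NR == 1 { print; next }                      # pass the header through
        {
            key = $2 SUBSEP $3
            n[key]++
            row[key, n[key]] = $0
        }
        END {
            for (key in n) {
                want = int((n[key] * pct + 99) / 100)     # ceil, minimum 1
                for (j = 0; j < want; j++) {
                    idx = int(j * n[key] / want) + 1
                    print row[key, idx]
                }
            }
        }'
}

# List every stratum present in the inventory but absent from the sample.
# Empty output means the "no version or platform excluded" rule holds.
missing_strata() {   # usage: missing_strata inventory.csv sample.csv
    awk -F, '
        NR == FNR { if (FNR > 1) all[$2 "/" $3] = 1; next }
        FNR > 1   { seen[$2 "/" $3] = 1 }
        END       { for (k in all) if (!(k in seen)) print k }
    ' "$1" "$2"
}

# Run the example end to end.
inv=$(mktemp); smp=$(mktemp)
make_inventory > "$inv"
stratified_sample 10 < "$inv" > "$smp"
echo "inventory: $(($(wc -l < "$inv") - 1)) hosts, sample: $(($(wc -l < "$smp") - 1)) hosts"
cat "$smp"
if [ -z "$(missing_strata "$inv" "$smp")" ]; then
    echo "every type/platform stratum is represented"
fi
rm -f "$inv" "$smp"
```

With this inventory the sample holds 10 of 67 hosts (about 15%): the 40 Windows XP workstations contribute 4, the 20 Windows 7 workstations 2, and each of the four small strata contributes 1. A flat 10% draw across the whole list would have been 7 hosts and could have skipped the printer, the switch or the RHEL servers entirely, which is exactly the gap the guide's "no version or platform excluded" rule is meant to close. Feed the sample's host column into an address group for the scan, and keep the inventory snapshot so the sample can be re-validated after the next discovery scan.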
Example Three - Targeted Scanning Based on Business Function

Many devices in an environment provide supporting functions to the business but have no direct connectivity to critical information. Consider a web application: only the web server and its supporting infrastructure should have access to the middleware and databases behind it. A web application vulnerability assessment scan will reveal any flaws in that single entry point, and an attacker can only reach the target through it. Assessing every workstation that merely interfaces with the critical data via the web is therefore overkill. A better approach asks "where is the gold?": the business must identify all of its critical systems and group them accordingly. Scans of these devices should target all possible entry points and occur only during a predefined, agreed scan window. This approach informs all parties that a network scan is going to occur (in case of a fault or outage) and confirms that all critical systems are free from high-rated risks.
This section outlined three different phased approaches to a conservative roll out of a vulnerability management program. The methodologies presented take into consideration the sensitivity of vulnerability information and the cautiousness of performing network scans on targets that may be susceptible to faults within an organization that may have little to no experience with vulnerability assessment scanning. The examples in this document can be cross implemented to discover the health of the environment in phases and ensure a smooth successful rollout of this type of solution. eEye Professional Services are available to assess the risk and compliance objectives, and can provide a phased rollout approach to meeting any business requirements. Based on our experience with clients of similar size, and the overall security and business goals of your organization, eEye is confident that our solutions and services can meet your needs.
Appliance Versus Software Decision Matrix

Grade each factor that applies to your environment and compare the totals.

Grade  | Appliance                                                | Grade  | Software
-------+----------------------------------------------------------+--------+---------------------------------------------------------
       | Rapid Deployment                                         |        | Lower Cost for Licensing Only
       | Easier Maintenance and Lower TCO                         |        | Flexible Deployment with Software Scanners
       | Easier Procurement Process                               |        | Limited Raised Floor Rack Space
       | Unsecure Physical Environments                           |        | Existing Server Reallocation
       | Geographical Deployment                                  |        | Unlimited Scalability
       | Different Budgets, Hardware Only                         |        | Different Budgets, Software Only
       | Optimized Policy and Server for Operations, No Tweaking  |        | Policy Limiting New Hardware on a Network
       | Hardened and Embedded Operating System                   |        | Licensing of Operating System and Database (if needed)
       | Policy Limiting New Software on a Network                |        | Non-Standard Architectural Requirements and Ports
TOTALS |                                                          | TOTALS |
These values can be set in the Retina Network Security Scanner, in the REM Security Management Console, or in Retina CS, either per Retina Scan Engine or globally for all attached scanners. The guidelines are based on bandwidth calculations for non-saturated links; results may vary with individual network conditions and latency.
* Each increase in the number of simultaneous targets (in steps of 24) increases RAM utilization on the scanner: plan an additional 1 GB of RAM for 48 simultaneous targets and an additional 2 GB of RAM for 64 targets.
Purpose: the setting should match what is configured on the Retina scanner so that the proper authentication protocols are used. The option is found as follows:
a) From the Control Panel, select "Administrative Tools".
b) Select "Local Security Settings".
c) From the left pane, expand "Security Settings" -> Local Policies -> Security Options.
d) From the right pane, locate the option in question and compare what is configured on the scanner with what is configured on the target host.
Testing suggests that the system may require a reboot after making the change; it does not necessarily take effect immediately.

Specific to Vista and Server 2008:

5) UAC (User Account Control) is enabled by default, and its remote restriction on local administrator accounts (token filtering) can be disabled only from the registry. Please note that this involves modifying the registry, and the usual precaution about backing it up before proceeding applies.
Purpose: in order to authenticate remotely with a local administrator account without UAC filtering its token, the registry value below must be set. For further information visit: http://support.microsoft.com/kb/942817
Create the following registry key and value:
a) From the "Run" dialog box (press WINDOWS_KEY + 'r'), type "regedit.exe" to start the Registry Editor.
b) Locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
c) In this key, create the DWORD value LocalAccountTokenFilterPolicy and set it to 1.
d) A system reboot is required after making the change; it does not take effect immediately.
Note that this value applies to every remote logon with a local administrator account on that host, not only to the scanner's. UAC remote restrictions do not apply to domain accounts, so scanning with a domain account that is a member of the target's local Administrators group avoids the registry change altogether.
There are many options when selecting a virtualization suite. eEye Digital Security does not recommend one particular suite, but we do recommend choosing an industrial-grade, server-level solution with commercial support and maintenance. VMware ESX, Parallels and Virtual Server are all acceptable technologies. Using workstation-class or other non-industrial virtualization technology is not recommended.
VMware ESX Server Host Agent Watchdog
o VMware ESX Server Host Agent
Resolution: Apply current maintenance, and/or apply maintenance to the current GA release, to eliminate the anomaly.

Novell NetWare Servers
o NetWare servers may abend during a vulnerability assessment scan.
o Exact versions of NetWare are not known at this time.
Resolution:
o Turn off the Enumerate Shares option when scanning Novell servers.
o Apply the latest maintenance from Novell.
o Unload Compaq.nlm.

Veritas NetBackup
o At least Veritas NetBackup 5.1 Maintenance Pack 6 is susceptible.
o The process bpjava-msvc.exe crashes upon a scan.
Resolution: This application is currently under investigation.

Digital OpenVMS DECnet Consoles
o Circa-1999 DECnet terminals operating over TCP/IP.
o No firmware upgrades are available from Compaq or HP.
Resolution: Isolate the client network via firewalls and VLANs. Do not scan.
General Issues
In general, the following classes of devices have been identified as potentially faulty under network-based vulnerability assessment scans. Special care should be given to them, since updates and firmware revisions are not always available.
o Older PBX systems with IP interfaces (non-VoIP)
o Facility maintenance solutions such as fire alarms with an IP interface
o Manufacturing equipment with firmware-based IP stacks
o %Program Files%\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
o %Program Files%\eEye Digital Security\Retina 5\Retina.exe
o %Program Files%\eEye Digital Security\Retina 5\Scanner\
o %Program Files%\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
o Disable anti-virus on-access scanning for network drives and mapped drives. If this is not done, credentialed scanning of a target's C$ share will cause the anti-virus to scan the remote files and degrade the scanner's performance.
o Disable any host-based intrusion prevention (HIPS) modules, or exclude RetinaEngine.exe from HIPS, to prevent false positives from the local host's security engine during a scan.
o Disable the local firewall on the scanner machine, or add an exclusion that gives RetinaEngine.exe access to all remote ports, protocols and IP addresses. This rule should have a high priority and be stateful. An exclusion is preferable to disabling the firewall, since it leaves the scanner host's other inbound protection in place.
o Disable email filtering proxies in the security solution. Some security solutions create a faux port 25 for scanning incoming mail; if this is active, the scan results will contain ghost machines, all with port 25 open.
Vendor Specific Considerations: Symantec Endpoint Protection (SEP) 11 installs a network provider ahead of LAN Manager that inspects all Retina traffic. Move the SEP 11 network provider to the bottom of the provider order to resolve traffic filtering issues with scan targets.
Special Considerations: High-volume NetBIOS or HTTP traffic may consume excessive CPU and memory for continuous packet inspection. Both the Retina Protection Agent and Retina CS provide process and port exclusions that allow trusted applications to bypass the IPS in high-volume scenarios. In rare cases eEye recommends disabling IPS packet processing completely for these systems; this may be required as a last resort for server stability.
Server-based applications may trip IPS rules; this can be managed in the Retina Protection Agent or Retina CS by:
o Registering the application with the IPS
o Modifying the rule to use larger thresholds
o Disabling the rule
o Trusting the host IP address (Note: this is a last-resort recommendation, since all communications from a trusted host bypass every IPS rule.)
When EnableSUDO is set to 1 and this value is also set to 1, Retina issues commands through a sub-shell, $SHELL -c <command>, where $SHELL is the environment variable that names the shell to run. eEye recommends setting this value to 1 if SUDO support is enabled.
SUDO Configuration Guidelines, The SUDOERS Configuration File

The following is meant to serve as a general guide to configuring sudo on a UNIX/Linux-based system for integration with the Retina Network Security Scanner. It should not be considered a complete guide, as the functionality of sudo is quite extensive and therefore beyond the scope of this document. Parts of this guide require that the user enter super-user mode. Be advised that root access to the system should only be given to trusted users, as improper use could result in system inoperability. Administrators should consult their security best practices to ensure that systems are properly secured and configured. Prior to configuring sudo, it is recommended that all available documentation be consulted at the product website (http://www.sudo.ws).

Notes: In the instructions that follow, IUSR_RETINA is the SSH user account used both for scanning the target system and as the account named in the sudo user privilege specification. This account is used while configuring sudo; however, one does not need to log in with this account in order to configure sudo, as any user with super-user access can be used. When editing the sudoers file, replace this name with the actual account name used for scanning the target.

Basic Configuration

This configuration is based on information found in the sudoers manual (http://www.sudo.ws/sudo/man/sudoers.html). It allows the specified sudo user to execute any command with elevated privileges, which makes the scan account equivalent to root on the target. Use it only where that is acceptable; otherwise prefer the restricted command set described under Advanced Configuration.

1.) Open a shell console and enter super-user mode:
    IUSR_RETINA@nixhost:~$ su
    nixhost:~#
2.) Edit the sudoers configuration file, for example:
    nixhost:~# sudo -e /etc/sudoers
    - or -
    nixhost:~# sudoedit /etc/sudoers
    - or -
    nixhost:~# visudo
    visudo is the preferred method, since it locks the file and checks the syntax before saving; a syntax error in /etc/sudoers can lock every user out of sudo.
3.) This opens the default editor (for sudo -e and sudoedit, the one specified in SUDO_EDITOR). Under the section titled "User privilege specification", insert the user name of the Retina user account:
    # User privilege specification
    IUSR_RETINA ALL=(ALL) ALL
4.) Save the sudoers configuration file. If it was not changed, sudo will typically display a message upon exiting, such as:
    sudo: /etc/sudoers unchanged.
5.) Log out or exit super-user mode:
    nixhost:~# exit
    IUSR_RETINA@nixhost:~$
6.) Test the configuration (results may vary depending on system configuration):
    IUSR_RETINA@nixhost:~$ id
    uid=1000(IUSR_RETINA) gid=1000(IUSR_RETINA) groups=1000(IUSR_RETINA)
    IUSR_RETINA@nixhost:~$ sudo id
    Password:
    uid=0(root) gid=0(root) groups=0(root)
According to the output, when running the id command without sudo the uid is 1000, and when running it with sudo the uid is 0 (root). Sudo is now configured with a basic configuration.
Advanced Configuration

Sudo can be configured to allow a user to execute only a restricted command set. An advanced configuration allows the sudo user to execute, with elevated privileges, only the commands specified in the sudoers file. In most cases commands will need to be added to sudoers when higher privileges are needed to execute restricted commands or to enter a restricted directory. This section describes the process for obtaining the commands used by Retina. Configuring sudo features such as Aliases, User Specifications and RunAs Specifications is beyond the scope of this guide; for more information on them, consult the sudoers manual (http://www.sudo.ws/sudo/man/sudoers.html).

To obtain the commands used by Retina for use in an advanced sudo configuration:
1.) Execute a credentialed scan against the target. Upon scan completion, navigate to RETINA_INSTALL_DIRECTORY\Logs (e.g. C:\Program Files\eEye Digital Security\Retina 5\Logs).
2.) Open the SSH log, xxxx_SSHLOGa.b.c.d.log, where a.b.c.d is the target's IP address (e.g. 1234_SSHLOG10.100.100.10.log). Executed commands are marked by log entries that contain:
    xx:xx:xx:xxxx 0xXXXX RETSSH(a.b.c.d): **************** INPUT BUFFER ****************
    The output of executed commands is marked by entries that contain:
    xx:xx:xx:xxxx 0xXXXX RETSSH(a.b.c.d): **************** OUTPUT BUFFER ****************
3.) Record the commands that are to be permitted on the target system.
    Note: not every command needs to be added. In particular, when a command line is a pipeline or contains shell logic, only the first command runs under sudo, so only that command may need an entry. Furthermore, Retina's sudo sub-shell feature causes all commands to be passed into another shell ($SHELL -c ...); in that case only the target's $SHELL needs to be permitted, since sudo support is not recursive. Be aware that permitting $SHELL in sudoers lets the account run any command as root, so with the sub-shell option enabled the restricted command set offers no real restriction.
4.) Edit and save the sudoers file following the guidance of the sudoers manual (http://www.sudo.ws/sudo/man/sudoers.html).
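As an added example (not part of the eEye guide), the following shell script automates step 3 and the sudoers entry of step 4 for the Advanced Configuration: it extracts from a Retina SSH log the executables Retina ran through sudo, emits a sudoers fragment that restricts IUSR_RETINA to exactly those commands, and warns when a shell appears in the list, which is the situation the sub-shell note above describes. The log excerpt is constructed for this example; the guide documents only the INPUT BUFFER and OUTPUT BUFFER markers, so the script assumes the command text sits on the line after each marker. The alias name RETINA_CMDS, the resolve_cmd helper and its /usr/bin fallback path are this example's own assumptions, not part of Retina.

```shell
#!/bin/sh
# Added example, not from the eEye guide: build a restricted sudoers fragment
# for the Retina scan account from the commands found in a Retina SSH log.
#
# Assumptions: the command text is on the line after each INPUT BUFFER marker
# (the guide documents the markers, not the line layout); the scan account is
# IUSR_RETINA as in the guide; RETINA_CMDS is this example's alias name.

# Constructed sample of a Retina SSH log (layout assumed, not a real capture).
SAMPLE_LOG='12:00:01:0001 0x1A2B RETSSH(10.100.100.10): **************** INPUT BUFFER ****************
sudo cat /etc/passwd | grep -v nologin
12:00:01:0002 0x1A2B RETSSH(10.100.100.10): **************** OUTPUT BUFFER ****************
root:x:0:0:root:/root:/bin/bash
12:00:02:0001 0x1A2B RETSSH(10.100.100.10): **************** INPUT BUFFER ****************
sudo -n netstat -an
12:00:02:0002 0x1A2B RETSSH(10.100.100.10): **************** OUTPUT BUFFER ****************
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
12:00:03:0001 0x1A2B RETSSH(10.100.100.10): **************** INPUT BUFFER ****************
uname -a
12:00:03:0002 0x1A2B RETSSH(10.100.100.10): **************** OUTPUT BUFFER ****************
Linux nixhost 2.6.32 #1 SMP x86_64 GNU/Linux
12:00:04:0001 0x1A2B RETSSH(10.100.100.10): **************** INPUT BUFFER ****************
sudo cat /etc/shadow
'

# Read a log on stdin and print, once each, the executables Retina ran under
# sudo.  Only the first command of a pipeline or command list is elevated, so
# "sudo cat /etc/passwd | grep -v nologin" yields "cat", not "grep".  Lines
# without sudo (uname above) need no sudoers entry and are skipped.
retina_sudo_commands() {
    awk '
        index($0, "INPUT BUFFER") { grab = 1; next }
        grab {
            grab = 0
            if ($1 != "sudo") next
            i = 2
            while (i <= NF && substr($i, 1, 1) == "-") i++   # skip sudo options such as -n
            if (i <= NF) print $i
        }
    ' | sort -u
}

# sudoers needs absolute paths.  Resolve on this host; fall back to
# /usr/bin/<name> when the command is absent here (an assumption for running
# the example away from the target; verify every path on the target itself).
resolve_cmd() {
    p=$(command -v "$1" 2>/dev/null)
    case "$p" in
        /*) printf '%s\n' "$p" ;;
        *)  printf '/usr/bin/%s\n' "$1" ;;
    esac
}

# Emit the sudoers fragment.  If a shell shows up in the list (which is what
# the sub-shell option produces: sudo $SHELL -c ...), warn: permitting a shell
# is equivalent to ALL, so the restriction would be cosmetic.
retina_sudoers_stanza() {
    alias_list=""
    for c in $(retina_sudo_commands); do
        path=$(resolve_cmd "$c")
        case "$(basename "$path")" in
            sh|bash|dash|ksh|zsh|csh|tcsh)
                echo "WARNING: $path is a shell; allowing it grants unrestricted root" >&2 ;;
        esac
        alias_list="${alias_list:+$alias_list, }$path"
    done
    printf 'Cmnd_Alias RETINA_CMDS = %s\n' "$alias_list"
    printf 'IUSR_RETINA ALL=(root) RETINA_CMDS\n'
}

# Syntax-check a fragment (read from stdin) with visudo before installing it;
# a broken sudoers file locks every user out of sudo.
check_fragment() {
    tmp=$(mktemp)
    cat > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp"
    else
        echo "visudo not found; review $tmp by hand" >&2
    fi
    rm -f "$tmp"
}

printf '%s' "$SAMPLE_LOG" | retina_sudoers_stanza
```

Pipe the stanza through check_fragment before installing it, then add it to sudoers with visudo (or place it under /etc/sudoers.d/ where the distribution includes that directory) and run `sudo -l -U IUSR_RETINA` as root on the target to confirm the account can run only the aliased commands. If the generated alias contains /bin/sh or another shell, the scanner's sub-shell option is in use and the basic configuration is effectively what you have, whatever the command list says.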