Juniper Secure Analytics Managing Vulnerability Assessment Release 2014.4 Published: 2015-02-23 Copyright © 2015, Juniper Networks, Inc.


  • Juniper Networks, Inc.
    1133 Innovation Way
    Sunnyvale, California 94089
    USA
    408-745-2000
    www.juniper.net

    Copyright 2015, Juniper Networks, Inc. All rights reserved.

    Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Juniper Secure Analytics Managing Vulnerability Assessment
    Copyright 2015, Juniper Networks, Inc.
    All rights reserved.

    The information in this document is current as of the date on the title page.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

  • Table of Contents

    About the Documentation
      Documentation and Release Notes
      Documentation Conventions
      Documentation Feedback
      Requesting Technical Support
        Self-Help Online Tools and Resources
        Opening a Case with JTAC

    Part 1 Juniper Secure Analytics Vulnerability Assessment

    Chapter 1 Vulnerability Assessment Scanner
      Vulnerability Assessment Scanner Overview

    Chapter 2 Managing Beyond Security Automatic Vulnerability Detection System Scanner
      Beyond Security Automatic Vulnerability Detection System Scanner Overview
      Adding a Beyond Security AVDS Vulnerability Scanner

    Chapter 3 Digital Defense Inc AVS Scanner
      Digital Defense Inc AVS Scanner Overview
      Adding a Digital Defense Inc AVS Scanner

    Chapter 4 Managing eEye Scanner
      eEye Scanner Overview
      Adding an eEye REM SNMP Scan
      Adding an eEye REM JDBC Scan
      Installing the Unrestricted Java Cryptography Extension

    Chapter 5 Managing IBM Security AppScan Enterprise Scanners
      IBM Security SiteProtector Scanner Overview
      Creating a Customer User Type for IBM AppScan
      Enabling Integration with IBM Security AppScan Enterprise
      Creating an Application Deployment Map in IBM Security AppScan Enterprise
      Publishing the Completed Reports in IBM AppScan
      Adding an IBM AppScan Vulnerability Scanner

    Chapter 6 Managing an IBM Security Guardium Scanner
      IBM Security Guardium Scanner Overview
      Adding an IBM Security Guardium Vulnerability Scanner

    Chapter 7 Managing IBM Security SiteProtector Scanner
      IBM Security SiteProtector Scanner Overview
      Adding an IBM SiteProtector Vulnerability Scanner

    Chapter 8 Managing IBM Security Tivoli Endpoint Manager Scanner
      IBM Security Tivoli Endpoint Manager Scanner Overview
      Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner

    Chapter 9 Managing Foundstone FoundScan Scanner
      Foundstone FoundScan Scanner Overview
      Adding a Foundstone FoundScan Scanner
      Importing Certificates for Foundstone FoundScan

    Chapter 10 Microsoft SCCM Scanner
      Microsoft SCCM Scanner Overview
      WMI Enablement on Scanner Host
      Adding a Microsoft SCCM Scanner

    Chapter 11 Managing nCircle IP360 Scanner
      nCircle IP360 Scanner Overview
      Exporting nCircle IP360 Scan Results To an SSH Server
      Adding a nCircle IP360 Scanner

    Chapter 12 Managing Nessus Scanner
      Nessus Scanner Overview
      Adding a Nessus Scheduled Live Scan
      Adding a Nessus Live Scan with the XMLRPC API
      Adding a Nessus Scheduled Result Import
      Adding a Nessus Completed Report Import with the XMLRPC API

    Chapter 13 Managing NMap Scanner
      NMap Scanner Overview
      Adding a NMap Remote Result Import
      Adding a NMap Remote Live Scan

    Chapter 14 Managing Qualys Scanner
      Qualys Scanner Overview
      Adding a Qualys Detection Scanner
      Adding a Qualys Scheduled Live Scan
      Adding a Qualys Scheduled Import Asset Report
      Adding a Qualys Scheduled Import Scan Report

    Chapter 15 Managing Juniper Profiler NSM Scanner
      Juniper Profiler NSM Scanner Overview
      Adding a Juniper NSM Profiler Scanner

    Chapter 16 Managing Rapid7 NeXpose Scanner
      Rapid7 NeXpose Scanner Overview
      Adding a Rapid7 NeXpose Scanner API Site Import
      Adding a Rapid7 NeXpose Scanner Local File Import

    Chapter 17 Managing netVigilance SecureScout Scanner
      netVigilance SecureScout Scanner Overview
      Adding a netVigilance SecureScout Scan

    Chapter 18 Managing McAfee Vulnerability Manager Scanner
      McAfee Vulnerability Manager Scanner Overview
      Adding a Remote XML Import Scan
      Adding a McAfee Vulnerability Manager SOAP API Scan
      Creating Certificates for McAfee Vulnerability Manager
      Processing Certificates for McAfee Vulnerability Manager
      Importing Certificates For McAfee Vulnerability Manager

    Chapter 19 Managing SAINT Scanner
      SAINT Scanner Overview
      Configuring a SAINTwriter Template
      Adding a SAINT Vulnerability Scan

    Chapter 20 Managing Tenable SecurityCenter Scanner
      Tenable SecurityCenter Scanner Overview
      Adding a Tenable SecurityCenter Scan

    Chapter 21 Managing Axis Scanner
      Axis Scanner Overview
      Adding an AXIS Vulnerability Scan

    Chapter 22 Positive Technologies MaxPatrol
      Positive Technologies MaxPatrol Overview
      Integrating Positive Technologies MaxPatrol with JSA
      Adding a Positive Technologies MaxPatrol Scanner

    Chapter 23 Scheduling a Vulnerability Scan
      Overview
      Viewing the Status Of a Vulnerability Scan

    Chapter 24 Managing the Supported Vulnerability Scanner
      Supported Vulnerability Scanner Overview

    Part 2 Index
      Index

  • List of Tables

    About the Documentation
      Table 1: Notice Icons
      Table 2: Text and Syntax Conventions

    Part 1 Juniper Secure Analytics Vulnerability Assessment

    Chapter 2 Managing Beyond Security Automatic Vulnerability Detection System Scanner
      Table 3: Beyond Security AVDS Vulnerability Scanner Authentication Options

    Chapter 6 Managing an IBM Security Guardium Scanner
      Table 4: IBM AppScan Enterprise Scanner Authentication Options

    Chapter 10 Microsoft SCCM Scanner
      Table 5: Microsoft SCCM Parameters

    Chapter 12 Managing Nessus Scanner
      Table 6: Nessus Scheduled Result Authentication Options

    Chapter 13 Managing NMap Scanner
      Table 7: NMap Remote Result Import Authentication Options
      Table 8: NMap Remote Live Scan Authentication Options

    Chapter 18 Managing McAfee Vulnerability Manager Scanner
      Table 9: Remote XML Import Authentication Options

    Chapter 19 Managing SAINT Scanner
      Table 10: SAINT Vulnerability Authentication Options

    Chapter 21 Managing Axis Scanner
      Table 11: AXIS Scanner - SFTP Properties
      Table 12: AXIS Scanner - SMB Share Properties

    Chapter 22 Positive Technologies MaxPatrol
      Table 13: Positive Technologies MaxPatrol Scanner Details
      Table 14: Positive Technologies MaxPatrol Scanner SFTP Properties
      Table 15: Positive Technologies MaxPatrol Scanner SMB Share Properties

    Chapter 23 Scheduling a Vulnerability Scan
      Table 16: VA Scanner CIDR Options
      Table 17: VA Scanner Priority Options
      Table 18: Scan Schedule Status

    Chapter 24 Managing the Supported Vulnerability Scanner
      Table 19: Supported Vulnerability Scanners

  • About the Documentation

    Documentation and Release Notes
    Documentation Conventions
    Documentation Feedback
    Requesting Technical Support

    Documentation and Release Notes

    To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

    If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

    Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

    Documentation Conventions

    Table 1 defines the notice icons used in this guide.

  • Table 1: Notice Icons

    Meaning: Description

    Informational note: Indicates important features or instructions.
    Caution: Indicates a situation that might result in loss of data or hardware damage.
    Warning: Alerts you to the risk of personal injury or death.
    Laser warning: Alerts you to the risk of personal injury from a laser.
    Tip: Indicates helpful information.
    Best practice: Alerts you to a recommended use or implementation.

    Table 2 defines the text and syntax conventions used in this guide.

    Table 2: Text and Syntax Conventions

    Convention: Bold text like this
    Description: Represents text that you type.
    Example: To enter configuration mode, type the configure command:
        user@host> configure

    Convention: Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Example:
        user@host> show chassis alarms
        No alarms currently active

    Convention: Italic text like this
    Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
    Examples:
        A policy term is a named structure that defines match conditions and actions.
        Junos OS CLI User Guide
        RFC 1997, BGP Communities Attribute

    Convention: Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name

    Convention: Text like this
    Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples:
        To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
        The console port is labeled CONSOLE.

    Convention: < > (angle brackets)
    Description: Encloses optional keywords or variables.
    Example:
        stub ;

    Convention: | (pipe symbol)
    Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples:
        broadcast | multicast
        (string1 | string2 | string3)

    Convention: # (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example:
        rsvp { # Required for dynamic MPLS only

    Convention: [ ] (square brackets)
    Description: Encloses a variable for which you can substitute one or more values.
    Example:
        community name members [ community-ids ]

    Convention: Indention and braces ( { } )
    Description: Identifies a level in the configuration hierarchy.

    Convention: ; (semicolon)
    Description: Identifies a leaf statement at a configuration hierarchy level.

    Example (for both of the preceding conventions):
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

    GUI Conventions

    Convention: Bold text like this
    Description: Represents graphical user interface (GUI) items you click or select.
    Examples:
        In the Logical Interfaces box, select All Interfaces.
        To cancel the configuration, click Cancel.

    Convention: > (bold right angle bracket)
    Description: Separates levels in a hierarchy of menu selections.
    Example:
        In the configuration editor hierarchy, select Protocols>Ospf.

    Documentation Feedback

    We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

    Online feedback rating system: On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/cgi-bin/docbugreport/.

    E-mail: Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

    Requesting Technical Support

    Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

    JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

    Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.

    JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

    Self-Help Online Tools and Resources

    For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

    Find CSC offerings: http://www.juniper.net/customers/support/

    Find product documentation: http://www.juniper.net/techpubs/

    Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

    Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

    Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

    Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

    Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

    Opening a Case with JTAC

    You can open a case with JTAC on the Web or by telephone.

    Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

    Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

    For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.

  • PART 1

    Juniper Secure Analytics Vulnerability Assessment

    Vulnerability Assessment Scanner
    Managing Beyond Security Automatic Vulnerability Detection System Scanner
    Digital Defense Inc AVS Scanner
    Managing eEye Scanner
    Managing IBM Security AppScan Enterprise Scanners
    Managing an IBM Security Guardium Scanner
    Managing IBM Security SiteProtector Scanner
    Managing IBM Security Tivoli Endpoint Manager Scanner
    Managing Foundstone FoundScan Scanner
    Microsoft SCCM Scanner
    Managing nCircle IP360 Scanner
    Managing Nessus Scanner
    Managing NMap Scanner
    Managing Qualys Scanner
    Managing Juniper Profiler NSM Scanner
    Managing Rapid7 NeXpose Scanner
    Managing netVigilance SecureScout Scanner
    Managing McAfee Vulnerability Manager Scanner
    Managing SAINT Scanner
    Managing Tenable SecurityCenter Scanner
    Managing Axis Scanner
    Positive Technologies MaxPatrol
    Scheduling a Vulnerability Scan
    Managing the Supported Vulnerability Scanner

  • CHAPTER 1

    Vulnerability Assessment Scanner

    This chapter contains the following sections:

    Vulnerability Assessment Scanner Overview

    Vulnerability Assessment Scanner Overview

    Integration with vulnerability assessment scanners provides administrators and security professionals with information to build vulnerability assessment profiles for network assets. References to Juniper Secure Analytics (JSA) apply to all products capable of collecting vulnerability assessment information. Products that support scanners include JSA.

    Assets and asset profiles created for servers and hosts in your network provide important information to assist you when resolving security issues. Networks, servers, and individual hosts within the network can be extremely complicated. The ability to collect data and view information about an asset is the purpose of the Assets tab. The goal is to connect offenses triggered in your system to physical or virtual assets to provide a starting point in a security investigation. Asset data helps you identify threats, vulnerabilities, services, and ports, and monitor asset usage in your network.

    The Assets tab in JSA is intended to provide a unified view of the information known about your assets. As more information is provided to the system through vulnerability assessment, the system updates the asset profile and incrementally builds a complete picture about your asset. Vulnerability assessment profiles use correlated event data, network activity, and behavioral changes to determine the threat level and vulnerabilities present on critical business assets in your network. Integration with vulnerability assessment products provides administrators the ability to schedule scans and ensure that vulnerability information is relevant for assets in the network.

    To collect vulnerability assessment information for JSA, administrators can select a scanner from the supported scanner list.

    For the list of supported scanner products, see Managing the Supported Vulnerability Scanner.

    For the configuration options to add a vulnerability scanner to JSA, see:

    Managing Beyond Security Automatic Vulnerability Detection System Scanner
    Managing eEye Scanner
    Managing an IBM Security Guardium Scanner
    Managing IBM Security AppScan Enterprise Scanners
    Managing IBM Security Tivoli Endpoint Manager Scanner
    Managing nCircle IP360 Scanner
    Managing Nessus Scanner
    Managing NMap Scanner
    Managing Qualys Scanner
    Managing Foundstone FoundScan Scanner
    Managing Juniper Profiler NSM Scanner
    Managing Rapid7 NeXpose Scanner
    Managing netVigilance SecureScout Scanner
    Managing McAfee Vulnerability Manager Scanner
    Managing SAINT Scanner
    Managing Axis Scanner
    Managing Tenable SecurityCenter Scanner

    To add a scan schedule to import the vulnerability data, see Scheduling a Vulnerability Scan.

    To view the status of the scan to verify the successful data import, see Viewing the Status Of a Vulnerability Scan.

  • CHAPTER 2

    Managing Beyond Security AutomaticVulnerability Detection System Scanner

    This chapter describes about the following sections:

    Beyond Security Automatic Vulnerability Detection System Scanner

    Overview on page 5

    Adding a Beyond Security AVDS Vulnerability Scanner on page 5

    Beyond Security Automatic Vulnerability Detection System Scanner Overview

    Vulnerability assessment is the evaluation of assets in the network to identify and prioritize potential security issues. Juniper Secure Analytics (JSA) products that support Vulnerability Assessment can import vulnerability data from external scanner products to identify vulnerability profiles for assets.

    Vulnerability assessment profiles use correlated event data, network activity, and behavioral changes to determine the threat level and vulnerabilities present on critical business assets in your network. As external scanners generate scan data, JSA can retrieve the vulnerability data with a scan schedule.

    To configure a Beyond Security AVDS scanner, see Adding a Beyond Security AVDS

    Vulnerability Scanner on page 5.

    Related Documentation

    Vulnerability Assessment Scanner Overview on page 3.

    Adding a Beyond Security AVDS Vulnerability Scanner on page 5.

    Viewing the Status Of a Vulnerability Scan on page 106

    Adding a Beyond Security AVDS Vulnerability Scanner

    Beyond Security Automated Vulnerability Detection System (AVDS) appliances create vulnerability data in Asset Export Information Source (AXIS) format. AXIS formatted files are XML files that can be imported.

    To successfully integrate Beyond Security AVDS vulnerabilities with Juniper Secure Analytics (JSA), you must configure your Beyond Security AVDS appliance to publish vulnerability data to an AXIS formatted XML results file. The XML vulnerability data must be published to a remote server that is accessible by using Secure File Transfer Protocol (SFTP). The term remote server refers to any appliance, 3rd party host, or network storage location that can host the published XML scan result files.

    The most recent XML results containing Beyond Security AVDS vulnerabilities are imported when a scan schedule starts. Scan schedules determine the frequency with which vulnerability data created by Beyond Security AVDS is imported. After you add your Beyond Security AVDS appliance to JSA, you can then create a scan schedule to import the scan result files. Vulnerabilities from the scan schedule update the Assets tab after the scan schedule completes.

    To add a Beyond Security AVDS Vulnerability Scanner to JSA:

    1. Click the Admin tab.

    2. Click the VA Scanners icon.

    3. Click Add.

    4. In the Scanner Name field, type a name to identify your Beyond Security AVDS scanner.

    5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

    6. From the Type list, select Beyond Security AVDS.

    7. In the Remote Hostname field, type the IP address or host name of the system that contains the published scan results from your Beyond Security AVDS scanner.

    8. Choose one of the following authentication options as described in Table 3 on page 6.

    Table 3: Beyond Security AVDS Vulnerability Scanner Authentication Options

    Option: Login Username

    Description: To authenticate with a username and password:

    1. In the Login Username field, type a username that has access to retrieve the scan results from the remote host.

    2. In the Login Password field, type the password associated with the username.

    Option: Enable Key Authorization

    Description: To authenticate with a key-based authentication file:

    1. Select the Enable Key Authentication check box.

    2. In the Private Key File field, type the directory path to the key file.

    The default directory for the key file is /opt/qradar/conf/vis.ssh.key.

    If a key file does not exist, you must create the vis.ssh.key file.

    9. In the Remote Directory field, type the directory location of the scan result files.

    10. In the File Name Pattern field, type a regular expression (regex) required to filter the list of files specified in the Remote Directory. All matching files are included in the processing.

    The default value is .*\.xml. The .*\.xml pattern imports all XML files in the remote directory.

    11. In the Max Reports Age (Days) field, type the maximum file age for your scan results file. Files that are older than the specified days and timestamp on the report file are excluded when the scheduled scan starts. The default value is 7 days.

    12. To configure the Ignore Duplicates option:

    Select this check box to track files that have already been processed by a scan schedule. This option prevents a scan result file from being processed a second time.

    Clear this check box to import vulnerability scan results each time the scan schedule starts. This option can lead to multiple vulnerabilities being associated with an asset.

    If a result file is not scanned within 10 days, the file is removed from the tracking list and is processed the next time the scan schedule starts.

    13. To configure a CIDR range for your scanner:

    a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR

    range from the network list.

    b. Click Add.

    14. Click Save.

    15. On the Admin tab, click Deploy Changes.

    To create a scan schedule, see Scheduling a Vulnerability Scan on page 105
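
    The following added example (not JSA code and not part of the original guide) models how the File Name Pattern, Max Reports Age, and Ignore Duplicates settings from steps 10 to 12 combine to decide which result files one scan schedule run imports. It assumes that the pattern must match the whole file name, that file age is measured from the file's modification time, and that the tracking list is keyed by file name and refreshed whenever a run encounters the file; the function names and sample file names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

DEFAULT_PATTERN = r".*\.xml"   # default File Name Pattern (step 10)
DEFAULT_MAX_AGE_DAYS = 7       # default Max Reports Age (step 11)
TRACKING_EXPIRY_DAYS = 10      # tracking-list expiry (step 12)


def select_files(listing, now, tracked, pattern=DEFAULT_PATTERN,
                 max_age_days=DEFAULT_MAX_AGE_DAYS, ignore_duplicates=True):
    """Return the file names that one scan schedule run would import.

    listing -- iterable of (file_name, modified_time) in the Remote Directory
    tracked -- dict {file_name: time a run last encountered the file};
               updated in place when ignore_duplicates is True
    """
    regex = re.compile(pattern)
    max_age = timedelta(days=max_age_days)
    expiry = timedelta(days=TRACKING_EXPIRY_DAYS)

    if ignore_duplicates:
        # Forget files that no run has encountered for more than 10 days.
        for name in [n for n, seen in tracked.items() if now - seen > expiry]:
            del tracked[name]

    selected = []
    for name, modified in sorted(listing):
        if not regex.fullmatch(name):    # assumption: whole-name match
            continue
        if now - modified > max_age:     # older than Max Reports Age
            continue
        if ignore_duplicates:
            seen_before = name in tracked
            tracked[name] = now          # assumption: every run refreshes
            if seen_before:
                continue                 # already processed, skip
        selected.append(name)
    return selected


def demo():
    """Run the model over a constructed directory listing."""
    day = timedelta(days=1)
    t0 = datetime(2015, 2, 1, 2, 0)      # constructed schedule start time
    listing = [                          # constructed sample files
        ("avds-weekly.xml", t0 - 1 * day),
        ("avds-old.xml", t0 - 9 * day),
        ("avds-weekly.xml.bak", t0 - 1 * day),
        ("avds-export-xml", t0 - 1 * day),
        ("notes.txt", t0),
    ]
    results = {}

    tracked = {}
    results["first_run"] = select_files(listing, t0, tracked)
    results["next_day"] = select_files(listing, t0 + day, tracked)

    # Ignore Duplicates cleared: the same file is imported on every run.
    results["duplicates_allowed"] = select_files(
        listing, t0 + day, {}, ignore_duplicates=False)

    # An unescaped dot also matches names that merely end in "xml".
    results["unescaped_dot"] = select_files(listing, t0, {}, pattern=r".*.xml")

    # Schedule idle for 11 days: the tracking entry has expired.
    later = t0 + 11 * day
    results["gap_default_age"] = select_files(
        listing, later, {"avds-weekly.xml": t0})
    results["gap_30_day_age"] = select_files(
        listing, later, {"avds-weekly.xml": t0}, max_age_days=30)
    return results


if __name__ == "__main__":
    for label, files in demo().items():
        print(f"{label:20} {files}")
```

    Under this model, a file whose tracking entry has expired is already too old to import with the default 7-day age limit. Raising Max Reports Age above 10 days is what allows the re-import seen in the last case.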

    Related Documentation

    Vulnerability Assessment Scanner Overview on page 3.

    Viewing the Status Of a Vulnerability Scan on page 106

    Adding an eEye REM SNMP Scan on page 13

  • CHAPTER 3

    Digital Defense Inc AVS Scanner

    This chapter contains the following sections:

    Digital Defense Inc AVS Scanner Overview on page 9

    Adding a Digital Defense Inc AVS Scanner on page 9

    Digital Defense Inc AVS Scanner Overview

    You can add a Digital Defense Inc AVS scanner to your Juniper Secure Analytics (JSA) deployment.

    Before you begin

    Before you add this scanner, a server certificate is required to support HTTPS connections. JSA supports certificates with the following file extensions: .crt, .cert, or .der. To copy a certificate to the /opt/qradar/conf/trusted_certificates directory, choose one of the following options:

    Manually copy the certificate to the /opt/qradar/conf/trusted_certificates directory by using SCP or SFTP.

    SSH into the console or managed host and retrieve the certificate by using the following command: /opt/qradar/bin/getcert.sh . A certificate is then downloaded from the specified host name or IP and placed into /opt/qradar/conf/trusted_certificates directory in the appropriate format.

    Related Documentation

    Adding a Digital Defense Inc AVS Scanner on page 9

    Adding an eEye REM SNMP Scan on page 13

    Adding an eEye REM JDBC Scan on page 15

    Vulnerability Assessment Scanner Overview on page 3.

    Adding a Beyond Security AVDS Vulnerability Scanner on page 5.

    Adding a Digital Defense Inc AVS Scanner

    About this task

    At intervals that are determined by a scan schedule, Juniper Secure Analytics (JSA) imports the most recent XML results that contain Digital Defense Inc AVS vulnerabilities. To enable communication with the Digital Defense Inc AVS scanner, JSA uses the credentials that you specify in the scanner configuration.

    The following list provides more information about Digital Defense Inc AVS scanner

    parameters:

    Remote Hostname

    The host name of the remote server that hosts the Digital Defense Inc AVS scanner.

    Remote Port

    The port number of the remote server that hosts the Digital Defense Inc AVS scanner.

    Remote URL

    The URL of the remote server that hosts the Digital Defense Inc AVS scanner.

    Client ID

    The master client ID that is used to connect to the Digital Defense Inc AVS scanner.

    Host Scope

    When set to Internal, retrieves the active view for the internal hosts of the Digital Defense Inc AVS scanner. When set to External, retrieves the external active view of the Digital Defense Inc AVS scanner.

    Retrieve Data For Account

    The Default option indicates that the data is included from only the specified Client ID.

    If you want to include data from the Client ID and all its sub accounts, select All Sub

    Accounts. If you want to specify a single, alternate client ID, select Alternate Client ID.

    Correlation Method

    Specifies the method by which vulnerabilities are correlated.

    The All Available option queries the Digital Defense Inc vulnerability catalog and attempts to correlate vulnerabilities that are based on all the references that are returned for that specific vulnerability. References might include CVE, Bugtraq, Microsoft Security Bulletin, and OSVDB. Multiple references often correlate to the same vulnerability, but this option returns more results and takes longer to process than the CVE option.

    The CVE option correlates vulnerabilities that are based only on the CVE-ID.

    Procedure

    To add a Digital Defense Inc AVS Scanner:

    1. Click the Admin tab.

    2. On the navigation menu, click Data Sources.

    3. Click the VA Scanners icon.

    4. Click Add.

    5. From the Type list box, select Digital Defense Inc AVS.

    6. Configure the parameters.

    7. To configure the CIDR ranges you want this scanner to consider, type the CIDR range,

    or click Browse to select the CIDR range from the network list.

    8. Click Add.

    9. Click Save.

    10. On the Admin tab, click Deploy Changes.

    What to do next

    After you add your Digital Defense Inc AVS scanner, you can add a scan schedule to

    retrieve your vulnerability information.

    Related Documentation

    Digital Defense Inc AVS Scanner Overview on page 9

    Adding an eEye REM SNMP Scan on page 13

    Adding an eEye REM JDBC Scan on page 15

  • CHAPTER 4

    Managing eEye Scanner

    This chapter contains the following sections:

    eEye Scanner Overview on page 13

    Adding an eEye REM SNMP Scan on page 13

    Adding an eEye REM JDBC Scan on page 15

    Installing the Unrestricted Java Cryptography Extension on page 17

    eEye Scanner Overview

    Juniper Secure Analytics (JSA) can collect vulnerability data from eEye REM Security

    Management console or eEye Retina CS scanners.

    The following protocol options are available to collect vulnerability information from

    eEye scanners:

    Add an SNMP protocol eEye scanner. See Adding an eEye REM SNMP Scan on page 13.

    Add a JDBC protocol eEye scanner. See Adding an eEye REM JDBC Scan on page 15.

    Related Documentation

    Adding an eEye REM JDBC Scan on page 15

    Vulnerability Assessment Scanner Overview on page 3.

    Adding a Beyond Security AVDS Vulnerability Scanner on page 5.

    Adding an eEye REM SNMP Scan

    Administrators can add a scanner to collect vulnerability data over SNMP from eEye REM or CS Retina scanners.

    To use CVE identifiers and descriptions, you must copy the audits.xml file from your eEye REM scanner to the managed host responsible for listening for SNMP data. If your managed host is in a distributed deployment, you must copy the audits.xml to the console first and SSH the file to /opt/qradar/conf/audits.xml on the managed host. The default location of audits.xml on the eEye scanner is %ProgramFiles(x86)%\eEye Digital Security\Retina CS\Applications\RetinaManager\Database\audits.xml.

    To receive the most up-to-date CVE information, administrators must periodically update Juniper Secure Analytics (JSA) with the latest audits.xml file.

    Procedure

    To add an eEye REM scanner to JSA:

    1. Click the Admin tab.

    2. Click the VA Scanners icon.

    3. Click Add.

    4. In the Scanner Name field, type a name to identify your SecureScout server.

    5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

    6. From the Type list, select eEye REM Scanner.

    7. From the Import Type list, select SNMP.

    8. In the Base Directory field, type a location to store the temporary files that contain

    the eEye REM scan data. The default directory is /store/tmp/vis/eEye/.

    9. In the Cache Size field, type the number of transactions you want to store in the cache before the SNMP data is written to the temporary file. The default value is 40 transactions.

    10. In the Retention Period field, type the time period, in days, that the system stores scan

    information. If a scan schedule has not imported data before the retention period

    expires, the scan information from the cache is deleted.

    11. Select the Use Vulnerability Data check box to correlate eEye vulnerabilities to Common Vulnerabilities and Exposures (CVE) identifiers and description information.

    12. In the Vulnerability Data File field, type the directory path to the eEye audits.xml file.

    13. In the Listen Port field, type the port number that is used to monitor for incoming

    SNMP vulnerability information from your eEye REM scanner.

    The default port is 1162.

    14. In the Source Host field, type the IP address of the eEye scanner.

    15. From the SNMP Version list, select the SNMP protocol version.

    The default protocol is SNMPv2.

    16. In the Community String field, type the SNMP community string for the SNMPv2

    protocol. For example, Public.

    17. From the Authentication Protocol list, select the algorithm to authenticate SNMPv3

    traps. The options include:

    SHA: Select this option to use Secure Hash Algorithm (SHA) as your authentication protocol.

    MD5: Select this option to use Message Digest 5 (MD5) as your authentication protocol.

    18. In the Authentication Password field, type the password that you want to use to authenticate SNMPv3 communication.

    The password must include a minimum of eight characters.

    19. From the Encryption Protocol list, select the SNMPv3 decryption algorithm. The options include:

    DES: Select this option to use the Data Encryption Standard (DES).

    AES128: Select this option to use the 128-bit Advanced Encryption Standard (AES).

    AES192: Select this option to use the 192-bit Advanced Encryption Standard (AES).

    AES256: Select this option to use the 256-bit Advanced Encryption Standard (AES).

    20. In the Encryption Password field, type the password required to decrypt SNMPv3

    traps.

    21. To configure a CIDR range for your scanner:

    a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR

    range from the network list.

    b. Click Add.

    22. Click Save.

    23. On the Admin tab, click Deploy Changes.

    Select one of the following options:

    If you do not use SNMPv3 or use low-level SNMP encryption, you are now ready to

    create a scan schedule. See Scheduling a Vulnerability Scan on page 105.

    If your SNMPv3 configuration uses AES192 or AES256 encryption, you must install the unrestricted Java cryptography extension on each console or managed host that receives SNMPv3 traps. See Installing the Unrestricted Java Cryptography Extension on page 17.

    Related Documentation

    Installing the Unrestricted Java Cryptography Extension on page 17

    Vulnerability Assessment Scanner Overview on page 3.

    Adding a Beyond Security AVDS Vulnerability Scanner on page 5.

    Adding an eEye REM JDBC Scan

    Administrators can add a scanner to collect vulnerability data over JDBC from eEye REM

    or CS Retina scanners.

    Before you configure Juniper Secure Analytics (JSA) to poll for vulnerability data, we suggest you create a database user account and password for JSA. If you assign the user account read-only permission to the RetinaCSDatabase, you can restrict access to the database that contains the eEye vulnerabilities. The JDBC protocol enables JSA to log in and poll for events from the MSDE database. Ensure that no firewall rules block communication between the eEye scanner and the console or managed host responsible for polling with the JDBC protocol. If you use database instances, you must verify port 1433 is available for the SQL Server Browser Service to resolve the instance name.

    Procedure

    To add an eEye REM JDBC scanner to JSA:

    1. Click the Admin tab.

    2. Click the VA Scanners icon.

    3. Click Add.

    4. In the Scanner Name field, type a name to identify your SecureScout server.

    5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

    6. From the Type list, select eEye REM Scanner.

    7. From the Import Type list, select JDBC.

    8. In the Hostname field, type the IP address or the host name of the eEye database.

    9. In the Port field, type 1433.

    10. Optional. In the Database Instance field, type the database instance for the eEye

    database.

    If a database instance is not used, administrators can leave this field blank.

    11. In the Username field, type the username required to query the eEye database.

    12. In the Password field, type the password required to query the eEye database.

    13. In the Domain field, type the domain, if required, to connect to the eEye database.

    If the database is configured for Windows and inside a domain, you must specify the domain name.

    14. In the Database Name field, type RetinaCSDatabase as the database name.

    15. Select the Use Named Pipe Communication check box if named pipes are required to

    communicate to the eEye database. By default, this check box is clear.

    16. Select the Use NTLMv2 check box if the eEye scanner uses NTLMv2 as an

    authentication protocol. By default, this check box is clear.

    The Use NTLMv2 check box forces MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.

    17. To configure a CIDR range for the scanner:

    a. In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list.

    b. Click Add.

    18. Click Save.

    19. On the Admin tab, click Deploy Changes.

    To create a scan schedule, see Scheduling a Vulnerability Scan on page 105.

    Related Documentation

    Adding an eEye REM JDBC Scan on page 15

    Vulnerability Assessment Scanner Overview on page 3.

    Adding a Beyond Security AVDS Vulnerability Scanner on page 5.

    Installing the Unrestricted Java Cryptography Extension

    The Java Cryptography Extension (JCE) is a Java framework that is required to decrypt

    advanced cryptography algorithms for AES 192-bit or AES 256-bit SNMPv3 traps.

    Each managed host that receives SNMPv3 traps with high-level requires the unrestricted JCE. You must repeat this process on each appliance that listens If you require advanced cryptography algorithms for SNMP communication, you must update the existing cryptography extension on your managed host with an unrestricted JCE.

    Procedure

    To install the Unrestricted Java Cryptography Extension to Juniper Secure Analytics (JSA):

    1. Using SSH, log in to your JSA console.

    2. To verify the version of Java on the console, type the following command:

    java -version

    NOTE: The JCE file must match the version of the Java installed on the console.

    3. Download the latest version of the Java Cryptography Extension.

    4. Secure copy (SCP) the local.policy.jar and US_export_policy.jar files to the following directory of the console:

    /opt/ibm/java-[version]/jre/lib/security/

    5. Optional. Distributed deployments require administrators to copy the local.policy.jar

    and US_export_policy.jar files from the console appliance to the managed host.

    To create a scan schedule, see Scheduling a Vulnerability Scan on page 105.

    Related Documentation

    Adding a Beyond Security AVDS Vulnerability Scanner on page 5

    Adding an eEye REM SNMP Scan on page 13

    Adding an eEye REM JDBC Scan on page 15

  • CHAPTER 5

    Managing IBM Security AppScan Enterprise Scanners

    This chapter contains the following sections:

    IBM Security SiteProtector Scanner Overview on page 19

    Creating a Customer User Type for IBM AppScan on page 20

    Enabling Integration with IBM Security AppScan Enterprise on page 20

    Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

    Publishing the Completed Reports in IBM AppScan on page 22

    Adding an IBM AppScan Vulnerability Scanner on page 22

    IBM Security SiteProtector Scanner Overview

    The IBM SiteProtector scanner module for Juniper Secure Analytics (JSA) accesses

    vulnerability data from IBM SiteProtector scanners through Java Database Connectivity

    (JDBC) queries.

    The IBM SiteProtector scanner retrieves vulnerability data from the RealSecureDB table

    and polls for new vulnerabilities each time a scan schedule starts. The Compare field

    enables the query to retrieve any new vulnerabilities from the RealSecureDB table to

    ensure that duplicate vulnerabilities are not imported. When the IBM SiteProtector scanner

    is configured, the administrator can create a SiteProtector user account specifically for

    polling vulnerability data. After the user account is created, the administrator can verify

    that there are no firewalls that reject queries on the port configured to poll the database.

    To configure an IBM Security SiteProtector scanner, see Adding an IBM SiteProtector

    Vulnerability Scanner on page 29.

    Related Documentation

    Adding an IBM SiteProtector Vulnerability Scanner on page 29

    Enabling Integration with IBM Security AppScan Enterprise on page 20

    Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

    Creating a Customer User Type for IBM AppScan

    Custom user types allow administrators to perform limited and specific administrative tasks and must be created before you can assign permissions.

    Procedure

    To create a customer user type for IBM AppScan:

    1. Log in to your IBM AppScan Enterprise appliance.

    2. Click the Administration tab.

    3. On the User Types page, click Create.

    4. Select all of the following user permissions:

    Configure Juniper Secure Analytics (JSA) Integration: Select this check box to allow users to access the JSA integration options for AppScan Enterprise.

    Publish to JSA: Select this check box to allow JSA access to published scan report data.

    JSA Service Account: Select this check box to add access to the REST API for the user account. This permission does not provide access to the user interface.

    5. Click Save.

    You are now ready to enable integration permissions. See Enabling Integration with IBM Security AppScan Enterprise on page 20.

    Related Documentation

    Adding an IBM SiteProtector Vulnerability Scanner on page 29

    Creating a Customer User Type for IBM AppScan on page 20

    Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

    Enabling Integration with IBM Security AppScan Enterprise

    IBM Security AppScan Enterprise must be configured to enable integration with Juniper Secure Analytics (JSA). To complete these steps, you must be logged in with the user type you created in the previous step.

    Procedure

    To enable integration with IBM Security AppScan Enterprise:

    1. Click the Administration tab.

    2. On the Navigation menu, select Network Security Systems.

    3. On the JSA Integration Setting pane, click Edit.

    4. Select the Enable JSA Integration check box.

    Any reports previously published to JSA are displayed. If any of the reports displayed are no longer required, you can remove them from the list. As you publish additional reports to JSA, the reports are displayed in this list.

    You are now ready to configure the Application Deployment Mapping in AppScan

    Enterprise. See Creating an Application Deployment Map in IBM Security AppScan

    Enterprise on page 21.

    Related Documentation

    Creating a Customer User Type for IBM AppScan on page 20

    Enabling Integration with IBM Security AppScan Enterprise on page 20

    Adding an IBM SiteProtector Vulnerability Scanner on page 29

    Creating an Application Deployment Map in IBM Security AppScan Enterprise

    The Application Deployment Map allows AppScan Enterprise to determine the locations hosting the application in your production environment.

    As vulnerabilities are discovered, AppScan Enterprise knows the locations of the hosts and the IP addresses affected by the vulnerability. If an application is deployed to several hosts, then AppScan Enterprise generates a vulnerability for each host in the scan results.

    Procedure

    To create an application deployment map in IBM Security AppScan Enterprise:

    1. Click the Administration tab.

    2. On the Navigation menu, select Network Security Systems.

    3. On the Juniper Secure Analytics (JSA) Integration Setting pane, click Edit.

    4. In the Application test location (host or pattern) field, type the test location of your

    application.

    5. In the Application production location (host) field, type the IP address of your

    production environment.

    To add vulnerability information to JSA, your Application Deployment Mapping must

    include an IP address. Any vulnerability data without an IP address is excluded from

    JSA if the IP address is not available in the AppScan Enterprise scan results.

    6. Click Add.

    7. Repeat this procedure to map any more production environments in AppScan Enterprise.

    8. Click Done.

    You are now ready to publish completed reports. See Publishing the Completed Reports in IBM AppScan on page 22.

    Related Documentation

    Adding an IBM AppScan Vulnerability Scanner on page 22

    Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

    Creating a Customer User Type for IBM AppScan on page 20

    Publishing the Completed Reports in IBM AppScan

    Completed vulnerability reports generated by AppScan Enterprise must be made accessible to Juniper Secure Analytics (JSA) by publishing the report.

    Procedure

    To publish the completed reports in IBM AppScan:

    1. Click the Jobs & Reports tab.

    2. Navigate to the security report you want to make available to JSA.

    3. On the menu bar of any security report, select Publish > Grant to provide report access to JSA.

    4. Click Save.

    You are now ready to enable integration permissions. See Adding an IBM AppScan

    Vulnerability Scanner on page 22.

    Related Documentation

    Adding an IBM AppScan Vulnerability Scanner on page 22

    Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

    Creating a Customer User Type for IBM AppScan on page 20

    Adding an IBM AppScan Vulnerability Scanner

    Adding a scanner enables administrators to define which scan reports in IBM Security AppScan are collected by Juniper Secure Analytics (JSA).

    Administrators can add multiple IBM AppScan scanners to JSA, each with a different configuration. Multiple configurations provide JSA the ability to import AppScan data for specific results. The scan schedule determines the frequency with which scan results are imported from the REST web service in IBM AppScan Enterprise.

    Procedure

    To add an IBM AppScan Vulnerability Scanner to JSA:

    1. Click the Admin tab.

    2. Click the VA Scanners icon.

    3. Click Add.

    4. In the Scanner Name field, type a name to identify your IBM AppScan Enterprise

    scanner.

    5. From the Managed Host list, select the managed host from your JSA deployment that manages the scanner import.

    6. From the Type list, select IBM AppScan Scanner.

    7. In the ASE Instance Base URL field, type the full base URL of the AppScan Enterprise

    instance.

    This field supports HTTP and HTTPS addresses. For example,

    http://myasehostname/ase/.

    8. From the Authentication Type list, select one of the following options:

    Windows Authentication: Select this option to use Windows Authentication with the REST web service.

    Jazz Authentication: Select this option to use Jazz Authentication with the REST web service.

    9. In the Username field, type the username required to retrieve scan results from

    AppScan Enterprise.

    10. In the Password field, type the password required to retrieve scan results from AppScan Enterprise.

    11. In the Report Name Pattern field, type a regular expression (regex) required to filter

    the list of vulnerability reports available from AppScan Enterprise.

    By default, the Report Name Pattern field contains .* as the regex pattern. The .*

    pattern imports all scan reports that are published to JSA. All matching files from the

    file pattern are processed by JSA. You can specify a group of vulnerability reports or

    an individual report using a regex pattern.

    12. To configure a CIDR range for your scanner:

    a. In the text field, type the CIDR range for the scanner or click Browse to select a

    CIDR range from the network list.

    b. Click Add.

    13. Click Save.

    14. On the Admin tab, click Deploy Changes.

    You are now ready to create a scan schedule for IBM Security AppScan Enterprise. See

    Scheduling a Vulnerability Scan on page 105.

    Related Documentation

    Publishing the Completed Reports in IBM AppScan on page 22

    Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

    Creating a Customer User Type for IBM AppScan on page 20

  • CHAPTER 6

    Managing an IBM Security Guardium Scanner

    This chapter contains the following sections:

    IBM Security Guardium Scanner Overview on page 25

    Adding an IBM Security Guardium Vulnerability Scanner on page 26

    IBM Security Guardium Scanner Overview

    IBM InfoSphere Guardium appliances are capable of exporting database vulnerability

    information that can be critical to protecting customer data.

    IBM Guardium audit processes export the results of tests that fail the Common

    Vulnerability and Exposures (CVE) tests generated when running security assessment

    tests on your IBM Guardium appliance. The vulnerability data from IBM Guardium must

    be exported to a remote server or staging server in Security Content Automation Protocol

    (SCAP) format. JSA can then retrieve the scan results from the remote server storing the

    vulnerability using SFTP.

    IBM Guardium only exports vulnerability data from databases containing failed CVE test

    results. If there are no failed CVE tests, IBM Guardium may not export a file at the end of

    the security assessment. For information on configuring security assessment tests and

    creating an audit process to export vulnerability data in SCAP format, see your IBM

    InfoSphere Guardium documentation.

    After you have configured your IBM Guardium appliance, you are ready to configure JSA

    to import the results from the remote server hosting the vulnerability data. You must add

    an IBM Guardium scanner to JSA and configure the scanner to retrieve data from your

    remote server. The most recent vulnerabilities are imported by JSA when you create a

    scan schedule. Scan schedules allow you to determine the frequency with which JSA

    requests data from the remote server that hosts your IBM Guardium vulnerability data.

    Integration overview for IBM InfoSphere Guardium and JSA.

    To integrate IBM InfoSphere Guardium with JSA:

    1. On your IBM InfoSphere Guardium appliance, create an SCAP file with your vulnerability

    information. See your IBM Security InfoSphere Guardium documentation.

    2. On your JSA console, add an IBM Guardium scanner. See Adding an IBM Security

    Guardium Vulnerability Scanner on page 26.

    3. On your JSA console, create a scan schedule to import scan result data. See

    Scheduling a Vulnerability Scan on page 105.

    Related Documentation

    Adding an IBM Security Guardium Vulnerability Scanner on page 26

    Publishing the Completed Reports in IBM AppScan on page 22

    Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

    Adding an IBM Security Guardium Vulnerability Scanner

    Adding a scanner allows Juniper Secure Analytics (JSA) to collect SCAP vulnerability

    files from IBM InfoSphere Guardium.

    Administrators can add multiple IBM Guardium scanners to JSA, each with a different

    configuration. Multiple configurations provide JSA the ability to import vulnerability data

    for specific results. The scan schedule determines the frequency with which the SCAP

    scan results are imported from IBM InfoSphere Guardium.

    Procedure

    To add an IBM Security Guardium Vulnerability Scanner to JSA:

    1. Click the Admin tab.

    2. Click the VA Scanners icon.

    3. Click Add.

    4. In the Scanner Name field, type a name to identify your IBM AppScan Enterprise

    scanner.

    5. From the Managed Host list, select the managed host from your JSA deployment that

    manages the scanner import.

    6. From the Type list, select IBM Guardium SCAP Scanner.

    7. Choose one of the following authentication options as described in Table 4 on page 26.

    Table 4: IBM AppScan Enterprise Scanner Authentication Options

    Option: Login Username

    Description: To authenticate with a username and password:

    1. In the Login Username field, type a username that has access to retrieve the scan results from the remote host.

    2. In the Login Password field, type the password associated with the username.

    Option: Enable Key Authorization

    Description: To authenticate with a key-based authentication file:

    1. Select the Enable Key Authentication check box.

    2. In the Private Key File field, type the directory path to the key file.

    The default directory for the key file is /opt/qradar/conf/vis.ssh.key.

    If a key file does not exist, you must create the vis.ssh.key file.

    8. To configure the Ignore Duplicates option:

    Select this check box to track files that have already been processed by a scan

    schedule. This option prevents a scan result file from being processed a second

    time.

    Clear this check box to import vulnerability scan results each time the scan schedule

    starts. This option can lead to multiple vulnerabilities being associated with an

    asset.

    If a result file is not scanned within 10 days, the file is removed from the tracking list

    and is processed the next time the scan schedule starts.

    9. To configure a CIDR range for your scanner:

    a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR

    range from the network list.

    b. Click Add.

    10. Click Save.

    11. On the Admin tab, click Deploy Changes.

    You are now ready to create a scan schedule for IBM InfoSphere Guardium. See

    Scheduling a Vulnerability Scan on page 105.

    Related Documentation

    IBM Security SiteProtector Scanner Overview on page 19

    Publishing the Completed Reports in IBM AppScan on page 22

    Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21


    CHAPTER 7

    Managing IBM Security SiteProtector Scanner

    This chapter describes the following sections:

    IBM Security SiteProtector Scanner Overview on page 29

    Adding an IBM SiteProtector Vulnerability Scanner on page 29

    IBM Security SiteProtector Scanner Overview

    The IBM SiteProtector scanner module for Juniper Secure Analytics (JSA) accesses

    vulnerability data from IBM SiteProtector scanners through Java Database Connectivity

    (JDBC) queries.

    The IBM SiteProtector scanner retrieves vulnerability data from the RealSecureDB table

    and polls for new vulnerabilities each time a scan schedule starts. The Compare field

    enables the query to retrieve any new vulnerabilities from the RealSecureDB table to

    ensure that duplicate vulnerabilities are not imported. When the IBM SiteProtector scanner

    is configured, the administrator can create a SiteProtector user account specifically for

    polling vulnerability data. After the user account is created, the administrator can verify

    that there are no firewalls that reject queries on the port configured to poll the database.

    To configure an IBM Security SiteProtector scanner, see Adding an IBM SiteProtector

    Vulnerability Scanner on page 29.

    Related Documentation

    Adding an IBM SiteProtector Vulnerability Scanner on page 29

    Enabling Integration with IBM Security AppScan Enterprise on page 20

    Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21

    Adding an IBM SiteProtector Vulnerability Scanner

    Juniper Secure Analytics (JSA) can poll IBM InfoSphere SiteProtector appliances for

    vulnerability data with JDBC.

    Administrators can add multiple IBM SiteProtector scanners to JSA, each with a different

    configuration. Multiple configurations provide JSA with the ability to query SiteProtector

    and only import results from specific CIDR ranges. The scan schedule determines the

    frequency with which the database on the SiteProtector scanner is queried for vulnerability

    data.

    Procedure

    To add an IBM SiteProtector Vulnerability scanner to JSA:

    1. Click the Admin tab.

    2. Click the VA Scanners icon.

    3. Click Add.

    4. In the Scanner Name field, type a name to identify your SecureScout server.

    5. From the Managed Host list, select the managed host from your JSA deployment that

    manages the scanner import.

    6. From the Type list, select IBM SiteProtector Scanner.

    7. In the Hostname field, type the IP address or the host name of the IBM SiteProtector

    database that contains vulnerabilities to import.

    8. In the Port field, type 1433 as the port for the IBM SiteProtector database.

    9. In the Username field, type the username required to query the IBM SiteProtector

    database.

    10. In the Password field, type the password required to query the IBM SiteProtector

    database.

    11. In the Domain field, type the domain required, if required, to connect to the IBM

    SiteProtector database.

    If the database is configured for Windows and inside a domain, you must specify the

    domain name.

    12. In the Database Name field, type RetinaCSDatabase as the database name.

    13. In the Database Instance field, type the database instance for the IBM SiteProtector

    database. If you are not using a database instance, you can leave this field blank.

    14. Select the Use Named Pipe Communication check box if named pipes are required to

    communicate to the IBM SiteProtector database. By default, this check box is clear.

    15. Select the Use NTLMv2 check box if the eEye scanner uses NTLMv2 as an

    authentication protocol. By default, this check box is clear.

    The Use NTLMv2 check box forces MSDE connections to use the NTLMv2 protocol

    when communicating with SQL servers that require NTLMv2 authentication. If the Use

    NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers

    that do not require NTLMv2 authentication.

    16. To configure a CIDR range for the scanner:

    a. In the text field, type the CIDR range you want this scanner to consider or click

    Browse to select a CIDR range from the network list.

    b. Click Add.

    17. Click Save.

    18. On the Admin tab, click Deploy Changes.

    You are now ready to create a scan schedule. See

    Scheduling a Vulnerability Scan on page 105.

    Related Documentation

    Creating a Customer User Type for IBM AppScan on page 20

    Enabling Integration with IBM Security AppScan Enterprise on page 20

    Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21


    CHAPTER 8

    Managing IBM Security Tivoli Endpoint Manager Scanner

    This chapter describes the following sections:

    IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

    Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner on page 33

    IBM Security Tivoli Endpoint Manager Scanner Overview

    The IBM Tivoli Endpoint Manager scanner module accesses vulnerability data from IBM

    Tivoli Endpoint Manager using the SOAP API installed with the Web Reports application.

    The Web Reports application for Tivoli Endpoint Manager is required to retrieve

    vulnerability data from Tivoli Endpoint Manager for Juniper Secure Analytics (JSA).

    Administrators can create a user in IBM Tivoli Endpoint Manager for JSA to use when the

    system collects vulnerabilities.

    NOTE: JSA is compatible with IBM Tivoli Endpoint Manager versions 8.2.x. However, administrators can use the latest version of IBM Tivoli Endpoint Manager that is available.

    To add an IBM Tivoli Endpoint Manager scanner, see Adding an IBM Security Tivoli

    Endpoint Manager Vulnerability Scanner on page 33.

    Related Documentation

    Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner on page 33

    Creating a Customer User Type for IBM AppScan on page 20

    IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

    Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner

    Juniper Secure Analytics (JSA) accesses vulnerability data from IBM Tivoli Endpoint

    Manager using the SOAP API installed with the Web Reports application.

    You can add multiple IBM Tivoli Endpoint Manager scanners in JSA, each with a different

    configuration to determine which CIDR ranges you want the scanner to consider.

    Multiple configurations for a single IBM Tivoli Endpoint Manager scanner allow you to

    create individual scanners for collecting specific result data from specific locations or

    vulnerabilities for specific types of operating systems.

    Procedure

    To add an IBM Security Tivoli Endpoint Manager Vulnerability scanner to JSA:

    1. Click the Admin tab.

    2. Click the VA Scanners icon.

    3. Click Add.

    4. In the Scanner Name field, type a name to identify your SecureScout server.

    5. From the Managed Host list, select the managed host from your JSA deployment that

    manages the scanner import.

    6. From the Type list, select IBM Tivoli Endpoint Manager.

    7. In the Hostname field, type the IP address or hostname of the IBM Tivoli Endpoint

    Manager containing the vulnerabilities you want to retrieve with the SOAP API.

    8. In the Port field, type the port number used to connect to the IBM Tivoli Endpoint

    Manager using the SOAP API.

    By default, port 80 is the port number for communicating with IBM Tivoli Endpoint

    Manager. If you use HTTPS, you must update this field with the HTTPS port number,

    which for most configurations is port 443.

    9. Select the Use HTTPS check box to connect securely with the HTTPS protocol.

    If you select this check box, the hostname or IP address you specify uses HTTPS to

    connect to your IBM Tivoli Endpoint Manager.

    If a certificate is required to connect using HTTPS, you must copy any certificates

    required by the JSA console or managed host to the following directory:

    /opt/qradar/conf/trusted_certificates

    NOTE: JSA supports certificates with the following file extensions: .crt, .cert, or .der. Any required certificates should be copied to the trusted certificates directory before you save and deploy your changes.

    10. In the Username field, type the username required to access IBM Tivoli Endpoint

    Manager.

    11. In the Password field, type the password required to access IBM Tivoli Endpoint

    Manager.

    12. To configure a CIDR range for the scanner:

    a. In the text field, type the CIDR range you want this scanner to consider or click

    Browse to select a CIDR range from the network list.

    b. Click Add.

    13. Click Save.

    14. On the Admin tab, click Deploy Changes.

    You are now ready to create a scan schedule for IBM Security Tivoli Endpoint Manager.

    See Scheduling a Vulnerability Scan on page 105.

    Related Documentation

    Creating a Customer User Type for IBM AppScan on page 20

    IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

    Foundstone FoundScan Scanner Overview on page 37


    CHAPTER 9

    Managing Foundstone FoundScan Scanner

    This chapter describes the following sections:

    Foundstone FoundScan Scanner Overview on page 37

    Adding a Foundstone FoundScan Scanner on page 38

    Importing Certificates for Foundstone FoundScan on page 39

    Foundstone FoundScan Scanner Overview

    The Foundstone FoundScan scanner queries the FoundScan Engine for host and

    vulnerability information from the FoundScan OpenAPI.

    Juniper Secure Analytics (JSA) supports Foundstone FoundScan versions 5.0 to 6.5.

    The FoundScan appliance must include a scan configuration that runs regularly to keep

    the host and vulnerability results current. To ensure that the FoundScan scanner is able

    to retrieve scan information, make sure the FoundScan system meets the following

    requirements:

    The FoundScan application must be active. Since the API provides access to the

    FoundScan application, administrators can verify that the FoundScan application runs

    continuously on the FoundScan server.

    The scan data to import must be complete and visible in the FoundScan user interface

    to retrieve scan results. If the scan is scheduled to be removed after completion, the

    results must be imported by the scan schedule before the scan is removed from

    FoundScan.

    The appropriate user privileges must be configured in the FoundScan application to

    enable communication between JSA and FoundScan. The FoundScan OpenAPI provides

    host and vulnerability information. All vulnerabilities for a host are assigned

    to port 0.

    To connect to FoundScan, the FoundScan Engine requires authentication with client-side

    certificates. FoundScan includes a default certificate authority and client certificates

    that are the same for all scanner installations. The FoundScan plug-in also includes

    certificates for use with FoundScan 5.0. If the FoundScan Server uses custom certificates,

    administrators must import the appropriate certificates and keys. Instructions on how

    to import certificates are provided in this configuration documentation.

    To add a FoundScan API vulnerability scan, see Adding a Foundstone FoundScan Scanner

    on page 38.

    Related Documentation

    Creating a Customer User Type for IBM AppScan on page 20

    IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

    Adding a Foundstone FoundScan Scanner on page 38

    Adding a Foundstone FoundScan Scanner

    Administrators can add a Foundstone FoundScan scanner to collect host and vulnerability

    information through the FoundScan Open API.

    Procedure

    To add a Foundstone FoundScan scanner to Juniper Secure Analytics (JSA):

    1. Click the Admin tab.

    2. Click the VA Scanners icon.

    3. Click Add.

    4. In the Scanner Name field, type a name to identify your SecureScout server.

    5. From the Managed Host list, select the managed host from your JSA deployment that

    manages the scanner import.

    Certificates for your FoundScan scanner must reside on the managed host selected

    in the Managed Host list.

    6. From the Type list, select FoundScan Scanner.

    7. In the SOAP API URL field, type the IP address or hostname of the Foundstone

    FoundScan that contains the vulnerabilities you want to retrieve with the SOAP API.

    For example, https://<foundstone IP address>:<SOAP port>. The default value is https://localhost:3800.

    8. In the Customer Name field, type the name of the customer that belongs to the

    username.

    9. In the User Name field, type the username required to access the Foundstone

    FoundScan server.

    10. Optional. In the Client IP Address field, type the IP address of the server that you want

    to perform the scan. By default, this value is not used; however, it is necessary when

    administrators validate some scan environments.

    11. Optional. In the Password field, type the password required to access the Foundstone

    FoundScan server.

    12. In the Portal Name field, type the portal name.

    This field can be left blank for JSA. For more information, see your FoundScan

    administrator.

    13. In the Configuration Name field, type the scan configuration name that exists in

    FoundScan and to which the user has access.

    Make sure this scan configuration is active or runs frequently.

    14. In the CA Truststore field, type the directory path and filename for the CA truststore

    file.

    The default path is /opt/qradar/conf/foundscan.keystore.

    15. In the CA Keystore field, type the directory path and filename for the client keystore.

    The default path is /opt/qradar/conf/foundscan.truststore.

    16. To configure a CIDR range for the scanner:

    a. In the text field, type the CIDR range you want this scanner to consider or click

    Browse to select a CIDR range from the network list.

    b. Click Add.

    17. Click Save.

    18. On the Admin tab, click Deploy Changes.

    Administrators can now import certificates from your FoundScan server to enable

    communication. See Importing Certificates for Foundstone FoundScan on page 39.

    Related Documentation

    Creating a Customer User Type for IBM AppScan on page 20

    IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

    Importing Certificates for Foundstone FoundScan on page 39

    Importing Certificates for Foundstone FoundScan

    Administrators that use custom certificates or a version of Foundstone FoundScan lower

    than V5.0 must import the appropriate certificates to the managed host from the scanner

    configuration.

    The scanner must be added to a managed host in the scan configuration before

    certificates are imported from the FoundScan server. The certificates must be imported

    to the correct managed host to collect vulnerability and host scan data.

    Procedure

    To import the certificates:

    1. Obtain the two certificate files and the passphrase from your FoundScan administrator.

    The TrustedCA.pem file is the CA certificate for the FoundScan engine.

    The Portal.pem file certificate is the private key that includes the certificate chain

    for the client.

    2. Using SSH, copy the two pem files to the managed host assigned in your FoundScan

    configuration. If you have a distributed deployment, you must copy the files to the

    console and SSH the files from the console appliance to the managed host.

    3. Navigate to the directory location of the pem files.

    4. To remove the previous keystore certificate from the managed host, type the following

    command:

    rm -f /opt/qradar/conf/foundscan.keystore

    5. To remove the previous truststore certificate from the managed host, type the following

    command:

    rm -f /opt/qradar/conf/foundscan.truststore

    6. To import the pem files to your managed host, type the following command:

    /opt/qradar/bin/foundstone-cert-import.sh [TrustedCA.pem] [Portal.pem]

    7. Repeat the certificate import for any more managed hosts in your deployment that

    connect to the Foundstone FoundScan appliance.

    You are now ready to create a scan schedule. See

    Scheduling a Vulnerability Scan on page 105.
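
    A pre-flight check for the import procedure above, as an added example that is not part of the Juniper documentation: steps 4 and 5 delete the existing keystore and truststore before the import runs, so it first confirms that TrustedCA.pem holds only certificates and that Portal.pem holds one private key plus a certificate chain. The function names, the owner-only permission requirement and the sample files are assumptions of this example; it checks PEM structure only and does not validate the certificates cryptographically.

```shell
#!/bin/sh
# Pre-flight check for the FoundScan certificate import (added example).
# Run it before steps 4-6 so the old keystore and truststore are removed
# only once both PEM files have the contents the procedure expects.

KEY_LABEL='(RSA |EC |ENCRYPTED )?PRIVATE KEY'

# Count PEM blocks in file $1 whose label matches the ERE $2.
pem_count() {
    grep -c -E -- "^-----BEGIN ($2)-----" "$1" 2>/dev/null || true
}

# Succeed when $1 has at least one BEGIN line and as many END lines
# (catches files that were truncated during the SSH copy).
pem_balanced() {
    b=$(grep -c -- '^-----BEGIN ' "$1" 2>/dev/null || true)
    e=$(grep -c -- '^-----END ' "$1" 2>/dev/null || true)
    [ "${b:-0}" -gt 0 ] && [ "$b" = "$e" ]
}

# TrustedCA.pem: CA certificate(s) only, no key material.
check_trusted_ca() {
    [ -r "$1" ] || { echo "FAIL $1: not readable"; return 1; }
    pem_balanced "$1" || { echo "FAIL $1: empty or truncated PEM"; return 1; }
    certs=$(pem_count "$1" 'CERTIFICATE')
    keys=$(pem_count "$1" "$KEY_LABEL")
    [ "$certs" -ge 1 ] || { echo "FAIL $1: no CA certificate"; return 1; }
    [ "$keys" -eq 0 ] || { echo "FAIL $1: contains a private key"; return 1; }
    echo "OK   $1: $certs certificate(s), no private key"
}

# Portal.pem: exactly one private key plus the client certificate chain,
# readable by the owner only (assumption of this example).
check_portal() {
    [ -r "$1" ] || { echo "FAIL $1: not readable"; return 1; }
    pem_balanced "$1" || { echo "FAIL $1: empty or truncated PEM"; return 1; }
    certs=$(pem_count "$1" 'CERTIFICATE')
    keys=$(pem_count "$1" "$KEY_LABEL")
    [ "$keys" -eq 1 ] || { echo "FAIL $1: expected 1 private key, found $keys"; return 1; }
    [ "$certs" -ge 1 ] || { echo "FAIL $1: no client certificate chain"; return 1; }
    if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL $1: key file is group- or world-readable"; return 1
    fi
    echo "OK   $1: 1 private key, $certs certificate(s)"
}

# Both files must pass before the old keystore and truststore are removed.
preflight() {
    rc=0
    check_trusted_ca "$1" || rc=1
    check_portal "$2" || rc=1
    [ "$rc" -eq 0 ] && echo "Both files look correct; continue with steps 4-6."
    return "$rc"
}

# Constructed sample files (dummy base64 body, not real keys) for a dry run.
make_samples() {
    body='Q09OU1RSVUNURUQgU0FNUExFIE9OTFk='
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
        '-----END CERTIFICATE-----' > "$1/TrustedCA.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$body" \
        '-----END ENCRYPTED PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' "$body" \
        '-----END CERTIFICATE-----' > "$1/Portal.pem"
    chmod 600 "$1/Portal.pem"
}

# Usage: sh foundscan-preflight.sh TrustedCA.pem Portal.pem
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

    Passing the two files in the wrong order is reported as a failure for both, which is the mistake this check is most likely to catch before the old stores are deleted.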

    Related Documentation

    Creating a Customer User Type for IBM AppScan on page 20

    IBM Security Tivoli Endpoint Manager Scanner Overview on page 33

    nCircle IP360 Scanner Overview on page 45

    CHAPTER 10

    Microsoft SCCM Scanner

    This chapter describes the following sections:

    Microsoft SCCM Scanner Overview on page 41

    WMI Enablement on Scanner Host on page 41

    Adding a Microsoft SCCM Scanner on page 42

    Microsoft SCCMScanner Over