Juniper Secure Analytics
Managing Vulnerability Assessment
Release
2014.4
Published: 2015-02-23
Copyright 2015, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright 2015, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Juniper Secure Analytics Managing Vulnerability Assessment
Copyright 2015, Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation
  Documentation and Release Notes
  Documentation Conventions
  Documentation Feedback
  Requesting Technical Support
    Self-Help Online Tools and Resources
    Opening a Case with JTAC
Part 1 Juniper Secure Analytics Vulnerability Assessment
Chapter 1 Vulnerability Assessment Scanner
  Vulnerability Assessment Scanner Overview
Chapter 2 Managing Beyond Security Automatic Vulnerability Detection System Scanner
  Beyond Security Automatic Vulnerability Detection System Scanner Overview
  Adding a Beyond Security AVDS Vulnerability Scanner
Chapter 3 Digital Defense Inc AVS Scanner
  Digital Defense Inc AVS Scanner Overview
  Adding a Digital Defense Inc AVS Scanner
Chapter 4 Managing eEye Scanner
  eEye Scanner Overview
  Adding an eEye REM SNMP Scan
  Adding an eEye REM JDBC Scan
  Installing the Unrestricted Java Cryptography Extension
Chapter 5 Managing IBM Security AppScan Enterprise Scanners
  IBM Security SiteProtector Scanner Overview
  Creating a Customer User Type for IBM AppScan
  Enabling Integration with IBM Security AppScan Enterprise
  Creating an Application Deployment Map in IBM Security AppScan Enterprise
  Publishing the Completed Reports in IBM AppScan
  Adding an IBM AppScan Vulnerability Scanner
Chapter 6 Managing an IBM Security Guardium Scanner
  IBM Security Guardium Scanner Overview
  Adding an IBM Security Guardium Vulnerability Scanner
Chapter 7 Managing IBM Security SiteProtector Scanner
  IBM Security SiteProtector Scanner Overview
  Adding an IBM SiteProtector Vulnerability Scanner
Chapter 8 Managing IBM Security Tivoli Endpoint Manager Scanner
  IBM Security Tivoli Endpoint Manager Scanner Overview
  Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner
Chapter 9 Managing Foundstone FoundScan Scanner
  Foundstone FoundScan Scanner Overview
  Adding a Foundstone FoundScan Scanner
  Importing Certificates for Foundstone FoundScan
Chapter 10 Microsoft SCCM Scanner
  Microsoft SCCM Scanner Overview
  WMI Enablement on Scanner Host
  Adding a Microsoft SCCM Scanner
Chapter 11 Managing nCircle IP360 Scanner
  nCircle IP360 Scanner Overview
  Exporting nCircle IP360 Scan Results To an SSH Server
  Adding a nCircle IP360 Scanner
Chapter 12 Managing Nessus Scanner
  Nessus Scanner Overview
  Adding a Nessus Scheduled Live Scan
  Adding an Nessus Live Scan with the XMLRPC API
  Adding a Nessus Scheduled Result Import
  Adding a Nessus Completed Report Import with the XMLRPC API
Chapter 13 Managing NMap Scanner
  NMap Scanner Overview
  Adding a NMap Remote Result Import
  Adding a NMap Remote Live Scan
Chapter 14 Managing Qualys Scanner
  Qualys Scanner Overview
  Adding a Qualys Detection Scanner
  Adding a Qualys Scheduled Live Scan
  Adding a Qualys Scheduled Import Asset Report
  Adding a Qualys Scheduled Import Scan Report
Chapter 15 Managing Juniper Profiler NSM Scanner
  Juniper Profiler NSM Scanner Overview
  Adding a Juniper NSM Profiler Scanner
Chapter 16 Managing Rapid7 NeXpose Scanner
  Rapid7 NeXpose Scanner Overview
  Adding a Rapid7 NeXpose Scanner API Site Import
  Adding a Rapid7 NeXpose Scanner Local File Import
Chapter 17 Managing netVigilance SecureScout Scanner
  netVigilance SecureScout Scanner Overview
  Adding a netVigilance SecureScout Scan
Chapter 18 Managing McAfee Vulnerability Manager Scanner
  McAfee Vulnerability Manager Scanner Overview
  Adding a Remote XML Import Scan
  Adding a McAfee Vulnerability Manager SOAP API Scan
  Creating Certificates for McAfee Vulnerability Manager
  Processing Certificates for McAfee Vulnerability Manager
  Importing Certificates For McAfee Vulnerability Manager
Chapter 19 Managing SAINT Scanner
  SAINT Scanner Overview
  Configuring a SAINTwriter Template
  Adding a SAINT Vulnerability Scan
Chapter 20 Managing Tenable SecurityCenter Scanner
  Tenable SecurityCenter Scanner Overview
  Adding a Tenable SecurityCenter Scan
Chapter 21 Managing Axis Scanner
  Axis Scanner Overview
  Adding an AXIS Vulnerability Scan
Chapter 22 Positive Technologies MaxPatrol
  Positive Technologies MaxPatrol Overview
  Integrating Positive Technologies MaxPatrol with JSA
  Adding a Positive Technologies MaxPatrol Scanner
Chapter 23 Scheduling a Vulnerability Scan
  Overview
  Viewing the Status Of a Vulnerability Scan
Chapter 24 Managing the Supported Vulnerability Scanner
  Supported Vulnerability Scanner Overview
Part 2 Index
  Index
List of Tables
About the Documentation
  Table 1: Notice Icons
  Table 2: Text and Syntax Conventions
Part 1 Juniper Secure Analytics Vulnerability Assessment
Chapter 2 Managing Beyond Security Automatic Vulnerability Detection System Scanner
  Table 3: Beyond Security AVDS Vulnerability Scanner Authentication Options
Chapter 6 Managing an IBM Security Guardium Scanner
  Table 4: IBM AppScan Enterprise Scanner Authentication Options
Chapter 10 Microsoft SCCM Scanner
  Table 5: Microsoft SCCM Parameters
Chapter 12 Managing Nessus Scanner
  Table 6: Nessus Scheduled Result Authentication Options
Chapter 13 Managing NMap Scanner
  Table 7: NMap Remote Result Import Authentication Options
  Table 8: NMap Remote Live Scan Authentication Options
Chapter 18 Managing McAfee Vulnerability Manager Scanner
  Table 9: Remote XML Import Authentication Options
Chapter 19 Managing SAINT Scanner
  Table 10: SAINT Vulnerability Authentication Options
Chapter 21 Managing Axis Scanner
  Table 11: AXIS Scanner - SFTP Properties
  Table 12: AXIS Scanner - SMB Share Properties
Chapter 22 Positive Technologies MaxPatrol
  Table 13: Positive Technologies MaxPatrol Scanner Details
  Table 14: Positive Technologies MaxPatrol Scanner SFTP Properties
  Table 15: Positive Technologies MaxPatrol Scanner SMB Share Properties
Chapter 23 Scheduling a Vulnerability Scan
  Table 16: VA Scanner CIDR Options
  Table 17: VA Scanner Priority Options
  Table 18: Scan Schedule Status
Chapter 24 Managing the Supported Vulnerability Scanner
  Table 19: Supported Vulnerability Scanners
About the Documentation
Documentation and Release Notes
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Documentation and Release Notes
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Table 1 defines notice icons used in this guide.
Table 1: Notice Icons
Meaning: Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
  user@host> configure
Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
  user@host> show chassis alarms
  No alarms currently active
Convention: Italic text like this
Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
Examples: A policy term is a named structure that defines match conditions and actions.
  Junos OS CLI User Guide
  RFC 1997, BGP Communities Attribute
Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine's domain name:
  [edit]
  root@# set system domain-name domain-name
Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
  The console port is labeled CONSOLE.
Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub ;
Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
  broadcast | multicast
  (string1 | string2 | string3)
Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only
Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]
Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples (for both conventions above):
  [edit]
  routing-options {
    static {
      route default {
        nexthop address;
        retain;
      }
    }
  }
GUI Conventions
Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples: In the Logical Interfaces box, select All Interfaces.
  To cancel the configuration, click Cancel.
Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
Online feedback rating system: On any page at the Juniper Networks Technical
Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
stars to rate the content, and use the pop-up form to provide us with information about
your experience. Alternately, you can use the online feedback form at
https://www.juniper.net/cgi-bin/docbugreport/.
E-mail: Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
JTAC policies: For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties: For product warranty information, visit
http://www.juniper.net/support/warranty/.
JTAC hours of operation: The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Juniper Secure Analytics Vulnerability Assessment
Vulnerability Assessment Scanner
Managing Beyond Security Automatic Vulnerability Detection System Scanner
Digital Defense Inc AVS Scanner
Managing eEye Scanner
Managing IBM Security AppScan Enterprise Scanners
Managing an IBM Security Guardium Scanner
Managing IBM Security SiteProtector Scanner
Managing IBM Security Tivoli Endpoint Manager Scanner
Managing Foundstone FoundScan Scanner
Microsoft SCCM Scanner
Managing nCircle IP360 Scanner
Managing Nessus Scanner
Managing NMap Scanner
Managing Qualys Scanner
Managing Juniper Profiler NSM Scanner
Managing Rapid7 NeXpose Scanner
Managing netVigilance SecureScout Scanner
Managing McAfee Vulnerability Manager Scanner
Managing SAINT Scanner
Managing Tenable SecurityCenter Scanner
Managing Axis Scanner
Positive Technologies MaxPatrol
Scheduling a Vulnerability Scan
Managing the Supported Vulnerability Scanner
CHAPTER 1
Vulnerability Assessment Scanner
This chapter contains the following section:
Vulnerability Assessment Scanner Overview
Vulnerability Assessment Scanner Overview
Integration with vulnerability assessment scanners provides administrators and security
professionals with the information to build vulnerability assessment profiles for network assets.
References to Juniper Secure Analytics (JSA) apply to all products capable of collecting
vulnerability assessment information. Products that support scanners include JSA.
Assets and asset profiles created for servers and hosts in your network provide important
information to assist you when resolving security issues. Networks, servers, and individual
hosts within the network can be extremely complicated. The ability to collect data and
view information about an asset is the purpose of the Assets tab. The goal is to connect
offenses triggered in your system to physical or virtual assets to provide a starting point
in a security investigation. Asset data helps you identify threats, vulnerabilities,
services, and ports, and monitor asset usage in your network.
The Assets tab in JSA is intended to provide a unified view of the information known
about your assets. As more information is provided to the system through vulnerability
assessment, the system updates the asset profile and incrementally builds a complete
picture about your asset. Vulnerability assessment profiles use correlated event data,
network activity, and behavioral changes to determine the threat level and vulnerabilities
present on critical business assets in your network. Integration with vulnerability
assessment products provides administrators the ability to schedule scans and ensure
that vulnerability information is relevant for assets in the network.
To collect vulnerability assessment information for JSA, administrators can select a
scanner from the following supported scanner list:
For the list of supported scanner products, see
Managing the Supported Vulnerability Scanner.
For the configuration options to add a vulnerability scanner to JSA, see
Managing Beyond Security Automatic Vulnerability Detection System Scanner.
Managing eEye Scanner.
Managing an IBM Security Guardium Scanner.
Managing IBM Security AppScan Enterprise Scanners.
Managing IBM Security Tivoli Endpoint Manager Scanner.
Managing nCircle IP360 Scanner.
Managing Nessus Scanner.
Managing NMap Scanner.
Managing Qualys Scanner.
Managing Foundstone FoundScan Scanner.
Managing Juniper Profiler NSM Scanner.
Managing Rapid7 NeXpose Scanner.
Managing netVigilance SecureScout Scanner.
Managing McAfee Vulnerability Manager Scanner.
Managing SAINT Scanner.
Managing Axis Scanner.
Managing Tenable SecurityCenter Scanner.
To add a scan schedule to import the vulnerability data, see
Scheduling a Vulnerability Scan.
To view the status of the scan to verify the successful data import, see Viewing the
Status Of a Vulnerability Scan.
CHAPTER 2
Managing Beyond Security Automatic Vulnerability Detection System Scanner
This chapter contains the following sections:
Beyond Security Automatic Vulnerability Detection System Scanner Overview
Adding a Beyond Security AVDS Vulnerability Scanner
Beyond Security Automatic Vulnerability Detection System Scanner Overview
Vulnerability assessment is the evaluation of assets in the network to identify and prioritize
potential security issues. Juniper Secure Analytics (JSA) products that support
Vulnerability Assessment can import vulnerability data from external scanner products
to identify vulnerability profiles for assets.
Vulnerability assessment profiles use correlated event data, network activity, and
behavioral changes to determine the threat level and vulnerabilities present on critical
business assets in your network. As external scanners generate scan data, JSA can retrieve
the vulnerability data with a scan schedule.
To configure a Beyond Security AVDS scanner, see Adding a Beyond Security AVDS
Vulnerability Scanner.
Related Documentation
Vulnerability Assessment Scanner Overview
Adding a Beyond Security AVDS Vulnerability Scanner
Viewing the Status Of a Vulnerability Scan
Adding a Beyond Security AVDS Vulnerability Scanner
Beyond Security Automated Vulnerability Detection System (AVDS) appliances create
vulnerability data in Asset Export Information Source (AXIS) format. AXIS-formatted
results are XML files that JSA can import.
To successfully integrate Beyond Security AVDS vulnerabilities with Juniper Secure
Analytics (JSA), you must configure your Beyond Security AVDS appliance to publish
vulnerability data to an AXIS-formatted XML results file. The XML vulnerability data must
be published to a remote server that is accessible by using Secure File Transfer Protocol
(SFTP). The term remote server refers to any appliance, third-party host, or network storage
location that can host the published XML scan result files.
The most recent XML results containing Beyond Security AVDS vulnerabilities are imported
to JSA when a scan schedule starts. Scan schedules determine the frequency with which
vulnerability data created by Beyond Security AVDS is imported. After you add your
Beyond Security AVDS appliance to JSA, you can then create a scan schedule to import
the scan result files. Vulnerabilities from the scan schedule update the Assets tab after
the scan schedule completes.
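How the File Name Pattern, Max Reports Age and Ignore Duplicates settings in the procedure that follows narrow the set of published result files at the start of a scan schedule, as an added Python example that is not Juniper code. It assumes whole-name regex matching, age measured from the file's modification time, and duplicate tracking by name plus timestamp; the file names and times are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed reference time and remote-directory listing: (file name, last modified).
NOW = datetime(2015, 2, 23, 12, 0, tzinfo=timezone.utc)
LISTING = [
    ("avds-site1-20150222.xml", NOW - timedelta(days=1)),
    ("avds-site1-20150210.xml", NOW - timedelta(days=13)),
    ("avds-site1-20150222.xml.bak", NOW - timedelta(days=1)),
    ("other-tool-export.xml", NOW - timedelta(days=2)),
    ("notes.txt", NOW - timedelta(hours=3)),
]


def classify(listing, pattern=r".*\.xml", max_age_days=7,
             processed=frozenset(), now=NOW):
    """Map each file name to 'import' or the reason it is skipped.

    pattern      -- File Name Pattern (assumption: must match the whole name)
    max_age_days -- Max Reports Age (assumption: compared with the file mtime)
    processed    -- (name, mtime) pairs already imported; models Ignore Duplicates
    """
    regex = re.compile(pattern)
    cutoff = now - timedelta(days=max_age_days)
    decisions = {}
    for name, mtime in listing:
        if not regex.fullmatch(name):
            decisions[name] = "skipped: name does not match pattern"
        elif mtime < cutoff:
            decisions[name] = f"skipped: older than {max_age_days} days"
        elif (name, mtime) in processed:
            decisions[name] = "skipped: already processed"
        else:
            decisions[name] = "import"
    return decisions


def select_reports(listing, **settings):
    """Return the sorted names that would be imported under the given settings."""
    decisions = classify(listing, **settings)
    return sorted(name for name, verdict in decisions.items() if verdict == "import")


if __name__ == "__main__":
    for label, settings in [
        ("default pattern", {}),
        ("scanner-specific pattern", {"pattern": r"avds-.*\.xml"}),
        ("second run, duplicates ignored", {"processed": {LISTING[0]}}),
    ]:
        print(label)
        for name, verdict in classify(LISTING, **settings).items():
            print(f"  {name:30} {verdict}")
```

With the default pattern every XML file in the shared directory is a candidate, so a pattern tied to the scanner's own naming scheme keeps other tools' exports out of the import.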
To add a Beyond Security AVDS Vulnerability Scanner to JSA:
1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your Beyond Security AVDS scanner.
5. From the Managed Host list, select the managed host from your JSA deployment that
manages the scanner import.
6. From the Type list, select Beyond Security AVDS.
7. In the Remote Hostname field, type the IP address or host name of the system that
contains the published scan results from your Beyond Security AVDS scanner.
8. Choose one of the following authentication options as described in Table 3 on page 6.
Table 3: Beyond Security AVDS Vulnerability Scanner Authentication Options
Option: Login Username
Description: To authenticate with a username and password:
1. In the Login Username field, type a username that has access to retrieve the scan results from the remote host.
2. In the Login Password field, type the password associated with the username.
Option: Enable Key Authorization
Description: To authenticate with a key-based authentication file:
1. Select the Enable Key Authentication check box.
2. In the Private Key File field, type the directory path to the key file.
The default directory for the key file is /opt/qradar/conf/vis.ssh.key.
If a key file does not exist, you must create the vis.ssh.key file.
9. In the Remote Directory field, type the directory location of the scan result files.
10. In the File Name Pattern field, type a regular expression (regex) required to filter the
list of files specified in the Remote Directory. All matching files are included in the
processing.
The default value is .*\.xml. The .*\.xml pattern imports all xml files in the remote
directory.
11. In the Max Reports Age (Days) field, type the maximum file age for your scan results
file. Files that are older than the specified days and timestamp on the report file are
excluded when the schedule scan starts. The default value is 7 days.
12. To configure the Ignore Duplicates option:
- Select this check box to track files that have already been processed by a scan
schedule. This option prevents a scan result file from being processed a second
time.
- Clear this check box to import vulnerability scan results each time the scan schedule
starts. This option can lead to multiple vulnerabilities being associated with an
asset.
If a result file is not scanned within 10 days, the file is removed from the tracking list
and is processed the next time the scan schedule starts.
13. To configure a CIDR range for your scanner:
a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR
range from the network list.
b. Click Add.
14. Click Save.
15. On the Admin tab, click Deploy Changes.
To create a scan schedule, see Scheduling a Vulnerability Scan on page 105
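The file selection that steps 10 to 12 describe (File Name Pattern, Max Reports Age, Ignore Duplicates) can be modelled before a pattern is deployed against a shared SFTP directory. This is an added example, not JSA code: whole-name regex matching, file age taken from the modification time, tracking keyed by file name, and all file names are assumptions.

```python
import re
from datetime import datetime, timedelta

# From the page: a tracked file that no schedule run has seen for 10 days is
# removed from the tracking list and is processed again on the next run.
TRACKING_EXPIRY = timedelta(days=10)


def run_schedule(listing, now, tracking, pattern=r".*\.xml",
                 max_age_days=7, ignore_duplicates=True):
    """Model one scan-schedule run over a remote directory listing.

    listing  : iterable of (file_name, modified_time) pairs
    tracking : dict file_name -> time a run last saw the file (mutated in place)
    Returns (imported, skipped) where skipped maps file_name -> reason.
    """
    regex = re.compile(pattern)

    # Expire tracking entries that have not been touched within 10 days.
    for name in [n for n, seen in tracking.items() if now - seen > TRACKING_EXPIRY]:
        del tracking[name]

    imported, skipped = [], {}
    for name, modified in sorted(listing):
        # ASSUMPTION: the whole file name must match the pattern, so the
        # default .*\.xml does not pick up "results.xml.bak".
        if not regex.fullmatch(name):
            skipped[name] = "pattern"
        elif now - modified > timedelta(days=max_age_days):
            skipped[name] = "too old"
        elif ignore_duplicates and name in tracking:
            skipped[name] = "duplicate"
            tracking[name] = now          # seen again, keep it tracked
        else:
            imported.append(name)
            if ignore_duplicates:         # files are tracked only when the box is selected
                tracking[name] = now
    return imported, skipped


# Constructed sample listing; names and timestamps are illustrative only.
T0 = datetime(2015, 2, 1, 2, 0)
SAMPLE_LISTING = [
    ("avds_results_20150131.xml", T0 - timedelta(days=1)),
    ("avds_results_20150120.xml", T0 - timedelta(days=12)),
    ("avds_results_20150131.xml.bak", T0 - timedelta(days=1)),
    ("notes.txt", T0 - timedelta(days=1)),
]

if __name__ == "__main__":
    state = {}
    runs = [
        ("first run, defaults", T0, {}),
        ("next day, Ignore Duplicates selected", T0 + timedelta(days=1), {}),
        ("14 days later, Max Reports Age 30", T0 + timedelta(days=15),
         {"max_age_days": 30}),
    ]
    for label, when, options in runs:
        imported, skipped = run_schedule(SAMPLE_LISTING, when, state, **options)
        print(label, "->", imported, skipped)
```

The last run shows the interaction between the two timers: with Max Reports Age above 10 days and a schedule that runs less often than every 10 days, a file is imported again even though Ignore Duplicates is selected.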
Related Documentation
Vulnerability Assessment Scanner Overview on page 3.
Viewing the Status Of a Vulnerability Scan on page 106
Adding an eEye REM SNMP Scan on page 13
CHAPTER 3
Digital Defense Inc AVS Scanner
This chapter describes the following sections:
Digital Defense Inc AVS Scanner Overview on page 9
Adding a Digital Defense Inc AVS Scanner on page 9
Digital Defense Inc AVS Scanner Overview
You can add a Digital Defense Inc AVS scanner to your Juniper Secure Analytics (JSA)
deployment.
Before you begin
Before you add this scanner, a server certificate is required to support HTTPS connections.
JSA supports certificates with the following file extensions: .crt, .cert, or .der. To copy a
certificate to the /opt/qradar/conf/trusted_certificates directory, choose one of the
following options:
- Manually copy the certificate to the /opt/qradar/conf/trusted_certificates directory by
using SCP or SFTP.
- SSH into the console or managed host and retrieve the certificate by using the following
command: /opt/qradar/bin/getcert.sh . A certificate is then downloaded from the specified host name or IP and placed into the /opt/qradar/conf/trusted_certificates directory in the appropriate format.
Related Documentation
Adding a Digital Defense Inc AVS Scanner on page 9
Adding an eEye REM SNMP Scan on page 13
Adding an eEye REM JDBC Scan on page 15
Vulnerability Assessment Scanner Overview on page 3.
Adding a Beyond Security AVDS Vulnerability Scanner on page 5.
Adding a Digital Defense Inc AVS Scanner
About this task
At intervals that are determined by a scan schedule, Juniper Secure Analytics (JSA)
imports the most recent XML results that contain Digital Defense Inc AVS vulnerabilities.
To enable communication with the Digital Defense Inc AVS scanner, JSA uses the
credentials that you specify in the scanner configuration.
The following list provides more information about Digital Defense Inc AVS scanner
parameters:
Remote Hostname
The host name of the remote server that hosts the Digital Defense Inc AVS scanner.
Remote Port
The port number of the remote server that hosts the Digital Defense Inc AVS scanner.
Remote URL
The URL of the remote server that hosts the Digital Defense Inc AVS scanner.
Client ID
The master client ID that JSA uses to connect to the Digital Defense Inc AVS scanner.
Host Scope
When set to Internal, retrieves the active view for the internal hosts of the Digital Defense
Inc AVS scanner. When set to External, retrieves the external active view of the Digital
Defense Inc AVS scanner.
Retrieve Data For Account
The Default option indicates that the data is included from only the specified Client ID.
If you want to include data from the Client ID and all its sub accounts, select All Sub
Accounts. If you want to specify a single, alternate client ID, select Alternate Client ID.
Correlation Method
Specifies the method by which vulnerabilities are correlated.
- The All Available option queries the Digital Defense Inc vulnerability catalog and
attempts to correlate vulnerabilities that are based on all the references that are
returned for that specific vulnerability. References might include CVE, Bugtraq, Microsoft
Security Bulletin, and OSVDB. Multiple references often correlate to the same
vulnerability, but this option returns more results and takes longer to process than the CVE option.
- The CVE option correlates vulnerabilities that are based only on the CVE-ID.
Procedure
To add a Digital Defense Inc AVS Scanner:
1. Click the Admin tab.
2. On the navigation menu, click Data Sources.
3. Click the VA Scanners icon.
4. Click Add.
5. From the Type list box, select Digital Defense Inc AVS.
6. Configure the parameters.
7. To configure the CIDR ranges you want this scanner to consider, type the CIDR range,
or click Browse to select the CIDR range from the network list.
8. Click Add.
9. Click Save.
10. On the Admin tab, click Deploy Changes.
What to do next
After you add your Digital Defense Inc AVS scanner, you can add a scan schedule to
retrieve your vulnerability information.
Related Documentation
Digital Defense Inc AVS Scanner Overview on page 9
Adding an eEye REM SNMP Scan on page 13
Adding an eEye REM JDBC Scan on page 15
CHAPTER 4
Managing eEye Scanner
This chapter describes the following sections:
eEye Scanner Overview on page 13
Adding an eEye REM SNMP Scan on page 13
Adding an eEye REM JDBC Scan on page 15
Installing the Unrestricted Java Cryptography Extension on page 17
eEye Scanner Overview
Juniper Secure Analytics (JSA) can collect vulnerability data from eEye REM Security
Management console or eEye Retina CS scanners.
The following protocol options are available to collect vulnerability information from
eEye scanners:
- Add an SNMP protocol eEye scanner. See Adding an eEye REM SNMP Scan on page 13.
- Add a JDBC protocol eEye scanner. See Adding an eEye REM JDBC Scan on page 15.
Related Documentation
Adding an eEye REM JDBC Scan on page 15
Vulnerability Assessment Scanner Overview on page 3.
Adding a Beyond Security AVDS Vulnerability Scanner on page 5.
Adding an eEye REM SNMP Scan
Administrators can add a scanner to collect vulnerability data over SNMP from eEye REM
or CS Retina scanners.
To use CVE identifiers and descriptions, you must copy the audits.xml file from your eEye
REM scanner to the managed host responsible for listening for SNMP data. If your
managed host is in a distributed deployment, you must copy the audits.xml to the console
first and SSH the file to /opt/qradar/conf/audits.xml on the managed host. The default
location of audits.xml on the eEye scanner is
%ProgramFiles(x86)%\eEye Digital Security\Retina CS\Applications\RetinaManager\Database\audits.xml.
To receive the most up-to-date CVE information, administrators must periodically update
Juniper Secure Analytics (JSA) with the latest audits.xml file.
Procedure
To add an eEye REM scanner to JSA:
1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your SecureScout server.
5. From the Managed Host list, select the managed host from your JSA deployment that
manages the scanner import.
6. From the Type list, select eEye REM Scanner.
7. From the Import Type list, select SNMP.
8. In the Base Directory field, type a location to store the temporary files that contain
the eEye REM scan data. The default directory is /store/tmp/vis/eEye/.
9. In the Cache Size field, type the number of transactions you want to store in the cache
before the SNMP data is written to the temporary file.
The default value is 40 transactions.
10. In the Retention Period field, type the time period, in days, that the system stores scan
information. If a scan schedule has not imported data before the retention period
expires, the scan information from the cache is deleted.
11. Select the Use Vulnerability Data check box to correlate eEye vulnerabilities to Common
Vulnerabilities and Exposures (CVE) identifiers and description information.
12. In the Vulnerability Data File field, type the directory path to the eEye audits.xml file.
13. In the Listen Port field, type the port number that is used to monitor for incoming
SNMP vulnerability information from your eEye REM scanner.
The default port is 1162.
14. In the Source Host field, type the IP address of the eEye scanner.
15. From the SNMP Version list, select the SNMP protocol version.
The default protocol is SNMPv2.
16. In the Community String field, type the SNMP community string for the SNMPv2
protocol. For example, Public.
17. From the Authentication Protocol list, select the algorithm to authenticate SNMPv3
traps. The options include:
- SHA: Select this option to use Secure Hash Algorithm (SHA) as your authentication
protocol.
- MD5: Select this option to use Message Digest 5 (MD5) as your authentication
protocol.
18. In the Authentication Password field, type the password that you want to use to
authenticate SNMPv3 communication.
The password must include a minimum of eight characters.
19. From the Encryption Protocol list, select the SNMPv3 decryption algorithm. The options
include:
- DES: Select this option to use the Data Encryption Standard (DES).
- AES128: Select this option to use the 128-bit Advanced Encryption Standard (AES).
- AES192: Select this option to use the 192-bit Advanced Encryption Standard (AES).
- AES256: Select this option to use the 256-bit Advanced Encryption Standard
(AES).
20. In the Encryption Password field, type the password required to decrypt SNMPv3
traps.
21. To configure a CIDR range for your scanner:
a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR
range from the network list.
b. Click Add.
22. Click Save.
23. On the Admin tab, click Deploy Changes.
Select one of the following options:
- If you do not use SNMPv3 or use low-level SNMP encryption, you are now ready to
create a scan schedule. See Scheduling a Vulnerability Scan on page 105.
- If your SNMPv3 configuration uses AES192 or AES256 encryption, you must install the
unrestricted Java cryptography extension on each console or managed host that
receives SNMPv3 traps. See Installing the Unrestricted Java Cryptography Extension
on page 17.
Related Documentation
Installing the Unrestricted Java Cryptography Extension on page 17
Vulnerability Assessment Scanner Overview on page 3.
Adding a Beyond Security AVDS Vulnerability Scanner on page 5.
Adding an eEye REM JDBC Scan
Administrators can add a scanner to collect vulnerability data over JDBC from eEye REM
or CS Retina scanners.
Before you configure Juniper Secure Analytics (JSA) to poll for vulnerability data, we
suggest you create a database user account and password for JSA. If you assign the user
account read-only permission to the RetinaCSDatabase, you can restrict access to the
database that contains the eEye vulnerabilities. The JDBC protocol enables JSA to log
in and poll for events from the MSDE database. Ensure that no firewall rules block
communication between the eEye scanner and the console or managed host responsible
for polling with the JDBC protocol. If you use database instances, you must verify port
1433 is available for the SQL Server Browser Service to resolve the instance name.
Procedure
To add an eEye REM JDBC scanner to JSA:
1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your SecureScout server.
5. From the Managed Host list, select the managed host from your JSA deployment that
manages the scanner import.
6. From the Type list, select eEye REM Scanner.
7. From the Import Type list, select JDBC.
8. In the Hostname field, type the IP address or the host name of the eEye database.
9. In the Port field, type 1433.
10. Optional. In the Database Instance field, type the database instance for the eEye
database.
If a database instance is not used, administrators can leave this field blank.
11. In the Username field, type the username required to query the eEye database.
12. In the Password field, type the password required to query the eEye database.
13. In the Domain field, type the domain required, if required, to connect to the eEye
database.
If the database is configured for Windows and inside a domain, you must specify the
domain name.
14. In the Database Name field, type RetinaCSDatabase as the database name.
15. Select the Use Named Pipe Communication check box if named pipes are required to
communicate to the eEye database. By default, this check box is clear.
16. Select the Use NTLMv2 check box if the eEye scanner uses NTLMv2 as an
authentication protocol. By default, this check box is clear.
The Use NTLMv2 check box forces MSDE connections to use the NTLMv2 protocol
when communicating with SQL servers that require NTLMv2 authentication. If the Use
NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers
that do not require NTLMv2 authentication.
17. To configure a CIDR range for the scanner:
a. In the text field, type the CIDR range you want this scanner to consider or click
Browse to select a CIDR range from the network list.
b. Click Add.
18. Click Save.
19. On the Admin tab, click Deploy Changes.
To create a scan schedule, see Scheduling a Vulnerability Scan on page 105.
Related Documentation
Adding an eEye REM JDBC Scan on page 15
Vulnerability Assessment Scanner Overview on page 3.
Adding a Beyond Security AVDS Vulnerability Scanner on page 5.
Installing the Unrestricted Java Cryptography Extension
The Java Cryptography Extension (JCE) is a Java framework that is required to decrypt
advanced cryptography algorithms for AES 192-bit or AES 256-bit SNMPv3 traps.
Each managed host that receives SNMPv3 traps with high-level requires the unrestricted
JCE. You must repeat this process on each appliance that listens If you require advanced
cryptography algorithms for SNMP communication, you must update the existing
cryptography extension on your managed host with an unrestricted JCE.
Procedure
To install the Unrestricted Java Cryptography Extension to Juniper Secure Analytics (JSA):
1. Using SSH, log in to your JSA console.
2. To verify the version of Java on the console, type the following command:
java -version
NOTE: The JCE file must match the version of the Java installed on the console.
3. Download the latest version of the Java Cryptography Extension.
4. Secure copy (SCP) the local_policy.jar and US_export_policy.jar files to the following
directory of the console:
/opt/ibm/java-[version]/jre/lib/security/
5. Optional. Distributed deployments require administrators to copy the local_policy.jar
and US_export_policy.jar files from the console appliance to the managed host.
To create a scan schedule, see Scheduling a Vulnerability Scan on page 105.
Related Documentation
Adding a Beyond Security AVDS Vulnerability Scanner on page 5
Adding an eEye REM SNMP Scan on page 13
Adding an eEye REM JDBC Scan on page 15
CHAPTER 5
Managing IBM Security AppScan Enterprise Scanners
This chapter describes the following sections:
IBM Security SiteProtector Scanner Overview on page 19
Creating a Customer User Type for IBM AppScan on page 20
Enabling Integration with IBM Security AppScan Enterprise on page 20
Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
Publishing the Completed Reports in IBM AppScan on page 22
Adding an IBM AppScan Vulnerability Scanner on page 22
IBM Security SiteProtector Scanner Overview
The IBM SiteProtector scanner module for Juniper Secure Analytics (JSA) accesses
vulnerability data from IBM SiteProtector scanners through Java Database Connectivity
(JDBC) queries.
The IBM SiteProtector scanner retrieves vulnerability data from the RealSecureDB table
and polls for new vulnerabilities each time a scan schedule starts. The Compare field
enables the query to retrieve any new vulnerabilities from the RealSecureDB table to
ensure that duplicate vulnerabilities are not imported. When the IBM SiteProtector scanner
is configured, the administrator can create a SiteProtector user account specifically for
polling vulnerability data. After the user account is created, the administrator can verify
that there are no firewalls that reject queries on the port configured to poll the database.
To configure an IBM Security SiteProtector scanner, see Adding an IBM SiteProtector
Vulnerability Scanner on page 29.
Related Documentation
Adding an IBM SiteProtector Vulnerability Scanner on page 29
Enabling Integration with IBM Security AppScan Enterprise on page 20
Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
Creating a Customer User Type for IBM AppScan
Custom user types allow administrators to perform limited and specific administrative
tasks and must be created before you can assign permissions.
Procedure
To create a customer user type for IBM AppScan:
1. Log in to your IBM AppScan Enterprise appliance.
2. Click the Administration tab.
3. On the User Types page, click Create.
4. Select all of the following user permissions:
- Configure Juniper Secure Analytics (JSA) Integration: Select this check box to allow
users to access the JSA integration options for AppScan Enterprise.
- Publish to JSA: Select this check box to allow JSA access to published scan report
data.
- JSA Service Account: Select this check box to add access to the REST API for the
user account. This permission does not provide access to the user interface.
5. Click Save.
You are now ready to enable integration permissions. See Enabling Integration with IBM
Security AppScan Enterprise on page 20.
Related Documentation
Adding an IBM SiteProtector Vulnerability Scanner on page 29
Creating a Customer User Type for IBM AppScan on page 20
Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
Enabling Integration with IBM Security AppScan Enterprise
IBM Security AppScan Enterprise must be configured to enable integration with Juniper
Secure Analytics (JSA). To complete these steps, you must be logged in with the user
type you created in the previous step.
Procedure
To enable integration with IBM Security AppScan Enterprise:
1. Click the Administration tab.
2. On the Navigation menu, select Network Security Systems.
3. On the JSA Integration Setting pane, click Edit.
4. Select the Enable JSA Integration check box.
Any reports previously published to JSA are displayed. If any of the reports displayed are
no longer required, you can remove them from the list. As you publish additional reports
to JSA, the reports are displayed in this list.
You are now ready to configure the Application Deployment Mapping in AppScan
Enterprise. See Creating an Application Deployment Map in IBM Security AppScan
Enterprise on page 21.
Related Documentation
Creating a Customer User Type for IBM AppScan on page 20
Enabling Integration with IBM Security AppScan Enterprise on page 20
Adding an IBM SiteProtector Vulnerability Scanner on page 29
Creating an Application Deployment Map in IBM Security AppScan Enterprise
The Application Deployment Map allows AppScan Enterprise to determine the locations
hosting the application in your production environment.
As vulnerabilities are discovered, AppScan Enterprise knows the locations of the hosts
and the IP addresses affected by the vulnerability. If an application is deployed to several
hosts, then AppScan Enterprise generates a vulnerability for each host in the scan results.
Procedure
To create an application deployment map in IBM Security AppScan Enterprise:
1. Click the Administration tab.
2. On the Navigation menu, select Network Security Systems.
3. On the Juniper Secure Analytics (JSA) Integration Setting pane, click Edit.
4. In the Application test location (host or pattern) field, type the test location of your
application.
5. In the Application production location (host) field, type the IP address of your
production environment.
To add vulnerability information to JSA, your Application Deployment Mapping must
include an IP address. Any vulnerability data without an IP address is excluded from
JSA if the IP address is not available in the AppScan Enterprise scan results.
6. Click Add.
7. Repeat this procedure to map any more production environments in AppScan
Enterprise.
8. Click Done.
You are now ready to publish completed reports. See Publishing the Completed Reports
in IBM AppScan on page 22.
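The effect of the deployment map on what reaches JSA can be checked on paper before reports are published. The following is an added example, not AppScan Enterprise or JSA code: it assumes shell-style wildcards for the test-location pattern, and the host names, addresses and finding titles are constructed.

```python
import fnmatch
import ipaddress


def is_ip(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def expand_findings(findings, deployment_map):
    """Apply an Application Deployment Map to scan findings.

    findings       : list of (issue, test_host)
    deployment_map : list of (test_location_pattern, production_location)
    Returns (records, excluded):
      records  - one (production_ip, issue) per production host, as the page
                 describes for applications deployed to several hosts
      excluded - (issue, test_host, reason) for data that carries no IP
                 address and would therefore be left out of JSA
    """
    records, excluded = [], []
    for issue, test_host in findings:
        # ASSUMPTION: patterns use shell-style wildcards, compared case-insensitively.
        targets = [prod for pattern, prod in deployment_map
                   if fnmatch.fnmatchcase(test_host.lower(), pattern.lower())]
        if not targets:
            excluded.append((issue, test_host, "no deployment mapping"))
            continue
        for prod in targets:
            if is_ip(prod):
                records.append((prod, issue))
            else:
                excluded.append(
                    (issue, test_host,
                     "production location %r is not an IP address" % prod))
    return records, excluded


# Constructed sample data (documentation address range and .test names).
SAMPLE_MAP = [
    ("shop-test*.example.test", "192.0.2.10"),
    ("shop-test*.example.test", "192.0.2.11"),
    ("hr-test.example.test", "hr-prod.example.test"),   # host name instead of an IP
]
SAMPLE_FINDINGS = [
    ("SQL injection in /cart", "shop-test1.example.test"),
    ("Missing HttpOnly flag", "hr-test.example.test"),
    ("Verbose error page", "wiki-test.example.test"),
]

if __name__ == "__main__":
    kept, dropped = expand_findings(SAMPLE_FINDINGS, SAMPLE_MAP)
    for ip, issue in kept:
        print("import  ", ip, issue)
    for issue, host, reason in dropped:
        print("excluded", host, issue, "-", reason)
```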
Related Documentation
Adding an IBM AppScan Vulnerability Scanner on page 22
Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
Creating a Customer User Type for IBM AppScan on page 20
Publishing the Completed Reports in IBM AppScan
Completed vulnerability reports generated by AppScan Enterprise must be made
accessible to Juniper Secure Analytics (JSA) by publishing the report.
Procedure
To publish the completed reports in IBM AppScan:
1. Click the Jobs & Reports tab.
2. Navigate to the security report you want to make available to JSA.
3. On the menu bar of any security report, select Publish > Grant to provide report access
to JSA.
4. Click Save.
You are now ready to enable integration permissions. See Adding an IBM AppScan
Vulnerability Scanner on page 22.
Related Documentation
Adding an IBM AppScan Vulnerability Scanner on page 22
Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
Creating a Customer User Type for IBM AppScan on page 20
Adding an IBM AppScan Vulnerability Scanner
Adding a scanner enables administrators to define which scan reports in IBM Security
AppScan are collected by Juniper Secure Analytics (JSA).
Administrators can add multiple IBM AppScan scanners to JSA, each with a different
configuration. Multiple configurations provide JSA the ability to import AppScan data for
specific results. The scan schedule determines the frequency with which scan results are
imported from the REST web service in IBM AppScan Enterprise.
Procedure
To add an IBM AppScan Vulnerability Scanner to JSA:
1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your IBM AppScan Enterprise
scanner.
5. From the Managed Host list, select the managed host from your JSA deployment that
manages the scanner import.
6. From the Type list, select IBM AppScan Scanner.
7. In the ASE Instance Base URL field, type the full base URL of the AppScan Enterprise
instance.
This field supports HTTP and HTTPS addresses. For example,
http://myasehostname/ase/.
8. From the Authentication Type list, select one of the following options:
- Windows Authentication: Select this option to use Windows Authentication with
the REST web service.
- Jazz Authentication: Select this option to use Jazz Authentication with the REST
web service.
9. In the Username field, type the username required to retrieve scan results from
AppScan Enterprise.
10. In the Password field, type the password required to retrieve scan results from AppScan
Enterprise.
11. In the Report Name Pattern field, type a regular expression (regex) required to filter
the list of vulnerability reports available from AppScan Enterprise.
By default, the Report Name Pattern field contains .* as the regex pattern. The .*
pattern imports all scan reports that are published to JSA. All matching files from the
file pattern are processed by JSA. You can specify a group of vulnerability reports or
an individual report using a regex pattern.
12. To configure a CIDR range for your scanner:
a. In the text field, type the CIDR range for the scanner or click Browse to select a
CIDR range from the network list.
b. Click Add.
13. Click Save.
14. On the Admin tab, click Deploy Changes.
You are now ready to create a scan schedule for IBM Security AppScan Enterprise. See
Scheduling a Vulnerability Scan on page 105.
Related Documentation
Publishing the Completed Reports in IBM AppScan on page 22
Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
Creating a Customer User Type for IBM AppScan on page 20
CHAPTER 6
Managing an IBM Security Guardium Scanner
This chapter describes the following sections:
IBM Security Guardium Scanner Overview on page 25
Adding an IBM Security Guardium Vulnerability Scanner on page 26
IBM Security Guardium Scanner Overview
IBM InfoSphere Guardium appliances are capable of exporting database vulnerability
information that can be critical to protecting customer data.
IBM Guardium audit processes export the results of tests that fail the Common
Vulnerability and Exposures (CVE) tests generated when running security assessment
tests on your IBM Guardium appliance. The vulnerability data from IBM Guardium must
be exported to a remote server or staging server in Security Content Automation Protocol
(SCAP) format. JSA can then retrieve the scan results from the remote server storing the
vulnerability data by using SFTP.
IBM Guardium only exports vulnerability data from databases containing failed CVE test
results. If there are no failed CVE tests, IBM Guardium may not export a file at the end of
the security assessment. For information on configuring security assessment tests and
creating an audit process to export vulnerability data in SCAP format, see your IBM
InfoSphere Guardium documentation.
After you have configured your IBM Guardium appliance, you are ready to configure JSA
to import the results from the remote server hosting the vulnerability data. You must add
an IBM Guardium scanner to JSA and configure the scanner to retrieve data from your
remote server. The most recent vulnerabilities are imported by JSA when you create a
scan schedule. Scan schedules allow you to determine the frequency with which JSA
requests data from the remote server hosting your IBM Guardium vulnerability data.
Integration overview for IBM InfoSphere Guardium and JSA.
To integrate IBM InfoSphere Guardium with JSA:
1. On your IBM InfoSphere Guardium appliance, create an SCAP file with your vulnerability
information. See your IBM Security InfoSphere Guardium documentation.
2. On your JSA console, add an IBM Guardium scanner. See Adding an IBM Security
Guardium Vulnerability Scanner on page 26.
3. On your JSA console, create a scan schedule to import scan result data. See
Scheduling a Vulnerability Scan on page 105
Related Documentation
Adding an IBM Security Guardium Vulnerability Scanner on page 26
Publishing the Completed Reports in IBM AppScan on page 22
Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
Adding an IBM Security Guardium Vulnerability Scanner
Adding a scanner allows Juniper Secure Analytics (JSA) to collect SCAP vulnerability
files from IBM InfoSphere Guardium.
Administrators can add multiple IBM Guardium scanners to JSA, each with a different
configuration. Multiple configurations provide JSA the ability to import vulnerability data
for specific results. The scan schedule determines the frequency with which the SCAP
scan results are imported from IBM InfoSphere Guardium.
Procedure
To add an IBM Security Guardium Vulnerability Scanner to JSA:
1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your IBM AppScan Enterprise
scanner.
5. From the Managed Host list, select the managed host from your JSA deployment that
manages the scanner import.
6. From the Type list, select IBM Guardium SCAP Scanner.
7. Choose one of the following authentication options as described in Table 4 on page 26.
Table 4: IBM AppScan Enterprise Scanner Authentication Options
Option: Login Username
Description: To authenticate with a username and password:
1. In the Login Username field, type a username that has access to retrieve the scan results from the remote host.
2. In the Login Password field, type the password associated with the username.
Option: Enable Key Authorization
Description: To authenticate with a key-based authentication file:
1. Select the Enable Key Authentication check box.
2. In the Private Key File field, type the directory path to the key file.
The default directory for the key file is /opt/qradar/conf/vis.ssh.key.
If a key file does not exist, you must create the vis.ssh.key file.
8. To configure the Ignore Duplicates option:
- Select this check box to track files that have already been processed by a scan
schedule. This option prevents a scan result file from being processed a second
time.
- Clear this check box to import vulnerability scan results each time the scan schedule
starts. This option can lead to multiple vulnerabilities being associated with an
asset.
If a result file is not scanned within 10 days, the file is removed from the tracking list
and is processed the next time the scan schedule starts.
9. To configure a CIDR range for your scanner:
a. In the text field, type the CIDR range for the scan or click Browse to select a CIDR
range from the network list.
b. Click Add.
10. Click Save.
11. On the Admin tab, click Deploy Changes.
You are now ready to create a scan schedule for IBM InfoSphere Guardium. See
Scheduling a Vulnerability Scan on page 105.
Related Documentation
IBM Security SiteProtector Scanner Overview on page 19
Publishing the Completed Reports in IBM AppScan on page 22
Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
CHAPTER 7
Managing IBM Security SiteProtector Scanner
This chapter describes the following sections:
IBM Security SiteProtector Scanner Overview on page 29
Adding an IBM SiteProtector Vulnerability Scanner on page 29
IBM Security SiteProtector Scanner Overview
The IBM SiteProtector scanner module for Juniper Secure Analytics (JSA) accesses
vulnerability data from IBM SiteProtector scanners through Java Database Connectivity
(JDBC) queries.
The IBM SiteProtector scanner retrieves vulnerability data from the RealSecureDB table
and polls for new vulnerabilities each time a scan schedule starts. The Compare field
enables the query to retrieve any new vulnerabilities from the RealSecureDB table to
ensure that duplicate vulnerabilities are not imported. When the IBM SiteProtector scanner
is configured, the administrator can create a SiteProtector user account specifically for
polling vulnerability data. After the user account is created, the administrator can verify
that there are no firewalls that reject queries on the port configured to poll the database.
To configure an IBM Security SiteProtector scanner, see Adding an IBM SiteProtector
Vulnerability Scanner on page 29.
Related Documentation
Adding an IBM SiteProtector Vulnerability Scanner on page 29
Enabling Integration with IBM Security AppScan Enterprise on page 20
Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
Adding an IBM SiteProtector Vulnerability Scanner
Juniper Secure Analytics (JSA) can poll IBM InfoSphere SiteProtector appliances for
vulnerability data with JDBC.
Administrators can add multiple IBM SiteProtector scanners to JSA, each with a different
configuration. Multiple configurations provide JSA with the ability to query SiteProtector
and only import results from specific CIDR ranges. The scan schedule determines the
frequency with which the database on the SiteProtector scanner is queried for vulnerability
data.
Procedure
To add an IBM SiteProtector Vulnerability scanner to JSA:
1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your SecureScout server.
5. From the Managed Host list, select the managed host from your JSA deployment that
manages the scanner import.
6. From the Type list, select IBM SiteProtector Scanner.
7. In the Hostname field, type the IP address or the host name of the IBM SiteProtector
database that contains vulnerabilities to import.
8. In the Port field, type 1433 as the port for the IBM SiteProtector database.
9. In the Username field, type the username required to query the IBM SiteProtector
database.
10. In the Password field, type the password required to query the IBM SiteProtector
database.
11. In the Domain field, type the domain required, if required, to connect to the IBM
SiteProtector database.
If the database is configured for Windows and inside a domain, you must specify the
domain name.
12. In the Database Name field, type RetinaCSDatabase as the database name.
13. In the Database Instance field, type the database instance for the IBM SiteProtector
database. If you are not using a database instance, you can leave this field blank.
14. Select the Use Named Pipe Communication check box if named pipes are required to
communicate to the IBM SiteProtector database. By default, this check box is clear.
15. Select the Use NTLMv2 check box if the eEye scanner uses NTLMv2 as an
authentication protocol. By default, this check box is clear.
The Use NTLMv2 check box forces MSDE connections to use the NTLMv2 protocol
when communicating with SQL servers that require NTLMv2 authentication. If the Use
NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers
that do not require NTLMv2 authentication.
16. To configure a CIDR range for the scanner:
a. In the text field, type the CIDR range you want this scanner to consider or click
Browse to select a CIDR range from the network list.
b. Click Add.
17. Click Save.
18. On the Admin tab, click Deploy Changes.
You are now ready to create a scan schedule. See
Scheduling a Vulnerability Scan on page 105.
Related Documentation
Creating a Customer User Type for IBM AppScan on page 20
Enabling Integration with IBM Security AppScan Enterprise on page 20
Creating an Application Deployment Map in IBM Security AppScan Enterprise on page 21
CHAPTER 8
Managing IBM Security Tivoli Endpoint Manager Scanner
This chapter describes the following sections:
IBM Security Tivoli Endpoint Manager Scanner Overview on page 33
Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner on page 33
IBM Security Tivoli Endpoint Manager Scanner Overview
The IBM Tivoli Endpoint Manager scanner module accesses vulnerability data from IBM
Tivoli Endpoint Manager using the SOAP API installed with the Web Reports application.
The Web Reports application for Tivoli Endpoint Manager is required to retrieve
vulnerability data from Tivoli Endpoint Manager for Juniper Secure Analytics (JSA).
Administrators can create a user in IBM Tivoli Endpoint Manager for JSA to use when the
system collects vulnerabilities.
NOTE: JSA is compatible with IBM Tivoli Endpoint Manager versions 8.2.x. However, administrators can use the latest version of IBM Tivoli Endpoint Manager that is available.
To add an IBM Tivoli Endpoint Manager scanner, see Adding an IBM Security Tivoli
Endpoint Manager Vulnerability Scanner on page 33.
Related Documentation
Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner on page 33
Creating a Customer User Type for IBM AppScan on page 20
IBM Security Tivoli Endpoint Manager Scanner Overview on page 33
Adding an IBM Security Tivoli Endpoint Manager Vulnerability Scanner
Juniper Secure Analytics (JSA) accesses vulnerability data from IBM Tivoli Endpoint
Manager using the SOAP API installed with the Web Reports application.
You can add multiple IBM Tivoli Endpoint Manager scanners in JSA, each with a different
configuration to determine which CIDR ranges you want the scanner to consider.
Multiple configurations for a single IBM Tivoli Endpoint Manager scanner allow you to
create individual scanners for collecting specific result data from specific locations or
vulnerabilities for specific types of operating systems.
Procedure
To add an IBM Security Tivoli Endpoint Manager Vulnerability scanner to JSA:
1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your SecureScout server.
5. From the Managed Host list, select the managed host from your JSA deployment that
manages the scanner import.
6. From the Type list, select IBM Tivoli Endpoint Manager.
7. In the Hostname field, type the IP address or hostname of the IBM Tivoli Endpoint
Manager containing the vulnerabilities you want to retrieve with the SOAP API.
8. In the Port field, type the port number used to connect to the IBM Tivoli Endpoint
Manager using the SOAP API.
By default, port 80 is the port number for communicating with IBM Tivoli Endpoint
Manager. If you use HTTPS, you must update this field with the HTTPS port number,
which for most configurations is port 443.
9. Select the Use HTTPS check box to connect securely with the HTTPS protocol.
If you select this check box, the hostname or IP address you specify uses HTTPS to
connect to your IBM Tivoli Endpoint Manager.
If a certificate is required to connect using HTTPS, you must copy any certificates
required by the JSA console or managed host to the following directory:
/opt/qradar/conf/trusted_certificates
NOTE: JSA supports certificates with the following file extensions: .crt, .cert, or .der. Any required certificates should be copied to the trusted certificates directory before you save and deploy your changes.
10. In the Username field, type the username required to access IBM Tivoli Endpoint
Manager.
11. In the Password field, type the password required to access IBM Tivoli Endpoint
Manager.
12. To configure a CIDR range for the scanner:
a. In the text field, type the CIDR range you want this scanner to consider or click
Browse to select a CIDR range from the network list.
b. Click Add.
13. Click Save.
14. On the Admin tab, click Deploy Changes.
You are now ready to create a scan schedule for IBM Security Tivoli Endpoint Manager.
See Scheduling a Vulnerability Scan on page 105.
Related Documentation
Creating a Customer User Type for IBM AppScan on page 20
IBM Security Tivoli Endpoint Manager Scanner Overview on page 33
Foundstone FoundScan Scanner Overview on page 37
CHAPTER 9
Managing Foundstone FoundScan Scanner
This chapter describes the following sections:
Foundstone FoundScan Scanner Overview on page 37
Adding a Foundstone FoundScan Scanner on page 38
Importing Certificates for Foundstone FoundScan on page 39
Foundstone FoundScan Scanner Overview
The Foundstone FoundScan scanner queries the FoundScan Engine for host and
vulnerability information from the FoundScan OpenAPI.
Juniper Secure Analytics (JSA) supports Foundstone FoundScan versions 5.0 to 6.5.
The FoundScan appliance must include a scan configuration that runs regularly to keep
the host and vulnerability results current. To ensure that the FoundScan scanner is able
to retrieve scan information, make sure the FoundScan system meets the following
requirements:
The FoundScan application must be active. Since the API provides access to the
FoundScan application, administrators can verify that the FoundScan application runs
continuously on the FoundScan server.
The scan data to import must be complete and visible in the FoundScan user interface
to retrieve scan results. If the scan is scheduled to be removed after completion, the
results must be imported by the scan schedule before the scan is removed from
FoundScan.
The appropriate user privileges must be configured in the FoundScan application to
enable communication between JSA and FoundScan. The FoundScan OpenAPI provides
host and vulnerability information. All vulnerabilities for a host are assigned
to port 0.
To connect to FoundScan, the FoundScan Engine requires authentication with client-side
certificates. FoundScan includes a default certificate authority and client certificates
that are the same for all scanner installations. The FoundScan plug-in also includes
certificates for use with FoundScan 5.0. If the FoundScan Server uses custom certificates,
administrators must import the appropriate certificates and keys. Instructions on how
to import certificates are provided in this configuration documentation.
To add a FoundScan API vulnerability scan, see Adding a Foundstone FoundScan Scanner
on page 38.
Related Documentation
Creating a Customer User Type for IBM AppScan on page 20
IBM Security Tivoli Endpoint Manager Scanner Overview on page 33
Adding a Foundstone FoundScan Scanner on page 38
Adding a Foundstone FoundScan Scanner
Administrators can add a Foundstone FoundScan scanner to collect host and vulnerability
information through the FoundScan Open API.
Procedure
To add a Foundstone FoundScan scanner to Juniper Secure Analytics (JSA):
1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your SecureScout server.
5. From the Managed Host list, select the managed host from your JSA deployment that
manages the scanner import.
Certificates for your FoundScan scanner must reside on the managed host selected
in the Managed Host list.
6. From the Type list, select FoundScan Scanner.
7. In the SOAP API URL field, type the IP address or hostname of the Foundstone
FoundScan that contains the vulnerabilities you want to retrieve with the SOAP API.
For example, https://foundstone IP address:SOAP port. The default value is
https://localhost:3800.
8. In the Customer Name field, type the name of the customer that belongs to the
username.
9. In the User Name field, type the username required to access the Foundstone
FoundScan server.
10. Optional. In the Client IP Address field, type the IP address of the server that you want
to perform the scan. By default, this value is not used; however, it is necessary when
administrators validate some scan environments.
11. Optional. In the Password field, type the password required to access the Foundstone
FoundScan server.
12. In the Portal Name field, type the portal name.
This field can be left blank for JSA. For more information, see your FoundScan
administrator.
13. In the Configuration Name field, type the scan configuration name that exists in
FoundScan and to which the user has access.
Make sure this scan configuration is active or runs frequently.
14. In the CA Truststore field, type the directory path and filename for the CA truststore
file.
The default path is /opt/qradar/conf/foundscan.keystore.
15. In the CA Keystore field, type the directory path and filename for the client keystore.
The default path is /opt/qradar/conf/foundscan.truststore.
16. To configure a CIDR range for the scanner:
a. In the text field, type the CIDR range you want this scanner to consider or click
Browse to select a CIDR range from the network list.
b. Click Add.
17. Click Save.
18. On the Admin tab, click Deploy Changes.
Administrators can now import certificates from your FoundScan server to enable
communication. See Importing Certificates for Foundstone FoundScan on page 39.
Related Documentation
Creating a Customer User Type for IBM AppScan on page 20
IBM Security Tivoli Endpoint Manager Scanner Overview on page 33
Importing Certificates for Foundstone FoundScan on page 39
Importing Certificates for Foundstone FoundScan
Administrators that use custom certificates or a version of Foundstone FoundScan lower
than V5.0 must import the appropriate certificates to the managed host from the scanner
configuration.
The scanner must be added to a managed host in the scan configuration before
certificates are imported from the FoundScan server. The certificates must be imported
to the correct managed host to collect vulnerability and host scan data.
Procedure
To import the certificates:
1. Obtain the two certificate files and the passphrase from your FoundScan administrator.
The TrustedCA.pem file is the CA certificate for the FoundScan engine.
The Portal.pem file certificate is the private key that includes the certificate chain
for the client.
2. Using SSH, copy the two pem files to the managed host assigned in your FoundScan
configuration. If you have a distributed deployment, you must copy the files to the
console and SSH the files from the console appliance to the managed host.
3. Navigate to the directory location of the pem files.
4. To remove the previous keystore certificate from the managed host, type the following
command:
rm -f /opt/qradar/conf/foundscan.keystore
5. To remove the previous truststore certificate from the managed host, type the following
command:
rm -f /opt/qradar/conf/foundscan.truststore
6. To import the pem files to your managed host, type the following command:
/opt/qradar/bin/foundstone-cert-import.sh [TrustedCA.pem] [Portal.pem]
7. Repeat the certificate import for any more managed hosts in your deployment that
connect to the Foundstone FoundScan appliance.
You are now ready to create a scan schedule. See
Scheduling a Vulnerability Scan on page 105.
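A pre-flight check for the import procedure above, added here as an example and not part of the JSA guide or of foundstone-cert-import.sh: it confirms that the first file holds a CA certificate and the second holds one private key with at least one certificate, so the existing keystore and truststore are only removed once both PEM files look right. The function names, the pass/fail rules and the sample files are assumptions made for illustration; the sample PEM blocks are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the JSA guide): sanity-check the two FoundScan PEM
# files before the old keystore and truststore are removed.

CERT_RE='^-----BEGIN CERTIFICATE-----'
KEY_RE='^-----BEGIN [A-Z ]*PRIVATE KEY-----'

# Print how many lines of file $1 match the PEM header pattern $2.
count_blocks() {
    grep -c -e "$2" "$1" || true   # grep -c exits 1 when the count is 0
}

# Succeed if file $1 is readable by group or others.
key_file_exposed() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# $1 = CA certificate file, $2 = client private key plus certificate chain.
# Returns 0 if both look right, 1 on a content problem, 2 if a file is unusable.
check_foundscan_pems() {
    ca_pem=$1 portal_pem=$2 rc=0
    for f in "$ca_pem" "$portal_pem"; do
        if [ ! -r "$f" ] || [ ! -s "$f" ]; then
            echo "FAIL: $f is missing, unreadable or empty" >&2
            return 2
        fi
    done
    [ "$(count_blocks "$ca_pem" "$CERT_RE")" -ge 1 ] ||
        { echo "FAIL: no certificate in $ca_pem" >&2; rc=1; }
    # Assumption: a CA file that carries a private key means the files were mixed up.
    [ "$(count_blocks "$ca_pem" "$KEY_RE")" -eq 0 ] ||
        { echo "FAIL: private key found in $ca_pem" >&2; rc=1; }
    [ "$(count_blocks "$portal_pem" "$KEY_RE")" -eq 1 ] ||
        { echo "FAIL: expected exactly one private key in $portal_pem" >&2; rc=1; }
    [ "$(count_blocks "$portal_pem" "$CERT_RE")" -ge 1 ] ||
        { echo "FAIL: no client certificate in $portal_pem" >&2; rc=1; }
    if key_file_exposed "$portal_pem"; then
        echo "WARN: $portal_pem is readable by group or others" >&2
    fi
    return "$rc"
}

# Write one constructed PEM block of type $1 (placeholder body only).
pem_block() {
    printf '%s\n' "-----BEGIN $1-----" 'Q09OU1RSVUNURUQ=' "-----END $1-----"
}

# Build constructed sample files in directory $1 for a dry run.
make_constructed_samples() {
    pem_block CERTIFICATE > "$1/TrustedCA.pem"
    { pem_block 'RSA PRIVATE KEY'; pem_block CERTIFICATE
      pem_block CERTIFICATE; } > "$1/Portal.pem"
    chmod 600 "$1/Portal.pem"
}

# When called with two arguments, check those files; otherwise only define the functions.
[ "$#" -ne 2 ] || check_foundscan_pems "$1" "$2"
```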
Related Documentation
Creating a Customer User Type for IBM AppScan on page 20
IBM Security Tivoli Endpoint Manager Scanner Overview on page 33
nCircle IP360 Scanner Overview on page 45
CHAPTER 10
Microsoft SCCM Scanner
This chapter describes the following sections:
Microsoft SCCM Scanner Overview on page 41
WMI Enablement on Scanner Host on page 41
Adding a Microsoft SCCM Scanner on page 42
Microsoft SCCMScanner Over