Nessus + RHN Satellite - Red Hat Summit

Compliance Issues Can Be a Growing PainEach industry affected by its own compliance rules(FDCC, HIPPA, SOX, PCI, and many, many more)Executive summary of all the requirements:“Control your network, keep it tight and up todate, be able to prove it”

REQUIREMENTPROPOSED SOLUTIONS

REQUIREMENTPROPOSED SOLUTIONS

Requirement 11: Regularly Test SecuritySystems and ProcessesRegular audits of the perimeter (or network) by 3rdparties (every quarter) – Very typical of many auditsTypical example: ecommerce site scanned by a PCIASV (“Approved Scanning Vendor”)PCI ASV scans use Nessus and other scanners to dotheir jobs Note: Tenable Network Security is now a PCI ASV

Issues with Auditors in General“False positives”: Red Hat backports security patches. Asite advertising “Apache 2.2.4” may not be vulnerableto all flaws affecting Apache < 2.2.18. No doubt, mostvendors prefer a false positive to a false negative.Findings can now be disputed. However:This is costly (charged per scan) and time consuming(where to get the information).

The False Positive IssueCondition:ExistsCondition:Does Not ExistDetectedValid:True PositiveInvalid:False PositiveNot DetectedInvalid:False NegativeValid:True Negative

Issues with Some AuditorsHow to prepare for an audit and be ready to explain whysome findings are false positives?How to prove that patches are applied regularly?What if your patch schedule does not fit the quarterlyscans?Explaining how Red Hat backporting works

Red Hat Satellite

Strategies to Manage ContentRHEL 5 5 .1 5 .2 5 .xClientsCustom 5.0-devCloneCustom 5.0-prod1)Client is built via kickstart from Red Hat channel kickstart tree2)Activation key reconfigures client (dev or prod?)3)Sat Admin creates 2 custom channels for dev & production clients4)Sat Admin regularly compares custom dev channel vs. Red Hat and merges selected security updates, fixes,feature enablements5)Dev systems do QA validation6)Sat Admin merges dev to prod at reduced intervals after QA certifies dev channel7)Sat Admin schedules updates for prod clients

Red Hat Satellite (cont.)Red Hat Satellite is a great way to manage one’snetwork in a compliant way. However, we still need to:- Prove that every host scanned is indeed managed bySatellite- Prove that every host scanned is patched (regularly)- Prove that every host is configured properly from asecurity point of view

Red Hat Satellite (cont.)SystemsauditedNot every host related toaudits is managed bySatellite (yet)Systems managedby SatelliteDifferent views betweenSatellite and the scanresults

Red Hat Satellite: Unlocking the Power of the APIConnect to the Satelliteserver via XML-RPC libraryAuthenticateSession Key* Normal Satellite serverpermissions/roles applyPerform queries andoperations of interestLogout (when Auth)

Red Hat Satellite:Nessus Integration with RHN SatelliteSatellite APIIntegrationSoftware DistributionAccount ManagementChannel ManagementMonitoringProvisioningAPILAYERXML-RPCThe API layer can be used to integrate with disparate systems by makingremote procedure calls using XML over HTTP

Nessus + RHN SatelliteEach time Nessus scans ahost, it can connect to thelocal RHN Satellite serverand ask –Do you manage it?ANDHow do you manage it?

NessusWidely-deployed vulnerability scanner with open source roots,since 1998Nearly 50,000 vulnerability and configuration pluginsUsed by many auditorsScans a network for remote and local vulnerabilities andmisconfigurationsLeast-expensive commercial vulnerability scanner ($1500/year,unlimited targets; still free for home, non-commercial use)Also includes web app scanning, local policy audits, and more... -http://www.nessus.org for more informationFor organizations with multiple Nessus scanners, TenableSecurityCenter for centralized management and reporting

How to Use Nessus for Scanning?Products can NOT be certifiedOnly service providers can be certified as ApprovedScanning Vendors (ASVs)Nessus prepares you for a scan: It provides the resultsthat most ASVs will reportHelps you detect “false positives” and documentresolution

Nessus + RHN SatelliteWhat if the hosts scanned have not been updated yet?(outside of regular patch schedule)Report on missing patchesCorrelation is the key!

Nessus + RHN SatelliteHow to prove that patches are applied regularly?Nessus will do a per-host Satellite report showing thehistory of applied patchesAccurate reporting is key!

Nessus + RHN SatelliteReports contain both the results found remotely andinformation gathered from SatelliteArms you with all the facts you need to successfullypass your audit:- Host is managed by Satellite- Host is up to date- Host is patched regularly

DEMO

Tenable SecurityCenter + RHN Satellite

QUESTIONS?http://www.redhat.com/red_hat_network/http://www.nessus.org/http://blog.tenable.com29