12. Integration with other Systems

The Greenbone GSM appliance can be connected to other systems. This chapter covers the available options. Some systems have already been integrated into the GSM by Greenbone Networks: the verinice ITSM system, the Sourcefire IPS Defense Center and the Nagios monitoring system. Further integrations, such as Palo Alto, are described in chapter scanners. The following sections explain these possibilities and give instructions for their configuration.

12.1. Integration with third-party vendors

The GSM has numerous interfaces that allow communication with third-party products. This section covers the options for integrating and connecting the GSM with other systems.

The GSM offers the following interfaces:

Greenbone Management Protocol (GMP)
The Greenbone Management Protocol (formerly the OpenVAS Management Protocol, OMP) allows complete remote control of the GSM appliance. The protocol supports creating users, creating and starting scan tasks, downloading reports, and so on.
Connecting additional scanners via OSP
The OpenVAS Scanner Protocol (OSP) is a standardized interface for different vulnerability scanners. Arbitrary scanners can be integrated seamlessly into the GSM vulnerability management. Controlling the scanners and handling their results works the same way for all scanners.
Report Format
The GSM can present the scan results in any format. For this the GSM comes with a multitude of pre-installed report formats. Additional report formats can be downloaded from Greenbone or developed in collaboration with Greenbone.
Alert via Syslog, E-Mail, SNMP-Trap or HTTP.
Automatic result forwarding through connectors.
These connectors are created by Greenbone, verified and integrated into the GSM.
Monitoring via SNMP
The web site http://docs.greenbone.net/API/SNMP/snmp-gos-3.1.en.html provides the current MIB file (Management Information Base). The MIB file describes the values that can be queried from the appliance via SNMP.

12.1.1. OSP Scanner

The OpenVAS Scanner Protocol resembles the Greenbone Management Protocol (GMP, see chapter Greenbone Management Protocol). It is XML based and stateless and does not require a permanent connection for communication. The design allows additional scanners to be embedded seamlessly into the GSM.

The GSM comes with a number of OSP scanners on board, see chapter scanners.

The open format allows the development of custom OSP scanners. Greenbone provides the protocol documentation and a base framework for programmers, see chapter osp.

12.2. Verinice

Verinice (see http://verinice.org/en/) is a free Open Source Information Security Management System (ISMS), developed by the company SerNet (see http://sernet.de/en/).

_images/integration_verinice-20130422_620x347.png

The GSM may be integrated with verinice.

Verinice is suitable for:

  • vulnerability remediation workflow
  • implementing the BSI IT-Baseline Protection Catalogues
  • performing risk analysis based on ISO 27005
  • operating an ISMS based on ISO 27001
  • performing an IS assessment per VDA specifications
  • proof of compliance with standards such as ISO 27002 and IDW PS 330

The Greenbone Security Manager can support the modelling and implementation of IT Baseline Protection as well as the operation of an ISMS.

For this Greenbone offers two report plugins for the export of data from the GSM into verinice:

  • Verinice-ISM containing all scan results
  • Verinice-ITG containing the scan results of a BSI IT-Baseline Protection scan

The option exists to transfer data completely automated from the Greenbone Security Manager to verinicePRO, the server extension of verinice.

The following covers the manual import of reports from the GSM into the free verinice version. For support with the use of the connector please contact SerNet or Greenbone.

12.2.1. IT Security Management

The report plugin for verinice is pre-configured and is available as Verinice-ISM.

With this report plugin Greenbone supports the vulnerability remediation workflow in verinice.

The notes (note objects, see section Notes) attached to the scan results play a central role for the Verinice-ISM plugin. Verinice uses the notes to create objects for processing. If a task contains no notes, only the assets and the complete vulnerability report are imported. Only vulnerabilities that have a note attached are imported by verinice as vulnerabilities. This allows controlling the import in fine detail.

Note

Why are only vulnerabilities transferred where a note is attached?

Within the entire security process for vulnerabilities, there must be a single point where the decision is made which vulnerability must be resolved and which are tolerable. This decision is made in the vulnerability management, by tagging the vulnerabilities accordingly.

The remediation workflow aims at solving all of the managed issues. Within the remediation workflow it is not allowed to decide about tolerating an issue.

Afterwards the report needs to be saved as Verinice ISM-Report. A .vna file will be created. This is a zip file containing the data of the GSM scan.

Start verinice to import the report. In verinice open the ISM perspective. Import the catalogue Implementation Assistance for ISO27001. Create an organization. Afterwards the screen should look like figure Verinice offers an ISM perspective.

_images/veriniceism.png

Verinice offers an ISM perspective.

12.2.1.1. Importing of the ISM Scan

In the verinice interface choose the import option in the Information Security Model.

_images/ismimport.png

The import button is located in the Information Security Model window.

Now select your ISM report. The remaining parameters can be kept with their default settings.

_images/itgreport.png

Select the report in the dialog.

The results of the ISM report have been imported and can be unfolded in verinice. Only those results were imported that had notes attached in the GSM report.

_images/ismunfold.png

Through the creation of notes the import of vulnerabilities can be controlled.

The process to track vulnerabilities for the imported organization can be separated into two sub processes:

  • Creation of tasks
  • Remediation of vulnerabilities

12.2.1.2. Creation of Tasks

Before creating tasks the data for the organization must be prepared with the following steps:

  • After the first import of an organization it must be moved from the group of imported objects to the top level. Cut the organization and paste it back at the top level.

    _images/ismcut.png

    The imported organization must be moved to the top level.

  • The assets and controls must be grouped. In the context menu in the top most asset and control group select the option Group with Tags... In figure The assets have already been grouped. this has already been done.

    _images/ismgroup.png

    The assets have already been grouped.

  • All asset groups must be assigned a person responsible. Assign a person to one or more asset groups: create the person and assign them with drag & drop. The successful assignment is displayed in the Relations window.

    _images/ismrelation.png

    The connection of individual objects can be confirmed in the Relations window.

  • After all the asset groups have been assigned to a person responsible, the process to remediate the vulnerabilities can be started from the context menu of the organization. Select Greenbone: Start Vulnerability Tracking from the context menu of the organization. First it is verified that all asset groups are assigned to a person and that the controls are grouped. The result of the verification is displayed in a dialog. The user can continue and create tasks or cancel the creation.

12.2.1.3. Remediation of Vulnerabilities

The created tasks can be managed with the help of the task view or the web frontend of the verinice.Pro version (under ISO 27000 tasks). The task to remediate vulnerabilities is called Remediate Vulnerabilities. A task contains controls, scenarios and assets that are connected to a control group and are assigned to a person responsible.

This process now takes place with the following steps:

  • The person responsible must remediate the vulnerabilities for all assets.
  • If the deadline for the task Remediate Vulnerabilities expires, a reminder email is sent to the person responsible.
  • After completion of a task Remediate Vulnerabilities all connections between assets and scenarios that were assigned to the task are deleted.
  • A control is marked as implemented if no asset is assigned to the scenario anymore. If other connections to assets still exist, the status is marked as partly. Afterwards the process is completed.

12.2.2. IT Security Baseline

Greenbone provides a special configuration (IT Security Baseline scan including discovery for verinice) as well as an IT Security Baseline report plugin (Verinice ITG), which allows for the export of a report suited for verinice.

For optimum results the scan configuration needs to be imported. The report plugin is now shipped with the GSM. A manual import is not required anymore.

For optimum results in the scan it is helpful to perform an authenticated scan (see section Authenticated Scan and Credentials).

As soon as the scan is completed export it in the verinice ITG format. A file with the extension .vna is being created. This is a ZIP archive in which the results of the scans are stored. This file can be loaded by verinice directly.

For clarity, a scan with only one host is used in the following.

Open verinice and change into the IT Security Baseline start perspective (see figure Verinice opens the already modelled IT bond). If no IT bond has been created yet, the middle view will still be empty.

_images/verinice-start.png

Verinice opens the already modelled IT bond.

12.2.2.1. Importing of the ITG Scan

In the verinice interface select the import function in the IT Security Baseline model.

_images/itgimport.png

The Import button is located in the BSI model window.

Now select the ITG report. The remaining parameters can be kept with their default settings.

_images/itgreport.png

Select the report on the dialog.

The results of the ITG report have been imported and can be unfolded in verinice.

_images/veriniceunfold.png

The imported data can be unfolded in verinice.

The imported objects are named by the target in the GSM or their IP address. Every imported object has a sub-object GSM result with the activity results of the scan.

Now the IT Security Baseline modules can be added. For this right click a server. In the context menu select Greenbone: Automatically assign components. Verinice will now choose the appropriate components to model the system based on the tags set by the GSM.

_images/verinicemodule.png

Now the IT Security Baseline components can be selected automatically.

Now the results of the scans can be added into the control catalogue. For this select the server object and choose the option Greenbone: Automatic Base Security Check from the context menu.

12.3. Nagios

Nagios can integrate the scan results into its monitoring as an additional check. In this case the scanned systems are automatically matched with the monitored systems. The scan results thus become available for the alert rules and other processes of Nagios.

_images/integration_nagios_2000x1125.png

When linking Nagios with GSM, Nagios will assume the controlling role. Nagios regularly and automatically retrieves the newest scan results from Greenbone Security Manager. This is done via a Nagios plugin (“check_omp”).

The following step-by-step instructions cover connecting the GSM to Nagios as part of the Open Monitoring Distribution (OMD) as an example. Other products like Icinga, Centreon etc. might require small adjustments to the described steps.

_images/multisite.png

The configuration is done by example on an empty sample site.

12.3.1. Configuration of the GSM User

The plugin requires a user account on the appliance for access. On the GSM one or more scan targets must be set up for this user containing all hosts whose security status is to be monitored. The sample configuration used here assumes that there is only one relevant target, but technically it is possible to link complex setups with multiple targets and multiple GSMs.

The GSM user account used for queries by the Nagios plugin must be the owner of the relevant scan targets or at least have unrestricted read access to them. Use a dedicated account with read-only permissions for this purpose, since its password is stored in the Nagios configuration. The tasks should be run regularly as scheduled scans.

In addition, network access via OMP to the GSM appliance must be possible. Therefore OMP access must be activated in the GOS-Admin-Menu via the command line (see sections Activating the GMP Protocol and omp).

12.3.2. Configuring the Plugin

Greenbone provides the check_omp plugin. This Nagios plugin may be called by the monitoring solution. Further information about this plugin and the download location are located in section check_omp.

Copy the plugin to /opt/omd/sites/site/local/lib/nagios/plugins/.

First check whether the plugin can reach the GSM through the network, whether OMP is activated and whether the user was created properly. In the following command replace the IP address with the IP address of your GSM and provide the user name and password you created.

omd-host# /opt/omd/sites/<site>/local/lib/nagios/plugins/check_omp -H 192.168.255.12 \
-u omd -w password --ping
OMP OK: Alive and kicking!

Next check whether you also have access to the data. The easiest way is via the command line.

omd-host# /opt/omd/sites/<site>/local/lib/nagios/plugins/check_omp -H 192.168.255.12 \
-u omd -w password --status -T KVM-Hosts --last-report -F 192.168.255.199
OMP CRITICAL: 4 vulnerabilities found - High : 1 Medium : 1 Low : 2
|High=1 Medium=1 Low=2

_images/host-tags.png

The host tag labels the systems that are being monitored by the GSM.

_images/rule.png

This rule checks the status in the GSM for every host with the tag Monitored by GSM.

If the tests were successful, the check can be integrated into the web administration frontend WATO. For this switch to the web interface Multisite of your OMD site (see figure The configuration is done by example on an empty sample site).

First create the host tag (figure The host tag labels the systems that are being monitored by the GSM). It labels the hosts that are also being scanned by the GSM appliance. For this select Host Tags in the left menu and create a new tag there.

Now create a new rule (figure This rule checks the status in the GSM for every host with the tag Monitored by GSM) that evaluates the host tag. For this select the option Active Checks under Host & Service Parameters in the left menu. In the next menu select Classical Active and Passive Nagios Checks. Then create a new rule in the current folder (Create Rule in Folder Main Directory). Use the following command:

$USER2$/check_omp -H <gsm-ip> -u <user> -w <password> --status -T <task> \
--last-report -F $HOSTADDRESS$

Now the host has to be created or configured so that it carries the respective host tag (see figure Every host scanned by the GSM now must have the tag).

_images/omd-host.png

Every host scanned by the GSM now must have the tag.

After the changes have been activated in Multisite (Activate Changes) the status information is available in the graphical interface.

_images/omd-status.png

The GSM status is now being displayed in the multisite.

So that the user name and password are not displayed in the graphical interface, they can be saved as macros in the file /opt/omd/sites/site/etc/nagios/resource.cfg:

############################################
# OMD settings, please use them to make your config
# portable, but dont change them
$USER1$=/omd/sites/produktiv/lib/nagios/plugins
$USER2$=/omd/sites/produktiv/local/lib/nagios/plugins
$USER3$=produktiv
$USER4$=/omd/sites/produktiv
############################################
# set your own macros here:
$USER5$=omd
$USER6$=kennwort

Now the user name and the password can be replaced with the macros $USER5$ and $USER6$ in WATO.
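As an added example that is not part of the Greenbone manual or the OMD project, the equivalent plain Nagios Core / Icinga 1 object definitions for the WATO rule above, using the $USER5$ and $USER6$ macros from resource.cfg so that the credentials never appear in the service definition or in the web interface. The GSM address 192.168.255.12 and the task name KVM-Hosts are taken from the commands above; the command name check_gsm_status, the hostgroup monitored-by-gsm and the host kvm-host-01 are assumed.

```nagios
# Added example: command, hostgroup and service definitions for Nagios Core / Icinga 1.
# $USER2$ (plugin directory), $USER5$ (GSM user) and $USER6$ (GSM password) are
# read from resource.cfg; $HOSTADDRESS$ is filled in by Nagios for each host.
define command {
    command_name    check_gsm_status
    # $ARG1$ = address of the GSM, $ARG2$ = name of the scan task on the GSM;
    # -F restricts the result to the host being checked.
    command_line    $USER2$/check_omp -H $ARG1$ -u $USER5$ -w $USER6$ --status -T $ARG2$ --last-report -F $HOSTADDRESS$
}

# Hosts scanned by the GSM are collected in a hostgroup (the Nagios Core
# counterpart of the WATO host tag). kvm-host-01 is an assumed host object
# that must be defined elsewhere in the configuration.
define hostgroup {
    hostgroup_name  monitored-by-gsm
    alias           Hosts scanned by the GSM
    members         kvm-host-01
}

define service {
    use                 generic-service
    hostgroup_name      monitored-by-gsm
    service_description GSM vulnerability status
    # GSM address and task name (assumed values, adjust to your setup)
    check_command       check_gsm_status!192.168.255.12!KVM-Hosts
    # The GSM task runs on its own schedule, so polling once an hour is enough
    # and avoids needless GMP logins with the stored credentials.
    check_interval      60
    retry_interval      5
    max_check_attempts  3
}
```

The plugin's exit status (OK or CRITICAL as shown in the command-line tests above) becomes the service state, and the trailing |High=… Medium=… Low=… performance data is graphed by Nagios.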

12.4. Firepower Management Center

The Cisco Firepower Management Center (formerly the Sourcefire Intrusion Prevention System, IPS) is one of the leading solutions for intrusion detection and prevention in computer networks. As a Network Intrusion Detection System (NIDS) it is tasked with discovering, alerting on and defending against attacks on the network.

For the Firepower system to correctly identify and classify attacks it requires information that is as accurate as possible about the systems in the network, the installed applications and their possible vulnerabilities. For this purpose the Firepower system has its own asset database that can be augmented with information from the GSM. Additionally the Sourcefire system can start an automatic scan if it suspects anything.

The following connection methods are available:

  1. Automatic data transfer from the GSM to the NIDS/IPS

    If the GSM and NIDS/IPS are configured accordingly, the data transfer from the GSM to the NIDS/IPS can be used as easily as any other alert functionality of the GSM. After completion of the scan, the result is forwarded as an alert to the NIDS/IPS according to the desired criteria. If the scan task is run automatically on a weekly basis, you get a fully automated alerting and optimization system.

  2. Active control of the GSM by the NIDS/IPS

    During the operation of the NIDS/IPS, suspected incidents on systems with high risk can occur. In such a case the NIDS/IPS can instruct the GSM to check the system [1].

To use the connection in options 1 and 2, the GSM as well as the Sourcefire Defense Center must be prepared. On the GSM a report plugin must be installed, and on the Defense Center the receiving of data must be enabled.

12.4.1. Installation of the Report Plugin

The report plugin can be obtained from the Greenbone web site under http://download.greenbone.net/rfps/sourcefire-1.1.0.xml.

Download the plugin and install it on the GSM. Remember to verify and activate the plugin after importing it (see section Import of additional plugins).

_images/sf-plugin.png

The report plugin processes the data for Sourcefire.

12.4.2. Configuration of the Host-Input-API clients

_images/host-input-api1.png

The GSM must be set up in the Defense Center.

Log into the Sourcefire Defense Center and create a Host Input Client. The Host Input API is an interface through which the Defense Center accepts data from other applications for its asset database. This option can be found in the web interface under System->Local->Registration. There switch to the Host Input Client tab and create the GSM appliance. It is important to enter the IP address that the appliance will use to connect to the Defense Center. The connection is TLS encrypted. The Defense Center automatically creates a private key and a certificate. In the certificate the IP address entered above is used as the Common Name and verified when the client establishes a connection. If the client connects from a different IP address, the connection fails.

The created PKCS12 file can optionally be secured with a password.

Afterwards the certificate and the key are created and made available as a download. Download this file.

_images/host-input-api2.png

The created PKCS12 file must be downloaded.

12.4.3. Configuration of Alerts on the GSM

Now the respective alert must be set up on the GSM. For this switch to Configuration/Alerts. Enter the data of the Sourcefire system and supply the PKCS12 file.

_images/sf-connector.png

The PKCS12 file is used by the connector for authentication.

If a password was entered when the client was created, the PKCS12 file must be decrypted before loading it onto the GSM. For this you can use the following command under Linux. Note that the output file contains the client certificate and the unencrypted private key, so restrict its file permissions and delete it once it has been uploaded to the GSM:

$ openssl pkcs12 -in encrypted.pkcs12 -nodes -out decrypted.pkcs12
Enter Import Password : password
MAC verified OK
$

Footnotes

[1] This control does not exist as a finalized remediation for the Sourcefire system, but it can be implemented via OMP (see chapter Greenbone Management Protocol).

12.5. Splunk

The Greenbone Security Manager may be configured to forward the scan results to a Splunk Enterprise installation for further analysis and correlation.

The Splunk integration requires the installation of the Greenbone Splunk App on the Splunk server. The download and installation of the app are explained in section Splunk Application.

Once the app is installed on the Splunk server, the GSM may be instructed to send the results to it. This section covers the configuration of the GSM.

12.5.1. Configuration of the Splunk Alert

To configure the GSM navigate to Configuration followed by Alerts. Create a new alert by clicking the new icon.

Set up the alert and specify a name and a comment. Choose the event and the condition for forwarding the results to the Splunk server. The defaults are probably appropriate for most environments.

Scroll down to the option Send to host. Fill in the IP address of the Splunk server and the port of the Greenbone app. This TCP port is 7680 by default. This setting can be checked in the Splunk web GUI via Settings->Data inputs->TCP (see section Splunk Application). Choose the XML format.

_images/splunk5.png

Configuration of the Splunk alert.

This alert can now be added to the appropriate tasks. Navigate to Scan Management and create a new task using the alert. The alert may also be added to already existing tasks because the alert does not modify the scan behavior.

For testing purposes existing reports may be processed by the alert. Navigate to Scan Management followed by Reports. Choose any existing report and switch to the Summary and Download view. Here you can process the report using any configured alert.

_images/splunk6.png

Processing an existing report using the alert.

12.5.2. Accessing the Information in Splunk

To access the information in Splunk switch to the Greenbone dashboard. The Greenbone dashboard within the Splunk web interface will display the vulnerabilities found within the last 7 days.

_images/splunk7.png

The Greenbone dashboard provides a quick overview.

Since the information forwarded by the GSM is indexed by Splunk you can use the Search view to search for any data.

_images/splunk8.png

The Splunk server supports complex searches.

Some of the supported search fields are:

  • host
  • source, sourcetype
  • date_hour, date_minute, date_month, date_year, date_mday, date_wday, date_zone
  • VulnerabilityResultNvtCVE
  • VulnerabilityResultNvtCVSS
  • VulnerabilityResultQod
  • VulnerabilityResultSeverity
  • VulnerabilityResultThreat