16 Using a Master-Sensor Setup

Note

This chapter documents all possible menu options.

However, not all appliance models support all of these menu options. The model overview provides information about whether a specific feature is available on the used appliance model.

Due to security reasons it is often not possible to scan specific network segments directly. For example, direct access to the internet may be prohibited. To overcome this issue, the Greenbone Enterprise Appliance supports the setup of a distributed scan system: two or more appliances in different network segments can be connected securely in order to run vulnerability tests for those network segments that are otherwise not accessible.

In this case, one appliance controls one or more other appliances remotely. A controlling appliance is referred to as a “master” and a controlled appliance is referred to as a “sensor”.

Master

  • All appliance models from Greenbone Enterprise 400/DECA can be used as a master (see Chapter 3).

Sensor

  • All appliance models except for Greenbone Enterprise ONE can be used as a sensor.

  • The appliance models Greenbone Enterprise 35 and 25V can only be used as a sensor and are always controlled by a master.

  • All sensors can be managed directly by the master including automatic or manual feed updates as well as upgrades of the Greenbone Operating System (GOS).

  • A sensor does not require any network connectivity other than to the master and the scan targets.

  • A sensor does not require any further administrative steps after the initial setup.

  • If a sensor should perform scans remotely, it has to be configured as a remote scanner.

    • The user can configure a scan for the remote scanner individually using the web interface of the master depending on requirements and permissions.

    • The remote scanner runs the scan and relays the results to the master where all vulnerability information is managed.

    • The connection to a remote scanner is established by using the Open Scanner Protocol (OSP) via SSH.

The connection between master and sensor is established using the Secure Shell (SSH) protocol via port 22/TCP. For backward compatibility, port 9390/TCP can be used (see Chapter 16.3).

To distinguish between the sensor and remote scanner terminology:

  • Sensors

    This feature requires the setup of the master-sensor link using the GOS administration menu of both the master and the sensor. This feature then supports the remote feed synchronization and the upgrade management of the sensor.

  • Remote Scanners

    This feature requires the setup of the remote scanner using the web interface on the master. This feature then supports the execution of scans via the sensor.

16.1 Configuring a Master-Sensor Setup

A master can be linked to a sensor as follows:

  1. Open the GOS administration menu of both the master and the sensor (see Chapter 7.1.2.2).

  2. In the GOS administration menu of the master, select Setup and press Enter.

  3. Select Master and press Enter.

  4. Select Master Identifier and press Enter.

  5. Select Download and press Enter (see Fig. 16.1).

    _images/gos_menu_master_1.png

    Fig. 16.1 Configuring the master

  6. Open the web browser and enter the displayed URL.

  7. Download the PUB file.

    → When the key is downloaded, the GOS administration menu of the master displays the fingerprint of the key for verification.

    Important

    Do not confirm the fingerprint until the key is uploaded to the sensor.

  8. In the GOS administration menu of the sensor, select Setup and press Enter.

  9. Select Sensor and press Enter.

  10. Select Configure Master and press Enter (see Fig. 16.2).

    _images/gos_menu_sensor_1.png

    Fig. 16.2 Configuring the sensor

  11. Select Upload and press Enter.

  12. Open the web browser and enter the displayed URL.

  13. Click Browse…, select the previously downloaded PUB file and click Upload.

    → When the key is uploaded, the GOS administration menu of the sensor displays the fingerprint of the key for verification.

  14. Compare the fingerprint to the fingerprint displayed in the GOS administration menu of the master.

    If the fingerprints match, press Enter in both GOS administration menus.

  15. In the GOS administration menu of the sensor, select Save and press Enter.

  16. Perform twice: press Tab and press Enter.

  17. Select Services and press Enter.

  18. Select SSH and press Enter.

  19. Select SSH State and press Enter.

    → SSH is enabled on the sensor.

  20. Select Save and press Enter.

  21. Press Tab to select Back and press Enter.

  22. Select OSP and press Enter.

    Note

    On the Greenbone Enterprise 35 and Greenbone Enterprise 25V, OSP is always enabled and cannot be disabled. This menu option is therefore not available on these models. Continue with step 26.

  23. Press Enter to enable OSP.

    → A message informs that the changes have to be saved (see Chapter 7.1.3).

  24. Press Enter to close the message.

  25. Select Save and press Enter.

    → OSP is enabled on the sensor.

  26. In the GOS administration menu of the master, select Setup and press Enter.

  27. Select Master and press Enter.

  28. Select Sensors and press Enter.

  29. Select Add a new sensor and press Enter.

  30. Enter the IP address or the host name of the sensor in the input box and press Enter.

    → Additional menu options for the sensor configuration are shown (see Fig. 16.3, see Chapter 16.2).

    _images/gos_menu_sensor_2.png

    Fig. 16.3 Sensor configuration menu

  31. Select Auto and press Enter.

    → The master connects to the sensor automatically and retrieves the identifier.

    The fingerprint of the identifier is displayed in the GOS administration menu of the master.

  32. In the GOS administration menu of the sensor, select Setup and press Enter.

  33. Select Sensor and press Enter.

  34. Select Sensor Identifier and press Enter.

  35. Select Fingerprint and press Enter.

  36. Compare the fingerprint to the fingerprint displayed in the GOS administration menu of the master.

    If the fingerprints match, press Enter in the GOS administration menu of the master.

  37. Select Save and press Enter.

  38. Select Test and press Enter.

    → The configuration of the sensor is tested.

    If the test fails, a warning with instructions is displayed (see Fig. 16.4).

    _images/gos_menu_sensortest.png

    Fig. 16.4 Testing the sensor configuration

Note

Once configured successfully, sensors can be managed directly on the master using the GOS administration menu (see Chapters 7.3.5 and 7.3.7).

16.2 Managing all Configured Sensors

All sensors configured on a master can be displayed as follows:

  1. Select Setup and press Enter.

  2. Select Master and press Enter.

  3. Select Sensors and press Enter.

    → Actions for all configured sensors are displayed (see Fig. 16.5).

The following actions are available:

Testing all sensor connections

Test whether all sensors are configured correctly. If the test fails, a warning with instructions is displayed.

Update all sensor protocols

Update all sensor protocol configurations on the master.

Edit/Delete the sensor …

Open the menu for configuring a specific sensor (see Fig. 16.3). The following actions are available:

  • Setting the address of the sensor.

  • Setting the remote port of the sensor.

  • Setting the proxy for the sensor.

  • Setting the sensor identifier.

  • Enabling/disabling automatic feed updates on the sensor if the feed is updated on the master.

  • Setting the port and the identifier automatically.

  • Testing the correct configuration of the sensor.

  • Deleting the sensor.

Add a new sensor

Configure a new sensor (see Chapter 16.1).

_images/gos_menu_configured_sensors.png

Fig. 16.5 Managing all configured sensors

16.3 Deploying Sensors in Secure Networks

For master-sensor setups the master stores all vulnerability information and credentials. A sensor does not store any information permanently (except for VTs).

Due to this the master needs to be placed in the highest security zone with communication to the outside (to the sensors). All communication is initiated from the master in the higher security zone down to the sensor in the lower security zone.

Note

A firewall separating the different zones only needs to allow connections from the master to the sensor. No additional connections need to be allowed into the higher security zone.

Master and sensor appliances communicate via the SSH protocol. Port 22/TCP is used by default. For backward compatibility, port 9390/TCP can be used. This can be configured as follows:

  1. In the GOS administration menu of the sensor, select Setup and press Enter.

  2. Select Sensor and press Enter.

  3. Select Port 9390 and press Enter.

  4. Select Save and press Enter.

On sensors, Greenbone Enterprise Feed updates and GOS upgrades can be downloaded either directly from the Greenbone servers or using the master. In the second case, only the master contacts the Greenbone servers and distributes the corresponding files to all connected sensors.

To prevent the sensor from contacting the Greenbone servers, automatic synchronization can be disabled as follows:

  1. In the GOS administration menu of the sensor, select Setup and press Enter.

  2. Select Feed and press Enter.

  3. Select Synchronisation and press Enter.

  4. Select Save and press Enter.

Tip

As an additional layer of security a source and destination NAT rule on a firewall using stateful packet inspection (SPI) can be used to avoid the need of default routes on the appliances.

16.4 Configuring a Sensor as a Remote Scanner

Note

In order to configure a sensor as a remote scanner, all steps in Chapter 16.1 have to be completed first.

Sensors can be used as remote scanning engines (scanners) on the master in addition to the default OpenVAS and CVE scanners. For this, the sensor must be configured as a remote scanner using the web interface of the master.

A new remote scanner can be configured as follows:

  1. Log into the web interface of the master.

  2. Select Configuration > Scanners in the menu bar.

  3. Create a new scanner by clicking .

  4. Enter the name of the remote scanner in the input box Name (see Fig. 16.6).

    _images/remote_scanner_new.png

    Fig. 16.6 Configuring the remote scanner on the master

  5. Select Greenbone Sensor in the drop-down list Type.

    Note

    It is mandatory to select Greenbone Sensor. The type OSP Scanner must not be used.

  6. Enter the IP address or the host name of the sensor in the input box Host.

  7. Click Save to create the remote scanner.

    → The scanner is created and displayed on the page Scanners.

  8. In the row of the newly created remote scanner, click to verify the scanner.

    → If the setup is correct, the scanner is successfully verified.

Tip

Scanners are configured on a per-user basis. Scanners can be created for each user or permissions can be used to grant usage rights to other users (see Chapter 9.4).

16.5 Using a Remote Scanner

After a sensor is configured as a remote scanner, it can be selected as the scanner when creating a new scan task or a new audit (see Chapters 10.2.2 and 12.2).

_images/remote_scanner_task.png

Fig. 16.7 Selecting the remote scanner for a task or audit

Tip

There are two options for using the remote scanner for an existing task or audit:

  • If the task/audit is marked as alterable in the column Name (see Chapters 10.8 and 12.2.3), change the scanner of the task/audit.

  • Clone the task/audit and change the scanner of the clone.