13. Master Setup

The Greenbone Security Manager allows for the building of a distributed scan system. Hereby it is possible that one GSM remotely controls another GSM for this purpose.

Thereby the controlling GSM is called a master device and the controlled GSM a remote scanner. As soon as two GSMs are configured as master and remote scanner a user can individually configure a scan for the remote scanner via the web interface of the scan master depending on requirements and permissions. Every GSM starting from the midrange models upwards can be used as scan master and control one or more scanners. Every GSM can function as a remote scanner.

The remote scanners are independent GSMs. This is why the administrator must configure the feed updates and release updates locally on the remote scanners as well and ensure their execution. A remote scanner also provides their own graphical interface and own management. This allows for it being able to be used completely independently, however some scans being executed from the master.

Additionally the remote scanner can be configured as sensor. A scan sensor is a GSM that exclusively is being used for the function of scan slave and also completely being managed by the assigned master. This management includes automatic updates of the feeds as well as the automatic updates of release updates. A sensor does not require any network connectivity other than to a sensor master and after initial setup no further administrative tasks.

Remote scanners and slaves can be integrated into a scan master, in order to test those network segments for vulnerabilities that are not accessible in any other way.

Basically the master establishes the connection to the delegated remote scanners. The connection is established by using the Greenbone management protocol (GMP) which uses TCP port 22 (ssh). The feed and release updates send to sensors use the port 22/tcp (ssh) as well. Thus only this one port is required for remote scanners and sensor setup.

But it is very important to distinguish these two features:

  • Remote Scanners: This feature requires the enabling of the GMP protocol on the remote scanner via the console and the setup of the remote scanner via the web GUI on the master. This feature then support the execution of scans via the remote scanner.
  • Sensors: This feature requires the setup of the master-sensor relationship via the console on both the master and the sensor. This feature then supports the synchronization of the feed and GOS updates from the master to the sensor and the sensors management.
_images/gsm25v-master-gui.png

Configuring the remote scanner on the master

13.1. Setup of the remote scanner

Like with any other GSM the basic setup of a remote scanner is being performed via the serial port. In addition to the network configuration and the administrative access two other basic parameters for the use as slave are required:

  • Configuring of a scan administrator on the slave that allows the master to control the slave. This scan administrator is configured using the console menu. It is being enabled on the remote scanner GSM using Setup/User/Users followed by Admin User.
  • Activation of the remote GMP features. This can be enabled in the menu using Setup/Services followed by GMP.

Afterwards the remote scanners can be set up on the master and a task may be delegated to the remote scanner.

  • To setup the remote scanner on the master navigate to Configuration/Scanners. Create a new remote scanner using new.
  • Choose GMP-Scanner in the Overlay and enter the IP address and the credentials of the scan user generated on the remote scanner.
  • When configuring a new task on the master the new scanner may be chosen to run the task.
  • Verify the scanner using the verify button. If the setup was correctly it will be successfully verified.
_images/task-remote.png

Running a task on the remote scanner

_images/scanner-verify.png

Successful verification of the scanner

13.2. Sensor

For security reasons often it is not possible to scan network segments directly. Most of the time direct access of this segment to the Internet is not desired. In order for a sensor to have the latest NVTs available, the Greenbone Security Feed from the master may be pushed to the sensor and as such allow for a feed synchronization with the sensor. After the initial setup this occurs automatically. As soon as the master synchronized itself with the feed server it will transfer the information to the sensor as well.

To achieve this the master uses the SSH protocol. The following steps are required to setup the communication between the master and the sensor.

  • First login to the console of both the master and the sensor
  • On the master navigate to Setup/Master/Master Identifier followed by Download.
_images/master-download.png

Download the master identifier.

  • Enter the URL in a browser and download the public ssh key of the master (id.pub). Once the key is downloaded the master displays the fingerprint in the console. Do not confirm the fingerprint before uploading the key to the sensor.
  • On the sensor navigate to Setup/Sensor/Configure Master followed by Upload.
  • Enter the URL shown on the console within a browser and upload the file downloaded from the master. After the successful upload the fingerprint of the uploaded key is displayed on the console of the sensor. Compare this fingerprint with the fingerprint displayed on the master. If the fingerprints match confirm the fingerprint both on the master and the sensor.
  • Save the pending modifications on the sensor.
  • Check whether the SSH service is already enabled. On the GSM25V this service is disabled by default. Enable the SSH service by navigating to Setup/Services/SSH followed by State. Save the pending modifications.
  • On the master navigate to Setup/Master.
  • Choose Sensors followed by Add a new sensor.
  • Enter the IP address of the sensor.
  • The master requires the identifier of the sensor. This identifier may either be entered manually or retrieved automatically. To automatically retrieve the identifier choose Auto in the sensor configuration menu on the master. The master will now connect to the sensor and retrieve and display the identifier.
  • Compare the identifier displayed on the master with the identifier on the sensor. The identifier on the sensor may be displayed using Setup/Sensor followed by Fingerprint. If the strings match confirm the identifier on the master.
  • Save the pending modification on the master.
  • Check the successful configuration of this sensor by choosing the appropriate menu option. If any warning is displayed enable the appropriate settings on the sensor.
_images/gmp-warning.png

If GMP is not enabled on the sensor a warning is displayed.

13.2.1. Communicating with the Sensors

The remote scanners and sensors communicate using SSH. This protocol must be allowed through possible existing firewall systems. Hereby the master always establishes the connection to the sensor. For backward compatibility the master also tries to connect to the sensor using the port 9390/tcp. The availability of the port may be switch on the sensor.

The feed update of the delegated scan sensors is being performed selectively either directly from the Greenbone Update Servers or through the master. For updates from the master to the scan sensor SSH (TCP per 22) is being used. If this option is not being used it has to be remembered that a possible firewall situated between the master and the scan sensor blocks this connection without notification (Drop or Deny setting). Instead the establishing of the connection should be allowed (Accept or Permit) or rejected (Reject) with notification as the master will always try to transfer the feed updates to the scan sensor.