4 Replies, latest reply: Nov 13, 2017 7:08 AM by tenablecustomer17

Need help with cleaning up ACAS

tenablecustomer17 Novice

I'm just going to keep posting this until somebody answers me.

****************************************************************

Sorry for the vague title, but I have multiple questions that fall under the larger scope of "unorganized ACAS system". So let me give you a bit of my background, then my problem, and hopefully we can meet somewhere in the middle to clean up this mess.

Background:

First interaction with ACAS was a few years ago, when in my previous job we transitioned from Retina to ACAS. In that environment, I only dealt with the scanning side of SC, standing up only the Nessus scanners within our enclave, and never dealing with actually installing and standing up the SC server, creating repositories, scan zones, etc. In my current job, I now have access to everything.

Issue:

I'm stepping into a system that has been stood up and is currently in use. Unfortunately, because of my lack of experience with SC, I'm a bit confused on how all of this works. Currently, this is how the ACAS server is set up:

ACAS server (VM)
4x vNIC
1x repository
1x scan zone
1x Nessus scanner
480 assets (mostly Windows, some Linux)

OK, now here is where it gets strange. The scan zone has 6 different IP ranges. Some of them are ranges, some are subnets. The repository is set up similarly, with only one repository with a number of ranges in it. Then you get over to the Nessus scanners. There's only one scanner and, as far as I can tell, it's the SC itself. It only has one entry: localhost.

So, to recap, we have 4 available IPs associated with the ACAS server. One IP is the SC itself, the other three IPs are supposed to be for the Nessus scanners, but they're not being used (at least they're not in the Nessus Scanner section). The only scanner in the Nessus Scanner section is the localhost.

Questions:

- Is the above setup correct? Just because it's functioning (which it is), that doesn't mean it's right.

- Should the different subnets be in different scan zones?

- Should I add the other IPs as Nessus scanners? Should I remove them?

Honestly, that's just the tip of the iceberg. When I showed up, they had multiple scans running daily and they were all overlapping each other. A full network scan, a workstation scan, a Windows workstation scan, etc. And then the assets. Looking at it right now, there are roughly 40 separate asset lists. Most are empty, with the ones with actual IPs in them once again overlapping each other. Heck, the "Full Network Scan" didn't even have all the right creds in it, nor was it hitting all the boxes. The whole thing top to bottom is a mess.

Thanks in advance to any and all that respond. If I can at least get the scan zones and scanners sorted out, I can manage the rest.
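The overlapping zone ranges and asset lists described above can be audited mechanically before anything is changed in SC. This is an added example, not code from the thread or from Tenable; it assumes each entry is written either as a CIDR subnet or as a dash-separated range (the two forms the post mentions), and the list names and addresses are constructed sample data.

```python
"""Find overlapping and empty IP lists in scan zone / asset list definitions.

Added example, not part of the original thread. Entries may be CIDR subnets
("10.10.0.0/22") or dash-separated ranges ("10.20.5.1-10.20.5.200").
"""
import ipaddress
from itertools import combinations


def parse_entry(entry):
    """Return the IPv4Network objects that exactly cover one CIDR or range entry."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        # A range rarely aligns to one CIDR block; summarize it into the minimal set.
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]


def overlaps(nets_a, nets_b):
    """True if any network in nets_a shares at least one address with nets_b."""
    return any(a.overlaps(b) for a in nets_a for b in nets_b)


def find_overlaps(lists):
    """lists: {name: [entry, ...]} -> sorted (name_a, name_b) pairs whose entries overlap."""
    parsed = {name: [n for e in entries for n in parse_entry(e)] for name, entries in lists.items()}
    return sorted((a, b) for a, b in combinations(sorted(parsed), 2) if overlaps(parsed[a], parsed[b]))


def empty_lists(lists):
    """Names of lists with no entries at all (the 'mostly empty' asset lists in the post)."""
    return sorted(name for name, entries in lists.items() if not entries)


# Constructed sample resembling the thread: nested subnets, a range, and an empty list.
SAMPLE_LISTS = {
    "Full Network": ["10.10.0.0/22", "10.20.5.1-10.20.5.200"],
    "Workstations": ["10.10.1.0/24"],
    "Windows Workstations": ["10.10.1.50-10.10.1.99"],
    "Linux Servers": ["10.30.0.0/24"],
    "Old Lab": [],
}

if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_LISTS):
        print(f"overlap: {a!r} and {b!r}")
    for name in empty_lists(SAMPLE_LISTS):
        print(f"empty: {name!r}")
```

Feeding it the real zone and asset-list entries exported from SC shows which lists can be merged or deleted without losing coverage.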

  • Re: Need help with cleaning up ACAS
    cybernovice Novice

    Ultimately, I think the answer is it depends.

    Zones relate to where scanners are located. For example, if you had scanners that were located in a DMZ, some located inside your enterprise, and maybe some in the cloud, you might want to create zones that match those locations, so that when you scan a device that is in the DMZ only the DMZ scanners are used. Or maybe you want the zone to contain a scanner in each of the zones because you have scanners that are only used to scan machines during business hours. So ultimately it depends on how you want to manage your different scanners and what those scanners actually scan.

    I am guessing that, since the system has 4 vNICs and there are 4 IPs that are supposed to be used for scanners, those additional vNICs were maybe at one point being used as the "additional scanners." So you have to decide if you really need more scanners or not.

    Repositories are again configured based on how you are using SC. I would recommend that you go visit the Tenable University, which is now available through the support portal, and view the free webinars on how SC works and how repositories can be used.

    So, it all just depends.  I hope this helps.

    • Re: Need help with cleaning up ACAS
      tenablecustomer17 Novice

      Holy Moses, an actual response.

      So, for starters, I'm just looking for simplicity. I have 6 separate subnets, but they're all in the repository and they're all in one scan zone. I'm fine with leaving that as is, seeing how it's working and we don't have tens of thousands of workstations/servers. We're talking 480 assets.

      As for the 4 IPs, that's why I was asking. It looks like it's just scanning with the Security Center (localhost), which is something I've never seen before. Does adding the other IPs as scanners do anything? Does it help? Will it make the scans faster?

      The scans (or really, just one scan) are automated. Full network, all subnets, daily (at midnight). The scan usually takes about 5 hours to complete. Is that fine? Is there a better way to do what we're doing here?

      To bring this back around, this is all about simplifying the end goal. If I do not need the other NICs for Nessus scanners, then I'm deactivating them, because all they're doing is quadrupling the findings in the reports. If it's better practice to separate different subnets out to the multiple scanners, then I'll just do that. I, personally, don't need multiple scans done on schedule, since the full scan is daily and I can pull out whatever specific findings I need to report. Also, I can build separate scans if I want specific assets to be scanned.

      TL;DR - Is an ACAS scanner that is only running Security Center with no attached Nessus Scanners a proper setup?