Managing dynamic discovery of assets

What is Dynamic Discovery, and why use it?

It may not be unusual for your organization’s assets to fluctuate in number, type, and state, on a fairly regular basis. As staff numbers grow or recede, so does the number of workstations. Servers go on line and out of commission. Employees who are traveling or working from home plug into the network at various times using virtual private networks (VPNs).

This fluidity underscores the importance of having a dynamic asset inventory. Relying on a manually maintained spreadsheet is risky. There will always be assets on the network that are not on the list. And, if they’re not on the list, they're not being managed. Result: added risk.

One way to manage a "dynamic inventory," is to run discovery scans on a regular basis. See Configuring asset discovery. This approach is limited because scan provides a snapshot of your asset inventory at the time of the scan. Another approach, Dynamic Discovery, allows you to discover and track assets without running a scan. It involves initiating a connection with a server or API that manages an asset environment, such as one for virtual machines, and then receiving periodic updates about changes in that environment. This approach has several benefits:

Verifying that your license enables relevant features

The following types of Discovery Connections require the Dynamic Discovery option:

For McAfee Data Exchange Layer connections, your license must also enable the Adaptive Security option.

For ActiveSync connections that allow you to discover mobile devices, your license must enable the Mobile option.

To verify that your license enables Virtual Discovery:

  1. Click the Administration icon.

The Security Console displays the Administration page.

  1. Click the Manage link for Security Console.

The Security Console displays the Security Console Configuration panel.

  1. Click the Licensing link.

The Security Console displays the Licensing page.

  1. See if the Dynamic Discovery or Mobile feature is checked, depending on your needs.

Discovering mobile devices

An increasing number of users are connecting their personal mobile devices to corporate networks. These devices increase and expand attack surfaces in your environment with vulnerabilities that allow attackers to bypass security restrictions and perform unauthorized actions or execute arbitrary code.

You can discover devices with Apple iOS or Google Android operating systems that are connected to Microsoft Exchange over ActiveSync. All versions of iOS and Android are supported.

The Security Console discovers mobile devices that are managed with Microsoft Exchange ActiveSync protocol. The Dynamic Discovery feature currently supports Exchange versions 2010 and 2013 and Office 365.

You can connect to the mobile data via one of three Microsoft Windows server configurations:

The advantage of using one of the WinRM configurations is that asset data discovered through one of these methods includes the most recent time that each mobile device was synchronized with the Exchange server. This can be useful if you do not want your reports to include data from old devices that are no longer in use on the network. You can create a dynamic asset group for mobile devices with old devices filtered out. See Performing filtered asset searches.

Preparing for Dynamic Discovery of mobile devices

Depending on which Windows server configuration you are using, you will need to take some preliminary steps to prepare your target environment for discovery.

LDAP/AD

For the discovery connection, the Security Console requires credentials for a user with read permission on the mobile device objects in Active Directory. The user must be a member of the Organization Management Security Group in Microsoft Exchange or a user that has been granted read access to the mobile device objects.This allows the Security Console to perform LDAP queries.

Take the following steps on the AD server to grant account Read-only permissions to the AD Organizational Unit(s) (OU) that contain users with ActiveSync (Mobile) devices:

Selecting the Users OU in ADSI Edit

  1. Start the Active Directory Service Interfaces Editor (ADSI Edit) and connect to the AD environment.
  2. Select the OU that contains users with ActiveSync (Mobile) devices. In this example, the Users OU contains users with ActiveSync devices.
  3. Right-click the Users OU and select Properties.
  4. Select the Security tab.
  5. Click the Add button and add the user account that the Security Console will use for connecting to the AD server.
  6. Select the user and click Advanced.
  7. Select the user and click Edit .
  8. From the Applies to drop-down list, select Descendant msExchActiveSyncDevice objects.

Repeat the previous steps for any additional OUs containing ActiveSync (Mobile) devices.

WinRM

The setup requirements and steps in the target environment are practically identical for PowerShell and Office 365 configurations:

Servers and credentials

Note:  The WinRM gateway may also be the Exchange server or Nexpose, if the Security Console is running on Windows.

Setting up the WinRM gateway

Note:  Consult a Windows server administrator if you are unfamiliar with these procedures.

The WinRM gateway must have an available https WinRM listener at port 5986. Typical steps to enable this include the following:

  1. Verify that the server has a Server Authentication certificate installed that is not expired or self-signed. For more information, see https://technet.microsoft.com/en-us/library/cc731183.aspx .
  2. Enable the WinRM https listener:

C:\> winrm quickconfig -transport:https

 

  1. Increase the WinRM memory limit with a PowerShell command (Minimum setting is 1024 MB; but 2048 MB is recommended.):

[PS] C:\> set-item wsman:localhost\Shell\MaxMemoryPerShellMB 2048

 

  1. Open port 5986 on the Windows firewall:

C:\> netsh advfirewall firewall add rule name=
"Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986

The following instructions are available for enabling WinRM for an account other than administrator: http://docs.scriptrock.com/kb/using-winrm-without-admin-rights.html

Network connectivity

Troubleshooting WinRM connection issues

If WinRM fails using a domain controller as WinRM gateway, see the blog at http://www.projectleadership.net/blogs_details.php?id=3154 for assistance. Typically, running setspn -L [server_name] returns two WinRM configurations; but, in this case, none are displayed.

If the PowerShell script fails with error Process is terminated due to StackOverflowException., the WinRM memory limit is insufficient. Increase the setting by running the PowerShell command:

[PS] C:\> set-item wsman:localhost\Shell\MaxMemoryPerShellMB 2048

Troubleshooting Exchange connectivity

To verify and troubleshoot Exchange connectivty, open the PowerShell Windows WinRM gateway server with the WinRM credentials. Then run the following Powershell command with your Exchange user credentials and the Exchange server fully qualified domain name for your organization:

$cred = Get-Credential

$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeserver.domain.com/ -credential $cred

Import-PSSession $s

Get-ActiveSyncDevice

This will display a window to enter the credentials. If the New-PSSession fails this indicates that the remote PowerShell connection to the Exchange server failed.

If the Get-ActiveSyncDevices command returns not devices, this may indicate that your Exchange account has insufficient permission to perform the query.

Troubleshooting connections with the Office 365 configuration

The Office 365 configuration works exactly like the PowerShell configuration, except that it communicates with Microsoft's Exchange server in the Cloud and connects to the gateway somewhat differently via PowerShell.

Use the following script to troubleshoot Office365 exchange connectivity:

$cred = Get-Credential

$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell -credential $cred -Authentication Basic -AllowRedirection

Import-PSSession $s

Get-ActiveSyncDevice

After preparing your network for discovery, see Creating and managing Dynamic Discovery connections.

General best practices for managing mobile discovery

To optimize discovery results on a continuing basis, observe some best practices for managing your environment:

Test your environment

Test your ActiveSync environment to verify all components are working and communicating properly. This will help improve your coverage.

Create device access rules

Creating rules for ActiveSync devices in your network further expands your control. You can, for example, create rules for approving quarantined devices.

Manage and increase device partnerships

Individual users in your organization may use multiple devices, each with its own partnership or set of ActiveSync attributes created during the initial synchronization. Additionally, users routinely upgrade from one version of a device to another, which also increases the potential number of partnerships to support. Managing these partnerships is important for tracking ActiveSync devices in your environment. It involves the removal of old devices from the Exchange server, which can help create a more accurate mobile risk assessment.

Discovering Amazon Web Services instances

If your organization uses Amazon Web Services (AWS) for computing, storage, or other operations, Amazon may occasionally move your applications and data to different hosts. By initiating Dynamic Discovery of AWS instances and setting up dynamic sites, you can scan and report on these instances on a continual basis. The connection occurs via the AWS API.

In the AWS context, an instance is a copy of an Amazon Machine Image running as a virtual server in the AWS cloud. The scan process correlates assets based on instance IDs. If you terminate an instance and later recreate it from the same image, it will have a new instance ID. That means that if you scan a recreated instance, the scan data will not be correlated with that of the preceding incarnation of that instance. The results will be two separate instances in the scan results.

Preparing for Dynamic Discovery in an AWS environment

Before you initiate Dynamic Discovery and start scanning in an AWS environment, you need to:

Inside or outside the AWS network?

When configuring your AWS connection, you can specify whether:

These configurations determine which additional settings and configurations you will need.

Outside the network: Creating an IAM user

If your Security Console is located outside the AWS network, the AWS Application Programming Interface (API) must be able to recognize it as a trusted entity before allowing it to connect and discover AWS instances. To make this possible, you will need to create IAM user, which is an AWS identity for the Security Console, with permissions that support Dynamic Discovery. When you create an IAM user, you will also create an access key that the Security Console will use to log onto the API.

Learn about IAM users and how to create them.

Note:  When you create an IAM user, make sure to select the option to create an access key ID and secret access key. You will need these credentials when setting up the discovery connection. You will have the option to download these credentials. Be careful to download them in a safe, secure location.

Note:  When you create an IAM user, make sure to select the option to create a custom policy.

Inside the network: Creating an IAM role

If your Security Console is installed on an AWS instance and, therefore, inside the AWS network, you need to create an IAM role for that instance. A role is simply a set of permissions. You will not need to create an IAM user or access key for the Security Console.

Learn about IAM users and how to create them.

Note:  When you create an IAM role, make sure to select the option to create a custom policy.

Creating a custom policy for your IAM user or role

When creating an IAM user or role, you will have to apply a policy to it. A policy defines your permissions within the AWS environment. Amazon requires your AWS policy to include minimal permissions for security reasons. To meet this requirement, select the option create a custom policy.

You can create the policy in JSON format using the editor in the AWS Management Console. The following code sample implements the minimum policy needed by Nexpose and indicates how the policy should be defined:

{

"Version": "2012-10-17",

"Statement": [

{ "Sid": "NexposeScanEngine", "Effect": "Allow", "Action":

[ "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeAddresses" ], "Resource": [ "*" ] }

]

}

 

Scan Engine inside or outside AWS network

It is a best practice to scan AWS instances with a distributed Scan Engine that is deployed within the AWS network, also known as the Elastic Compute Cloud (EC2) network. This allows you to scan private IP addresses and collect information that may not be available with public IP addresses, such as internal databases.

If your Scan Engine is inside the AWS network, Nexpose will discover and scan assets using their private IPs.

Note:  If the private IP space in your AWS network overlaps with the private IP space in your corporate network, some assets in AWS may share the same IP address as assets in your corporate network.

If your Scan Engine is outside the AWS network, Nexpose will only scan assets with Elastic IP (EIP) addresses assigned to them. Nexpose will use these EIPs when scanning. You will not be able to manually edit the asset list in your site configuration or in a manual scan window. Dynamic Discovery will include instances without EIP addresses, but they will not appear in the asset list for the site configuration.

Discovering virtual machines managed by VMware vCenter or ESX/ESXi

An increasing number of high-severity vulnerabilities affect virtual targets and devices that support them, such as the following:

Merely keeping track of virtual assets and their various states and classifications is a challenge in itself. To manage their security effectively you need to keep track of important details: For example, which virtual machines have Windows operating systems? Which ones belong to a particular resource pool? Which ones are currently running? Having this information available keeps you in synch with the continual changes in your virtual asset environment, which also helps you to manage scanning resources more efficiently. If you know what scan targets you have at any given time, you know what and how to scan.

In response to these challenges the application supports dynamic discovery of virtual assets managed by VMware vCenter or ESX/ESXi.

Once you initiate Dynamic Discovery it continues automatically as long as the discovery connection is active.

Preparing the target VMware environment for Dynamic Discovery

To perform dynamic discovery in VMware environments, Nexpose can connect to either a vCenter server or directly to standalone ESX(i) hosts.

To determine if the application supports a connection to an ESX(i) host that is managed by vCenter, consult VMware’s interoperability matrix at http://partnerweb.vmware.com/comp_guide2/sim/interop_matrix.php.

The application supports direct connections to the following ESX(i) versions:

You must configure your VMware vSphere deployment to communicate through HTTPS. To perform Dynamic Discovery, the Security Console initiates connections to the vSphere application program interface (API) via HTTPS.

If Nexpose and your target vCenter or virtual asset host are in different subnetworks that are separated by a device such as a firewall, you will need to make arrangements with your network administrator to enable communication, so that the application can perform Dynamic Discovery.

Make sure that port 443 is open on the vCenter or virtual machine host because the application needs to contact the target in order to initiate the connection.

When creating a discovery connection, you will need to specify account credentials so that the application can connect to vCenter or the ESX/ESXi host. Make sure that the account has permissions at the root server level to ensure all target virtual assets are discoverable. If you assign permissions on a folder in the target environment, you will not see the contained assets unless permissions are also defined on the parent resource pool. As a best practice, it is recommended that the account have read-only access.

Make sure that virtual machines in the target environment have VMware Tools installed on them. Assets can be discovered and will appear in discovery results if they do not have VMware Tools installed. However, with VMware Tools, these target assets can be included in dynamic sites. This has significant advantages for scanning. See Configuring a site using a Dynamic Discovery connection.

Discovering assets through DHCP log queries

This connection extends your visibility into your asset inventory by exposing assets that may not be otherwise apparent. Scan Engines query DHCP server logs, which dynamically update with fresh asset information every five seconds. The engines pass the results of these queries to the Security Console. For each DHCP connection, you assign a specific Scan Engine.

On first connection, the method will yield the current DHCP lease table. When initially established, the connection discovers assets in the current DHCP lease table. While the connection remains active, it continuously discovers new assets the DHCP server detects and existing assets that renew their IP addresses.

You can leverage the number of distributed Scan Engines to communicate with multiple DHCP servers and to connect with these servers in less accessible locations, such as behind firewalls or on the network perimeter.

Note:  The DHCP method only discovers assets that have not yet been discovered by Nexpose through a different method or through a scan.

Two DHCP collection options are available:

Preparing the target environment for Dynamic Discovery through DHCP Directory Watcher method

Note:  The current implementation of DHCP discovery with the Directory Watcher method supports Microsoft Server 2008 and 2012.

Make sure your Microsoft DHCP configuration enables logging. Also, it is strongly recommended that you move the log files to a directory that is separate from the DHCP database files. Microsoft DHCP stores log data in a separate file for each day of the week and overwrites each file on a weekly basis.

Tip:  The default directory path of the DHCP log file is in Windows 2008 is %windir%\System32\Dhcp. The path in Windows 2012 is %systemroot%\System32\Dhcp.

Discovering assets managed by McAfee ePolicy Orchestrator

The McAfee ePolicy Orchestrator connection allows Nexpose to collect information from McAfee ePolicy Orchestrator (ePO) about the assets it manages. Nexpose can scan the assets managed by ePO and provide additional vulnerability assessment. If configured with an McAfee Data Exchange Layer (DXL) discovery connection, it can monitor these assets for malicious file detection events and perform automated actions such as adding tags that can give you context you need to understand your risk and your next steps.You can also configure Nexpose to publish risk scores to an ePO dashboard and share its vulnerability information with McAfeeThreat Intelligence Exchange (TIE). To learn more about the DXL and TIE components, see Discovering vulnerability data collected by McAfee Data Exchange Layer (DXL).

Note:  Assets are synchronized from ePO once per day.

McAfee ePolicy Orchestrator connections must be created from the Administration page. To learn more, see Creating a connection outside of a site configuration.

The recommended best practice is to connect all assets managed by ePO into a single static site, and then use dynamic asset groups to categorize and scan the assets. To learn more, see Using dynamic asset groups.

Note:  In order to create an McAfee ePolicy Orchestrator connection, you will need to have a static site already configured. You can use an existing site or create a new one. If creating a new one, you may need to add an asset as a placeholder since the ePO connection will not be available yet.

If the Rapid7 Nexpose extension is installed on the ePO server, a dashboard will be created in ePO. If an McAfee ePolicy Orchestrator connection is configured to push risk scores back to ePO as described in Creating and managing Dynamic Discovery connections, then once you scan the assets, this dashboard will show the top ten highest-risk assets managed by ePO, as determined by Nexpose's vulnerability assessment and risk scoring system.

To view the Rapid7 Nexpose Insight: Top 10 Riskiest Systems dashboard in McAfee ePolicy Orchestrator:

  1. Log on to the ePO installation using an account with Dashboards permission and Nexpose Run Command permission.
  2. Navigate to the Dashboards section as described in the Dashboards and Monitors section of the McAfee ePolicy Orchestrator Help.
  3. From the drop-down menu, select Rapid7 Nexpose Insight Summary.

  1. The Rapid7 Nexpose Insight: Top 10 Riskiest Systems dashboard appears in the ePO interface. For information on actions you can perform with this dashboard, refer to the McAfee ePolicy Orchestrator Help.

Preparing the target environment for discovery through McAfee ePolicy Orchestrator

In order to discover assets managed by McAfee ePolicy Orchestrator with Nexpose, you must install the Rapid7 Nexpose extension in McAfee ePolicy Orchestrator. The extension can be downloaded from http://download2.rapid7.com/download/NeXpose-v4/epo-extension/Rapid7Nexpose.zip.

Once the extension is installed, a user called NexposeServiceUser will be automatically created. Enable this user and set a valid password to use in the connection from Nexpose.

Discovering vulnerability data collected by McAfee Data Exchange Layer (DXL)

This connection allows Nexpose to collect information from McAfee Data Exchange Layer about information discovered by Security McAfee Vulnerability Manager. Configuring an McAfee Data Exchange Layer discovery connection allows you to monitor malicious file detection events generated by McAfee Threat Intelligence Exchange (TIE). You can then set Nexpose Automated Actions to automatically tag the asset if the malicious file detection events occur. Applying a criticality tag with an automated action can automatically adjust the risk score of the asset and therefore potentially affect the list of highest-risk assets in the ePO dashboard. For more information, see Discovering assets managed by McAfee ePolicy Orchestrator on page 1.

McAfee Data Exchange Layer connections must be created outside a site configuration, from the Administration page. To learn more, see Creating a connection outside of a site configuration.

Preparing the target environment for connection through McAfee Data Exchange Layer

In order to use the McAfee Data Exchange Layer connection with Nexpose, you must install the Rapid7 Nexpose extension in McAfee ePolicy Orchestrator. The extension can be downloaded from http://download2.rapid7.com/download/NeXpose-v4/epo-extension/Rapid7Nexpose.zip.

Create a service user specifically designated for use with this connection. The user should be in an ePO permission set with the DXL McAfee MePO Certificate Creation permission assigned.

Note:  When you save a DXL configuration, a service topic will be automatically created in the DXL fabric, since the Find details of a vulnerability setting is always on. When Nexpose is shut down for an hour, the service topic will be shut down – a new one will be created upon restarting Nexpose.

Discovering assets managed by Active Directory

The Active Directory connection allows Nexpose to collect information from the catalog of assets in Active Directory. This reduces the effort for network administrators to keep the asset list in Nexpose updated. Nexpose also pulls in OS information from Active Directory where available, so you can create asset groups by the hostname and the OS, or automatically add newly discovered assets into existing asset groups.

Note:  Assets are synchronized from Active Directory once per day.

Active Directory discovery connections must be created from the Administration page. To learn more, see Creating a connection outside of a site configuration.

Note:  In order to create an Active Directory connection, you will need to have a static site already configured. You can use an existing site or create a new one. If creating a new one, you may need to add an asset as a placeholder since the Active Directory connection will not be available yet.

Creating and managing Dynamic Discovery connections

This action provides Nexpose the information it needs to contact a server or process that manages the asset environment.

You must have Global Administrator permissions to create or manage Dynamic Discovery connections. See Managing users and authentication.

Creating a connection in a site configuration

If you want to create a connection while configuring a new site, click the Create site button on the Home page.
OR
Click the Create tab at the top of the page and then select Site from the drop-down list.

If you want to create a connection for an existing site, click that site's Edit icon in the Sites table on the Home page.

  1. Click the Assets link in the site configuration .
  1. Select Connection as the option for specifying assets.
  2. Click Create Connection.
  1. Select a connection type:

Selecting a discovery connection type

Enter the information for a new connection with Exchange ActiveSync (LDAP):

  1. Enter a unique name for the new connection on the New connection tab.
  1. Enter the name of the Active Directory (AD) server to which the Security Console will connect.
  2. Select a protocol from the drop-down list.

LDAPS, which is LDAP over SSL, is the more secure option and is recommended if it is enabled on your AD server.

  1. Enter a user name and password for a member of the Organization Management Security Group in Microsoft Exchange.

This  account will enable the Security Console to discover mobile devices connected to the AD server.

Note:  Once you save credentials in this setting, changes will not take effect until you restart Nexpose.

  1. Click Save. The connection appears in the Connection drop-down list, which you can view by clicking Select Connection.
  1. Continue with Initiating Dynamic Discovery.

Enter the information for a new connection with Exchange ActiveSync (WinRM/PowerS/hell or WinRM/Office 365):

  1. Enter a unique name for the new connection on the New connection tab.
  1. Enter the name of the of the WinRM gateway server to which the Security Console will connect.
  2. Enter a user name and password for an account that has WinRM permissions for the gateway server.
  3. Enter the fully qualified domain name of the Exchange server that manages the mobile device information.
  1. Enter a user name and password for an administrator account or a user account that has View-Only Organizational Management or higher role of the Organization Management Security Group in Microsoft Exchange.
  1. Click Save. The connection appears in the Connection drop-down list, which you can view by clicking Select Connection.
  1. Continue with Initiating Dynamic Discovery.

Enter the information for a new connection (AWS):

  1. Enter a unique name for the new connection on the New connection tab.
  1. From the drop-down list, select the geographic region where your AWS instances are deployed.
  2. If the Security Console is deployed inside the AWS network, select the appropriate check box. (Note that this is an unusual configuration; in most cases, the Security Console will be outside the AWS network.) If you indicate that the Security Console is inside the AWS network, the Credentials link disappears from the left navigation pane. You do not need to configure credentials, since the AWS API recongizes the IAM role of the AWS instance that the Security Console is installed on.
  3. If the Scan Engine you will use to scan the AWS environment is deployed inside the AWS network, select the appropriate check box. This wil enable the application to scan private IP addresses.

Setting up a connection with Nexpose Scan Engine inside the AWS network and Security Console outside

  1. If prompted to do so (Security Console outside the AWS network), enter an Access Key ID and Secret Access Key with which the application will log on to the AWS API.
  1. Click Save. The connection appears in the Connection drop-down list, which you can view by clicking Select Connection.
  2. Continue with Initiating Dynamic Discovery.

Enter the information for a new connection (VMware vSphere).

  1. Enter a unique name for the new connection on the New connection tab.
  1. Enter a fully qualified domain name for the server that the Security Console will contact in order to discover assets.
  2. Enter a port number and select the protocol for the connection.
  1. Enter a user name and password with which the Security Console will log on to the server. Make sure that the account has access to any virtual machine that you want to discover.
  2. Click Save. The connection appears in the Connection drop-down list, which you can view by clicking Select Connection.
  3. Continue with Initiating Dynamic Discovery.

Enter the information for a new connection (DHCP-Directory Watcher).

  1. Enter a unique name for the new connection.
  2. Select an event source type.
  3. Select the Directory Watcher collection method.
  1. Enter a network path to the folder containing the DHCP server logs to be queried. Use the format //server/path/to/folder. The server can be either a host name or IP address.
  2. Select the Scan Engine that will collect the DHCP server log information.
  3. Enter the administrative user name and password for accessing the DHCP server.
  4. Click Save. The connection appears in the Connection drop-down list, which you can view by clicking Select Connection.
  5. Continue with Initiating Dynamic Discovery.

Enter the information for a new connection (DHCP-Syslog).

Note:  Syslog is the only available collection method for the Infoblox Trinzic event source.

  1. Enter a unique name for the new connection.
  2. Select an event source type.
  3. Select the Syslog collection method.
  1. Enter the number for the port that the syslog parser listens on for log entries related to asset information.
  2. Select the protocol for the port that the syslog parser listens on for log entries related to asset information.
  3. Select the Scan Engine that will collect the DHCP server log information.
  4. Click Save. The connection appears in the Connection drop-down list, which you can view by clicking Select Connection.
  5. Continue with Initiating Dynamic Discovery.

Creating a connection outside of a site configuration

  1. Click the Administration tab.
  2. On the Administration page, under Discovery Options, click the create link for Connections.

The Security Console displays the General page of the Asset Discovery Connection panel.

  1. On the General page, select a connection type:

s_nx_admin_discovery_connection_general_AWS.jpg

Selecting a discovery connection type outside of a site configuration

Enter the information for a new connection (mobile devices)

  1. Enter a unique name for the new connection on the General page.
  2. Click Connection.

The Security Console displays the Connection page.

  1. Enter the name of the Active Directory (AD) server to which the Security Console will connect.
  2. Select a protocol from the drop-down list.

LDAPS, which is LDAP over SSL, is the more secure option and is recommended if it is enabled on your AD server.

  1. Click Credentials.

The Security Console displays the Credentials page.

  1. Enter a user name and password for a member of the Organization Management Security Group in Microsoft Exchange.

This  account will enable the Security Console to discover mobile devices connected to the AD server.

  1. Click Save.
  2. Continue with Initiating Dynamic Discovery.

Enter the information for a new connection (AWS)

  1. Enter a unique name for the new connection on the General page.
  2. Click Connection.

The Security Console displays the Connection page.

  1. From the drop-down list, select the geographic region where your AWS instances are deployed.
  2. If the Security Console is deployed inside the AWS network, select the appropriate check box. (Note that this is an unusual configuration; in most cases, the Security Console will be outside the AWS network.) If you indicate that the Security Console is inside the AWS network, the Credentials link disappears from the left navigation pane. You do not need to configure credentials, since the AWS API recongizes the IAM role of the AWS instance that the Security Console is installed on.
  3. If the Scan Engine you will use to scan the AWS environment is deployed inside the AWS network, select the appropriate check box. This wil enable the application to scan private IP addresses. See Inside or outside the AWS network?.
  4. If your Security Console and the Scan Engine you will use to scan the AWS environment are deployed inside the AWS network, select the check box. This will make the application to scan private IP addresses.
  5. If you indicate that the Security Console is inside the AWS network, the Credentials link disappears from the left navigation pane. You do not need to configure credentials, since the AWS API recongizes the IAM role of the AWS instance that the Security Console is installed on. In this case, simply click Save and ignore the following steps.
  6. Click Credentials.

The Security Console displays the Credentials page.

  1. Enter an Access Key ID and Secret Access Key with which the application will log on to the AWS API.
  2. Click Save.
  3. Continue with Initiating Dynamic Discovery.

Enter the information for a new connection (VMware vSphere)

  1. Enter a unique name for the new connection on the General page.
  2. Click Service.

The Security Console displays the Service page.

  1. Enter a fully qualified domain name for the server that the Security Console will contact in order to discover assets.
  2. Enter a port number and select the protocol for the connection.
  3. Click Credentials.

The Security Console displays the Credentials page.

  1. Enter a user name and password with which the Security Console will log on to the server. Make sure that the account has access to any virtual machine that you want to discover.
  2. Click Save.
  3. Continue with Initiating Dynamic Discovery.

Enter the information for a new connection (DHCP-Directory Watcher)

  1. Enter a unique name for the new connection on the General page.
  2. Click Service.
  1. On the Service page, select an event source.
  2. Select Directory Watcher as the collection method.
  3. Enter a network path to the folder containing the DHCP server logs to be monitored. Use the format //server/path/to/folder. The server can be either a host name or IP address.
  4. Select the Scan Engine that will collect the DHCP server log information.
  5. Click Credentials.
  1. On the Credentials page, enter the administrative user name and password for accessing the DHCP server.
  2. Click Save.
  3. Continue with Initiating Dynamic Discovery.

Tip:  If you create a connection and later change it to reference a different DHCP server, your asset discovery results will change. Therefore, if it is important to you to associate assets with specific DHCP servers in Nexpose, consider associating the name of the connection with the DHCP server and changing that name if you change the referenced server. Also, note that you cannot create duplicate DHCP connections.

Enter the information for a new connection (DHCP-Syslog)

Note:  Syslog is the only available data collection method for the Infoblox Trinzic event source.

  1. Enter a unique name for the new connection on the General page.
  2. Click Service.
  1. On the Service page, select an event source type.
  2. Select the Syslog collection method.
  1. Select the number of the port that the syslog parser listens on for log entries related to asset information.
  2. Select the protocol for the port that the syslog parser listens on for log entries related to asset information.
  3. Select the Scan Engine that will collect the DHCP server log information.
  4. Click Save.
  5. Continue with Initiating Dynamic Discovery.

Enter the information for a new connection (McAfee ePolicy Orchestrator)

  1. Enter a unique name for the new connection.
  1. Enter the username and password for the user to connect to McAfee ePolicy Orchestrator (ePO). For security best practices, this should be a service user exclusively for use with the Nexpose integration. The Nexpose ePo extension automatically creates a user called NexposeServiceUser.
  2. Enter the IP address or the hostname of the server where ePO is installed.
  3. Enter the port on which ePO is running.
  4. If the ePO server uses a self-signed certificate, select Untrusted Certificate Permitted. Otherwise, leave it clear.
  5. Select Consume McAfee ePolicy Orchestrator assets. This setting is necessary for the initial configuration in order for Nexpose to collect information about the assets. If you do not want to continue to collect information about the assets on an ongoing basis (for instance, if you believe the information will seldom change), you can return to the configuration at a later time and clear this setting.
  1. Select a site to which to associate the assets.
  1. To populate the Rapid7 Nexpose Insight: Top 10 Riskiest Systems dashboard in ePO with data, select Push risk scores. The data will be automatically updated whenever a Nexpose scan finds risk score changes in ePO managed assets.
  2. If desired, click Test Credential to confirm that the username and password connect as expected.
  3. Click Save.
  4. Navigate back to the site. The assets will have populated within the site. You can now create dynamic asset groups and scan the assets.

Enter the information for a new connection (Active Directory)

  1. Enter a unique name for the new connection.
  2. Enter the Server IP or host name of the Active Directory (AD) server to which the Security Console will connect.
  3. Select a protocol from the drop-down list.

LDAPS, which is LDAP over SSL, is the more secure option and is recommended if it is enabled on your AD server.

  1. Enter a user name and password, and optionally click Test Credential to confirm that the credentials connect as expected.
  2. If desired, use the Base Query field to specify the portion of the Domain Component (DC) tree you would like to import, and the Search Query field to further qualify the computers you would like to discover, using an LDAP Query.
  3. Select Consume Active Directory (LDAP) assets. This setting is necessary for the initial configuration in order for Nexpose to collect information about the assets. If you do not want to continue to collect information about the assets on an ongoing basis (for instance, if you believe the information will seldom change), you can return to the configuration at a later time and clear this setting.
  4. Select a site to which to associate the assets.
  5. If desired, click the Preview button to see the top 50 results of your query to make sure your query is working as expected.
  6. Click Save.
  7. Navigate back to the site. The assets will have populated within the site. The time it takes to completely populate the site will vary, based on how long it takes the active directory to respond to the query. You can now create dynamic asset groups and scan the assets.

Enter the information for a new connection (McAfee Data Exchange Layer)

  1. Enter a unique name for the new connection.
  1. Enter the username and password for the user to connect to McAfee ePolicy Orchestrator (ePO), which generates certificates that allow communication with McAfee Data Exchange Layer (DXL). For security best practices, this should be a service user that was created specifically for use with the Nexpose integration. The user should be in an ePO permission set with the DXL McAfee MePO Certificate Creation permission assigned. Your IP address and hostname will be the same as for your ePO connection, but the username and password should be different
  2. Enter the IP address or the hostname of the server where ePO with McAfee Data Exchange Layer is installed.
  3. Enter the port on which ePO is running.
  4. Select Find details of a vulnerability to gather vulnerability details that have already been collected. This setting is checked by default and cannot be modified. The setting is mandatory because it enables clients to get additional details for a particular vulnerability that Nexpose publishes.
  5. Select Publish vulnerabilities to publish information about vulnerabilities discovered by Nexpose back to McAfee Data Exchange Layer.
  1. If desired, click Test Credential to confirm that the username and password connect to ePO as expected.
  2. Click Save.

Note:  Once an Security McAfee Data Exchange Layer (DXL) connection has been saved, additional changes will not apply until the Nexpose Security Console is restarted. You can edit, test, and save the credential configuration but the changes will only be applied upon Nexpose Security Console restart. This also applies to deleting a connection; although the deleted connection will no longer appear in the Nexpose Security Console interface, you will not be able to create a new DXL connection with the same credential configuration until a Nexpose Security Console restart.

Enter the information for a new connection (Microsoft Azure)

  1. Enter a unique name for the new connection.
  2. Enter the tenant ID associated with your Azure instance.
  3. Enter the application ID associated with the Rapid7 application created in your Azure AD instance.
  4. Enter the application secret key generated for the Rapid7 application created in your Azure AD instance.
  5. If desired, click Test Credential to confirm that the connection is successful.
  6. Select Synchronize Microsoft Azure assets to import Azure assets and remove stale assets.
  7. Select a site to which to associate the assets.
  8. To exclude specific assets from being imported, enter the tags in the Do not import assets with the following tags: box. The format is key: value + key: value +... If this box is empty, all assets are imported.
  9. Select Import tags to import all Azure tags.
  10. To include specific tags, enter these tags in the Only import the following tags: box. The format is key: value + key: value +... If this box is empty, all tags are imported.
  11. Click Save.

Viewing and changing available connections

To view available connections or change a connection configuration take the following steps:

  1. Go to the Administration page.
  2. Click manage for Discovery Connections.

The Security Console displays the Discovery Connections page.

  1. Click Edit for a connection that you wish to change.
  2. Enter information in the Asset Discovery Connection panel.
  3. Click Save.
  4. Continue with Initiating Dynamic Discovery.

OR

  1. Click the Dynamic Discovery link that appears in the upper-right corner of the Security Console Web interface, below the user name.

The Security Console displays the Filtered asset discovery page.

  1. Click the Manage for connections.

The Security Console displays the Asset Discovery Connection panel

  1. Enter the information in the appropriate fields.
  2. Click Save.
  1. Continue with Initiating Dynamic Discovery.

On the Discovery Connections page, you can also delete connections or export connection information to a CSV file, which you can view in a spreadsheet for internal purposes.

You cannot delete a connection that has a dynamic site or an in-progress scan associated with it. Also, changing connection settings may affect asset membership of a dynamic site. See Configuring a site using a Dynamic Discovery connection. You can determine which dynamic sites are associated with any connection by going to the Discovery Management page. See Monitoring Dynamic Discovery.

If you change a connection by using a different account, it may affect your discovery results depending which virtual machines the new account has access to. For example: You first create a connection with an account that only has access to all of the advertising department’s virtual machines. You then initiate discovery and create a dynamic site. Later, you update the connection configuration with credentials for an account that only has access to the human resources department’s virtual machines. Your dynamic site and discovery results will still include the advertising department’s virtual machines; however, information about those machines will no longer be dynamically updated. Information is only dynamically updated for machines to which the connecting account has access.

Initiating Dynamic Discovery

This action involves having the Security Console contact the server or API and begin discovering virtual assets. After the application performs initial discovery and returns a list of discovered assets, you can refine the list based on criteria filters, as described in the following topic. To perform Dynamic Discovery, you must have the Manage sites permission. See Configuring roles and permissions.

Note:  This process does not apply to McAfee ePolicy Orchestrator, McAfee Data Exchange Layer, or Active Directory connections. With those connection types, discovery takes place automatically when you initiate the connection.

  1. After creating a connection (see Creating a connection in a site configuration, click Select Connection.
  2. Select the desired option from the drop-down list.

Nexpose establishes the connection and performs discovery. A table appears and lists information about each discovered asset.

Assets displayed in a VMware connection

Note:  Assets discovered through a dynamic connection also appear on the Assets page. See Comparing scanned and discovered assets

Initiating discovery outside of a site configuration

  1. Click the Administration icon.
  1. On the Administration page, under Discovery Options, click the create link for Connections.

The Security Console displays the General page of the Asset Discovery Connection panel.

  1. Select the appropriate discovery connection name from the drop-down list labeled Connection.
  1. Click Discover Assets.

Note:   With new, changed, or reactivated discovery connections, the discovery process must complete before new discovery results become available. There may be a slight delay before new results appear in the Web interface.

Nexpose establishes the connection and performs discovery. A table appears and lists the following information about each discovered asset.

Displayed values for discovered assets

For mobile devices, the table includes the following:

For AWS connections, the table includes the following:

For VMware connections, the table includes the following:

For DHCP connections, the table includes the following:

After performing the initial discovery, the application continues to discover assets as long as the discovery connection remains active. The Security Console displays a notification of any inactive discovery connections in the bar at the top of the Security Console Web interface. You can also check the status of all discovery connections on the Discovery Connections page. See Creating and managing Dynamic Discovery connections.

If you create a discovery connection but don’t initiate discovery with that connection, or if you initiate a discovery but the connection becomes inactive, you will see an advisory icon in the top, left corner of the Web interface page. Roll over the icon to see a message about inactive connections. The message includes a link that you can click to initiate discovery.

After Nexpose discovers assets, they also appear in the Discovered by Connection table on the Assets page. See Locating and working with assets for more information.

Using filters to refine Dynamic Discovery

You can use filters to refine Dynamic Discovery results based on specific discovery criteria. For example, you can limit discovery to assets that are managed by a specific resource pool or those with a specific operating system.

Note:  This process does not apply to McAfee ePolicy Orchestrator, McAfee Data Exchange Layer, or Active Directory connections.

Note:  If a set of filters is associated with a dynamic site, and if you change filters to include more assets than the maximum number of scan targets in your license, you will see an error message instructing you to change your filter criteria to reduce the number of discovered assets.

Using filters has a number of benefits. You can limit the sheer number of assets that appear in the discovery results table. This can be useful in an environment with a high number of virtual assets. Also, filters can help you discover very specific assets. You can discover all assets within an IP address range, all assets that belong to a particular resource pool, or all assets that are powered on or off. You can combine filters to produce more granular results. For example, you can discover all of Windows 7 virtual assets on a particular host that are powered on.

For every filter that you select, you also select an operator that determines how that filter is applied. Then, depending on the filter and operator, you enter a string or select a value for that operator to apply.

You can create dynamic sites based on different sets of discovery results and track the security issues related to these types of assets by running scans and reports. See Configuring a site using a Dynamic Discovery connection.

Selecting filters for mobile devices

Three filters are available for mobile device connections:

Operating System

With the Operating System filter, you can discover assets based on their operating systems. This filter works with the following operators:

User

With the User filter, you can discover assets based on their associated user accounts. This filter works with the following operators:

Last Sync Time

Note:  This filter is only available with WinRM/PowerShell and WinRM/Office 365 Dynamic Discovery connections.

With the Last Synch Time filter, you can track mobile devices based on the most recent time they synchronized with the Exchange server. This filter can be useful if you do not want your reports to include data from old devices that are no longer in use on the network. It works with the following operators.

Selecting filters and operators for AWS connections

Eight filters are available for AWS connections:

Availability Zone

With the Availability Zone filter, you can discover assets located in specific Availability Zones. This filter works with the following operators:

Guest OS family

With the Guest OS family filter, you can discover assets that have, or do not have, specific operating systems. This filter works with the following operators:

Instance ID

With the Instance ID filter, you can discover assets that have, or do not have, specific Instance IDs. This filter works with the following operators:

Instance name

With the Instance Name filter, you can discover assets that have, or do not have, specific Instance IDs. This filter works with the following operators:

Instance state

With the Instance state filter, you can discover assets (instances) that are in, or are not in, a specific operational state. This filter works with the following operators:

Instance states include Pending, Running, Shutting down, Stopped, or Stopping.

Instance type

With the Instance type filter, you can discover assets that are, or are not, a specific instance type. This filter works with the following operators:

Instance types include c1.medium, c1.xlarge,c3.2xlarge, c3.4xlarge, or c3.8xlarge.

Note:  Dynamic Discovery search results may also include m1.small or t1.micro instance types, but Amazon does not currently permit scanning of these types.

IP address

With the IP address filter, you can discover assets that match or do not have a specific IP address, or that have IP addresses, or do not have IP addresses, within a specific range. This filter works with the following operators:

When you select the is in the range of or is not in the range of filters, you will see two blank fields separated by the word to. You use the left field to enter the start of the IP address range, and use the right to enter the end of the range.

The format for IPv4 addresses is a “dotted quad.” Example:

192.168.2.1 to 192.168.2.254

You can combine multiple search types in your query to focus on very specific assets. For instance, you can search for IP addresses in the range 192.168.2.1 to 192.168.2.254, but exclude 192.168.2.7 and 192.168.2.199.

Region

With the Region type filter, you can discover assets that are in, or are not in, a specific geographic region. This filter works with the following operators:

Regions include Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Ireland), or South American (Sao Paulo).

Selecting filters and operators for VMware connections

Eight filters are available for VMware connections:

Cluster

With the Cluster filter, you can discover assets that belong, or don’t belong, to specific clusters. This filter works with the following operators:

Datacenter

With the Datacenter filter, you can discover assets that are managed, or are not managed, by specific datacenters. This filter works with the following operators:

Guest OS family

With the Guest OS family filter, you can discover assets that have, or do not have, specific operating systems. This filter works with the following operators:

Host

With the Host filter, you can discover assets that are guests, or are not guests, of specific host systems. This filter works with the following operators:

IP address

With the IP address filter, you can discover assets that match or do not have a specific IP address, or that have IP addresses, or do not have IP addresses, within a specific range. This filter works with the following operators:

When you select the is in the range of or is not in the range of filters, you will see two blank fields separated by the word to. You use the left field to enter the start of the IP address range, and use the right to enter the end of the range.

Power state

With the Power state filter, you can discover assets that are in, or are not in, a specific power state. This filter works with the following operators:

Power states include on, off, or suspended.

Resource pool path

With the Resource pool path filter, you can discover assets that belong, or do not belong, to specific resource pool paths. This filter works with the following operators:

You can specify any level of a path, or you can specify multiple levels, each separated by a hyphen and right arrow: ->. This is helpful if you have resource pool path levels with identical names.

For example, you may have two resource pool paths with the following levels:

Human Resources 

Management

Workstations 

Advertising

Management 

Workstations

The virtual machines that belong to the Management and Workstations levels are different in each path. If you only specify Management in your filter, the application will discover all virtual machines that belong to the Management and Workstations levels in both resource pool paths.

However, if you specify Advertising -> Management -> Workstations, the application will only discover virtual assets that belong to the Workstations pool in the path with Advertising as the highest level.

Virtual machine name

With the Virtual machine name filter, you can discover assets that have, or do not have, a specific name. This filter works with the following operators:

Selecting filters and operators for DHCP connections

Three filters are available for VMware connections:

Host

With the Host filter, you can discover assets based on host names. This filter works with the following operators:

IP address

With the IP address filter, you can discover assets that match or do not have a specific IP address, or that have IP addresses, or do not have IP addresses, within a specific range. This filter works with the following operators:

When you select the is in the range of or is not in the range of filters, you will see two blank fields separated by the word to. You use the left field to enter the start of the IP address range, and use the right to enter the end of the range.

MAC address

With the MAC address filter, you can discover assets based on MAC addresses. This filter works with the following operators:

Combining discovery filters

If you use multiple filters, you can have the application discover assets that match all the criteria specified in the filters, or assets that match any of the criteria specified in the filters.

The difference between these options is that the all setting only returns assets that match the discovery criteria in all of the filters, whereas the any setting returns assets that match any given filter. For this reason, a search with all selected typically returns fewer results than any.

For example, a target environment includes 10 assets. Five of the assets run Ubuntu, and their names are Ubuntu01, Ubuntu02, Ubuntu03, Ubuntu04, and Ubuntu05. The other five run Windows, and their names are Win01, Win02, Win03, Win04, and Win05. Suppose you create two filters. The first discovery filter is an operating system filter, and it returns a list of assets that run Windows. The second filter is an asset filter, and it returns a list of assets that have “Ubuntu” in their names.

If you discover assets with the two filters using the all setting, the application discovers assets that run Windows and have “Ubuntu” in their asset names. Since no such assets exist, no assets will be discovered. However, if you use the same filters with the any setting, the application discovers assets that run Windows or have “Ubuntu” in their names. Five of the assets run Windows, and the other five assets have “Ubuntu” in their names. Therefore, the result set contains all of the assets.

Configuring and applying filters

Note:   If a virtual asset doesn’t have an IP address, it can only be discovered and identified by its host name. It will appear in the discovery results, but it will not be added to a dynamic site. Assets without IP addresses cannot be scanned.

After you initiate discovery as described in the preceding section, and the Security Console displays the results table, take the following steps to configure and apply filters:

Configure the filters.

  1. Click Add Filters.

A filter row appears.

  1. Select a filter type from the left drop-down list.
  2. Select an operator from the right drop-down list.
  3. Enter or select a value in the field to the right of the drop-down lists.
  4. To add a new filter, click the + icon.

A new filter row appears. Set up the new filter as described in the preceding step.

  1. Add more filters as desired. To delete any filter, click the appropriate - icon.

After you configure the filters, you can apply them to the discovery results.

Or, click Reset to clear all filters and start again.

Apply the filters.

  1. Select the option to match any or all of the filters from the drop-down list below the filters.
  2. Click Filter.

The discovery results table now displays assets based on filtered discovery.

Applying Dynamic Discovery filters within a site configuration

Monitoring Dynamic Discovery

Note:  Assets discovered through McAfee ePolicy Orchestrator connections are not virtual and therefore appear in the regular Assets list.

Since discovery is an ongoing process as long as the connection is active, you may find it useful to monitor events related to discovery. The Discovery Statistics page includes several informative tables:

Dynamic Discovery is not meant to enumerate the host types of virtual assets. The application categorizes each asset it discovers as a host type and uses this categorization as a filter in searches for creating dynamic asset groups. See Performing filtered asset searches. Possible host types include Virtual machine and Hypervisor. The only way to determine the host type of an asset is by performing a credentialed scan. So, any asset that you discover through Dynamic Discovery and do not scan with credentials will have an Unknown host type, as displayed on the scan results page for that asset. Dynamic discovery only finds virtual assets, so dynamic sites will only contain virtual assets.

Note:  Listings in the Events table reflect discovery over the preceding 30 days.

To monitor Dynamic Discovery, take the following steps:

  1. Click the Administration icon.
  1. In the Discovery Options area of the Administration page, click the View link for Events.

s_nx_admin_discovery_statistics_AWS.jpg

Viewing discovery statistics

Configuring a site using a Dynamic Discovery connection

To create a dynamic site you must meet the following prerequisites:

Note:  This process does not apply to McAfee ePolicy Orchestrator or McAfee Data Exchange Layer connections.

If you attempt to create a site based on a number of discovered assets that exceeds the maximum number of scan targets in your license, you will see an error message instructing you to change your filter criteria to reduce the number of discovered assets. See Using filters to refine Dynamic Discovery.

Note:   When you create a site using a Dynamic Discovery connection, all assets that meet the site’s filter criteria will not be correlated to assets that are part of existing sites. An asset that is listed in two sites is essentially regarded as two assets from a license perspective.

After creating and initiating a discovery connection, you can continue configuring a site.

Topics for site configuration

Managing assets in a dynamically changing site

For many types of Dynamic Discovery connections, as long as the connection is active, asset membership in a the site is subject to change whenever changes occur in the target environment.

Note:  Types of connections whose sites can change dynamically in this way include connections to Amazon Web Services, DHCP log servers, and VMware servers. Due to the way assets are discovered through McAfee ePolicy Orchestrator (ePO) and McAfee Data Exchange Layer (DXL), sites using those types of connections will not update dynamically in this way. To learn more, see Discovering assets managed by McAfee ePolicy Orchestrator.

You can also change asset membership by changing the discovery connection or filters. See Using filters to refine Dynamic Discovery.

To view and change asset membership:

  1. Click that Edit icon of the site you want to edit in the Sites table on the Home page.
  2. Select the Assets tab.
  3. The Connection option for specifying assets is already selected. Do not change it.
  4. Click Select Connection.
  5. Select a different connection from the drop-down list if desired.
  1. Click the Filters button to change asset membership if desired. Using filters to refine Dynamic Discovery.
  1. Click Save in the Site Configuration.

Whenever a change occurs in the target discovery environment, such as new virtual machines being added or removed, that change is reflected in the dynamic site asset list. This keeps your visibility into your target environment current.

Another benefit is that if the number of discovered assets in the dynamic site list exceeds the number of maximum scan targets in your license, you will see a warning to that effect before running a scan. This ensures that you do not run a scan and exclude certain assets. If you run a scan without adjusting the asset count, the scan will target assets that were previously discovered. You can adjust the asset count by refining the discovery filters for your site.

If you change the discovery connection or discovery filter criteria for a dynamic site that has been scanned, asset membership will be affected in the following ways: All assets that have not been scanned and no longer meet new discovery filter criteria, will be deleted from the site list. All assets that have been scanned and have scan data associated with them will remain on the site list whether or not they meet new filter discovery criteria. All newly discovered assets that meet new filter criteria will be added to the dynamic site list.