
[connections-to-services output fragment: 2001:DB8::AE59:3FC2 -> SSH]
Using the “connections-to-services” option lets you know that the systems at 1.1.1.1 and 2001:DB8::AE59:3FC2
use the SSH protocol. This information may be useful regardless of where the service is being used.
The PVS does not log a session-by-session list of communications. Instead, it logs the relationship between the systems.
For example, if system A is detected using the SSH protocol on port 22 connecting to system B, and both systems are
within the focus network, the PVS would log:
System A browses on port 22
System B offers a service (listens) on port 22
System A communicates with System B on port 22
If system B were outside of the focus network, the PVS would not record anything about the service System B offers, and
would also log that System A browses outside of the focus network on port 22. The PVS does not log how often a
connection occurs, only that it occurred at least once. For connections outside of the focus network, the PVS will only log
what ports are browsed, not the actual destinations.
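The relationship logging just described, modelled in Python as an added example (this is not Tenable's code). The focus network and the flows are constructed sample data; flows whose client is outside the focus network are not covered by the text and are skipped here by assumption.

```python
import ipaddress
from typing import Iterable, List, Set, Tuple

# Constructed sample data for this example, not real captures.
FOCUS = ["192.0.2.0/24", "2001:db8::/32"]
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("192.0.2.10", "192.0.2.20", 22),           # both inside the focus network
    ("192.0.2.10", "192.0.2.20", 22),           # repeat: PVS logs it only once
    ("192.0.2.10", "198.51.100.5", 443),        # server outside the focus network
    ("192.0.2.10", "203.0.113.7", 443),         # other outside server, same port
    ("2001:db8::ae59:3fc2", "2001:db8::1", 22), # IPv6, both inside
]


def _in_focus(addr: str, nets: list) -> bool:
    """True when addr falls inside any focus network (v4/v6 never mix)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def pvs_relationships(flows: Iterable[Tuple[str, str, int]], focus: Iterable[str]) -> Set[str]:
    """Reduce (client, server, port) flows to the relationship records PVS keeps.

    Both ends in focus: client browses, server listens, the pair communicates.
    Server outside focus: only that the client browses outside on that port;
    the destination address is not recorded. A set models "occurred at least
    once" (no counts). Flows with a client outside the focus network are not
    described by the text; this example skips them (assumption).
    """
    nets = [ipaddress.ip_network(n) for n in focus]
    records: Set[str] = set()
    for client, server, port in flows:
        if not _in_focus(client, nets):
            continue
        if _in_focus(server, nets):
            records.add(f"{client} browses on port {port}")
            records.add(f"{server} offers a service (listens) on port {port}")
            records.add(f"{client} communicates with {server} on port {port}")
        else:
            records.add(f"{client} browses outside of the focus network on port {port}")
    return records


if __name__ == "__main__":
    for record in sorted(pvs_relationships(SAMPLE_FLOWS, FOCUS)):
        print(record)
```

Running it shows the two outside-network flows collapsing into a single "browses outside" record for port 443, with neither destination address kept.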
If logging session-by-session network events is a requirement for your network analysis, Tenable offers the
Log Correlation Engine product, which can be used to log firewall, web server, router, and sniffer logs. For
more information, please visit http://www.tenable.com/products/log-correlation-engine.
What this Means for Firewall Rules
If the PVS is placed immediately behind a firewall, such that all of the traffic presented to the PVS is flowing through the
firewall, then the list of served ports and client side ports and the respective IP addresses of the users is readily available.
By using tools such as SecurityCenter’s Vulnerability Analysis interface, information about these ports (both client and
server) can be browsed, sorted, and reported on. Lists of IP addresses and networks using these client and server ports
can also be viewed.
Working with the SecurityCenter
When multiple PVS sensors are managed by a SecurityCenter, users of the SecurityCenter are able to analyze the
aggregate types of open ports, browsed ports, and communication activity occurring on the focus network. Since the
SecurityCenter has several different types of users and privileges, many different IT and network engineering accounts
can be created across an enterprise so they can share and benefit from the information detected by the PVS.
Selecting Rule Libraries and Filtering Rules
Tenable ships an encrypted library of passive vulnerability detection scripts. This file cannot be modified by the end users of
the PVS. However, individual scripts can be disabled by listing their PASL ID with “.pasl” appended, one per line, in the
disabled-scripts.txt file; for example, a line containing “1234.pasl” disables the PASL with the ID 1234.
If a plugin needs to be disabled, enter its ID on a single line in the disabled-plugins.txt file. If a plugin needs to be made
“realtime”, enter its ID on a single line in the realtime-plugins.txt file.
If any of the referenced files do not exist, simply create them using the appropriate method for the operating system. The file
locations are in the following table for each operating system.