Every organization has different needs related to their vulnerability management program based on the scanner used (i.e., cloud or on-premises), the places where sensors are deployed, the technology environment, and desired outcomes. But the following deployment best practices apply to most everyone.
Additional Scanners Required
Conducting actor scans through a firewall or other network devices can impact scan results or the network device itself. It’s best to deploy additional Nessus scanners in hard-to-reach places, like portions that are segregated behind firewalls. Because the scanners reside on the same network segment as their target, they can access systems without network topology issues interfering with their operation.
Scaling Your Tenable Vulnerability Management Scan
For scaling purposes, Tenable recommends deploying an additional scanner for at least every 1,000 intended scan targets. For large-scale scans, customers should assign scanners to scanner groups to enable load share. Users should then place passive network monitor listeners in each network segment for full network coverage. Passive network scanners are placed on a span port, virtual span port, or network tap. This allows Tenable to see all network traffic in all directions (i.e., inbound, outbound, and host to host) as long as it traverses the network device from which Nessus network monitor is receiving data. Network admins can also place a listener at the ingress and egress points to audit communications into and out of the environment.
Perimeter
Each sensor should have at least two network interfaces rated for a maximum of 1GB of traffic: one for management and one for listening. With the special license and specific hardware traffic, you can monitor up to 10GB. Deploying Nessus agents on a per-host basis can help overcome obstacles like systems with uncertain connectivity (i.e., remote offices and mobile laptops). Agents can conduct local vulnerability, configuration, and compliance assessments. Agents are ideal for deploying with a standard system image to ensure greater asset coverage. A best practice is to have all new agents join the default group for easy new agent identification and later sorting. You can automate this process during installation or by using the built-in command line tool.
Tenable Vulnerability Management Distributed Network
Tenable Vulnerability Management includes access to Tenable’s distributed network of cloud scanners for scanning public-facing assets. These don’t require deployment efforts and are maintained by Tenable. Tenable also provides Nessus as a preauthorized scanning solution in the AWS marketplace for Amazon Elastic Compute Cloud (Amazon EC2). It can also scan AWS EC2 assets. As it uses a pre-built integration, identifying assets to be scanned in real time is an automatic process. Tenable also offers third-party connectors for AWS and Qualys. AWS Cloud Trail must be configured and an IAM permissions policy created prior to creating the AWS connector.
If you need assistance with Tenable Vulnerability Management, advice on deployment practices, or turnkey vulnerability management support, contact NuHarbor today!
