Creating a Scan Profile
In JSA Vulnerability Manager, you configure scan profiles to specify how and when your network assets are scanned for vulnerabilities.
You must have the correct license capabilities to perform the following scanning operations. If you need assistance to obtain a new or updated license key, contact your Juniper Customer Support.
Click the Vulnerabilities tab.
In the navigation pane, click Administrative > Scan Profiles.
On the toolbar, click Add.
When you create a scan profile, the only mandatory fields are Name and IP Addresses on the Details tab of the Scan Profile Configuration page. You can also configure the following optional settings.
If you added more scanners to your JSA Vulnerability Manager deployment, select a scanner from the Scan Server list. Skip this step if you want to use dynamic scanning.
To enable this profile for on-demand scanning, click the On Demand Scanning Enabled check box.
By selecting this option, you make the profile available to use if you want to trigger a scan in response to a custom rule event. It also enables on-demand vulnerability scanning by using the right-click menu on the Assets page.
Select the Dynamic Server Selection check box to let JSA Vulnerability Manager choose the most appropriate available scanner for each range that you scan. Ensure that the scanners are defined on the Administrative > Scanners page.
Domain-level restrictions are not applied until the security profiles are updated with an associated domain and the changes are deployed.
To scan your network by using a predefined set of scanning criteria, select a scan type from the Scan Policies list.
If you configured centralized credentials for assets, click the Use Centralized Credentials check box. For more information, see the Juniper Secure Analytics Administration Guide.
Click Save.
Creating an External Scanner Scan Profile
In JSA Vulnerability Manager, you can configure scan profiles to use a hosted scanner to scan assets in your DMZ.
JSA Vulnerability Manager must be configured with a hosted scanner. For more information, see Scanning the assets in your DMZ, which describes how to connect to an external scanner and scan the assets in your DMZ for vulnerabilities.
Click the Vulnerabilities tab.
In the navigation pane, click Administrative > Scan Profiles.
On the toolbar, click Add.
When you create a scan profile, the only mandatory fields are Name and IP Addresses on the Details tab of the Scan Profile Configuration page. To create an external scanner profile, you must also complete the remaining steps in this procedure.
From the Scan Server list, select IbmExternalScanner.
From the Scan Policies list, select Full Scan or Web Scan.
Click the Domain and Web App tab. In the Virtual Webs pane, enter the domain and IP address information for the websites and applications that you want to scan.
Click Save.
Note: Authenticated scans are not conducted from the external scanner; a profile that uses IbmExternalScanner performs unauthenticated scanning only.
Creating a Benchmark Profile
To run Center for Internet Security (CIS) compliance scans, you must configure benchmark profiles. CIS compliance scans test Windows and Red Hat Enterprise Linux assets against the corresponding CIS benchmarks.
Click the Vulnerabilities tab.
In the navigation pane, click Administrative > Scan Profiles.
On the toolbar, click Add Benchmark.
If you want to use pre-defined centralized credentials, select the Use Centralized Credentials check box.
Credentials that are used to scan Linux operating systems must have root privileges. Credentials that are used to scan Windows operating systems must have administrator privileges.
If you are not using dynamic scanning, select a JSA Vulnerability Manager scanner from the Scan Server list.
To enable dynamic scanning, select the Dynamic Server Selection check box.
If you configured domains in the Domain Management window on the Admin tab, you can select a domain from the Domain list. Only assets within the CIDR ranges and domains that are configured for your scanners are scanned.
In the When To Scan tab, set the run schedule, scan start time, and any pre-defined operational windows.
In the Email tab, define what information to send about this scan and to whom to send it.
If you are not using centralized credentials, add the credentials that the scan requires on the Additional Credentials tab. The same privilege requirements apply: root on Linux and administrator on Windows.
Click Save.
Running Scan Profiles Manually
In JSA Vulnerability Manager, you can run one or more scan profiles manually.
You can also schedule scans to run at a future date and time. For more information, see Scan Scheduling.
Ensure that a vulnerability processor is deployed. For more information, see Verifying That a Vulnerability Processor is Deployed.
Click the Vulnerabilities tab.
In the navigation pane, click Administrative > Scan Profiles.
On the Scan Profiles page, select the check box for each scan profile that you want to run.
Note: To find the scan profiles that you want to run, use the Name field on the toolbar to filter scan profiles by name.
On the toolbar, click Run.
By default, a scan profile runs a fast scan over TCP and UDP. A fast scan covers most ports in the range 1 - 1024, so a service that listens on a higher port is not probed unless you select a scan policy that covers it.
Rescanning an Asset by Using the Right-click Menu Option
In JSA Vulnerability Manager, you can quickly rescan an asset by using the right-click option.
The right-click scan option is also available on the JSA Offenses tab, and the JSA Risk Manager sub-net asset view.
Click the Vulnerabilities tab.
In the navigation pane, click Manage Vulnerabilities > By Asset.
On the By Asset page, identify the asset that you want to rescan.
Right-click the IP Address and select Run Vulnerability Scan.
In the Run Vulnerability Scan window, select the scan profile that you want to use when the asset is rescanned.
The scanning process requires a scan profile. The scan profile determines the scanning configuration options that are used when the scan runs.
To view a scan profile in the Run Vulnerability Scan window, you must select the On Demand Scanning Enabled check box in the Details tab on the Scan Profile Configuration page.
Note: The scan profile that you select might be associated with multiple scan targets or IP address ranges. However, when you use the right-click option, only the asset that you select is scanned.
Click Scan Now.
Click Close Window.
To review the progress of your right-click scan, in the navigation pane, click Scan Results.
Right-click scans are identified by the prefix RC:.
Scan Profile Details
In JSA Vulnerability Manager, you can describe your scan, select the scanner that you want to use, and choose from a number of scan policy options.
Scan profile details are specified on the Details tab of the Scan Profile Configuration page.
The following options are of particular interest:

| Option | Description |
|---|---|
| Use Centralized Credentials | Specifies that the profile uses pre-defined credentials. Centralized credentials are defined in the Admin > System Configuration > Centralized Credentials window. |
| Scan Server | The scanner that you select depends on your network configuration. For example, to scan DMZ assets, select a scanner that has access to that area of your network. The Controller scan server is deployed with the vulnerability processor on your JSA console or JSA Vulnerability Manager managed host. Note: You can have only one vulnerability processor in your deployment. However, you can deploy multiple scanners, either on dedicated JSA Vulnerability Manager managed host scanner appliances or on JSA managed hosts. |
| On Demand Scanning | Enables on-demand asset scanning for the profile. Use the right-click menu on the Assets page to run on-demand vulnerability scanning. By selecting this option, you also make the profile available to use if you want to trigger a scan in response to a custom rule event. Enabling on-demand scanning also enables dynamic scanning. |
| Dynamic server selection | Specifies whether you want to use a separate vulnerability scanner for each CIDR range that you scan. During a scan, JSA Vulnerability Manager automatically distributes the scanning activity to the correct scanner for each CIDR range that you specify. If you configured domains in the Domain Management window on the Admin tab, you can also select the domain that you want to scan. |
| Bandwidth Limit | The scanning bandwidth. The default setting is medium. Note: If you select a value greater than 1000 kbps, you can affect network performance. |
| Scan Policies | The pre-configured scanning criteria about ports and protocols. For more information, see Authenticated Patch Scans. |
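The routing that the Dynamic server selection option describes, together with the earlier caveat that only assets inside the CIDR ranges and domains configured for your scanners are scanned, can be checked before a profile is saved. The following Python script is an added example written for this page; it is not JSA Vulnerability Manager code and does not call the product. It routes each target to the scanner with the most specific matching CIDR range, honours an optional domain restriction, and lists the targets that no scanner covers. The scanner names, CIDR ranges, the fields on the Scanner record and the target syntax (comma-separated single addresses and CIDR blocks) are all assumptions made for the illustration.

```python
"""Route scan targets to scanners by CIDR range, the way dynamic server
selection does, and report targets that no configured scanner covers.

Constructed illustration for this page; not JSA Vulnerability Manager code.
Scanner names, CIDR ranges, the Scanner fields and the target syntax are
assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scanner:
    """One scanner as defined on Administrative > Scanners (assumed fields)."""
    name: str
    cidrs: tuple                    # CIDR ranges this scanner may scan
    domain: str = "Default Domain"  # domain the scanner belongs to

    def networks(self):
        return [ipaddress.ip_network(c, strict=False) for c in self.cidrs]


def expand_targets(spec):
    """Expand 'ip, ip, cidr' into individual addresses.

    A CIDR block expands to every address in it, network and broadcast
    included; the product's own expansion rules are not documented here.
    """
    addresses = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "/" in item:
            addresses.extend(ipaddress.ip_network(item, strict=False))
        else:
            addresses.append(ipaddress.ip_address(item))
    return addresses


def select_scanner(ip, scanners, domain=None):
    """Return the scanner whose most specific CIDR contains ip, or None.

    When a domain is given, scanners in other domains are ignored; this
    models the domain-level restriction described on the page.
    """
    best, best_prefix = None, -1
    for scanner in scanners:
        if domain is not None and scanner.domain != domain:
            continue
        for net in scanner.networks():
            if ip in net and net.prefixlen > best_prefix:
                best, best_prefix = scanner, net.prefixlen
    return best


def plan_scan(target_spec, scanners, domain=None):
    """Return (assignments, uncovered).

    assignments maps scanner name to the targets it would scan, in the
    order given; uncovered lists targets that no scanner covers and that
    would therefore not be scanned at all.
    """
    assignments, uncovered = {}, []
    for ip in expand_targets(target_spec):
        scanner = select_scanner(ip, scanners, domain)
        if scanner is None:
            uncovered.append(str(ip))
        else:
            assignments.setdefault(scanner.name, []).append(str(ip))
    return assignments, uncovered


# Constructed sample deployment: the more specific lab range overlaps the
# broad corporate range and must win for addresses inside it.
SCANNERS = (
    Scanner("corp-scanner", ("10.0.0.0/8",)),
    Scanner("lab-scanner", ("10.20.0.0/16",)),
    Scanner("dmz-scanner", ("203.0.113.0/24",), domain="DMZ"),
)

if __name__ == "__main__":
    assigned, missed = plan_scan(
        "10.1.2.3, 10.20.5.6, 203.0.113.10, 192.168.1.5, 10.0.0.0/30",
        SCANNERS)
    for name, ips in assigned.items():
        print(f"{name}: {ips}")
    if missed:
        print("not covered by any scanner (will not be scanned):", missed)
```

A non-empty uncovered list means the profile targets assets that no configured scanner can reach; either add the range to a scanner on the Administrative > Scanners page or remove it from the profile's IP Addresses field. Passing a domain reproduces the narrower behaviour you get when a domain is selected on the profile: scanners outside that domain are not considered, even if their CIDR ranges contain the target.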