McAfee Vulnerability Manager 7.5
Best Practices Guide

COPYRIGHT
Copyright © 2012 McAfee, Inc. Do not copy without permission.

TRADEMARKS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Issued 5/15/2012 15:06

Contents

McAfee Vulnerability Manager best practices
  Initial planning
    How to group assets
    Asset value
    How much risk can we accept?
Setup
  Number of servers required
  Prepare your setup
    Place the API server
    Place the configuration manager
    Place scan engines and scan controllers
    Product updates
    Remote access to McAfee Vulnerability Manager appliances
    Network requirements
Discovery scans
  Build an asset inventory with McAfee Vulnerability Manager
  Create effective discovery scans
  Network impact
  Optimization
    Summary of discovery scan optimization
  Initial discovery
    Sorting and grouping
Vulnerability scans
  Target scans to each asset group/environment
    Plan your scanning schedule
  Target scans for specific vulnerabilities
  How graphing and trending can improve security
    Using the dashboard
  Optimize vulnerability scans
    How to increase scan speeds
    How to decrease scan speeds
Web applications scans
  Where to start with web application scanning
  View web application scan reports
  Improve your web application scans
Custom reports
Threat assessment using the Threat Correlation Module
  What is a threat?
  Threat Correlation Module
  View the Threat Correlation Module output
    How to mitigate the risk
Optimize performance
  Performance parameters
  Host Discovery options
    Full connect scan
  Services options
    Enable Load Balancer Detection
    Services running on non-standard ports
  Credential options
    Scanning with credentials
  Optimize options
    ICMP / UDP / TCP timeouts
    Number of passes
    Number of scan objects
    Batch size
    Packet interval
    Scan vulnerability saving option
  Other scanning options
    Foundstone Scripting Language (FSL) threads
  Scan configuration options
    Impact of specific scans
    Perform tracerouting (network mapping)
    About vulnerability checks in McAfee Vulnerability Manager
    Turning off specific vulnerability checks
Recommended scan settings
  Settings: Full-port scans
  Settings: Scan for a single vulnerability
  Settings: Full vulnerability scan (up to 2560 hosts)
  Settings: Asset discovery (up to 65536 hosts)
  Settings: SANS/FBI Top 20 scan (up to 65536 hosts)
  Settings: Full vulnerability scan (up to 65536 hosts)
  Settings: Asset discovery (up to 16,700,000 hosts)
  Settings: SANS/FBI Top 20 scan (up to 16,700,000 hosts)

McAfee Vulnerability Manager best practices
This guide contains information and instructions on planning, setting up, and using the product to help you establish the standards, settings, and policies appropriate for your organization.
Note: The McAfee® Foundstone® product is now known as McAfee Vulnerability Manager. For this release, some portions of the product retain the Foundstone label.

Initial planning
The ultimate goal of a vulnerability management program is to ensure that valuable systems are available to serve their intended purpose and are at as little risk as possible of being adversely affected by security events. When implementing a vulnerability management program, this guiding principle helps you prioritize what to do and what to focus on first.
Before starting any device discovery or vulnerability scanning, set up basic guidelines for how to group and classify devices. These guidelines will be used throughout the process of discovering devices, assigning priority and ownership, determining vulnerabilities, and mitigating risk by deploying patches or other countermeasures.
How to group assets
A good starting point is to consider which aspects of a device type would make a good grouping classifier. For example: Should all systems on the 4th floor be grouped together? Should all UNIX servers be grouped together?
Often an organization already has maintenance and monitoring policies and procedures in place. Such policies are a good starting point for deciding how to group devices in McAfee Vulnerability Manager, and many customers group their assets in a way that closely matches how the systems and devices are already managed and monitored. For example, if all Windows servers in one building are managed by the same team (or by the same individual in smaller organizations), it is logical for those Windows servers to be discovered, profiled, assessed, and remediated in a similar fashion. Likewise, if all printers on the fourth floor of building B are maintained by the same IT team, grouping those printers together is a logical decision.
Note that McAfee Vulnerability Manager requires assets to be unique in the asset table of the database. This means that one asset can participate in only one asset group at any given time, so when two grouping criteria would both apply to a device, decide in advance which one takes precedence.

Asset value
When creating asset groups, think about the business value (criticality) of the assets in the group. Many aspects of an ongoing vulnerability management process become easier, and priorities become clearer, when the business value of an asset is known. For example, both remediation and risk assessment benefit from a clear prioritization of assets, simply because the more important systems and devices should receive attention before others. This principle helps the security and operations teams mitigate the most risk with the resources available.
When assigning criticality to assets, consider questions such as the following (these are examples only, not an all-inclusive list):
• How would my business be impacted if this system was unavailable? This is arguably the most important question to answer. A business-critical system can be defined as one that stores business-critical data and/or participates in a vital function or transaction process. Unavailability might not just be the direct result of, for example, a Denial of Service (DoS) attack, but also of the subsequent recovery and possibly forensics efforts. An attack that takes only seconds to complete can result in several days, even weeks, of downtime.
• Can my business function without this system? This question is slightly different and more pointed than the previous one. Systems without which the business cannot function at all are highly critical and should be the first to receive attention, to mitigate risk and prepare for any possible events. If the answer to this question is “yes,” the system is likely not very important.
• How many users depend on this system? Any system serving many users should be considered important; the more users depending on it, the more important it is. If the users on the system carry out functions that are vital to the business, the value of that system increases further.
• Are other systems depending on this system? Answering this question might require insight into the architecture and configuration of networks and systems. Any system that other assets depend on should be regarded as important, and so should any system that is the only one on the network carrying out a particular function. A good example of a highly important system is a firewall through which all Internet communications occur.
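The grouping and criticality guidance above, turned into a dry run that can be executed against an inventory export before any groups are created in the product. This is an added example written for this guide, not McAfee code: the Asset fields, the rule set, the scoring weights, and the inventory rows are constructed for illustration. Its point is the constraint stated above, that an asset can belong to only one group: rules that overlap are reported so precedence can be settled before import, and assets that no rule covers are listed so they are not left without an owner or a criticality.

```python
"""Dry run of asset grouping rules and criticality scoring.

Added example for this guide, not McAfee code. The inventory rows, the
grouping rules and the scoring weights below are constructed for
illustration; the product only requires that each asset ends up in exactly
one asset group, which is what assign_groups() enforces and reports on.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Asset:
    ip: str
    hostname: str
    os: str
    site: str            # building/floor, e.g. "bldgB-4"
    owner_team: str      # team that manages and monitors the device
    # Answers to the four criticality questions in the section above
    outage_impact: int   # 0 = none ... 3 = business cannot function
    user_count: int      # users depending on the system
    dependents: int      # other systems depending on this one
    sole_provider: bool  # only system carrying out this function?


@dataclass
class GroupRule:
    name: str
    match: Callable[[Asset], bool]


def criticality(a: Asset) -> int:
    """Turn the planning questions into a 1..5 criticality (weights are assumptions)."""
    score = 1 + a.outage_impact
    if a.user_count >= 100:
        score += 1
    if a.dependents > 0 or a.sole_provider:
        score += 1
    return min(score, 5)


def assign_groups(assets: List[Asset], rules: List[GroupRule]):
    """Put every asset in exactly one group: the first matching rule wins.

    Returns (groups, conflicts, ungrouped). 'conflicts' lists assets that
    matched more than one rule, so the rule order can be reviewed before
    the groups are created in the product; 'ungrouped' lists assets no
    rule covers, which otherwise end up without an owner or criticality.
    """
    groups: Dict[str, List[Asset]] = {r.name: [] for r in rules}
    conflicts: List[Tuple[str, List[str]]] = []
    ungrouped: List[Asset] = []
    for a in assets:
        hits = [r.name for r in rules if r.match(a)]
        if not hits:
            ungrouped.append(a)
            continue
        if len(hits) > 1:
            conflicts.append((a.ip, hits))
        groups[hits[0]].append(a)
    return groups, conflicts, ungrouped


def group_criticality(groups: Dict[str, List[Asset]]) -> Dict[str, int]:
    """A group inherits the highest criticality among its members (0 if empty)."""
    return {name: max((criticality(a) for a in members), default=0)
            for name, members in groups.items()}


# Constructed inventory export (not real hosts).
INVENTORY = [
    Asset("10.1.4.10", "win-fs01", "Windows Server 2008", "bldgA-4", "win-ops", 2, 250, 3, False),
    Asset("10.1.4.11", "win-db01", "Windows Server 2008", "bldgA-4", "win-ops", 3, 40, 5, True),
    Asset("10.2.1.5", "prn-b4-1", "Printer", "bldgB-4", "bldgB-it", 0, 30, 0, False),
    Asset("10.2.1.6", "prn-b4-2", "Printer", "bldgB-4", "bldgB-it", 0, 30, 0, False),
    Asset("10.3.0.1", "fw-edge", "Firewall", "dc", "netsec", 3, 5000, 50, True),
    Asset("10.9.9.9", "unknown", "", "", "", 0, 0, 0, False),
]

# Rules follow how the devices are already managed, as the guide suggests.
# Ordered from most to least specific; the last rule overlaps the first on purpose.
RULES = [
    GroupRule("Windows servers, building A, win-ops",
              lambda a: a.os.startswith("Windows") and a.owner_team == "win-ops"),
    GroupRule("Printers, building B floor 4",
              lambda a: a.os == "Printer" and a.site == "bldgB-4"),
    GroupRule("Perimeter devices, netsec", lambda a: a.owner_team == "netsec"),
    GroupRule("All Windows (catch-all)", lambda a: a.os.startswith("Windows")),
]


if __name__ == "__main__":
    groups, conflicts, ungrouped = assign_groups(INVENTORY, RULES)
    for name, crit in group_criticality(groups).items():
        print(f"{name}: {len(groups[name])} assets, criticality {crit}")
    print("overlapping rules:", conflicts)
    print("ungrouped:", [a.ip for a in ungrouped])
```

Run it on the constructed inventory and the two Windows servers are reported as matching both the specific win-ops rule and the catch-all, while 10.9.9.9 is reported as ungrouped; both lists are what should be resolved with the owning teams before the groups are created.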
Once the basic classification guidelines have been established, you can quickly create meaningful groups of assets within McAfee Vulnerability Manager and assign a criticality to these groups and to individual assets as necessary.
Another very important aspect of establishing policies and guidelines is to identify practical and achievable targets for the organization’s security posture.

How much risk can we accept?
How much risk an organization can accept depends heavily on the nature of its business. For example, organizations that store, process, or use sensitive personal information can accept very little risk and are often subject to strict regulatory requirements governing which processes, systems, and controls must be in place to safeguard sensitive information about users, citizens, patients, and so on.
To begin determining the acceptable amount of risk, consider questions such as the following:
• How much exposure can we accept, and for how long? The longer a system remains unpatched (or otherwise at risk), the more likely it is that the system will eventually be affected. In answering this question, consider criteria such as the importance of the system, whether it contains business-critical and/or sensitive data, and what the impact would be if the system were to become unavailable or compromised. As a general rule, systems that contain very sensitive data, perform business-critical functions, or are otherwise very important should not be left exposed for long.
• How quickly can we deal with the assessment results? How quickly can we remediate? One of the unavoidable questions when defining policy and goals is how quickly the organization can react to findings from a vulnerability scan.
For a vulnerability management program to succeed, resources must be in place to remediate vulnerabilities, adjust firewall rules and packet filters, and/or deploy risk-mitigating technologies such as firewalls and IPS products.

Setup
This section provides information on how to prepare to deploy McAfee Vulnerability Manager.

Number of servers required
The number, type, and placement of product servers depend on the total amount of address space, the total number of live devices, network topology, desired scan performance, network constraints, and network policies.
Note: McAfee Vulnerability Manager supports only servers running English-language operating systems.
The following matrix provides guidelines for determining the number of McAfee Vulnerability Manager servers.

Number of live IPs | Number of servers | Notes
0 – 2,500 | One product server with an All-in-One configuration | Ideal for small networks and product evaluations
2,500 – 10,000 | Two product servers: one configured as the enterprise manager web portal and the other configured as database, API server, scan controller, and scan engine with additional components | Very common configuration for small to mid-sized deployments
10,001 – 20,000 | Two product servers: one configured as the enterprise manager web portal and the other configured as database, API server, scan controller, and scan engine with additional components. One product server configured as a dedicated scan engine | Well-suited for large, distributed environments
20,001 – >100,000 | Three product servers: one configured as the enterprise manager web portal, one configured as database, and one configured as API server, scan controller, and scan engine with additional components. n product servers configured as dedicated secondary scan engines | Ideal for large, global, distributed, and diverse networks

Consider these factors:
• Number of IP addresses to be scanned. The primary factor is the number of IP addresses to be scanned. Small to medium-sized networks, as well as installations for product evaluation purposes, can use a single product server. Larger networks are better accommodated with additional hardware.
• Network connectivity to, and reachability of, all desired target environments. A scan engine must be able to reach its targets for the results to have value. When placing scan engines, consider the networks to be scanned and place each scan engine so that it can reach the maximum number of assets with as few firewalls or packet-filtering devices in the path as possible.
• Firewall traversal. The purpose of a firewall is to restrict traffic to legitimate users and to block traffic that might be malicious. Depending on the nature of the vulnerability and the discovery methodology, vulnerability scanning traffic might resemble malicious traffic and be blocked or filtered by a firewall or port filter, which degrades the quality of the data returned by a scan. For example, hosts behind a firewall might not be discovered correctly or at all, or a firewall might make it appear that every host behind it is present when it is not. Discovery and assessment also tend to take longer when they have to traverse a firewall. A common technique to mitigate the impact is either to avoid sending assessment traffic through the firewall altogether, or to create an exception rule in the firewall rule base that allows all packets to and from the scan engine to traverse the firewall unaltered.
• WAN links and latency.
To keep vulnerability assessment schedules manageable, McAfee Vulnerability Manager employs various timing and monitoring components. These monitor the total time a thread has taken to run a check against a host; if a threshold is exceeded, the thread is terminated on the assumption that the host is down or that packets have been lost in transit. This is necessary to ensure that a scan never waits indefinitely, but it also means that WAN links, or heavily congested networks in general, need special consideration in a deployment: on a slow link a live host can exceed the threshold and be recorded as down. Tests have shown that scanning over WAN links with a latency of more than 150 milliseconds is likely to produce results of poor quality. For example, if a set of systems can only be reached over a WAN link, consider placing a scan engine in the remote environment so that scanning is done locally and is not subject to the packet loss and timeouts common on a congested WAN link.
• Other network traffic (business-critical data/sessions). Any active scanning technology, such as McAfee Vulnerability Manager, sends some amount of data to assets on the network; this is an unavoidable consequence of vulnerability scanning. McAfee Vulnerability Manager provides detailed controls for tuning its scanning behavior and speed, and its default settings have proved safe and effective in most networks. However, no matter how the product is deployed and configured, pay attention to network segments, WAN links, firewalls, and so on, where particularly important data passes. Consider a remote site that transmits transactions from a website through a congested or slow WAN link during local business hours.
Because this system only operates during certain hours, configure scans so that the environment is scanned while the web server is not processing transactions and not relying on bandwidth on the WAN link.
• Security or performance. When two product servers are used, McAfee recommends deploying the enterprise manager on one system and the other product components on the second. This is the more secure layout, because the enterprise manager can be placed outside your firewall where users can access it, while the second system stays inside the firewall to gather accurate data from scanned systems. However, having the scan engine and scan controller on the same system as the database can slow performance, depending on the amount of data being processed. To improve performance with two product servers, you can separate the scan engine and scan controller from the database: for example, the enterprise manager, scan engine, and scan controller on one system and the database and the other McAfee Vulnerability Manager components on the second.

Prepare your setup
When planning a deployment of new systems in large environments, initially deploy on a limited scale in a controlled, non-production environment. Deploying a new technology in a “sandbox” environment makes it easy to train staff on the technology where mistakes have little or no impact on the operation of business-critical systems. However, pay close attention to how well the sandbox environment resembles the production networks where the technology will ultimately operate. As described elsewhere in this document, several types of security devices, network topologies, and so on can affect the performance and accuracy of scanning and should be considered when deploying McAfee Vulnerability Manager in a test lab.
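Two placement checks drawn from the firewall traversal and WAN latency points in the list above, as an added example (not McAfee code; the measurements and discovery results are constructed). The first measures TCP connect latency to a sample of hosts per segment and applies the guide's 150 ms figure together with a no-answer ratio to decide whether a segment needs its own scan engine. The second looks at discovery output for the firewall artifact described above, where every address behind a firewall appears to be present: a segment in which almost every probed address answered with one identical port signature is flagged for review. The loss, alive-ratio and segment-size thresholds, the use of port 445 as a probe port, and all function names are assumptions.

```python
"""Scan engine placement checks for the WAN latency and firewall traversal
points above. Added example, not McAfee code; the sample data is constructed.

Check 1, latency: the guide states that links above 150 ms tend to give poor
results because checks that run past the engine's timeout are terminated and
the host is assumed down. evaluate_latency() recommends a local scan engine
when the 95th-percentile latency or the no-answer rate is too high.

Check 2, firewall artifact: the guide notes a firewall can make every host
behind it appear present. suspect_firewall_artifact() flags a segment where
almost every probed address answered with one identical port signature.
The 95% alive threshold and minimum segment size are assumptions.
"""
import math
import socket
import time
from typing import Dict, List, Optional, Tuple

LATENCY_LIMIT_MS = 150.0    # stated in the guide
MAX_LOSS_RATIO = 0.05       # assumption
ALIVE_RATIO_SUSPECT = 0.95  # assumption
MIN_SEGMENT_SIZE = 16       # assumption: fewer samples than this cannot be judged


def tcp_connect_latency_ms(host: str, port: int, timeout: float = 2.0) -> Optional[float]:
    """Time a TCP handshake to host:port; None if it fails or times out."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:
        return None
    return (time.perf_counter() - start) * 1000.0


def measure_segment(hosts: List[str], port: int = 445) -> List[Optional[float]]:
    """Probe each host once; 445 is a convenient probe port on Windows networks (assumption)."""
    return [tcp_connect_latency_ms(h, port) for h in hosts]


def p95(values: List[float]) -> float:
    """95th percentile by nearest rank (deterministic for small samples)."""
    vals = sorted(values)
    return vals[max(0, math.ceil(0.95 * len(vals)) - 1)]


def evaluate_latency(samples: Dict[str, List[Optional[float]]]) -> Dict[str, Tuple[str, Optional[float], float]]:
    """samples: segment -> measured latencies (None = no answer).
    Returns segment -> (recommendation, p95 ms, loss ratio)."""
    verdicts = {}
    for seg, lat in samples.items():
        answered = [x for x in lat if x is not None]
        loss = 1.0 - len(answered) / len(lat) if lat else 1.0
        if not answered:
            verdicts[seg] = ("no response, check reachability", None, loss)
            continue
        p = p95(answered)
        slow = p > LATENCY_LIMIT_MS or loss > MAX_LOSS_RATIO
        verdict = "place scan engine locally" if slow else "remote scanning acceptable"
        verdicts[seg] = (verdict, p, round(loss, 2))
    return verdicts


def suspect_firewall_artifact(discovery: Dict[str, Dict[str, Tuple[int, ...]]]) -> List[str]:
    """discovery: segment -> {address: open ports} for every probed address,
    with an empty tuple meaning no answer. Returns segments that look like a
    firewall answering on behalf of every address."""
    flagged = []
    for seg, hosts in discovery.items():
        if len(hosts) < MIN_SEGMENT_SIZE:
            continue
        alive = {ip: ports for ip, ports in hosts.items() if ports}
        if len(alive) / len(hosts) >= ALIVE_RATIO_SUSPECT and len(set(alive.values())) == 1:
            flagged.append(seg)
    return flagged


# Constructed measurements: a local LAN and a congested branch WAN link.
SAMPLE_LATENCY = {
    "hq-lan": [2.1, 1.8, 3.0, 2.4, 2.2, 1.9, 2.7, 2.5, 2.0, 2.3],
    "branch-wan": [140.0, 155.0, 210.0, 148.0, 190.0, None, 160.0, 175.0, 152.0, 166.0],
}


def constructed_discovery() -> Dict[str, Dict[str, Tuple[int, ...]]]:
    """Constructed discovery output: one segment behind a proxying firewall, one normal."""
    behind_fw = {f"192.0.2.{i}": (80, 443) for i in range(1, 33)}  # every address "alive", same ports
    office = {f"198.51.100.{i}": () for i in range(1, 33)}
    varied = [(22,), (135, 445), (22, 80), (3389,)] * 3
    for i, ports in enumerate(varied, start=1):
        office[f"198.51.100.{i}"] = ports                           # 12 of 32 alive, mixed ports
    return {"dmz-behind-fw": behind_fw, "office-lan": office}


if __name__ == "__main__":
    for seg, (verdict, p, loss) in evaluate_latency(SAMPLE_LATENCY).items():
        print(f"{seg}: {verdict} (p95 {p} ms, loss {loss})")
    print("possible firewall artifacts:", suspect_firewall_artifact(constructed_discovery()))
```

To use it on a real network, replace SAMPLE_LATENCY with measure_segment() results for a handful of known-live hosts per segment, and feed suspect_firewall_artifact() the per-address port results of a discovery scan; a segment it flags should be rescanned from an engine on the inside of the firewall before its hosts are trusted as live.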
Place the API server
The enterprise manager portal uses an API server to communicate with the database. Any request initiated by a client browser is sent to the enterprise manager, which in turn sends requests to the API server, which then communicates with the database. This architecture allows McAfee Vulnerability Manager to offload processing and communications to a process external to both the enterprise manager and the database.
Consider the following when deciding which appliance will run the API server:
• Network architecture. The API server should be in close proximity (network-wise) to the database and the enterprise manager web portal. This provides the best performance for users accessing McAfee Vulnerability Manager through the enterprise manager. In other words, choose the appliance that has no firewalls, WAN links, congested networks, packet shapers, and so on, between itself, the database, and the enterprise manager.
• Network latency. Place the API server so that there is minimal latency between itself, the enterprise manager, and the database.
• Scanning. The API server can run on an appliance that also hosts a scan engine. In a large environment with many users concurrently accessing the enterprise manager, the API server services many concurrent requests generated by those users. Under these circumstances, the scan engine on this appliance should not be used for scanning, so that resources are dedicated to the API server. McAfee recommends that you revoke access to that scan engine in the user rights management system to ensure it is not used for actual scanning.
Note: The suggested maximum number of scans running at the same time on any scan engine is 5 concurrent scans with 10 subscans each. A scan can be divided into subscans to increase scan speed.
The following table is a conservative guideline for where and how to place the API server:

IP addresses | Appliances | Concurrent portal users | Location of the API server | Scan engine on the same appliance
1 – 2,500 | 1 | 1 – 15 | Installed with database and web portal | Yes
2,501 – 10,000 | 2 | 16 – 30 | Installed with database | Yes
10,001 – 20,000 | 3 | >31 | Installed on a dedicated server | No
20,001+ | >3 | >31 | Installed on a dedicated server | No

• API server sharing hardware with the database. In most deployments (except large environments), installing the API server on the same product server as the database is advantageous for several reasons:
  • Responsiveness. Co-locating the API server with the database removes any question of network latency or access. On the other hand, it also takes resources away from the database.
  • Secure location. The database appliance is typically located in a highly secure environment.
  • Efficient use of resources. For almost all environments, co-locating the API server with the database ensures that the investment in McAfee Vulnerability Manager appliance hardware is used to the best degree possible.

Place the configuration manager
The McAfee Vulnerability Manager Configuration Manager (previously known as the Foundstone Configuration Manager or FCM) handles configuration options for the McAfee Vulnerability Manager installation and deploys updates to McAfee Vulnerability Manager appliances. There is only one configuration manager server per McAfee Vulnerability Manager installation.
Note: The maximum number of appliances running McAfee Vulnerability Manager components in a deployment is limited by the number of appliances the configuration manager can manage.
This is determined by the CPU and memory bandwidth of the configuration manager appliance hardware. For example, a McAfee MVM3100 running only the configuration manager can manage approximately 100 appliances.
The following table is a conservative guideline for where to place the configuration manager component.

Appliances | Location of the configuration manager | Scan engine on the same appliance
1 | Installed with database and enterprise manager | Yes
2 | Installed with database | Yes
3 – 10 | Installed with database | No
10 – 100 | Installed on a dedicated server | No

Place scan engines and scan controllers
A scan engine is a McAfee Vulnerability Manager component that performs network-based discovery and assessment of the host systems targeted by a scan configuration. There can be many scan engines per McAfee Vulnerability Manager installation.
A scan controller is a McAfee Vulnerability Manager component that assigns work to, and receives results from, the scan engines assigned to it. There can be many scan controllers per installation, each controlling one or more scan engines. The scan controller is new in McAfee Vulnerability Manager 7.5 and contains functionality previously handled directly by each scan engine. By default, scan engines are automatically assigned to scan controllers by the configuration manager, but they can also be assigned to a scan controller manually.
The scan engine connects to its assigned scan controller using HTTPS. The scan controller connects to the database using the Microsoft SQL protocol. Both components must connect to the FC Server over SSL to receive configuration changes and software updates.
In most network environments, such as a corporate intranet, each scan engine should be deployed with a dedicated scan controller on the same appliance. This is the recommended deployment.
Figure 1: Product deployment with a scan engine and scan controller on the same system
Scan engines and scan controllers can also be deployed independently, for example when security policy or network topology does not allow scan engines to connect directly to the database. The database server might be behind a firewall, or otherwise isolated from the rest of the network. In this configuration, one or more scan controllers straddle the firewall, connecting to the database on one side and accepting HTTPS connections from multiple scan engines on the other. The API server and configuration manager server would also need to straddle the firewall.
Figure 2: Product deployment with scan engines and scan controllers on separate systems
Note: Under typical load, each scan controller can support up to 40 scan engines when run on an MVM3100 (as of the McAfee Vulnerability Manager 7.0.2 patch).

Product updates
For a McAfee Vulnerability Manager system to obtain new vulnerability checks, threat alerts, OS signature updates, and product patches, the FSUPDATE process must be running. FSUPDATE contacts the McAfee Vulnerability Manager update servers and retrieves update packages, which are stored in the database. From there, the update packages are distributed by the configuration manager and applied as necessary. For this process to function automatically, at least one scan engine must be able to reach the Internet. Note that while FSUPDATE is installed on all scan engines by default, it should be running on only one appliance.
FSUPDATE requires a user name and password to authenticate to the McAfee Vulnerability Manager update server. The user name and password are issued with your product license key. Product updates are retrieved from update.foundstone.com on TCP ports 443 and 80; set up an exclusion for this address so that product updates can be retrieved. The MVM3100 cannot be configured to use a proxy. Where possible, also set up a proxy exclusion for susupdate.foundstone.com, TCP port 80. This address serves operating system updates, which are tested by quality assurance before release.

Remote access to McAfee Vulnerability Manager appliances

MVM3100, MVM3000, and MVM2100 appliances can be configured to accept connections from a Remote Desktop Connection or Terminal Services client, and access can be restricted by client IP address. When accessing an appliance remotely, always connect to the console session using the Microsoft Remote Desktop Client. Select Start | Run, enter CMD, and use one of the following command lines:

• mstsc /admin (Windows XP SP3, Windows Vista SP1, Windows 2008)
• mstsc /console (Windows XP SP2 and earlier, Windows Vista prior to SP1, Windows 2003)

Running the McAfee Vulnerability Manager application in any remote desktop session other than the admin or console session greatly degrades McAfee Vulnerability Manager performance.

Network requirements

McAfee Vulnerability Manager components use the network ports and protocols in the following tables. If a firewall separates components, these ports and protocols must be opened in the firewall configuration before installing McAfee Vulnerability Manager 7.5. The network requirements diagrams use a distributed deployment architecture to display the communication paths.
If you use a different deployment architecture, note which system is running each McAfee Vulnerability Manager component, and use the port number and communication path specified in the communication path tables. The network requirements diagrams are separated into two groups: connecting McAfee Vulnerability Manager components, and connecting to external components. External components include other databases, McAfee ePO databases, LDAP or Active Directory servers, and external ticketing or issue management systems.

Connecting McAfee Vulnerability Manager components

Figure 3: Network requirements. Systems in the diagram: System 1 – Enterprise manager; System 2 – API service, scan controller, and scan engine; System 3 – Database***; System 4 – Report server; System 5 – Scan engine; Authenticated user (users log on to the enterprise manager). Component boxes shown: scan controller, API server, scan engine, data synchronization service, notification service, database, configuration manager, report engine.

McAfee Vulnerability Manager component communication paths

  #    Title                                             Port(s)     Protocol
  1    Assessment management search results              443 or 80   SOAP over HTTPS or HTTP
  2    Command and control                               3800        SOAP over HTTPS or HTTP
  3    API service                                       1433        (SSL over) TCP/IP
  4    Scan data                                         1433        (SSL over) TCP/IP
  5    Data synchronization service*                     1433        (SSL over) TCP/IP
  6    Notification service**                            1433        (SSL over) TCP/IP
  7    Scan data                                         1433        (SSL over) TCP/IP
  8    Report data                                       1433        (SSL over) TCP/IP
  9    Scan data (scan engine to scan controller)        3803        REST over HTTPS or HTTP
  10   Generating reports or changing report templates   3802        REST over HTTPS or HTTP
  11   Generated reports                                 443 or 80   REST over HTTPS or HTTP
  12   Web browser traffic                               443 or 80   HTTPS or HTTP

*Changing the location of the data synchronization service changes the communication path(s) displayed in this diagram.
**Changing the location of the notification service changes the communication path(s) displayed in this diagram.
***Changing the location of the configuration manager requires a communication path between the configuration manager and the database, using port 1433, (SSL over) TCP/IP.

Note: All McAfee Vulnerability Manager components have an FCM Agent installed. The communication between each FCM Agent and the configuration manager server uses port 3801, (SSL over) TCP/IP.
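The following script is an added example, not part of the guide or of the product, that turns the paths above into a pre-installation connectivity check. It encodes only the host-to-host paths whose endpoints the guide states explicitly (scan engine to scan controller on 3803, scan controller and configuration manager to the database on 1433, every component's FCM Agent to the configuration manager on 3801, and browser traffic to the enterprise manager on 443) and tests each with a plain TCP connect. The host names, the deployment layout and the probe function are assumptions; a successful connect proves that a listener is up and the firewall is open, not that the far end speaks the expected SQL, SOAP or REST.

```python
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# (source host, destination host, TCP port, description)
Flow = Tuple[str, str, int, str]

# Role-to-role paths stated in the guide, with the port numbers from the tables above.
ROLE_PATHS = [
    ("scan_engine", "scan_controller", 3803, "scan data, REST over HTTPS or HTTP"),
    ("scan_controller", "database", 1433, "scan data, (SSL over) TCP/IP"),
    ("configuration_manager", "database", 1433, "configuration manager to database, (SSL over) TCP/IP"),
    ("user_workstation", "enterprise_manager", 443, "web browser traffic, HTTPS"),
]
# Every component runs an FCM Agent that talks to the configuration manager on this port.
FCM_AGENT_PORT = 3801
FCM_AGENT_DESC = "FCM Agent to configuration manager, (SSL over) TCP/IP"


def required_flows(deployment: Dict[str, List[str]]) -> List[Flow]:
    """Expand the role paths into host-to-host flows for a concrete deployment.

    deployment maps a role name to the hosts running it. Pairs where source and
    destination are the same host need no firewall rule and are dropped.
    """
    flows: List[Flow] = []
    for src_role, dst_role, port, desc in ROLE_PATHS:
        for src in deployment.get(src_role, []):
            for dst in deployment.get(dst_role, []):
                if src != dst:
                    flows.append((src, dst, port, desc))
    component_hosts = sorted({h for role, hosts in deployment.items()
                              if role != "user_workstation" for h in hosts})
    for host in component_hosts:
        for cm in deployment.get("configuration_manager", []):
            if host != cm:
                flows.append((host, cm, FCM_AGENT_PORT, FCM_AGENT_DESC))
    return flows


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_from(local_host: str, flows: Iterable[Flow],
               probe: Callable[[str, int], bool] = tcp_probe) -> List[Flow]:
    """Test the flows that originate on local_host; return those that failed.

    Flows from other hosts are skipped: a connect test is only meaningful when
    run from the source side of the firewall.
    """
    return [f for f in flows if f[0] == local_host and not probe(f[1], f[2])]


# Constructed deployment in the style of Figure 2 (placeholder host names): one
# scan controller with a local engine, two remote engines, the database and the
# configuration manager sharing a host, and an administrator's browser.
EXAMPLE_DEPLOYMENT = {
    "enterprise_manager": ["em01"],
    "scan_controller": ["sc01"],
    "scan_engine": ["sc01", "se02", "se03"],
    "database": ["db01"],
    "configuration_manager": ["db01"],
    "user_workstation": ["admin-pc"],
}

if __name__ == "__main__":
    import sys
    me = sys.argv[1] if len(sys.argv) > 1 else socket.gethostname()
    flows = required_flows(EXAMPLE_DEPLOYMENT)
    print(f"{len(flows)} flows required; testing the ones that start on {me}")
    for src, dst, port, desc in check_from(me, flows):
        print(f"BLOCKED  {src} -> {dst}:{port}  ({desc})")
```

Run it on each component host in turn before installation and again after any firewall change; the script only tests flows that originate on the host it runs on, and every flow it reports as blocked must be opened before that component can be installed. Paths whose endpoints depend on where you place the API service, report server, data synchronization service and notification service are left out of ROLE_PATHS; add them once those placements are decided.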
Connecting external components

Figure 4: External component communications. The diagram shows System 2 (API service, scan controller, and scan engine; component boxes: scan controller, API server, scan engine, data synchronization service, notification service) communicating with:
  A – External ticketing or issue management
  B – External SMTP server
  C – External LDAP / Active Directory (AD)
  D – External McAfee ePO database

External component communication paths

  #   Title                           Port   Protocol
  1   Notification service**          162    SNMP
  2   Notification service**          161    SNMP
  3   Notification service**          25     SMTP
  4   Data synchronization service*   389    LDAP
  5   Data synchronization service*   1433   (SSL over) TCP/IP

*Changing the location of the data synchronization service changes the communication path(s) displayed in this diagram.
**Changing the location of the notification service changes the communication path(s) displayed in this diagram.

Discovery scans

This section describes some of the more common techniques and practices that help you get the best results from a deployed McAfee Vulnerability Manager solution.

Build an asset inventory with McAfee Vulnerability Manager

Keeping track of which devices are on the network remains one of the most fundamental challenges for IT security and operations professionals alike. McAfee Vulnerability Manager is well suited to providing this information in a timely and manageable manner. Before any identification of vulnerabilities and threats is undertaken, a detailed asset inventory should be built. The benefits of a network-based asset discovery technique range from efficiency to operational ease. For example, an IT security or security operations team might struggle to reach the appropriate people within the organization to gather the necessary asset data. Other times an organization might simply not have up-to-date asset information. Being able to discover devices on the network with no prior knowledge solves both problems.

Create effective discovery scans

McAfee Vulnerability Manager comes pre-configured with scan templates. A quick and easy way to create a discovery scan is to base it on the "Asset Discovery" scan template. Such a scan sweeps the targeted IP ranges and detects any live devices that respond to the various probes sent by McAfee Vulnerability Manager. A detailed description of the discovery process is given later in this section.

Any network-based device discovery technique works by sending certain packet types to the target and observing the responses. Certain devices are configured not to respond to unsolicited traffic at all. This includes firewalls and other devices that employ a local firewall or filtering capability. Such devices are intended not to appear on the network when probed, so they might not appear in the asset inventory built by McAfee Vulnerability Manager.

Several remedies are available. The most commonly used method is to leverage any centralized management capability of, for example, the firewall modules on desktop PCs. If the firewall module on a desktop PC is under centralized management, it is easy and very advantageous to create an exception rule in the firewall's rule base that allows the device to respond to probes and connection requests from a vulnerability management system such as McAfee Vulnerability Manager. This lets organizations keep the benefits of host-based shielding while still identifying these devices and subjecting them to vulnerability assessments.
Network impact

As mentioned elsewhere in this document, any network-based assessment technology works by sending packets to the targets and observing responses, so some amount of network traffic is unavoidably introduced. This traffic is highest when measured at the scan engine's network interface. Because of how modern networks transmit and distribute traffic, each individual target system receives only a small fraction of those packets, namely the ones addressed to it. The vast majority of modern networks and systems handle assessment traffic with no problems whatsoever. However, certain types of devices and conditions do warrant caution:

• Intrusion Detection System (IDS) sensors. These are, by design, intended to react to traffic patterns resembling an attack or a major event such as a worm. IDS or IPS (Intrusion Prevention System) sensors should be configured so that they do not react to traffic from McAfee Vulnerability Manager.

• Legacy devices. Certain devices might be so old or fragile that even very light scanning can have an adverse effect. These are typically systems running very old operating systems or highly unstable applications. A good approach is to test these legacy devices and applications in a test lab before the full deployment of McAfee Vulnerability Manager.

• Improperly configured devices. Some devices might be configured to log all packets, sessions, transactions, and so on, in extreme detail. While such a configuration might be appropriate when implementing, tuning, and troubleshooting a device, in production it often leads to problems because of very large log files. Devices employing this very detailed logging might be overwhelmed when trying to log the many packets and sessions a typical vulnerability scan produces.

• Packet-modification software/hardware. If a McAfee Vulnerability Manager scan passes through a program or device that controls network traffic (generally known as a packet shaper), scanning might be impacted negatively because retrieving results from targets takes longer. This might produce inaccuracies in the scan results.

To put things in perspective: if devices are adversely affected by a non-intrusive scan, they are so fragile that they would very likely have been affected even more by a real malicious event. Most IT professionals agree that it is better for this to happen under controlled circumstances than during a real security event.

Optimization

An important aspect of ensuring successful discovery scans is understanding how to optimize your scan settings. All networks, systems, and environments are different, as are the requirements imposed by regulatory, corporate, and operational policies, so the default settings of McAfee Vulnerability Manager are chosen to provide the best possible discovery capability and accuracy while remaining non-intrusive. As a result, the default settings, while safe and relevant, can be optimized for individual environments. Specifically for device discovery scans, the goal of any optimization effort should be to configure the discovery parameters so that the scan includes no more than what is absolutely necessary to discover a device and accurately identify its operating system. Before discussing a number of example scenarios where optimization is beneficial, some background information about the device discovery process is needed.
When attempting to discover live devices in a given IP address range, the discovery process follows these steps:

1 ARP cache interrogation. First, the scan engine looks in its local ARP cache to determine whether the MAC address of a target IP address is known. If it is, the host is alive and has been communicated with very recently. If nothing is found, the discovery process continues to step 2. (The ARP cache only holds entries for targets on the scan engine's directly connected subnets; hosts behind a router are not found in this step.)

2 ICMP probes. The discovery process sends ICMP echo requests (ping) to each IP address not discovered in step 1 (other ICMP packet types can be enabled). If a response is received from the target IP address, the host is considered live and discovered.

3 TCP port probes. The discovery process sends TCP SYN packets to specific ports on each IP address not discovered in step 2. If an IP address responds with a SYN-ACK packet, the host is considered live.

4 UDP port probes. As the fourth and last step, UDP packets are sent to any IP address not yet found to be live. These packets contain properly formatted UDP-based protocol messages. If a properly formatted protocol message is received from a targeted host, that host is considered live.

Any IP address that has not responded to any probe at this point is considered down and is not processed further.

The following are examples of optimization scenarios.

Example 1

A scan engine is deployed near the network core in a NOC. From this location, the scan engine has network visibility to all networks in the organization. Security policy dictates that firewalls segregate remote locations from the NOC, and that these firewalls block ICMP traffic to and from the NOC. In this example, the default settings would accurately discover all hosts on the remote networks, but would also spend a considerable amount of time needlessly attempting to discover hosts with ICMP packets. In such a scenario you could disable the use of ICMP packets, which saves considerable time and bandwidth.

Example 2

A scan engine is scanning hosts through a firewall. The firewall is configured so that only properly established TCP sessions are allowed to traverse it. In this example, TCP host discovery would not, by default, yield accurate results because the default technique is "half open" or "SYN scanning". You would need to enable full TCP handshakes for host discovery and also for service discovery. (This setting is available on the Settings tab when editing or creating a scan.)

Example 3

A scan engine needs to scan 10.0.0.0 - 10.255.255.255. This address space covers multiple locations, some of which are reached via slow WAN links while others are robust, high-bandwidth network segments. The challenge lies in finding settings that are effective and accurate both for the slow and for the fast segments of the network. The safest approach is to optimize the parameters to fit the slowest parts of the network. Depending on the number of slow and fast network segments, it might be advantageous to create separate scans for the slow and the fast segments. The following examples discuss these scenarios in more detail.

Example 4

Hosts on a remote network must be discovered. The only path to the remote network is a very slow WAN link. The discovery must be done outside production hours to avoid any impact on business-critical systems and the data they send and receive across the WAN link. In scenarios where very little bandwidth is available, you should consider two major factors: sending as few packets as possible, and mitigating the impact of packet loss.
The first concern can be addressed by making the following adjustments:

• Slow the scan down. McAfee Vulnerability Manager allows you to adjust the number of milliseconds between each packet in the discovery process. This is perhaps the single most powerful tool for decreasing the number of packets sent per second. The default value is a compromise between speed and efficiency. To optimize a scan for low bandwidth, increase the number of milliseconds between each packet during discovery. This slows the rate at which packets are sent and reduces the bandwidth used at any given point in time. Reducing scan speed in this way is a simple and effective way of reducing bandwidth requirements, but it is always a trade-off, as a slower scan takes longer to complete.

  Note: This only affects discovery scans. Vulnerability scans cannot be slowed down using the inter-packet delay. To slow down vulnerability scans, reduce the number of sub scans.

• Reduce the number of packets sent. Another very effective way of optimizing a scan for low bandwidth is to reduce the number of packets sent to each host. This requires some knowledge of the target environment. For example, you could disable the use of ICMP packets for discovery. Doing so eliminates a significant number of packets, but also means that any device that can only be discovered using ICMP will not be found by that scan. Another approach is to reduce the number of TCP and UDP ports included in the host discovery. In an environment where few or no hosts are reached through a firewall, reducing the UDP port list to only UDP ports 53 and 161 effectively cuts down the number of packets sent in a discovery scan. Likewise, in an environment consisting predominantly of Windows-based web and email servers, you could reduce the TCP port list to only ports 25, 80, 110, 135, 443, and 445.

• Reduce the number of sub scans. McAfee Vulnerability Manager employs a technique by which a scan is divided into multiple independent virtual scans. The purpose is to increase performance on large networks by scanning more devices at the same time. To optimize for low bandwidth, reduce the amount of parallel scanning performed. Do this by raising the threshold that triggers the use of sub scans (called the "IP Threshold") and by reducing the number of "Scan objects" (synonymous with sub scans). These two adjustments reduce the amount of parallel scanning and therefore the number of packets sent simultaneously.

• Specify ports (McAfee ePO or credential methods only). When using McAfee ePolicy Orchestrator (McAfee ePO) or credential methods to identify Windows operating systems (assessing only for authenticated checks), specify only ports 445 and 139 to authenticate to the system. This eliminates the need to discover all ports to perform OS identification. The drawback is an incomplete list of network services in the report.

Example 5

A class B address space (65,536 addresses) on a robust, high-speed network segment must be discovered in as little time as possible. In this example, the goal is the opposite of the previous example: now the goal is to scan as fast as possible. The adjustments are, to some extent, the opposite of those discussed in the previous example:

• Speed the scan up. By reducing the inter-packet delay, scan speed increases significantly, but so does the amount of network traffic generated.

• Reduce the number of packets sent. Reducing the number of packets sent is effective in increasing scan speed as well as in reducing the amount of bandwidth used.

• Increase the number of sub scans. Sub scans increase the scan performance of McAfee Vulnerability Manager by dividing a scan into multiple independent virtual scan elements. Each sub scan processes its own section of the address space, in parallel with the other sub scans. This parallel scanning and processing drastically decreases the time it takes to scan a given amount of address space, but also produces a much higher number of packets per second.

Summary of discovery scan optimization

An important part of optimizing a discovery scan to suit various environments and requirements is to adjust the number, type, and composition of the probes (packets) sent. This tuning is best accomplished as part of the ongoing process of discovering, assessing, remediating, and verifying devices and vulnerabilities, because an optimization that is accurate and does not degrade the quality of the results requires some knowledge of the environment. As a result, initial discovery scans are often configured to be broad and thorough to ensure that everything is discovered. As you learn more about the environment, discovery scans can be focused more precisely without running the risk of misidentifying devices or not discovering devices at all.

One of the previous examples describes how it can be beneficial to remove ICMP packets and/or certain TCP ports from the list of packet types used to discover a host. To do this without risking missing devices or identifying devices incorrectly, you must know enough about the environment to judge whether it is appropriate to disable those packet types.
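To make the effect of the ICMP and handshake choices concrete, here is an added example (not code from the guide or from the product) that simulates the four discovery stages described above over a constructed set of hosts: a local segment, and a remote site whose firewall blocks ICMP and passes only established TCP sessions. The hosts, the port lists, the per-host behaviour flags, and the simplification that probing of a host stops at its first reply are all assumptions; the scan engine's real default port lists are not given in the guide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Host:
    """Constructed behaviour of one target; the flags stand in for real network replies."""
    ip: str
    in_arp_cache: bool = False                           # stage 1: engine already holds its MAC
    icmp_reachable: bool = False                         # stage 2: an echo reply reaches the engine
    open_tcp: Set[int] = field(default_factory=set)      # stage 3: ports that would SYN-ACK
    udp_services: Set[int] = field(default_factory=set)  # stage 4: ports that answer a protocol message
    stateful_firewall: bool = False                      # only fully established TCP sessions pass


@dataclass
class DiscoverySettings:
    use_icmp: bool = True
    full_tcp_handshake: bool = False                     # False = half-open (SYN) scanning
    # Assumed example port lists; the product's real defaults are not stated in the guide.
    tcp_ports: Tuple[int, ...] = (21, 22, 25, 80, 135, 139, 443, 445)
    udp_ports: Tuple[int, ...] = (53, 137, 161)


def discover_host(host: Host, s: DiscoverySettings) -> Tuple[str, int]:
    """Run the four stages against one host.

    Returns (stage that found the host, or "" if none, probes sent). Probing of
    a host stops at the first stage that gets a reply (simplifying assumption).
    """
    probes = 0
    if host.in_arp_cache:                      # stage 1: no packet needed
        return "arp", probes
    if s.use_icmp:                             # stage 2
        probes += 1
        if host.icmp_reachable:
            return "icmp", probes
    for port in s.tcp_ports:                   # stage 3
        probes += 1
        # A stateful firewall drops a bare SYN probe; a full handshake gets through.
        if port in host.open_tcp and (s.full_tcp_handshake or not host.stateful_firewall):
            return "tcp", probes
    for port in s.udp_ports:                   # stage 4
        probes += 1
        if port in host.udp_services:
            return "udp", probes
    return "", probes


def discover(hosts: List[Host], s: DiscoverySettings) -> Tuple[Dict[str, str], int]:
    """Sweep a host list; returns ({ip: stage} for live hosts, total probes sent)."""
    found: Dict[str, str] = {}
    total = 0
    for h in hosts:
        stage, n = discover_host(h, s)
        total += n
        if stage:
            found[h.ip] = stage
    return found, total


def estimate_seconds(probes: int, delay_ms: int, sub_scans: int = 1) -> float:
    """Lower bound on sweep time: probes spaced delay_ms apart, spread over parallel sub scans."""
    return probes * delay_ms / 1000 / sub_scans


# Constructed sample hosts (not from the guide).
LAN_HOSTS = [
    Host("10.0.0.1", in_arp_cache=True),                                # router, spoken to recently
    Host("10.0.0.10", icmp_reachable=True, open_tcp={135, 139, 445}),  # Windows workstation
    Host("10.0.0.20", icmp_reachable=True),                             # device that answers ping only
    Host("10.0.0.30", udp_services={161}),                              # SNMP-only device, no ping
]
REMOTE_HOSTS = [  # behind a firewall that blocks ICMP and passes only established TCP
    Host("10.5.0.5", open_tcp={80, 443}, stateful_firewall=True),       # web server
    Host("10.5.0.6", open_tcp={25}, stateful_firewall=True),            # mail server
    Host("10.5.0.9"),                                                   # never answers anything
]

if __name__ == "__main__":
    scenarios = [
        ("LAN, defaults", LAN_HOSTS, DiscoverySettings()),
        ("LAN, ICMP off", LAN_HOSTS, DiscoverySettings(use_icmp=False)),
        ("Remote, defaults", REMOTE_HOSTS, DiscoverySettings()),
        ("Remote, full handshake (Example 2)", REMOTE_HOSTS, DiscoverySettings(full_tcp_handshake=True)),
        ("Remote, full handshake, ICMP off (Example 1)", REMOTE_HOSTS,
         DiscoverySettings(use_icmp=False, full_tcp_handshake=True)),
    ]
    for label, hosts, settings in scenarios:
        found, probes = discover(hosts, settings)
        print(f"{label}: found {sorted(found)} with {probes} probes, "
              f"~{estimate_seconds(probes, delay_ms=50):.1f}s at 50 ms spacing")
```

Running it shows the trade-offs the examples describe: with ICMP disabled the remote site is found with fewer probes (Example 1), but the same setting applied to the local segment loses the host that only answers ping; and on the remote site nothing is found at all until full TCP handshakes are enabled (Example 2). The estimate_seconds figure assumes an idle link and a fixed inter-packet delay and ignores response waits and packet loss, so treat it as a floor, not a forecast.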
The best approach to discovery scan optimization is to start with reasonable and safe defaults, and then, through an ongoing process, develop discovery scan templates that match the environmental requirements. The goal is to understand the characteristics of each distinct environment well enough that the discovery scan parameters can be optimized without compromising the quality of the discovery data. In other words, it might be beneficial to develop scans designed specifically for each distinct environment. While some organizations have some advance knowledge of their environments, which is very useful, this document describes a process that requires no advance knowledge and will help you understand and build the asset inventory.

Tip: If your networks or hosts are generated or installed from a standard image, scan the image to build a discovery scan template.

Initial discovery

The purpose of the initial set of discovery scans is to build awareness of the environment. It is assumed that, at this point, you do not know what devices to expect in which network segments, so you must be able to discover any device. This means that you should not remove any probe or packet types from the default discovery scan profile template. The safest approach is to conduct the discovery scan more slowly than you would in a well-known environment. If you know of particularly slow network segments, McAfee advises running separate scans for those segments at reduced speed.

Sorting and grouping

Once the initial device discovery is complete, McAfee Vulnerability Manager contains a detailed device inventory. You should now begin sorting devices into asset groups and assigning a business value (criticality) to each device. One grouping strategy is to base asset groups on the asset owners and the teams responsible for maintaining the systems in question. The asset management module of McAfee Vulnerability Manager (Manage | Assets) makes it easy to create groups and populate them with assets. For example, to create an asset group of all Windows servers in a particular subnet, use the Advanced Search option to create a search that returns all hosts where the keywords "Windows" and "Server" appear in the OS name and that belong to the subnet in question. Once the search is complete, add the assets found by the search to the asset group "Windows Servers".

Vulnerability scans

Before using vulnerability scans, consider how to structure the scanning regimen to obtain the most useful results. Because McAfee Vulnerability Manager is very scalable and can easily scan many assets, you could be overloaded with information. To avoid this, consider the following suggestions:

• Focus on the assets that matter most. Using the asset values and prioritizations discussed previously, start with the devices that are most vital to the organization.

• Focus on the vulnerabilities that matter most. By targeting high-risk vulnerabilities first, an organization quickly reaps the benefits of its vulnerability management program.

• Develop corporate scanning policies. Many organizations have successfully developed corporate standard scanning templates. These can easily be derived from public standards such as SANS, NIST, CIS, and so on. This is one of the most important steps to take: a properly focused scanning regimen can prove highly effective and ease the adoption of a vulnerability management technology.

• Consider what your risk mitigation/remediation capacity is.
A vulnerability management program is only truly effective if risk is actually being mitigated, patches are being deployed, and so on. A very important factor in developing a successful scanning regimen is therefore how much capacity your organization has for remediating vulnerabilities or applying other risk mitigation strategies. A scanning schedule that produces more results than can be processed leads to frustration and an inefficient approach to securing the organization.

A common mistake is to simply let a vulnerability scan detect every single high, medium, and low risk vulnerability across all networks in an organization. This approach, while seemingly simple, typically results in information overload: system administrators buckle under the workload of keeping up with the endless stream of information and change requests, and IT security teams appear ineffective and show no progress. A more successful approach is to create targeted scans. By tailoring scans to each distinct environment and applying, for example, a corporate top 20 scan policy, results become much more manageable and much more visible when reporting to executive management. A corporate top 20 scan targets 20 vulnerabilities that have been identified as important to your organization. Whether to target 10, 20, 30, or more vulnerabilities is best decided by the individual organization, but regardless of the number, this focused approach has proven highly successful with most current customers of McAfee Vulnerability Manager.

Target scans to each asset group/environment

Focus on the vulnerabilities most important for that environment. More specifically, a successful practice is to design your scan configurations to match a well-designed asset inventory.

Example 1

An asset group contains all Windows-based web servers that are publicly accessible. This web farm hosts a vital e-commerce application. In this example, a scan containing all non-intrusive checks for Windows web servers and general web-based vulnerabilities could be a good starting point. Such a scan focuses on the most critical assets in this particular organization, namely the e-commerce web front end. Since these devices are exposed to the Internet and are vital to the business, the scan should target all severities of vulnerabilities; even low risk information leakage vulnerabilities are unacceptable to this organization. Limiting the scope of the scan to web vulnerabilities and to this particular asset group ensures that the results are manageable and that priority and attention are given to the systems vital to the business.

Example 2

An asset group contains all Windows XP workstations on a particular campus of a large international organization. These workstations are all managed by a central entity, and the population of workstations is expected to be fairly static. In this example, a scan could target only Windows vulnerabilities of high and medium risk. Attempting to track and resolve every single low risk vulnerability in a large workstation environment is often not considered worthwhile.

Plan your scanning schedule

Deciding when to scan what, and how often, requires some insight into how your assets are grouped and how important they are, as well as close consideration of which conditions and vulnerabilities are most important to resolve first. As mentioned previously, a good approach is to scan your asset groups with targeted scans that reflect the asset groups' contents and business value. Many organizations have adopted a scanning schedule that reflects the business value of the various asset groups. For example, scan the most important assets more often, looking for high risk vulnerabilities or other conditions that, if exploited, could cause severe interruptions to the business.

Target scans for specific vulnerabilities

Focus on the vulnerabilities most important for your network. Search through the list of vulnerability checks and save the resulting list as a vulnerability filter. Use the filters you create as templates so that you can quickly create standard, identical scans for each group or environment.

Example 1

Scanning assets for approved Microsoft patches and hotfixes. In this example, you select all of the Microsoft patch and hotfix vulnerability checks that apply to your network. Once this vulnerability filter is saved, you can select it when setting up a scan configuration for each group or environment. Such a scan checks assets to ensure that all appropriate patches and hotfixes are applied.

Example 2

Scanning assets for potentially unwanted programs. In this example, a scan could target specific programs you do not want installed on your network. Such a scan searches for unwanted programs installed on any asset specified in the scan configuration. The report displays which assets have the unwanted programs installed, and you can view a brief summary of the issues the installed program could cause on your network.

How graphing and trending can improve security

An important aspect of an ongoing vulnerability management program is keeping track of whether progress is being made. McAfee Vulnerability Manager is well suited to this purpose and provides several automated and detailed progress tracking features. Common to all of them is that they are designed to make it easy to understand whether the organization (or parts of it) is making progress and improving its security posture.
26 McAfee Vulnerability Manager 7.5 Best Practices Guide Vulnerability scans Optimize vulnerability scans Using the dashboard The dashboard provides summary information for vulnerabilities, operating systems, severity, and vulnerability count trending. • • • • • Most Prevalent Vulnerabilities – Shows the ten vulnerabilities that affect the most number of assets in your organization or group. Change the minimum security level to focus on a vulnerability severity level, and higher. This monitor allows you to drill down to see which systems are vulnerable. Most Prevalent Operating Systems – Shows the ten operating systems used the most on assets in your organization or group. This monitor allows you to drill down to see which systems use the operating system. Vulnerability Count by Severity – Shows the number of High, Medium, Low, and Informational vulnerabilities, based on all of the assets in your organization or group. This monitor allows you to drill down and see all of the vulnerabilities discovered, on all systems in the organization or group, by severity. Vulnerability Percentage by Severity – Shows the total percentage of High, Medium, Low, and Informational vulnerabilities affecting assets in your organization or group. This monitor allows you to drill down and see all of the vulnerabilities discovered, on all systems in the organization or group, by severity. Organization Vulnerability Count Trend – Shows a trend graph of the High, Medium, Low, and Informational vulnerabilities affecting assets in your organization or group. You can change this monitor to view the FoundScore. Optimize vulnerability scans As discussed previously, it is possible and highly advantageous to optimize your scans so they perform as best as possible. The benefits of scan optimization include: • • Better scan performance. By optimizing a scan, the time to completion is less. 
This is especially helpful in situations where a service window permits only a very limited time to scan, or in very large environments.
• More efficient scans. A more efficient scan uses less bandwidth on the network and can complete in less time.

How to increase scan speeds

Where situations call for faster scans, you can make the following adjustments:

• Increase the FSL thread count. This parameter is set on the McAfee Vulnerability Manager scan engine console. By increasing the number of FSL threads, each scan is able to process more FSL scripts simultaneously and thus scans faster. By default, this is set to 20. The maximum number of concurrent FSL threads is 30.
• Create more sub scans. This parameter is controlled on the “Settings” tab when creating or editing a scan, under the “Optimize” icon. By increasing the number of sub scans, you effectively increase the number of virtual, independent instances of the scan: the scan is divided into a higher number of independent virtual instances and thus processes more hosts at the same time. The default value is 5 and can be increased to 10. Note that increasing the number of sub scans will, in addition to completing the scan faster, also consume more resources on the underlying hardware platform, typically in the form of higher memory usage and higher CPU utilization.

Note: The suggested maximum for any scan engine is 5 concurrent scans with 10 sub scans each.

• Lower the batch size threshold for triggering sub scans. This parameter is controlled on the “Settings” tab when creating or editing a scan, under the “Optimize” icon. Sub scans are used only when the batch size of a scan exceeds a certain threshold. By lowering this threshold, parallel processing is used for smaller scans as well.
How to decrease scan speeds

Where situations call for slower scans, you can make the following adjustments:

• Decrease the FSL thread count. This parameter is set on the McAfee Vulnerability Manager scan engine console. By decreasing the number of FSL threads, each scan processes fewer FSL scripts simultaneously and thus scans more slowly.
• Create fewer sub scans. By decreasing the number of sub scans, you effectively decrease the number of virtual, independent instances of the scan: the scan is divided into a lower number of independent virtual instances and thus processes fewer hosts at the same time.
• Raise the threshold for when to trigger sub scans. Sub scans are used only when the size of a scan exceeds a certain threshold. By increasing this threshold (batch size), the virtualization is used mostly for larger scans.

Note: This might speed up scanning for large address pools with only a few hosts.

Web applications scans

McAfee Vulnerability Manager web application scans are different from the other product scans. With other product scans, you scan one target for multiple vulnerabilities, and you can have more than one target per scan configuration. With web applications, there is no way of knowing in advance exactly how many pages, links, or forms the web application has. Each web application could have several forms, hundreds of links, and thousands of pages, each of which is scanned for vulnerabilities. McAfee recommends scanning one web application per scan configuration.

Where to start with web application scanning

It is important to know what your web application site map looks like, especially when reviewing a web scan report. By knowing your web application site map you will know whether all or only part of your web application has been scanned.
Using the Informational Web Crawl scan template gives you a site map of your web application. Even if you already have a site map, it is recommended that you use the web crawl template and compare your site map with the one discovered by the product.

Once you have your site map, start with a Light Web Scan to find any critical vulnerabilities. The light scan is set to run for two hours. If your web application has a large number of pages, has pages with large file sizes, or has a large number of forms, the light scan might terminate before scanning the entire web application. If this happens, you can modify the scan configuration to lengthen the scan time or remove the time limit.

Here are some other guidelines for scanning your web applications.

• Keep a backup of your web application (i.e. database, server).
• Scan your web applications during off hours, not when the servers are in production. Scanning while a web application is being used could cause problems for your users. A better option is to scan your web application in a test environment.
• Know what type of browser or device the web application is designed for (i.e. mobile phones, Microsoft Internet Explorer, Mozilla Firefox). For example, if you are scanning a web application for mobile phones, the scan engine is not recognized as a mobile device. You must configure your web application to recognize all devices during the scan. When you are done scanning, remember to change the settings back.

View web application scan reports

To view the scan results, look at the web application scan report. The web application scan report contains both product-specific vulnerabilities and web application vulnerabilities. Product-specific vulnerabilities include known issues for a specific product, like Apache, IIS, and PHP. Web application vulnerabilities include cross-site scripting, header vulnerabilities, and vulnerabilities found while injecting malicious code patterns.
The web portion of a report contains the web application vulnerability information.

Improve your web application scans

Optimizing scan settings depends on your web application, and you might need to experiment with the settings to find what works best for it. McAfee has some general guidelines to help you.

• Exclude anything you know does not need to be scanned for vulnerabilities. You can exclude paths and parameters when configuring a scan.
• A web application scan only searches the directory and any linked pages from the web address provided. You must explicitly include anything you want to scan that is not in that directory or linked from the web address being scanned. You can include pages and directories when configuring a scan.
• A web application might use the same web page to present different images or products. Each image or product is given a unique identifier, so the same page can be reused and only the unique identifier changes to display the correct item. When scanning this part of a web application, you want to scan the page for vulnerabilities, but you might not want to scan each unique identifier (of which there could be thousands or hundreds of thousands). You can use the Determine URL Uniqueness setting in a scan configuration to scan the page but ignore the unique identifiers. For example, if all of your products have a unique numeric value, set Determine URL Uniqueness to ignore parameters with numeric values.
• If you are scanning forms in your web application, you must know what will happen if the scan tries to modify or manipulate the form. You should also exclude anything that could be destructive or problematic. For example, scanning a form could reset a password.
• If you are scanning authentication forms, you should include form credentials so that failures show in the report.
You should also specify the input fields (organization, user name, and password) in the scan credential to get the expected results. You can also include specific results that display on the web page after a successful logon to verify form authentication.
• You can exclude directories or pages to improve scan performance. You should exclude an Admin directory or pages that will log off the user.
• If your network connections are reliable (will not cause timeouts) and your server performance can handle it, you could reduce the inter-request delay to reduce the scan time.

McAfee recommends not running a web scan while the web application is in production, because this could affect the scan, your users, or both. You should also consider what is between the scan engine and the target. Your connection could be reliable, but a router could affect the connection, and the result could be a denial of service.

Custom reports

Foundstone Asset Reports allow you to create custom reports based on templates you create. This allows a wide variety of reports to be generated and automatically distributed, with a much greater degree of freedom than is available in Scan Reports. Common questions that Asset Reports can help answer include:

• What vulnerabilities are present on our Windows workstations? Servers?
• What vulnerabilities have been remedied, and what new vulnerabilities have been introduced, in the last 3 months?
• What machines outside of my DMZ are operating as web servers?
• What vulnerabilities exist on machines where I am responsible for administration?
• What high-severity vulnerabilities exist in my environment?
• What machines in my global enterprise have not been patched against MS06-040?
• Over the last 24 months, has my network become effectively more secure, or less secure?
To answer these questions, you create an appropriate Asset Report Template to gather the data and report information about your network.

Threat assessment using the Threat Correlation Module

McAfee Vulnerability Manager features a Threat Correlation Module (TCM) designed to help IT security staff, decision makers, and executives keep track of how the organization responds to events, how fast and how well remediation is conducted, and the general threat level to which the organization is exposed.

What is a threat?

Before describing the inner workings of the TCM, we should clarify what a threat is and how it differs from a vulnerability. A threat is, in its simplest form, an event, whereas a vulnerability is a condition. The TCM helps measure the likelihood that an event will affect hosts in the environment managed by McAfee Vulnerability Manager.

Threat Correlation Module

The TCM requires very little setup and customization. It does, however, function best and deliver the most help and value when scans, asset groups, and asset values are properly configured. When that is the case, the TCM will, with a few mouse clicks, help you understand which assets are at how much risk from what. Simply click the “Correlate” button for a given vulnerability and the TCM displays a prioritized list of the devices affected by that threat.

View the Threat Correlation Module output

As mentioned previously, the TCM produces a list of hosts that are at risk from a particular threat. The hosts at the top of the list are the hosts at the most risk. This risk score is calculated as a product of the value of the device (asset criticality), the severity of the vulnerability, and the quality of the match made by the TCM.
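The scoring just described (asset value multiplied by vulnerability severity multiplied by match quality, with the result ranked most-at-risk first) can be modelled in a few dozen lines. The Python below is an added illustration written for this guide, not the product's own correlation code: the severity points, the point weights for the partial indicators (open port, running service, banner), the 1-to-5 asset value scale, the host and threat records and the identifier EXAMPLE-VULN-1 are all constructed assumptions. It keeps the guide's rule that a host already known to be vulnerable from an earlier scan is the best possible match, that an OS mismatch excludes the host, and that the output flags whether the host already has an open trouble ticket.

```python
"""Threat Correlation Module-style ranking: asset value x severity x match quality."""
from dataclasses import dataclass, field
from typing import List, Optional

# Severity points for the guide's High/Medium/Low/Informational levels (assumed scale).
SEVERITY_POINTS = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Match-quality points out of 10 for the partial indicators the guide lists
# (assumed weights); a host already known to be vulnerable scores the full 10.
PORT_POINTS, SERVICE_POINTS, BANNER_POINTS = 3, 3, 4


@dataclass
class Host:
    name: str
    asset_value: int                 # criticality, assumed scale 1 (low) to 5 (critical)
    os: str
    open_ports: set = field(default_factory=set)
    services: set = field(default_factory=set)
    banners: set = field(default_factory=set)
    known_vulnerable_to: set = field(default_factory=set)   # ids confirmed by earlier scans
    open_ticket: bool = False


@dataclass
class Threat:
    vuln_id: str
    severity: str
    affected_os: set
    required_port: Optional[int] = None
    required_service: Optional[str] = None
    banner_markers: set = field(default_factory=set)


@dataclass
class Correlation:
    host: Host
    score: float
    match_points: int
    open_ticket: bool


def match_points(host: Host, threat: Threat) -> int:
    """Score 0..10 for how well the host profile matches the threat's preconditions."""
    if host.os not in threat.affected_os:
        return 0                        # the OS is a hard requirement
    if threat.vuln_id in host.known_vulnerable_to:
        return 10                       # confirmed by a previous scan: best possible match
    points = 0
    if threat.required_port is not None and threat.required_port in host.open_ports:
        points += PORT_POINTS
    if threat.required_service is not None and threat.required_service in host.services:
        points += SERVICE_POINTS
    if threat.banner_markers & host.banners:
        points += BANNER_POINTS
    return points


def correlate(threat: Threat, hosts: List[Host]) -> List[Correlation]:
    """Rank hosts at risk from `threat`, most at risk first; unaffected hosts are dropped."""
    results = []
    for host in hosts:
        points = match_points(host, threat)
        if points == 0:
            continue
        # Product of asset value, severity and match quality, as the guide describes.
        score = host.asset_value * SEVERITY_POINTS[threat.severity] * points / 10
        results.append(Correlation(host, score, points, host.open_ticket))
    results.sort(key=lambda r: (-r.score, r.host.name))
    return results


# Constructed sample inventory for the example (not product data).
SAMPLE_THREAT = Threat(vuln_id="EXAMPLE-VULN-1", severity="High", affected_os={"Windows"},
                       required_port=135, required_service="msrpc",
                       banner_markers={"Windows Server 2003"})

SAMPLE_HOSTS = [
    Host("dc01", 5, "Windows", {135, 445}, {"msrpc", "smb"}, {"Windows Server 2003"},
         {"EXAMPLE-VULN-1"}, open_ticket=True),
    Host("web02", 3, "Windows", {80, 135}, {"http", "msrpc"}),
    Host("nix01", 5, "Linux", {22, 53}, {"ssh", "dns"}),
]

if __name__ == "__main__":
    for r in correlate(SAMPLE_THREAT, SAMPLE_HOSTS):
        print(f"{r.host.name:8} score={r.score:5.1f} match={r.match_points:2}/10 ticket={r.open_ticket}")
```

Running it ranks dc01 (critical asset, confirmed vulnerable, ticket already open) above web02 (lower value, only port and service match), and drops nix01 because the threat does not affect its operating system. The same ordering principle is what lets the TCM output tell you where remediation effort buys the most risk reduction.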
The TCM works by considering the following parameters of a threat to determine the match:

• What OS does the threat affect?
• What port would have to be open for the threat to be effective against a host?
• What service needs to be running for the threat to be effective against a host?
• What banners would be indicative of a vulnerable host?
• Is the host already known to be vulnerable to the condition the threat pertains to?

In other words, the more severe the underlying vulnerability, the higher the asset value, and the more accurate the match, the more at risk a system is from the threat in question.

The list of hosts produced by a correlation is prioritized so the hosts at the most risk are at the top of the list. This helps you understand where to deploy risk mitigation resources, and thus helps you mitigate the most risk with the available resources. Additionally, the list produced by the TCM also shows whether an open trouble ticket already exists for the host in question.

How to mitigate the risk

For each threat known to the TCM, a countermeasure, or risk mitigation recommendation, is also known. These recommendations are authored and maintained by McAfee Avert Labs on an ongoing basis. Following the risk mitigation steps described in the TCM can be a quick and simple way of resolving the vulnerability or exposure permanently. Use the TCM as a proactive tool to notify asset owners of potential issues. Threats are not a true indication that a vulnerability is present.

Optimize performance

This guide provides information on configuring McAfee Vulnerability Manager 7.5 to optimize its performance over your network and to configure it for your environment.
By default, McAfee Vulnerability Manager 7.5 is already optimized for small to medium networks; its default parameters minimize the impact on network resources. However, for organizations with large networks (Class B or greater), optimizing McAfee Vulnerability Manager 7.5 helps ensure that scans complete in a timely manner. Selecting the correct scan parameters for your network affects the speed and accuracy of your scans, and the impact on your network. See Recommended Settings on page 45 for suggestions on how to optimize McAfee Vulnerability Manager 7.5 for various environments. Use them as guidelines for setting up scans on your network.

Note: Use care when adjusting these parameters from the default values; they significantly impact scan accuracy, scan duration, and network bandwidth consumption.

Performance parameters

The following table shows the effect that increasing each parameter value has on scan speed, required bandwidth, and scan accuracy. Key: an up arrow marks an increase in value, a down arrow a decrease in value, and "none" no effect. The arrow indicators are graphical and are not reproduced in this text, so only the parameters and columns are listed here:

Performance parameter                        Scan speed   Required bandwidth   Scan accuracy
Turn on TCP Full Connect
Increased ICMP/UDP/TCP Time-outs
Increased # of Passes – Service Discovery
Increased # of Passes – Host Discovery
Increased Number of Scan Objects
Turn on Advanced UDP Scanning
Increased Batch-size – Vulnerability Scan
Increased Packet Interval
Increased FSL Threads

Host Discovery options

You can fine-tune the following options for new or existing scans. In the portal, to create a new scan select Scans | New Scan; to edit an existing scan select Scans | Edit Scans. These settings are on the Settings tab in the scan configuration wizard, under the Host options.
Figure 5: Scan configuration – Hosts settings

Full connect scan

This TCP port scanning feature provides better accuracy than TCP SYN scanning, but it increases the scan time because it sends a packet, waits for a response from the host, and then sends another packet (a three-way handshake). Though SYN scanning is fairly accurate over a LAN, select the Full connect scan feature for better accuracy on scans over the Internet (external). Also select this option when running a minimum number of passes with maximum accuracy for a more comprehensive scan.

Services options

You can fine-tune the following options for new or existing scans. In the portal, to create a new scan select Scans | New Scan; to edit an existing scan select Scans | Edit Scans. These settings are on the Settings tab in the scan configuration wizard, under the Host options.

Figure 6: Scan configuration – Services settings
Figure 7: Services settings – Advanced options

Enable Load Balancer Detection

McAfee Vulnerability Manager provides a load balancer detection feature that you can enable in your scan configurations. You can find it under the Services Advanced Options, on the Settings tab. This feature detects the presence of load balancers on your network and displays each load balancer as a node on the Network Topology Report. Selecting this option results in a longer scan.

Services running on non-standard ports

McAfee Vulnerability Manager can scan non-standard ports for common services like HTTP, FTP, POP3, TELNET, and several others. Rogue applications or end users might set up these services on non-standard ports to avoid detection. You can find this under the Services Advanced Options, on the Settings tab.
Credential options

You can fine-tune the following options for new or existing scans. In the portal, to create a new scan select Scans | New Scan; to edit an existing scan select Scans | Edit Scans. These settings are on the Settings tab in the scan configuration wizard, under the Host options.

Figure 8: Scan configuration – Credentials settings

Scanning with credentials

McAfee Vulnerability Manager can use credentials to authenticate itself to a Windows, UNIX, or infrastructure host. This allows the FSL scripts to access the Windows registry and other information. Infrastructure hosts are other network devices, such as Cisco routers and switches. This feature lets you add credentials to authenticate an account on a host:

• Windows Domain
• Windows Workgroup
• Windows Individual Host
• Windows Default
• Shell Domain
• Shell Individual Host
• Shell Default
• Web Domain
• Web Server
• Web Default
• Web Application URL

Each method of authentication requires a user ID (user name), and some methods require a password. The database stores the encrypted user names and passwords for this scan. When the scan begins, McAfee Vulnerability Manager 7.5 uses this information to attempt authentication on each discovered host system.

Optimize options

You can set the following options to optimize performance for new or existing scans. In the portal, to create a new scan select Scans | New Scan; to edit an existing scan select Scans | Edit Scans. These settings are on the Settings tab in the scan configuration wizard, under the Optimize options.

Figure 9: Scan configuration – Optimize settings

ICMP / UDP / TCP timeouts

The default timeout values are set for optimal external discovery scans.
Adjust the timeout values slightly lower for a faster scan or slightly higher for a more thorough, slower scan. To optimize internal scans, set the ICMP timeout to 1500 ms and the TCP timeout to 2000 ms.

Number of passes

This option controls the number of times ICMP, UDP, and TCP requests, or pings, are sent to target IP address ranges during the scan's host discovery sequence. McAfee recommends three passes; use fewer passes for a faster, less thorough scan. For external scans, McAfee testing reveals that approximately 95% of all active hosts are discovered on the initial pass, about 4+% are included in the second pass, and the remaining percentage are discovered in the final pass. For internal scans, most, if not all, devices are discovered in the first pass.

Number of scan objects

This option specifies the maximum number of sub-scans the system uses if the number of IP addresses exceeds the IP threshold. "Scan objects" is the technical term for sub-scans. Set the number of scan objects from 1 to 10. The Number of Scan Objects setting has a strong impact on both scan performance and bandwidth utilization. For example, if a scan uses 10 sub-scans, it runs 10 smaller scans simultaneously. Although this substantially increases performance, it also increases the load on the scan server by adding 9 additional scans. For example, if you had five different scan configurations running simultaneously, each using 10 scan objects, you would be running the equivalent of 50 concurrent scans, which is a heavy load for even the most robust scan server and a solid network infrastructure.

Batch size

This setting controls the number of IP addresses that are scanned simultaneously. Though the default value of 1024 IP addresses is recommended for small scans, select a larger batch size to speed up the scan of a large environment.
Values can be 32, 64, 128, 256, 512, 1024, 2048, 4096, and 8192 IP addresses. For example, assume you are scanning a class C network (256 IP addresses). The following table shows the number of scan segments each batch size would require.

Batch size    Scan segments (256 IP addresses)
64            4
128           2
256           1

Batch size recommendations – vulnerability scans

For vulnerability scans, select a smaller batch size. Large batches can slow the overall scan time because the batch has to wait for scripts to either complete or time out. To maximize scan efficiency, performance, and bandwidth utilization, select a batch size of 1024 or lower for vulnerability scans.

Packet interval

This setting controls the delay McAfee Vulnerability Manager 7.5 waits between sending each packet across the network. Without a minimal inter-packet delay, McAfee Vulnerability Manager 7.5 would flood the network with packets, causing routers to drop scan traffic destined for target hosts and affecting the accuracy of the scan. Though 15 milliseconds is the default value, select a higher value, such as 20-25 milliseconds, when scanning a highly distributed network such as a global WAN. Use lower delays, such as 10 milliseconds, over smaller networks with a cleaner backbone to improve scan performance without sacrificing scan accuracy.

Caution: Even small increases in the Packet Interval affect scan durations. Use caution when adding delays to large scans. Assume that a very small scan sends out 1000 packets. Sending them all at once would take very little time.
But consider the effects of adding a small delay:

Delay    Time to send 1000 packets
10ms     10 seconds
25ms     25 seconds

Now consider a scan that sends 750,000 packets:

Delay    Time to send 750,000 packets
10ms     7,500 seconds (2 hours 5 minutes)
25ms     18,750 seconds (over 5 hours)

Scan vulnerability saving option

Some reporting, like compliance scans, might require all data collected from a scanned host (vulnerable, not vulnerable, and indeterminate). In the product, you can set whether all data or only vulnerability data is saved from scanned hosts. Saving all data collected from a scanned host (vulnerable, not vulnerable, indeterminate) can result in a large amount of data being collected (approximately nine times as much as returning only vulnerable data). When creating scan configurations that collect all data, it is recommended to have 10,000 hosts as the maximum number to scan. You can find this feature in the Optimize settings on the Settings tab of a scan configuration.

Vulnerable only: Returns only vulnerability data from scanned hosts. This is the default selection when creating a new scan.
All: Returns all data collected from scanned hosts (vulnerable, not vulnerable, indeterminate).

Note: Returning all results (full results) is only available with HTML reports.

Other scanning options

You can fine-tune speed and size options for new or existing scans in the enterprise manager.

Foundstone Scripting Language (FSL) threads

The FSL Thread Count setting is the number of threads running in parallel to execute FSL vulnerability check scripts. Increase the default (20 threads) to 30 for a faster scan when vulnerability checking is enabled for a scan. Increasing this setting improves scan performance, but also uses more network bandwidth.
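The relationships in the Optimize options above (batch size splitting a range into segments, the packet interval multiplying out into hours on large scans, scan objects multiplying engine load, the nine-fold growth of "All" results, and the guide's ceilings of 30 FSL threads, 1 to 10 scan objects, 5 concurrent scans of 10 sub-scans, 10,000 hosts when saving all data, and 1024 addresses per batch for vulnerability scans) are easy to get wrong when planning a large scan window. The Python planner below is an added example for this guide, not a McAfee tool: it encodes those figures from the text as constants and checks a proposed scan against them. The roughly 1 MB of virtual memory per FSL thread comes from the FSL threads discussion in this guide; the packets-per-host figure and the sample plan in the main block are constructed assumptions for illustration only.

```python
"""Scan capacity planner built from the tuning figures quoted in this guide."""
import math
from dataclasses import dataclass
from typing import List

# Limits and ratios quoted by the guide, encoded as constants for this example.
BATCH_SIZES = (32, 64, 128, 256, 512, 1024, 2048, 4096, 8192)
MAX_FSL_THREADS = 30            # maximum concurrent FSL threads per engine
MAX_SCAN_OBJECTS = 10           # scan objects (sub-scans) can be set from 1 to 10
MAX_EQUIVALENT_SCANS = 50       # suggested maximum: 5 concurrent scans x 10 sub-scans
MB_PER_FSL_THREAD = 1.0         # approximate virtual memory per FSL thread
ALL_DATA_FACTOR = 9             # "All" results collect ~9x the data of "Vulnerable only"
ALL_DATA_MAX_HOSTS = 10_000     # recommended ceiling when saving all data
VULN_SCAN_MAX_BATCH = 1024      # recommended ceiling for vulnerability-scan batches


def batch_segments(hosts: int, batch_size: int) -> int:
    """Number of batches a scan of `hosts` addresses is split into."""
    if batch_size not in BATCH_SIZES:
        raise ValueError(f"batch size must be one of {BATCH_SIZES}")
    return math.ceil(hosts / batch_size)


def send_time_seconds(packets: int, packet_interval_ms: int) -> float:
    """Wall-clock time the inter-packet delay alone adds when sending `packets`."""
    return packets * packet_interval_ms / 1000


def format_duration(seconds: float) -> str:
    """Render a duration in seconds as 'Nh Mm Ss' for a planning report."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}h {minutes}m {secs}s"


def peak_fsl_memory_mb(fsl_threads: int, scan_objects: int) -> float:
    """Peak virtual memory of one scan: every scan object runs the full thread set."""
    return fsl_threads * scan_objects * MB_PER_FSL_THREAD


def equivalent_concurrent_scans(scan_configs: int, scan_objects: int) -> int:
    """Engine load expressed as the guide does: configurations x scan objects."""
    return scan_configs * scan_objects


@dataclass
class ScanPlan:
    hosts: int
    batch_size: int = 1024          # product default
    scan_objects: int = 5           # product default
    fsl_threads: int = 20           # product default
    packet_interval_ms: int = 15    # product default
    packets_per_host: int = 1000    # constructed assumption, not a product figure
    save_all_results: bool = False
    concurrent_configs: int = 1
    vulnerability_scan: bool = True


def check_plan(plan: ScanPlan) -> List[str]:
    """Return the guide's recommendations that the plan violates (empty list means OK)."""
    findings = []
    if plan.fsl_threads > MAX_FSL_THREADS:
        findings.append(f"FSL threads {plan.fsl_threads} exceed the maximum of {MAX_FSL_THREADS}")
    if not 1 <= plan.scan_objects <= MAX_SCAN_OBJECTS:
        findings.append(f"scan objects must be between 1 and {MAX_SCAN_OBJECTS}")
    load = equivalent_concurrent_scans(plan.concurrent_configs, plan.scan_objects)
    if load > MAX_EQUIVALENT_SCANS:
        findings.append(f"{load} equivalent concurrent scans exceed the suggested {MAX_EQUIVALENT_SCANS}")
    if plan.save_all_results and plan.hosts > ALL_DATA_MAX_HOSTS:
        findings.append(f"saving all results for {plan.hosts} hosts exceeds the recommended {ALL_DATA_MAX_HOSTS}")
    if plan.vulnerability_scan and plan.batch_size > VULN_SCAN_MAX_BATCH:
        findings.append(f"batch size {plan.batch_size} above {VULN_SCAN_MAX_BATCH} is not recommended for vulnerability scans")
    return findings


def summarize(plan: ScanPlan) -> dict:
    """Derive the planning figures for a scan from the guide's relationships."""
    packets = plan.hosts * plan.packets_per_host
    return {
        "segments": batch_segments(plan.hosts, plan.batch_size),
        "delay_seconds": send_time_seconds(packets, plan.packet_interval_ms),
        "peak_memory_mb": peak_fsl_memory_mb(plan.fsl_threads, plan.scan_objects),
        "equivalent_scans": equivalent_concurrent_scans(plan.concurrent_configs, plan.scan_objects),
        "result_volume_factor": ALL_DATA_FACTOR if plan.save_all_results else 1,
        "findings": check_plan(plan),
    }


if __name__ == "__main__":
    # Constructed sample: a class B range scanned aggressively with all results saved.
    plan = ScanPlan(hosts=65_536, batch_size=2048, scan_objects=10, fsl_threads=30,
                    packet_interval_ms=25, save_all_results=True, concurrent_configs=5)
    report = summarize(plan)
    print(f"segments={report['segments']} delay={format_duration(report['delay_seconds'])} "
          f"peak_mem={report['peak_memory_mb']:.0f}MB load={report['equivalent_scans']}")
    for finding in report["findings"]:
        print("warning:", finding)
```

The functions reproduce the guide's own figures (a class C at batch size 64 is 4 segments, 750,000 packets at 10 ms is 7,500 seconds, 30 threads over 10 scan objects is 300 MB), and check_plan turns the scattered "recommended maximum" statements into one list a scan owner can review before committing a service window.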
Configure the FSL Thread Count setting in enterprise manager on the General Settings page (select Manage | Engines and click Preferences for the scan engine).

Figure 10: Engine options – General settings

Though increasing the number of FSL threads improves scan performance, it increases network traffic and can impact the performance of the scan server. Each FSL thread uses approximately 1 MB of virtual memory, and each scan object uses the full set of threads available. A scan configured to use 30 FSL threads running 10 concurrent sub-scans could consume up to 300 MB of virtual memory for a single scan at its peak.

Scan configuration options

When creating a scan configuration, there are Optimize and Vuln Selection options for improving scan performance.

Impact of specific scans

The following table shows the impact of different scan features on scanning speed and required bandwidth. Key: an up arrow marks an increase, a down arrow a decrease. The arrow indicators are graphical and are not reproduced in this text, so only the features and columns are listed here:

Specific scan feature       Scan speed   Required bandwidth
Perform Tracerouting
Run Brute Force Checks
Run Windows Checks

Perform tracerouting (network mapping)

The network topology maps in McAfee Vulnerability Manager 7.5 are created using the results of ICMP and TCP traceroutes to each live host. This information lets you see high-risk areas, allowing a quick assessment of the risk posture among subnets. If a large number of live hosts is anticipated and a network topology map is not desired, disable this feature to gain a slight improvement in scan speed and a significant improvement in the time needed to generate a report upon the scan's completion. The Network Mapping setting is part of the scan configuration wizard for both new and existing scans.
Go to the Settings tab in the scan configuration wizard, under the Optimize options.

Figure 11: Scan configuration – Optimize settings

About vulnerability checks in McAfee Vulnerability Manager

McAfee Vulnerability Manager 7.5 runs vulnerability checks against devices that match the profile of the individual vulnerability. It matches vulnerabilities with hosts whose operating system type, open ports, and protocols meet the check's specifications. For example, a Windows server is not assessed for a Linux vulnerability, a Cisco router without port 69 open is not assessed for a TFTP vulnerability, and a UNIX server with only UDP-based DNS running is not assessed for a TCP-based DNS vulnerability. As the number of selected checks and active hosts increases, scans take more time to ensure that all vulnerabilities are discovered. McAfee Vulnerability Manager 7.5 includes a large number of web server checks, and scans of environments with many web servers take more time than scans of comparable networks running other network services. If the purpose of a scan is to perform a network inventory, turn off vulnerability checking.

Turning off specific vulnerability checks

The Brute Force and Windows checks have the most potential for slowing down a scan. These checks are part of the scan configuration wizard, on the Settings tab, under Vuln Selection.

Figure 12: Scan configuration – Vulnerability selection settings

Brute Force checks

These checks successively try a large series of commonly used user names and passwords against a target host. Given the nature of the testing, many user names and passwords fail, causing the script execution to take longer than most other types of scripts.
If you are less concerned about discovering easily guessed user names and passwords, disable Brute Force checks.

Windows checks

These checks run only if there is remote administrative access to the target Windows host. The time consumed for the Windows checks to authenticate (fail or succeed) and then execute if authentication succeeds is higher than for most checks. If proper access is not available, as with external scans, disable the Windows checks to improve scan performance.

Recommended scan settings

This section provides suggested settings for setting up scans. They are based on the best practices developed by McAfee's Sales Engineers. The settings are determined by the size of the network and by the type of scan.

Network size

For the purposes of describing network sizes, this guide uses the following definitions:

• Small Network – Up to 10 Class C networks (2560 potentially live hosts)
• Medium Network – Up to a Class B network (65536 potentially live hosts)
• Large Network – Up to a Class A network (16.7 million potentially live hosts)

Types of scans

McAfee Vulnerability Manager 7.5 lets you customize your scans to your needs. Scan types range from simple discovery scans to full vulnerability scans. The table below provides a quick overview with cross references for each scan type on various networks. The most common scans include the following:

• Single Vulnerability Scan – Use this scan to scan for a single vulnerability check.
• Asset Discovery Scan – Searches for the various devices on your network. All scans perform discovery, and the other scan types look for additional information based on the findings of the discovery scan.
• SANS/FBI Top 20 Scan – Searches only for the vulnerabilities identified by the Federal Bureau of Investigation (FBI) as the top 20 most common vulnerabilities.
• Full Vulnerability Scan – Lets you pick and choose the types of vulnerability checks to run against the network.
• WWW Application Assessment Scan – Searches the network for web applications. It probes for web applications, looks for access points and weaknesses that could provide access into the network, and searches for various vulnerabilities associated with web applications.

Note: Use these templates as guidelines. Consider your network configuration and refine the settings as needed. Refer to this guide and the online help for more information on each setting.

Scan size and type                 Large networks                            Medium networks   Small networks
Single Vulnerability Scan          Use the Single Vulnerability Scan recommendations below for all sizes.
Asset Discovery Scan               See page 57                               See page 51
SANS/FBI Top 20 Scan               See page 59                               See page 53
Full Vulnerability Scan            Not recommended – see page 55 for notes   See page 48
Web Application Assessment Scan    Not recommended – see for notes           See page 51

Small networks use the same settings for all types of scans.

Settings: Full-port scans

A full-port scan is designed to detect all open ports on a system.

Optimize an all-port scan

• Set the packet delay to zero.
• Set the timeouts to 500 ms.
• Use SYN scanning.

Performance expectations

Using these settings you can scan 65536 ports on one system in about 7 to 12 seconds. McAfee engineers have spent considerable time and effort tuning the scanning engine to provide the best accuracy.
Although another scanner could theoretically scan all ports faster than this, it won't be more accurate, since sending thousands of packets per second will probably cause routers and/or the target systems to drop significant numbers of packets.

Settings: Scan for a single vulnerability

When you have to create a scan to look for a single vulnerability, such as the Microsoft Windows RPC DCOM vulnerability that caused trouble in August 2003, use these recommended settings to optimize your scan.

Enterprise manager settings

Enterprise manager parameters for single vulnerability scan – Recommended settings

Scan Ranges
  Batch Size: 1024-8192 – Higher settings make the scan faster, but generate more network traffic

Module Selection
  Discovery: ON (always ON)
  Web Application Assessment Module: OFF
  Windows Host Assessment Module: ON – Select the single check you want to use. Ensure that credentials are supplied. Note: Set to OFF if you are checking for a single Shell vulnerability.
  Wireless Discovery and Assessment Module: OFF
  Shell Module: ON – Select the single check you want to use. Ensure that credentials are supplied. Note: Set to OFF if you are checking for a single Windows vulnerability.
  General Assessment Module: ON

Host Discovery
  Use ICMP Discovery: ON
  ICMP: Timeout (Advanced): 1000ms
  Use UDP Ports: OFF
  Use TCP Ports: OFF (to increase speed)
  Number of Passes: 1

Service Discovery
  Use UDP Ports: ON
  UDP: Ports: Use only the ports that are affected by the vulnerability
  UDP: Timeout: 2000ms
  Use advanced UDP Scanning Technique: OFF
  Use TCP Ports: ON
  TCP: Ports: Use only the ports that are affected by the vulnerability
  TCP: Timeout: 2000ms
  TCP: Full connect scan: OFF
  Number of Passes: 1
  Perform banner grabbing: ON
  Service Fingerprinting Options: OFF

Vulnerability Checks
  Vulnerability Checks: ON – Select the single check you want to use
  SANS/FBI Top 20: OFF

Options
  IP threshold: 256
  Number of Scan Objects: 5
  Create report upon scan completion: ON

Settings: Full vulnerability scan (up to 2560 hosts)

The settings for this full scan are optimized for small environments with fewer than 10 Class C networks. Create the scan configuration from the enterprise manager. This table describes only those settings that affect scan performance; the other settings are arbitrary.
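The module-selection rules above (Discovery always ON, Windows checks only when administrative access exists, one authenticated module and exactly one check for a single vulnerability scan, Batch Size 1024-8192) are easy to get wrong when a scan configuration is cloned and edited by hand. The following Python check encodes them; it is an added example, not McAfee code or an MVM file format. MVM exposes these settings through the enterprise manager UI, so the dictionary layout (`scan_type`, `external`, `credentials`, `modules`, `selected_checks`, `batch_size`) is an assumed representation of an exported configuration, and the sample configurations are constructed.

```python
"""Check a scan configuration against the module-selection rules in this
guide.  Added example, not McAfee code: the dict layout is an assumed
representation of an exported MVM scan configuration."""

# Module names exactly as the guide's settings tables list them.
DISCOVERY = "Discovery"
WINDOWS = "Windows Host Assessment Module"
SHELL = "Shell Module"


def lint_scan(cfg):
    """Return a list of findings; an empty list means the configuration
    follows the recommendations checked here."""
    findings = []
    modules = cfg.get("modules", {})
    win_on = modules.get(WINDOWS) == "ON"
    shell_on = modules.get(SHELL) == "ON"

    # Discovery is always ON: every other scan type builds on its results.
    if modules.get(DISCOVERY) != "ON":
        findings.append("Discovery must be ON (always ON).")

    # Windows checks run only with remote administrative access.  On an
    # external scan they only spend time authenticating and failing.
    if cfg.get("external") and win_on:
        findings.append("External scan: set Windows Host Assessment Module OFF "
                        "(no administrative access, so the checks cannot succeed).")

    # Authenticated modules are pointless without credentials.
    if (win_on or shell_on) and not cfg.get("credentials"):
        findings.append("Windows/Shell module is ON but no credentials are supplied.")

    if cfg.get("scan_type") == "single":
        # The single check lives in either the Windows or the Shell module,
        # and the guide says to set the other one OFF.
        if win_on and shell_on:
            findings.append("Single vulnerability scan: enable the Windows module "
                            "for a Windows check OR the Shell module for a Shell "
                            "check, not both.")
        if len(cfg.get("selected_checks", [])) != 1:
            findings.append("Single vulnerability scan: select exactly one "
                            "vulnerability check.")
        if not 1024 <= cfg.get("batch_size", 0) <= 8192:
            findings.append("Single vulnerability scan: Batch Size should be "
                            "1024-8192 (higher is faster but generates more traffic).")
    return findings


# Constructed sample configurations (not taken from any real MVM export).
GOOD_SINGLE_SCAN = {
    "scan_type": "single",
    "external": False,
    "credentials": True,
    "batch_size": 4096,
    "modules": {DISCOVERY: "ON", WINDOWS: "ON", SHELL: "OFF"},
    "selected_checks": ["example-windows-check"],  # placeholder check name
}

BAD_EXTERNAL_SCAN = {
    "scan_type": "full",
    "external": True,          # scanning from outside: no admin access
    "credentials": False,
    "batch_size": 128,
    "modules": {DISCOVERY: "ON", WINDOWS: "ON", SHELL: "OFF"},
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_SINGLE_SCAN), ("bad", BAD_EXTERNAL_SCAN)):
        print(name, lint_scan(cfg) or "OK")
```

Run it before saving a cloned configuration: the bad sample produces two findings (Windows module enabled on an external scan, and enabled without credentials), the good single vulnerability scan produces none.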
Enterprise manager settings (All scans – Small network)

Enterprise manager parameters for full vulnerability scan on a small network – Recommended settings

Scan Ranges
  Batch Size: 128

Module Selection
  Discovery: ON (always ON)
  Web Application Assessment Module: OFF
  Windows Host Assessment Module: OFF
  Wireless Discovery and Assessment Module: OFF
  Shell Module: OFF
  General Assessment Module: ON

Host Discovery: ICMP
  Use ICMP Discovery: ON
  Echo Request (Advanced): ON
  Timestamp Request (Advanced): OPTIONAL
  Address Mask Request (Advanced): OPTIONAL
  Information Request (Advanced): OPTIONAL
  Timeout (Advanced): 2000ms

Host Discovery: UDP
  Use UDP Ports: ON
  Ports: Allow McAfee Vulnerability Manager to determine ports
  Timeout (Advanced): 2000ms
  Use advanced UDP Scanning Technique (Advanced): OFF
  Use UDP Static Source Port (Advanced): OPTIONAL

Host Discovery: TCP
  Use TCP Ports: ON
  Ports: Allow McAfee Vulnerability Manager to determine ports
  Timeout (Advanced): 4000ms
  Full connect scan (Advanced): OFF
  Use TCP Static Source Port (Advanced): OFF

Host Discovery
  Number of Passes: 1

Service Discovery: UDP
  Use UDP Ports: ON
  Ports: Allow McAfee Vulnerability Manager to determine ports
  Timeout: 2000ms
  Use advanced UDP Scanning Technique: OFF

Service Discovery: TCP
  Use TCP Ports: ON
  Ports: Allow McAfee Vulnerability Manager to determine ports
  Timeout: 4000ms
  Full connect scan: OFF

Service Discovery
  Number of Passes: 1
  Perform banner grabbing: ON
  Service Fingerprinting Options: OFF

Vulnerability Checks
  SANS/FBI Top 20: OPTIONAL – or select Vulnerability Checks and Non-Intrusive
  Vulnerability Checks: ON – or use SANS/FBI defaults
  Non-Intrusive: ON

Options: Scan Acceleration
  IP threshold: 256
  Number of Scan Objects: 5

Options: Reporting
  Create report upon scan completion: ON

Settings: Asset discovery (up to 65536 hosts)

This scan is optimal for running asset discovery scans on any network smaller than a Class B. This type of scan discovers the devices on the network. The reports provide the operating system types, machine names, and a network topology of the networks scanned.

Note: This high-level scan does not detect all of the services that could possibly be listening on discovered hosts. To get a more detailed view of these services, enable "Allow McAfee Vulnerability Manager to determine which ports to scan" on the Services page, but not on the Host Discovery page. This significantly increases the duration of the scan, but it performs a more exhaustive service scan on discovered hosts and results in a more detailed report.

The following table describes only those settings in the enterprise manager scan settings that affect scan performance. The other settings are arbitrary. See the online help for additional information.
Enterprise manager settings (Asset discovery scan – Medium network)

Enterprise manager parameters for asset discovery scan on a medium network – Recommended settings

Scan Ranges
  Batch Size: 4096

Module Selection
  Discovery: ON (always ON)
  Web Application Assessment Module: OFF
  Windows Host Assessment Module: OFF
  Wireless Discovery and Assessment Module: OFF
  Shell Module: OFF
  General Assessment Module: OFF

Host Discovery: ICMP
  Use ICMP Discovery: ON
  Echo Request (Advanced): ON
  Timestamp Request (Advanced): OPTIONAL
  Address Mask Request (Advanced): OPTIONAL
  Information Request (Advanced): OPTIONAL
  Timeout (Advanced): 1000ms

Host Discovery: UDP
  Use UDP Ports: OFF

Host Discovery: TCP
  Use TCP Ports: ON
  Ports: 21, 22, 25, 135, 80
  Timeout (Advanced): 2000ms
  Full connect scan (Advanced): OFF
  Use TCP Static Source Port (Advanced): OFF

Host Discovery
  Number of Passes: 1

Service Discovery: UDP
  Use UDP Ports: OFF – or ON, choosing "Allow McAfee Vulnerability Manager to determine which ports to scan" for a more exhaustive search

Service Discovery: TCP
  Use TCP Ports: ON
  Ports: 21, 22, 23, 25, 80, 111, 135, 445 – Choose "Allow McAfee Vulnerability Manager to determine which ports to scan" for a more exhaustive search
  Timeout: 2000ms
  Full connect scan: OFF

Service Discovery
  Number of Passes: 1
  Perform banner grabbing: OFF
  Service Fingerprinting Options: OFF

Vulnerability Checks
  SANS/FBI Top 20: OFF
  Vulnerability Checks: OFF

Options: Scan Acceleration
  IP threshold: 256
  Number of Scan Objects: 10

Options: Reporting
  Create report upon scan completion: ON

Settings: SANS/FBI Top 20 scan (up to 65536 hosts)

Use these settings for running a SANS/FBI Top 20 Vulnerability Scan on a medium-sized network. The settings are optimized for any size network up to a Class B. The scan provides the operating system types, machine names, and a network topology, and reports the discovery of any of the top 20 vulnerabilities on the FBI list.

The enterprise manager settings are described in the following tables. These tables do not describe settings on the scan configuration pages that do not affect the performance of a scan. For example, they do not discuss the name of the scan configuration or how it is scheduled to run. See the online help for additional information.
Enterprise manager settings (SANS/FBI Top 20 scan – Medium network)

Recommended settings

Scan Ranges
  Batch Size: 128

Module Selection
  Discovery: ON (always ON)
  Web Application Assessment Module: OFF
  Windows Host Assessment Module: OFF
  Wireless Discovery and Assessment Module: OFF
  Shell Module: OFF
  General Assessment Module: ON

Host Discovery: ICMP
  Use ICMP Discovery: ON
  Echo Request (Advanced): ON
  Timestamp Request (Advanced): OPTIONAL
  Address Mask Request (Advanced): OPTIONAL
  Information Request (Advanced): OPTIONAL
  Timeout (Advanced): 1000ms

Host Discovery: UDP
  Use UDP Ports: OFF

Host Discovery: TCP
  Use TCP Ports: ON
  Ports: 21, 22, 25, 135, 80
  Timeout (Advanced): 4000ms
  Full connect scan (Advanced): OFF
  Use TCP Static Source Port (Advanced): OFF

Host Discovery
  Number of Passes: 1

Service Discovery: UDP
  Use UDP Ports: ON
  Ports: Allow McAfee Vulnerability Manager to determine ports
  Timeout: 2000ms
  Use advanced UDP Scanning Technique: OFF

Service Discovery: TCP
  Use TCP Ports: ON
  Ports: Allow McAfee Vulnerability Manager to determine ports
  Timeout: 2000ms
  Full connect scan: OFF

Service Discovery
  Number of Passes: 1
  Perform banner grabbing: ON
  Service Fingerprinting Options: OFF

Vulnerability Checks
  SANS/FBI Top 20: ON
  Exclude Intrusive Checks: ON

Options: Scan Acceleration
  IP threshold: 256
  Number of Scan Objects: 10

Options: Reporting
  Create report upon scan completion: ON

Settings: Full vulnerability scan (up to 65536 hosts)

Use these settings for running a non-intrusive Full Vulnerability Scan on a medium-sized network. The settings are optimized for any size network up to a Class B with up to 65536 potentially live hosts. The scan provides the operating system types, machine names, a network topology, and all vulnerability categories of the networks scanned.

The enterprise manager scan settings are described in the following tables. These tables do not describe settings on the scan configuration pages that do not affect the performance of a scan. For example, they do not discuss the name of the scan configuration or how it is scheduled to run. See the online help for additional information.

Enterprise manager settings (Full vulnerability scan – Medium network)

Enterprise manager parameters for full vulnerability scan on a medium network – Recommended settings

Scan Ranges
  Batch Size: 128

Module Selection
  Discovery: ON (always ON)
  Web Application Assessment Module: OFF
  Windows Host Assessment Module: OFF
  Wireless Discovery and Assessment Module: OFF
  Shell Module: OFF
  General Assessment Module: ON

Host Discovery: ICMP
  Use ICMP Discovery: ON
  Echo Request (Advanced): ON
  Timestamp Request (Advanced): OPTIONAL
  Address Mask Request (Advanced): OPTIONAL
  Information Request (Advanced): OPTIONAL
  Timeout (Advanced): 1000ms

Host Discovery: UDP
  Use UDP Ports: OFF

Host Discovery: TCP
  Use TCP Ports: ON
  Ports: 21, 22, 25, 135, 80
  Timeout (Advanced): 2000ms
  Full connect scan (Advanced): OFF
  Use TCP Static Source Port (Advanced): OFF

Host Discovery
  Number of Passes: 1

Service Discovery: UDP
  Use UDP Ports: ON
  Ports: Allow McAfee Vulnerability Manager to determine ports
  Timeout: 2000ms
  Use advanced UDP Scanning Technique: OFF

Service Discovery: TCP
  Use TCP Ports: ON
  Ports: Allow McAfee Vulnerability Manager to determine ports
  Timeout: 2000ms
  Full connect scan: OFF

Service Discovery
  Number of Passes: 1
  Perform banner grabbing: ON
  Service Fingerprinting Options: OFF

Vulnerability Checks
  SANS/FBI Top 20: OFF
  Vulnerability Checks: ON – and select all of the non-intrusive checks
  Non-Intrusive: ON

Options: Scan Acceleration
  IP threshold: 256
  Number of Scan Objects: 10

Options: Reporting
  Create report upon scan completion: ON

Settings: Asset discovery (up to 16,700,000 hosts)

These settings are optimized for discovering all devices on a network in extremely large environments of multiple Class B's or Class A address space. The results provide the operating system types, machine names, and a network topology of the networks scanned. This is a high-level view and does not provide all the services that could be listening on discovered hosts. Turning on all services for this type of scan is not recommended, as the data presented will be extremely large. For a detailed view of individual hosts, use smaller scans to produce a report that can be used on an operational basis.

Notes: Changes to these parameters can add significant time to the scan. These parameters are optimal for this type of scan; using them, a scan of this magnitude should be able to complete within 24 hours.

Do not attempt to run a vulnerability assessment on a network of this size; the amount of information alone would be overwhelming. Imagine a report with 10,000 live hosts, each with 3 vulnerabilities (most systems have more than 3). That is a total of 30,000 vulnerabilities within one extremely large report. McAfee recommends that you define regions or business units by IP address ranges prior to configuring a scan.
When you enter IP addresses into McAfee Vulnerability Manager, use scan labels to correlate this information in the reports.

Enterprise manager settings (Asset discovery scan – Large network)

Enterprise manager parameters for asset discovery scan on a large network – Recommended settings

Scan Ranges
  Batch Size: 8192

Module Selection
  Discovery: ON (always ON)
  Web Application Assessment Module: OFF
  Windows Host Assessment Module: OFF
  Wireless Discovery and Assessment Module: OFF
  Shell Module: OFF
  General Assessment Module: OFF

Host Discovery
  Use ICMP Discovery: ON
  ICMP: Timeout (Advanced): 1000ms
  Use UDP Ports: OFF
  Use TCP Ports: OFF
  Number of Passes: 1

Service Discovery
  Use UDP Ports: OFF
  Use TCP Ports: ON
  TCP: Ports: 21, 23, 25, 80, 135
  TCP: Timeout: 2000ms
  TCP: Full connect scan: OFF
  Number of Passes: 1
  Perform banner grabbing: OFF
  Service Fingerprinting Options: OFF

Vulnerability Checks
  SANS/FBI Top 20: OFF
  Vulnerability Checks: OFF

Options
  IP threshold: 256
  Number of Scan Objects: 10
  Create report upon scan completion: ON

Settings: SANS/FBI Top 20 scan (up to 16,700,000 hosts)

These settings are optimized for discovering all devices on a network in extremely large environments of multiple Class B's or Class A address space, for compliance with the SANS/FBI Top 20 list. The resulting report provides the operating system types, machine names, network topology, and the top 20 vulnerability categories of the networks scanned.

Note: Class A scans typically generate thousands of vulnerabilities. This list can quickly become overwhelming from a management perspective. McAfee recommends using the SANS / FBI Top 20 on large networks.
While McAfee Vulnerability Manager can scan large networks within a reasonable time, McAfee recommends that you choose a smaller network size for more comprehensive full vulnerability checks and Web Application Assessment scans. Changes to these parameters can add significant time to the scan. These parameters are optimal for this type of scan and can complete within 24-48 hours. McAfee recommends that you define regions or business units by IP address ranges prior to configuring a scan. When you enter IP addresses into McAfee Vulnerability Manager, use scan labels to correlate this information in the reports.

Enterprise manager settings (SANS/FBI Top 20 scan – Large network)

Enterprise manager parameters for SANS/FBI Top 20 scan on a large network – Recommended settings

Scan Ranges
  Batch Size: 128

Module Selection
  Discovery: ON (always ON)
  Web Application Assessment Module: OFF
  Windows Host Assessment Module: OFF
  Wireless Discovery and Assessment Module: OFF
  Shell Module: OFF
  General Assessment Module: ON

Host Discovery
  Use ICMP Discovery: ON
  Echo Request (Advanced): ON
  Timestamp Request (Advanced): OPTIONAL
  Address Mask Request (Advanced): OPTIONAL
  Information Request (Advanced): OPTIONAL
  Timeout (Advanced): 1000ms
  Use UDP Ports: OFF
  Use TCP Ports: OFF
  Number of Passes: 1

Service Discovery
  Use UDP Ports: ON
  UDP: Ports: Allow McAfee Vulnerability Manager to determine ports
  Use TCP Ports: ON
  TCP: Ports: Allow McAfee Vulnerability Manager to determine ports
  TCP: Timeout: 2000ms
  Full connect scan: OFF
  Number of Passes: 1
  Perform banner grabbing: ON
  Service Fingerprinting Options: OFF

Vulnerability Checks
  SANS/FBI Top 20: ON
  Exclude Intrusive Checks: ON

Options
  IP threshold: 256
  Number of Scan Objects: 10
  Create report upon scan completion: ON
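The large-network sections above give two pieces of planning advice that are easy to automate: pick the template by network size (the size classes from "Network size", the Batch Size and Number of Scan Objects from the tables), and split a Class A into labelled regions or business units so that no single scan produces an unmanageable report. The Python below does that planning; it is an added example, not McAfee code. The thresholds, Batch Size and Number of Scan Objects values are taken from this guide's tables; the region/label input shape, the report-size arithmetic (the guide's 10,000 hosts x 3 vulnerabilities illustration) and the sample private ranges are my own constructed assumptions.

```python
"""Plan MVM scans from labelled IP ranges by network size.  Added example,
not McAfee code: template values are from the guide's tables, the input
shape and report-size estimate are assumptions."""
import ipaddress

# Upper bounds on potentially live hosts for each size class in the guide.
SMALL_MAX = 10 * 256        # up to 10 Class C networks
MEDIUM_MAX = 65536          # up to one Class B
LARGE_MAX = 16777216        # up to one Class A ("16.7 million" in the guide)

# Batch Size and Number of Scan Objects from the recommended-settings tables.
# Small networks use one template for every scan type; large networks have no
# full vulnerability or web application template because the guide says not
# to run those at that size.
TEMPLATES = {
    ("small", "asset_discovery"):  {"batch_size": 128,  "scan_objects": 5},
    ("small", "sans_top20"):       {"batch_size": 128,  "scan_objects": 5},
    ("small", "full"):             {"batch_size": 128,  "scan_objects": 5},
    ("medium", "asset_discovery"): {"batch_size": 4096, "scan_objects": 10},
    ("medium", "sans_top20"):      {"batch_size": 128,  "scan_objects": 10},
    ("medium", "full"):            {"batch_size": 128,  "scan_objects": 10},
    ("large", "asset_discovery"):  {"batch_size": 8192, "scan_objects": 10},
    ("large", "sans_top20"):       {"batch_size": 128,  "scan_objects": 10},
}


def host_count(ranges):
    """Potentially live hosts: every address in the given CIDR ranges."""
    return sum(ipaddress.ip_network(r, strict=False).num_addresses for r in ranges)


def size_class(hosts):
    """Map a host count onto the guide's small/medium/large classes."""
    if hosts <= SMALL_MAX:
        return "small"
    if hosts <= MEDIUM_MAX:
        return "medium"
    if hosts <= LARGE_MAX:
        return "large"
    raise ValueError("larger than a Class A: split into regions first")


def report_size(live_hosts, vulns_per_host=3):
    """Report-size estimate as the guide illustrates it: 10,000 live hosts
    with 3 vulnerabilities each is 30,000 findings in one report."""
    return live_hosts * vulns_per_host


def plan_scan(label, ranges, scan_type):
    """Build one scan plan: size class, template values, and whether the
    guide recommends this scan type at this size.  `label` becomes the scan
    label used to correlate the region in reports."""
    hosts = host_count(ranges)
    size = size_class(hosts)
    plan = {"label": label, "ranges": list(ranges), "hosts": hosts,
            "size": size, "scan_type": scan_type}
    template = TEMPLATES.get((size, scan_type))
    if template is None:
        plan["recommended"] = False
        plan["note"] = ("not recommended at this size: run SANS/FBI Top 20 "
                        "or split the ranges into smaller regions")
    else:
        plan.update(template)
        plan["recommended"] = True
    return plan


def plan_regions(regions, scan_type):
    """One plan per labelled region, so each region is scanned and reported
    separately instead of one Class A scan producing one huge report."""
    return [plan_scan(label, ranges, scan_type)
            for label, ranges in regions.items()]


# Constructed sample regions (private ranges, not any real deployment).
SAMPLE_REGIONS = {
    "branch-office": ["10.10.1.0/24", "10.10.2.0/24"],   # 512 hosts: small
    "campus": ["10.20.0.0/16"],                           # 65536 hosts: medium
    "whole-company": ["10.0.0.0/8"],                      # 16.7M hosts: large
}

if __name__ == "__main__":
    for plan in plan_regions(SAMPLE_REGIONS, "full"):
        print(plan)
```

Feed it the region list you would otherwise type into the enterprise manager by hand: each plan's `label` is the scan label to use, and a plan with `recommended` set to `False` is the signal to fall back to the SANS/FBI Top 20 template or to subdivide that region before configuring the scan.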