Vulnerability management

The UTMStack built-in vulnerability scanner can detect known and unknown vulnerabilities in the network. How can you keep your network safe if you do not know its weaknesses?

New scan

This chapter describes how to configure a new scan.

Go to Vulnerabilities > New scan.

Create a new task and then execute the scan. You can configure the following parameters:

Name: A descriptive name to identify the scan.

Comments: The optional comment allows specifying background information.

Target: Select a previously configured target from the drop-down list.

Schedules: Select a previously configured schedule from the drop-down list.

Add target: Add a new target. A target could be a website, web application, server, or network device that you would like to scan for security vulnerabilities.

Run once: Launch the scan once.

Add schedule: Schedule the job to run at a different time.

Add result to assets: Selecting this option makes the scanned systems available to asset management.

Apply override: The severity of a result can be modified. This is called an override. Overrides change the display of the results.

Alterable task: Allows modification of the task even though reports were already created. The consistency between reports can no longer be guaranteed if tasks are altered.

Min QoD: The minimum quality of detection required for a result to be added to the asset database.

Auto delete reports: This option may automatically delete old reports.

Scanner: By default, only the built-in OpenVAS and CVE scanners are supported.

Scan configuration: UTMStack comes with eight pre-configured scan configurations for the OpenVAS scanner.

Network source interface: You can choose the source interface for the scan.

Max executed NVTs per host: Select the speed of the scan on one host.

Maximum scanned hosts: If many NVTs run simultaneously on a system, or several systems are scanned at the same time, the scan may have a negative impact on the performance of the scanned systems, the network, or the UTMStack appliance itself. These values may be tweaked.

1.1 Add target

A target is a website, web application, server, or network device that you would like to scan for security vulnerabilities.

You can define a new scan target as follows:

Name: Choose a descriptive name.

Comment: The optional comment allows specifying background information.

Hosts: Manual entry of the hosts that should be scanned, separated by commas.

Exclude Hosts: Manual entry of the hosts that should be excluded from the list above, separated by commas.

Reverse lookup only: Only scan IP addresses that can be resolved into a DNS name.

Reverse lookup unify: If multiple IP addresses resolve to the same DNS name, the DNS name will only be scanned once.

Port list: Port list used for the scan. You can add a port list or select one from the drop-down list: All TCP, All privileged TCP, etc.

Alive Test: This option specifies the method to check if a target is reachable. Options are:

Credential for authenticated checks: A credentialed scan can recover more details about a host than one without credentials. You can add new credentials and select the port. SSH and SMB credentials are configured by default.
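The Hosts, Exclude Hosts, Reverse lookup only and Reverse lookup unify fields above combine into a single list of addresses the scanner will actually touch. The Python below is an added example, not UTMStack or OpenVAS code: it builds that list for IP addresses and CIDR blocks (hostnames in the Hosts field are out of scope here), and SAMPLE_PTR is a constructed stand-in for reverse DNS so it runs offline; the function and parameter names are assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Set

# Constructed reverse-DNS table (assumption: the real scanner does PTR lookups;
# a dict is injected here so the example runs offline).
SAMPLE_PTR: Dict[str, str] = {
    "10.0.0.10": "web1.example.test",
    "10.0.0.11": "web1.example.test",   # second address, same DNS name
    "10.0.0.12": "db1.example.test",
}


def expand_hosts(spec: str) -> List[str]:
    """Expand a comma-separated Hosts field (single IPs or CIDR blocks)."""
    out: List[str] = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)
        if net.num_addresses == 1:          # a bare address (/32 or /128)
            out.append(str(net.network_address))
        else:                               # usable hosts of the block
            out.extend(str(h) for h in net.hosts())
    return out


def build_target(hosts: str, exclude_hosts: str = "",
                 reverse_lookup_only: bool = False,
                 reverse_lookup_unify: bool = False,
                 ptr: Callable[[str], Optional[str]] = SAMPLE_PTR.get) -> List[str]:
    """Apply Exclude Hosts and the two reverse-lookup options to the Hosts field."""
    excluded: Set[str] = set(expand_hosts(exclude_hosts)) if exclude_hosts else set()
    seen_names: Set[str] = set()
    result: List[str] = []
    for ip in expand_hosts(hosts):
        if ip in excluded:
            continue
        name = ptr(ip)
        if reverse_lookup_only and name is None:
            continue                        # unresolvable addresses are skipped
        if reverse_lookup_unify and name is not None:
            if name in seen_names:
                continue                    # this DNS name is already queued once
            seen_names.add(name)
        result.append(ip)
    return result
```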


Overview

This chapter describes the overview page.

Go to the Vulnerabilities tab and click it to display a drop-down list with three options:

  1. New scan
  2. Overview
  3. Scan results

(Figure: vulnerability2.png)

Click on Overview to display the ASSET VULNERABILITY DASHBOARD:

The dashboard is made up of 3 rows of visualizations:

The first row displays:

Click on any pie slice to display an Asset Discovery dashboard with detailed info: name, hostname and IP, host OS, severity, system, and discovery. You can filter by time.

2.2 The second row displays:

(Figure: operating-system-by-severity.png)

Click on any bar to display the Asset Discovery dashboard described above.

2.3 The severity levels

(Figure: severity-info.png)

Findings of the severity levels High and Medium are the most important and should be addressed with priority. High-level findings should be addressed before medium-level findings.

Findings of the severity levels Low and Log are mostly of interest for a detailed understanding. They are filtered out by default but can hold very useful information.

2.4 The third row is a map displaying the host topology. The map visualizes IP addresses that belong to network hosts. The different colors represent different severity levels. Mouse over the map to see the hostname, OS, IP address, and severity.

(Figure: host-topology.png)

Click on any host to see more detailed info:

HOSTNAME, SEVERITY, OPERATIVE SYSTEM, and DATE OF DISCOVERY.

You can save a report to a PDF document and filter by time.


Scan results

In this section, you can configure and manage the scans.

Clicking on Scan results displays the vulnerabilities configuration view.

(Figure: scan-results.png)

This view shows a table listing the scans. The list can be sorted in ascending or descending order and displays the following columns:

3.1 The following scan configurations are already available:

3.3 View Results

This page shows the results for a task. It displays three graphs and a table.

Graphs

Table

For every result, the following information is displayed:

VULNERABILITY: Name of the found vulnerability. By clicking on the name, details of the vulnerability are shown.

SEVERITY: The severity of the vulnerability.

QOD: Quality of Detection; shows the reliability of the detection of a vulnerability.

LOCATION: Port number and protocol type used to find the vulnerability on the host. By clicking on the name, details of the vulnerability are shown.

DATE: Date and time of the report creation.

ASSET: Asset for which the result was found. The IP address is displayed. Click on the asset to view the asset details.


3.4 Filters

The user can employ the filters to display only the most significant results.

UTMStack provides the following filter parameters:

3.5 Status

Delete requested: The task was deleted. The actual deletion process can take some time, as reports need to be deleted as well.

Done: The task has been completed successfully.

New: The task has not been run since it was created.

Requested: The task was just started.

Running: The task is currently running.

Stop requested: The task was requested to stop recently. However, the scan engine has not yet reacted to this request.

Stopped: The task was stopped. The latest report is possibly not yet complete. After restarting the scanner, the task will be resumed automatically.

Internal error: An error has occurred, and the task was interrupted. The latest report is possibly not complete yet or is missing entirely.

All: All tasks.

3.6 Targets

This view shows a table with the list of targets. The following columns are displayed:


Name: A descriptive name should be chosen if possible.

Hosts: Manual entry of the hosts that should be scanned, separated by commas.

Port list: Port list used if the target is used for a scan.

Action: Three available options: task using the target, edit schedule, and target in use.


3.7 Schedules.

Select a previously configured schedule from the tabular list. The following details are displayed:

Action: You can execute the following actions:

You can filter the results by Name, first run, next run, period, and duration.

Click on the New schedule tab to configure a new schedule.


3.8 Ports list.

Managing Port Lists. All existing port lists can be displayed by clicking on the Port List tab.

For all port lists the following information is displayed:

Name: Name of the port list. A global port list is marked with.

Comment: Associated comments.

Last modification: Date and time of the last modification.

Total: Total number of ports in the port list.

TCP: Number of TCP ports in the port list.

UDP: Number of UDP ports in the port list.

You can filter the results by Name and time.

Port Ranges: Manual entry of the TCP and UDP port ranges. If entering manually, the port ranges are separated by commas.

For all port lists, the following actions are available:

3.8.1 A new port list can be created as follows:

  1. Click on New Port List to display a popup window.
  2. The following details of the port list can be defined:

Name: Definition of the Name. The Name can be chosen freely.

Comment: An optional comment can contain additional information.

TCP: Number of TCP ports in the port list.

UDP: Number of UDP ports in the port list.

  3. Click Save.
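
The Port Ranges field is a comma-separated string, and the Port List table summarises it as Total, TCP and UDP counts. The Python below is an added example, not UTMStack or OpenVAS code; it assumes the OpenVAS-style range syntax, where a "T:" or "U:" prefix selects the protocol for that entry and the ones after it and unprefixed entries default to TCP, validates each range and computes the same three counts (overlapping ranges are counted once).

```python
from typing import Dict, Set, Tuple


def parse_port_ranges(spec: str) -> Tuple[Set[int], Set[int]]:
    """Parse a comma-separated port range string into (tcp_ports, udp_ports).

    Assumed syntax (OpenVAS style, not spelled out on the page):
    entries are separated by commas; a "T:" or "U:" prefix switches the
    protocol for that entry and all following ones; the default is TCP.
    Raises ValueError for ports outside 1-65535 or reversed ranges.
    """
    tcp: Set[int] = set()
    udp: Set[int] = set()
    proto = "T"
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        if item[:2].upper() in ("T:", "U:"):
            proto, item = item[0].upper(), item[2:].strip()
            if not item:                      # a bare "T:" only switches protocol
                continue
        lo, _, hi = item.partition("-")
        start, end = int(lo), int(hi or lo)   # single port or start-end
        if not (1 <= start <= end <= 65535):
            raise ValueError(f"invalid port range: {raw!r}")
        (tcp if proto == "T" else udp).update(range(start, end + 1))
    return tcp, udp


def port_list_summary(spec: str) -> Dict[str, int]:
    """Return the Total/TCP/UDP counts the Port List table displays."""
    tcp, udp = parse_port_ranges(spec)
    return {"Total": len(tcp) + len(udp), "TCP": len(tcp), "UDP": len(udp)}
```

For example, "T:1-1024,8080,U:53,161-162" yields 1025 TCP ports and 3 UDP ports, and an entry such as "0-10" is rejected before it reaches the scanner.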

3.9 Credentials.

Credentials for local security checks are required to allow NVTs to log into target systems, e.g., to check locally that all vendor security patches are present.

An authenticated scan can provide more vulnerability details about the scanned system. It requires user credentials to be set up beforehand. These credentials are used to authenticate to different services on the target system. In some circumstances, the results may be limited by the permissions of the account used.

All existing credentials can be displayed by clicking on the Credentials tab.

For all credentials, the following information is displayed:

Name: Name of the credential.

Type: Chosen credential type.

Allow insecure use: Indication whether the GSM can use the credential for unencrypted or otherwise insecure authentication methods.

Login: The user name for the credential if a credential type that requires a user name is chosen.

For all credentials, the following actions are available:

Click on the Name of a credential to display the details of the credential.

Creating a Credential

A new credential can be created as follows:

Click on New credential and configure the following parameters:

Name: Definition of the Name. The Name can be chosen freely.

Comment: An optional comment can contain additional information.

Allow insecure use: Select whether UTMStack can use the credential for unencrypted or otherwise insecure authentication methods.

Username: Definition of the login name used to authenticate on the scanned target system.

Password: Definition of the password used to authenticate on the scanned target system.