COPYRIGHT
Copyright 2012 McAfee, Inc. Do not copy without permission.
TRADEMARKS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,
McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab,
McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection,
TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States
and other countries. Other names and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR
A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS
SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents
McAfee Vulnerability Manager best practices ... 5
Initial planning ... 5
Setup ... 8
Initial planning
The ultimate goal of a vulnerability management program is to ensure that valuable systems are
available to serve their intended purpose and that they are at as little risk as possible from being
adversely affected by security events.
When implementing a vulnerability management program, this is an important guiding principle which
will help prioritize what to do, and what to focus on first.
Before starting any device discovery or vulnerability scanning, you should set up basic guidelines for
how to group and classify devices. These guidelines will be used throughout the process of discovering
devices, assigning priority and ownership, determining vulnerabilities and mitigating the risk by
deploying patches or other countermeasures.
How much risk can we accept?
Asset value
When creating asset groups, think about the business value (Criticality) of the assets in a group. This
is important because many aspects of an ongoing vulnerability management process will become
easier and priorities become clearer if you consider the business value of an asset. For example, both
remediation and risk assessment can benefit from a clear prioritization of assets simply because the
more important systems and devices should receive attention before other assets. This principle helps
the security and operations teams mitigate the most risk with available resources.
When assigning criticality to assets, consider the following questions (note that these are intended
merely as examples and should not be viewed as an all-inclusive list):
How would my business be impacted if this system was unavailable? This is arguably one of the most
important questions to answer. A business critical system can be defined as one that stores
business critical data and/or participates in a vital function or transaction process. A system being
unavailable might not just be the direct result of, for example, a Denial of Service (DoS) attack,
but also a result of the subsequent recovery and possibly forensics efforts. An attack that takes
only seconds to complete can result in several days, even weeks, of downtime.
Can my business function without this system? This question is slightly different and perhaps more
pointed than the previous. Systems that a business cannot function at all without are highly
critical and should be the first to receive attention, to mitigate risk and prepare for any possible
events. If the answer to this question is yes, the system is likely not very important.
How many users are depending on this system? Any system servicing many users should be
considered important. The more users depending on the system, the more important it is. If users
on the system are carrying out functions that are vital to the business, the value of that system
increases.
Are other systems depending on this system? Answering this question might require insight into the
architecture and configuration of networks and systems. Any system that other assets depend on
should be regarded as important. If the system in question is the only system on the network
carrying out that particular function, it should be regarded as important. A good example of a
highly important system would be a firewall through which all Internet communications occur.
Once the basic system classification guidelines have been established, you can quickly create
meaningful groups of assets within McAfee Vulnerability Manager and assign a criticality to these
groups and to individual assets as necessary.
Another very important aspect of establishing policies and guidelines is to identify practical and
achievable targets for the organization's security posture.
How much exposure can we accept for how long? The longer a system remains unpatched (or
otherwise is at risk), the more likely it is that the system will eventually be affected. In answering
this question, you could consider criteria such as the importance of the system in question,
whether it contains business-critical data and/or sensitive data, and so on. What would be the
impact if the system was to become unavailable or compromised? As a general rule of thumb,
systems which contain very sensitive data, perform business-critical functions, or otherwise are
very important should not be left exposed very long.
How quickly can we deal with the assessment results? How quickly can we remediate? One of the
unavoidable questions when defining policy and goals is the question of how quickly an
organization can react to findings from a vulnerability scan. In order for a vulnerability
management program to be successful, resources must be in place to remediate vulnerabilities,
adjust firewall rules and packet filters and/or deploy risk-mitigating technologies such as firewalls
and IPS products.
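As an added example (not code from the guide), the following Python turns the four planning questions and the exposure-window idea into a remediation queue: each asset gets a criticality from the questions, each criticality gets a maximum acceptable exposure in days, and findings are ordered and cut to the remediation capacity the team actually has. The weights, the windows, the capacity, and the assets and findings are constructed assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    business_critical: bool       # can the business function without it? (no -> True)
    user_count: int               # how many users depend on it?
    dependents: int               # how many other systems depend on it?
    sole_provider: bool           # the only system carrying out its function?
    internet_exposed: bool = False


def criticality(a: Asset) -> int:
    """Map the planning questions to a 1 (low) .. 5 (high) criticality.
    The weights are an assumption of this example, not the guide's."""
    score = 1
    if a.business_critical:
        score += 2
    if a.user_count >= 100:
        score += 1
    if a.dependents > 0 or a.sole_provider:
        score += 1
    if a.internet_exposed:
        score += 1
    return min(score, 5)


# Longest acceptable exposure in days per criticality level (assumed policy:
# the more important the system, the shorter it may stay unpatched).
EXPOSURE_WINDOW_DAYS = {5: 7, 4: 14, 3: 30, 2: 60, 1: 90}


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str        # constructed labels, not real vulnerability identifiers
    severity: int       # scanner severity: 1 low, 2 medium, 3 high
    first_seen: date


def is_overdue(f: Finding, today: date) -> bool:
    """True when the finding has been open longer than its asset's window allows."""
    return (today - f.first_seen).days > EXPOSURE_WINDOW_DAYS[criticality(f.asset)]


def prioritize(findings, today: date, capacity: int):
    """Order findings for remediation and cut the list to what the team can
    process before the next scan. Findings past their exposure window go first;
    within each group the product of criticality and severity decides, and the
    older finding wins ties."""
    ranked = sorted(
        findings,
        key=lambda f: (not is_overdue(f, today),
                       -criticality(f.asset) * f.severity,
                       f.first_seen),
    )
    return ranked[:capacity]


# Constructed sample inventory.
TODAY = date(2012, 6, 30)
FIREWALL = Asset("core-firewall", True, 5000, 50, True, internet_exposed=True)  # criticality 5
WEB = Asset("ecom-web-01", True, 20000, 0, False, internet_exposed=True)        # criticality 5
HR = Asset("hr-intranet", False, 300, 0, False)                                  # criticality 2
LAB = Asset("lab-box", False, 3, 0, False)                                       # criticality 1

SAMPLE_FINDINGS = [
    Finding(HR, "VULN-A", 3, date(2012, 4, 1)),         # 90 days open, window 60: overdue
    Finding(FIREWALL, "VULN-B", 2, date(2012, 6, 27)),  # 3 days open, window 7
    Finding(WEB, "VULN-C", 3, date(2012, 6, 20)),       # 10 days open, window 7: overdue
    Finding(LAB, "VULN-D", 3, date(2012, 1, 1)),        # 181 days open, window 90: overdue
    Finding(WEB, "VULN-E", 1, date(2012, 6, 29)),       # 1 day open, window 7
]


def remediation_queue(capacity: int = 3):
    """Vulnerability ids in the order the team should work them this cycle."""
    return [f.vuln_id for f in prioritize(SAMPLE_FINDINGS, TODAY, capacity)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, TODAY, capacity=5):
        flag = "OVERDUE" if is_overdue(f, TODAY) else "within window"
        print(f"{f.vuln_id} on {f.asset.name} (criticality {criticality(f.asset)}): {flag}")
```

With a capacity of three, the overdue e-commerce finding comes first and the two within-window findings on the web farm and firewall wait for the next cycle, which is the point: the queue reflects what can be fixed, not everything the scanner saw.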
Setup
This section provides information on how to prepare to deploy McAfee Vulnerability Manager.
Number of servers required

Number of live IPs     Number of servers     Notes
0 - 2,500
2,500 - 10,000
10,001 - 20,000
20,001 - >100,000
Prepare your setup
Other network traffic (business-critical data/sessions). Any active scanning technology, such as
McAfee Vulnerability Manager, sends some amount of data to assets on the network. This is an
unavoidable consequence of any vulnerability scanning technology. McAfee Vulnerability Manager
provides robust and detailed controls that allow customers to optimize the scanning behavior and
speed of McAfee Vulnerability Manager. The product has default settings that have proved safe
and effective in most networks. However, no matter how McAfee Vulnerability Manager is
deployed and configured, you should always pay attention to network segments, WAN links,
firewalls, and so on, where particularly important data is passing. Consider a remote site that is
transmitting transactions from a website through a congested or slow WAN link during local
business hours. Since this system only operates during certain hours, you should configure scans
so that the environment is scanned while the web server is not processing transactions and not
relying on bandwidth on the WAN link.
Security or performance. When two product servers are used, McAfee recommends that you deploy
the enterprise manager on one system and the other product components on the second system.
This provides more security because the enterprise manager can be placed outside your firewall,
so users can access it, while the second system can be placed inside the firewall to gather
accurate data from scanned systems. However, having the scan engine and scan controller on the
same system as the database can slow performance, based on the amount of data being
processed. To improve performance when using two product servers, you could separate the scan
engine and scan controller from the database. For example: the enterprise manager, scan engine,
and scan controller on one system and the database and other McAfee Vulnerability Manager
components on the second system.
Network architecture. The API server should be in close proximity (network-wise) to the database
and the enterprise manager web portal. This provides the best performance for users accessing
McAfee Vulnerability Manager using the enterprise manager. In other words, when deciding on
which appliance to use for the API server, choose the appliance that has no firewalls, WAN links,
congested networks, packet shapers, and so on, between itself, the database, and the enterprise
manager.
Network latency. The API server should be placed so that there is minimal latency between itself,
the enterprise manager, and the database.
Scanning. The API server can run on an appliance that also hosts a scan engine. In a large
environment with many users concurrently accessing the enterprise manager, the API server will
be servicing many concurrent requests as a result of the activity of the users accessing the web
portal. Under these circumstances, the scan engine on this appliance should not be used for
scanning, so resources are dedicated to the API server. In these scenarios, McAfee recommends
that you revoke access to the scan engine in the user rights management system to ensure that
the scan engine on this appliance is not used for actual scanning.
Note: The suggested maximum number of scans running at the same time for any scan engine is
5 concurrent scans with 10 subscans each. A scan can be divided into subscans to increase scan
speeds.
The following table is intended to act as a conservative guideline when determining where and how to
place the API server:
IP addresses    Appliances    Concurrent portal users    Location of the API server                 Scan engine
1-2500          1-15                                     Installed with database and web portal     Yes
2501-10000      16-30                                    Installed with database                    Yes
10001-20000     >31                                      Installed on a dedicated server            No
20001+          >31           >3                         Installed on a dedicated server            No
API server sharing hardware with database. In most deployments (except for large environments),
installing the API server on the same product server as the database is advantageous for several
reasons:
Responsiveness. Co-locating the API server with the database completely negates any
questions regarding network latency or access. On the other hand, it also takes resources
away from the database.
Secure location. The database appliance is typically located in a highly secure environment.
Efficient use of resources. For almost all environments, co-locating the API server with the
database ensures that the investment in McAfee Vulnerability Manager appliance hardware is
used to the best degree possible.
appliance hardware. For example, a McAfee MVM3100 running only the configuration manager can
manage approximately 100 appliances.
The following table is intended to act as a conservative guideline when determining where to place the
configuration manager component.
Appliances    Configuration manager    Scan engine
3 - 10        Yes                      Yes
10 - 100      No                       No
In most network environments, like a corporate intranet, each scan engine should be deployed with a
dedicated scan controller on the same appliance. This is the recommended deployment.
Figure 1: Product deployment with a scan engine and scan controller on the same system
Scan engines and scan controllers can be deployed independently. For example, when security or
network topology do not allow scan engines to directly connect to the database. The database server
might be behind a firewall, or otherwise isolated from the rest of the network. In this configuration,
one or more scan controllers would straddle the firewall, connecting on one side to the database, and
on the other side accepting HTTPS connections from multiple scan engines. In this configuration, the
API server and configuration manager server would also need to straddle the firewall.
Figure 2: Product deployment with scan engines and scan controllers on separate systems
Note: Under typical load, each scan controller can support up to 40 scan engines when run on an
MVM3100 (as of the McAfee Vulnerability Manager 7.0.2 patch).
Product updates
In order for a McAfee Vulnerability Manager system to obtain new vulnerability checks, threat alerts,
OS signature updates, and product patches, the FSUPDATE process must be running. The FSUPDATE
process contacts the McAfee Vulnerability Manager update servers and retrieves update packages
which then are stored in the database. Once in the database, the update packages are distributed by
the configuration manager and applied as necessary. In order for this process to function
automatically, at least one scan engine must be able to reach the Internet. Please note that while the
FSUPDATE process is, by default, installed on all scan engines, it should be running on only one
appliance. FSUPDATE requires a user name and password to authenticate to the McAfee Vulnerability
Manager update server. Your user name and password is issued along with your product license key.
Product updates are retrieved from update.foundstone.com, ports TCP 443 and 80. Set up an
exclusion for this address to retrieve product updates.
The MVM3100 cannot have a proxy provided. When possible, set up a proxy exclusion for
susupdate.foundstone.com, port TCP 80. This address is for operating system updates. These updates
have been tested by quality assurance before being released.
MSTSC/Console (for Windows XP SP2 and earlier, Windows Vista prior to SP1, Windows 2003)
Running the McAfee Vulnerability Manager application in any virtualized remote desktop session
(outside of the admin or console session) will greatly impact McAfee Vulnerability Manager
performance.
Network requirements
McAfee Vulnerability Manager components use the network ports and protocols in the following tables.
If there is a firewall separating components, these ports and protocols must be opened in your firewall
configuration before installing McAfee Vulnerability Manager 7.5.
The network requirements diagrams use a distributed deployment architecture to display
communication paths. If you use a different deployment architecture, be sure to note which system is
running a McAfee Vulnerability Manager component, and use the port number and communication
path specified in the communication path tables.
The network requirements diagrams are separated into two groups: connecting McAfee Vulnerability
Manager components and connecting to external components. External components include other
databases, McAfee ePO databases, LDAP or Active Directory servers, and external ticketing or issue
management systems.
Communication paths between McAfee Vulnerability Manager components (System 1: enterprise manager;
System 3: database***; other components: scan controller, API server, scan engine, data synchronization
service, notification service, configuration manager, report engine):

Title                                                 Description
Authenticated User                                    Ports: 443 or 80
Assessment management search results                  Port: 3800
API service                                           Port: 1433, (SSL over) TCP/IP
Scan data                                             Port: 1433, (SSL over) TCP/IP
Data synchronization service*                         Port: 1433
Notification service**                                Port: 1433
Scan data                                             Port: 1433, (SSL over) TCP/IP
Report data                                           Port: 1433, (SSL over) TCP/IP
10  Generating reports or changing report templates   Port: 3802, REST over HTTPS or HTTP
11  Generated reports                                 Ports: 443 or 80, REST over HTTPS or HTTP
12                                                    Ports: 443 or 80, HTTPS or HTTP
*Changing the location of the data synchronization service changes the communication path(s)
displayed in this diagram.
**Changing the location of the notification service changes the communication path(s) displayed in
this diagram.
***Changing the location of the configuration manager requires a communication path between the
configuration manager and the database, using Port: 1433, (SSL over) TCP/IP.
Note: All McAfee Vulnerability Manager components have an FCM Agent installed. The
communication between each FCM Agent and the configuration manager server is Port: 3801, (SSL
over) TCP/IP.
Communication paths to external components (from the scan controller, API server, scan engine, data
synchronization service and notification service):

Title                                Description
Notification service**               Port: 162, SNMP
Notification service**               Port: 161, SNMP
Notification service**               Port: 25, SMTP
Data synchronization service*        Port: 389, LDAP
Data synchronization service*        Port: 1433
*Changing the location of the data synchronization service changes the communication path(s)
displayed in this diagram.
**Changing the location of the notification service changes the communication path(s) displayed in
this diagram.
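As an added example, not from the guide or the product, this Python script derives the firewall openings a deployment needs from where each component is placed, using the ports from the two tables above; it also applies the footnotes, since moving the data synchronization or notification service changes which hosts those paths cross. The client/server direction of each path is taken from the guide where it states it and is an assumption where marked; the host names are constructed.

```python
from collections import OrderedDict

# Communication paths from the guide's tables as (client, server, port, protocol).
# The guide gives port and protocol; where it does not say which side connects,
# the pairing below is an assumption of this example and marked as such.
PATHS = [
    ("portal user",           "enterprise manager",   443,  "HTTPS"),            # authenticated user (443 or 80)
    ("enterprise manager",    "api server",           3800, "TCP"),              # assessment management search results (assumed pairing)
    ("api server",            "database",             1433, "SSL over TCP/IP"),  # API service
    ("scan controller",       "database",             1433, "SSL over TCP/IP"),  # scan data
    ("report engine",         "database",             1433, "SSL over TCP/IP"),  # report data
    ("data sync service",     "database",             1433, "SSL over TCP/IP"),  # footnote *: path moves with the service
    ("notification service",  "database",             1433, "SSL over TCP/IP"),  # footnote **
    ("configuration manager", "database",             1433, "SSL over TCP/IP"),  # footnote ***
    ("enterprise manager",    "report engine",        3802, "REST over HTTPS"),  # generating reports (assumed pairing)
    ("scan engine",           "scan controller",      443,  "HTTPS"),            # port assumed from "HTTPS connections"
    ("notification service",  "snmp manager",         162,  "SNMP"),
    ("notification service",  "snmp manager",         161,  "SNMP"),
    ("notification service",  "smtp relay",           25,   "SMTP"),
    ("data sync service",     "ldap server",          389,  "LDAP"),
]
FCM_AGENT_PORT = 3801   # every component's FCM Agent -> configuration manager, (SSL over) TCP/IP
EXTERNAL = {"portal user", "snmp manager", "smtp relay", "ldap server"}   # carry no FCM Agent


def required_rules(placement):
    """placement maps each component (and external peer) to the host or network
    it lives on. Returns an ordered dict (src_host, dst_host, port, protocol) ->
    [reasons]. A path whose two ends share a host stays on that host and needs
    no firewall opening, which is why the placement decides the rule set."""
    paths = list(PATHS) + [
        (comp, "configuration manager", FCM_AGENT_PORT, "SSL over TCP/IP")
        for comp in placement if comp not in EXTERNAL
    ]
    rules = OrderedDict()
    for client, server, port, proto in paths:
        src, dst = placement.get(client), placement.get(server)
        if src is None or dst is None or src == dst:
            continue   # component not deployed, or both ends co-located
        rules.setdefault((src, dst, port, proto), []).append(f"{client} -> {server}")
    return rules


def render(rules):
    """One human-readable allow line per distinct (src, dst, port, protocol)."""
    return [f"allow {s} -> {d} port {p} ({proto}): " + ", ".join(why)
            for (s, d, p, proto), why in rules.items()]


# Constructed distributed deployment: three product systems plus external peers.
DISTRIBUTED = {
    "portal user": "corp-lan",
    "enterprise manager": "system1",
    "scan controller": "system2", "api server": "system2", "scan engine": "system2",
    "data sync service": "system2", "notification service": "system2",
    "database": "system3", "configuration manager": "system3", "report engine": "system3",
    "snmp manager": "nms", "smtp relay": "mail", "ldap server": "dc",
}

if __name__ == "__main__":
    for line in render(required_rules(DISTRIBUTED)):
        print(line)
    # Footnote ** in practice: relocating the notification service moves its paths.
    moved = {**DISTRIBUTED, "notification service": "system3"}
    print("after moving the notification service to system3:")
    for line in render(required_rules(moved)):
        print(line)
```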
Discovery scans
This section provides information on some of the more common techniques and practices to help you
get the best results from a deployed McAfee Vulnerability Manager solution.
Create effective discovery scans
Network impact
As mentioned elsewhere in this document, any type of network-based assessment technology works
by sending packets to the targets and observing the responses. As such, some amount of network
traffic is unavoidably introduced by such technologies. This traffic is highest when measured at the
scan engine's own network interface. Because of how most modern networks transmit and distribute
traffic, the number of packets actually reaching each individual target system is far smaller. The vast
majority of modern networks and systems handle assessment traffic with no problems whatsoever.
However, certain types of devices and conditions do warrant caution:
Intrusion Detection System (IDS) sensors. These are, by design, intended to react to traffic patterns
resembling an attack or a major event such as a worm. IDS or IPS (Intrusion Prevention System)
sensors should be configured so that they will not react to traffic from McAfee Vulnerability
Manager.
Legacy devices. Certain devices might be so old and/or fragile that even very light scanning can
have an adverse effect. These devices are typically systems running very old operating systems or
highly unstable applications. A good approach can be to test these legacy devices and applications
in a test lab prior to the full deployment of McAfee Vulnerability Manager.
Improperly configured devices. Some devices might be configured to log all packets, sessions,
transactions, and so on, in extreme detail. While such a configuration might be appropriate for
implementing, tuning, and troubleshooting such devices initially, it can often lead to problems in
production mode due to very large log files. Devices employing this very detailed logging might be
overwhelmed when trying to log the many packets and sessions a typical vulnerability scan
produces.
Packet-modification software/hardware. If a McAfee Vulnerability Manager scan is done through a
program or device that controls computer network traffic (generally known as packet-shapers),
scanning might be impacted negatively due to an increase in the amount of time required to
retrieve results from targets. This might produce inaccuracies in the scan results.
To put things in perspective: if devices are adversely affected by a non-intrusive scan, they are so
fragile that they would very likely have been affected even more had a real malicious event
occurred. Most IT professionals agree that it is better for this to happen under controlled
circumstances than during a real security event.
Optimization
An important aspect of ensuring successful discovery scans is to understand how best to optimize
your scan settings. Because all networks, systems, and environments differ, as do the requirements
imposed by regulatory, corporate and operational policies, the default settings of McAfee
Vulnerability Manager must provide the best possible discovery capability and accuracy while
remaining non-intrusive. As a result, the default settings, while safe and relevant, can be optimized
for individual environments.
Specifically for device discovery scans, the goal of any optimization effort should be to configure the
discovery parameters such that no more than what is absolutely necessary to discover a device and
accurately identify its operating system is included in the scan.
Before discussing a number of example scenarios where optimization is beneficial, some background
information about the device discovery process is needed.
When attempting to discover live devices in a given IP address range, the discovery process follows
these four steps:
1. ARP cache interrogation. First, the scan engine looks in its local ARP cache to determine whether
   the MAC address of a target IP address is known. If it is, the host is alive and has been
   communicated with very recently. If nothing is found, the discovery process continues with step 2.
2. ICMP probes. The discovery process sends ICMP echo requests (ping) to each IP address not
   discovered during step 1 (other ICMP packet types can be enabled). If a response is received from
   the target IP address, the host is considered live and discovered.
3. TCP port probes. The discovery process sends TCP SYN packets to specific ports on each IP
   address not discovered during step 2. If an IP address responds with a SYN-ACK packet, the host
   is considered live.
4. UDP port probes. As the fourth and last step in the discovery process, UDP packets are sent to any
   IP address not yet found to be live. These packets contain properly formatted UDP-based protocol
   messages. If a properly formatted protocol message is received from a targeted host, that host is
   considered live. Any IP address that has not responded to any probe at this point in the process is
   considered down and will not be processed further.
Example 1
A scan engine is deployed near the network core in a NOC. From this location, the scan engine
has network visibility to all networks in the organization. Security policy dictates that firewalls be
in place to segregate remote locations from the NOC. Security policy also dictates that these
firewalls must block ICMP traffic to and from the NOC.
In this example, the default settings would accurately discover all hosts on the remote network, but
would also spend a considerable amount of time needlessly attempting to discover hosts by ICMP
packets. In such a scenario, you could disable the use of ICMP packets which would save considerable
time and bandwidth.
Example 2
A scan engine is scanning hosts through a firewall. The firewall is configured such that only
properly established TCP sessions are allowed to traverse the firewall.
In this example, TCP host discovery would, by default, not yield accurate results due to the default
technique of half open or SYN Scanning. You would need to enable full TCP handshakes for host
discovery and also for service discovery. (This setting is available on the Settings tab when editing or
creating a scan.)
Example 3
A scan engine needs to scan 10.0.0.0 to 10.255.255.255. This address space covers multiple
locations, some of which are reached via slow WAN links and others being robust, high bandwidth
network segments.
In this example, the challenge lies in finding settings that are effective and accurate both for the slow
segments of the network, and for the fast segments of the network. The safest approach will be to
optimize the parameters to fit the slowest parts of the network. Depending on the number of slow and
fast network segments, it might be advantageous to create separate scans for the slow and fast
network segments. The following example discusses these scenarios in more detail.
Example 4
Hosts on a remote network must be discovered. The only path to the remote network is via a very
slow WAN link. The discovery must be done outside of production hours to avoid any impact on
business critical systems and the data they send and receive across the WAN link.
In scenarios where very little bandwidth is available, you should consider two major factors: sending
as few packets as possible, and mitigating the impact of packet loss. The first concern can be
addressed by making the following adjustments:
Slow the scan down. McAfee Vulnerability Manager allows you to adjust the number of milliseconds
between each packet in the discovery process. This is perhaps the single most powerful tool you
can use to decrease the number of packets sent per second. The default value is a compromise
between speed and efficiency. To optimize a scan for low bandwidth, increase the number of
milliseconds between each packet during discovery. This slows down the rate at which packets are
sent, and reduces the bandwidth used at any given point in time. Reducing scan speed as
described above is a simple and effective way of reducing bandwidth requirements. However,
reducing the scan speed is always a trade-off, as a slower scan will take longer.
Note: This only affects discovery scans. Vulnerability scans cannot be slowed down using
interpacket delay. To slow down vulnerability scans, reduce the number of sub scans.
Reduce number of packets sent. Another very effective way of optimizing a scan for low bandwidth
situations is to reduce the number of packets sent to each host. This requires some knowledge
about the target environment. For example, you could disable the use of ICMP packets for
discovery. Doing so eliminates a significant amount of packets sent, but also implies that any
device that only can be discovered using ICMP would not be found by a scan with ICMP disabled.
Another approach is to reduce the number of TCP and UDP ports included in the host discovery. In
an environment where no or few hosts are reached via a firewall, reducing the number of UDP
ports to include only UDP ports 53 and 161 effectively cuts down the amount of packets sent in a
discovery scan. Likewise, in an environment predominantly consisting of Windows-based web and
email servers, you could reduce the TCP port list to contain only ports 25, 80, 110, 135, 443, and
445.
Reduce the number of sub scans. McAfee Vulnerability Manager employs a technique by which a
scan is divided into multiple independent virtual scans. The purpose of this is to increase
performance for large networks by scanning more devices at the same time. For the purpose of
optimizing for low bandwidth, you should reduce the amount of parallel scanning performed. Do
this by raising the threshold that triggers the use of sub scans (called the IP Threshold) and also
by reducing the number of Scan objects (synonymous with sub scans). These two adjustments
effectively reduce the amount of parallel scanning and further reduces the number of packets sent
simultaneously.
Specify ports (McAfee ePO or credential methods only). When using McAfee ePolicy Orchestrator
(McAfee ePO) or credential methods to identify Windows operating systems (assessing only for
authenticated checks), specify ports 445 and 139 only to authenticate the system. This eliminates
the need to discover all ports to perform OS identification. The drawback is there will be an
incomplete list of Network Services detected in the report.
Example 5
A B-class of address space on a robust high speed network segment must be discovered in as
little time as possible.
In this example, the goal is quite the opposite of the previous example: now the goal is to scan as
fast as possible. The adjustments necessary are, to some extent, the opposite of those discussed in
the previous example:
Speed the scan up. By reducing the inter-packet delay, scan speed increases significantly but so
does the amount of network traffic generated.
Reduce the number of packets sent. Reducing the number of packets sent is effective in increasing
scan speeds as well as in reducing the amount of bandwidth used.
Increase the number of sub scans. The concept of sub scans is intended to increase the scan
performance of McAfee Vulnerability Manager by dividing a scan into multiple independent virtual
scan elements. Each sub scan processes its own section of address space, and does so in parallel
with other sub scans. This parallel scanning and processing drastically decreases the amount of
time it takes to scan a given amount of address space but also produces a much higher number of
packets per second.
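As an added example (not code from the McAfee guide), the following Python simulation runs the four discovery steps against constructed host profiles and compares packet counts, coverage and wall-clock time for the settings discussed in Examples 1 to 5: ICMP on or off, shorter port lists, full TCP handshakes, the inter-packet delay and the number of sub scans. The default port lists, the 15 ms delay, the three-packet cost of a full handshake and all hosts are assumptions of the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Host:
    """Constructed target profile: which discovery probes it answers."""
    ip: str
    in_arp_cache: bool = False             # step 1: already in the engine's ARP cache
    answers_icmp: bool = False             # step 2: replies to ICMP echo
    tcp_ports: frozenset = frozenset()     # step 3: ports that reply with SYN-ACK
    udp_services: frozenset = frozenset()  # step 4: UDP ports that send a protocol reply
    stateful_fw: bool = False              # only fully established TCP sessions pass


@dataclass(frozen=True)
class Settings:
    use_icmp: bool = True
    tcp_ports: tuple = (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389)  # assumed default list
    udp_ports: tuple = (53, 111, 137, 161, 500)                               # assumed default list
    full_handshake: bool = False           # half-open (SYN) scanning by default
    delay_ms: int = 15                     # inter-packet delay (assumed default)
    subscans: int = 1                      # parallel scan objects


def probe_host(h: Host, s: Settings):
    """Apply the four discovery steps to one host; return (live, packets_sent)."""
    if h.in_arp_cache:                     # step 1: ARP cache hit, nothing on the wire
        return True, 0
    packets = 0
    if s.use_icmp:                         # step 2: one ICMP echo request
        packets += 1
        if h.answers_icmp:
            return True, packets
    # step 3: TCP probes. Half-open costs one SYN per port; a full handshake is
    # accounted as three packets per port (SYN, ACK, RST). Behind a firewall that
    # only passes established sessions, half-open probes yield no usable reply.
    packets += len(s.tcp_ports) * (3 if s.full_handshake else 1)
    if (s.full_handshake or not h.stateful_fw) and any(p in h.tcp_ports for p in s.tcp_ports):
        return True, packets
    packets += len(s.udp_ports)            # step 4: one protocol message per UDP port
    if any(p in h.udp_services for p in s.udp_ports):
        return True, packets
    return False, packets                  # answered nothing: considered down


def discover(hosts, s: Settings):
    """Return (live IPs, total packets, wall-clock milliseconds). Hosts are dealt
    round-robin to sub scans that run in parallel, each pausing delay_ms between
    its own packets, so more sub scans shorten the run but raise packets per second."""
    live, lanes = set(), [0] * max(1, s.subscans)
    for i, h in enumerate(hosts):
        is_live, sent = probe_host(h, s)
        if is_live:
            live.add(h.ip)
        lanes[i % len(lanes)] += sent
    return live, sum(lanes), max(lanes) * s.delay_ms


# Constructed network segments (not real systems).
LAN = [Host("10.1.0.10", answers_icmp=True, tcp_ports=frozenset({22, 80})),
       Host("10.1.0.11", answers_icmp=True),                  # host firewall: only ping answered
       Host("10.1.0.12", in_arp_cache=True)]
REMOTE = [Host("10.2.0.10", tcp_ports=frozenset({80, 443})),  # site firewall drops ICMP (Example 1)
          Host("10.2.0.11", udp_services=frozenset({161})),   # printer reachable only via SNMP
          Host("10.2.0.50")]                                   # unused address
DMZ = [Host("10.3.0.10", tcp_ports=frozenset({25, 80}), stateful_fw=True)]  # Example 2

DEFAULT = Settings()
NO_ICMP = replace(DEFAULT, use_icmp=False)                                   # Example 1
FULL_TCP = replace(DEFAULT, full_handshake=True)                             # Example 2
LOW_BW = replace(NO_ICMP, tcp_ports=(25, 80, 110, 135, 443, 445),
                 udp_ports=(53, 161), delay_ms=60)                           # Example 4
FAST = replace(DEFAULT, delay_ms=5, subscans=4)                              # Example 5


def compare():
    """Per-scenario (live IPs, packets, milliseconds) showing the trade-offs."""
    return {
        "remote/default": discover(REMOTE, DEFAULT),
        "remote/no-icmp": discover(REMOTE, NO_ICMP),
        "remote/low-bandwidth": discover(REMOTE, LOW_BW),
        "lan/no-icmp": discover(LAN, NO_ICMP),      # 10.1.0.11 is lost without ICMP
        "dmz/default": discover(DMZ, DEFAULT),      # stateful firewall hides the host
        "dmz/full-handshake": discover(DMZ, FULL_TCP),
        "all/default": discover(LAN + REMOTE + DMZ, DEFAULT),
        "all/fast": discover(LAN + REMOTE + DMZ, FAST),
    }


if __name__ == "__main__":
    for name, (live, packets, ms) in compare().items():
        print(f"{name:22} live={len(live)} packets={packets:3} time={ms} ms")
```

The same setting that trims the remote segment (no ICMP) loses a host on the LAN, which is the guide's argument for separate scans per segment rather than one profile for everything.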
Initial discovery
The purpose of the initial set of discovery scans is to build awareness of the environment. It is
assumed that, at this point, you do not know what devices to expect in which network segments. It is
therefore necessary to be able to discover any device. This requirement means that you should not
remove any probe or packet types from the default discovery scan profile template. The safest
approach is to conduct the discovery scan in a slower fashion than would be expected in a well-known
environment. If you know about particularly slow network segments, McAfee advises that you run
separate scans for those segments, and reduce the speed of those scans.
Vulnerability scans
Target scans to each asset group/environment
Before using vulnerability scans, you should consider how to structure the scanning regimen to obtain
the most useful results. As McAfee Vulnerability Manager is very scalable and can easily scan many
assets, you could be overloaded with information. To avoid this, consider the following suggestions:
Focus on assets that matter most. By considering the asset values and prioritizations as discussed
previously, start by focusing on the devices that are most vital to the organization.
Focus on vulnerabilities that matter most. By targeting high risk vulnerabilities as the first step,
any organization quickly reaps the benefits of its vulnerability management program.
Develop corporate scanning policies. Many organizations have successfully developed corporate
standard scanning templates. These can easily be derived from public standards such as SANS,
NIST, CIS, and so on. This is one of the most important steps to take. A properly focused
scanning regimen can prove highly effective and ease the adoption of a vulnerability management
technology.
Consider what your risk mitigation/remediation capacity is. A vulnerability management program is
only truly effective if risk is being mitigated, patches are being deployed, and so on. As such, a
very important factor in developing a successful scanning regimen is to consider how much
capacity your organization has for remediating vulnerabilities and/or utilizing other risk mitigation
strategies. Implementing a scanning schedule that produces more results than what can be
processed will lead to frustration and an inefficient approach to securing the organization.
A common mistake is to simply let a vulnerability scan detect every single high, medium and low risk
vulnerability across all networks in an organization. This approach, while seemingly simple, typically
results in information overload: system administrators buckle under the workload of keeping up with
the endless stream of information and change requests, and IT security teams can appear ineffective
and show a lack of progress.
A more successful approach is to create targeted scans. By tailoring scans to each distinct
environment and applying, for example, a corporate top 20 scan policy, results will be much more
manageable and much more visible when reporting to executive management. A corporate top 20
scan is a scan that targets 20 vulnerabilities that have been identified as being important to your
organization. Whether to target 10, 20, 30, or more vulnerabilities is best decided by the individual
organization but, regardless of how many vulnerabilities are targeted, the focused approach described
here has proven highly successful with most current customers of McAfee Vulnerability Manager.
Example 1
An asset group contains all Windows-based web servers which are publicly accessible. This web
farm is hosting a vital e-commerce application.
In this example, a scan containing all non-intrusive checks for Windows web servers and general
web-based vulnerabilities could be a good starting point. Such a scan focuses on the most critical assets in
this particular organization, namely the e-commerce web front end. Since these devices are exposed
to the Internet and are vital to the business of the company, this scan should target all severities of
vulnerabilities. Even low risk information leakage vulnerabilities are unacceptable to this particular
organization. Limiting the scope of the scan to only web vulnerabilities, and to just this particular
asset group, ensures that the results are manageable and that priority and attention is given to
systems vital to the business.
McAfee Vulnerability Manager 7.5 Best Practices Guide
Example 2
An asset group contains all Windows XP workstations in a particular campus for a large
international organization. These workstations are all managed by a central entity and the
population of workstations is expected to be fairly static.
In this example, a scan could target only Windows vulnerabilities of high and medium risk. Attempting
to track and resolve every single low risk vulnerability in a large workstation environment is often not
considered a worthwhile effort.
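The two examples above describe the same idea from different sides: a targeted scan configuration is an asset group plus a deliberately limited set of checks. The following Python is an added illustration, not code from the guide or from McAfee Vulnerability Manager; the check catalogue, the CHK-nnn ids, the family names and the three policies are constructed for the example. It shows how a per-group policy (severity floor, check families, non-intrusive only) and an explicit "corporate top N" list each select a different subset of the catalogue, which is what keeps the result volume manageable.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Check:
    """One vulnerability check in the scanner's catalogue (constructed ids)."""
    check_id: str
    family: str      # platform the check applies to: "web", "windows", "unix", ...
    severity: str
    intrusive: bool  # intrusive checks may disrupt the target


@dataclass(frozen=True)
class ScanPolicy:
    """What a scan configuration for one asset group is allowed to run."""
    min_severity: str = "Informational"
    families: frozenset = frozenset()
    non_intrusive_only: bool = True
    explicit_ids: frozenset = frozenset()  # a "corporate top N" list; overrides the filters


# Constructed check catalogue with placeholder ids (not McAfee check ids).
CATALOGUE = [
    Check("CHK-001", "web", "Low", False),
    Check("CHK-002", "web", "Informational", False),
    Check("CHK-003", "web", "High", True),
    Check("CHK-004", "windows", "High", False),
    Check("CHK-005", "windows", "Low", False),
    Check("CHK-006", "windows", "Medium", False),
    Check("CHK-007", "unix", "High", False),
    Check("CHK-008", "database", "Medium", False),
]

# Policies modelled on the guide's two examples plus a corporate top-N list (assumed).
POLICIES = {
    # Example 1: public web farm, all severities, web and Windows checks only.
    "public-web-farm": ScanPolicy(families=frozenset({"web", "windows"})),
    # Example 2: managed workstations, Windows checks of medium risk and above.
    "campus-workstations": ScanPolicy(min_severity="Medium", families=frozenset({"windows"})),
    # A corporate "top N" policy names the checks the organization cares about.
    "corporate-top": ScanPolicy(explicit_ids=frozenset({"CHK-004", "CHK-007", "CHK-008"})),
}


def select_checks(catalogue, policy):
    """Return the checks a policy selects, in catalogue order."""
    if policy.explicit_ids:
        return [c for c in catalogue if c.check_id in policy.explicit_ids]
    return [
        c for c in catalogue
        if c.family in policy.families
        and not (policy.non_intrusive_only and c.intrusive)
        and SEVERITY_RANK[c.severity] >= SEVERITY_RANK[policy.min_severity]
    ]


def build_scans(catalogue, policies):
    """Map each asset group to the check ids its targeted scan would run."""
    return {group: [c.check_id for c in select_checks(catalogue, p)]
            for group, p in policies.items()}


if __name__ == "__main__":
    for group, ids in build_scans(CATALOGUE, POLICIES).items():
        print(f"{group}: {len(ids)} of {len(CATALOGUE)} checks -> {ids}")
```

The intrusive high-severity web check is dropped from the web farm policy even though that policy targets all severities, because the guide's first example is explicitly a non-intrusive scan; a policy for a staging copy of the farm could set `non_intrusive_only=False`.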
Example 1
In this example, you select all of the Microsoft patch and hotfix vulnerability checks that apply to your
network. Once this vulnerability filter is saved, you can select it when setting up a scan configuration
for each group or environment. Such a scan would check assets to ensure all appropriate patches and
hotfixes are applied.
Example 2
In this example, a scan could target specific programs you don't want installed on your network. Such
a scan would search your network for unwanted programs installed on any asset specified in the scan
configuration. The report will display which assets have the unwanted programs installed and you can
view a brief summary of what issues the installed program could cause to your network.
Most Prevalent Vulnerabilities Shows the ten vulnerabilities that affect the largest number of
assets in your organization or group. Change the minimum security level to focus on a
vulnerability severity level and higher. This monitor allows you to drill down to see which systems
are vulnerable.
Most Prevalent Operating Systems Shows the ten operating systems used the most on
assets in your organization or group. This monitor allows you to drill down to see which systems
use the operating system.
Vulnerability Count by Severity Shows the number of High, Medium, Low, and Informational
vulnerabilities, based on all of the assets in your organization or group. This monitor allows you to
drill down and see all of the vulnerabilities discovered, on all systems in the organization or group,
by severity.
Vulnerability Percentage by Severity Shows the total percentage of High, Medium, Low, and
Informational vulnerabilities affecting assets in your organization or group. This monitor allows
you to drill down and see all of the vulnerabilities discovered, on all systems in the organization or
group, by severity.
Organization Vulnerability Count Trend Shows a trend graph of the High, Medium, Low, and
Informational vulnerabilities affecting assets in your organization or group. You can change this
monitor to view the FoundScore.
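The monitors above are all aggregations over the same scan data. As an added example (not part of the guide and not the product's own reporting code), the Python below computes the same four views from constructed scan snapshots: most prevalent vulnerabilities with a minimum severity and a host drill-down, count and percentage by severity, and a count trend across scan dates. Host names, vulnerability ids and dates are placeholders.

```python
from collections import Counter, defaultdict

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed scan snapshots: scan date -> list of (host, vulnerability id, severity).
# Hosts and ids are placeholders, not data from the guide.
SNAPSHOTS = {
    "2012-03-01": [
        ("h1", "V-A", "High"), ("h2", "V-A", "High"), ("h3", "V-A", "High"),
        ("h1", "V-B", "Medium"), ("h2", "V-B", "Medium"), ("h4", "V-B", "Medium"),
        ("h1", "V-C", "Low"), ("h4", "V-D", "Informational"),
    ],
    "2012-04-01": [  # V-A remediated on h1 and h2; a new High finding on h5
        ("h3", "V-A", "High"), ("h5", "V-E", "High"),
        ("h1", "V-B", "Medium"), ("h4", "V-B", "Medium"),
        ("h1", "V-C", "Low"), ("h4", "V-D", "Informational"),
    ],
}


def most_prevalent(findings, n=10, min_severity="Informational"):
    """Top-n vulnerabilities by number of affected hosts, with the drill-down host list.
    Ties are broken by vulnerability id so the output is stable."""
    hosts_by_vuln = defaultdict(set)
    for host, vuln_id, severity in findings:
        if SEVERITY_RANK[severity] >= SEVERITY_RANK[min_severity]:
            hosts_by_vuln[vuln_id].add(host)
    ranked = sorted(hosts_by_vuln.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(vuln_id, sorted(hosts)) for vuln_id, hosts in ranked[:n]]


def count_by_severity(findings):
    """Vulnerability Count by Severity: one count per finding."""
    return Counter(severity for _, _, severity in findings)


def percentage_by_severity(findings):
    """Vulnerability Percentage by Severity, rounded to one decimal place."""
    counts = count_by_severity(findings)
    total = sum(counts.values())
    return {sev: round(100.0 * c / total, 1) for sev, c in counts.items()} if total else {}


def count_trend(snapshots):
    """Organization Vulnerability Count Trend: per-severity counts in date order."""
    return [(date, count_by_severity(f)) for date, f in sorted(snapshots.items())]


if __name__ == "__main__":
    latest = SNAPSHOTS["2012-04-01"]
    print("most prevalent (Medium and higher):", most_prevalent(latest, min_severity="Medium"))
    print("count by severity:", dict(count_by_severity(latest)))
    print("percentage by severity:", percentage_by_severity(latest))
    for date, counts in count_trend(SNAPSHOTS):
        print(date, dict(counts))
```

Note that prevalence counts distinct hosts per vulnerability, while the severity counts count findings; the two monitors therefore answer different questions even over the same snapshot.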
Better scan performance. By optimizing a scan, the time to completion is shorter. This is especially
helpful in situations where a service window permits only a very limited time to scan, or in very
large environments.
More efficient scans. A more efficient scan uses less bandwidth on the network and can complete
in less time.
Increase the FSL thread count. This parameter is set on the McAfee Vulnerability Manager scan
engine console. By increasing the number of FSL threads, each scan will be able to process more
FSL scripts simultaneously and thus scan quicker. By default, this is set to 20. The maximum
number of concurrent FSL threads is 30.
Create more sub scans. This parameter is controlled on the Settings tab when creating or editing
a scan, under the Optimize icon. By increasing the number of sub scans, you can effectively
increase the number of virtual, independent, instances of scans. In other words, by increasing the
number of sub scans, a scan will be divided into a higher number of independent virtual instances
and thus process more hosts at the same time. The default value is 5 and can be increased to 10.
Note that increasing the number of sub scans will, in addition to conducting the scan faster, also
consume more resources on the underlying hardware platform, typically in the form of more
memory usage and higher CPU utilization.
Note: The suggested maximum number of scans for any scan engine is 5 concurrent scans with
10 sub scans each.
Lower the batch size threshold for triggering sub scans. This parameter is controlled on the
Settings tab when creating or editing a scan, under the Optimize icon. Sub scans are used
only when the batch size of a scan exceeds a certain threshold. By lowering this threshold, the
parallel processing is used for smaller scans also.
Decrease the FSL thread count. This parameter is set on the McAfee Vulnerability Manager scan
engine console. By decreasing the number of FSL threads, each scan will be able to process fewer
FSL scripts simultaneously and thus scan slower.
Create fewer sub scans. By decreasing the number of sub scans, you can effectively decrease the
number of virtual, independent, instances of scans. In other words, by decreasing the number of
sub scans, a scan will be divided into a lower number of independent virtual instances and thus
process fewer hosts at the same time.
Raise the threshold for when to trigger sub scans. Sub scans are used only when the size of a scan
exceeds a certain threshold. By increasing this threshold (batch size), the virtualization is used
mostly for larger scans.
Note: This might speed-up scanning for large address pools with only a few hosts.
Exclude anything you know that does not need to be scanned for vulnerabilities. You can exclude
paths and parameters when configuring a scan.
A web application scan will only search the directory and any linked pages from the web address
provided. You must include anything you want to scan that is not in the directory or linked from
the web address being scanned. You can include pages and directories when configuring a scan.
A web application might use the same web page to present different images or products. Each
image or product is given a unique identifier so the same page can be used and only the unique
identifier needs to change to display the correct item. When scanning this part of a web
application, you want to scan the page for vulnerabilities, but you might not want to scan each
unique identifier (which could be thousands or hundreds of thousands of unique identifiers). You
can use the Determine URL Uniqueness setting in a scan configuration to scan the page but ignore
the unique identifiers. For example, if all of your products have a unique numeric value, set
Determine URL Uniqueness to ignore parameters with numeric values.
If you are scanning forms in your web application, you must know what will happen if the scan
tries to modify or manipulate the form. You should also exclude anything that could be destructive
or problematic. For example, you could reset a password by scanning a form. If you are scanning
authentication forms, you should include form credentials to show failures in the report. You
should also specify the input fields (organization, user name, and password) in the scan credential
to get the expected results. You can also include specific results that display on the web page
after a successful logon to verify form authentication.
You can exclude directories or pages to improve scan performance. You should exclude an Admin
directory or pages that will log off the user.
If your network connections are reliable (will not cause timeouts) and your server performance
can handle it, you could reduce the inter-request delay to reduce the scan time. McAfee
recommends not running a web scan while the web application is in production because this could
affect the scan, your users, or both. You should also consider what is between the scan engine
and the target. Your connection could be reliable, but a router could affect the connection and
could result in a denial of service.
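Two of the suggestions above (scan only the directory under the starting address and exclude Admin and logoff pages; use Determine URL Uniqueness to ignore numeric parameter values) can be shown on a list of crawled URLs. The Python below is an added example, not the product's crawler or its uniqueness logic; the host shop.example, the URL list and the exclusion prefixes are constructed. It turns thousands of product pages that differ only in a numeric id into a single scan target while keeping the destructive pages out of scope.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: URLs a crawler might have collected from a catalogue
# application (hypothetical host shop.example, not from the guide).
CRAWLED = [
    "https://shop.example/catalog/item.php?id=1001",
    "https://shop.example/catalog/item.php?id=1002",
    "https://shop.example/catalog/item.php?id=1003&view=full",
    "https://shop.example/catalog/item.php?id=1004&view=full",
    "https://shop.example/catalog/search.php?q=shoes",
    "https://shop.example/catalog/admin/users.php",   # admin directory: exclude
    "https://shop.example/catalog/logoff.php",        # logs the scan session off: exclude
    "https://shop.example/blog/post.php?id=7",        # outside the starting directory
    "https://cdn.example/static/app.js",              # different host
]

BASE = "https://shop.example/catalog/"
EXCLUDED_PREFIXES = ("/catalog/admin/", "/catalog/logoff.php")


def uniqueness_key(url, ignore_numeric_values=True):
    """Key under which URLs that differ only in numeric parameter values collapse.
    The parameter name is kept so that ?id=1 and ?id=1&view=full stay distinct pages."""
    p = urlsplit(url)
    pairs = []
    for name, value in parse_qsl(p.query, keep_blank_values=True):
        if ignore_numeric_values and value.isdigit():
            value = "<n>"  # placeholder for the changing identifier
        pairs.append(f"{name}={value}")
    query = "&".join(sorted(pairs))
    key = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"
    return f"{key}?{query}" if query else key


def in_scope(url, base, excluded_prefixes):
    """Same host as the starting address, under its directory, and not excluded."""
    b, p = urlsplit(base), urlsplit(url)
    if (p.scheme.lower(), p.netloc.lower()) != (b.scheme.lower(), b.netloc.lower()):
        return False
    base_dir = b.path.rsplit("/", 1)[0] + "/"   # "/catalog/index.php" -> "/catalog/"
    if not p.path.startswith(base_dir):
        return False
    return not any(p.path.startswith(x) for x in excluded_prefixes)


def plan_targets(urls, base, excluded_prefixes):
    """Return (one representative URL per uniqueness key, URLs left out of scope)."""
    targets, skipped = {}, []
    for u in urls:
        if not in_scope(u, base, excluded_prefixes):
            skipped.append(u)
            continue
        targets.setdefault(uniqueness_key(u), u)  # first URL seen represents the key
    return list(targets.values()), skipped


if __name__ == "__main__":
    targets, skipped = plan_targets(CRAWLED, BASE, EXCLUDED_PREFIXES)
    print("scan targets:", targets)
    print("out of scope:", skipped)
```

Pages outside the starting directory (the blog here) are skipped by the directory rule; the guide's advice is to add such paths explicitly as included pages or directories in the scan configuration if they are in scope.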
Custom reports
Foundstone Asset Reports allow you to create custom reports based on templates you create. This
allows a wide variety of reports to be generated and automatically distributed, with a much greater
degree of freedom than is available in Scan Reports. Common questions that Asset Reports can help
answer include:
To answer these questions, you create an appropriate Asset Report Template to gather the data and
report information about your network.
What is a threat?
Before beginning to describe the inner workings of the TCM, we should clarify what a threat is and
how it is different from a vulnerability.
A threat is in its simplest form an event, whereas a vulnerability is a condition. The TCM helps to
measure the likelihood that an event will affect hosts in the environment managed by McAfee
Vulnerability Manager.
So in other words, the more severe the underlying vulnerability, the higher the asset value and the
more accurate the match, the more at risk a system is from the threat in question.
The list of hosts produced by a correlation is prioritized so the hosts at the most risk are at the top of
the list. This helps you understand where to deploy risk mitigation resources, and thus helps you
focus on mitigating the most risk with the available resources.
Additionally, the list produced by the TCM will also show if an open trouble ticket already exists for the
host in question.
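The ranking rule stated above (more severe vulnerability, higher asset value, more accurate match means more risk) can be made concrete. The Python below is an added illustration and not the TCM's actual correlation algorithm; the severity weights, the match-confidence values, the hosts, products, vulnerability ids and the threat are all constructed for the example. It produces the prioritized host list described in the text, with the open-ticket flag per host.

```python
from dataclasses import dataclass

SEVERITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 3}
# How accurately a host matches the threat, from a direct vulnerability match down
# to a product-only match. These weights are assumptions for the example.
MATCH_CONFIDENCE = {"vulnerability": 1.0, "product_version": 0.6, "product": 0.3}


@dataclass(frozen=True)
class Host:
    name: str
    asset_value: int      # 1 (low) to 5 (critical), as assigned by the organization
    products: frozenset   # (product, version) pairs inventoried on the host
    vulns: frozenset      # vulnerability ids found by the last scan


@dataclass(frozen=True)
class Threat:
    name: str
    severity: str         # severity of the vulnerability the threat exploits
    exploits: frozenset   # vulnerability ids the threat uses
    affects: frozenset    # (product, version) pairs known to be affected


def match_kind(host, threat):
    """Most accurate kind of match between a host and a threat, or None."""
    if host.vulns & threat.exploits:
        return "vulnerability"
    if host.products & threat.affects:
        return "product_version"
    if {p for p, _ in host.products} & {p for p, _ in threat.affects}:
        return "product"
    return None


def correlate(hosts, threat, open_tickets):
    """Rank hosts by risk from one threat: severity x asset value x match confidence.
    Each row also records whether a trouble ticket is already open for the host."""
    rows = []
    for h in hosts:
        kind = match_kind(h, threat)
        if kind is None:
            continue
        score = SEVERITY_WEIGHT[threat.severity] * h.asset_value * MATCH_CONFIDENCE[kind]
        rows.append({"host": h.name, "score": round(score, 2), "match": kind,
                     "open_ticket": h.name in open_tickets})
    rows.sort(key=lambda r: (-r["score"], r["host"]))
    return rows


# Constructed sample inventory (placeholder names, products and ids).
HOSTS = [
    Host("db01", 5, frozenset({("srv", "2.0")}), frozenset({"V-100"})),
    Host("web03", 3, frozenset({("srv", "2.0")}), frozenset()),
    Host("lab07", 1, frozenset({("srv", "1.9")}), frozenset({"V-100"})),
    Host("kiosk", 2, frozenset({("other", "1.0")}), frozenset()),
]
THREAT = Threat("worm-X", "High", frozenset({"V-100"}), frozenset({("srv", "2.0")}))
OPEN_TICKETS = {"lab07"}

if __name__ == "__main__":
    for row in correlate(HOSTS, THREAT, OPEN_TICKETS):
        print(row)
```

The critical database host outranks the web server even though both run the affected product version, because the scan confirmed the vulnerability on the database host; the lab machine is confirmed vulnerable too but has a low asset value and already has a ticket open, so it lands at the bottom of the list.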
Optimize performance
This guide provides information on configuring McAfee Vulnerability Manager 7.5 to optimize its
performance over your network and to configure it to your environment. By default, McAfee
Vulnerability Manager 7.5 is already optimized for small to medium networks; its default parameters
minimize impact on network resources. However, for organizations with large networks (Class B or
greater), optimizing McAfee Vulnerability Manager 7.5 will help ensure that the scans will complete in
a timely manner.
Selecting the correct scan parameters for your network can affect the speed and accuracy of your
scans, and the impact on your network. See Recommended Settings on page 45 for suggestions on
how to optimize McAfee Vulnerability Manager 7.5 for various environments. Use them as guidelines
for setting up scans on your network.
Note: Use care when adjusting these parameters from the default values; they significantly impact
scan accuracy, scan duration, and network bandwidth consumption.
Performance parameters
The following table shows the effect that increasing parameter values has on the scan speed, required
bandwidth, and scan accuracy.
[Table: effect of increasing each performance parameter on scan speed, required bandwidth and scan accuracy. Key: increase in value, decrease in value, none = no effect. Parameters listed: Increased ICMP/UDP/TCP Time-outs; Increased # of Passes (Service Discovery); Increased # of Passes (Host Discovery); Increased Number of Scan Objects; Increased Batch-size (Vulnerability Scan); Increased Packet Interval.]
Services options
You can fine-tune the following options for new or existing scans. In the portal, to create a new scan
select Scans | New Scan, to edit an existing scan select Scans | Edit Scans. These settings can be
found on the Settings tab in the scan configuration wizard, under the Host options.
Credential options
You can fine-tune the following options for new or existing scans. In the portal, to create a new scan
select Scans | New Scan, to edit an existing scan select Scans | Edit Scans. These settings can be
found on the Settings tab in the scan configuration wizard, under the Host options.
Windows Domain
Windows Workgroup
Windows Individual Host
Windows Default
Shell Domain
Shell Individual Host
Shell Default
Web Domain
Web Server
Web Default
Web Application URL
Each method of authentication requires a user ID (user name), and some methods require a
password. The database stores the encrypted user names and passwords for this scan. When the scan
begins, McAfee Vulnerability Manager 7.5 uses this information to attempt authentication on each
discovered host system.
Optimize options
You can set the following options to optimize performance for new or existing scans. In the portal, to
create a new scan select Scans | New Scan, to edit an existing scan select Scans | Edit Scans. These
settings can be found on the Settings tab in the scan configuration wizard, under the Optimize
options.
Number of passes
This option controls the number of times ICMP, UDP, and TCP requests, or pings, are sent to target IP
address ranges during the scan host discovery sequence.
McAfee recommends three passes; use fewer passes for a faster, less thorough scan. For external
scans, McAfee testing reveals that approximately 95% of all active hosts are discovered on the initial
pass, about 4+% are included in the second pass, and the remaining percentage are discovered in the
final pass.
For internal scans, most, if not all, devices are discovered in the first pass.
Batch size
This setting controls the number of IP addresses that are scanned simultaneously. Though the default
value of 1024 IP addresses is recommended for small scans, select a larger batch size to speed up the
scan of a large environment. Values can be 32, 64, 128, 256, 512, 1024, 2048, 4096, and 8192 IP
addresses.
For example, assume you are scanning a class C network (256 IP addresses). The following table
shows the number of scans each different batch size would require.
Batch
size
Scan segments
(256 IP addresses)
64
128
256
Packet interval
This setting controls the amount of time that McAfee Vulnerability Manager 7.5 takes to send each
packet across the network. Without a minimal inter-packet delay, McAfee Vulnerability Manager 7.5
would flood the network with packets, causing routers to drop scan traffic destined for target hosts
and affecting the accuracy of the scan.
Though 15 milliseconds is the default value, select a higher value, such as 20-25 milliseconds, when
scanning a highly distributed network such as a global WAN. Use lower delays, such as 10
milliseconds, over smaller networks with a cleaner backbone to improve scan performance without
sacrificing scan accuracy.
Caution: Even small increases in the Packet Interval affect scan durations. Use caution when adding
delays to large scans.
Assume that a very small scan sends out 1000 packets. Sending them all at once would take very
little time. But consider the effects of adding a small delay:
Delay    Time to send 1000 packets
10ms     10 seconds
25ms     25 seconds
Vulnerable only: Returns only vulnerability data from scanned hosts. This is the default selection
when creating a new scan.
All: Returns all data collected from scanned hosts (vulnerable, not vulnerable, indeterminate).
Note: Returning all results (full results) is only available with HTML reports.
Configure the FSL Thread Count setting in enterprise manager on the General Settings page (select
Manage | Engines and click Preferences for the scan engine).
[Table: effect of scan configuration options on scan speed and required bandwidth. Key: increase in value, decrease in value. Option listed: Perform Tracerouting.]
Windows checks
These checks run only if there is remote administrative access to the target Windows host. The time
consumed for the Windows checks to authenticate, fail or succeed, and execute if successfully
authenticated is higher than most checks.
If proper access is not available as with external scans, disable the Windows checks to improve scan
performance.
Network size
For the purposes of describing network sizes, this guide uses the following size definitions:
Types of scans
McAfee Vulnerability Manager 7.5 lets you customize your scans to your needs. Scan types can range
from simple discovery scans to full vulnerability scans. The following table provides a quick overview
with cross references for each of the scan types on various networks. The most common scans include
the following:
Single Vulnerability Scan Use this scan to scan for a single vulnerability check
Asset Discovery Scan The Asset Discovery Scan searches for the various devices on your
network. All scans perform discovery services and the other scan types look for additional
information, based on the findings from the discovery scan.
SANS/FBI Top 20 Scan This scan searches only for the vulnerabilities that have been identified
by the Federal Bureau of Investigation (FBI) as the top 20 most common vulnerabilities.
Full Vulnerability Scan The full scan lets you pick and choose the types of vulnerability checks to
run against the network.
WWW Application Assessment Scan This scan searches the network for web applications. It
probes for web applications, looks for access points and weaknesses that could provide access
into the network, and searches for various vulnerabilities associated with web applications.
Note: Use these templates as guidelines. Consider your network configuration and refine the settings
as needed. Refer to this guide and the online help for more information on each setting.
Medium
networks
Small
networks
Single Vulnerability
Scan
Asset Discovery
Scan
See page 57
See page 51
SANS/FBI Top 20
Scan
See page 59
See page 53
Full Vulnerability
Scan
Not
recommended
see page 55
for notes
See page 48
Web Application
Assessment Scan
Not
See
recommended
see for notes
See page 51
Small
networks use
the same
settings for all
types of
scans.
Performance expectations
Using these settings you can scan 65536 ports on one system in about 7 to 12 seconds.
McAfee engineers have spent considerable time and effort tuning the scanning engine to provide the
best accuracy. Although another scanner could theoretically scan all ports faster than this, they won't
be more accurate since sending thousands of packets per second will probably cause routers and/or
the target systems to drop significant numbers of packets.
Recommended settings
Scan Ranges
Batch Size
1024-8192 Higher
settings make the scan
faster, but generate more
network traffic
Module Selection
Discovery
ON (always ON)
Recommended settings
Web Application
Assessment Module
OFF
Windows Host
Assessment Module
OFF
Shell Module
Host Discovery
Service Discovery
General Assessment
Module
ON
ON
ICMP: Timeout
(Advanced)
1000ms
OFF
Number of Passes
ON
47
Vulnerability Checks
Options
Recommended settings
UDP: Ports
UDP: Timeout
2000ms
OFF
ON
TCP: Ports
TCP: Timeout
2000ms
OFF
Number of Passes
ON
Service Fingerprinting
Options
OFF
Vulnerability Checks
SANS/FBI Top 20
OFF
IP threshold
256
ON
48
Recommended settings
Scan Ranges
Batch Size
128
Module Selection
Discovery
ON (always ON)
Host Discovery:
ICMP
Recommended settings
Web Application
Assessment Module
OFF
Windows Host
Assessment Module
OFF
OFF
Shell Module
OFF
General Assessment
Module
ON
ON
Echo Request
(Advanced)
ON
Timestamp Request
(Advanced)
OPTIONAL
OPTIONAL
Information Request
(Advanced)
OPTIONAL
Timeout (Advanced)
2000ms
ON
Ports
Timeout (Advanced)
2000ms
OFF
OPTIONAL
ON
49
Recommended settings
Ports
Timeout (Advanced)
4000ms
OFF
OFF
Host Discovery
Number of Passes
Service Discovery:
UDP
ON
Ports
Timeout
2000ms
OFF
ON
Ports
Timeout
4000ms
OFF
Service Discovery
Number of Passes
Service Discovery
Service Discovery
Service Fingerprinting
Options
OFF
Vulnerability Checks
SANS/FBI Top 20
OPTIONAL
Service Discovery:
TCP
or select Vulnerability
Checks and Non-Intrusive
Vulnerability Checks
ON
or use SANS/FBI defaults
Options: Scan
Acceleration
50
Non-Intrusive
ON
IP threshold
256
Options: Reporting
Recommended settings
ON
scan completion
Recommended
settings
Scan Ranges
Batch Size
4096
Module Selection
Discovery
ON (always ON)
Web Application
Assessment Module
OFF
Windows Host
Assessment Module
OFF
OFF
Shell Module
OFF
General Assessment
Module
OFF
ON
51
Recommended
settings
Echo Request
(Advanced)
ON
Timestamp Request
(Advanced)
OPTIONAL
OPTIONAL
Information Request
(Advanced)
OPTIONAL
Timeout (Advanced)
1000ms
OFF
ON
Ports
Timeout (Advanced)
2000ms
OFF
OFF
Host Discovery
Number of Passes
Service Discovery:
UDP
OFF
Service Discovery:
TCP
ON
Ports
Service Discovery
52
Timeout
2000ms
OFF
Number of Passes
Recommended
settings
OFF
SANS/FBI Top 20
OFF
Vulnerability Checks
OFF
Options: Scan
Acceleration
IP threshold
256
10
Options: Reporting
ON
Vulnerability Checks
scan completion
Recommended
settings
Scan Ranges
Batch Size
128
Module Selection
Discovery
ON (always ON)
Web Application
Assessment Module
OFF
Windows Host
Assessment Module
OFF
OFF
Shell Module
OFF
General Assessment
Module
ON
ON
Host Discovery:
ICMP
53
ON
Timestamp Request
(Advanced)
OPTIONAL
OPTIONAL
Information Request
(Advanced)
OPTIONAL
Timeout (Advanced)
1000ms
OFF
ON
Ports
Timeout (Advanced)
4000ms
OFF
OFF
Host Discovery
Number of Passes
Service Discovery:
UDP
ON
Ports
Allow McAfee
Vulnerability Manager to
determine ports
Timeout
2000ms
OFF
ON
Ports
Allow McAfee
Vulnerability Manager to
determine ports
Timeout
2000ms
OFF
Service Discovery
Number of Passes
Service Discovery
ON
Service Discovery
Service Fingerprinting
Options
OFF
Service Discovery:
TCP
54
Recommended
settings
Recommended
settings
Vulnerability Checks
SANS/FBI Top 20
ON
ON
Options: Scan
Acceleration
IP threshold
256
10
Options: Reporting
ON
scan completion
Recommended
settings
Scan Ranges
Batch Size
128
Module Selection
Discovery
ON (always ON)
Web Application
Assessment Module
OFF
Windows Host
Assessment Module
OFF
OFF
Shell Module
OFF
General Assessment
Module
ON
ON
Host Discovery:
ICMP
55
ON
Timestamp Request
(Advanced)
OPTIONAL
OPTIONAL
Information Request
(Advanced)
OPTIONAL
Timeout (Advanced)
1000ms
OFF
ON
Ports
Timeout (Advanced)
2000ms
OFF
OFF
Host Discovery
Number of Passes
Service Discovery:
UDP
ON
Ports
Allow McAfee
Vulnerability Manager to
determine ports
Timeout
2000ms
OFF
ON
Ports
Allow McAfee
Vulnerability Manager to
determine ports
Timeout
2000ms
OFF
Number of Passes
Service Discovery:
TCP
Service Discovery
56
Recommended
settings
Vulnerability Checks
Recommended
settings
ON
Service Fingerprinting
Options
OFF
SANS/FBI Top 20
OFF
Vulnerability Checks
ON
And select all of the non-intrusive checks
Non-Intrusive
ON
Options: Scan
Acceleration
IP threshold
256
10
Options: Reporting
ON
scan completion
Recommended
settings
Scan Ranges
Batch Size
8192
Module Selection
Discovery
ON (always ON)
57
Host Discovery
Service Discovery
Vulnerability Checks
Options
Recommended
settings
Web Application
Assessment Module
OFF
Windows Host
Assessment Module
OFF
OFF
Shell Module
OFF
General Assessment
Module
OFF
ON
ICMP: Timeout
(Advanced)
1000ms
OFF
OFF
Number of Passes
OFF
ON
TCP: Ports
TCP: Timeout
2000ms
OFF
Number of Passes
OFF
Service Fingerprinting
Options
OFF
SANS/FBI Top 20
OFF
Vulnerability Checks
OFF
IP threshold
256
10
ON
scan completion
58
Batch Size
128
Module Selection
Discovery
ON (always ON)
OFF
OFF
OFF
Shell Module
OFF
ON
ON
Host Discovery
59
Service Discovery
Vulnerability Checks
Options
ON
OPTIONAL
OPTIONAL
OPTIONAL
Timeout (Advanced)
1000ms
OFF
OFF
Number of Passes
ON
UDP: Ports
Allow McAfee
Vulnerability Manager to
determine ports
ON
TCP: Ports
Allow McAfee
Vulnerability Manager to
determine ports
TCP: Timeout
2000ms
OFF
Number of Passes
ON
OFF
SANS/FBI Top 20
ON
ON
IP threshold
256
10
ON
scan completion
60
Vulnerability Checks
ON
Options
IP threshold
256
10
ON
scan completion
61