Scribd
Upload
231 views23 pages

Tenable

Uploaded by

foreverbikas
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
231 views23 pages

Tenable

Uploaded by

foreverbikas
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 23

Deployment Guide

Integration with Tenable.io


TABLE OF CONTENTS

INTRODUCTION ....................................................................................................................................................3
PREREQUISITES ....................................................................................................................................................3
KNOWN LIMITATIONS ..........................................................................................................................................3
BEST PRACTICES ...................................................................................................................................................4
CONFIGURATION ..................................................................................................................................................4
WORKFLOW ................................................................................................................................................................. 4
BEFORE YOU GET STARTED .............................................................................................................................................. 4
Download Templates from the Infoblox Community Web-Site............................................................................ 4
Extensible Attributes ............................................................................................................................................ 5
Editing Session Variables ..................................................................................................................................... 6
Supported Notification......................................................................................................................................... 6
Infoblox Permissions ............................................................................................................................................ 7
TENABLE.IO CONFIGURATION........................................................................................................................................... 7
Configure Permissions.......................................................................................................................................... 7
Create a Target Group ......................................................................................................................................... 9
Create a Scan Template ..................................................................................................................................... 10
Generate API Keys .............................................................................................................................................. 11
INFOBLOX NIOS CONFIGURATION .................................................................................................................................. 12
Check if the Security Ecosystem License is Installed........................................................................................... 12
Add/Upload Templates ...................................................................................................................................... 12
Modifying Templates ......................................................................................................................................... 14
Add a Rest API Endpoint .................................................................................................................................... 15
Adding Token ..................................................................................................................................................... 16
Add a Notification .............................................................................................................................................. 17
CHECK THE CONFIGURATION .......................................................................................................................................... 19
Address Object Management Test ..................................................................................................................... 19
SUMMARY ......................................................................................................................................................... 22

Integration with Tenable.io 2


Introduction
Infoblox and Tenable.io together help empower actionable insight into your entire infrastructure’s security
risks, allowing for you to quickly and accurately identify, investigate, and prioritize vulnerabilities and
misconfigurations in your modern IT environment.
Infoblox provides Tenable.io with resources such as IP addresses, Hosts, and potential threats and in
exchange Tenable.io gets improved management on assets and the ability to automatically trigger scans
when security events occur. The integration with Infoblox and Tenable.io allows for quicker remediation
and more insight into the entire network.

Note that all Images in this document were taken in NIOS 8.4

Prerequisites
The following are prerequisites for the integration using Outbound API notifications:
Infoblox:
• Infoblox:
o NIOS 8.3 or higher.
o Security Ecosystem License.
o Outbound API integration templates.
o Prerequisites for the templates (e.g. configured and set extensible attributes).
o Pre-configured services: DNS, DHCP, RPZ, ADP and Threat Analytics.
o NIOS API user with the following permissions (access via API only):
§ All Network Views – RW.
§ All Hosts – RW.
§ All IPv4 Networks – RW.
§ All IPv6 Networks – RW.
§ All IPv4 Ranges – RW.
§ All IPv6 Ranges – RW.
§ All IPv4 DHCP Fixed Addresses/Reservations – RW.
§ All IPv6 DHCP Fixed Addresses/Reservations – RW.
• Tenable.io
o Account with standard permissions

Known Limitations
The current templates support DNS Firewall (RPZ), Threat Insight (DNS Tunneling), Advanced DNS
Protection, Network IPv4, Network IPv6, Range IPv4, Range IPv6, Host IPv4, Host IPv6, Fixed address
IPv4, Fixed address IPv6 and Lease events only. The asset management template does not support
delete or modify events and does not delete or modify IP’s or Host’s from Tenable.io due to limitations
with Tenable.io API. If additional templates become available, they will be found on the Infoblox
community site.

Integration with Tenable.io 3


Best practices
Outbound API templates can be found on the Infoblox community site on the partners integration page.
After registering an account, you can subscribe to the relevant groups and forums. If additional templates
come out, they will be found on the Infoblox community site.
For production systems, it is highly recommended to set the log level for an endpoint to “Info” or higher
(“Warning”, “Error”).
Please refer to the Infoblox NIOS Administrator’s Guide about other best practices, limitations and any
detailed information on how to develop notification templates. The NIOS Administrator’s Guide can be
found through the Help panel in your Infoblox GUI, or on the Infoblox Support portal.

Configuration
Workflow
Tenable.io:
1. Configure Permissions
2. Create a Target Group
3. Create a Scan template.
4. Generate API Keys
Infoblox:
1. Install the Security Ecosystem license if it was not installed.
2. Check that the necessary services and features are properly configured and enabled, including
DNS, DHCP, RPZ, ADP and Threat Analytics.
3. Create the required Extensible Attributes.
4. Download (or create your own) notification templates (Tenable_IO_Assets.txt,
Tenable_IO_Security.txt, Tenable_IO_Session.txt, Tenable_IO_Logout.txt,
Tenable_IO_Login.txt) from the Infoblox community website.
5. Add the templates.
6. Add a REST API Endpoint.
7. Add Notifications.
8. Emulate an event, check Rest API Endpoint debug log and/or verify changes on the grid.

Before you get Started


Download Templates from the Infoblox Community Web-Site
Outbound API templates are an essential part of the configuration. Templates fully control the integration
and steps required to execute the outbound notifications. Detailed information on how to develop
templates can be found in the NIOS Administrator’s guide.
Infoblox does not distribute any templates (out-of-the-box) with the NIOS releases. Templates are
available on the Infoblox community web-site. Templates for the Tenable.io integration will be located in
the “Partners Integrations”. You can find other templates posted in the “API & Integration” forum.
Templates may require additional extensible attributes, parameters or WAPI credentials to be created or
defined. The required configuration should be provided with a template. Don’t forget to apply any changes
required by the template before testing a notification.

Integration with Tenable.io 4


Extensible Attributes
For this integration, the following Extensible Attributes need to be created on the grid.
Table 1. Extensible Attributes

Extensible Attributes Description Type

TNBL_IO_Add_by_Hostname Defines if a host should be synced with List


Tenable.io using a hostname. The hostname
(true, false)
should be resolvable by Tenable.io.

TNBL_IO_Last_Scan Contains a date when an asset was scanned String


last time by a request from Infoblox

TNBL_IO_Scan Defines if an asset should be scanned if RPZ, List


ADP or DNS Tunneling events are triggered
(true, false)

TNBL_IO_Scan_On_Add Defines if an asset should be scanned List


immediately after creation
(true, false)

TNBL_IO_Scan_Template Defines a Tenable.io active scan which should String


be used for scans initiated by Infoblox. List of
possible values should match active scan
names on Tenable.io.

TNBL_IO_Sync Defines if an object should be synced with List


Tenable.io.
(true, false)

TNBL_IO_Sync_Time Contains date/time when the object was String


synchronized.

TNBL_IO_Target_Group Defines a target group in Tenable.io that holds String


the assets to be scanned by Tenable.io.

Editing Instance Variables


Tenable.io templates use instance variables to adjust the templates’ behavior. Instance variables can be
entered through the grid GUI at “Grid” à “Ecosystem” à “Notification” and then selecting the
notification you created at “Edit” à “Templates”.
Table 2. Instance Variables

Instance Variable Description

Integration with Tenable.io 5


Add_Discovery_Data true or false. Defines if a Discovered device should be added to
Tenable.io

Scan_Discovery_Data true or false. Defines if a Discovered device should be scanned


when added to Tenable.io

Discovery_Scan_Template Defines a Tenable.io active scan which should be used for scans
initiated by Infoblox for Discovery events.

Discovery_Target_Group Defines a target group in Tenable.io that holds the assets to be


scanned by Tenable.io

Editing Session Variables


The Tenable_IO_Session template uses two session variables to login to the Tenable.io instance.
Session variables can be entered through the grid GUI at “Grid” à “Ecosystem” à “Outbound
Endpoint” and then selecting the endpoint you created at “Edit” à “Session Management”.
Table 3. Session Variables

Session Variable Description

accessKey A Token that is required to leverage the Tenable.io API.

secretKey A Token that is required to leverage the Tenable.io API.

Supported Notification
A notification can be considered as a "link" between a template, an endpoint and an event. In the
notification properties, you define which event triggers the notification, which template is executed and
with which API endpoint NIOS will establish the connection to. The Tenable.io templates support a subset
of available notifications (refer to the limitations chapter in this guide for more details). In order to simplify
the deployment, only create required notifications and use the relevant filters. It is highly recommended
to configure deduplication for RPZ events and exclude a feed that is automatically populated by Threat
Analytics.
Table 4. Supported Notifications

Notification Description

DNS RPZ DNS queries that are malicious or unwanted

DNS Tunneling Data exfiltration that occurs on the network

Integration with Tenable.io 6


ADP DNS queries that are malicious or unwanted

DHCP Leases Lease events that occur on the network

Object Change Network IPv4 Added/Deleted IPv4 network objects.

Object Change Network IPv6 Added/Deleted network IPv6 objects.

Object Change Range IPv4 Added/Deleted Host IPv4 objects.

Object Change Range IPv6 Added/Deleted Host IPv6 objects.

Object Change Fixed Address IPv4 Added/Deleted fixed/reserved IPv4 objects.

Object Change Fixed Address IPv6 Added/Deleted fixed/reserved IPv6 objects.

Object Change Host Address IPv4 Added/Deleted Host IPv4 objects.

Object Change Host Address IPv6 Added/Deleted Host IPv6 objects.

Infoblox Permissions
The Infoblox and Tenable.io integration requires a few permissions for the integration to work. Navigate
to “Administration” à “Administrators” and add a “Roles”, “Permissions”, “Groups” and
“Admins” to include permissions that are required for the integrations. When creating a new group, under
the “Groups” tab, select the “API” interface under the “Allowed Interfaces” category.

Tenable.io Configuration
Configure Permissions
In order to configure permissions:
1. Navigate to “Settings” à “Users” and click “New User”.

Integration with Tenable.io 7


2. Insert the name and password and enter the Role with permissions levels set to Standard or
higher.

3. Navigate to “Settings” à “Groups” and click “New Group”.

Integration with Tenable.io 8


4. Enter a name for a Group that is not currently being used and click “Add”.

5. Inside the Created Group select “Manage Users” and then click “Add Users”.

6. Click the “User” dropdown and select the user created for the API.

Create a Target Group


7. Navigate to “Scans” à “Target Groups” and select “New Group”.

8. Enter a name for a target group that isn’t being used and for Targets enter any default value for a
place holder.

Integration with Tenable.io 9


9. Under permissions add a group with at least standard permissions and click the drop down next
to the user and choose “Can scan” then click “Save”.

Create a Scan Template


In order to create a scan template:
1. Navigate to “Scans” à “My Scans” and select “New Scan”.

2. On the “Scan Templates” page select the appropriate Scanner template you wish to use.

3. Insert a name that isn’t being used and choose the “Target Group” you created to add assets
from Infoblox to.

Integration with Tenable.io 10


Note: you can configure any other setting as needed.

4. Click Save when you are finished configuring the scan template.

Generate API Keys


In order to Generate API Keys:
1. Navigate to the image for your profile and select “My Account”.

2. Navigate to “API Keys” and click “Generate”.

Integration with Tenable.io 11


3. Here you will find the “Access Key” and the “Secret Key”.

Infoblox NIOS Configuration


Check if the Security Ecosystem License is Installed
Security Ecosystem License is a “Grid Wide” License. Grid wide licenses activate services on all
appliances in the same Grid.
In order to check if the license was installed navigate to “Grid” à “Licenses” à “Grid Wide”.

Add/Upload Templates
In order to upload/add templates:
1. Navigate to “Grid” à “Ecosystem” à “Templates” and click “+” or “+ Add Template”.

Integration with Tenable.io 12


2. Click the “Select” button on the “Add template” window.
3. Click the “Select” button on the “Upload” window. The standard file selection dialog will open.
4. Select the file and Click the “Upload” button on the “Upload” window.
5. Click the “Add” button and the template will be added/uploaded.

6. If a template was previously uploaded, click “Yes” to overwrite the template.

7. You can review the uploaded results in the syslog or by clicking the “View Results” button.

Note: There is no difference between uploading session management and action templates.

Integration with Tenable.io 13


Modifying Templates
NIOS provides the facility to modify the templates via the web-interface.
1. Navigate to “Grid” à “Ecosystem” à “Templates”, and then click the gear icon next to the
template you want to modify.

2. Click the “Edit” button to open up the “Template” window.

3. Click on the Contents tab to view/edit the template.

Integration with Tenable.io 14


The template editor is a simple interface for making changes to templates. It is recommended to only use
the template editor to make minor changes. You can also edit, cut and paste template snippets from a
text editor of your choice.

Note: You cannot delete a template if it is used by an endpoint or by a notification.

Add a Rest API Endpoint


A “REST API Endpoint” is basically a remote system which should receive changes based on a
notification and a configured template. A Grid, for example, can not only send notifications, it can also
receive the notifications from itself (e.g. for testing purposes).
In order to add REST API Endpoints:
1. Navigate to “Grid” à “Ecosystem” à “Outbound Endpoints” and click “+” or “+ Add REST
API Endpoint” buttons. The “Add REST API Endpoint Wizard” window will open.

2. The URI and Name for the appliance you are integrating with are required.
3. The URI should be the IP/FQDN of the appliance you are integrating with, with the correct URI
scheme.
4. Specify “WAPI Integration Username” and “WAPI Integration Password” (NIOS credentials).

Integration with Tenable.io 15


5. (Optional) For debug purposes only: Under “Session Management”, set “Log Level” to
“Debug”.

6. The “accessKey” and “secretKey” can be found when you create the API keys for the user.
Note: When possible, it is recommended to send notifications from a Grid Master Candidate instead of
from the Grid Master.

Adding Token
• Navigate to the “Session Management” tab and add the “Token” to the value fields.

Integration with Tenable.io 16


Add a Notification
An endpoint and a template must be added before you can add a notification.
In order to add notifications:
1. Navigate to “Grid” à “Ecosystem” à “Notification” and click “+” or “+ Add Notification Rule”
then the “Add Notification Wizard” window will open.

2. Specify the notification’s name and select an endpoint (Target), click “Next”.

3. Select an event type and define a filter. Note: For optimal performance, it is best practice to make
the filter as narrow as possible. Click “Next”.

Integration with Tenable.io 17


4. (For Security related notifications only) Check “Enable event deduplication” and specify relevant
parameters. Click “Next”.

5. Select a relevant template and specify the template's parameters if any are required. Click “Save
& Close”.

6. Similarly add rules for other events as well.

Integration with Tenable.io 18


Check the Configuration
(Optional) On the Infoblox grid, navigate to “Grid” à “Ecosystem” à “Outbound Endpoint”, select
Tenable.io endpoint, click on the gear icon and select “Clear Debug Log”

Address Object Management Test


The templates support IPv4/IPv6 Hosts, IPv4/IPv6 Fixed IP/Reservations, IPv4/IPv6 Networks, IPv4/IPv6
Ranges, and DHCP lease events. This use case demonstrates how to manage IP addresses on the
Tenable.io.
1. To create an IPv4 reservation, navigate to "Data Management" à "IPAM". Select an IPv4
network here (say 172.0.0.0/24).
2. Click the drop down next to the “+ Add” button under the toolbar and choose “IPv4 Reservation”.

Integration with Tenable.io 19


3. Click “Next”, then insert the IP “172.0.0.10” into the “IP Address” field.

4. Click on “Next” till you reach the Extensible Attributes window. If the Extensible Attributes have
not already been inherited from the network, set them.

5. Click “Save & Close”.

Integration with Tenable.io 20


6. Select the IP and refresh. The “TNBL_IO_SYNC_TIME” EA is now updated.

7. In the Tenable.io, navigate to “Scans” à “Target Groups” then select the target group you sent
the asset to. The “172.0.0.10” address reservation has been added to the “Targets” list. Refresh
the page if necessary.

Integration with Tenable.io 21


Summary
Infoblox and Tenable.io together help empower actionable insight into your entire infrastructure’s security
risks, allowing for you to quickly and accurately identify, investigate, and prioritize vulnerabilities and
misconfigurations in your modern IT environment.

Integration with Tenable.io 22


Infoblox is leading the way to next-level DDI with its Secure Cloud-Managed Network Services. Infoblox brings next-level security,
reliability and automation to on-premises, cloud and hybrid networks, setting customers on a path to a single pane of glass for network
management. Infoblox is a recognized leader with 50 percent market share comprised of 8,000 customers, including 350 of the
Fortune 500.

Corporate Headquarters | 3111 Coronado Dr. | Santa Clara, CA | 95054


+1.408.986.4000 | 1.866.463.6256 (toll-free, U.S. and Canada) | info@infoblox.com | www.infoblox.com

© 2018 Infoblox, Inc. All rights reserved. Infoblox logo, and other marks appearing herein are property of Infoblox, Inc. All other marks are the
property of their respective owner(s).

You might also like