This document describes how to configure Threat-Centric NAC with Qualys on Identity Services Engine (ISE) 2.1. The Threat-Centric Network Access Control (TC-NAC) feature lets you create authorization policies based on the threat and vulnerability attributes received from threat and vulnerability adapters.
Cisco recommends that you have basic knowledge of these topics:
Cisco Identity Services Engine
Qualys ScanGuard
The information in this document is based on these software and hardware versions:
This is the flow:
Warning: The Qualys configuration in this document was performed for lab purposes; consult Qualys engineers for design considerations.
The Qualys scanner can be deployed from an OVA file. Log in to Qualys Guard Cloud, navigate to Scans > Appliances and select New > Virtual Scanner Appliance.
Select Download Image Only and choose the appropriate distribution.
To obtain the activation code, go to Scans > Appliances, select New > Virtual Scanner Appliance and choose I Have My Image.
After you enter the scanner name, an authorization code is generated; you use it later.
Deploy the OVA on the virtualization platform of your choice. Once done, configure these settings:
Afterwards the scanner connects to Qualys and downloads the latest software and signatures.
To verify that the scanner is connected, navigate to Scans > Appliances.
The green connected icon on the left indicates that the scanner is ready; you can also see the LAN IP and WAN IP of the scanner, its version and its signatures.
Although the Qualys scanner and Cloud are now configured, you still must fine-tune the Cloud settings to make sure the integration with ISE works. Note that this must be done before you configure the adapter through the GUI, because the knowledge base that contains the CVSS scoring information is downloaded after the adapter is configured for the first time.
Enable the TC-NAC service on the node under Administration > Deployment > Edit Node. Select the check box for the service.
Note: Only one TC-NAC node can be configured per deployment.
Navigate to Administration > Threat Centric NAC > Third Party Vendors > Add. Click Save.
When the Qualys instance transitions to the Ready to Configure state, click the Ready to Configure option in the Status column.
The REST API host should be the one you use for Qualys Cloud; locate the right one for your account. In this example it is qualysguard.qg2.apps.qualys.com.
The account should be one with Manager privileges. Click Next.
ISE downloads information about the scanners connected to Qualys Cloud, and on this page you can configure the PSN-to-scanner mapping. It ensures that the scanner is selected according to the PSN that authorized the endpoint.
The advanced settings are well documented in the ISE 2.1 Administration Guide; the link can be found in the References section of this document. Click Next and Finish. The Qualys instance transitions to the Active state and the knowledge base download starts.
Note: Only one Qualys instance can be configured per deployment.
Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Add a new profile. Under Common Tasks, select the Vulnerability Assessment check box.
The scan interval should be chosen according to your network design.
The authorization profile contains these AV pairs:
cisco-av-pair = on-demand-scan-interval=48
cisco-av-pair = periodic-scan-enabled=0
cisco-av-pair = va-adapter-instance=796440b7-09b5-4f3b-b611-199fb81a4b99
They are sent to the network device inside the Access-Accept packet, although their real purpose is to tell the MNT node that a scan should be triggered. MNT then instructs the TC-NAC node to contact Qualys Cloud.
The first connection triggers the VA scan. When the scan is complete, a CoA reauthentication is triggered so that the new policy is applied if it is matched.
To verify which vulnerabilities were found, navigate to Context Visibility > Endpoints. The vulnerabilities of each endpoint are listed together with the score produced by Qualys.
When a specific endpoint is selected, more details about each vulnerability appear, including the title and the CVE IDs.
In Operations > TC-NAC Live Logs you can see the old and the new authorization policy that was applied, together with details such as CVSS_Base_Score.
Note: Authorization conditions are evaluated against CVSS_Base_Score, which equals the highest vulnerability score found on the endpoint.
When a VA scan is triggered by TC-NAC, Qualys queues the scan; it can be viewed under Scans > Scans.
Afterwards it transitions to Running, which means that Qualys Guard Cloud has instructed the Qualys scanner to perform the actual scan.
While the scanner performs the scan, you should see a "Scanning..." icon in the upper-right corner of Qualys Guard.
Once the scan has been performed, it transitions to the Finished state. You can view the results under Scans > Scans: pick the required scan and click View Summary or View Results.
The report shows the detailed results, with the discovered vulnerabilities listed.
To enable debugs on ISE, navigate to Administration > System > Logging > Debug Log Configuration, select the TC-NAC node and change the log level of the va-runtime and va-service components to DEBUG.
Log to be checked: varuntime.log. You can tail it directly from the ISE CLI:
ISE21-3ek/admin# show logging application varuntime.log tail
The TC-NAC Docker container received the instruction to perform a scan for the specific endpoint:
2016-06-28 19:06:30,823 DEBUG [Thread-70][] va.runtime.admin.mnt.EndpointFileReader - : : : : :- VA: Read VA runtime. [{"operationType":1,"macAddress":"C0:4A:00:14:8D:4B","ondemandScanInterval":"48","isPeriodicScanEnabled":false,"periodicScanEnabledString":"0","vendorInstance":"796440b7-09b5-4f3b-b611-199fb81a4b99","psnHostName":"ISE21-3ek","heartBeatTime":0,"lastScanTime":0}]
2016-06-28 19:06:30,824 DEBUG [Thread-70][] va.runtime.admin.vaservice.VaServiceRemotingHandler - : : : : :- VA: Received data from Mnt: {"operationType":1,"macAddress":"C0:4A:00:14:8D:4B","ondemandScanInterval":"48","isPeriodicScanEnabled":false,"periodicScanEnabledString":"0","vendorInstance":"796440b7-09b5-4f3b-b611-199fb81a4b99","psnHostName":"ISE21-3ek","heartBeatTime":0,"lastScanTime":0}
Once the result is received, all vulnerability data is stored in the Context Directory:
2016-06-28 19:25:02,020 DEBUG [pool-311-thread-8][] va.runtime.admin.vaservice.VaServiceMessageListener - : : : : :- Received message from VaService: [{"macAddress":"C0:4A:00:14:8D:4B","ipAddress":"10.62.148.63","lastScanTime":1467134394000,"vulnerabilities":["{\"vulnerabilityId\":\"QID-90783\",\"cveIds\":\"CVE-2012-0002,CVE-2012-0152,\",\"cvssBaseScore\":\"9.3\",\"cvssTemporalScore\":\"7.7\",\"vulnerabilityTitle\":\"Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)\",\"vulnerabilityVendor\":\"Qualys\"}","{\"vulnerabilityId\":\"QID-38173\",\"cveIds\":\"\",\"cvssBaseScore\":\"9.4\",\"cvssTemporalScore\":\"6.9\",\"vulnerabilityTitle\":\"SSL Certificate - Signature Verification Failed Vulnerability\",\"vulnerabilityVendor\":\"Qualys\"}","{\"vulnerabilityId\":\"QID-90882\",\"cveIds\":\"\",\"cvssBaseScore\":\"4.7\",\"cvssTemporalScore\":\"4\",\"vulnerabilityTitle\":\"Windows Remote Desktop Protocol Weak Encryption Method Allowed\",\"vulnerabilityVendor\":\"Qualys\"}","{\"vulnerabilityId\":\"QID-90043\",\"cveIds\":\"\",\"cvssBaseScore\":\"7.3\",\"cvssTemporalScore\":\"6.3\",\"vulnerabilityTitle\":\"SMB Signing Disabled or SMB Signing Not Required\",\"vulnerabilityVendor\":\"Qualys\"}","{\"vulnerabilityId\":\"QID-38601\",\"cveIds\":\"CVE-2013-2566,CVE-2015-2808,\",\"cvssBaseScore\":\"4.3\",\"cvssTemporalScore\":\"3.7\",\"vulnerabilityTitle\":\"SSL/TLS use of weak RC4 cipher\",\"vulnerabilityVendor\":\"Qualys\"}"]}]
2016-06-28 19:25:02,127 DEBUG [pool-311-thread-8][] va.runtime.admin.vaservice.VaServiceMessageListener - : : : : :- VA: Saved to context db, lastscantime: 1467134394000, mac: C0:4A:00:14:8D:4B
2016-06-28 19:25:02,268 DEBUG [pool-311-thread-8][] va.runtime.admin.vaservice.VaAdminServiceContext - : : : : :- VA: Sending elastic search json to PRI LAN
2016-06-28 19:25:02,272 DEBUG [pool-311-thread-8][] va.runtime.admin.vaservice.VaPanRemotingHandler - : : : : :- VA: Saved to elastic search: {C0:4A:00:14:8D:4B=[{"vulnerabilityId":"QID-90783","cveIds":"CVE-2012-0002,CVE-2012-0152,","cvssBaseScore":"9.3","cvssTemporalScore":"7.7","vulnerabilityTitle":"Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)","vulnerabilityVendor":"Qualys"}, {"vulnerabilityId":"QID-38173","cveIds":"","cvssBaseScore":"9.4","cvssTemporalScore":"6.9","vulnerabilityTitle":"SSL Certificate - Signature Verification Failed Vulnerability","vulnerabilityVendor":"Qualys"}, {"vulnerabilityId":"QID-90882","cveIds":"","cvssBaseScore":"4.7","cvssTemporalScore":"4","vulnerabilityTitle":"Windows Remote Desktop Protocol Weak Encryption Method Allowed","vulnerabilityVendor":"Qualys"}, {"vulnerabilityId":"QID-90043","cveIds":"","cvssBaseScore":"7.3","cvssTemporalScore":"6.3","vulnerabilityTitle":"SMB Signing Disabled or SMB Signing Not Required","vulnerabilityVendor":"Qualys"}, {"vulnerabilityId":"QID-38601","cveIds":"CVE-2013-2566,CVE-2015-2808,","cvssBaseScore":"4.3","cvssTemporalScore":"3.7","vulnerabilityTitle":"SSL/TLS use of weak RC4 cipher","vulnerabilityVendor":"Qualys"}]}
Log to be checked: vaservice.log. You can tail it directly from the ISE CLI:
ISE21-3ek/admin# show logging application vaservice.log tail
The Vulnerability Assessment request is submitted to the adapter:
2016-06-28 17:07:13,200 DEBUG [endpointPollerScheduler-3][] cpm.va.service.util.VaServiceUtil - : : : : :- VA SendSyslog systemMsg :[{"systemMsg":"91019","isAutoInsertSelfAcsInstance":true,"attributes":["TC-NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","VA request submitted to adapter","TC-NAC.Details","VA request submitted to adapter for processing","TC-NAC.MACAddress","C0:4A:00:14:8D:4B","TC-NAC.IpAddress","10.62.148.63","TC-NAC.AdapterInstanceUuid","796440b7-09b5-4f3b-b611-199fb81a4b99","TC-NAC.VendorName","Qualys","TC-NAC.AdapterInstanceName","QUALYS_VA"]}]
AdapterMessageListener checks the status of the scan every 5 minutes until it is finished:
2016-06-28 17:09:43,459 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - : : : : :- Message from adapter: {"AdapterInstanceName":"QUALYS_VA","AdapterInstanceUid":"a70031d6-6e3b-484a-adb0-627f30248ad0","VendorName":"Qualys","OperationMessageText":"Number of endpoints queued for checking scan results: 1, Number of endpoints queued for scan: 0, Number of endpoints scan in progress: 0"}
2016-06-28 17:14:43,760 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - : : : : :- Message from adapter: {"AdapterInstanceName":"QUALYS_VA","AdapterInstanceUid":"a70031d6-6e3b-484a-adb0-627f30248ad0","VendorName":"Qualys","OperationMessageText":"Number of endpoints queued for checking scan results: 0, Number of endpoints queued for scan: 0, Number of endpoints scan in progress: 1"}
2016-06-28 17:19:43,837 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - : : : : :- Message from adapter: {"AdapterInstanceName":"QUALYS_VA","AdapterInstanceUid":"a70031d6-6e3b-484a-adb0-627f30248ad0","VendorName":"Qualys","OperationMessageText":"Number of endpoints queued for checking scan results: 0, Number of endpoints queued for scan: 0, Number of endpoints scan in progress: 1"}
2016-06-28 17:24:43,867 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - : : : : :- Message from adapter: {"AdapterInstanceName":"QUALYS_VA","AdapterInstanceUid":"a70031d6-6e3b-484a-adb0-627f30248ad0","VendorName":"Qualys","OperationMessageText":"Number of endpoints queued for checking scan results: 0, Number of endpoints queued for scan: 0, Number of endpoints scan in progress: 1"}
The adapter obtains the QIDs and CVEs together with their CVSS scores:
2016-06-28 17:24:57,556 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - : : : : :- Message from adapter: {"requestedMacAddress":"C0:4A:00:14:8D:4B","scanStatus":"ASSESSMENT_SUCCESS","lastScanTimeLong":1467134394000,"ipAddress":"10.62.148.63","vulnerabilities":[{"vulnerabilityId":"QID-38173","cveIds":"","cvssBaseScore":"9.4","cvssTemporalScore":"6.9","vulnerabilityTitle":"SSL Certificate - Signature Verification Failed Vulnerability","vulnerabilityVendor":"Qualys"},{"vulnerabilityId":"QID-90043","cveIds":"","cvssBaseScore":"7.3","cvssTemporalScore":"6.3","vulnerabilityTitle":"SMB Signing Disabled or SMB Signing Not Required","vulnerabilityVendor":"Qualys"},{"vulnerabilityId":"QID-90783","cveIds":"CVE-2012-0002,CVE-2012-0152,","cvssBaseScore":"9.3","cvssTemporalScore":"7.7","vulnerabilityTitle":"Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)","vulnerabilityVendor":"Qualys"},{"vulnerabilityId":"QID-90882","cveIds":"","cvssBaseScore":"4.7","cvssTemporalScore":"4","vulnerabilityTitle":"Windows Remote Desktop Protocol Weak Encryption Method Allowed","vulnerabilityVendor":"Qualys"},{"vulnerabilityId":"QID-38601","cveIds":"CVE-2013-2566,CVE-2015-2808,","cvssBaseScore":"4.3","cvssTemporalScore":"3.7","vulnerabilityTitle":"SSL/TLS use of weak RC4 cipher","vulnerabilityVendor":"Qualys"}]}
2016-06-28 17:25:01,282 INFO [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - : : : : :- Endpoint details sent to IRF is {"C0:4A:00:14:8D:4B":[{"vulnerability":{"CVSS_Base_Score":9.4,"CVSS_Temporal_Score":7.7},"time-stamp":1467134394000,"title":"Vulnerability","vendor":"Qualys"}]}
2016-06-28 17:25:01,853 DEBUG [endpointPollerScheduler-2][] cpm.va.service.util.VaServiceUtil - : : : : :- VA SendSyslog systemMsg :[{"systemMsg":"91019","isAutoInsertSelfAcsInstance":true,"attributes":["TC-NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","VA completed successfully","TC-NAC.Details","VA completed; Number of vulnerabilities found: 5","TC-NAC.MACAddress","C0:4A:00:14:8D:4B","TC-NAC.IpAddress","10.62.148.63","TC-NAC.AdapterInstanceUuid","796440b7-09b5-4f3b-b611-199fb81a4b99","TC-NAC.VendorName","Qualys","TC-NAC.AdapterInstanceName","QUALYS_VA"]}]
Problem 1. ISE receives a vulnerability report with CVSS_Base_Score 0.0 and CVSS_Temporal_Score 0.0, while the Qualys Cloud report contains discovered vulnerabilities.
When you check the report on Qualys Cloud you can see that vulnerabilities were found, yet in ISE you do not see them.
Debugs seen in vaservice.log:
2016-06-02 08:30:10,323 INFO [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - : : : : :- Endpoint details sent to IRF is {"C0:4A:00:15:75:C8":[{"vulnerability":{"CVSS_Base_Score":0.0,"CVSS_Temporal_Score":0.0},"time-stamp":1464855905000,"title":"Vulnerability","vendor":"Qualys"}]}
Solution:
The CVSS scores are zero for one of two reasons: either there are no vulnerabilities, or CVSS scoring was not enabled on Qualys Cloud before you configured the adapter through the UI. The knowledge base that contains the CVSS scores is downloaded after the adapter is configured for the first time, with whatever scoring features are enabled at that moment. You must therefore make sure that CVSS scoring is enabled before the adapter instance is created on ISE. This is done under Vulnerability Management > Reports > Setup > CVSS > Enable CVSS Scoring.
Problem 2. ISE does not get results back from Qualys Cloud, even though the correct authorization policy was hit.
The correct authorization policy was matched, which should trigger a VA scan. Despite that, the scan was not performed.
Debugs seen in vaservice.log:
2016-06-28 16:19:15,401 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - : : : : :- Message from adapter: (Body:'[B@6da5e620(byte[311])'MessageProperties [headers={}, timestamp=null, messageId=null, userId=null, appId=null, clusterId=null, type=null, correlationId=null, replyTo=null, contentType=application/octet-stream, contentEncoding=null, contentLength=0, deliveryMode=PERSISTENT, expiration=null, priority=0, redelivered=false, receivedExchange=irf.topic.va-reports, receivedRoutingKey=, deliveryTag=9830, messageCount=0])
2016-06-28 16:19:15,401 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - : : : : :- Message from adapter: {"requestedMacAddress":"24:77:03:3D:CF:20","scanStatus":"SCAN_ERROR","scanStatusMessage":"Error triggering scan: Error while triggering on demand scan code and error is as follows 1904: None of the specified IPs are eligible for Vulnerability Management scanning.","lastScanTimeLong":0,"ipAddress":"10.201.228.102"}
2016-06-28 16:19:15,771 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - : : : : :- Adapter failed scan result for Macaddress:24:77:03:3D:CF:20, IP Address(DB):10.201.228.102, setting status to failed
2016-06-28 16:19:16,336 DEBUG [endpointPollerScheduler-2][] cpm.va.service.util.VaServiceUtil - : : : : :- VA SendSyslog systemMsg :[{"systemMsg":"91008","isAutoInsertSelfAcsInstance":true,"attributes":["TC-NAC.ServiceName","Vulnerability Assessment Service","TC-NAC.Status","VA Failure","TC-NAC.Details","Error triggering scan: Error while triggering on demand scan code and error is as follows 1904: None of the specified IPs are eligible for Vulnerability Management scanning.","TC-NAC.MACAddress","24:77:03:3D:CF:20","TC-NAC.IpAddress","10.201.228.102","TC-NAC.AdapterInstanceUuid","796440b7-09b5-4f3b-b611-199fb81a4b99","TC-NAC.VendorName","Qualys","TC-NAC.AdapterInstanceName","QUALYS_VA"]}]
Solution:
Qualys Cloud reports that the IP address of the endpoint is not eligible for scanning. Make sure that you added the IP address of the endpoint under Vulnerability Management > Assets > Host Assets > New > IP Tracked Hosts.
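As an added example (not ISE code, and not taken from the original document), the Python script below parses constructed vaservice.log and varuntime.log lines modelled on the messages quoted above, reproduces the summary ISE sends to IRF (the highest CVSS base score and the highest CVSS temporal score, taken independently, which is how the 9.4 / 7.7 pair in the successful walkthrough arises) and flags the two troubleshooting conditions. The regular expression, the function names and the assumption that Problem 1 shows up as findings scored 0.0 are mine, not ISE's.

```python
import json
import re

# Constructed sample lines modelled on the vaservice.log / varuntime.log messages quoted
# in this document (values shortened; not copied verbatim from the page).
SAMPLE_LOG = r'''
2016-06-28 17:24:57,556 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - ::::- Message from adapter: {"requestedMacAddress":"C0:4A:00:14:8D:4B","scanStatus":"ASSESSMENT_SUCCESS","lastScanTimeLong":1467134394000,"ipAddress":"10.62.148.63","vulnerabilities":[{"vulnerabilityId":"QID-38173","cveIds":"","cvssBaseScore":"9.4","cvssTemporalScore":"6.9","vulnerabilityTitle":"SSL Certificate - Signature Verification Failed Vulnerability","vulnerabilityVendor":"Qualys"},{"vulnerabilityId":"QID-90783","cveIds":"CVE-2012-0002,CVE-2012-0152,","cvssBaseScore":"9.3","cvssTemporalScore":"7.7","vulnerabilityTitle":"Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)","vulnerabilityVendor":"Qualys"}]}
2016-06-28 19:25:02,020 DEBUG [pool-311-thread-8][] va.runtime.admin.vaservice.VaServiceMessageListener - ::::- Received message from VaService: [{"macAddress":"C0:4A:00:14:8D:4B","ipAddress":"10.62.148.63","lastScanTime":1467134394000,"vulnerabilities":["{\"vulnerabilityId\":\"QID-90882\",\"cveIds\":\"\",\"cvssBaseScore\":\"4.7\",\"cvssTemporalScore\":\"4\",\"vulnerabilityTitle\":\"Windows Remote Desktop Protocol Weak Encryption Method Allowed\",\"vulnerabilityVendor\":\"Qualys\"}"]}]
2016-06-02 08:30:10,323 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - ::::- Message from adapter: {"requestedMacAddress":"C0:4A:00:15:75:C8","scanStatus":"ASSESSMENT_SUCCESS","lastScanTimeLong":1464855905000,"ipAddress":"10.62.148.70","vulnerabilities":[{"vulnerabilityId":"QID-90043","cveIds":"","cvssBaseScore":"0.0","cvssTemporalScore":"0.0","vulnerabilityTitle":"SMB Signing Disabled or SMB Signing Not Required","vulnerabilityVendor":"Qualys"}]}
2016-06-28 16:19:15,401 DEBUG [SimpleAsyncTaskExecutor-2][] cpm.va.service.processor.AdapterMessageListener - ::::- Message from adapter: {"requestedMacAddress":"24:77:03:3D:CF:20","scanStatus":"SCAN_ERROR","scanStatusMessage":"Error triggering scan: Error while triggering on demand scan code and error is as follows 1904: None of the specified IPs are eligible for Vulnerability Management scanning.","lastScanTimeLong":0,"ipAddress":"10.201.228.102"}
'''

# Both logs end their VA messages in a JSON payload; varuntime.log wraps it in a list.
MSG_RE = re.compile(r"(?:Message from adapter|Received message from VaService): (.+)$")

def parse_va_messages(log_text):
    """Return the JSON payloads of all VA messages found in the log text."""
    msgs = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            payload = json.loads(m.group(1))
            msgs.extend(payload if isinstance(payload, list) else [payload])
    return msgs

def vulnerabilities(msg):
    """varuntime.log carries each finding as a JSON string (double-encoded); decode it."""
    return [json.loads(v) if isinstance(v, str) else v for v in msg.get("vulnerabilities", [])]

def irf_summary(msg):
    """What ISE sends to IRF per the page's log: highest CVSS base and highest CVSS temporal
    score, each taken independently (the document's 9.4 / 7.7 pair comes from two QIDs)."""
    vulns = vulnerabilities(msg)
    base = max((float(v["cvssBaseScore"]) for v in vulns), default=0.0)
    temporal = max((float(v["cvssTemporalScore"]) for v in vulns), default=0.0)
    return {"CVSS_Base_Score": base, "CVSS_Temporal_Score": temporal}

def triage(msg):
    """Map a message onto the two problems in the document's troubleshooting section."""
    if msg.get("scanStatus") == "SCAN_ERROR":
        text = msg.get("scanStatusMessage", "")
        if "1904" in text or "eligible for Vulnerability Management scanning" in text:
            return "PROBLEM_2_ENDPOINT_IP_NOT_IN_HOST_ASSETS"
        return "SCAN_ERROR_OTHER"
    if not vulnerabilities(msg):
        return "NO_VULNERABILITIES_FOUND"
    if irf_summary(msg)["CVSS_Base_Score"] == 0.0:
        # Assumption: findings scored 0.0 = knowledge base fetched before CVSS scoring was enabled (Problem 1).
        return "PROBLEM_1_CVSS_SCORING_NOT_ENABLED"
    return "OK"
```

Running triage over a real "show logging application vaservice.log tail" capture gives a quick split between a healthy flow, the disabled-scoring case and the missing-host-asset case before you open the Qualys UI.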