Dragon Intrusion Defense System support for Nessus and the PVS
Today Tenable announced a partnership with Enterasys Networks that enables customers of both companies to operate Nessus and/or the Passive Vulnerability Scanner (PVS) directly on the Dragon sensor. Customers who have existing or planned Tenable and Enterasys security solutions should consider this deployment option. This blog entry discusses several deployment scenarios as well as the interaction between Tenable and Enterasys security solutions.
Ease of Deployment and Integration
If your organization has multiple Dragon sensors in place, both Nessus and the PVS can be deployed on these devices. A Dragon IDS sensor is typically positioned well for both passive network monitoring with the PVS and active vulnerability scanning with Nessus.
If your organization has a Tenable Security Center, Nessus scanners and Dragon sensors, but has not deployed the Passive Vulnerability Scanner, deploying them on the Dragon sensors can provide immediate benefits. Adding passive vulnerability data to your Security Center will increase the accuracy of your discovered assets and vulnerabilities. It will also increase the accuracy of the correlation between the IDS events detected by Dragon and the vulnerabilities on your network.
If your organization is engineering a network monitoring solution, deploying Dragon, Nessus and the PVS on one platform simplifies the architecture and maximizes your resources.
Tenable engineers have developed unique installation packages for Nessus and the PVS which install directly onto the Dragon IDS appliance. Enterasys customers should contact Tenable's sales staff to obtain download information for these packages.
The ideal use case is to deploy the PVS and/or Nessus on a Dragon sensor that runs in passive mode and is not currently reaching maximum CPU usage. If your Dragon sensor is inline in "prevention" mode, adding Nessus and/or the PVS is not advised. Neither Nessus nor the PVS was designed for inline analysis.
Enterasys and Tenable Product Interaction
The Security Center receives IDS events from the Dragon management console. These events undergo realtime vulnerability correlation such that real attacks that are likely to succeed are immediately highlighted. The accuracy of this correlation is greatly enhanced with realtime network vulnerability monitoring by the PVS.
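The correlation described above, as an added illustration (not Tenable or Enterasys code): IDS events are matched against per-service vulnerability findings, and adding a passively observed finding changes the verdict for a host the active scan missed. The record layouts, addresses and VULN-* identifiers are constructed assumptions.

```python
# Added example: simplified VA/IDS correlation. Record layouts and the
# VULN-* identifiers are constructed placeholders, not a product format.
from collections import defaultdict

# Constructed vulnerability findings: (host, port, vuln_id, source)
ACTIVE_FINDINGS = [
    ("10.0.0.5", 80, "VULN-A", "active"),
    ("10.0.0.6", 445, "VULN-B", "active"),
]
PASSIVE_FINDINGS = [
    # Host that was offline during the last active scan, seen only on the wire.
    ("10.0.0.9", 80, "VULN-A", "passive"),
]

# Constructed IDS events: each signature maps to the vulnerability it targets.
IDS_EVENTS = [
    {"id": 1, "dst": "10.0.0.5", "dport": 80, "vuln_id": "VULN-A"},
    {"id": 2, "dst": "10.0.0.6", "dport": 80, "vuln_id": "VULN-A"},
    {"id": 3, "dst": "10.0.0.9", "dport": 80, "vuln_id": "VULN-A"},
    {"id": 4, "dst": "10.0.0.7", "dport": 22, "vuln_id": "VULN-C"},
]

def build_index(findings):
    """Map (host, port) -> set of vulnerability ids known for that service."""
    index = defaultdict(set)
    for host, port, vuln_id, _source in findings:
        index[(host, port)].add(vuln_id)
    return index

def correlate(events, findings):
    """Label each event by whether its target is known to be vulnerable."""
    index = build_index(findings)
    known_hosts = {host for host, _port in index}
    result = {}
    for ev in events:
        if ev["vuln_id"] in index.get((ev["dst"], ev["dport"]), ()):
            result[ev["id"]] = "likely-to-succeed"
        elif ev["dst"] in known_hosts:
            result[ev["id"]] = "target-not-vulnerable"
        else:
            result[ev["id"]] = "target-unknown"
    return result

if __name__ == "__main__":
    print("active only:   ", correlate(IDS_EVENTS, ACTIVE_FINDINGS))
    print("active+passive:", correlate(IDS_EVENTS, ACTIVE_FINDINGS + PASSIVE_FINDINGS))
```

With active findings alone, event 3 targets a host the scanner never saw and cannot be prioritized; once the passive finding is merged in, the same event is flagged as likely to succeed.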
The Security Center can also extend the information discovered by Dragon securely to different political or business groups within your organization. This allows groups to gain access to IDS events targeting just their network or assets without the need to deploy a dedicated sensor. Each group can view their security data through a web interface, create custom reports and produce animations and visualizations in a three dimensional user interface.
For even greater event correlation, the Tenable Log Correlation Engine (LCE) accepts IDS events from Dragon sensors and can correlate these with netflow, system logs, firewalls and many other devices. The LCE has many specific TASL correlation scripts which correlate IDS events with network change, new device behaviors, known hacker compromise techniques and worms/botnet communication patterns.
For More Information
Tenable has several webinars and white papers available online that discuss VA/IDS correlation as well as event correlation in general.
- Correlating IDS events with Vulnerabilities Webinar
- Good and Bad uses of Vulnerability Data for IDS Event Correlation Blog
- Network Based Anomaly Detection Webinar
- VA/IDS Correlation White Paper
- Event Correlation White Paper