TCP Metrics Report

by Cody Dumont
March 20, 2014


Tenable's Chief Security Officer Marcus Ranum is posting a Security Metrics series on SecurityWeek.Com (Introduction and Welcome - Security Metrics). The first post, on February 13, 2014, opens with a discussion of metrics. This report illustrates how SecurityCenter Continuous View (SC CV) can collect and report on TCP port usage metrics. The report draws on every method of collecting port usage statistics across the Tenable products (Nessus, PVS, NetFlow, and NetMon) and combines them into a single report for analysis.

The report is available in the SecurityCenter 4.7 Report app feed, an app store of dashboards, reports and assets.  The report requirements are:

  • SecurityCenter 4.7.1
  • Nessus 5.2.5
  • PVS 4.0.1
  • LCE 4.2.2
  • TenableNetFlowMonitor - Optional
  • TenableNetworkMonitor - Optional

This report provides security professionals with detailed statistics for TCP port usage across all Tenable products. For each product (Nessus, PVS and LCE), a chapter is dedicated to port usage statistics. To keep the report to a manageable size, every component has been limited to 25 results. These limits can be modified and the report then launched as needed. Additionally, restricting the report to an asset list or a network will let it run more efficiently.

Chapters

Open Port Summary - This chapter presents the output of the “netstat” command using plugin 14272 “netstat portscanner (SSH)”. Additionally, for Windows computers, process information is also presented using plugin 34220 “Netstat Portscanner (WMI)”. The data in this chapter provides statistics on systems and the TCP ports on which they are listening. For Unix or Linux systems, process port usage can be collected using audit files. See this discussion post for details: https://discussions.nessus.org/thread/7082
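The Open Port Summary chapter is built from netstat output collected per host and then aggregated by listening port. The following is an added example, not code from the report or from Tenable, showing how that aggregation works: it parses both the Linux `netstat -tln` layout and the Windows `netstat -ano` layout (whose trailing column is the owning process ID, the detail the WMI plugin adds), keeps only TCP sockets in a listening state, and ranks ports by how many hosts expose them, capped at the same 25-row limit the report components use. The host names and netstat lines are constructed sample data.

```python
from typing import Dict, List, Tuple

# Constructed netstat output for four hosts (sample data, not taken from the report).
# host-a..host-c use the Linux "netstat -tln" layout; host-w uses the Windows
# "netstat -ano" layout, whose last column is the owning process ID.
SAMPLE_NETSTAT = {
    "host-a": """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
""",
    "host-b": """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
""",
    "host-c": """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
""",
    "host-w": """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.20:3389         10.0.0.9:50211         ESTABLISHED     1234
  UDP    0.0.0.0:137            *:*                                    4
""",
}

LISTEN_STATES = {"LISTEN", "LISTENING"}


def listening_tcp_ports(netstat_output: str) -> Dict[int, str]:
    """Return {port: pid} for every TCP socket in a listening state.

    pid is the Windows PID column when present and "" for Linux output.
    The local address is taken as the first column containing ':' so the
    two layouts can share one parser; non-TCP rows and non-listening TCP
    rows (ESTABLISHED, TIME_WAIT, ...) are skipped.
    """
    ports: Dict[int, str] = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith("tcp"):
            continue
        if not any(f in LISTEN_STATES for f in fields):
            continue
        local = next((f for f in fields[1:] if ":" in f), None)
        if local is None:
            continue
        port = local.rpartition(":")[2]  # works for 0.0.0.0:22 and :::80 alike
        if not port.isdigit():
            continue
        # Windows appends the PID after the state; Linux output ends at the state.
        pid = fields[-1] if fields[-1] not in LISTEN_STATES and fields[-1].isdigit() else ""
        ports[int(port)] = pid
    return ports


def port_usage_summary(outputs: Dict[str, str], limit: int = 25) -> List[Tuple[int, int, List[str]]]:
    """Rank listening TCP ports by the number of hosts exposing them (top `limit`).

    Ties are broken by port number so the ranking is deterministic.
    """
    hosts_by_port: Dict[int, List[str]] = {}
    for host, output in outputs.items():
        for port in listening_tcp_ports(output):
            hosts_by_port.setdefault(port, []).append(host)
    ranked = sorted(hosts_by_port.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(port, len(hosts), sorted(hosts)) for port, hosts in ranked[:limit]]


if __name__ == "__main__":
    for port, count, hosts in port_usage_summary(SAMPLE_NETSTAT):
        print(f"tcp/{port:<5} listening on {count} host(s): {', '.join(hosts)}")
```

A port that shows up on many hosts is usually expected (SSH, HTTPS); the rows worth a second look are the singletons near the bottom of the ranking, which is why the per-port host list is returned alongside the count.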

TCP Trusted Client Connections - This chapter uses the PVS plugin 3, “Internal client trusted connection” to report connections from clients to servers on various ports. A trusted connection is when both the client and server are part of the internal network and a successful TCP three-way handshake is completed.

TCP Trusted Server Connection - This chapter uses the PVS plugin 15, “Internal server trusted connection” to report connections from servers to clients on various ports. A trusted connection is when both the client and server are part of the internal network and a successful TCP three-way handshake is completed.

Outbound External Connections - This chapter uses the PVS plugin 16, “Outbound external connection” to report connections from clients to external servers on various ports. An external connection is when both the server and the client are not part of the monitored network and a successful TCP three-way handshake is completed.
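The three PVS chapters above all start from the same raw material, completed TCP sessions, and differ only in which end of the session is inside the monitored network and which end the statistics are keyed on. The following added example (not code from the report or from PVS) applies those chapter definitions to a constructed session list: a session counts only if the three-way handshake completed, a session with both ends internal is "trusted" and is reported both by client host and port and by server host and port, and a session from an internal client to a non-internal server is "outbound external". The monitored ranges, addresses and the `inbound_external` label for sessions that fit none of the three chapters are assumptions of the example, not something the report defines.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed monitored address ranges (the "internal network") and a set of
# observed TCP sessions; sample data, not taken from the report.
MONITORED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# (client_ip, server_ip, server_port, three_way_handshake_completed)
SAMPLE_SESSIONS = [
    ("10.0.0.9", "10.0.0.5", 22, True),
    ("10.0.0.10", "10.0.0.5", 22, True),
    ("192.168.1.20", "10.0.0.7", 443, True),
    ("10.0.0.9", "203.0.113.10", 443, True),
    ("10.0.0.11", "203.0.113.10", 443, True),
    ("10.0.0.12", "198.51.100.5", 25, True),
    ("10.0.0.9", "10.0.0.5", 3306, False),   # SYN only; no handshake, so not a connection
    ("198.51.100.9", "10.0.0.5", 22, True),   # inbound from outside; none of the three chapters
]


def is_internal(ip: str, networks: Sequence = MONITORED_NETWORKS) -> bool:
    """True when the address falls inside any monitored range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify(client: str, server: str, completed: bool,
             networks: Sequence = MONITORED_NETWORKS) -> Optional[str]:
    """Map one session to the chapter it would be reported under.

    Returns None for sessions without a completed handshake, "trusted" when
    both ends are internal, "outbound_external" for internal client to
    external server, and the assumed label "inbound_external" otherwise.
    """
    if not completed:
        return None
    client_in, server_in = is_internal(client, networks), is_internal(server, networks)
    if client_in and server_in:
        return "trusted"
    if client_in:
        return "outbound_external"
    return "inbound_external"


def _rank(counter: Counter, limit: int) -> List[Tuple]:
    # Highest count first, then by key so the ranking is deterministic.
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def port_stats(sessions: Sequence[Tuple[str, str, int, bool]],
               networks: Sequence = MONITORED_NETWORKS,
               limit: int = 25) -> Dict[str, List[Tuple[int, int]]]:
    """Per-category connection counts by server port, capped like the report's components."""
    counts = {"trusted": Counter(), "outbound_external": Counter()}
    for client, server, port, completed in sessions:
        category = classify(client, server, completed, networks)
        if category in counts:
            counts[category][port] += 1
    return {category: _rank(c, limit) for category, c in counts.items()}


def trusted_views(sessions: Sequence[Tuple[str, str, int, bool]],
                  networks: Sequence = MONITORED_NETWORKS,
                  limit: int = 25):
    """The two trusted-connection chapters look at the same sessions from opposite ends:
    client host and port (clients to servers) versus server host and port (servers to clients)."""
    by_client, by_server = Counter(), Counter()
    for client, server, port, completed in sessions:
        if classify(client, server, completed, networks) == "trusted":
            by_client[(client, port)] += 1
            by_server[(server, port)] += 1
    return _rank(by_client, limit), _rank(by_server, limit)


if __name__ == "__main__":
    for category, rows in port_stats(SAMPLE_SESSIONS).items():
        print(category, rows)
    clients, servers = trusted_views(SAMPLE_SESSIONS)
    print("trusted by client:", clients)
    print("trusted by server:", servers)
```

The incomplete-handshake and inbound-from-outside rows in the sample are there to show what the three chapters leave out: a scan that never completes a handshake produces no trusted or outbound row at all, so these chapters describe established use, not exposure.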

Tenable Network Monitor (TNM) - The data in this chapter displays the statistical port usage data collected using the TNM. The TNM is designed to monitor network traffic and send session information to the LCE server. It can also sniff syslog messages sent from one point to another and treat them as if they were originally sent directly to the LCE.

Tenable NetFlow Monitor (TFM) - The data in this chapter displays the statistical port usage data collected using the TFM. The TFM client takes advantage of the ability in most modern routers to use the NetFlow protocol to send network session statistics to remote collectors for processing and reporting. This enables you to monitor network traffic without having to install a sniffer on a hub or switched SPAN port.