Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Choosing the Right Architecture for Your Nessus Agent Deployment

As organizations adapt to work-from-home mandates, we detail the three most common configurations for securing your remote workforce using Nessus Agent deployments.

In several of our recent blog posts, we’ve discussed the various reasons that organizations, including government agencies, might deploy Nessus Agents to protect their newly distributed workforces. As part of the changes precipitated by emergency remote work mandates, it’s important to maintain vulnerability metrics for your entire organization. These scans are crucial to protecting assets that have changed location from the office to employees’ households, as well as new assets like personal laptops and phones being introduced into your enterprise IT environment.

Nessus Agents are a perfect way of conducting this due diligence. They enable local scan policies on devices that are not dependent on a connection to the office network. Outside of a work-from-home situation, Nessus Agents are also excellent alternatives for gathering vulnerability information on hosts that have frequently changing credentials and assets that have been hardened to prevent external login.

Three ways to set up your Nessus Agent deployment

There are several ways to architect a Nessus Agent deployment depending on your specific needs. Detailed below are a few of the most common use cases.

1. Standalone Tenable.io

Tenable.io has the native capability to communicate with Nessus Agents over the internet. This is ideal for prospective or current Tenable.io customers that want to deploy agents quickly and utilize Tenable-provided, cloud-facing scanners as an “eye in the sky” for assets not typically visible to internal scanners. The diagram below depicts this configuration, which requires no additional deployment outside of the Nessus Agents on each host. You can read our recent blog for further instructions on how to configure Nessus Agents with Tenable.io.

2. Tenable.io as proxy to on-premise Tenable.sc

Tenable.io can also be used as a proxy for Nessus Agents to Tenable.sc. This is a great scenario for organizations that have limited resources for managing additional infrastructure, or those that may not control the external pieces of their network. In this configuration, the Nessus Agent gets its scan instructions from the user’s Tenable.io container and aggregates the data back to Tenable.io. From this point, the data is ready to be ingested into an internal Tenable.sc console for a holistic view with the rest of the internally-available data. 

This solution is great for customers who want to have external visibility of their data without a VPN connection to the internal network. They enjoy simplified scanning of their external assets with the available cloud scanning capabilities found within Tenable.io, as well as easy agent data aggregation and the mature reporting structure of Tenable.sc. You can visit our Tenable Community article for easy step-by-step instructions on how to link your Nessus Agents across Tenable.io and Tenable.sc.

3. Standalone Tenable.sc

If you are using the Tenable.sc platform, Nessus Manager can act as a proxy for Nessus Agents. There are two ways to architect this setup: 

Placing Nessus Manager in the demilitarized zone (DMZ)

This scenario is beneficial for organizations with lots of devices that are off the corporate network and don’t reliably connect to a VPN for internal access. This is becoming a much more prominent method of operation as single sign-on (SSO) solutions and forward-facing web applications replace the need to use a VPN for the majority of a person’s workday. 

A firewall rule can be made between the internal Tenable.sc console and the Nessus Manager residing in the DMZ. This allows Tenable.sc to collect the data without creating additional risk of exposure. Additionally, customers can change the management port so the administrative interface of Nessus Manager isn’t exposed to the Internet. This ensures that any device with an agent and internet connection can still reach the Nessus Manager, and removes the limitation of needing a VPN solution to collect scan data.

Placing Nessus Manager inside the organization’s network

Another option for Nessus Manager is to deploy it within your enterprise network, usually on the same segment as the Tenable.sc console. This is advantageous for organizations that have employees who reliably connect to a VPN, or any organization that wants to maintain vulnerability data within its network. In this situation, you can scan devices for real-time vulnerabilities as they connect to the VPN, without the worry of missing an active scan cycle from a Nessus Agent. This strategy reduces the likelihood of an active Nessus scan saturating a VPN link. Instead, each host uses its own resources and the results are staggered back to the network.

A note on large-scale deployments

Every piece of guidance is enhanced by additional documentation, and Nessus Agent deployment is no exception. For large scale considerations, Tenable provides documentation that contains helpful tips around the scaling relationship between Nessus Agents and Nessus Managers, scan staggering and automated deployment mechanisms. As always, the Tenable Community is another great place to post questions and read about the experience of other security managers.

Secure your workforce with special surge licenses

In recent weeks, we’ve received many inquiries from customers asking for guidance around securing their added remote workforce assets. We’re eager to help the security community protect these newly mobilized workforces, and towards that end we are offering multiple short-term licensing options:

  • For Tenable.sc and Nessus Professional customers: We are offering a free Tenable.io license with unlimited agent scanning available through June 15, 2020.
  • For Tenable.io customers: Tenable will help you extend existing Tenable.io licenses immediately, for free, through June 15, 2020. 
  • For prospective Tenable customers: We offer free trials and evaluation licenses to give you first-hand experience with the products prior to purchase. Request a demo or free trial to learn more about how Nessus Agents can help manage your cyber risk.

For more information on the latest research findings and vulnerability advisories during the COVID-19 response, visit our Tenable resource page on protecting your remote workforce.

Related Posts

How to Maximize Compliance Scans with Nessus

By Team Tenable • September 11, 2020 - 1:32pm

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.