Integrating beSECURE
====================

This guide provides information on integrating Genian ZTNA and beSECURE, a vulnerability management system.

Overview
--------

beSECURE's vulnerability inspection function can be leveraged by Genian ZTNA to inspect new nodes accessing a managed network, and to apply Genian ZTNA tags to vulnerable nodes so that they can be blocked and remediated.

Process
-------

#. Genian ZTNA detects a new node.
#. Genian ZTNA identifies the target for vulnerability assessment.
#. Genian ZTNA sends a request to beSECURE for vulnerability assessment.
#. beSECURE performs the vulnerability assessment.
#. If a vulnerability is found, beSECURE sends an alert to Genian ZTNA.
#. Genian ZTNA applies a tag to the vulnerable node.
#. Genian ZTNA takes enforcement action against the node.

Pre-Requisites
--------------

Generating Genian API Key for beSECURE
''''''''''''''''''''''''''''''''''''''

#. In the Genian ZTNA Web Console, navigate to **Management > User** and use the **Tasks** menu to create a new "superAdmin" account, or use an existing account.
#. In the **General** section of the User configuration, click the **Generate API Key** button, then click **Update**.

Prepare Networking
''''''''''''''''''

Verify that the Genian ZTNA Policy Server and the beSECURE server can communicate using HTTP (TCP/80) and HTTPS (TCP/443). Ensure that sessions can be initiated **bi-directionally**: the Policy Server must reach beSECURE to request scans, and beSECURE must reach the Policy Server to deliver alerts. (The connection port information for Genian ZTNA is under **System > Service Management > Connection Port** in the UI.)

Prepare Genian ZTNA Tag
'''''''''''''''''''''''

Create a tag to be assigned to vulnerable nodes under **Preferences > Tag**, or use an existing tag.

Configuring beSECURE
--------------------

Create a Contact ID
'''''''''''''''''''

#. Go to **DevOps > Admin > Accounts > Contacts** and click the **+** button to create a contact. The Contact Name and Contact Email have no functional impact on the integration.

   .. csv-table::
      :header: "Item", "Value", "Info"
      :widths: 20 25 55

      "Contact Name", "Genian-API", "Required input"
      "Contact Email", "contact@genians.com", "Email to receive report"
      "Contact Phone", "010-1001-1001", "Phone number for Contact ID"

#. Click **create**.

Create an Account ID
''''''''''''''''''''

#. Go to **Admin > Accounts > List** and click the **+** button to create an account.

   .. csv-table::
      :header: "Item", "Value", "Info"
      :widths: 20 25 55

      "User Name", "Genian-API", ""
      "Password Status", "Never Expires", ""
      "Password", "", ""
      "2FA", "", "Disable 2FA"
      "Security Profile", "Default", ""
      "Account Profile", "Scanning User", ""
      "Language", "English", "Select desired language"
      "Timezone", "America/New York", "Select desired timezone"
      "Contact", "Genian API", "Select the Contact ID created in the previous step"

#. Click **create**; the **Account Details** screen needed for the next step should appear.

Create an API Key
'''''''''''''''''

This API key will be used by Genian ZTNA to request a vulnerability scan.

#. Click the **API Key** tab and go to **API Generator**.
#. Check that the API Key has been generated. (If no API Key exists, click the blank field to generate one automatically.)

Create an Organization
''''''''''''''''''''''

This creates a management group for the vulnerability information requested by Genian ZTNA.

#. Go to **Admin > Organizations > List** and click the **+** button to create an organization.

   .. csv-table::
      :header: "Item", "Value", "Info"
      :widths: 20 25 55

      "Organization Name", "Genians", ""
      "Parent Name", "", "Optional value"
      "Logo", "", "Optional value"
      "Scan Range Modification", "Only with Scanner Ownership", ""
      "Scan Range Overlapping", "Allowed", ""
      "Results", "Show in Summary", ""

#. Go to the **Reporting** tab and select the Contact ID (Genian-API) you created earlier.
#. Click **create**.

Set Up Management Group Authority
'''''''''''''''''''''''''''''''''

#. Go to the **Permission** tab in Organization Details.
#. Move the following to the "Assigned" section on the right:

   - Owned By: Genian API
   - Association(s): Genian API

#. Click **Modify**.

Assigning the Scanner
'''''''''''''''''''''

#. Go to **Admin > Deployment > LSS**, select the scanner to be used, and note the ID of the vulnerability scanner. In our example it is 6ECA855F. (Note that the scanner must be connected to the target network.)
#. Grant permission to use the scanner.
#. Select Genian API – Genian-API from Available on the left and move it to Assigned.
#. Go to **Admin > Accounts > Contacts** and select the newly created Contact ID.
#. Go to **Owned By** in Contact Details and move Genian API-Genian-API to Assigned.
#. After making the changes above, click **Modify** and proceed to the next step.

Set Genian ZTNA Target Server
'''''''''''''''''''''''''''''

#. Go to **DevOps > More > Server > Integration**.
#. Click the Genians logo to set up the integration.

   .. csv-table::
      :header: "Item", "Value", "Info"
      :widths: 20 25 55

      "URL", "https://[Policy-Server IP]:8443", "Enter the Policy Server IP with port 8443, or the URL of your Policy Server"
      "API Key", "c6233cfd-a1a8-4ce3-XXXX-61fa87951b38", "Enter the API Key generated for your Genian ZTNA superUser account"
      "Tag Name", "beSECURE_Tag", "Enter the name of the tag you wish to assign to vulnerable nodes"

Configuring Genian ZTNA
-----------------------

Configure Log Filter
''''''''''''''''''''

To identify nodes that must be scanned and to alert beSECURE, a log filter must be created. In this example we will create a filter that identifies newly detected nodes recognized by a Network Sensor.

#. Select the **Log** tab, and click the filter search bar.
#. Enter ``New Node detected. BY='SENSOR'`` in the **Description** field.
#. Click **Save** to the right of the search bar, and configure options on the next screen.
#. Check the **Webhook** option, and configure it as shown below:

   .. csv-table::
      :header: "Item", "Value", "Info"
      :widths: 20 25 55

      "Method", "POST", ""
      "URL", "https://{beSECURE IP}/json.cgi", "beSECURE IP"
      "CHARSET", "UTF-8", "Optional value"
      "POST data", "See example below", "Contents to be sent to beSECURE; the ``#`` comment lines indicate where to find each value in beSECURE"
      "Content-Type", "Application/x-www-form-urlencoded", ""

   ::

      # POST data inputs
      # apikey is the api key for accessing beSECURE
      apikey=8DF7011F-F05C-3810-XXXX-A6C84B198A1A&
      primary=admin&
      secondary=networks&
      action=quickadd&
      network_range={_IP}&
      network_name=New node {_IP} {_DATETIME}&
      # Organization ID is "network parent".
      network_parent=E9FABA8E&
      # Scanner ID is "network scanner".
      network_scanner=6ECA855F&
      quickadd_webscan=no&
      # Contact ID is "contact".
      contact=00B26938&
      network_routine=immediately

Create Grouping and Enforcement Settings
''''''''''''''''''''''''''''''''''''''''

Under **Policy > Group**:

#. Click **Tasks > Create** to create a new Node Group.
#. Under **General**, enter an ID and Description and set the Status to Enabled.
#. Under **Condition**, click **Add** to add the previously created "beSECURE" tag.
#. Click **Save**.

Under **Policy > Enforcement Policy**:

#. Click **Tasks > Create** to create a new Enforcement Policy.
#. Follow the wizard and select the previously created "beSECURE-vulnerability-detected" Node Group.
#. Select the desired Permissions, enable Captive Portal and enter a message to be displayed to the end user.
#. Click **Save**.

With all configurations now in place, the Genians Network Sensor must be switched from Monitoring to Enforcement mode to enable the Layer 2 quarantine of non-compliant nodes on the network. Navigate to **System > Sensor > Edit Sensor Settings**, set the Sensor Operating Mode to Enforcement, then click **Update** at the bottom of the page.

Testing and Validation
----------------------
#. Introduce a machine that contains a vulnerability known to beSECURE into a network segment. This machine should be detected as a new node by Genian ZTNA and trigger the log filter's POST alert. (If the node is already known to Genian ZTNA, remove it from the list using **Tasks > Node and Device > Remove Node**.)
#. beSECURE will conduct a vulnerability assessment of the node.
#. The test node should have the tag assigned once the alert is received from beSECURE.
#. The node will then be Layer 2 quarantined in real time by Genian ZTNA, and will be prevented from accessing any resources prohibited by the configured Enforcement Policy.
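To check what the log filter's webhook will actually send before introducing a test machine, the following script renders the "POST data" template from the Configure Log Filter section above into the URL-encoded form body and the request that the webhook row describes. It is an added example, not part of the Genians documentation or of either product's code. It assumes that the ``#`` lines in the template are annotations for the operator and are not transmitted, that Genian ZTNA replaces ``{_IP}`` and ``{_DATETIME}`` before posting, and it reuses the guide's placeholder IDs and API key; the host name ``besecure.example.internal``, the sample node address and the function names are made up for the example.

```python
"""Render the beSECURE "quickadd" webhook body from the Genian ZTNA template.

Added example, not part of the Genians documentation or of either product's
code. Assumptions: the '#' lines in the "POST data" field are annotations for
the operator and must not be sent, and Genian ZTNA substitutes {_IP} and
{_DATETIME} before posting. All IDs and the API key are the placeholder
values from the guide, not real secrets.
"""
import ipaddress
import urllib.request
from datetime import datetime
from urllib.parse import urlencode

# The template exactly as entered in the log filter's "POST data" field.
POST_DATA_TEMPLATE = """\
# POST data inputs
# apikey is the api key for accessing beSECURE
apikey=8DF7011F-F05C-3810-XXXX-A6C84B198A1A&
primary=admin&
secondary=networks&
action=quickadd&
network_range={_IP}&
network_name=New node {_IP} {_DATETIME}&
# Organization ID is "network parent".
network_parent=E9FABA8E&
# Scanner ID is "network scanner".
network_scanner=6ECA855F&
quickadd_webscan=no&
# Contact ID is "contact".
contact=00B26938&
network_routine=immediately
"""


def parse_template(template):
    """Return the template's key/value pairs as a dict, in template order.

    Comment lines are dropped, the trailing '&' separators are removed, and
    only the first '=' on a line splits key from value, so a value that
    itself contains '=' survives intact.
    """
    fields = {}
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.rstrip("&").partition("=")
        if not sep or not key:
            raise ValueError(f"malformed template line: {raw!r}")
        fields[key] = value
    return fields


def render_body(fields, node_ip, detected_at):
    """Substitute the Genian ZTNA macros and URL-encode the form body.

    The node address comes from the detection log; it is parsed with
    ``ipaddress`` so that anything other than a single host address (a CIDR
    range, a hostname, stray text) is rejected instead of being handed to
    beSECURE as the scan range.
    """
    host = ipaddress.ip_address(node_ip)
    macros = {
        "{_IP}": str(host),
        "{_DATETIME}": detected_at.strftime("%Y-%m-%d %H:%M:%S"),
    }
    rendered = {}
    for key, value in fields.items():
        for macro, replacement in macros.items():
            value = value.replace(macro, replacement)
        rendered[key] = value
    return urlencode(rendered)


def build_request(besecure_host, body):
    """Assemble the POST request the webhook row describes (not sent here)."""
    return urllib.request.Request(
        f"https://{besecure_host}/json.cgi",
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample event: a new node at 10.0.0.25 seen by the sensor.
    fields = parse_template(POST_DATA_TEMPLATE)
    body = render_body(fields, "10.0.0.25", datetime(2024, 1, 2, 3, 4, 5))
    request = build_request("besecure.example.internal", body)
    print(request.get_method(), request.get_full_url())
    print(body)
```

Running the script prints the exact body that reaches ``json.cgi`` for the sample event, which makes it easy to compare against what beSECURE shows under the new network entry. Because ``network_range`` is derived from a log field, ``render_body`` insists on a single host address; a malformed or unexpected value raises ``ValueError`` rather than silently widening the scan range sent to the scanner.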