Integrating beSECURE

This guide provides information on integrating Genian ZTNA and beSECURE, a vulnerability management system.

Overview

beSECURE's vulnerability inspection function can be leveraged by Genian ZTNA to inspect new nodes accessing a managed network, and apply Genian ZTNA tags to vulnerable nodes so that they can be blocked and remediated.

Process

  1. Genian ZTNA detects a new node
  2. Genian ZTNA identifies the target for vulnerability assessment
  3. Genian ZTNA sends a request to beSECURE for vulnerability assessment
  4. beSECURE performs the vulnerability assessment
  5. If a vulnerability is found, beSECURE sends an alert to Genian ZTNA
  6. Genian ZTNA applies a tag to the vulnerable node
  7. Genian ZTNA takes enforcement action against the node

Pre-Requisites

Generating Genian API Key for beSECURE

  1. In the Genian ZTNA Web Console, navigate to Management > User and use the Tasks menu to create a new "superAdmin" account, or use an existing account.
  2. In the General section of the User configuration, click the Generate API Key button, then click Update.

Prepare Networking

Verify that the Genian ZTNA Policy Server and the beSECURE server can communicate using HTTP TCP/80 and HTTPS TCP/443. Ensure that sessions can be initiated in both directions.

(The connection port information for Genian ZTNA is under System > Service Management > Connection Port in the UI.)

Prepare Genian ZTNA Tag

Create a tag to be assigned to vulnerable nodes under Preferences > Tag, or use an existing tag.

Configuring beSECURE

Create a Contact ID

  1. Go to DevOps > Admin > Accounts > Contacts and click the + button to create. The Contact Name and Contact Email have no functional impact on the integration.

    | Item | Value | Info |
    | --- | --- | --- |
    | Contact Name | Genian-API | Required input |
    | Contact Email | contact@genians.com | Email to receive report |
    | Contact Phone | 010-1001-1001 | Phone number for Contact ID |
  2. Click create

Create an Account ID

  1. Go to Admin > Accounts > List and click the + button to create.

    | Item | Value | Info |
    | --- | --- | --- |
    | User Name | Genian-API | |
    | Password Status | Never Expires | |
    | Password | | |
    | 2FA | | Disable 2FA |
    | Security Profile | Default | |
    | Account Profile | Scanning User | |
    | Language | English | Select Desired Language |
    | Timezone | America/New York | Select desired Timezone |
    | Contact | Genian API | Select Contact ID created in previous step |
  2. Click create, and the Account Details screen necessary for the next step should appear.

Create an API Key

This API key will be used by Genian ZTNA to request a vulnerability scan.

  1. Click the API Key tab and go to API Generator.
  2. Check if the API Key has been properly generated. (If the API Key does not exist, click the blank to automatically generate it.)

Create an Organization

This will create a management group for the vulnerability info requested by Genian ZTNA.

  1. Go to Admin > Organizations > List and click the + button to create.

    | Item | Value | Info |
    | --- | --- | --- |
    | Organization Name | Genians | |
    | Parent Name | | Optional value |
    | Logo | | Optional value |
    | Scan Range Modification | Only with Scanner Ownership | |
    | Scan Range Overlapping | Allowed | |
    | Results | Show in Summary | |
  2. Go to the Reporting tab and select the Contact ID (Genian-API) you created earlier.

  3. Click create.

Set Up Management Group Authority

  1. Go to the Permission tab in Organization Details.
  2. Move the following to the "Assigned" section on the right:
    • Owned By: Genian API
    • Association(s): Genian API
  3. Click Modify.

Assigning the Scanner

  1. Go to Admin > Deployment > LSS, select the scanner to be used, and check the ID of the vulnerability scanner. In our example, it is 6ECA855F. (Note that the scanner must be connected to the target network at this point.)
  2. Grant permission to use the scanner.
  3. Select Genian API – Genian-API from Available on the left and change it to Assigned.
  4. Go to Admin > Accounts > Contacts and select the newly created Contact ID.
  5. Go to Owned By in Contact Details and change Genian API-Genian-API to Assigned.
  6. After making the changes above, click Modify and proceed to the next step.

Set Genian ZTNA Target Server

  1. Go to DevOps > More > Server > Integration

  2. Click on the Genians logo to set up.

    | Item | Value | Info |
    | --- | --- | --- |
    | URL | https://[Policy-Server IP]:8443 | Enter policy Server IP with port 8443, or the URL of your Policy server |
    | API Key | c6233cfd-a1a8-4ce3-XXXX-61fa87951b38 | Enter the API Key generated for your Genian ZTNA superUser account |
    | Tag Name | beSECURE_Tag | Enter the name of the tag you wish to assign to vulnerable nodes |

Configuring Genian ZTNA

Configure Log Filter

To identify nodes that must be scanned and alert beSECURE, a log filter must be created. In this example we will create a filter to identify newly detected nodes that were recognized by a network sensor.

  1. Select the Log tab, and click the filter search bar.

  2. Enter "New Node detected. BY='SENSOR'" in the Description field.

  3. Click Save to the right of the search bar, and configure options on the next screen.

  4. Check off the Webhook option, and configure it as shown below:

    | Item | Value | Info |
    | --- | --- | --- |
    | Method | POST | |
    | URL | https://{beSECURE IP}/json.cgi | beSECURE IP |
    | CHARSET | UTF-8 | Optional value |
    | POST data | See example below | Set contents to be sent to beSECURE, refer to #comment lines for where to find value in beSECURE |
    | Content-Type | Application/x-www-form-urlencoded | |
    # POST data inputs
    # apikey is the api key for accessing beSECURE
    apikey=8DF7011F-F05C-3810-XXXX-A6C84B198A1A&
    primary=admin&
    secondary=networks&
    action=quickadd&
    network_range={_IP}&
    network_name=New node {_IP} {_DATETIME}&
    # Organization ID is "network parent".
    network_parent=E9FABA8E&
    # Scanner ID is "network scanner".
    network_scanner=6ECA855F&
    quickadd_webscan=no&
    # Contact ID is "contact".
    contact=00B26938&
    network_routine=immediately
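
A pre-flight check for the POST data above, as an added example (not code from Genians or beSECURE): it parses the template, expands the {_IP} and {_DATETIME} macros with constructed sample values, rejects anything that is not a single IP address, and produces the form-urlencoded body plus a copy with the API key masked for logs. The function names are hypothetical, and how Genian ZTNA itself expands and encodes the macros is not documented on this page.

```python
import ipaddress
from urllib.parse import urlencode

# POST data template as shown on this page (IDs and masked key are the page's examples).
TEMPLATE = """\
# apikey is the api key for accessing beSECURE
apikey=8DF7011F-F05C-3810-XXXX-A6C84B198A1A&
primary=admin&
secondary=networks&
action=quickadd&
network_range={_IP}&
network_name=New node {_IP} {_DATETIME}&
network_parent=E9FABA8E&
network_scanner=6ECA855F&
quickadd_webscan=no&
contact=00B26938&
network_routine=immediately
"""

REQUIRED = ("apikey", "primary", "secondary", "action", "network_range",
            "network_parent", "network_scanner", "contact", "network_routine")

def parse_template(text):
    """Return ordered (key, value) pairs, skipping '#' comment lines and trailing '&'."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip().rstrip("&")
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value line: {raw!r}")
        pairs.append((key, value))
    return pairs

def build_body(text, ip, when):
    """Substitute the {_IP}/{_DATETIME} macros and return a form-urlencoded body."""
    ip = str(ipaddress.ip_address(ip))  # reject anything that is not one address
    fields = [(k, v.replace("{_IP}", ip).replace("{_DATETIME}", when))
              for k, v in parse_template(text)]
    missing = [k for k in REQUIRED if not dict(fields).get(k)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return urlencode(fields)

def redact(body):
    """Mask the apikey value so the body can be written to logs or tickets."""
    return "&".join("apikey=REDACTED" if p.startswith("apikey=") else p
                    for p in body.split("&"))
```

Because the beSECURE API key travels in this body, the webhook URL should stay on HTTPS and only the redacted form should be copied into logs or tickets.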
    

Create Grouping and Enforcement Settings

Under Policy > Group:

  1. Click Tasks > Create to create a new Node Group.
  2. Under General enter an ID and Description and set the Status to Enabled.
  3. Under Condition, click Add to add the previously created “beSECURE” tag.
  4. Click Save.

Under Policy > Enforcement Policy:

  1. Click Tasks > Create to create a new Enforcement Policy.
  2. Follow the wizard and select the previously created “beSECURE-vulnerability-detected” Node Group.
  3. Select the desired Permissions, enable Captive Portal and enter a message to be displayed to the end user.
  4. Click Save.

With all configurations now in place, the Genians Network Sensor must be switched from Monitoring to Enforcement mode to facilitate the Layer 2 quarantine of non-compliant nodes on the network. Navigate to System > Sensor > Edit Sensor Settings and set the Sensor Operating Mode to Enforcement then click Update at the bottom of the page.

Testing and Validation

  1. Introduce a machine that contains a vulnerability known to beSECURE into a network segment. This machine should be detected as a new node by Genian ZTNA and trigger the log filter POST alert. (If the node is already known to Genian ZTNA, remove the node from the list using Tasks > Node and Device > Remove Node.)
  2. beSECURE will conduct a vulnerability assessment of the node.
  3. The test node should have the tag assigned once the alert is received from beSECURE.
  4. The node will then be Layer 2 quarantined in real-time by Genian ZTNA, and will be prevented from accessing any resources that are prohibited by the Enforcement Policy configured.