Integrating beSECURE
This guide provides information on integrating Genian ZTNA and beSECURE, a vulnerability management system.
Overview
beSECURE's vulnerability inspection function can be leveraged by Genian ZTNA to inspect new nodes accessing a managed network, and apply Genian ZTNA tags to vulnerable nodes so that they can be blocked and remediated.
Process
- Genian ZTNA detects a new node
- Genian ZTNA identifies the target for vulnerability assessment
- Genian ZTNA sends a request to beSECURE for vulnerability assessment
- beSECURE performs vulnerability assessment
- If a vulnerability is found, beSECURE sends an alert to Genian ZTNA
- Genian ZTNA applies a tag to the vulnerable node
- Genian ZTNA takes enforcement action against the node
Pre-Requisites
Generating Genian API Key for beSECURE
- In the Genian ZTNA Web Console, navigate to Management > User and use the Tasks menu to create a new "superAdmin" account, or use an existing account.
- In the General section of the User configuration, click the Generate API Key button, then click Update.
Prepare Networking
Verify that the Genian ZTNA Policy Server and the beSECURE server can communicate using HTTP TCP/80 and HTTPS TCP/443. Ensure that sessions can be initiated in both directions.
(The connection port information of Genian ZTNA is under System > Service Management > Connection Port in the UI.)
Prepare Genian ZTNA Tag
Create a tag to be assigned to vulnerable nodes under Preferences > Tag, or use an existing tag.
Configuring beSECURE
Create a Contact ID
Go to DevOps > Admin > Accounts > Contacts and click the + button to create. The Contact Name and Contact Email have no functional impact on the integration function.
| Item | Value | Info |
|---|---|---|
| Contact Name | Genian-API | Required input |
| Contact Email | contact@genians.com | Email to receive report |
| Contact Phone | 010-1001-1001 | Phone number for Contact ID |

Click create.
Create an Account ID
Go to Admin> Accounts> List and click the + button to create.
| Item | Value | Info |
|---|---|---|
| User Name | Genian-API | |
| Password Status | Never Expires Password | |
| 2FA | Disable 2FA | |
| Security Profile | Default | |
| Account Profile | Scanning User | |
| Language | English | Select Desired Language |
| Timezone | America/New York | Select desired Timezone |
| Contact | Genian API | Select Contact ID created in previous step |

Click create, and the Account Details screen necessary for the next step should appear.
Create an API Key
This API key will be used by Genian ZTNA to request a vulnerability scan.
- Click the API Key tab and go to API Generator.
- Check that the API Key has been generated. (If the API Key does not exist, click the blank field to generate it automatically.)
Create an Organization
This will create a management group for the vulnerability info requested by Genian ZTNA.
Go to Admin> Organizations > List and click the + button to create.
| Item | Value | Info |
|---|---|---|
| Organization Name | Genians | |
| Parent Name | | Optional value |
| Logo | | Optional value |
| Scan Range Modification | Only with Scanner Ownership | |
| Scan Range Overlapping | Allowed | |
| Results | Show in Summary | |

Go to the Reporting tab and select the Contact ID (Genian-API) you created earlier.
Click create.
Set Up Management Group Authority
- Go to the Permission tab in Organization Details.
- Move the following to the right side "Assigned" section
- Owned By: Genian API
- Association(s): Genian API
- Click Modify
Assigning the Scanner
- Go to Admin> Deployment> LSS, select the scanner to be used, and check the ID of the vulnerability scanner. In our example, it is 6ECA855F. (At this time, note that the scanner must be connected to the target network.)
- Grant permission to use the scanner.
- Select Genian API – Genian-API from Available on the left and change it to Assigned.
- Go to Admin > Accounts > Contacts and select the newly created Contact ID.
- Go to Owned By in Contact Details and change Genian API-Genian-API to Assigned.
- After entering the settings above, click Modify and proceed to the next step.
Set Genian ZTNA Target Server
Go to DevOps> More> Server> Integration
Click on the Genians logo to set up.
| Item | Value | Info |
|---|---|---|
| URL | https://[Policy-Server IP]:8443 | Enter policy Server IP with port 8443, or the URL of your Policy server |
| API Key | c6233cfd-a1a8-4ce3-XXXX-61fa87951b38 | Enter the API Key generated for your Genian ZTNA superUser account |
| Tag Name | beSECURE_Tag | Enter the name of the tag you wish to assign to vulnerable nodes |
Configuring Genian ZTNA
Configure Log Filter
To identify nodes that must be scanned and alert beSECURE, a log filter must be created. In this example we will create a filter to identify newly detected nodes that were recognized by a network sensor.
Select the Log tab, and click the filter search bar.
Enter "New Node detected. BY='SENSOR'" in the Description field.
Click Save to the right of the search bar, and configure options on the next screen.
Check off the Webhook option, and configure it as shown below:
| Item | Value | Info |
|---|---|---|
| Method | POST | |
| URL | https://{beSECURE IP}/json.cgi | beSECURE IP |
| CHARSET | UTF-8 | Optional value |
| POST data | See example below | Set contents to be sent to beSECURE, refer to #comment lines for where to find value in beSECURE |
| Content-Type | Application/x-www-form-urlencoded | |

```
# POST data inputs
# apikey is the api key for accessing beSECURE
apikey=8DF7011F-F05C-3810-XXXX-A6C84B198A1A&
primary=admin&
secondary=networks&
action=quickadd&
network_range={_IP}&
network_name=New node {_IP} {_DATETIME}&
# Organization ID is "network parent".
network_parent=E9FABA8E&
# Scanner ID is "network scanner".
network_scanner=6ECA855F&
quickadd_webscan=no&
# Contact ID is "contact".
contact=00B26938&
network_routine=immediately
```
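To check the webhook body before wiring it to the log filter, the following added example (not part of the original guide or of either product) builds the same form-encoded request for a single node, rejects anything that is not one IP address, and masks the API key for logging. The host, key and IDs are placeholders, the function names are hypothetical, and the timestamp format used in place of {_DATETIME} is an assumption.

```python
import ipaddress
from datetime import datetime
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request

# Field names and fixed values come from the POST data on this page.
# Host, key and IDs are placeholders; the {_DATETIME} format is assumed.
BESECURE_URL = "https://besecure.example/json.cgi"
APIKEY = "APIKEY-PLACEHOLDER"
ORG_ID = "ORG-ID-PLACEHOLDER"          # network_parent
SCANNER_ID = "SCANNER-ID-PLACEHOLDER"  # network_scanner
CONTACT_ID = "CONTACT-ID-PLACEHOLDER"  # contact

def build_body(node_ip: str, when: datetime) -> str:
    """Return the form-encoded body the webhook sends for one node."""
    # Accept a single IP address only, so a malformed value cannot
    # widen network_range into a subnet scan. Raises ValueError otherwise.
    ip = ipaddress.ip_address(node_ip)
    fields = [
        ("apikey", APIKEY),
        ("primary", "admin"),
        ("secondary", "networks"),
        ("action", "quickadd"),
        ("network_range", str(ip)),
        ("network_name", f"New node {ip} {when:%Y-%m-%d %H:%M:%S}"),
        ("network_parent", ORG_ID),
        ("network_scanner", SCANNER_ID),
        ("quickadd_webscan", "no"),
        ("contact", CONTACT_ID),
        ("network_routine", "immediately"),
    ]
    return urlencode(fields)  # spaces and ':' in network_name get escaped

def build_request(node_ip: str, when: datetime) -> Request:
    """Build, but do not send, the POST request for a manual test."""
    body = build_body(node_ip, when).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return Request(BESECURE_URL, data=body, method="POST", headers=headers)

def redact(body: str) -> str:
    """Mask the API key so the body can be pasted into logs or tickets."""
    pairs = [(k, "REDACTED" if k == "apikey" else v) for k, v in parse_qsl(body)]
    return urlencode(pairs)

if __name__ == "__main__":
    # Constructed sample node address (documentation range) and time.
    print(redact(build_body("192.0.2.10", datetime(2024, 1, 1, 12, 0, 0))))
```
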
Create Grouping and Enforcement Settings
Under Policy > Group:
- Click Tasks > Create to create a new Node Group.
- Under General enter an ID and Description and set the Status to Enabled.
- Under Condition, click Add to add the previously created “beSECURE” tag.
- Click Save.
Under Policy > Enforcement Policy:
- Click Tasks > Create to create a new Enforcement Policy.
- Follow the wizard and select the previously created “beSECURE-vulnerability-detected” Node Group.
- Select the desired Permissions, enable Captive Portal and enter a message to be displayed to the end user.
- Click Save.
With all configurations now in place, the Genians Network Sensor must be switched from Monitoring to Enforcement mode to facilitate the Layer 2 quarantine of non-compliant nodes on the network. Navigate to System > Sensor > Edit Sensor Settings and set the Sensor Operating Mode to Enforcement then click Update at the bottom of the page.
Testing and Validation
- Introduce a machine that contains a vulnerability known to beSECURE into a network segment. This machine should be detected as a new node by Genian ZTNA, and trigger the log filter POST alert. (If the node is already known to Genian ZTNA, remove the node from the list using Tasks > Node and Device > Remove Node.)
- beSECURE will conduct a vulnerability assessment of the node.
- The test node should have the tag assigned once the alert is received from beSECURE.
- The node will then be Layer 2 quarantined in real-time by Genian ZTNA, and will be prevented from accessing any resources that are prohibited by the Enforcement Policy configured.