Integrating beSECURE
This guide provides information on integrating Genian ZTNA and beSECURE, a vulnerability management system.
Overview
beSECURE's vulnerability inspection function can be leveraged by Genian ZTNA to inspect new nodes accessing a managed network, and apply Genian ZTNA tags to vulnerable nodes so that they can be blocked and remediated.
Process
Genian ZTNA detects new node
Genian ZTNA identifies target for vulnerability assessment
Genian ZTNA sends request to beSECURE for vulnerability assessment
beSECURE performs vulnerability assessment
If a vulnerability is found, beSECURE sends an alert to Genian ZTNA
Genian ZTNA applies a tag to the vulnerable node
Genian ZTNA takes enforcement action against the node
Pre-Requisites
Generating Genian API Key for beSECURE
In the Genian ZTNA Web Console, navigate to Management > User and use the Tasks menu to create a new "superAdmin" account, or use an existing account.
In the General section of the User configuration, click the Generate API Key button, then click Update.
Prepare Networking
Verify that the Genian ZTNA Policy Server and the beSECURE server can communicate using HTTP TCP/80 and HTTPS TCP/443. Ensure that sessions can be initiated in both directions.
(The connection port information for Genian ZTNA is under System > Service Management > Connection Port in the UI.)
Prepare Genian ZTNA Tag
Create a tag to be assigned to vulnerable nodes under Preferences > Tag, or use an existing tag.
Configuring beSECURE
Create a Contact ID
Go to DevOps > Admin > Accounts > Contacts and click the + button to create. The Contact Name and Contact Email have no functional impact on the integration.

| Item | Value | Info |
|---|---|---|
| Contact Name | Genian-API | Required input |
| Contact Email | | Email to receive report |
| Contact Phone | 010-1001-1001 | Phone number for Contact ID |

Click Create.
Create an Account ID
Go to Admin > Accounts > List and click the + button to create.

| Item | Value | Info |
|---|---|---|
| User Name | Genian-API | |
| Password Status | Never Expires | |
| Password | | |
| 2FA | Disable 2FA | |
| Security Profile | Default | |
| Account Profile | Scanning User | |
| Language | English | Select desired language |
| Timezone | America/New York | Select desired timezone |
| Contact | Genian API | Select the Contact ID created in the previous step |

Click Create, and the Account Details screen needed for the next step should appear.
Create an API Key
This API key will be used by Genian ZTNA to request a vulnerability scan.
Click the API Key tab and go to API Generator.
Check that the API Key has been generated properly. (If no API Key exists, click the blank field to generate one automatically.)
Create an Organization
This will create a management group for the vulnerability info requested by Genian ZTNA.
Go to Admin > Organizations > List and click the + button to create.

| Item | Value | Info |
|---|---|---|
| Organization Name | Genians | |
| Parent Name | | Optional value |
| Logo | | Optional value |
| Scan Range Modification | Only with Scanner Ownership | |
| Scan Range Overlapping | Allowed | |
| Results | Show in Summary | |

Go to the Reporting tab and select the Contact ID (Genian-API) you created earlier.
Click Create.
Assigning the Scanner
Go to Admin > Deployment > LSS, select the scanner to be used, and note the ID of the vulnerability scanner. In our example, it is 6ECA855F. (Note that the scanner must be connected to the target network.)
Grant permission to use the scanner.
Select Genian API – Genian-API from Available on the left and change it to Assigned.
Go to Admin > Accounts > Contacts and select the newly created Contact ID.
Go to Owned By in Contact Details and change Genian API-Genian-API to Assigned.
After making the changes above, click Modify and proceed to the next step.
Set Genian ZTNA Target Server
Go to DevOps > More > Server > Integration.
Click the Genians logo to set it up.

| Item | Value | Info |
|---|---|---|
| URL | https://[Policy-Server IP]:8443 | Enter the Policy Server IP with port 8443, or the URL of your Policy Server |
| API Key | c6233cfd-a1a8-4ce3-XXXX-61fa87951b38 | Enter the API Key generated for your Genian ZTNA superAdmin account |
| Tag Name | beSECURE_Tag | Enter the name of the tag you wish to assign to vulnerable nodes |
Configuring Genian ZTNA
Configure Log Filter
To identify nodes that must be scanned and to alert beSECURE, a log filter must be created. In this example we create a filter that matches newly detected nodes recognized by a network sensor.
Select the Log tab, and click the filter search bar.
Enter "New Node detected. BY='SENSOR'" in the Description field.
Click Save to the right of the search bar, and configure options on the next screen.
Check the Webhook option and configure it as shown below:

| Item | Value | Info |
|---|---|---|
| Method | POST | |
| URL | https://{beSECURE IP}/json.cgi | beSECURE IP |
| CHARSET | UTF-8 | Optional value |
| POST data | See example below | Set the contents to be sent to beSECURE; refer to the # comment lines for where to find each value in beSECURE |
| Content-Type | application/x-www-form-urlencoded | |

POST data (the # lines are annotations showing where each value comes from in beSECURE; the actual body is the parameter lines):

```
# POST data inputs
# apikey is the api key for accessing beSECURE
apikey=8DF7011F-F05C-3810-XXXX-A6C84B198A1A&
primary=admin&
secondary=networks&
action=quickadd&
network_range={_IP}&
network_name=New node {_IP} {_DATETIME}&
# Organization ID is "network parent".
network_parent=E9FABA8E&
# Scanner ID is "network scanner".
network_scanner=6ECA855F&
quickadd_webscan=no&
# Contact ID is "contact".
contact=00B26938&
network_routine=immediately
```
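The following is an added example (not code from Genians or beSECURE) showing what the webhook body above looks like once Genian ZTNA substitutes the {_IP} and {_DATETIME} macros, with the annotation lines stripped and the values form-urlencoded, plus a pre-send check that the request targets exactly one host. All API keys and IDs are placeholders, and the log event is constructed.

```python
import ipaddress
from urllib.parse import parse_qs, urlencode

# Constructed template mirroring the page's POST data. '#' lines are reader
# annotations that must not reach beSECURE; {_IP}/{_DATETIME} are Genian ZTNA
# log macros filled in when the webhook fires. All IDs are placeholders.
POST_TEMPLATE = """\
# apikey is the api key for accessing beSECURE
apikey=BESECURE-API-KEY-PLACEHOLDER&
primary=admin&
secondary=networks&
action=quickadd&
network_range={_IP}&
network_name=New node {_IP} {_DATETIME}&
# Organization ID is "network parent".
network_parent=ORG-ID-PLACEHOLDER&
# Scanner ID is "network scanner".
network_scanner=SCANNER-ID-PLACEHOLDER&
quickadd_webscan=no&
# Contact ID is "contact".
contact=CONTACT-ID-PLACEHOLDER&
network_routine=immediately
"""
REQUIRED = ("apikey", "primary", "secondary", "action", "network_range",
            "network_parent", "network_scanner", "contact", "network_routine")

def render_post_body(template, event):
    """Drop comment lines, substitute the macros, and form-urlencode the pairs."""
    pairs = []
    for line in template.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.rstrip("&").partition("=")
        value = value.replace("{_IP}", event["_IP"])
        value = value.replace("{_DATETIME}", event["_DATETIME"])
        pairs.append((key, value))
    return urlencode(pairs)  # encodes the spaces in network_name as '+'

def validate_post_body(body):
    """Pre-send check: required fields present once, network_range is one host,
    so a malformed event cannot enqueue a scan of an arbitrary range."""
    fields = parse_qs(body, strict_parsing=True)
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if len(fields["network_range"]) != 1:
        raise ValueError("network_range must appear exactly once")
    ipaddress.ip_address(fields["network_range"][0])  # rejects CIDRs and junk
    return {k: v[0] for k, v in fields.items()}
```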
Create Grouping and Enforcement Settings
Under Policy > Group:
Click Tasks > Create to create a new Node Group.
Under General enter an ID and Description and set the Status to Enabled.
Under Condition, click Add to add the previously created “beSECURE” tag.
Click Save.
Under Policy > Enforcement Policy:
Click Tasks > Create to create a new Enforcement Policy.
Follow the wizard and select the previously created “beSECURE-vulnerability-detected” Node Group.
Select the desired Permissions, enable Captive Portal and enter a message to be displayed to the end user.
Click Save.
With all configurations now in place, the Genians Network Sensor must be switched from Monitoring to Enforcement mode to facilitate the Layer 2 quarantine of non-compliant nodes on the network. Navigate to System > Sensor > Edit Sensor Settings and set the Sensor Operating Mode to Enforcement then click Update at the bottom of the page.
Testing and Validation
Introduce a machine that contains a vulnerability known to beSECURE into a network segment. This machine should be detected as a new node by Genian ZTNA and trigger the log filter's POST alert. (If the node is already known to Genian ZTNA, remove it from the list using Tasks > Node and Device > Remove Node.)
beSECURE will conduct a vulnerability assessment of the node.
The test node should have the tag assigned once the alert is received from beSECURE.
The node will then be Layer 2 quarantined in real-time by Genian ZTNA, and will be prevented from accessing any resources that are prohibited by the Enforcement Policy configured.