NVT Sync a security risk?

Hi everyone,

So here is another thread to address another issue of mine. But before that, a big thanks to those who have been responding to my threads.

Okay, so right now this is more of a network security infrastructure question.

Imagine we want to have a Master - Slave distribution in a network. But due to the nature of Scanners (you have to constantly check and get nvt updates), such nodes will have to send out RSYNC requests to the internet on port 873.

But to keep the infra secure, you would do network segregation, having 2 firewall layers, DMZ zones. And you want to conduct VA scanning through SLAVEs located internally, trusted zones, within L2 (OSI layer).

Hence, allowing slaves to reach out to the INTERNET would be a security risk.

In this scenario, how can network architects design their network with OpenVAS Slave scanners to do VA, and get its NVT updates without bringing back possible cyber intrusions?

======Let’s get specific=============================
Okay so you have the setup below.

        Internet
           |          Proxy (to go internet)
        Firewall        |
           |-----------DMZ (Master sits here?)
        Firewall
           |
          LAN (Slaves here, to scan hosts directly on L2)

You might be thinking, okay, why is the master sitting in the DMZ? I was thinking maybe we can have the master distribute the nvt updates to the slaves, so that the slaves do not open traffic directly to the internet - the master would do that instead.

At least, only the master is “exposed”.

So really the question is: How do you do NVT syncs without jeopardizing yourself with port 873?

================================================

Thanks for reading, and please let me know your advice. If you can be detailed about it, please go ahead, that would be immensely helpful.

Cheers!

1 Like

That is one problem, that the commercial Greenbone Appliance already solved for you.

If you build your GVM tool chain on your own, you have to solve it as well on the OS level.
The community feed is ONLY available via RSYNC, that's it, and proxies are not supported by the GCE.

Hi Lukas,

Thanks for your response!

How does (technically) the commercial version solve it?

Also, may I ask if there is an offline way to update NVT?

Cheers!

I have solved almost the same kind of setup by setting up a local rsync service in the Master. So the Master gets updates from the community feed, stores them in “mirror” directories and rsyncd distributes them to slaves when requested. This way only the Master requires 873 access to the Internet and slaves can use whatever port you want to access the Master. I use the default rsync port.
Naturally, all this requires modifications to the sync scripts. First, you need to create a new script which updates the “mirror” feed. You can get these commands from the greenbone-sync scripts, just get the rsync commands with all arguments and modify the target directory according to your setup.
Next, you need to create “local” versions of the greenbone-sync scripts which you use in the slaves. The only thing you need to modify is the target rsync server from greenbone to your local master (where your rsyncd is running). That's it.
EDIT: Just to clarify, the local mirror doesn’t have to be in the Master, it could be separate, e.g. a VM which just gets updates and serves them further with rsync.

2 Likes

Hi Aylatalo,

Thanks for your explanation and renewed hope on this!

When you say creating a new script for the “mirror” feed, can you help explain further? I’m not quite getting this part. How would I create a script that would store the feeds, and how can the scanners know “where” to look on the master? I have knowledge of networking only…

And to summarize:

  1. Get a machine in the DMZ (so that it makes sense to be exposed to the Internet) to be the repository of feeds

  2. Get all slave scanners to get feeds from this DMZ machine by changing the “destination” of the sync scripts.

Is that it?

Can we take it further, my email is jjacec@gmail.com. I’m really interested in what you have to enlighten! :smiley:

Thanks a lot!! :smiley:

Please find here the mirroring script and a sample configuration file for rsyncd.
On the mirror machine do the following steps:

  1. Create local mirror directories for each feed.
  2. Edit the mirroring script accordingly.
  3. Test the mirroring script -> local mirror directories should now be in sync with the community feeds.
  4. Install rsyncd & configure rsyncd to distribute your mirror directories.

On the OpenVAS slave do the following steps:

  1. Create /etc/openvas/greenbone-nvt-sync.conf with the following content (the file is sourced by the sync script, so no spaces around the =):
    COMMUNITY_NVT_RSYNC_FEED=rsync://your-mirror-machine:/nvt-feed

  2. Create /etc/openvas/greenbone-certdata-sync.conf with the following content:
    COMMUNITY_CERT_RSYNC_FEED=rsync://your-mirror-machine:/cert-data

  3. Create /etc/openvas/greenbone-scapdata-sync.conf with the following content:
    COMMUNITY_SCAP_RSYNC_FEED=rsync://your-mirror-machine:/scap-data

The slave should now sync with your local mirror. My installation is CentOS7 with the Atomicorp repo. The location of these configuration files may be different depending on your Linux and/or OpenVAS distribution.

EDIT: typo

2 Likes

Hi Aylatalo,

Thanks for the detailed explanation!

However, can you elaborate on creating the mirror directories and script? I know very little about this.

I understand this question is moving away from the OpenVAS, but I would really like some guidance and direction on this issue of creating a local mirror.

Cheers!

If you want to use the script as is, just create the mirror directories with these commands:

mkdir -p /var/lib/openvas/feed-mirror/nvt-feed
mkdir -p /var/lib/openvas/feed-mirror/scap-data
mkdir -p /var/lib/openvas/feed-mirror/cert-data

Once you have the script in your system (either upload the file or just paste text to editor), make sure that the script has execute permissions:

chmod +x greenbone-feed-sync-local.sh

Also, I found a potential problem with the greenbone-certdata-sync script. If the script still uses the community feed server even though you have set /etc/openvas/greenbone-certdata-sync.conf properly, you need to edit the script with a text editor of your choice. You need to change this line:

[ -r \"/etc/openvas/greenbone-certdata-sync.conf\" ] && . \"/etc/openvas/greenbone-certdata-sync.conf\"

to this:

[ -r /etc/openvas/greenbone-certdata-sync.conf ] && . /etc/openvas/greenbone-certdata-sync.conf

As you notice, using the source edition requires at least some knowledge and basic skills with Linux.

3 Likes
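The mirroring script and rsyncd configuration described in the two posts above, as an added example written for this thread (it is not the attachment the poster shared). It assumes the community feed host is feed.openvas.org, uses the /var/lib/openvas/feed-mirror directories from the post, and assumes the slaves sit in 10.0.0.0/24; the rsyncd module names match the /nvt-feed, /scap-data and /cert-data paths the slave config files point at.

```shell
#!/bin/sh
# Constructed example: local feed mirror for the DMZ machine.
# Not the forum attachment; upstream host and slave subnet are assumptions.
set -u

MIRROR_ROOT="${MIRROR_ROOT:-/var/lib/openvas/feed-mirror}"   # directories from the post
UPSTREAM="${UPSTREAM:-rsync://feed.openvas.org}"             # assumed community feed host
FEEDS="nvt-feed scap-data cert-data"                         # module names the slaves use
SLAVE_NET="${SLAVE_NET:-10.0.0.0/24}"                        # assumed LAN range of the slaves

# Upstream URL for one feed module; host:/module matches the greenbone-*-sync form.
feed_url() {
    printf '%s:/%s\n' "$UPSTREAM" "$1"
}

# Same mkdir -p steps as the post, one directory per feed.
ensure_mirror_dirs() {
    for f in $FEEDS; do mkdir -p "$MIRROR_ROOT/$f" || return 1; done
}

# Pull one feed; --delete keeps the mirror identical to upstream, --timeout avoids hung jobs.
mirror_feed() {
    rsync -ltvrP --delete --timeout=600 "$(feed_url "$1")/" "$MIRROR_ROOT/$1/"
}

mirror_all() {
    ensure_mirror_dirs || return 1
    for f in $FEEDS; do mirror_feed "$f" || return 1; done
}

# rsyncd.conf exposing the mirror read-only, unlisted, and only to the slave network,
# so the only thing the internal scanners can do against the DMZ host is read feed files.
write_rsyncd_conf() {
    out="$1"
    {
        printf 'use chroot = yes\nread only = yes\nlist = no\nuid = nobody\n'
        for f in $FEEDS; do
            printf '\n[%s]\n  path = %s/%s\n  hosts allow = %s\n' "$f" "$MIRROR_ROOT" "$f" "$SLAVE_NET"
        done
    } > "$out"
}

# Only sync when invoked with "run", so sourcing this file has no side effects.
if [ "${1:-}" = "run" ]; then
    mirror_all
fi
```

Run it as `./greenbone-feed-sync-local.sh run` from cron on the mirror machine and point rsyncd at the file written by `write_rsyncd_conf /etc/rsyncd.conf`.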

Hi Aylatalo,

Thanks for the detailed information as always :slight_smile:

I’ll try that and see how it goes!

I’m also considering using rsync; at least for now I managed to do an rsync from the master to the slaves.

Cheers!