Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Asset Profiles

 

Asset profiles provide information about each known asset in your network, including what services are running on each asset.

Asset profile information is used for correlation purposes to help reduce false positives. For example, if a source attempts to exploit a specific service running on an asset, then JSA determines if the asset is vulnerable to this attack by correlating the attack to the asset profile.

Asset profiles are automatically discovered if you have flow data or vulnerability assessment (VA) scans configured. For flow data to populate asset profiles, bidirectional flows are required. Asset profiles can also be automatically created from identity events. For more information about VA, see the Juniper Secure Analytics Managing Vulnerability Assessment Guide.

For more information about flow sources, see the Juniper Secure Analytics Administration Guide.

Vulnerabilities

You can use JSA Vulnerability Manager and third-party scanners to identify vulnerabilities.

Third-party scanners identify and report discovered vulnerabilities using external references, such as the Open Source Vulnerability Database (OSVDB), National Vulnerability Database (NVDB), and Critical Watch. Examples of third-party scanners include QualysGuard and nCircle ip360. The OSVDB assigns a unique reference identifier (OSVDB ID) to each vulnerability. External references assign a unique reference identifier to each vulnerability. Examples of external data reference IDs include Common Vulnerability and Exposures (CVE) ID or Bugtraq ID. For more information on scanners and vulnerability assessment, see the Juniper Secure Analytics Vulnerability Manager User Guide.

JSA Vulnerability Manager is a component that you can purchase separately and enable using a license key. JSA Vulnerability Manager is a network scanning platform that provides awareness of the vulnerabilities that exist within the applications, systems, or devices on your network. After scans identify vulnerabilities, you can search and review vulnerability data, remediate vulnerabilities, and rerun scans to evaluate the new level of risk.

When JSA Vulnerability Manager is enabled, you can perform vulnerability assessment tasks on the Vulnerabilities tab. From the Assets tab, you can run scans on selected assets.

For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.

Assets Tab Overview

The Assets tab provides you with a workspace from which you can manage your network assets and investigate an asset's vulnerabilities, ports, applications, history, and other associations.

Using the Assets tab, you can:

  • View all the discovered assets.

  • Manually add asset profiles.

  • Search for specific assets.

  • View information about discovered assets.

  • Edit asset profiles for manually added or discovered assets.

  • Tune false positive vulnerabilities.

  • Import assets.

  • Print or export asset profiles.

  • Discover assets.

  • Configure and manage third-party vulnerability scanning.

  • Start JSA Vulnerability Manager scans.

For information about the Server Discovery option in the navigation pane, see the Juniper Secure Analytics Administration Guide.

For more information about the VA Scan option in the navigation pane, see the Juniper Secure Analytics Risk Manager User Guide.

Viewing an Asset Profile

From the asset list on the Assets tab, you can select and view an asset profile. An asset profile provides information about each profile.

Asset profile information is automatically discovered through Server Discovery or manually configured. You can edit automatically generated asset profile information.

The Asset Profile page provides the information about the asset that is organized into several panes. To view a pane, you can click the arrow (>) on the pane to view more detail or select the pane from the Display list box on the toolbar.

The Asset Profile page toolbar provides the following functions:

Table 1: Asset Profile Page Toolbar Functions

Options

Description

Return to Asset List

Click this option to return to the asset list.

Display

From the list box, you can select the pane that you want to view on the Asset Profile pane. The Asset Summary and Network Interface Summary panes are always displayed.

Edit Asset

Click this option to edit the Asset Profile. See Adding or editing an asset profileAsset profiles are automatically discovered and added; however, you might be required to manually add a profile.

View by Network

If this asset is associated with an offense, this option will allow you to view the list of networks that are associated with this asset. When you click View By Network, the List of Networks window is displayed.

View Source Summary

If this asset is the source of an offense, this option will allow you to view source summary information. When you click View Source Summary, the List of Offenses window is displayed.

View Destination Summary

If this asset is the destination of an offense, this option will allow you to view destination summary information.

When you click View Destination Summary, the List of Destinations window is displayed.

History

Click History to view event history information for this asset. When you click the History icon, the Event Search window is displayed, pre-populated with event search criteria:

You can customize the search parameters, if required. Click Search to view the event history information.

Applications

Click Applications to view application information for this asset. When you click the Applications icon, the Flow Search window is displayed, pre-populated with event search criteria.

You can customize the search parameters, if required. Click Search to view the application information.

Search Connections

Click Search Connections to search for connections. The Connection Search window is displayed.

This option is only displayed when JSA Risk Manager is been purchased and licensed. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

View Topology

Click View Topology to further investigate the asset. The Current Topology window is displayed.

This option is only displayed when JSA Risk Manager is been purchased and licensed. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

Actions

From the Actions list, select Vulnerability History.

This option is only displayed when JSA Risk Manager is been purchased and licensed. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles
  3. Double-click the asset that you want to view.
  4. Use the options on the toolbar to display the various panes of asset profile information. See Editing an asset profileAsset profiles are automatically discovered and added; however, you might be required to manually add a profile.
  5. To research the associated vulnerabilities, click each vulnerability in the Vulnerabilities pane. See Table 10-10
  6. If required, edit the asset profile. See Editing an asset profileAsset profiles are automatically discovered and added; however, you might be required to manually add a profile.
  7. Click Return to Assets List to select and view another asset, if required.

Adding or Editing an Asset Profile

Asset profiles are automatically discovered and added; however, you might be required to manually add a profile.

When assets are discovered using the Server Discovery option, some asset profile details are automatically populated. You can manually add information to the asset profile and you can edit certain parameters.

You can only edit the parameters that were manually entered. Parameters that were system generated are displayed in italics and are not editable. You can delete system generated parameters, if required.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. Choose one of the following options:
    • To add an asset, click Add Asset and type the IP address or CIDR range of the asset in the New IP Address field.

    • To edit an asset, double-click the asset that you want to view and click Edit Asset .

  4. Configure the parameters in the MAC & IP Address pane. Configure one or more of the following options:
    • Click the New MAC Address icon and type a MAC Address in the dialog box.

    • Click the New IP Address icon and type an IP address in the dialog box.

    • If Unknown NIC is listed, you can select this item, click the Edit icon, and type a new MAC address in the dialog box.

    • Select a MAC or IP address from the list, click the Edit icon, and type a new MAC address in the dialog box.

    • Select a MAC or IP address from the list and click the Remove icon.

  5. Configure the parameters in the Names & Description pane. Configure one or more of the following options:

    Parameter

    Description

    DNS

    Choose one of the following options:

    • Type a DNS name and click Add.

    • Select a DNS name from the list and click Edit.

    • Select a DNS name from the list and click Remove.

    NetBIOS

    Choose one of the following options:

    • Type a NetBIOS name and click Add.

    • Select a NetBIOS name from the list and click Edit.

    • Select a NetBIOS name from the list and click Remove.

    Given Name

    Type a name for this asset profile.

    Location

    Type a location for this asset profile.

    Description

    Type a description for the asset profile.

    Wireless AP

    Type the wireless Access Point (AP) for this asset profile.

    Wireless SSID

    Type the wireless Service Set Identifier (SSID) for this asset profile.

    Switch ID

    Type the switch ID for this asset profile.

    Switch Port ID

    Type the switch port ID for this asset profile.

  6. Configure the parameters in the Operating System pane:
    1. From the Vendor list box, select an operating system vendor.

    2. From the Product list box, select the operating system for the asset profile.

    3. From the Version list box, select the version for the selected operating system.

    4. Click the Add icon.

    5. From the Override list box, select one of the following options:

      • Until Next Scan Select this option to specify that the scanner provides operating system information and the information can be temporarily edited. If you edit the operating system parameters, the scanner restores the information at its next scan.

      • Forever Select this option to specify that you want to manually enter operating system information and disable the scanner from updating the information.

    6. Select an operating system from the list.

    7. Select an operating system and click the Toggle Override icon.

  7. Configure the parameters in the CVSS & Weight pane. Configure one or more of the following options:

    Parameter

    Description

    Collateral Damage Potential

    Configure this parameter to indicate the potential for loss of life or physical assets through damage or theft of this asset. You can also use this parameter to indicate potential for economic loss of productivity or revenue. Increased collateral damage potential increases the calculated value in the CVSS Score parameter.

    From the Collateral Damage Potential list box, select one of the following options:

    • None

    • Low

    • Low-medium

    • Medium-high

    • High

    • Not defined

    When you configure the Collateral Damage Potential parameter, the Weight parameter is automatically updated.

    Confidentiality Requirement

    Configure this parameter to indicate the impact on confidentiality of a successfully exploited vulnerability on this asset. Increased confidentiality impact increases the calculated value in the CVSS Score parameter.

    From the Confidentiality Requirement list box, select one of the following options:

    • Low

    • Medium

    • High

    • Not defined

    Availability Requirement

    Configure this parameter to indicate the impact to the asset's availability when a vulnerability is successfully exploited. Attacks that consume network bandwidth, processor cycles, or disk space impact the availability of an asset. Increased availability impact increases the calculated value in the CVSS Score parameter.

    From the Availability Requirement list box, select one of the following options:

    • Low

    • Medium

    • High

    • Not defined

    Integrity Requirement

    Configure this parameter to indicate the impact to the asset's integrity when a vulnerability is successfully exploited. Integrity refers to the trustworthiness and guaranteed veracity of information. Increased integrity impact increases the calculated value in the CVSS Score parameter.

    From the Integrity Requirement list box, select one of the following options:

    • Low

    • Medium

    • High

    • Not defined

    Weight

    From the Weight list box, select a weight for this asset profile. The range is 0 - 10.

    When you configure the Weight parameter, the Collateral Damage Potential parameter is automatically updated.

  8. Configure the parameters in the Owner pane. Choose one or more of the following options:

    Parameter

    Description

    Business Owner

    Type the name of the business owner of the asset. An example of a business owner is a department manager. The maximum length is 255 characters.

    Business Owner Contact

    Type the contact information for the business owner. The maximum length is 255 characters.

    Technical Owner

    Type the technical owner of the asset. An example of a business owner is the IT manager or director. The maximum length is 255 characters.

    Technical Owner Contact

    Type the contact information for the technical owner. The maximum length is 255 characters.

    Technical User

    From the list box, select the username that you want to associate with this asset profile.

    You can also use this parameter to enable automatic vulnerability remediation for Juniper Secure Analytics Vulnerability Manager. For more information about automatic remediation, see the Juniper Secure Analytics Vulnerability Manager User Guide.

  9. Click Save.

Searching Asset Profiles

You can configure search parameters to display only the asset profiles you want to investigate from the Asset page on the Assets tab.

When you access the Assets tab, the Asset page is displayed populated with all discovered assets in your network. To refine this list, you can configure search parameters to display only the asset profiles you want to investigate.

From the Asset Search page, you can manage Asset Search Groups. For more information about Asset Search Groups. See Asset search groupsUsing the Asset Search Groups window, you can create and manage asset search groups..

The search feature will allow you to search host profiles, assets, and identity information. Identity information provides more detail about log sources on your network, including DNS information, user logins, and MAC addresses.

Using the asset search feature, you can search for assets by external data references to determine whether known vulnerabilities exist in your deployment.

For example:

You receive a notification that CVE ID: CVE-2010-000 is being actively used in the field. To verify whether any hosts in your deployment are vulnerable to this exploit, you can select Vulnerability External Reference from the list of search parameters, select CVE, and then type the following:

2010-000

To view a list of all hosts that are vulnerable to that specific CVE ID.

Note

For more information about OSVDB, see http://osvdb.org/ . For more information about NVDB, see http://nvd.nist.gov/ .

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. On the toolbar, click Search >New Search.
  4. Choose one of the following options:
    • To load a previously saved search, go to Step 5.

    • To create a new search, go to Step 6.

  5. Select a previously saved search:
    1. Choose one of the following options:

      • Optional. From the Group list box, select the asset search group that you want to display in the Available Saved Searches list.

      • From the Available Saved Searches list, select the saved search that you want to load.

      • In the Type Saved Search or Select from List field, type the name of the search you want to load.

    2. Click Load .

  6. In the Search Parameters pane, define your search criteria:
    1. From the first list box, select the asset parameter that you want to search for. For example, Hostname, Vulnerability Risk Classification, or Technical Owner.

    2. From the second list box, select the modifier that you want to use for the search.

    3. In the entry field, type specific information that is related to your search parameter.

    4. Click Add Filter.

    5. Repeat these steps for each filter that you want to add to the search criteria.

  7. Click Search.

You can save your asset search criteria. See Saving asset search criteriaOn the Asset tab, you can save configured search criteria so that you can reuse the criteria. Saved search criteria does not expire..

Saving Asset Search Criteria

On the Asset tab, you can save configured search criteria so that you can reuse the criteria. Saved search criteria does not expire.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. Perform a search.
  4. Click Save Criteria .
  5. Enter values for the parameters:

    Parameter

    Description

    Enter the name of this search

    Type the unique name that you want to assign to this search criteria.

    Manage Groups

    Click Manage Groups to manage search groups. This option is only displayed if you have administrative permissions.

    Assign Search to Group(s)

    Select the check box for the group you want to assign this saved search. If you do not select a group, this saved search is assigned to the Other group by default.

    Include in my Quick Searches

    Select this check box to include this search in your Quick Search list box, which is on the Assets tab toolbar.

    Set as Default

    Select this check box to set this search as your default search when you access the Assets tab.

    Share with Everyone

    Select this check box to share these search requirements with all users.

Asset Search Groups

Using the Asset Search Groups window, you can create and manage asset search groups.

These groups allow you to easily locate saved search criteria on the Assets tab.

Viewing Search Groups

Use the Asset Search Groups window to view a list group and subgroups.

From the Asset Search Groups window, you can view details about each group, including a description and the date the group was last modified.

All saved searches that are not assigned to a group are in the Other group.

The Asset Search Groups window displays the following parameters for each group:

Table 2: Asset Search Groups Window Toolbar Functions

Function

Description

New Group

To create a new search group, you can click New Group. See Creating a new search groupOn the Asset Search Groups window, you can create a new search group..

Edit

To edit an existing search group, you can click Edit. See Editing a search groupYou can edit the Name and Description fields of a search group..

Copy

To copy a saved search to another search group, you can click Copy. See Copying a saved search to another groupYou can copy a saved search to another group. You can also copy the saved search to more than one group..

Remove

To remove a search group or a saved search from a search group, select the item that you want to remove, and then click Remove. See Removing a group or a saved search from a groupYou can use the Remove icon to remove a search from a group or remove a search group..

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. Select Search >New Search.
  4. Click on Manage Groups.
  5. View the search groups.

Creating a New Search Group

On the Asset Search Groups window, you can create a new search group.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. Select Search >New Search.
  4. Click Manage Groups.
  5. Select the folder for the group under which you want to create the new group.
  6. Click New Group.
  7. In the Name field, type a unique name for the new group.
  8. Optional. In the Description field, type a description.
  9. Click OK.

Editing a Search Group

You can edit the Name and Description fields of a search group.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. Select Search >New Search.
  4. Click Manage Groups.
  5. Select the group that you want to edit.
  6. Click Edit.
  7. Type a new name in the Name field.
  8. Type a new description in the Description field.
  9. Click OK.

Copying a Saved Search to Another Group

You can copy a saved search to another group. You can also copy the saved search to more than one group.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. Select Search >New Search.
  4. Click Manage Groups.
  5. Select the saved search that you want to copy.
  6. Click Copy.
  7. On the Item Groups window, select the check box for the group you want to copy the saved search to.
  8. Click Assign Groups.

Removing a Group or a Saved Search from a Group

You can use the Remove icon to remove a search from a group or remove a search group.

When you remove a saved search from a group, the saved search is not deleted from your system. The saved search is removed from the group and automatically moved to the Other group.

You cannot remove the following groups from your system:

  • Asset Search Groups

  • Other

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. Select Search >New Search .
  4. Click Manage Groups.
  5. Select the saved search that you want to remove from the group:
    • Select the saved search that you want to remove from the group.

    • Select the group that you want to remove.

Asset Profile Management Tasks

You can delete, import, and export asset profiles using the Assets tab.

Using the Assets tab, you can delete, import, and export asset profiles.

Deleting Assets

You can delete specific assets or all listed asset profiles.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. Select the asset that you want to delete, and then select Delete Asset from the Actions list box.
  4. Click OK.

Importing Asset Profiles

You can import asset profile information.

The imported file must be a CSV file in the following format:

ip,name,weight,description

Where:

  • IP Specifies any valid IP address in the dotted decimal format. For example: 192.168.5.34.

  • Name Specifies the name of this asset up to 255 characters in length. Commas are not valid in this field and invalidate the import process. For example: WebServer01 is correct.

  • Weight Specifies a number from 0 to 10, which indicates the importance of this asset on your network. A value of 0 denotes low importance and 10 is very high.

  • Description Specifies a textual description for this asset up to 255 characters in length. This value is optional.

For example, the following entries might be included in a CSV file:

  • 192.168.5.34,WebServer01,5,Main Production Web Server

  • 192.168.5.35,MailServ01,0,

The import process merges the imported asset profiles with the asset profile information you have currently stored in the system.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. From the Actions list box, select Import Assets.
  4. Click Browse to locate and select the CSV file that you want to import.
  5. Click Import Assets to begin the import process.

Exporting Assets

You can export listed asset profiles to an Extended Markup Language (XML) or Comma-Separated Value (CSV) file.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. From the Actions list box, select one of the following options:
    • Export to XML

    • Export to CSV

  4. View the status window for the status of the export process.
  5. If you want to use other tabs and pages while the export is in progress, click the Notify When Done link.

    When the export is complete, the File Download window is displayed.

  6. On the File Download window, choose one of the following options:
    • Open Select this option to open the export results in your choice of browser.

    • Save Select this option to save the results to your desktop.

  7. Click OK.

Research Asset Vulnerabilities

You can double-click the vulnerability to display more vulnerability details.

The Research Vulnerability Details window provides the following details:

Parameter

Description

Vulnerability ID

Specifies the ID of the vulnerability. The Vuln ID is a unique identifier that is generated by Vulnerability Information System (VIS).

Published Date

Specifies the date on which the vulnerability details were published on the OSVDB.

Name

Specifies the name of the vulnerability.

Assets

Specifies the number of assets in your network that have this vulnerability. Click the link to view the list of assets.

Assets, including exceptions

Specifies the number of assets in your network that have vulnerability exceptions. Click the link to view the list of assets.

CVE

Specifies the CVE identifier for the vulnerability. CVE identifiers are provided by the NVDB.

Click the link to obtain more information. When you click the link, the NVDB website is displayed in a new browser window.

xforce

Specifies the X-Force identifier for the vulnerability.

Click the link to obtain more information. When you click the link, the Internet Security Systems website is displayed in a new browser window.

OSVDB

Specifies the OSVDB identifier for the vulnerability.

Click the link to obtain more information. When you click the link, the OSVDB website is displayed in a new browser window.

Plugin Details

Specifies the JSA Vulnerability Manager ID.

Click the link to view Oval Definitions, Windows Knowledge Base entries, or UNIX advisories for the vulnerability.

This feature provides information on how JSA Vulnerability Manager checks for vulnerability details during a patch scan. You can use it to identify why a vulnerability was raised on an asset or why it was not.

CVSS Score Base

Displays the aggregate Common Vulnerability Scoring System (CVSS) score of the vulnerabilities on this asset. A CVSS score is an assessment metric for the severity of a vulnerability. You can use CVSS scores to measure how much concern a vulnerability warrants in comparison to other vulnerabilities.

The CVSS score is calculated using the following user-defined parameters:

  • Collateral Damage Potential

  • Confidentiality Requirement

  • Availability Requirement

  • Integrity Requirement

For more information about how to configure these parameters, see Adding or editing an asset profileAsset profiles are automatically discovered and added; however, you might be required to manually add a profile.

For more information about CVSS, see http://www.first.org/cvss/ .

Impact

Displays the type of harm or damage that can be expected if this vulnerability is exploited.

CVSS Base Metrics

Displays the metrics that are used to calculate the CVSS base score, including:

  • Access Vector

  • Access complexity

  • Authentication

  • Confidentiality impact

  • Integrity impact

  • Availability impact

Description

Specifies a description of the detected vulnerability. This value is only available when your system integrates VA tools.

Concern

Specifies the effects that the vulnerability can have on your network.

Solution

Follow the instructions that are provided to resolve the vulnerability.

Virtual Patching

Displays virtual patch information that is associated with this vulnerability, if available. A virtual patch is a short-term mitigation solution for a recently discovered vulnerability. This information is derived from Intrusion Protection System (IPS) events. If you want to install the virtual patch, see your IPS vendor information.

Reference

Displays a list of external references, including:

  • Reference Type Specifies the type of reference that is listed, such as an advisory URL or mail post list.

  • URL Specifies the URL that you can click to view the reference.

Click the link to obtain more information. When you click the link, the external resource is displayed in a new browser window.

Products

Displays a list of products that are associated with this vulnerability.

  • Vendor Specifies the vendor of the product.

  • Product Specifies the product name.

  • Version Specifies the version number of the product.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles .
  3. Select an asset profile.
  4. In the Vulnerabilities pane, click the ID or Vulnerability parameter value for the vulnerability you want to investigate.