Adding openvas to opnsense

Started by loden_richard, May 30, 2016, 08:20:36 AM

Hi there,

I was wondering if it is possible to integrate openvas (http://openvas.org/) within opnsense. My problem is, it is not within the pkg source and I can't install the required packages for compiling openvas. Is there an option to enable the sources for it without breaking my opnsense installation?

with best regards

richard

Hi Richard,

I'd also like to have a system like OpenVAS available in my network, but I'm not an OPNsense developer and I'm not sure whether the right place for it is on the firewall?!

Kind regards,
Jochen

Hello Jochen,

thanks for your reply. In my setup I have opnsense as my central router, which combines LAN, WLAN and WAN. Therefore all of my assets are known by opnsense and could be reached. I want an analysis of the connected assets and their patch levels. Maybe it would be possible to load a jail with openvas installed?

with best regards

richard

Hi Richard,

same setup here. Let's see what the devs are saying.

Best regards,
Jochen

Bump!

If the question is not specific enough then please provide some information how to integrate openvas ;-)


Hi Richard,

Sorry for the delay.

You should be able to build on your OPNsense from the ports tree. You need to run:

# pkg install git
# cd /usr
# git clone https://github.com/opnsense/ports
# cd ports/security

The openvas ports are in "openvas-cli", "openvas-libraries", "openvas-manager", "openvas-scanner". You should be able to compile/install using e.g.:

# cd openvas-cli
# make install

Afterwards it should configure like on stock FreeBSD even without an OPNsense GUI plugin.

Not sure the scope for openvas fits a perimeter firewall or how big the packages/dependencies are. Deferring this for after 16.7.


Cheers,
Franco

The idea is that within a small network environment, the edge firewall is the best place to actively search for vulnerabilities. All zones connected to the shared network (e.g. the internet) are reachable from that point. Alternatively, a jail could be hosted with a running vuln. scanner.
I am sure for big networks within companies it would not apply if opnsense is used as the edge firewall. I have seen installations for separating internal networks from each other, and for that reason it could be a nice feature to be able to scan the network which should be separated.
e.g. a SCADA network (which is not my installation, but is an argument for a specific installation of openvas):


The firewalls could also do an additional active security scanning service for ensuring patch levels and so on.