manualshive.com logo in svg

IBM Proventia Network Enterprise, User Manual

Share
Download
IBM Proventia Network Enterprise User Manual Download Page 256

Glossary

256

IBM Internet Security Systems

p

perspective—

A user-defined network location from which agents scan assets on a network. The hosts, services, 

and vulnerabilities discovered for a range of IP addresses vary based on the agent’s perspective. 

Proventia Manager—

A Web-based management interface.

Proventia Setup Assistant (psa)—

A text-only Web interface for initial configuration of the Enterprise Scanner 

appliance. 

proxy server address—

The IP address of the proxy server.

proxy server port—

The port number of the proxy server.

r

root password—

The password used to log on to the operationg system of the appliance.

s

Scan Control policy—

The scan control policy is used to enable either a discovery or assessment scan.

Scan Exclusion policy—

The scan exclusion policy defines the list of ports against which no assessment checks 

should be run and the list of IP addresses for which hosts that should not be scanned.

scan progress—

The number of scan jobs currently in progress.

Scan Window policy—

The scan window policy defines the times of the day during which discovery and 

assessment scanning are allowed against the assets in a group.

scanning—

A term that encompasses both discovery and assessment scanning.

scanning interface—

The interface that communicates with assets and services being scanned.

scheduler log—

The log for the Enterprise Scanner task scheduler.

settings review—

A list of all configuration settings.

SiteProtector—

A centralized management system that provides command, control, and monitoring capabilities 

over all IBM ISS products, including the Enterprise Scanner appliance.

SiteProtector Console—

The interface where you perform all SiteProtector-related tasks.

SiteProtector Database—

The SiteProtector Database that stores security data generated by IBM ISS products.

source IP—

The source IP address for an alert sent to the SiteProtector Console.

subtask—

A subcomponent of the job that defines and manages a portion of the total scanning work.

t

target count—

A filter used by the count of target hosts.

Summary of Contents for Proventia Network Enterprise

Page 1: ...IBM Internet Security Systems IBM Proventia Network Enterprise Scanner User Guide Version 1 3 ...

Page 2: ...d any use of this information is at the user s own risk IBM Internet Security Systems disclaims all warranties either expressed or implied including the warranties of merchantability and fitness for a particular purpose In no event shall IBM ISS be liable for any damages whatsoever including direct indirect incidental consequential or special damages arising from the use or dissemination hereof ev...

Page 3: ...itial Configuration 31 Configuring Appliance Level Settings 33 Configuring Explicit Trust Authentication with an Agent Manager 35 Registering Enterprise Scanner to Connect to the SiteProtector System 37 Logging On to the SiteProtector Console 40 Chapter 3 Running Your First Scans Overview 41 Basic Concepts 43 Finding Your Agent Assets and Policies in the SiteProtector System 44 Running Ad Hoc Scan...

Page 4: ...4 Key Parameters for Defining Scan Jobs 96 Chapter 7 Configuring Discovery and Assessment Policies Overview 97 How Policies Apply to Discovery and Assessment Scans 98 Defining Assets to Discover Discovery Policy 99 Defining Assessment Details Introduction Assessment Policy 100 Description of Check Information Assessment Policy 101 Grouping and Displaying Checks Assessment Policy 103 Defining Commo...

Page 5: ...g Behaviors 156 Expected Scanning Behaviors for Ad Hoc Scans 157 Expected Scanning Behaviors for Background Scans 159 Identifying Error Conditions 161 Troubleshooting Tips 163 Part IV Analysis Tracking and Remediation Chapter 12 Interpreting Scan Results Overview 167 Setting Up a Summary Page for Vulnerability Management 168 Viewing Vulnerabilities in the SiteProtector Console 170 OS Identificatio...

Page 6: ...ion Settings 217 Section B Configuring the XPU Environment 219 Overview 219 Configuring Explicit Trust Authentication with an XPU Server 220 Configuring an Alternate Update Location 221 Configuring an HTTP Proxy 222 Configuring Notification Options for XPUs 223 Section C Scheduling Updates and Manually Updating an Agent 225 Overview 225 Update Process 226 Scheduling a One Time Firmware Update 227 ...

Page 7: ...Enterprise Scanner User Guide Version 1 3 Viewing ES and System Logs 246 Viewing ES Logs 247 Downloading ES Log Files 248 System Log Descriptions 249 Getting Log Status Information 250 Changing Logging Detail 251 Glossary 253 Index 259 ...

Page 8: ...8 Contents IBM Internet Security Systems ...

Page 9: ...BM SiteProtector system through the entire vulnerability management process including configuring the agent configuring scans monitoring scans tracking and remediation and maintaining the agent Audience This Guide is written for security analysts and managers who are responsible for managing the vulnerabilities of assets of an enterprise network User background To use Enterprise Scanner you must u...

Page 10: ...workflows in the User Guide Document Description IBM Proventia Network Enterprise Scanner Quick Start Card Contains out of the box instructions for setting up your Enterprise Scanner agent Help Context sensitive Help that contains procedures for tasks you perform in the Proventia Manager and in the SiteProtector Console the SiteProtector system documents Documents available on the IBM ISS Web site...

Page 11: ...ner User Guide Version 1 3 Version of the SiteProtector system You manage your Enterprise Scanner agent through a SiteProtector Console The information in this guide about the SiteProtector system refers to Proventia Management SiteProtector 2 0 Service Pack 6 1 SiteProtector DBSP 6 31 ...

Page 12: ...ed Hours of support The following table provides hours for Technical Support at the Americas and other locations Contact information The following table provides electronic support information and telephone numbers for technical support requests Location Hours Americas 24 hours a day All other locations Monday through Friday 9 00 A M to 6 00 P M during their local time excluding IBM ISS published ...

Page 13: ... East and Africa support iss net 44 1753 845105 Asia Pacific Australia and the Philippines support iss net 1 888 447 4861 toll free 1 404 236 2700 Japan support isskk co jp Domestic 81 3 5740 4065 Regional Office Electronic Support Telephone Number Table 4 Contact information for technical support Continued ...

Page 14: ...Preface 14 IBM Internet Security Systems ...

Page 15: ...Part I Getting Started ...

Page 16: ......

Page 17: ...to run a one time scan to discover new assets or to assess the vulnerability status of existing assets at any time Ad hoc scans are useful when you need to take immediate action because assets have been added to your network or new vulnerabilities have been announced New concepts The beginning chapters of this guide introduce the key concepts behind the conceptual framework of Enterprise Scanner i...

Page 18: ...ul in the following cases The network is sparsely populated Every asset on the network is configured to respond to ICMP ping commands To configure ICMP ping see Defining Assets to Discover Discovery Policy on page 99 Application fingerprinting The application fingerprinting option identifies which applications are communicating over which ports and discovers any non standard port usage If you enab...

Page 19: ...canner 1 2 can communicate with SSH capable devices such as Unix hosts routers and switches through an encrypted secure communication protocol SSH greatly diminishes the threat that critical information will be intercepted and used for malicious intent This capability allows X Force to create new vulnerability checks for non network exposed services similar to the current Windows patch checks For ...

Page 20: ...orporates the key operational concepts of the Enterprise Scanner vulnerability detection model Background scanning is explained in more detail in Introducing Background Scanning on page 21 Ad hoc scanning and auditing Enterprise Scanner supports ad hoc scanning but it is not designed to be an auditing tool You could use the ad hoc scanning capability between scheduled background scans for the foll...

Page 21: ...re your most critical assets receive the needed level of attention Previous models In previous models of vulnerability management you would schedule scans to run on a specific day and to start at an exact time Scheduled scans have the following consequences The scan would start at the scheduled time and run until it finished whether that took two hours or two days Long running scans could interfer...

Page 22: ...ternet Scanner with Enterprise Scanner You can use Internet Scanner with Enterprise Scanner which you may want to do as you migrate from Internet Scanner You should migrate completely to Enterprise Scanner however because its tighter integration with the SiteProtector system significantly reduces the effort and cost involved in scanning your enterprise and managing your vulnerabilities Comparison ...

Page 23: ... these external components OneTrust Infrastructure the SiteProtector system user consoles assets on the network Architecture diagram Figure 1 shows the communication paths between Enterprise Scanner and the SiteProtector system Figure 1 Enterprise Scanner architecture Network interfaces Enterprise Scanner uses network interfaces as follows Interface Purpose Management To communicate with the SiteP...

Page 24: ...work Interface Port Communication With Management Inbound from 3995 TCP The SiteProtector Agent Manager Inbound from 3994 TCP The X Press Update Server Inbound on 443 TCP The user s Web browser Inbound on 22 TCP An SSH shell on a user s computer Scanning Any TCP outbound Any UDP Any ICMP The assets being scanned by the agent Table 7 Port usage for Enterprise Scanner ...

Page 25: ...es Note You can configure automatic downloading and installation of updates through the SiteProtector Console or through your Agent Manager Updates are available either through the IBM ISS Download Center or from a locally managed Update Server User interfaces You can access and view information gathered by the Enterprise Scanner through one or both consoles as described in the following table Com...

Page 26: ...s the alternate update server called the SiteProtector X Press Update Server As the appliance generates security data the Agent manager facilitates the data processing required for you to view the data in the SiteProtector Console The appliance sends a heartbeat signal through the management Interface to its Agent Manager on a routine basis to indicate that it is active and to receive policies and...

Page 27: ... those tasks Reinstalling an agent If you need to reinstall an Enterprise Scanner agent see Preparing to Reinstall an Enterprise Scanner Agent on page 208 and Reinstalling an Enterprise Scanner Agent on page 209 In this chapter This chapter contains the following topics Topic Page Before You Begin 28 Process Overview 29 Setting Up Your Appliance for Initial Configuration 31 Configuring Appliance L...

Page 28: ...iple agents now or in the future you should consider perspective before you proceed If you do not intend to install multiple agents you can use the default Global perspective Reference For a complete explanation of perspective see What is Perspective on page 124 Defining Perspectives on page 125 and One Way to Use Perspective on page 126 Interface Purpose Proventia Setup Assistant To configure net...

Page 29: ...art Card or see Setting Up Your Appliance for Initial Configuration on page 31 Run the Proventia Setup Assistant to configure appliance level settings and initial agent parameters Use the Proventia Network Enterprise Scanner Quick Start Card or see Configuring Appliance Level Settings on page 33 Create a backup of your system configuration settings Backing Up Configuration Settings on page 204 Opt...

Page 30: ...nt an agent to scan Chapter 6 Defining Background Scans on page 81 and Chapter 7 Configuring Discovery and Assessment Policies on page 97 Set up the SiteProtector system for vulnerability management Chapter 12 Interpreting Scan Results on page 167 9 Description Reference Table 11 Stages of installation and configuration Continued ...

Page 31: ...ial COM port the power cord that came in the box with the appliance the serial cable with an RJ45 connection that came in the box with the appliance a static IP address for the Management network interface Procedure To connect with terminal emulation 1 Connect the power cord to the power receptacle on the back of the appliance and plug the cord into the power source 2 Connect the Management Port t...

Page 32: ...Agent 32 IBM Internet Security Systems 7 Turn on the appliance Initialization messages appear in the window Note If messages do not appear after the appliance starts press the ENTER key 8 Go to Configuring Appliance Level Settings on page 33 ...

Page 33: ...TER 6 Press the SPACE BAR to select I accept Linux End User License Agreement press the DOWN ARROW to select Next and then press ENTER 7 Review the information required for the wizard select Next and then press ENTER Tip The keyboard navigation Help appears at the top of each configuration screen 8 Continue with the Proventia Setup Assistant and refer to the following table for the requirements of...

Page 34: ...ed to log on to the operating system of your appliance Administrator Password The password required to access the Proventia Setup Assistant on the appliance Proventia Manager Password The password required to access Proventia Manager through a Web browser over a network connection Bootloader Whether to require Enable or not require Disable the Bootloader root password for backup and restore operat...

Page 35: ...ontents of the leafcerts folder on the appliance Task 2 Copying the Agent Manager certificate To copy the Agent Manager s certificate 1 Locate the computer that hosts your SiteProtector Agent Manager and then locate the folder where the Agent Manager is installed Note The default location is C Program Files ISS SiteProtector Agent Manager Task Description Task 1 Clearing first time trust certifica...

Page 36: ...locate the setting parm name aCertFile 3 Set the value to value var spool crm cacerts dccert pem 4 Save the file Task 4 Enabling explicit trust authentication To enable explicit trust authentication on the agent 1 On the navigation pane in Proventia Manager click System and then click Management Registration 2 Select the Register with SiteProtector check box 3 Either create a new Agent Manager con...

Page 37: ...o the management network interface of the agent 2 In the Address box type https followed by the DNS name or the IP address assigned to the management network interface in the Proventia Setup Assistant 3 Accept any messages about security certificates Important You must accept the certificates that the agent sends These certificates establish a secure session between you and your agent 4 When you s...

Page 38: ...ed SiteProtector Group for Sensor The name of the group where the agent is registered in the SiteProtector system Note The SiteProtector system creates the group if it is not already there Heartbeat Interval secs The number of seconds you want the agent to wait between the times it contacts the SiteProtector system for changed policies and updates to firmware and assessment content Range 60 to 86 ...

Page 39: ...lick OK and then click Save Changes The Authentication page appears 12 Type the SiteProtector Account and Password for the SiteProtector Account that allows you to access sensitive information such as logon credentials for asset accounts 13 Click Save After the first heartbeat your agent appears in the SiteProtector system in the group you designated Note This operation may take several minutes Wa...

Page 40: ...SiteProtector Console 1 Click Start on the taskbar and then click All Programs ISS SiteProtector Console 2 Do one of the following If the Site is already defined in the SiteProtector system select it If the Site is not already defined in the SiteProtector system right click My Sites select New Site from the pop up menu and then type the IP address or the DNS name of the Site in the Server box 3 If...

Page 41: ...Scanning processes vary slightly depending on your configuration The procedures in this chapter assume that you have not configured the agent beyond the basic installation Important If you have configured any of the policies before you follow the procedures in the chapter your results may not be the same Tips are optional The instructions in this chapter provide the choice of setting up scans quic...

Page 42: ...Chapter 3 Running Your First Scans 42 IBM Internet Security Systems Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans 50 Background Scanning Overview 54 Background Scanning Process 55 Topic Page ...

Page 43: ...ns so that an assessment scan does not run until the corresponding discovery scan has finished Scopes of scans The scopes of discovery and assessment scans are based on the following settings Type of Scan Description Ad hoc One time scans for discovery and or for assessment Background Recurring cyclical scans that refresh your discovery and or assessment information at user defined intervals Table...

Page 44: ...ent groups Enterprise Scanner location When you registered your Enterprise Scanner agent with the SiteProtector system you added it to a group that appears in the SiteProtector Console To modify policies and customize your agent s scanning behavior you must locate that group For the examples in this chapter the agent is in the CorporateScanners group Location of assets A group that you scan could ...

Page 45: ...e no problem using the default perspective Global If you are in an established installation where you must use a different perspective check with your security manager before you continue Important The examples in this chapter use a user defined perspective Corporate Where the perspective in the examples is Corporate your perspective should appear as Global For more information about setting up a ...

Page 46: ...hat are known to have vulnerabilities if possible Tips are optional These instructions guide you through the process without explaining every detail If you are interested in the details refer to the information in the Tips for different steps If you are not interested in the details you can ignore the tips Procedure To run ad hoc scans 1 On the SiteProtector Console set up a tab with the Asset vie...

Page 47: ...m one time discovery scan of this group check box Type First Ad Hoc Discovery Scan in the Job name box 6 In the Ad Hoc Assessment section do the following Select the Perform one time assessment scan of this group check box Type First Ad Hoc Assessment Scan in the Job name box Select the Wait for discovery scan to complete before scheduling assessment scan check box 7 Leave the perspective in the P...

Page 48: ...scovery policy appears Figure 5 Ad hoc discovery policy 9 Type the IP addresses to scan in dotted decimal or CIDR notation of the assets to discover in the IP range s to scan box as follows Type an IP address and then press ENTER or type a comma Type a range of IP addresses and then press ENTER or type a comma ...

Page 49: ...Checks tab For information about viewing checks see Grouping and Displaying Checks Assessment Policy on page 103 Tip If you want to see or change any common assessment settings select the Common Settings tab For information about changing common settings see Defining Common Assessment Settings Assessment Policy on page 106 11 Click OK The system schedules an ad hoc discovery scan job in the Comman...

Page 50: ...w and the task name appears under the Object column 2 Click the Details Linked First Ad Hoc Discovery tab The job level statistics for the job appear Figure 7 Job level statistics for an ad hoc discovery scan Note Linked prepended to the task name indicates that the assessment scan was set up to run after the discovery scan has finished The same prefix is attached to the assessment scan to indicat...

Page 51: ...t view See page 74 and then select the group The discovered assets appear on the right pane Note If the assets do not appear press F5 to refresh the view Figure 9 Assets discovered during a Discovery scan Tip Assessment scans assess assets by user assigned criticality levels to ensure that the most critical assets are scanned first Assets discovered by an Enterprise Scanner agent have a default cr...

Page 52: ...n the Command Jobs window along with the completed discovery scan 6 To view statistics about the tasks in the job select the Activity tab Details about the tasks appear in the Activity tab Figure 10 Task level statistics for the linked ad hoc assessment scan Tip The task name appears under the Object column The status starts out as Pending may go back and forth between Idle and Processing until it...

Page 53: ...ct one of the vulnerability views Vuln Analysis Asset Vuln Analysis Detail Vuln Analysis Object Vuln Analysis Vuln Name The vulnerabilities found by the scan if any appear on the right pane as in the following figure of the Vuln Analysis Detail view Figure 11 View of vulnerability details in the CorporateScanningGroups Group Tip If the events do not appear adjust display parameters such as the Sta...

Page 54: ...res for both types of scans in one set of procedures Before you begin When you complete this process you will have defined a cycle of scanning for a group of assets that will repeat until you disable it If you want to continue these scans after the testing period you can change the settings as needed for your environment If you want to discontinue these scans you can stop them The procedure for st...

Page 55: ...e list 4 If the correct version of Enterprise Scanner is not displayed in the Version list select it Tip The version may apply to the agent whose properties you are defining or to the agent responsible for scanning the group whose properties you are defining Tip Enterprise Scanner policies may apply to one or more versions as indicated in the policy view If you use multiple agents at different ver...

Page 56: ... 7 Click Yes to open the policy for editing The Discovery policy appears Figure 13 The Discovery policy for the CorporateScanningGroups group 8 Type the IP addresses in dotted decimal or CIDR notation of the assets to discover in the IP range s to scan box as follows Type an IP address and then press ENTER or type a comma Type a range of IP addresses and then press ENTER or type a comma Example 17...

Page 57: ...ote The default settings run all the non DoS Denial of Service checks Figure 14 The Assessment policy for the CorporateScanningGroups group Tip If you want to see or change the checks that run select the Checks tab For information about viewing checks see Grouping and Displaying Checks Assessment Policy on page 103 Tip If you want to see or change any common assessment settings select the Common S...

Page 58: ...e right pane right click the Scan Window policy and then select Override from the pop up menu 3 Click Yes to open the policy for editing The Scan Window policy appears Figure 15 The Scan Window policy for the CorporateScanningGroups group Tip Scan window policies are inherited by default from a parent group if the Scan window policy is defined for the parent group 4 Select the Discovery Windows ta...

Page 59: ...ct the time zone during which you want the scan windows to be open from the Time zone for windows defined in this policy list Note Typically you would choose the same time zone as the time zone of the assets in the group Task 4 Enable scanning and define length of scanning cycles To enable scanning and to define the length of scanning cycles 1 On the navigation pane select the group to scan 2 Righ...

Page 60: ...t and then select 2 Day s in the Cycle duration boxes 7 In the Background Assessment section select the Enable background assessment scanning of this group check box 8 Type Quick Background Assessment Scan in the Task name box 9 Select the Use Discovery s start date duration and wait for discovery scan to complete before scheduling assessment scan check box 10 Leave the perspective in the Perform ...

Page 61: ...nitor the progress of the scan right click the group on the navigation pane and then select Properties from the pop up menu 4 Select Command Jobs from the left pane The background scans appear in the Command Jobs window and the task names appear under the Object column Note If you set your scan cycle to start at a later date the jobs are scheduled at midnight on the first day of the new scan cycle...

Page 62: ...cy and then select Override from the pop up menu 4 Click Yes to open the policy for editing 5 If you want to disable background discovery scans in the Background Discovery section clear the Enable background discovery scanning of this group check box 6 If you want to disable background assessment scans in the Background Assessment section clear the Enable background assessment scanning of this gro...

Page 63: ...prise Scanner permissions with a single global setting You may add other users but restrict them to a subset of Enterprise Scanner functions by using one or more of the other types of permissions Complete documentation This chapter provides introductory information about setting permissions and explains permissions as they relate to Enterprise Scanner functions For complete documentation about per...

Page 64: ...Whether you can manually refresh agents 9 Assessment Credentials Policy Whether you can view and or modify the policy 9 9 Assessment Policy Whether you can view and or modify the policy 9 9 Discovery Policy Whether you can view and or modify the policy 9 9 Network Locations Policy Whether you can view the Network Locations policy Important See Scanning without full permissions on page 65 for impor...

Page 65: ...anning without full permissions To perform any Enterprise Scanner scan with SiteProtector 2 0 Service Pack 6 1 SiteProtector DBSP 6 31 or later a user must have permission to view the Network Locations policy This permission is granted for the predefined user groups that provide full Enterprise Scanner permissions If you define users or user groups with restricted permissions you must grant this p...

Page 66: ...roup level permissions you can use them to maintain very specific control over a user s actions in the SiteProtector system For example you can set group level permissions such that three users have different permissions for the same group Managing group level permissions You should perform the following tasks before you configure group level permissions set up asset groups import assets into the ...

Page 67: ... To add members to SiteProtector User Groups 1 On the left pane select the Site Group where you want to add members to a User Group 2 On the Tools menu click User Groups The User Groups window appears 3 On the left pane select the group you want to modify 4 In the Members section click Add 5 Use the following table to determine your next step The Select User and Groups window appears 6 Click OK 7 ...

Page 68: ...2 The Group Properties tab appears 3 Click the Permissions icon 4 In the Users and or Groups column select the user or group 5 In the Manage Security section clear the circle that corresponds to the permission you want to grant The circle turns white indicating that the permission is removed 6 Click the Save icon 7 Close the Properties tab Configuring advanced permissions To configure advanced per...

Page 69: ...Part II Configuring Enterprise Vulnerability Protection ...

Page 70: ......

Page 71: ...ow each policy affects different types of scans Scope This chapter provides background information for understanding the Enterprise Scanner policies For detailed information about setting up policies see the following chapters Chapter 6 Defining Background Scans on page 81 Chapter 7 Configuring Discovery and Assessment Policies on page 97 Chapter 8 Defining Agent Policies on page 109 In this chapt...

Page 72: ...l perspective of agents to run the scan When you define characteristics of an agent you define operational features such as how to divide discovery and assessment scans into subtasks the passwords for the agent s accounts and its perspective but you do not define security related parameters Advantages By separating asset and agent policies scanning is flexible and easily scalable as demonstrated i...

Page 73: ...to run discovery and or assessment scans against the group For discovery scans which IP addresses to scan For assessment scans which checks to run and other assessment parameters On which days to run scans and during which hours to run them How frequently to run scans to refresh information about the assets in a group Which assets in the group if any that you do not want to scan List of accounts a...

Page 74: ...t the top of the Console on the right side Opening a new tab To open a new tab In the SiteProtector Console right click a tab select New Tab from the pop up menu and then select a view from that pop up menu The new tab appears as the last tab on the right Procedure To view Enterprise Scanner policies 1 In the SiteProtector Console set up a tab to display policies See page 74 2 On the left pane sel...

Page 75: ...e used by all agents and assets at the Site It appears once for the Site at the Site Group level Defines relative locations of agents on the network to use as scanning perspectives For assets think of perspective as the location from which you want to scan the assets in the group Network Services Defines the ports on which services run Scan Control Controls the following whether discovery and or a...

Page 76: ...ite It appears once for the Site at the Site Group level Defines the relative location of the agent on the network which is the agent s scanning perspective Networkinga Defines the following network configuration settings DNS servers and search paths for the network interfaces and for the scanning network interface Notification Defines the following Enables alert logging and notification for syste...

Page 77: ...ies follow the general rules of inheritance Many agent policies apply only to a single agent or scanning network interface Some asset and some agent policies have specialized inheritance characteristics These differences are described in more detail in later topics Inheritance indicators Policies for a group appear in a Policy tab in the SiteProtector Console When you select a group on the left pa...

Page 78: ...he SiteProtector Console When you select an agent on the left pane the agent s policies appear on the right pane If you expand the agent node the policies also appear below the agent Figure 19 is an example of agent policies for an agent in the CorporateScanners group Figure 19 Example of agent policies in a Policy tab in the SiteProtector system Examples of inheritance indicators Table 25 describ...

Page 79: ...cies in the Console You work with policies in a Policy tab in the SiteProtector Console When you select a group on the left pane the group s policies appear on the right pane If you expand the group the policies also appear below the group Figure 20 is an example of asset policies in the CorporateScanningGroups group Figure 20 Example of asset policies in a Policy tab in the SiteProtector system E...

Page 80: ...Chapter 5 Introduction to Enterprise Scanner Policies 80 IBM Internet Security Systems ...

Page 81: ...policies see Chapter 7 Configuring Discovery and Assessment Policies on page 97 Prerequisite Before you modify policies you must understand how to locate them in the SiteProtector Console For an introduction to viewing policies see Viewing Asset and Agent Policies on page 74 In this chapter This chapter contains the following topics Topic Page Determining When Background Scans Run 82 How Policies ...

Page 82: ...of the cycle and the jobs for that cycle are scheduled in the Command Jobs window at that time Scanning windows Scanning windows are the hours that are available for scanning each day of the week A scan that runs only during scanning windows pauses when a window closes and resumes when the window reopens Scans affected by scanning windows Scanning windows affect scans as follows Scanning windows a...

Page 83: ...cycles and scanning windows in different policies you can use the policy inheritance properties to more precisely define your scans For example you could define refresh cycles and apply the Scan Control policy to a group with several subgroups For each subgroup you could define different scan windows to control the amount of scanning on different parts of your network at different times For more a...

Page 84: ...ually in response to network changes or newly discovered threats Note You can run an ad hoc scan immediately or you can run it only during the scan windows defined for the group in the Scan Window policy Background Automatic recurring scans that run on separately definable refresh cycles for discovery and for assessment scanning Table 27 Descriptions of ad hoc and background scans Background asset...

Page 85: ... You can choose whether to run an ad hoc scan only during the open scan windows defined for background scans and to pause when the windows close Refresh cycles Ad hoc scans are never bound by the refresh cycles that apply to background scans Ad hoc scans continue to scan until they finish or until you stop them Ad hoc scans pause when scan windows close if you choose the option to run the scans on...

Page 86: ...Scan Window Policy on page 89 Optional Apply an Assessment Credentials policy to the group for better OS identification See Defining Assessment Credentials Assessment Credentials Policy on page 94 Apply a Scan Control policy to the group either directly or through inheritance from a higher group See Enabling Background Scanning Scan Control Policy on page 87 Table 32 Checklist for background disco...

Page 87: ... from background scans in that background scanning behavior is determined by which Scan Control policy applies to each subgroup Procedure To enable scanning 1 In the SiteProtector Console set up a tab to display asset policies See page 74 2 On the navigation pane select a group and then open the Scan Control policy for that group 3 Select the Enable background discovery assessment scanning of this...

Page 88: ...n the Network Locations policy See page 112 and define a new perspective Wait for discovery scan to complete before scheduling assessment scan Delays the start of the assessment scan until the discovery scan has finished to ensure that the discovery scan has identified all discoverable assets before the assessment scan begins Note This check box is available for assessment scans only When you enab...

Page 89: ...tart a scan when there are no scan windows the job appears in the Command Jobs window in the Idle state The job will not run until you define scan windows Rules for defining scan windows The following rules apply to scan windows You define the scan windows for discovery and assessment policies separately on separate tabs of the policy Important Be sure to define a scan window for both types of sca...

Page 90: ...can windows list Note Typically you use the time zone of the assets in the group For example you may be in the Eastern time zone but scanning assets in the Pacific time zone You would define your scanning hours according to the considerations of the Pacific time zone and then set your appliance to the Pacific time zone If you want to Then allow scanning during specific hours click and drag your cu...

Page 91: ...ses not to scan Excluding ports To exclude ports from a scan 1 In the SiteProtector Console set up a tab to display asset policies See page 74 2 On the navigation pane select a group and then open the Scan Exclusion policy for that group 3 Use a combination of typing the ports numbers and choosing the port numbers as follows Type the ports to exclude separated by commas in the Excluded Ports box C...

Page 92: ...eferenced in the user defined policy A user defined Network Services policy includes only explicit overrides of inherited service definitions This ensures that all groups automatically inherit XPU updates to the default Network Services policy Service definition The network services policy includes the following information about each service service name service description port number protocol T...

Page 93: ...n the Assessment policy select the Service scan check box Note You cannot change the Service name Port or Protocol of default services You cannot delete default services 4 For customized services you can do the following To add a service click the add icon To modify a service select the service and then click the modify icon To delete a service select the service and then click the delete icon ...

Page 94: ...ion pane select a group and then open the Assessment Credentials policy 3 Click Add The Add Assessment Credentials window appears 4 Provide the following account information Field Description Username The user identification for an account Password The password to use with the Username to log into an account Account Type Windows Local Indicates the user account is defined locally on a single Windo...

Page 95: ...er account is defined for Unix devices that allow SSH logons In this context Domain loosely refers to a set of devices rather than to a specific type of domain The account is used to attempt to log on to all SSH devices covered by the policy When you choose this option you should supply a descriptive name in the Domain Host box This is for documentation purposes only it is not used by Enterprise S...

Page 96: ...rspective Network location list define the perspective from which you want to scan a group with an ad hoc scan Remote Scan ad hoc policy right click a group and then select Scan from the pop up menu select the perspective from the Perform one time scan from this perspective network location list define the number of assets in a subgroup to scan in one subtaska a For guidance in determining the siz...

Page 97: ...nal background scanning requirements see Chapter 6 Defining Background Scans on page 81 For additional ad hoc scanning requirements see Chapter 14 Running Ad Hoc Scans on page 191 Prerequisite Before you modify policies you must understand how to locate them in the SiteProtector Console For an introduction to viewing policies see Viewing Asset and Agent Policies on page 74 In this chapter This cha...

Page 98: ...t policies Table 36 identifies which asset policies apply to discovery scans which apply to assessment scans and which apply to both Type of Scan Scope Discovery The IP addresses that you assign to the scan for a single group Note The group you use for discovery scans may already contain assets Those assets do not have to belong to the IP range of the scan Assessment The assets in a group and any ...

Page 99: ...In the SiteProtector Console set up a tab to display asset policies See page 74 2 On the navigation pane select a group and then open the Discovery policy for that group 3 Type the IP addresses in dotted decimal or CIDR notation of the assets to discover in the IP range s to scan box as follows Type an IP address and then press ENTER or type a comma Type a range of IP addresses and then press ENTE...

Page 100: ... use its settings to initialize the ad hoc Assessment policy You can change the ad hoc version of the policy without changing the saved background version Policy contents An Assessment policy includes the following information a list of assessment checks check specific configuration parameters common assessment settings that define additional scanning behavior For this tab See Checks Description o...

Page 101: ...cates that one or more parameters have been changed from their default settings Note This condition is set automatically when you change or reset a parameter that you can customize Description A short phrase describing the vulnerability detected by the check and the method the check employs to detect it Example Looks at the Windows registry to determine whether an AOL Instant Messaging Client is p...

Page 102: ... the value is 0 the default timeout 5 minutes 300 seconds applies Vulnerability The vulnerability Tag Name for the vulnerability reported by the check Vulnerability ID An unsigned 32 bit integer identifier for the condition reported by the check equal to the SecCheckId of the SecurityChecks table entry in the X Force and SiteProtector databases that describes the condition A condition identifies a...

Page 103: ...up and then open the Assessment policy for that group 3 Do any of the following You can use To column selection choose which information to display Note You can only sort and group by columns that are displayed sorting change the order of vulnerabilities based on one column of information grouping display vulnerabilities sorted by one or more columns of data filtering display vulnerabilities based...

Page 104: ... that group 3 Do any of the following that is sorted and reverse its sort order click the column heading The sort order is reversed in a particular order right click the column heading and then select either Sort Ascending or Sort Descending from the pop up menu when vulnerabilities are displayed in groupings click the column heading and then expand the groups to see the effect of the sorting If y...

Page 105: ... one or more filtering criteria and then click OK Tip You can use the standard multiple select techniques of SHIFT to select a range or CTRL to select individual filter values in each list Disabling or enabling groups of checks To disable or enable groups of checks 1 Use the methods described in this topic to sort the checks in a group that contains checks that want to enable or disable 2 Double c...

Page 106: ...p for a SiteProtector Console without Internet Access in the SiteProtector Help for detailed instructions for setting it up Treatment of X Force Recommendations Enable each X Force recommended check that is not explicitly disabled in this policy Does the following Enables each X Force check that has not been customized by changing one or more settings Determines whether or not new checks added in ...

Page 107: ...of Windows operating systems Run only checks that apply to specific OS best performance If Enterprise Scanner is uncertain about the OS of the asset runs only the checks that apply to the exact version of the operating system Use of Application Fingerprinting Do not perform application fingerprinting Does not try to specifically identify which applications are communicating over which ports and ru...

Page 108: ...et belong to If enabled Enterprise Scanner tries to confirm the account s access level during assessment by checking which local groups the asset belong to Account Lockout Control Allowed account lockout This setting controls how Enterprise Scanner handles accounts that have account lockout protection enabled The account lockout options are as follows No lockout allowed Enterprise Scanner avoids r...

Page 109: ... 5 Introduction to Enterprise Scanner Policies on page 71 provides an introduction to Enterprise Scanner policies That chapter includes background information about locating Enterprise Scanner policies p 74 and about how inheritance works with Enterprise Scanner policies p 77 For more detailed information about policy management see the Help in the SiteProtector Console In this chapter This chapte...

Page 110: ...ocedure To configure a scanning network interface 1 In the SiteProtector Console set up a tab to display agent policies See page 74 2 On the navigation pane expand the Enterprise Scanner agent 3 Select the ESM policy for the agent on the navigation pane 4 Select the row for port 1 and then click the Edit selected items detail button 5 Configure the scanning port as follows Field Description Port A...

Page 111: ...rences in the average response time the profiles of the hosts being scanned the number of appliances sharing the work at each perspective Because of these differences the optimal subtask sizes may differ by perspective Suggestion Because the optimal settings vary by perspective you should generally use the same subtask sizes for all appliances that share a perspective Advantages of different sized...

Page 112: ...Perspective is most important when you have multiple agents located at different locations on your network To distinguish among them you must use more than one perspective Implication of perspective names When you choose a perspective name choose a name that represents the location on the network that the perspective references Consider that technically a perspective represents a set of subnets fr...

Page 113: ...personnel Procedure To enable alert logging 1 In the SiteProtector Console set up a tab to display agent policies See page 74 2 On the navigation pane open the Notification policy for the agent Note The policy may be defined for only the agent or it may be defined for a group at a higher level than the agent 3 Select the Event Notification tab 4 Select the check box for each type of event to enabl...

Page 114: ...igation pane open the Access policy for the agent Note The policy may be defined for only the agent or it may be defined for a group at a higher level than the agent 3 For each password you want to change do the following Type the current password in the Current Password box Click Enter Password type the new password in the Password and in the Confirm Password boxes and then click OK 4 If you want...

Page 115: ...king policy for the agent and then select the Scan Interface tab 4 Configure the scanning network interface as follows Configuring DNS servers and search paths To configure DNS servers and search paths 1 In the SiteProtector Console set up a tab to display agent policies See page 74 2 On the navigation pane expand the Enterprise Scanner agent 3 Select the Networking policy for the agent and then s...

Page 116: ...ain name to your DNS search path type the Domain Name and then click OK 6 If you want to change the order of the domains in your DNS search path select the domain and then click either the up or the down arrow Tertiary DNS Server The tertiary nameserver to use for resolving DNS names Field Description ...

Page 117: ...b to display agent policies See page 74 2 On the navigation pane expand the Enterprise Scanner agent 3 Select the Time policy for the agent 4 To change the date or time click the Date and Time arrow and then do any of the following Select the correct month and date Use the arrows at the top to change the month and year in the calendar Select the hour minutes and A M or P M in the boxes provided fo...

Page 118: ...et Security Systems the agent sends a heartbeat to SiteProtector If you cannot save this policy and refresh the agent immediately set the time as described above in Steps 4 and 5 in the Changing the date and time procedure before you save the policy ...

Page 119: ...y default SSH is enabled but you can disable it in the Services Policy Important If you disable SSH you cannot run remote command line functions on the agent Procedure To enable SSH for the internal interface 1 In the SiteProtector Console set up a tab to display agent policies See page 74 2 On the navigation pane expand the Enterprise Scanner agent 3 Select the Services policy 4 In the SSH sectio...

Page 120: ...Chapter 8 Defining Agent Policies 120 IBM Internet Security Systems ...

Page 121: ...Part III Scanning ...

Page 122: ......

Page 123: ...anning behavior and about tracking scans in SiteProtector see the following chapters Chapter 10 Monitoring Scans on page 135 Chapter 11 Managing Scans on page 151 Prerequisites This chapter uses terms that define scanning parameters that are described in detail in the policy descriptions in Part II Configuring Enterprise Vulnerability Protection Before you continue you should understand scanning w...

Page 124: ...is blocked and no network address translation occurs Use for distributed scanning Perspective makes it possible to easily distribute the workload among multiple agents If you have just one agent in a perspective that agent performs all the scans that run from that perspective If you have two or more agents in a perspective Enterprise Scanner automatically balances the distribution of tasks among t...

Page 125: ...eaning of perspective in different policies Illustration Figure 23 illustrates the relationships between perspectives and policies described in Table 42 Figure 23 Network locations in the ESM Network Locations and Scan Control policies You In the And it applies to define a perspective as a network location Network Locations policy See page 112 the entire Site assign an agent to a perspective ESM p...

Page 126: ...24 Using perspective for scanning inside and outside the firewall Explanation To configure an environment such as the one described in Figure 24 you would do the following 1 Define perspectives to identify the agents at each place on your network for example InsideFirewall and InsideDMZ 2 Install agent S1 inside the DMZ and assign it to the InsideDMZ perspective 3 Install agent S2 inside the firew...

Page 127: ...ob actually starts to create tasks and run subtasks The importance of tasks and subtasks Because a task assumes the criticality of the assets it contains Enterprise Scanner can assign priority factors to tasks based on asset criticality Because tasks run in units determined by subtask size Enterprise Scanner can run subtasks that can run to completion during an open scanning window Term Descriptio...

Page 128: ...se task is identified as Base Assessment Scan for Group Tasks per type of scan Table 45 explains the tasks needed for discovery and assessment scans Management Task Description A job level task A task that appears once for each type of scan It is identified by the name given to the scan One or more Parent level tasks A task that appears for each group and subgroup affected by the scan It is identi...

Page 129: ...t criticality represented in each group Asset criticality affects the priority of the task Example If a scan job includes a group with one subgroup and the group and subgroup contain assets with all levels of criticality the job will run as at least 11 tasks one management task and one task for each criticality in each group Task prioritization Table 46 explains the reasons behind prioritization o...

Page 130: ... that contains all levels of asset criticality Figure 25 Example of an assessment scan with all criticality levels Task order The example in Figure 25 contains an assessment task for each asset criticality level The order of the tasks in the Remote Scan window does not reflect the order in which the tasks run The tasks run in priority order from the highest criticality level to the lowest ...

Page 131: ...heduled when you initiate the scan 2 A job is ready to run follows For background scans or ad hoc scans that run in scan windows the job runs as soon as an open scan window is available For ad hoc scans that can run any time the job runs as soon as possible after you initiate it 3 When a job is scheduled the agent divides it into tasks The first task created for all scans is a management parent ta...

Page 132: ...assets in the rest of the job remain unscanned Important New scan cycles always start from the beginning of the command job even if any tasks or subtasks from the previous scan cycle did not finish Discovery cycle duration Determining the optimal duration for your discovery refresh cycle depends on how frequently you add or change the assets on your network If your network changes frequently you s...

Page 133: ...for a discovery scan or assets for an assessment scan according to the size of your smallest scan window Try to size the quantity of IP addresses and assets to scan according to the duration of your refresh cycle If your scans still do not finish in the time allowed consider reducing the number of checks you run or adding another Enterprise Scanner agent to the perspective ...

Page 134: ...Chapter 9 Understanding Scanning Processes in SiteProtector 134 IBM Internet Security Systems ...

Page 135: ...rise Scanner and SiteProtector schedule scanning jobs and manage scanning tasks see Chapter 9 Understanding Scanning Processes in SiteProtector on page 123 Examples in this chapter The examples in the chapter are from ad hoc scan jobs The results for background scan jobs follow the same patterns In this chapter This chapter contains the following topics Topic Page Finding Your Scan Jobs 136 Job In...

Page 136: ...w includes one scanning job and two maintenance jobs Figure 26 Example of a Command Jobs window Procedure To open a Command Jobs window 1 In the SiteProtector Console right click the Site or a group and then select Properties from the pop up menu Tip Or click the Control jobs icon on the toolbar 2 Select Command Jobs from the options on the left pane The command jobs appear for the selected group ...

Page 137: ...y column displays the SiteProtector computer_name user_name based on resolving the Security ID of the logged on user Progress The Progress column indicates the completion status of the job Progress is shown by a progress bar and a percentage of completion The percentage may decrease temporarily if you stop and restart a job that must rerun subtasks Status Description Cancelled The job was stopped ...

Page 138: ...job provides task level information about the job Figure 27 is an example of the Details tab for an ad hoc discovery scan Figure 27 The Details tab for a discovery scan Discovery scan activity The Activity tab for a discovery scan includes runtime information about tasks It includes the total number of IP addresses in the range of IP addresses to discover the number of IP addresses discovered and ...

Page 139: ...se and reopen the window Illustration Figure 29 is an example of the Remote Scan window showing a tree view list of the discovery job and tasks Figure 29 Remote Scan window with the tree view list of discovery tasks Description The window contains a navigation pane a left pane and a right pane The example in Figure 29 contains only the navigation and left panes Procedure To view job information 1 ...

Page 140: ...a job and the tasks for a scan in the Remote Scan window The details for the job or task that you select on the left pane appear in the right pane This topic provides examples of details for the job and the parent task Job details Figure 30 is an example of the job details for an ad hoc discovery scan Figure 30 Job details for an ad hoc discovery scan ...

Page 141: ...ser Guide Version 1 3 Parent task details In addition to the scanning tasks each job contains a parent task that performs management functions for the job Figure 31 is an example of the parent task details for an ad hoc discovery scan Figure 31 Parent task details for an ad hoc discovery scan ...

Page 142: ... This topic provides an example of task details for an ad hoc discovery task Illustration Scanning task details include parameters that control how the scan runs including user defined parameters Figure 32 is an example of the scanning details for a task Figure 32 Scanning task details for an ad hoc discovery scan ...

Page 143: ...topic describes the information that is available for assessment scans Assessment scan details The Details tab of a scan job provides task level information about the job Figure 33 is an example of the Details tab for a background assessment scan Figure 33 The Details tab for an assessment scan Assessment scan activity The Activity tab for an assessment scan includes runtime information such as a ...

Page 144: ... window showing the tree view list of assessment tasks Description The window contains a navigation pane a left pane and a right pane The example in Figure 35 contains only the navigation and left panes Assessment subtask explanation Assessment scans include a task for each group and then for each asset criticality in each group The example in Figure 35 illustrates the subtasks for an ad hoc asses...

Page 145: ...job in the Command Jobs window and then select Open from the pop up menu 2 Click Results on the left pane The Remote Scan window appears as in the example in Figure 35 criticality_level criticality the criticality of the assets in the subtask for example High or Unassigned This part of the description Describes Table 50 Subtask description Continued ...

Page 146: ...a job and the tasks for a scan in the Remote Scan window The details for the job or task that you select on the left pane appear in the right pane This topic provides examples of details for the job and the parent task Job details Figure 36 is an example of the job details for an ad hoc assessment scan Figure 36 Job details for an ad hoc assessment scan ...

Page 147: ...ser Guide Version 1 3 Parent task details In addition to the scanning tasks each job contains a parent task that performs management functions for the job Figure 37 is an example of the parent task details for an ad hoc assessment scan Figure 37 Parent task details for an ad hoc assessment scan ...

Page 148: ...p to manage the tasks for each asset criticality in the group scanning tasks for each asset criticality in the group This topic provides an example of a base assessment scan details and the task details for an ad hoc assessment scanning task Base assessment scan details Figure 38 is an example of a Base Assessment Scan task for the CorporateScanningGroups group Figure 38 Base assessment scan detai...

Page 149: ... Proventia Network Enterprise Scanner User Guide Version 1 3 Scanning task details Scanning task details include parameters that control how the scan runs Some of these are user defined parameters Figure 39 Scanning task details for an ad hoc assessment scan ...

Page 150: ...Chapter 10 Monitoring Scans 150 IBM Internet Security Systems ...

Page 151: ...se Scanner and SiteProtector schedule scanning jobs and manage scanning tasks see Chapter 9 Understanding Scanning Processes in SiteProtector on page 123 In this chapter This chapter contains the following topics Topic Page Stopping and Restarting Scan Jobs 152 Suspending and Enabling All Background Scans 154 Minimum Scanning Requirements 155 Generally Expected Scanning Behaviors 156 Expected Scan...

Page 152: ...en option This chapter explains the Rerun Pause Resume and Cancel options For information about the Open option see Chapter 10 Monitoring Scans on page 135 Stopping a scan job You can stop and restart jobs with the Pause and Cancel options in the pop up menu for the job in the Command Jobs window Impact of stopping scan jobs Table 52 describes the impact of stopping scans with the Pause and Cancel...

Page 153: ...on subtasks the next day that a scan window is open Command Impact Table 52 Impact of stopping scans Continued Command Impact Rerun The entire scan job runs again Note A job that you rerun is not confined by the refresh cycle therefore it never goes into an Expired state Resume If you resume the scan job only incomplete subtasks run again but they run in their entirety Note If large subtasks must ...

Page 154: ...e Scan Control policy for that group 3 Do one of the following If you want to suspend scans clear the Enable background discovery assessment scanning of this group check box in the Background Discovery and Background Assessment sections for the type s of background scanning you want to suspend If you want to enable scans select the Enable background discovery assessment scanning of this group chec...

Page 155: ...tely To run an ad hoc scan only during periods of allowed scanning 1 Define periods of allowed scanning for discovery and assessment scans in the Scan Windows policy only if you do not want to use the default 2 Start an ad hoc scan to run during open discovery or open assessment windows Background discovery scan To run a background discovery scan 1 Define a Discovery policy 2 Define periods of all...

Page 156: ...ment jobs A single assessment scan covers the group that has the Scan Control policy and any groups that inherit the policy Discovery policies are not inherited See Stopping and Restarting Scan Jobs on page 152 Priority Expect the following regarding scan priority Scans run in priority order as follows ad hoc discovery scans ad hoc assessment scans in order of asset criticality background discover...

Page 157: ...defining scan windows See the next question Q Why would and ad hoc scan not start to process A You did not enable a discovery or an assessment scan when you started the ad hoc scan A You did not define at least one IP address for a discovery scan A If you set up the scan to run during scan windows but you have not defined Scan Windows for the group you are scanning This could happen if you define ...

Page 158: ...ends on how you set up your Scan Control policy If you set up the Scan Control policy so that the assessment scan Then the assessment scan waits for the discovery scan to finish before the assessment scan begins also runs again when you rerun the discovery scan does not wait for the discovery scan to finish before the assessment scan begins does not run again when you rerun the discovery scan ...

Page 159: ... scan job appears in the Command Jobs window when the agent is available provided it is on a valid start date Q How many states does a background job go through A A background job starts out in the Pending state It quickly goes to one of these states The job moves to the Idle state if a scan window is not open The job moves to the Processing state when a scan window is open if an agent is availabl...

Page 160: ...t the following If you set up the Scan Control policy so that the assessment scan Then the assessment scan waits for the discovery scan to finish before the assessment scan begins starts as a separate job for each subgroup as soon as the discovery scan finishes This allows assessment scanning to begin for a subgroup whose discovery scan has finished without having to wait for the discovery scans o...

Page 161: ...cans scheduled Parent Adhoc Scan for Group_Name IGNORED no scans Enabled Note This means that neither Discovery nor Assessment is enabled in the Adhoc Scan Control policy Group Group_Name Stopping Discovery scans due to scan window Group Group_Name Stopping Assessment scans due to scan window Group Group_Name Stopping Discovery to refresh ScanControl Group Group_Name Stopping Assessment to refresh...

Page 162: ...ternet Security Systems No hosts with criticality criticality_level in Group Group_Name Scan not run Error found in the discovery policy scan will not be run Text of Message Table 56 Messages in the Display Task Detail AA window Continued ...

Page 163: ...anticipate or none at all To avoid this problem in the Scan Control policy configure your assessment scan to start after the discovery scan has ended Scan window defined Have you enabled background scanning in a Scan Control policy without defining a scan window in a Scan Window policy Registered and authenticated Have you verified that your agent is authenticated with SiteProtector The status in ...

Page 164: ...Chapter 11 Managing Scans 164 IBM Internet Security Systems ...

Page 165: ...Part IV Analysis Tracking and Remediation ...

Page 166: ......

Page 167: ...rotector Console In this chapter This chapter contains the following topics Topic Page Setting Up a Summary Page for Vulnerability Management 168 Viewing Vulnerabilities in the SiteProtector Console 170 OS Identification OSID in Enterprise Scanner 171 How OSID Is Updated 172 Viewing Vulnerabilities by Asset 173 Viewing Vulnerabilities by Object 175 Viewing Vulnerabilities by Detail 176 Viewing Vul...

Page 168: ...rabilities by day Total number of medium priority vulnerabilities by day Total number of low priority vulnerabilities by day Total number of all vulnerabilities by day Vulnerability History by Month Displays a bar graph that illustrates the following information Total number of high priority vulnerabilities for the month Total number of medium priority vulnerabilities for the month Total number of...

Page 169: ... the group currently selected on the navigation pane select the Update Content on Group Change check box Note If you do not select this check box you must refresh the view to update information after you select a different group 4 If you want to add portlets to a view double click the portlet in the Available list 5 If you want to remove portlets from a view double click the portlet in the Display...

Page 170: ...iteProtector Console you can view vulnerabilities by the following categories Vuln Analysis Assets Vuln Analysis Detail Vuln Analysis Object Vuln Analysis Vuln Name Creating custom views If the default views do not meet your needs you can create custom analysis views When you customize a view you can add or remove columns or filters change the values of filters or rearrange the columns Filtering e...

Page 171: ...rtain than others What determines certainty The certainty with which a source provides a completely accurate OSID is based on the quality of the information available to the source For example OSID from a Desktop agent is always considered certain because the agent has full access to information about the asset OSID from an Enterprise Scanner scan is considered certain if the agent had authenticat...

Page 172: ...he information is no more than the acceptable age defined in the Assessment Policy The OSID matches a valid operating system Exception The concept of certainty was introduced with SiteProtector SP6 so it is undefined for the assets already in SiteProtector Because OSID is undefined SiteProtector accepts the first reported OSID for each asset regardless of its source Rules for updating OSID SitePro...

Page 173: ...plore event data If you do not know the exact IP address use the options in the Operation list to request IP addresses when you do not the exact one to request If you only know the IP address you do not want to see you can exclude one or more IP addresses Target DNS Name Use this filter to display the Domain Name Service DNS name of a host that you suspect is the target of events You can also use ...

Page 174: ...Object Count according to the number of objects that are associated with each row of data in the analysis view This filter filters data only in views that contain the Object Count column For example if you apply this filter to the Attacker view SiteProtector would apply the criteria you specified to each IP address or row that appears in the view Latest Event Use to filter events according to the ...

Page 175: ...leges Medium Security issues that have the potential of granting access or allowing code execution via complex or lengthy exploit procedures or low risk issues applied to major Internet components Low Security issues that deny service or provide non system information that could be used to formulate structured attacks on a target but not directly gain unauthorized access Tag Count Use to filter ev...

Page 176: ...ndicates the impact of the event Vulnerabilities The Status column indicates whether the vulnerability was found Use this filter to show only the statuses that interest you Target IP Use this filter to monitor a specific IP address that you suspect is the target of attacks The IP address can be either internal or external This information is typically modified for you as you explore event data If ...

Page 177: ...is used to differentiate responses from Proventia M Proventia G Enterprise Scanner and so forth Each agent type has its own namespace POST This is an ISS only parameter It will always be POST Default for Enterprise Scanner reason This is used by Enterprise Scanner to detail reasons for vulnerabilities Examples of reasons OS not vulnerable Service behavior and HTTP stream matched result Whether the...

Page 178: ...nerability was found Use this filter to show only the statuses that interest you Event Count Use this filter to determine which events occur most frequently Target Count Use to filter by the count of target hosts Object Count Use to filter events according to the Object Count column in the analysis views SiteProtector calculates the Object Count according to the number of objects that are associat...

Page 179: ...ect the group for which you want to run reports 2 On the right pane select and tab and then select the Report view 3 Right click the report name to create and then select New Report from the pop up menu 4 Customize the report according to your needs on the Report Specification tab Note The default reporting period on the Report Period tab is the previous day which may not provide the results you n...

Page 180: ... A list of the top vulnerabilities by frequency for a specified group and time Vulnerability by Asset A lists of the top assets by number of vulnerabilities for a specified group and time Vulnerability by Group A comparison of vulnerabilities across subgroups of a selected group Vulnerability by OS A comparison of vulnerability counts by Operating Systems Vulnerability Counts A list detected of vu...

Page 181: ... Vulnerability Counts by Asset Vulnerability Detail By Asset Vulnerability Remedies By Asset DNS Name IP Address Operating System Operating System Summary Number of records 5 10 25 50 100 ALL Service Summary Vulnerability Counts Not applicable Top Vulnerabilities Count Vulnerability Name Number of records 5 10 25 50 100 ALL Vulnerability by Asset Asset Value High Severity Medium Severity Low Sever...

Page 182: ...rity Systems Vulnerability Differential Severity Status Vulnerability Names By Asset Vulnerability Summary By Asset DNS Name IP Address Vulnerable Assets Asset Criticality Asset Name DNS Name IP Address Report Sorting Fields Table 66 Sorting options Continued ...

Page 183: ...mline your event tracking and remediation processes This chapter explains how to use information from Enterprise Scanner with the ticketing feature in SiteProtector to manage tracking and remediation In this chapter This chapter contains the following topics Topic Page Ticketing and Enterprise Scanner 184 Possible Scenarios 185 Overview of the Remediation Process 186 Remediation Tasks 187 ...

Page 184: ...set Agent and Analysis views Custom categories You can use the Custom Category tab to add new custom categories with up to five user specified fields SiteProtector ticketing or third party You can use SiteProtector s ticketing tool or configure SiteProtector to export tickets into another action request AR system such as Remedy Help Desk or Remedy Change Management After you have integrated the re...

Page 185: ...on your network Action plan Run a discovery scan to identify all assets on the network If you find an unauthorized asset create a ticket to locate the asset and take appropriate action What services are running Scenario You want to verify that assets on your network are running only approved services Action plan Identify services you do not want to run on any assets in the network Run an assessmen...

Page 186: ...the cycle duration is short enough to verify work items within the time period allocated That is if your company policy states that high risk vulnerabilities be corrected within 24 hours make sure that a background scan happens within 24 hours to verify completion If you do not want to modify the cycle duration for your background scans you can run an ad hoc scan to verify and close tickets that a...

Page 187: ...s you should create a separate ticket for each user Likewise if the ticket due dates are different you should create separate tickets for each due date Note You can create tickets using right click menus from the Asset Agent and Analysis views Task 4 Tracking tickets and editing status Use the ticketing view in SiteProtector to view or edit tickets You can click any column header to sort tickets b...

Page 188: ...s check box if you want the ticketing statuses New Open In Progress and so on to appear in the report Display priority Display Select this check box if you want the ticket s priority Critical High Medium Low to appear in the report Assigned Users Filter Select the individual users that you want to appear in the report These users will appear in the report only if If you selected the Display assign...

Page 189: ...cket status to Pending System Verification If you select this status Enterprise Scanner and SiteProtector work together to determine when work items have been completed Scans refresh vulnerability information and other system information that the ticketing system checks When Enterprise Scanner completes a scan the ticketing system can determine whether situations identified in earlier scans have b...

Page 190: ...Chapter 13 Tracking and Remediation 190 IBM Internet Security Systems ...

Page 191: ...n If you have just installed your Enterprise Scanner agent and you are scanning for the first time you may want follow the quick scanning procedure in Chapter 3 Running Your First Scans on page 41 Scan runtime results Ad hoc scans run as command jobs You can track their progress in the Command Jobs window as described in Chapter 10 Monitoring Scans on page 135 In this chapter This chapter contains...

Page 192: ...Window optional Separately configurable policies You can change the following policies for ad hoc scans when you configure the scan Assessment Discovery Scan Control Changes you make to these policies do not affect the settings for the policies in background scans For an example of the ad hoc scan user interface see Figure 4 on page 47 Policy initialization As a convenience ad hoc scans start with...

Page 193: ...nd assessment scans You can make sure that the ad hoc assessment scan for a group does not start until the ad hoc discovery scan has finished An assessment scan could begin before a discovery scan has finished in a multi agent environment One agent could become available to start the assessment scan while the discovery scan is still running on the other agent s The ad hoc Scan Control policy inclu...

Page 194: ... hoc scans pause during closed scan windows if you restrict the scans to run only during open scan windows Important Do not confuse refresh cycles and scan windows Even if an ad hoc scan runs only during scan windows the scan is still not bound by the refresh cycle Example If you configure a three hour ad hoc scan to start one hour before the end of a refresh cycle the scan continues to run withou...

Page 195: ...duled scanning windows select the Run only during open discovery windows 8 Select a perspective in the Perform one time scan from this perspective Network location list if you want to scan the group from a perspective other than the default Important You must have assigned an agent to the perspective in the ESM policy 9 On the navigation pane select Discovery and then complete the following fields...

Page 196: ... the job when it appears in the Command Jobs window 7 If you want the scan to run only during your scheduled scanning windows select the Run only during open assessment windows 8 If you want to ensure that a discovery scan has finished before the assessment scan starts select the Wait for discovery scan to complete before scheduling assessment scan check box Note Use this option if you define disc...

Page 197: ...Part V Maintenance ...

Page 198: ......

Page 199: ...ntenance procedures that you must perform on the agent In this chapter This chapter contains the following topics Topic Page Logging On to Proventia Manager 200 Shutting Down Your Enterprise Scanner 201 Removing an Agent from SiteProtector 202 Options for Backing up Enterprise Scanner 203 Backing Up Configuration Settings 204 Using Full System Backup Files 206 Acquiring Your Enterprise Scanner Lic...

Page 200: ...hat has network access to the agent 2 In the Address box type https followed by the DNS name or IP address of your agent 3 Accept any messages about security certificates Important You must accept the certificates that the agent sends These certificates establish a secure session between you and your agent 4 When you see the Connect to your_appliance_name window type your Proventia Manager User na...

Page 201: ...an register it with a different SiteProtector see Removing an Agent from SiteProtector on page 202 Agent status In the SiteProtector Console the agent continues to appear Online for a couple of hours If you do not restart the appliance within a couple of hours the status of the agent becomes Inactive The agent goes through the normal statuses when you restart the appliance Procedure To shut down y...

Page 202: ...mportant Never delete a group that contains an agent unless you delete the agent first If you delete a group that contains an agent the group is deleted but the agent goes into the Ungrouped Assets group 4 Log on to the Proventia Manager for your agent See page 200 5 Select System on the navigation pane and then click Management Registration Note It may take a while for Java to initialize the firs...

Page 203: ... Important Use this option to automatically backup your system before it installs updates to avoid having to reconfigure your agent in case of an emergency Using automatic backup files Consider using the automatic update option to create a system backup each time the agent automatically installs a firmware update Reference Configuring Automatic Downloads and Updates on page 228 Clearing the Java c...

Page 204: ...tab 3 Click Add 4 In the Create settings snapshot file section type a name for the settings snapshot file in the Specify a file name box 5 Click Create The new settings snapshot file appears in the Settings Backup table Downloading a settings snapshot file to a computer To download a settings snapshot file to your local computer 1 Log on to the Proventia Manager for your agent See page 200 2 On th...

Page 205: ...e settings snapshot file to apply 4 Click Apply and then click Yes The agent may prompt you for the password that was in effect when you created the snapshot Deleting a settings snapshot file To delete a snapshot file 1 Log on to the Proventia Manager for your agent See page 200 2 On the navigation pane select Backup and Recovery and then select the Settings Backup tab 3 In the Settings Backup tab...

Page 206: ...g a system backup file To create a system backup file 1 Log on to the Proventia Manager for your agent See page 200 2 On the navigation pane select Backup and Recovery and then select the Full Backup tab 3 Click Create System Backup The system creates a full system backup file Note The IP address for the agent is unavailable during the backup process and you cannot access the Proventia Manager in ...

Page 207: ...ur IBM ISS customer ID and your IBM ISS customer ID identifies your licenses You must acquire the licenses associated with your agent s serial number using one of the options described below Three options The options for acquiring licenses depend on how your agent connects to the IBM ISS Download Center Procedure To retrieve the current information for your agent 1 Log on to the Proventia Manager ...

Page 208: ...al hardware The following hardware has not been certified for a PXE boot server but should also work 3Com 3c905C 3c575 and 3c574 Netgear FA51 and FA411 Intel PRO 100 S Mobile Adapter Important IBM ISS supports only the network cards specified in the PXE boot server hardware requirements Prerequisites To reinstall Enterprise Scanner you must have the following a computer to use as a PXE Pre boot eX...

Page 209: ... server computer Important You must use the red crossover cable for this step Do not use a hub or switch because other servers on the network can interfere with the PXE boot server 3 Plug the RJ45 connection of the blue RJ45 to DB9 cable into the Console outlet on the appliance 4 Plug the DB9 connection of the blue RJ45 to DB9 cable into the serial port on the back of the boot server computer 5 In...

Page 210: ... Configuring Appliance Level Settings on page 33 to continue Using terminal emulation If you get to Step 7 in the previous procedure and it appears that the boot server is not accepting input from your keyboard you must set up terminal emulation on another computer You can monitor and respond to the installation process from the terminal emulation program 1 Remove the DB9 connection from the boot ...

Page 211: ...ne time XPUs applying XPUs manually Related XPUs and other update requirements Occasionally you must install XPUs for other products such as for SiteProtector components when you install an XPU for Enterprise Scanner Additional update requirements such as migrating policies may also apply Important When you apply XPUs to Enterprise Scanner check the applicable Enterprise Scanner Read Me document f...

Page 212: ...Chapter 16 Updating Enterprise Scanner 212 IBM Internet Security Systems ...

Page 213: ...Overview Introduction This section provides background information about the XPU process and about using the XPU process with Enterprise Scanner In this section This section contains the following topics Topic Page XPU Basics 214 Updating Options 215 Consoles to Use for XPUs 216 XPU Configuration Settings 217 ...

Page 214: ... enhancements online Help Important Some firmware updates may reboot your agent after installation Assessment content An update that contains security content Table 75 Contents of firmware and assessment content updates Update Location Description IBM ISS Download Center The default location for XPUs for all IBM ISS products Note Your agent must be able to access the IBM ISS Download Center over t...

Page 215: ...roubleshoot and roll back updates from Proventia Manager on the agent but not from SiteProtector Reference Using Full System Backup Files on page 206 Update Option Considerations Automatically download and install updates on a periodic basis Automatic updates keep your agent up to date by regularly downloading and installing updates on a recurring schedule Automatically download and install one ti...

Page 216: ...r instructions Except for functions that are available only in the Proventia Manager the procedures list the instructions for using the function from the SiteProtector Console The procedures for functions that you can perform in the Proventia Manager are similar to the procedures for the Console For additional information about performing a procedure in the Proventia Manager see the Proventia Mana...

Page 217: ...oblem you might be asked to perform tasks on the Advanced Parameters tab Rely on Technical Support to assist you when you are using advanced parameters Important Do not attempt to edit the default values in the Advanced Parameters tab or page in Proventia Manager unless you are working with IBM ISS Technical Support personnel Use this tab page To configure Update Settingsa a This policy applies to...

Page 218: ...Chapter 16 Updating Enterprise Scanner 218 IBM Internet Security Systems ...

Page 219: ...ation to establish a secure communication channel with the XPU Server See page 220 Important Explicit trust authentication requires additional configuration If the agent goes through a proxy server to get to the update location you must have the following information to configure the proxy server See page 222 address and port number of the proxy server whether to enable authentication Note To enab...

Page 220: ...licit trust authentication with the XPU Server 1 Locate the following certificate file on the XPU Server server rsa crt Note The default path of the certificate file on the XPU Server is as follows C Program Files ISS SiteProtector X Press Update Server webserver Apache2 conf ssl crt server rsa crt 2 Use a secure copy tool such as SSH or Windows Secure Copy to copy the certificate file server rsa ...

Page 221: ... the Update Settings Policy for the agent to configure and then select the Alternate Update Server tab 2 Select the Use Alternate Update Server check box 3 Complete the following fields 4 Click Save Changes Field Description Host or IP The DNS name or IP address of the XPU Server Port The port number the XPU Server is using to monitor for download requests For a SiteProtector XPU Server use 3994 T...

Page 222: ...erver 1 From the SiteProtector Console open the Update Settings Policy and then select the Proxy Server tab 2 Select Enable Proxy 3 Complete the following fields Field Description Address The address of the proxy server Port The port of the proxy server Enable Authentication Forces the agent to authenticate to the proxy server Note The User ID and Password are required User ID Password If authenti...

Page 223: ...s Each notification that you enable sends an alert to the SiteProtector Console and to the Proventia Manager Procedure To enable alert logging 1 From the SiteProtector Console open the Update Settings Policy and then select the Event Notification tab 2 Select the check box for each type of event to enable Alert Logging for Available Updates Alert Logging for Update Installation Alert Logging for U...

Page 224: ...Chapter 16 Updating Enterprise Scanner 224 IBM Internet Security Systems ...

Page 225: ...ribed in Section B Configuring the XPU Environment on page 219 Important prerequisite Before you can download and install updates you must acquire the license for your agent Reference Acquiring Your Enterprise Scanner Licenses on page 207 In this section This section contains the following topics Topic Page Update Process 226 Scheduling a One Time Firmware Update 227 Configuring Automatic Download...

Page 226: ...date installation you can enable the Perform Full System Backup Before Installation option on the Automatic Update Settings page Schedule automatic assessment content updates To allow time for updates to download schedule an automatic update check at least one hour before a firmware update or a system backup When you schedule firmware updates consider that the agent may go offline for several minu...

Page 227: ...t you could use the manual update process Procedure To schedule a one time firmware update 1 From the SiteProtector Console open the Update Settings policy for the agent you want to update 2 Select the Update Settings tab 3 In the Firmware Updates section select Schedule One Time Install 4 Type or select the Date and Time that you want the update to be installed 5 In the Which version to Install s...

Page 228: ...pletes a new backup the previous backup is overwritten Configuring automatic updates To configure how the agent handles automatic updates 1 From the SiteProtector Console open the Update Settings Policy 2 Select the Update Settings tab 3 Configure the frequently to check for updates as follows Note Make sure that your agent checks for updates at least one hour before automatic installations to ens...

Page 229: ...Option Description Do Not Install Automatically downloads updates but does not automatically install them You must install them manually or schedule the installation Automatically Install Updates If you select this option the agent may go offline while the firmware is installed Specify when you want the firmware updates to be installed Delayed If you choose to delay installation select Every Day o...

Page 230: ... contain a link for Downloads Pending Tip To see the list of updates before you download them click View Details and then click Download All Available Updates 4 If Firmware updates are available to install click Install Now on the Installs Firmware line Tip If you want to see the list of updates before you install them click View Details and then click Install Firmware Updates 5 Following the inst...

Page 231: ... that is available for Enterprise Scanner in Proventia Manager and in the SiteProtector Console In this chapter This chapter contains the following topics Topic Page The Proventia Manager Home Page 232 Viewing Status in the SiteProtector Console 234 Viewing Agent Status 235 Viewing Application Diagnostics 236 Viewing System Status 237 Viewing System Diagnostics 238 ...

Page 232: ...d The component is in an unknown state Note This status may require immediate attention Table 85 Protection status icons System Status Information Description Model Number The model number of the agent Serial Number The serial number of your agent Network Interfaces The number of interfaces on your agent Base Version Number The base version of the agent software which is one of the following the b...

Page 233: ...h mm ss version x x Example 2004 05 04 16 25 56 version 1 7 Last Assessment Scanner Update The time the agent assessment content was last updated The time is given in the following format yyyy mm dd hh mm ss version x x Last System Backup The time the last system backup was created The time is given in the following format yyyy mm dd hh mm ss Example 2004 05 04 15 49 01 Backup Description The type...

Page 234: ...check your authentication status in the SiteProtector Console Reference See System status on page 232 Procedure To view system status 1 In an Agent or Policy tab in the SiteProtector Console right click an agent and then select Properties from the pop up menu 2 If you want to see system status double click Agent Status on the middle pane and then select Agent Information 3 If you want to see authe...

Page 235: ...ot Procedure To view Enterprise Scanner status 1 Log on to the Proventia Manager for your agent See page 200 2 Select Diagnostics on the navigation pane 3 If you want to refresh the status information select a refresh option from the Refresh Data list Refresh Data You can refresh the page manually or automatically at certain intervals Refresh Now manually refreshes the page every 10 seconds every ...

Page 236: ...lso provides information about the modules that may be helpful to IBM ISS Customer Support if you need to contact them about a problem Procedure To view application diagnostics 1 Log on to the Proventia Manager for your agent See page 200 2 Select Diagnostics on the navigation pane and then select Application Diagnostics 3 If you want to refresh the diagnostics information select a refresh option ...

Page 237: ...Manager for your agent See page 200 2 Select System on the navigation pane 3 If you want to refresh the status information select a refresh option from the Refresh Data list Statistic Description Total memory Amount of memory installed on the agent Used memory Amount of memory currently used by running processes Free memory Amount of unused memory on the agent Table 87 Memory usage descriptions St...

Page 238: ...pport about a problem It contains the following categories of information Processes Disk Usage Services Local Interfaces Interprocess Communication Facility IPCS Memory Usage Procedure To view system diagnostics 1 Log on to the Proventia Manager for your agent See page 200 2 Select Diagnostics on the navigation pane and then select System Diagnostics 3 If you want to refresh the diagnostics inform...

Page 239: ...gent See page 200 Log size Enterprise Scanner performs a refresh procedure to limit the size of individual log files When a log file reaches 50MB Enterprise Scanner backs up and stores the current log file and then generates a new log file In this chapter This chapter contains the following topics Topic Page Types of Alerts and Logs 240 Viewing Alerts 241 Viewing Different Types of Alerts 242 Down...

Page 240: ...details about the scanning processes controlled by the agent or the operational processes running on the appliance Use the Logs menu in the Proventia Manager to select alerts and logs to view as follows Type of Information Description Alerts notifications Informational messages sent from an agent triggered when an event meets set criteria Logs Traces the execution logic of the agent Table 89 Types...

Page 241: ... the Proventia Manager select Logs and then select Alerts Viewing alert details To view detailed information about an alert Click the event name in the Alert Name column of the log file Tip Click the Up or Down arrows to view details of the previous or next alert Viewing alert descriptions To view alert descriptions Click the event information icon The X Force Alert Description of the event appear...

Page 242: ... option Searching for alerts with filtering options To search for alerts with filtering options On the Alerts page in Proventia Manager specify filtering options as follows Filter Option For this filter option Please Select Means that no filter is selected Risk Level Select a risk level High Medium Low Alert Name Type the name of the alert in the Alert Name box Alert type Select an alert type Ente...

Page 243: ...Viewing Different Types of Alerts 243 IBM Proventia Network Enterprise Scanner User Guide Version 1 3 Filter Off Removes filters Filter Option For this filter option ...

Page 244: ... file 1 On the Alerts page in Proventia Manager click Generate new log file from Alerts The Log File Management page appears 2 Select a file to download and then click Download A menu prompts Are you sure you want to download the file 3 Click OK 4 Select Save and then click OK 5 Navigate to the folder where you want to save the file 6 Type a file name and then click Save Log File Name Contents fil...

Page 245: ... events from the Alert log Important Clearing the Alert log deletes the records and removes the alerts from the Alert log page Before you clear the Alert log you may want to save a copy for archiving Procedure To download an Alert log file 1 On the Alerts page in Proventia Manager click Clear current Alerts from event log 2 Click OK 3 The agent clears the Alerts log ...

Page 246: ... page manually or automatically at certain intervals Refresh Now manually refreshes the page every 10 seconds every 20 seconds every 30 seconds every 1 minute every 2 minutes Auto Off disables automatic refreshing Selecting a log To select a log On the navigation pane select Logs and then do one of the following Select ES Logs and then Select a log to view in the Select Log list Select System Logs...

Page 247: ...ervices components The log file includes information about the following interaction with the Sensor and Event services ESM startup other operational details Note This log file is created as tmp issCSFTrace tmp the log file name is changed about half way through the initialization of the CRM Interface Log crm esm log The interface log which details communications between the CRM and the ESM Engine...

Page 248: ...ese backup files when you no longer need them Downloading an ES log file To download an ES log file 1 On the ES Logs page in Proventia Manager click Manage Log Files The Log File Management page appears 2 Select a file to download and then click Download A message prompts Are you sure you want to download the file 3 Click OK 4 Select Save and then click OK 5 Navigate to the folder where you want t...

Page 249: ...vices CrmCommTrace log Low level communication log for the Configuration and Response Module CRM providing information about issdk issDaemon communications with SiteProtector Note This log file is created as tmp issCommTrace tmp the log file name is changed about half way through the initialization of the CRM iss esmScheduler stdout log The stdout and stderr output for the Enterprise Scanner task ...

Page 250: ...cs Procedure To view log status information On the navigation pane in Proventia Manager select Logs Statistic Description Number of Logged Alerts The number of alert events that have been written to the log file Percentage Full The percentage of allocated space that contains alert event log entries Time of Last Alert The date and time the last alert was written to the log file Table 96 Alert event...

Page 251: ...ogging detail with the assistance of your IBM ISS Technical Support Representative Important To avoid setting log levels incorrectly which can impact your scanning performance and fill your disk with logs make sure you work with your IBM ISS Technical Support Representative Affected logs You can change the logging detail settings for these ES Logs CrmTrace log Trace Log crm esm log Interface Log i...

Page 252: ...Chapter 18 Enterprise Scanner Logs and Alerts 252 IBM Internet Security Systems ...

Page 253: ...nt meets set criteria analyst A user in the SiteProtector user group that has global permissions except full access to all functionality assessment content An update from the IBM ISS Center that contains security content Assessment Credentials policy A policy that defines authentication credentials used for accessing and assessing the Windows assets in a group assessment manager A user in the Site...

Page 254: ...tion of a network discovery scan A form of scanning that detects active IP addresses and attempts to determine the type of device associated with each IP address distributed scanning An approach to scanning your network that coordinates the scanning activities of multiple remote and or local scanning agents at different locations across the network DNS search path A space delimited list of domain ...

Page 255: ...that defines and managers the overall scanning requirements of a group l logs The log that traces the execution logic of the agent m management interface The interface that Enterprise Scanner uses to communicate with SiteProtector for configuration and for passing scan results SiteProtector n nameservers The primary secondary and tertiary nameservers to use for resolving DNS names Network Services...

Page 256: ...scanned scan progress The number of scan jobs currently in progress Scan Window policy The scan window policy defines the times of the day during which discovery and assessment scanning are allowed against the assets in a group scanning A term that encompasses both discovery and assessment scanning scanning interface The interface that communicates with assets and services being scanned scheduler ...

Page 257: ... priority tickets by status trace log The log for the Configuration and Response Module u Universal Naming Convention UNC A standard which originated from the UNIX operating system for identifying servers printers and other resources in a network A UNC path preceeds the name of the computer with double slashes or backslashes The path within the computer are separated with a single slash or backsla...

Page 258: ...Glossary 258 IBM Internet Security Systems ...

Page 259: ... Proventia Manager in 232 235 SiteProtector Console in 235 alerts notifications downloading 244 viewing 241 Alternate Update Server tab in Update Settings policy 217 application fingerprinting configuring 107 description of 18 Application Server 26 architecture 23 assessment content last update 233 update recommendations 226 updating 214 Assessment Credentials policy background scanning recommenda...

Page 260: ...ssistant 33 scanning network interface eth1 33 console management 22 25 Proventia Manager 23 25 28 Proventia Setup Assistant 28 SiteProtector 20 23 25 28 criticality definition of 127 priority and 129 Customized column in Assessment policy 101 d database SiteProtector 26 date and time configuring 34 Description column in Assessment policy 101 Discovery policy background scanning requirement 86 con...

Page 261: ...10 17 22 IP addresses excluding from a scan 91 j jobs See scan jobs l licenses acquiring 29 207 OneTrust 25 207 load balancing 20 local configuration settings using instead of SiteProtector policy settings 38 logging on Proventia Manager to 200 scanning assets for 94 SiteProtector Console to 40 logs changing detail of 251 descriptions of 247 249 downloading 244 248 sizes of 239 status of 250 types...

Page 262: ...y of identification 171 rules for updating 172 sources of identification 171 p passwords Admin 114 authentication 39 bootloader root 34 default login 33 Proventia Manager 34 Proventia Manager User 34 root bootloader 34 114 pausing jobs 152 perspective defining for agent 110 definition of 20 using default 124 policies agent 20 29 asset 20 30 descriptions of 75 inheritance examples 78 inheritance of...

Page 263: ...e by discovery and assessment 98 scan windows defining 96 definition of 82 verification scans 55 scanning network interface eth1 23 33 scanning refresh cycles See refresh cycles scans ad hoc 20 22 43 assessment 43 55 audit 20 22 background 20 21 43 54 Command Jobs window in 131 discovery 43 55 error conditions 161 163 expected behaviors 156 minimum requirements 155 priorities of jobs 129 restartin...

Page 264: ...Settings policy configuring policy 217 description of 76 updates alternate update server using an 221 automatic 228 date of last 233 manual 227 one time 227 user documentation Enterprise Scanner Internet Scanner Migration Guide 22 installation 10 Quick Start Card 29 User Guide contents of 9 10 user groups adding members 67 creating 67 definition of 67 permissions 66 v verification scans 29 vulnera...

Page 265: ...ditional terms apply Licensee agrees not to alter disassemble decompile translate adapt or reverse engineer the Runtime Software or the report file RPT format or to use distribute or integrate the Runtime Software with any general purpose report writing data analysis or report delivery product or any other product that performs the same or similar functions as Crystal Decisions product offerings L...

Page 266: ...IS LICENSE 10 Limitation of Liability Circumstances may arise where because of a default on ISS part or other liability Licensee is entitled to recover damages from ISS In each such instance regardless of the basis on which Licensee may be entitled to claim damages from ISS including fundamental breach negligence misrepresentation or other contract or tort claim ISS is liable for no more than 1 da...

Page 267: ...compliance and deliver its certification within forty five 45 days of the request The certification shall state Licensee s compliance or non compliance including the extent of any non compliance ISS may also at any time upon thirty 30 days prior written notice at its own expense appoint a nationally recognized software use auditor to whom Licensee has no reasonable objection to audit and examine u...

Page 268: ......

Reviews:

No comments

Brands by name

Popular brands

Load more brands