IBM Proventia Network Enterprise Scanner
User Guide
Version 1.3
IBM Internet Security Systems
© Copyright IBM Corporation 1997, 2007. IBM Global Services Route 100 Somers, NY 10589 U.S.A.
Produced in the United States of America.
All Rights Reserved.
IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than IBM Internet Security Systems (IBM ISS). Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. IBM Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall IBM ISS be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if IBM Internet Security Systems has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by IBM Internet Security Systems. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM Internet Security Systems, and shall not be used for advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents IBM Internet Security Systems, Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behavior to support@iss.net.

August 15, 2007
Contents
Preface
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
How to Use Enterprise Scanner Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Getting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Part I: Getting Started
Chapter 1: Introduction to Enterprise Scanner
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Key Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Introducing Background Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Migrating from Internet Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Enterprise Scanner Communication Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Component Descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
The SiteProtector System Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 2: Installing and Configuring an Agent
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Setting Up Your Appliance for Initial Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configuring Appliance-Level Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring Explicit-Trust Authentication with an Agent Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Registering Enterprise Scanner to Connect to the SiteProtector System . . . . . . . . . . . . . . . . . . . . . . 37
Logging On to the SiteProtector Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 3: Running Your First Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Basic Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Finding Your Agent, Assets, and Policies in the SiteProtector System . . . . . . . . . . . . . . . . . . . . . . . . 44
Running Ad Hoc Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Background Scanning Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Background Scanning Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Chapter 4: Setting Up Scanning Permissions for Users
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Enterprise Scanner Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Enterprise Scanner User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Considerations for Enterprise Scanner Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Creating User Groups in the SiteProtector System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Changing Group Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
IBM Proventia Network Enterprise Scanner User Guide, Version 1.3
3
Part II: Configuring Enterprise Vulnerability Protection
Chapter 5: Introduction to Enterprise Scanner Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Introduction to Asset and Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Contents of Asset and Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Viewing Asset and Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Descriptions of Asset Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Descriptions of Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Policy Inheritance with Enterprise Scanner Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Policy Inheritance with Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Policy Inheritance with Asset Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Chapter 6: Defining Background Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Determining When Background Scans Run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
How Policies Apply to Ad Hoc and Background Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Background Scanning Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Enabling Background Scanning (Scan Control Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Defining Periods of Allowed Scanning (Scan Window Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Excluding Assets from Scans (Scan Exclusion Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Defining Network Services (Network Services Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Defining Assessment Credentials (Assessment Credentials Policy). . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Key Parameters for Defining Scan Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Chapter 7: Configuring Discovery and Assessment Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
How Policies Apply to Discovery and Assessment Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Defining Assets to Discover (Discovery Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Defining Assessment Details Introduction (Assessment Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Description of Check Information (Assessment Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Grouping and Displaying Checks (Assessment Policy). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Defining Common Assessment Settings (Assessment Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Chapter 8: Defining Agent Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Defining Scanning Network Interfaces (ESM Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Considerations for Subtask Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Defining Perspectives (Network Locations Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Defining Alert Logging (Notification Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Defining Agent Passwords (Access Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Defining Agent Interfaces (Networking Policy). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Defining the Date and Time Settings of the Agent (Time Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Defining Services to Run on the Agent (Services Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Part III: Scanning
Chapter 9: Understanding Scanning Processes in SiteProtector
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
What is Perspective? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Defining Perspectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
One Way to Use Perspective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Scan Jobs and Related Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Types of Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Priorities for Running Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Stages of a Scanning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Optimizing Cycle Duration, Scan Windows, and Subtasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Chapter 10: Monitoring Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Finding Your Scan Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Job Information in the Command Jobs Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Viewing Runtime Details about Discovery Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Viewing Discovery Job Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Viewing Discovery Job and Parent Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Viewing Discovery Scanning Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Viewing Runtime Details about Assessment Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Viewing Assessment Job Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Viewing Assessment Job and Parent Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Viewing Base Assessment and Scanning Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Chapter 11: Managing Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Stopping and Restarting Scan Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Suspending and Enabling All Background Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Minimum Scanning Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Generally Expected Scanning Behaviors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Expected Scanning Behaviors for Ad Hoc Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Expected Scanning Behaviors for Background Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Identifying Error Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Part IV: Analysis, Tracking, and Remediation
Chapter 12: Interpreting Scan Results
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Setting Up a Summary Page for Vulnerability Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Viewing Vulnerabilities in the SiteProtector Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
OS Identification (OSID) in Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
How OSID Is Updated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Viewing Vulnerabilities by Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Viewing Vulnerabilities by Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Viewing Vulnerabilities by Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Viewing Vulnerabilities by Vuln Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Assessment Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Assessment Report Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Report Sorting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Chapter 13: Tracking and Remediation
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Ticketing and Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Possible Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Overview of the Remediation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Remediation Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Chapter 14: Running Ad Hoc Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Understanding How Ad Hoc Scans Use Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Expected Behavior for Ad Hoc Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Running an Ad Hoc Discovery Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Running an Ad Hoc Assessment Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Part V: Maintenance
Chapter 15: Performing Routine Maintenance
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Logging On to Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Shutting Down Your Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Removing an Agent from SiteProtector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Options for Backing up Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Backing Up Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Using Full System Backup Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Acquiring Your Enterprise Scanner Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Preparing to Reinstall an Enterprise Scanner Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Reinstalling an Enterprise Scanner Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Chapter 16: Updating Enterprise Scanner
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Section A: Understanding the XPU Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
XPU Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Updating Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Consoles to Use for XPUs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
XPU Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Section B: Configuring the XPU Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Configuring Explicit-Trust Authentication with an XPU Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Configuring an Alternate Update Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Configuring an HTTP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Configuring Notification Options for XPUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Section C: Scheduling Updates and Manually Updating an Agent . . . . . . . . . . . . . . . . . . . 225
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Update Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Scheduling a One-Time Firmware Update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Configuring Automatic Downloads and Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Manually Installing Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Chapter 17: Viewing Agent Status
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
The Proventia Manager Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Viewing Status in the SiteProtector Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Viewing Agent Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Viewing Application Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Viewing System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Viewing System Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Chapter 18: Enterprise Scanner Logs and Alerts
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Types of Alerts and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Viewing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Viewing Different Types of Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Downloading an Alert Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Clearing the Alerts Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Viewing ES and System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Viewing ES Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Downloading ES Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
System Log Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Getting Log Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Changing Logging Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Preface
Overview
Introduction: This is the User Guide for the IBM Proventia Network Enterprise Scanner appliance (Enterprise Scanner) from IBM Internet Security Systems, Inc. (IBM ISS), which includes the following models: the ES750 and the ES1500. The Enterprise Scanner appliance is a vulnerability detection agent that is designed for the enterprise customer.

Scope: This User Guide explains how to use Enterprise Scanner (and the IBM SiteProtector system) through the entire vulnerability management process, including configuring the agent, configuring scans, monitoring scans, tracking and remediation, and maintaining the agent.

Audience: This Guide is written for security analysts and managers who are responsible for managing the vulnerabilities of assets on an enterprise network.

User background: To use Enterprise Scanner you must understand your network topology and the criticality of your assets. In addition, because Enterprise Scanner is managed through the SiteProtector Console, you must have a working knowledge of the SiteProtector system, including how to set up views, manage users and user permissions, and manage policies.
How to Use Enterprise Scanner Documentation
Introduction: This topic describes the documentation that explains how to use Enterprise Scanner and the SiteProtector system.

Using this guide: This guide is organized according to the workflows needed to protect your enterprise:

Workflow | Description
Part I, Getting Started | Install and configure the appliance.
Part II, Configuring Enterprise Vulnerability Protection | Set up a continuous scanning environment for your enterprise.
Part III, Scanning | Follow scans through the scanning process.
Part IV, Analysis, Tracking, and Remediation | Monitor the protection status of your assets and your efforts to remediate vulnerabilities.
Part V, Maintenance | Perform scheduled maintenance, such as product updates and log maintenance, as well as tasks such as troubleshooting and performing unscheduled maintenance.

Table 1: Vulnerability management workflows in the User Guide

Related publications: The following related publications contain information that can help you use Enterprise Scanner more effectively:

Document | Description
IBM Proventia Network Enterprise Scanner Quick Start Card | Contains out-of-the-box instructions for setting up your Enterprise Scanner agent.
Help | Context-sensitive Help that contains procedures for tasks you perform in the Proventia Manager and in the SiteProtector Console.
The SiteProtector system documents | Documents available on the IBM ISS Web site that provide information about using the SiteProtector system and the SiteProtector Console.
Enterprise Scanner–Internet Scanner Migration Guide | Provides an overview and compares the functionality between Enterprise Scanner and the IBM Internet Scanner Software. This Guide discusses feature differences between the two products and provides examples of how you can migrate from Internet Scanner to Enterprise Scanner.
IBM Proventia Network Enterprise Scanner Policy Migration Utility | Describes the policy transition from Internet Scanner to Enterprise Scanner. You can import an existing Internet Scanner policy and use the utility to map it to an Enterprise Scanner policy. The utility identifies any checks that cannot be migrated. You can then save and export the new Enterprise Scanner policy.

Table 2: Related publications for Enterprise Scanner
Version of the SiteProtector system
You manage your Enterprise Scanner agent through a SiteProtector Console. The information in this guide about the SiteProtector system refers to Proventia Management SiteProtector 2.0, Service Pack 6.1 (SiteProtector DBSP 6.31).
Getting Technical Support
Introduction: IBM ISS provides technical support through its Web site and by email or telephone.

The IBM ISS Web site: The IBM Internet Security Systems (IBM ISS) Resource Center Web site (http://www.iss.net/support/) provides direct access to online user documentation, current versions listings, detailed product literature, white papers, and the Technical Support Knowledgebase.
Support levels: IBM ISS offers three levels of support:

Standard
Select
Premium

Each level provides you with 24x7 telephone and electronic support. Select and Premium services provide more features and benefits than the Standard service. Contact Client Services at clientservices@iss.net if you do not know the level of support your organization has selected.
Hours of support: The following table provides hours for Technical Support at the Americas and other locations:

Location | Hours
Americas | 24 hours a day
All other locations | Monday through Friday, 9:00 A.M. to 6:00 P.M. local time, excluding IBM ISS published holidays

Note: If your local support office is located outside the Americas, you may call or send an email to the Americas office for help during off-hours.

Table 3: Hours for technical support
Contact information: The following table provides electronic support information and telephone numbers for technical support requests:

Regional Office | Electronic Support | Telephone Number
North America | Standard: Connect to the MYISS section of our Web site: www.iss.net. Select and Premium: Refer to your Welcome Kit or call your Primary Designated Contact for this information. | Standard: (1) (888) 447-4861 (toll free), (1) (404) 236-2700
Latin America | support@iss.net | (1) (888) 447-4861 (toll free), (1) (404) 236-2700
Europe, Middle East, and Africa | support@iss.net | (44) (1753) 845105
Asia-Pacific, Australia, and the Philippines | support@iss.net | (1) (888) 447-4861 (toll free), (1) (404) 236-2700
Japan | support@isskk.co.jp | Domestic: (81) (3) 5740-4065

Table 4: Contact information for technical support
Part I
Getting Started
Chapter 1
Introduction to Enterprise Scanner
Overview
Introduction Enterprise Scanner is the assessment component of the IBM Proventia Enterprise Security Platform. Enterprise Scanner is based on a model in which vulnerability detection is treated like a continuous network monitoring task rather than the ad hoc scanning model used by earlier vulnerability management systems. Enterprise Scanner automates the process of discovering and assessing your network assets through continuous background scanning of your network. This model allows you to track the remediation effort and use reports to evaluate your network’s security status at any time.
In addition to the continuous network monitoring, Enterprise Scanner gives you the ability to configure and run ad hoc scans. Ad hoc scanning allows you to run a one-time scan to discover new assets or to assess the vulnerability status of existing assets at any time. Ad hoc scans are useful when you need to take immediate action because assets have been added to your network or new vulnerabilities have been announced.
New concepts The beginning chapters of this guide introduce the key concepts behind the conceptual framework of Enterprise Scanner, including background scanning. You should familiarize yourself with the key concepts so that you will have a basis for understanding the approach and procedures in the rest of the guide.
For Internet Scanner users
If you are an Internet Scanner user, you should read this chapter carefully. It explains important similarities and differences between Internet Scanner and Enterprise Scanner.
In this chapter This chapter contains the following topics:
Topic | Page
New Features | 18
Key Concepts | 20
Introducing Background Scanning | 21
Migrating from Internet Scanner | 22
Enterprise Scanner Communication Channels | 23
Component Descriptions | 25
The SiteProtector System Components | 26
New Features
Introduction Enterprise Scanner Version 1.3 provides an update to the firmware, and introduces a smaller, portable version of the appliance hardware, the ES750.
Enterprise Scanner Version 1.2 fixed some known issues, and it introduced features to improve discovery speed and assessment accuracy:
ICMP ping
application fingerprinting
SSH support
ICMP ping A discovery scan can run faster if it can determine which assets in the scanning range are available, and then scan only those assets with operating system identification (OSID) techniques. The ICMP ping option in the Enterprise Scanner Discovery policy determines which assets are available, as follows:
At the beginning of each scanning window, the agent sends four (4) ICMP ping commands to each asset identified in the discovery policy.
The agent considers each asset that responds to a command as available, and keeps track of all available assets.
The discovery scan then continues to scan only the available assets.
When to use ICMP ping
The ICMP ping function is especially useful in the following cases:
The network is sparsely populated.
Every asset on the network is configured to respond to ICMP ping commands.
To configure ICMP ping, see “Defining Assets to Discover (Discovery Policy)” on page 99.
Application fingerprinting
The application fingerprinting option identifies which applications are communicating over which ports and discovers any non-standard port usage. If you enable the application fingerprinting option, you must select from the following:
Run checks that apply to the protocol of the application communicating over a port, such as HTTP.
Run checks that apply to the specific application communicating over a port, such as Apache running Coldfusion.
Non-standard port assignments
Individuals in a corporation may use non-standard port assignments thinking that the practice increases network security. Using non-standard port assignments may make it harder—although not impossible—for an intruder to determine which applications are communicating on ports. The practice may also hide critical vulnerabilities from your agent, however, which could understate the real risk to a corporate network.
When to use application fingerprinting
Application fingerprinting is especially useful in the following cases:
You know that some applications on the network communicate over non-standard ports.
You are unaware of any non-standard port assignments, but you want to be sure.
To configure application fingerprinting, see “Defining Common Assessment Settings (Assessment Policy)” on page 106.
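A model of the ICMP ping availability step described under "ICMP ping" above, added here as an example and not Enterprise Scanner code: up to four probes per asset at the start of a window, OSID only for assets that answered, and the assets that never answered reported so the "every asset responds to ICMP ping" assumption can be checked against an inventory. The responder map, the osid function and the 192.0.2.0/24 range are constructed stand-ins for a real network.

```python
import ipaddress
import math


def make_probe(reply_on):
    """Constructed stand-in for an ICMP echo request: reply_on maps an address
    to the attempt number (1..n) on which that host first answers; addresses
    missing from the map never answer, whether unused or live but filtering."""
    def probe(ip, attempt):
        return attempt >= reply_on.get(ip, math.inf)
    return probe


def find_available(targets, probe, attempts=4):
    """Availability pass run at the start of a scanning window: up to
    `attempts` pings per asset, stopping at the first reply. Returns the
    assets that answered, the ones that never did, and the pings sent."""
    available, silent, sent = [], [], 0
    for ip in targets:
        for n in range(1, attempts + 1):
            sent += 1
            if probe(ip, n):
                available.append(ip)
                break
        else:                       # every attempt went unanswered
            silent.append(ip)
    return available, silent, sent


def discovery_scan(cidr, probe, osid, attempts=4):
    """Discovery with the ICMP ping option enabled: only assets that answered
    a ping receive the comparatively expensive OSID fingerprinting."""
    targets = [str(h) for h in ipaddress.ip_network(cidr).hosts()]
    available, silent, sent = find_available(targets, probe, attempts)
    return {
        "osid": {ip: osid(ip) for ip in available},
        "silent": silent,            # compare against your asset inventory
        "icmp_sent": sent,
        "osid_skipped": len(targets) - len(available),
    }


# Constructed sparse /24: .10 answers at once, .20 answers only on the third
# ping (lossy link), .30 is live but drops ICMP, everything else is unused.
REPLY_ON = {"192.0.2.10": 1, "192.0.2.20": 3}
KNOWN_OS = {"192.0.2.10": "Linux", "192.0.2.20": "Windows", "192.0.2.30": "Linux"}


def demo():
    result = discovery_scan("192.0.2.0/24", make_probe(REPLY_ON),
                            lambda ip: KNOWN_OS.get(ip, "unknown"))
    # A live host that filters ICMP lands in `silent` and is never fingerprinted.
    result["missed_live_hosts"] = [ip for ip in KNOWN_OS if ip in result["silent"]]
    return result


if __name__ == "__main__":
    r = demo()
    print(f"pings sent: {r['icmp_sent']}, OSID runs skipped: {r['osid_skipped']}")
    print("fingerprinted:", r["osid"])
    print("live hosts missed because they drop ICMP:", r["missed_live_hosts"])
```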
Support for SSH communication protocol to run vulnerability checks
Enterprise Scanner 1.2 can communicate with SSH-capable devices such as Unix hosts, routers and switches through an encrypted, secure communication protocol. SSH greatly diminishes the threat that critical information will be intercepted and used for malicious intent. This capability allows X-Force to create new vulnerability checks for non-network exposed services, similar to the current Windows patch checks. For more information about SSH, go to http://www.openssh.com/.
To configure SSH, see “Defining Assessment Credentials (Assessment Credentials Policy)” on page 94.
Key Concepts
Introduction Enterprise Scanner is the next generation scanning appliance from IBM ISS. As a component of the Enterprise Security Platform, Enterprise Scanner delivers true enterprise scalability and scanning load balancing. Designed to run on Linux, Enterprise Scanner delivers the core functionality necessary in today's enterprise environments.
Centralized control Enterprise Scanner works with the SiteProtector system to provide centralized security management for your enterprise assets. After you install and configure your appliance, you use the SiteProtector Console for scan management, tracking and remediation, and reporting.
Asset-centric approach
You probably already think about your vulnerability management in terms of your assets. You know to prioritize your efforts to protect your most critical assets first and to provide the same type of protection for similar assets. Enterprise Scanner makes this easier by separating policies for groups of assets from the policies for agents:
Asset policies define scanning requirements for groups of assets, including IP addresses to scan, checks to run, and how often to refresh information.
Agent policies define how agents operate, including the location in the network from which they operate. That network location is called perspective.
Background scanning
Background scanning is an automated, cyclical process that incorporates the key operational concepts of the Enterprise Scanner vulnerability detection model. Background scanning is explained in more detail in “Introducing Background Scanning” on page 21.
Ad hoc scanning and auditing
Enterprise Scanner supports ad hoc scanning, but it is not designed to be an auditing tool. You could use the ad hoc scanning capability between scheduled background scans for the following types of needs:
For network reconfiguration, you could use ad hoc scanning to refresh your discovery and vulnerability information.
For a new threat, you could use ad hoc scanning to assess the risk to your assets.
Load balancing Enterprise Scanner makes it easier for you to respond to the dynamic nature of an enterprise network. You can create pools of agents to share a scanning load. You can add agents or remove agents without having to change any discovery or assessment configuration parameters. You can also adjust other operational parameters to ensure that you have the coverage you need.
Perspective definitions
You have different expectations for scanning results based on the location of an agent in relation to the assets it scans. For example, results would be different depending on whether you scanned a group of assets from inside a firewall or outside a firewall. (See “What is Perspective?” on page 124.) In Enterprise Scanner, perspective definitions serve several purposes:
They identify locations on your network from which scanning is performed.
They indicate where agents are connected to your network so that load balancing can occur across agents that share a perspective.
They indicate the location from which groups of assets should be scanned.
Introducing Background Scanning
Introduction What does it mean to say that Enterprise Scanner is based on a model in which vulnerability detection is treated more like a network monitoring task than it is in earlier vulnerability management models? By adapting the network monitoring model to vulnerability management, Enterprise Scanner provides a highly flexible scanning environment that automatically maintains the viability of your vulnerability information.
Importance of network monitoring models
Network monitoring systems run continuously, always providing timely information about the security posture of your network. For the most part, you set the system up, and it gathers the information you need to ensure your network’s security. When network monitoring is in place, you can spend more time analyzing vulnerability data and less time managing the system.
Vulnerability management needs
While you probably do not want to run scans constantly, you do want to scan your network for new assets and assess your assets to detect vulnerabilities with a reasonable frequency—without slowing down your network. You may also have a wide range of assets, some of which are more valuable to you than others. If you cannot scan every asset with the same frequency, you want to make sure your most critical assets receive the needed level of attention.
Previous models In previous models of vulnerability management, you would schedule scans to run on a specific day and to start at an exact time. Scheduled scans have the following consequences:
The scan would start at the scheduled time and run until it finished, whether that took two hours or two days.
Long running scans could interfere with your congested network times.
You could not prioritize scans to scan your most critical assets first.
Approach to background scanning
Background scanning recognizes the following:
The most efficient way to scan may include long-running scans.
Long-running scans should not have to run during high-traffic periods when they could contribute to network congestion.
Assessment priorities should focus on the most critical assets first.
Reasons to use background scanning
Enterprise Scanner does not require a scan to run non-stop until it finishes. Instead, a background scan runs during selected hours of the day over multiple days. Enterprise Scanner manages the scan, and automatically restarts the scan based on refresh cycles that you define. Refresh cycles may last from one day to several months.
Key concepts In summary, the key concepts of background scanning are the following:
You use scanning refresh cycles to define automatically recurring scans.
You define hours of the day (scanning windows) during which scanning is allowed.
You identify critical assets that require priority attention.
You define locations of agents and perspectives to scan assets as network locations.
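A scheduling model for the background-scanning concepts summarized above, added as an example and not Enterprise Scanner's own scheduler: assets are queued critical-first, scan time is spread over the permitted scanning windows across days (pausing between windows instead of running non-stop), and work still pending when the refresh cycle ends is reported so that the restarted cycle can pick it up. The per-asset scan costs, the window, the dates and the run_to_completion comparison are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    ip: str
    critical: bool = False
    minutes: int = 60        # constructed assessment cost for this asset


@dataclass(frozen=True)
class Slot:
    ip: str
    start: datetime
    end: datetime


def plan_cycle(assets, windows, cycle_start, refresh_days):
    """Lay out one refresh cycle of background scanning.

    windows      -- allowed hours per day as (start_hour, end_hour), start < end
    cycle_start  -- when this refresh cycle begins
    refresh_days -- cycle length; the scan restarts from scratch after it

    Critical assets are queued first. An asset that does not fit in the time
    left in a window is paused and resumes in the next window, so nothing runs
    outside the windows. Returns (slots, ips not finished before cycle end).
    """
    queue = sorted(assets, key=lambda a: (not a.critical, a.ip))
    remaining = {a.ip: a.minutes for a in queue}
    slots = []
    day0 = cycle_start.replace(hour=0, minute=0, second=0, microsecond=0)
    cycle_end = cycle_start + timedelta(days=refresh_days)
    for day in range(refresh_days + 1):
        for start_hour, end_hour in sorted(windows):
            t = max(day0 + timedelta(days=day, hours=start_hour), cycle_start)
            w_end = min(day0 + timedelta(days=day, hours=end_hour), cycle_end)
            while queue and t < w_end:
                asset = queue[0]
                left = int((w_end - t).total_seconds() // 60)
                chunk = min(remaining[asset.ip], left)
                slots.append(Slot(asset.ip, t, t + timedelta(minutes=chunk)))
                t += timedelta(minutes=chunk)
                remaining[asset.ip] -= chunk
                if remaining[asset.ip] == 0:
                    queue.pop(0)          # asset fully assessed this cycle
            if not queue:
                return slots, []
    return slots, [a.ip for a in queue]


def run_to_completion(assets, start):
    """The earlier model, for contrast: start at the scheduled time and run
    until done, whatever the hour. Returns the finish time."""
    return start + timedelta(minutes=sum(a.minutes for a in assets))


# Constructed inventory: eight assets at 100 minutes each, three of them
# critical, scanning allowed only 01:00-05:00 (240 minutes per day).
ASSETS = [Asset("10.0.0.%d" % i, critical=i <= 3, minutes=100) for i in range(1, 9)]
WINDOWS = [(1, 5)]
START = datetime(2007, 1, 1)


def demo(refresh_days=7):
    slots, unfinished = plan_cycle(ASSETS, WINDOWS, START, refresh_days)
    return {
        "slots": slots,
        "unfinished": unfinished,
        "finished_at": None if unfinished else slots[-1].end,
        "legacy_finish": run_to_completion(ASSETS, START),
    }


if __name__ == "__main__":
    d = demo()
    for s in d["slots"]:
        print(f"{s.ip:10} {s.start:%a %H:%M} - {s.end:%H:%M}")
    print("background scan finished:", d["finished_at"])
    print("run-until-done model would finish:", d["legacy_finish"])
    print("left over with a 2-day refresh cycle:", demo(2)["unfinished"])
```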
Migrating from Internet Scanner
Introduction The approach to protecting your enterprise with Enterprise Scanner is different from the one used by Internet Scanner. If you understand the major conceptual differences before you begin, the implementation details will make more sense to you.
What Enterprise Scanner does not do
Enterprise Scanner is not a standalone application. It only works with assets in a SiteProtector database. You can use it for ad hoc scanning, but it is not intended to be an auditing tool.
Developing a migration strategy
For more information about developing a migration strategy, see the Enterprise Scanner-Internet Scanner Migration Guide. This Guide provides an overview and compares the functionality between Enterprise Scanner and Internet Scanner. This Guide discusses feature differences between the two products and provides examples of how you can migrate from Internet Scanner to Enterprise Scanner.
Migration tools To migrate policies from Internet Scanner to Enterprise Scanner, download the IBM Proventia Network Enterprise Scanner Policy Migration Utility and instructions from the IBM ISS Download Center.
Using Internet Scanner with Enterprise Scanner
You can use Internet Scanner with Enterprise Scanner, which you may want to do as you migrate from Internet Scanner. You should migrate completely to Enterprise Scanner, however, because its tighter integration with the SiteProtector system significantly reduces the effort and cost involved in scanning your enterprise and managing your vulnerabilities.
Comparison table The following table provides a high-level comparison of the major differences between Internet Scanner and Enterprise Scanner:
Table 5: Major differences between Internet Scanner and Enterprise Scanner
Function | Internet Scanner | Enterprise Scanner
Configuring scans | Defines scans and scan policies based on the scanner. Identifies a specific scanner to scan assets. | Defines scans and scan policies based on the needs of a group of assets. Defines an agent, or a group of agents among which the scanning is distributed.
Management console | Works with the SiteProtector system or without the SiteProtector system through its local management interface. | Works only with the SiteProtector system.
Timing of scans | Ad hoc scans; recurring scans when used with the SiteProtector system. | Ad hoc and recurring background scanning cycles.
Scan processes | Discovery and assessment in the same process. | Separate discovery and assessment processes.
Remediation | Manual process. | Automated process with ticketing functions in the SiteProtector system.
Enterprise Scanner Communication Channels
Introduction This topic discusses the communication channels Enterprise Scanner uses. In normal operations, Enterprise Scanner communicates with these external components:
OneTrust Infrastructure
the SiteProtector system
user consoles
assets on the network
Architecture diagram
Figure 1 shows the communication paths between Enterprise Scanner and the SiteProtector system:
Figure 1: Enterprise Scanner architecture
Network interfaces Enterprise Scanner uses network interfaces as follows:
Table 6: Management and scanning interfaces
Interface | Purpose
Management | To communicate with the SiteProtector system.
Scanning | To communicate with assets.
Port usage Table 7 describes port usage from the point of view of Enterprise Scanner:
Table 7: Port usage for Enterprise Scanner
Network Interface | Port | Communication With
Management | Inbound from 3995 TCP | The SiteProtector Agent Manager.
Management | Inbound from 3994 TCP | The X-Press Update Server.
Management | Inbound on 443 TCP | The user’s Web browser.
Management | Inbound on 22 TCP | An SSH shell on a user’s computer.
Scanning | Any TCP outbound; any UDP; any ICMP | The assets being scanned by the agent.
Component Descriptions
Introduction This topic describes the purpose of communication between Enterprise Scanner and other components.
OneTrust Infrastructure
OneTrust Infrastructure provides two services to Enterprise Scanner:
Provides the licenses for the appliance.
Note: You must acquire a new or an updated license manually on the Licensing page in the Proventia Manager. For more information about connectivity requirements, see “Acquiring Your Enterprise Scanner Licenses” on page 207.
Provides firmware updates and assessment content updates.
Note: You can configure automatic downloading and installation of updates through the SiteProtector Console or through your Agent Manager. Updates are available either through the IBM ISS Download Center or from a locally managed Update Server.
User interfaces You can access and view information gathered by the Enterprise Scanner through one or both consoles as described in the following table:
Table 8: User Console components
Component | Description
SiteProtector Console | The interface where you perform all the SiteProtector system tasks, including the following: configure and manage the appliance; create and manage security policies; enable alerts and logging; set up users and user permissions; monitor security events and vulnerabilities on your network; generate reports.
Proventia Manager | A Web-based interface for managing the agent.
The SiteProtector System Components
Introduction The SiteProtector system is a centralized management system that provides command, control, and monitoring capabilities over all of your IBM Internet Security Systems (IBM ISS) products, including the Enterprise Scanner appliance. The SiteProtector system documentation provides thorough descriptions of all of its components. This topic provides brief descriptions of the components that affect Enterprise Scanner users the most.
The SiteProtector system components
The following major components make up the SiteProtector system:
Table 9: The SiteProtector system components
Component | Description
Agent Manager | The Agent Manager provides the ability to configure, update, and manage the appliance in the SiteProtector system. It also manages the alternate update server, called the SiteProtector X-Press Update Server. As the appliance generates security data, the Agent Manager facilitates the data processing required for you to view the data in the SiteProtector Console. The appliance sends a heartbeat signal through the management interface to its Agent Manager on a routine basis to indicate that it is active and to receive policies and updates from the Agent Manager. The time between heartbeats is a user-defined option.
Application Server | The Application Server provides remote access functionality for the SiteProtector Console.
SiteProtector Database | The SiteProtector Database stores the following information: security data generated by your IBM ISS products; statistics for security events; the update status of all products; the SiteProtector system user accounts and permissions.
Update Server | A server on your internal network that contains the X-Press Updates (XPUs) for only your licensed IBM ISS products.
Chapter 2
Installing and Configuring an Agent
Overview
Introduction Installing and configuring your Enterprise Scanner is a multi-stage process. The process includes connecting the agent to the network, configuring appliance-level settings, and configuring the appliance to connect with the SiteProtector system. This chapter explains those tasks.
Reinstalling an agent
If you need to reinstall an Enterprise Scanner agent, see “Preparing to Reinstall an Enterprise Scanner Agent” on page 208 and “Reinstalling an Enterprise Scanner Agent” on page 209.
In this chapter This chapter contains the following topics:
Topic | Page
Before You Begin | 28
Process Overview | 29
Setting Up Your Appliance for Initial Configuration | 31
Configuring Appliance-Level Settings | 33
Configuring Explicit-Trust Authentication with an Agent Manager | 35
Registering Enterprise Scanner to Connect to the SiteProtector System | 37
Logging On to the SiteProtector Console | 40
Before You Begin
Introduction This topic provides introductory information and explains considerations for installing your Enterprise Scanner agent.
User interfaces The following table describes the interfaces you use for each configuration phase:
Table 10: Configuration interfaces
Interface | Purpose
Proventia Setup Assistant | To configure network and administrative settings for the agent immediately after you turn on or reinstall the agent.
Proventia Manager | To configure agent settings to enable the agent to work with the SiteProtector system. To monitor and troubleshoot the agent. To change low-level settings that you chose in the Proventia Setup Assistant. To perform manual maintenance functions, such as manually downloading and installing updates or manually backing up and restoring your agent.
SiteProtector Console | To set up and manage your vulnerability management processes. To change the agent settings.
Location of your agent—perspective
When you scan a group of assets, you anticipate and interpret results based on the location of your agent relative to the location of the assets. Scanning a group of assets from inside a firewall, for example, produces different results than scanning the same group of assets from outside the firewall. In Enterprise Scanner, you use perspective to define a logical network location.
Using multiple agents and perspective
If you plan to install multiple agents now, or in the future, you should consider perspective before you proceed. If you do not intend to install multiple agents, you can use the default, Global perspective.
Reference: For a complete explanation of perspective, see “What is Perspective?” on page 124, “Defining Perspectives” on page 125, and “One Way to Use Perspective” on page 126.
Process Overview
Introduction Follow the Installation process checklist in this topic to determine the tasks you need to perform to install and configure your Enterprise Scanner agent. To track your progress, print the checklist and mark each step as you complete it.
Important prerequisites
Before you install and configure your agent, check the applicable Read Me document and the known issues:
The Read Me file lists the X-Press Updates (XPUs) that you must install.
Note: Some XPUs may apply to the SiteProtector system components, such as to the SiteProtector database.
To find the list of known issues, log on to the IBM ISS Knowledgebase (http://www.iss.net/support/), and then search the knowledgebase for Answer ID 3442.
Tip: Type 3442 in the Search Text box, and select Answer ID in the Search By list.
Installation process checklist
Complete these tasks to install and configure Enterprise Scanner:
Table 11: Stages of installation and configuration
Description | Reference
Connect your appliance to the network and set it up for terminal emulation. | Use the Proventia Network Enterprise Scanner Quick Start Card or see “Setting Up Your Appliance for Initial Configuration” on page 31.
Run the Proventia Setup Assistant to configure appliance-level settings and initial agent parameters. | Use the Proventia Network Enterprise Scanner Quick Start Card or see “Configuring Appliance-Level Settings” on page 33.
Create a backup of your system configuration settings. | “Backing Up Configuration Settings” on page 204.
Optionally, set up explicit-trust authentication with the SiteProtector Agent Manager. | “Configuring Explicit-Trust Authentication with an Agent Manager” on page 35.
Acquire the license for your agent. | “Acquiring Your Enterprise Scanner Licenses” on page 207.
Install the latest X-Press Updates (XPUs) for firmware and assessment content either manually or by setting up scheduled updates. | Chapter 16, "Updating Enterprise Scanner" on page 211, and Help in the Proventia Manager.
Configure your agent to work with the SiteProtector system. | “Registering Enterprise Scanner to Connect to the SiteProtector System” on page 37.
As an option, run verification scans to verify your installation and to become familiar with scanning with Enterprise Scanner. | Chapter 3, "Running Your First Scans" on page 41.
Configure the policies that define the agent’s characteristics. | Chapter 8, "Defining Agent Policies" on page 109.
Configure policies for groups of assets that you want an agent to scan. | Chapter 6, "Defining Background Scans" on page 81 and Chapter 7, "Configuring Discovery and Assessment Policies" on page 97.
Set up the SiteProtector system for vulnerability management. | Chapter 12, "Interpreting Scan Results" on page 167.
Setting Up Your Appliance for Initial Configuration
Introduction To configure the initial appliance settings, you must connect the appliance to the network and set up a terminal emulation session with your appliance. You can use a laptop or a mobile desktop.
Using Microsoft emulation
Terminal emulation programs are installed with Microsoft and Linux operating systems. Documentation for using them should be provided by the vendor. A common Microsoft emulation program is HyperTerminal. You can start it as follows:
Click Start on the taskbar, and then click All Programs > Accessories > Communications > HyperTerminal.
Requirements You need the following items to set up terminal emulation:
a computer with a terminal emulation program that you connect to the appliance with an RS-232 serial (COM) port
the power cord that came in the box with the appliance
the serial cable with an RJ45 connection that came in the box with the appliance
a static IP address for the Management network interface
Procedure To connect with terminal emulation:
1. Connect the power cord to the power receptacle on the back of the appliance, and plug the cord into the power source.
2. Connect the Management Port to a router or a switch on your network that has connectivity with the SiteProtector system that will manage your agent.
3. Connect Scan Port (if connecting the ES750) or Scan Port 1 (if connecting the ES1500) to the network to scan.
4. Connect the laptop or mobile desktop to the same network as the appliance using the Ethernet adapter on the computer and a standard Ethernet cable.
5. Plug the RJ45 connection into the Console outlet on the appliance, and plug the other end of the cable into a serial port on the back of the computer.
6. Start your terminal emulation program with the following settings:
Setting Value
Baud rate 9600
Flow control Hardware
Data bits 8
Parity None
Stop bits 1
Emulation VT100
7. Turn on the appliance.
Initialization messages appear in the window.
Note: If messages do not appear after the appliance starts, press the ENTER key.
8. Go to “Configuring Appliance-Level Settings” on page 33.
Configuring Appliance-Level Settings
Introduction To configure appliance-level settings, you must log in to the appliance and run the Proventia Setup Assistant. Appliance-level settings define the network and administrative settings for the agent. You can change most of the settings later through the Proventia Manager or through the SiteProtector Console.
Prerequisite Set up the terminal emulation program as described in “Setting Up Your Appliance for Initial Configuration” on page 31.
Procedure To configure basic settings:
1. With the terminal emulation connection to your appliance, wait for the unconfigured.appliance login: prompt to appear.
2. Type admin for the login, and then press ENTER.
3. Type admin for the password, and then press ENTER.
The Welcome to the Proventia Manager Setup Wizard screen appears.
4. Press ENTER.
5. Press the SPACE BAR to select I accept (End User License Agreement for IBM ISS), press the DOWN ARROW to select Next, and then press ENTER.
6. Press the SPACE BAR to select I accept (Linux End User License Agreement), press the DOWN ARROW to select Next, and then press ENTER.
7. Review the information required for the wizard, select Next, and then press ENTER to advance to the next screen.
Tip: The keyboard navigation Help appears at the top of each configuration screen.
8. Continue with the Proventia Setup Assistant, and refer to the following table for the requirements of each screen:
Important: You will see only the screens that apply to your configuration choices.
Screen | Description
Hostname | The fully qualified domain name for the Enterprise Scanner appliance. Important: In the Hostname box, press BACKSPACE to erase unconfigured.appliance, and then type the host name.
Management Interface (eth0) | The IP Address, Netmask (subnet mask), and Gateway for the management port that connects to the SiteProtector system.
Scanning Interface (eth1) | The IP Address, Netmask (subnet mask), and Gateway (IP) for the scanning interface (data port) that connects to your network.
Nameservers | One or more of the Primary, Secondary, and Tertiary Nameservers to use for resolving DNS names. Note: The nameservers are used by both the management network interface (eth0) and the scanning network interface (eth1).
DNS Search Path | A space-delimited list of domain names that make up your DNS search path.
Time Zone | The Time Zone for your appliance. Tip: Press ENTER to display the choices in the list, and then press the up and down arrows to select a choice.
Date and Time | The current Month, Day, Year, Hours, and Minutes for your appliance. Important: You must use a 24-hour time format. Note: If the date and time are correct, you do not need to change anything. You only need to change fields that are not already correct in the Current System Date and Current System Time boxes.
Root Password | The password required to log on to the operating system of your appliance.
Administrator Password | The password required to access the Proventia Setup Assistant on the appliance.
Proventia Manager Password | The password required to access Proventia Manager through a Web browser over a network connection.
Bootloader | Whether to require (Enable) or not require (Disable) the Bootloader (root) password for backup and restore operations only. Caution: If you enable the Bootloader password, you must use a serial connection to the agent through a serial port and supply a password to back up or restore the appliance; you do not need to be connected for other operations.
Settings Review | A list of all the configuration settings you have chosen. Tip: Press the DOWN ARROW to see the complete list of settings and to see the Finish button.
9. Select Finish, and then press ENTER.
The Setup Complete screen appears.
10. Press the ESC key, select Yes to exit the Proventia Setup Assistant, and then press ENTER.
11. Disconnect your cables as follows:
If you are using… | Then disconnect the following cables…
terminal emulation | the RJ45 connection from the serial port on the back of the computer
PXE bootserver for a reinstallation (see “Reinstalling an Enterprise Scanner Agent” on page 209) | the RJ45 connection from the serial port on the back of the computer, and the red crossover cable from the management port of the appliance to the Ethernet port on the boot server computer, and then press CTRL+G to eject the installation disk.
12. Do one of the following:
If you want to configure explicit trust with your Agent Manager, go to “Configuring Explicit-Trust Authentication with an Agent Manager” on page 35.
If you want to continue setting up your appliance, go to “Registering Enterprise Scanner to Connect to the SiteProtector System” on page 37.
Configuring Explicit-Trust Authentication with an Agent Manager
Introduction By default, the SiteProtector Agent Manager and your agent use first-time-trust authentication to establish a secure communication channel: the agent stores whatever server certificate it receives on its first connection and trusts that certificate from then on. If your environment requires a higher level of security, you can follow the procedures in this topic to set up explicit-trust authentication, in which you place the Agent Manager's certificate on the agent yourself before the first connection, so the agent never depends on that first connection being genuine.
Note: First-time-trust authentication level is used by default. Using explicit-trust authentication is optional.
Prerequisite Make sure your agent is not registered with the SiteProtector system before you continue.
Task overview Configuring explicit-trust authentication with an Agent Manager is a four-task process:
Task Description
Task 1: Clearing first-time-trust certificates With first-time-trust, server certificates are stored in a directory on the Enterprise Scanner agent the first time a connection is made between the agent and the Agent Manager. You must remove those certificates before you can use explicit-trust authentication.
Note: If the agent has never established communication with the Agent Manager, skip Task 1.
Task 2: Copying the Agent Manager certificate You must manually copy the Agent Manager's certificate to a specific location on the agent for explicit-trust to work.
Task 3: Editing the local properties file The communications modules for the appliance read their authentication configuration from a file, and you must change that file to identify the certificate used for explicit-trust authentication.
Task 4: Enabling explicit-trust authentication You must register with the Agent Manager, specify explicit-trust authentication, and reboot the agent.
Table 12: Tasks for configuring explicit-trust authentication with an Agent Manager
Task 1: Clearing first-time-trust certificates
To clear first-time-trust certificates:
1. Locate the /var/spool/crm/leafcerts directory on the appliance.
2. If this directory is empty, go to Task 2.
Note: The directory is empty if the agent has not registered with the SiteProtector system.
3. Optionally, copy the entire crm folder to a local location to make a backup of it.
4. Delete the contents of the leafcerts folder on the appliance.
Task 2: Copying the Agent Manager certificate
To copy the Agent Manager's certificate:
1. Locate the computer that hosts your SiteProtector Agent Manager, and then locate the folder where the Agent Manager is installed.
Note: The default location is C:\Program Files\ISS\SiteProtector\Agent Manager.
2. Find the Certificates subdirectory under this directory, and then find a file with the .PEM extension.
Note: There should be only one file with this extension.
3. Copy this file (using FTP or an FTP application) to the following path on the agent: /var/spool/crm/cacerts/
Caution: FTP neither encrypts the transfer nor proves to you which host received the file, and this file becomes the certificate the agent will trust. Before you continue, compare the fingerprint of the copied file on the agent with the fingerprint of the original on the Agent Manager (for example, with openssl x509 -noout -fingerprint on each side), and do not proceed if they differ.
4. Rename the file as follows: dccert.pem
Task 3: Editing the local properties file
To edit the local properties file:
1. On the agent, find the file named /etc/crm/rsPostLocalProperties.xml.
2. Open this file for editing, and then locate the setting parm name='aCertFile'.
3. Change value='' to value='/var/spool/crm/cacerts/dccert.pem'.
4. Save the file.
Task 4: Enabling explicit-trust authentication
To enable explicit-trust authentication on the agent:
1. On the navigation pane in Proventia Manager, click System, and then click Management > Registration.
2. Select the Register with SiteProtector check box.
3. Either create a new Agent Manager configuration or open an existing one.
4. Select explicit-trust from the Authentication Level list.
5. Do one of the following:
To configure a new Agent Manager, complete the process as explained in “Registering Enterprise Scanner to Connect to the SiteProtector System” on page 37.
To change an existing Agent Manager, click OK, and then click Save Changes.
6. Reboot the appliance.
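The four tasks above replace trust-on-first-use with a pinned certificate, and the one thing the procedure leaves to you is confirming that the file you copied over FTP is the file the Agent Manager actually holds. The following Python is an added example, not code from this guide or from the appliance: it computes the SHA-256 fingerprint of a PEM certificate so that you can compare it with the fingerprint read on the Agent Manager, rewrites the aCertFile parm in rsPostLocalProperties.xml without disturbing the rest of the file, and combines Tasks 1 to 3 into one function that refuses to install a certificate whose fingerprint does not match. The directory, file and parm names are the guide's; the sample PEM (its body is only the base64 of the bytes "abc", not a real certificate), the sample XML wrapper around the parm, and the function names are constructed for this example.

```python
import base64
import binascii
import hashlib
import re
from pathlib import Path

# Locations named in the guide.
LEAFCERTS_DIR = "/var/spool/crm/leafcerts"               # first-time-trust store (Task 1)
PINNED_CERT = "/var/spool/crm/cacerts/dccert.pem"        # where the Agent Manager cert goes (Task 2)
LOCAL_PROPERTIES = "/etc/crm/rsPostLocalProperties.xml"  # file holding the aCertFile parm (Task 3)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the one certificate in a PEM file.
    Raises ValueError unless there is exactly one well-formed block
    (the guide says the Agent Manager directory holds exactly one .PEM file)."""
    blocks = _PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected one CERTIFICATE block, found {len(blocks)}")
    body = "".join(blocks[0].split())
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc


def fingerprint(pem_text):
    """SHA-256 over the DER encoding as colon-separated uppercase hex, the same
    form 'openssl x509 -noout -fingerprint -sha256' prints on the Agent Manager."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Matches the parm the guide names. Attribute order (name before value) and the
# single quotes follow the guide; double quotes are tolerated as well.
_ACERT_RE = re.compile(
    r"""(<parm\b[^>]*\bname=(['"])aCertFile\2[^>]*\bvalue=)(['"])[^'"]*\3""")


def set_acertfile(xml_text, cert_path=PINNED_CERT):
    """Point the aCertFile parm at the pinned certificate and change nothing else.
    A targeted substitution is used instead of re-serialising the XML so that
    comments and formatting elsewhere in the file survive the edit."""
    new_text, count = _ACERT_RE.subn(
        lambda m: f"{m.group(1)}{m.group(3)}{cert_path}{m.group(3)}", xml_text)
    if count != 1:
        raise ValueError(f"expected one aCertFile parm, found {count}")
    return new_text


def install_pinned_cert(pem_path, expected_fingerprint, cert_dest=PINNED_CERT,
                        properties=LOCAL_PROPERTIES, leafcerts=LEAFCERTS_DIR):
    """Tasks 1 to 3 in one step, run on the agent after the file has been copied:
    verify the copy against the fingerprint read on the Agent Manager, clear the
    first-time-trust certificates, place the pinned copy, and rewrite the parm.
    Nothing on the agent is changed if the fingerprint does not match."""
    pem_text = Path(pem_path).read_text()
    actual = fingerprint(pem_text)
    if actual != expected_fingerprint.strip().upper():
        raise ValueError(f"fingerprint mismatch: copied file is {actual}")
    for leaf in Path(leafcerts).glob("*"):        # Task 1 (nothing to do if never registered)
        if leaf.is_file():
            leaf.unlink()
    Path(cert_dest).write_text(pem_text)          # Task 2
    props = Path(properties)
    props.write_text(set_acertfile(props.read_text(), cert_dest))  # Task 3
    return actual


# Constructed samples: the PEM body is base64 of the bytes "abc", not a real
# certificate; the XML shows only the parm the guide mentions inside an assumed root.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_XML = "<properties>\n  <parm name='aCertFile' value=''/>\n</properties>\n"

if __name__ == "__main__":
    print(fingerprint(SAMPLE_PEM))
    print(set_acertfile(SAMPLE_XML), end="")
```

Read the expected fingerprint on the Agent Manager itself, not from the copy, and pass it to install_pinned_cert as the second argument; the function is deliberately all-or-nothing, so a mismatched file leaves leafcerts, cacerts and the properties file untouched and the agent still on first-time trust.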
Registering Enterprise Scanner to Connect to the SiteProtector System
Introduction You must register your agent with the SiteProtector system before you can run scans. Use
Proventia Manager to register and authenticate your agent. You can also change the initial configuration settings that you configured with the Proventia Setup Assistant.
Prerequisites Before you register with the SiteProtector system, make sure you have done the following:
Acquired the license for your agent. See “Acquiring Your Enterprise Scanner
Licenses” on page 207.
Installed the latest X-Press Updates (XPUs). See Chapter 16, "Updating Enterprise
Scanner" on page 211.
Connection method Use a Web browser over a secure connection to the appliance’s management interface to
connect to the Proventia Manager for Enterprise Scanner.
Requirements You must meet the following requirements to connect to the Proventia Manager:
Requirement
You must be able to connect with the appliance from your computer with a Web browser over an HTTPS connection.
Credentials that allow the following:
communication with the SiteProtector Agent Manager
authentication with the SiteProtector system for access to more secure information, such as credentials defined in the Assessment Credentials policy
Note: This can be any account that is a member of the SiteProtector Administrators group. You may use the same credentials for both if the account is set up correctly.
Table 13: Requirements for logging in to the Proventia Manager
Procedure To configure the agent to connect to the SiteProtector system:
1. Open a browser on a computer that has network access to the management network interface of the agent.
2. In the Address box, type https:// followed by the DNS name or the IP address assigned to the management network interface in the Proventia Setup Assistant.
3. Accept any messages about security certificates.
Important: You must accept the certificates that the agent sends. These certificates establish a secure session between you and your agent.
Note: The browser warns you because the appliance's certificate is not issued by an authority your browser already trusts. Before you accept it, confirm that the address you typed is the one you assigned in the Proventia Setup Assistant and that you are connecting over your management network, so that you are not accepting a certificate from some other host.
4. When you see the Connect to your_appliance_name window, type the Proventia Manager User name (admin) and the Password you created for that user name in the Proventia Setup Assistant.
The Proventia Manager Home window appears.
5. Click System on the navigation pane, and then click Management > Registration.
Note: It may take a while for Java to initialize the first time you do this.
6. Configure your SiteProtector system account as follows:
Field Description
Register with the SiteProtector system Registers the agent with the SiteProtector system to enable the agent to scan.
Local Settings Override SiteProtector Group Settings How to handle policy updates:
Select the check box if you want the agent to use the configuration settings you define in Proventia Manager until you change those settings for the agent group in the SiteProtector system.
Tip: This setting prevents the agent from starting to function before you have entirely defined its behavior. You should use this option.
Clear the check box if you want the agent to inherit currently defined settings from the agent group in the SiteProtector system.
Tip: You should not use this option.
Desired SiteProtector Group for Sensor The name of the group where the agent is registered in the SiteProtector system.
Note: The SiteProtector system creates the group if it is not already there.
Heartbeat Interval (secs) The number of seconds you want the agent to wait between the times it contacts the SiteProtector system for changed policies and updates to firmware and assessment content.
Range: 60 to 86,400 seconds (1 minute to 1 day). You should use the default of 3600.
7. In the Agent Manager Configuration section, click Add.
8. Configure the Agent Manager in the Add Agent Manager Configuration window as follows:
Field Description
Authentication Level The level of authentication to use to communicate with the SiteProtector system.
Important: To use explicit-trust communication, you must also complete “Configuring Explicit-Trust Authentication with an Agent Manager” on page 35.
Name A meaningful name that corresponds to the SiteProtector Agent Manager.
Agent Manager Address The DNS name or the IP address of the SiteProtector Agent Manager.
Agent Manager Port The port number on which alerts are sent to the SiteProtector system.
Note: The default port number is 3995. If you change the default port number, you must also configure the port number locally on the SiteProtector Agent Manager.
Account Name The account name for the Agent Manager.
Tip: You can define additional Agent Managers to use as backups. Arrange them in order of preference, with the most preferred first in the list.
9. If your agent must use a password to connect with the Agent Manager, click Enter Password, and then type the password in the Password and Confirm Password boxes.
10. If a proxy HTTPS server is installed on the network between the agent and the SiteProtector system, select the Use Proxy Settings check box, and then configure the proxy as follows:
Field Description
Proxy Server Address The DNS name or the IP address of the proxy server.
Proxy Server Port The HTTPS port number of the proxy server.
Proxy Username If required, the user ID the agent needs to authenticate with the
proxy server.
Proxy Password The password that goes with the user ID if the agent needs one to
authenticate with the proxy server.
11. Click OK, and then click Save Changes.
The Authentication page appears.
12. Type the SiteProtector Account and Password for the SiteProtector Account that allows you to access sensitive information, such as logon credentials for asset accounts.
13. Click Save.
After the first heartbeat, your agent appears in the SiteProtector system in the group you designated.
Note: This operation may take several minutes. Wait until this page is refreshed in
your browser before you continue.
Logging On to the SiteProtector Console
Introduction Use the SiteProtector Console to set up users and user groups, configure scans, and
monitor the protection status of your Site.
Requirement You must meet the following requirements to log on to the SiteProtector Console:
You must install the SiteProtector Console on your computer.
You must have a user ID and password for the SiteProtector system.
Procedure To log on to the SiteProtector Console:
1. Click Start on the taskbar, and then click All Programs > ISS > SiteProtector > Console.
2. Do one of the following:
If the Site is already defined in the SiteProtector system, select it.
If the Site is not already defined in the SiteProtector system, right-click My Sites, select New Site from the pop-up menu, and then type the IP address or the DNS name of the Site in the Server box.
3. If you do not use the default port number (3998), type the port number of the Site server to communicate with in the Port box.
4. Type your SiteProtector User name.
Note: If your user name is part of a domain, use the following format: domain_name\user_name
5. Type your Password.
6. Click OK.
The Site Manager appears.
Chapter 3
Running Your First Scans
Overview
Introduction This chapter guides you through the process of quickly running basic ad hoc and
background scans for discovery and for assessment. These scans accomplish the following:
Verify that you have set up Enterprise Scanner to work correctly with the
SiteProtector system.
Introduce you to the basic workflow of scanning with Enterprise Scanner.
Provide a foundation of understanding that you can build upon as you customize
scanning for your Site.
When to use Follow the procedures in this chapter immediately after you install an Enterprise Scanner
agent and before you make any configuration changes in the SiteProtector Console. Scanning processes vary slightly depending on your configuration. The procedures in this chapter assume that you have not configured the agent beyond the basic installation.
Important: If you have configured any of the policies before you follow the procedures in
the chapter, your results may not be the same.
Tips are optional The instructions in this chapter provide the choice of setting up scans quickly with the minimum amount of detail or of setting up scans at a slower pace with more detail:
If you want to… You can…
run through the scans quickly and pick up details later as you work more with the agent ignore any information in Tip statements.
learn more about the details of scanning now refer to the information included in the Tips.
Table 14: How to use Tips
In this chapter This chapter contains the following topics:
Topic Page
Basic Concepts 43
Finding Your Agent, Assets, and Policies in the SiteProtector System 44
Running Ad Hoc Scans 46
Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans 50
Background Scanning Overview 54
Background Scanning Process 55
Basic Concepts
Introduction This topic explains basic concepts about your Enterprise Scanner agent that you need to
know before you begin. Keep these in mind as you work with the agent. If you have used the IBM ISS Internet Scanner application, some of the differences are significant.
Types of scans Enterprise Scanner runs the following types of scans:
Type of Scan Description
Ad hoc One-time scans for discovery and/or for assessment.
Background Recurring, cyclical scans that refresh your discovery and/or assessment information at user-defined intervals.
Table 15: Definitions of ad hoc and background scans
Discovery separate from assessment With Enterprise Scanner, discovery scans and assessment scans are separate for both ad hoc and background scans. You may, however, link scans so that an assessment scan does not run until the corresponding discovery scan has finished.
Scopes of scans The scopes of discovery and assessment scans are based on the following settings:
Type of Scan Scope
Discovery Operates on IP addresses (single and/or ranges) that you assign to the scan.
Note: The group you use for discovery scans may already contain assets. Those assets do not have to belong to the IP range of the scan.
Assessment Operates on the assets in a group in the SiteProtector system.
Table 16: Scope of discovery and assessment scans
Finding Your Agent, Assets, and Policies in the SiteProtector System
Introduction This topic explains how to find agents, assets, and policies in the SiteProtector Console by using the configuration of the examples in this chapter.
Agent and asset groups The assets that you scan may be in the same group as your agent, but they do not have to be. The agent is associated with the groups it scans based on perspective, not on the group to which it belongs. In the examples, the Enterprise Scanner agent and the group of assets to scan are in different groups.
Enterprise Scanner location When you registered your Enterprise Scanner agent with the SiteProtector system, you added it to a group that appears in the SiteProtector Console. To modify policies and customize your agent’s scanning behavior, you must locate that group. For the examples in this chapter, the agent is in the CorporateScanners group.
Location of assets A group that you scan could have subgroups, and you could use the rules of policy inheritance to change scanning behaviors for subgroups. For the examples in this chapter, the assets to scan are in a single group, the CorporateScanningGroups group.
Illustration Figure 2 illustrates the location of the groups for the Enterprise Scanner agent and the assets to scan for the examples in this chapter:
Figure 2: Groups used in scanning examples
Using the default perspective
For an initial installation of Enterprise Scanner, you should have no problem using the default perspective, Global. If you are in an established installation where you must use a different perspective, check with your security manager before you continue.
Important: The examples in this chapter use a user-defined perspective, Corporate. Where
the perspective in the examples is Corporate, your perspective should appear as Global. For more information about setting up a perspective, see pages 124–126.
Running Ad Hoc Scans
Introduction Follow the procedure in this topic to run an ad hoc discovery scan and an ad hoc assessment scan against a group in the SiteProtector system. Although the scans run separately, you can configure both scans at the same time. In the example, you will set up the assessment scan to run after the discovery scan has finished.
Tip: Use a small range of IP addresses to keep the scan time short. Include assets that are known to have vulnerabilities, if possible.
Tips are optional These instructions guide you through the process without explaining every detail. If you are interested in the details, refer to the information in the Tips for different steps. If you are not interested in the details, you can ignore the tips.
Procedure To run ad hoc scans:
1. On the SiteProtector Console, set up a tab with the Asset view (See page 74.), and then create or select a group to scan.
2. Right-click the group, and then select Scan from the pop-up menu.
The Scan window appears.
Figure 3: Window for selecting ad hoc or background scanning
3. Select Network Enterprise Scanner/Ad-Hoc Scan, and then click OK.
The Remote Scan window appears.
4. Select Adhoc Scan Control on the left pane.
The Ad Hoc Scan Control policy appears.
Figure 4: Ad Hoc Scan Control policy
5. In the Ad hoc Discovery section, do the following:
Select the Perform one-time discovery scan of this group check box.
Type First Ad Hoc Discovery Scan in the Job name box.
6. In the Ad Hoc Assessment section, do the following:
Select the Perform one-time assessment scan of this group check box.
Type First Ad Hoc Assessment Scan in the Job name box.
Select the Wait for discovery scan to complete before scheduling assessment scan check box.
7. Leave the perspective in the Perform one-time scan from this perspective list at its default setting, Global.
8. Click Discovery on the left pane.
The Discovery policy appears.
Figure 5: Ad hoc discovery policy
9. Type the IP addresses to scan (in dotted-decimal or CIDR notation) of the assets to discover in the IP range(s) to scan box as follows:
Type an IP address, and then press ENTER (or type a comma).
Type a range of IP addresses, and then press ENTER (or type a comma).
10. Click Assessment on the left pane.
The Assessment policy appears.
Note: The default settings run all the non-DoS (Denial of Service) checks.
Figure 6: Ad hoc assessment policy
Tip: If you want to see or change the checks that run, select the Checks tab. For information about viewing checks, see “Grouping and Displaying Checks (Assessment Policy)” on page 103.
Tip: If you want to see or change any common assessment settings, select the Common Settings tab. For information about changing common settings, see “Defining Common Assessment Settings (Assessment Policy)” on page 106.
11. Click OK.
The system schedules an ad hoc discovery scan job in the Command Jobs window in the SiteProtector system. The ad hoc assessment scan does not run until the ad hoc discovery scan has finished.
Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans
Introduction Follow the procedure in this topic to monitor the ad hoc discovery and ad hoc assessment
scans.
Procedure To monitor the scans:
1. Right-click the group on the navigation pane, select Properties from the pop-up menu, and then click Command Jobs on the navigation pane.
Tip: Or click the Control jobs icon on the toolbar.
The ad hoc discovery scan appears in the Command Jobs window, and the task name appears under the Object column.
2. Click the Details-[Linked]First Ad Hoc Discovery tab.
The job-level statistics for the job appear.
Figure 7: Job-level statistics for an ad hoc discovery scan
Note: [Linked] prepended to the task name indicates that the assessment scan was set up to run after the discovery scan has finished. The same prefix is attached to the assessment scan to indicate that it is linked with a discovery scan.
Tip: The status starts out as Pending, may go back-and-forth between Idle and Processing until it finishes, and then its status is Completed.
Tip: For more information about how scan jobs run and how to find information about them, see Chapter 10, "Monitoring Scans" on page 135.
3. Select the Activity tab.
The task-level statistics for the job appear:
Figure 8: An ad hoc discovery job in the Command Jobs window
4. After the discovery scan has finished, set up a tab with the Asset view (See page 74.), and then select the group.
The discovered assets appear on the right pane.
Note: If the assets do not appear, press F5 to refresh the view.
Figure 9: Assets discovered during a Discovery scan
Tip: Assessment scans assess assets by user-assigned criticality levels to ensure that the most critical assets are scanned first. Assets discovered by an Enterprise Scanner agent have a default criticality of Unassigned. For information about assigning criticality to assets, see “Scan Jobs and Related Terms” on page 127.
5. To monitor the progress of the assessment scan, right-click the group on the navigation pane, select Properties from the pop-up menu, and then click Command Jobs on the navigation pane.
Tip: Or click the Control jobs icon on the toolbar.
Note: The assessment scan will not start until the discovery scan has finished.
The Command Jobs window appears and the ad hoc assessment scan appears in the Command Jobs window along with the completed discovery scan.
6. To view statistics about the tasks in the job, select the Activity tab.
Details about the tasks appear in the Activity tab.
Figure 10: Task-level statistics for the linked ad hoc assessment scan
Tip: The task name appears under the Object column. The status starts out as Pending, may go back-and-forth between Idle and Processing until it finishes, and then its status is Completed.
Tip: For more information about how scan jobs run and how to find information about them, see Chapter 10, "Monitoring Scans" on page 135.
7. After the job has finished, select the Analysis view, and then select the group.
8. To see if the scan identified any vulnerabilities for any of the assets in the group, select one of the vulnerability views:
Vuln Analysis - Asset
Vuln Analysis - Detail
Vuln Analysis - Object
Vuln Analysis - Vuln Name
The vulnerabilities found by the scan, if any, appear on the right pane, as in the following figure of the Vuln Analysis - Detail view.
Figure 11: View of vulnerability details in the CorporateScanningGroups Group
Tip: If the events do not appear, adjust display parameters, such as the Start and End times.
Background Scanning Overview
Introduction You can run ad hoc scans whenever necessary, but you get the greatest benefit from
Enterprise Scanner when you set up cyclical scans to run automatically in the background.
Reference: For a description of background scanning, see “Key Concepts” on page 20.
About these procedures
Background discovery and background assessment scans run separately, just as ad hoc discovery and assessment scans do. The process for setting up background discovery and background assessment scans is very similar. The process in this topic combines the procedures for both types of scans in one set of procedures.
Before you begin When you complete this process, you will have defined a cycle of scanning for a group of
assets that will repeat until you disable it. If you want to continue these scans after the testing period, you can change the settings as needed for your environment. If you want to discontinue these scans, you can stop them. The procedure for stopping the scans follows the process for starting them.
Tip: Use a small range of IP addresses to keep the
scan time short. Include assets that are known to have vulnerabilities, if possible.
Tips are optional These instructions guide you through the process without explaining every detail. If you
are interested in the details, refer to the information in the Tips for different steps. If you are not interested in the details, you can ignore the tips.
Background Scanning Process
Introduction If you have read the information about background scanning in the previous topic, you
can use the procedures below to set up background scans.
Task overview Setting up background scanning is a five-task process:
Task Affected Policy Policy Changes
1 Discovery Enable background discovery scanning and define the range of IP
addresses to scan.
2 Assessment Enable background assessment scanning and define which checks to
run.
3 Scan Window Optionally, define the days and hours that scanning is allowed.
4 Scan Control Define the start date of the first scanning cycle, and the length of each
scanning cycle.
5 All Save policies and monitor scans.
Tabl e 17 : Tasks to set up background scanning
Task 1: Define background discovery scans
Important: You must perform these tasks in the order given.
To set up background discovery scans:
1. In your SiteProtector Console, set up a tab with the Policy view (See page 74.), and then create or select a group for the range of IP addresses to discover.
2. Right-click the group, and then select Manage Policy from the pop-up menu.
3. Select
Network Enterprise Scanner
in the Agent Type list.
4. If the correct version of Enterprise Scanner is not displayed in the Version list, select it.
Tip: The version may apply to the agent whose properties you are defining or to the
agent responsible for scanning the group whose properties you are defining.
Tip: Enterprise Scanner policies may apply to one or more versions, as indicated in
the policy view. If you use multiple agents at different versions that do not share the same policy, you must define separate policies for each version.
5. Select
Asset
in the Mode list.
The list of asset policies for Enterprise Scanner appears on the right pane.
Figure 12: Asset policies for Enterprise Scanner
6. On the right pane, right-click the Discovery policy, and then select Override from the pop-up menu.
7. Click Yes to open the policy for editing.
The Discovery policy appears.
Figure 13: The Discovery policy for the CorporateScanningGroups group
8. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets to discover in the IP range(s) to scan box as follows:
Type an IP address, and then press ENTER (or type a comma).
Type a range of IP addresses, and then press ENTER (or type a comma).
Example: 172.1.1.100-172.1.1.200
Tip: Discovery policies cannot be inherited from a parent. Each group must have its
own Discovery policy.
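Both the ad hoc Discovery policy (step 9 under Running Ad Hoc Scans) and the background Discovery policy above take the same entry format in the IP range(s) to scan box: entries separated by ENTER or a comma, each a single address, a dashed inclusive range such as the example 172.1.1.100-172.1.1.200, or a CIDR block. The following Python is an added example, not code from this guide or from Enterprise Scanner: it parses that format into the set of addresses a discovery scan would probe, rejects reversed ranges and junk, and enforces the guide's advice to keep a test range small by refusing oversized input before expanding it. The accepted syntax is the guide's; the target ceiling, the function names and the sample input are constructed for this example, and treating a CIDR block as every address in it (network and broadcast addresses included) is this example's choice.

```python
import ipaddress
import re

# Assumed ceiling for a test scan; the guide only says to keep the range small.
DEFAULT_MAX_TARGETS = 1024


def _range_bounds(entry):
    """Parse 'a.b.c.d-w.x.y.z' into two address objects, validating order and family."""
    lo_s, hi_s = (s.strip() for s in entry.split("-", 1))
    lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
    if lo.version != hi.version:
        raise ValueError(f"mixed address families in range: {entry}")
    if hi < lo:
        raise ValueError(f"range end precedes start: {entry}")
    return lo, hi


def _entry_size(entry):
    """Number of addresses an entry covers, computed without expanding it."""
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False).num_addresses
    if "-" in entry:
        lo, hi = _range_bounds(entry)
        return int(hi) - int(lo) + 1
    ipaddress.ip_address(entry)  # raises ValueError on anything that is not an address
    return 1


def split_entries(text):
    """Entries are separated by commas or newlines (ENTER in the policy box)."""
    return [e.strip() for e in re.split(r"[,\n]", text) if e.strip()]


def parse_ip_ranges(text, max_targets=DEFAULT_MAX_TARGETS):
    """Expand the contents of an 'IP range(s) to scan' box into a sorted,
    de-duplicated list of address objects. Accepts single addresses
    (172.1.1.100), inclusive dashed ranges (172.1.1.100-172.1.1.200) and
    CIDR blocks (172.1.0.0/24). Raises ValueError for a malformed entry or
    when the total number of targets would exceed max_targets."""
    entries = split_entries(text)
    total = sum(_entry_size(e) for e in entries)   # size check happens before any expansion
    if total > max_targets:
        raise ValueError(f"{total} targets exceeds the limit of {max_targets}")
    targets = set()
    for entry in entries:
        if "/" in entry:
            targets.update(ipaddress.ip_network(entry, strict=False))
        elif "-" in entry:
            lo, hi = _range_bounds(entry)
            for net in ipaddress.summarize_address_range(lo, hi):
                targets.update(net)
        else:
            targets.add(ipaddress.ip_address(entry))
    return sorted(targets, key=lambda a: (a.version, int(a)))


def validate_ip_ranges(text, max_targets=DEFAULT_MAX_TARGETS):
    """Return None if the box contents are acceptable, otherwise the error message."""
    try:
        parse_ip_ranges(text, max_targets)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample in the format the policy box accepts: a dashed range,
# a single address and a CIDR block, separated by a comma and a newline.
SAMPLE_RANGES = "172.1.1.100-172.1.1.200, 10.0.0.1\n192.168.0.0/30"

if __name__ == "__main__":
    hosts = parse_ip_ranges(SAMPLE_RANGES)
    print(len(hosts), "targets, first", hosts[0], "last", hosts[-1])
```

The size check runs over the unexpanded entries, so a typo such as 10.0.0.0/8 is rejected with a message rather than silently producing a sixteen-million-host scan; raise max_targets deliberately when you move from the test group to production ranges.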
Task 2: Define background assessment scans
To set up background assessment scans:
1. On the navigation pane, select the group to scan.
2. On the right pane, right-click the Assessment policy, and then select Override from the pop-up menu.
Important: Even if you want to run the scan with the default policy settings, you must
open the policy to populate it before you start a scan.
3. Click Yes to open the policy for editing.
The Assessment policy appears.
Note: The default settings run all the non-DoS (Denial of Service) checks.
Figure 14: The Assessment policy for the CorporateScanningGroups group
Tip: If you want to see or change the checks that run, select the Checks tab. For information about viewing checks, see “Grouping and Displaying Checks (Assessment Policy)” on page 103.
Tip: If you want to see or change any common assessment settings, select the Common Settings tab. For information about changing common settings, see “Defining Common Assessment Settings (Assessment Policy)” on page 106.
Tip: Assessment policies for subgroups are inherited from a parent group if the
assessment policy is defined for the parent group. If the policy is inherited, it displays the parent’s name in the group’s policy list.
Task 3: Define when scanning is allowed
To define when scanning is allowed:
1. On the navigation pane, select the group to scan.
2. On the right pane, right-click the Scan Window policy, and then select Override from the pop-up menu.
3. Click Yes to open the policy for editing.
The Scan Window policy appears.
Figure 15: The Scan Window policy for the CorporateScanningGroups group
Tip: Scan window policies are inherited by default from a parent group if the Scan Window policy is defined for the parent group.
4. Select the Discovery Windows tab.
5. For the purposes of testing, choose two or three hours each day, including the current hour or the next two hours so that your background scans can start soon.
Note: You can select the periods of allowed scanning using the following methods:
If you want to… Then…
allow scanning during specific hours click and drag your cursor over those hours for each day that you want to allow scanning.
allow scanning at any time click Fill All. All squares turn black.
remove all defined scan periods click Clear All. All squares turn white.
Note: Scanning hours are selected; non-scanning hours are not selected.
6. Select the Assessment Windows tab, and select hours for the assessment windows just as you did for discovery.
7. Select the Time Zone tab.
8. Select the time zone during which you want the scan windows to be open from the Time zone for windows defined in this policy list.
Note: Typically, you would choose the same time zone as the time zone of the assets in the group.
To enable scanning and to define the length of scanning cycles:
1. On the navigation pane, select the group to scan.
2. Right-click the Scan Control policy, and then select Override from the pop-up menu.
3. Click Yes to open the policy for editing.
The Scan Control policy appears.
Figure 16: The Scan Control policy for the CorporateScanningGroups group
4. In the Background Discovery section, select the Enable background discovery scanning of this group check box.
5. Type Quick Background Discovery Scan in the Task name box.
6. Select today's date in the Cycle start date list, and then select 2 Day(s) in the Cycle duration boxes.
7. In the Background Assessment section, select the Enable background assessment scanning of this group check box.
8. Type Quick Background Assessment Scan in the Task name box.
9. Select the Use Discovery's start date/duration and wait for discovery scan to complete before scheduling assessment scan check box.
10. Leave the perspective in the Perform background scans from this perspective list at its default setting, Global.
Tip: A customized perspective allows you to limit the portion of the network from which a given sensor can operate. For more information about using perspective, see "What is Perspective?" on page 124, "Defining Perspectives" on page 125, and "One Way to Use Perspective" on page 126.
Task 5: Finishing
To finish setting up background scanning:
1. From the Action menu, select Save All.
The Apply Changes? window appears.
Figure 17: The Apply Changes? window for saving policies
2. Click OK.
3. To monitor the progress of the scan, right-click the group on the navigation pane, and then select Properties from the pop-up menu.
4. Select Command Jobs from the left pane.
The background scans appear in the Command Jobs window, and the task names appear under the Object column.
Note: If you set your scan cycle to start at a later date, the jobs are scheduled at midnight on the first day of the new scan cycle and run when the first scan window opens.
5. You can view the Details and Activities tabs for the job just as you did for the ad hoc scans. (See “Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans” on page 50.)
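To make the Scan Window and Scan Control rules in Tasks 3 through 5 concrete, here is an added Python model (not code from the Enterprise Scanner product or from this guide) of a scan window grid and of when the first background discovery job can run. The class and function names, the time zone and the sample hours are constructed for this example.

```python
"""Constructed model of Enterprise Scanner scan windows and first-run scheduling.
Added example; not code from the Enterprise Scanner product or this guide."""
from datetime import date, datetime, timedelta
from typing import Optional
from zoneinfo import ZoneInfo


class ScanWindow:
    """One Scan Window tab: a 7-day x 24-hour grid (Monday = 0) plus the
    Time Zone tab setting. A selected (black) square allows scanning in that hour."""

    def __init__(self, time_zone: str) -> None:
        self.tz = ZoneInfo(time_zone)
        self.hours = [[False] * 24 for _ in range(7)]

    def fill_all(self) -> None:          # "Fill All": every square turns black
        self.hours = [[True] * 24 for _ in range(7)]

    def clear_all(self) -> None:         # "Clear All": every square turns white
        self.hours = [[False] * 24 for _ in range(7)]

    def allow(self, weekday: int, first_hour: int, last_hour: int) -> None:
        """Click-and-drag over hours first_hour..last_hour (inclusive) on one weekday."""
        for hour in range(first_hour, last_hour + 1):
            self.hours[weekday][hour] = True

    def is_open(self, when: datetime) -> bool:
        local = when.astimezone(self.tz)
        return self.hours[local.weekday()][local.hour]


def next_open_hour(window: ScanWindow, earliest: datetime) -> Optional[datetime]:
    """First hour at or after `earliest` whose square is selected, or None if the
    grid is empty. The hour containing `earliest` counts (the guide's "current hour")."""
    start = earliest.astimezone(window.tz).replace(minute=0, second=0, microsecond=0)
    for offset in range(7 * 24):                 # one full week covers every square
        candidate = start + timedelta(hours=offset)
        if window.is_open(candidate):
            return candidate
    return None


def first_background_run(window: ScanWindow, cycle_start: date,
                         now: datetime) -> Optional[datetime]:
    """When the discovery job created by the Scan Control policy first runs.
    Per the guide, a cycle starting on a later date is scheduled at midnight on its
    first day and runs when the first scan window opens; a cycle starting today
    can run as soon as the current hour or a later hour is open."""
    midnight = datetime.combine(cycle_start, datetime.min.time(), tzinfo=window.tz)
    earliest = max(midnight, now.astimezone(window.tz))
    return next_open_hour(window, earliest)


def example_schedule() -> dict:
    """Constructed scenario: Wednesday 13 June 2007, 13:30 in the assets' time zone,
    with the discovery window allowing 14:00-15:59 on Wednesdays only."""
    window = ScanWindow("America/New_York")      # constructed zone for the example
    window.allow(weekday=2, first_hour=14, last_hour=15)
    now = datetime(2007, 6, 13, 13, 30, tzinfo=window.tz)

    def fmt(run: Optional[datetime]) -> Optional[str]:
        return run.isoformat() if run else None

    results = {
        "cycle starts today": fmt(first_background_run(window, date(2007, 6, 13), now)),
        "cycle starts Friday": fmt(first_background_run(window, date(2007, 6, 15), now)),
    }
    window.clear_all()                           # no squares selected: the job never runs
    results["window cleared"] = fmt(first_background_run(window, date(2007, 6, 13), now))
    return results


if __name__ == "__main__":
    for scenario, run in example_schedule().items():
        print(f"{scenario}: {run}")
```

A cleared window is the failure mode to watch for when a background job sits in Command Jobs without starting: the cycle is enabled, but no hour is ever open.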
Disabling background scans
To disable background scans:
1. On the navigation pane, select the group you scanned.
2. Set up a tab with the Policy view (see page 74).
3. Right-click the Scan Control policy, and then select Override from the pop-up menu.
4. Click Yes to open the policy for editing.
5. If you want to disable background discovery scans, in the Background Discovery section, clear the Enable background discovery scanning of this group check box.
6. If you want to disable background assessment scans, in the Background Assessment section, clear the Enable background assessment scanning of this group check box.
7. From the Action menu, click Save All.
8. Click OK.
Chapter 4
Setting Up Scanning Permissions for Users
Overview
Introduction After you register your agent with the SiteProtector system, you can control access to it through the permissions in the SiteProtector system. Permissions in the SiteProtector system are flexible so that you can define access at different levels of granularity. You can set permissions for the following levels:
globally
for a user or a group of users
for a group of assets
for policies
Example You may grant a security manager access to all Enterprise Scanner permissions with a single global setting. You may add other users but restrict them to a subset of Enterprise Scanner functions by using one or more of the other types of permissions.
Complete documentation This chapter provides introductory information about setting permissions and explains permissions as they relate to Enterprise Scanner functions. For complete documentation about permissions in the SiteProtector system, see the SiteProtector Configuration Guide, available on the IBM ISS Web site.
In this chapter This chapter contains the following topics:
Topic Page
Enterprise Scanner Permissions 64
Enterprise Scanner User Groups 65
Considerations for Enterprise Scanner Permissions 66
Creating User Groups in the SiteProtector System 67
Changing Group Permissions 68
Enterprise Scanner Permissions
Introduction This topic describes the predefined permissions in the SiteProtector system that apply to Enterprise Scanner users. You define Enterprise Scanner permissions just as you do for other permissions in the SiteProtector system.
Permissions Table 18 describes the default Enterprise Scanner permissions (a check mark shows which of View, Modify, or Control the permission grants):
Enterprise Scanner Permission | Description | View | Modify | Control
Ad Hoc Scan | Whether you can run an ad hoc scan. Note: The Modify Policy permission is automatically granted with this permission. | | | ✓
Agent | Whether you can manually refresh agents. | | | ✓
Assessment Credentials Policy | Whether you can view and/or modify the policy. | ✓ | ✓ |
Assessment Policy | Whether you can view and/or modify the policy. | ✓ | ✓ |
Discovery Policy | Whether you can view and/or modify the policy. | ✓ | ✓ |
Network Locations Policy | Whether you can view the Network Locations policy. Important: See "Scanning without full permissions" on page 65 for important information about users with restricted permissions. | ✓ | |
Policy | Whether you can modify any policy whose permissions are not granted explicitly, including the Scan Control policy, which enables background scanning. | ✓ | ✓ |
Proventia Manager | Whether you can launch Proventia Manager from the SiteProtector Console. | | | ✓
Scan Window Policy | Whether you can view and/or modify the policy. | ✓ | ✓ |
Table 18: Enterprise Scanner Group permissions
Enterprise Scanner User Groups
Introduction This topic describes the predefined user groups in the SiteProtector system that apply to Enterprise Scanner users. You add Enterprise Scanner users to the SiteProtector system and define their Enterprise Scanner permissions just as you do for any type of SiteProtector system user.
All predefined user groups
The SiteProtector system includes the following predefined User Groups:
Administrator
Analyst
Assessment Manager
Desktop Manager
Network Manager
Operator
Server Manager
User groups for Enterprise Scanner
The SiteProtector User Group intended specifically for Enterprise Scanner users is Assessment Manager; however, the Administrator and Analyst groups also provide full access to Enterprise Scanner permissions. You can assign Enterprise Scanner permissions to other users or other groups.
Scanning without full permissions
To perform any Enterprise Scanner scan with SiteProtector 2.0, Service Pack 6.1 (SiteProtector DBSP 6.31 or later), a user must have permission to view the Network Locations policy. This permission is granted for the predefined user groups that provide full Enterprise Scanner permissions. If you define users or user groups with restricted permissions, you must grant this permission explicitly. The way you grant permission is based on the inheritance behavior of your policy:
If you… | Then you…
do not change the inheritance behavior of the policy | can define the permission once at the Site level.
change the inheritance behavior of the policy | must grant the permission for the group where you need the permission and for all the groups above it in the hierarchy.
Table 19: Granting permission to the Network Locations policy
Important: Users who do not have permission to view the Network Locations policy—either through group association or by a specific grant—cannot run Enterprise Scanner scans. If those users try to run a scan, they receive an error message that the scan cannot be run because a policy is not defined.
Considerations for Enterprise Scanner Permissions
Introduction This topic provides background information about adding groups and users in the SiteProtector system.
Prerequisite To add a user or a group to a SiteProtector User Group, you need the exact Windows account information, including computer name or domain name and user name. If you do not have that information, you can do the following:
If you want to add… | Then use…
local users and groups | Windows Computer Management to locate the information before you add the user or group.
domain users and groups | the Check Names function in the user interface to locate the information as you add the user or group.
Table 20: Finding required account information
About group-level permissions
Group-level permissions control a user's ability to view, modify, and work with agents and assets in a specific group. For example, group-level permissions control whether a user can scan a group of assets with Enterprise Scanner or apply an XPU to the agents in a group. Group-level permissions do not provide Site-wide functionality. They only provide permission to perform actions on the assets in the group where they are assigned.
Because of the specific and flexible nature of group-level permissions, you can use them to maintain very specific control over a user's actions in the SiteProtector system. For example, you can set group-level permissions such that three users have different permissions for the same group.
Managing group-level permissions
You should perform the following tasks before you configure group-level permissions:
set up asset groups
import assets into the asset groups
You may, however, configure group-level permissions before you set up asset groups and import assets, and then assign group-level permissions as necessary. Subgroups you create later automatically inherit these permissions.
Ungrouped assets When you import assets before you set up asset groups, the SiteProtector system puts the assets in the Ungrouped assets folder. To assign permissions to ungrouped assets, you must use the global permission, Managing Ungrouped Assets.
Creating User Groups in the SiteProtector System
Introduction A SiteProtector User Group is a group of users who have the same set of global and group-level permissions. SiteProtector User Groups are useful because they allow you to control the permissions for an entire group of users simultaneously according to their role in your organization.
Creating SiteProtector user groups
To create a SiteProtector User Group:
1. On the left pane, select the Site Group where you want to create the User Group.
2. On the Tools menu, click User Groups.
The User Groups window appears.
3. On the left pane, click Add, and then type the name for the new User Group.
4. Press ENTER.
5. If you want to describe the group,
6. Click OK.
Adding members to SiteProtector user groups
To add members to SiteProtector User Groups:
1. On the left pane, select the Site Group where you want to add members to a User Group.
2. On the Tools menu, click User Groups.
The User Groups window appears.
3. On the left pane, select the group you want to modify.
4. In the Members section, click Add.
5. Use the following table to determine your next step:
If you want to add… | To the SiteProtector user group, then type the complete account…
local users or groups | using the following syntax:
• computer name\user name
• computer name\group name
If you do not know the complete account information, then you must look it up using Windows Computer Management.
domain users or groups | using the following syntax:
• domain name\user name
• domain name\group name
If you do not know the complete account name, click Check Names to look it up. The Select User and Groups window appears.
6. Click OK.
7. Select the name in the list you want to add to the User Group, and then click OK.
The user or group is added to the SiteProtector User Group and is granted all the permissions granted to that User Group.
Changing Group Permissions
Introduction This topic explains how to add and delete group permissions, how to change inheritance properties, and how to change group owners.
Granting group-level permissions
To grant group-level permissions to a user or group:
1. On the left pane, right-click a group, and then select Properties.
2. Click the Permissions icon.
3. In the Users and/or Groups column, select the user or group.
4. In the Manage Security section, select the circle that corresponds to the permission you want to grant.
The circle turns black, indicating that the permission is granted.
5. Click the Save icon.
6. Close the Properties tab.
Removing group-level permissions
To remove group-level permissions from a user or group:
1. On the left pane, right-click a group, and then select Properties.
The Group Properties tab appears.
2. Click the Permissions icon.
3. In the Users and/or Groups column, select the user or group.
4. In the Manage Security section, clear the circle that corresponds to the permission you want to remove.
The circle turns white, indicating that the permission is removed.
5. Click the Save icon.
6. Close the Properties tab.
Configuring advanced permissions
To configure advanced permissions:
1. On the left pane, right-click a group, and then select Properties.
2. Click the Permissions icon.
Important: A group owner or a user with Full Access to all Functionality can assign advanced permissions.
3. Click Advanced.
The Advanced Properties window appears.
4. If you do not want this group to inherit advanced permissions from the parent group, clear the Inherit from parent group check box on the Permissions tab.
5. Select the Owner tab.
6. To change the owner of this group, type all or part of the user name or group in the Change Owner box, and then click Check Names.
7. Select the new owner, and then click OK to return to the Advanced Properties window.
8. Click OK.
Part II
Configuring Enterprise Vulnerability Protection
Chapter 5
Introduction to Enterprise Scanner Policies
Overview
Introduction Enterprise Scanner includes a number of specialized policies that enable you to define discovery and assessment scans to run as either ad hoc or background scans. Enterprise Scanner uses a combination of those policies to perform each type of scan. By using multiple policies, Enterprise Scanner provides a more flexible scanning environment. To help you take advantage of that flexibility, this chapter explains what each policy defines and how each policy affects different types of scans.
Scope This chapter provides background information for understanding the Enterprise Scanner policies. For detailed information about setting up policies, see the following chapters:
Chapter 6, "Defining Background Scans" on page 81
Chapter 7, "Configuring Discovery and Assessment Policies" on page 97
Chapter 8, "Defining Agent Policies" on page 109
In this chapter This chapter contains the following topics:
Topic Page
Introduction to Asset and Agent Policies 72
Contents of Asset and Agent Policies 73
Viewing Asset and Agent Policies 74
Descriptions of Asset Policies 75
Descriptions of Agent Policies 76
Policy Inheritance with Enterprise Scanner Policies 77
Policy Inheritance with Agent Policies 78
Policy Inheritance with Asset Policies 79
Introduction to Asset and Agent Policies
Introduction The most important difference with Enterprise Scanner policies is the difference between asset and agent policies:
Asset policies apply to groups of assets and describe the security policy for those assets.
Agent policies apply to Enterprise Scanner appliances and primarily describe operational settings for the agents or global settings for all scans. In addition, some agent policies apply to only one agent.
Some policies define characteristics that apply to both assets and agents.
Approach to asset and agent policies
The approach to scanning with Enterprise Scanner considers the differences between asset and agent policies:
When you configure policies for scanning a group of assets, you first identify IP addresses to discover. Then, you identify assessment-related characteristics, such as which checks to run for those assets. You do not define any characteristics of the scanning agent, except to identify the potential pool (perspective) of agents to run the scan.
When you define characteristics of an agent, you define operational features, such as how to divide discovery and assessment scans into subtasks, the passwords for the agent's accounts, and its perspective; but you do not define security-related parameters.
Advantages By separating asset and agent policies, scanning is flexible and easily scalable, as demonstrated in the following examples:
You can configure assessment scans for two groups of assets with different security needs, such as a group of Web servers and a group on an internal subnet. After the initial configuration, you could scan both groups with the same agent without changing any policies on the agent or on the groups of assets.
You can also respond to changes in your network more easily. If a group of assets grows and you need to increase the scanning power for that group, you can add an agent to the pool (by assigning it to the correct perspective). After you set up the agent and register it with the SiteProtector system, the agent immediately begins to share the workload for the pool of agents assigned to that perspective.
Likewise, you could remove an agent from a pool, and the agents that remain would continue to share the workload assigned to that pool.
Contents of Asset and Agent Policies
Introduction This topic provides high-level descriptions of the contents of asset and agent policies.
Contents for each type of policy
The following table describes the general contents of asset policies and agent policies:
Type of Policy | Content of Policies
Asset | Information about how to run discovery and/or assessment scans against the group:
For discovery scans, which IP addresses to scan.
For assessment scans, which checks to run, and other assessment parameters.
On which days to run scans and during which hours to run them.
How frequently to run scans to refresh information about the assets in a group.
Which assets in the group, if any, that you do not want to scan.
List of accounts and log on credentials to use for assets in a group.
How to associate service names with TCP and UDP ports.
Agent | Operational settings for the agent:
How to manage log files.
The passwords to use for local accounts.
How to manage scans by dividing them into smaller subtasks per task.
The relative location of the agent on the network, known as its perspective.
How to apply updates to the agent.
Network configuration settings and DNS servers for the network interfaces.
Table 21: Contents of asset and agent policies
Illustration Figure 18 illustrates how asset and agent policies are grouped with the agent or the group of assets to which they apply in the SiteProtector Console:
Figure 18: Enterprise Scanner asset and agent policies in a SiteProtector Console
Viewing Asset and Agent Policies
Introduction In the SiteProtector Console, you can view asset and agent policies together, or you can view them separately. If you view the policies separately, you can use the views and tabs in the SiteProtector system to easily move back and forth between asset and agent policies.
Tabs and views In the SiteProtector Console, you select a group or an agent on the navigation pane, and information about it appears in a tab on the right pane. The information displayed is based on the view you select for the tab, such as an Agent, an Asset, or a Policy view. To view policies, you must select the Policy view.
Seeing different views
To see different types of information about a group or an agent, you can do the following:
Change the view of a tab.
Open multiple tabs with different views for one or more groups.
Changing views To change the view of a tab:
In the SiteProtector Console, select a tab, and then select a different view from the view list.
Note: The view list is located at the top of the Console on the right side.
Opening a new tab To open a new tab:
In the SiteProtector Console, right-click a tab, select New Tab from the pop-up menu, and then select a view from that pop-up menu.
The new tab appears as the last tab on the right.
Procedure To view Enterprise Scanner policies:
1. In the SiteProtector Console, set up a tab to display policies. (See page 74.)
2. On the left pane, select the asset or agent whose policies you want to view.
3. If you want to see policies from a different repository, select the repository from the Repository Name list.
4. Select Network Enterprise Scanner from the Agent Type list.
5. Select your version of Enterprise Scanner for the agent from the Version list.
Note: The version may apply to the agent whose properties you are defining or to the agent responsible for scanning the group whose properties you are defining.
Important: Enterprise Scanner policies may apply to one or more versions, as indicated in the policy view. If you use multiple agents at different versions that do not share the same policy, you must define separate policies for each version.
6. Do one of the following:
To view all policies, select All from the Mode list.
To view asset policies, select Asset from the Mode list.
To view agent policies, select Agent from the Mode list.
Descriptions of Asset Policies
Introduction This topic describes the policies that define scanning requirements for groups of assets (asset policies).
Asset policy descriptions
Table 22 describes the asset policies:
Policy | Description
Assessment | Defines the following for assessment scans: which checks to run against assets in the group; assessment check parameters; common settings for assessment scans.
Assessment Credentials | Contains logon account information for running checks that require authenticated access.
Discovery | Defines the following for discovery scans: IP addresses and address ranges for a scan to discover; how to handle discovered assets.
Network Locations (a) | Defines relative locations of agents on the network to use as scanning perspectives. For assets, think of perspective as the location from which you want to scan the assets in the group.
Network Services | Defines the ports on which services run.
Scan Control | Controls the following: whether discovery and/or assessment scanning is enabled; refresh cycles for background discovery and assessment scans; the perspective from which to run background scans against this group. Important: This policy initiates background scanning. Do not save it until you have completely configured background scanning.
Scan Exclusion | Defines IP addresses and/or ports that you want to exclude from assessment scans.
Scan Window | Defines the allowable windows for background discovery and/or assessment scanning as well as the time zone for the scanning windows. Tip: Optionally, you can limit ad hoc scans to run only during open scanning windows.
Table 22: Descriptions of the asset policies
a. You can have only one Network Locations policy. It defines perspectives that are used by all agents and assets at the Site. It appears once for the Site at the Site Group level.
Descriptions of Agent Policies
Introduction This topic describes the policies that define how Enterprise Scanner agents operate (agent policies).
Agent policy descriptions
Table 23 describes the agent policies:
Policy | Description
Access (a) | Defines the passwords for the Enterprise Scanner local accounts, and enables (requires) or disables the bootloader (root) password for some operations.
ESM (Enterprise Scanner Module) (a) | Defines the perspective assigned to a scanning network interface and defines how to divide discovery and assessment tasks into manageable subtasks.
Network Locations (b) | Defines the relative location of the agent on the network, which is the agent's scanning perspective.
Networking (a) | Defines the following: network configuration settings; DNS servers and search paths for the network interfaces and for the scanning network interface.
Notification | Defines the following: enables alert logging and notification for system warning, system error, and system informative events; allows you to fine-tune Enterprise Scanner options with advanced parameters.
Services (a) | Defines whether to enable or disable the SSH protocol between the agent and the SiteProtector Update Server. Note: If you want to set up explicit-trust authentication between an agent and a SiteProtector Update Server, you could use SSH to copy the server's certificate from the server to your agent. (See page 220.)
Time (a) | Defines the following: the date and time zone in which the agent operates; whether to use network time protocol (NTP) on the agent.
Update Settings | Defines how to handle downloads, installation, and notification for firmware and assessment content updates.
Table 23: Descriptions of the agent policies
a. You must define this policy separately for each agent. An agent cannot inherit it from other groups or share it with other agents in the same group.
b. You can have only one Network Locations policy. It defines perspectives that are used by all agents and assets at the Site. It appears once for the Site at the Site Group level.
Policy Inheritance with Enterprise Scanner Policies
Introduction The inheritance properties of policies enable you to set up your scanning environment in a hierarchical group structure. Even if you understand policy inheritance with other IBM ISS agents, you should understand the slight variations with Enterprise Scanner policies. For the best results, read the documentation before you set up a group structure and define policies.
General inheritance behavior
In general, inheritance works as follows:
When you define a policy for a group in your group structure, the policy automatically applies to the group's subgroups unless a subgroup already has its own version of the policy. Then, that subgroup retains its version of the policy.
You can break the inheritance at any level in the group structure by redefining (overriding) the policy for a subgroup. When you define a policy for a subgroup, the changes apply to its subgroups.
If you have defined a policy for a subgroup, and you want to apply that policy to groups above the subgroup, you can promote the policy to a higher group.
Inheritance with Enterprise Scanner policies
As you plan your Site grouping structure for vulnerability management, keep these points in mind:
Most asset policies follow the general rules of inheritance.
Many agent policies apply only to a single agent or scanning network interface.
Some asset and some agent policies have specialized inheritance characteristics. These differences are described in more detail in later topics.
Inheritance indicators
Policies for a group appear in a Policy tab in the SiteProtector Console. When you select a group on the left pane of the SiteProtector Console, policies applicable to the group appear on the right pane. The inheritance indicators of the policies appear in the Inheriting From column as follows:
If the Inheriting From value is… | Then…
blank | the policy is defined for the asset or agent group selected on the left pane.
Inheriting from the factory defaults | you have chosen to override the policy with one that is defined higher in the group structure, but a higher-level policy is not defined.
a_group_name | the policy is inherited from the referenced group.
Table 24: Group policy inheritance indicators
Initially blank or inherited from default?
The initial inheritance indicators for agent policies may be blank or Inheriting from the factory defaults depending on whether you override the SiteProtector system group settings when you register your agent with the SiteProtector system:
If you override the settings, the agent's settings are applied to the SiteProtector system policies, so the Inheriting From column is blank.
If you do not override the settings, the column follows the inheritance described in Table 24, above; however, you must configure the unconfigured policies.
Policy Inheritance with Agent Policies
Introduction This topic describes rules of inheritance for agent policies. It also explains where policies appear in the SiteProtector Console, based on the ways in which you can define them.
Rules for policy inheritance
The following rules describe policy inheritance for agent policies:
You must define a unique Access, ESM, Networking, Services, and Time policy for each agent.
You can allow the Notification and Update policies to inherit their definitions from policies defined higher in the group structure.
You can define only one Network Locations policy, to be used by all agents and assets. That policy must be defined at the Site Group level.
Agent policies in the Console
You work with policies in a Policy tab in the SiteProtector Console. When you select an agent on the left pane, the agent's policies appear on the right pane. If you expand the agent node, the policies also appear below the agent. Figure 19 is an example of agent policies for an agent in the CorporateScanners group:
Figure 19: Example of agent policies in a Policy tab in the SiteProtector system
Examples of inheritance indicators
Table 25 describes the inheritance indicators illustrated in Figure 19:
Inheriting From Value | Description
blank | The agent policies (Access, ESM, Networking, Services, and Time) are defined at the agent level.
Inheriting from the factory defaults | All of the policies are defined at the agent or Cancun group level. None of the policies inherit from the factory defaults.
A_Group_Name | The Notification and Update Settings policies appear on the left pane under Cancun, indicating that they are defined for the Cancun group. The Inheriting From column on the right pane confirms that the agent inherits the policies from Cancun.
Table 25: Agent policy inheritance indicators
Policy Inheritance with Asset Policies
Introduction This topic describes rules of inheritance for asset policies. It also explains where policies appear in the SiteProtector Console, based on the ways in which you can define them.
Rules for policy inheritance
The following rules describe policy inheritance for asset policies:
You can define only one Network Locations policy, at the Site level, to be used for all agents and assets in your entire group structure.
A Discovery policy applies to only the group for which you define it.
The remaining policies are inheritable. A subgroup inherits a policy from the first group higher than itself in the group structure that has a defined policy.
Asset policies in the Console
You work with policies in a Policy tab in the SiteProtector Console. When you select a group on the left pane, the group’s policies appear on the right pane. If you expand the group, the policies also appear below the group. Figure 20 is an example of asset policies in the CorporateScanningGroups group:
Figure 20: Example of asset policies in a Policy tab in the SiteProtector system
Examples of inheritance indicators Table 26 uses Figure 20 to illustrate the inheritance indicators. The Inheriting From value shown for each policy is one of the following:
• blank: The policy is defined at the selected group level. In Figure 20, the Assessment, Discovery, Scan Control, and Scan Window policies are defined at the selected group level, CorporateScanningGroups.
• Inheriting from the factory defaults: No policy of that type is defined for the group or for any group above it. In Figure 20, the group uses the Assessment Credentials and Scan Exclusion policies defined at a higher level, but neither policy is defined in the group's group structure, so the factory defaults apply.
• A_Group_Name: The policy is inherited from the named group. In Figure 20, the Network Services policy is defined at the Cancun level.
Table 26: Asset policy inheritance indicators
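The inheritance rules above and the Inheriting From indicators of Tables 25 and 26 can be written down as a small resolver. The following Python is an added example for this page; it is not part of Enterprise Scanner or SiteProtector and does not reproduce their code. The group structure (Site, Cancun, CorporateScanningGroups, and an extra Lab subgroup) and the set of policies defined on each group are constructed so that the CorporateScanningGroups results match Table 26. How the Console labels the Network Locations row for a subgroup is not shown on the page; returning the Site name for it is this model's assumption.

```python
SITE = "Site"
SITE_ONLY = {"Network Locations"}          # one policy, defined at the Site only
GROUP_ONLY = {"Discovery"}                 # applies only where it is defined
INHERITABLE = {"Assessment", "Assessment Credentials", "Network Services",
               "Scan Control", "Scan Exclusion", "Scan Window"}
FACTORY = "Inheriting from the factory defaults"

# Constructed group structure (child -> parent) and the policies explicitly
# defined on each group, chosen so that CorporateScanningGroups reproduces the
# Table 26 indicators; Lab is an extra subgroup added for this example.
PARENTS = {"Cancun": SITE, "CorporateScanningGroups": "Cancun",
           "Lab": "CorporateScanningGroups"}
DEFINED = {
    SITE: {"Network Locations"},
    "Cancun": {"Network Services"},
    "CorporateScanningGroups": {"Assessment", "Discovery", "Scan Control", "Scan Window"},
    "Lab": {"Scan Window"},
}


def can_define(group, policy):
    """Network Locations may be defined only at the Site; all else anywhere."""
    return group == SITE or policy not in SITE_ONLY


def ancestors(group, parents):
    """Yield group, then each parent up to and including the Site."""
    while group is not None:
        yield group
        group = parents.get(group)


def policy_source(group, policy, parents=PARENTS, defined=DEFINED):
    """Return the group whose definition of `policy` governs `group`, or None
    when the factory defaults apply. For Discovery, None means no background
    discovery scan is defined for the group at all."""
    if policy in SITE_ONLY:
        return SITE if policy in defined.get(SITE, ()) else None
    if policy in GROUP_ONLY:
        return group if policy in defined.get(group, ()) else None
    if policy not in INHERITABLE:
        raise ValueError(f"unknown asset policy: {policy}")
    for ancestor in ancestors(group, parents):   # nearest defining group wins
        if policy in defined.get(ancestor, ()):
            return ancestor
    return None


def inheriting_from(group, policy, **kw):
    """Model of the Console's Inheriting From column: blank when the policy is
    defined on the group itself, the ancestor's name when inherited, and the
    factory-defaults indicator otherwise."""
    source = policy_source(group, policy, **kw)
    if source is None:
        return FACTORY
    return "" if source == group else source


def policy_table(group, **kw):
    """Inheriting From value for every asset policy of one group."""
    return {p: inheriting_from(group, p, **kw)
            for p in sorted(SITE_ONLY | GROUP_ONLY | INHERITABLE)}
```

Running `policy_table("Lab")` shows the pattern the Flexibility paragraph of the next chapter recommends: Scan Control is inherited from CorporateScanningGroups while Lab's own Scan Window policy governs its hours, and Lab has no Discovery policy of its own even though its parent does.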
Chapter 6
Defining Background Scans
Overview
Introduction This chapter describes the minimum requirements and the options available for defining background scanning. Since ad hoc scans use some of the background policies, this chapter also describes the impact of those shared policies on ad hoc scans. In addition, checklists in this chapter guide you through the process of setting up background scans.
Scope This chapter describes all the asset policies except for the Discovery and Assessment policies. For descriptions of those policies, see Chapter 7, "Configuring Discovery and Assessment Policies" on page 97.
Prerequisite Before you modify policies, you must understand how to locate them in the SiteProtector Console. For an introduction to viewing policies, see "Viewing Asset and Agent Policies" on page 74.
In this chapter This chapter contains the following topics:
Topic Page
Determining When Background Scans Run 82
How Policies Apply to Ad Hoc and Background Scans 84
Background Scanning Checklists 86
Enabling Background Scanning (Scan Control Policy) 87
Defining Periods of Allowed Scanning (Scan Window Policy) 89
Excluding Assets from Scans (Scan Exclusion Policy) 91
Defining Network Services (Network Services Policy) 92
Defining Assessment Credentials (Assessment Credentials Policy) 94
Key Parameters for Defining Scan Jobs 96
Determining When Background Scans Run
Introduction This topic describes two important concepts for background scanning: scanning refresh cycles and scanning windows. These concepts control when background scans run.
Scanning refresh cycles A scanning refresh cycle is the maximum duration (in days, weeks, or months) of a background scan. You define scanning refresh cycles separately for discovery and for assessment scans in a Scan Control policy, and the cycles apply to the scans for all groups that the policy controls.
Important points about refresh cycles Refresh cycles affect scanning as follows:
• Refresh cycles apply to background discovery and background assessment scans; they do not apply to ad hoc scans.
• At the end of a refresh cycle, any background scanning jobs that are still running are stopped and do not run to completion. Their status appears as Expired.
• The refresh cycle begins at midnight on the first day of the cycle, and the jobs for that cycle are scheduled in the Command Jobs window at that time.
Scanning windows Scanning windows are the hours that are available for scanning each day of the week. A scan that runs only during scanning windows pauses when a window closes and resumes when the window reopens.
Scans affected by scanning windows Scanning windows affect scans as follows:
• Scanning windows apply to all background scans for the groups controlled by a particular Scan Window policy.
• When you run an ad hoc scan, you choose whether to confine the scan to the user-defined scanning windows.
Cycle and window dependencies Background scanning for a group requires a refresh cycle and one or more scanning windows. Although you define refresh cycles and scanning windows in different policies, they work together to define the extent of your background scans. The cycle defines the duration, or elapsed time, of the scan; the scanning windows define the days and hours when scanning may occur during the cycle. If the windows that open during a cycle do not add up to enough hours for a job to finish, the job expires at the end of the cycle and the remaining assets are not scanned until the next cycle, so size the cycle and the windows together.
Example Figure 21 illustrates a two-week scanning refresh cycle that has different scan windows for weekdays and for each day of the weekend. In this example, scans can run from 10:00 P.M. until 2:00 A.M. on weekdays, from noon until midnight on Saturday, and all day Sunday:
Figure 21: Example of refresh cycles and scanning windows
Flexibility Because you define refresh cycles and scanning windows in different policies, you can use the policy inheritance properties to more precisely define your scans. For example, you could define refresh cycles and apply the Scan Control policy to a group with several subgroups. For each subgroup, you could define different scan windows to control the amount of scanning on different parts of your network at different times. For more about policy inheritance, see "Policy Inheritance with Enterprise Scanner Policies" on page 77.
How Policies Apply to Ad Hoc and Background Scans
Introduction Policies apply to ad hoc and to background scans as follows:
• Agent policies apply to both ad hoc and background scans.
• Asset policies apply to both ad hoc and background scans; however, you can reconfigure some asset policies when you define an ad hoc scan.
Two types of scans Table 27 describes ad hoc and background scans:
• Ad hoc: One-time scans that you start manually for discovery and/or assessment scans, usually in response to network changes or newly discovered threats. Note: You can run an ad hoc scan immediately, or you can run it only during the scan windows defined for the group in the Scan Window policy.
• Background: Automatic, recurring scans that run on separately definable refresh cycles for discovery and for assessment scanning.
Table 27: Descriptions of ad hoc and background scans
Asset policies and ad hoc scans Table 28 defines configuration options for policies used by ad hoc scans:
• Background asset policies that you can reconfigure for ad hoc scans: Assessment and Discovery.
• Background asset policies that differ for ad hoc scans: Scan Control.
• Background asset policies that contain the same settings for ad hoc scans as for background scans: Assessment Credentials, Network Services, Scan Exclusion (Note: This policy applies only to assessment scans, but it applies to both ad hoc and background scans.), and Scan Window (optional).
Table 28: Asset policies for ad hoc and background scans
Changing Assessment and Discovery policies An ad hoc scan initially uses any settings currently configured in the Assessment and Discovery policies for the group. You can run the scan with those settings, or you can modify the settings. Table 29 describes the advantages of each method:
• If you use the configured settings, then you can easily start an ad hoc scan that duplicates a configured background scan.
• If you modify the configured settings, then you cannot save the policy. Therefore, the changes apply to only that ad hoc scan and do not affect configured background scans.
Table 29: Changes to Assessment and Discovery policies
Scan Control policy You cannot configure refresh cycles or scan windows for ad hoc scans because they are not included in the ad hoc Scan Control policy. Table 30 describes how refresh cycles and scan windows from the background Scan Control policy affect ad hoc scans:
• Scan windows: You can choose whether to run an ad hoc scan only during the open scan windows defined for background scans and to pause when the windows close.
• Refresh cycles: Ad hoc scans are never bound by the refresh cycles that apply to background scans. Ad hoc scans continue to scan until they finish or until you stop them. Ad hoc scans pause when scan windows close if you choose the option to run the scans only during open scan windows.
Table 30: Ad hoc Scan Control policy
Scan window and refresh cycle examples Assume the following:
• Your scanning refresh cycle is every two days.
• Scanning windows run from 8:00 P.M. until midnight and from 1:00 A.M. until 4:00 A.M. each day.
Consider the following cases. In each case you start an ad hoc scan that takes three hours at 11:00 P.M., confined to the scan windows. The scan runs from 11:00 P.M. until midnight, and then:
• If you started it on the first night of a refresh cycle, the scan runs from 1:00 A.M. until 3:00 A.M. on the second day of the same refresh cycle.
• If you started it on the second night of a refresh cycle, the scan runs from 1:00 A.M. until 3:00 A.M. on the first day of the next refresh cycle.
Table 31: Examples of scan windows and refresh cycles with ad hoc scans
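The Table 31 cases, and the rule under "Determining When Background Scans Run" that a background job still running at the end of its refresh cycle is stopped as Expired, as an added example in Python. This is illustrative code written for this page, not the product's scheduler, which the page does not describe at this level. The hour-by-hour walk, the Table 31 windows (8:00 P.M. to midnight and 1:00 A.M. to 4:00 A.M. every day), the reading of the Figure 21 schedule, and the cycle start date are all assumptions made for the example.

```python
from datetime import date, datetime, timedelta

# Constructed scan windows: weekday (0 = Monday ... 6 = Sunday) -> list of
# (start_hour, end_hour) pairs in whole hours, the granularity of the Scan
# Window policy. These are the windows assumed by Table 31.
TABLE31_WINDOWS = {day: [(1, 4), (20, 24)] for day in range(7)}

# The Figure 21 schedule as this example reads it: 10 P.M. to 2 A.M. on
# weekdays, noon to midnight on Saturday, all day Sunday.
FIGURE21_WINDOWS = {day: [(0, 2), (22, 24)] for day in range(5)}
FIGURE21_WINDOWS[5] = [(0, 2), (12, 24)]
FIGURE21_WINDOWS[6] = [(0, 24)]


def open_hours_per_week(windows):
    """Total scanning hours the windows allow per week; compare this with the
    hours a job needs before trusting a cycle length."""
    return sum(end - start for day in windows.values() for start, end in day)


def window_open(t, windows):
    """True if the hour starting at t lies inside an open window."""
    return any(start <= t.hour < end for start, end in windows.get(t.weekday(), []))


def run_scan(start, work_hours, windows, cycle_start, cycle_days,
             background, confine_to_windows=True):
    """Walk forward one hour at a time until work_hours of scanning are done.

    Background scans run only inside windows and are stopped (Expired) at the
    midnight that begins the next refresh cycle. Ad hoc scans never expire;
    they pause while windows are closed only if confine_to_windows is True.
    Returns (status, finished_at, hours_done, intervals), where intervals are
    (begin, end) datetimes of contiguous scanning.
    """
    cycle_end = datetime.combine(cycle_start, datetime.min.time()) + timedelta(days=cycle_days)
    t, done, intervals, current = start, 0, [], None
    while done < work_hours:
        if background and t >= cycle_end:
            if current is not None:
                intervals.append(current)
            return "Expired", None, done, intervals
        if not (background or confine_to_windows) or window_open(t, windows):
            nxt = t + timedelta(hours=1)
            if current is not None and current[1] == t:
                current = (current[0], nxt)        # extend the running interval
            else:
                if current is not None:
                    intervals.append(current)
                current = (t, nxt)                 # a window just opened
            done += 1
        t += timedelta(hours=1)
    if current is not None:
        intervals.append(current)
    return "Completed", t, done, intervals
```

With a two-day cycle starting on 2007-01-01, an ad hoc scan started at 11:00 P.M. on the second night completes at 3:00 A.M. on the first day of the next cycle, exactly as Table 31 says; the same three hours of work started as a background job at that time is reported Expired at midnight with only one hour done, which is the behaviour to plan around when you size cycles and windows.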
Background Scanning Checklists
Introduction You can set up background scans by configuring only the required policies, or you can fully customize background scans by configuring additional policies. This topic describes the minimum requirements to set up background discovery and background assessment scanning. You should also use any other policies that help you configure your scanning environment to meet your security goals.
Checklist for background discovery scans Table 32 describes the requirements for setting up background discovery scanning for a group:
• Apply a Discovery policy to the group. See "Defining Assets to Discover (Discovery Policy)" on page 99.
• Apply a Scan Window policy to the group (either directly or through inheritance from a higher group). See "Defining Periods of Allowed Scanning (Scan Window Policy)" on page 89.
• Optional: Apply an Assessment Credentials policy to the group for better OS identification. See "Defining Assessment Credentials (Assessment Credentials Policy)" on page 94.
• Apply a Scan Control policy to the group (either directly or through inheritance from a higher group). See "Enabling Background Scanning (Scan Control Policy)" on page 87.
Table 32: Checklist for background discovery scanning
Checklist for background assessment scans Table 33 describes the requirements for setting up background assessment scanning for a group:
• Verify that the group already contains assets, possibly from a recent discovery scan.
• Apply an Assessment policy to the group (either directly or through inheritance from a higher group). See "Defining Assessment Details Introduction (Assessment Policy)" on page 100.
• Apply a Scan Window policy to the group (either directly or through inheritance from a higher group). See "Defining Periods of Allowed Scanning (Scan Window Policy)" on page 89.
• Optional: Apply an Assessment Credentials policy to the group for better OS identification. See "Defining Assessment Credentials (Assessment Credentials Policy)" on page 94.
• Apply a Scan Control policy to the group (either directly or through inheritance from a higher group). See "Enabling Background Scanning (Scan Control Policy)" on page 87.
Table 33: Checklist for background assessment scanning
Enabling Background Scanning (Scan Control Policy)
Introduction Background scanning is based on scanning refresh cycles. Refresh cycles define how frequently you want to rerun scans for a group. Use the Scan Control policy to define the duration of refresh cycles and to assign user-defined perspectives to scans.
Note: Background scans run during open scan windows that you define in the Scan Window policy.
Important: This policy initiates background scanning, so you should configure it after you have configured the other policies required for background scanning.
Scope The Scan Control policy applies to background discovery and background assessment scans. This policy does not affect ad hoc scans. Consequently, the behavior for ad hoc scans is different:
• An ad hoc discovery scan runs only on the group where you define the scan.
• An ad hoc assessment scan applies to the group where you define the scan and to all the subgroups. This is different from background scans in that background scanning behavior is determined by which Scan Control policy applies to each subgroup.
Procedure To enable scanning:
1. In the SiteProtector Console, set up a tab to display asset policies. (See page 74.)
2. On the navigation pane, select a group, and then open the Scan Control policy for that group.
3. Select the Enable background discovery/assessment scanning of this group check box, for the type(s) of background scanning you want to define, in the Background Discovery and Background Assessment sections.
4. Configure background scanning for each type of scan using the following fields:
• Task name: The name you want to appear for the scanning job in the Command Jobs window. Note: This name identifies the scan when it runs, so choose a meaningful name.
• Cycle start date: The date on which you want the refresh cycle to start. Note: Scans are scheduled in the Command Jobs window in the SiteProtector Console at midnight at the beginning of a refresh cycle.
• Cycle duration: The length (up to 3 digits) of the refresh cycle, in one of the following units: days, weeks, or months.
• Current cycle start date: The beginning date of the current refresh cycle. (Display only.)
• Next cycle start date: The beginning date of the next refresh cycle. (Display only.)
• Wait for discovery scan to complete before scheduling assessment scan: Delays the start of the assessment scan until the discovery scan has finished, to ensure that the discovery scan has identified all discoverable assets before the assessment scan begins. Note: This check box is available for assessment scans only. When you select this check box, the fields for the cycle dates and times for the assessment scan are not available.
5. If you want to scan from a user-defined perspective, select a perspective from the Perform background scans from this perspective (Network location) box.
Tip: If you have not yet defined the perspective, click the Configure Network Location icon to open the Network Locations policy (see page 112) and define a new perspective.
Defining Periods of Allowed Scanning (Scan Window Policy)
Introduction Use the Scan Window policy to define the following:
• hours of allowed scanning for discovery scans (scan windows)
• hours of allowed scanning for assessment scans (scan windows)
• the time zone in which you want the scanning to occur, which is usually the time zone of the assets
Important: By default, scanning is allowed at any time. If you want to limit scanning, be sure to define scan windows.
Scope The Scan Window policy applies to background discovery and assessment scans. For an ad hoc scan, you can choose whether to run the scan only during the windows defined in this policy or to run the scan without restriction.
Default behavior By default, all scan windows are open, so scanning is allowed at any time. When you open a Scan Window policy, however, the default changes, and all scan windows are closed. If you modify a Scan Window policy, be sure to define scan windows for discovery and for assessment scans.
Important: If you start a scan when there are no scan windows, the job appears in the Command Jobs window in the Idle state. The job will not run until you define scan windows.
Rules for defining scan windows The following rules apply to scan windows:
• You define the scan windows for discovery and assessment scans separately, on separate tabs of the policy. Important: Be sure to define a scan window for both types of scans if you intend to run both as background scans.
• You can define scan windows only in increments of hours, so the minimum scan window is one hour.
• You can define as many scan windows as you want on any day of the week.
Important consideration for multiple agents If you have multiple agents, you should stagger your scan windows to allow the discovery scan to finish before the assessment scan begins. If a discovery scan adds assets to a group while an assessment scan is running, there is no guarantee that those assets will be included in the assessment scan.
Procedure To define periods of allowed scanning:
1. In the SiteProtector Console, set up a tab to display asset policies. (See page 74.)
2. On the navigation pane, select a group, and then open the Scan Window policy for that group.
3. Select the Discovery Windows tab or the Assessment Windows tab. Note: Scanning hours are selected; non-scanning hours are not selected.
4. Select the periods of allowed scanning using the following methods:
• To allow scanning during specific hours, click and drag your cursor over the hours in each day to allow scanning.
• To allow scanning at any time, click Fill All.
• To remove all defined scan periods, click Clear All.
Important: To enable background scanning, you must define at least one scan window.
5. Select the Time Zone tab.
6. Select the time zone in which you want the scan windows to run from the Time zone for scan windows list.
Note: Typically, you use the time zone of the assets in the group. For example, you may be in the Eastern time zone but scanning assets in the Pacific time zone. You would define your scanning hours according to the considerations of the Pacific time zone, and then set the time zone for scan windows to the Pacific time zone.
Excluding Assets from Scans (Scan Exclusion Policy)
Introduction Use the Scan Exclusion policy to define specific ports and/or assets to exclude from a scan of a group of assets. You should define the Scan Exclusion policy at a high level in your group structure and allow the lower groups to inherit from it. If needed, you can then override the policy at lower groups.
Scope The Scan Exclusion policy applies to assessment scans that run as either background or ad hoc scans. The policy does not apply to discovery scans, so an excluded host can still be discovered and added to a group; it is only exempt from assessment checks.
Policy content Each Scan Exclusion policy defines the following information for the policy's associated asset group (and the groups that inherit from it):
• A list of ports against which no assessment checks will be run. (No checks run against these ports on any host in the group. This applies to both TCP and UDP ports.)
• A list of IP addresses not to scan.
Excluding ports To exclude ports from a scan:
1. In the SiteProtector Console, set up a tab to display asset policies. (See page 74.)
2. On the navigation pane, select a group, and then open the Scan Exclusion policy for that group.
3. Type the port numbers, choose them from a list, or do both, as follows:
• Type the ports to exclude, separated by commas, in the Excluded Ports box.
• Click Well Known Ports, and then select the ports to exclude. Tip: You can use the standard multiple-select techniques of SHIFT to select a range, or CTRL to select individual ports.
Excluding assets To exclude assets from a scan:
1. In the SiteProtector Console, set up a tab to display asset policies. (See page 74.)
2. On the navigation pane, select a group, and then open the Scan Exclusion policy for that group.
3. Type the IP addresses (in CIDR or dotted-decimal notation) of the hosts to exclude in the Excluded Hosts box as follows:
• Type an IP address, and then press ENTER (or type a comma).
• Type a range of IP addresses, and then press ENTER (or type a comma). Example: 172.1.1.100-172.1.1.200
Note: A red box may appear around the Excluded Hosts box as you type until the data is validated.
Defining Network Services (Network Services Policy)
Introduction Use the Network Services policy to define service names associated with TCP and UDP ports. You can modify some properties of a default service in the policy, and you can add your own customized services to the policy.
Scope The Network Services policy applies to assessment scans that run as either background or ad hoc scans.
Default settings The IBM ISS X-Force defines the default Network Services policy and may update the policy in an X-Press Update (XPU). The default policy applies to all groups that do not override it. The service names defined in the policy are referenced as target types in Enterprise Scanner check definitions. X-Force adds a service name when a new check uses a service that was not previously defined in the policy.
Policy inheritance and updates A Network Services policy defined in association with a group overrides the default definitions for only those services explicitly referenced in the user-defined policy. A user-defined Network Services policy includes only explicit overrides of inherited service definitions. This ensures that all groups automatically inherit XPU updates to the default Network Services policy.
Service definition The Network Services policy includes the following information about each service:
• service name
• service description
• port number
• protocol (TCP or UDP)
• whether some (or all) instances of the service operate over SSL on this port within your network
• whether to include the port in the service scan
• whether you have customized a default service or created a custom service
Procedure To configure network services:
1. In the SiteProtector Console, set up a tab to display asset policies. (See page 74.)
2. On the navigation pane, select a group, and then open the Network Services policy for that group.
3. For default or customized services, you can do the following:
• To disable a service definition, clear the Enabled check box for that service.
• To change the description of a service, slowly click Description twice to enter edit mode, and then change the description.
• For each service that operates over SSL in at least some part of your network, select the May use SSL check box for that service.
• To allow service scans for this service over any TCP and UDP ports specified in the Assessment policy, select the Service scan check box.
Note: You cannot change the Service name, Port, or Protocol of default services. You cannot delete default services.
4. For customized services, you can do the following:
• To add a service, click the add icon.
• To modify a service, select the service, and then click the modify icon.
• To delete a service, select the service, and then click the delete icon.
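The override semantics described under "Policy inheritance and updates", as an added Python example that is not part of Enterprise Scanner: a group's Network Services policy stores only the explicit changes it makes, and the effective policy is the X-Force defaults with those changes applied, so a service added by a later XPU shows up without anyone editing the group policy. The default service table, the later XPU, the Cancun override set and the `admin-ui` custom service are all constructed for the example; the real defaults ship in XPUs and are not reproduced here. Which group's override set applies to a given group follows the inheritance rules on page 77 and is taken as given.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Service:
    """One row of a Network Services policy (the fields listed on this page)."""
    name: str
    port: int
    protocol: str            # "tcp" or "udp"
    description: str
    enabled: bool = True
    may_use_ssl: bool = False
    service_scan: bool = False
    custom: bool = False     # True for a service you added yourself


# Constructed stand-in for the X-Force default policy.
XPU_DEFAULTS_V1 = {
    "http": Service("http", 80, "tcp", "Web server"),
    "https": Service("https", 443, "tcp", "Web server over SSL", may_use_ssl=True),
    "ssh": Service("ssh", 22, "tcp", "Secure shell"),
}
# A later (constructed) XPU adds a service that no group policy knows about yet.
XPU_DEFAULTS_V2 = dict(XPU_DEFAULTS_V1, snmp=Service("snmp", 161, "udp", "SNMP agent"))

# What a group policy may change on a default service. Service name, Port and
# Protocol are fixed, and default services cannot be deleted.
OVERRIDABLE = {"description", "enabled", "may_use_ssl", "service_scan"}


def apply_overrides(defaults, overrides):
    """Resolve the effective Network Services policy for a group.

    `overrides` is the group's user-defined policy: a mapping from service
    name to either a dict of changed fields (override of a default service)
    or a Service with custom=True (user-added service). Because the group
    policy stores only these explicit entries, every service that a new XPU
    adds to `defaults` appears in the result automatically.
    """
    effective = dict(defaults)
    for name, override in overrides.items():
        if isinstance(override, Service):
            if not override.custom or name in defaults:
                raise ValueError(f"{name}: default services cannot be added or replaced")
            effective[name] = override
            continue
        if name not in defaults:
            raise KeyError(f"{name}: no default service with that name to override")
        fixed = set(override) - OVERRIDABLE
        if fixed:
            raise ValueError(f"{name}: {sorted(fixed)} cannot be changed on a default service")
        effective[name] = replace(defaults[name], **override)
    return effective


def ssl_capable_ports(effective):
    """Ports on which at least some instances of an enabled service may use SSL."""
    return sorted(s.port for s in effective.values() if s.enabled and s.may_use_ssl)


# Constructed override set, as a group such as Cancun might define it.
CANCUN_OVERRIDES = {
    "http": {"may_use_ssl": True, "service_scan": True},  # some intranet HTTP is TLS-wrapped
    "ssh": {"enabled": False},                            # run no ssh checks in this group
    "admin-ui": Service("admin-ui", 8443, "tcp", "Vendor admin console",
                        may_use_ssl=True, custom=True),
}
```

Applying the same `CANCUN_OVERRIDES` to `XPU_DEFAULTS_V2` yields the new `snmp` service alongside the unchanged `http` and `ssh` overrides, which is the property the page relies on when it says groups inherit XPU updates automatically; an attempt to change the port of a default service is rejected, matching the Console's rule that Service name, Port and Protocol are fixed.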
Defining Assessment Credentials (Assessment Credentials Policy)
Introduction Use the Assessment Credentials policy to define authentication credentials that your agent can use to log on to the accounts of the assets it scans. Enterprise Scanner uses all instances of the credentials defined for the group when it scans assets in the group. You may define all credentials in one policy and use that policy for the entire site, or you may create multiple instances of the policy to use for different groups.
Scope The Assessment Credentials policy applies to every type of scan.
Windows and Unix accounts The requirements of the fields in the policy may differ for Windows and for Unix accounts. Those differences are described in the procedure below.
Procedure To define assessment credentials:
1. In the SiteProtector Console, set up a tab to display asset policies. (See page 74.)
2. On the navigation pane, select a group, and then open the Assessment Credentials policy.
3. Click Add. The Add Assessment Credentials window appears.
4. Provide the following account information:
• Username: The user identification for an account.
• Password: The password to use with the Username to log into an account.
• Account Type: One of the following:
  Windows Local: Indicates the user account is defined locally on a single Windows device. The account is used to attempt logon to a single Windows device. When you choose this option, you must provide a Windows host name in the Domain/Host box.
  Windows Domain/Workgroup: Indicates the user account is defined in a Windows Domain or Workgroup. The account is used to attempt logon to all Windows devices within the domain or workgroup. When you choose this option, you must provide the Windows Domain or Workgroup name in the Domain/Host box.
  Windows Active Directory: Indicates the user account is defined in a Windows Active Directory Domain. The account is used to attempt logon to all Windows devices within the Active Directory domain. When you choose this option, you must provide the Active Directory Domain name in the Domain/Host box.
  SSH Local: Indicates the user account is defined locally on a single Unix device that allows SSH logons. The account is used to attempt login to a single Unix device. When you choose this option, you must provide an IP address in the Domain/Host box.
  SSH Domain: Indicates the user account is defined for Unix devices that allow SSH logons. In this context, Domain loosely refers to a set of devices, rather than to a specific type of domain. The account is used to attempt to log on to all SSH devices covered by the policy. When you choose this option, you should supply a descriptive name in the Domain/Host box. This is for documentation purposes only; it is not used by Enterprise Scanner.
• Domain/Host: One of the following: for Windows accounts, the domain or host name to which the account applies; for SSH Local accounts, the IP address of the device to which the account applies; for SSH Domain accounts, any text.
• Account Level: Administrator, User, or Guest.
Caution: Because the agent tries every credential defined for the group, a duplicated entry is tried repeatedly against the same account. To avoid inadvertently locking out an account, do not add an account more than once.
5. Click OK.
Key Parameters for Defining Scan Jobs
Introduction If you understand how to define ad hoc and background scans with Enterprise Scanner, you can use this topic to quickly reference key scanning parameters.
Key parameters Table 34 describes how to find and configure key parameters to define scans. For each task, it names the policy to open and the setting to change:
• Define perspectives to use for your Site: open the Network Locations policy for the Site, and then add a new Network Location Name.
• Define the perspective of an agent: open the ESM policy for the agent, and then select the network location from the Perspective (Network location) list.
• Define the perspective from which you want to scan a group with a background scan: open the Scan Control policy for the group to scan, and then select the perspective from the Perform background scans from this perspective (Network location) list.
• Define the perspective from which you want to scan a group with an ad hoc scan: open the Remote Scan (ad hoc) policy (right-click a group, and then select Scan from the pop-up menu), and then select the perspective from the Perform one-time scan from this perspective (network location) list.
• Define the number of assets in a subgroup to scan in one subtask: open the ESM policy for the agent, and then change the Maximum IPs per discovery subtask and/or the Maximum assets per assessment subtask boxes. For guidance in determining the size of subtasks, see "Considerations for Subtask Sizes" on page 111.
• Define the duration of the scanning cycle (the amount of time that passes before the scans automatically run again and refresh the data) for a group of assets: open the Scan Control policy for the group to scan, and then configure Cycle start date and Cycle duration for discovery and for assessment scans.
• Define the windows when scanning is allowed: open the Scan Window policy for the group to scan, and then configure the Discovery Windows and the Assessment Windows.
Table 34: Key scanning parameters
Chapter 7
Configuring Discovery and Assessment Policies
Overview
Introduction The major effort in defining discovery and assessment background scans is in configuring the Discovery and Assessment policies. This chapter describes the options available in those policies. To finish configuring a background scan or to run an ad hoc scan, see the references below.
Scanning dependencies The Discovery and Assessment policies define only a portion of the requirements for background and for ad hoc scanning.
• For additional background scanning requirements, see Chapter 6, "Defining Background Scans" on page 81.
• For additional ad hoc scanning requirements, see Chapter 14, "Running Ad Hoc Scans" on page 191.
Prerequisite Before you modify policies, you must understand how to locate them in the SiteProtector Console. For an introduction to viewing policies, see "Viewing Asset and Agent Policies" on page 74.
In this chapter This chapter contains the following topics:
Topic Page
How Policies Apply to Discovery and Assessment Scans 98
Defining Assets to Discover (Discovery Policy) 99
Defining Assessment Details Introduction (Assessment Policy) 100
Description of Check Information (Assessment Policy) 101
Grouping and Displaying Checks (Assessment Policy) 103
Defining Common Assessment Settings (Assessment Policy) 106
How Policies Apply to Discovery and Assessment Scans
Introduction With Enterprise Scanner, you define discovery scans and assessment scans separately. Agent and asset policies apply to discovery and assessment scans as follows:
• Agent policies describe the scanning behavior of the agent, and they apply to both discovery and assessment scans. Note: The ESM (Enterprise Scanner Module) agent policy does, however, include some separate settings for discovery and assessment scans.
• Asset policies apply to discovery scans, to assessment scans, or to both, depending on the policy.
Scope of scanning Table 35 defines the scopes of discovery and assessment scans:
• Discovery: The IP addresses that you assign to the scan for a single group. Note: The group you use for discovery scans may already contain assets. Those assets do not have to belong to the IP range of the scan.
• Assessment: The assets in a group and any included subgroups, based on policy inheritance. Note: The list of assets included in a scan is based on the assets in the group when the scan job is posted to the Command Jobs window, not the assets in the group when you save assessment policies.
Table 35: Scope of discovery and assessment scans
Asset policies Table 36 identifies which asset policies apply to discovery scans, which apply to assessment scans, and which apply to both:
Policy                  Discovery   Assessment
Assessment              n/a         Yes
Assessment Credentials  Yes         Yes
Discovery               Yes         n/a
Network Locations       Yes         Yes
Network Services        n/a         Yes
Scan Control            Yes         Yes
Scan Exclusion          n/a         Yes
Scan Window             Yes         Yes
Table 36: Asset policies that affect discovery and assessment scans
Note: Although the Network Services policy governs assessment checks only, OS identification during a discovery scan probes the ports listed in the applicable Network Services policy in addition to ports 1–1023 (see "Defining Assets to Discover (Discovery Policy)" on page 99).
Defining Assets to Discover (Discovery Policy)
Introduction A Discovery policy defines parameters used to perform discovery on a portion of a
network. In a discovery task, a range of IP addresses is scanned to locate active network interfaces, and the type of device associated with each active network interface is determined through OS identification.
OS discovery requirements
Before it can perform OS fingerprinting on an asset, your agent must find one open and one closed port. To find an open and a closed port, the agent scans ports 1–1023 and any other ports specified in the applicable Network Services policy.
Scope The Discovery policy applies to background discovery scans. An ad hoc scan reads this
policy and uses its settings to initialize the ad hoc discovery scan. You can change the settings in the ad hoc scan without changing the background policy.
Procedure To define discovery ranges:
1. In the SiteProtector Console, set up a tab to display asset policies. (See page 74.)
2. On the navigation pane, select a group, and then open the Discovery policy for that group.
3. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets to discover in the IP range(s) to scan box as follows:
Type an IP address, and then press ENTER (or type a comma).
Type a range of IP addresses, and then press ENTER (or type a comma).
Example: 172.1.1.100-172.1.1.200
Note: A red box appears around the IP range(s) to scan box until the data is validated.
4. If you want to ping each IP address before starting to scan any assets, in order to exclude unreachable hosts from the scan, select the Ping hosts in this range, before scanning, to exclude unreachable hosts check box.
5. If you want to add newly discovered assets to the group where you have defined the scan—rather than to the Ungrouped Assets group—select the Add newly discovered assets to group check box.
Note: This check box is enabled by default.
6. If you want to add previously known assets that are already defined in other groups to the scan group, select the Add previously known assets to group (if not already in group) check box.
Note: This check box is enabled by default.
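The following is an added example, not IBM code, of the input format the procedure describes for the IP range(s) to scan box: entries separated by ENTER or commas, each a single dotted-decimal address, a CIDR block, or a dash range such as 172.1.1.100-172.1.1.200. The parser validates every entry (the condition the console signals with the red box), expands the entries to the individual addresses a discovery scan would probe, and applies the step 4 ping filter to a constructed set of responders. The function names, the sample field contents, and the decision to reject a CIDR entry with host bits set are assumptions of this example.

```python
import ipaddress
from typing import List, Optional, Set

# Added example (not IBM code): parser for the "IP range(s) to scan" field.


def parse_scan_ranges(text: str) -> List[ipaddress.IPv4Network]:
    """Validate every entry and return it as IPv4Network objects.

    A single address becomes a /32; a dash range becomes the smallest set of
    CIDR blocks that covers it. The first malformed entry raises ValueError.
    Assumption: a CIDR entry with host bits set (10.0.0.5/24) is treated as a
    typo and rejected rather than silently widened to the whole block.
    """
    networks: List[ipaddress.IPv4Network] = []
    for raw in text.replace("\n", ",").split(","):   # ENTER or comma separates entries
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:
            first, last = (part.strip() for part in entry.split("-", 1))
            start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            if end < start:
                raise ValueError(f"range end precedes range start: {entry}")
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # IPv4Network("198.51.100.7") is a /32; strict=True rejects host bits.
            networks.append(ipaddress.IPv4Network(entry, strict=True))
    return networks


def validate_scan_ranges(text: str) -> Optional[str]:
    """Return None when the field would pass validation, else the error text."""
    try:
        parse_scan_ranges(text)
    except ValueError as exc:
        return str(exc)
    return None


def expand_targets(networks) -> Set[ipaddress.IPv4Address]:
    """Expand validated entries to the individual addresses the discovery scan
    would probe, de-duplicating overlaps between entries."""
    targets: Set[ipaddress.IPv4Address] = set()
    for net in networks:
        targets.update(net)   # iterating a network yields each address in it
    return targets


def exclude_unreachable(targets, answered_ping) -> Set[ipaddress.IPv4Address]:
    """Step 4 of the procedure: keep only hosts that answered the pre-scan ping.
    The set of responders is supplied by the caller; nothing is sent on the wire."""
    return {t for t in targets if t in answered_ping}


# Constructed sample input, typed the way the procedure describes.
SAMPLE_FIELD = "172.1.1.100-172.1.1.200\n192.0.2.0/30, 198.51.100.7"

if __name__ == "__main__":
    nets = parse_scan_ranges(SAMPLE_FIELD)
    hosts = expand_targets(nets)
    print(f"{len(nets)} CIDR blocks, {len(hosts)} target addresses")   # 106 addresses
    responders = expand_targets(parse_scan_ranges("172.1.1.150, 192.0.2.1"))   # constructed ping results
    print(sorted(exclude_unreachable(hosts, responders)))
    print(validate_scan_ranges("10.0.0.300"))      # invalid octet: error text
    print(validate_scan_ranges("10.0.0.9-10.0.0.1"))   # reversed range: error text
```

Because entries are expanded and de-duplicated before probing, an address that appears both on its own and inside a CIDR block or dash range is scanned once, not twice.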
IBM Proventia Network Enterprise Scanner User Guide, Version 1.3
Chapter 7: Configuring Discovery and Assessment Policies
Defining Assessment Details (Assessment Policy)
Introduction An Assessment policy defines parameters that specify how to assess a group of assets. The policy contains two tabs, and the instructions for each tab are provided as follows:

For this tab…      See…
Checks             “Description of Check Information (Assessment Policy)” on page 101 and “Grouping and Displaying Checks (Assessment Policy)” on page 103.
Common Settings    “Defining Common Assessment Settings (Assessment Policy)” on page 106.
Table 37: Information about each tab in the Assessment policy
Scope The Assessment policy applies only to assessment scans that run in the background. Ad
hoc scans read this policy and use its settings to initialize the ad hoc Assessment policy. You can change the ad hoc version of the policy without changing the saved background version.
Policy contents An Assessment policy includes the following information:
a list of assessment checks
check-specific configuration parameters
common assessment settings that define additional scanning behavior