IBM Proventia Network Enterprise Scanner User Manual

IBM Proventia Network Enterprise Scanner
User Guide
Version 1.3
IBM Internet Security Systems
© Copyright IBM Corporation 1997, 2007. IBM Global Services Route 100 Somers, NY 10589 U.S.A.
Produced in the United States of America.
All Rights Reserved.
IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than IBM Internet Security Systems (IBM ISS). Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. IBM Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall IBM ISS be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if IBM Internet Security Systems has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by IBM Internet Security Systems. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM Internet Security Systems, and shall not be used for advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents IBM Internet Security Systems, Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behavior to support@iss.net.
August 15, 2007
Contents
Preface
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
How to Use Enterprise Scanner Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Getting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Part I: Getting Started
Chapter 1: Introduction to Enterprise Scanner
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Key Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Introducing Background Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Migrating from Internet Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Enterprise Scanner Communication Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Component Descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
The SiteProtector System Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 2: Installing and Configuring an Agent
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Setting Up Your Appliance for Initial Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configuring Appliance-Level Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring Explicit-Trust Authentication with an Agent Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Registering Enterprise Scanner to Connect to the SiteProtector System . . . . . . . . . . . . . . . . . . . . . . 37
Logging On to the SiteProtector Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 3: Running Your First Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Basic Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Finding Your Agent, Assets, and Policies in the SiteProtector System . . . . . . . . . . . . . . . . . . . . . . . . 44
Running Ad Hoc Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Background Scanning Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Background Scanning Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Chapter 4: Setting Up Scanning Permissions for Users
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Enterprise Scanner Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Enterprise Scanner User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Considerations for Enterprise Scanner Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Creating User Groups in the SiteProtector System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Changing Group Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
IBM Proventia Network Enterprise Scanner User Guide, Version 1.3
Part II: Configuring Enterprise Vulnerability Protection
Chapter 5: Introduction to Enterprise Scanner Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Introduction to Asset and Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Contents of Asset and Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Viewing Asset and Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Descriptions of Asset Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Descriptions of Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Policy Inheritance with Enterprise Scanner Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Policy Inheritance with Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Policy Inheritance with Asset Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Chapter 6: Defining Background Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Determining When Background Scans Run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
How Policies Apply to Ad Hoc and Background Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Background Scanning Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Enabling Background Scanning (Scan Control Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Defining Periods of Allowed Scanning (Scan Window Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Excluding Assets from Scans (Scan Exclusion Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Defining Network Services (Network Services Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Defining Assessment Credentials (Assessment Credentials Policy). . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Key Parameters for Defining Scan Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Chapter 7: Configuring Discovery and Assessment Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
How Policies Apply to Discovery and Assessment Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Defining Assets to Discover (Discovery Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Defining Assessment Details Introduction (Assessment Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Description of Check Information (Assessment Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Grouping and Displaying Checks (Assessment Policy). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Defining Common Assessment Settings (Assessment Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Chapter 8: Defining Agent Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Defining Scanning Network Interfaces (ESM Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Considerations for Subtask Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Defining Perspectives (Network Locations Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Defining Alert Logging (Notification Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Defining Agent Passwords (Access Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Defining Agent Interfaces (Networking Policy). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Defining the Date and Time Settings of the Agent (Time Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Defining Services to Run on the Agent (Services Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Part III: Scanning
Chapter 9: Understanding Scanning Processes in SiteProtector
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
What is Perspective? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Defining Perspectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
One Way to Use Perspective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Scan Jobs and Related Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Types of Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Priorities for Running Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Stages of a Scanning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Optimizing Cycle Duration, Scan Windows, and Subtasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Chapter 10: Monitoring Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Finding Your Scan Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Job Information in the Command Jobs Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Viewing Runtime Details about Discovery Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Viewing Discovery Job Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Viewing Discovery Job and Parent Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Viewing Discovery Scanning Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Viewing Runtime Details about Assessment Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Viewing Assessment Job Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Viewing Assessment Job and Parent Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Viewing Base Assessment and Scanning Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Chapter 11: Managing Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Stopping and Restarting Scan Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Suspending and Enabling All Background Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Minimum Scanning Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Generally Expected Scanning Behaviors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Expected Scanning Behaviors for Ad Hoc Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Expected Scanning Behaviors for Background Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Identifying Error Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Part IV: Analysis, Tracking, and Remediation
Chapter 12: Interpreting Scan Results
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Setting Up a Summary Page for Vulnerability Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Viewing Vulnerabilities in the SiteProtector Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
OS Identification (OSID) in Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
How OSID Is Updated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Viewing Vulnerabilities by Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Viewing Vulnerabilities by Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Viewing Vulnerabilities by Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Viewing Vulnerabilities by Vuln Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Assessment Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Assessment Report Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Report Sorting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Chapter 13: Tracking and Remediation
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Ticketing and Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Possible Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Overview of the Remediation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Remediation Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Chapter 14: Running Ad Hoc Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Understanding How Ad Hoc Scans Use Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Expected Behavior for Ad Hoc Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Running an Ad Hoc Discovery Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Running an Ad Hoc Assessment Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Part V: Maintenance
Chapter 15: Performing Routine Maintenance
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Logging On to Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Shutting Down Your Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Removing an Agent from SiteProtector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Options for Backing up Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Backing Up Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Using Full System Backup Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Acquiring Your Enterprise Scanner Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Preparing to Reinstall an Enterprise Scanner Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Reinstalling an Enterprise Scanner Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Chapter 16: Updating Enterprise Scanner
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Section A: Understanding the XPU Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
XPU Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Updating Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Consoles to Use for XPUs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
XPU Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Section B: Configuring the XPU Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Configuring Explicit-Trust Authentication with an XPU Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Configuring an Alternate Update Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Configuring an HTTP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Configuring Notification Options for XPUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Section C: Scheduling Updates and Manually Updating an Agent . . . . . . . . . . . . . . . . . . . 225
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Update Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Scheduling a One-Time Firmware Update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Configuring Automatic Downloads and Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Manually Installing Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Chapter 17: Viewing Agent Status
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
The Proventia Manager Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Viewing Status in the SiteProtector Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Viewing Agent Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Viewing Application Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Viewing System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Viewing System Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Chapter 18: Enterprise Scanner Logs and Alerts
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Types of Alerts and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Viewing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Viewing Different Types of Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Downloading an Alert Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Clearing the Alerts Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Viewing ES and System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Viewing ES Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Downloading ES Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
System Log Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Getting Log Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Changing Logging Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Preface
Overview
Introduction
This is the User Guide for the IBM Proventia Network Enterprise Scanner appliance (Enterprise Scanner) from IBM Internet Security Systems, Inc. (IBM ISS), which includes the following models: the ES750 and the ES1500. The Enterprise Scanner appliance is a vulnerability detection agent that is designed for the enterprise customer.
Scope
This User Guide explains how to use Enterprise Scanner (and the IBM SiteProtector system) through the entire vulnerability management process, including configuring the agent, configuring scans, monitoring scans, tracking and remediation, and maintaining the agent.
Audience
This Guide is written for security analysts and managers who are responsible for managing the vulnerabilities of assets of an enterprise network.
User background
To use Enterprise Scanner you must understand your network topology and the criticality of your assets. In addition, because Enterprise Scanner is managed through the SiteProtector Console, you must have a working knowledge of the SiteProtector system, including how to set up views, manage users and user permissions, and manage policies.
How to Use Enterprise Scanner Documentation
Introduction
This topic describes the documentation that explains how to use Enterprise Scanner and the SiteProtector system.
Using this guide
This guide is organized according to the workflows needed to protect your enterprise:
Table 1: Vulnerability management workflows in the User Guide
Workflow: Description
Part I, Getting Started: Install and configure the appliance.
Part II, Configuring Enterprise Vulnerability Protection: Set up a continuous scanning environment for your enterprise.
Part III, Scanning: Follow scans through the scanning process.
Part IV, Analysis, Tracking, and Remediation: Monitor the protection status of your assets and your efforts to remediate vulnerabilities.
Part V, Maintenance: Perform scheduled maintenance, such as product updates and log maintenance, as well as tasks such as troubleshooting and performing unscheduled maintenance.
Related publications
The following related publications contain information that can help you use Enterprise Scanner more effectively:
Table 2: Related publications for Enterprise Scanner
Document: Description
IBM Proventia Network Enterprise Scanner Quick Start Card: Contains out-of-the-box instructions for setting up your Enterprise Scanner agent.
Help: Context-sensitive Help that contains procedures for tasks you perform in the Proventia Manager and in the SiteProtector Console.
The SiteProtector system documents: Documents available on the IBM ISS Web site that provide information about using the SiteProtector system and the SiteProtector Console.
Enterprise Scanner–Internet Scanner Migration Guide: Provides an overview and compares the functionality between Enterprise Scanner and the IBM Internet Scanner Software. This Guide discusses feature differences between the two products and provides examples of how you can migrate from Internet Scanner to Enterprise Scanner.
IBM Proventia Network Enterprise Scanner Policy Migration Utility: Describes the policy transition from Internet Scanner to Enterprise Scanner. You can import an existing Internet Scanner policy and use the utility to map it to an Enterprise Scanner policy. The utility identifies any checks that cannot be migrated. You can then save and export the new Enterprise Scanner policy.
Version of the SiteProtector system
You manage your Enterprise Scanner agent through a SiteProtector Console. The information in this guide about the SiteProtector system refers to Proventia Management SiteProtector 2.0, Service Pack 6.1 (SiteProtector DBSP 6.31).
Getting Technical Support
Introduction
IBM ISS provides technical support through its Web site and by email or telephone.
The IBM ISS Web site
The IBM Internet Security Systems (IBM ISS) Resource Center Web site (http://www.iss.net/support/) provides direct access to online user documentation, current versions listings, detailed product literature, white papers, and the Technical Support Knowledgebase.
Support levels
IBM ISS offers three levels of support:
Standard
Select
Premium
Each level provides you with 24x7 telephone and electronic support. Select and Premium services provide more features and benefits than the Standard service. Contact Client Services at clientservices@iss.net if you do not know the level of support your organization has selected.
Hours of support
The following table provides hours for Technical Support at the Americas and other locations:
Table 3: Hours for technical support
Location: Hours
Americas: 24 hours a day
All other locations: Monday through Friday, 9:00 A.M. to 6:00 P.M. during their local time, excluding IBM ISS published holidays
Note: If your local support office is located outside the Americas, you may call or send an email to the Americas office for help during off-hours.
Contact information
The following table provides electronic support information and telephone numbers for technical support requests:
Table 4: Contact information for technical support
Regional Office: Electronic Support / Telephone Number
North America:
  Standard: Connect to the MYISS section of our Web site: www.iss.net
  Select and Premium: Refer to your Welcome Kit or call your Primary Designated Contact for this information.
  Telephone: (1) (888) 447-4861 (toll free); (1) (404) 236-2700
Latin America:
  Electronic Support: support@iss.net
  Telephone: (1) (888) 447-4861 (toll free); (1) (404) 236-2700
Europe, Middle East, and Africa:
  Electronic Support: support@iss.net
  Telephone: (44) (1753) 845105
Asia-Pacific, Australia, and the Philippines:
  Electronic Support: support@iss.net
  Telephone: (1) (888) 447-4861 (toll free); (1) (404) 236-2700
Japan:
  Electronic Support: support@isskk.co.jp
  Telephone: Domestic: (81) (3) 5740-4065
Part I
Getting Started
Chapter 1
Introduction to Enterprise Scanner
Overview
Introduction
Enterprise Scanner is the assessment component of the IBM Proventia Enterprise Security Platform. Enterprise Scanner is based on a model in which vulnerability detection is treated as a continuous network monitoring task rather than the ad hoc scanning model used by earlier vulnerability management systems. Enterprise Scanner automates the process of discovering and assessing your network assets through continuous background scanning of your network. This model allows you to track the remediation effort and use reports to evaluate your network’s security status at any time.
In addition to the continuous network monitoring, Enterprise Scanner gives you the ability to configure and run ad hoc scans. Ad hoc scanning allows you to run a one-time scan to discover new assets or to assess the vulnerability status of existing assets at any time. Ad hoc scans are useful when you need to take immediate action because assets have been added to your network or new vulnerabilities have been announced.
New concepts
The beginning chapters of this guide introduce the key concepts of the Enterprise Scanner conceptual framework, including background scanning. You should familiarize yourself with these key concepts so that you have a basis for understanding the approach and procedures in the rest of the guide.
For Internet Scanner users
If you are an Internet Scanner user, you should read this chapter carefully. It explains important similarities and differences between Internet Scanner and Enterprise Scanner.
In this chapter
This chapter contains the following topics:

Topic                                          Page
New Features                                   18
Key Concepts                                   20
Introducing Background Scanning                21
Migrating from Internet Scanner                22
Enterprise Scanner Communication Channels      23
Component Descriptions                         25
The SiteProtector System Components            26
New Features
Introduction
Enterprise Scanner Version 1.3 provides an update to the firmware, and introduces a smaller, portable version of the appliance hardware, the ES750.
Enterprise Scanner Version 1.2 fixed some known issues, and it introduced features to improve discovery speed and assessment accuracy:
- ICMP ping
- application fingerprinting
- SSH support
ICMP ping
A discovery scan can run faster if it can determine which assets in the scanning range are available, and then scan only those assets with operating system identification (OSID) techniques. The ICMP ping option in the Enterprise Scanner Discovery policy determines which assets are available, as follows:
- At the beginning of each scanning window, the agent sends four (4) ICMP ping commands to each asset identified in the discovery policy.
- The agent considers each asset that responds to a command as available, and keeps track of all available assets.
- The discovery scan then continues to scan only the available assets.
When to use ICMP ping
The ICMP ping function is especially useful in the following cases:
- The network is sparsely populated.
- Every asset on the network is configured to respond to ICMP ping commands.
To configure ICMP ping, see “Defining Assets to Discover (Discovery Policy)” on page 99.
Application fingerprinting
The application fingerprinting option identifies which applications are communicating over which ports and discovers any non-standard port usage. If you enable the application fingerprinting option, you must select from the following:
- Run checks that apply to the protocol of the application communicating over a port, such as HTTP.
- Run checks that apply to the specific application communicating over a port, such as Apache running ColdFusion.
Non-standard port assignments
Individuals in a corporation may use non-standard port assignments thinking that the practice increases network security. Using non-standard port assignments may make it harder, although not impossible, for an intruder to determine which applications are communicating on ports. The practice may also hide critical vulnerabilities from your agent, however, which could understate the real risk to a corporate network.
When to use application fingerprinting
Application fingerprinting is especially useful in the following cases:
- You know that some applications on the network communicate over non-standard ports.
- You are unaware of any non-standard port assignments, but you want to be sure.
To configure application fingerprinting, see “Defining Common Assessment Settings (Assessment Policy)” on page 106.
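Application fingerprinting, as described above, decides what is speaking on a port from the service itself rather than from the port number. The following Python script is an added illustration of that idea and is not Enterprise Scanner's code: it classifies constructed banners (the SAMPLE_OBSERVATIONS list, which includes an SSH daemon on port 2222 and an HTTP server on port 10080) by protocol and by application, then flags every port whose observed protocol does not match the port's conventional assignment, which is exactly the non-standard usage the text says the option exists to surface. The signature tables, the conventional port sets and the sample banners are this example's own assumptions.

```python
"""Banner-based application fingerprinting over constructed observations.

Added illustration of the idea in the text: decide which protocol and which
application speak on a port from the service's own banner, not from the port
number, and report ports whose observed protocol does not match the port's
conventional assignment.  Not Enterprise Scanner code; the signatures,
conventional port sets and sample banners are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Conventional port assignments for the protocols this example recognises.
CONVENTIONAL_PORTS = {
    "ssh": {22},
    "http": {80, 8080, 8000},
    "smtp": {25, 587},
    "ftp": {21},
}

# Protocol signatures over the first bytes a service sends (or returns to a
# probe).  Order matters: the first match wins.
PROTOCOL_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-(?:1\.99|2\.0)-")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    ("smtp", re.compile(rb"^220[ -].*\bE?SMTP\b", re.IGNORECASE)),
    ("ftp", re.compile(rb"^220[ -].*\bFTP\b", re.IGNORECASE)),
]

# Application signatures; a capture group, where present, holds the version.
APPLICATION_SIGNATURES = [
    ("OpenSSH", re.compile(rb"OpenSSH[_ ]([\w.]+)")),
    ("Apache httpd", re.compile(rb"Server: Apache/?([\w.]*)")),
    ("Microsoft IIS", re.compile(rb"Server: Microsoft-IIS/([\w.]+)")),
    ("Postfix", re.compile(rb"\bPostfix\b")),
    ("vsftpd", re.compile(rb"vsFTPd ([\w.]+)")),
]


@dataclass
class Finding:
    host: str
    port: int
    protocol: str        # protocol inferred from the banner, or "unknown"
    application: str     # application inferred from the banner, or ""
    non_standard: bool   # True when the protocol is not conventional for the port


def identify_protocol(banner: bytes) -> str:
    for name, pattern in PROTOCOL_SIGNATURES:
        if pattern.search(banner):
            return name
    return "unknown"


def identify_application(banner: bytes) -> str:
    for name, pattern in APPLICATION_SIGNATURES:
        m = pattern.search(banner)
        if m:
            version = m.group(1).decode("ascii", "replace") if m.re.groups else ""
            return f"{name} {version}".strip()
    return ""


def fingerprint(observations: Iterable[Tuple[str, int, bytes]]) -> List[Finding]:
    """Classify each (host, port, banner) observation by banner content only."""
    findings = []
    for host, port, banner in observations:
        proto = identify_protocol(banner)
        app = identify_application(banner)
        non_standard = proto != "unknown" and port not in CONVENTIONAL_PORTS[proto]
        findings.append(Finding(host, port, proto, app, non_standard))
    return findings


# Constructed sample observations (not captured from any real network).
SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", 22, b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("192.0.2.10", 80, b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.6\r\n\r\n"),
    ("192.0.2.20", 2222, b"SSH-2.0-OpenSSH_8.9\r\n"),                    # SSH on a high port
    ("192.0.2.30", 10080, b"HTTP/1.0 403 Forbidden\r\nServer: Microsoft-IIS/10.0\r\n\r\n"),
    ("192.0.2.40", 25, b"220 mail.example.test ESMTP Postfix\r\n"),
    ("192.0.2.50", 31337, b"\x00\x01binary-blob"),                       # nothing recognisable
]


def non_standard_ports(observations=SAMPLE_OBSERVATIONS):
    """Return (host, port, protocol) for every recognised protocol found on an unconventional port."""
    return [(f.host, f.port, f.protocol) for f in fingerprint(observations) if f.non_standard]


if __name__ == "__main__":
    for f in fingerprint(SAMPLE_OBSERVATIONS):
        flag = "NON-STANDARD PORT" if f.non_standard else ""
        print(f"{f.host}:{f.port:<6} {f.protocol:<8} {f.application:<20} {flag}")
```

The unrecognised blob on port 31337 is deliberately left as "unknown" rather than guessed: a fingerprinting engine should only run the protocol-specific checks the text mentions when the protocol has actually been identified.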
Support for SSH communication protocol to run vulnerability checks
Enterprise Scanner 1.2 can communicate with SSH-capable devices such as Unix hosts, routers, and switches through an encrypted, secure communication protocol. SSH greatly diminishes the threat that critical information will be intercepted and used for malicious intent. This capability allows X-Force to create new vulnerability checks for services that are not exposed on the network, similar to the current Windows patch checks. For more information about SSH, go to http://www.openssh.com/.
To configure SSH, see “Defining Assessment Credentials (Assessment Credentials Policy)” on page 94.
Key Concepts
Introduction
Enterprise Scanner is the next generation scanning appliance from IBM ISS. As a component of the Enterprise Security Platform, Enterprise Scanner delivers true enterprise scalability and scanning load balancing. Designed to run on Linux, Enterprise Scanner delivers the core functionality necessary in today's enterprise environments.
Centralized control
Enterprise Scanner works with the SiteProtector system to provide centralized security management for your enterprise assets. After you install and configure your appliance, you use the SiteProtector Console for scan management, tracking and remediation, and reporting.
Asset-centric approach
You probably already think about your vulnerability management in terms of your assets. You know to prioritize your efforts to protect your most critical assets first and to provide the same type of protection for similar assets. Enterprise Scanner makes this easier by separating policies for groups of assets from the policies for agents:
- Asset policies define scanning requirements for groups of assets, including IP addresses to scan, checks to run, and how often to refresh information.
- Agent policies define how agents operate, including the location in the network from which they operate. That network location is called perspective.
Background scanning
Background scanning is an automated, cyclical process that incorporates the key operational concepts of the Enterprise Scanner vulnerability detection model. Background scanning is explained in more detail in “Introducing Background Scanning” on page 21.
Ad hoc scanning and auditing
Enterprise Scanner supports ad hoc scanning, but it is not designed to be an auditing tool. You could use the ad hoc scanning capability between scheduled background scans for the following types of needs:
- For network reconfiguration, you could use ad hoc scanning to refresh your discovery and vulnerability information.
- For a new threat, you could use ad hoc scanning to assess the risk to your assets.
Load balancing
Enterprise Scanner makes it easier for you to respond to the dynamic nature of an enterprise network. You can create pools of agents to share a scanning load. You can add agents or remove agents without having to change any discovery or assessment configuration parameters. You can also adjust other operational parameters to ensure that you have the coverage you need.
Perspective definitions
You have different expectations for scanning results based on the location of an agent in relation to the assets it scans. For example, results would be different depending on whether you scanned a group of assets from inside a firewall or outside a firewall. (See “What is Perspective?” on page 124.) In Enterprise Scanner, perspective definitions serve several purposes:
- They identify locations on your network from which scanning is performed.
- They indicate where agents are connected to your network so that load balancing can occur across agents that share a perspective.
- They indicate the location from which groups of assets should be scanned.
Introducing Background Scanning
Introduction
What does it mean to say that Enterprise Scanner is based on a model in which vulnerability detection is treated more like a network monitoring task than it is in earlier vulnerability management models? By adapting the network monitoring model to vulnerability management, Enterprise Scanner provides a highly flexible scanning environment that automatically maintains the viability of your vulnerability information.
Importance of network monitoring models
Network monitoring systems run continuously, always providing timely information about the security posture of your network. For the most part, you set the system up, and it gathers the information you need to ensure your network’s security. When network monitoring is in place, you can spend more time analyzing vulnerability data and less time managing the system.
Vulnerability management needs
While you probably do not want to run scans constantly, you do want to scan your network for new assets and assess your assets to detect vulnerabilities with a reasonable frequency—without slowing down your network. You may also have a wide range of assets, some of which are more valuable to you than others. If you cannot scan every asset with the same frequency, you want to make sure your most critical assets receive the needed level of attention.
Previous models
In previous models of vulnerability management, you would schedule scans to run on a specific day and to start at an exact time. Scheduled scans have the following consequences:
- The scan would start at the scheduled time and run until it finished, whether that took two hours or two days.
- Long running scans could interfere with your congested network times.
- You could not prioritize scans to scan your most critical assets first.
Approach to background scanning
Background scanning recognizes the following:
- The most efficient way to scan may include long-running scans.
- Long-running scans should not have to run during high-traffic periods when they could contribute to network congestion.
- Assessment priorities should focus on the most critical assets first.
Reasons to use background scanning
Enterprise Scanner does not require a scan to run non-stop until it finishes. Instead, a background scan runs during selected hours of the day over multiple days. Enterprise Scanner manages the scan, and automatically restarts the scan based on refresh cycles that you define. Refresh cycles may last from one day to several months.
Key concepts
In summary, the key concepts of background scanning are the following:
- You use scanning refresh cycles to define automatically recurring scans.
- You define hours of the day (scanning windows) during which scanning is allowed.
- You identify critical assets that require priority attention.
- You define locations of agents and perspectives to scan assets as network locations.
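The first three key concepts above (refresh cycles, scanning windows and priority for critical assets) can be tried out in a small model. The following Python simulation is an added example and is not the product's scheduler: it takes a constructed scanning window (Monday to Friday nights, 22:00 to 06:00), a 7-day refresh cycle and five constructed assets with criticality values, scans the most critical assets first, pauses whenever the window closes so that one scan spans several nights, and starts a new cycle when the refresh period elapses. The asset names, scan durations and policy values are assumptions for illustration; perspective is not modelled.

```python
"""Model of the background scanning concepts described above: scanning windows,
refresh cycles and priority ordering of critical assets.  This is an added
illustration, not the product's scheduler; the windows, cycle length and asset
list are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ScanningWindow:
    """Hours of the day, on given weekdays, during which scanning is allowed."""
    weekdays: frozenset      # 0 = Monday ... 6 = Sunday
    start_hour: int          # inclusive, local time
    end_hour: int            # exclusive; end_hour <= start_hour means an overnight window

    def contains(self, t: datetime) -> bool:
        if self.start_hour < self.end_hour:
            return t.weekday() in self.weekdays and self.start_hour <= t.hour < self.end_hour
        if t.hour >= self.start_hour:        # evening part of an overnight window
            return t.weekday() in self.weekdays
        if t.hour < self.end_hour:           # early-morning part belongs to the previous day
            return (t.weekday() - 1) % 7 in self.weekdays
        return False


@dataclass
class Asset:
    name: str
    criticality: int         # higher values are scanned first
    scan_minutes: int        # constructed estimate of assessment time


@dataclass
class Cycle:
    started: datetime
    finished: Optional[datetime] = None
    completion: Dict[str, datetime] = field(default_factory=dict)  # asset -> time its scan finished


def scanning_allowed(windows: List[ScanningWindow], t: datetime) -> bool:
    return any(w.contains(t) for w in windows)


def run_background_scan(assets, windows, start, refresh_days, horizon_days, step_minutes=15):
    """Simulate the scanner clock in step_minutes increments over horizon_days.

    Work happens only inside a scanning window; when the window closes the scan
    pauses and resumes in the next window, so one scan may span several days.
    A new cycle starts once refresh_days have elapsed since the previous cycle
    began, which refreshes every asset's data on that cadence.  Within a cycle
    the most critical assets are scanned first.  Returns the cycles started.
    """
    queue_order = sorted(assets, key=lambda a: -a.criticality)
    cycles: List[Cycle] = []
    remaining: Dict[str, int] = {}
    t = start
    end = start + timedelta(days=horizon_days)
    while t < end:
        if not cycles or t - cycles[-1].started >= timedelta(days=refresh_days):
            cycles.append(Cycle(started=t))
            remaining = {a.name: a.scan_minutes for a in queue_order}
        current = cycles[-1]
        if remaining and scanning_allowed(windows, t):
            budget, elapsed = step_minutes, 0
            for a in queue_order:
                if a.name not in remaining or budget <= 0:
                    continue
                used = min(budget, remaining[a.name])
                remaining[a.name] -= used
                budget -= used
                elapsed += used
                if remaining[a.name] == 0:
                    del remaining[a.name]
                    current.completion[a.name] = t + timedelta(minutes=elapsed)
            if not remaining:
                current.finished = t + timedelta(minutes=elapsed)
        t += timedelta(minutes=step_minutes)
    return cycles


# Constructed sample policy: scan Monday to Friday nights, 22:00 to 06:00,
# refresh every 7 days, five assets of differing criticality.
SAMPLE_WINDOWS = [ScanningWindow(frozenset(range(0, 5)), 22, 6)]
SAMPLE_ASSETS = [
    Asset("print-server", 3, 60),
    Asset("db-server", 10, 180),
    Asset("kiosk", 2, 120),
    Asset("web-server", 8, 240),
    Asset("file-server", 6, 180),
]


def simulate_sample():
    """Run the constructed policy for two weeks starting Monday 2007-03-05."""
    return run_background_scan(SAMPLE_ASSETS, SAMPLE_WINDOWS,
                               start=datetime(2007, 3, 5), refresh_days=7, horizon_days=14)


if __name__ == "__main__":
    for i, c in enumerate(simulate_sample(), 1):
        print(f"cycle {i} started {c.started:%a %Y-%m-%d %H:%M}, finished {c.finished:%a %Y-%m-%d %H:%M}")
        for name, done in c.completion.items():
            print(f"  {name:<13} finished {done:%a %Y-%m-%d %H:%M}")
```

With the sample values the 780 minutes of work do not fit in one 8-hour window: the database and web server finish during the first night, the file server is interrupted at 06:00 and completed the next night, and the whole cycle repeats a week later.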
Migrating from Internet Scanner
Introduction
The approach to protecting your enterprise with Enterprise Scanner is different from the one used by Internet Scanner. If you understand the major conceptual differences before you begin, the implementation details will make more sense to you.
What Enterprise Scanner does not do
Enterprise Scanner is not a standalone application. It only works with assets in a SiteProtector database. You can use it for ad hoc scanning, but it is not intended to be an auditing tool.
Developing a migration strategy
For more information about developing a migration strategy, see the Enterprise Scanner-Internet Scanner Migration Guide. This guide provides an overview and compares the functionality of Enterprise Scanner and Internet Scanner. It discusses feature differences between the two products and provides examples of how you can migrate from Internet Scanner to Enterprise Scanner.
Migration tools
To migrate policies from Internet Scanner to Enterprise Scanner, download the IBM Proventia Network Enterprise Scanner Policy Migration Utility and instructions from the IBM ISS Download Center.
Using Internet Scanner with Enterprise Scanner
You can use Internet Scanner with Enterprise Scanner, which you may want to do as you migrate from Internet Scanner. You should migrate completely to Enterprise Scanner, however, because its tighter integration with the SiteProtector system significantly reduces the effort and cost involved in scanning your enterprise and managing your vulnerabilities.
Comparison table
The following table provides a high-level comparison of the major differences between Internet Scanner and Enterprise Scanner:

Function: Configuring scans
  Internet Scanner: Defines scans and scan policies based on the scanner. Identifies a specific scanner to scan assets.
  Enterprise Scanner: Defines scans and scan policies based on the needs of a group of assets. Defines an agent, or a group of agents among which the scanning is distributed.
Function: Management console
  Internet Scanner: Works with the SiteProtector system or without the SiteProtector system through its local management interface.
  Enterprise Scanner: Works only with the SiteProtector system.
Function: Timing of scans
  Internet Scanner: Ad hoc scans; recurring scans when used with the SiteProtector system.
  Enterprise Scanner: Ad hoc and recurring background scanning cycles.
Function: Scan processes
  Internet Scanner: Discovery and assessment in the same process.
  Enterprise Scanner: Separate discovery and assessment processes.
Function: Remediation
  Internet Scanner: Manual process.
  Enterprise Scanner: Automated process with ticketing functions in the SiteProtector system.
Table 5: Major differences between Internet Scanner and Enterprise Scanner
Enterprise Scanner Communication Channels
Introduction
This topic discusses the communication channels Enterprise Scanner uses. In normal operations, Enterprise Scanner communicates with these external components:
- OneTrust Infrastructure
- the SiteProtector system
- user consoles
- assets on the network
Architecture diagram
Figure 1 shows the communication paths between Enterprise Scanner and the SiteProtector system:
Figure 1: Enterprise Scanner architecture
Network interfaces
Enterprise Scanner uses network interfaces as follows:

Interface      Purpose
Management     To communicate with the SiteProtector system.
Scanning       To communicate with assets.
Table 6: Management and scanning interfaces
Port usage
Table 7 describes port usage from the point of view of Enterprise Scanner:

Network Interface   Port                     Communication With
Management          Inbound from 3995 TCP    The SiteProtector Agent Manager.
                    Inbound from 3994 TCP    The X-Press Update Server.
                    Inbound on 443 TCP       The user’s Web browser.
                    Inbound on 22 TCP        An SSH shell on a user’s computer.
Scanning            Any TCP outbound         The assets being scanned by the agent.
                    Any UDP
                    Any ICMP
Table 7: Port usage for Enterprise Scanner
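Table 7 also serves as a checklist for the traffic a firewall in front of the appliance, or the appliance's own connection logs, should show on each interface. The following Python script is an added example, not product code: it parses constructed key=value flow records (the log format and the interface labels mgmt and scan are assumptions) and reports any flow the table does not account for, such as a Telnet connection to the management interface or an unsolicited inbound TCP connection on the scanning interface. The table's "inbound from" entries are read here as the peer's source port and "inbound on" as the appliance's own port.

```python
"""Check observed traffic on an Enterprise Scanner's interfaces against the
port usage documented in Table 7.  Added illustration, not product code: the
log format and the log lines are constructed, and the interface names "mgmt"
and "scan" are assumed labels for the management and scanning interfaces.
"""
import re

# Expected traffic per interface, following Table 7.  "remote_port" is the
# peer's port (the table's "inbound from"); "local_port" is the appliance's
# own port (the table's "inbound on").  Keys other than "peer" must all match.
EXPECTED = {
    "mgmt": [
        {"dir": "in", "proto": "tcp", "remote_port": 3995, "peer": "SiteProtector Agent Manager"},
        {"dir": "in", "proto": "tcp", "remote_port": 3994, "peer": "X-Press Update Server"},
        {"dir": "in", "proto": "tcp", "local_port": 443, "peer": "user's Web browser"},
        {"dir": "in", "proto": "tcp", "local_port": 22, "peer": "SSH client on a user's computer"},
    ],
    "scan": [
        {"dir": "out", "proto": "tcp", "peer": "scanned assets"},
        {"proto": "udp", "peer": "scanned assets"},
        {"proto": "icmp", "peer": "scanned assets"},
    ],
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> dict:
    """Parse one constructed key=value record into a flow oriented to the appliance."""
    fields = dict(FIELD_RE.findall(line))
    flow = {"iface": fields["iface"], "dir": fields["dir"], "proto": fields["proto"],
            "src": fields["src"], "dst": fields["dst"]}
    sport = int(fields.get("sport", 0))   # ICMP records carry no ports
    dport = int(fields.get("dport", 0))
    if flow["dir"] == "in":
        flow["local_port"], flow["remote_port"] = dport, sport
    else:
        flow["local_port"], flow["remote_port"] = sport, dport
    return flow


def matching_rule(flow: dict):
    """Return the Table 7 entry that covers this flow, or None."""
    for rule in EXPECTED.get(flow["iface"], []):
        if all(flow.get(k) == v for k, v in rule.items() if k != "peer"):
            return rule
    return None


def unexpected_flows(lines):
    """Return (line number, flow) for every record the documented port usage does not cover."""
    parsed = ((n, parse_flow(line)) for n, line in enumerate(lines, 1))
    return [(n, flow) for n, flow in parsed if matching_rule(flow) is None]


# Constructed sample records (10.0.1.20 = management interface, 10.0.2.20 = scanning interface).
SAMPLE_LOG = [
    "2007-03-05 22:00:01 iface=mgmt dir=in proto=tcp src=10.0.0.5 sport=3995 dst=10.0.1.20 dport=40112",
    "2007-03-05 22:00:05 iface=mgmt dir=in proto=tcp src=10.0.0.6 sport=3994 dst=10.0.1.20 dport=40113",
    "2007-03-05 22:01:10 iface=mgmt dir=in proto=tcp src=10.0.0.77 sport=51020 dst=10.0.1.20 dport=443",
    "2007-03-05 22:01:30 iface=mgmt dir=in proto=tcp src=10.0.0.77 sport=51021 dst=10.0.1.20 dport=22",
    "2007-03-05 22:02:00 iface=mgmt dir=in proto=tcp src=10.0.0.99 sport=51500 dst=10.0.1.20 dport=23",
    "2007-03-05 22:05:00 iface=scan dir=out proto=tcp src=10.0.2.20 sport=40200 dst=192.0.2.10 dport=445",
    "2007-03-05 22:05:01 iface=scan dir=out proto=udp src=10.0.2.20 sport=40201 dst=192.0.2.10 dport=161",
    "2007-03-05 22:05:02 iface=scan dir=out proto=icmp src=10.0.2.20 dst=192.0.2.11",
    "2007-03-05 22:06:00 iface=scan dir=in proto=tcp src=192.0.2.12 sport=50000 dst=10.0.2.20 dport=8080",
]

if __name__ == "__main__":
    for n, flow in unexpected_flows(SAMPLE_LOG):
        print(f"line {n}: undocumented {flow['proto']} {flow['dir']} on {flow['iface']} "
              f"from {flow['src']} to {flow['dst']} local port {flow['local_port']}")
```

Running it on the sample records reports line 5 (Telnet to the management interface) and line 9 (inbound TCP on the scanning interface); everything else is covered by a Table 7 entry.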
Component Descriptions
Introduction
This topic describes the purpose of communication between Enterprise Scanner and other components.
OneTrust Infrastructure
OneTrust Infrastructure provides two services to Enterprise Scanner:
- Provides the licenses for the appliance.
  Note: You must acquire a new or an updated license manually on the Licensing page in the Proventia Manager. For more information about connectivity requirements, see “Acquiring Your Enterprise Scanner Licenses” on page 207.
- Provides updates for firmware and assessment content.
  Note: You can configure automatic downloading and installation of updates through the SiteProtector Console or through your Agent Manager. Updates are available either through the IBM ISS Download Center or from a locally managed Update Server.
User interfaces
You can access and view information gathered by Enterprise Scanner through one or both consoles as described in the following table:

Component: SiteProtector Console
  Description: The interface where you perform all the SiteProtector system tasks, including the following:
  - configure and manage the appliance
  - create and manage security policies
  - enable alerts and logging
  - set up users and user permissions
  - monitor security events and vulnerabilities on your network
  - generate reports
Component: Proventia Manager
  Description: A Web-based interface for managing the agent.
Table 8: User Console components
The SiteProtector System Components
Introduction
The SiteProtector system is a centralized management system that provides command, control, and monitoring capabilities over all of your IBM Internet Security Systems (IBM ISS) products, including the Enterprise Scanner appliance. The SiteProtector system documentation provides thorough descriptions of all of its components. This topic provides brief descriptions of the components that affect Enterprise Scanner users the most.
The SiteProtector system components
The following major components make up the SiteProtector system:

Component: Agent Manager
  Description: The Agent Manager provides the ability to configure, update, and manage the appliance in the SiteProtector system. It also manages the alternate update server, called the SiteProtector X-Press Update Server.
  As the appliance generates security data, the Agent Manager facilitates the data processing required for you to view the data in the SiteProtector Console.
  The appliance sends a heartbeat signal through the management interface to its Agent Manager on a routine basis to indicate that it is active and to receive policies and updates from the Agent Manager. The time between heartbeats is a user-defined option.
Component: Application Server
  Description: The Application Server provides remote access functionality for the SiteProtector Console.
Component: SiteProtector Database
  Description: The SiteProtector Database stores the following information:
  - security data generated by your IBM ISS products
  - statistics for security events
  - the update status of all products
  - the SiteProtector system user accounts and permissions
Component: Update Server
  Description: A server on your internal network that contains the X-Press Updates (XPUs) for only your licensed IBM ISS products.
Table 9: The SiteProtector system components
Chapter 2
Installing and Configuring an Agent
Overview
Introduction
Installing and configuring your Enterprise Scanner is a multi-stage process. The process includes connecting the agent to the network, configuring appliance-level settings, and configuring the appliance to connect with the SiteProtector system. This chapter explains those tasks.
Reinstalling an agent
If you need to reinstall an Enterprise Scanner agent, see “Preparing to Reinstall an Enterprise Scanner Agent” on page 208 and “Reinstalling an Enterprise Scanner Agent” on page 209.
In this chapter
This chapter contains the following topics:

Topic                                                                      Page
Before You Begin                                                           28
Process Overview                                                           29
Setting Up Your Appliance for Initial Configuration                        31
Configuring Appliance-Level Settings                                       33
Configuring Explicit-Trust Authentication with an Agent Manager            35
Registering Enterprise Scanner to Connect to the SiteProtector System      37
Logging On to the SiteProtector Console                                    40
Before You Begin
Introduction
This topic provides introductory information and explains considerations for installing your Enterprise Scanner agent.
User interfaces
The following table describes the interfaces you use for each configuration phase:

Interface: Proventia Setup Assistant
  Purpose: To configure network and administrative settings for the agent immediately after you turn on or reinstall the agent.
Interface: Proventia Manager
  Purpose:
  - To configure agent settings to enable the agent to work with the SiteProtector system.
  - To monitor and troubleshoot the agent.
  - To change low-level settings that you chose in the Proventia Setup Assistant.
  - To perform manual maintenance functions, such as manually downloading and installing updates or manually backing up and restoring your agent.
Interface: SiteProtector Console
  Purpose:
  - To set up and manage your vulnerability management processes.
  - To change the agent settings.
Table 10: Configuration interfaces

Location of your agent (perspective)
When you scan a group of assets, you anticipate and interpret results based on the location of your agent relative to the location of the assets. Scanning a group of assets from inside a firewall, for example, produces different results than scanning the same group of assets from outside the firewall. In Enterprise Scanner, you use perspective to define a logical network location.
Using multiple agents and perspective
If you plan to install multiple agents now, or in the future, you should consider perspective before you proceed. If you do not intend to install multiple agents, you can use the default, Global perspective.
Reference: For a complete explanation of perspective, see “What is Perspective?” on page 124, “Defining Perspectives” on page 125, and “One Way to Use Perspective” on page 126.
Process Overview
Introduction
Follow the installation process checklist in this topic to determine the tasks you need to perform to install and configure your Enterprise Scanner agent. To track your progress, print the checklist and mark each step as you complete it.
Important prerequisites
Before you install and configure your agent, check the applicable Read Me document and the known issues:
- The Read Me file lists the X-Press Updates (XPUs) that you must install.
  Note: Some XPUs may apply to the SiteProtector system components, such as to the SiteProtector database.
- To find the list of known issues, log on to the IBM ISS Knowledgebase (http://www.iss.net/support/), and then search the knowledgebase for Answer ID 3442.
  Tip: Type 3442 in the Search Text box, and select Answer ID in the Search By list.
Installation process checklist
Complete these tasks to install and configure Enterprise Scanner:

[ ] Connect your appliance to the network and set it up for terminal emulation.
    Reference: Use the Proventia Network Enterprise Scanner Quick Start Card or see “Setting Up Your Appliance for Initial Configuration” on page 31.
[ ] Run the Proventia Setup Assistant to configure appliance-level settings and initial agent parameters.
    Reference: Use the Proventia Network Enterprise Scanner Quick Start Card or see “Configuring Appliance-Level Settings” on page 33.
[ ] Create a backup of your system configuration settings.
    Reference: “Backing Up Configuration Settings” on page 204.
[ ] Optionally, set up explicit-trust authentication with the SiteProtector Agent Manager.
    Reference: “Configuring Explicit-Trust Authentication with an Agent Manager” on page 35.
[ ] Acquire the license for your agent.
    Reference: “Acquiring Your Enterprise Scanner Licenses” on page 207.
[ ] Install the latest X-Press Updates (XPUs) for firmware and assessment content either manually or by setting up scheduled updates.
    Reference: Chapter 16, "Updating Enterprise Scanner" on page 211; Help in the Proventia Manager.
[ ] Configure your agent to work with the SiteProtector system.
    Reference: “Registering Enterprise Scanner to Connect to the SiteProtector System” on page 37.
[ ] As an option, run verification scans to verify your installation and to become familiar with scanning with Enterprise Scanner.
    Reference: Chapter 3, "Running Your First Scans" on page 41.
[ ] Configure the policies that define the agent’s characteristics.
    Reference: Chapter 8, "Defining Agent Policies" on page 109.
[ ] Configure policies for groups of assets that you want an agent to scan.
    Reference: Chapter 6, "Defining Background Scans" on page 81 and Chapter 7, "Configuring Discovery and Assessment Policies" on page 97.
[ ] Set up the SiteProtector system for vulnerability management.
    Reference: Chapter 12, "Interpreting Scan Results" on page 167.
Table 11: Stages of installation and configuration