IBM Partner Pavilion Proventia Network Enterprise Scanner User Manual
IBM Proventia Network Enterprise Scanner
User Guide
Version 2.3
Copyright statement
© Copyright IBM Corporation 1997, 2009.
All Rights Reserved.
U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
Publication Date: February 2009
Trademarks and Disclaimer
IBM®and the IBM logo are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both.
ADDME
RealSecure®, SecurePartner™, SecurityFusion™, SiteProtector™, System Scanner™,
Virtual Patch®, X-Force®and X-Press Update are trademarks or registered
trademarks of Internet Security Systems
or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of
International Business Machines Corporation.
Microsoft
in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of
others.
References in this publication to IBM products or services do not imply that IBM
intends to make them available in all countries in which IBM operates.
Disclaimer: The information contained in this document may change without
notice, and may have been altered or changed if you have received it from a
source other than IBM Internet Security Systems (IBM ISS). Use of this information
constitutes acceptance for use in an “AS IS” condition, without warranties of any
kind, and any use of this information is at the user’s own risk. IBM Internet
Security Systems disclaims all warranties, either expressed or implied, including
the warranties of merchantability and fitness for a particular purpose. In no event
shall IBM ISS be liable for any damages whatsoever, including direct, indirect,
incidental, consequential or special damages, arising from the use or dissemination
hereof, even if IBM Internet Security Systems has been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages, so the foregoing limitation may not apply.
™
, Ahead of the threat, BlackICE™, Internet Scanner®, Proventia®,
®
, Windows®, and Windows NT®are trademarks of Microsoft Corporation
™
, Inc. in the United States, other countries,
Reference herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation, or favoring by IBM Internet Security
Systems. The views and opinions of authors expressed herein do not necessarily
state or reflect those of IBM Internet Security Systems, and shall not be used for
advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release,
but the ever-changing nature of the Internet prevents IBM Internet Security
Systems, Inc. from guaranteeing the content or existence of the resource. When
possible, the reference contains alternate sites or keywords that could be used to
acquire the information by other methods. If you find a broken or inappropriate
link, please send an email message with the topic name, link, and its behavior to
mailto://support@iss.net.
© Copyright IBM Corp. 1997, 2009 iii
iv Enterprise Scanner: User Guide
Contents
Trademarks and Disclaimer ......iii
About this book ...........vii
Related publications ...........viii
Technical support contacts .........viii
Part 1. Scanning from the Proventia
Manager ..............1
Chapter 1. Ad hoc scanning in the
Proventia Manager ..........3
Section A: Network configuration .......4
Configuring the management network interface . 4
Configuring the scanning network interface . . . 5
Configuring scanning interface DNS settings . . 6
Assigning perspective to a scanning interface . . 7
Configuring routes for perspective ......7
Section B: Policy configuration ........8
Defining assets for a discovery scan .....8
Displaying assessment checks by groups ....9
Displaying information about assessment checks 10
Selecting assessment checks with filters ....11
Configuring common assessment settings for an
Assessment policy ...........12
Defining assessment credentials for a policy . . 16
Defining the service names associated with TCP
and UDP ports ............18
Defining ports or assets to exclude from a scan 19
Configuring and saving a scan policy in the
Proventia Manager ...........20
Chapter 2. Interpreting scan results in
the Proventia Manager ........21
Running an ad hoc scan ..........22
Monitoring the status of a scan ........23
Viewing the results of an ad hoc scan .....24
Exporting scan results from Proventia Manager . . 24
Purging scan data from the database ......25
Part 2. Scanning from the
SiteProtector Console .......27
Chapter 3. Enterprise Scanner policies 29
Policy inheritance with Enterprise Scanner policies 30
Deploying an Enterprise Scanner policy from the
policy repository ............31
Migrating a locally managed Enterprise Scanner
agent into SiteProtector ..........32
Viewing asset or agent policies for Enterprise
Scanner................33
Getting vulnerability help for a SiteProtector
Console without Internet access .......34
Agent policies for Enterprise Scanner ......35
Agent policy descriptions for Enterprise Scanner 35
Network Locations policy ........36
Notification policy ...........38
Access policy .............39
Networking policy ...........40
Services policy ............43
Time policy .............44
Update Settings policy..........45
Asset policies for Enterprise Scanner ......45
Asset policy descriptions for Enterprise Scanner 45
Discovery policy............46
Assessment policy ...........48
Assessment Credentials policy .......55
Scan Control policy ...........57
Scan Window policy ..........59
Scan Exclusion policy ..........61
Network Services policy .........62
Ad Hoc Scan Control policy ........64
Chapter 4. Understanding scanning
processes in SiteProtector ......67
What is perspective? ...........68
Defining perspectives ...........69
Scan jobs and related terms .........71
Types of tasks .............72
Priorities for running tasks .........73
Stages of a scanning process .........74
Optimizing cycle duration, scan windows, and
subtasks for Enterprise Scanner........76
Chapter 5. Background scanning in
SiteProtector ............79
Determining when background scans run ....80
How policies apply to ad hoc and background scans 81
Background scanning checklists for Enterprise
Scanner................83
Enabling background scanning ........84
Defining when scanning is allowed ......85
Defining ports or assets to exclude from a scan . . 87
Defining network services .........88
Defining assessment credentials for a policy . . . 89
Chapter 6. Monitoring scans in
SiteProtector ............91
Viewing your scan jobs ..........92
Viewing discovery job results ........92
Viewing assessment job results ........93
Chapter 7. Managing scans in
SiteProtector ............95
Stopping and restarting scan jobs .......96
Suspending and enabling all background scans . . 97
Minimum scanning requirements .......98
© Copyright IBM Corp. 1997, 2009 v
Scanning behaviors for ad hoc scans ......99
Part 3. Maintenance........139
Chapter 8. Interpreting scan results in
SiteProtector ...........103
OS identification (OSID) certainty ......104
How OSID is updated in Enterprise Scanner . . . 105
Setting up a Summary view for vulnerability
management .............106
Summary page for vulnerability management . . 106
Viewing vulnerabilities in the SiteProtector Console
using Enterprise Scanner .........108
Viewing vulnerabilities by asset in Enterprise
Scanner ..............108
Viewing vulnerabilities by detail in Enterprise
Scanner ..............111
Viewing vulnerabilities by object in Enterprise
Scanner ..............113
Viewing vulnerabilities by target operating
system in Enterprise Scanner .......114
Viewing vulnerabilities by vulnerability name in
Enterprise Scanner...........115
Running reports in the SiteProtector Console . . . 117
Types of assessment reports ........117
Viewing an Enterprise Scanner report in the
SiteProtector Console ...........119
Chapter 9. Logs and alerts......121
Log files and alert notification ........122
System logs ..............123
Getting log status information .......124
Enterprise Scanner (ES) logs ........124
Downloading Enterprise Scanner (ES) log files 126
Alerts log ..............127
Downloading and saving an Alerts log ....128
Clearing the Alerts log .........129
Finding specific events in the Alerts log . . . 129
Chapter 10. Ticketing and remediation 133
Ticketing and Enterprise Scanner .......134
Remediation process overview for Enterprise
Scanner ...............135
Remediation tasks for Enterprise Scanner ....136
Chapter 11. Performing routine
maintenance............141
Shutting down your Enterprise Scanner ....142
Removing an agent from SiteProtector .....143
Options for backing up Enterprise Scanner . . . 144
Backing up configuration settings ......145
Making full system backups ........146
Chapter 12. Updating Enterprise
Scanner..............147
XPU basics ..............148
Updating options ............149
Configuring explicit-trust authentication with an
XPU server ..............150
Configuring an Alternate Update location ....151
Configuring an HTTP Proxy ........153
Configuring notification options for XPUs ....153
Scheduling a one-time firmware update ....154
Configuring automatic updates .......154
Manually installing updates ........156
Chapter 13. Viewing the status of the
Enterprise Scanner agent ......157
Proventia Manager Home page .......158
Viewing agent status in the SiteProtector Console 160
Viewing agent status ...........160
Viewing the status of the CAM modules ....161
Troubleshooting the Enterprise Scanner sensor . . 161
Part 4. Appendixes ........163
Appendix. Safety, environmental, and
electronic emissions notices .....165
Index ...............177
vi
Enterprise Scanner: User Guide
About this book
This section describes the audience for this guide; identifies related publications;
and provides contact information.
Audience
Users of this guide should understand their network topology, including the
criticality of network assets. In addition, because Enterprise Scanner can be
managed through the SiteProtector Console, you must have a working knowledge
of the SiteProtector system, including how to set up views, manage users and user
permissions, and deploy policies.
Topics
“Related publications” on page viii
“Technical support contacts” on page viii
© Copyright IBM Corp. 1997, 2009 vii
Related publications
Use this topic to help you access information about your Enterprise Scanner
appliance.
Publications
The following documents are available for download from the IBM ISS
Documentation Web site at http://www.iss.net/support/documentation/.
v IBM Proventia Network Enterprise Scanner Version 2.3 Quick Start Card (Models
ES750 and ES1500)
v IBM Proventia Network Enterprise Scanner Version 2.3 Getting Started Guide
v IBM Proventia Network Enterprise Scanner Version 2.3 User Guide
License agreement
For licensing information on IBM Internet Security System products, download the
IBM Licensing Agreement from http://www.ibm.com/services/us/iss/html/
contracts_landing.html.
Technical support contacts
IBM Internet Security Systems (IBM ISS) provides technical support through its
Web site and by email or telephone.
The IBM ISS Web site
The IBM ISS Customer Support Web page at http://www.ibm.com/services/us/
iss/support/ provides direct access to online user documentation, current versions
listings, detailed product literature, white papers, and the Technical Support
Knowledgebase.
Hours of support
The following table provides hours for Technical Support at the Americas and
other locations:
Table 1. Hours of technical support
Location Hours
Americas 24 hours a day
All other locations Monday through Friday, 9:00 A.M. to 6:00
P.M. during their local time, excluding IBM
ISS published holidays
Note: If your local support office is located
outside the Americas, you may call or send
an email to the Americas office for help
during off-hours.
Contact information
For contact information, go to the IBM Internet Security Systems Contact Technical
Support Web page at http://www.ibm.com/services/us/iss/support/.
viii Enterprise Scanner: User Guide
Part 1. Scanning from the Proventia Manager
This section explains how to manage scans from the Proventia Manager for the
Enterprise Scanner agent.
Chapters
Chapter 1, “Ad hoc scanning in the Proventia Manager,” on page 3
Chapter 2, “Interpreting scan results in the Proventia Manager,” on page 21
© Copyright IBM Corp. 1997, 2009 1
2 Enterprise Scanner: User Guide
Chapter 1. Ad hoc scanning in the Proventia Manager
This chapter explains how to use perspective and the high-level processes behind
ad hoc scanning from the Proventia Manager.
Section A: Network configuration
“Configuring the management network interface” on page 4
“Configuring the scanning network interface” on page 5
“Configuring scanning interface DNS settings” on page 6
“Assigning perspective to a scanning interface” on page 7
“Configuring routes for perspective” on page 7
Section B: Policy configuration
“Defining assets for a discovery scan” on page 8
“Displaying assessment checks by groups” on page 9
“Displaying information about assessment checks” on page 10
“Selecting assessment checks with filters” on page 11
“Configuring common assessment settings for an Assessment policy” on page 12
“Defining assessment credentials for a policy” on page 16
“Defining ports or assets to exclude from a scan” on page 19
“Configuring and saving a scan policy in the Proventia Manager” on page 20
© Copyright IBM Corp. 1997, 2009 3
Section A: Network configuration
This section explains how to define the network interfaces for the management and
scanning ports, how to assign perspectives to network interfaces, and how to
configure the Enterprise Scanner appliance to select routes for traffic.
Configuring the management network interface
Use the Management Interface tab on the Network Interface Configuration page on
the appliance to configure the management interface network settings (ETH0).
About this task
You configured the management interface when you set up the appliance with the
Proventia Setup Assistant. Use the procedures in this topic to change those
settings.
Procedure
1. Click Configuration → Network Interfaces in the navigation pane.
2. Click the Management Interface tab, and then type or change the following
information:
Option Description
Host Name The fully qualified domain name for the
Interface The management port used by the
IP address The IP address of the management interface
Subnet Mask The IP address of the subnet mask for the
Gateway The address of the network gateway.
Enterprise Scanner agent. Use the format:
gateway1.example.com
Enterprise Scanner agent.
for the agent.
agent.
3. Select the Use Persistent IP if sensor is behind NAT if you want to avoid
conflicts with NAT rules, and then provide the IP address.
4. Click Save Changes.
4 Enterprise Scanner: User Guide
Configuring the scanning network interface
Use the Scan Interface tab on the Network Interface Configuration page on the
appliance to configure the scanning interface network settings (ETH1 - ETH5).
About this task
You configured the scanning interface when you set up the appliance with the
Proventia Setup Assistant. Use the procedures in this topic to change those
settings.
Procedure
1. Click Configuration → Network Interfaces in the navigation pane.
2. Click the Scan Interface tab, and then type or change the following
information:
Option Description
Interface The Ethernet port of the interfaces for the
agent.
IP Address The IP address of the scanning network
interface for the agent.
Subnet Mask The IP address for the scanning network
interface subnet mask of the agent.
Gateway The address of the network gateway.
Maximum IPs per discovery subtask The maximum number of IP addresses to
discover in a subtask (of a task for each scan
job).
Note: This value applies to all discovery
scans that the agent runs.
Maximum assets per assessment subtask The maximum number of assets to scan in a
subtask (of a task for each scan job).
Note: This value applies to all assessment
scans that the agent runs.
Perspective (network location) The name of the network location to
associate with this scanning port.
Values: Global, the default, and any network
locations defined in the Network Locations
policy.
3. Click Save Changes.
Chapter 1. Ad hoc scanning in the Proventia Manager 5
Configuring scanning interface DNS settings
Use the DNS tab on the Network Interface Configuration page on the appliance to
configure the DNS settings for the scanning interface.
About this task
You configured these settings when you set up the appliance with the Proventia
Setup Assistant. Use the procedures in this topic to change those settings.
Procedure
1. Click Configuration → Network Interfaces in the navigation pane.
2. Click the DNS tab.
3. Choose an option:
If you want to... Then...
Specify DNS settings
Add a DNS search path
Edit a DNS search path
Copy and paste a DNS search path
Remove a DNS search path
Change the order of a DNS search path
1. Type the IP addresses for the primary,
secondary, and tertiary DNS servers.
2. Click Save Changes.
1. In the DNS Search Path section, click the
Add icon.
2. Type the domain name to add to the
search list, and then click OK.
3. Click Save Changes.
1. In the DNS Search Path list, select a
domain name, and then click the Edit
icon.
2. Edit the domain name, and then click
OK.
3. Click Save Changes.
1. In the DNS Search Path section, select a
domain name, and then click the Copy
icon. The agent copies the search path to
the clipboard.
2. Click the Paste icon. The agent copies the
search path to the end of the list.
3. If necessary, edit the policy, and then
click OK.
4. Click Save Changes.
1. In the DNS Search Path section, select a
domain name, and then click the
Remove icon.
2. Click Save Changes.
1. In the DNS Search Path section, select a
domain name.
2. Click the Up or Down arrows.
Tip: It is more efficient to place the most
likely used search path at the top of the
list.
3. Click Save Changes.
6 Enterprise Scanner: User Guide
Assigning perspective to a scanning interface
Use the Network Locations tab on the Network Locations page on the appliance to
assign a perspective (network location) to a scanning interface.
About this task
You can only configure the ETH0 and ETH1 interfaces in Proventia Setup. You
must configure the remaining interfaces on this page (Network Locations page).
When you register the agent with SiteProtector, the perspectives you set here
(ETH2 - ETH5) are not automatically imported by the Network Locations policy in
SiteProtector. You must redefine those perspectives for this policy in SiteProtector.
Procedure
1. Click Configuration → Network Locations in the navigation pane.
2. Click the Network Locations tab.
3. Click the Add icon.
4. Type a name for the perspective in the Network Locations Name field, and
then click OK.
Important: You can only assign one unique perspective per scanning port. You
cannot assign the same perspective to more than one scanning port.
Configuring routes for perspective
Use the Routes tab on the Network Locations page on the appliance to configure
the appliance to select paths for (routes) traffic.
About this task
In a multi-segmented network, you might experience unnecessary network traffic if
your agent traffic is routed through your default gateway. You can reduce network
traffic if you configure routes for perspectives that provide more direct routes to
targeted segments.
Procedure
1. Click Configuration → Network Locations in the navigation pane.
2. Click the Routes tab.
3. Click the Add icon.
4. Complete the following fields:
Option Description
Perspective The perspective for which you are defining a
route.
Destination Network A network segment for which you want to
define a specific route for a perspective.
Gateway The IP address of the router the agent
should use to find IP addresses in the
Destination Network. Use the IP address
that is on the same network as the agent,
not the IP address of the route from inside
the target segment.
Chapter 1. Ad hoc scanning in the Proventia Manager 7
Option Description
Metric If you configure more than one route to the
5. Click Save Changes.
Section B: Policy configuration
This section explains how to configure policy settings in order to manage
vulnerabilities.
Defining assets for a discovery scan
Use the Discovery policy type on the Policy Management page on the appliance to
configure a policy that defines the parameters used to perform a discovery scan on
a portion of a network.
Before you begin
Before it can perform OS fingerprinting on an asset, your agent must find one
open and one closed port. To find an open and a closed port, the agent scans ports
1–1023 and any other ports specified in the applicable Network Services policy.
same segment for one perspective, a number
that indicates the preferred route. The closer
to 1, the more preferred the route.
Note: The numbers you use do not have to
be consecutive.
About this task
In a discovery task, a range of IP addresses is scanned to locate active network
interfaces, and the type of device associated with each active network interface is
determined through OS identification.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Discovery from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets to
discover in the IP range(s) to scan box as in the following examples:
v Type an IP address, and then press ENTER.
v Type a range of IP addresses, and then press ENTER.
Example: 172.1.1.100-172.1.1.200
v Type a combination of both choices above, and then press ENTER.
Note: A red box appears around the IP range(s) to scan box until the data is
validated.
5. If you want to ping each IP address before scanning to exclude unreachable
hosts from the scan, select the Ping hosts in this range, before scanning, to
exclude unreachable hosts check box.
6. If you want to add newly discovered assets to the group where you have
defined the scan, rather than to the Ungrouped Assets group, select the Add
newly discovered assets to group check box.
8 Enterprise Scanner: User Guide
7. If you want to add previously known assets that are already defined in other
groups to the scan group, select the Add previously known assets to group
check box.
Displaying assessment checks by groups
Use the Checks tab in the Assessment policy to group checks by any combination
of columns that you have chosen to display. For example, you might want to see
checks by category, then by severity within that category.
About this task
The current grouping selections are displayed just above the column headers of the
checks.
v If no groups are selected, the following message is displayed on the screen:
Right click on the column header to group by that column.
v If groups are selected, the group names are displayed on in the screen as in the
following example:
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Checks tab.
5. Choose an option:
If you want to... Then...
Clear groupings Choose an option:
v Right-click any column header, and then
select Clear Groupings from the pop-up
menu.
v Click Clear Groupings.
Create groupings interactively
1. Right-click a column heading, and then
select Group By from the pop-up menu.
2. Repeat the previous step until you have
created the groupings that you want.
Chapter 1. Ad hoc scanning in the Proventia Manager 9
If you want to... Then...
Create groupings from a selection list
1. Click the Group By icon.
The Group by Columns window
appears.
2. Select a column to group by in the All
Columns list, and then click Add.
The column moves to the Group by these
Columns list.
3. Repeat the previous step for each column
that you want to group by.
4. If you want to remove items from the
list, select an item in the Group by these
Columns list, and then click Remove.
The item and any items below it move to
the All Columns list.
5. Click OK.
Displaying information about assessment checks
Use the Checks tab in the Assessment policy to choose how much information to
display about each assessment check in the Assessment policy.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Checks tab.
5. Choose an option:
If you want to... Then...
Add a single column Right-click a column and then select the
column to add from the pop-up menu.
Note: The column appears at the far right.
Remove a single column Right-click a column and then select the
column to remove.
Note: The column is removed.
Add multiple columns Click the Column to display icon, and then
select the check box for each column to add.
Remove multiple columns Click the Column to display icon, and then
clear the check box for each column to
remove.
10 Enterprise Scanner: User Guide
Selecting assessment checks with filters
Use the Checks tab in the Assessment policy to provide filtering values on a
selected list of assessment checks.
About this task
The following rules apply to using regular expressions:
v The match occurs against all columns in the table, whether or not the column is
displayed.
v If you use more than one regular expression, every regular expression must
match for a check to be selected.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Checks tab.
5. Select the Filter check box, and then click Filter.
6. To filter with a regular expression, type one or more regular expressions on
separate lines in the Regular Expression box.
Tip: For example, use http.* to match the value in any column that starts with
http; or use .*http.* to match the value in any column that contains http.
7. To filter by one or more of the remaining filter types, select the values to filter
by in the filtering boxes.
Tip: You can select ranges of filtering values by holding down the SHIFT key
and random filtering values by holding down the CTRL key.
8. Click OK.
Chapter 1. Ad hoc scanning in the Proventia Manager 11
Configuring common assessment settings for an Assessment policy
Use the Common Settings tab in the Assessment policy to choose settings that
define additional scanning behavior for the checks you have selected to run in an
assessment scan.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Common Settings tab.
5. Type the URL or file location for the assessment check Help documentation in
the Help HTML Prefix box:
v The IBM ISS Web site location of up-to-date assessment check
documentation.
v The file location of a locally stored version of the documentation.
6. If you want to run the checks that are enabled by default, including checks
added in an X-Press Update (XPU), select a policy in the Compliance Policies
section.
CAUTION:
Custom Policy (All) runs all vulnerability checks, including DOS checks.
7. Configure options for service discovery in the Service Discovery section:
Option Description
Discover and report TCP services Reports active TCP services for which the
Service Scan flag is enabled in the Network
Services policy.
Discover and report UDP services Reports active UDP services for which the
Service Scan flag is enabled in the Network
Services policy.
8. Configure options for assessment port ranges in the Assessment Port Ranges
section:
Option Description
Ports to scan with generic TCP checks The set of TCP ports to scan with generic
TCP checks. You can specify ports using any
of the following methods:
v Type a port or range of ports.
v Click Well known and select ports from
the list.
v Select All.
Note: A generic TCP check is one whose
target type is tcp.
12 Enterprise Scanner: User Guide
Option Description
Ports to scan with generic UDP checks The set of UDP ports to scan with generic
UDP checks. You can specify ports using any
of the following methods:
v Type a port or range of ports.
v Click Well known and select ports from
the list.
v Select All.
Note: A generic UDP check is one whose
target type is udp.
9. Configure options for using OS information in the Use of OS Information
section:
Option Description
Dynamically determine OS if previously
obtained information is older than
For unverified OS’s: Specify which checks to run if the OS is
The maximum age (in minutes) of usable OS
information.
If the OS information for an asset is older
than the time specified, Enterprise Scanner
reassesses OSID when it runs an assessment
scan.
Default: 120
uncertain.
v Run all checks (lowest performance): If
Enterprise Scanner is uncertain about the
OS of the asset, it runs all assessment
checks.
v Run all checks that apply to general OS
(intermediate performance): If Enterprise
Scanner is uncertain about the OS of the
asset, it runs checks for all versions of an
operating system. (For example, if
Enterprise Scanner is uncertain about
which version a Windows operating
system is, it runs all the checks for all
versions of Win dows operating systems.)
v Run only checks that apply to specific
OS (Best performance): If Enterprise
Scanner is uncertain about the OS of the
asset, runs only the checks that apply to
the exact version of the operating system.
10. Configure options for application fingerprinting in the Use of Application
Fingerprinting section:
Chapter 1. Ad hoc scanning in the Proventia Manager 13
Option Description
Do not perform application fingerprinting Does not try to specifically identify which
applications are communicating over which
ports, and runs the checks as selected in the
Assessment policy.
This option does not identify applications
communicating over non-standard ports.
(Checks are run against standard ports as
defined in the Network Services policy.)
Fingerprint applications and run checks
that apply to application protocol (e.g.,
http)
Fingerprint applications and run checks
that apply to specific application (e.g.,
apache)
Identifies applications communicating over
specific ports, and then runs checks that
apply to the protocol in use.
This option identifies applications
communicating over non-standard ports.
Identifies applications communicating over
specific ports, and then runs checks that
apply only to the application identified.
This option identifies applications
communicating over non-standard ports.
11. The settings in the Account Verification section apply only if an Assessment
Credentials policy is available for the group being scanned.
Option Description
Verify account access level before using
Access domain controllers to verify access
level
Check local group membership to verify
access level
v If disabled, Enterprise Scanner assumes
that whatever is specified in the
Assessment Credentials policy is accurate.
v If enabled, Enterprise Scanner tries to
confirm that the access level specified in
the Assessment Credentials policy is
correct.
Important: You should enable the Check
local group membership to verify access
level if you enable account verification.
v If disabled, Enterprise Scanner does not
communicate with a Domain Controller in
the process of verifying access levels.
v If enabled, Enterprise Scanner tries to
communicate with a Domain Controller in
the process of verifying access levels.
v If disabled, Enterprise Scanner does not
try to confirm the access level for the
account during assessment by checking
which local groups the asset belong to.
v If enabled, Enterprise Scanner tries to
confirm the access level for the account
during assessment by checking which
local groups the asset belong to.
12. Configure the options for locking out accounts in the Account Lockout
Control section:
14 Enterprise Scanner: User Guide
Option Description
Allowed account lockout Select a type of lockout:
v No lockout allowed: Enterprise Scanner
avoids running password guessing checks
if account lockout is enabled on the target
host, or if its status cannot be determined.
v Temporary lockout allowed: Enterprise
Scanner runs password guessing checks
only if the account lockout duration is less
than or equal to the value specified in the
Maximum Allowable Lockout Duration
option later in this section.
v Permanent lockout allowed:Enterprise
Scanner runs password guessing checks
even if the account lockout duration is set
to run infinitely.
Longest allowed temporary lockout Specifies the maximum time (in minutes)
that accounts are allowed to be locked out
by password guessing checks.
This value applies only if Temporary
Lockout Allowed is enabled. When
temporary lockout is allowed, password
guessing checks are run only against assets
whose lockout policy disables locked out
accounts for no more than the maximum
allowed lockout time.
Chapter 1. Ad hoc scanning in the Proventia Manager 15
Defining assessment credentials for a policy
Use the Assessment Credentials policy type on the Policy Management page to
define authentication credentials for your assets.
About this task
The appliance uses authentication credentials to access accounts during assessment
scans. Enterprise Scanner uses all instances of the credentials that are defined for
the group when it scans assets in the group. You can define different instances of
this policy for different groups, which makes it possible to supply different log on
credentials to scan different parts of the network.
Important: The Assessment Credentials policy currently works only with assets
that run Windows operating systems.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Assessment Credentials from the Policy Types list, and then click Add.
3. Confirm your password, and then click OK.
4. Type a name for the scan policy.
5. In the Assessment Credentials tab, click Add, and then provide the following
account information:
Option Description
Username The user identification for an account.
Password The password to use with the user name to
log into an account.
Account Type: Windows Local Indicates that the user account is defined
locally on a single Windows device. The
account is used to attempt to log in to a
single Windows device.
When you choose this option, you must
provide a Windows host name in the
Domain/Host box.
Account Type: Windows
Domain/Workgroup
Account Type: Windows Active Directory Indicates that the user account is defined in
Indicates that the user account is defined in
a Windows Domain or Workgroup. The
account is used to attempt to log in to all
Windows devices within the domain or
workgroup.
When you choose this option, you must
provide the Windows Domain or Workgroup
name in the Domain/Host box.
a Windows Active Directory Domain. The
account is used to attempt to log in to all
Windows devices within the Active
Directory domain.
16 Enterprise Scanner: User Guide
When you choose this option, you must
provide the Active Directory Domain name
in the Domain/Host box.
Option Description
Account Type: SSH Local
Account Type: SSH Domain
Domain/Host Applies to one of the following domains or
Account Level Applies to one of the following accounts:
Indicates that the user account is defined
locally on a single Unix device that allows
SSH logons. The account is used to attempt
login to a single Unix device.
When you choose this option, you must
provide an IP address in the Domain/Host
box.
Indicates that the user account is defined for
Unix devices that allow SSH logons. In this
context, ″Domain″ loosely refers to a set of
devices, rather than to a specific type of
domain. The account is used to attempt to
log in to all SSH devices covered by the
policy.
When you choose this option, you should
supply a descriptive name in the
Domain/Host box. This is for
documentation purposes only; it is not used
by Enterprise Scanner.
hosts:
v For Windows accounts, the domain or
host name to which the account applies.
v For SSH Local accounts, the IP address of
the device to which the account applies.
v For SSH Domain accounts, any text.
v Administrator
v User
v Guest
Important: To avoid locking an account, do not add the account more than
once.
Chapter 1. Ad hoc scanning in the Proventia Manager 17
Defining the service names associated with TCP and UDP ports
Use the Network Services policy type on the Policy Management page to define
service names associated with TCP and UDP ports.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Network Services from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. For default or customized services, choose an option:
If you want to... Then...
Change the description of a service Slowly click Description two times to switch
to edit mode, and then change the
description.
Allow each service to operate over SSL in
at least some part of your network
Allow service scans for this service over
any TCP and UDP ports specified in the
Assessment policy
Note: You cannot change the Service name, Port, or Protocol of default
services. You cannot delete default services.
5. For customized services, choose an option:
Select the May use SSL check box for that
service.
Select the Service scan check box.
If you want to... Then...
Add a service Click the Add icon.
Modify a service Click the Modify icon.
Delete a service Click the Delete icon.
18 Enterprise Scanner: User Guide
Defining ports or assets to exclude from a scan
Use the Scan Exclusion policy type on the Policy Management page to define
specific ports or assets to exclude from a scan of a group of assets.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Scan Exclusion from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Choose an option:
If you want to... Then...
Exclude ports Use a combination of typing the ports to
exclude and choosing the ports:
v Type the ports to exclude, separated by
commas, in the Excluded Ports box.
v Click Well Known Ports, and then select
the ports to exclude.
Exclude assets Type the IP addresses (in dotted-decimal or
CIDR notation) of the hosts to exclude in the
Excluded Hosts box:
v Type an IP address, and then press ENTER.
v Type a range of IP addresses, and then
press ENTER.
Example: 172.1.1.100-172.1.1.200
v Type a combination of both choices above,
and then press ENTER.
Note: A red box is displayed around the
Excluded Hosts box until the data is
validated.
Chapter 1. Ad hoc scanning in the Proventia Manager 19
Configuring and saving a scan policy in the Proventia Manager
Use the Policy Management page on the appliance to configure discovery and
assessment scan policies from Proventia Manager for auditing purposes, and then
use those policies for one-time (ad hoc) scans that you initialize from the LMI Scan
Control page.
Before you begin
You will not be able to run scans from Proventia Manager if the appliance is
registered with SiteProtector.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Choose the scan policy that you want to configure from the Policy Types list,
and then click Add.
3. Type a name for the scan policy, and then configure the settings for the scan
policy. Policy names are limited to 32 characters using any combination of
letters or numbers. You cannot use a dash (-) or underscore (_) in the policy
name. You can run the following combinations of scans:
v Discovery scan
v Discovery and an assessment scan
You cannot run an assessment only scan from the Proventia Manager. The
following table lists which scan policies are required to run an ad hoc scan
from Proventia Manager:
Table 2. Policies used for ad hoc scanning in Proventia Manager
Scan policy Required
Discovery Yes
Assessment Yes
Assessment Credential No
Network Services No
Scan Exclusion No
*You should run a discovery scan policy first (to identify assets on the network) before you
run an assessment scan.
4. Click Save Changes to save the scan policy. You are now ready to run an ad
hoc scan using a configured scan policy.
5. Click Scan → Run Scan in the navigation pane. The LMI Scan Control page is
displayed in Proventia Manager.
20 Enterprise Scanner: User Guide
Chapter 2. Interpreting scan results in the Proventia Manager
This chapter explains how to monitor and view scan results in the Proventia
Manager.
Topics
“Running an ad hoc scan” on page 22
“Monitoring the status of a scan” on page 23
“Viewing the results of an ad hoc scan” on page 24
“Exporting scan results from Proventia Manager” on page 24
“Purging scan data from the database” on page 25
© Copyright IBM Corp. 1997, 2009 21
Running an ad hoc scan
Use the LMI Scan Control page on the appliance to define and run ad hoc scans
for assessment and discovery.
Before you begin
Before you can run a scan, make sure you have configured a scan from the Policy
Management page.
Procedure
1. Click Scan → Run Scan in the navigation pane.
2. Depending on what type of scan you are running (discovery or assessment),
provide a name for the scan job in the Discovery Job Name or Assessment Job
Name field.
Tip: The scan job name is useful when you want to view the results and status
of the scan.
3. From the fields provided in the LMI Scan area, determine what type of scan
you need to run, and then select a configured scan policy from the list. You can
run the following combinations of scans:
v Discovery scan
v Discovery and an assessment scan
You cannot run an assessment only scan from the Proventia Manager. Because
the appliance does not use a database to store asset information, you must run
a discovery scan followed by an assessment scan.
4. Select what network location (or perspective) you need to run the scan policy
against from the Perform scans from this perspective (Network location) list.
5. Click Save Changes to start the ad hoc scan.
22 Enterprise Scanner: User Guide
Loading...