IBM Partner Pavilion Proventia Network Enterprise Scanner User Manual

IBM Proventia Network Enterprise Scanner
User Guide Version 2.3

Copyright statement
© Copyright IBM Corporation 1997, 2009.
All Rights Reserved.
U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Publication Date: February 2009

Trademarks and Disclaimer

IBM®and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME RealSecure®, SecurePartner™, SecurityFusion™, SiteProtector™, System Scanner™, Virtual Patch®, X-Force®and X-Press Update are trademarks or registered trademarks of Internet Security Systems or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.
Microsoft in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than IBM Internet Security Systems (IBM ISS). Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. IBM Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall IBM ISS be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if IBM Internet Security Systems has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
, Ahead of the threat, BlackICE™, Internet Scanner®, Proventia®,
®
, Windows®, and Windows NT®are trademarks of Microsoft Corporation
, Inc. in the United States, other countries,
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by IBM Internet Security Systems. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM Internet Security Systems, and shall not be used for advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents IBM Internet Security Systems, Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email message with the topic name, link, and its behavior to mailto://support@iss.net.
© Copyright IBM Corp. 1997, 2009 iii
iv Enterprise Scanner: User Guide

Contents

Trademarks and Disclaimer ......iii
About this book ...........vii
Related publications ...........viii
Technical support contacts .........viii
Part 1. Scanning from the Proventia
Manager ..............1
Chapter 1. Ad hoc scanning in the
Proventia Manager ..........3
Section A: Network configuration .......4
Configuring the management network interface . 4 Configuring the scanning network interface . . . 5 Configuring scanning interface DNS settings . . 6 Assigning perspective to a scanning interface . . 7
Configuring routes for perspective ......7
Section B: Policy configuration ........8
Defining assets for a discovery scan .....8
Displaying assessment checks by groups ....9
Displaying information about assessment checks 10
Selecting assessment checks with filters ....11
Configuring common assessment settings for an
Assessment policy ...........12
Defining assessment credentials for a policy . . 16 Defining the service names associated with TCP
and UDP ports ............18
Defining ports or assets to exclude from a scan 19 Configuring and saving a scan policy in the
Proventia Manager ...........20
Chapter 2. Interpreting scan results in
the Proventia Manager ........21
Running an ad hoc scan ..........22
Monitoring the status of a scan ........23
Viewing the results of an ad hoc scan .....24
Exporting scan results from Proventia Manager . . 24
Purging scan data from the database ......25
Part 2. Scanning from the
SiteProtector Console .......27
Chapter 3. Enterprise Scanner policies 29
Policy inheritance with Enterprise Scanner policies 30 Deploying an Enterprise Scanner policy from the
policy repository ............31
Migrating a locally managed Enterprise Scanner
agent into SiteProtector ..........32
Viewing asset or agent policies for Enterprise
Scanner................33
Getting vulnerability help for a SiteProtector
Console without Internet access .......34
Agent policies for Enterprise Scanner ......35
Agent policy descriptions for Enterprise Scanner 35
Network Locations policy ........36
Notification policy ...........38
Access policy .............39
Networking policy ...........40
Services policy ............43
Time policy .............44
Update Settings policy..........45
Asset policies for Enterprise Scanner ......45
Asset policy descriptions for Enterprise Scanner 45
Discovery policy............46
Assessment policy ...........48
Assessment Credentials policy .......55
Scan Control policy ...........57
Scan Window policy ..........59
Scan Exclusion policy ..........61
Network Services policy .........62
Ad Hoc Scan Control policy ........64
Chapter 4. Understanding scanning
processes in SiteProtector ......67
What is perspective? ...........68
Defining perspectives ...........69
Scan jobs and related terms .........71
Types of tasks .............72
Priorities for running tasks .........73
Stages of a scanning process .........74
Optimizing cycle duration, scan windows, and
subtasks for Enterprise Scanner........76
Chapter 5. Background scanning in
SiteProtector ............79
Determining when background scans run ....80
How policies apply to ad hoc and background scans 81 Background scanning checklists for Enterprise
Scanner................83
Enabling background scanning ........84
Defining when scanning is allowed ......85
Defining ports or assets to exclude from a scan . . 87
Defining network services .........88
Defining assessment credentials for a policy . . . 89
Chapter 6. Monitoring scans in
SiteProtector ............91
Viewing your scan jobs ..........92
Viewing discovery job results ........92
Viewing assessment job results ........93
Chapter 7. Managing scans in
SiteProtector ............95
Stopping and restarting scan jobs .......96
Suspending and enabling all background scans . . 97
Minimum scanning requirements .......98
© Copyright IBM Corp. 1997, 2009 v
Scanning behaviors for ad hoc scans ......99
Part 3. Maintenance........139
Chapter 8. Interpreting scan results in
SiteProtector ...........103
OS identification (OSID) certainty ......104
How OSID is updated in Enterprise Scanner . . . 105 Setting up a Summary view for vulnerability
management .............106
Summary page for vulnerability management . . 106 Viewing vulnerabilities in the SiteProtector Console
using Enterprise Scanner .........108
Viewing vulnerabilities by asset in Enterprise
Scanner ..............108
Viewing vulnerabilities by detail in Enterprise
Scanner ..............111
Viewing vulnerabilities by object in Enterprise
Scanner ..............113
Viewing vulnerabilities by target operating
system in Enterprise Scanner .......114
Viewing vulnerabilities by vulnerability name in
Enterprise Scanner...........115
Running reports in the SiteProtector Console . . . 117
Types of assessment reports ........117
Viewing an Enterprise Scanner report in the
SiteProtector Console ...........119
Chapter 9. Logs and alerts......121
Log files and alert notification ........122
System logs ..............123
Getting log status information .......124
Enterprise Scanner (ES) logs ........124
Downloading Enterprise Scanner (ES) log files 126
Alerts log ..............127
Downloading and saving an Alerts log ....128
Clearing the Alerts log .........129
Finding specific events in the Alerts log . . . 129
Chapter 10. Ticketing and remediation 133
Ticketing and Enterprise Scanner .......134
Remediation process overview for Enterprise
Scanner ...............135
Remediation tasks for Enterprise Scanner ....136
Chapter 11. Performing routine
maintenance............141
Shutting down your Enterprise Scanner ....142
Removing an agent from SiteProtector .....143
Options for backing up Enterprise Scanner . . . 144
Backing up configuration settings ......145
Making full system backups ........146
Chapter 12. Updating Enterprise
Scanner..............147
XPU basics ..............148
Updating options ............149
Configuring explicit-trust authentication with an
XPU server ..............150
Configuring an Alternate Update location ....151
Configuring an HTTP Proxy ........153
Configuring notification options for XPUs ....153
Scheduling a one-time firmware update ....154
Configuring automatic updates .......154
Manually installing updates ........156
Chapter 13. Viewing the status of the
Enterprise Scanner agent ......157
Proventia Manager Home page .......158
Viewing agent status in the SiteProtector Console 160
Viewing agent status ...........160
Viewing the status of the CAM modules ....161
Troubleshooting the Enterprise Scanner sensor . . 161
Part 4. Appendixes ........163
Appendix. Safety, environmental, and
electronic emissions notices .....165
Index ...............177
vi
Enterprise Scanner: User Guide

About this book

This section describes the audience for this guide; identifies related publications; and provides contact information.
Audience
Users of this guide should understand their network topology, including the criticality of network assets. In addition, because Enterprise Scanner can be managed through the SiteProtector Console, you must have a working knowledge of the SiteProtector system, including how to set up views, manage users and user permissions, and deploy policies.
Topics
“Related publications” on page viii
“Technical support contacts” on page viii
© Copyright IBM Corp. 1997, 2009 vii

Related publications

Use this topic to help you access information about your Enterprise Scanner appliance.
Publications
The following documents are available for download from the IBM ISS Documentation Web site at http://www.iss.net/support/documentation/.
v IBM Proventia Network Enterprise Scanner Version 2.3 Quick Start Card (Models
ES750 and ES1500)
v IBM Proventia Network Enterprise Scanner Version 2.3 Getting Started Guide
v IBM Proventia Network Enterprise Scanner Version 2.3 User Guide
License agreement
For licensing information on IBM Internet Security System products, download the IBM Licensing Agreement from http://www.ibm.com/services/us/iss/html/ contracts_landing.html.

Technical support contacts

IBM Internet Security Systems (IBM ISS) provides technical support through its Web site and by email or telephone.
The IBM ISS Web site
The IBM ISS Customer Support Web page at http://www.ibm.com/services/us/ iss/support/ provides direct access to online user documentation, current versions listings, detailed product literature, white papers, and the Technical Support Knowledgebase.
Hours of support
The following table provides hours for Technical Support at the Americas and other locations:
Table 1. Hours of technical support
Location Hours
Americas 24 hours a day
All other locations Monday through Friday, 9:00 A.M. to 6:00
P.M. during their local time, excluding IBM ISS published holidays Note: If your local support office is located outside the Americas, you may call or send an email to the Americas office for help during off-hours.
Contact information
For contact information, go to the IBM Internet Security Systems Contact Technical Support Web page at http://www.ibm.com/services/us/iss/support/.
viii Enterprise Scanner: User Guide

Part 1. Scanning from the Proventia Manager

This section explains how to manage scans from the Proventia Manager for the Enterprise Scanner agent.
Chapters
Chapter 1, “Ad hoc scanning in the Proventia Manager,” on page 3
Chapter 2, “Interpreting scan results in the Proventia Manager,” on page 21
© Copyright IBM Corp. 1997, 2009 1
2 Enterprise Scanner: User Guide

Chapter 1. Ad hoc scanning in the Proventia Manager

This chapter explains how to use perspective and the high-level processes behind ad hoc scanning from the Proventia Manager.
Section A: Network configuration
“Configuring the management network interface” on page 4
“Configuring the scanning network interface” on page 5
“Configuring scanning interface DNS settings” on page 6
“Assigning perspective to a scanning interface” on page 7
“Configuring routes for perspective” on page 7
Section B: Policy configuration
“Defining assets for a discovery scan” on page 8
“Displaying assessment checks by groups” on page 9
“Displaying information about assessment checks” on page 10
“Selecting assessment checks with filters” on page 11
“Configuring common assessment settings for an Assessment policy” on page 12
“Defining assessment credentials for a policy” on page 16
“Defining ports or assets to exclude from a scan” on page 19
“Configuring and saving a scan policy in the Proventia Manager” on page 20
© Copyright IBM Corp. 1997, 2009 3

Section A: Network configuration

This section explains how to define the network interfaces for the management and scanning ports, how to assign perspectives to network interfaces, and how to configure the Enterprise Scanner appliance to select routes for traffic.
Configuring the management network interface
Use the Management Interface tab on the Network Interface Configuration page on the appliance to configure the management interface network settings (ETH0).
About this task
You configured the management interface when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this topic to change those settings.
Procedure
1. Click Configuration Network Interfaces in the navigation pane.
2. Click the Management Interface tab, and then type or change the following
information:
Option Description
Host Name The fully qualified domain name for the
Interface The management port used by the
IP address The IP address of the management interface
Subnet Mask The IP address of the subnet mask for the
Gateway The address of the network gateway.
Enterprise Scanner agent. Use the format:
gateway1.example.com
Enterprise Scanner agent.
for the agent.
agent.
3. Select the Use Persistent IP if sensor is behind NAT if you want to avoid conflicts with NAT rules, and then provide the IP address.
4. Click Save Changes.
4 Enterprise Scanner: User Guide
Configuring the scanning network interface
Use the Scan Interface tab on the Network Interface Configuration page on the appliance to configure the scanning interface network settings (ETH1 - ETH5).
About this task
You configured the scanning interface when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this topic to change those settings.
Procedure
1. Click Configuration Network Interfaces in the navigation pane.
2. Click the Scan Interface tab, and then type or change the following
information:
Option Description
Interface The Ethernet port of the interfaces for the
agent.
IP Address The IP address of the scanning network
interface for the agent.
Subnet Mask The IP address for the scanning network
interface subnet mask of the agent.
Gateway The address of the network gateway.
Maximum IPs per discovery subtask The maximum number of IP addresses to
discover in a subtask (of a task for each scan job). Note: This value applies to all discovery scans that the agent runs.
Maximum assets per assessment subtask The maximum number of assets to scan in a
subtask (of a task for each scan job). Note: This value applies to all assessment scans that the agent runs.
Perspective (network location) The name of the network location to
associate with this scanning port. Values: Global, the default, and any network locations defined in the Network Locations policy.
3. Click Save Changes.
Chapter 1. Ad hoc scanning in the Proventia Manager 5
Configuring scanning interface DNS settings
Use the DNS tab on the Network Interface Configuration page on the appliance to configure the DNS settings for the scanning interface.
About this task
You configured these settings when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this topic to change those settings.
Procedure
1. Click Configuration Network Interfaces in the navigation pane.
2. Click the DNS tab.
3. Choose an option:
If you want to... Then...
Specify DNS settings
Add a DNS search path
Edit a DNS search path
Copy and paste a DNS search path
Remove a DNS search path
Change the order of a DNS search path
1. Type the IP addresses for the primary, secondary, and tertiary DNS servers.
2. Click Save Changes.
1. In the DNS Search Path section, click the
Add icon.
2. Type the domain name to add to the search list, and then click OK.
3. Click Save Changes.
1. In the DNS Search Path list, select a
domain name, and then click the Edit icon.
2. Edit the domain name, and then click OK.
3. Click Save Changes.
1. In the DNS Search Path section, select a
domain name, and then click the Copy icon. The agent copies the search path to the clipboard.
2. Click the Paste icon. The agent copies the search path to the end of the list.
3. If necessary, edit the policy, and then click OK.
4. Click Save Changes.
1. In the DNS Search Path section, select a
domain name, and then click the Remove icon.
2. Click Save Changes.
1. In the DNS Search Path section, select a
domain name.
2. Click the Up or Down arrows. Tip: It is more efficient to place the most
likely used search path at the top of the list.
3. Click Save Changes.
6 Enterprise Scanner: User Guide
Assigning perspective to a scanning interface
Use the Network Locations tab on the Network Locations page on the appliance to assign a perspective (network location) to a scanning interface.
About this task
You can only configure the ETH0 and ETH1 interfaces in Proventia Setup. You must configure the remaining interfaces on this page (Network Locations page). When you register the agent with SiteProtector, the perspectives you set here (ETH2 - ETH5) are not automatically imported by the Network Locations policy in SiteProtector. You must redefine those perspectives for this policy in SiteProtector.
Procedure
1. Click Configuration Network Locations in the navigation pane.
2. Click the Network Locations tab.
3. Click the Add icon.
4. Type a name for the perspective in the Network Locations Name field, and
then click OK.
Important: You can only assign one unique perspective per scanning port. You
cannot assign the same perspective to more than one scanning port.
Configuring routes for perspective
Use the Routes tab on the Network Locations page on the appliance to configure the appliance to select paths for (routes) traffic.
About this task
In a multi-segmented network, you might experience unnecessary network traffic if your agent traffic is routed through your default gateway. You can reduce network traffic if you configure routes for perspectives that provide more direct routes to targeted segments.
Procedure
1. Click Configuration Network Locations in the navigation pane.
2. Click the Routes tab.
3. Click the Add icon.
4. Complete the following fields:
Option Description
Perspective The perspective for which you are defining a
route.
Destination Network A network segment for which you want to
define a specific route for a perspective.
Gateway The IP address of the router the agent
should use to find IP addresses in the Destination Network. Use the IP address that is on the same network as the agent, not the IP address of the route from inside the target segment.
Chapter 1. Ad hoc scanning in the Proventia Manager 7
Option Description
Metric If you configure more than one route to the
5. Click Save Changes.

Section B: Policy configuration

This section explains how to configure policy settings in order to manage vulnerabilities.
Defining assets for a discovery scan
Use the Discovery policy type on the Policy Management page on the appliance to configure a policy that defines the parameters used to perform a discovery scan on a portion of a network.
Before you begin
Before it can perform OS fingerprinting on an asset, your agent must find one open and one closed port. To find an open and a closed port, the agent scans ports 1–1023 and any other ports specified in the applicable Network Services policy.
same segment for one perspective, a number that indicates the preferred route. The closer to 1, the more preferred the route. Note: The numbers you use do not have to be consecutive.
About this task
In a discovery task, a range of IP addresses is scanned to locate active network interfaces, and the type of device associated with each active network interface is determined through OS identification.
Procedure
1. Click Scan Policy Management in the navigation pane.
2. Select Discovery from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets to
discover in the IP range(s) to scan box as in the following examples:
v Type an IP address, and then press ENTER. v Type a range of IP addresses, and then press ENTER.
Example: 172.1.1.100-172.1.1.200
v Type a combination of both choices above, and then press ENTER.
Note: A red box appears around the IP range(s) to scan box until the data is validated.
5. If you want to ping each IP address before scanning to exclude unreachable hosts from the scan, select the Ping hosts in this range, before scanning, to exclude unreachable hosts check box.
6. If you want to add newly discovered assets to the group where you have defined the scan, rather than to the Ungrouped Assets group, select the Add
newly discovered assets to group check box.
8 Enterprise Scanner: User Guide
7. If you want to add previously known assets that are already defined in other groups to the scan group, select the Add previously known assets to group check box.
Displaying assessment checks by groups
Use the Checks tab in the Assessment policy to group checks by any combination of columns that you have chosen to display. For example, you might want to see checks by category, then by severity within that category.
About this task
The current grouping selections are displayed just above the column headers of the checks.
v If no groups are selected, the following message is displayed on the screen:
Right click on the column header to group by that column.
v If groups are selected, the group names are displayed on in the screen as in the
following example:
Procedure
1. Click Scan Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Checks tab.
5. Choose an option:
If you want to... Then...
Clear groupings Choose an option:
v Right-click any column header, and then
select Clear Groupings from the pop-up menu.
v Click Clear Groupings.
Create groupings interactively
1. Right-click a column heading, and then select Group By from the pop-up menu.
2. Repeat the previous step until you have created the groupings that you want.
Chapter 1. Ad hoc scanning in the Proventia Manager 9
If you want to... Then...
Create groupings from a selection list
1. Click the Group By icon. The Group by Columns window
appears.
2. Select a column to group by in the All Columns list, and then click Add.
The column moves to the Group by these Columns list.
3. Repeat the previous step for each column that you want to group by.
4. If you want to remove items from the list, select an item in the Group by these Columns list, and then click Remove.
The item and any items below it move to the All Columns list.
5. Click OK.
Displaying information about assessment checks
Use the Checks tab in the Assessment policy to choose how much information to display about each assessment check in the Assessment policy.
Procedure
1. Click Scan Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Checks tab.
5. Choose an option:
If you want to... Then...
Add a single column Right-click a column and then select the
column to add from the pop-up menu.
Note: The column appears at the far right.
Remove a single column Right-click a column and then select the
column to remove.
Note: The column is removed.
Add multiple columns Click the Column to display icon, and then
select the check box for each column to add.
Remove multiple columns Click the Column to display icon, and then
clear the check box for each column to remove.
10 Enterprise Scanner: User Guide
Selecting assessment checks with filters
Use the Checks tab in the Assessment policy to provide filtering values on a selected list of assessment checks.
About this task
The following rules apply to using regular expressions: v The match occurs against all columns in the table, whether or not the column is
displayed.
v If you use more than one regular expression, every regular expression must
match for a check to be selected.
Procedure
1. Click Scan Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Checks tab.
5. Select the Filter check box, and then click Filter.
6. To filter with a regular expression, type one or more regular expressions on
separate lines in the Regular Expression box.
Tip: For example, use http.* to match the value in any column that starts with
http; or use .*http.* to match the value in any column that contains http.
7. To filter by one or more of the remaining filter types, select the values to filter by in the filtering boxes.
Tip: You can select ranges of filtering values by holding down the SHIFT key and random filtering values by holding down the CTRL key.
8. Click OK.
Chapter 1. Ad hoc scanning in the Proventia Manager 11
Configuring common assessment settings for an Assessment policy
Use the Common Settings tab in the Assessment policy to choose settings that define additional scanning behavior for the checks you have selected to run in an assessment scan.
Procedure
1. Click Scan Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Common Settings tab.
5. Type the URL or file location for the assessment check Help documentation in
the Help HTML Prefix box: v The IBM ISS Web site location of up-to-date assessment check
documentation.
v The file location of a locally stored version of the documentation.
6. If you want to run the checks that are enabled by default, including checks added in an X-Press Update (XPU), select a policy in the Compliance Policies section.
CAUTION: Custom Policy (All) runs all vulnerability checks, including DOS checks.
7. Configure options for service discovery in the Service Discovery section:
Option Description
Discover and report TCP services Reports active TCP services for which the
Service Scan flag is enabled in the Network Services policy.
Discover and report UDP services Reports active UDP services for which the
Service Scan flag is enabled in the Network Services policy.
8. Configure options for assessment port ranges in the Assessment Port Ranges section:
Option Description
Ports to scan with generic TCP checks The set of TCP ports to scan with generic
TCP checks. You can specify ports using any of the following methods:
v Type a port or range of ports. v Click Well known and select ports from
the list.
v Select All.
Note: A generic TCP check is one whose
target type is tcp.
12 Enterprise Scanner: User Guide
Option Description
Ports to scan with generic UDP checks The set of UDP ports to scan with generic
UDP checks. You can specify ports using any of the following methods:
v Type a port or range of ports. v Click Well known and select ports from
the list.
v Select All.
Note: A generic UDP check is one whose
target type is udp.
9. Configure options for using OS information in the Use of OS Information section:
Option Description
Dynamically determine OS if previously obtained information is older than
For unverified OS’s: Specify which checks to run if the OS is
The maximum age (in minutes) of usable OS information.
If the OS information for an asset is older than the time specified, Enterprise Scanner reassesses OSID when it runs an assessment scan. Default: 120
uncertain. v Run all checks (lowest performance): If
Enterprise Scanner is uncertain about the OS of the asset, it runs all assessment checks.
v Run all checks that apply to general OS
(intermediate performance): If Enterprise
Scanner is uncertain about the OS of the asset, it runs checks for all versions of an operating system. (For example, if Enterprise Scanner is uncertain about which version a Windows operating system is, it runs all the checks for all versions of Win dows operating systems.)
v Run only checks that apply to specific
OS (Best performance): If Enterprise
Scanner is uncertain about the OS of the asset, runs only the checks that apply to the exact version of the operating system.
10. Configure options for application fingerprinting in the Use of Application Fingerprinting section:
Chapter 1. Ad hoc scanning in the Proventia Manager 13
Option Description
Do not perform application fingerprinting Does not try to specifically identify which
applications are communicating over which ports, and runs the checks as selected in the Assessment policy.
This option does not identify applications communicating over non-standard ports. (Checks are run against standard ports as defined in the Network Services policy.)
Fingerprint applications and run checks that apply to application protocol (e.g., http)
Fingerprint applications and run checks that apply to specific application (e.g., apache)
Identifies applications communicating over specific ports, and then runs checks that apply to the protocol in use.
This option identifies applications communicating over non-standard ports.
Identifies applications communicating over specific ports, and then runs checks that apply only to the application identified.
This option identifies applications communicating over non-standard ports.
11. The settings in the Account Verification section apply only if an Assessment Credentials policy is available for the group being scanned.
Option Description
Verify account access level before using
Access domain controllers to verify access level
Check local group membership to verify access level
v If disabled, Enterprise Scanner assumes
that whatever is specified in the Assessment Credentials policy is accurate.
v If enabled, Enterprise Scanner tries to
confirm that the access level specified in the Assessment Credentials policy is correct.
Important: You should enable the Check local group membership to verify access level if you enable account verification.
v If disabled, Enterprise Scanner does not
communicate with a Domain Controller in the process of verifying access levels.
v If enabled, Enterprise Scanner tries to
communicate with a Domain Controller in the process of verifying access levels.
v If disabled, Enterprise Scanner does not
try to confirm the access level for the account during assessment by checking which local groups the asset belong to.
v If enabled, Enterprise Scanner tries to
confirm the access level for the account during assessment by checking which local groups the asset belong to.
12. Configure the options for locking out accounts in the Account Lockout
Control section:
14 Enterprise Scanner: User Guide
Option Description
Allowed account lockout Select a type of lockout:
v No lockout allowed: Enterprise Scanner
avoids running password guessing checks if account lockout is enabled on the target host, or if its status cannot be determined.
v Temporary lockout allowed: Enterprise
Scanner runs password guessing checks only if the account lockout duration is less than or equal to the value specified in the
Maximum Allowable Lockout Duration
option later in this section.
v Permanent lockout allowed:Enterprise
Scanner runs password guessing checks even if the account lockout duration is set to run infinitely.
Longest allowed temporary lockout Specifies the maximum time (in minutes)
that accounts are allowed to be locked out by password guessing checks.
This value applies only if Temporary Lockout Allowed is enabled. When temporary lockout is allowed, password guessing checks are run only against assets whose lockout policy disables locked out accounts for no more than the maximum allowed lockout time.
Chapter 1. Ad hoc scanning in the Proventia Manager 15
Defining assessment credentials for a policy
Use the Assessment Credentials policy type on the Policy Management page to define authentication credentials for your assets.
About this task
The appliance uses authentication credentials to access accounts during assessment scans. Enterprise Scanner uses all instances of the credentials that are defined for the group when it scans assets in the group. You can define different instances of this policy for different groups, which makes it possible to supply different log on credentials to scan different parts of the network.
Important: The Assessment Credentials policy currently works only with assets that run Windows operating systems.
Procedure
1. Click Scan Policy Management in the navigation pane.
2. Select Assessment Credentials from the Policy Types list, and then click Add.
3. Confirm your password, and then click OK.
4. Type a name for the scan policy.
5. In the Assessment Credentials tab, click Add, and then provide the following
account information:
Option Description
Username The user identification for an account.
Password The password to use with the user name to
log into an account.
Account Type: Windows Local Indicates that the user account is defined
locally on a single Windows device. The account is used to attempt to log in to a single Windows device.
When you choose this option, you must provide a Windows host name in the Domain/Host box.
Account Type: Windows Domain/Workgroup
Account Type: Windows Active Directory Indicates that the user account is defined in
Indicates that the user account is defined in a Windows Domain or Workgroup. The account is used to attempt to log in to all Windows devices within the domain or workgroup.
When you choose this option, you must provide the Windows Domain or Workgroup name in the Domain/Host box.
a Windows Active Directory Domain. The account is used to attempt to log in to all Windows devices within the Active Directory domain.
16 Enterprise Scanner: User Guide
When you choose this option, you must provide the Active Directory Domain name in the Domain/Host box.
Option Description
Account Type: SSH Local
Account Type: SSH Domain
Domain/Host Applies to one of the following domains or
Account Level Applies to one of the following accounts:
Indicates that the user account is defined locally on a single Unix device that allows SSH logons. The account is used to attempt login to a single Unix device.
When you choose this option, you must provide an IP address in the Domain/Host box.
Indicates that the user account is defined for Unix devices that allow SSH logons. In this context, Domainloosely refers to a set of devices, rather than to a specific type of domain. The account is used to attempt to log in to all SSH devices covered by the policy.
When you choose this option, you should supply a descriptive name in the Domain/Host box. This is for documentation purposes only; it is not used by Enterprise Scanner.
hosts: v For Windows accounts, the domain or
host name to which the account applies.
v For SSH Local accounts, the IP address of
the device to which the account applies.
v For SSH Domain accounts, any text.
v Administrator v User v Guest
Important: To avoid locking an account, do not add the account more than once.
Chapter 1. Ad hoc scanning in the Proventia Manager 17
Defining the service names associated with TCP and UDP ports
Use the Network Services policy type on the Policy Management page to define service names associated with TCP and UDP ports.
Procedure
1. Click Scan Policy Management in the navigation pane.
2. Select Network Services from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. For default or customized services, choose an option:
If you want to... Then...
Change the description of a service Slowly click Description two times to switch
to edit mode, and then change the description.
Allow each service to operate over SSL in at least some part of your network
Allow service scans for this service over any TCP and UDP ports specified in the Assessment policy
Note: You cannot change the Service name, Port, or Protocol of default
services. You cannot delete default services.
5. For customized services, choose an option:
Select the May use SSL check box for that service.
Select the Service scan check box.
If you want to... Then...
Add a service Click the Add icon.
Modify a service Click the Modify icon.
Delete a service Click the Delete icon.
18 Enterprise Scanner: User Guide
Defining ports or assets to exclude from a scan
Use the Scan Exclusion policy type on the Policy Management page to define specific ports or assets to exclude from a scan of a group of assets.
Procedure
1. Click Scan Policy Management in the navigation pane.
2. Select Scan Exclusion from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Choose an option:
If you want to... Then...
Exclude ports Use a combination of typing the ports to
exclude and choosing the ports: v Type the ports to exclude, separated by
commas, in the Excluded Ports box.
v Click Well Known Ports, and then select
the ports to exclude.
Exclude assets Type the IP addresses (in dotted-decimal or
CIDR notation) of the hosts to exclude in the Excluded Hosts box:
v Type an IP address, and then press ENTER. v Type a range of IP addresses, and then
press ENTER. Example: 172.1.1.100-172.1.1.200
v Type a combination of both choices above,
and then press ENTER.
Note: A red box is displayed around the Excluded Hosts box until the data is
validated.
Chapter 1. Ad hoc scanning in the Proventia Manager 19
Configuring and saving a scan policy in the Proventia Manager
Use the Policy Management page on the appliance to configure discovery and assessment scan policies from Proventia Manager for auditing purposes, and then use those policies for one-time (ad hoc) scans that you initialize from the LMI Scan Control page.
Before you begin
You will not be able to run scans from Proventia Manager if the appliance is registered with SiteProtector.
Procedure
1. Click Scan Policy Management in the navigation pane.
2. Choose the scan policy that you want to configure from the Policy Types list,
and then click Add.
3. Type a name for the scan policy, and then configure the settings for the scan
policy. Policy names are limited to 32 characters using any combination of letters or numbers. You cannot use a dash (-) or underscore (_) in the policy name. You can run the following combinations of scans:
v Discovery scan v Discovery and an assessment scan
You cannot run an assessment only scan from the Proventia Manager. The following table lists which scan policies are required to run an ad hoc scan from Proventia Manager:
Table 2. Policies used for ad hoc scanning in Proventia Manager
Scan policy Required
Discovery Yes
Assessment Yes
Assessment Credential No
Network Services No
Scan Exclusion No
*You should run a discovery scan policy first (to identify assets on the network) before you run an assessment scan.
4. Click Save Changes to save the scan policy. You are now ready to run an ad
hoc scan using a configured scan policy.
5. Click Scan Run Scan in the navigation pane. The LMI Scan Control page is
displayed in Proventia Manager.
20 Enterprise Scanner: User Guide

Chapter 2. Interpreting scan results in the Proventia Manager

This chapter explains how to monitor and view scan results in the Proventia Manager.
Topics
“Running an ad hoc scan” on page 22
“Monitoring the status of a scan” on page 23
“Viewing the results of an ad hoc scan” on page 24
“Exporting scan results from Proventia Manager” on page 24
“Purging scan data from the database” on page 25
© Copyright IBM Corp. 1997, 2009 21

Running an ad hoc scan

Use the LMI Scan Control page on the appliance to define and run ad hoc scans for assessment and discovery.
Before you begin
Before you can run a scan, make sure you have configured a scan from the Policy Management page.
Procedure
1. Click Scan Run Scan in the navigation pane.
2. Depending on what type of scan you are running (discovery or assessment),
provide a name for the scan job in the Discovery Job Name or Assessment Job Name field.
Tip: The scan job name is useful when you want to view the results and status
of the scan.
3. From the fields provided in the LMI Scan area, determine what type of scan
you need to run, and then select a configured scan policy from the list. You can run the following combinations of scans:
v Discovery scan v Discovery and an assessment scan
You cannot run an assessment only scan from the Proventia Manager. Because the appliance does not use a database to store asset information, you must run a discovery scan followed by an assessment scan.
4. Select what network location (or perspective) you need to run the scan policy
against from the Perform scans from this perspective (Network location) list.
5. Click Save Changes to start the ad hoc scan.
22 Enterprise Scanner: User Guide
Loading...
+ 157 hidden pages