Page 1
IBM Proventia Network Enterprise Scanner
User Guide
Version 2.3
Page 2
Copyright statement
© Copyright IBM Corporation 1997, 2009.
All Rights Reserved.
U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
Publication Date: February 2009
Page 3
Trademarks and Disclaimer
IBM®and the IBM logo are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both.
ADDME
RealSecure®, SecurePartner™, SecurityFusion™, SiteProtector™, System Scanner™,
Virtual Patch®, X-Force®and X-Press Update are trademarks or registered
trademarks of Internet Security Systems
or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of
International Business Machines Corporation.
Microsoft
in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of
others.
References in this publication to IBM products or services do not imply that IBM
intends to make them available in all countries in which IBM operates.
Disclaimer: The information contained in this document may change without
notice, and may have been altered or changed if you have received it from a
source other than IBM Internet Security Systems (IBM ISS). Use of this information
constitutes acceptance for use in an “AS IS” condition, without warranties of any
kind, and any use of this information is at the user’s own risk. IBM Internet
Security Systems disclaims all warranties, either expressed or implied, including
the warranties of merchantability and fitness for a particular purpose. In no event
shall IBM ISS be liable for any damages whatsoever, including direct, indirect,
incidental, consequential or special damages, arising from the use or dissemination
hereof, even if IBM Internet Security Systems has been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages, so the foregoing limitation may not apply.
™
, Ahead of the threat, BlackICE™, Internet Scanner®, Proventia®,
®
, Windows®, and Windows NT®are trademarks of Microsoft Corporation
™
, Inc. in the United States, other countries,
Reference herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation, or favoring by IBM Internet Security
Systems. The views and opinions of authors expressed herein do not necessarily
state or reflect those of IBM Internet Security Systems, and shall not be used for
advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release,
but the ever-changing nature of the Internet prevents IBM Internet Security
Systems, Inc. from guaranteeing the content or existence of the resource. When
possible, the reference contains alternate sites or keywords that could be used to
acquire the information by other methods. If you find a broken or inappropriate
link, please send an email message with the topic name, link, and its behavior to
mailto://support@iss.net.
© Copyright IBM Corp. 1997, 2009 iii
Page 4
iv Enterprise Scanner: User Guide
Page 5
Contents
Trademarks and Disclaimer ......iii
About this book ...........vii
Related publications ...........viii
Technical support contacts .........viii
Part 1. Scanning from the Proventia
Manager ..............1
Chapter 1. Ad hoc scanning in the
Proventia Manager ..........3
Section A: Network configuration .......4
Configuring the management network interface . 4
Configuring the scanning network interface . . . 5
Configuring scanning interface DNS settings . . 6
Assigning perspective to a scanning interface . . 7
Configuring routes for perspective ......7
Section B: Policy configuration ........8
Defining assets for a discovery scan .....8
Displaying assessment checks by groups ....9
Displaying information about assessment checks 10
Selecting assessment checks with filters ....11
Configuring common assessment settings for an
Assessment policy ...........12
Defining assessment credentials for a policy . . 16
Defining the service names associated with TCP
and UDP ports ............18
Defining ports or assets to exclude from a scan 19
Configuring and saving a scan policy in the
Proventia Manager ...........20
Chapter 2. Interpreting scan results in
the Proventia Manager ........21
Running an ad hoc scan ..........22
Monitoring the status of a scan ........23
Viewing the results of an ad hoc scan .....24
Exporting scan results from Proventia Manager . . 24
Purging scan data from the database ......25
Part 2. Scanning from the
SiteProtector Console .......27
Chapter 3. Enterprise Scanner policies 29
Policy inheritance with Enterprise Scanner policies 30
Deploying an Enterprise Scanner policy from the
policy repository ............31
Migrating a locally managed Enterprise Scanner
agent into SiteProtector ..........32
Viewing asset or agent policies for Enterprise
Scanner................33
Getting vulnerability help for a SiteProtector
Console without Internet access .......34
Agent policies for Enterprise Scanner ......35
Agent policy descriptions for Enterprise Scanner 35
Network Locations policy ........36
Notification policy ...........38
Access policy .............39
Networking policy ...........40
Services policy ............43
Time policy .............44
Update Settings policy..........45
Asset policies for Enterprise Scanner ......45
Asset policy descriptions for Enterprise Scanner 45
Discovery policy............46
Assessment policy ...........48
Assessment Credentials policy .......55
Scan Control policy ...........57
Scan Window policy ..........59
Scan Exclusion policy ..........61
Network Services policy .........62
Ad Hoc Scan Control policy ........64
Chapter 4. Understanding scanning
processes in SiteProtector ......67
What is perspective? ...........68
Defining perspectives ...........69
Scan jobs and related terms .........71
Types of tasks .............72
Priorities for running tasks .........73
Stages of a scanning process .........74
Optimizing cycle duration, scan windows, and
subtasks for Enterprise Scanner........76
Chapter 5. Background scanning in
SiteProtector ............79
Determining when background scans run ....80
How policies apply to ad hoc and background scans 81
Background scanning checklists for Enterprise
Scanner................83
Enabling background scanning ........84
Defining when scanning is allowed ......85
Defining ports or assets to exclude from a scan . . 87
Defining network services .........88
Defining assessment credentials for a policy . . . 89
Chapter 6. Monitoring scans in
SiteProtector ............91
Viewing your scan jobs ..........92
Viewing discovery job results ........92
Viewing assessment job results ........93
Chapter 7. Managing scans in
SiteProtector ............95
Stopping and restarting scan jobs .......96
Suspending and enabling all background scans . . 97
Minimum scanning requirements .......98
© Copyright IBM Corp. 1997, 2009 v
Page 6
Scanning behaviors for ad hoc scans ......99
Part 3. Maintenance........139
Chapter 8. Interpreting scan results in
SiteProtector ...........103
OS identification (OSID) certainty ......104
How OSID is updated in Enterprise Scanner . . . 105
Setting up a Summary view for vulnerability
management .............106
Summary page for vulnerability management . . 106
Viewing vulnerabilities in the SiteProtector Console
using Enterprise Scanner .........108
Viewing vulnerabilities by asset in Enterprise
Scanner ..............108
Viewing vulnerabilities by detail in Enterprise
Scanner ..............111
Viewing vulnerabilities by object in Enterprise
Scanner ..............113
Viewing vulnerabilities by target operating
system in Enterprise Scanner .......114
Viewing vulnerabilities by vulnerability name in
Enterprise Scanner...........115
Running reports in the SiteProtector Console . . . 117
Types of assessment reports ........117
Viewing an Enterprise Scanner report in the
SiteProtector Console ...........119
Chapter 9. Logs and alerts......121
Log files and alert notification ........122
System logs ..............123
Getting log status information .......124
Enterprise Scanner (ES) logs ........124
Downloading Enterprise Scanner (ES) log files 126
Alerts log ..............127
Downloading and saving an Alerts log ....128
Clearing the Alerts log .........129
Finding specific events in the Alerts log . . . 129
Chapter 10. Ticketing and remediation 133
Ticketing and Enterprise Scanner .......134
Remediation process overview for Enterprise
Scanner ...............135
Remediation tasks for Enterprise Scanner ....136
Chapter 11. Performing routine
maintenance............141
Shutting down your Enterprise Scanner ....142
Removing an agent from SiteProtector .....143
Options for backing up Enterprise Scanner . . . 144
Backing up configuration settings ......145
Making full system backups ........146
Chapter 12. Updating Enterprise
Scanner..............147
XPU basics ..............148
Updating options ............149
Configuring explicit-trust authentication with an
XPU server ..............150
Configuring an Alternate Update location ....151
Configuring an HTTP Proxy ........153
Configuring notification options for XPUs ....153
Scheduling a one-time firmware update ....154
Configuring automatic updates .......154
Manually installing updates ........156
Chapter 13. Viewing the status of the
Enterprise Scanner agent ......157
Proventia Manager Home page .......158
Viewing agent status in the SiteProtector Console 160
Viewing agent status ...........160
Viewing the status of the CAM modules ....161
Troubleshooting the Enterprise Scanner sensor . . 161
Part 4. Appendixes ........163
Appendix. Safety, environmental, and
electronic emissions notices .....165
Index ...............177
vi
Enterprise Scanner: User Guide
Page 7
About this book
This section describes the audience for this guide; identifies related publications;
and provides contact information.
Audience
Users of this guide should understand their network topology, including the
criticality of network assets. In addition, because Enterprise Scanner can be
managed through the SiteProtector Console, you must have a working knowledge
of the SiteProtector system, including how to set up views, manage users and user
permissions, and deploy policies.
Topics
“Related publications” on page viii
“Technical support contacts” on page viii
© Copyright IBM Corp. 1997, 2009 vii
Page 8
Related publications
Use this topic to help you access information about your Enterprise Scanner
appliance.
Publications
The following documents are available for download from the IBM ISS
Documentation Web site at http://www.iss.net/support/documentation/.
v IBM Proventia Network Enterprise Scanner Version 2.3 Quick Start Card (Models
ES750 and ES1500)
v IBM Proventia Network Enterprise Scanner Version 2.3 Getting Started Guide
v IBM Proventia Network Enterprise Scanner Version 2.3 User Guide
License agreement
For licensing information on IBM Internet Security System products, download the
IBM Licensing Agreement from http://www.ibm.com/services/us/iss/html/
contracts_landing.html.
Technical support contacts
IBM Internet Security Systems (IBM ISS) provides technical support through its
Web site and by email or telephone.
The IBM ISS Web site
The IBM ISS Customer Support Web page at http://www.ibm.com/services/us/
iss/support/ provides direct access to online user documentation, current versions
listings, detailed product literature, white papers, and the Technical Support
Knowledgebase.
Hours of support
The following table provides hours for Technical Support at the Americas and
other locations:
Table 1. Hours of technical support
Location Hours
Americas 24 hours a day
All other locations Monday through Friday, 9:00 A.M. to 6:00
P.M. during their local time, excluding IBM
ISS published holidays
Note: If your local support office is located
outside the Americas, you may call or send
an email to the Americas office for help
during off-hours.
Contact information
For contact information, go to the IBM Internet Security Systems Contact Technical
Support Web page at http://www.ibm.com/services/us/iss/support/.
viii Enterprise Scanner: User Guide
Page 9
Part 1. Scanning from the Proventia Manager
This section explains how to manage scans from the Proventia Manager for the
Enterprise Scanner agent.
Chapters
Chapter 1, “Ad hoc scanning in the Proventia Manager,” on page 3
Chapter 2, “Interpreting scan results in the Proventia Manager,” on page 21
© Copyright IBM Corp. 1997, 2009 1
Page 10
2 Enterprise Scanner: User Guide
Page 11
Chapter 1. Ad hoc scanning in the Proventia Manager
This chapter explains how to use perspective and the high-level processes behind
ad hoc scanning from the Proventia Manager.
Section A: Network configuration
“Configuring the management network interface” on page 4
“Configuring the scanning network interface” on page 5
“Configuring scanning interface DNS settings” on page 6
“Assigning perspective to a scanning interface” on page 7
“Configuring routes for perspective” on page 7
Section B: Policy configuration
“Defining assets for a discovery scan” on page 8
“Displaying assessment checks by groups” on page 9
“Displaying information about assessment checks” on page 10
“Selecting assessment checks with filters” on page 11
“Configuring common assessment settings for an Assessment policy” on page 12
“Defining assessment credentials for a policy” on page 16
“Defining ports or assets to exclude from a scan” on page 19
“Configuring and saving a scan policy in the Proventia Manager” on page 20
© Copyright IBM Corp. 1997, 2009 3
Page 12
Section A: Network configuration
This section explains how to define the network interfaces for the management and
scanning ports, how to assign perspectives to network interfaces, and how to
configure the Enterprise Scanner appliance to select routes for traffic.
Configuring the management network interface
Use the Management Interface tab on the Network Interface Configuration page on
the appliance to configure the management interface network settings (ETH0).
About this task
You configured the management interface when you set up the appliance with the
Proventia Setup Assistant. Use the procedures in this topic to change those
settings.
Procedure
1. Click Configuration → Network Interfaces in the navigation pane.
2. Click the Management Interface tab, and then type or change the following
information:
Option Description
Host Name The fully qualified domain name for the
Interface The management port used by the
IP address The IP address of the management interface
Subnet Mask The IP address of the subnet mask for the
Gateway The address of the network gateway.
Enterprise Scanner agent. Use the format:
gateway1.example.com
Enterprise Scanner agent.
for the agent.
agent.
3. Select the Use Persistent IP if sensor is behind NAT if you want to avoid
conflicts with NAT rules, and then provide the IP address.
4. Click Save Changes.
4 Enterprise Scanner: User Guide
Page 13
Configuring the scanning network interface
Use the Scan Interface tab on the Network Interface Configuration page on the
appliance to configure the scanning interface network settings (ETH1 - ETH5).
About this task
You configured the scanning interface when you set up the appliance with the
Proventia Setup Assistant. Use the procedures in this topic to change those
settings.
Procedure
1. Click Configuration → Network Interfaces in the navigation pane.
2. Click the Scan Interface tab, and then type or change the following
information:
Option Description
Interface The Ethernet port of the interfaces for the
agent.
IP Address The IP address of the scanning network
interface for the agent.
Subnet Mask The IP address for the scanning network
interface subnet mask of the agent.
Gateway The address of the network gateway.
Maximum IPs per discovery subtask The maximum number of IP addresses to
discover in a subtask (of a task for each scan
job).
Note: This value applies to all discovery
scans that the agent runs.
Maximum assets per assessment subtask The maximum number of assets to scan in a
subtask (of a task for each scan job).
Note: This value applies to all assessment
scans that the agent runs.
Perspective (network location) The name of the network location to
associate with this scanning port.
Values: Global, the default, and any network
locations defined in the Network Locations
policy.
3. Click Save Changes.
Chapter 1. Ad hoc scanning in the Proventia Manager 5
Page 14
Configuring scanning interface DNS settings
Use the DNS tab on the Network Interface Configuration page on the appliance to
configure the DNS settings for the scanning interface.
About this task
You configured these settings when you set up the appliance with the Proventia
Setup Assistant. Use the procedures in this topic to change those settings.
Procedure
1. Click Configuration → Network Interfaces in the navigation pane.
2. Click the DNS tab.
3. Choose an option:
If you want to... Then...
Specify DNS settings
Add a DNS search path
Edit a DNS search path
Copy and paste a DNS search path
Remove a DNS search path
Change the order of a DNS search path
1. Type the IP addresses for the primary,
secondary, and tertiary DNS servers.
2. Click Save Changes.
1. In the DNS Search Path section, click the
Add icon.
2. Type the domain name to add to the
search list, and then click OK.
3. Click Save Changes.
1. In the DNS Search Path list, select a
domain name, and then click the Edit
icon.
2. Edit the domain name, and then click
OK.
3. Click Save Changes.
1. In the DNS Search Path section, select a
domain name, and then click the Copy
icon. The agent copies the search path to
the clipboard.
2. Click the Paste icon. The agent copies the
search path to the end of the list.
3. If necessary, edit the policy, and then
click OK.
4. Click Save Changes.
1. In the DNS Search Path section, select a
domain name, and then click the
Remove icon.
2. Click Save Changes.
1. In the DNS Search Path section, select a
domain name.
2. Click the Up or Down arrows.
Tip: It is more efficient to place the most
likely used search path at the top of the
list.
3. Click Save Changes.
6 Enterprise Scanner: User Guide
Page 15
Assigning perspective to a scanning interface
Use the Network Locations tab on the Network Locations page on the appliance to
assign a perspective (network location) to a scanning interface.
About this task
You can only configure the ETH0 and ETH1 interfaces in Proventia Setup. You
must configure the remaining interfaces on this page (Network Locations page).
When you register the agent with SiteProtector, the perspectives you set here
(ETH2 - ETH5) are not automatically imported by the Network Locations policy in
SiteProtector. You must redefine those perspectives for this policy in SiteProtector.
Procedure
1. Click Configuration → Network Locations in the navigation pane.
2. Click the Network Locations tab.
3. Click the Add icon.
4. Type a name for the perspective in the Network Locations Name field, and
then click OK.
Important: You can only assign one unique perspective per scanning port. You
cannot assign the same perspective to more than one scanning port.
Configuring routes for perspective
Use the Routes tab on the Network Locations page on the appliance to configure
the appliance to select paths for (routes) traffic.
About this task
In a multi-segmented network, you might experience unnecessary network traffic if
your agent traffic is routed through your default gateway. You can reduce network
traffic if you configure routes for perspectives that provide more direct routes to
targeted segments.
Procedure
1. Click Configuration → Network Locations in the navigation pane.
2. Click the Routes tab.
3. Click the Add icon.
4. Complete the following fields:
Option Description
Perspective The perspective for which you are defining a
route.
Destination Network A network segment for which you want to
define a specific route for a perspective.
Gateway The IP address of the router the agent
should use to find IP addresses in the
Destination Network. Use the IP address
that is on the same network as the agent,
not the IP address of the route from inside
the target segment.
Chapter 1. Ad hoc scanning in the Proventia Manager 7
Page 16
Option Description
Metric If you configure more than one route to the
5. Click Save Changes.
Section B: Policy configuration
This section explains how to configure policy settings in order to manage
vulnerabilities.
Defining assets for a discovery scan
Use the Discovery policy type on the Policy Management page on the appliance to
configure a policy that defines the parameters used to perform a discovery scan on
a portion of a network.
Before you begin
Before it can perform OS fingerprinting on an asset, your agent must find one
open and one closed port. To find an open and a closed port, the agent scans ports
1–1023 and any other ports specified in the applicable Network Services policy.
same segment for one perspective, a number
that indicates the preferred route. The closer
to 1, the more preferred the route.
Note: The numbers you use do not have to
be consecutive.
About this task
In a discovery task, a range of IP addresses is scanned to locate active network
interfaces, and the type of device associated with each active network interface is
determined through OS identification.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Discovery from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets to
discover in the IP range(s) to scan box as in the following examples:
v Type an IP address, and then press ENTER.
v Type a range of IP addresses, and then press ENTER.
Example: 172.1.1.100-172.1.1.200
v Type a combination of both choices above, and then press ENTER.
Note: A red box appears around the IP range(s) to scan box until the data is
validated.
5. If you want to ping each IP address before scanning to exclude unreachable
hosts from the scan, select the Ping hosts in this range, before scanning, to
exclude unreachable hosts check box.
6. If you want to add newly discovered assets to the group where you have
defined the scan, rather than to the Ungrouped Assets group, select the Add
newly discovered assets to group check box.
8 Enterprise Scanner: User Guide
Page 17
7. If you want to add previously known assets that are already defined in other
groups to the scan group, select the Add previously known assets to group
check box.
Displaying assessment checks by groups
Use the Checks tab in the Assessment policy to group checks by any combination
of columns that you have chosen to display. For example, you might want to see
checks by category, then by severity within that category.
About this task
The current grouping selections are displayed just above the column headers of the
checks.
v If no groups are selected, the following message is displayed on the screen:
Right click on the column header to group by that column.
v If groups are selected, the group names are displayed on in the screen as in the
following example:
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Checks tab.
5. Choose an option:
If you want to... Then...
Clear groupings Choose an option:
v Right-click any column header, and then
select Clear Groupings from the pop-up
menu.
v Click Clear Groupings.
Create groupings interactively
1. Right-click a column heading, and then
select Group By from the pop-up menu.
2. Repeat the previous step until you have
created the groupings that you want.
Chapter 1. Ad hoc scanning in the Proventia Manager 9
Page 18
If you want to... Then...
Create groupings from a selection list
1. Click the Group By icon.
The Group by Columns window
appears.
2. Select a column to group by in the All
Columns list, and then click Add.
The column moves to the Group by these
Columns list.
3. Repeat the previous step for each column
that you want to group by.
4. If you want to remove items from the
list, select an item in the Group by these
Columns list, and then click Remove.
The item and any items below it move to
the All Columns list.
5. Click OK.
Displaying information about assessment checks
Use the Checks tab in the Assessment policy to choose how much information to
display about each assessment check in the Assessment policy.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Checks tab.
5. Choose an option:
If you want to... Then...
Add a single column Right-click a column and then select the
column to add from the pop-up menu.
Note: The column appears at the far right.
Remove a single column Right-click a column and then select the
column to remove.
Note: The column is removed.
Add multiple columns Click the Column to display icon, and then
select the check box for each column to add.
Remove multiple columns Click the Column to display icon, and then
clear the check box for each column to
remove.
10 Enterprise Scanner: User Guide
Page 19
Selecting assessment checks with filters
Use the Checks tab in the Assessment policy to provide filtering values on a
selected list of assessment checks.
About this task
The following rules apply to using regular expressions:
v The match occurs against all columns in the table, whether or not the column is
displayed.
v If you use more than one regular expression, every regular expression must
match for a check to be selected.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Checks tab.
5. Select the Filter check box, and then click Filter.
6. To filter with a regular expression, type one or more regular expressions on
separate lines in the Regular Expression box.
Tip: For example, use http.* to match the value in any column that starts with
http; or use .*http.* to match the value in any column that contains http.
7. To filter by one or more of the remaining filter types, select the values to filter
by in the filtering boxes.
Tip: You can select ranges of filtering values by holding down the SHIFT key
and random filtering values by holding down the CTRL key.
8. Click OK.
Chapter 1. Ad hoc scanning in the Proventia Manager 11
Page 20
Configuring common assessment settings for an Assessment policy
Use the Common Settings tab in the Assessment policy to choose settings that
define additional scanning behavior for the checks you have selected to run in an
assessment scan.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Assessment from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Click the Common Settings tab.
5. Type the URL or file location for the assessment check Help documentation in
the Help HTML Prefix box:
v The IBM ISS Web site location of up-to-date assessment check
documentation.
v The file location of a locally stored version of the documentation.
6. If you want to run the checks that are enabled by default, including checks
added in an X-Press Update (XPU), select a policy in the Compliance Policies
section.
CAUTION:
Custom Policy (All) runs all vulnerability checks, including DOS checks.
7. Configure options for service discovery in the Service Discovery section:
Option Description
Discover and report TCP services Reports active TCP services for which the
Service Scan flag is enabled in the Network
Services policy.
Discover and report UDP services Reports active UDP services for which the
Service Scan flag is enabled in the Network
Services policy.
8. Configure options for assessment port ranges in the Assessment Port Ranges
section:
Option Description
Ports to scan with generic TCP checks The set of TCP ports to scan with generic
TCP checks. You can specify ports using any
of the following methods:
v Type a port or range of ports.
v Click Well known and select ports from
the list.
v Select All.
Note: A generic TCP check is one whose
target type is tcp.
12 Enterprise Scanner: User Guide
Page 21
Option Description
Ports to scan with generic UDP checks The set of UDP ports to scan with generic
UDP checks. You can specify ports using any
of the following methods:
v Type a port or range of ports.
v Click Well known and select ports from
the list.
v Select All.
Note: A generic UDP check is one whose
target type is udp.
9. Configure options for using OS information in the Use of OS Information
section:
Option Description
Dynamically determine OS if previously
obtained information is older than
For unverified OS’s: Specify which checks to run if the OS is
The maximum age (in minutes) of usable OS
information.
If the OS information for an asset is older
than the time specified, Enterprise Scanner
reassesses OSID when it runs an assessment
scan.
Default: 120
uncertain.
v Run all checks (lowest performance): If
Enterprise Scanner is uncertain about the
OS of the asset, it runs all assessment
checks.
v Run all checks that apply to general OS
(intermediate performance): If Enterprise
Scanner is uncertain about the OS of the
asset, it runs checks for all versions of an
operating system. (For example, if
Enterprise Scanner is uncertain about
which version a Windows operating
system is, it runs all the checks for all
versions of Win dows operating systems.)
v Run only checks that apply to specific
OS (Best performance): If Enterprise
Scanner is uncertain about the OS of the
asset, runs only the checks that apply to
the exact version of the operating system.
10. Configure options for application fingerprinting in the Use of Application
Fingerprinting section:
Chapter 1. Ad hoc scanning in the Proventia Manager 13
Page 22
Option Description
Do not perform application fingerprinting Does not try to specifically identify which
applications are communicating over which
ports, and runs the checks as selected in the
Assessment policy.
This option does not identify applications
communicating over non-standard ports.
(Checks are run against standard ports as
defined in the Network Services policy.)
Fingerprint applications and run checks
that apply to application protocol (e.g.,
http)
Fingerprint applications and run checks
that apply to specific application (e.g.,
apache)
Identifies applications communicating over
specific ports, and then runs checks that
apply to the protocol in use.
This option identifies applications
communicating over non-standard ports.
Identifies applications communicating over
specific ports, and then runs checks that
apply only to the application identified.
This option identifies applications
communicating over non-standard ports.
11. The settings in the Account Verification section apply only if an Assessment
Credentials policy is available for the group being scanned.
Option Description
Verify account access level before using
Access domain controllers to verify access
level
Check local group membership to verify
access level
v If disabled, Enterprise Scanner assumes
that whatever is specified in the
Assessment Credentials policy is accurate.
v If enabled, Enterprise Scanner tries to
confirm that the access level specified in
the Assessment Credentials policy is
correct.
Important: You should enable the Check
local group membership to verify access
level if you enable account verification.
v If disabled, Enterprise Scanner does not
communicate with a Domain Controller in
the process of verifying access levels.
v If enabled, Enterprise Scanner tries to
communicate with a Domain Controller in
the process of verifying access levels.
v If disabled, Enterprise Scanner does not
try to confirm the access level for the
account during assessment by checking
which local groups the asset belong to.
v If enabled, Enterprise Scanner tries to
confirm the access level for the account
during assessment by checking which
local groups the asset belong to.
12. Configure the options for locking out accounts in the Account Lockout
Control section:
14 Enterprise Scanner: User Guide
Page 23
Option Description
Allowed account lockout Select a type of lockout:
v No lockout allowed: Enterprise Scanner
avoids running password guessing checks
if account lockout is enabled on the target
host, or if its status cannot be determined.
v Temporary lockout allowed: Enterprise
Scanner runs password guessing checks
only if the account lockout duration is less
than or equal to the value specified in the
Maximum Allowable Lockout Duration
option later in this section.
v Permanent lockout allowed:Enterprise
Scanner runs password guessing checks
even if the account lockout duration is set
to run infinitely.
Longest allowed temporary lockout Specifies the maximum time (in minutes)
that accounts are allowed to be locked out
by password guessing checks.
This value applies only if Temporary
Lockout Allowed is enabled. When
temporary lockout is allowed, password
guessing checks are run only against assets
whose lockout policy disables locked out
accounts for no more than the maximum
allowed lockout time.
Chapter 1. Ad hoc scanning in the Proventia Manager 15
Page 24
Defining assessment credentials for a policy
Use the Assessment Credentials policy type on the Policy Management page to
define authentication credentials for your assets.
About this task
The appliance uses authentication credentials to access accounts during assessment
scans. Enterprise Scanner uses all instances of the credentials that are defined for
the group when it scans assets in the group. You can define different instances of
this policy for different groups, which makes it possible to supply different log on
credentials to scan different parts of the network.
Important: The Assessment Credentials policy currently works only with assets
that run Windows operating systems.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Assessment Credentials from the Policy Types list, and then click Add.
3. Confirm your password, and then click OK.
4. Type a name for the scan policy.
5. In the Assessment Credentials tab, click Add, and then provide the following
account information:
Option Description
Username The user identification for an account.
Password The password to use with the user name to
log into an account.
Account Type: Windows Local Indicates that the user account is defined
locally on a single Windows device. The
account is used to attempt to log in to a
single Windows device.
When you choose this option, you must
provide a Windows host name in the
Domain/Host box.
Account Type: Windows
Domain/Workgroup
Account Type: Windows Active Directory Indicates that the user account is defined in
Indicates that the user account is defined in
a Windows Domain or Workgroup. The
account is used to attempt to log in to all
Windows devices within the domain or
workgroup.
When you choose this option, you must
provide the Windows Domain or Workgroup
name in the Domain/Host box.
a Windows Active Directory Domain. The
account is used to attempt to log in to all
Windows devices within the Active
Directory domain.
16 Enterprise Scanner: User Guide
When you choose this option, you must
provide the Active Directory Domain name
in the Domain/Host box.
Page 25
Option Description
Account Type: SSH Local
Account Type: SSH Domain
Domain/Host Applies to one of the following domains or
Account Level Applies to one of the following accounts:
Indicates that the user account is defined
locally on a single Unix device that allows
SSH logons. The account is used to attempt
login to a single Unix device.
When you choose this option, you must
provide an IP address in the Domain/Host
box.
Indicates that the user account is defined for
Unix devices that allow SSH logons. In this
context, ″Domain″ loosely refers to a set of
devices, rather than to a specific type of
domain. The account is used to attempt to
log in to all SSH devices covered by the
policy.
When you choose this option, you should
supply a descriptive name in the
Domain/Host box. This is for
documentation purposes only; it is not used
by Enterprise Scanner.
hosts:
v For Windows accounts, the domain or
host name to which the account applies.
v For SSH Local accounts, the IP address of
the device to which the account applies.
v For SSH Domain accounts, any text.
v Administrator
v User
v Guest
Important: To avoid locking an account, do not add the account more than
once.
Chapter 1. Ad hoc scanning in the Proventia Manager 17
Page 26
Defining the service names associated with TCP and UDP ports
Use the Network Services policy type on the Policy Management page to define
service names associated with TCP and UDP ports.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Network Services from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. For default or customized services, choose an option:
If you want to... Then...
Change the description of a service Slowly click Description two times to switch
to edit mode, and then change the
description.
Allow each service to operate over SSL in
at least some part of your network
Allow service scans for this service over
any TCP and UDP ports specified in the
Assessment policy
Note: You cannot change the Service name, Port, or Protocol of default
services. You cannot delete default services.
5. For customized services, choose an option:
Select the May use SSL check box for that
service.
Select the Service scan check box.
If you want to... Then...
Add a service Click the Add icon.
Modify a service Click the Modify icon.
Delete a service Click the Delete icon.
18 Enterprise Scanner: User Guide
Page 27
Defining ports or assets to exclude from a scan
Use the Scan Exclusion policy type on the Policy Management page to define
specific ports or assets to exclude from a scan of a group of assets.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Select Scan Exclusion from the Policy Types list, and then click Add.
3. Type a name for the scan policy.
4. Choose an option:
If you want to... Then...
Exclude ports Use a combination of typing the ports to
exclude and choosing the ports:
v Type the ports to exclude, separated by
commas, in the Excluded Ports box.
v Click Well Known Ports, and then select
the ports to exclude.
Exclude assets Type the IP addresses (in dotted-decimal or
CIDR notation) of the hosts to exclude in the
Excluded Hosts box:
v Type an IP address, and then press ENTER.
v Type a range of IP addresses, and then
press ENTER.
Example: 172.1.1.100-172.1.1.200
v Type a combination of both choices above,
and then press ENTER.
Note: A red box is displayed around the
Excluded Hosts box until the data is
validated.
Chapter 1. Ad hoc scanning in the Proventia Manager 19
Page 28
Configuring and saving a scan policy in the Proventia Manager
Use the Policy Management page on the appliance to configure discovery and
assessment scan policies from Proventia Manager for auditing purposes, and then
use those policies for one-time (ad hoc) scans that you initialize from the LMI Scan
Control page.
Before you begin
You will not be able to run scans from Proventia Manager if the appliance is
registered with SiteProtector.
Procedure
1. Click Scan → Policy Management in the navigation pane.
2. Choose the scan policy that you want to configure from the Policy Types list,
and then click Add.
3. Type a name for the scan policy, and then configure the settings for the scan
policy. Policy names are limited to 32 characters using any combination of
letters or numbers. You cannot use a dash (-) or underscore (_) in the policy
name. You can run the following combinations of scans:
v Discovery scan
v Discovery and an assessment scan
You cannot run an assessment only scan from the Proventia Manager. The
following table lists which scan policies are required to run an ad hoc scan
from Proventia Manager:
Table 2. Policies used for ad hoc scanning in Proventia Manager
Scan policy Required
Discovery Yes
Assessment Yes
Assessment Credential No
Network Services No
Scan Exclusion No
*You should run a discovery scan policy first (to identify assets on the network) before you
run an assessment scan.
4. Click Save Changes to save the scan policy. You are now ready to run an ad
hoc scan using a configured scan policy.
5. Click Scan → Run Scan in the navigation pane. The LMI Scan Control page is
displayed in Proventia Manager.
20 Enterprise Scanner: User Guide
Page 29
Chapter 2. Interpreting scan results in the Proventia Manager
This chapter explains how to monitor and view scan results in the Proventia
Manager.
Topics
“Running an ad hoc scan” on page 22
“Monitoring the status of a scan” on page 23
“Viewing the results of an ad hoc scan” on page 24
“Exporting scan results from Proventia Manager” on page 24
“Purging scan data from the database” on page 25
© Copyright IBM Corp. 1997, 2009 21
Page 30
Running an ad hoc scan
Use the LMI Scan Control page on the appliance to define and run ad hoc scans
for assessment and discovery.
Before you begin
Before you can run a scan, make sure you have configured a scan from the Policy
Management page.
Procedure
1. Click Scan → Run Scan in the navigation pane.
2. Depending on what type of scan you are running (discovery or assessment),
provide a name for the scan job in the Discovery Job Name or Assessment Job
Name field.
Tip: The scan job name is useful when you want to view the results and status
of the scan.
3. From the fields provided in the LMI Scan area, determine what type of scan
you need to run, and then select a configured scan policy from the list. You can
run the following combinations of scans:
v Discovery scan
v Discovery and an assessment scan
You cannot run an assessment only scan from the Proventia Manager. Because
the appliance does not use a database to store asset information, you must run
a discovery scan followed by an assessment scan.
4. Select what network location (or perspective) you need to run the scan policy
against from the Perform scans from this perspective (Network location) list.
5. Click Save Changes to start the ad hoc scan.
22 Enterprise Scanner: User Guide
Page 31
Monitoring the status of a scan
Use the Scan Status page on the appliance to view the status of ad hoc discovery
and assessment scans you have initialized from the LMI Scan Control page.
About this task
While Proventia Manager processes the scan, you can perform one of the following
actions on the scan:
Table 3. Processing status of a scan
Action Icon Description
Pause
Resume
Cancel
Procedure
1. Click Scan → Scan Status in the navigation pane.
The Scan Status page appears with a table displaying the status of the scan.
Use the Pause option only
when a job is in the
processing status. Pausing a
job in any other status might
cause problems if you try to
resume or rerun the scan.
Resume the scan after you
have paused it
Cancel the scan altogether
Note: The results of the scan can take up to a minute to display on this page.
2. Click the link for the scan in the Name column to display the results of the
scan on the Scan Results page.
Chapter 2. Interpreting scan results in the Proventia Manager 23
Page 32
Viewing the results of an ad hoc scan
Use the Scan Results page on the appliance to analyze security-related data
discovered by an ad hoc scan.
Procedure
1. Click Scan → Scan Results in the navigation pane.
2. Choose the scan date (time stamp) from the List Scans list, and then click Go.
3. Select the scan job from the Scan Type list, and then click Go. The results of
the scan are displayed in the table.
4. Click View/Manage Log Files.
5. Select the scan job in the File Name list. The name of the log file contains the
date the scan was run and uses this format: lmiScans/mmddyyyy_xxxxx.log
6. Click Download to the download the log file for the scan to a directory on
your computer. Scan data files are located in the /var/log/esm/lmiScans
directory.
Exporting scan results from Proventia Manager
Use the Scan Reports page on the appliance to export scan results to HTML or
CSV files from Proventia Manager.
About this task
This feature provides basic reporting for ad hoc scans initialized from Proventia
Manager. It is not intended to replace the full analysis and reporting functions of
SiteProtector.
Procedure
1. Click Scan → Scan Reports in the navigation pane.
2. Select the discovery or assessment scan that you want to export from the List
Scans list.
3. Select how you want to sort the hosts in the report.
4. Select the Report checks which found no vulnerability check box if you want
to include information about checks that did not find a vulnerability.
5. Depending on the type of report you need to generate, click Generate HTML
Report or Generate CSV Files.
6. Save the file to your local system. Enterprise Scanner uses the following file
name convention for exported results:
Discovery: DiscoveryResults-<YYYYMMDD>-<HHMMSS><timezone>-<scannername>-<jobname>.csv
Assessment: AssessmentResults-<YYYYMMDD>-<HHMMSS><timezone>-<scannername>-<jobname>.csv
Example: A discovery scan that ran on March 30, 2008 at 1:20:39 PM EST with
a scanner name of testscan and a job name of testjob would display the
following file name: DiscoveryResults-20080330-132039EST-testscan-
testjob.csv
24 Enterprise Scanner: User Guide
Page 33
Purging scan data from the database
Use the Scan Results page on the appliance to schedule the removal of scan data
files from the /var/log/esm/lmiScans directory.
Procedure
1. Click Scan → Scan Results in the navigation pane.
2. Click the Purge Scan Data link. The Purge Scan Data window provides the
following information about the current scan data:
Field Description
Number of Scans The number of individual scans, not scan
Disk Space Used by Scans The amount of disk space consumed by the
Total Disk Space Available The amount of available disk space.
Earliest Scan The date of the first scan.
Latest Scan The date of the latest scan.
Purge Scans Older than: Number of Days The number of days in which all scan data
jobs.
scan data.
older than this amount are deleted from the
disk.
Note: When you purge scan data, that data
is also removed from the Scan Status page
and the Scan Results page.
3. Click Go.
Chapter 2. Interpreting scan results in the Proventia Manager 25
Page 34
26 Enterprise Scanner: User Guide
Page 35
Part 2. Scanning from the SiteProtector Console
This section explains how to manage scans from the SiteProtector Console for the
Enterprise Scanner agent.
Chapters
Chapter 3, “Enterprise Scanner policies,” on page 29
Chapter 4, “Understanding scanning processes in SiteProtector,” on page 67
Chapter 5, “Background scanning in SiteProtector,” on page 79
Chapter 6, “Monitoring scans in SiteProtector,” on page 91
Chapter 7, “Managing scans in SiteProtector,” on page 95
Chapter 8, “Interpreting scan results in SiteProtector,” on page 103
Chapter 9, “Logs and alerts,” on page 121
Chapter 10, “Ticketing and remediation,” on page 133
© Copyright IBM Corp. 1997, 2009 27
Page 36
28 Enterprise Scanner: User Guide
Page 37
Chapter 3. Enterprise Scanner policies
This chapter explains how to use Enterprise Scanner policies to customize your
scanning processes. The policies belong to meaningful categories based on their
scope and impact on scans.
Topics
“Policy inheritance with Enterprise Scanner policies” on page 30
“Deploying an Enterprise Scanner policy from the policy repository” on page 31
“Migrating a locally managed Enterprise Scanner agent into SiteProtector” on page
32
“Viewing asset or agent policies for Enterprise Scanner” on page 33
“Getting vulnerability help for a SiteProtector Console without Internet access” on
page 34
“Agent policies for Enterprise Scanner” on page 35
“Asset policies for Enterprise Scanner” on page 45
© Copyright IBM Corp. 1997, 2009 29
Page 38
Policy inheritance with Enterprise Scanner policies
The inheritance properties of policies in SiteProtector provide a flexible and
efficient method for setting up your scanning environment in a hierarchical group
structure.
General inheritance behavior
In general, inheritance works as follows:
v When you define a policy for a group in your group structure, the policy
automatically applies to the subgroups for the group unless a subgroup already
has its own version of the policy. Then, that subgroup retains its version of the
policy.
v You can break the inheritance at any level in the group structure by redefining
(overriding) the policy for a subgroup. When you define a policy for a
subgroup, the changes apply to its subgroups.
v If you have defined a policy for a subgroup that you want to apply to groups
above it, you can promote the policy to a higher group.
Inheritance with Enterprise Scanner policies
As you plan your Site grouping structure for vulnerability management, keep these
points in mind:
v Most asset policies follow the general rules of inheritance.
v Many agent policies apply only to a single agent or scanning network interface.
v Some asset and some agent policies have specialized inheritance characteristics.
These differences are described in more detail in the following topics.
Inheritance indicators
When you select a group in the left pane of the SiteProtector Console, policies
applicable to the group are displayed in the right pane. The inheritance indicators
of the policies are displayed in the Inheriting From column as follows:
Table 4. Policy inheritance indicators
If the Inheriting From Value is... Then...
blank The policy is defined at the group
level/agent selected in the left pane.
UNCONFIGURED You have chosen to override the policy with
one that is defined higher in the group
structure, but a higher-level policy is not
defined.
a_group_name The policy is inherited from the referenced
group.
Initially blank or unconfigured?
The initial inheritance indicators for agent policies can be blank or unconfigured
depending on whether you override SiteProtector group settings when you register
your agent with SiteProtector:
v If you override the settings, the settings for the agent are applied to the
SiteProtector policies, so that the Inheriting From column is blank.
30 Enterprise Scanner: User Guide
Page 39
v If you do not override the settings, the column follows the inheritance described
in the table above; however, you must configure those policies.
Deploying an Enterprise Scanner policy from the policy repository
Use the policy repository to create, edit, and deploy Enterprise Scanner policies in
SiteProtector. The repository keeps an archive of each saved version of your
policies. After creating or editing a policy, you must deploy it to the appropriate
Enterprise Scanner agents or groups.
About this task
Each time you edit a policy, SiteProtector saves a new version in the repository.
You can deploy any version of a policy to an Enterprise Scanner agent or group on
your Site. You can use the default repository in SiteProtector to manage all of your
policies, or create additional repositories to separate different types or groups of
policies.
Important: You cannot delete a policy from the repository if you have deployed it
anywhere in your Site.
Note: Central Responses can only use Network Objects that are in the default
repository.
Procedure
1. Choose an option:
v Drag the policy icon from the repository to the Enterprise Scanner group or
agent in the left pane.
v Right-click the policy icon in the repository, and then select Deploy from the
pop-up menu.
2. To deploy additional policies, click the Policies icon, and then click Add to
select more policies. The Deploy Policy window displays the policy you chose,
and the target(s) it will be deployed to.
3. Click OK.
4. To select a target to deploy the policy to, click the Targets icon, and then select
the Enterprise Scanner groups or agents to deploy this policy to.
5. Click the Schedule icon.
6. To deploy the policy immediately, select Now.
7. To schedule a specific date and time to deploy the policy, select Start Time,
click the list, and then select a date and time for deployment.
8. Click OK.
Chapter 3. Enterprise Scanner policies 31
Page 40
Migrating a locally managed Enterprise Scanner agent into SiteProtector
You must migrate the Enterprise Scanner agent out of the Locally Managed Agents
area to take advantage of the policy features available in SiteProtector.
About this task
If the policies for the Enterprise Scanner agent are managed locally (from Proventia
Manager), they will be displayed in the Locally Managed Agents node.
The Locally Managed Agents node is designed to be a temporary access point for
Enterprise Scanner agents whose local policies have not yet been imported into
SiteProtector. You should move these policies into the policy repository to manage
them in SiteProtector.
Procedure
1. Select the Policy view, and then select Locally Managed Agents.
2. Select the Enterprise Scanner agent, and then select Migrate to Repository from
the pop-up menu.
3. Type a unique policy name for any policy files that duplicate those already in
the repository.
4. Click OK. The policies for the Enterprise Scanner agent are displayed in the
Repository and can be deployed to other Enterprise Scanner groups or agents
in SiteProtector.
32 Enterprise Scanner: User Guide
Page 41
Viewing asset or agent policies for Enterprise Scanner
In the SiteProtector Console, you can view asset and agent policies together, or you
can view them separately. If you view the policies separately, you can use the
views and tabs in SiteProtector to easily move back and forth between asset and
agent policies.
Procedure
1. From the SiteProtector Console, click a tab with the Policy view.
2. From the left pane, select the asset or agent whose policies you want to view.
3. If you want to see policies from a different repository, select that repository.
4. Select Network Enterprise Scanner from the Agent Type list.
5. Select your version of Enterprise Scanner for the agent from the Version list.
Note: The version can apply to the agent whose properties you are defining or
to the agent responsible for scanning the group whose properties you are
defining.
Important: Enterprise Scanner policies can apply to one or more versions, as
indicated in the policy view. If you use multiple agents at different versions
that do not share the same policy, you must define separate policies for each
version.
6. Choose an option:
If you want to view... Then...
All policies Select All from the Mode list.
Asset policies Select Asset from the Mode list.
Agent policies Select Agent from the Mode list.
Chapter 3. Enterprise Scanner policies 33
Page 42
Getting vulnerability help for a SiteProtector Console without Internet access
If you use the SiteProtector Console on a computer without an Internet connection,
you need to store the vulnerability Help on the computer or one it can access over
your company’s network.
Procedure
1. Download the vulnerability Help file (XForceHelpFiles.zip)from
http://www.iss.net/security_center/reference/vuln to a directory on your
computer.
2. When the File Download window opens, click Save to store the files on your
computer.
Important: Do not click Open.
3. After you download the files, specify the full path, including the final
backslash, in the Help HTML Prefix box on the Common Settings panel for
Assessment Scans.
Example: c:\data\XF-help-files\
34 Enterprise Scanner: User Guide
Page 43
Agent policies for Enterprise Scanner
Agent policies apply to Enterprise Scanner appliances and describe operational
settings for the agents or global settings for all scans. In addition, some agent
policies apply to only one agent.
Agent policy descriptions for Enterprise Scanner
Agent policies apply to both ad hoc and background scans.
Contents of an agent policy
The general contents of an agent policy include:
v The passwords to use for local accounts
v Scan management (breaking scans down into smaller subtasks per task)
v The relative location of the agent on the network, known as its perspective
v Updates to the agent
v Network configuration settings and DNS servers for the network interfaces
v Log file management
Policy inheritance with agent policies
The following rules describe policy inheritance for agent policies:
v You must define a unique Access, Networking, Services, and Time policy for
each agent.
v You can set up the Notification and Update policies to inherit their definitions
from policies defined higher in the group structure.
v You can define only one Network Locations policy, to be used for all agents and
assets, at the Site level in your group structure.
In the SiteProtector Console, you select a group in the left pane and the applicable
policies are displayed in the right pane. If you expand the group or agent, the
policies are also displayed below the group or agent.
Chapter 3. Enterprise Scanner policies 35
Page 44
Network Locations policy
Use the Network Locations policy to define the perspective (network location) of
an agent and to define routes for those perspectives.
Note: The Network Locations policy does not automatically import the
perspectives you set up in the Network Locations tab in the Proventia Manager
(LMI). If you have defined perspectives in the Proventia Manager, you must
redefine those perspectives for this policy in SiteProtector.
What is perspective?
A perspective is a name that represents the network location of one or more
agents. You associate a perspective with a group to scan in the Scan Control policy.
The agent(s) assigned to that perspective in the Networking policy run the scans.
Default perspective
The Network Locations policy contains a default perspective, Global, which you
cannot delete. You can use the Global perspective without adding any additional
perspectives, or you can use it along with user-defined perspectives.
When to use additional perspectives
Perspective is most important when you have multiple scanners located at
different locations on your network. To distinguish among them, you must use
more than one perspective.
You can only assign one unique perspective per scanning port. You cannot assign
the same perspective to more than one scanning port.
Perspective names
When you choose a perspective name, choose a name that represents the location
on the network that the perspective references. Consider that, technically, a
perspective represents a set of subnets from which you would expect the same
results for scanning and monitoring your network regardless of where you
connected your scanners within that set of subnets.
Scanning without full permissions
To perform any Enterprise Scanner scan with SiteProtector SP™6.1 or later, a user
must have permission to view the Network Locations policy. This permission is
granted for the predefined user groups that provide full Enterprise Scanner
permissions. If you define users or user groups with restricted permissions, you
must grant this permission explicitly. The way you grant permission is based on
the inheritance behavior of your policy:
If you... Then...
Do not change the inheritance behavior of
the policy
Change the inheritance behavior of the
policy
You can define the permission once at the
Site level.
You must grant the permission for the group
where you need the permission and for all
the groups above it in the hierarchy.
36 Enterprise Scanner: User Guide
Page 45
Important: Users who do not have permission to view the Network Locations
policy, either through group association or by a specific grant, cannot run
Enterprise Scanner scans.
Assigning perspective to a scanning interface
Use the Network Locations tab in the Network Locations policy on the
SiteProtector Console to assign a perspective (network location) to a scanning
interface.
Procedure
1. From the SiteProtector Console, create a tab to display agent policies.
2. In the navigation pane, select a group, and then open the Network Locations
policy for that group.
3. Click the Network Locations tab.
4. Click the Add icon.
5. Type a name for the perspective in the Network Locations Name field, and
then click OK.
Important: You can only assign one unique perspective per scanning port. You
cannot assign the same perspective to more than one scanning port.
Configuring routes for perspective
Use the Routes tab in the Network Locations policy on the SiteProtector Console to
configure the appliance to select paths for (routes) traffic.
About this task
In a multi-segmented network, you might experience unnecessary network traffic if
your agent traffic is routed through your default gateway. You can reduce network
traffic if you configure routes for perspectives that provide more direct routes to
targeted segments.
Procedure
1. From the SiteProtector Console, create a tab to display agent policies.
2. In the navigation pane, select a group, and then open the Network Locations
policy for that group.
3. Click the Routes tab, and then click the Add new item to list icon.
4. Complete the following fields:
Option Description
Perspective The perspective for which you are defining a
route.
Destination Network A network segment for which you want to
define a specific route for a perspective.
Gateway The IP address of the router the agent
should use to find IP addresses in the
Destination Network. Use the IP address
that is on the same network as the agent,
not the IP address of the route from inside
the target segment.
Chapter 3. Enterprise Scanner policies 37
Page 46
Option Description
Metric If you configure more than one route to the
5. Click OK.
Notification policy
Use the Notification policy to configure responses sent from the Enterprise Scanner
appliance to the SiteProtector Console.
Event notification settings for Enterprise Scanner
Use the Event Notification tab in the Notification policy on the SiteProtector
Console to Enterprise Scanner enable the agent to send system events to the
SiteProtector Console.
About this task
You can configure three types of system events:
v System error events
v System warning events
v System informative events
same segment for one perspective, a number
that indicates the preferred route. The closer
to 1, the more preferred the route.
Note: The numbers you use do not have to
be consecutive.
Procedure
1. From the SiteProtector Console, create a tab to display agent policies.
2. In the navigation pane, select a group, and then open the Notification policy
for that group.
3. Click the Event Notification tab.
4. Select the check boxes for each type of event to enable:
v Alert Logging for System Error Events
v Alert Logging for System Warning Events
v Alert Logging for System Informative Events
5. Select the Enable Event Delivery to SiteProtector Console check box for each
type of event to enable:
v System error notification
v System warning notification
v System informative event notification
38 Enterprise Scanner: User Guide
Page 47
Configuring advanced parameters for event notification
Use the Advanced Parameters tab in the Notification policy on the SiteProtector
Console to provide greater control over the event notification behavior of your
appliance.
Procedure
1. From the SiteProtector Console, create a tab to display agent policies.
2. In the navigation pane, select a group, and then open the Notification policy
for that group.
3. Click the Advanced Parameters tab.
4. If the parameter you want to tune is not displayed in the Advanced Parameters
tab, follow these steps:
a. Click the Add icon.
b. Type the name of the parameter.
c. Type a description of the parameter.
d. Specify the value type and value of the parameter.
5. If the parameter you want to tune is already displayed in the Advanced
Parameters tab, click the value or description field and change the setting.
Attention: In most cases, it should not be necessary to change advanced
parameters. However, you should not change these parameters unless you are
instructed by IBM ISS Technical Support personnel.
6. Click OK.
Access policy
Use the Access policy on the SiteProtector Console to change agent passwords and
to enable (require) or disable the bootloader password for backing up or restoring
your agents.
Before you begin
To change a password, you must know the current password.
About this task
When you configure the appliance, you must supply passwords for these accounts:
Table 5. Appliance passwords
Account Purpose
root This password accesses the operating system
Admin (agent user) This password accesses the Proventia Setup
Admin (Web user) This password accesses Proventia Manager
of the appliance.
Assistant on the appliance if the Enterprise
Scanner agent is not managed by a
SiteProtector.
through a Web browser over a network
connection.
Procedure
1. From the SiteProtector Console, create a tab to display agent policies.
Chapter 3. Enterprise Scanner policies 39
Page 48
2. In the navigation pane, select a group, and then open the Access policy for that
group.
3. For each password you want to change, complete the following steps:
a. Type the current password in the Current Password box.
b. Click Enter Password, type the new password in the Password and in the
Confirm password boxes, and then click OK.
4. If you want to require the use of the bootloader password to back up or restore
the agent, select the Enable bootloader password check box.
Important: If you enable the bootloader password, you must be connected to
the Enterprise Scanner agent with a serial connection and supply a password to
backup or to restore the agent.
Networking policy
Use the Networking policy on the SiteProtector Console to reconfigure the network
configuration settings for the management and scan interfaces and for the DNS
servers and search paths.
Configuring the management network interface
Use the Management Interface tab in the Networking policy on the SiteProtector
Console to configure the management interface network settings (ETH0).
About this task
You configured the management interface when you set up the appliance with the
Proventia Setup Assistant. Use the procedures in this topic to change those
settings.
Procedure
1. From the SiteProtector Console, create a tab to display agent policies.
2. In the navigation pane, select a group, and then open the Networking policy
for that group.
3. Click the Management Interface tab, and then type or change the following
information:
Option Description
Host Name The fully qualified domain name for the
Enterprise Scanner agent. Use the format:
gateway1.example.com
Interface The management port used by the
Enterprise Scanner agent.
IP address The IP address for the management network
interface that connects to SiteProtector.
Subnet Mask The subnet mask for the management
network interface that connects to
SiteProtector.
Gateway The address of the network gateway.
4. Select the Use Persistent IP if sensor is behind NAT if you want to avoid
conflicts with NAT rules, and then provide the IP address.
40 Enterprise Scanner: User Guide
Page 49
Configuring the scanning network interface
Use the Scan Interface tab in the Networking policy on the SiteProtector Console to
configure the scanning interface network settings (ETH1 - ETH5).
About this task
You configured the scanning interface when you set up the appliance with the
Proventia Setup Assistant. Use the procedures in this topic to change those
settings.
Procedure
1. From the SiteProtector Console, create a tab to display agent policies.
2. In the navigation pane, select a group, and then open the Networking policy
for that group.
3. Click the Scan Interface tab, and then type or change the following
information:
Option Description
Interface The Ethernet port of the interfaces for the
Enterprise Scanner agent.
IP Address The IP address of the scanning network
interface for the Enterprise Scanner agent.
Subnet Mask The IP address for the scanning network
interface subnet mask of the Enterprise
Scanner agent.
Gateway The address of the network gateway.
Maximum IPs per discovery subtask The maximum number of IP addresses to
discover in a subtask (of a task for each scan
job).
Note: This value applies to all discovery
scans that the agent runs.
Maximum assets per assessment subtask The maximum number of assets to scan in a
subtask (of a task for each scan job).
Note: This value applies to all assessment
scans that the agent runs.
Perspective (network location) The name of the network location to
associate with this scanning port.
Values: Global, the default, and any network
locations defined in the Network Locations
policy.
Chapter 3. Enterprise Scanner policies 41
Page 50
Configuring scanning interface DNS settings
Use the DNS tab in the Networking policy on the SiteProtector Console to
configure the DNS settings for the scanning interface.
About this task
You configured these settings when you set up the appliance with the Proventia
Setup Assistant. Use the procedures in this topic to change those settings.
Procedure
1. From the SiteProtector Console, create a tab to display agent policies.
2. In the navigation pane, select a group, and then open the Networking policy
for that group.
3. Click the DNS tab.
4. Choose an option:
If you want to... Then...
Specify DNS settings
Add a DNS search path
Edit a DNS search path
Copy and paste a DNS search path
Remove a DNS search path
Change the order of a DNS search path
1. Type the IP addresses for the primary,
secondary, and tertiary DNS servers.
2. Click Save Changes.
1. In the DNS Search Path section, click the
Add icon.
2. Type the domain name to add to the
search list, and then click OK.
3. Click Save Changes.
1. In the DNS Search Path list, select a
domain name, and then click the Edit
icon.
2. Edit the domain name, and then click
OK.
3. Click Save Changes.
1. In the DNS Search Path section, select a
domain name, and then click the Copy
icon. The agent copies the search path to
the clipboard.
2. Click the Paste icon. The agent copies the
search path to the end of the list.
3. If necessary, edit the policy, and then
click OK.
4. Click Save Changes.
1. In the DNS Search Path section, select a
domain name, and then click the
Remove icon.
2. Click Save Changes.
1. In the DNS Search Path section, select a
domain name.
2. Click the Up or Down arrows.
Tip: It is more efficient to place the most
likely used search path at the top of the
list.
3. Click Save Changes.
42 Enterprise Scanner: User Guide
Page 51
Services policy
Use the Services policy on the SiteProtector Console to enable or disable access to
your appliance from SSH (Secure Shell) applications on your network and to
enable SNMP to monitor the Enterprise Scanner appliance for conditions that
warrant administrative attention.
Procedure
1. From the SiteProtector Console, create a tab to display agent policies.
2. In the navigation pane, select a group, and then open the Services policy for
that group.
3. Choose an option:
If you want to... Then...
Enable SSH Select the Enabled check box to enable SSH;
Enable an SNMP Get
Enable an SNMP Trap
clear the Enabled check box to disable SSH.
Note: SSH is enabled and accessible to the
internal and external interfaces by default.
1. Select the SNMP Get Enabled box.
2. Provide a name for the system, a system
location, relevant contact information,
and an appropriate community name.
1. Select the SNMP Traps Enabled box.
2. Type the IP address in the Trap Receiver
Address field.
Note: This IP address is the server
address where the SNMP Manager is
running. The SNMP host must be
accessible to the appliance to send e-mail
notification.
3. Type the appropriate community name
(public or private) in the Trap
Community field.
4. Select a trap version from the Trap
Version list. The following versions are
available:
v V1: Simple Network Management
Protocol version 1
v V2c: Community-Based Simple
Network Management Protocol
version 2
4. Click Save Changes.
Chapter 3. Enterprise Scanner policies 43
Page 52
Time policy
Use the Time policy on the SiteProtector Console to change the date and the time
of the Enterprise Scanner agent, and to enable the network time protocol (NTP) to
synchronize the agent time with a network time server.
About this task
The Time policy always contains the last manually configured values for date and
time options, not the actual date and time. When you save the settings, the agent is
set to the currently configured values, whether you have changed them or not.
Important: To avoid resetting the time and date to the previously configured
values, update the time and date before you save the settings.
Procedure
1. From the SiteProtector Console, create a tab to display agent policies.
2. In the navigation pane, select a group, and then open the Time policy for that
group.
3. Choose an option:
If you want to... Then...
Change the date and time for the agent
Enable the network time protocol (NTP) Note: NTP synchronizes the configuration
1. Click the Date and Time arrow to see
the calendar.
2. Select the correct month and date.
Tip: Use the arrows at the top to change
the month and year in the calendar.
3. Select the hour and minutes in the Time
boxes.
4. Click outside the calendar to close it.
5. Click the Time Zone arrow and select
the correct time zone for your region.
6. Click Save Changes.
time with a network time server.
1. In the Network Time Protocol section,
select the Enable NTP check box.
2. Type the name of the server in the
Server box.
3. Save the Time policy.
4. Change the tab to an Agent view.
5. Right-click the agent or the group of
agents affected by the policy change, and
then select Refresh Agent from the
pop-up menu.
Important: To ensure that the agent
starts to use NTP time immediately, you
must refresh the agent. If you do not
refresh the agent, NTP time does not
take effect until the agent sends a
heartbeat to SiteProtector. If you cannot
save this policy and refresh the agent
immediately, set the time as described in
the Changing the date and time
procedure before you save the policy.
44 Enterprise Scanner: User Guide
Page 53
Update Settings policy
Use the Update Settings policy on the SiteProtector Console to configure how the
agent automatically locates, downloads, and installs available updates.
Asset policies for Enterprise Scanner
Asset policies apply to groups of assets and describe the security policy for those
assets.
Asset policy descriptions for Enterprise Scanner
Asset policies apply to both discovery scans and assessment scans depending on
the policy.
Scope of scanning
The following table identifies which asset policies apply to discovery scans, which
apply to assessment scans, and which apply to both:
Table 6. Asset policies
Policy Discovery Assessment
Assessment No Yes
Assessment Credentials Yes Yes
Discovery Yes No
Network Locations Yes Yes
Network Services No Yes
Scan Control Yes Yes
Scan Exclusion No Yes
Scan Window Yes Yes
Contents of an asset policy
The general contents of an asset policy include:
v Information about how to run discovery scans, assessment scans, or both types
of scans against the group
v The IP addresses to scan for discovery scans
v The checks to run, and other assessment parameters (for assessment scans
v The days to run scans and during which hours to run them
v Refreshed information from scans about the assets in a group
v The assets in the group, if any, that you do not want to scan
v The list of accounts and log on credentials to use for assets in a group
v The service names associated with TCP and UDP ports
Policy inheritance with asset policies
The following rules describe policy inheritance for agent policies:
v You can define only one Network Locations policy, to be used for all agents and
assets, at the Site level in your group structure.
Chapter 3. Enterprise Scanner policies 45
Page 54
v A Discovery policy applies to only the group where you define it.
v The remaining policies are inheritable. A subgroup inherits a policy from the
first group higher than itself in the group structure that has a defined policy.
In the SiteProtector Console, you select a group in the left pane and the applicable
policies are displayed in the right pane in a Policy tab.
Discovery policy
Use the Discovery policy on the SiteProtector Console to define parameters used to
perform discovery on a portion of a network.
In a discovery task, a range of IP addresses is scanned to locate active network
interfaces, and the type of device associated with each active network interface is
determined through OS identification.
Scope
The Discovery policy applies to background discovery scans. An ad hoc scan reads
this policy and uses its settings to initialize the ad hoc discovery scan. You can
change the settings in the ad hoc scan without changing the background policy.
Policy contents
Each Discovery policy defines the following information:
v A range of IP addresses to be scanned (specified as a combination of
dotted-decimal IP addresses and address ranges, and subnetworks specified in
CIDR notation).
v Whether to ping each IP address before scanning to exclude unreachable hosts
from the scan.
v Whether newly discovered assets should be added to the associated group.
v Whether previously known assets that do not already belong to the associated
group should be added to the group.
46 Enterprise Scanner: User Guide
Page 55
Defining assets to discover
Use the Discovery policy on the SiteProtector Console to define the parameters
used to perform a discovery scan on a portion of a network.
Before you begin
Before it can perform OS fingerprinting on an asset, your agent must find one
open and one closed port. To find an open and a closed port, the agent scans ports
1–1023 and any other ports specified in the applicable Network Services policy.
About this task
In a discovery task, a range of IP addresses is scanned to locate active network
interfaces, and the type of device associated with each active network interface is
determined through OS identification.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Discovery policy for
that group.
3. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets to
discover in the IP range(s) to scan box as in the following examples:
v Type an IP address, and then press ENTER.
v Type a range of IP addresses, and then press ENTER.
Example: 172.1.1.100-172.1.1.200
v Type a combination of both choices above, and then press ENTER.
Note: A red box appears around the IP range(s) to scan box until the data is
validated.
4. If you want to ping each IP address before scanning to exclude unreachable
hosts from the scan, select the Ping hosts in this range, before scanning, to
exclude unreachable hosts check box.
5. If you want to add newly discovered assets to the group where you have
defined the scan, rather than to the Ungrouped Assets group, select the Add
newly discovered assets to group check box.
6. If you want to add previously known assets that are already defined in other
groups to the scan group, select the Add previously known assets to group
check box.
Chapter 3. Enterprise Scanner policies 47
Page 56
Assessment policy
Use the Assessment policy on the SiteProtector Console to define the checks to run
for assessment scans.
The Assessment policy contains the following tabs:
v Checks (display checks by groups, display information about checks, select
checks with filters)
v Common Settings
Scope
The Assessment policy applies only to assessment scans that run in the
background. Ad hoc scans read this policy and use its settings to initialize the ad
hoc Assessment policy. You can change the ad hoc version of the policy without
changing the saved background version.
Displaying information about assessment checks
Use the Checks tab in the Assessment policy on the SiteProtector Console to choose
how much information to display about each assessment check in the Assessment
policy.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Assessment policy for
that group.
3. Choose an option:
If you want to... Then...
Add a single column Right-click a column and then select the
column to add from the pop-up menu.
Note: The column appears at the far right.
Remove a single column Right-click a column and then select the
column to remove.
Note: The column is removed.
Add multiple columns Click Column to display icon, and then
select the check box for each column to add.
Remove multiple columns Click Column to display icon, and then
clear the check box for each column to
remove.
48 Enterprise Scanner: User Guide
Page 57
Displaying assessment checks by groups
Use the Checks tab in the Assessment policy on the SiteProtector Console to group
checks by any combination of columns that you have chosen to display. For
example, you might want to see checks by category, then by severity within that
category.
About this task
The current grouping selections are displayed just above the column headers of the
checks.
v Assessment checks
v If no groups are selected, the following message is displayed on the screen:
Right click on the column header to group by that column.
v If groups are selected, the group names are displayed on in the screen as in the
following example:
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Assessment policy for
that group.
3. Click the Checks tab.
4. Choose an option:
If you want to... Then...
Clear groupings Choose an option:
v Right-click any column header, and then
select Clear Groupings from the pop-up
menu.
v Click Clear Groupings.
Create groupings interactively
Create groupings from a selection list
1. Right-click a column heading, and then
select Group By from the pop-up menu.
2. Repeat the previous step until you have
created the groupings that you want.
1. Click the Group By icon.
The Group by Columns window
appears.
2. Select a column to group by in the All
Columns list, and then click Add.
The column moves to the Group by these
Columns list.
3. Repeat the previous step for each column
that you want to group by.
4. If you want to remove items from the
list, select an item in the Group by these
Columns list, and then click Remove.
The item and any items below it move to
the All Columns list.
5. Click OK.
Chapter 3. Enterprise Scanner policies 49
Page 58
Selecting assessment checks with filters
Use the Checks tab in the Assessment policy on the SiteProtector Console to
provide filtering values on a selected list of assessment checks.
About this task
The following rules apply to using regular expressions:
v The match occurs against all columns in the table, whether or not the column is
displayed.
v If you use more than one regular expression, every regular expression must
match for a check to be selected.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Assessment policy for
that group.
3. Click the Checks tab.
4. Select the Filter check box, and then click Filter.
5. To filter with a regular expression, type one or more regular expressions on
separate lines in the Regular Expression box.
Tip: For example, use http.* to match the value in any column that starts with
http; or use .*http.* to match the value in any column that contains http.
6. To filter by one or more of the remaining filter types, select the values to filter
by in the filtering boxes.
Tip: You can select ranges of filtering values by holding down the SHIFT key
and random filtering values by holding down the CTRL key.
7. Click OK.
50 Enterprise Scanner: User Guide
Page 59
Configuring common assessment settings
Use the Common Settings tab in the Assessment policy on the SiteProtector
Console to choose settings that define additional scanning behavior for the checks
you have selected to run in an assessment scan.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Assessment policy
for that group.
3. Click the Common Settings tab.
4. Type the URL or file location for the assessment check Help documentation in
the Help HTML Prefix box:
v The IBM ISS Web site location of the latest assessment check
documentation.
v The file location of a locally stored version of the documentation.
Note: If you do not have access to the Internet, but you want to view Help
for checks in the Assessment policy, you must copy the files to your hard
drive. See Getting vulnerability help for a SiteProtector Console without
Internet access for details.
5. If you want to run the checks that are enabled by default, including checks
added in an X-Press Update (XPU), select a policy in the Compliance Policies
section.
6. Configure options for service discovery in the Service Discovery section:
Option Description
Discover and report TCP services Reports active TCP services for which the
Service Scan flag is enabled in the Network
Services policy.
Discover and report UDP services Reports active UDP services for which the
Service Scan flag is enabled in the Network
Services policy.
7. Configure options for assessment port ranges in the Assessment Port Ranges
section:
Option Description
Ports to scan with generic TCP checks The set of TCP ports to scan with generic
TCP checks. You can specify ports using any
of the following methods:
v Type a port or range of ports.
v Click Well known and select ports from
the list.
v Select All.
Note: A generic TCP check is one whose
target type is tcp.
Chapter 3. Enterprise Scanner policies 51
Page 60
Option Description
Ports to scan with generic UDP checks The set of UDP ports to scan with generic
UDP checks. You can specify ports using any
of the following methods:
v Type a port or range of ports.
v Click Well known and select ports from
the list.
v Select All.
Note: A generic UDP check is one whose
target type is udp.
8. Configure options for using OS information in the Use of OS Information
section:
Option Description
Dynamically determine OS if SiteProtector
information is older than
For unverified OS’s: Specify which checks to run if the OS is
The maximum age (in minutes) of usable OS
information in SiteProtector.
If the OS information for an asset is older
than the time specified, Enterprise Scanner
reassesses OSID when it runs an assessment
scan.
Default: 120
uncertain.
v Run all checks (lowest performance): If
Enterprise Scanner is uncertain about the
OS of the asset, it runs all assessment
checks.
v Run all checks that apply to general OS
(intermediate performance): If Enterprise
Scanner is uncertain about the OS of the
asset, it runs checks for all versions of an
operating system. (For example, if
Enterprise Scanner is uncertain about
which version a Windows operating
system is, it runs all the checks for all
versions of Win dows operating systems.)
v Run only checks that apply to specific
OS (Best performance): If Enterprise
Scanner is uncertain about the OS of the
asset, runs only the checks that apply to
the exact version of the operating system.
9. Configure options for application fingerprinting in the Use of Application
Fingerprinting section:
52 Enterprise Scanner: User Guide
Page 61
Option Description
Do not perform application fingerprinting Does not try to specifically identify which
applications are communicating over which
ports, and runs the checks as selected in the
Assessment policy.
This option does not identify applications
communicating over non-standard ports.
(Checks are run against standard ports as
defined in the Network Services policy.)
Fingerprint applications and run checks
that apply to application protocol (e.g.,
http)
Fingerprint applications and run checks
that apply to specific application (e.g.,
apache)
Identifies applications communicating over
specific ports, and then runs checks that
apply to the protocol in use.
This option identifies applications
communicating over non-standard ports.
Identifies applications communicating over
specific ports, and then runs checks that
apply only to the application identified.
This option identifies applications
communicating over non-standard ports.
10. The settings in the Account Verification section apply only if an Assessment
Credentials policy is available for the group being scanned.
Option Description
Verify account access level before using
Access domain controllers to verify access
level
Check local group membership to verify
access level
v If disabled, Enterprise Scanner assumes
that whatever is specified in the
Assessment Credentials policy is accurate.
v If enabled, Enterprise Scanner tries to
confirm that the access level specified in
the Assessment Credentials policy is
correct.
Important: You should enable the Check
local group membership to verify access
level if you enable account verification.
v If disabled, Enterprise Scanner does not
communicate with a Domain Controller in
the process of verifying access levels.
v If enabled, Enterprise Scanner tries to
communicate with a Domain Controller in
the process of verifying access levels.
v If disabled, Enterprise Scanner does not
try to confirm the access level of the
account during assessment by checking
which local groups the asset belong to.
v If enabled, Enterprise Scanner tries to
confirm the access level of the account
during assessment by checking which
local groups the asset belong to.
11. Configure the options for locking out accounts in the Account Lockout
Control section:
Chapter 3. Enterprise Scanner policies 53
Page 62
Option Description
Allowed account lockout Select a type of lockout:
v No lockout allowed: Enterprise Scanner
avoids running password guessing checks
if account lockout is enabled on the target
host, or if its status cannot be determined.
v Temporary lockout allowed: Enterprise
Scanner runs password guessing checks
only if the account lockout duration is less
than or equal to the value specified in the
Maximum Allowable Lockout Duration
option later in this section.
v Permanent lockout allowed:Enterprise
Scanner runs password guessing checks
even if the account lockout duration is set
to run infinitely.
Longest allowed temporary lockout Specifies the maximum time (in minutes)
that accounts are allowed to be locked out
by password guessing checks.
This value applies only if Temporary
Lockout Allowed is enabled. When
temporary lockout is allowed, password
guessing checks are run only against assets
whose lockout policy disables locked out
accounts for no more than the maximum
allowed lockout time.
54 Enterprise Scanner: User Guide
Page 63
Assessment Credentials policy
Use the Assessment Credentials policy on the SiteProtector Console to define
authentication credentials for your assets.
The appliance uses authentication credentials to access accounts during assessment
scans. Enterprise Scanner uses all instances of the credentials that are defined for
the group when it scans assets in the group. You can define different instances of
this policy for different groups, which makes it possible to supply different log on
credentials to scan different parts of the network.
Important: The Assessment Credentials policy currently works only with assets
that run Windows operating systems.
Scope
The Assessment Credentials policy applies to all types of scans.
Defining assessment credentials for a policy
Use the Assessment Credentials policy on the SiteProtector Console to define
authentication credentials for your assets.
About this task
The appliance uses authentication credentials to access accounts during assessment
scans. Enterprise Scanner uses all instances of the credentials that are defined for
the group when it scans assets in the group. You can define different instances of
this policy for different groups, which makes it possible to supply different log on
credentials to scan different parts of the network.
Important: The Assessment Credentials policy currently works only with assets
that run Windows operating systems.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Assessment
Credentials policy for that group.
3. In the Assessment Credentials policy, click Add, and then provide the
following account information:
Option Description
Username The user identification for an account.
Password The password to use with the user name to
log into an account.
Account Type: Windows Local Indicates that the user account is defined
locally on a single Windows device. The
account is used to attempt to log in to a
single Windows device.
When you choose this option, you must
provide a Windows host name in the
Domain/Host box.
Chapter 3. Enterprise Scanner policies 55
Page 64
Option Description
Account Type: Windows
Domain/Workgroup
Account Type: Windows Active Directory Indicates that the user account is defined in
Account Type: SSH Local
Account Type: SSH Domain
Indicates that the user account is defined in
a Windows Domain or Workgroup. The
account is used to attempt to log in to all
Windows devices within the domain or
workgroup.
When you choose this option, you must
provide the Windows Domain or Workgroup
name in the Domain/Host box.
a Windows Active Directory Domain. The
account is used to attempt to log in to all
Windows devices within the Active
Directory domain.
When you choose this option, you must
provide the Active Directory Domain name
in the Domain/Host box.
Indicates that the user account is defined
locally on a single Unix device that allows
SSH logons. The account is used to attempt
login to a single Unix device.
When you choose this option, you must
provide an IP address in the Domain/Host
box.
Indicates that the user account is defined for
Unix devices that allow SSH logons. In this
context, ″Domain″ loosely refers to a set of
devices, rather than to a specific type of
domain. The account is used to attempt to
log in to all SSH devices covered by the
policy.
Domain/Host Applies to one of the following domains or
Account Level Applies to one of the following accounts:
Important: To avoid locking an account, do not add the account more than
once.
56 Enterprise Scanner: User Guide
When you choose this option, you should
supply a descriptive name in the
Domain/Host box. This is for
documentation purposes only; it is not used
by Enterprise Scanner.
hosts:
v For Windows accounts, the domain or
host name to which the account applies.
v For SSH Local accounts, the IP address of
the device to which the account applies.
v For SSH Domain accounts, any text.
v Administrator
v User
v Guest
Page 65
Scan Control policy
Use the Scan Control policy on the SiteProtector Console to define the duration of
scanning cycles and to assign user-defined perspectives to scans.
Background scanning is based on scanning cycles. Scanning cycles define how
frequently you want to rerun scans for a group.
Note: Background scans run during open scan windows that you define in the
Scan Window policy.
Important: This policy initiates background scanning, so you should configure it
after you have configured the other policies required for background scanning.
Scope
The Scan Control policy applies to background discovery and background
assessment scans. This policy does not affect ad hoc scans. Consequently, the
behavior for ad hoc scans is different:
v An ad hoc discovery scan runs only on the group where you define the scan.
v An ad hoc assessment scan applies to the group where you define the scan and
to all the subgroups. This is different from background scans in that background
scanning behavior is determined by which Scan Control policy applies to each
subgroup.
What is perspective?
When you scan a group of assets, you anticipate and interpret results based on the
location of your scanner relative to the location of the assets. Scanning a group of
assets from inside a firewall, for example, would produce different results from
scanning that same group of assets from outside the firewall. With Enterprise
Scanner, you use perspective to identify scanners by their location on the network,
such as inside or outside the firewall, and then you configure scans based on the
perspective from which you want to scan your assets. You define perspectives in
the Network Locations policy.
Chapter 3. Enterprise Scanner policies 57
Page 66
Defining scanning cycles and assigning perspectives to scans
Use the Scan Control policy on the SiteProtector Console to define the duration of
scanning cycles and to assign user-defined perspectives to scans.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Scan Control policy
for that group.
3. Select the Enable background discovery/assessment scanning of this group
check box, for the type(s) of background scanning you want to define, in the
Background Discovery and Background Assessment sections.
4. Configure background scanning for each type of scan:
Option Description
Job name The name you want displayed for the
scanning job in the Command Jobs window.
Note: This name identifies the scan when it
runs, so choose a meaningful name.
Cycle start date The date on which you want the scan cycle
to start.
Note: Future scans are created in
SiteProtector at midnight at the beginning of
the next refresh cycle.
Cycle duration The length (up to three digits) of the cycle as
in one of the following units:
v Hours (for Enterprise Scanner version 2.1
agents or later only)
v Days
v Weeks
v Months
Current cycle start date The beginning date of the current scan cycle.
(Display only.)
Next cycle start date The beginning date of the next scan cycle.
(Display only.)
Use Discovery’s start date/duration and
wait for discovery scan to complete before
scheduling assessment scan
Delays the start of the assessment scan until
the discovery scan has finished to ensure
that the discovery scan has identified all
discoverable assets before the assessment
scan begins.
Note: This check box applies to assessments
scans only.
5. If you want to scan from a user-defined perspective, select a perspective from
the Perform background scans from this perspective (Network location) box.
Tip: If you have not yet defined the perspective, click the Configure the
referenced list icon to open the Network Locations policy and define a new
perspective.
58 Enterprise Scanner: User Guide
Page 67
Scan Window policy
Use the Scan Window policy on the SiteProtector Console to define hours of
allowed scanning for discovery scans (scan windows), assessment scans (scan
windows), and the time zone in which you want the scanning to occur, which is
typically the time zone of the assets.
By default, scanning is allowed at any time. If you want to limit scanning, be sure
to define scan windows.
Scope
The Scan Window policy applies to background discovery and assessment scans.
For an ad hoc scan, you can choose whether to run the scan only during the
windows defined in this policy or to run the scan without restriction.
By default, all scan windows are open, so that scanning is allowed at any time.
When you open a Scan Window policy, however, the default changes; and all scan
windows are closed. If you modify a Scan Window policy, be sure to define scan
windows for discovery and for assessment scans.
Important: If you start a scan when there are no scan windows, the job appears in
the Command Jobs window in the idle state; but it will not run until you define
scan windows.
Important consideration for multiple agents
If you have multiple agents, you should stagger your scan windows so that the
discovery scan can finish before the assessment scan begins. If a discovery scan
adds assets to a group while an assessment scan is running, there is no guarantee
that those assets will be included in the assessment scan.
Chapter 3. Enterprise Scanner policies 59
Page 68
Defining when scanning is allowed
Use the Scan Window policy on the SiteProtector Console to define the days and
hours that scanning is allowed.
About this task
The Scan Window policy applies to background discovery and assessment scans.
For an ad hoc scan, you can choose whether to run the scan only during the
windows defined in this policy or to run the scan without restriction.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Scan Window policy
for that group.
3. Click the Discovery Windows tab or the Assessment Windows tab.
Note: Scanning hours are selected; non-scanning hours are not selected.
4. Select the periods of allowed scanning using the following methods:
If you want to... Then...
Allow scanning during specific hours Click and drag your cursor over the hours
in each day to allow scanning.
Allow scanning at any time Click Fill All.
Remove all defined scans periods Click Clear All.
Important: To enable background scanning, you must define at least one scan
window.
5. Click the Time Zone tab.
6. Select the time zone during which you want the scan windows to run from the
Time zone for scan windows list.
Note: Typically, you would choose the same time zone as the time zone of the
assets in the group. For example, you might be in the Eastern time zone but
scanning assets in the Pacific time zone. You would define your scanning hours
according to the considerations of the Pacific time zone and set your appliance
to the Pacific time zone.
60 Enterprise Scanner: User Guide
Page 69
Scan Exclusion policy
Use the Scan Exclusion policy on the SiteProtector Console to define specific ports
or assets to exclude from a scan of a group of assets.
Each Scan Exclusion policy defines the following information for the asset group
associated with the policy (and the groups that inherit from it):
v A list of ports against which no assessment checks will be run. (No checks run
against these ports on any host in the group. This applies to both TCP and UDP
ports.)
v A list of IP addresses not to scan.
Important: You should define the Scan Exclusion policy at a high level in your
group structure and allow the lower groups to inherit from it. If needed, you can
then override the policy at lower groups.
Scope
The Scan Exclusion policy applies to ad hoc and background assessment scans. It
does not apply to discovery scans.
Defining ports or assets to exclude from a scan
Use the Scan Exclusion policy on the SiteProtector Console to define specific ports
or assets to exclude from a scan of a group of assets.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Scan Exclusion policy
for that group.
3. Choose an option:
If you want to... Then...
Exclude ports Use a combination of typing the ports to
exclude and choosing the ports:
v Type the ports to exclude, separated by
commas, in the Excluded Ports box.
v Click Well Known Ports, and then select
the ports to exclude.
Exclude assets Type the IP addresses (in dotted-decimal or
CIDR notation) of the hosts to exclude in the
Excluded Hosts box:
v Type an IP address, and then press ENTER.
v Type a range of IP addresses, and then
press ENTER.
Example: 172.1.1.100-172.1.1.200
v Type a combination of both choices above,
and then press ENTER.
Note: A red box is displayed around the
Excluded Hosts box until the data is
validated.
Chapter 3. Enterprise Scanner policies 61
Page 70
Network Services policy
Use the Network Services policy on the SiteProtector Console to define service
names associated with TCP and UDP ports.
You can modify some properties of a default service in the policy, and you can add
your own customized services to the policy.
Scope
The Network Services policy applies to assessment scans that run as either
background or ad hoc scans.
Default settings
The IBM ISS X-Force defines the default Network Services policy and might
update the policy in an X-Press Update (XPU). The default policy applies to all
groups that do not override it. The service names defined in the policy are
referenced as target types in Enterprise Scanner check definitions. X-Force adds a
service name when a new check uses a service that was not previously defined in
the policy.
Policy inheritance
A Network Services policy defined in association with a group overrides the
default definitions only for those services explicitly referenced in the user-defined
policy. A user-defined Network Services policy includes only explicit overrides of
inherited service definitions, which ensures that all groups automatically inherit
XPU updates to the default Network Services policy.
Service definition
The network services policy includes the following information about each service:
v Service name
v Service description
v Port number
v Protocol (TCP or UDP)
v Whether some (or all) instances of the service operate over SSL on this port
within your network
v Whether to include the port in the service scan
v Whether you have customized a default service or created a custom service
62 Enterprise Scanner: User Guide
Page 71
Configuring a Network Services policy
Use the Network Services policy on the SiteProtector Console to define service
names associated with TCP and UDP ports.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Network Services
policy for that group.
3. For default or customized services, choose an option:
If you want to... Then...
Change the description of a service Slowly click Description two times to switch
to edit mode, and then change the
description.
Allow each service to operate over SSL in
at least some part of your network
Allow service scans for this service over
any TCP and UDP ports specified in the
Assessment policy
Note: You cannot change the Service name, Port, or Protocol of default
services. You cannot delete default services.
4. For customized services, choose an option:
Select the May use SSL check box for that
service.
Select the Service scan check box.
If you want to... Then...
Add a service Click the Add icon.
Modify a service Click the Modify icon.
Delete a service Click the Delete icon.
Chapter 3. Enterprise Scanner policies 63
Page 72
Ad Hoc Scan Control policy
Use the Ad Hoc Scan Control policy on the SiteProtector Console to define
Enterprise Scanner ad hoc scans for assessment and discovery.
Configuration options
For ad hoc scans you configure the following options:
v With the Ad Hoc Scan Control option, you determine whether to run
assessment or discovery scans, whether to run the scans only during available
scan windows, how to lower the impact on the network from scanning, and the
perspective to use.
v With the Assessment option, you select which checks to run for assessment
scans.
v With the Discovery option, you select which IP addresses to scan and how to
handle the hosts that you discover.
Running an ad hoc discovery scan with Enterprise Scanner
When you run an ad hoc discovery scan from the SiteProtector Console, you must
define the ranges of IP addresses to scan, including additional scanning control
parameters.
Procedure
1. In the SiteProtector navigation pane, create a tab with any view except for a
Policy view.
2. Expand the Site to see the group you want to scan.
3. Right-click the group to scan; if given a choice of Internet Scanner or
Enterprise Scanner, select Enterprise Scanner; and then select Scan from the
pop-up menu.
4. In the Ad Hoc Discovery section, select the Perform one-time discovery scan
of this group check box.
5. Type a Job name to identify the job when it appears in the Command Jobs
window.
6. If you want the scan to run only during your scheduled scanning windows,
select the Run only during open discovery windows check box.
7. Click Discovery in the left pane.
8. Type the range, or ranges, of IP addresses to scan in the IP range(s) to scan
box.
9. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets to
exclude in the IP range(s) to scan box as in the following examples:
v Type an IP address, and then press ENTER.
v Type a range of IP addresses, and then press ENTER.
v Type a combination of both choices above, and then press ENTER.
Note: A red box appears around the IP range(s) to scan box until the data is
validated.
10. If you want to ping each IP address before scanning to exclude unreachable
hosts from the scan, select the Ping hosts in this range, before scanning, to
exclude unreachable hosts check box.
64 Enterprise Scanner: User Guide
Example: 172.1.1.100-172.1.1.200
Page 73
11. If you want to add newly discovered assets to the group where you have
defined the scan, rather than to the Ungrouped Assets group, select the Add
newly discovered assets to group check box.
12. If you want to add previously known assets (that are not in the group) to the
group, select the Add previously known assets to group check box.
13. Click OK. The ad hoc discovery scan is displayed in the Command Jobs
window.
Running an ad hoc assessment scan with Enterprise Scanner
When you run an ad hoc assessment scan from the SiteProtector Console, you can
use the default settings, or choose the checks you want to run and other scanning
parameters.
Procedure
1. In the SiteProtector navigation pane, create a tab with any view except for a
Policy view.
2. Expand the Site to see the group you want to scan.
3. Right-click the group to scan; if given a choice of Internet Scanner or
Enterprise Scanner, select Enterprise Scanner; and then select Scan from the
pop-up menu.
4. In the Ad Hoc Discovery section, select the Perform one-time discovery scan
of this group check box.
5. Type a Job name to identify the job when it appears in the Command Jobs
window.
6. If you want the scan to run only during your scheduled scanning windows,
select the Run only during open discovery windows check box.
7. Click Assessment in the left pane.
8. Configure the policy the same way you would configure the background
Assessment policy.
9. Select Global in the Perform scans from this perspective (Network location)
list.
10. Click the Advanced Settings tab.
11. In the Assessment Throttling section, use the Bandwidth Throttling slider to
set the amount of bandwidth the scan should consume.
The Enterprise Scanner agent will monitor threads once the value becomes
greater than you specified.
To enable logging, add the following advanced parameter to the logging
parameters in SiteProtector: esm.portN.debug.logging where N is the port
number of the scan interface
The agent writes the log information to iss-esm-<port number of scan
interface>.log.
12. Use the remaining sliders to enable settings that prevent the scan from
overwhelming or flooding a slow network:
Option Description
Connections per host The maximum number of connections the
scan should make per host.
SMB Connections The maximum number of SMB connections
the scan should make during a scan job.
Chapter 3. Enterprise Scanner policies 65
Page 74
Option Description
Half-Scan Connections The maximum number of connections the
scan should use for opening and closing
ports.
13. Click the Debug Settings tab.
14. In the Packet Capture section, select Enabled and then set the filters for the
agent to use during the ad hoc assessment scan for network analysis.
Note: Packet capturing is not available for ad hoc background scanning.
The agent writes the capture results to
<filename>_<interface>_<timestamp>.cap located in /cache/log/esm/
PacketCapture. To view the results of the capture file:
a. Start Proventia Manager, and then click Support → System Support File.
b. Click Generate Support Data File.
c. Download the file to your computer, extract it, and then open the file in
any PCAP compatible software.
15. Click OK. The ad hoc assessment scan appears in the Command Jobs window.
66 Enterprise Scanner: User Guide
Page 75
Chapter 4. Understanding scanning processes in SiteProtector
This chapter explains the high-level processes behind ad hoc and background
scanning. It also explains how policy settings affect those processes.
Use the following strategies for managing vulnerabilities with Enterprise Scanner:
v Use background scanning for automated vulnerability management.
v Use ad hoc scanning as needed to handle exceptional cases.
Topics
“What is perspective?” on page 68
“Defining perspectives” on page 69
“Scan jobs and related terms” on page 71
“Types of tasks” on page 72
“Priorities for running tasks” on page 73
“Stages of a scanning process” on page 74
“Optimizing cycle duration, scan windows, and subtasks for Enterprise Scanner”
on page 76
© Copyright IBM Corp. 1997, 2009 67
Page 76
What is perspective?
When you scan a group of assets, you anticipate and interpret results based on the
location of your agent relative to the location of the assets. Scanning a group of
assets from inside a firewall, for example, produces different results than scanning
the same group of assets from outside the firewall.
Perspective identifies network location
With Enterprise Scanner, you use perspective to define logical locations on your
network. When you add an agent to SiteProtector, you assign it to a perspective
that identifies the agent’s location on the network. When you configure a scan, you
choose the perspective from which you want to scan the IP addresses or the assets
in the group.
Default perspective
Enterprise Scanner contains one predefined perspective, Global. If you plan to scan
from just one location on your network, you may use the default perspective. Or,
you can create a user-defined perspective to use instead of the default.
Technical requirements
The network location that a perspective represents must meet the following
technical requirements:
v A perspective is a set of subnets from which you expect the same results from
scanning or monitoring your network regardless of where you connect the
agents within that set of subnets.
v Within that set of subnets, no network traffic is blocked and no network address
translation occurs.
Use for distributed scanning
Perspective makes it possible to easily distribute the workload among multiple
agents:
v If you have just one agent in a perspective, that agent performs all the scans that
run from that perspective.
v If you have two or more agents in a perspective, Enterprise Scanner
automatically balances the distribution of tasks among the agents in that
perspective.
Flexibility
Identifying agents by perspective instead of by a specific name or IP address
makes it easier to respond to changes in your scanning environment. If you add an
agent to a perspective, then that agent automatically shares the workload with the
other agents in that perspective. If you remove an agent from a perspective that
contains multiple agents, the remaining agents continue to run the scans assigned
to that perspective. In either case, no additional configuration is required, and
there is no interruption to your scanning cycles.
Use meaningful perspective names
The name you use for a perspective should reflect the implications of scanning
from that location. Using the example of setting up agents inside and outside a
68 Enterprise Scanner: User Guide
Page 77
firewall, descriptive perspective names might be Atlanta-InsideFirewall and
Atlanta-OutsideFirewall.
Placing agents in the correct perspective
A perspective name has no meaning to Enterprise Scanner. You must make sure
that the agents you add to each perspective make logical sense placed there. If you
add an agent to a perspective that is not logical for that agent, Enterprise Scanner
cannot determine that you have made a mistake.
Defining perspectives
To use perspectives, you must define the perspective, assign at least one agent to
the perspective, and then associate the perspective with a group of assets to scan.
Perspectives in policies
The exact role of perspective depends on the policy where you define or select it.
The following table describes how to use perspective in different policies:
Table 7. Perspectives in policies
Policy How to use Applies to...
Network Locations policy Define a perspective as a
Network Locations policy Assign an agent to a
Scan Control policy Identify the perspective from
network location
perspective
which you want to scan
groups of assets
The entire Site
A particular agent
The group, or groups, to
scan with that policy
The following image illustrates the relationships between perspectives and policies
described in the table labeled Perspectives in policies:
Chapter 4. Understanding scanning processes in SiteProtector 69
Page 78
Figure 1. Network locations and perspectives
To scan some asset groups from inside your firewall and others from within your
DMZ, follow these steps:
1. Set up two groups in SiteProtector:
v One group contains assets to scan from inside the firewall.
v One group contains assets to scan from the DMZ.
2. Define a perspective to identify the scanners at each place on your network.
3. Assign one or more scanners to each perspective.
4. Set up a scan control policy for each asset group and specify, in each policy, the
perspective from which scanning should occur.
70 Enterprise Scanner: User Guide
Page 79
Scan jobs and related terms
To tune your system correctly, you must understand how scan jobs run and how
the options you define in policies affect jobs and subtasks.
Definitions
The following table describes the terms used by the Enterprise Scanner agent in
the scanning process:
Table 8. Terms related to scanning jobs
Term Description
Criticality A user-assigned setting that indicates the
Scan job SiteProtector schedules a scan job in the
Task A scan job is divided into tasks as described
Subtask The portion of a task assigned to an agent at
relative importance of an asset to other
assets:
v Critical
v High
v Medium
v Unassigned (the default)
v Low
Command Jobs window, either at the
beginning of a refresh cycle or when you
initiate an ad hoc scan. The scan job divides
the scan into subtasks and displays its
progress. Scans might not start processing as
soon as they are posted if they run only
within scan windows and no scan window
is open.
in “Types of tasks” on page 72.
one time. A subtask includes the number of
IPs to discover or the number of assets to
scan based on settings in the Networking
policy for the agent that runs the scan. You
should change the following field names:
v Maximum IPs per Discovery Subtask
v Maximum Assets per Assessment Subtask
Assets with unassigned criticality
The criticality levels in the definition above are listed in order from highest to
lowest criticality. The Unassigned level is intentionally higher than the Low level for
the following reasons:
v The default criticality level for a newly discovered asset is Unassigned because
the criticality is unknown until you assign it another criticality level.
v Because you must specifically assign the Low level to an asset, Enterprise
Scanner places it below Unassigned assets because unassigned assets might be of
a higher criticality.
Chapter 4. Understanding scanning processes in SiteProtector 71
Page 80
Types of tasks
Scheduled and running scans
To make it easier to explain the scanning processes, scans are considered scheduled
when they are displayed in the Command Jobs window. Because jobs might not
start to scan immediately, they are considered scheduled until the job actually
starts to create tasks and run subtasks.
The importance of tasks and subtasks
Because a task assumes the criticality of the assets it contains, Enterprise Scanner
can assign priority factors to tasks based on asset criticality. Because tasks run in
units determined by subtask size, Enterprise Scanner can run subtasks that can run
to completion during an open scanning window.
This topic describes the types of tasks in a scan and explains which apply to
discovery and which apply to assessment scans.
A scanning job is organized by tasks. Tasks manage other tasks or subtasks, or they
manage the subtasks that actually scan your network and assets. Several factors,
including whether the scan is for discovery or assessment influence, which types of
tasks a scan job contains.
Common management tasks
Every scan, whether for discovery or assessment, includes the following
management tasks:
Table 9. Common management tasks for discovery and assessment scans
Management task Description
A job-level task A task that appears once for each type of
scan. It is identified by the name given to
the scan.
One or more Parent-level tasks A task that appears for each group and
subgroup affected by the scan. It is
identified by the following components:
v Parent
v Type_of_Scan, such as Ad Hoc Discovery
or Ad Hoc Assessment
v Name_of_Asset_Group
Base management tasks
For assessment scans, Enterprise Scanner uses a base task for each group in the
scan. The base task manages the scanning tasks for each criticality in a group. The
base task is identified as ″Base Assessment Scan for Group.″
72 Enterprise Scanner: User Guide
Page 81
Tasks per type of scan
The following table explains the tasks needed for discovery and assessment scans:
Table 10. Tasks per type of scan
Scan type Number of tasks
Discovery 1 job-level task
1 parent task
1 scanning task
Note: There is no way to prioritize the order
in which a discovery scan scans IP
addresses, therefore there is no reason to
divide the job into more than one scanning
task. The scanning task is divided into
subtasks, however, based on the maximum
number of IP addresses allowed per subtask.
Assessment 1 job-level task
1 parent task
1 base task for each group
1 scanning task for each asset criticality level
represented in each group
Priorities for running tasks
To determine the order for scanning your network, each task in a scan job is
assigned a priority.
The tasks for all jobs assigned to a perspective run in priority order as follows:
v Ad hoc scans run before background scans.
v Discovery scans run before assessment scans.
v Assessment scans run tasks in the order of the criticality of the assets in the task.
Criticality and assessment tasks
User-assigned criticality ratings indicate the relative importance of assets in a
group. A group can contain assets with different criticality ratings. When
Enterprise Scanner divides the job into tasks, it creates separate tasks for each
criticality level and assigns assets to the tasks with the corresponding criticality.
Consequently, the assets in an assessment task are of the same criticality, with the
following results:
v An assessment scan contains at least one task for each asset criticality
represented in each group.
v Asset criticality affects the priority of the task.
Example: If a scan job includes a group with one subgroup, and each group
contains assets with all levels of criticality, the job will run as at least ten tasks: one
task for each criticality in each group.
Chapter 4. Understanding scanning processes in SiteProtector 73
Page 82
Task prioritization
The following table explains the reasons behind prioritization of scanning tasks:
Table 11. Reasons for task prioritization
Type of scan Reason for prioritization
Ad hoc versus background Ad hoc scans run at higher priority than
background scans because ad hoc scans fill
extraordinary scanning needs:
v Ad hoc scans help you identify major
changes to your network or assess your
assets against newly identified threats.
v Background scans are cyclical scans for
ongoing vulnerability management.
Discovery versus assessment Assessment scans work only on already
discovered assets. Therefore, a discovery
task has a higher priority so that assets
maybe discovered before the assessment
scan runs.
Criticality of assets in assessment scans To ensure the best protection for your most
critical assets, your agent scans tasks in
order of criticality from highest to lowest.
Stages of a scanning process
Many factors affect when and how scan jobs run. This topic provides a process
that identifies the stages of a scanning cycle and explains the factors to consider at
each stage.
Dynamic prioritization
Scanning jobs are prioritized at the task level so that a scan job does not have to
finish before another scan job with higher priority tasks can be processed. When an
agent completes a subtask, it processes the next subtask with the highest priority
next.
Example: A background scan might be running when you start an ad hoc scan.
You do not have to stop the background scan. The background scan continues until
it has processed its current subtask, then the ad hoc scan takes priority and starts
to run.
74 Enterprise Scanner: User Guide
Page 83
The process for a scanning cycle
The following table describes the general process for a scanning cycle:
Table 12. The process of a scanning cycle
Stage Description
1 Scanning jobs are displayed in the Command Jobs window as they are scheduled:
v A job for a background scan is scheduled at midnight on the first day of the
refresh cycle defined in the Scan Control policy for a group.
v A job for an ad hoc scan is scheduled when you initiate the scan.
2 A job is ready to run follows this order:
v For background scans or ad hoc scans that run in scan windows, the job runs as
soon as an open scan window is available.
v For ad hoc scans that can run any time, the job runs as soon as possible after
you initiate it.
3 When a job is scheduled, the agent divides it into tasks:
v The first task created for all scans is a management (parent) task that oversees
the scanning tasks.
v For discovery scans, there is one additional scanning task.
v For assessment scans, additional scanning tasks are created based on the
priorities described in “Priorities for running tasks” on page 73.
4 When an agent is available to run the scan, the agent finds the task with the
highest priority. The agent then runs a subtask of that task. The subtask is equal to
the subtask size determined by the maximum number of IP addresses or of assets
defined for that agent in the Networking policy.
5 The remaining subtasks run as follows:
v If you have only one agent, the same agent takes the next subtask.
v If you have more than one agent, the first available agent takes the next subtask.
6 Subtasks continue to run until you pause or cancel the scan, or until one of the
following occurs:
v For ad hoc scans, until all the assets have been scanned.
v For background scans, until all the assets have been scanned or until the
scanning cycle ends, whichever occurs first.
Chapter 4. Understanding scanning processes in SiteProtector 75
Page 84
Optimizing cycle duration, scan windows, and subtasks for Enterprise Scanner
Background scanning jobs persist throughout a scan cycle, but are active only
during open scan windows.
The efficiency of background scanning relies on carefully calibrating the following
items:
v Quantity of IP addresses and assets to scan
v The duration of the scan cycle
v The size of subtasks and the size of the smallest scan window
Size of scan windows
You define scan windows for each day in multiples of hours. The shortest possible
scan window is one hour; the longest is 24 hours.
Calibration considerations
If a subtask does not finish during a scanning window, one of the following events
occur:
v If another scan window is available during the same scan cycle, the subtask
starts from the beginning and runs again in its entirety. The second subtask
scans every asset in the subtask, including any that the previous subtask already
scanned.
Important: Subtasks that carry over to another scan window during the same
scan cycle always start from the beginning, repeating any scanning that occurred
in that subtask before the scan window closed.
v If no more scan windows are available during the scan cycle, the unscanned
assets in the subtask, and any unscanned assets in the rest of the job, remain
unscanned.
Important: New scan cycles always start from the beginning of the command
job even if any tasks or subtasks from the previous scan cycle did not finish.
Discovery cycle duration
The duration of your discovery scan cycle will depend on how frequently you add
or change the assets on your network.
v If your network changes frequently, you should scan more frequently.
v If your network is fairly stable, you can scan less frequently.
Assessment cycle duration
The duration of your assessment scan cycle will depend on how important it is for
you to scan every asset during every scan cycle. Consider the following issues:
v If you define a scan cycle for a group that contains critical assets only, it is
probably important to your network security that you scan each asset during the
cycle.
v If you define a scan cycle for a group that contains assets with different levels of
criticality, you might be less concerned if the scan cycle does not scan all the
assets with lower criticality.
76 Enterprise Scanner: User Guide
Page 85
Achieving the right balance
If a refresh cycle is too short, you cannot scan all of your assets during the cycle. If
a scan window is too short to finish subtasks, you can rerun subtasks that were
nearly finished. To achieve the right balance, take the following actions:
v Try to size your subtasks according to the size of your smallest scan window.
v Try to size the quantity of IP addresses and assets to scan according to the
duration of your refresh cycle.
If you still are unable to finish your scanning in the time allowed, you can reduce
the number of checks you run, or you can add another Enterprise Scanner to the
perspective.
Chapter 4. Understanding scanning processes in SiteProtector 77
Page 86
78 Enterprise Scanner: User Guide
Page 87
Chapter 5. Background scanning in SiteProtector
This chapter describes the minimum requirements and options for defining
background scanning in the SiteProtector Console. Because ad hoc scans use some
of the background policies, this chapter also describes the impact of those shared
policies on ad hoc scans. In addition, checklists in this chapter guide you through
the process of setting up background scans.
Topics
“Determining when background scans run” on page 80
“How policies apply to ad hoc and background scans” on page 81
“Background scanning checklists for Enterprise Scanner” on page 83
“Enabling background scanning” on page 84
“Defining when scanning is allowed” on page 85
“Defining ports or assets to exclude from a scan” on page 87
“Defining network services” on page 88
“Defining assessment credentials for a policy” on page 89
© Copyright IBM Corp. 1997, 2009 79
Page 88
Determining when background scans run
This topic describes two important concepts for background scanning: scanning
refresh cycles and scanning windows. These concepts control when background
scans run.
Scanning refresh cycle
A scanning refresh cycle is the maximum duration (in days, weeks, or months) of a
background scan. You define separate scanning refresh cycles for discovery and for
assessment scans in a Scan Control policy. The cycles apply to the scans for all
groups that the policy controls.
Important points about refresh cycles
Refresh cycles affect scanning as follows:
v Refresh cycles apply to background discovery and background assessment scans;
they do not apply to ad hoc scans.
v At the end of a refresh cycle, any background scanning jobs that are still running
are stopped. Their status appears as expired.
v The refresh cycle begins at midnight on the first day of the cycle, and the jobs
for that cycle are scheduled in the Command Jobs window at that time.
Scanning windows
Scanning windows are the hours that are available for scanning each day of the
week. A scan that runs only during scanning windows pauses when a window
closes, and then resumes when the window reopens.
Scans affected by scanning windows
Scanning windows affect scans as follows:
v Scanning windows apply to all background scans for the groups controlled by a
particular Scan Windows policy.
v When you run an ad hoc scan, you choose whether to confine the scan to the
user-defined scanning windows.
Cycle and window dependencies
Background scanning for a group requires a refresh cycle and one or more
scanning windows. Although you define refresh cycles and scanning windows in
different policies, they work together to define the extent of your background
scans. The cycle defines the duration, or elapsed time, of the scan; the scanning
windows define the days and hours when scanning may occur during the cycle.
Flexibility
Because you define refresh cycles and scanning windows in different policies, you
can use the policy inheritance properties to more precisely define your scans. For
example, you can define refresh cycles and apply the Scan Control policy to a
group with several subgroups. For each subgroup, you can define different scan
windows to control the amount of scanning on different parts of your network at
different times. For more about policy inheritance, see Chapter 3, “Enterprise
Scanner policies,” on page 29.
80 Enterprise Scanner: User Guide
Page 89
How policies apply to ad hoc and background scans
Agent policies apply to both ad hoc and background scans, while asset policies
apply to both ad hoc and background scans; however, you can reconfigure some
asset policies when you define an ad hoc scan.
The following table describes ad hoc and background scans:
Table 13. Descriptions of ad hoc and background scans
Type of scan Description
Ad hoc One-time scans that you start manually for
discovery scans, assessment scans, or both,
typically in response to network changes or
newly discovered threats.
Note: You can run an ad hoc scan
immediately, or you can run it only during
the scan windows defined for the group in
the Scan Window policy.
Background Automatic, recurring scans that run on
separately definable refresh cycles for
discovery and for assessment scanning.
Asset policies and ad hoc scans
The following table defines configuration options for policies used by ad hoc scans:
Table 14. Asset policies for ad hoc and background scans
Background asset policies that... Include the following policies:
You can reconfigure scans
Differ for ad hoc scans Scan Control
Contain the same settings for ad hoc scans
as for background scans
v Assessment
v Discovery
v Assessment Credentials
v Network Services
v Scan Exclusion
Note: This policy applies only to
assessment scans, but it applies to both ad
hoc and background scans.
v Scan Window (optional)
Changing assessment and discovery policies
An ad hoc scan initially uses any settings currently configured in the Assessment
and Discovery policies for the group. You can run the scan with those settings, or
you can modify the settings. The following table describes the advantages of each
method:
Table 15. Changes to Assessment and Discovery policies
If you... Then you...
Use the configured settings Can easily start an ad hoc scan that
duplicates a configured background scan.
Chapter 5. Background scanning in SiteProtector 81
Page 90
Table 15. Changes to Assessment and Discovery policies (continued)
If you... Then you...
Modify the configured settings Cannot save the policy. Therefore, the
changes apply to only that ad hoc scan and
do not affect configured background scans.
Scan Control policy
You cannot configure refresh cycles or scan windows for ad hoc scans because they
are not included in the ad hoc Scan Control policy. The following table describes
how refresh cycles and scan windows from the background Scan Control policy
affect ad hoc scans:
Table 16. Ad Hoc Scan Control policy
Option from Background Scan Control
policy Impact on ad hoc scans
Scan Windows You can choose whether to run an ad hoc
scan only during the open scan windows
defined for background scans and to pause
when the windows close.
Refresh cycles Ad hoc scans are never bound by the refresh
cycles that apply to background scans. Ad
hoc scans continue to scan until they finish
or until you stop them. Ad hoc scans pause
when scan windows close if you select the
option to run the scans only during open
scan windows.
Scan window and refresh cycle examples
Assume the following points:
v Your scanning refresh cycle is every two days.
v Scanning windows run from 8:00 P.M. until midnight and from 1:00 A.M. until
4:00 A.M. each day.
Table 17. Examples of scan windows and refresh cycles with ad hoc scans
You start an ad hoc scan that takes three
hours. The scan runs from 11:00 P.M. until
At 11:00 P.M. on the...
First night of a refresh cycle 1:00 A.M. until 3:00 A.M. on the second day
Second night of a refresh cycle the scan runs from 1:00 A.M. until 3:00 A.M.
midnight, and then the scan runs from...
of the same refresh cycle.
on the first day of the next refresh cycle.
82 Enterprise Scanner: User Guide
Page 91
Background scanning checklists for Enterprise Scanner
This topic describes the minimum requirements to set up background discovery
and background assessment scanning. You should also use any other policies that
help you configure your scanning environment to meet your security goals.
Checklist for background discovery scanning
The following table describes the requirements for setting up background
discovery scanning for a group:
1. Apply a Discovery policy to the group.
2. Apply a Scan Window policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
3. Optional: Apply an Assessment Credentials policy to the group for better OS
identification.
4. Apply a Scan Control policy to the group (either directly or through inheritance
from a group that is at a higher level in the group structure).
Checklist for background assessment scanning
The following table describes the requirements for setting up background
assessment scanning for a group:
1. Verify that the group already contains assets, possibly from a recent discovery
scan.
2. Apply an Assessment policy to the group (either directly or through inheritance
from a group that is at a higher level in the group structure).
3. Apply a Scan Window policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
4. Optional: Apply an Assessment Credentials policy to the group for better OS
identification.
5. Apply a Scan Control policy to the group (either directly or through inheritance
from a group that is at a higher level in the group structure).
Chapter 5. Background scanning in SiteProtector 83
Page 92
Enabling background scanning
Use the Scan Control policy on the SiteProtector Console to define the duration of
refresh cycles and to assign user-defined perspectives to scans.
About this task
Background scanning is based on scanning refresh cycles. Refresh cycles define
how frequently you want to rerun scans for a group.
Note: Background scans run during open scan windows that you define in the
Scan Window policy.
Important: This policy initiates background scanning, therefore you configure it
after you have configured the other policies required for background scanning.
The Scan Control policy applies to background discovery and background
assessment scans. This policy does not affect ad hoc scans. Consequently, the
behavior for ad hoc scans is different:
v An ad hoc discovery scan runs only on the group where you define the scan.
v An ad hoc assessment scan applies to the group where you define the scan and
to all the subgroups. This is different from background scans in that background
scanning behavior is determined by which Scan Control policy applies to each
subgroup.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Scan Control policy
for that group.
3. Select the Enable background discovery/assessment scanning of this group
check box, for the type(s) of background scanning you want to define, in the
Background Discovery and Background Assessment sections.
4. Configure background scanning for each type of scan:
Option Description
Job name The name you want displayed for the
scanning job in the Command Jobs window.
Note: This name identifies the scan when it
runs, therefore choose a meaningful name.
Cycle start date The date on which you want the scan cycle
to start.
Note: Future scans are created in
SiteProtector at midnight at the beginning of
the next refresh cycle.
Cycle duration The length (up to three digits) of the cycle as
in one of the following units:
v Hours (for use with Enterprise Scanner 2.1
agents or later only)
v Days
v Weeks
v Months
Current cycle start date The beginning date of the current scan cycle.
(Display only.)
84 Enterprise Scanner: User Guide
Page 93
Option Description
Next cycle start date The beginning date of the next scan cycle.
Use Discovery’s start date/duration and
wait for discovery scan to complete before
scheduling assessment scan
5. If you want to scan from a user-defined perspective, select a perspective from
the Perform background scans from this perspective (Network location) box.
Tip: If you have not yet defined the perspective, click the Configure the
referenced list icon to open the Network Locations policy and define a new
perspective.
Defining when scanning is allowed
Use the Scan Window policy on the SiteProtector Console to define the days and
hours that scanning is allowed.
About this task
(Display only.)
Delays the start of the assessment scan until
the discovery scan has finished to ensure
that the discovery scan has identified all
discoverable assets before the assessment
scan begins.
Note: This check box applies to assessments
scans only.
The Scan Window policy applies to background discovery and assessment scans.
For an ad hoc scan, you can choose whether to run the scan only during the
windows defined in this policy or to run the scan without restriction.
By default, all scan windows are open, therefore scanning is allowed at any time.
When you open a Scan Window policy, however, the default changes; and all scan
windows are closed. If you modify a Scan Window policy, be sure to define scan
windows for discovery and for assessment scans.
Important: If you start a scan when there are no scan windows, the job appears in
the Command Jobs window in the Idle state. The job will not run until you define
scan windows.
The following rules apply to scan windows:
v You define the scan windows for discovery and assessment policies separately,
on separate tabs of the policy. Important: Be sure to define a scan window for
both types of scans if you intend to run both as background scans.
v You can define scan windows only in increments of hours, therefore the
minimum scan window is one hour.
v You can define as many scan windows as you want on any day of the week.
If you have multiple agents, you should stagger your scan windows so that the
discovery scan finishes before the assessment scan begins. If a discovery scan adds
assets to a group while an assessment scan is running, there is no guarantee that
those assets will be included in the assessment scan.
Chapter 5. Background scanning in SiteProtector 85
Page 94
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Scan Window policy
for that group.
3. Click the Discovery Windows tab or the Assessment Windows tab.
Note: Scanning hours are selected; non-scanning hours are not selected.
4. Select the periods of allowed scanning using the following methods:
If you want to... Then...
Allow scanning during specific hours Click and drag your cursor over the hours
in each day to allow scanning.
Allow scanning at any time Click Fill All.
Remove all defined scans periods Click Clear All.
Important: To enable background scanning, you must define at least one scan
window.
5. Click the Time Zone tab.
6. Select the time zone during which you want the scan windows to run from the
Time zone for scan windows list.
Tip: Typically, you would choose the same time zone as the time zone of the
assets in the group. For example, you might be in the Eastern time zone but
scanning assets in the Pacific time zone. You would define your scanning hours
according to the considerations of the Pacific time zone and set your appliance
to the Pacific time zone.
86 Enterprise Scanner: User Guide
Page 95
Defining ports or assets to exclude from a scan
Use the Scan Exclusion policy on the SiteProtector Console to define the specific
ports, specific assets, or both, that you want to exclude from a scan of a group of
assets.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Scan Exclusion policy
for that group.
3. Choose an option:
If you want to... Then...
Exclude ports Use a combination of typing the ports to
exclude and choosing the ports:
v Type the ports to exclude, separated by
commas, in the Excluded Ports box.
v Click Well Known Ports, and then select
the ports to exclude.
Exclude assets Type the IP addresses (in dotted-decimal or
CIDR notation) of the hosts to exclude in the
Excluded Hosts box:
v Type an IP address, and then press ENTER.
v Type a range of IP addresses, and then
press ENTER.
Example: 172.1.1.100-172.1.1.200
v Type a series of individual IP addresses, a
range of addresses separated by commas,
or both, and then press ENTER.
Note: A red box is displayed around the
Excluded Hosts box until the data is
validated.
Chapter 5. Background scanning in SiteProtector 87
Page 96
Defining network services
Use the Network Services policy on the SiteProtector Console to define service
names associated with TCP and UDP ports.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Network Services
policy for that group.
3. For default or customized services, choose an option:
If you want to... Then...
Disable a service definition Clear the Enabled check box for that service.
Change the description of a service Slowly click Description two times to switch
Allow each service to operate over SSL in
at least some part of your network
Allow service scans for this service over
any TCP and UDP ports specified in the
Assessment policy
Note: You cannot change the Service name, Port, or Protocol of default
services. You cannot delete default services.
4. For customized services, choose an option:
to edit mode, and then change the
description.
Select the May use SSL check box for that
service.
Select the Service scan check box.
If you want to... Then...
Add a service Click the Add icon.
Modify a service Click the Modify icon.
Delete a service Click the Delete icon.
88 Enterprise Scanner: User Guide
Page 97
Defining assessment credentials for a policy
Use the Assessment Credentials policy on the SiteProtector Console to define
authentication credentials for your assets.
About this task
The appliance uses authentication credentials to access accounts during assessment
scans. Enterprise Scanner uses all instances of the credentials that are defined for
the group when it scans assets in the group. You can define different instances of
this policy for different groups, which makes it possible to supply different log on
credentials to scan different parts of the network.
Important: The Assessment Credentials policy currently works only with assets
that run Windows operating systems.
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Assessment
Credentials policy for that group.
3. In the Assessment Credentials policy, click Add, and then provide the
following account information:
Option Description
Username The user identification for an account.
Password The password to use with the user name to
Account Type: Windows Local Indicates that the user account is defined
log into an account.
locally on a single Windows device. The
account is used to attempt to log in to a
single Windows device.
When you choose this option, you must
provide a Windows host name in the
Domain/Host box.
Account Type: Windows
Domain/Workgroup
Account Type: Windows Active Directory Indicates that the user account is defined in
Indicates that the user account is defined in
a Windows Domain or Workgroup. The
account is used to attempt to log in to all
Windows devices within the domain or
workgroup.
When you choose this option, you must
provide the Windows Domain or Workgroup
name in the Domain/Host box.
a Windows Active Directory Domain. The
account is used to attempt to log in to all
Windows devices within the Active
Directory domain.
When you choose this option, you must
provide the Active Directory Domain name
in the Domain/Host box.
Chapter 5. Background scanning in SiteProtector 89
Page 98
Option Description
Account Type: SSH Local
Account Type: SSH Domain
Domain/Host Applies to one of the following domains or
Account Level Applies to one of the following accounts:
Indicates that the user account is defined
locally on a single Unix device that allows
SSH logons. The account is used to attempt
login to a single Unix device.
When you choose this option, you must
provide an IP address in the Domain/Host
box.
Indicates that the user account is defined for
Unix devices that allow SSH logons. In this
context, ″Domain″ loosely refers to a set of
devices, rather than to a specific type of
domain. The account is used to attempt to
log in to all SSH devices covered by the
policy.
When you choose this option, you should
supply a descriptive name in the
Domain/Host box. This is for
documentation purposes only; it is not used
by Enterprise Scanner.
hosts:
v For Windows accounts, the domain or
host name to which the account applies.
v For SSH Local accounts, the IP address of
the device to which the account applies.
v For SSH Domain accounts, any text.
v Administrator
v User
v Guest
Important: To avoid inadvertently locking an account, do not add the account
more than once.
90 Enterprise Scanner: User Guide
Page 99
Chapter 6. Monitoring scans in SiteProtector
This chapter uses terms that define scanning parameters for scan jobs with
SiteProtector.
Topics
“Viewing your scan jobs” on page 92
“Viewing discovery job results” on page 92
“Viewing assessment job results” on page 93
© Copyright IBM Corp. 1997, 2009 91
Page 100
Viewing your scan jobs
Use the Command Jobs window on the SiteProtector Console to view the status of
a job, watch its progress, and view its final results.
Procedure
1. In the SiteProtector Console, right-click the Site or a group, and then select
Properties from the pop-up menu.
2. Select Command Jobs from the options in the left pane. The command jobs are
displayed for the selected group.
Tip: If you enable viewing of subgroups (View → Include Subgroups), jobs for
any subgroups of the Site or group you select are also displayed in the list.
Viewing discovery job results
You can open a running scan job in the Command Jobs window to see a snapshot
of the currently available information. Some information is not available until the
job has finished running. To see the latest information about a running job, you
must close and then reopen the window.
Procedure
1. In the SiteProtector Console, right-click the Site or a group, and then select
Properties from the pop-up menu.
2. Select Command Jobs from the options in the left pane. The command jobs are
displayed for the selected group.
3. Right-click a job in the Command Jobs window, and then select Open from the
pop-up menu.
4. Click Results in the left pane. The Remote Scan window is displayed on the
screen as in the example of the illustration above.
92 Enterprise Scanner: User Guide
Loading...