IBM Partner Pavilion Proventia Network Enterprise Scanner 2.3 Manuel d'utilisateur

IBM Pro ventia Network Enterprise ScannerUser GuideVersion 2.3

2 Enterprise Scanner: User Guide

Viewing your scan jobsUse the Command Jobs window on the SiteProtector Console to view the status ofa job, watch its progress, and view its final resu

Viewing assessment job resultsYou can open a scanning job in the Command Jobs window as the job runs to seeadditional information it. Some information

94 Enterprise Scanner: User Guide

Chapter 7. Managing scans in SiteProtectorThis chapter explains different ways to stop and restart scans. It also describesexpected scanning behaviors

Stopping and restarting scan jobsYou can stop a scan job by pausing or canceling the job. You can also rerun a scanjob. These actions apply to current

Suspending and enabling all background scansYou can suspend and enable all scanning for the groups controlled by a ScanControl policy. This applies to

Minimum scanning requirementsThis topic provides a brief review and summary of the minimum requirements forinitiating different types of scans.Registr

Scanning behaviors for ad hoc scansDifferent aspects of scanning behaviors are discussed in detail in different parts ofthis guide. This topic answers

A: You did not define at least one IP address for a discovery scan.A: If you set up the scan to run during scan windows, but you have not definedScan

v If the agent to run the background scan is available, the scan job appears in theCommand Jobs window at midnight on the day of a new refresh cycle.v

Chapter 1. Ad hoc scanning in the Proventia ManagerThis chapter explains how to use perspective and the high-level processes behindad hoc scanning fro

If you set up the Scan Control policy sothat the assessment scan... Then, the assessment scan...Does not wait for the discovery scan tofinish before t

Chapter 8. Interpreting scan results in SiteProtectorThis chapter explains how to use OS identification and the views in SiteProtectorto analyze the r

OS identification (OSID) certaintyEnterprise Scanner determines whether to run a check against a host based on thecertainty of the OS information in S

How OSID is updated in Enterprise ScannerEnterprise Scanner uses OSID information or reassesses the OSID during anassessment scan, and it explains whe

Setting up a Summary view for vulnerability managementUse the Summary view in the SiteProtector Console to dynamically displayinformation about scanni

Table 25. Vulnerability management options (continued)Portal DescriptionVulnerability History by Day Displays a bar graph that illustrates thefollowin

Viewing vulnerabilities in the SiteProtector Console using EnterpriseScannerUse the Analysis view in the SiteProtector Console to view event data coll

Field descriptionsThe following table describes the fields and descriptions for this vulnerabilityview:Table 26. Vulnerability view by assetField Desc

Table 26. Vulnerability view by asset (continued)Field DescriptionTag Count Use to filter events according to the TagCount column in the analysis view

Viewing vulnerabilities by detail in Enterprise ScannerUse this view to examine event details that might be related to an attack or thatyou consider u

Section A: Network configurationThis section explains how to define the network interfaces for the management andscanning ports, how to assign perspec

Table 27. Vulnerability view by detail (continued)Field DescriptionObject Type Use this filter to analyze a specific type ofobject that you suspect is

Viewing vulnerabilities by object in Enterprise ScannerUse this view to examine objects on your network or desktop computers that are asource of vulne

Table 28. Vulnerability view by object (continued)Field DescriptionTag Count Use to filter events according to the TagCount column in the analysis vie

Table 29. Vulnerability view by target operating system (continued)Field DescriptionStatus Use the Status filter differently for eventsand vulnerabili

Table 30. Vulnerability view by vulnerability name (continued)Field DescriptionStatus You use the Status filter differently forevents and vulnerabilit

Running reports in the SiteProtector ConsoleUse the Report view in the SiteProtector Console to schedule Enterprise Scannerreports.Procedure1. In the

Table 31. Assessment reports descriptions (continued)Report DescriptionTop Vulnerabilities A list of the top vulnerabilities, by frequency,for a speci

Viewing an Enterprise Scanner report in the SiteProtector ConsoleUse the Report view in the SiteProtector Console to open an Enterprise Scannerreport

120 Enterprise Scanner: User Guide

Chapter 9. Logs and alertsThis chapter explains how to generate log files and to set up alert notifications forthe appliance.Topics“Log files and aler

Configuring the scanning network interfaceUse the Scan Interface tab on the Network Interface Configuration page on theappliance to configure the scan

Log files and alert notificationEnterprise Scanner maintains log files on the appliance to use for diagnosingproblems with the agent. The log files co

System logsUse the System Event Log page in the Proventia Manager to examine entries in thesystem logs.System log descriptionsThe following table desc

Getting log status informationUse the Log Status page in the Proventia Manager to view usage information foralert event log statistics.Navigation: To

Table 37. Enterprise Scanner (ES) log descriptions (continued)Log name (file_name) DescriptionInterface Log (crm-esm.log) Details communications betwe

Downloading Enterprise Scanner (ES) log filesUse the Log File Management page in the Proventia Manager to download anEnterprise Scanner (ES) log file

Alerts logUse the Alert Event Log page in the Proventia Manager to view and managesecurity and system-related alerts.Navigation: You can access this p

Downloading and saving an Alerts logUse the Alerts page in the Proventia Manager to save an alert log file to use forforensic purposes.About this task

Clearing the Alerts logUse the Alerts page in the Proventia Manager to clear all events from the Alert log.Before you beginClearing the Alert log dele

If you want to... Then...Search the Alert log file by filteringoptions1. Select Auto Off from the Refresh Datalist.2. Select an option from the Filter

If you want to... Then...Search the Alert log file by Alert IDnumber1. Type the 26-character alert ID number inthe Search by Alert Id# box.Tip: You ca

Configuring scanning interface DNS settingsUse the DNS tab on the Network Interface Configuration page on the appliance toconfigure the DNS settings f

132 Enterprise Scanner: User Guide

Chapter 10. Ticketing and remediationThis chapter explains how to use information from Enterprise Scanner with theticketing feature in SiteProtector t

Ticketing and Enterprise ScannerSiteProtector works with Enterprise Scanner to streamline your event tracking andremediation processes. This topic exp

When you save the ticket in SiteProtector, the action request system stores theinformation, too. You can edit and maintain tickets in the action reque

If you do not want to modify the cycle duration for your background scans, youcan run an ad hoc scan to verify and close tickets that are pending syst

Table 40. Options for the Ticketing reportsOption Tab DescriptionShare report with otherSiteProtector usersGeneral Select this option to giveother Sit

Table 40. Options for the Ticketing reports (continued)Option Tab DescriptionNumber of Records Report Format Specifies the number ofrecords that will

Part 3. MaintenanceThis section explains how to maintain and update the Enterprise Scanner agent.ChaptersChapter 11, “Performing routine maintenance,”

140 Enterprise Scanner: User Guide

Chapter 11. Performing routine maintenanceThis chapter explains maintenance procedures that you need to perform on theEnterprise Scanner agent.Topics“

Assigning perspective to a scanning interfaceUse the Network Locations tab on the Network Locations page on the appliance toassign a perspective (netw

Shutting down your Enterprise ScannerYou can shut down Enterprise Scanner from the Proventia Manager. The shutdown option also turns off the appliance

Removing an agent from SiteProtectorUse this procedure to remove an agent from SiteProtector.Procedure1. In the SiteProtector Console, open a tab with

Options for backing up Enterprise ScannerUse the Backup and Recovery page to manage snapshots of configuration settingsand to create complete system b

Backing up configuration settingsUse the Settings Backup tab on the Backup and Recovery page to create a settingssnapshot file of the configuration se

Making full system backupsUse the Full Backup tab on the Backup and Recovery page to create a completeimage of the operating system and current config

Chapter 12. Updating Enterprise ScannerThis chapter describes how to configure an agent for XPUs, how to scheduleautomatic and one-time XPUs, and how

XPU basicsThis topic describes the types of updates for your Enterprise Scanner agent andexplains where you can get the updates.Types of updatesThe fo

Updating optionsThe XPU process provides the option to schedule automatic updates on a periodicbasis, schedule one-time updates, or update an agent ma

Configuring explicit-trust authentication with an XPU serverYou can configure the authentication between an Enterprise Scanner agent and aSiteProtecto

Configuring an Alternate Update locationUse the Alternate Update Server page in the Update Settings policy on theSiteProtector Console if you want to

Option DescriptionMetric If you configure more than one route to thesame segment for one perspective, a numberthat indicates the preferred route. The

Option DescriptionTrust Level The authentication level for communicationswith the SiteProtector update server.Authentication level options for theSite

Configuring an HTTP ProxyUse the Proxy Server page in the Update Settings policy on the SiteProtectorConsole to configure proxy server information if

Scheduling a one-time firmware updateOccasionally, you might not want to wait for your automatic update process toinstall an important update. You can

Option DescriptionCheck for updates at given intervals Checks for updates at the interval that youspecify.Note: The range is 60 minutes to 1440minutes

Manually installing updatesIn the Proventia Manager for the agent, you can manually download and installupdates. You download firmware and assessment

Chapter 13. Viewing the status of the Enterprise ScanneragentThis chapter explains the status information that is available for Enterprise Scannerin P

Proventia Manager Home pageThe Proventia Manager Home page provides the latest diagnostic informationabout the appliance.Navigation: To access the Pro

Table 47. Current status of network interfaces (continued)Model Network interfacesES1500 ETH0 (management port)ETH1 (scanning port)ETH2 (scanning port

Viewing agent status in the SiteProtector ConsoleThe same system status information that is available in the Proventia ManagerHome page is available i

Viewing the status of the CAM modulesUse the CAM Modules page in the Proventia Manager to view information aboutCAM sessions in Enterprise Scanner.Pro

7. If you want to add previously known assets that are already defined in othergroups to the scan group, select the Add previously known assets to gro

Table 50. Sensor processes (continued)Module or process Description Troubleshooting optionEnterprise Scanner schedulermodule or iss-esmSchedulerproces

Part 4. Appendixes© Copyright IBM Corp. 1997, 2009 163

164 Enterprise Scanner: User Guide

Appendix. Safety, environmental, and electronic emissionsnoticesSafety notices may be printed throughout this guide. DANGER notices warn youof conditi

When working on or around the system, observe the following precautions:Electrical voltage and current from power, telephone, and communicationcables

CAUTION:The battery contains lithium. To avoid possible explosion, do not burn or chargethe battery.Do not:v Throw or immerse into waterv Heat to more

Product safety labelsOne or more of the following safety labels may apply to this product.DANGERHazardous voltage, current, or energy levels are prese

Laser safety informationThe following laser safety notices apply to this product:CAUTION:This product may contain one or more of the following devices

Notice: This mark applies only to countries within the European Union (EU) andNorway.Appliances are labeled in accordance with European Directive 2002

on disposal of batteries outside the United States, go to http://www.ibm.com/ibm/environment/products/ batteryrecycle.shtm or contact your local waste

If you want to... Then...Create groupings from a selection list1. Click the Group By icon.The Group by Columns windowappears.2. Select a column to gro

In accordance with the European Directive 2006/66/EC, batteries and accumulatorsare labeled to indicate that they are to be collected separately and r

Note: This device complies with Part 15 of the FCC Rules. Operation is subject tothe following two conditions: (1) this device may not cause harmful i

IBM verändert bzw. wenn Erweiterungskomponenten von Fremdherstellern ohneEmpfehlung der IBM gesteckt/eingebaut werden.EN 55022 Klasse A Geräte müssen

Korean Class A Compliance Statement:Appendix. Safety, environmental, and electronic emissions notices 175

176 Enterprise Scanner: User Guide

IndexAAccess policy 35, 39account lockout 12account lockout (SiteProtector) 51active module icon 158ad hoc assessment scan 65monitoring status 23ad ho

Enterprise Scanner reportviewing in SiteProtector Console 119Enterprise Scanner reportsrunning in SiteProtector 117Enterprise Scanner scan module 161E

scan job (continued)resuming 96scan jobs (SiteProtector) 71scan policyconfiguring from LMI 20scan priority 99Scan Reports page 24scan resultsexporting

Selecting assessment checks with filtersUse the Checks tab in the Assessment policy to provide filtering values on aselected list of assessment checks

Copyright statement© Copyright IBM Corporation 1997, 2009.All Rights Reserved.U.S. Government Users Restricted Rights — Use, duplication or disclosure

Configuring common assessment settings for an AssessmentpolicyUse the Common Settings tab in the Assessment policy to choose settings thatdefine addit

Option DescriptionPorts to scan with generic UDP checks The set of UDP ports to scan with genericUDP checks. You can specify ports using anyof the fol

Option DescriptionDo not perform application fingerprinting Does not try to specifically identify whichapplications are communicating over whichports,

Option DescriptionAllowed account lockout Select a type of lockout:v No lockout allowed: Enterprise Scanneravoids running password guessing checksif a

Defining assessment credentials for a policyUse the Assessment Credentials policy type on the Policy Management page todefine authentication credentia

Option DescriptionAccount Type: SSH LocalIndicates that the user account is definedlocally on a single Unix device that allowsSSH logons. The account

Defining the service names associated with TCP and UDPportsUse the Network Services policy type on the Policy Management page to defineservice names a

Defining ports or assets to exclude from a scanUse the Scan Exclusion policy type on the Policy Management page to definespecific ports or assets to e

Configuring and saving a scan policy in the ProventiaManagerUse the Policy Management page on the appliance to configure discovery andassessment scan

Chapter 2. Interpreting scan results in the Proventia ManagerThis chapter explains how to monitor and view scan results in the ProventiaManager.Topics

Trademarks and DisclaimerIBM®and the IBM logo are trademarks or registered trademarks of InternationalBusiness Machines Corporation in the United Stat

Running an ad hoc scanUse the LMI Scan Control page on the appliance to define and run ad hoc scansfor assessment and discovery.Before you beginBefore

Monitoring the status of a scanUse the Scan Status page on the appliance to view the status of ad hoc discoveryand assessment scans you have initializ

Viewing the results of an ad hoc scanUse the Scan Results page on the appliance to analyze security-related datadiscovered by an ad hoc scan.Procedure

Purging scan data from the databaseUse the Scan Results page on the appliance to schedule the removal of scan datafiles from the /var/log/esm/lmiScans

26 Enterprise Scanner: User Guide

Part 2. Scanning from the SiteProtector ConsoleThis section explains how to manage scans from the SiteProtector Console for theEnterprise Scanner agen

28 Enterprise Scanner: User Guide

Chapter 3. Enterprise Scanner policiesThis chapter explains how to use Enterprise Scanner policies to customize yourscanning processes. The policies b

Policy inheritance with Enterprise Scanner policiesThe inheritance properties of policies in SiteProtector provide a flexible andefficient method for

v If you do not override the settings, the column follows the inheritance describedin the table above; however, you must configure those policies.Depl

iv Enterprise Scanner: User Guide

Migrating a locally managed Enterprise Scanner agent intoSiteProtectorYou must migrate the Enterprise Scanner agent out of the Locally Managed Agentsa

Viewing asset or agent policies for Enterprise ScannerIn the SiteProtector Console, you can view asset and agent policies together, or youcan view the

Getting vulnerability help for a SiteProtector Console without InternetaccessIf you use the SiteProtector Console on a computer without an Internet co

Agent policies for Enterprise ScannerAgent policies apply to Enterprise Scanner appliances and describe operationalsettings for the agents or global s

Network Locations policyUse the Network Locations policy to define the perspective (network location) ofan agent and to define routes for those perspe

Important: Users who do not have permission to view the Network Locationspolicy, either through group association or by a specific grant, cannot runEn

Option DescriptionMetric If you configure more than one route to thesame segment for one perspective, a numberthat indicates the preferred route. The

Configuring advanced parameters for event notificationUse the Advanced Parameters tab in the Notification policy on the SiteProtectorConsole to provid

2. In the navigation pane, select a group, and then open the Access policy for thatgroup.3. For each password you want to change, complete the followi

Configuring the scanning network interfaceUse the Scan Interface tab in the Networking policy on the SiteProtector Console toconfigure the scanning in

ContentsTrademarks and Disclaimer ...iiiAbout this book ...viiRelated publications ...viiiTechnical support contacts ...viiiP

Configuring scanning interface DNS settingsUse the DNS tab in the Networking policy on the SiteProtector Console toconfigure the DNS settings for the

Services policyUse the Services policy on the SiteProtector Console to enable or disable access toyour appliance from SSH (Secure Shell) applications

Time policyUse the Time policy on the SiteProtector Console to change the date and the timeof the Enterprise Scanner agent, and to enable the network

Update Settings policyUse the Update Settings policy on the SiteProtector Console to configure how theagent automatically locates, downloads, and inst

v A Discovery policy applies to only the group where you define it.v The remaining policies are inheritable. A subgroup inherits a policy from thefirs

Defining assets to discoverUse the Discovery policy on the SiteProtector Console to define the parametersused to perform a discovery scan on a portion

Assessment policyUse the Assessment policy on the SiteProtector Console to define the checks to runfor assessment scans.The Assessment policy contains

Displaying assessment checks by groupsUse the Checks tab in the Assessment policy on the SiteProtector Console to groupchecks by any combination of co

Selecting assessment checks with filtersUse the Checks tab in the Assessment policy on the SiteProtector Console toprovide filtering values on a selec

Configuring common assessment settingsUse the Common Settings tab in the Assessment policy on the SiteProtectorConsole to choose settings that define

Scanning behaviors for ad hoc scans ...99Chapter 8. Interpreting scan results inSiteProtector ...103OS identification (OSID) certainty ...

Option DescriptionPorts to scan with generic UDP checks The set of UDP ports to scan with genericUDP checks. You can specify ports using anyof the fol

Option DescriptionDo not perform application fingerprinting Does not try to specifically identify whichapplications are communicating over whichports,

Option DescriptionAllowed account lockout Select a type of lockout:v No lockout allowed: Enterprise Scanneravoids running password guessing checksif a

Assessment Credentials policyUse the Assessment Credentials policy on the SiteProtector Console to defineauthentication credentials for your assets.Th

Option DescriptionAccount Type: WindowsDomain/WorkgroupIndicates that the user account is defined ina Windows Domain or Workgroup. Theaccount is used

Scan Control policyUse the Scan Control policy on the SiteProtector Console to define the duration ofscanning cycles and to assign user-defined perspe

Defining scanning cycles and assigning perspectives to scansUse the Scan Control policy on the SiteProtector Console to define the duration ofscanning

Scan Window policyUse the Scan Window policy on the SiteProtector Console to define hours ofallowed scanning for discovery scans (scan windows), asses

Defining when scanning is allowedUse the Scan Window policy on the SiteProtector Console to define the days andhours that scanning is allowed.About th

Scan Exclusion policyUse the Scan Exclusion policy on the SiteProtector Console to define specific portsor assets to exclude from a scan of a group of

About this bookThis section describes the audience for this guide; identifies related publications;and provides contact information.AudienceUsers of t

Network Services policyUse the Network Services policy on the SiteProtector Console to define servicenames associated with TCP and UDP ports.You can m

Configuring a Network Services policyUse the Network Services policy on the SiteProtector Console to define servicenames associated with TCP and UDP p

Ad Hoc Scan Control policyUse the Ad Hoc Scan Control policy on the SiteProtector Console to defineEnterprise Scanner ad hoc scans for assessment and

11. If you want to add newly discovered assets to the group where you havedefined the scan, rather than to the Ungrouped Assets group, select the Addn

Option DescriptionHalf-Scan Connections The maximum number of connections thescan should use for opening and closingports.13. Click the Debug Settings

Chapter 4. Understanding scanning processes inSiteProtectorThis chapter explains the high-level processes behind ad hoc and backgroundscanning. It als

What is perspective?When you scan a group of assets, you anticipate and interpret results based on thelocation of your agent relative to the location

firewall, descriptive perspective names might be Atlanta-InsideFirewall andAtlanta-OutsideFirewall.Placing agents in the correct perspectiveA perspect

To scan some asset groups from inside your firewall and others from within yourDMZ, follow these steps:1. Set up two groups in SiteProtector:v One gro

Scan jobs and related termsTo tune your system correctly, you must understand how scan jobs run and howthe options you define in policies affect jobs

Related publicationsUse this topic to help you access information about your Enterprise Scannerappliance.PublicationsThe following documents are avail

Scheduled and running scansTo make it easier to explain the scanning processes, scans are considered scheduledwhen they are displayed in the Command J

Tasks per type of scanThe following table explains the tasks needed for discovery and assessment scans:Table 10. Tasks per type of scanScan type Numbe

Task prioritizationThe following table explains the reasons behind prioritization of scanning tasks:Table 11. Reasons for task prioritizationType of s

The process for a scanning cycleThe following table describes the general process for a scanning cycle:Table 12. The process of a scanning cycleStage

Optimizing cycle duration, scan windows, and subtasks for EnterpriseScannerBackground scanning jobs persist throughout a scan cycle, but are active on

Achieving the right balanceIf a refresh cycle is too short, you cannot scan all of your assets during the cycle. Ifa scan window is too short to finis

78 Enterprise Scanner: User Guide

Chapter 5. Background scanning in SiteProtectorThis chapter describes the minimum requirements and options for definingbackground scanning in the Site

Determining when background scans runThis topic describes two important concepts for background scanning: scanningrefresh cycles and scanning windows.

How policies apply to ad hoc and background scansAgent policies apply to both ad hoc and background scans, while asset policiesapply to both ad hoc an

Part 1. Scanning from the Proventia ManagerThis section explains how to manage scans from the Proventia Manager for theEnterprise Scanner agent.Chapte

Table 15. Changes to Assessment and Discovery policies (continued)If you... Then you...Modify the configured settings Cannot save the policy. Therefor

Background scanning checklists for Enterprise ScannerThis topic describes the minimum requirements to set up background discoveryand background assess

Enabling background scanningUse the Scan Control policy on the SiteProtector Console to define the duration ofrefresh cycles and to assign user-define

Option DescriptionNext cycle start date The beginning date of the next scan cycle.(Display only.)Use Discovery’s start date/duration andwait for disco

Procedure1. From the SiteProtector Console, create a tab to display asset policies.2. In the navigation pane, select a group, and then open the Scan W

Defining ports or assets to exclude from a scanUse the Scan Exclusion policy on the SiteProtector Console to define the specificports, specific assets

Defining network servicesUse the Network Services policy on the SiteProtector Console to define servicenames associated with TCP and UDP ports.Procedu

Defining assessment credentials for a policyUse the Assessment Credentials policy on the SiteProtector Console to defineauthentication credentials for

Option DescriptionAccount Type: SSH LocalIndicates that the user account is definedlocally on a single Unix device that allowsSSH logons. The account

Chapter 6. Monitoring scans in SiteProtectorThis chapter uses terms that define scanning parameters for scan jobs withSiteProtector.Topics“Viewing you