IBM Proventia Network Enterprise Scanner User Guide, Version 2.3
2 Enterprise Scanner: User Guide
Viewing your scan jobs
Use the Command Jobs window on the SiteProtector Console to view the status of a job, watch its progress, and view its final resu
Viewing assessment job results
You can open a scanning job in the Command Jobs window as the job runs to see additional information about it. Some information
Chapter 7. Managing scans in SiteProtector
This chapter explains different ways to stop and restart scans. It also describes expected scanning behaviors
Stopping and restarting scan jobs
You can stop a scan job by pausing or canceling the job. You can also rerun a scan job. These actions apply to current
Suspending and enabling all background scans
You can suspend and enable all scanning for the groups controlled by a Scan Control policy. This applies to
Minimum scanning requirements
This topic provides a brief review and summary of the minimum requirements for initiating different types of scans.
Registr
Scanning behaviors for ad hoc scans
Different aspects of scanning behaviors are discussed in detail in different parts of this guide. This topic answers
A: You did not define at least one IP address for a discovery scan.
A: If you set up the scan to run during scan windows, but you have not defined Scan
v If the agent to run the background scan is available, the scan job appears in the Command Jobs window at midnight on the day of a new refresh cycle.
v
Chapter 1. Ad hoc scanning in the Proventia Manager
This chapter explains how to use perspective and the high-level processes behind ad hoc scanning fro
If you set up the Scan Control policy so that the assessment scan... / Then, the assessment scan...
Does not wait for the discovery scan to finish before t
Chapter 8. Interpreting scan results in SiteProtector
This chapter explains how to use OS identification and the views in SiteProtector to analyze the r
OS identification (OSID) certainty
Enterprise Scanner determines whether to run a check against a host based on the certainty of the OS information in S
How OSID is updated in Enterprise Scanner
Enterprise Scanner uses OSID information or reassesses the OSID during an assessment scan, and it explains whe
Setting up a Summary view for vulnerability management
Use the Summary view in the SiteProtector Console to dynamically display information about scanni
Table 25. Vulnerability management options (continued)
Portal / Description
Vulnerability History by Day: Displays a bar graph that illustrates the followin
Viewing vulnerabilities in the SiteProtector Console using Enterprise Scanner
Use the Analysis view in the SiteProtector Console to view event data coll
Field descriptions
The following table describes the fields and descriptions for this vulnerability view:
Table 26. Vulnerability view by asset
Field / Desc
Table 26. Vulnerability view by asset (continued)
Field / Description
Tag Count: Use to filter events according to the Tag Count column in the analysis view
Viewing vulnerabilities by detail in Enterprise Scanner
Use this view to examine event details that might be related to an attack or that you consider u
Section A: Network configuration
This section explains how to define the network interfaces for the management and scanning ports, how to assign perspec
Table 27. Vulnerability view by detail (continued)
Field / Description
Object Type: Use this filter to analyze a specific type of object that you suspect is
Viewing vulnerabilities by object in Enterprise Scanner
Use this view to examine objects on your network or desktop computers that are a source of vulne
Table 28. Vulnerability view by object (continued)
Field / Description
Tag Count: Use to filter events according to the Tag Count column in the analysis vie
Table 29. Vulnerability view by target operating system (continued)
Field / Description
Status: Use the Status filter differently for events and vulnerabili
Table 30. Vulnerability view by vulnerability name (continued)
Field / Description
Status: You use the Status filter differently for events and vulnerabilit
Running reports in the SiteProtector Console
Use the Report view in the SiteProtector Console to schedule Enterprise Scanner reports.
Procedure
1. In the
Table 31. Assessment reports descriptions (continued)
Report / Description
Top Vulnerabilities: A list of the top vulnerabilities, by frequency, for a speci
Viewing an Enterprise Scanner report in the SiteProtector Console
Use the Report view in the SiteProtector Console to open an Enterprise Scanner report
Chapter 9. Logs and alerts
This chapter explains how to generate log files and to set up alert notifications for the appliance.
Topics
“Log files and aler
Configuring the scanning network interface
Use the Scan Interface tab on the Network Interface Configuration page on the appliance to configure the scan
Log files and alert notification
Enterprise Scanner maintains log files on the appliance to use for diagnosing problems with the agent. The log files co
System logs
Use the System Event Log page in the Proventia Manager to examine entries in the system logs.
System log descriptions
The following table desc
Getting log status information
Use the Log Status page in the Proventia Manager to view usage information for alert event log statistics.
Navigation: To
Table 37. Enterprise Scanner (ES) log descriptions (continued)
Log name (file_name) / Description
Interface Log (crm-esm.log): Details communications betwe
Downloading Enterprise Scanner (ES) log files
Use the Log File Management page in the Proventia Manager to download an Enterprise Scanner (ES) log file
Alerts log
Use the Alert Event Log page in the Proventia Manager to view and manage security and system-related alerts.
Navigation: You can access this p
Downloading and saving an Alerts log
Use the Alerts page in the Proventia Manager to save an alert log file to use for forensic purposes.
About this task
Clearing the Alerts log
Use the Alerts page in the Proventia Manager to clear all events from the Alert log.
Before you begin
Clearing the Alert log dele
If you want to... / Then...
Search the Alert log file by filtering options: 1. Select Auto Off from the Refresh Data list. 2. Select an option from the Filter
If you want to... / Then...
Search the Alert log file by Alert ID number: 1. Type the 26-character alert ID number in the Search by Alert Id# box. Tip: You ca
Configuring scanning interface DNS settings
Use the DNS tab on the Network Interface Configuration page on the appliance to configure the DNS settings f
Chapter 10. Ticketing and remediation
This chapter explains how to use information from Enterprise Scanner with the ticketing feature in SiteProtector t
Ticketing and Enterprise Scanner
SiteProtector works with Enterprise Scanner to streamline your event tracking and remediation processes. This topic exp
When you save the ticket in SiteProtector, the action request system stores the information, too. You can edit and maintain tickets in the action reque
If you do not want to modify the cycle duration for your background scans, you can run an ad hoc scan to verify and close tickets that are pending syst
Table 40. Options for the Ticketing reports
Option / Tab / Description
Share report with other SiteProtector users / General: Select this option to give other Sit
Table 40. Options for the Ticketing reports (continued)
Option / Tab / Description
Number of Records / Report Format: Specifies the number of records that will
Part 3. Maintenance
This section explains how to maintain and update the Enterprise Scanner agent.
Chapters
Chapter 11, “Performing routine maintenance,”
Chapter 11. Performing routine maintenance
This chapter explains maintenance procedures that you need to perform on the Enterprise Scanner agent.
Topics
“
Assigning perspective to a scanning interface
Use the Network Locations tab on the Network Locations page on the appliance to assign a perspective (netw
Shutting down your Enterprise Scanner
You can shut down Enterprise Scanner from the Proventia Manager. The shutdown option also turns off the appliance
Removing an agent from SiteProtector
Use this procedure to remove an agent from SiteProtector.
Procedure
1. In the SiteProtector Console, open a tab with
Options for backing up Enterprise Scanner
Use the Backup and Recovery page to manage snapshots of configuration settings and to create complete system b
Backing up configuration settings
Use the Settings Backup tab on the Backup and Recovery page to create a settings snapshot file of the configuration se
Making full system backups
Use the Full Backup tab on the Backup and Recovery page to create a complete image of the operating system and current config
Chapter 12. Updating Enterprise Scanner
This chapter describes how to configure an agent for XPUs, how to schedule automatic and one-time XPUs, and how
XPU basics
This topic describes the types of updates for your Enterprise Scanner agent and explains where you can get the updates.
Types of updates
The fo
Updating options
The XPU process provides the option to schedule automatic updates on a periodic basis, schedule one-time updates, or update an agent ma
Configuring explicit-trust authentication with an XPU server
You can configure the authentication between an Enterprise Scanner agent and a SiteProtecto
Configuring an Alternate Update location
Use the Alternate Update Server page in the Update Settings policy on the SiteProtector Console if you want to
Option / Description
Metric: If you configure more than one route to the same segment for one perspective, a number that indicates the preferred route. The
Option / Description
Trust Level: The authentication level for communications with the SiteProtector update server. Authentication level options for the Site
Configuring an HTTP Proxy
Use the Proxy Server page in the Update Settings policy on the SiteProtector Console to configure proxy server information if
Scheduling a one-time firmware update
Occasionally, you might not want to wait for your automatic update process to install an important update. You can
Option / Description
Check for updates at given intervals: Checks for updates at the interval that you specify. Note: The range is 60 minutes to 1440 minutes
Manually installing updates
In the Proventia Manager for the agent, you can manually download and install updates. You download firmware and assessment
Chapter 13. Viewing the status of the Enterprise Scanner agent
This chapter explains the status information that is available for Enterprise Scanner in P
Proventia Manager Home page
The Proventia Manager Home page provides the latest diagnostic information about the appliance.
Navigation: To access the Pro
Table 47. Current status of network interfaces (continued)
Model / Network interfaces
ES1500: ETH0 (management port), ETH1 (scanning port), ETH2 (scanning port
Viewing agent status in the SiteProtector Console
The same system status information that is available in the Proventia Manager Home page is available i
Viewing the status of the CAM modules
Use the CAM Modules page in the Proventia Manager to view information about CAM sessions in Enterprise Scanner.
Pro
7. If you want to add previously known assets that are already defined in other groups to the scan group, select the Add previously known assets to gro
Table 50. Sensor processes (continued)
Module or process / Description / Troubleshooting option
Enterprise Scanner scheduler module or iss-esmScheduler proces
Part 4. Appendixes
© Copyright IBM Corp. 1997, 2009
Appendix. Safety, environmental, and electronic emissions notices
Safety notices may be printed throughout this guide. DANGER notices warn you of conditi
When working on or around the system, observe the following precautions: Electrical voltage and current from power, telephone, and communication cables
CAUTION: The battery contains lithium. To avoid possible explosion, do not burn or charge the battery. Do not:
v Throw or immerse into water
v Heat to more
Product safety labels
One or more of the following safety labels may apply to this product.
DANGER
Hazardous voltage, current, or energy levels are prese
Laser safety information
The following laser safety notices apply to this product:
CAUTION: This product may contain one or more of the following devices
Notice: This mark applies only to countries within the European Union (EU) and Norway. Appliances are labeled in accordance with European Directive 2002
on disposal of batteries outside the United States, go to http://www.ibm.com/ibm/environment/products/batteryrecycle.shtm or contact your local waste
If you want to... / Then...
Create groupings from a selection list: 1. Click the Group By icon. The Group by Columns window appears. 2. Select a column to gro
In accordance with the European Directive 2006/66/EC, batteries and accumulators are labeled to indicate that they are to be collected separately and r
Note: This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful i
IBM altered, or if expansion components from third-party manufacturers are plugged in or installed without a recommendation from IBM. EN 55022 Class A devices must
Korean Class A Compliance Statement:
Index
A
Access policy 35, 39
account lockout 12
account lockout (SiteProtector) 51
active module icon 158
ad hoc assessment scan 65
monitoring status 23
ad ho
Enterprise Scanner report
viewing in SiteProtector Console 119
Enterprise Scanner reports
running in SiteProtector 117
Enterprise Scanner scan module 161
E
scan job (continued)
resuming 96
scan jobs (SiteProtector) 71
scan policy
configuring from LMI 20
scan priority 99
Scan Reports page 24
scan results
exporting
Selecting assessment checks with filters
Use the Checks tab in the Assessment policy to provide filtering values on a selected list of assessment checks
Copyright statement
© Copyright IBM Corporation 1997, 2009. All Rights Reserved.
U.S. Government Users Restricted Rights — Use, duplication or disclosure
Configuring common assessment settings for an Assessment policy
Use the Common Settings tab in the Assessment policy to choose settings that define addit
Option / Description
Ports to scan with generic UDP checks: The set of UDP ports to scan with generic UDP checks. You can specify ports using any of the fol
Option / Description
Do not perform application fingerprinting: Does not try to specifically identify which applications are communicating over which ports,
Option / Description
Allowed account lockout: Select a type of lockout:
v No lockout allowed: Enterprise Scanner avoids running password guessing checks if a
Defining assessment credentials for a policy
Use the Assessment Credentials policy type on the Policy Management page to define authentication credentia
Option / Description
Account Type: SSH Local: Indicates that the user account is defined locally on a single Unix device that allows SSH logons. The account
Defining the service names associated with TCP and UDP ports
Use the Network Services policy type on the Policy Management page to define service names a
Defining ports or assets to exclude from a scan
Use the Scan Exclusion policy type on the Policy Management page to define specific ports or assets to e
Configuring and saving a scan policy in the Proventia Manager
Use the Policy Management page on the appliance to configure discovery and assessment scan
Chapter 2. Interpreting scan results in the Proventia Manager
This chapter explains how to monitor and view scan results in the Proventia Manager.
Topics
Trademarks and Disclaimer
IBM® and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United Stat
Running an ad hoc scan
Use the LMI Scan Control page on the appliance to define and run ad hoc scans for assessment and discovery.
Before you begin
Before
Monitoring the status of a scan
Use the Scan Status page on the appliance to view the status of ad hoc discovery and assessment scans you have initializ
Viewing the results of an ad hoc scan
Use the Scan Results page on the appliance to analyze security-related data discovered by an ad hoc scan.
Procedure
Purging scan data from the database
Use the Scan Results page on the appliance to schedule the removal of scan data files from the /var/log/esm/lmiScans
Part 2. Scanning from the SiteProtector Console
This section explains how to manage scans from the SiteProtector Console for the Enterprise Scanner agen
Chapter 3. Enterprise Scanner policies
This chapter explains how to use Enterprise Scanner policies to customize your scanning processes. The policies b
Policy inheritance with Enterprise Scanner policies
The inheritance properties of policies in SiteProtector provide a flexible and efficient method for
v If you do not override the settings, the column follows the inheritance described in the table above; however, you must configure those policies.
Depl
Migrating a locally managed Enterprise Scanner agent into SiteProtector
You must migrate the Enterprise Scanner agent out of the Locally Managed Agents a
Viewing asset or agent policies for Enterprise Scanner
In the SiteProtector Console, you can view asset and agent policies together, or you can view the
Getting vulnerability help for a SiteProtector Console without Internet access
If you use the SiteProtector Console on a computer without an Internet co
Agent policies for Enterprise Scanner
Agent policies apply to Enterprise Scanner appliances and describe operational settings for the agents or global s
Network Locations policy
Use the Network Locations policy to define the perspective (network location) of an agent and to define routes for those perspe
Important: Users who do not have permission to view the Network Locations policy, either through group association or by a specific grant, cannot run En
Configuring advanced parameters for event notification
Use the Advanced Parameters tab in the Notification policy on the SiteProtector Console to provid
2. In the navigation pane, select a group, and then open the Access policy for that group.
3. For each password you want to change, complete the followi
Configuring the scanning network interface
Use the Scan Interface tab in the Networking policy on the SiteProtector Console to configure the scanning in
Contents
Trademarks and Disclaimer ... iii
About this book ... vii
Related publications ... viii
Technical support contacts ... viii
P
Configuring scanning interface DNS settings
Use the DNS tab in the Networking policy on the SiteProtector Console to configure the DNS settings for the
Services policy
Use the Services policy on the SiteProtector Console to enable or disable access to your appliance from SSH (Secure Shell) applications
Time policy
Use the Time policy on the SiteProtector Console to change the date and the time of the Enterprise Scanner agent, and to enable the network
Update Settings policy
Use the Update Settings policy on the SiteProtector Console to configure how the agent automatically locates, downloads, and inst
v A Discovery policy applies to only the group where you define it.
v The remaining policies are inheritable. A subgroup inherits a policy from the firs
Defining assets to discover
Use the Discovery policy on the SiteProtector Console to define the parameters used to perform a discovery scan on a portion
Assessment policy
Use the Assessment policy on the SiteProtector Console to define the checks to run for assessment scans. The Assessment policy contains
Displaying assessment checks by groups
Use the Checks tab in the Assessment policy on the SiteProtector Console to group checks by any combination of co
Selecting assessment checks with filters
Use the Checks tab in the Assessment policy on the SiteProtector Console to provide filtering values on a selec
Configuring common assessment settings
Use the Common Settings tab in the Assessment policy on the SiteProtector Console to choose settings that define
Scanning behaviors for ad hoc scans ... 99
Chapter 8. Interpreting scan results in SiteProtector ... 103
OS identification (OSID) certainty ...
Assessment Credentials policy
Use the Assessment Credentials policy on the SiteProtector Console to define authentication credentials for your assets. Th
Option / Description
Account Type: Windows Domain/Workgroup: Indicates that the user account is defined in a Windows Domain or Workgroup. The account is used
Scan Control policy
Use the Scan Control policy on the SiteProtector Console to define the duration of scanning cycles and to assign user-defined perspe
Defining scanning cycles and assigning perspectives to scans
Use the Scan Control policy on the SiteProtector Console to define the duration of scanning
Scan Window policy
Use the Scan Window policy on the SiteProtector Console to define hours of allowed scanning for discovery scans (scan windows), asses
Defining when scanning is allowed
Use the Scan Window policy on the SiteProtector Console to define the days and hours that scanning is allowed.
About th
Scan Exclusion policy
Use the Scan Exclusion policy on the SiteProtector Console to define specific ports or assets to exclude from a scan of a group of
About this book
This section describes the audience for this guide; identifies related publications; and provides contact information.
Audience
Users of t
Network Services policy
Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports. You can m
Configuring a Network Services policy
Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP p
Ad Hoc Scan Control policy
Use the Ad Hoc Scan Control policy on the SiteProtector Console to define Enterprise Scanner ad hoc scans for assessment and
11. If you want to add newly discovered assets to the group where you have defined the scan, rather than to the Ungrouped Assets group, select the Add n
Option / Description
Half-Scan Connections: The maximum number of connections the scan should use for opening and closing ports.
13. Click the Debug Settings
Chapter 4. Understanding scanning processes in SiteProtector
This chapter explains the high-level processes behind ad hoc and background scanning. It als
What is perspective?
When you scan a group of assets, you anticipate and interpret results based on the location of your agent relative to the location
firewall, descriptive perspective names might be Atlanta-InsideFirewall and Atlanta-OutsideFirewall.
Placing agents in the correct perspective
A perspect
To scan some asset groups from inside your firewall and others from within your DMZ, follow these steps:
1. Set up two groups in SiteProtector:
v One gro
Scan jobs and related terms
To tune your system correctly, you must understand how scan jobs run and how the options you define in policies affect jobs
Related publications
Use this topic to help you access information about your Enterprise Scanner appliance.
Publications
The following documents are avail
Scheduled and running scans
To make it easier to explain the scanning processes, scans are considered scheduled when they are displayed in the Command J
Tasks per type of scan
The following table explains the tasks needed for discovery and assessment scans:
Table 10. Tasks per type of scan
Scan type / Numbe
Task prioritization
The following table explains the reasons behind prioritization of scanning tasks:
Table 11. Reasons for task prioritization
Type of s
The process for a scanning cycle
The following table describes the general process for a scanning cycle:
Table 12. The process of a scanning cycle
Stage
Optimizing cycle duration, scan windows, and subtasks for Enterprise Scanner
Background scanning jobs persist throughout a scan cycle, but are active on
Achieving the right balance
If a refresh cycle is too short, you cannot scan all of your assets during the cycle. If a scan window is too short to finis
Chapter 5. Background scanning in SiteProtector
This chapter describes the minimum requirements and options for defining background scanning in the Site
Determining when background scans run
This topic describes two important concepts for background scanning: scanning refresh cycles and scanning windows.
How policies apply to ad hoc and background scans
Agent policies apply to both ad hoc and background scans, while asset policies apply to both ad hoc an
Part 1. Scanning from the Proventia Manager
This section explains how to manage scans from the Proventia Manager for the Enterprise Scanner agent.
Chapte
Table 15. Changes to Assessment and Discovery policies (continued)
If you... / Then you...
Modify the configured settings: Cannot save the policy. Therefor
Background scanning checklists for Enterprise Scanner
This topic describes the minimum requirements to set up background discovery and background assess
Enabling background scanning
Use the Scan Control policy on the SiteProtector Console to define the duration of refresh cycles and to assign user-define
Option / Description
Next cycle start date: The beginning date of the next scan cycle. (Display only.)
Use Discovery’s start date/duration and wait for disco
Procedure
1. From the SiteProtector Console, create a tab to display asset policies.
2. In the navigation pane, select a group, and then open the Scan W
Defining ports or assets to exclude from a scan
Use the Scan Exclusion policy on the SiteProtector Console to define the specific ports, specific assets
Defining network services
Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports.
Procedu
Defining assessment credentials for a policy
Use the Assessment Credentials policy on the SiteProtector Console to define authentication credentials for
Chapter 6. Monitoring scans in SiteProtector
This chapter uses terms that define scanning parameters for scan jobs with SiteProtector.
Topics
“Viewing you