IBM Proventia Network Enterprise Scanner User Guide Version 2.3
Copyright statement © Copyright IBM Corporation 1997, 2009. All Rights Reserved. U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Trademarks and Disclaimer IBM® and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
iv Enterprise Scanner: User Guide.
Contents
Trademarks and Disclaimer ...... iii
About this book ........... vii
Related publications ........... viii
Technical support contacts ......... viii
Part 1. Scanning from the Proventia Manager .............. 1
Chapter 1. Ad hoc scanning in the Proventia Manager
Scanning behaviors for ad hoc scans ...... 99
Chapter 8. Interpreting scan results in SiteProtector ........... 103
OS identification (OSID) certainty ...... 104
How OSID is updated in Enterprise Scanner ...... 105
Setting up a Summary view for vulnerability management
About this book This section describes the audience for this guide, identifies related publications, and provides contact information. Audience Users of this guide should understand their network topology, including the criticality of network assets.
Related publications Use this topic to help you access information about your Enterprise Scanner appliance. Publications The following documents are available for download from the IBM ISS Documentation Web site at http://www.iss.net/support/documentation/.
Part 1. Scanning from the Proventia Manager This section explains how to manage scans from the Proventia Manager for the Enterprise Scanner agent. Chapters Chapter 1, “Ad hoc scanning in the Proventia Manager,” on page 3 Chapter 2, “Interpreting scan results in the Proventia Manager,” on page 21
Chapter 1. Ad hoc scanning in the Proventia Manager This chapter explains how to use perspectives and describes the high-level processes behind ad hoc scanning from the Proventia Manager.
Section A: Network configuration This section explains how to define the network interfaces for the management and scanning ports, how to assign perspectives to network interfaces, and how to configure the Enterprise Scanner appliance to select routes for traffic.
Configuring the scanning network interface Use the Scan Interface tab on the Network Interface Configuration page on the appliance to configure the scanning interface network settings (ETH1 - ETH5). About this task You configured the scanning interface when you set up the appliance with the Proventia Setup Assistant.
Configuring scanning interface DNS settings Use the DNS tab on the Network Interface Configuration page on the appliance to configure the DNS settings for the scanning interface. About this task You configured these settings when you set up the appliance with the Proventia Setup Assistant.
Assigning perspective to a scanning interface Use the Network Locations tab on the Network Locations page on the appliance to assign a perspective (network location) to a scanning interface. About this task You can only configure the ETH0 and ETH1 interfaces in Proventia Setup.
Option Description Metric If you configure more than one route to the same segment for one perspective, a number that indicates the preferred route. The closer to 1, the more preferred the route. Note: The numbers you use do not have to be consecutive.
7. If you want to add previously known assets that are already defined in other groups to the scan group, select the Add previously known assets to group check box. Displaying assessment checks by groups Use the Checks tab in the Assessment policy to group checks by any combination of columns that you have chosen to display.
If you want to... Then... Create groupings from a selection list 1. Click the Group By icon. The Group by Columns window appears. 2. Select a column to group by in the All Columns list, and then click Add. The column moves to the Group by these Columns list.
Selecting assessment checks with filters Use the Checks tab in the Assessment policy to provide filtering values on a selected list of assessment checks. About this task The following rules apply to using regular expressions: • The match occurs against all columns in the table, whether or not the column is displayed.
Configuring common assessment settings for an Assessment policy Use the Common Settings tab in the Assessment policy to choose settings that define additional scanning behavior for the checks you have selected to run in an assessment scan. Procedure 1.
Option Description Ports to scan with generic UDP checks The set of UDP ports to scan with generic UDP checks. You can specify ports using any of the following methods: • Type a port or range of ports. • Click Well known and select ports from the list.
Option Description Do not perform application fingerprinting Does not try to specifically identify which applications are communicating over which ports, and runs the checks as selected in the Assessment policy. This option does not identify applications communicating over non-standard ports.
Option Description Allowed account lockout Select a type of lockout: • No lockout allowed: Enterprise Scanner avoids running password guessing checks if account lockout is enabled on the target host, or if its status cannot be determined.
Defining assessment credentials for a policy Use the Assessment Credentials policy type on the Policy Management page to define authentication credentials for your assets. About this task The appliance uses authentication credentials to access accounts during assessment scans.
Option Description Account Type: SSH Local Indicates that the user account is defined locally on a single Unix device that allows SSH logons. The account is used to attempt login to a single Unix device. When you choose this option, you must provide an IP address in the Domain/Host box.
Defining the service names associated with TCP and UDP ports Use the Network Services policy type on the Policy Management page to define service names associated with TCP and UDP ports. Procedure 1. Click Scan → Policy Management in the navigation pane.
Defining ports or assets to exclude from a scan Use the Scan Exclusion policy type on the Policy Management page to define specific ports or assets to exclude from a scan of a group of assets. Procedure 1. Click Scan → Policy Management in the navigation pane.
Configuring and saving a scan policy in the Proventia Manager Use the Policy Management page on the appliance to configure discovery and assessment scan policies from Proventia Manager for auditing purposes, and then use those policies for one-time (ad hoc) scans that you initialize from the LMI Scan Control page.
Chapter 2. Interpreting scan results in the Proventia Manager This chapter explains how to monitor and view scan results in the Proventia Manager. Topics “Running an ad hoc scan” on page 22
Running an ad hoc scan Use the LMI Scan Control page on the appliance to define and run ad hoc scans for assessment and discovery. Before you begin Before you can run a scan, make sure you have configured a scan from the Policy Management page. Procedure 1.
Monitoring the status of a scan Use the Scan Status page on the appliance to view the status of ad hoc discovery and assessment scans you have initialized from the LMI Scan Control page. About this task While Proventia Manager processes the scan, you can perform one of the following actions on the scan: Table 3.
Viewing the results of an ad hoc scan Use the Scan Results page on the appliance to analyze security-related data discovered by an ad hoc scan. Procedure 1. Click Scan → Scan Results in the navigation pane. 2. Choose the scan date (time stamp) from the List Scans list, and then click Go.
Purging scan data from the database Use the Scan Results page on the appliance to schedule the removal of scan data files from the /var/log/esm/lmiScans directory. Procedure 1. Click Scan → Scan Results in the navigation pane. 2. Click the Purge Scan Data link.
Part 2. Scanning from the SiteProtector Console This section explains how to manage scans from the SiteProtector Console for the Enterprise Scanner agent.
Chapter 3. Enterprise Scanner policies This chapter explains how to use Enterprise Scanner policies to customize your scanning processes. The policies belong to meaningful categories based on their scope and impact on scans.
Policy inheritance with Enterprise Scanner policies The inheritance properties of policies in SiteProtector provide a flexible and efficient method for setting up your scanning environment in a hierarchical group structure.
• If you do not override the settings, the column follows the inheritance described in the table above; however, you must configure those policies. Deploying an Enterprise Scanner policy from the policy repository Use the policy repository to create, edit, and deploy Enterprise Scanner policies in SiteProtector.
Migrating a locally managed Enterprise Scanner agent into SiteProtector You must migrate the Enterprise Scanner agent out of the Locally Managed Agents area to take advantage of the policy features available in SiteProtector.
Viewing asset or agent policies for Enterprise Scanner In the SiteProtector Console, you can view asset and agent policies together, or you can view them separately. If you view the policies separately, you can use the views and tabs in SiteProtector to easily move back and forth between asset and agent policies.
Getting vulnerability help for a SiteProtector Console without Internet access If you use the SiteProtector Console on a computer without an Internet connection, you need to store the vulnerability Help on that computer or on one it can access over your company’s network.
Agent policies for Enterprise Scanner Agent policies apply to Enterprise Scanner appliances and describe operational settings for the agents or global settings for all scans. In addition, some agent policies apply to only one agent. Agent policy descriptions for Enterprise Scanner Agent policies apply to both ad hoc and background scans.
Network Locations policy Use the Network Locations policy to define the perspective (network location) of an agent and to define routes for those perspectives. Note: The Network Locations policy does not automatically import the perspectives you set up in the Network Locations tab in the Proventia Manager (LMI).
Important: Users who do not have permission to view the Network Locations policy, either through group association or by a specific grant, cannot run Enterprise Scanner scans.
Option Description Metric If you configure more than one route to the same segment for one perspective, a number that indicates the preferred route. The closer to 1, the more preferred the route. Note: The numbers you use do not have to be consecutive.
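The following Python example is added here to illustrate the Metric option as it is described in both the Proventia Manager (LMI) Network Locations tab and the SiteProtector Network Locations policy; it is not Enterprise Scanner code and not part of this guide. It models the routes of one perspective and picks the route used for a target: among routes to the same segment the lowest metric wins, and the metric values do not have to be consecutive. The Route fields, the validation, and the rule that a more specific segment beats a less specific one are assumptions made for the example.

```python
"""Route selection for one perspective.

Added example, not Enterprise Scanner code. A route is (segment, gateway,
interface, metric). Among routes to the same segment the lowest metric wins
(closer to 1 is preferred; values need not be consecutive). When different
segments match a target, the most specific one is used; that longest-prefix
rule is an assumption, as are the field names.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    segment: str    # network the route reaches, e.g. "10.20.0.0/16"
    gateway: str
    interface: str  # scanning interface, ETH1 to ETH5
    metric: int     # 1 is the most preferred value


def validate_route(route: Route) -> None:
    """Reject a malformed segment or a metric below 1 before it is used."""
    ipaddress.ip_network(route.segment, strict=True)  # ValueError if malformed
    if route.metric < 1:
        raise ValueError(f"metric must be >= 1, got {route.metric}")


def select_route(routes: List[Route], target: str) -> Optional[Route]:
    """Return the route used to reach `target`, or None if nothing covers it.

    Candidates are routes whose segment contains the target. The longest
    prefix wins; among routes to that same segment, the lowest metric wins.
    """
    for route in routes:
        validate_route(route)
    addr = ipaddress.ip_address(target)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.segment)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.segment).prefixlen, r.metric),
    )


# Constructed sample: two routes to one /16 with non-consecutive metrics, and
# a more specific /24 that carries a worse metric but still wins for its hosts.
SAMPLE_ROUTES = [
    Route("10.20.0.0/16", "10.1.0.1", "ETH1", 10),
    Route("10.20.0.0/16", "10.1.0.2", "ETH2", 1),
    Route("10.20.5.0/24", "10.1.0.3", "ETH3", 50),
]

if __name__ == "__main__":
    print(select_route(SAMPLE_ROUTES, "10.20.9.9"))    # ETH2, metric 1
    print(select_route(SAMPLE_ROUTES, "10.20.5.7"))    # ETH3, the /24
    print(select_route(SAMPLE_ROUTES, "192.168.1.1"))  # None
```

A target that no route covers returns None rather than silently using the management interface; when you see scan traffic leaving the wrong interface, compare the perspective's routes against the targets in the group the same way.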
Configuring advanced parameters for event notification Use the Advanced Parameters tab in the Notification policy on the SiteProtector Console to provide greater control over the event notification behavior of your appliance. Procedure 1. From the SiteProtector Console, create a tab to display agent policies.
2. In the navigation pane, select a group, and then open the Access policy for that group. 3. For each password you want to change, complete the following steps: a. Type the current password in the Current Password box. b. Click Enter Password, type the new password in the Password and in the Confirm password boxes, and then click OK.
Configuring the scanning network interface Use the Scan Interface tab in the Networking policy on the SiteProtector Console to configure the scanning interface network settings (ETH1 - ETH5). About this task You configured the scanning interface when you set up the appliance with the Proventia Setup Assistant.
Configuring scanning interface DNS settings Use the DNS tab in the Networking policy on the SiteProtector Console to configure the DNS settings for the scanning interface. About this task You configured these settings when you set up the appliance with the Proventia Setup Assistant.
Services policy Use the Services policy on the SiteProtector Console to enable or disable access to your appliance from SSH (Secure Shell) applications on your network and to enable SNMP to monitor the Enterprise Scanner appliance for conditions that warrant administrative attention.
Time policy Use the Time policy on the SiteProtector Console to change the date and the time of the Enterprise Scanner agent, and to enable the network time protocol (NTP) to synchronize the agent time with a network time server.
Update Settings policy Use the Update Settings policy on the SiteProtector Console to configure how the agent automatically locates, downloads, and installs available updates. Asset policies for Enterprise Scanner Asset policies apply to groups of assets and describe the security policy for those assets.
• A Discovery policy applies to only the group where you define it. • The remaining policies are inheritable. A subgroup inherits a policy from the first group higher than itself in the group structure that has a defined policy.
Defining assets to discover Use the Discovery policy on the SiteProtector Console to define the parameters used to perform a discovery scan on a portion of a network. Before you begin Before it can perform OS fingerprinting on an asset, your agent must find one open and one closed port.
Assessment policy Use the Assessment policy on the SiteProtector Console to define the checks to run for assessment scans. The Assessment policy contains the following tabs: • Checks (display checks .
Displaying assessment checks by groups Use the Checks tab in the Assessment policy on the SiteProtector Console to group checks by any combination of columns that you have chosen to display. For example, you might want to see checks by category, then by severity within that category.
Selecting assessment checks with filters Use the Checks tab in the Assessment policy on the SiteProtector Console to provide filtering values on a selected list of assessment checks. About this task The following rules apply to using regular expressions: • The match occurs against all columns in the table, whether or not the column is displayed.
Configuring common assessment settings Use the Common Settings tab in the Assessment policy on the SiteProtector Console to choose settings that define additional scanning behavior for the checks you have selected to run in an assessment scan. Procedure 1.
Option Description Ports to scan with generic UDP checks The set of UDP ports to scan with generic UDP checks. You can specify ports using any of the following methods: • Type a port or range of ports. • Click Well known and select ports from the list.
Option Description Do not perform application fingerprinting Does not try to specifically identify which applications are communicating over which ports, and runs the checks as selected in the Assessment policy. This option does not identify applications communicating over non-standard ports.
Option Description Allowed account lockout Select a type of lockout: • No lockout allowed: Enterprise Scanner avoids running password guessing checks if account lockout is enabled on the target host, or if its status cannot be determined.
Assessment Credentials policy Use the Assessment Credentials policy on the SiteProtector Console to define authentication credentials for your assets.
Option Description Account Type: Windows Domain/Workgroup Indicates that the user account is defined in a Windows Domain or Workgroup. The account is used to attempt to log in to all Windows devices within the domain or workgroup. When you choose this option, you must provide the Windows Domain or Workgroup name in the Domain/Host box.
Scan Control policy Use the Scan Control policy on the SiteProtector Console to define the duration of scanning cycles and to assign user-defined perspectives to scans. Background scanning is based on scanning cycles. Scanning cycles define how frequently you want to rerun scans for a group.
Defining scanning cycles and assigning perspectives to scans Use the Scan Control policy on the SiteProtector Console to define the duration of scanning cycles and to assign user-defined perspectives to scans. Procedure 1. From the SiteProtector Console, create a tab to display asset policies.
Scan Window policy Use the Scan Window policy on the SiteProtector Console to define hours of allowed scanning for discovery scans (scan windows), assessment scans (scan windows), and the time zone in which you want the scanning to occur, which is typically the time zone of the assets.
Defining when scanning is allowed Use the Scan Window policy on the SiteProtector Console to define the days and hours that scanning is allowed. About this task The Scan Window policy applies to background discovery and assessment scans.
Scan Exclusion policy Use the Scan Exclusion policy on the SiteProtector Console to define specific ports or assets to exclude from a scan of a group of assets.
Network Services policy Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports. You can modify some properties of a default service in the policy, and you can add your own customized services to the policy.
Configuring a Network Services policy Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Network Services policy for that group.
Ad Hoc Scan Control policy Use the Ad Hoc Scan Control policy on the SiteProtector Console to define Enterprise Scanner ad hoc scans for assessment and discovery.
11. If you want to add newly discovered assets to the group where you have defined the scan, rather than to the Ungrouped Assets group, select the Add newly discovered assets to group check box. 12. If you want to add previously known assets (that are not in the group) to the group, select the Add previously known assets to group check box.
Option Description Half-Scan Connections The maximum number of connections the scan should use for opening and closing ports. 13. Click the Debug Settings tab. 14. In the Packet Capture section, select Enabled and then set the filters for the agent to use during the ad hoc assessment scan for network analysis.
Chapter 4. Understanding scanning processes in SiteProtector This chapter explains the high-level processes behind ad hoc and background scanning. It also explains how policy settings affect those processes.
What is perspective? When you scan a group of assets, you anticipate and interpret results based on the location of your agent relative to the location of the assets. Scanning a group of assets from inside a firewall, for example, produces different results than scanning the same group of assets from outside the firewall.
firewall, descriptive perspective names might be Atlanta-InsideFirewall and Atlanta-OutsideFirewall. Placing agents in the correct perspective A perspective name has no meaning to Enterprise Scanner. You must make sure that the agents you add to each perspective make logical sense placed there.
To scan some asset groups from inside your firewall and others from within your DMZ, follow these steps: 1. Set up two groups in SiteProtector: • One group contains assets to scan from inside the firewall. • One group contains assets to scan from the DMZ.
Scan jobs and related terms To tune your system correctly, you must understand how scan jobs run and how the options you define in policies affect jobs and subtasks. Definitions The following table describes the terms used by the Enterprise Scanner agent in the scanning process: Table 8.
Scheduled and running scans To make it easier to explain the scanning processes, scans are considered scheduled when they are displayed in the Command Jobs window. Because jobs might not start to scan immediately, they are considered scheduled until the job actually starts to create tasks and run subtasks.
Tasks per type of scan The following table explains the tasks needed for discovery and assessment scans: Table 10. Tasks per type of scan Scan type Number of tasks Discovery 1 job-level task 1 pare.
Task prioritization The following table explains the reasons behind prioritization of scanning tasks: Table 11. Reasons for task prioritization Type of scan Reason for prioritization Ad hoc versus.
The process for a scanning cycle The following table describes the general process for a scanning cycle: Table 12. The process of a scanning cycle Stage Description 1 Scanning jobs are displayed in t.
Optimizing cycle duration, scan windows, and subtasks for Enterprise Scanner Background scanning jobs persist throughout a scan cycle, but are active only during open scan windows.
Achieving the right balance If a refresh cycle is too short, you cannot scan all of your assets during the cycle. If a scan window is too short to finish subtasks, subtasks that were nearly finished must be rerun.
Chapter 5. Background scanning in SiteProtector This chapter describes the minimum requirements and options for defining background scanning in the SiteProtector Console. Because ad hoc scans use some of the background policies, this chapter also describes the impact of those shared policies on ad hoc scans.
Determining when background scans run This topic describes two important concepts for background scanning: scanning refresh cycles and scanning windows. These concepts control when background scans run. Scanning refresh cycle A scanning refresh cycle is the maximum duration (in days, weeks, or months) of a background scan.
How policies apply to ad hoc and background scans Agent policies apply to both ad hoc and background scans, and asset policies also apply to both ad hoc and background scans; however, you can reconfigure some asset policies when you define an ad hoc scan.
Table 15. Changes to Assessment and Discovery policies (continued) If you... Then you... Modify the configured settings Cannot save the policy. Therefore, the changes apply to only that ad hoc scan and do not affect configured background scans.
Background scanning checklists for Enterprise Scanner This topic describes the minimum requirements to set up background discovery and background assessment scanning. You should also use any other policies that help you configure your scanning environment to meet your security goals.
Enabling background scanning Use the Scan Control policy on the SiteProtector Console to define the duration of refresh cycles and to assign user-defined perspectives to scans. About this task Background scanning is based on scanning refresh cycles.
Option Description Next cycle start date The beginning date of the next scan cycle. (Display only.) Use Discovery’s start date/duration and wait for discovery scan to complete before scheduling ass.
Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Scan Window policy for that group. 3. Click the Discovery Windows tab or the Assessment Windows tab. Note: Scanning hours are selected; non-scanning hours are not selected.
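The following Python example is added to illustrate the relationship between the Scan Window policy (hours selected per day) and the refresh cycle defined in the Scan Control policy, which the chapter above describes in "Optimizing cycle duration, scan windows, and subtasks" and "Determining when background scans run". It is not Enterprise Scanner code. It counts the open scanning hours in a cycle and compares them with an estimate of the time needed for the group, so that a cycle that is too short to scan all assets is visible before the cycle runs. The per-asset scan time and the concurrency figure are constructed inputs, the time zone is ignored, and the representation of windows is an assumption.

```python
"""Scan windows versus a refresh cycle: is there enough open time?

Added example, not Enterprise Scanner code. A Scan Window policy is modelled
as the hours (0-23) selected for each weekday; a refresh cycle is modelled as
N days starting at midnight on its first day, as the guide says jobs appear
at midnight on the day a new cycle begins. Per-asset scan time and the number
of assets scanned concurrently are constructed figures, not product values.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Dict, Set, Tuple

# weekday (0 = Monday) -> hours in which scanning is allowed on that calendar day
ScanWindows = Dict[int, Set[int]]


def in_window(windows: ScanWindows, when: datetime) -> bool:
    """True if `when` falls inside a selected scanning hour."""
    return when.hour in windows.get(when.weekday(), set())


def open_hours(windows: ScanWindows, cycle_start: datetime, cycle_days: int) -> int:
    """Count the scanning hours available in a cycle of `cycle_days` days."""
    start = cycle_start.replace(hour=0, minute=0, second=0, microsecond=0)
    return sum(
        1 for i in range(cycle_days * 24)
        if in_window(windows, start + timedelta(hours=i))
    )


def cycle_fits(windows: ScanWindows, cycle_start: datetime, cycle_days: int,
               asset_count: int, minutes_per_asset: float,
               concurrent_assets: int) -> Tuple[bool, float, int]:
    """Return (fits, hours_needed, hours_available) for the planned cycle.

    A cycle that is too short leaves assets unscanned; this makes that visible
    before the cycle runs instead of after it expires.
    """
    if concurrent_assets < 1:
        raise ValueError("concurrent_assets must be >= 1")
    needed = asset_count * minutes_per_asset / 60 / concurrent_assets
    available = open_hours(windows, cycle_start, cycle_days)
    return needed <= available, needed, available


# Constructed policy: weeknights only, 22:00-23:59 and 00:00-03:59 (Mon-Fri),
# no scanning at weekends.
NIGHT_WINDOWS: ScanWindows = {day: {22, 23, 0, 1, 2, 3} for day in range(5)}
CYCLE_START = datetime(2009, 6, 1)          # a Monday
MONDAY_2300 = datetime(2009, 6, 1, 23)
SATURDAY_2300 = datetime(2009, 6, 6, 23)

if __name__ == "__main__":
    for concurrency in (8, 4):
        fits, needed, avail = cycle_fits(NIGHT_WINDOWS, CYCLE_START, 7, 2000, 6.0, concurrency)
        print(f"concurrency={concurrency}: need {needed:.1f} h, have {avail} h, fits={fits}")
```

With the constructed figures a one-week cycle offers 30 open hours; 2000 assets at six minutes each fit when eight are scanned at once (25 hours) and do not fit at four (50 hours). Lengthen the cycle or widen the windows before the cycle starts rather than discovering the shortfall when the cycle expires.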
Defining ports or assets to exclude from a scan Use the Scan Exclusion policy on the SiteProtector Console to define the specific ports, specific assets, or both, that you want to exclude from a scan of a group of assets. Procedure 1. From the SiteProtector Console, create a tab to display asset policies.
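The following Python example is added to show, in code, two settings this guide describes in words: the "Ports to scan with generic UDP checks" option in the Common Settings tab (a port typed singly or as a range, or chosen from the Well known list) and the Scan Exclusion policy (specific ports or assets removed from a scan of a group). It is not Enterprise Scanner code. The well-known table and its names, the CIDR form for an excluded asset, and the function names are assumptions made for the example.

```python
"""Port specifications and scan exclusions.

Added example, not Enterprise Scanner code. It covers two things described in
this guide: a port list entered as single ports or ranges ("53,67-69,161"),
optionally chosen from a "Well known" list, and the Scan Exclusion policy that
removes specific ports or assets from a scan of a group. The well-known table,
the names used for it, and the CIDR form for an excluded asset are assumptions.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Assumed stand-in for the "Well known" selection list in the policy.
WELL_KNOWN_UDP: Dict[str, int] = {"dns": 53, "ntp": 123, "snmp": 161, "syslog": 514}


def parse_port_spec(spec: str, well_known: Dict[str, int] = WELL_KNOWN_UDP) -> Set[int]:
    """Turn "22, 53, 67-69, snmp" into a set of ports, validating every entry."""
    ports: Set[int] = set()
    for raw in spec.split(","):
        item = raw.strip().lower()
        if not item:
            continue
        if item in well_known:
            ports.add(well_known[item])
            continue
        low_text, _, high_text = item.partition("-")
        try:
            low = int(low_text)
            high = int(high_text) if high_text else low
        except ValueError as exc:
            raise ValueError(f"bad port entry {raw!r}") from exc
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {raw!r}")
        ports.update(range(low, high + 1))
    return ports


def is_valid_port_spec(spec: str) -> bool:
    """Validation wrapper suitable for a form field."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def build_targets(assets: Iterable[str], ports: Set[int],
                  excluded_assets: Iterable[str] = (),
                  excluded_ports: Iterable[int] = ()) -> List[Tuple[str, int]]:
    """List (asset, port) pairs for the group after applying the exclusions.

    An excluded asset may be a single address or a CIDR block (assumed form);
    an excluded port is dropped for every asset in the group.
    """
    excluded_nets = [ipaddress.ip_network(a, strict=False) for a in excluded_assets]
    keep_ports = sorted(set(ports) - set(excluded_ports))
    targets: List[Tuple[str, int]] = []
    for asset in assets:
        addr = ipaddress.ip_address(asset)
        if any(addr in net for net in excluded_nets):
            continue
        targets.extend((asset, port) for port in keep_ports)
    return targets


# Constructed group of assets.
GROUP_ASSETS = ["10.20.5.1", "10.20.5.2", "10.20.6.1"]

if __name__ == "__main__":
    udp_ports = parse_port_spec("53, 67-69, snmp")
    print(sorted(udp_ports))  # [53, 67, 68, 69, 161]
    targets = build_targets(GROUP_ASSETS, udp_ports,
                            excluded_assets=["10.20.6.0/24"], excluded_ports={68})
    print(len(targets), targets)  # 8 pairs: 10.20.6.1 and port 68 are excluded
```

Reversed ranges such as 70-60 and ports outside 1 to 65535 are rejected at parse time; silently accepting them would either scan nothing or scan the wrong ports without any indication in the results.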
Defining network services Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Network Services policy for that group.
Defining assessment credentials for a policy Use the Assessment Credentials policy on the SiteProtector Console to define authentication credentials for your assets. About this task The appliance uses authentication credentials to access accounts during assessment scans.
Option Description Account Type: SSH Local Indicates that the user account is defined locally on a single Unix device that allows SSH logons. The account is used to attempt login to a single Unix device. When you choose this option, you must provide an IP address in the Domain/Host box.
Chapter 6. Monitoring scans in SiteProtector This chapter uses terms that define scanning parameters for scan jobs with SiteProtector. Topics “Viewing your scan jobs” on page 92 “Viewing discovery job results” on page 92 “Viewing assessment job results” on page 93
Viewing your scan jobs Use the Command Jobs window on the SiteProtector Console to view the status of a job, watch its progress, and view its final results. Procedure 1. In the SiteProtector Console, right-click the Site or a group, and then select Properties from the pop-up menu.
Viewing assessment job results You can open a scanning job in the Command Jobs window as the job runs to see additional information about it. Some information is not available until the job has finished running. About this task The Remote Scan window presents a snapshot of the information available when you open the job.
Chapter 7. Managing scans in SiteProtector This chapter explains different ways to stop and restart scans. It also describes expected scanning behaviors and provides tips for troubleshooting your scan jobs.
Stopping and restarting scan jobs You can stop a scan job by pausing or canceling the job. You can also rerun a scan job. These actions apply to current scan jobs, not to scans to be scheduled in the future. Impact of stopping scan jobs The following table describes the impact of stopping scans with the Pause and Cancel options: Table 19.
Suspending and enabling all background scans You can suspend and enable all scanning for the groups controlled by a Scan Control policy. This applies to current and future background scans.
Minimum scanning requirements This topic provides a brief review and summary of the minimum requirements for initiating different types of scans. Registration and authentication Your agent must be registered and authenticated with SiteProtector.
Scanning behaviors for ad hoc scans Different aspects of scanning behaviors are discussed in detail in different parts of this guide. This topic answers some of the most common questions about how jobs are scheduled and how they are displayed in the Command Jobs window.
A: You did not define at least one IP address for a discovery scan. A: You set up the scan to run during scan windows, but you have not defined scan windows for the group you are scanning. This could happen if you define a Scan Window policy for the group, but you have not defined any scan windows in the policy.
• If the agent to run the background scan is available, the scan job appears in the Command Jobs window at midnight on the day of a new refresh cycle. • If the agent to run the background scan is not available, the scan job appears in the Command Jobs window when the agent is available, provided it is on a valid start date.
If you set up the Scan Control policy so that the assessment scan... Then, the assessment scan... Does not wait for the discovery scan to finish before the assessment scan begins Starts as a single job.
Chapter 8. Interpreting scan results in SiteProtector This chapter explains how to use OS identification and the views in SiteProtector to analyze the results of vulnerability assessment scans by the Enterprise Scanner agent.
OS identification (OSID) certainty Enterprise Scanner determines whether to run a check against a host based on the certainty of the OS information in SiteProtector and the setting in the Assessment policy that specifies what action to take if the OSID is uncertain.
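The following Python example is added to make the two gating rules in this guide concrete: the "Allowed account lockout" setting from the Common Settings tab (with "No lockout allowed", password guessing checks are skipped when lockout is enabled on the target or when its status cannot be determined) and the OSID certainty rule above (a check runs or not depending on how certain the OS information in SiteProtector is and on the Assessment policy setting for an uncertain OSID). It is not Enterprise Scanner code. The field names, the boolean form of the "if OSID is uncertain" setting, the "lockout allowed" alternative, and the representation of certainty are assumptions; the guide names only the "No lockout allowed" choice and does not define how certainty is expressed.

```python
"""Deciding whether a check runs against a host.

Added example, not Enterprise Scanner code. Two gates from this guide are
modelled: (1) Allowed account lockout: with "No lockout allowed", password
guessing checks are skipped when lockout is enabled on the target or when its
status cannot be determined; (2) OSID certainty: a check's OS applicability is
compared with the OSID SiteProtector holds, and an uncertain OSID is resolved
by the policy's "if OSID is uncertain" setting. Field names, the "lockout
allowed" alternative and the certainty representation are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Lockout(Enum):
    DISABLED = "disabled"
    ENABLED = "enabled"
    UNKNOWN = "unknown"   # status could not be determined


@dataclass(frozen=True)
class Check:
    name: str
    password_guessing: bool = False
    # OS families the check applies to; empty means it applies to any OS.
    applies_to: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Host:
    ip: str
    lockout: Lockout
    osid: Optional[str]      # e.g. "windows", "linux"; None when no OSID exists
    osid_certain: bool


@dataclass(frozen=True)
class Policy:
    allow_lockout: bool          # False models "No lockout allowed"
    run_if_osid_uncertain: bool  # the "if OSID is uncertain" action, assumed boolean


def lockout_permits(check: Check, host: Host, policy: Policy) -> bool:
    """Fail closed: an unknown lockout status is treated like an enabled one."""
    if not check.password_guessing or policy.allow_lockout:
        return True
    return host.lockout is Lockout.DISABLED


def osid_permits(check: Check, host: Host, policy: Policy) -> bool:
    """Trust the OSID only when it is certain; otherwise follow the policy."""
    if not check.applies_to:
        return True
    if host.osid is not None and host.osid_certain:
        return host.osid in check.applies_to
    return policy.run_if_osid_uncertain


def should_run(check: Check, host: Host, policy: Policy) -> Tuple[bool, str]:
    """Return (run, reason) so a skipped check can be explained in the job log."""
    if not lockout_permits(check, host, policy):
        return False, f"lockout {host.lockout.value} on {host.ip}"
    if not osid_permits(check, host, policy):
        return False, f"OSID {host.osid!r} certain={host.osid_certain}"
    return True, "ok"


# Constructed sample policies, checks and hosts.
STRICT = Policy(allow_lockout=False, run_if_osid_uncertain=False)
PERMISSIVE = Policy(allow_lockout=True, run_if_osid_uncertain=True)
SSH_GUESS = Check("ssh-weak-password", password_guessing=True, applies_to=frozenset({"linux"}))
SMB_CHECK = Check("smb-null-session", applies_to=frozenset({"windows"}))
UNKNOWN_LOCK = Host("10.20.5.1", Lockout.UNKNOWN, "linux", True)
UNCERTAIN_OS = Host("10.20.5.2", Lockout.DISABLED, "windows", False)

if __name__ == "__main__":
    for host in (UNKNOWN_LOCK, UNCERTAIN_OS):
        for check in (SSH_GUESS, SMB_CHECK):
            print(host.ip, check.name, should_run(check, host, STRICT))
```

The point of returning a reason with the decision is operational: a check that is missing from a host's results because the lockout status was unknown or the OSID was uncertain should be distinguishable from a check that ran and found nothing, otherwise the gap reads as a clean result.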
How OSID is updated in Enterprise Scanner This topic explains how Enterprise Scanner uses OSID information or reassesses the OSID during an assessment scan, and when SiteProtector updates the OSID that it has for an asset.
Setting up a Summary view for vulnerability management Use the Summary view in the SiteProtector Console to dynamically display information about scanning and vulnerability management. Procedure 1. From the T ools menu, select Options . 2. Select Summary in the left column.
T able 25. Vulnerability management options (continued) Portal Description V ulnerability History by Day Displays a bar graph that illustrates the following information: v T otal number of high priori.
V iewing vulnerabilities in the SiteProtector Console using Enterprise Scanner Use the Analysis view in the SiteProtector Console to view event data collected by the Enterprise Scanner agent. About vulnerability assessment V ulnerability assessment data identifies weaknesses in your network and hosts.
Field descriptions The following table describes the fields and descriptions for this vulnerability view: T able 26. Vulnerability view by asset Field Description T arget IP Use this filter to monitor a specific IP address that you suspect is the tar get of attacks.
T able 26. Vulnerability view by asset (continued) Field Description T ag Count Use to filter events accor ding to the T ag Count column in the analysis views. SiteProtector calculates the T ag Count according to the number of events that ar e associated with each row of data in the analysis view .
V iewing vulnerabilities by detail in Enterprise Scanner Use this view to examine event details that might be related to an attack or that you consider unusual. Benefits Y ou analyze event data to evaluate the effectiveness of your system’s security and to investigate any suspicious activity .
T able 27. Vulnerability view by detail (continued) Field Description Object T ype Use this filter to analyze a specific type of object that you suspect is the target of attacks. Object Name Use this filter to see events involving a specific object according to the object’s name.
V iewing vulnerabilities by object in Enterprise Scanner Use this view to examine objects on your network or desktop computers that are a source of vulnerabilities. Benefits Y ou can analyze specific objects that are mor e affected by vulnerabilities, such as ports or URLs.
T able 28. Vulnerability view by object (continued) Field Description T ag Count Use to filter events accor ding to the T ag Count column in the analysis views. SiteProtector calculates the T ag Count according to the number of events that ar e associated with each row of data in the analysis view .
T able 29. Vulnerability view by target operating system (continued) Field Description Status Use the Status filter differently for events and vulnerabilities. v Events: The Status column indicates the impact of the event. v V ulnerabilities: The Status column indicates whether the vulnerability was found.
T able 30. Vulnerability view by vulnerability name (continued) Field Description Status Y ou use the Status filter differ ently for events and vulnerabilities. v Events: The Status column indicates the impact of the event. v V ulnerabilities: The Status column indicates whether the vulnerability was found.
Running reports in the SiteProtector Console Use the Report view in the SiteProtector Console to schedule Enterprise Scanner reports. Procedure 1. In the navigation pane for the SiteProtector Console, select the gr oup for which you want to run r eports.
Table 31. Assessment reports descriptions (continued) Report Description Top Vulnerabilities A list of the top vulnerabilities, by frequency, for a specified group and time. Vulnerability by Asset A list of the top assets by number of vulnerabilities for a specified group and time.
Viewing an Enterprise Scanner report in the SiteProtector Console Use the Report view in the SiteProtector Console to open an Enterprise Scanner report on your computer. Procedure 1. In the navigation pane for the SiteProtector Console, select the group that you want to run reports for.
Chapter 9. Logs and alerts This chapter explains how to generate log files and to set up alert notifications for the appliance. Topics “Log files and alert notification” on page 122 “System log.
Log files and alert notification Enterprise Scanner maintains log files on the appliance to use for diagnosing problems with the agent. The log files contain details about the scanning and operational processes running on the agent. Two types of log files Enterprise Scanner maintains two types of log files: Table 32.
System logs Use the System Event Log page in the Proventia Manager to examine entries in the system logs. System log descriptions The following table describes the system logs for Enterprise Scanner: Table 34. System logs Log name (file_name) Description Architecture Services Log (AS_Log.
Getting log status information Use the Log Status page in the Proventia Manager to view usage information for alert event log statistics. Navigation: To access the Log Status page, click Status → Logs in the navigation pane. This page provides usage information for the following alert event log statistics: Table 35.
Table 37. Enterprise Scanner (ES) log descriptions (continued) Log name (file_name) Description Interface Log (crm-esm.log) Details communications between the CRM and the ESM.
Downloading Enterprise Scanner (ES) log files Use the Log File Management page in the Proventia Manager to download an Enterprise Scanner (ES) log file from the Enterprise Scanner agent to a local workstation. About this task When you download a log file, Enterprise Scanner creates a backup of the log file for you to download.
Alerts log Use the Alert Event Log page in the Proventia Manager to view and manage security and system-related alerts. Navigation: You can access this page from (Logs → Alerts, Maintenance → U.
Downloading and saving an Alerts log Use the Alerts page in the Proventia Manager to save an alert log file to use for forensic purposes. About this task The Alert log is saved in three comma-separated values (CSV) files. The three files refer to the data displayed in the Alerts log: Table 39.
Clearing the Alerts log Use the Alerts page in the Proventia Manager to clear all events from the Alert log. Before you begin Clearing the Alert log deletes the records and removes the alerts from the Alerts page. Before you clear the Alert log, you might want to save a copy for archiving.
If you want to... Then... Search the Alert log file by filtering options 1. Select Auto Off from the Refresh Data list. 2. Select an option from the Filter Options list. Search value fields appropriate to the option are displayed later in this section in the Filter Options list.
If you want to... Then... Search the Alert log file by Alert ID number 1. Type the 26-character alert ID number in the Search by Alert Id# box. Tip: You can copy the ID# from an Alert Event Details window and paste it into the search box to find all events with that ID#.
Chapter 10. Ticketing and remediation This chapter explains how to use information from Enterprise Scanner with the ticketing feature in SiteProtector to manage tracking and remediation.
Ticketing and Enterprise Scanner SiteProtector works with Enterprise Scanner to streamline your event tracking and remediation processes. This topic explains how to use information from Enterprise Scanner with the ticketing feature in SiteProtector to manage tracking and remediation.
When you save the ticket in SiteProtector, the action request system stores the information, too. You can edit and maintain tickets in the action request system. SiteProtector retains a copy of the ticket on the database server. Note: If you use Remedy to maintain tickets, then you cannot edit them in SiteProtector.
If you do not want to modify the cycle duration for your background scans, you can run an ad hoc scan to verify and close tickets that are pending system verification. Remediation tasks for Enterprise Scanner Use information from Enterprise Scanner with the ticketing feature in SiteProtector to manage tracking and remediation.
Table 40. Options for the Ticketing reports Option Tab Description Share report with other SiteProtector users General Select this option to give other SiteProtector users permissions to view the report you are running.
Table 40. Options for the Ticketing reports (continued) Option Tab Description Number of Records Report Format Specifies the number of records that will be displayed in the report, from five to ALL records. Show Graph Report Format Select this check box if you want a graph to be displayed on the report.
Part 3. Maintenance This section explains how to maintain and update the Enterprise Scanner agent. Chapters Chapter 11, “Performing routine maintenance,” on page 141 Chapter 12, “Updating Enterprise Scanner,” on page 147 Chapter 13, “Viewing the status of the Enterprise Scanner agent,” on page 157
Chapter 11. Performing routine maintenance This chapter explains maintenance procedures that you need to perform on the Enterprise Scanner agent. Topics “Shutting down your Enterprise Scanner”.
Shutting down your Enterprise Scanner You can shut down Enterprise Scanner from the Proventia Manager. The shut down option also turns off the appliance. Before you begin If you have an agent with an early BIOS, the shut down command may not turn off the appliance.
Removing an agent from SiteProtector Use this procedure to remove an agent from SiteProtector. Procedure 1. In the SiteProtector Console, open a tab with an Agent view, and then select the group that contains your agent. 2. In the right pane, right-click the agent, and then select Delete from the pop-up menu.
Options for backing up Enterprise Scanner Use the Backup and Recovery page to manage snapshots of configuration settings and to create complete system backups. Types of backups Settings backup A settings backup is a snapshot file that stores all of your appliance configuration settings.
Backing up configuration settings Use the Settings Backup tab on the Backup and Recovery page to create a settings snapshot file of the configuration settings for your agent. About this task A settings snapshot file contains the configuration settings, including the logon account credentials and networking settings, of the agent.
Making full system backups Use the Full Backup tab on the Backup and Recovery page to create a complete image of the operating system and current configuration settings before you apply firmware updates or apply snapshot files that change the original configuration settings of the appliance.
Chapter 12. Updating Enterprise Scanner This chapter describes how to configure an agent for XPUs, how to schedule automatic and one-time XPUs, and how to apply XPUs manually. Occasionally, you must install XPUs for other products, such as for SiteProtector components, when you install an XPU for Enterprise Scanner.
XPU basics This topic describes the types of updates for your Enterprise Scanner agent and explains where you can get the updates. Types of updates The following table describes the contents of firmware and assessment content updates: Table 41.
Updating options The XPU process provides the option to schedule automatic updates on a periodic basis, schedule one-time updates, or update an agent manually. You should configure automatic updates and use one-time and manual updates as needed between the automatic updates.
Configuring explicit-trust authentication with an XPU server You can configure the authentication between an Enterprise Scanner agent and a SiteProtector X-Press Update Server (XPU Server) to use either trust-all or explicit-trust authentication.
Configuring an Alternate Update location Use the Alternate Update Server page in the Update Settings policy on the SiteProtector Console if you want to update your Enterprise Scanner appliance from within your network instead of getting updates from the IBM ISS Download Center.
Option Description Trust Level The authentication level for communications with the SiteProtector update server. Authentication level options for the SiteProtector update server are as follows: - Trust-all: The appliance trusts the SiteProtector update server, and does not use SSL certificates for authentication.
Configuring an HTTP Proxy Use the Proxy Server page in the Update Settings policy on the SiteProtector Console to configure proxy server information if your Enterprise Scanner agent uses a proxy server to access the Update Server. Procedure 1. From the SiteProtector Console, create a tab to display agent policies.
Scheduling a one-time firmware update Occasionally, you might not want to wait for your automatic update process to install an important update. You can schedule a one-time firmware update between automatic updates. Procedure 1. From the SiteProtector Console, open the Update Settings policy for the agent you want to update.
Option Description Check for updates at given intervals Checks for updates at the interval that you specify. Note: The range is 60 minutes to 1440 minutes (1-24 hours). Make sure that your agent checks for updates at least one hour before automatic installations to ensure sufficient time for downloading updates.
Manually installing updates In the Proventia Manager for the agent, you can manually download and install updates. You download firmware and assessment content updates at the same time, but you install them separately. Procedure 1. Log on to the Proventia Manager for the Enterprise Scanner agent.
Chapter 13. Viewing the status of the Enterprise Scanner agent This chapter explains the status information that is available for Enterprise Scanner in Proventia Manager and in the SiteProtector Console.
Proventia Manager Home page The Proventia Manager Home page provides the latest diagnostic information about the appliance. Navigation: To access the Proventia Manager Home page, click Home in the navigation pane. System status The system status group box describes the current status of the system: Table 46.
Table 47. Current status of network interfaces (continued) Model Network interfaces ES1500 ETH0 (management port) ETH1 (scanning port) ETH2 (scanning port) ETH3 (scanning port) ETH4 (scanning port) ETH5 (scanning port) Updates status The update status group box provides the latest update information of the appliance: Table 48.
Viewing agent status in the SiteProtector Console The same system status information that is available in the Proventia Manager Home page is available in the SiteProtector Console. You can also check your authentication status in the SiteProtector Console.
Viewing the status of the CAM modules Use the CAM Modules page in the Proventia Manager to view information about CAM sessions in Enterprise Scanner. Procedure 1. Log on to the Proventia Manager for the Enterprise Scanner agent. 2. Click Status → CAM Modules in the navigation pane.
Table 50. Sensor processes (continued) Module or process Description Troubleshooting option Enterprise Scanner scheduler module or iss-esmScheduler process The program file that schedules and runs Enterprise Scanner ad hoc discovery and assessment tasks.
Part 4. Appendixes
Appendix. Safety, environmental, and electronic emissions notices Safety notices may be printed throughout this guide. DANGER notices warn you of conditions or procedures that can result in death or severe personal injury.
When working on or around the system, observe the following precautions: Electrical voltage and current from power, telephone, and communication cables are hazardous. To avoid a shock hazard: - Connect power to this unit only with the IBM ISS provided power cord.
CAUTION: The battery contains lithium. To avoid possible explosion, do not burn or charge the battery. Do not: - Throw or immerse into water - Heat to more than 100°C (212°F) - Repair or disassemble Exchange only with the IBM ISS-approved part. Recycle or discard the battery as instructed by local regulations.
Product safety labels One or more of the following safety labels may apply to this product. DANGER Hazardous voltage, current, or energy levels are present inside any component that has this label attached. Do not open any cover or barrier that contains this label.
Laser safety information The following laser safety notices apply to this product: CAUTION: This product may contain one or more of the following devices: CD-ROM drive, DVD-ROM drive, DVD-RAM drive, or laser module, which are Class 1 laser products. Note the following information: - Do not remove the covers.
Notice: This mark applies only to countries within the European Union (EU) and Norway. Appliances are labeled in accordance with European Directive 2002/96/EC concerning waste electrical and electronic equipment (WEEE).
on disposal of batteries outside the United States, go to http://www.ibm.com/ibm/environment/products/batteryrecycle.shtm or contact your local waste disposal facility.
In accordance with the European Directive 2006/66/EC, batteries and accumulators are labeled to indicate that they are to be collected separately and recycled at end of life. The label on the battery may also include a symbol for the metal concerned in the battery (Pb for lead, Hg for mercury, and Cd for cadmium).
Note: This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
modified by IBM, or if expansion components from third-party manufacturers are plugged in or installed without IBM’s recommendation. EN 55022 Class A devices must carry the following warning notice: ″Warning: This is a Class A device.
Korean Class A Compliance Statement: