hit counter script
IBM Proventia Network Enterprise Scanner User Manual
IBM Proventia Network Enterprise Scanner User Manual

IBM Proventia Network Enterprise Scanner User Manual

Table of Contents

Advertisement

Quick Links

IBM Proventia Network Enterprise Scanner

User Guide

Version 1.3
IBM Internet Security Systems

Advertisement

Table of Contents
loading

Summary of Contents for IBM Proventia Network Enterprise Scanner

  • Page 1: User Guide

    IBM Proventia Network Enterprise Scanner User Guide Version 1.3 IBM Internet Security Systems...
  • Page 2 Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
  • Page 3: Table Of Contents

    Changing Group Permissions ........... . 68 IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 4 Priorities for Running Tasks ........... 129 IBM Internet Security Systems...
  • Page 5 Running an Ad Hoc Discovery Scan ..........195 IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 6 Clearing the Alerts Log ............245 IBM Internet Security Systems...
  • Page 7 ..............259 IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 8 Contents IBM Internet Security Systems...
  • Page 9: Overview

    Overview Introduction This is the User Guide for the IBM Proventia Network Enterprise Scanner appliance (Enterprise Scanner) from IBM Internet Security Systems, Inc. (IBM ISS), which includes the following models: the ES750 and the ES1500. The Enterprise Scanner appliance is a vulnerability detection agent that is designed for the enterprise customer.
  • Page 10: How To Use Enterprise Scanner Documentation

    Context-sensitive Help that contains procedures for tasks you perform in the Proventia Manager and in the SiteProtector Console. the SiteProtector system Documents available on the IBM ISS Web site that provide documents information about using the SiteProtector system and the SiteProtector Console.
  • Page 11 You manage your Enterprise Scanner agent through a SiteProtector Console. The SiteProtector information in this guide about the SiteProtector system refers to Proventia Management system SiteProtector 2.0, Service Pack 6.1 (SiteProtector DBSP 6.31). IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 12: Getting Technical Support

    Preface Getting Technical Support Introduction IBM ISS provides technical support through its Web site and by email or telephone. The IBM ISS Web The IBM Internet Security Systems (IBM ISS) Resource Center Web site ( http:// site ) provides direct access to online user documentation, current www.iss.net/support/...
  • Page 13 East, and Africa Asia-Pacific, (1) (888) 447-4861 (toll free) support@iss.net Australia, and (1) (404) 236-2700 the Philippines Japan Domestic: (81) (3) 5740-4065 support@isskk.co.jp Table 4: Contact information for technical support (Continued) IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 14 Preface IBM Internet Security Systems...
  • Page 15: Part I: Getting Started

    Part I Getting Started...
  • Page 17: Chapter 1: Introduction To Enterprise Scanner

    Overview Introduction Enterprise Scanner is the assessment component of the IBM Proventia Enterprise Security Platform. Enterprise Scanner is based on a model in which vulnerability detection is treated like a continuous network monitoring task rather than the ad hoc scanning model used by earlier vulnerability management systems.
  • Page 18: New Features

    When to use Application fingerprinting is especially useful in the following cases: application fingerprinting You know that some applications on the network communicate over non-standard ● ports. IBM Internet Security Systems...
  • Page 19 This capability allows X-Force to create new vulnerability checks for non-network exposed services, similar to the current Windows patch checks. For more information about SSH, go to http://www.openssh.com/ To configure SSH, see “Defining Assessment Credentials (Assessment Credentials Policy)” on page 94. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 20: Key Concepts

    Chapter 1: Introduction to Enterprise Scanner Key Concepts Introduction Enterprise Scanner is the next generation scanning appliance from IBM ISS. As a component of the Enterprise Security Platform, Enterprise Scanner delivers true enterprise scalability and scanning load balancing. Designed to run on Linux, Enterprise Scanner delivers the core functionality necessary in today's enterprise environments.
  • Page 21: Introducing Background Scanning

    You define hours of the day (scanning windows) during which scanning is allowed. ● You identify critical assets that require priority attention. ● You define locations of agents and perspectives to scan assets as network locations. ● IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 22: Migrating From Internet Scanner

    Internet Scanner to Enterprise Scanner. Migration tools To migrate policies from Internet Scanner to Enterprise Scanner, download the IBM Proventia Network Enterprise Scanner Policy Migration Utility and instructions from the IBM ISS Download Center. Using Internet You can use Internet Scanner with Enterprise Scanner, which you may want to do as you Scanner with migrate from Internet Scanner.
  • Page 23: Enterprise Scanner Communication Channels

    Figure 1: Enterprise Scanner architecture Network interfaces Enterprise Scanner uses network interfaces as follows: Interface Purpose Management To communicate with the SiteProtector system. Scanning To communicate with assets. Table 6: Management and scanning interfaces IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 24 The user’s Web browser. Inbound on 22 TCP An SSH shell on a user’s computer. Scanning Any TCP outbound The assets being scanned by the agent. Any UDP Any ICMP Table 7: Port usage for Enterprise Scanner IBM Internet Security Systems...
  • Page 25: Component Descriptions

    You can configure automatic downloading and installation of updates through Note: the SiteProtector Console or through your Agent Manager. Updates are available either through the IBM ISS Download Center or from a locally managed Update Server. User interfaces You can access and view information gathered by the Enterprise Scanner through one or...
  • Page 26: The Siteprotector System Components

    Introduction The SiteProtector system is a centralized management system that provides command, control, and monitoring capabilities over all of your IBM Internet Security Systems (IBM ISS) products, including the Enterprise Scanner appliance. The SiteProtector system documentation provides thorough descriptions of all of its components. This topic provides brief descriptions of the components that affect Enterprise Scanner users the most.
  • Page 27: Chapter 2: Installing And Configuring An Agent

    Setting Up Your Appliance for Initial Configuration Configuring Appliance-Level Settings Configuring Explicit-Trust Authentication with an Agent Manager Registering Enterprise Scanner to Connect to the SiteProtector System Logging On to the SiteProtector Console IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 28: Before You Begin

    If you do not intend to install multiple agents, you can perspective use the default, Global perspective. For a complete explanation of perspective, see “What is Perspective?” on Reference: page 124, “Defining Perspectives” on page 125, and “One Way to Use Perspective” on page 126. IBM Internet Security Systems...
  • Page 29: Process Overview

    Some XPUs may apply to the SiteProtector system components, such as to the Note: SiteProtector database. To find the list of known issues, log on to the IBM ISS Knowledgebase ( ● http:// ), and then search the knowledgebase for Answer ID 3442.
  • Page 30 81 and Chapter 7, "Configuring Discovery and Assessment Policies" on page 97. Set up the SiteProtector system for Chapter 12, "Interpreting Scan Results" on vulnerability management. page 167. Table 11: Stages of installation and configuration (Continued) IBM Internet Security Systems...
  • Page 31: Setting Up Your Appliance For Initial Configuration

    6. Start your terminal emulation program with the following settings: Setting Value Baud rate 9600 Flow control Hardware Data bits Parity None Stop bits Emulation VT100 IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 32 Chapter 2: Installing and Configuring an Agent 7. Turn on the appliance. Initialization messages appear in the window. If messages do not appear after the appliance starts, press the key. Note: ENTER 8. Go to “Configuring Appliance-Level Settings” on page 33. IBM Internet Security Systems...
  • Page 33: Configuring Appliance-Level Settings

    The Welcome to the Proventia Manager Setup Wizard screen appears. 4. Press to advance to the next screen. ENTER 5. Press the to select I accept (End User License Agreement for IBM ISS), press SPACE BAR to select Next, and then press DOWN ARROW ENTER 6.
  • Page 34 If you want to configure explicit trust with your Agent Manager, go to ■ “Configuring Explicit-Trust Authentication with an Agent Manager” on page 35 If you want to continue setting up your appliance, go to “Registering Enterprise ■ Scanner to Connect to the SiteProtector System” on page 37. IBM Internet Security Systems...
  • Page 35: Configuring Explicit-Trust Authentication With An Agent Manager

    Agent Manager certificate 1. Locate the computer that hosts your SiteProtector Agent Manager, and then locate the folder where the Agent Manager is installed. The default location is C:\Program Files\ISS\SiteProtector\Agent Note: Manager IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 36 To configure a new Agent Manager, complete the process as explained in ■ “Registering Enterprise Scanner to Connect to the SiteProtector System” on page 37. To change an existing Agent Manager, click OK, and then click Save Changes. ■ 6. Reboot the appliance. IBM Internet Security Systems...
  • Page 37: Registering Enterprise Scanner To Connect To The Siteprotector System

    The Proventia Manager Home window appears. → 5. Click System on the navigation pane, and then click Management Registration. It may take a while for Java to initialize the first time you do this. Note: IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 38 Note: The default port number is 3995. If you change the default port number, you must also configure the port number locally on the SiteProtector Agent Manager. Account Name The account name for the Agent Manager. IBM Internet Security Systems...
  • Page 39 After the first heartbeat, your agent appears in the SiteProtector system in the group you designated. This operation may take several minutes. Wait until this page is refreshed in Note: your browser before you continue. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 40: Logging On To The Siteprotector Console

    Port box. 4. Type your SiteProtector User name. If your user name is part of a domain, use the following format: Note: domain_name\user_name 5. Type your Password. 6. Click OK. The Site Manager appears. IBM Internet Security Systems...
  • Page 41: Chapter 3: Running Your First Scans

    Table 14: How to use Tips In this chapter This chapter contains the following topics: Topic Page Basic Concepts Finding Your Agent, Assets, and Policies in the SiteProtector System Running Ad Hoc Scans IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 42 Chapter 3: Running Your First Scans Topic Page Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans Background Scanning Overview Background Scanning Process IBM Internet Security Systems...
  • Page 43: Basic Concepts

    This topic explains basic concepts about your Enterprise Scanner agent that you need to know before you begin. Keep these in mind as you work with the agent. If you have used the IBM ISS Internet Scanner application, some of the differences are significant. Types of scans...
  • Page 44: Finding Your Agent, Assets, And Policies In The Siteprotector System

    CorporateScanningGroups group. Illustration Figure 2 illustrates the location of the groups for the Enterprise Scanner agent and the assets to scan for the examples in this chapter: Figure 2: Groups used in scanning examples IBM Internet Security Systems...
  • Page 45 The examples in this chapter use a user-defined perspective, Corporate. Where Important: the perspective in the examples is Corporate, your perspective should appear as Global. For more information about setting up a perspective, see pages 124–126. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 46: Running Ad Hoc Scans

    2. Right-click the group, and then select Scan from the pop-up menu. The Scan window appears. Figure 3: Window for selecting ad hoc or background scanning 3. Select Network Enterprise Scanner/Ad-Hoc Scan, and then click OK. The Remote Scan window appears. IBM Internet Security Systems...
  • Page 47 Select the Wait for discovery scan to complete before scheduling assessment scan ■ check box. 7. Leave the perspective in the Perform one-time scan from this perspective list at its default setting, Global. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 48 IP range(s) to scan box as follows: Type an IP address, and then press (or type a comma). ■ ENTER Type a range of IP addresses, and then press (or type a comma). ■ ENTER IBM Internet Security Systems...
  • Page 49 The system schedules an ad hoc discovery scan job in the Command Jobs window in the SiteProtector system. The ad hoc assessment scan does not run until the ad hoc discovery scan has finished. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 50: Monitoring Ad Hoc Discovery And Ad Hoc Assessment Scans

    The status starts out as Pending, may go back-and-forth between Idle and Tip: Processing until it finishes, and then its status is Completed. For more information about how scan jobs run and how to find information Tip: about them, see Chapter 10, "Monitoring Scans" on page 135. IBM Internet Security Systems...
  • Page 51 Assets discovered by an Enterprise Scanner agent have a default criticality of Unassigned. For information about assigning criticality to assets, see “Scan Jobs and Related Terms” on page 127. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 52 For more information about how scan jobs run and how to find information Tip: about them, see Chapter 10, "Monitoring Scans" on page 135. 7. After the job has finished, select the Analysis view, and then select the group. IBM Internet Security Systems...
  • Page 53 Vuln Analysis - Detail view. Figure 11: View of vulnerability details in the CorporateScanningGroups Group If the events do not appear, adjust display parameters, such as the Start and End Tip: times. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 54: Background Scanning Overview

    These instructions guide you through the process without explaining every detail. If you are interested in the details, refer to the information in the Tips for different steps. If you are not interested in the details, you can ignore the tips. IBM Internet Security Systems...
  • Page 55: Background Scanning Process

    Enterprise Scanner policies may apply to one or more versions, as indicated in Tip: the policy view. If you use multiple agents at different versions that do not share the same policy, you must define separate policies for each version. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 56 ■ ENTER Type a range of IP addresses, and then press (or type a comma). ■ ENTER Example: 172.1.1.100-172.1.1.200 Discovery policies cannot be inherited from a parent. Each group must have its Tip: own Discovery policy. IBM Internet Security Systems...
  • Page 57 Assessment policies for subgroups are inherited from a parent group if the Tip: assessment policy is defined for the parent group. If the policy is inherited, it displays the parent’s name in the group’s policy list. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 58 Figure 15: The Scan Window policy for the CorporateScanningGroups group Scan window policies are inherited by default from a parent group if the Scan Tip: window policy is defined for the parent group. 4. Select the Discovery Windows tab. IBM Internet Security Systems...
  • Page 59 1. On the navigation pane, select the group to scan. cycles 2. Right-click the Scan Control policy, and then select Override from the pop-up menu. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 60 10. Leave the perspective in the Perform background scans from this perspective list at its default setting, Global. A customized perspective allows you to limit the portion of the network from Tip: which a given sensor can operate. For more information about using perspective, see IBM Internet Security Systems...
  • Page 61 5. You can view the Details and Activities tabs for the job just as you did for the ad hoc scans. (See “Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans” on page 50.) IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 62 6. If you want to disable background assessment scans, in the Background Assessment section, clear the Enable background assessment scanning of this group check box. 7. From the Action menu, click Save All. 8. Click OK. IBM Internet Security Systems...
  • Page 63: Chapter 4: Setting Up Scanning Permissions For Users

    In this chapter This chapter contains the following topics: Topic Page Enterprise Scanner Permissions Enterprise Scanner User Groups Considerations for Enterprise Scanner Permissions Creating User Groups in the SiteProtector System Changing Group Permissions IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 64: Enterprise Scanner Permissions

    Scan Control policy, which enables background scanning. Proventia Manager Whether you can launch Proventia Manager from the SiteProtector Console. Scan Window Whether you can view and/or modify the Policy policy. Table 18: Enterprise Scanner Group permissions IBM Internet Security Systems...
  • Page 65: Enterprise Scanner User Groups

    Enterprise Scanner scans. If those users try to run a scan, they receive an error message that the scan cannot be run because a policy is not defined. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 66: Considerations For Enterprise Scanner Permissions

    When you import assets before you set up asset groups, the SiteProtector system puts the assets in the Ungrouped assets folder. To assign permissions to ungrouped assets, you must use the global permission, Managing Ungrouped Assets. IBM Internet Security Systems...
  • Page 67: Creating User Groups In The Siteprotector System

    7. Select the name in the list you want to add to the User Group, and then click OK. The user or group is added to the SiteProtector User Group and is granted all the permissions granted to that User Group. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 68: Changing Group Permissions

    6. To change the owner of this group, type all or part of the user name or group in the Change Owner box, and then click Check Names. 7. Select the new owner, and then click OK to return to the Advanced Properties window. 8. Click OK. IBM Internet Security Systems...
  • Page 69: Part Ii: Configuring Enterprise Vulnerability Protection

    Part II Configuring Enterprise Vulnerability Protection...
  • Page 71: Overview

    Contents of Asset and Agent Policies Viewing Asset and Agent Policies Descriptions of Asset Policies Descriptions of Agent Policies Policy Inheritance with Enterprise Scanner Policies Policy Inheritance with Agent Policies Policy Inheritance with Asset Policies IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 72: Chapter 5: Introduction To Enterprise Scanner Policies

    Likewise, you could remove an agent from a pool, and the agents that remain would ● continue to share the work load assigned to that pool. IBM Internet Security Systems...
  • Page 73: Contents Of Asset And Agent Policies

    Figure 18 illustrates how asset and agent policies are grouped with the agent or the group of assets to which they apply in the SiteProtector Console: Figure 18: Enterprise Scanner asset and agent policies in a SiteProtector Console IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 74: Viewing Asset And Agent Policies

    6. Do one of the following: To view all policies, select All from the Mode list. ■ To view asset policies, select Asset from the Mode list. ■ To view agent policies, select Agent from the Mode list. ■ IBM Internet Security Systems...
  • Page 75: Descriptions Of Asset Policies

    You can have only one Network Locations policy. It defines perspectives that are used by all agents and assets at the Site. It appears once for the Site at the Site Group level. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 76: Descriptions Of Agent Policies

    You can have only one Network Locations policy. It defines perspectives that are used by all agents and assets at the Site. It appears once for the Site at the Site Group level. IBM Internet Security Systems...
  • Page 77: Policy Inheritance With Enterprise Scanner Policies

    Introduction The inheritance properties of policies enable you to set up your scanning environment in a hierarchical group structure. Even if you understand policy inheritance with other IBM ISS agents, you should understand the slight variations with Enterprise Scanner policies.
  • Page 78: Policy Inheritance With Agent Policies

    The Notification and Update Settings policies appear on the left pane under A_Group_Name Cancun, indicating that they are defined for the Cancun group. The Inheriting From column on the right pane confirms that the agent inherits the policies from Cancun. Table 25: Agent policy inheritance indicators IBM Internet Security Systems...
  • Page 79: Policy Inheritance With Asset Policies

    Exclusion policies defined at a higher level, but neither policy is defined in the agent’s group structure. The Network Services policy is defined at the Cancun level. A_Group_Name Table 26: Asset policy inheritance indicators IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 80 Chapter 5: Introduction to Enterprise Scanner Policies IBM Internet Security Systems...
  • Page 81: Overview

    Defining Periods of Allowed Scanning (Scan Window Policy) Excluding Assets from Scans (Scan Exclusion Policy) Defining Network Services (Network Services Policy) Defining Assessment Credentials (Assessment Credentials Policy) Key Parameters for Defining Scan Jobs IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 82: Chapter 6: Defining Background Scans

    Example Figure 21 illustrates a two-week scanning refresh cycle that has different scan windows for weekdays and for each day of the weekend. In this example, scans can run from 10:00 IBM Internet Security Systems...
  • Page 83 For each subgroup, you could define different scan windows to control the amount of scanning on different parts of your network at different times. For more about policy inheritance, see “Policy Inheritance with Enterprise Scanner Policies” on page 77. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 84: How Policies Apply To Ad Hoc And Background Scans

    Therefore, the changes apply to only that settings ad hoc scan and do not affect configured background scans. Table 29: Changes to Assessment and Discovery policies IBM Internet Security Systems...
  • Page 85 1:00 A.M. until 3:00 A.M. on the first day of the next refresh cycle. Table 31: Examples of scan windows and refresh cycles with ad hoc scans IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 86: Background Scanning Checklists

    See “Defining Assessment Credentials (Assessment Credentials Policy)” on page 94. Apply a Scan Control policy to the group (either directly or through inheritance from a higher group). See “Enabling Background Scanning (Scan Control Policy)” on page 87. Table 33: Checklist for background discovery scanning IBM Internet Security Systems...
  • Page 87: Enabling Background Scanning (Scan Control Policy)

    • months Current cycle start date The beginning date of the current refresh cycle. (Display only.) Next cycle start date The beginning date of the next refresh cycle. (Display only.) IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 88 Perform background scans from this perspective (Network location) box. If you have not yet defined the perspective, click the Configure Network Tip: Location icon to open the Network Locations policy (See page 112.) and define a new perspective. IBM Internet Security Systems...
  • Page 89: Defining Periods Of Allowed Scanning (Scan Window Policy)

    2. On the navigation pane, select a group, and then open the Scan Window policy for that group. 3. Select the Discovery Windows tab or the Assessment Windows tab. Scanning hours are selected; non-scanning hours are not selected. Note: IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 90 Eastern time zone but scanning assets in the Pacific time zone. You would define your scanning hours according to the considerations of the Pacific time zone, and then set your appliance to the Pacific time zone. IBM Internet Security Systems...
  • Page 91: Excluding Assets From Scans (Scan Exclusion Policy)

    Type a range of IP addresses, and then press (or type a comma). ■ ENTER Example: 172.1.1.100-172.1.1.200 A red box may appear around the Excluded Hosts box as you type until the Note: data is validated. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 92: Defining Network Services (Network Services Policy)

    Default settings The IBM ISS X-Force defines the default Network Services policy and may update the policy in an X-Press Update (XPU). The default policy applies to all groups that do not override it. The service names defined in the policy are referenced as target types in Enterprise Scanner check definitions.
  • Page 93 To add a service, click the add icon. ■ To modify a service, select the service, and then click the modify icon. ■ To delete a service, select the service, and then click the delete icon. ■ IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 94: Defining Assessment Credentials (Assessment Credentials Policy)

    Directory Domain. The account will be used to attempt logon to all Windows devices within the Active Directory domain. When you choose this option, you must provide the Active Directory Domain name in the Domain/Host box. IBM Internet Security Systems...
  • Page 95 Account Level One of the following: • Administrator • User • Guest To avoid inadvertently locking out an account, do not add an account more Caution: than once. 5. Click OK. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 96: Key Parameters For Defining Scan Jobs

    Scan Window policy for the scanning is allowed group to scan Windows and the Assessment Windows. Table 34: Key scanning parameters a. For guidance in determining the size of subtasks, see “Considerations for Subtask Sizes” on page 111. IBM Internet Security Systems...
  • Page 97: Chapter 7: Configuring Discovery And Assessment Policies

    How Policies Apply to Discovery and Assessment Scans Defining Assets to Discover (Discovery Policy) Defining Assessment Details Introduction (Assessment Policy) Description of Check Information (Assessment Policy) Grouping and Displaying Checks (Assessment Policy) Defining Common Assessment Settings (Assessment Policy) IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 98: How Policies Apply To Discovery And Assessment Scans

    Table 36 identifies which asset policies apply to discovery scans, which apply to assessment scans, and which apply to both: Policy Discovery Assessment Assessment Assessment Credentials Discovery Network Locations Network Services Scan Control Scan Exclusion Scan Window Table 36: Asset policies that affect discovery and assessment scans IBM Internet Security Systems...
  • Page 99: Defining Assets To Discover (Discovery Policy)

    6. If you want to add previously known assets that are already defined in other groups to the scan group, select the Add previously known assets to group (if not already in group) check box. This check box is enabled by default. Note: IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 100: Defining Assessment Details Introduction (Assessment Policy)

    You can change the ad hoc version of the policy without changing the saved background version. Policy contents An Assessment policy includes the following information: a list of assessment checks ● check-specific configuration parameters ● common assessment settings that define additional scanning behavior ● IBM Internet Security Systems...
  • Page 101: Description Of Check Information (Assessment Policy)

    Note: The impact of None, indicates that the check does not create a denial-of- service (DoS) situation on an asset. Info A link to the IBM ISS Web site location of up-to-date remedy information for the assessment checks. No target result...
  • Page 102 XPU added The Assessment Content XPU in which the check was added. XPU updated The Assessment Content XPU in which the check was last updated. Table 38: Check grouping definitions (Continued) IBM Internet Security Systems...
  • Page 103: Grouping And Displaying Checks (Assessment Policy)

    2. On the navigation pane, select a group, and then open the Assessment policy for that group. 3. Do any of the following: If you want to sort a column… Then… that is not sorted click the column heading. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 104 All Columns list to the Group By These Columns list in the order you want to group by. Note: If the column you want to group by is not available, add it, and then try again. IBM Internet Security Systems...
  • Page 105 2. Double-click the group level node. 3. Select or clear the Enable check box to enable or disable all the checks in the group. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 106: Defining Common Assessment Settings (Assessment Policy)

    Help HTML Prefix The location of the assessment check Help, specified as one of the following: • the IBM ISS Web site that contains the up-to-date assessment check documentation • the location of a locally stored version of the documentation.
  • Page 107 Fingerprint applications and run checks that apply to specific application (e.g., apache) Identifies applications communicating over specific ports, and then runs checks that apply only to the application identified. This option identifies applications communicating over non-standard ports. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 108 Temporary Lockout Allowed is enabled. When temporary lockout is allowed, password guessing checks are run only against assets whose lockout policy disables locked out accounts for no more than the maximum allowed lockout time. IBM Internet Security Systems...
  • Page 109: Overview

    Defining Alert Logging (Notification Policy) Defining Agent Passwords (Access Policy) Defining Agent Interfaces (Networking Policy) Defining the Date and Time Settings of the Agent (Time Policy) Defining Services to Run on the Agent (Services Policy) IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 110: Chapter 8: Defining Agent Policies

    The name of the network location to associate with this scanning port. location) Values: , the default, and any network locations defined in Global the Network Locations policy a. For more information, see “Considerations for Subtask Sizes” on page 111. IBM Internet Security Systems...
  • Page 111: Considerations For Subtask Sizes

    If the default settings allow you to scan all of your assets once per cycle within the scan windows you have defined, then you should not need to change the default settings. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 112: Defining Perspectives (Network Locations Policy)

    The policy is listed just below the Site. Note: 3. Select the Network Locations tab, and then click the Add Network Location icon. 4. Type the perspective name in the Network Location Name box, and then click OK. IBM Internet Security Systems...
  • Page 113: Defining Alert Logging (Notification Policy)

    Alert Logging for System Warning Events ■ Alert Logging for System Informative Events ■ 5. Select the Enable Event Delivery to SiteProtector Console check box for each type of event to enable. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 114: Defining Agent Passwords (Access Policy)

    Enable bootloader password check box. If you enable the Bootloader password, you must be connected to the agent Caution: with a serial connection and supply a password to back up or to restore the agent. IBM Internet Security Systems...
  • Page 115: Defining Agent Interfaces (Networking Policy)

    4. Configure the DNS servers and search paths as follows: Field Description The primary nameserver to use for resolving DNS names. Primary DNS Server Secondary DNS Server The secondary nameserver to use for resolving DNS names. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 116 5. Click the Add icon to add a domain name to your DNS search path, type the Domain Name, and then click OK. 6. If you want to change the order of the domains in your DNS search path, select the domain, and then click either the up or the down arrow. IBM Internet Security Systems...
  • Page 117: Defining The Date And Time Settings Of The Agent (Time Policy)

    To ensure that the agent starts to use NTP time immediately, you must Important: refresh the agent. If you do not refresh the agent, NTP time does not take effect until IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 118 SiteProtector. If you cannot save this policy and refresh the agent immediately, set the time as described above in Steps 4 and 5 in the “Changing the date and time” procedure before you save the policy. IBM Internet Security Systems...
  • Page 119: Defining Services To Run On The Agent (Services Policy)

    4. In the SSH section, do one of the following: To enable SSH, select the Enabled check box. ■ To disable SSH, clear the Enabled check box. ■ 5. Click Save Changes. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 120 Chapter 8: Defining Agent Policies IBM Internet Security Systems...
  • Page 121: Part Iii: Scanning

    Part III Scanning...
  • Page 123: Overview

    Defining Perspectives One Way to Use Perspective Scan Jobs and Related Terms Types of Tasks Priorities for Running Tasks Stages of a Scanning Process Optimizing Cycle Duration, Scan Windows, and Subtasks IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 124: Chapter 9: Understanding Scanning Processes In Siteprotector

    If you add an agent perspective to a perspective that is not logical for that agent, Enterprise Scanner is not able to determine that you have made a mistake. IBM Internet Security Systems...
  • Page 125: Defining Perspectives

    Table 42: Perspectives in policies Illustration Figure 23 illustrates the relationships between perspectives and policies described in Table 42: Figure 23: Network locations in the ESM, Network Locations, and Scan Control policies IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 126: One Way To Use Perspective

    One group contains assets to scan from inside the firewall. ■ One group contains assets to scan from the DMZ. ■ 5. Set up a scan control policy for each asset group, assigning the asset groups to the perspective from which you want to scan. IBM Internet Security Systems...
  • Page 127: Scan Jobs And Related Terms

    Because tasks run in units determined by subtask size, Enterprise Scanner can run subtasks that can run to completion during an open scanning window. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 128: Types Of Tasks

    IP addresses allowed per subtask. Assessment 1 job-level task 1 parent task 1 base task for each group 1 scanning task for each asset criticality level represented in each group Table 45: Tasks per type of scan IBM Internet Security Systems...
  • Page 129: Priorities For Running Tasks

    Criticality of assets in To ensure the best protection for your most critical assets, your assessment scans agent scans tasks in order of criticality from highest to lowest. Table 46: Reasons for task prioritization IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 130 The example in Figure 25 contains an assessment task for each asset criticality level. The order of the tasks in the Remote Scan window does not reflect the order in which the tasks run. The tasks run in priority order from the highest criticality level to the lowest. IBM Internet Security Systems...
  • Page 131: Stages Of A Scanning Process

    For ad hoc scans, until all the assets have been scanned. • For background scans, until all the assets have been scanned or until the scanning cycle ends, whichever occurs first. Table 47: The process of a scanning cycle IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 132: Optimizing Cycle Duration, Scan Windows, And Subtasks

    24 hours. If a refresh cycle is too short, it does not scan all of the assets during the cycle. If a scan window is too short to finish subtasks, it may rerun subtasks that were nearly complete. To achieve the optimal balance, do the following: IBM Internet Security Systems...
  • Page 133 If your scans still do not finish in the time allowed, consider reducing the number of checks you run or adding another Enterprise Scanner agent to the perspective. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 134 Chapter 9: Understanding Scanning Processes in SiteProtector IBM Internet Security Systems...
  • Page 135: Chapter 10: Monitoring Scans

    Viewing Discovery Job and Parent Task Details Viewing Discovery Scanning Task Details Viewing Runtime Details about Assessment Scans Viewing Assessment Job Results Viewing Assessment Job and Parent Task Details Viewing Base Assessment and Scanning Task Details IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 136: Finding Your Scan Jobs

    2. Select Command Jobs from the options on the left pane. The command jobs appear for the selected group. → If you enable viewing of subgroups (View Include Subgroups), jobs for any Tip: subgroups of the Site or group you select also appear in the list. IBM Internet Security Systems...
  • Page 137: Job Information In The Command Jobs Window

    The Progress column indicates the completion status of the job. Progress is shown by a progress bar and a percentage of completion. The percentage may decrease temporarily if you stop and restart a job that must rerun subtasks. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 138: Viewing Runtime Details About Discovery Scans

    IP address of the asset currently being scanned. Figure 28 is an example of an Activity tab for an ad hoc discovery scan: Figure 28: The Activity tab for a discovery scan IBM Internet Security Systems...
  • Page 139: Viewing Discovery Job Results

    1. Right-click a job in the Command Jobs window, and then select Open from the pop- up menu. 2. Click Results on the left pane. The Remote Scan window appears as in the example in Figure 29. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 140: Viewing Discovery Job And Parent Task Details

    Job details Figure 30 is an example of the job details for an ad hoc discovery scan: Figure 30: Job details for an ad hoc discovery scan IBM Internet Security Systems...
  • Page 141 Figure 31 is an example of the parent task details for an ad hoc discovery scan: Figure 31: Parent task details for an ad hoc discovery scan IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 142: Viewing Discovery Scanning Task Details

    Scanning task details include parameters that control how the scan runs, including user- defined parameters. Figure 32 is an example of the scanning details for a task: Figure 32: Scanning task details for an ad hoc discovery scan IBM Internet Security Systems...
  • Page 143: Viewing Runtime Details About Assessment Scans

    Figure 34: The Activity tab for an assessment scan IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 144: Viewing Assessment Job Results

    Scan_Group_Name for hosts with was run. Table 50: Subtask description IBM Internet Security Systems...
  • Page 145 1. Right-click a job in the Command Jobs window, and then select Open from the pop- up menu. 2. Click Results on the left pane. The Remote Scan window appears as in the example in Figure 35. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 146: Viewing Assessment Job And Parent Task Details

    Job details Figure 36 is an example of the job details for an ad hoc assessment scan: Figure 36: Job details for an ad hoc assessment scan IBM Internet Security Systems...
  • Page 147 Figure 37 is an example of the parent task details for an ad hoc assessment scan: Figure 37: Parent task details for an ad hoc assessment scan IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 148: Viewing Base Assessment And Scanning Task Details

    Base assessment Figure 38 is an example of a Base Assessment Scan task for the CorporateScanningGroups scan details group: Figure 38: Base assessment scan details for an ad hoc assessment scan IBM Internet Security Systems...
  • Page 149 Scanning task Scanning task details include parameters that control how the scan runs. Some of these are details user-defined parameters. Figure 39: Scanning task details for an ad hoc assessment scan IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 150 Chapter 10: Monitoring Scans IBM Internet Security Systems...
  • Page 151: Chapter 11: Managing Scans

    Suspending and Enabling All Background Scans Minimum Scanning Requirements Generally Expected Scanning Behaviors Expected Scanning Behaviors for Ad Hoc Scans Expected Scanning Behaviors for Background Scans Identifying Error Conditions Troubleshooting Tips IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 152: Stopping And Restarting Scan Jobs

    Important: Use the Pause option only when a job is in the Processing status. Pausing a job in any other status may cause problems if you try to Resume or Rerun the scan. Table 52: Impact of stopping scans IBM Internet Security Systems...
  • Page 153 If you resume the scan job, only incomplete subtasks run again, but they run in their entirety. Note: If large subtasks must run again, the progress shown on your progress bar will drop back accordingly. Table 53: Impact of restarting scans IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 154: Suspending And Enabling All Background Scans

    If you want to enable scans, select the Enable background discovery/assessment ■ scanning of this group check box in the Background Discovery and Background Assessment sections, for the type(s) of background scanning you want to define. IBM Internet Security Systems...
  • Page 155: Minimum Scanning Requirements

    (or earlier) start date. Table 55: Minimum scanning requirements a. For detailed instructions about defining policies, see Chapter 6, "Defining Background Scans" on page 81. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 156: Generally Expected Scanning Behaviors

    A change in processing order does not have to wait for an entire job to finish; scan ● priorities can cause changes in job processing order that take effect at the completion of the work assigned to a subtask. IBM Internet Security Systems...
  • Page 157: Expected Scanning Behaviors For Ad Hoc Scans

    Why did my ad hoc scan continue to run even when the refresh cycle started again? Refresh cycles do not apply to ad hoc scans, so ad hoc scans continue to run even if a new refresh cycle starts. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 158 IBM Internet Security Systems...
  • Page 159: Expected Scanning Behaviors For Background Scans

    The background scan will resume after the ad hoc scan has finished. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 160 There is no need to before the assessment scan begins create a separate assessment job for each subgroup since the assessment scan does not have to wait for the discovery job to finish before it can start. IBM Internet Security Systems...
  • Page 161: Identifying Error Conditions

    Group_Name scan disabled, no scan being scheduled No Discovery policy found for Group_Name. No scan being scheduled No Assessment policy found for Group_Name. No scan being scheduled Table 56: Messages in the Display Task Detail AA window IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 162 Text of Message No hosts with criticality criticality_level in Group Group_Name - Scan not run Error found in the discovery policy - scan will not be run Table 56: Messages in the Display Task Detail AA window (Continued) IBM Internet Security Systems...
  • Page 163: Troubleshooting Tips

    (See page 87.) Table 57: Perspectives in policies No error is reported for this condition in the Remote Scan window. Important: IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 164 Chapter 11: Managing Scans IBM Internet Security Systems...
  • Page 165: Part Iv: Analysis, Tracking, And Remediation

    Part IV Analysis, Tracking, and Remediation...
  • Page 167: Overview

    OS Identification (OSID) in Enterprise Scanner How OSID Is Updated Viewing Vulnerabilities by Asset Viewing Vulnerabilities by Object Viewing Vulnerabilities by Detail Viewing Vulnerabilities by Vuln Names Assessment Reports Assessment Report Descriptions Report Sorting Options IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 168: Chapter 12: Interpreting Scan Results

    Total number of medium priority vulnerabilities on the operating system • Total number of low priority vulnerabilities on the operating system • Total number of vulnerabilities in all categories on the operating system Table 58: Information portals for vulnerability management IBM Internet Security Systems...
  • Page 169 5. If you want to remove portlets from a view, double-click the portlet in the Displayed list. 6. If you want to change the order in which portlets appear, select a portlet in the Displayed list, and then click Up or Down. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 170: Viewing Vulnerabilities In The Siteprotector Console

    IP address or range of IP addresses ● tag name ● object name ● observance type ● You determine how many rows of incidents or exceptions you want to display in an analysis view in the Console options. IBM Internet Security Systems...
  • Page 171: Os Identification (Osid) In Enterprise Scanner

    If you want to make a valid comparison of OSID results between Enterprise Scanner and between Enterprise Internet Scanner, you must make sure that you provide equivalent log on access to Scanner and accounts from both products. Internet Scanner IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 172: How Osid Is Updated

    A scan from Enterprise Scanner with authenticated access reports an OSID for that ● asset. If you enter user-supplied OSIDs and do not meet either of the preceding Important: conditions, you are responsible for maintaining any changes to the OSID. IBM Internet Security Systems...
  • Page 173: Viewing Vulnerabilities By Asset

    Security issues that deny service or provide non-system information that could be used to formulate structured attacks on a target, but not directly gain unauthorized access. Table 61: Vulnerability analysis–asset fields IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 174 Latest Event column. For example, if you apply this filter to the Event Name view, SiteProtector would apply criteria you specified to each Tag name (or row) that appears in the view. Table 61: Vulnerability analysis–asset fields (Continued) IBM Internet Security Systems...
  • Page 175: Viewing Vulnerabilities By Object

    Event Name view, SiteProtector would apply criteria you specified to each Tag name (or row) that appears in the view. Table 62: Vulnerability analysis–object fields IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 176: Viewing Vulnerabilities By Detail

    Name, if any, associated with an event. Source Port The port on which the vulnerability was detected. algorithm-id This is a check id used by IBM ISS to identify the check. Table 63: Vulnerability analysis–detail fields IBM Internet Security Systems...
  • Page 177 This is used by Enterprise Scanner to detail reasons for vulnerabilities. Examples of reasons: OS not vulnerable, Service behavior, and HTTP stream matched result Whether the vulnerability was found. Table 63: Vulnerability analysis–detail fields (Continued) IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 178: Viewing Vulnerabilities By Vuln Names

    Latest Event column. For example, if you apply this filter to the Event Name view, SiteProtector would apply criteria you specified to each Tag name (or row) that appears in the view. Table 64: Vulnerability analysis–name fields IBM Internet Security Systems...
  • Page 179: Assessment Reports

    4. Select Reports on the left pane. 5. Right-click an instance of the report, and then select Open Report from the pop-up menu. 6. Follow the prompts to open the report file on your computer. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 180: Assessment Report Descriptions

    A list of vulnerabilities their remedies for each asset. Asset Vulnerability Summary by A list of vulnerabilities and their descriptions for each asset. Asset Vulnerable Assets A lists of assets by criticality for each vulnerability. Table 65: Assessment report descriptions IBM Internet Security Systems...
  • Page 181: Report Sorting Options

    • Medium Severity • Low Severity • Total Vulnerabilities Vulnerability by OS • OS Name • High Severity • Medium Severity • Low Severity • Total Vulnerabilities Table 66: Sorting options IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 182 Severity • Status Vulnerability Names By Asset • DNS Name Vulnerability Summary By Asset • IP Address Vulnerable Assets • Asset Criticality • Asset Name • DNS Name • IP Address Table 66: Sorting options (Continued) IBM Internet Security Systems...
  • Page 183: Chapter 13: Tracking And Remediation

    Scanner with the ticketing feature in SiteProtector to manage tracking and remediation. In this chapter This chapter contains the following topics: Topic Page Ticketing and Enterprise Scanner Possible Scenarios Overview of the Remediation Process Remediation Tasks IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 184: Ticketing And Enterprise Scanner

    Note: however, SiteProtector saves a copy of each ticket you create. For detailed Ticketing is a SiteProtector feature, managed through the SiteProtector Console. Refer to information about the SiteProtector documentation for detailed information about ticketing. ticketing IBM Internet Security Systems...
  • Page 185: Possible Scenarios

    Run a discovery scan for the range of IP addresses for active assets. Identify Action plan: any assets running unapproved or outdated operating systems. Create a ticket to locate assets that are out of compliance, and update their operating systems. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 186: Overview Of The Remediation Process

    24 hours to verify completion. If you do not want to modify the cycle duration for your background scans, you can run an ad hoc scan to verify and close tickets that are pending system verification. IBM Internet Security Systems...
  • Page 187: Remediation Tasks

    Shows a ticket priority of Critical, High, Medium, or Low. Responsibility Shows who is responsible for handling the ticket. Due Date Shows the date by which the responsible party must handle the ticket. Table 69: Ticket properties IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 188 Specify the number of records that appear in the report Format from five to ALL records. Show Graph Report Select this check box if you want a graph to appear on Format the report. Table 70: Ticketing report options IBM Internet Security Systems...
  • Page 189 When Enterprise Scanner completes a scan, the ticketing system can determine whether situations identified in earlier scans have been remedied. After a scan verifies that the situation has been resolved, SiteProtector closes the ticket. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 190 Chapter 13: Tracking and Remediation IBM Internet Security Systems...
  • Page 191: Chapter 14: Running Ad Hoc Scans

    This chapter contains the following topics: Topic Page Understanding How Ad Hoc Scans Use Policies Expected Behavior for Ad Hoc Scans Running an Ad Hoc Discovery Scan Running an Ad Hoc Assessment Scan IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 192: Understanding How Ad Hoc Scans Use Policies

    Policy inheritance for ad hoc scans works as follows: Discovery scans run against only the group for which they are defined. ● Assessment scans run against the group for which they are defined and every ● subgroup that inherits the assessment policy. IBM Internet Security Systems...
  • Page 193: Expected Behavior For Ad Hoc Scans

    If you start the scan when the scan window is closed, the scan must wait for a scan window to open before it can run. • Ad hoc scans pause during closed scan windows. Table 71: Ad hoc scans and scan windows IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 194 If you configure a three-hour ad hoc scan to start one hour before the end of a Example: refresh cycle, the scan continues to run without regard to the change in refresh cycles. IBM Internet Security Systems...
  • Page 195: Running An Ad Hoc Discovery Scan

    A red box appears around the IP range(s) to scan box until the data is Note: validated. 10. Click OK. The ad hoc discovery scan appears in the Command Jobs window. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 196: Running An Ad Hoc Assessment Scan

    11. Configure the policy the same way as you would configure the background Assessment policy. (See “Defining Assessment Details Introduction (Assessment Policy)” on page 100.) 12. Click OK. The ad hoc assessment scan appears in the Command Jobs window. IBM Internet Security Systems...
  • Page 197: Part V: Maintenance

    Part V Maintenance...
  • Page 199: Overview

    Options for Backing up Enterprise Scanner Backing Up Configuration Settings Using Full System Backup Files Acquiring Your Enterprise Scanner Licenses Preparing to Reinstall an Enterprise Scanner Agent Reinstalling an Enterprise Scanner Agent IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 200: Chapter 15: Performing Routine Maintenance

    4. When you see the Connect to your_appliance_name window, type your Proventia Manager User name ( admin ) and the Password you configured for that user name. The Proventia Manager Home window appears. IBM Internet Security Systems...
  • Page 201: Shutting Down Your Enterprise Scanner

    It may take a while for Java to initialize the first time you do this. Note: 3. Select System on the navigation pane, and then select Tools. 4. Click SHUT DOWN. The application shuts down and the appliance is turned off. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 202: Removing An Agent From Siteprotector

    7. If you want to shut down the application and turn off the appliance, click → System Tools on the navigation pane, and then click SHUT DOWN. The application shuts down and the appliance is turned off. IBM Internet Security Systems...
  • Page 203: Options For Backing Up Enterprise Scanner

    If you do not perform these steps, Proventia Manager may behave Important: unpredictably. Date of last system The System Status information on the Home page includes the date of the last backup in backup the Last System Backup field. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 204: Backing Up Configuration Settings

    4. Type the name of the settings snapshot file in the Snapshot file to Upload field, or click Browse to select the file. 5. Click Upload. The settings snapshot file appears in the Settings Backup table. IBM Internet Security Systems...
  • Page 205 3. In the Settings Backup table, select the settings snapshot file to delete. 4. Click Delete. To delete multiple settings snapshot files, press the key, select each file, and Tip: CTRL then click Delete. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 206: Using Full System Backup Files

    The IP address for the agent is unavailable during the backup process, and you Note: cannot access the Proventia Manager in the browser window. 4. Close all Web browser windows. 5. Clear your Java cache. For instructions about clearing the Java cache, refer to your operating Reference: system documentation. IBM Internet Security Systems...
  • Page 207: Acquiring Your Enterprise Scanner Licenses

    An agent that is an appliance, such as Enterprise Scanner, comes with a serial number. and OneTrust That serial number is associated with your IBM ISS customer ID, and your IBM ISS licensing customer ID identifies your licenses. You must acquire the licenses associated with your agent’s serial number, using one of the options described below.
  • Page 208: Preparing To Reinstall An Enterprise Scanner Agent

    Drive IDE CD-ROM drive Serial port COM1 Table 74: PXE boot server requirements Certified hardware The following supported hardware for a PXE boot server has been certified by IBM ISS Quality Assurance: Intel PRO/100 ● Intel PRO/1000 ● Additional hardware The following hardware has not been certified for a PXE boot server, but should also...
  • Page 209: Reinstalling An Enterprise Scanner Agent

    4. Plug the DB9 connection of the blue RJ45-to-DB9 cable into the serial port on the back of the boot server computer. 5. Insert the IBM Proventia Network Enterprise Scanner Recovery CD into the CD drive of the boot server, and then reboot the boot server computer.
  • Page 210 2. Start a terminal emulation program using the following settings: Setting Value Baud rate 9600 Flow control Hardware Data bits Parity None Stop bits Emulation VT100 3. Restart the boot server computer. 4. Resume from the procedure that you were performing. IBM Internet Security Systems...
  • Page 211: Chapter 16: Updating Enterprise Scanner

    Introduction For the most accurate results, keep your Enterprise Scanner agents up-to-date with the latest firmware and assessment content X-Press Updates (XPUs). The IBM ISS XPU process provides flexible options for updating your agent. This chapter describes the following functions: configuring an agent for XPUs ●...
  • Page 212 Chapter 16: Updating Enterprise Scanner IBM Internet Security Systems...
  • Page 213: Section A: Understanding The Xpu Process

    This section provides background information about the XPU process and about using the XPU process with Enterprise Scanner. In this section This section contains the following topics: Topic Page XPU Basics Updating Options Consoles to Use for XPUs XPU Configuration Settings IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 214: Xpu Basics

    Assessment content An update that contains security content. Table 75: Contents of firmware and assessment content updates Update locations Table 76 describes the two locations that the IBM ISS X-Press Update process can use to update your agent: Update Location Description IBM ISS Download Center The default location for XPUs for all IBM ISS products.
  • Page 215: Updating Options

    You can troubleshoot and roll back updates from Proventia Manager on the agent, Note: but not from SiteProtector. “Using Full System Backup Files” on page 206. Reference: IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 216: Consoles To Use For Xpus

    1. Start the Proventia Manager in a Web browser. 2. Select Updates on the navigation pane. SiteProtector Console 1. Open a tab with the policy view. 2. Open the Update Settings policy for the agents to change. Table 79: Consoles to use for updates IBM Internet Security Systems...
  • Page 217: Xpu Configuration Settings

    Do not attempt to edit the default values in the Advanced Parameters tab (or Important: page, in Proventia Manager) unless you are working with IBM ISS Technical Support personnel. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 218 Chapter 16: Updating Enterprise Scanner IBM Internet Security Systems...
  • Page 219: Section B: Configuring The Xpu Environment

    In this section This section contains the following topics: Topic Page Configuring Explicit-Trust Authentication with an XPU Server Configuring an Alternate Update Location Configuring an HTTP Proxy Configuring Notification Options for XPUs IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 220: Configuring Explicit-Trust Authentication With An Xpu Server

    ( server-rsa.crt ), and then paste it into the following directory on the agent: /var/spool/leafcerts/ 3. Rename the certificate file using the following format: IPAddress_port.pem The port for the XPU Server is 3994. Enterprise Scanner recognizes the XPU Note: Server by the IP address. IBM Internet Security Systems...
  • Page 221: Configuring An Alternate Update Location

    Configuring an Alternate Update Location Introduction By default, an agent receives updates from the IBM ISS Download Center. If you prefer, you can update your agent from a locally managed SiteProtector X-Press Update Server (XPU Server) instead. The SiteProtector XPU Server mirrors and caches updates from the IBM ISS Download Center.
  • Page 222: Configuring An Http Proxy

    Forces the agent to authenticate to the proxy server. Note: The User ID and Password are required. User ID/Password If authentication is enabled, the User ID and Password the agent uses to authenticate to the proxy server. IBM Internet Security Systems...
  • Page 223: Configuring Notification Options For Xpus

    ■ Alert Logging for Update Installation ■ Alert Logging for Update Errors ■ 3. Select the Enable Event Delivery to SiteProtector Console check box for each type of event to enable. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 224 Chapter 16: Updating Enterprise Scanner IBM Internet Security Systems...
  • Page 225: Section C: Scheduling Updates And Manually Updating An Agent

    “Acquiring Your Enterprise Scanner Licenses” on page 207. Reference: In this section This section contains the following topics: Topic Page Update Process Scheduling a One-Time Firmware Update Configuring Automatic Downloads and Updates Manually Installing Updates IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 226: Update Process

    The following table describes the stages of a typical, daily update process: Stage Description At 3:00 A.M., the agent checks the IBM ISS download center for updates. The agent downloads assessment content and firmware updates. The agent installs assessment content updates immediately.
  • Page 227: Scheduling A One-Time Firmware Update

    If you want to install all Then select… versions up to… the most recent version All Available Updates. a specific version number Up To Specific Version, and then type the version in the Version box. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 228: Configuring Automatic Downloads And Updates

    Automatically Download Automatically downloads any new assessment content updates. Automatically Install Automatically installs any new assessment content updates. 5. If you want the agent to automatically download firmware updates, select Automatically Download in the Firmware Updates section. IBM Internet Security Systems...
  • Page 229 If you select this option, the agent installs the update as soon as it discovers that an update is available. Note: You should not use this option, as it could cause the agent to restart while a scan is in progress. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 230: Manually Installing Updates

    If you want to see the list of updates before you install them, click View Details, Tip: and then click Install Assessment Scanner Updates. 8. After the update process has finished, check the Update History to make sure that all the updates installed successfully. IBM Internet Security Systems...
  • Page 231: Chapter 17: Viewing Agent Status

    This chapter contains the following topics: Topic Page The Proventia Manager Home Page Viewing Status in the SiteProtector Console Viewing Agent Status Viewing Application Diagnostics Viewing System Status Viewing System Diagnostics IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 232: The Proventia Manager Home Page

    Last Restart The time the agent was last restarted. The time is given in the following format: • yyyy-mm-dd • hh:mm:ss Example: 2004-05-04 16:24:37 Table 86: System status icons IBM Internet Security Systems...
  • Page 233 Table 86: System status icons (Continued) Procedure To view agent status: 1. Log on to the Proventia Manager for your agent. (See page 200.) 2. Select Home on the navigation pane. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 234: Viewing Status In The Siteprotector Console

    Properties from the pop-up menu. 2. If you want to see system status, double-click Agent Status on the middle pane, and then select Agent Information. 3. If you want to see authentication status, double-click Agent Authentication on the left pane. IBM Internet Security Systems...
  • Page 235: Viewing Agent Status

    Refresh Now (manually refreshes the page) ● every 10 seconds ● every 20 seconds ● every 30 seconds ● every 1 minute ● every 2 minutes ● Auto Off (disables automatic refreshing) ● IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 236: Viewing Application Diagnostics

    The Application Diagnostics page in Proventia Manager contains descriptions of modules in Enterprise Scanner. It also provides information about the modules that may be helpful to IBM ISS Customer Support if you need to contact them about a problem. Procedure To view application diagnostics: 1.
  • Page 237: Viewing System Status

    1. Log on to the Proventia Manager for your agent. (See page 200.) 2. Select System on the navigation pane. 3. If you want to refresh the status information, select a refresh option from the Refresh Data list. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 238: Viewing System Diagnostics

    Viewing System Diagnostics Introduction The System Diagnostics page in Proventia Manager provides information about your agent that may be helpful if you need to contact IBM ISS Customer Support about a problem. It contains the following categories of information: Processes ●...
  • Page 239: Overview

    Viewing Different Types of Alerts Downloading an Alert Log Clearing the Alerts Log Viewing ES and System Logs Viewing ES Logs Downloading ES Log Files System Log Descriptions Getting Log Status Information Changing Logging Detail IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 240: Chapter 18: Enterprise Scanner Logs And Alerts

    Logs→System Logs. Table 90: Selecting alerts and logs in the Proventia Manager → a. This option is a shortcut to Logs Alerts, with Alert type preselected for Filter options and Enterprise Scanner preselected for Alert Type. IBM Internet Security Systems...
  • Page 241: Viewing Alerts

    Click the Up or Down arrows to view details of the previous or next alert. Tip: Viewing alert To view alert descriptions: descriptions Click the event information icon ● The X-Force Alert Description of the event appears. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 242: Viewing Different Types Of Alerts

    Type the IP address of the source of the alert and the IP address of the Destination IP destination for the alert in the Source IP and Destination IP boxes. Multiple Values Specify the filter values you want to use based on the descriptions above. IBM Internet Security Systems...
  • Page 243 Viewing Different Types of Alerts Filter Option For this filter option… Filter Off Removes filters. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 244: Downloading An Alert Log

    A menu prompts, “Are you sure you want to download the file?” 3. Click OK. 4. Select Save, and then click OK. 5. Navigate to the folder where you want to save the file. 6. Type a file name, and then click Save. IBM Internet Security Systems...
  • Page 245: Clearing The Alerts Log

    To download an Alert log file: 1. On the Alerts page in Proventia Manager, click Clear current Alerts from event log. 2. Click OK. 3. The agent clears the Alerts log. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 246: Viewing Es And System Logs

    Refreshing a log To refresh a log: On the ES Logs or System Logs page in Proventia Manager, select an option from the ● Refresh Data list. The agent refreshes the page to display the latest events. IBM Internet Security Systems...
  • Page 247: Viewing Es Logs

    To view the ES logs: 1. On the navigation pane in Proventia Manager, select Logs, and then select ES Logs. 2. Select a log to view in the Select Log list. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 248: Downloading Es Log Files

    The Log File Management page appears. 2. Do one of the following: Select a file to delete, and then click Delete. ■ Click Delete All. ■ A confirmation window appears. 3. Click OK. The file or files are deleted. IBM Internet Security Systems...
  • Page 249: System Log Descriptions

    Contains messages regarding the status of the ESM process. Table 95: Log file descriptions Procedure To view the System logs: On the navigation pane in Proventia Manager, select Logs, and then select System ● Logs. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 250: Getting Log Status Information

    Time of Last Alert The date and time the last alert was written to the log file. Table 96: Alert event log statistics Procedure To view log status information: On the navigation pane in Proventia Manager, select Logs. ● IBM Internet Security Systems...
  • Page 251: Changing Logging Detail

    ISS Technical Support Representative. To avoid setting log levels incorrectly, which can impact your scanning Important: performance and fill your disk with logs, make sure you work with your IBM ISS Technical Support Representative. Affected logs You can change the logging detail settings for these ES Logs: (Trace Log) ●...
  • Page 252 Chapter 18: Enterprise Scanner Logs and Alerts IBM Internet Security Systems...
  • Page 253: Glossary

    SiteProtector user group that has global permissions except full access to all functionality. assessment content—An update from the IBM ISS Center that contains security content. Assessment Credentials policy—A policy that defines authentication credentials used for accessing and assessing the Windows assets in a group.
  • Page 254 Event Collector to provide near real-time access to security data for troubleshooting. firmware—An update from the IBM ISS Center that contains new program files, fixes or patches, enhancements, or online Help.
  • Page 255 Notification policy—A policy that configures responses for the Enterprise Scanner agent. OneTrust Infrastructure—Provides the license for the appliance and provides updates for firmware and assessment content updates. operator—A user in the SiteProtector user group that has limited task ability. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 256 IBM ISS products, including the Enterprise Scanner appliance. SiteProtector Console—The interface where you perform all SiteProtector-related tasks. SiteProtector Database—The SiteProtector Database that stores security data generated by IBM ISS products. source IP—The source IP address for an alert sent to the SiteProtector Console.
  • Page 257 Ungrouped Assets group that need to be assigned to asset groups. vulnerability assessment—The processess of finding vulnerabilities that identify weaknesses in the network and hosts. Web Access—A Web-based, read-only version of the SiteProtector Console. IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 258 Glossary IBM Internet Security Systems...
  • Page 259: Index

    SiteProtector Console, in authentication agent status configuration levels Proventia Manager, in credentials SiteProtector Console, in SiteProtector, with alerts (notifications) downloading viewing Alternate Update Server tab in Update Settings policy application fingerprinting configuring IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 260 Enterprise Security Platform (ESP) initial settings error conditions management network interface (eth0) ESM policy nameservers configuring Proventia Setup Assistant defining perspective scanning network interface (eth1) description of console inheritance of management Proventia Manager Proventia Setup Assistant SiteProtector IBM Internet Security Systems...
  • Page 261 Internet Scanner Internet Scanner, from Enterprise Scanner, compared with Proventia Network Enterprise Scanner Policy Migration migration from Utility IP addresses model number excluding from a scan nameservers network interfaces management (eth0) IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 262 (and alerts) in downloading password types of purpose of viewing System Diagnostics Page NTP (Network Time Protocol) Proventia Network Enterprise Scanner Policy Migration Utility Proventia Network Enterprise Scanner Quick Start Card Proventia Setup Assistant one-time updates Proxy Server OneTrust...
  • Page 263 Status, column in Assessment policy verification scans stopping a job subgroup, and policy inheritance subtasks defining IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
  • Page 264 SiteProtector Console Target type, column in Assessment policy Vulnerability ID, column in Assessment policy TCP services, discovering vulnerability management technical support, IBM Internet Security Systems asset-centric terminal emulation Vulnerability, column in Assessment policy installation, during reinstallation, during...
  • Page 265 1. License - The Software is provided in object code and is licensed, not sold. Upon your payment of the applicable fees and ISS' delivery to you of the applicable license notification, Internet Security Systems, Inc., an IBM Company ("ISS") grants to you as the only end user ("Licensee") a nonexclusive and nontransferable, limited license for the accompanying Software, for use only on the specific network configuration, for the number and type of devices, and for the time period ("Term") that are specified in ISS' quotation and Licensee's purchase order, as accepted by ISS.
  • Page 266 ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE'S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE BETA PRODUCT LICENSE BY WRITTEN NOTICE TO ISS. 5. Evaluation License - If ISS is providing Licensee with the Software, security content and related documentation on an evaluation trial basis at no cost, such license Term is 30 days from installation, unless a longer period is agreed to in writing by ISS.
  • Page 267 injury, or severe physical or property damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the foregoing disclaimers and hereby waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom. 17.

Table of Contents