IBM Proventia Network Enterprise Scanner User Guide Version 1.3 IBM Internet Security Systems...
Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
Overview Introduction This is the User Guide for the IBM Proventia Network Enterprise Scanner appliance (Enterprise Scanner) from IBM Internet Security Systems, Inc. (IBM ISS), which includes the following models: the ES750 and the ES1500. The Enterprise Scanner appliance is a vulnerability detection agent that is designed for the enterprise customer.
Context-sensitive Help that contains procedures for tasks you perform in the Proventia Manager and in the SiteProtector Console.
The SiteProtector system documents: Documents available on the IBM ISS Web site that provide information about using the SiteProtector system and the SiteProtector Console.
You manage your Enterprise Scanner agent through a SiteProtector Console.
The SiteProtector system: The information in this guide about the SiteProtector system refers to Proventia Management SiteProtector 2.0, Service Pack 6.1 (SiteProtector DBSP 6.31).
Preface
Getting Technical Support
Introduction: IBM ISS provides technical support through its Web site and by email or telephone.
The IBM ISS Web site: The IBM Internet Security Systems (IBM ISS) Resource Center Web site (http://www.iss.net/support/) provides direct access to online user documentation, current...
East, and Africa
Asia-Pacific, Australia, and the Philippines: (1) (888) 447-4861 (toll free), (1) (404) 236-2700; support@iss.net
Japan: Domestic: (81) (3) 5740-4065; support@isskk.co.jp
Table 4: Contact information for technical support (Continued)
Overview Introduction Enterprise Scanner is the assessment component of the IBM Proventia Enterprise Security Platform. Enterprise Scanner is based on a model in which vulnerability detection is treated like a continuous network monitoring task rather than the ad hoc scanning model used by earlier vulnerability management systems.
When to use application fingerprinting: Application fingerprinting is especially useful in the following cases:
● You know that some applications on the network communicate over non-standard ports.
This capability allows X-Force to create new vulnerability checks for non-network exposed services, similar to the current Windows patch checks. For more information about SSH, go to http://www.openssh.com/ To configure SSH, see “Defining Assessment Credentials (Assessment Credentials Policy)” on page 94.
Chapter 1: Introduction to Enterprise Scanner Key Concepts Introduction Enterprise Scanner is the next generation scanning appliance from IBM ISS. As a component of the Enterprise Security Platform, Enterprise Scanner delivers true enterprise scalability and scanning load balancing. Designed to run on Linux, Enterprise Scanner delivers the core functionality necessary in today's enterprise environments.
● You define hours of the day (scanning windows) during which scanning is allowed.
● You identify critical assets that require priority attention.
● You define locations of agents and perspectives to scan assets as network locations.
Internet Scanner to Enterprise Scanner.
Migration tools: To migrate policies from Internet Scanner to Enterprise Scanner, download the IBM Proventia Network Enterprise Scanner Policy Migration Utility and instructions from the IBM ISS Download Center.
Using Internet Scanner with...: You can use Internet Scanner with Enterprise Scanner, which you may want to do as you migrate from Internet Scanner.
Figure 1: Enterprise Scanner architecture
Network interfaces: Enterprise Scanner uses network interfaces as follows:
Interface: Purpose
Management: To communicate with the SiteProtector system.
Scanning: To communicate with assets.
Table 6: Management and scanning interfaces
The user’s Web browser. Inbound on 22 TCP An SSH shell on a user’s computer. Scanning Any TCP outbound The assets being scanned by the agent. Any UDP Any ICMP Table 7: Port usage for Enterprise Scanner
Note: You can configure automatic downloading and installation of updates through the SiteProtector Console or through your Agent Manager. Updates are available either through the IBM ISS Download Center or from a locally managed Update Server.
User interfaces: You can access and view information gathered by the Enterprise Scanner through one or...
Introduction The SiteProtector system is a centralized management system that provides command, control, and monitoring capabilities over all of your IBM Internet Security Systems (IBM ISS) products, including the Enterprise Scanner appliance. The SiteProtector system documentation provides thorough descriptions of all of its components. This topic provides brief descriptions of the components that affect Enterprise Scanner users the most.
Setting Up Your Appliance for Initial Configuration
Configuring Appliance-Level Settings
Configuring Explicit-Trust Authentication with an Agent Manager
Registering Enterprise Scanner to Connect to the SiteProtector System
Logging On to the SiteProtector Console
If you do not intend to install multiple agents, you can use the default, Global perspective.
Reference: For a complete explanation of perspective, see “What is Perspective?” on page 124, “Defining Perspectives” on page 125, and “One Way to Use Perspective” on page 126.
Note: Some XPUs may apply to the SiteProtector system components, such as to the SiteProtector database.
● To find the list of known issues, log on to the IBM ISS Knowledgebase ( http:// ), and then search the knowledgebase for Answer ID 3442.
81 and Chapter 7, "Configuring Discovery and Assessment Policies" on page 97.
Set up the SiteProtector system for vulnerability management: Chapter 12, "Interpreting Scan Results" on page 167.
Table 11: Stages of installation and configuration (Continued)
6. Start your terminal emulation program with the following settings:
Setting: Value
Baud rate: 9600
Flow control: Hardware
Data bits
Parity: None
Stop bits
Emulation: VT100
Chapter 2: Installing and Configuring an Agent
7. Turn on the appliance. Initialization messages appear in the window.
Note: If messages do not appear after the appliance starts, press the ENTER key.
8. Go to “Configuring Appliance-Level Settings” on page 33.
The Welcome to the Proventia Manager Setup Wizard screen appears.
4. Press ENTER to advance to the next screen.
5. Press the SPACE BAR to select I accept (End User License Agreement for IBM ISS), press DOWN ARROW to select Next, and then press ENTER.
6.
■ If you want to configure explicit trust with your Agent Manager, go to “Configuring Explicit-Trust Authentication with an Agent Manager” on page 35.
■ If you want to continue setting up your appliance, go to “Registering Enterprise Scanner to Connect to the SiteProtector System” on page 37.
Agent Manager certificate
1. Locate the computer that hosts your SiteProtector Agent Manager, and then locate the folder where the Agent Manager is installed.
Note: The default location is C:\Program Files\ISS\SiteProtector\Agent Manager
■ To configure a new Agent Manager, complete the process as explained in “Registering Enterprise Scanner to Connect to the SiteProtector System” on page 37.
■ To change an existing Agent Manager, click OK, and then click Save Changes.
6. Reboot the appliance.
The Proventia Manager Home window appears.
5. Click System on the navigation pane, and then click Management → Registration.
Note: It may take a while for Java to initialize the first time you do this.
Note: The default port number is 3995. If you change the default port number, you must also configure the port number locally on the SiteProtector Agent Manager.
Account Name: The account name for the Agent Manager.
After the first heartbeat, your agent appears in the SiteProtector system in the group you designated.
Note: This operation may take several minutes. Wait until this page is refreshed in your browser before you continue.
Port box.
4. Type your SiteProtector User name.
Note: If your user name is part of a domain, use the following format: domain_name\user_name
5. Type your Password.
6. Click OK. The Site Manager appears.
Table 14: How to use Tips
In this chapter: This chapter contains the following topics:
Basic Concepts
Finding Your Agent, Assets, and Policies in the SiteProtector System
Running Ad Hoc Scans
Chapter 3: Running Your First Scans
Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans
Background Scanning Overview
Background Scanning Process
This topic explains basic concepts about your Enterprise Scanner agent that you need to know before you begin. Keep these in mind as you work with the agent. If you have used the IBM ISS Internet Scanner application, some of the differences are significant. Types of scans...
CorporateScanningGroups group. Illustration Figure 2 illustrates the location of the groups for the Enterprise Scanner agent and the assets to scan for the examples in this chapter: Figure 2: Groups used in scanning examples
Important: The examples in this chapter use a user-defined perspective, Corporate. Where the perspective in the examples is Corporate, your perspective should appear as Global. For more information about setting up a perspective, see pages 124–126.
2. Right-click the group, and then select Scan from the pop-up menu. The Scan window appears. Figure 3: Window for selecting ad hoc or background scanning 3. Select Network Enterprise Scanner/Ad-Hoc Scan, and then click OK. The Remote Scan window appears.
■ Select the Wait for discovery scan to complete before scheduling assessment scan check box.
7. Leave the perspective in the Perform one-time scan from this perspective list at its default setting, Global.
IP range(s) to scan box as follows:
■ Type an IP address, and then press ENTER (or type a comma).
■ Type a range of IP addresses, and then press ENTER (or type a comma).
The system schedules an ad hoc discovery scan job in the Command Jobs window in the SiteProtector system. The ad hoc assessment scan does not run until the ad hoc discovery scan has finished.
Tip: The status starts out as Pending, may go back-and-forth between Idle and Processing until it finishes, and then its status is Completed.
Tip: For more information about how scan jobs run and how to find information about them, see Chapter 10, "Monitoring Scans" on page 135.
Assets discovered by an Enterprise Scanner agent have a default criticality of Unassigned. For information about assigning criticality to assets, see “Scan Jobs and Related Terms” on page 127.
Tip: For more information about how scan jobs run and how to find information about them, see Chapter 10, "Monitoring Scans" on page 135.
7. After the job has finished, select the Analysis view, and then select the group.
Vuln Analysis - Detail view.
Figure 11: View of vulnerability details in the CorporateScanningGroups Group
Tip: If the events do not appear, adjust display parameters, such as the Start and End times.
These instructions guide you through the process without explaining every detail. If you are interested in the details, refer to the information in the Tips for different steps. If you are not interested in the details, you can ignore the tips.
Tip: Enterprise Scanner policies may apply to one or more versions, as indicated in the policy view. If you use multiple agents at different versions that do not share the same policy, you must define separate policies for each version.
■ Type a range of IP addresses, and then press ENTER (or type a comma).
Example: 172.1.1.100-172.1.1.200
Tip: Discovery policies cannot be inherited from a parent. Each group must have its own Discovery policy.
Tip: Assessment policies for subgroups are inherited from a parent group if the assessment policy is defined for the parent group. If the policy is inherited, it displays the parent’s name in the group’s policy list.
Figure 15: The Scan Window policy for the CorporateScanningGroups group
Tip: Scan window policies are inherited by default from a parent group if the Scan window policy is defined for the parent group.
4. Select the Discovery Windows tab.
1. On the navigation pane, select the group to scan.
2. Right-click the Scan Control policy, and then select Override from the pop-up menu.
10. Leave the perspective in the Perform background scans from this perspective list at its default setting, Global.
Tip: A customized perspective allows you to limit the portion of the network from which a given sensor can operate. For more information about using perspective, see
5. You can view the Details and Activities tabs for the job just as you did for the ad hoc scans. (See “Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans” on page 50.)
6. If you want to disable background assessment scans, in the Background Assessment section, clear the Enable background assessment scanning of this group check box. 7. From the Action menu, click Save All. 8. Click OK.
In this chapter: This chapter contains the following topics:
Enterprise Scanner Permissions
Enterprise Scanner User Groups
Considerations for Enterprise Scanner Permissions
Creating User Groups in the SiteProtector System
Changing Group Permissions
Scan Control policy, which enables background scanning.
Proventia Manager: Whether you can launch Proventia Manager from the SiteProtector Console.
Scan Window Policy: Whether you can view and/or modify the policy.
Table 18: Enterprise Scanner Group permissions
Enterprise Scanner scans. If those users try to run a scan, they receive an error message that the scan cannot be run because a policy is not defined.
When you import assets before you set up asset groups, the SiteProtector system puts the assets in the Ungrouped assets folder. To assign permissions to ungrouped assets, you must use the global permission, Managing Ungrouped Assets.
7. Select the name in the list you want to add to the User Group, and then click OK. The user or group is added to the SiteProtector User Group and is granted all the permissions granted to that User Group.
6. To change the owner of this group, type all or part of the user name or group in the Change Owner box, and then click Check Names. 7. Select the new owner, and then click OK to return to the Advanced Properties window. 8. Click OK.
Contents of Asset and Agent Policies
Viewing Asset and Agent Policies
Descriptions of Asset Policies
Descriptions of Agent Policies
Policy Inheritance with Enterprise Scanner Policies
Policy Inheritance with Agent Policies
Policy Inheritance with Asset Policies
● Likewise, you could remove an agent from a pool, and the agents that remain would continue to share the work load assigned to that pool.
Figure 18 illustrates how asset and agent policies are grouped with the agent or the group of assets to which they apply in the SiteProtector Console: Figure 18: Enterprise Scanner asset and agent policies in a SiteProtector Console
6. Do one of the following:
■ To view all policies, select All from the Mode list.
■ To view asset policies, select Asset from the Mode list.
■ To view agent policies, select Agent from the Mode list.
You can have only one Network Locations policy. It defines perspectives that are used by all agents and assets at the Site. It appears once for the Site at the Site Group level.
Introduction The inheritance properties of policies enable you to set up your scanning environment in a hierarchical group structure. Even if you understand policy inheritance with other IBM ISS agents, you should understand the slight variations with Enterprise Scanner policies.
The Notification and Update Settings policies appear on the left pane under A_Group_Name Cancun, indicating that they are defined for the Cancun group. The Inheriting From column on the right pane confirms that the agent inherits the policies from Cancun. Table 25: Agent policy inheritance indicators
Exclusion policies defined at a higher level, but neither policy is defined in the agent’s group structure. The Network Services policy is defined at the Cancun level. A_Group_Name Table 26: Asset policy inheritance indicators
Chapter 5: Introduction to Enterprise Scanner Policies
Example Figure 21 illustrates a two-week scanning refresh cycle that has different scan windows for weekdays and for each day of the weekend. In this example, scans can run from 10:00
For each subgroup, you could define different scan windows to control the amount of scanning on different parts of your network at different times. For more about policy inheritance, see “Policy Inheritance with Enterprise Scanner Policies” on page 77.
Therefore, the changes apply to only that ad hoc scan and do not affect configured background scans.
Table 29: Changes to Assessment and Discovery policies
1:00 A.M. until 3:00 A.M. on the first day of the next refresh cycle. Table 31: Examples of scan windows and refresh cycles with ad hoc scans
See “Defining Assessment Credentials (Assessment Credentials Policy)” on page 94. Apply a Scan Control policy to the group (either directly or through inheritance from a higher group). See “Enabling Background Scanning (Scan Control Policy)” on page 87. Table 33: Checklist for background discovery scanning
• months
Current cycle start date: The beginning date of the current refresh cycle. (Display only.)
Next cycle start date: The beginning date of the next refresh cycle. (Display only.)
Perform background scans from this perspective (Network location) box.
Tip: If you have not yet defined the perspective, click the Configure Network Location icon to open the Network Locations policy (See page 112.) and define a new perspective.
2. On the navigation pane, select a group, and then open the Scan Window policy for that group.
3. Select the Discovery Windows tab or the Assessment Windows tab.
Note: Scanning hours are selected; non-scanning hours are not selected.
Eastern time zone but scanning assets in the Pacific time zone. You would define your scanning hours according to the considerations of the Pacific time zone, and then set your appliance to the Pacific time zone.
■ Type a range of IP addresses, and then press ENTER (or type a comma).
Example: 172.1.1.100-172.1.1.200
Note: A red box may appear around the Excluded Hosts box as you type until the data is validated.
Default settings The IBM ISS X-Force defines the default Network Services policy and may update the policy in an X-Press Update (XPU). The default policy applies to all groups that do not override it. The service names defined in the policy are referenced as target types in Enterprise Scanner check definitions.
■ To add a service, click the add icon.
■ To modify a service, select the service, and then click the modify icon.
■ To delete a service, select the service, and then click the delete icon.
Directory Domain. The account will be used to attempt logon to all Windows devices within the Active Directory domain. When you choose this option, you must provide the Active Directory Domain name in the Domain/Host box.
Account Level: One of the following: • Administrator • User • Guest
Caution: To avoid inadvertently locking out an account, do not add an account more than once.
5. Click OK.
Scan Window policy for the scanning is allowed group to scan Windows and the Assessment Windows. Table 34: Key scanning parameters a. For guidance in determining the size of subtasks, see “Considerations for Subtask Sizes” on page 111.
How Policies Apply to Discovery and Assessment Scans
Defining Assets to Discover (Discovery Policy)
Defining Assessment Details Introduction (Assessment Policy)
Description of Check Information (Assessment Policy)
Grouping and Displaying Checks (Assessment Policy)
Defining Common Assessment Settings (Assessment Policy)
Table 36 identifies which asset policies apply to discovery scans, which apply to assessment scans, and which apply to both: Policy Discovery Assessment Assessment Assessment Credentials Discovery Network Locations Network Services Scan Control Scan Exclusion Scan Window Table 36: Asset policies that affect discovery and assessment scans
6. If you want to add previously known assets that are already defined in other groups to the scan group, select the Add previously known assets to group (if not already in group) check box.
Note: This check box is enabled by default.
You can change the ad hoc version of the policy without changing the saved background version.
Policy contents: An Assessment policy includes the following information:
● a list of assessment checks
● check-specific configuration parameters
● common assessment settings that define additional scanning behavior
Note: The impact of None indicates that the check does not create a denial-of-service (DoS) situation on an asset.
Info: A link to the IBM ISS Web site location of up-to-date remedy information for the assessment checks.
No target result...
XPU added: The Assessment Content XPU in which the check was added.
XPU updated: The Assessment Content XPU in which the check was last updated.
Table 38: Check grouping definitions (Continued)
2. On the navigation pane, select a group, and then open the Assessment policy for that group. 3. Do any of the following: If you want to sort a column… Then… that is not sorted click the column heading.
All Columns list to the Group By These Columns list in the order you want to group by. Note: If the column you want to group by is not available, add it, and then try again.
2. Double-click the group level node. 3. Select or clear the Enable check box to enable or disable all the checks in the group.
Help HTML Prefix The location of the assessment check Help, specified as one of the following: • the IBM ISS Web site that contains the up-to-date assessment check documentation • the location of a locally stored version of the documentation.
Fingerprint applications and run checks that apply to specific application (e.g., apache) Identifies applications communicating over specific ports, and then runs checks that apply only to the application identified. This option identifies applications communicating over non-standard ports.
Temporary Lockout Allowed is enabled. When temporary lockout is allowed, password guessing checks are run only against assets whose lockout policy disables locked out accounts for no more than the maximum allowed lockout time.
Defining Alert Logging (Notification Policy)
Defining Agent Passwords (Access Policy)
Defining Agent Interfaces (Networking Policy)
Defining the Date and Time Settings of the Agent (Time Policy)
Defining Services to Run on the Agent (Services Policy)
The name of the network location to associate with this scanning port. Values: Global, the default, and any network locations defined in the Network Locations policy
a. For more information, see “Considerations for Subtask Sizes” on page 111.
If the default settings allow you to scan all of your assets once per cycle within the scan windows you have defined, then you should not need to change the default settings.
Note: The policy is listed just below the Site.
3. Select the Network Locations tab, and then click the Add Network Location icon.
4. Type the perspective name in the Network Location Name box, and then click OK.
■ Alert Logging for System Warning Events
■ Alert Logging for System Informative Events
5. Select the Enable Event Delivery to SiteProtector Console check box for each type of event to enable.
Enable bootloader password check box.
Caution: If you enable the Bootloader password, you must be connected to the agent with a serial connection and supply a password to back up or to restore the agent.
4. Configure the DNS servers and search paths as follows:
Field: Description
Primary DNS Server: The primary nameserver to use for resolving DNS names.
Secondary DNS Server: The secondary nameserver to use for resolving DNS names.
5. Click the Add icon to add a domain name to your DNS search path, type the Domain Name, and then click OK. 6. If you want to change the order of the domains in your DNS search path, select the domain, and then click either the up or the down arrow.
Important: To ensure that the agent starts to use NTP time immediately, you must refresh the agent. If you do not refresh the agent, NTP time does not take effect until
SiteProtector. If you cannot save this policy and refresh the agent immediately, set the time as described above in Steps 4 and 5 in the “Changing the date and time” procedure before you save the policy.
4. In the SSH section, do one of the following:
■ To enable SSH, select the Enabled check box.
■ To disable SSH, clear the Enabled check box.
5. Click Save Changes.
Chapter 8: Defining Agent Policies
Defining Perspectives
One Way to Use Perspective
Scan Jobs and Related Terms
Types of Tasks
Priorities for Running Tasks
Stages of a Scanning Process
Optimizing Cycle Duration, Scan Windows, and Subtasks
If you add an agent perspective to a perspective that is not logical for that agent, Enterprise Scanner is not able to determine that you have made a mistake.
Table 42: Perspectives in policies Illustration Figure 23 illustrates the relationships between perspectives and policies described in Table 42: Figure 23: Network locations in the ESM, Network Locations, and Scan Control policies
■ One group contains assets to scan from inside the firewall.
■ One group contains assets to scan from the DMZ.
5. Set up a scan control policy for each asset group, assigning the asset groups to the perspective from which you want to scan.
Because tasks run in units determined by subtask size, Enterprise Scanner can run subtasks that can run to completion during an open scanning window.
IP addresses allowed per subtask. Assessment 1 job-level task 1 parent task 1 base task for each group 1 scanning task for each asset criticality level represented in each group Table 45: Tasks per type of scan
Criticality of assets in assessment scans: To ensure the best protection for your most critical assets, your agent scans tasks in order of criticality from highest to lowest.
Table 46: Reasons for task prioritization
The example in Figure 25 contains an assessment task for each asset criticality level. The order of the tasks in the Remote Scan window does not reflect the order in which the tasks run. The tasks run in priority order from the highest criticality level to the lowest.
For ad hoc scans, until all the assets have been scanned. • For background scans, until all the assets have been scanned or until the scanning cycle ends, whichever occurs first. Table 47: The process of a scanning cycle
24 hours. If a refresh cycle is too short, it does not scan all of the assets during the cycle. If a scan window is too short to finish subtasks, it may rerun subtasks that were nearly complete. To achieve the optimal balance, do the following:
If your scans still do not finish in the time allowed, consider reducing the number of checks you run or adding another Enterprise Scanner agent to the perspective.
Chapter 9: Understanding Scanning Processes in SiteProtector
2. Select Command Jobs from the options on the left pane. The command jobs appear for the selected group.
Tip: If you enable viewing of subgroups (View → Include Subgroups), jobs for any subgroups of the Site or group you select also appear in the list.
The Progress column indicates the completion status of the job. Progress is shown by a progress bar and a percentage of completion. The percentage may decrease temporarily if you stop and restart a job that must rerun subtasks.
IP address of the asset currently being scanned.
Figure 28 is an example of an Activity tab for an ad hoc discovery scan:
Figure 28: The Activity tab for a discovery scan
1. Right-click a job in the Command Jobs window, and then select Open from the pop-up menu.
2. Click Results on the left pane. The Remote Scan window appears as in the example in Figure 29.
Job details: Figure 30 is an example of the job details for an ad hoc discovery scan:
Figure 30: Job details for an ad hoc discovery scan
Figure 31 is an example of the parent task details for an ad hoc discovery scan:
Figure 31: Parent task details for an ad hoc discovery scan
Scanning task details include parameters that control how the scan runs, including user-defined parameters. Figure 32 is an example of the scanning details for a task:
Figure 32: Scanning task details for an ad hoc discovery scan
Scan_Group_Name for hosts with was run.
Table 50: Subtask description
1. Right-click a job in the Command Jobs window, and then select Open from the pop-up menu.
2. Click Results on the left pane. The Remote Scan window appears as in the example in Figure 35.
Job details: Figure 36 is an example of the job details for an ad hoc assessment scan:
Figure 36: Job details for an ad hoc assessment scan
Figure 37 is an example of the parent task details for an ad hoc assessment scan:
Figure 37: Parent task details for an ad hoc assessment scan
Base assessment scan details: Figure 38 is an example of a Base Assessment Scan task for the CorporateScanningGroups group:
Figure 38: Base assessment scan details for an ad hoc assessment scan
Scanning task details: Scanning task details include parameters that control how the scan runs. Some of these are user-defined parameters.
Figure 39: Scanning task details for an ad hoc assessment scan
Chapter 10: Monitoring Scans
Suspending and Enabling All Background Scans; Minimum Scanning Requirements; Generally Expected Scanning Behaviors; Expected Scanning Behaviors for Ad Hoc Scans; Expected Scanning Behaviors for Background Scans; Identifying Error Conditions; Troubleshooting Tips
Important: Use the Pause option only when a job is in the Processing status. Pausing a job in any other status may cause problems if you try to Resume or Rerun the scan.
Table 52: Impact of stopping scans
If you resume the scan job, only incomplete subtasks run again, but they run in their entirety.
Note: If large subtasks must run again, the progress shown on your progress bar will drop back accordingly.
Table 53: Impact of restarting scans
■ If you want to enable scans, select the Enable background discovery/assessment scanning of this group check box in the Background Discovery and Background Assessment sections, for the type(s) of background scanning you want to define.
(or earlier) start date.
Table 55: Minimum scanning requirements
a. For detailed instructions about defining policies, see Chapter 6, "Defining Background Scans" on page 81.
● A change in processing order does not have to wait for an entire job to finish; scan priorities can cause changes in job processing order that take effect at the completion of the work assigned to a subtask.
Why did my ad hoc scan continue to run even when the refresh cycle started again?
Refresh cycles do not apply to ad hoc scans, so ad hoc scans continue to run even if a new refresh cycle starts.
The background scan will resume after the ad hoc scan has finished.
before the assessment scan begins
There is no need to create a separate assessment job for each subgroup since the assessment scan does not have to wait for the discovery job to finish before it can start.
Group_Name scan disabled, no scan being scheduled
No Discovery policy found for Group_Name. No scan being scheduled
No Assessment policy found for Group_Name. No scan being scheduled
Table 56: Messages in the Display Task Detail AA window
Text of Message
No hosts with criticality criticality_level in Group Group_Name - Scan not run
Error found in the discovery policy - scan will not be run
Table 56: Messages in the Display Task Detail AA window (Continued)
(See page 87.)
Table 57: Perspectives in policies
Important: No error is reported for this condition in the Remote Scan window.
Chapter 11: Managing Scans
OS Identification (OSID) in Enterprise Scanner; How OSID Is Updated; Viewing Vulnerabilities by Asset; Viewing Vulnerabilities by Object; Viewing Vulnerabilities by Detail; Viewing Vulnerabilities by Vuln Names; Assessment Reports; Assessment Report Descriptions; Report Sorting Options
• Total number of medium priority vulnerabilities on the operating system
• Total number of low priority vulnerabilities on the operating system
• Total number of vulnerabilities in all categories on the operating system
Table 58: Information portals for vulnerability management
5. If you want to remove portlets from a view, double-click the portlet in the Displayed list.
6. If you want to change the order in which portlets appear, select a portlet in the Displayed list, and then click Up or Down.
● IP address or range of IP addresses
● tag name
● object name
● observance type
You determine how many rows of incidents or exceptions you want to display in an analysis view in the Console options.
between Enterprise Scanner and Internet Scanner
If you want to make a valid comparison of OSID results between Enterprise Scanner and Internet Scanner, you must make sure that you provide equivalent log on access to accounts from both products.
● A scan from Enterprise Scanner with authenticated access reports an OSID for that asset.
Important: If you enter user-supplied OSIDs and do not meet either of the preceding conditions, you are responsible for maintaining any changes to the OSID.
Security issues that deny service or provide non-system information that could be used to formulate structured attacks on a target, but not directly gain unauthorized access.
Table 61: Vulnerability analysis–asset fields
Latest Event column. For example, if you apply this filter to the Event Name view, SiteProtector would apply criteria you specified to each Tag name (or row) that appears in the view.
Table 61: Vulnerability analysis–asset fields (Continued)
Event Name view, SiteProtector would apply criteria you specified to each Tag name (or row) that appears in the view.
Table 62: Vulnerability analysis–object fields
Name, if any, associated with an event.
Source Port: The port on which the vulnerability was detected.
algorithm-id: This is a check id used by IBM ISS to identify the check.
Table 63: Vulnerability analysis–detail fields
This is used by Enterprise Scanner to detail reasons for vulnerabilities. Examples of reasons: OS not vulnerable, Service behavior, and HTTP stream matched
result: Whether the vulnerability was found.
Table 63: Vulnerability analysis–detail fields (Continued)
Latest Event column. For example, if you apply this filter to the Event Name view, SiteProtector would apply criteria you specified to each Tag name (or row) that appears in the view.
Table 64: Vulnerability analysis–name fields
4. Select Reports on the left pane.
5. Right-click an instance of the report, and then select Open Report from the pop-up menu.
6. Follow the prompts to open the report file on your computer.
A list of vulnerabilities and their remedies for each asset. Asset
Vulnerability Summary by Asset: A list of vulnerabilities and their descriptions for each asset.
Vulnerable Assets: A list of assets by criticality for each vulnerability.
Table 65: Assessment report descriptions
• Medium Severity
• Low Severity
• Total Vulnerabilities
Vulnerability by OS
• OS Name
• High Severity
• Medium Severity
• Low Severity
• Total Vulnerabilities
Table 66: Sorting options
Severity
• Status
Vulnerability Names By Asset
• DNS Name
Vulnerability Summary By Asset
• IP Address
Vulnerable Assets
• Asset Criticality
• Asset Name
• DNS Name
• IP Address
Table 66: Sorting options (Continued)
Scanner with the ticketing feature in SiteProtector to manage tracking and remediation.
In this chapter: This chapter contains the following topics: Ticketing and Enterprise Scanner; Possible Scenarios; Overview of the Remediation Process; Remediation Tasks
Note: however, SiteProtector saves a copy of each ticket you create.
For detailed information about ticketing: Ticketing is a SiteProtector feature, managed through the SiteProtector Console. Refer to the SiteProtector documentation for detailed information about ticketing.
Action plan: Run a discovery scan for the range of IP addresses for active assets. Identify any assets running unapproved or outdated operating systems. Create a ticket to locate assets that are out of compliance, and update their operating systems.
24 hours to verify completion. If you do not want to modify the cycle duration for your background scans, you can run an ad hoc scan to verify and close tickets that are pending system verification.
Shows a ticket priority of Critical, High, Medium, or Low.
Responsibility: Shows who is responsible for handling the ticket.
Due Date: Shows the date by which the responsible party must handle the ticket.
Table 69: Ticket properties
Specify the number of records that appear in the report Format from five to ALL records.
Show Graph (Report Format): Select this check box if you want a graph to appear on the report.
Table 70: Ticketing report options
When Enterprise Scanner completes a scan, the ticketing system can determine whether situations identified in earlier scans have been remedied. After a scan verifies that the situation has been resolved, SiteProtector closes the ticket.
Chapter 13: Tracking and Remediation
This chapter contains the following topics: Understanding How Ad Hoc Scans Use Policies; Expected Behavior for Ad Hoc Scans; Running an Ad Hoc Discovery Scan; Running an Ad Hoc Assessment Scan
Policy inheritance for ad hoc scans works as follows:
● Discovery scans run against only the group for which they are defined.
● Assessment scans run against the group for which they are defined and every subgroup that inherits the assessment policy.
• If you start the scan when the scan window is closed, the scan must wait for a scan window to open before it can run.
• Ad hoc scans pause during closed scan windows.
Table 71: Ad hoc scans and scan windows
Example: If you configure a three-hour ad hoc scan to start one hour before the end of a refresh cycle, the scan continues to run without regard to the change in refresh cycles.
Note: A red box appears around the IP range(s) to scan box until the data is validated.
10. Click OK. The ad hoc discovery scan appears in the Command Jobs window.
11. Configure the policy the same way as you would configure the background Assessment policy. (See “Defining Assessment Details Introduction (Assessment Policy)” on page 100.)
12. Click OK. The ad hoc assessment scan appears in the Command Jobs window.
Options for Backing up Enterprise Scanner; Backing Up Configuration Settings; Using Full System Backup Files; Acquiring Your Enterprise Scanner Licenses; Preparing to Reinstall an Enterprise Scanner Agent; Reinstalling an Enterprise Scanner Agent
4. When you see the Connect to your_appliance_name window, type your Proventia Manager User name (admin) and the Password you configured for that user name. The Proventia Manager Home window appears.
Note: It may take a while for Java to initialize the first time you do this.
3. Select System on the navigation pane, and then select Tools.
4. Click SHUT DOWN. The application shuts down and the appliance is turned off.
7. If you want to shut down the application and turn off the appliance, click System → Tools on the navigation pane, and then click SHUT DOWN. The application shuts down and the appliance is turned off.
Important: If you do not perform these steps, Proventia Manager may behave unpredictably.
Date of last system backup: The System Status information on the Home page includes the date of the last backup in the Last System Backup field.
4. Type the name of the settings snapshot file in the Snapshot file to Upload field, or click Browse to select the file.
5. Click Upload. The settings snapshot file appears in the Settings Backup table.
3. In the Settings Backup table, select the settings snapshot file to delete.
4. Click Delete.
Tip: To delete multiple settings snapshot files, press the CTRL key, select each file, and then click Delete.
Note: The IP address for the agent is unavailable during the backup process, and you cannot access the Proventia Manager in the browser window.
4. Close all Web browser windows.
5. Clear your Java cache.
Reference: For instructions about clearing the Java cache, refer to your operating system documentation.
and OneTrust licensing
An agent that is an appliance, such as Enterprise Scanner, comes with a serial number. That serial number is associated with your IBM ISS customer ID, and your IBM ISS customer ID identifies your licenses. You must acquire the licenses associated with your agent’s serial number, using one of the options described below.
Drive: IDE CD-ROM drive
Serial port: COM1
Table 74: PXE boot server requirements
Certified hardware: The following supported hardware for a PXE boot server has been certified by IBM ISS Quality Assurance:
● Intel PRO/100
● Intel PRO/1000
Additional hardware: The following hardware has not been certified for a PXE boot server, but should also...
4. Plug the DB9 connection of the blue RJ45-to-DB9 cable into the serial port on the back of the boot server computer.
5. Insert the IBM Proventia Network Enterprise Scanner Recovery CD into the CD drive of the boot server, and then reboot the boot server computer.
2. Start a terminal emulation program using the following settings:
Setting: Value
Baud rate: 9600
Flow control: Hardware
Data bits
Parity: None
Stop bits
Emulation: VT100
3. Restart the boot server computer.
4. Resume from the procedure that you were performing.
Introduction: For the most accurate results, keep your Enterprise Scanner agents up-to-date with the latest firmware and assessment content X-Press Updates (XPUs). The IBM ISS XPU process provides flexible options for updating your agent. This chapter describes the following functions:
● configuring an agent for XPUs...
Chapter 16: Updating Enterprise Scanner
This section provides background information about the XPU process and about using the XPU process with Enterprise Scanner.
In this section: This section contains the following topics: XPU Basics; Updating Options; Consoles to Use for XPUs; XPU Configuration Settings
Assessment content: An update that contains security content.
Table 75: Contents of firmware and assessment content updates
Update locations: Table 76 describes the two locations that the IBM ISS X-Press Update process can use to update your agent:
Update Location: Description
IBM ISS Download Center: The default location for XPUs for all IBM ISS products.
Note: You can troubleshoot and roll back updates from Proventia Manager on the agent, but not from SiteProtector.
Reference: “Using Full System Backup Files” on page 206.
1. Start the Proventia Manager in a Web browser.
2. Select Updates on the navigation pane.
SiteProtector Console:
1. Open a tab with the policy view.
2. Open the Update Settings policy for the agents to change.
Table 79: Consoles to use for updates
Important: Do not attempt to edit the default values in the Advanced Parameters tab (or page, in Proventia Manager) unless you are working with IBM ISS Technical Support personnel.
In this section: This section contains the following topics: Configuring Explicit-Trust Authentication with an XPU Server; Configuring an Alternate Update Location; Configuring an HTTP Proxy; Configuring Notification Options for XPUs
(server-rsa.crt), and then paste it into the following directory on the agent: /var/spool/leafcerts/
3. Rename the certificate file using the following format: IPAddress_port.pem
Note: The port for the XPU Server is 3994. Enterprise Scanner recognizes the XPU Server by the IP address.
Configuring an Alternate Update Location
Introduction: By default, an agent receives updates from the IBM ISS Download Center. If you prefer, you can update your agent from a locally managed SiteProtector X-Press Update Server (XPU Server) instead. The SiteProtector XPU Server mirrors and caches updates from the IBM ISS Download Center.
Forces the agent to authenticate to the proxy server.
Note: The User ID and Password are required.
User ID/Password: If authentication is enabled, the User ID and Password the agent uses to authenticate to the proxy server.
■ Alert Logging for Update Installation
■ Alert Logging for Update Errors
3. Select the Enable Event Delivery to SiteProtector Console check box for each type of event to enable.
Reference: “Acquiring Your Enterprise Scanner Licenses” on page 207.
In this section: This section contains the following topics: Update Process; Scheduling a One-Time Firmware Update; Configuring Automatic Downloads and Updates; Manually Installing Updates
The following table describes the stages of a typical, daily update process:
Stage: Description
At 3:00 A.M., the agent checks the IBM ISS download center for updates.
The agent downloads assessment content and firmware updates.
The agent installs assessment content updates immediately.
If you want to install all versions up to…: Then select…
the most recent version: All Available Updates.
a specific version number: Up To Specific Version, and then type the version in the Version box.
Automatically Download: Automatically downloads any new assessment content updates.
Automatically Install: Automatically installs any new assessment content updates.
5. If you want the agent to automatically download firmware updates, select Automatically Download in the Firmware Updates section.
If you select this option, the agent installs the update as soon as it discovers that an update is available. Note: You should not use this option, as it could cause the agent to restart while a scan is in progress.
Tip: If you want to see the list of updates before you install them, click View Details, and then click Install Assessment Scanner Updates.
8. After the update process has finished, check the Update History to make sure that all the updates installed successfully.
This chapter contains the following topics: The Proventia Manager Home Page; Viewing Status in the SiteProtector Console; Viewing Agent Status; Viewing Application Diagnostics; Viewing System Status; Viewing System Diagnostics
Last Restart: The time the agent was last restarted. The time is given in the following format:
• yyyy-mm-dd
• hh:mm:ss
Example: 2004-05-04 16:24:37
Table 86: System status icons
Table 86: System status icons (Continued)
Procedure: To view agent status:
1. Log on to the Proventia Manager for your agent. (See page 200.)
2. Select Home on the navigation pane.
Properties from the pop-up menu.
2. If you want to see system status, double-click Agent Status on the middle pane, and then select Agent Information.
3. If you want to see authentication status, double-click Agent Authentication on the left pane.
● Refresh Now (manually refreshes the page)
● every 10 seconds
● every 20 seconds
● every 30 seconds
● every 1 minute
● every 2 minutes
● Auto Off (disables automatic refreshing)
The Application Diagnostics page in Proventia Manager contains descriptions of modules in Enterprise Scanner. It also provides information about the modules that may be helpful to IBM ISS Customer Support if you need to contact them about a problem.
Procedure: To view application diagnostics:
1.
1. Log on to the Proventia Manager for your agent. (See page 200.)
2. Select System on the navigation pane.
3. If you want to refresh the status information, select a refresh option from the Refresh Data list.
Viewing System Diagnostics
Introduction: The System Diagnostics page in Proventia Manager provides information about your agent that may be helpful if you need to contact IBM ISS Customer Support about a problem. It contains the following categories of information:
● Processes...
Viewing Different Types of Alerts; Downloading an Alert Log; Clearing the Alerts Log; Viewing ES and System Logs; Viewing ES Logs; Downloading ES Log Files; System Log Descriptions; Getting Log Status Information; Changing Logging Detail
Logs→System Logs.
Table 90: Selecting alerts and logs in the Proventia Manager
a. This option is a shortcut to Logs → Alerts, with Alert type preselected for Filter options and Enterprise Scanner preselected for Alert Type.
Tip: Click the Up or Down arrows to view details of the previous or next alert.
Viewing alert descriptions: To view alert descriptions:
● Click the event information icon
The X-Force Alert Description of the event appears.
Destination IP: Type the IP address of the source of the alert and the IP address of the destination for the alert in the Source IP and Destination IP boxes.
Multiple Values: Specify the filter values you want to use based on the descriptions above.
Viewing Different Types of Alerts
Filter Option: For this filter option…
Filter Off: Removes filters.
A menu prompts, “Are you sure you want to download the file?”
3. Click OK.
4. Select Save, and then click OK.
5. Navigate to the folder where you want to save the file.
6. Type a file name, and then click Save.
To download an Alert log file:
1. On the Alerts page in Proventia Manager, click Clear current Alerts from event log.
2. Click OK.
3. The agent clears the Alerts log.
Refreshing a log: To refresh a log:
● On the ES Logs or System Logs page in Proventia Manager, select an option from the Refresh Data list.
The agent refreshes the page to display the latest events.
To view the ES logs:
1. On the navigation pane in Proventia Manager, select Logs, and then select ES Logs.
2. Select a log to view in the Select Log list.
The Log File Management page appears.
2. Do one of the following:
■ Select a file to delete, and then click Delete.
■ Click Delete All.
A confirmation window appears.
3. Click OK. The file or files are deleted.
Contains messages regarding the status of the ESM process.
Table 95: Log file descriptions
Procedure: To view the System logs:
● On the navigation pane in Proventia Manager, select Logs, and then select System Logs.
Time of Last Alert: The date and time the last alert was written to the log file.
Table 96: Alert event log statistics
Procedure: To view log status information:
● On the navigation pane in Proventia Manager, select Logs.
ISS Technical Support Representative.
Important: To avoid setting log levels incorrectly, which can impact your scanning performance and fill your disk with logs, make sure you work with your IBM ISS Technical Support Representative.
Affected logs: You can change the logging detail settings for these ES Logs:
● (Trace Log)...
Chapter 18: Enterprise Scanner Logs and Alerts
SiteProtector user group that has global permissions except full access to all functionality.
assessment content—An update from the IBM ISS Center that contains security content.
Assessment Credentials policy—A policy that defines authentication credentials used for accessing and assessing the Windows assets in a group.
Event Collector to provide near real-time access to security data for troubleshooting.
firmware—An update from the IBM ISS Center that contains new program files, fixes or patches, enhancements, or online Help.
Notification policy—A policy that configures responses for the Enterprise Scanner agent.
OneTrust Infrastructure—Provides the license for the appliance and provides updates for firmware and assessment content updates.
operator—A user in the SiteProtector user group that has limited task ability.
IBM ISS products, including the Enterprise Scanner appliance.
SiteProtector Console—The interface where you perform all SiteProtector-related tasks.
SiteProtector Database—The SiteProtector Database that stores security data generated by IBM ISS products.
source IP—The source IP address for an alert sent to the SiteProtector Console.
Ungrouped Assets group that need to be assigned to asset groups.
vulnerability assessment—The process of finding vulnerabilities that identify weaknesses in the network and hosts.
Web Access—A Web-based, read-only version of the SiteProtector Console.
Glossary
SiteProtector Console, in authentication agent status configuration levels Proventia Manager, in credentials SiteProtector Console, in SiteProtector, with alerts (notifications) downloading viewing Alternate Update Server tab in Update Settings policy application fingerprinting configuring
Internet Scanner Internet Scanner, from Enterprise Scanner, compared with Proventia Network Enterprise Scanner Policy Migration migration from Utility IP addresses model number excluding from a scan nameservers network interfaces management (eth0)
(and alerts) in downloading password types of purpose of viewing System Diagnostics Page NTP (Network Time Protocol) Proventia Network Enterprise Scanner Policy Migration Utility Proventia Network Enterprise Scanner Quick Start Card Proventia Setup Assistant one-time updates Proxy Server OneTrust...
Page 263
Status, column in Assessment policy verification scans stopping a job subgroup, and policy inheritance subtasks defining IBM Proventia Network Enterprise Scanner User Guide, Version 1.3...
Page 264
SiteProtector Console Target type, column in Assessment policy Vulnerability ID, column in Assessment policy TCP services, discovering vulnerability management technical support, IBM Internet Security Systems asset-centric terminal emulation Vulnerability, column in Assessment policy installation, during reinstallation, during...
Page 265
1. License - The Software is provided in object code and is licensed, not sold. Upon your payment of the applicable fees and ISS' delivery to you of the applicable license notification, Internet Security Systems, Inc., an IBM Company ("ISS") grants to you as the only end user ("Licensee") a nonexclusive and nontransferable, limited license for the accompanying Software, for use only on the specific network configuration, for the number and type of devices, and for the time period ("Term") that are specified in ISS' quotation and Licensee's purchase order, as accepted by ISS.
Page 266
ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE'S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE BETA PRODUCT LICENSE BY WRITTEN NOTICE TO ISS. 5. Evaluation License - If ISS is providing Licensee with the Software, security content and related documentation on an evaluation trial basis at no cost, such license Term is 30 days from installation, unless a longer period is agreed to in writing by ISS.
Page 267
injury, or severe physical or property damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the foregoing disclaimers and hereby waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom. 17.