IBM Partner Pavilion 2.3 manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187

Go to page of

A good user manual

The rules should oblige the seller to give the purchaser the operating instructions for IBM Partner Pavilion 2.3 along with the item. A lack of instructions, or false information given to the customer, constitutes grounds for a complaint because of nonconformity of the goods with the contract. In accordance with the law, a customer can receive instructions in non-paper form; lately, graphic and electronic manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instructions are unmistakable and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in the instructions for IBM Partner Pavilion 2.3 one can find a process description. The purpose of an instruction is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a clue.

Unfortunately, only a few customers devote time to reading the instructions for IBM Partner Pavilion 2.3. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual of IBM Partner Pavilion 2.3 should contain:
- information concerning technical data of IBM Partner Pavilion 2.3
- name of the manufacturer and a year of construction of the IBM Partner Pavilion 2.3 item
- rules of operation, control and maintenance of the IBM Partner Pavilion 2.3 item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from certainty about the functionalities of purchased items. Unfortunately, networking and start-up of IBM Partner Pavilion 2.3 alone are not enough. An instruction contains a number of clues concerning the respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of IBM Partner Pavilion 2.3, and methods of problem resolution. Eventually, when one still can't find the answer to a problem, one will be directed to the IBM Partner Pavilion service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will become familiar with the whole material and won't skip complicated, technical information about IBM Partner Pavilion 2.3.

Why should one read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the IBM Partner Pavilion 2.3 item and its use with the respective accessories, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment to get familiar with every part of the instructions. Currently, manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    IBM Proventia Network Enterprise Scanner User Guide Version 2.3 [...]

  • Page 2

    Copyright statement © Copyright IBM Corporation 1997, 2009. All Rights Reserved. U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Publication Date: February 2009[...]

  • Page 3

    Trademarks and Disclaimer IBM® and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME™, Ahead of the threat, BlackICE™, Internet Scanner®, Proventia®, RealSecure®, SecurePartner™, SecurityFusion™, SiteProtector™,[...]

  • Page 4

    iv Enterprise Scanner: User Guide[...]

  • Page 5

    Contents Trademarks and Disclaimer ... iii About this book ... vii Related publications ... viii Technical support contacts ... viii Part 1. Scanning from the Proventia Manager ... 1 Chapter 1. Ad hoc scanning in the Proventia Manager ... 3 Section A: Network configuration ... 4 Configuring the m[...]

  • Page 6

    Scanning behaviors for ad hoc scans ... 99 Chapter 8. Interpreting scan results in SiteProtector ... 103 OS identification (OSID) certainty ... 104 How OSID is updated in Enterprise Scanner ... 105 Setting up a Summary view for vulnerability management ... 106 Summary page for vulnerability management ... 106 Viewi[...]

  • Page 7

    About this book This section describes the audience for this guide; identifies related publications; and provides contact information. Audience Users of this guide should understand their network topology, including the criticality of network assets. In addition, because Enterprise Scanner can be managed through the SiteProtector Console, you mus[...]

  • Page 8

    Related publications Use this topic to help you access information about your Enterprise Scanner appliance. Publications The following documents are available for download from the IBM ISS Documentation Web site at http://www.iss.net/support/documentation/. v IBM Proventia Network Enterprise Scanner Version 2.3 Quick Start Card (Models ES750 an[...]

  • Page 9

    Part 1. Scanning from the Proventia Manager This section explains how to manage scans from the Proventia Manager for the Enterprise Scanner agent. Chapters Chapter 1, “Ad hoc scanning in the Proventia Manager,” on page 3 Chapter 2, “Interpreting scan results in the Proventia Manager,” on page 21 © Copyright IBM Corp. 1997, 2009 1[...]

  • Page 10

    2 Enterprise Scanner: User Guide[...]

  • Page 11

    Chapter 1. Ad hoc scanning in the Proventia Manager This chapter explains how to use perspective and the high-level processes behind ad hoc scanning from the Proventia Manager. Section A: Network configuration “Configuring the management network interface” on page 4 “Configuring the scanning network interface” on page 5 “Configuring sca[...]

  • Page 12

    Section A: Network configuration This section explains how to define the network interfaces for the management and scanning ports, how to assign perspectives to network interfaces, and how to configure the Enterprise Scanner appliance to select routes for traffic. Configuring the management network interface Use the Management Interface tab on the[...]

  • Page 13

    Configuring the scanning network interface Use the Scan Interface tab on the Network Interface Configuration page on the appliance to configure the scanning interface network settings (ETH1 - ETH5). About this task You configured the scanning interface when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this top[...]

  • Page 14

    Configuring scanning interface DNS settings Use the DNS tab on the Network Interface Configuration page on the appliance to configure the DNS settings for the scanning interface. About this task You configured these settings when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this topic to change those setting[...]

  • Page 15

    Assigning perspective to a scanning interface Use the Network Locations tab on the Network Locations page on the appliance to assign a perspective (network location) to a scanning interface. About this task You can only configure the ETH0 and ETH1 interfaces in Proventia Setup. You must configure the remaining interfaces on this page (Network L[...]

  • Page 16

    Option Description Metric If you configure more than one route to the same segment for one perspective, a number that indicates the preferred route. The closer to 1, the more preferred the route. Note: The numbers you use do not have to be consecutive. 5. Click Save Changes. Section B: Policy configuration This section explains how to configur[...]

  • Page 17

    7. If you want to add previously known assets that are already defined in other groups to the scan group, select the Add previously known assets to group check box. Displaying assessment checks by groups Use the Checks tab in the Assessment policy to group checks by any combination of columns that you have chosen to display. For example, you mig[...]

  • Page 18

    If you want to... Then... Create groupings from a selection list 1. Click the Group By icon. The Group by Columns window appears. 2. Select a column to group by in the All Columns list, and then click Add. The column moves to the Group by these Columns list. 3. Repeat the previous step for each column that you want to group by. 4. If you want to [...]

  • Page 19

    Selecting assessment checks with filters Use the Checks tab in the Assessment policy to provide filtering values on a selected list of assessment checks. About this task The following rules apply to using regular expressions: v The match occurs against all columns in the table, whether or not the column is displayed. v If you use more than one re[...]

  • Page 20

    Configuring common assessment settings for an Assessment policy Use the Common Settings tab in the Assessment policy to choose settings that define additional scanning behavior for the checks you have selected to run in an assessment scan. Procedure 1. Click Scan → Policy Management in the navigation pane. 2. Select Assessment from the Policy Ty[...]

  • Page 21

    Option Description Ports to scan with generic UDP checks The set of UDP ports to scan with generic UDP checks. You can specify ports using any of the following methods: v Type a port or range of ports. v Click Well known and select ports from the list. v Select All. Note: A generic UDP check is one whose target type is udp. 9. Configure option[...]

  • Page 22

    Option Description Do not perform application fingerprinting Does not try to specifically identify which applications are communicating over which ports, and runs the checks as selected in the Assessment policy. This option does not identify applications communicating over non-standard ports. (Checks are run against standard ports as defined in t[...]

  • Page 23

    Option Description Allowed account lockout Select a type of lockout: v No lockout allowed: Enterprise Scanner avoids running password guessing checks if account lockout is enabled on the target host, or if its status cannot be determined. v Temporary lockout allowed: Enterprise Scanner runs password guessing checks only if the account lockout dura[...]

  • Page 24

    Defining assessment credentials for a policy Use the Assessment Credentials policy type on the Policy Management page to define authentication credentials for your assets. About this task The appliance uses authentication credentials to access accounts during assessment scans. Enterprise Scanner uses all instances of the credentials that are defin[...]

  • Page 25

    Option Description Account Type: SSH Local Indicates that the user account is defined locally on a single Unix device that allows SSH logons. The account is used to attempt login to a single Unix device. When you choose this option, you must provide an IP address in the Domain/Host box. Account Type: SSH Domain Indicates that the user account is [...]

  • Page 26

    Defining the service names associated with TCP and UDP ports Use the Network Services policy type on the Policy Management page to define service names associated with TCP and UDP ports. Procedure 1. Click Scan → Policy Management in the navigation pane. 2. Select Network Services from the Policy Types list, and then click Add. 3. Type a name [...]

  • Page 27

    Defining ports or assets to exclude from a scan Use the Scan Exclusion policy type on the Policy Management page to define specific ports or assets to exclude from a scan of a group of assets. Procedure 1. Click Scan → Policy Management in the navigation pane. 2. Select Scan Exclusion from the Policy Types list, and then click Add. 3. Type a [...]

  • Page 28

    Configuring and saving a scan policy in the Proventia Manager Use the Policy Management page on the appliance to configure discovery and assessment scan policies from Proventia Manager for auditing purposes, and then use those policies for one-time (ad hoc) scans that you initialize from the LMI Scan Control page. Before you begin You will not be[...]

  • Page 29

    Chapter 2. Interpreting scan results in the Proventia Manager This chapter explains how to monitor and view scan results in the Proventia Manager. Topics “Running an ad hoc scan” on page 22 “Monitoring the status of a scan” on page 23 “Viewing the results of an ad hoc scan” on page 24 “Exporting scan results from Proventia Manage[...]

  • Page 30

    Running an ad hoc scan Use the LMI Scan Control page on the appliance to define and run ad hoc scans for assessment and discovery. Before you begin Before you can run a scan, make sure you have configured a scan from the Policy Management page. Procedure 1. Click Scan → Run Scan in the navigation pane. 2. Depending on what type of scan you ar[...]

  • Page 31

    Monitoring the status of a scan Use the Scan Status page on the appliance to view the status of ad hoc discovery and assessment scans you have initialized from the LMI Scan Control page. About this task While Proventia Manager processes the scan, you can perform one of the following actions on the scan: Table 3. Processing status of a scan Actio[...]

  • Page 32

    Viewing the results of an ad hoc scan Use the Scan Results page on the appliance to analyze security-related data discovered by an ad hoc scan. Procedure 1. Click Scan → Scan Results in the navigation pane. 2. Choose the scan date (time stamp) from the List Scans list, and then click Go. 3. Select the scan job from the Scan Type list, and then[...]

  • Page 33

    Purging scan data from the database Use the Scan Results page on the appliance to schedule the removal of scan data files from the /var/log/esm/lmiScans directory. Procedure 1. Click Scan → Scan Results in the navigation pane. 2. Click the Purge Scan Data link. The Purge Scan Data window provides the following information about the current sca[...]

  • Page 34

    26 Enterprise Scanner: User Guide[...]

  • Page 35

    Part 2. Scanning from the SiteProtector Console This section explains how to manage scans from the SiteProtector Console for the Enterprise Scanner agent. Chapters Chapter 3, “Enterprise Scanner policies,” on page 29 Chapter 4, “Understanding scanning processes in SiteProtector,” on page 67 Chapter 5, “Background scanning in SiteProtec[...]

  • Page 36

    28 Enterprise Scanner: User Guide[...]

  • Page 37

    Chapter 3. Enterprise Scanner policies This chapter explains how to use Enterprise Scanner policies to customize your scanning processes. The policies belong to meaningful categories based on their scope and impact on scans. Topics “Policy inheritance with Enterprise Scanner policies” on page 30 “Deploying an Enterprise Scanner policy from t[...]

  • Page 38

    Policy inheritance with Enterprise Scanner policies The inheritance properties of policies in SiteProtector provide a flexible and efficient method for setting up your scanning environment in a hierarchical group structure. General inheritance behavior In general, inheritance works as follows: v When you define a policy for a group in your gro[...]

  • Page 39

    v If you do not override the settings, the column follows the inheritance described in the table above; however, you must configure those policies. Deploying an Enterprise Scanner policy from the policy repository Use the policy repository to create, edit, and deploy Enterprise Scanner policies in SiteProtector. The repository keeps an archive [...]

  • Page 40

    Migrating a locally managed Enterprise Scanner agent into SiteProtector You must migrate the Enterprise Scanner agent out of the Locally Managed Agents area to take advantage of the policy features available in SiteProtector. About this task If the policies for the Enterprise Scanner agent are managed locally (from Proventia Manager), they will[...]

  • Page 41

    Viewing asset or agent policies for Enterprise Scanner In the SiteProtector Console, you can view asset and agent policies together, or you can view them separately. If you view the policies separately, you can use the views and tabs in SiteProtector to easily move back and forth between asset and agent policies. Procedure 1. From the SiteProt[...]

  • Page 42

    Getting vulnerability help for a SiteProtector Console without Internet access If you use the SiteProtector Console on a computer without an Internet connection, you need to store the vulnerability Help on the computer or one it can access over your company’s network. Procedure 1. Download the vulnerability Help file (XForceHelpFiles.zip) fro[...]

  • Page 43

    Agent policies for Enterprise Scanner Agent policies apply to Enterprise Scanner appliances and describe operational settings for the agents or global settings for all scans. In addition, some agent policies apply to only one agent. Agent policy descriptions for Enterprise Scanner Agent policies apply to both ad hoc and background scans. Contents o[...]

  • Page 44

    Network Locations policy Use the Network Locations policy to define the perspective (network location) of an agent and to define routes for those perspectives. Note: The Network Locations policy does not automatically import the perspectives you set up in the Network Locations tab in the Proventia Manager (LMI). If you have defined perspectives in [...]

  • Page 45

    Important: Users who do not have permission to view the Network Locations policy, either through group association or by a specific grant, cannot run Enterprise Scanner scans. Assigning perspective to a scanning interface Use the Network Locations tab in the Network Locations policy on the SiteProtector Console to assign a perspective (network lo[...]

  • Page 46

    Option Description Metric If you configure more than one route to the same segment for one perspective, a number that indicates the preferred route. The closer to 1, the more preferred the route. Note: The numbers you use do not have to be consecutive. 5. Click OK. Notification policy Use the Notification policy to configure responses sent fr[...]

  • Page 47

    Configuring advanced parameters for event notification Use the Advanced Parameters tab in the Notification policy on the SiteProtector Console to provide greater control over the event notification behavior of your appliance. Procedure 1. From the SiteProtector Console, create a tab to display agent policies. 2. In the navigation pane, select a g[...]

  • Page 48

    2. In the navigation pane, select a group, and then open the Access policy for that group. 3. For each password you want to change, complete the following steps: a. Type the current password in the Current Password box. b. Click Enter Password, type the new password in the Password and in the Confirm password boxes, and then click OK. 4. If you[...]

  • Page 49

    Configuring the scanning network interface Use the Scan Interface tab in the Networking policy on the SiteProtector Console to configure the scanning interface network settings (ETH1 - ETH5). About this task You configured the scanning interface when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this topic to c[...]

  • Page 50

    Configuring scanning interface DNS settings Use the DNS tab in the Networking policy on the SiteProtector Console to configure the DNS settings for the scanning interface. About this task You configured these settings when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this topic to change those settings. Proc[...]

  • Page 51

    Services policy Use the Services policy on the SiteProtector Console to enable or disable access to your appliance from SSH (Secure Shell) applications on your network and to enable SNMP to monitor the Enterprise Scanner appliance for conditions that warrant administrative attention. Procedure 1. From the SiteProtector Console, create a tab to di[...]

  • Page 52

    Time policy Use the Time policy on the SiteProtector Console to change the date and the time of the Enterprise Scanner agent, and to enable the network time protocol (NTP) to synchronize the agent time with a network time server. About this task The Time policy always contains the last manually configured values for date and time options, not t[...]

  • Page 53

    Update Settings policy Use the Update Settings policy on the SiteProtector Console to configure how the agent automatically locates, downloads, and installs available updates. Asset policies for Enterprise Scanner Asset policies apply to groups of assets and describe the security policy for those assets. Asset policy descriptions for Enterprise Sc[...]

  • Page 54

    v A Discovery policy applies to only the group where you define it. v The remaining policies are inheritable. A subgroup inherits a policy from the first group higher than itself in the group structure that has a defined policy. In the SiteProtector Console, you select a group in the left pane and the applicable policies are displayed in the [...]

  • Page 55

    Defining assets to discover Use the Discovery policy on the SiteProtector Console to define the parameters used to perform a discovery scan on a portion of a network. Before you begin Before it can perform OS fingerprinting on an asset, your agent must find one open and one closed port. To find an open and a closed port, the agent scans ports 1–[...]

  • Page 56

    Assessment policy Use the Assessment policy on the SiteProtector Console to define the checks to run for assessment scans. The Assessment policy contains the following tabs: v Checks (display checks by groups, display information about checks, select checks with filters) v Common Settings Scope The Assessment policy applies only to assessment scan[...]

  • Page 57

    Displaying assessment checks by groups Use the Checks tab in the Assessment policy on the SiteProtector Console to group checks by any combination of columns that you have chosen to display. For example, you might want to see checks by category, then by severity within that category. About this task The current grouping selections are displaye[...]

  • Page 58

    Selecting assessment checks with filters Use the Checks tab in the Assessment policy on the SiteProtector Console to provide filtering values on a selected list of assessment checks. About this task The following rules apply to using regular expressions: v The match occurs against all columns in the table, whether or not the column is displayed. v[...]

  • Page 59

    Configuring common assessment settings Use the Common Settings tab in the Assessment policy on the SiteProtector Console to choose settings that define additional scanning behavior for the checks you have selected to run in an assessment scan. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation[...]

  • Page 60

    Option Description Ports to scan with generic UDP checks The set of UDP ports to scan with generic UDP checks. You can specify ports using any of the following methods: v Type a port or range of ports. v Click Well known and select ports from the list. v Select All. Note: A generic UDP check is one whose target type is udp. 8. Configure option[...]

  • Page 61

    Option Description Do not perform application fingerprinting Does not try to specifically identify which applications are communicating over which ports, and runs the checks as selected in the Assessment policy. This option does not identify applications communicating over non-standard ports. (Checks are run against standard ports as defined in t[...]

  • Page 62

    Option Description Allowed account lockout Select a type of lockout: v No lockout allowed: Enterprise Scanner avoids running password guessing checks if account lockout is enabled on the target host, or if its status cannot be determined. v Temporary lockout allowed: Enterprise Scanner runs password guessing checks only if the account lockout dura[...]

  • Page 63

    Assessment Credentials policy Use the Assessment Credentials policy on the SiteProtector Console to define authentication credentials for your assets. The appliance uses authentication credentials to access accounts during assessment scans. Enterprise Scanner uses all instances of the credentials that are defined for the group when it scans asset[...]

  • Page 64

    Option Description Account Type: Windows Domain/Workgroup Indicates that the user account is defined in a Windows Domain or Workgroup. The account is used to attempt to log in to all Windows devices within the domain or workgroup. When you choose this option, you must provide the Windows Domain or Workgroup name in the Domain/Host box. Accou[...]

  • Page 65

    Scan Control policy Use the Scan Control policy on the SiteProtector Console to define the duration of scanning cycles and to assign user-defined perspectives to scans. Background scanning is based on scanning cycles. Scanning cycles define how frequently you want to rerun scans for a group. Note: Background scans run during open scan windows t[...]

  • Page 66

    Defining scanning cycles and assigning perspectives to scans Use the Scan Control policy on the SiteProtector Console to define the duration of scanning cycles and to assign user-defined perspectives to scans. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then o[...]

  • Page 67

    Scan Window policy Use the Scan Window policy on the SiteProtector Console to define hours of allowed scanning for discovery scans (scan windows), assessment scans (scan windows), and the time zone in which you want the scanning to occur, which is typically the time zone of the assets. By default, scanning is allowed at any time. If you want to l[...]

  • Page 68

    Defining when scanning is allowed Use the Scan Window policy on the SiteProtector Console to define the days and hours that scanning is allowed. About this task The Scan Window policy applies to background discovery and assessment scans. For an ad hoc scan, you can choose whether to run the scan only during the windows defined in this policy or t[...]

  • Page 69

    Scan Exclusion policy Use the Scan Exclusion policy on the SiteProtector Console to define specific ports or assets to exclude from a scan of a group of assets. Each Scan Exclusion policy defines the following information for the asset group associated with the policy (and the groups that inherit from it): v A list of ports against which no asses[...]

  • Page 70

    Network Services policy Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports. You can modify some properties of a default service in the policy, and you can add your own customized services to the policy. Scope The Network Services policy applies to assessment scans that run as ei[...]

  • Page 71

    Configuring a Network Services policy Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Network Services policy for that group. 3. Fo[...]

  • Page 72

    Ad Hoc Scan Control policy Use the Ad Hoc Scan Control policy on the SiteProtector Console to define Enterprise Scanner ad hoc scans for assessment and discovery. Configuration options For ad hoc scans you configure the following options: v With the Ad Hoc Scan Control option, you determine whether to run assessment or discovery scans, whether t[...]

  • Page 73

    11. If you want to add newly discovered assets to the group where you have defined the scan, rather than to the Ungrouped Assets group, select the Add newly discovered assets to group check box. 12. If you want to add previously known assets (that are not in the group) to the group, select the Add previously known assets to group check box. 13.[...]

  • Page 74

    Option Description Half-Scan Connections The maximum number of connections the scan should use for opening and closing ports. 13. Click the Debug Settings tab. 14. In the Packet Capture section, select Enabled and then set the filters for the agent to use during the ad hoc assessment scan for network analysis. Note: Packet capturing is not availabl[...]

  • Page 75

    Chapter 4. Understanding scanning processes in SiteProtector This chapter explains the high-level processes behind ad hoc and background scanning. It also explains how policy settings affect those processes. Use the following strategies for managing vulnerabilities with Enterprise Scanner: v Use background scanning for automated vulnerability man[...]

  • Page 76

    What is perspective? When you scan a group of assets, you anticipate and interpret results based on the location of your agent relative to the location of the assets. Scanning a group of assets from inside a firewall, for example, produces different results than scanning the same group of assets from outside the firewall. Perspective identifi[...]

  • Page 77

    firewall, descriptive perspective names might be Atlanta-InsideFirewall and Atlanta-OutsideFirewall. Placing agents in the correct perspective A perspective name has no meaning to Enterprise Scanner. You must make sure that the agents you add to each perspective make logical sense placed there. If you add an agent to a perspective that is not l[...]

  • Page 78

    To scan some asset groups from inside your firewall and others from within your DMZ, follow these steps: 1. Set up two groups in SiteProtector: v One group contains assets to scan from inside the firewall. v One group contains assets to scan from the DMZ. 2. Define a perspective to identify the scanners at each place on your network. 3. Assig[...]

  • Page 79

    Scan jobs and related terms To tune your system correctly, you must understand how scan jobs run and how the options you define in policies affect jobs and subtasks. Definitions The following table describes the terms used by the Enterprise Scanner agent in the scanning process: Table 8. Terms related to scanning jobs Term Description Critical[...]

  • Page 80

    Scheduled and running scans To make it easier to explain the scanning processes, scans are considered scheduled when they are displayed in the Command Jobs window. Because jobs might not start to scan immediately, they are considered scheduled until the job actually starts to create tasks and run subtasks. The importance of tasks and subtasks [...]

  • Page 81

    Tasks per type of scan The following table explains the tasks needed for discovery and assessment scans: Table 10. Tasks per type of scan Scan type Number of tasks Discovery 1 job-level task 1 parent task 1 scanning task Note: There is no way to prioritize the order in which a discovery scan scans IP addresses, therefore there is no reason to[...]

  • Page 82

    Task prioritization The following table explains the reasons behind prioritization of scanning tasks: Table 11. Reasons for task prioritization Type of scan Reason for prioritization Ad hoc versus background Ad hoc scans run at higher priority than background scans because ad hoc scans fill extraordinary scanning needs: • Ad hoc scans help you [...]

  • Page 83

    The process for a scanning cycle The following table describes the general process for a scanning cycle: Table 12. The process of a scanning cycle Stage Description 1 Scanning jobs are displayed in the Command Jobs window as they are scheduled: • A job for a background scan is scheduled at midnight on the first day of the refresh cycle defined i[...]

  • Page 84

    Optimizing cycle duration, scan windows, and subtasks for Enterprise Scanner Background scanning jobs persist throughout a scan cycle, but are active only during open scan windows. The efficiency of background scanning relies on carefully calibrating the following items: • Quantity of IP addresses and assets to scan • The duration of the scan c[...]

  • Page 85

    Achieving the right balance If a refresh cycle is too short, you cannot scan all of your assets during the cycle. If a scan window is too short to finish subtasks, you can rerun subtasks that were nearly finished. To achieve the right balance, take the following actions: • Try to size your subtasks according to the size of your smallest scan wi[...]

  • Page 86

    78 Enterprise Scanner: User Guide[...]

  • Page 87

    Chapter 5. Background scanning in SiteProtector This chapter describes the minimum requirements and options for defining background scanning in the SiteProtector Console. Because ad hoc scans use some of the background policies, this chapter also describes the impact of those shared policies on ad hoc scans. In addition, checklists in this chapt[...]

  • Page 88

    Determining when background scans run This topic describes two important concepts for background scanning: scanning refresh cycles and scanning windows. These concepts control when background scans run. Scanning refresh cycle A scanning refresh cycle is the maximum duration (in days, weeks, or months) of a background scan. You define separate sc[...]

  • Page 89

    How policies apply to ad hoc and background scans Agent policies apply to both ad hoc and background scans, while asset policies apply to both ad hoc and background scans; however, you can reconfigure some asset policies when you define an ad hoc scan. The following table describes ad hoc and background scans: Table 13. Descriptions of ad hoc an[...]

  • Page 90

    Table 15. Changes to Assessment and Discovery policies (continued) If you... Then you... Modify the configured settings Cannot save the policy. Therefore, the changes apply to only that ad hoc scan and do not affect configured background scans. Scan Control policy You cannot configure refresh cycles or scan windows for ad hoc scans because the[...]

  • Page 91

    Background scanning checklists for Enterprise Scanner This topic describes the minimum requirements to set up background discovery and background assessment scanning. You should also use any other policies that help you configure your scanning environment to meet your security goals. Checklist for background discovery scanning The following tabl[...]

  • Page 92

    Enabling background scanning Use the Scan Control policy on the SiteProtector Console to define the duration of refresh cycles and to assign user-defined perspectives to scans. About this task Background scanning is based on scanning refresh cycles. Refresh cycles define how frequently you want to rerun scans for a group. Note: Background sca[...]

  • Page 93

    Option Description Next cycle start date The beginning date of the next scan cycle. (Display only.) Use Discovery’s start date/duration and wait for discovery scan to complete before scheduling assessment scan Delays the start of the assessment scan until the discovery scan has finished to ensure that the discovery scan has identified all discov[...]

  • Page 94

    Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Scan Window policy for that group. 3. Click the Discovery Windows tab or the Assessment Windows tab. Note: Scanning hours are selected; non-scanning hours are not selected. 4. Select the periods of a[...]

  • Page 95

    Defining ports or assets to exclude from a scan Use the Scan Exclusion policy on the SiteProtector Console to define the specific ports, specific assets, or both, that you want to exclude from a scan of a group of assets. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group[...]

  • Page 96

    Defining network services Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Network Services policy for that group. 3. For default or[...]

  • Page 97

    Defining assessment credentials for a policy Use the Assessment Credentials policy on the SiteProtector Console to define authentication credentials for your assets. About this task The appliance uses authentication credentials to access accounts during assessment scans. Enterprise Scanner uses all instances of the credentials that are defined fo[...]

  • Page 98

    Option Description Account Type: SSH Local Indicates that the user account is defined locally on a single Unix device that allows SSH logons. The account is used to attempt login to a single Unix device. When you choose this option, you must provide an IP address in the Domain/Host box. Account Type: SSH Domain Indicates that the user account is [...]

  • Page 99

    Chapter 6. Monitoring scans in SiteProtector This chapter uses terms that define scanning parameters for scan jobs with SiteProtector. Topics “Viewing your scan jobs” on page 92 “Viewing discovery job results” on page 92 “Viewing assessment job results” on page 93 © Copyright IBM Corp. 1997, 2009 91[...]

  • Page 100

    Viewing your scan jobs Use the Command Jobs window on the SiteProtector Console to view the status of a job, watch its progress, and view its final results. Procedure 1. In the SiteProtector Console, right-click the Site or a group, and then select Properties from the pop-up menu. 2. Select Command Jobs from the options in the left pane. The com[...]

  • Page 101

    Viewing assessment job results You can open a scanning job in the Command Jobs window as the job runs to see additional information about it. Some information is not available until the job has finished running. About this task The Remote Scan window presents a snapshot of the information available when you open the job. To refresh the information, y[...]

  • Page 102

    94 Enterprise Scanner: User Guide[...]

  • Page 103

    Chapter 7. Managing scans in SiteProtector This chapter explains different ways to stop and restart scans. It also describes expected scanning behaviors and provides tips for troubleshooting your scan jobs. Topics “Stopping and restarting scan jobs” on page 96 “Suspending and enabling all background scans” on page 97 “Minimum scanning [...]

  • Page 104

    Stopping and restarting scan jobs You can stop a scan job by pausing or canceling the job. You can also rerun a scan job. These actions apply to current scan jobs, not to scans to be scheduled in the future. Impact of stopping scan jobs The following table describes the impact of stopping scans with the Pause and Cancel options: Table 19. Impact[...]

  • Page 105

    Suspending and enabling all background scans You can suspend and enable all scanning for the groups controlled by a Scan Control policy. This applies to current and future background scans. About this task If you stop background scans by disabling all scanning in the Scan Control policy, all current scans go into the idle status, and no more[...]

  • Page 106

    Minimum scanning requirements This topic provides a brief review and summary of the minimum requirements for initiating different types of scans. Registration and authentication Your agent must be registered and authenticated with SiteProtector. You can check the status in Proventia Manager in Configuration → Authentication. Steps to init[...]

  • Page 107

    Scanning behaviors for ad hoc scans Different aspects of scanning behaviors are discussed in detail in different parts of this guide. This topic answers some of the most common questions about how jobs are scheduled and how they are displayed in the Command Jobs window. Inheritance Expect the following regarding inheritance: • There is a one-[...]

  • Page 108

    A: You did not define at least one IP address for a discovery scan. A: If you set up the scan to run during scan windows, but you have not defined Scan Windows for the group you are scanning. This could happen if you define a Scan Window policy for the group, but you have not defined any Scan Windows in the policy. The default for an unmodifie[...]

  • Page 109

    • If the agent to run the background scan is available, the scan job appears in the Command Jobs window at midnight on the day of a new refresh cycle. • If the agent to run the background scan is not available, the scan job appears in the Command Jobs window when the agent is available, provided it is on a valid start date. Q: How many states do[...]

  • Page 110

    If you set up the Scan Control policy so that the assessment scan... Then, the assessment scan... Does not wait for the discovery scan to finish before the assessment scan begins Starts as a single job. There is no need to create a separate assessment job for each subgroup because the assessment scan does not have to wait for the discovery job to f[...]

  • Page 111

    Chapter 8. Interpreting scan results in SiteProtector This chapter explains how to use OS identification and the views in SiteProtector to analyze the results of vulnerability assessment scans by the Enterprise Scanner agent. Topics “OS identification (OSID) certainty” on page 104 “How OSID is updated in Enterprise Scanner” on page 105 “[...]

  • Page 112

    OS identification (OSID) certainty Enterprise Scanner determines whether to run a check against a host based on the certainty of the OS information in SiteProtector and the setting in the Assessment policy that specifies what action to take if the OSID is uncertain. What determines certainty? The certainty with which a source provides a completel[...]

  • Page 113

    How OSID is updated in Enterprise Scanner Enterprise Scanner uses OSID information or reassesses the OSID during an assessment scan, and it explains when SiteProtector updates OSID that it has for an asset. Conditions for reassessing OSID The following conditions must be met for Enterprise Scanner to use the OSID information from SiteProtector: • [...]

  • Page 114

    Setting up a Summary view for vulnerability management Use the Summary view in the SiteProtector Console to dynamically display information about scanning and vulnerability management. Procedure 1. From the Tools menu, select Options. 2. Select Summary in the left column. 3. If you always want the portlets to reflect the summary information for t[...]

  • Page 115

    Table 25. Vulnerability management options (continued) Portal Description Vulnerability History by Day Displays a bar graph that illustrates the following information: • Total number of high priority vulnerabilities by day • Total number of medium priority vulnerabilities by day • Total number of low priority vulnerabilities by day • Total nu[...]

  • Page 116

    Viewing vulnerabilities in the SiteProtector Console using Enterprise Scanner Use the Analysis view in the SiteProtector Console to view event data collected by the Enterprise Scanner agent. About vulnerability assessment Vulnerability assessment data identifies weaknesses in your network and hosts. Intruders or employees can exploit these weakne[...]

  • Page 117

    Field descriptions The following table describes the fields and descriptions for this vulnerability view: Table 26. Vulnerability view by asset Field Description Target IP Use this filter to monitor a specific IP address that you suspect is the target of attacks. The IP address can be either internal or external. This information is typically m[...]

  • Page 118

    Table 26. Vulnerability view by asset (continued) Field Description Tag Count Use to filter events according to the Tag Count column in the analysis views. SiteProtector calculates the Tag Count according to the number of events that are associated with each row of data in the analysis view. This filter filters data only in views that contai[...]

  • Page 119

    Viewing vulnerabilities by detail in Enterprise Scanner Use this view to examine event details that might be related to an attack or that you consider unusual. Benefits You analyze event data to evaluate the effectiveness of your system’s security and to investigate any suspicious activity. You can analyze event data in several ways: • Examin[...]

  • Page 120

    Table 27. Vulnerability view by detail (continued) Field Description Object Type Use this filter to analyze a specific type of object that you suspect is the target of attacks. Object Name Use this filter to see events involving a specific object according to the object’s name. User Name Use this filter to display or suppress events that match [...]

  • Page 121

    Viewing vulnerabilities by object in Enterprise Scanner Use this view to examine objects on your network or desktop computers that are a source of vulnerabilities. Benefits You can analyze specific objects that are more affected by vulnerabilities, such as ports or URLs. You can view an object by the type, name, events, or vulnerability type. F[...]

  • Page 122

    Table 28. Vulnerability view by object (continued) Field Description Tag Count Use to filter events according to the Tag Count column in the analysis views. SiteProtector calculates the Tag Count according to the number of events that are associated with each row of data in the analysis view. This filters data only in views that contain the [...]

  • Page 123

    Table 29. Vulnerability view by target operating system (continued) Field Description Status Use the Status filter differently for events and vulnerabilities. • Events: The Status column indicates the impact of the event. • Vulnerabilities: The Status column indicates whether the vulnerability was found. Event Count Use this filter to determine w[...]

  • Page 124

    Table 30. Vulnerability view by vulnerability name (continued) Field Description Status You use the Status filter differently for events and vulnerabilities. • Events: The Status column indicates the impact of the event. • Vulnerabilities: The Status column indicates whether the vulnerability was found. Use this filter to show only the statuses[...]

  • Page 125

    Running reports in the SiteProtector Console Use the Report view in the SiteProtector Console to schedule Enterprise Scanner reports. Procedure 1. In the navigation pane for the SiteProtector Console, select the group for which you want to run reports. 2. In the right pane, select and tab, and then select the Report view. 3. Right-click the repo[...]

  • Page 126

    Table 31. Assessment reports descriptions (continued) Report Description Top Vulnerabilities A list of the top vulnerabilities, by frequency, for a specified group and time. Vulnerability by Asset A list of the top assets by number of vulnerabilities for a specified group and time. Vulnerability by Group A comparison of vulnerabilities across[...]

  • Page 127

    Viewing an Enterprise Scanner report in the SiteProtector Console Use the Report view in the SiteProtector Console to open an Enterprise Scanner report on your computer. Procedure 1. In the navigation pane for the SiteProtector Console, select the group that you want to run reports for. 2. In the right pane, select and tab, and then select the[...]

  • Page 128

    120 Enterprise Scanner: User Guide[...]

  • Page 129

    Chapter 9. Logs and alerts This chapter explains how to generate log files and to set up alert notifications for the appliance. Topics “Log files and alert notification” on page 122 “System logs” on page 123 “Getting log status information” on page 124 “Enterprise Scanner (ES) logs” on page 124 “Downloading Enterprise Scanner (ES[...]

  • Page 130

    Log files and alert notification Enterprise Scanner maintains log files on the appliance to use for diagnosing problems with the agent. The log files contain details about the scanning and operational processes running on the agent. Two types of log files Enterprise Scanner maintains two types of log files: Table 32. Types of log files Log type[...]

  • Page 131

    System logs Use the System Event Log page in the Proventia Manager to examine entries in the system logs. System log descriptions The following table describes the system logs for Enterprise Scanner: Table 34. System logs Log name (file_name) Description Architecture Services Log (AS_Log.log) Contains low-level debugging information from the [...]

  • Page 132

    Getting log status information Use the Log Status page in the Proventia Manager to view usage information for alert event log statistics. Navigation: To access the Log Status page, click Status → Logs in the navigation pane. This page provides usage information for the following alert event log statistics: Table 35. Alert event log statistics S[...]

  • Page 133

    Table 37. Enterprise Scanner (ES) log descriptions (continued) Log name (file_name) Description Interface Log (crm-esm.log) Details communications between the CRM and the ESM. Engine (ESM Blade) Log (iss-esm.log) Contains low-level information related to Common Assessment Module (CAM) sessions that are executed by discovery and assessment ta[...]

  • Page 134

    Downloading Enterprise Scanner (ES) log files Use the Log File Management page in the Proventia Manager to download an Enterprise Scanner (ES) log file from the Enterprise Scanner agent to a local workstation. About this task When you download a log file, Enterprise Scanner creates a backup of the log file for you to download. Enterprise Scanner sa[...]

  • Page 135

    Alerts log Use the Alert Event Log page in the Proventia Manager to view and manage security and system-related alerts. Navigation: You can access this page from (Logs → Alerts, Maintenance → Updates → Alerts, or Logs → Scanning Alerts) Risk level icons You can determine the risk level of an event by the icon in the Risk Level column [...]

  • Page 136

    Downloading and saving an Alerts log Use the Alerts page in the Proventia Manager to save an alert log file to use for forensic purposes. About this task The Alert log is saved in three comma-separated values (CSV) files. The three files refer to the data displayed in the Alerts log: Table 39. Alert log files File Description filename_eventdata.c[...]

  • Page 137

    Clearing the Alerts log Use the Alerts page in the Proventia Manager to clear all events from the Alert log. Before you begin Clearing the Alert log deletes the records and removes the alerts from the Alerts page. Before you clear the Alert log, you might want to save a copy for archiving. Procedure 1. Log on to the Proventia Manager for the Ent[...]

  • Page 138

    If you want to... Then... Search the Alert log file by filtering options 1. Select Auto Off from the Refresh Data list. 2. Select an option from the Filter Options list. Search value fields appropriate to the option are displayed later in this section in the Filter Options list. 3. Specify a search value for the chosen filtering option: • Select:[...]

  • Page 139

    If you want to... Then... Search the Alert log file by Alert ID number 1. Type the 26-character alert ID number in the Search by Alert Id# box. Tip: You can copy the ID# from an Alert Event Details window and paste it into the search box to find all events with that ID#. To see the details window, click the name of the alert in the Alert Name [...]

  • Page 140

    132 Enterprise Scanner: User Guide[...]

  • Page 141

    Chapter 10. Ticketing and remediation This chapter explains how to use information from Enterprise Scanner with the ticketing feature in SiteProtector to manage tracking and remediation. Topics “Ticketing and Enterprise Scanner” on page 134 “Remediation process overview for Enterprise Scanner” on page 135 “Remediation tasks for Enterp[...]

  • Page 142

    Ticketing and Enterprise Scanner SiteProtector works with Enterprise Scanner to streamline your event tracking and remediation processes. This topic explains how to use information from Enterprise Scanner with the ticketing feature in SiteProtector to manage tracking and remediation. When remediation is necessary, such as patching a vulnerabil[...]

  • Page 143

    When you save the ticket in SiteProtector, the action request system stores the information, too. You can edit and maintain tickets in the action request system. SiteProtector retains a copy of the ticket on the database server. Note: If you use Remedy to maintain tickets, then you cannot edit them in SiteProtector. However, SiteProtector sa[...]

  • Page 144

    If you do not want to modify the cycle duration for your background scans, you can run an ad hoc scan to verify and close tickets that are pending system verification. Remediation tasks for Enterprise Scanner Use information from Enterprise Scanner with the ticketing feature in SiteProtector to manage tracking and remediation. Task overview Tas[...]

  • Page 145

    Table 40. Options for the Ticketing reports Option Tab Description Share report with other SiteProtector users General Select this option to give other SiteProtector users permissions to view the report you are running. Display assigned users Display Select this check box if you want users, who have been assigned tickets, to be displayed in the[...]

  • Page 146

    Table 40. Options for the Ticketing reports (continued) Option Tab Description Number of Records Report Format Specifies the number of records that will be displayed in the report from five to ALL records. Show Graph Report Format Select this check box if you want a graph to be displayed on the report. Task 6: Close the ticket After the work [...]

  • Page 147

    Part 3. Maintenance This section explains how to maintain and update the Enterprise Scanner agent. Chapters Chapter 11, “Performing routine maintenance,” on page 141 Chapter 12, “Updating Enterprise Scanner,” on page 147 Chapter 13, “Viewing the status of the Enterprise Scanner agent,” on page 157 © Copyright IBM Corp. 1997, 2009 139[...]

  • Page 148

    140 Enterprise Scanner: User Guide[...]

  • Page 149

    Chapter 11. Performing routine maintenance This chapter explains maintenance procedures that you need to perform on the Enterprise Scanner agent. Topics “Shutting down your Enterprise Scanner” on page 142 “Removing an agent from SiteProtector” on page 143 “Options for backing up Enterprise Scanner” on page 144 “Backing up configur[...]

  • Page 150

    Shutting down your Enterprise Scanner You can shut down Enterprise Scanner from the Proventia Manager. The shut down option also turns off the appliance. Before you begin If you have an agent with an early BIOS, the shut down command may not turn off the appliance. About this task Use this option if you need to turn off the appliance temporarily[...]

  • Page 151

    Removing an agent from SiteProtector Use this procedure to remove an agent from SiteProtector. Procedure 1. In the SiteProtector Console, open a tab with an Agent view, and then select the group that contains your agent. 2. In the right pane, right-click the agent, and then select Delete from the pop-up menu. 3. If you want to delete the group[...]

  • Page 152

    Options for backing up Enterprise Scanner Use the Backup and Recovery page to manage snapshots of configuration settings and to create complete system backups. Types of backups Settings backup A settings backup is a snapshot file that stores all of your appliance configuration settings. You can have many settings snapshot files of different conf[...]

  • Page 153

    Backing up configuration settings Use the Settings Backup tab on the Backup and Recovery page to create a settings snapshot file of the configuration settings for your agent. About this task A settings snapshot file contains the configuration settings, including the logon account credentials and networking settings, of the agent. The default settin[...]

  • Page 154

    Making full system backups Use the Full Backup tab on the Backup and Recovery page to create a complete image of the operating system and current configuration settings before you apply firmware updates or apply snapshot files that change the original configuration settings of the appliance. Procedure 1. Click Maintenance → Backup and Recovery i[...]

  • Page 155

    Chapter 12. Updating Enterprise Scanner This chapter describes how to configure an agent for XPUs, how to schedule automatic and one-time XPUs, and how to apply XPUs manually. Occasionally, you must install XPUs for other products, such as for SiteProtector components, when you install an XPU for Enterprise Scanner. Additional update requiremen[...]

  • Page 156

    XPU basics This topic describes the types of updates for your Enterprise Scanner agent and explains where you can get the updates. Types of updates The following table describes the contents of firmware and assessment content updates: Table 41. Contents of firmware and assessment content updates Type of update Content Firmware An update that con[...]

  • Page 157

    Updating options The XPU process provides the option to schedule automatic updates on a periodic basis, schedule one-time updates, or update an agent manually. You should configure automatic updates and use one-time and manual updates as needed between the automatic updates. Update options The following table describes the three update options: [...]

  • Page 158

    Configuring explicit-trust authentication with an XPU server You can configure the authentication between an Enterprise Scanner agent and a SiteProtector X-Press Update Server (XPU Server) to use either trust-all or explicit-trust authentication. Before you begin To use explicit-trust authentication with an XPU Server, follow these steps: • Cop[...]

  • Page 159

    Configuring an Alternate Update location Use the Alternate Update Server page in the Update Settings policy on the SiteProtector Console if you want to update your Enterprise Scanner appliance from within your network instead of getting updates from the IBM ISS Download Center. About this task By default, an agent receives updates from the IBM I[...]

  • Page 160

    Option Description Trust Level The authentication level for communications with the SiteProtector update server. Authentication level options for the SiteProtector update server are as follows: • Trust-all: The appliance trusts the SiteProtector update server, and does not use SSL certificates for authentication. This is the easiest way to set[...]

  • Page 161

    Configuring an HTTP Proxy Use the Proxy Server page in the Update Settings policy on the SiteProtector Console to configure proxy server information if your Enterprise Scanner agent uses a proxy server to access the Update Server. Procedure 1. From the SiteProtector Console, create a tab to display agent policies. 2. In the navigation pane, sel[...]

  • Page 162

    Scheduling a one-time firmware update Occasionally, you might not want to wait for your automatic update process to install an important update. You can schedule a one-time firmware update between automatic updates. Procedure 1. From the SiteProtector Console, open the Update Settings policy for the agent you want to update. 2. Click the Update [...]

  • Page 163

    Option Description Check for updates at given intervals Checks for updates at the interval that you specify. Note: The range is 60 minutes to 1440 minutes (1-24 hours). Make sure that your agent checks for updates at least one hour before automatic installations to ensure sufficient time for downloading updates. 5. Configure your downloading and[...]

  • Page 164

    Manually installing updates In the Proventia Manager for the agent, you can manually download and install updates. You download firmware and assessment content updates at the same time, but you install them separately. Procedure 1. Log on to the Proventia Manager for the Enterprise Scanner agent. 2. Click Maintenance → Updates in the navigation[...]

  • Page 165

    Chapter 13. Viewing the status of the Enterprise Scanner agent This chapter explains the status information that is available for Enterprise Scanner in Proventia Manager and in the SiteProtector Console. Topics “Proventia Manager Home page” on page 158 “Viewing agent status in the SiteProtector Console” on page 160 “Viewing agent sta[...]

  • Page 166

    Proventia Manager Home page The Proventia Manager Home page provides the latest diagnostic information about the appliance. Navigation: To access the Proventia Manager Home page, click Home in the navigation pane. System status The system status group box describes the current status of the system: Table 46. Current status of the system Statist[...]

  • Page 167

    Table 47. Current status of network interfaces (continued) Model Network interfaces ES1500 ETH0 (management port) ETH1 (scanning port) ETH2 (scanning port) ETH3 (scanning port) ETH4 (scanning port) ETH5 (scanning port) Updates status The update status group box provides the latest update information of the appliance: Table 48. Current status of [...]

  • Page 168

    Viewing agent status in the SiteProtector Console The same system status information that is available in the Proventia Manager Home page is available in the SiteProtector Console. You can also check your authentication status in the SiteProtector Console. Procedure 1. Log on to the Proventia Manager for the Enterprise Scanner agent. 2. In an Age[...]

  • Page 169

    Viewing the status of the CAM modules Use the CAM Modules page in the Proventia Manager to view information about CAM sessions in Enterprise Scanner. Procedure 1. Log on to the Proventia Manager for the Enterprise Scanner agent. 2. Click Status → CAM Modules in the navigation pane. 3. If you want to refresh the diagnostics information, select [...]

  • Page 170

    Table 50. Sensor processes (continued) Module or process Description Troubleshooting option Enterprise Scanner scheduler module or iss-esmScheduler process The program file that schedules and runs Enterprise Scanner ad hoc discovery and assessment tasks. • Clean: Remove esmScheduler log files. (If the scheduler module is running, this process onl[...]

  • Page 171

    Part 4. Appendixes © Copyright IBM Corp. 1997, 2009 163[...]

  • Page 172

    164 Enterprise Scanner: User Guide[...]

  • Page 173

    Appendix. Safety, environmental, and electronic emissions notices Safety notices may be printed throughout this guide. DANGER notices warn you of conditions or procedures that can result in death or severe personal injury. CAUTION notices warn you of conditions or procedures that can cause personal injury that is neither lethal nor extremely h[...]

  • Page 174

    When working on or around the system, observe the following precautions: Electrical voltage and current from power, telephone, and communication cables are hazardous. To avoid a shock hazard: • Connect power to this unit only with the IBM ISS provided power cord. Do not use the IBM ISS provided power cord for any other product. • Do not open or s[...]

  • Page 175

    CAUTION: The battery contains lithium. To avoid possible explosion, do not burn or charge the battery. Do not: • Throw or immerse into water • Heat to more than 100°C (212°F) • Repair or disassemble Exchange only with the IBM ISS-approved part. Recycle or discard the battery as instructed by local regulations. In the United States, IBM ISS has [...]

  • Page 176

    Product safety labels One or more of the following safety labels may apply to this product. DANGER Hazardous voltage, current, or energy levels are present inside any component that has this label attached. Do not open any cover or barrier that contains this label. (L001) DANGER Multiple power cords. The product might be equipped with multiple pow[...]

  • Page 177

    Laser safety information The following laser safety notices apply to this product: CAUTION: This product may contain one or more of the following devices: CD-ROM drive, DVD-ROM drive, DVD-RAM drive, or laser module, which are Class 1 laser products. Note the following information: • Do not remove the covers. Removing the covers of the laser product[...]

  • Page 178

    Notice: This mark applies only to countries within the European Union (EU) and Norway. Appliances are labeled in accordance with European Directive 2002/96/EC concerning waste electrical and electronic equipment (WEEE). The Directive determines the framework for the return and recycling of used appliances as applicable through the European U[...]

  • Page 179

    on disposal of batteries outside the United States, go to http://www.ibm.com/ibm/environment/products/batteryrecycle.shtm or contact your local waste disposal facility. In the United States, IBM has established a return process for reuse, recycling, or proper disposal of used IBM sealed lead acid, nickel cadmium, nickel metal hydride, and ot[...]

  • Page 180

    In accordance with the European Directive 2006/66/EC, batteries and accumulators are labeled to indicate that they are to be collected separately and recycled at end of life. The label on the battery may also include a symbol for the metal concerned in the battery (Pb for lead, Hg for the mercury, and Cd for cadmium). Users of batteries and accu[...]

  • Page 181

    Note: This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Canadian Department of Communications Compliance Statement This Cla[...]

  • Page 182

    IBM is modified, or if expansion components from third-party manufacturers are plugged in or installed without IBM's recommendation. EN 55022 Class A devices must carry the following warning: ″Warning: This is a Class A device. This device may cause radio interference in residential areas; in this case the [...]

  • Page 183

    Korean Class A Compliance Statement: Appendix. Safety, environmental, and electronic emissions notices 175[...]

  • Page 184

    176 Enterprise Scanner: User Guide[...]

  • Page 185

    Index A Access policy 35, 39 account lockout 12 account lockout (SiteProtector) 51 active module icon 158 ad hoc assessment scan 65 monitoring status 23 ad hoc discovery scan 64 monitoring status 23 ad hoc scan running 22 types of 81 Ad Hoc Scan Control policy 64, 82 ad hoc scan policies 20 ad hoc scans expected scanning behavior 99 Admin password [...]

  • Page 186

    Enterprise Scanner report viewing in SiteProtector Console 119 Enterprise Scanner reports running in SiteProtector 117 Enterprise Scanner scan module 161 Enterprise Scanner scheduler module 162 ES logs 122, 124 changing detail 124 ESM blade log 124 ETH0 40 ETH1 40 event notification 38 configuring 38 Event Notification tab 153 explicit-trust 150, [...]

  • Page 187

    scan job (continued) resuming 96 scan jobs (SiteProtector) 71 scan policy configuring from LMI 20 scan priority 99 Scan Reports page 24 scan results exporting 24 Scan Results page 24, 25 Scan Status page 23 Scan Window policy 45, 59, 60, 85 Scan Window policy (SiteProtector) 85 allowed scanning 85 scan windows 59, 76 scanning (SiteProtector) mini[...]