IBM Proventia Network Enterprise Scanner

Getting Started Guide


Version 2.3

Copyright statement
Copyright IBM Corporation 1997, 2009.
All Rights Reserved.
U.S. Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
Publication Date: February 2009
Trademarks and Disclaimer
IBM and the IBM logo are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both.
ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure,
SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch,
X-Force and X-Press Update are trademarks or registered trademarks of Internet
Security Systems, Inc. in the United States, other countries, or both. Internet
Security Systems, Inc. is a wholly-owned subsidiary of International Business
Machines Corporation.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in
the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks
of others.
References in this publication to IBM products or services do not imply that
IBM intends to make them available in all countries in which IBM operates.
Disclaimer: The information contained in this document may change without
notice, and may have been altered or changed if you have received it from a
source other than IBM Internet Security Systems (IBM ISS). Use of this
information constitutes acceptance for use in an AS IS condition, without
warranties of any kind, and any use of this information is at the user's own
risk. IBM Internet Security Systems disclaims all warranties, either expressed
or implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall IBM ISS be liable for any damages
whatsoever, including direct, indirect, incidental, consequential or special
damages, arising from the use or dissemination hereof, even if IBM Internet
Security Systems has been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or
incidental damages, so the foregoing limitation may not apply.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation, or favoring by IBM
Internet Security Systems. The views and opinions of authors expressed herein
do not necessarily state or reflect those of IBM Internet Security Systems, and
shall not be used for advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to
release, but the ever-changing nature of the Internet prevents IBM Internet
Security Systems, Inc. from guaranteeing the content or existence of the
resource. When possible, the reference contains alternate sites or keywords
that could be used to acquire the information by other methods. If you find a
broken or inappropriate link, please send an email message with the topic
name, link, and its behavior to support@iss.net.
Copyright IBM Corp. 1997, 2009 iii
iv Enterprise Scanner: Getting Started Guide
Contents
Trademarks and Disclaimer . . . iii
About this book . . . vii
    Related publications . . . viii
    Getting technical support . . . ix
Chapter 1. Introduction . . . 1
    What's new in Enterprise Scanner 2.3? . . . 2
    Key concepts . . . 2
    Enterprise Scanner communication channels . . . 4
    Component descriptions . . . 6
Chapter 2. Installing and configuring Enterprise Scanner . . . 9
    Process overview . . . 10
    Using terminal emulation to set up your appliance for initial configuration . . . 12
    Configuring appliance-level settings . . . 13
    Acquiring licenses . . . 16
    Configuring explicit trust authentication with an agent manager . . . 17
        Clear first-time-trust certificates . . . 17
        Copy the agent manager certificate . . . 18
        Edit the local properties file . . . 18
        Enable explicit-trust authentication . . . 19
    Registering Enterprise Scanner to connect to SiteProtector . . . 20
    Logging on to the IBM SiteProtector Console . . . 24
    Preparing to reinstall an Enterprise Scanner agent . . . 25
    Reinstalling an Enterprise Scanner agent . . . 26
Chapter 3. Running your first scans from Proventia Manager . . . 29
    Policy types in Proventia Manager . . . 30
    Running an ad hoc scan . . . 32
    Monitoring the status of a scan . . . 33
    Viewing the results of an ad hoc scan . . . 34
    Exporting scan results from Proventia Manager . . . 35
Chapter 4. Running your first scans from SiteProtector . . . 37
    Basic concepts . . . 38
    How to use perspective in Enterprise Scanner . . . 40
    Running an ad hoc discovery scan with Enterprise Scanner . . . 41
    Running an ad hoc assessment scan with Enterprise Scanner . . . 42
    Monitoring ad hoc discovery and ad hoc assessment scans . . . 44
    Background scanning checklists for Enterprise Scanner . . . 46
    Running a background scan . . . 47
        Task 1: Define background discovery scans . . . 47
        Task 2: Define background assessment scans . . . 48
        Task 3: Define when scanning is allowed . . . 49
        Task 4: Enable scanning and define length of scanning cycles . . . 50
        Task 5: Finish setting up background scanning . . . 51
    Disabling background scans . . . 51
Chapter 5. Setting up scanning permissions for users . . . 53
    Predefined Enterprise Scanner permissions . . . 54
    Creating user groups in the SiteProtector system . . . 57
    Adding members to SiteProtector user groups . . . 58
    Changing group-level permissions . . . 59
        Removing group-level permissions . . . 59
        Configuring advanced permissions . . . 60
Index . . . 61
About this book
This section describes the audience for this guide; identifies related
publications; and provides contact information.
Audience
Users of this guide should understand their network topology, including the
criticality of network assets. In addition, because Enterprise Scanner can be
managed through the SiteProtector Console, you must have a working
knowledge of the SiteProtector system, including how to set up views,
manage users and user permissions, and deploy policies.
Topics
Related publications on page viii
Getting technical support on page ix
Related publications
Use this topic to help you access information about your appliance.
Publications
The following documents are available for downloading from the IBM ISS
Documentation Web site at http://www.iss.net/support/documentation/.
• IBM Proventia Network Enterprise Scanner Version 2.3 Quick Start Card (Models
  ES750 and ES1500)
• IBM Proventia Network Enterprise Scanner Version 2.3 Getting Started Guide
• IBM Proventia Network Enterprise Scanner Version 2.3 User Guide
License agreement
For licensing information about IBM Internet Security System products,
download the IBM Licensing Agreement from
http://www.ibm.com/services/us/iss/html/contracts_landing.html.
Getting technical support
IBM Internet Security Systems (IBM ISS) provides technical support through
its Web site and by e-mail or telephone.
The IBM ISS Web site
The IBM ISS Customer Support Web page at
http://www.ibm.com/services/us/iss/support/ provides direct access to online
user documentation, current versions listings, detailed product literature,
white papers, and the Technical Support Knowledgebase.
Hours of support
The following table provides hours for Technical Support at the Americas and
other locations:
Table 1. Hours of technical support
Location               Hours
Americas               24 hours a day
All other locations    Monday through Friday, 9:00 A.M. to 6:00 P.M. during
                       their local time, excluding IBM ISS published holidays.
                       Note: If your local support office is located outside
                       the Americas, you may call or send an e-mail to the
                       Americas office for help during off-hours.
Contact information
For contact information, go to the IBM ISS Contact Technical Support Web
page at http://www.ibm.com/services/us/iss/support/contacts.html.
Chapter 1. Introduction
Enterprise Scanner automates the process of discovering and assessing your
network assets through continuous background scanning of your network.
This model allows you to track the remediation effort in SiteProtector and use
reports to evaluate the security status of your network at any time.
Topics
What's new in Enterprise Scanner 2.3? on page 2
Key concepts on page 2
Enterprise Scanner communication channels on page 4
Component descriptions on page 6
What's new in Enterprise Scanner 2.3?
This Enterprise Scanner appliance firmware update includes improvements
and bug fixes.
For the most current information about product issues and updates, see the
readme file on the IBM Internet Security Systems Download Center at
http://www.iss.net/download/.
Key concepts
This topic provides a background overview of the Enterprise Scanner
workflow model.
Enterprise Scanner model
Enterprise Scanner automates the process of discovering and assessing your
network assets through continuous background scanning of your network.
Enterprise Scanner is based on a model in which vulnerability detection is
treated like a continuous network monitoring task if it is being managed by
the SiteProtector system.
In addition to the continuous network monitoring, Enterprise Scanner gives
you the ability to configure and run ad hoc scans from either the Proventia
Manager or while it is being managed by the SiteProtector system. Ad hoc
scanning allows you to run a one-time scan to discover new assets or to
assess the vulnerability status of existing assets at any time. Ad hoc scans are
useful when you need to take immediate action because assets have been
added to your network or new vulnerabilities have been announced.
Centralized control
Enterprise Scanner works with the SiteProtector system to provide centralized
security management for your enterprise assets. After you install and
configure your appliance, you can use the SiteProtector Console for scan
management, tracking and remediation, and reporting. Or, if you do not want
to register with the SiteProtector system, you can start off by running
one-time scans from the Proventia Manager.
Asset-centric approach
You probably already think about your vulnerability management in terms of
your assets. You know to prioritize your efforts to protect your most critical
assets first and to provide the same type of protection for similar assets.
Enterprise Scanner makes this easier by separating policies for groups of
assets from the policies for agents: Asset policies define scanning requirements
for groups of assets, including IP addresses to scan, checks to run, and how
often to refresh information. Agent policies define how agents operate,
including the location in the network from which they operate. That network
location is called perspective.
Ad hoc scanning and auditing
Enterprise Scanner supports ad hoc scanning from both the Proventia
Manager (used as an auditing tool) and the SiteProtector system.
When the appliance is managed by the SiteProtector system, you use the ad
hoc scanning capability in between scheduled background scans for the
following types of needs:
• For network reconfiguration, use ad hoc scanning to refresh your discovery
  and vulnerability information.
• For a new threat, use ad hoc scanning to assess the risk to your assets.
Load balancing
Enterprise Scanner makes it easier for you to respond to the dynamic nature
of an enterprise network. You can create pools of agents to share a scanning
load. You can add agents or remove agents without having to change any
discovery or assessment configuration parameters. You can also adjust other
operational parameters to ensure that you have the coverage you need.
Perspective definitions
You have different expectations for scanning results based on the location of
an agent in relation to the assets it scans. For example, results might be
different depending on whether you scanned a group of assets from inside a
firewall or outside a firewall. In Enterprise Scanner, perspective definitions
serve several purposes:
• They identify locations on your network from which scanning is performed.
• They indicate where agents are connected to your network so that load
  balancing can occur across agents that share a perspective.
• They indicate the location from which groups of assets should be scanned.
Enterprise Scanner communication channels
This topic discusses the communication channels Enterprise Scanner uses.
Components
In normal operations, Enterprise Scanner communicates with these external
components:
• OneTrust Infrastructure
• The SiteProtector system
• User consoles
• Assets on the network
Architecture diagram
The following diagram shows the communication paths between Enterprise
Scanner and the SiteProtector system:
Network interfaces
Enterprise Scanner uses network interfaces as follows:
Table 2. Management and scanning interfaces
Interface      Purpose
Management     To communicate with the SiteProtector system.
Scanning       To communicate with assets.
Port usage
The following table describes port usage from the point of view of Enterprise
Scanner:
Table 3. Port usage for Enterprise Scanner
Network interface   Port                      Communication with
Management          Inbound from 3995         The SiteProtector Agent Manager.
                    Inbound from 3994 TCP     The X-Press Update Server.
                    Inbound on 443 TCP        The user's Web browser.
                    Inbound on 22 TCP         An SSH shell on a user's computer.
Scanning            Any TCP outbound,         The assets being scanned by the
                    any UDP, any ICMP         agent.
Component descriptions
This topic describes the purpose of communication between Enterprise
Scanner and other components.
OneTrust Infrastructure
OneTrust Infrastructure provides two services to Enterprise Scanner:
• Licenses for the appliance.
  Note: You must acquire a new or an updated license manually on the
  Licensing page in the Proventia Manager.
• Updates for firmware and assessment content updates.
  Note: You can configure automatic downloading and installation of
  updates through the SiteProtector Console or through your Agent Manager.
  Updates are available either through the IBM ISS Download Center or from
  a locally managed Update Server.
User interfaces
You can access and view information gathered by the Enterprise Scanner
through one or both consoles as described in the following table:
Table 4. User Console components
SiteProtector Console
    The interface where you perform all the SiteProtector system tasks, such as:
    • Configure and manage the appliance
    • Create and manage security policies
    • Enable alerts and logging
    • Set up users and user permissions
    • Monitor security events and vulnerabilities on your network
    • Generate reports
Proventia Manager
    A Web-based interface for managing the agent and configuring and running
    ad hoc scans.
IBM SiteProtector System
The SiteProtector system is a centralized management system that provides
command, control, and monitoring capabilities for all of your IBM Internet
Security Systems (IBM ISS) products, including the Enterprise Scanner
appliance. SiteProtector system documentation provides thorough descriptions
of all of its components.
The following major components make up the SiteProtector system:
Table 5. The SiteProtector system components
Agent Manager
    The Agent Manager provides the ability to configure, update, and manage
    the appliance in the SiteProtector system. It also manages the alternate
    update server, called the SiteProtector X-Press Update Server.
    As the appliance generates security data, the Agent Manager facilitates
    the data processing required for you to view the data in the SiteProtector
    Console.
    The appliance sends a heartbeat signal through the management interface
    to its Agent Manager on a routine basis to indicate that it is active to
    receive policies and updates from the Agent Manager. The time between
    heartbeats is defined by the user.
Application Server
    The Application Server provides remote access functions for the
    SiteProtector Console.
SiteProtector Database
    The SiteProtector Database stores the following information:
    • Security data generated by your IBM ISS products
    • Statistics for security events
    • The update status of all products
    • The SiteProtector system user accounts and permissions
Update Server
    The Update Server contains the X-Press Updates (XPUs) for all licensed
    IBM ISS products.
Chapter 2. Installing and configuring Enterprise Scanner
This chapter explains how to connect the Enterprise Scanner agent to the
network, configure appliance-level settings, and connect the appliance to
the SiteProtector system.
Topics
Process overview on page 10
Using terminal emulation to set up your appliance for initial configuration
on page 12
Configuring appliance-level settings on page 13
Acquiring licenses on page 16
Configuring explicit trust authentication with an agent manager on page 17
Registering Enterprise Scanner to connect to SiteProtector on page 20
Logging on to the IBM SiteProtector Console on page 24
Preparing to reinstall an Enterprise Scanner agent on page 25
Reinstalling an Enterprise Scanner agent on page 26
Process overview
Follow the Installation process checklist in this topic to determine the tasks
you need to perform to install and configure your Enterprise Scanner agent.
To track your progress, print the checklist and mark each step as you
complete it.
Prerequisites
Before you install and configure your agent, check the applicable readme file
and the known issues:
• The readme file lists the X-Press Updates (XPUs) that you must install.
  Note: Some XPUs might apply to the SiteProtector system components,
  such as to the SiteProtector database.
• To find the list of known issues, log on to the IBM ISS Knowledgebase
  (http://www.iss.net/support/), and then search the knowledgebase for
  Answer ID 3442.
  Tip: Type 3442 in the Search Text box, and select Answer ID in the Search
  By list.
Installation process
Complete these tasks to install and configure Enterprise Scanner:
Table 6. Installation process checklist
Connect your appliance to the network and set it up for terminal emulation.
    Reference: Use the IBM Proventia Network Enterprise Scanner Quick Start
    Card or see Using terminal emulation to set up your appliance for initial
    configuration on page 12 in this guide.
Run the Proventia Setup Assistant to configure appliance-level settings and
initial agent parameters.
    Reference: Use the IBM Proventia Network Enterprise Scanner Quick Start
    Card or see Configuring appliance-level settings on page 13 in this guide.
Create a backup of your system configuration settings.
    Reference: See the section on Backing up configuration settings in the
    chapter on Performing routine maintenance of the IBM Proventia Network
    Enterprise Scanner User Guide.
Optional: Set up explicit-trust authentication with the SiteProtector Agent
Manager.
    Reference: See Configuring appliance-level settings on page 13 in this
    guide.
Acquire the license for your agent.
    Reference: See Acquiring licenses on page 16 in this guide.
Install the latest X-Press Updates (XPUs) for firmware and assessment content
either manually or by setting up scheduled updates.
    Reference:
    • See the chapter on Updating Enterprise Scanner in the IBM Proventia
      Network Enterprise Scanner User Guide
    • Help in the Proventia Manager
Configure your agent to work with the SiteProtector system (if you are not
configuring settings from the Proventia Manager).
    Reference: See Registering Enterprise Scanner to connect to SiteProtector
    on page 20 in this guide.
As an option, run verification scans to verify your installation and to
become familiar with scanning with Enterprise Scanner.
    Reference:
    • See Chapter 3, Running your first scans from Proventia Manager, on
      page 29
    • Running your first scans with the SiteProtector system
Configure the policies that define the characteristics of the agent.
    Reference: See the chapter on Agent policies for Enterprise Scanner in
    the IBM Proventia Enterprise Scanner User Guide.
Configure policies for groups of assets that you want an agent to scan.
    Reference: See the chapters on Background scan and Asset policies for
    Enterprise Scanner in the IBM Proventia Enterprise Scanner User Guide.
Set up the SiteProtector system for vulnerability management.
    Reference: See the chapter on Interpreting scan results in SiteProtector
    in the IBM Proventia Enterprise Scanner User Guide.
Using terminal emulation to set up your appliance for initial configuration
This topic explains how to connect the appliance to the network and set up a
terminal emulation session with your appliance.
Before you begin
You must have the following items to set up terminal emulation:
• A computer with a terminal emulation program that you connect to the
  appliance with an RS-232 serial (COM) port
• The power cable that came in the box with the appliance
• The serial cable with an RJ45 connection that came in the box with the
  appliance
• A static IP address for the Management network interface
About this task
Terminal emulation programs are installed with Microsoft and Linux operating
systems. Documentation for using them should be provided by the vendor. A
common Microsoft emulation program is HyperTerminal. You can start it as
follows:
• Click Start on the taskbar, and then click All Programs > Accessories >
  Communications > HyperTerminal.
Procedure
1. Connect the power cable to the power receptacle on the back of the
appliance, and plug the cord into the power source.
2. Optional: Connect the Management Port to a router or a switch on your
network that has connectivity with the SiteProtector system that will
manage your agent.
3. Connect the Scan Port (if connecting the ES750) or Scan Ports 1 - 5 (if
connecting the ES1500) to the network to scan.
4. Connect the notebook or mobile desktop to the same network as the
appliance using the Ethernet adapter on the computer and a standard
Ethernet cable.
5. Plug the RJ45 connection into the Console outlet on the appliance, and
plug the other end of the cable into a serial port on the back of the
computer.
6. Start your terminal emulation program with the following settings:
   Option          Description
   Baud rate       9600
   Flow control    Hardware
   Data bits       8
   Parity          None
   Stop bits       1
   Emulation       VT100
7. Turn on the appliance. Initialization messages are displayed in the
window.
Note: If messages do not display after the appliance starts, press the ENTER
key.
Configuring appliance-level settings
To configure appliance-level settings, you must log on to the appliance and
run the Proventia Setup Assistant. Appliance-level settings define the network
and administrative settings for the agent. You can change most of the settings
later through the Proventia Manager or through the SiteProtector Console.
Before you begin
Set up the terminal emulation program as described in Setting up your
appliance for initial configuration.
Procedure
1. With the terminal emulation connection to your appliance, wait for the
unconfigured.appliance login: prompt to be displayed on your screen.
2. Type admin for the login, and then press ENTER.
3. Type admin for the password, and then press ENTER. The Welcome to the
Proventia Manager Setup Wizard screen appears.
4. Press ENTER to advance to the next screen.
5. Press the SPACE BAR to select I accept (End User License Agreement for
IBM ISS), press the DOWN ARROW to select Next, and then press ENTER.
6. Press the SPACE BAR to select I accept (Linux End User License
Agreement), press the DOWN ARROW to select Next, and then press ENTER.
7. Review the information required for the wizard, select Next, and then
press ENTER. The keyboard navigation Help appears at the top of each
configuration screen.
8. Continue with the Proventia Setup Assistant, and see the following table
for the requirements of each screen:
Important: You will see only the screens that apply to your configuration
choices.
Hostname
    The fully qualified domain name for the Enterprise Scanner appliance.
    Important: In the Hostname box, press backspace to erase
    unconfigured.appliance, and then type the host name.
Management Interface (eth0)
    The IP Address, Netmask (subnet mask), and Gateway for the management
    port that connects to the SiteProtector system.
Scanning Interface (eth1)
    The IP Address, Netmask (subnet mask), and Gateway (IP) for the scanning
    interface (data port) that connects to your network.
Nameservers
    One or more of the Primary, Secondary, and Tertiary Nameservers to use
    for resolving DNS names.
    Note: The nameservers are used by both the management network interface
    (eth0) and the scanning network interface (eth1).
DNS Search Path
    A space-delimited list of domain names that make up your DNS search path.
Time Zone
    The time zone for your appliance.
    Tip: Press ENTER to display the choices in the list, and then press the
    UP ARROW and the DOWN ARROW to select a choice.
Date and Time
    The current Month, Day, Year, Hours, and Minutes for your appliance.
    Important: You must use a 24-hour time format.
    Note: If the date and time are correct, you do not need to change
    anything. You only need to change fields that are not already correct in
    the Current System Date and Current System Time boxes.
Root Password
    The password required to log on to the operating system of your appliance.
Administrator Password
    The password required to access the Proventia Setup Assistant on the
    appliance.
Proventia Manager Password
    The password required to access Proventia Manager through a Web browser
    over a network connection.
Bootloader
    Whether to require (Enable) or not require (Disable) the Bootloader (root)
    password for backup and restore operations only.
    CAUTION: If you enable the Bootloader password, you must use a serial
    connection to the agent through a serial port and supply a password to
    back up or restore the appliance; you do not need to be connected for
    other operations.
Settings Review
    A list of all the configuration settings you have chosen.
    Tip: Press the DOWN ARROW to see the complete list of settings and to see
    the Finish button.
9. Select Finish, and then press ENTER. The Setup Complete screen appears.
10. Press the ESC key, select Yes to close Proventia Setup Assistant, and then
press ENTER.
11. Do one of the following to disconnect your cables:
    • If you are using terminal emulation, disconnect the RJ45 connection
      from the serial port on the back of the computer.
    • If you are using the PXE bootserver for a reinstallation (see
      Reinstalling an Enterprise Scanner agent), disconnect the following:
        – RJ45 connection from the serial port on the back of the computer
        – Red crossover cable from the management port of the appliance to
          the Ethernet port on the boot server computer
      Press CTRL+G to eject the installation disk.
12. Choose an option:
    • If you want to configure explicit trust with your Agent Manager, go to
      Configuring explicit-trust authentication with an Agent Manager.
    • If you want to continue setting up your appliance, go to Registering
      Enterprise Scanner to connect to the IBM SiteProtector system.
Acquiring licenses
This topic explains how to acquire your OneTrust licenses through Proventia
Manager for your agent.
About this task
Enterprise Scanner uses the Proventia OneTrust license technology. OneTrust
licensing simplifies license management for your Enterprise Scanner agents
and for other IBM ISS products that support OneTrust licensing.
Important: You must acquire your licenses before you can update your agent.
Reference: For detailed information about OneTrust licenses, see the
IBM SiteProtector documentation.
The options for acquiring licenses depend on how your agent connects to the
IBM ISS Download Center:
Table 7. Options for acquiring licenses
If your agent has a connection to the Internet...
    You can acquire your license directly from the IBM ISS Download Center
    without any additional configuration.
If your agent must go through a Proxy server...
    You must configure your agent to use a proxy server. (See the chapter on
    Updating Enterprise Scanner in the IBM Proventia Network Enterprise
    Scanner User Guide.)
If your agent must use a local source to acquire a license...
    You must configure a connection to an X-Press Update Server for
    SiteProtector. (See the chapter on Updating Enterprise Scanner in the IBM
    Proventia Network Enterprise Scanner User Guide.)
Procedure
1. Log on to the Proventia Manager for the Enterprise Scanner agent.
2. Click Maintenance > Licensing in the navigation pane.
3. Click the button that appears, either Acquire License or Refresh License.
The current license information is displayed on the screen.
Configuring explicit trust authentication with an agent manager
Use the following procedures if you want to set up explicit trust
authentication between your appliance and the SiteProtector agent manager.
First-time-trust authentication level is used by default. Using explicit trust
authentication is optional.
Before you begin
Make sure your appliance is not registered with SiteProtector before you
continue. If the appliance has never established communication with the agent
manager, skip Step 1.
About this task
Follow these steps to configure explicit-trust authentication with an agent
manager:
Clear first-time-trust certificates
Server certificates are stored in a directory on the Proventia Appliance the first
time a connection is made between the appliance and the agent manager. You
must remove those certificates before you can use explicit-trust authentication.
About this task
If the appliance has never established communication with the agent manager,
skip this procedure.
Procedure
1. Locate the /var/spool/crm directory on the appliance.
2. Optionally, copy the entire CRM folder to another location locally to make
a backup of it.
Note: If the appliance has never registered with SiteProtector, this
directory will be empty.
3. Delete the contents of the CRM folder on the appliance.
Copy the agent manager certificate
Manually copy the agent manager certificate to a specific location for
explicit-trust to work.
Procedure
1. Locate the computer that hosts your SiteProtector agent manager, and then
locate the folder where the agent manager is installed.
Note: The default location is C:\Program Files\ISS\SiteProtector\Agent
Manager.
2. Copy the agent manager certificate file (using FTP or FileZilla) to the
following directory on the appliance: /var/spool/crm/cacerts/
3. Rename the file to dccert.pem.
Edit the local properties file
The communications modules for the appliance read their authentication
configuration from a file, and you must change that file to identify the
certificate used for explicit-trust authentication.
Procedure
1. On the appliance, open the file named /etc/crm/rsPostLocalProperties.xml.
2. Locate the setting parm name=caCertFile.
3. Set the value= to value=/var/spool/crm/cacerts/dccert.pem.
4. Save the file.
Enable explicit-trust authentication
You must register with the agent manager, specify explicit-trust
authentication, and then reboot the appliance.
Procedure
1. Click System > SiteProtector in the navigation pane.
2. Select the Register with SiteProtector check box.
3. Either create a new agent manager configuration or open an existing one.
4. Select explicit-trust from the Authentication Level list.
5. Choose an option:
v If you are configuring a new agent manager, complete the process as
explained in Registering Enterprise Scanner to connect to SiteProtector
on page 20.
v If you are changing an existing agent manager configuration, click OK,
and then click Save Changes.
6. Reboot the appliance.
Registering Enterprise Scanner to connect to SiteProtector
Use the SiteProtector Registration page in the Proventia Manager to enable the
SiteProtector interface to manage Enterprise Scanner appliance functions and
to receive alerts.
Before you begin
To register your appliance to connect to SiteProtector, you need the following
information:
v The name of the SiteProtector agent group that you want to assign the
appliance to.
Note: You do not have to create the group in SiteProtector; if the group
does not exist, it is created during the registration process.
v Whether to use an agent configuration that is already defined for the group
or to override any group settings with local settings.
v Basic information required to connect with a SiteProtector agent manager.
Authentication level
IP address and port number
v SiteProtector account credentials for appliance access to secure information.
Before you register your appliance with SiteProtector, you must decide
whether you want your appliance to inherit configuration settings from its
group in SiteProtector immediately (at the first heartbeat) or wait until you
have configured the settings in SiteProtector.
v If you do not want the appliance to use any settings defined for the group
where you are registering the appliance, select the Local Settings Override
SiteProtector Group Settings check box.
Note: This option ensures that the appliance does not inherit any default,
undefined settings from the SiteProtector group.
v If you have already configured the settings you want to use in the group
where you are registering the appliance, then clear the Local Settings
Override SiteProtector Group Settings check box.
Important: If you have not defined the settings for the group, your
appliance settings will be overridden by the default, undefined group
settings.
Procedure
1. Click Configuration > SiteProtector Registration in the navigation pane.
Note: It might take some time for Java to initialize the first time you do this.
2. Configure your SiteProtector account:
Option Description
Register with SiteProtector Registers the agent with SiteProtector to
enable the agent to scan.
Local Settings Override SiteProtector
Group Settings
Instructs on how to handle policy
updates:
v Select the check box if you want the
agent to use the configuration settings
you define in Proventia Manager until
you change those settings for the agent
group in SiteProtector.
Tip: This setting prevents the appliance
from starting to function before you
have entirely defined its behavior.
v Clear the check box if you want the
appliance to inherit currently defined
settings from the agent group in
SiteProtector.
Tip: This setting is useful if you have
fully defined the behavior of the
appliance in SiteProtector and you
want the appliance to inherit those
settings. This might be applicable if
you are adding a new appliance to an
existing group.
Desired SiteProtector Group for Sensor The name of the group where the agent is
registered in SiteProtector.
Note: SiteProtector creates the group if it
is not already there.
Heartbeat Interval (secs) The number of seconds you want the
agent to wait between the time it contacts
SiteProtector for changed policies and
updates to firmware and assessment
content.
Range: 60 to 86,400 seconds (1 minute to
2 days). You should use the default of
3600.
Tip: Your agent registers itself with
SiteProtector at the end of the first
heartbeat. If you want to use a long
heartbeat, you might want to set a short
heartbeat initially, and then change it after
the agent is registered.
3. In the Agent Manager Configuration section, click Add.
4. Configure the agent manager in the Add Agent Manager Configuration
window:
Option Description
Authentication Level
v trust-all: Specifies that the appliance
does not use the SSL certificate
presented by SiteProtector. The
appliance trusts all connections on port
3995 (or other designated port) and
sends alerts to any system to which it
can connect on that port.
v first-time-trust: Specifies that at the
first connection, the appliance accepts
the SSL certificate and stores it. On all
subsequent connections to the same
SiteProtector desktop controller,
SiteProtector must present the same
certificate.
v explicit-trust: Specifies that you must
copy the SSL certificate to authenticate
SiteProtector to the correct location on
the appliance before connecting. The
certificates should be placed in the
/cache/spool/crm/cacerts directory.
Name A meaningful name that corresponds to
the SiteProtector agent manager.
Agent Manager Address The DNS name or the IP address of the
SiteProtector agent manager.
Agent Manager Port The port number on which alerts are sent
to SiteProtector.
Note: The default port number is 3995. If
you change the default port number, you
must also configure the port number
locally on the SiteProtector agent
manager.
Account Name The account name for the agent manager.
Tip: You can add additional definitions of agent managers to use as
backups. Be sure to put the definitions in the order of preference, with the
most preferred agent manager first in the list.
5. If your agent must use a password to connect with the agent manager,
click Enter Password, and then type the password in the Password and
Confirm Password boxes.
6. If a proxy HTTPS server is installed on the network between the agent and
SiteProtector, select the Use Proxy Settings check box, and then configure
the proxy:
Option Description
Proxy Server Address The DNS name or the IP address of the
proxy server.
Proxy Server Port The HTTPS port number of the proxy
server.
Proxy Username If required, the user ID the agent needs to
authenticate with the proxy server.
Proxy Password The password that goes with the user ID
if the agent needs one to authenticate
with the proxy server.
7. Click OK, and then click Save Changes.
8. Type the SiteProtector Account and Password for the SiteProtector
Account that allows you to access sensitive information, such as
assessment accounts.
9. Click Save. After the first heartbeat, your agent appears in SiteProtector in
the group you designated.
Note: This operation can take several minutes. Wait until this page is
refreshed in your browser before you continue.
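The three authentication levels in the Agent Manager Configuration table (trust-all, first-time-trust and explicit-trust) differ only in how the certificate presented by the agent manager is checked against what the appliance has on disk. The following model is an added illustration, not Enterprise Scanner's own code: the explicit-trust path reads cacerts/dccert.pem under the CRM directory as the guide describes, while the function names and the file name used to remember a first-time-trust certificate (firsttrust.pem) are assumptions.

```python
"""Model of the agent manager authentication levels described above.

Added illustration, not Enterprise Scanner's own code. The directory
layout follows the guide (explicit trust reads cacerts/dccert.pem under
the CRM directory); the function names and the file name used to
remember a first-time-trust certificate (firsttrust.pem) are assumptions.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes exactly as presented."""
    digest = hashlib.sha256(cert_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_agent_manager_cert(level: str, presented: bytes, crm_dir: Path) -> bool:
    """Decide whether the certificate presented by the agent manager is
    acceptable under the configured authentication level.

    trust-all        : accept any certificate (SiteProtector is not
                       authenticated at all)
    first-time-trust : remember the certificate seen on the first
                       connection, then require the same one afterwards
    explicit-trust   : require a match with the administrator-placed
                       cacerts/dccert.pem; nothing is ever stored
    """
    if level == "trust-all":
        return True

    if level == "first-time-trust":
        stored = crm_dir / "firsttrust.pem"  # assumed name for the cached cert
        if not stored.exists():
            crm_dir.mkdir(parents=True, exist_ok=True)
            stored.write_bytes(presented)  # first connection: trust and record
            return True
        return hmac.compare_digest(fingerprint(stored.read_bytes()),
                                   fingerprint(presented))

    if level == "explicit-trust":
        pinned = crm_dir / "cacerts" / "dccert.pem"
        if not pinned.exists():
            # Certificate not copied into place yet: refuse, do not fall back
            # to first-time-trust behaviour.
            return False
        return hmac.compare_digest(fingerprint(pinned.read_bytes()),
                                   fingerprint(presented))

    raise ValueError(f"unknown authentication level: {level!r}")


def demo() -> tuple:
    """Walk through the three levels with two constructed 'certificates'.

    Returns the sequence of accept/reject decisions so the behaviour can be
    checked without a real SiteProtector agent manager.
    """
    crm = Path(tempfile.mkdtemp(prefix="crm-demo-"))  # stands in for /var/spool/crm
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"  # constructed
    results = (
        check_agent_manager_cert("trust-all", cert_b, crm),           # True
        check_agent_manager_cert("first-time-trust", cert_a, crm),    # True
        check_agent_manager_cert("first-time-trust", cert_a, crm),    # True
        check_agent_manager_cert("first-time-trust", cert_b, crm),    # False
        check_agent_manager_cert("explicit-trust", cert_a, crm),      # False
    )
    # Administrator copies the agent manager certificate into place
    (crm / "cacerts").mkdir()
    (crm / "cacerts" / "dccert.pem").write_bytes(cert_a)
    results += (
        check_agent_manager_cert("explicit-trust", cert_a, crm),      # True
        check_agent_manager_cert("explicit-trust", cert_b, crm),      # False
    )
    return results


if __name__ == "__main__":
    print(demo())
```

The demo shows why the guide has you clear the CRM directory before switching levels: a certificate remembered under first-time-trust is never consulted by explicit-trust, which refuses every connection until dccert.pem is in place.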
Logging on to the IBM SiteProtector Console
Use the SiteProtector Console to set up users and user groups, configure ad
hoc and background scans, and monitor the protection status of your Site.
Before you begin
Before you can log on to the SiteProtector Console, you must have:
v The SiteProtector Console on your computer
v A user ID and password for the SiteProtector system
Procedure
1. Click Start on the taskbar, and then click Programs > ISS > SiteProtector Console.
2. Choose an option:
v If the Site is already defined in the SiteProtector system, select it.
v If the Site is not already defined in the SiteProtector system, right-click
My Sites, click New Site from the pop-up menu, and then type the IP
address or the DNS name of the Site in the Server box.
3. If you do not use the default port number (3998), type the port number of
the Site server to communicate with in the Port box.
4. Type your SiteProtector User name.
Note: If your user name is part of a domain, use the following format:
domain_name\user_name
5. Type your password.
6. Click OK. The Site Manager appears.
Preparing to reinstall an Enterprise Scanner agent
You can boot from the recovery CD over the network from a PXE boot server to reinstall the appliance. The Recovery CD runs a temporary PXE boot server on most Pentium II or later computers that have a serial port and a supported network interface card as listed later in this topic.
Prerequisites
To reinstall Enterprise Scanner, you must have the following items:
v A computer to use as a PXE (Pre-boot eXecution Environment) boot server
Note: In some cases, you might need to connect to the agent through
terminal emulation. To determine if you need this, see Setting up your
appliance for initial configuration.
v The IBM Proventia Network Enterprise Scanner Recovery CD
v RJ-45 to DB9 modified serial console cable (the blue cable that came with
the agent)
v CAT-5 Ethernet crossover cable (the red cable that came with the agent)
PXE boot server requirements
The computer or notebook you use as the PXE boot server must meet the
following requirements:
Table 8. PXE boot server requirements
Component Requirement
Processor Pentium II or compatible CPU (at a
minimum)
RAM 64 MB (at a minimum)
Drive IDE CD-ROM drive
Serial port COM1
Note: This process does not install any software on the PXE boot server
computer.
Certified hardware
The following supported hardware has been certified by IBM ISS Quality
Assurance for the PXE boot server:
v Intel PRO/100
v Intel PRO/1000
Additional hardware
The following hardware has not been certified for a PXE boot server, but
should also work:
v 3Com 3c905C, 3c575, and 3c574
v Netgear FA51 and FA411
v Intel PRO/100 S Mobile Adapter
Note: IBM ISS supports only the network cards specified in the PXE boot
server hardware requirements.
Reinstalling an Enterprise Scanner agent
Reinstall your Enterprise Scanner agent only if your attempts at
troubleshooting do not resolve a serious problem. You should contact IBM ISS
Technical Support to try and resolve the problem before you reinstall the
agent.
Before you begin
Important: Before you attempt to reinstall your agent, make sure you have
read and understand the information in Preparing to reinstall an Enterprise
Scanner agent on page 25.
To reinstall Enterprise Scanner, you must have the following items:
v A computer to use as a PXE (Pre-boot eXecution Environment) boot server
Note: In some cases, you might need to connect to the agent through
terminal emulation. To determine if you need this, see Setting up your
appliance for initial configuration.
v The IBM Proventia Network Enterprise Scanner Recovery CD
v RJ-45 to DB9 modified serial console cable (the blue cable that came with
the agent)
v CAT-5 Ethernet crossover cable (the red cable that came with the agent)
About this task
After you reinstall an appliance, you must configure it as you would for an
original installation. If you saved a settings snapshot file, and downloaded it
to your PC before reinstalling the appliance, you can use Proventia Manager
to upload that settings snapshot file to the appliance, and then apply it. (See
the chapter on Performing routine maintenance in the IBM Proventia Network
Enterprise Scanner User Guide.)
Procedure
1. Turn off your appliance.
Important: You cannot just reboot the appliance to initiate the
installation.
2. Connect one end of the red crossover cable to the management port of
the appliance, and then connect the other end of the cable to an Ethernet
port on the boot server computer.
Important: You must use the red crossover cable for this step. Do not use
a hub or switch because other servers on the network can interfere with
the PXE boot server.
3. Plug the RJ45 connection of the blue RJ45-to-DB9 cable into the Console
outlet on the appliance.
4. Plug the DB9 connection of the blue RJ45-to-DB9 cable into the serial port
on the back of the boot server computer.
5. Insert the IBM Proventia Network Enterprise Scanner Recovery CD into the
CD-ROM drive of the boot server, and then reboot the boot server
computer.
6. When the following message appears at the bottom of your screen, turn on your appliance:
*** You may now boot your ES1500-esos via the network ***
*** Starting Terminal Emulator ***
*** Press Control-G to Exit and Reboot ***
The PXE boot server now acts as a terminal emulator for the appliance
and displays boot process messages.
7. Carefully watch the messages at the bottom of the screen, and then press L as soon as you see the following: Press L to boot from LAN. Messages continue to display for a few more screens. If you do not press L quickly enough, the appliance boots normally. If that happens, you must turn the appliance off, and then turn it back on again, to restart the reinstallation.
8. When the boot prompt appears, type reinstall, and then press ENTER.
Note: It takes some time, but do not respond to any prompt until the
unconfigured.appliance login prompt appears.
9. When the unconfigured.appliance login prompt appears, type admin,
and then press ENTER. All passwords for the appliance are reset to the
defaults.
10. Type admin for the password, and then press ENTER. The Welcome to the
Proventia Manager Setup Wizard screen appears.
11. Go to Step 4 in the procedure for Configuring appliance-level settings. If the boot server is not accepting input from your keyboard, you must set up terminal emulation on another computer. See Setting up your appliance for initial configuration.
Chapter 3. Running your first scans from Proventia
Manager
This chapter guides you through the process of running basic ad hoc scans for
discovery and for assessment from the Proventia Manager.
These scans accomplish the following tasks:
v Introduce you to the basic workflow of scanning with the Proventia
Manager.
v Provide a foundation of understanding that you can build upon as you
customize scanning for your network.
Topics
Policy types in Proventia Manager on page 30
Running an ad hoc scan on page 32
Monitoring the status of a scan on page 33
Viewing the results of an ad hoc scan on page 34
Exporting scan results from Proventia Manager on page 35
Policy types in Proventia Manager
You can configure discovery and assessment scan policies from Proventia
Manager for auditing purposes, and then use those policies for one-time (ad
hoc) scans that you initialize from the LMI Scan Control policy.
LMI Scan Control
The LMI Scan Control policy controls the following scanning parameters:
v Whether discovery scanning, assessment scanning, or both types of
scanning are enabled
v The perspective from which to scan against this group
Ad hoc scanning
You can run the following combinations of ad hoc scans:
v Discovery
v Discovery and an assessment
You cannot run an assessment only scan from the Proventia Manager. The
following table lists which scan policies are required to run an ad hoc scan
from Proventia Manager:
Table 9. Policies used for ad hoc scanning in Proventia Manager
Scan policy Required
Discovery Yes
Assessment Yes
Assessment Credentials No
Network Services No
Scan Exclusion No
Note: You should run a discovery scan first (to identify assets on the network) before you run an assessment scan.
Policy descriptions
The following table describes the policy types available in the Proventia
Manager:
Table 10. Descriptions of the policy types in the Proventia Manager
Policy Description
Assessment Defines the following for the ad hoc
assessment scan:
v Which checks to run against assets in the group
v Assessment check parameters
v Common settings for assessment scans
Assessment Credentials Contains logon account information for
running checks that require authenticated
access.
Discovery Defines the following for ad hoc
discovery scans:
v IP addresses and address ranges for a
scan to discover
v How to handle discovered assets
Network Services Defines the ports on which services run.
Scan Exclusion Defines IP addresses, ports, or both that
you want to exclude from assessment
scans.
Policy locations
All scan policies are stored locally on the appliance in the following directory:
/var/www/html/viewer/SupportFiles/[Directory]
The scan policies are not shared with other appliances and you cannot import
the scan policies into the SiteProtector system.
Running an ad hoc scan
Ad hoc scans are one-time scans that you can run to discover new assets or to
assess existing assets. You run ad hoc scans from Proventia Manager using
scan policies that you configure and save on the Policy Management page.
You use the LMI Scan Control page on the appliance to define and run ad hoc
scans for assessment and discovery.
Procedure
1. Click Scan > Run Scan in the navigation pane.
2. Use the default names for the scan jobs: LMI Discovery and LMI
Assessment.
Tip: The scan job name is useful when you want to view the results and
status of the scan.
3. From the fields provided in the LMI Scan area, select FirstDiscovery in
the Discovery list, and FirstAssessment in the Assessment list.
Note: You cannot run an assessment only scan from the Proventia
Manager. Because the appliance does not use a database to store asset
information, you must run a discovery scan followed by an assessment
scan.
4. Select Global in the Perform scans from this perspective (Network
location) list.
5. Click Save Changes to start the ad hoc scan.
Monitoring the status of a scan
Use the Scan Status page in the Proventia Manager to view the status of ad
hoc discovery and assessment scans you have initialized from the LMI Scan
Control page.
About this task
While Proventia Manager processes the scan, you can perform one of the
following actions on the scan:
Table 11. Processing status of a scan
Action Icon Description
Pause Pause the job, but only
when it is in the processing
status. Pausing a job in any
other status might cause
problems if you try to
resume or rerun the scan.
Resume Resume the scan after you
have paused it
Cancel Cancel the scan altogether
Procedure
1. Click Scan > Scan Status in the navigation pane.
The Scan Status page appears with a table displaying the status of the
scan.
Note: The results of the scan can take up to a minute to display on this
page.
2. Click the link for the scan in the Name column to display the results of
the scan on the Scan Results page.
Viewing the results of an ad hoc scan
Use the Scan Results page in the Proventia Manager to analyze
security-related data discovered by an ad hoc scan.
Procedure
1. Click Scan > Scan Results in the navigation pane.
2. Choose the scan date (time stamp) from the List Scans list, and then click
Go.
3. Select the scan job from the Scan Type list, and then click Go. The results
of the scan are displayed in the table.
4. Click View/Manage Log Files.
5. Select the scan job in the File Name list. The name of the log file contains the date the scan was run and uses this format: lmiScans/mmddyyyy_xxxxx.log
6. Click Download to download the log file for the scan to a directory on your computer. Scan data files are located in the /var/log/esm/lmiScans directory.
Exporting scan results from Proventia Manager
Use the Scan Reports page on the appliance to export scan results to HTML or
CSV files from Proventia Manager.
About this task
This feature provides basic reporting for ad hoc scans initialized from
Proventia Manager. It is not intended to replace the full analysis and reporting
functions of SiteProtector.
Procedure
1. Click Scan > Scan Reports in the navigation pane.
2. Select the discovery or assessment scan that you want to export from the
List Scans list.
3. Select how you want to sort the hosts in the report.
4. Select the Report checks which found no vulnerability check box if you
want to include information about checks that did not find a vulnerability.
5. Depending on the type of report you need to generate, click Generate HTML Report or Generate CSV Files.
6. Save the file to your local system. Enterprise Scanner uses the following
file name convention for exported results:
Discovery:
DiscoveryResults-<YYYYMMDD>-<HHMMSS><timezone>-<scannername>-<jobname>.csv
Assessment:
AssessmentResults-<YYYYMMDD>-<HHMMSS><timezone>-<scannername>-<jobname>.csv
Example: A discovery scan that ran on March 30, 2008 at 1:20:39 PM EST with a scanner name of testscan and a job name of testjob would display the following file name: DiscoveryResults-20080330-132039EST-testscan-testjob.csv
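Scripts that collect exported results (for example to feed them into another reporting tool) need to recover the scan type, time stamp, scanner and job from the file name convention above. The following parser is an added example, not Enterprise Scanner's own code; it assumes the scanner name contains no hyphen (a job name may), and the helper that picks the most recent export is mine.

```python
"""Parser for the exported scan result file names described above.

Added example, not Enterprise Scanner's own code. It implements the
DiscoveryResults-/AssessmentResults- naming convention from the guide;
the assumption that a scanner name contains no '-' (a job name may) is
mine, as is the helper that picks the most recent export.
"""
import re
from datetime import datetime
from typing import Optional

# <kind>Results-<YYYYMMDD>-<HHMMSS><timezone>-<scannername>-<jobname>.csv
_EXPORT_RE = re.compile(
    r"^(?P<kind>Discovery|Assessment)Results-"
    r"(?P<date>\d{8})-(?P<time>\d{6})(?P<tz>[A-Za-z]+)-"
    r"(?P<scanner>[^-]+)-(?P<job>.+)\.csv$"
)


def parse_export_name(name: str) -> dict:
    """Split an export file name into its fields.

    Raises ValueError for names that do not follow the convention, so a
    report-collection script fails loudly on an unexpected file instead
    of silently skipping it.
    """
    m = _EXPORT_RE.match(name)
    if not m:
        raise ValueError(f"not an Enterprise Scanner export file name: {name!r}")
    # The guide's time stamp is local time followed by a zone label (e.g. EST)
    when = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    return {
        "kind": m["kind"],          # "Discovery" or "Assessment"
        "timestamp": when,          # naive datetime in the scanner's zone
        "timezone": m["tz"],
        "scanner": m["scanner"],
        "job": m["job"],
    }


def latest_export(names, kind: str, scanner: Optional[str] = None) -> Optional[str]:
    """Return the most recent export of the given kind (optionally restricted
    to one scanner name), ignoring files that are not exports."""
    best_name, best_time = None, None
    for name in names:
        try:
            info = parse_export_name(name)
        except ValueError:
            continue
        if info["kind"] != kind or (scanner and info["scanner"] != scanner):
            continue
        if best_time is None or info["timestamp"] > best_time:
            best_name, best_time = name, info["timestamp"]
    return best_name


# Constructed directory listing; the first name is the guide's own example.
SAMPLE_LISTING = [
    "DiscoveryResults-20080330-132039EST-testscan-testjob.csv",
    "AssessmentResults-20080330-140501EST-testscan-testjob.csv",
    "DiscoveryResults-20080401-091500EST-testscan-nightly-dmz.csv",
    "readme.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_LISTING:
        try:
            print(parse_export_name(n))
        except ValueError as e:
            print(e)
    print(latest_export(SAMPLE_LISTING, "Discovery"))
```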
Chapter 4. Running your first scans from SiteProtector
This chapter guides you through the process of running basic ad hoc and
background scans for discovery and for assessment.
These scans accomplish the following tasks:
v Verify that you have set up Enterprise Scanner to work correctly with the
SiteProtector system.
v Introduce you to the basic workflow of scanning with Enterprise Scanner
from the SiteProtector system.
v Provide a foundation of understanding that you can build upon as you
customize scanning for your Site.
Topics
Basic concepts on page 38
Running an ad hoc discovery scan with Enterprise Scanner on page 41
Running an ad hoc assessment scan with Enterprise Scanner on page 42
Monitoring ad hoc discovery and ad hoc assessment scans on page 44
Background scanning checklists for Enterprise Scanner on page 46
How to use perspective in Enterprise Scanner on page 40
Running a background scan on page 47
Disabling background scans on page 51
Basic concepts
This topic explains the basic concepts you should know before you use the
SiteProtector system to manage the Enterprise Scanner agent. Keep these
concepts in mind as you work with the agent.
Types of scans
Enterprise Scanner runs the following types of scans in SiteProtector:
Table 12. Definitions of ad hoc and background scans
Type of scan Description
Ad hoc One-time scans for discovery, for
assessment, or for both.
Background Recurring, cyclical scans that refresh your
discovery information, assessment
information, or both at user-defined
intervals.
Discovery separate from assessment
With Enterprise Scanner, discovery scans and assessment scans are separate
for both ad hoc and background scans. You may, however, link scans so that
an assessment scan does not run until the corresponding discovery scan has
finished.
Scopes of scans
The scopes of discovery and assessment scans are based on the following
settings:
Table 13. Scope of discovery and assessment scans
Type of scan Scope
Discovery Operates on IP addresses (single, ranges,
or both) that you assign to the scan.
Note: The group you use for discovery
scans might already contain assets. Those
assets do not have to belong to the IP
range of the scan.
Assessment Operates on the assets in a group in the
SiteProtector system.
Agent and asset groups
The assets that you scan can be in the same group as your agent, but they do
not have to be. The agent is associated with the groups it scans based on
perspective, not on the group to which it belongs.
Enterprise Scanner location
When you registered your Enterprise Scanner agent with the SiteProtector
system, you added it to a group that appears in the SiteProtector Console. To
modify policies and customize the scanning behavior of your agent, you must
locate that group. For the examples in this topic, the agent is in the
CorporateScanners group.
Location of assets
A group that you scan might have subgroups, and you can use the rules of
policy inheritance to change scanning behaviors for subgroups. For the
examples in this chapter, the assets to scan are also in the CorporateScanners
group.
Using the default perspective
For an initial installation of Enterprise Scanner, you should have no problem
using the default perspective, Global. If you have an established installation
and must use a different perspective, check with your security manager before
you continue.
How to use perspective in Enterprise Scanner
This topic explains the meaning of perspective in different contexts.
Perspectives in policies
The exact role of perspective depends on the policy where you define or select
it. The following table describes how to use perspective in different policies:
Table 14. Perspectives in policies
Policy How to use Applies to
Network Locations policy: Define a perspective as a network location. Applies to: the entire Site.
Network Locations policy: Assign an agent to a perspective. Applies to: a particular agent.
Scan Control policy: Identify the perspective from which you want to scan groups of assets. Applies to: the group, or groups, to scan with that policy.
Illustration
The following figure illustrates a set up for scanning one group of assets from
inside the firewall and another group of assets from within a DMZ:
Sample
To scan some asset groups from inside your firewall and others from within
your DMZ, follow these steps:
1. Set up two groups in SiteProtector:
v One group contains assets to scan from inside the firewall.
v One group contains assets to scan from the DMZ.
2. Define a perspective to identify the scanners at each place on your
network.
3. Assign one or more scanners to each perspective.
4. Set up a scan control policy for each asset group and specify, in each
policy, the perspective from which scanning should occur.
Running an ad hoc discovery scan with Enterprise Scanner
When you run an ad hoc discovery scan from the SiteProtector Console, you
must define the ranges of IP addresses to scan, including additional scanning
control parameters.
Procedure
1. In the SiteProtector navigation pane, create a tab with any view except
for a Policy view.
2. Expand the Site to see the group you want to scan.
3. Right-click the group to scan; if given a choice of Internet Scanner or
Enterprise Scanner, select Enterprise Scanner; and then select Scan from
the pop-up menu.
4. In the Ad Hoc Discovery section, select the Perform one-time discovery
scan of this group check box.
5. Type a Job name to identify the job when it appears in the Command
Jobs window.
6. If you want the scan to run only during your scheduled scanning
windows, select the Run only during open discovery windows check
box.
7. Click Discovery in the left pane.
8. Type the range, or ranges, of IP addresses to scan in the IP range(s) to
scan box.
9. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets
to exclude in the IP range(s) to scan box as in the following examples:
v Type an IP address, and then press ENTER.
v Type a range of IP addresses, and then press ENTER.
Example: 172.1.1.100-172.1.1.200
v Type a combination of both choices above, and then press ENTER.
Note: A red box appears around the IP range(s) to scan box until the
data is validated.
10. If you want to ping each IP address before scanning to exclude
unreachable hosts from the scan, select the Ping hosts in this range,
before scanning, to exclude unreachable hosts check box.
11. If you want to add newly discovered assets to the group where you have
defined the scan, rather than to the Ungrouped Assets group, select the
Add newly discovered assets to group check box.
12. If you want to add previously known assets (that are not in the group) to
the group, select the Add previously known assets to group check box.
13. Click OK. The ad hoc discovery scan is displayed in the Command Jobs
window.
Running an ad hoc assessment scan with Enterprise Scanner
When you run an ad hoc assessment scan from the SiteProtector Console, you
can use the default settings, or choose the checks you want to run and other
scanning parameters.
Procedure
1. In the SiteProtector navigation pane, create a tab with any view except
for a Policy view.
2. Expand the Site to see the group you want to scan.
3. Right-click the group to scan; if given a choice of Internet Scanner or
Enterprise Scanner, select Enterprise Scanner; and then select Scan from
the pop-up menu.
4. In the Ad Hoc Discovery section, select the Perform one-time discovery
scan of this group check box.
5. Type a Job name to identify the job when it appears in the Command
Jobs window.
6. If you want the scan to run only during your scheduled scanning
windows, select the Run only during open discovery windows check
box.
7. Click Assessment in the left pane.
8. Configure the policy the same way you would configure the background
Assessment policy.
9. Select Global in the Perform scans from this perspective (Network
location) list.
10. Click the Advanced Settings tab.
11. In the Assessment Throttling section, use the Bandwidth Throttling
slider to set the amount of bandwidth the scan should consume.
The Enterprise Scanner agent will monitor threads once the value
becomes greater than you specified.
To enable logging, add the following advanced parameter to the logging parameters in SiteProtector: esm.portN.debug.logging, where N is the port number of the scan interface.
The agent writes the log information to iss-esm-<port number of scan interface>.log.
12. Use the remaining sliders to enable settings that prevent the scan from
overwhelming or flooding a slow network:
Option Description
Connections per host The maximum number of connections the
scan should make per host.
SMB Connections The maximum number of SMB
connections the scan should make during
a scan job.
Half-Scan Connections The maximum number of connections the
scan should use for opening and closing
ports.
13. Click the Debug Settings tab.
14. In the Packet Capture section, select Enabled and then set the filters for
the agent to use during the ad hoc assessment scan for network analysis.
Note: Packet capturing is not available for ad hoc background scanning.
The agent writes the capture results to
<filename>_<interface>_<timestamp>.cap located in
/cache/log/esm/PacketCapture. To view the results of the capture file:
a. Start Proventia Manager, and then click Support > System Support File.
b. Click Generate Support Data File.
c. Download the file to your computer, extract it, and then open the file
in any PCAP compatible software.
15. Click OK. The ad hoc assessment scan appears in the Command Jobs
window.
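As an added example (not IBM's code and not part of this guide), the following Python script reads a capture written by step 14 offline and estimates, per target host, the peak number of simultaneous TCP connections the scanner opened, so the result can be compared with the Connections per host value from step 12. It assumes the .cap file is plain little-endian libpcap carrying Ethernet/IPv4 frames and that the address of the scan interface is known; the capture it runs on is constructed inline, and all function names are mine.

```python
"""Offline inspection of an Enterprise Scanner packet capture (.cap, libpcap
format). Added example, not IBM code: estimates the peak number of simultaneous
TCP connections the scanner opened to each target host, for comparison with
the 'Connections per host' slider. Assumes a little-endian libpcap file with
Ethernet/IPv4 frames and a known scan-interface address."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4     # libpcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def iter_packets(data):
    """Yield (timestamp_seconds, frame_bytes) for every record in a libpcap file."""
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack_from(
        "<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file (magic 0x%08x)" % magic)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    offset = 24                                   # global header size
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", data, offset)
        offset += 16                              # record header size
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        yield ts_sec + ts_usec / 1_000_000, frame


def parse_tcp(frame):
    """Return (src_ip, dst_ip, tcp_flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 48 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 14 or ip[9] != 6:    # protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    return str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20])), tcp[13]


def peak_connections_per_host(data, scanner_ip):
    """Peak simultaneous connections from scanner_ip to each host. A SYN without
    ACK opens a connection; a FIN or RST sent by the scanner closes one."""
    open_conns, peak = defaultdict(int), defaultdict(int)
    for _ts, frame in iter_packets(data):
        parsed = parse_tcp(frame)
        if parsed is None or parsed[0] != scanner_ip:
            continue                                  # not sent by the scanner
        _src, dst, flags = parsed
        if flags & TCP_SYN and not (flags & TCP_ACK):
            open_conns[dst] += 1
            peak[dst] = max(peak[dst], open_conns[dst])
        elif flags & (TCP_FIN | TCP_RST) and open_conns[dst] > 0:
            open_conns[dst] -= 1
    return dict(peak)


def hosts_over_limit(peak, connections_per_host):
    """Hosts whose peak exceeds the policy's 'Connections per host' value."""
    return {host: n for host, n in peak.items() if n > connections_per_host}


def _tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp


def build_sample_capture():
    """Constructed capture, not a real scanner trace: scanner 10.0.0.5 opens three
    connections to 10.0.0.20, closes one, opens a fourth; one to 10.0.0.21."""
    s = "10.0.0.5"
    events = [(s, "10.0.0.20", 40001, 22, TCP_SYN),
              ("10.0.0.20", s, 22, 40001, TCP_SYN | TCP_ACK),   # reply, ignored
              (s, "10.0.0.20", 40002, 80, TCP_SYN),
              (s, "10.0.0.20", 40003, 443, TCP_SYN),
              (s, "10.0.0.20", 40001, 22, TCP_FIN | TCP_ACK),
              (s, "10.0.0.20", 40004, 445, TCP_SYN),
              (s, "10.0.0.21", 40005, 22, TCP_SYN)]
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, (src, dst, sport, dport, flags) in enumerate(events):
        frame = _tcp_frame(src, dst, sport, dport, flags)
        out.append(struct.pack("<IIII", 1_233_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


if __name__ == "__main__":
    peak = peak_connections_per_host(build_sample_capture(), "10.0.0.5")
    print("peak connections per host:", peak)
    print("over a limit of 2:", hosts_over_limit(peak, 2))
```

Against a real file, call peak_connections_per_host(open(path, "rb").read(), "<scan interface address>"). A host whose peak is above the slider value is worth a closer look, since that slider is what keeps a slow segment from being flooded; the parser refuses captures with an unexpected magic number or link type instead of guessing at the layout.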
Monitoring ad hoc discovery and ad hoc assessment scans
Use the procedure in this topic to monitor the ad hoc discovery and ad hoc
assessment scans in the SiteProtector Console.
Procedure
1. Right-click the group in the navigation pane, and then select Properties
from the pop-up menu.
2. Click Command Jobs in the navigation pane, or click the Control jobs
icon on the toolbar. The ad hoc discovery scan appears in the Command
Jobs window, and the task name appears under the Object column.
3. Click the Details-[Linked]First Ad Hoc Discovery tab. The job-level
statistics for the job display on the screen.
Note: [Linked] attached to the task name indicates that the assessment
scan was set up to run after the discovery scan has finished. The same
prefix is attached to the assessment scan to indicate that it is linked with a
discovery scan.
Tip: The status starts out as Pending, can go back-and-forth between Idle
and Processing until it finishes, and then its status is Completed.
Tip: For more information about how scan jobs run and how to find
information about them, see the chapter on Monitoring scans in SiteProtector
in the IBM Proventia Network Enterprise Scanner User Guide.
4. Click the Activity tab. The task-level statistics for the job display on the
screen.
5. After the discovery scan has finished, set up a tab with the Asset view,
and then select the group.
The discovered assets display on the right pane.
Note: If the assets do not display on the screen, press F5 to refresh the
view.
Tip: Assessment scans assess assets by user-assigned criticality levels to
ensure that the most critical assets are scanned first. Assets discovered by
an Enterprise Scanner agent have a default criticality of Unassigned.
6. To monitor the progress of the assessment scan, right-click the group in
the navigation pane, select Properties from the pop-up menu, and then
click Command Jobs in the navigation pane.
Tip: Or click the Control jobs icon on the toolbar.
The assessment scan will not start until the discovery scan has finished.
The Command Jobs window appears and the ad hoc assessment scan
appears in the Command Jobs window along with the completed
discovery scan.
7. To view statistics about the tasks in the job, click the Activity tab. Details
about the tasks display in the Activity tab.
Tip: The task name appears under the Object column. The status starts out
as Pending, can go back-and-forth between Idle and Processing until it
finishes, and then its status is Completed.
Tip: For more information about how scan jobs run and how to find
information about them, see the chapter on Monitoring scans in SiteProtector
in the IBM Proventia Network Enterprise Scanner User Guide.
8. After the job has finished, click the Analysis view, and then select the
group.
9. To see if the scan identified any vulnerabilities for any of the assets in the
group, select one of the vulnerability views:
v Vuln Analysis - Asset
v Vuln Analysis - Detail
v Vuln Analysis - Target OS
v Vuln Analysis - Object
v Vuln Analysis - Vuln Name
Tip: If the events do not display on the screen, adjust display parameters,
such as the Start and End times.
Background scanning checklists for Enterprise Scanner
This topic describes the minimum requirements to set up background
discovery and background assessment scanning. You should also use any
other policies that help you configure your scanning environment to meet
your security goals.
Checklist for background discovery scanning
The following list describes the requirements for setting up background
discovery scanning for a group:
1. Apply a Discovery policy to the group.
2. Apply a Scan Window policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
3. Optional: Apply an Assessment Credentials policy to the group for better
OS identification.
4. Apply a Scan Control policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
Checklist for background assessment scanning
The following list describes the requirements for setting up background
assessment scanning for a group:
1. Verify that the group already contains assets, possibly from a recent
discovery scan.
2. Apply an Assessment policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
3. Apply a Scan Window policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
4. Optional: Apply an Assessment Credentials policy to the group for better
OS identification.
5. Apply a Scan Control policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
Running a background scan
Use these procedures to configure and then run a background scan from the
SiteProtector Console with the Enterprise Scanner agent.
Task 1: Define background discovery scans
Use this procedure to define the range of IP addresses to scan.
Procedure
1. In your SiteProtector Console, select the Policy view, and then create or
select a group for the range of IP addresses to discover.
2. Right-click the group, and then select New Policy Repository from the
pop-up menu.
3. Select Network Enterprise Scanner in the Agent Type list.
4. Select your version of Enterprise Scanner for the agent from the Version
list.
Note: The version can apply to the agent whose properties you are
defining or to the agent responsible for scanning the group whose
properties you are defining.
Important: Enterprise Scanner policies can apply to one or more
versions, as indicated in the policy view. If you use multiple agents at
different versions that do not share the same policy, you must define
separate policies for each version.
5. Select Asset in the Mode list.
6. In the left pane, click the Repository folder you just created.
7. Select New Policy to create a new Discovery policy based on the
default Discovery policy. The Create New Policy window is displayed on
the screen.
8. Select Generate Empty, and then select Discovery from the Policy Type
list.
9. Type a name for the new policy in the Policy Name box, and then click
OK. The policy opens for editing.
10. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets
to discover in the IP range(s) to scan box as in the following examples:
v Type an IP address, and then press ENTER.
v Type a range of IP addresses, and then press ENTER.
Example: 172.1.1.100-172.1.1.200
v Type a combination of both choices above, and then press ENTER.
Tip: Discovery policies cannot be inherited from a parent. Each group
must define its own Discovery policy.
11. From the Action menu, select Save Policy.
12. Click OK.
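To check a range list before saving the policy, here is an added Python example (not IBM's code) that parses the three entry forms from step 10, one per line, summarizes first-last ranges into the CIDR blocks that cover them, counts the addresses, flags entries that fall outside an authorized scope, and reports entries that overlap each other. The SAMPLE_BOX text and the AUTHORIZED block are constructed, and the function names are mine.

```python
"""Validate the contents of a Discovery policy's 'IP range(s) to scan' box
before saving it. Added example, not IBM code: accepts the entry forms the
guide shows (single address, 'first-last' range, CIDR block), one per line,
and reports address count, out-of-scope entries and overlapping entries."""
import ipaddress


def parse_scan_ranges(text):
    """Return a list of IPv4Network objects covering every entry in 'text'.
    A 'first-last' range is summarized into the CIDR blocks that exactly cover it;
    a single address becomes a /32."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            if "-" in entry:
                first, last = (ipaddress.IPv4Address(p.strip())
                               for p in entry.split("-", 1))
                if last < first:
                    raise ValueError("range end precedes range start")
                networks.extend(ipaddress.summarize_address_range(first, last))
            else:
                # strict parsing: '10.0.0.1/24' is rejected, not silently widened
                networks.append(ipaddress.IPv4Network(entry))
        except ValueError as exc:
            raise ValueError("line %d (%r): %s" % (lineno, entry, exc)) from exc
    return networks


def address_count(networks):
    """Total number of addresses the policy would try to discover."""
    return sum(n.num_addresses for n in networks)


def outside_scope(networks, authorized):
    """Entries not fully contained in any authorized block (scan scope check)."""
    return [n for n in networks if not any(n.subnet_of(a) for a in authorized)]


def overlapping_entries(networks):
    """Pairs of entries that cover the same addresses (they would be scanned twice)."""
    return [(str(a), str(b)) for i, a in enumerate(networks)
            for b in networks[i + 1:] if a.overlaps(b)]


# Constructed sample box contents, reusing the guide's range example.
SAMPLE_BOX = """\
172.1.1.1
172.1.1.100-172.1.1.200
172.1.2.0/24
172.1.1.150
"""
AUTHORIZED = [ipaddress.IPv4Network("172.1.1.0/24")]   # constructed scope


if __name__ == "__main__":
    nets = parse_scan_ranges(SAMPLE_BOX)
    print("entries:", [str(n) for n in nets])
    print("addresses:", address_count(nets))
    print("outside scope:", [str(n) for n in outside_scope(nets, AUTHORIZED)])
    print("overlaps:", overlapping_entries(nets))
```

Rejecting a CIDR entry with host bits set is deliberate: 10.0.0.1/24 might mean the whole /24 or be a typo for one host, and a Discovery policy that quietly widens to 256 addresses is exactly the scope error a review should catch before the scan runs.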
Task 2: Define background assessment scans
Use this procedure to enable background assessment scanning and define
which checks to run in the scan.
Procedure
1. In the navigation pane, select the group to scan.
2. In the left pane, click the Repository folder you just created.
3. Click New Policy to create a new Assessment policy based on the
default Assessment policy. The Create New Policy window is displayed on
the screen.
4. Select Generate Empty, and then select Assessment from the Policy Type
list.
5. Type a name for the new policy in the Policy Name box. The policy opens
for editing.
Tip: If you want to see or change the checks that run, click the Checks
tab. If you select the folder with the red X in the toolbar, the checks are
displayed in an ungrouped list.
Tip: If you want to see or change any common assessment settings, click
the Common Settings tab.
Tip: Assessment policies for subgroups are inherited from a parent by
default if the assessment policy is defined in the parent group. If the
policy is inherited, it displays the name of the parent in the list of policies
for the group.
6. From the Action menu, select Save Policy.
7. Click OK.
Task 3: Define when scanning is allowed
Use this optional procedure to define the days and hours that scanning is
allowed.
Procedure
1. In the navigation pane, select the group to scan.
2. In the left pane, click the Repository folder you just created.
3. Select New Policy to create a new Scan Window policy based on the
default Scan Window policy. The Create New Policy window is displayed
on the screen.
4. Select Generate Empty, and then select Scan Window from the Policy
Type list.
5. Type a name for the new policy in the Policy Name box, and then click
OK. The policy opens for editing.
6. Click the Discovery Windows tab.
7. You can select the periods of allowed scanning using the following
methods:
If you want to... | Then...
Allow scanning during specific hours | Click and drag your cursor over those hours for each day that you want to allow scanning.
Allow scanning at any time | Click Fill All. All squares turn black.
Remove all defined scan periods | Click Clear All. All squares turn white.
Tip: For the purposes of testing, choose two hours each day, including
the current hour or the next two hours so that your background scans
can start soon.
Note: Scanning hours are selected; non-scanning hours are not selected.
8. Click the Assessment Windows tab, and then select hours for the
assessment windows just as you did for discovery.
9. Click the Time Zone tab.
10. Select the time zone during which you want the scan windows to be
open from the Time zone for windows defined in this policy list.
Tip: Typically, you will need to select the same time zone as the time
zone of the assets in the group.
11. From the Action menu, select Save Policy.
12. Click OK.
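The hour grid and the time zone choice above can be reasoned about in code. The following Python class is an added example (not IBM's code): it models a Scan Window policy as the selected hours per weekday in the policy's time zone, answers whether a given instant falls inside an open window, and finds the next open hour. The names ScanWindowPolicy and weekday_test_policy are mine, and the fixed-offset zone ASSET_TZ is a constructed stand-in for a zoneinfo.ZoneInfo zone so that the script runs without a tz database.

```python
"""Check whether an instant falls inside a Scan Window policy and find the
next open window. Added example, not IBM code: the 7 x 24 hour grid from the
Discovery Windows / Assessment Windows tabs is modelled as selected hours per
weekday, evaluated in the policy's time zone (the Time Zone tab)."""
from datetime import datetime, timedelta, timezone

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # same numbering as datetime.weekday()


class ScanWindowPolicy:
    def __init__(self, tz):
        self.tz = tz                                     # zone the windows are defined in
        self.hours = {day: set() for day in range(7)}    # selected (black) squares

    def allow(self, days, start_hour, end_hour):
        """Select hours [start_hour, end_hour) on each listed day, as click-and-drag does."""
        if not 0 <= start_hour < end_hour <= 24:
            raise ValueError("hours must satisfy 0 <= start < end <= 24")
        for day in days:
            self.hours[day].update(range(start_hour, end_hour))

    def fill_all(self):
        """Equivalent of the Fill All button: every square black."""
        for day in range(7):
            self.hours[day] = set(range(24))

    def is_open(self, when):
        """True if the window is open at 'when' (an aware datetime in any zone)."""
        if when.tzinfo is None:
            raise ValueError("pass an aware datetime so the zone conversion is explicit")
        local = when.astimezone(self.tz)
        return local.hour in self.hours[local.weekday()]

    def next_open(self, when):
        """Start of the first open hour at or after 'when', expressed in the
        policy zone; None if no square is selected. Steps in UTC so the result
        stays correct across DST changes when a zoneinfo zone is used."""
        probe = when.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)
        for _ in range(7 * 24):
            if self.is_open(probe):
                return probe.astimezone(self.tz)
            probe += timedelta(hours=1)
        return None


# Constructed: a fixed offset stands in for the assets' real zone (for example
# zoneinfo.ZoneInfo("America/New_York")) so the example needs no tz database.
ASSET_TZ = timezone(timedelta(hours=-5), "UTC-5 (assets, constructed)")


def weekday_test_policy(tz):
    """Two hours each weekday, 01:00 to 02:59 in 'tz' (the small test window the Tip suggests)."""
    policy = ScanWindowPolicy(tz)
    policy.allow((MON, TUE, WED, THU, FRI), 1, 3)
    return policy


if __name__ == "__main__":
    when = datetime(2009, 2, 2, 7, 30, tzinfo=timezone.utc)      # Monday 07:30 UTC
    print("assets' zone:", weekday_test_policy(ASSET_TZ).is_open(when))
    print("wrong zone (UTC):", weekday_test_policy(timezone.utc).is_open(when))
    print("next window:", weekday_test_policy(ASSET_TZ).next_open(
        datetime(2009, 2, 2, 3, 30, tzinfo=timezone.utc)))
```

The two checks in the main block make the Tip concrete: the same Monday 07:30 UTC instant is inside the 01:00 to 03:00 window when the policy carries the assets' zone and outside it when the console's zone (here UTC) is used instead, so a window defined in the wrong zone can silently never cover the hours you intended.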
Task 4: Enable scanning and define length of scanning cycles
Use this optional procedure to define when the first scanning cycle begins,
including the length of each scanning cycle.
Procedure
1. In the navigation pane, select the group to scan.
2. Select New Policy to create a new Scan Control policy based on the
default Scan Control policy. The Create New Policy window is displayed
on the screen.
3. Select Generate Empty, and then select Scan Control from the Policy
Type list.
4. Type a name for the new policy in the Policy Name box, and then click
OK. The policy opens for editing.
5. In the Background Discovery section, select the Enable background
discovery scanning of this group check box.
6. Type First Background Discovery Scan in the Job name box.
7. Select today's date in the Cycle start date list, and then select two days
in the Cycle duration boxes.
8. In the Background Assessment section, select the Enable background
assessment scanning of this group check box.
9. Type First Background Assessment Scan in the Job name box.
10. Select today's date in the Cycle start date list, and then select two days
in the Cycle duration boxes.
11. Select the Wait for discovery scan to complete before scheduling
assessment scan check box.
12. Leave the perspective list at its default setting, Global.
Tip: These scans will use the default perspective, which is Global. A
customized perspective allows you to limit the portion of the network
from which a given sensor can operate.
13. Click the Advanced Settings tab.
14. Set the amount of bandwidth the scan should consume using the
Bandwidth Throttling slider.
15. From the Action menu, select Save Policy.
16. Click OK.
Task 5: Finish setting up background scanning
Use this procedure to initialize and monitor a background scan after you have
saved your scan policies.
Procedure
1. To monitor the progress of the scan, right-click the group in the navigation
pane, and then select Properties from the pop-up menu.
2. Click Command Jobs in the left pane. The background scans are displayed
in the Command Jobs window, and the job names are displayed under the
Object column.
Note: If you accidentally started your scan cycle for a later date, the jobs
will not be displayed until midnight on the first day of the new scan cycle.
Disabling background scans
Use this procedure to disable background discovery or assessment scanning of
a group by Enterprise Scanner.
Procedure
1. In the navigation pane, select the group you scanned, and then select the
Policy view.
2. Right-click the Scan Control policy, and then select Open from the pop-up
menu.
3. Choose an option:
If you want to disable... | Then...
Background discovery scans | In the Background Discovery section, clear the Enable background discovery scanning of this group check box.
Background assessment scans | In the Background Assessment section, clear the Enable background assessment scanning of this group check box.
4. From the Action menu, select Save Policy.
5. Click OK.
Chapter 5. Setting up scanning permissions for users
After you register your agent with the SiteProtector system, you can control
access to it through the permissions in the SiteProtector system.
Permissions in the SiteProtector system are flexible so that you can define
access at different levels of granularity. You can set permissions for the
following levels:
v Global
v User or a group of users
v Group of assets
v Policies
Topics
Predefined Enterprise Scanner permissions on page 54
Creating user groups in the SiteProtector system on page 57
Adding members to SiteProtector user groups on page 58
Changing group-level permissions on page 59
Copyright IBM Corp. 1997, 2009 53
Predefined Enterprise Scanner permissions
This topic describes the predefined permissions in the SiteProtector system
that apply to Enterprise Scanner users. You define Enterprise Scanner
permissions just as you do for other permissions in the SiteProtector system.
Permissions
The following table describes the default Enterprise Scanner permissions:
Table 15. Enterprise Scanner Group permissions
Enterprise Scanner permission | Description | View / Modify / Control marks
Ad Hoc Scan | Whether you can run an ad hoc scan. Note: The Modify Policy permission is automatically granted with this permission. | X
Agent | Whether you can manually refresh agents. | X
Assessment Credentials Policy | Whether you can view the policy, modify the policy, or do both. | X X
Assessment Policy | Whether you can view the policy, modify the policy, or do both. | X X
Discovery Policy | Whether you can view the policy, modify the policy, or do both. | X X
Network Locations Policy | Whether you can view the Network Locations policy. Important: See Creating user groups in the SiteProtector system on page 57 for important information about users with restricted permissions. | X
Policy | Whether you can modify any policy whose permissions are not granted explicitly, including the Scan Control policy, which enables background scanning. | X X
Proventia Manager | Whether you can open Proventia Manager from the SiteProtector Console. | X
Scan Window Policy | Whether you can view a policy, modify a policy, or do both. | X X
About group-level permissions
Group-level permissions control a user's ability to view, modify, and work
with agents and assets in a specific group. For example, group-level
permissions control whether a user can scan a group of assets with Enterprise
Scanner or apply an XPU to the agents in a group. Group-level permissions
do not provide Site-wide functions. They only provide permission to perform
actions on the assets in the group where they are assigned. Because of the
specific and flexible nature of group-level permissions, you can use them to
maintain very specific control over a user's actions in the SiteProtector system.
For example, you can set group-level permissions such that three users have
different permissions for the same group.
Managing group-level permissions
You should perform the following tasks before you configure group-level
permissions:
v Set up asset groups
v Import assets into the asset groups
You can, however, configure group-level permissions before you set up asset
groups and import assets, and then assign group-level permissions as
necessary. Subgroups you create later automatically inherit these permissions.
Ungrouped assets
When you import assets before you set up asset groups, the SiteProtector
system puts the assets in the Ungrouped assets folder. To assign permissions to
ungrouped assets, you must use the global permission, Managing Ungrouped
Assets.
Creating user groups in the SiteProtector system
A SiteProtector User Group is a group of users who have the same set of
global and group-level permissions.
About this task
SiteProtector User Groups are useful because you can control the permissions
for an entire group of users simultaneously according to their role in your
organization.
Procedure
1. In the left pane, click the Site Group where you want to create the User
Group.
2. On the Tools menu, click User Groups.
3. In the left pane of the User Groups window, click Add, and then type the
name for the new User Group.
4. Press ENTER.
5. Click OK.
Adding members to SiteProtector user groups
This topic explains how to add members to a group of SiteProtector users
who have the same set of global and group-level permissions.
Procedure
1. In the left pane, click the Site Group where you want to add members to a
User Group.
2. On the Tools menu, click User Groups.
3. In the left pane of the User Groups window, select the group you want to
modify.
4. In the Members section, click Add.
5. Use the following table to determine your next step:
If you want to add... | To the SiteProtector user group, then type the complete account...
Local users or groups | Using the following syntax: computer name\user name or computer name\group name. If you do not know the complete account information, then you must look it up using Windows Computer Management.
Domain users or groups | Using the following syntax: domain name\user name or domain name\group name. If you do not know the complete account name, click Check Names to look it up.
The Select User and Groups window displays on the screen.
6. Click OK.
7. Select the name in the list you want to add to the User Group, and then
click OK. The user or group is added to the SiteProtector User Group and
is granted all the permissions granted to that User Group.
Changing group-level permissions
This topic explains how to add and delete group permissions, how to change
inheritance properties, and how to change group owners.
Procedure
1. In the left pane, right-click a group, and then select Properties.
2. Click the Permissions icon.
3. In the Users and/or Groups column, select the user or group.
4. In the Manage Security section, select the circle that corresponds to the
permission you want to grant. The circle turns black indicating that the
permission is granted.
5. Click the Save icon.
6. Close the Properties tab.
Removing group-level permissions
Procedure
1. In the left pane, right-click a group, and then select Properties. The Group
Properties tab appears.
2. Click the Permissions icon.
3. In the Users and/or Groups column, select the user or group.
4. In the Manage Security section, clear the circle that corresponds to the
permission you want to remove. The circle turns white indicating that the
permission is removed.
5. Click the Save icon.
6. Close the Properties tab.
Configuring advanced permissions
Procedure
1. In the left pane, right-click a group, and then select Properties.
2. Click the Permissions icon. A group owner or a user with Full Access to
all Functionality can assign advanced permissions.
3. Click Advanced. The Advanced Properties window appears.
4. If you do not want this group to inherit advanced permissions from the
parent group, clear the Inherit from parent group check box on the
Permissions tab.
5. Click the Owner tab.
6. To change the owner of this group, type all or part of the user name or
group in the Change Owner box, and then click Check Names.
7. Select the new owner, and then click OK to return to the Advanced
Properties window.
8. Click OK.
Index
A
account passwords 17, 20
ad hoc assessment scan 42
monitoring status 33
ad hoc discovery scan 41
monitoring status 33
ad hoc scan
policies 30
ad hoc scans 32
monitoring 44
running 32
Administrator password 15
agent manager 18
Agent Manager 7
agent manager certificate
copying 18
agent managers 17, 20
appliance-level settings 13
Application Server 7
assessment 42
assessment scan 38
assessment throttling 42
authentication levels 17, 20
B
background scan 38
background scanning checklists 46
background scans 46, 47
disabling 51
background scans, SiteProtector 47
bootloader password 15
C
Cancel scan icon 33
crm folder 17
CRM folder 17
CSV file
generate from LMI 35
D
dccert.pem 18
Debug Settings tab 42
default gateway 14
disabling background scans 51
discovery scan 38
DNS search path 14
DNS server path 14
documentation viii
documentation web site viii
E
Enterprise Scanner
architecture 4
communication channels 4
components 6
configuring 10
consoles 6
installation checklist 10
key concepts 2
known issues list 10
licenses 16
management interface 5
network interfaces 5
ports 5
reinstalling 25, 26
related publications viii
scanning interface 5
settings 13
setup 12
SiteProtector location 39
ungrouped assets 56
user interfaces 6
Enterprise Scanner permissions 54
default 54
defining 54
group-level 56
managing group-level 56
ETH0 14
ETH1 14
explicit-trust 17, 20
explicit-trust authentication 19
editing local properties file 18
F
first-time trust 17
first-time trust certificates
removing 17
first-time-trust 20
G
group-level permissions 56
adding 59
changing inheritance
properties 59
changing owners 59
configuring advanced 60
deleting 59
removing 59
H
Half-Scan Connections 42
HTML reports
generate from LMI 35
I
IBM Internet Security Systems
technical support ix
Web site ix
IBM license agreement viii
initial configuration 12
installation process 10
IP range 41
K
key concepts 2
knowledgebase article 10
L
licenses
acquiring 16
refreshing 16
LMI Scan Control policy 30, 32
N
network interfaces 5
new features 2
O
OneTrust 6
OneTrust licenses 16
P
packet capturing 42
passwords, account 17, 20
Pause scan icon 33
perspective 39, 40
using 40
Policy Management page 32
preface vii
Proventia Manager password 15
Proventia OneTrust 16
Proventia Setup Assistant 13
PXE boot server 25
certified hardware 25
PXE bootserver 15
R
readme 2
recovery CD 25
Resume scan icon 33
root password 15
S
scan
viewing results 34
scan policies
description (Proventia
Manager) 31
location (Proventia Manager) 31
Proventia Manager 30
Scan Reports page 35
scan results
exporting 35
Scan Results page 34
Scan Status page 33
scans
types in SiteProtector 38
SiteProtector 7, 17, 20, 24
components 7
SiteProtector Console
logging on 24
SiteProtector Database 7
SiteProtector Registration page 20
SiteProtector User Groups 57, 58
adding members 58
creating 57
SMB Connections 42
T
terminal emulation programs 12
time settings 14
trust-all 17, 20
U
Ungrouped assets folder 56
Update Server 7
user groups 57, 58, 59, 60
W
Web site, IBM Internet Security
Systems ix