Copyright statement
Copyright IBM Corporation 1997, 2009.
All Rights Reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Publication Date: February 2009
Trademarks and Disclaimer
IBM, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion,
SiteProtector, System Scanner, Virtual Patch, X-Force, Inc. in
the United States, other countries, or both. Internet Security Systems, Inc. is a
wholly-owned subsidiary of International Business Machines Corporation.
Microsoft, Windows, and Windows NT
PRO/100
- Intel PRO/1000
Additional hardware
The following hardware has not been certified for a PXE boot server, but
should also work:
- 3Com 3c905C, 3c575, and 3c574
- Netgear FA51 and FA411
- Intel PRO/100 S Mobile Adapter
Note: IBM ISS supports only the network cards specified in the PXE boot
server hardware requirements.
Reinstalling an Enterprise Scanner agent
Reinstall your Enterprise Scanner agent only if your attempts at
troubleshooting do not resolve a serious problem. You should contact IBM ISS
Technical Support to try and resolve the problem before you reinstall the
agent.
Before you begin
Important: Before you attempt to reinstall your agent, make sure you have
read and understand the information in Preparing to reinstall an Enterprise
Scanner agent on page 25.
To reinstall Enterprise Scanner, you must have the following items:
- A computer to use as a PXE (Pre-boot eXecution Environment) boot server
  Note: In some cases, you might need to connect to the agent through
  terminal emulation. To determine if you need this, see Setting up your
  appliance for initial configuration.
- The IBM Proventia Network Enterprise Scanner Recovery CD
- RJ-45 to DB9 modified serial console cable (the blue cable that came with
  the agent)
- CAT-5 Ethernet crossover cable (the red cable that came with the agent)
About this task
After you reinstall an appliance, you must configure it as you would for an
original installation. If you saved a settings snapshot file, and downloaded it
to your PC before reinstalling the appliance, you can use Proventia Manager
to upload that settings snapshot file to the appliance, and then apply it. (See
the chapter on Performing routine maintenance in the IBM Proventia Network
Enterprise Scanner User Guide.)
Procedure
1. Turn off your appliance.
Important: You cannot just reboot the appliance to initiate the
installation.
2. Connect one end of the red crossover cable to the management port of
the appliance, and then connect the other end of the cable to an Ethernet
port on the boot server computer.
Important: You must use the red crossover cable for this step. Do not use
a hub or switch because other servers on the network can interfere with
the PXE boot server.
3. Plug the RJ45 connection of the blue RJ45-to-DB9 cable into the Console
outlet on the appliance.
4. Plug the DB9 connection of the blue RJ45-to-DB9 cable into the serial port
on the back of the boot server computer.
5. Insert the IBM Proventia Network Enterprise Scanner Recovery CD into the
CD-ROM drive of the boot server, and then reboot the boot server
computer.
6. When the following message appears at the bottom of your screen, turn
on your appliance:
***
*** You may now boot your ES1500-esos via the network ***
*** Starting Terminal Emulator ***
*** Press Control-G to Exit and Reboot ***
The PXE boot server now acts as a terminal emulator for the appliance
and displays boot process messages.
7. Carefully watch the messages at the bottom of the screen, and then press
L as soon as you see the following:
Press L to boot from LAN
Messages continue to display for a few more screens. If you do not press L
quickly enough, the appliance boots normally. If that happens, you must turn
the appliance off, and then turn it back on again, to restart the reinstallation.
8. When the boot prompt appears, type reinstall, and then press ENTER.
Note: It takes some time, but do not respond to any prompt until the
unconfigured.appliance login prompt appears.
9. When the unconfigured.appliance login prompt appears, type admin,
and then press ENTER. All passwords for the appliance are reset to the
defaults.
10. Type admin for the password, and then press ENTER. The Welcome to the
Proventia Manager Setup Wizard screen appears.
11. Go to Step 4 in the procedure for Configuring appliance-level settings. If
the boot server is not accepting input from your keyboard, you must set
up terminal emulation on another computer. See Setting up your
appliance for initial configuration.
Chapter 3. Running your first scans from Proventia Manager
This chapter guides you through the process of running basic ad hoc scans for
discovery and for assessment from the Proventia Manager.
These scans accomplish the following tasks:
- Introduce you to the basic workflow of scanning with the Proventia
  Manager.
- Provide a foundation of understanding that you can build upon as you
  customize scanning for your network.
Topics
Policy types in Proventia Manager
Running an ad hoc scan
Monitoring the status of a scan
Viewing the results of an ad hoc scan
Exporting scan results from Proventia Manager
Policy types in Proventia Manager
You can configure discovery and assessment scan policies from Proventia
Manager for auditing purposes, and then use those policies for one-time (ad
hoc) scans that you initialize from the LMI Scan Control policy.
LMI Scan Control
The LMI Scan Control policy controls the following scanning parameters:
- Whether discovery scanning, assessment scanning, or both types of
  scanning are enabled
- The perspective from which to scan against this group
Ad hoc scanning
You can run the following combinations of ad hoc scans:
- Discovery
- Discovery and an assessment
You cannot run an assessment only scan from the Proventia Manager. The
following table lists which scan policies are required to run an ad hoc scan
from Proventia Manager:
Table 9. Policies used for ad hoc scanning in Proventia Manager

Scan policy               Required
Discovery                 Yes
Assessment                Yes
Assessment Credentials    No
Network Services          No
Scan Exclusion            No

*You should run a discovery scan policy first (to identify assets on the network)
before you run an assessment scan.
Policy descriptions
The following table describes the policy types available in the Proventia
Manager:
Table 10. Descriptions of the policy types in the Proventia Manager

Policy                    Description
Assessment                Defines the following for the ad hoc assessment scan:
                          - Which checks to run against assets in the group
                            Assessment check parameters
                          - Common settings for assessment scans
Assessment Credentials    Contains logon account information for running
                          checks that require authenticated access.
Discovery                 Defines the following for ad hoc discovery scans:
                          - IP addresses and address ranges for a scan to
                            discover
                          - How to handle discovered assets
Network Services          Defines the ports on which services run.
Scan Exclusion            Defines IP addresses, ports, or both that you want
                          to exclude from assessment scans.
Policy locations
All scan policies are stored locally on the appliance in the following directory:
/var/www/html/viewer/SupportFiles/[Directory]
The scan policies are not shared with other appliances and you cannot import
the scan policies into the SiteProtector system.
Running an ad hoc scan
Ad hoc scans are one-time scans that you can run to discover new assets or to
assess existing assets. You run ad hoc scans from Proventia Manager using
scan policies that you configure and save on the Policy Management page.
You use the LMI Scan Control page on the appliance to define and run ad hoc
scans for assessment and discovery.
Procedure
1. Click Scan > Run Scan in the navigation pane.
2. Use the default names for the scan jobs: LMI Discovery and LMI
Assessment.
Tip: The scan job name is useful when you want to view the results and
status of the scan.
3. From the fields provided in the LMI Scan area, select FirstDiscovery in
the Discovery list, and FirstAssessment in the Assessment list.
Note: You cannot run an assessment only scan from the Proventia
Manager. Because the appliance does not use a database to store asset
information, you must run a discovery scan followed by an assessment
scan.
4. Select Global in the Perform scans from this perspective (Network
location) list.
5. Click Save Changes to start the ad hoc scan.
Monitoring the status of a scan
Use the Scan Status page in the Proventia Manager to view the status of ad
hoc discovery and assessment scans you have initialized from the LMI Scan
Control page.
About this task
While Proventia Manager processes the scan, you can perform one of the
following actions on the scan:
Table 11. Processing status of a scan

Action    Icon    Description
Pause             Pause the job, but only when it is in the processing
                  status. Pausing a job in any other status might cause
                  problems if you try to resume or rerun the scan.
Resume            Resume the scan after you have paused it
Cancel            Cancel the scan altogether
Procedure
1. Click Scan > Scan Status in the navigation pane.
The Scan Status page appears with a table displaying the status of the
scan.
Note: The results of the scan can take up to a minute to display on this
page.
2. Click the link for the scan in the Name column to display the results of
the scan on the Scan Results page.
Viewing the results of an ad hoc scan
Use the Scan Results page in the Proventia Manager to analyze
security-related data discovered by an ad hoc scan.
Procedure
1. Click Scan > Scan Results in the navigation pane.
2. Choose the scan date (time stamp) from the List Scans list, and then click
Go.
3. Select the scan job from the Scan Type list, and then click Go. The results
of the scan are displayed in the table.
4. Click View/Manage Log Files.
5. Select the scan job in the File Name list. The name of the log file contains
the date the scan was run and uses this format:
lmiScans/mmddyyyy_xxxxx.log
6. Click Download to download the log file for the scan to a directory on
your computer. Scan data files are located in the /var/log/esm/lmiScans
directory.
Exporting scan results from Proventia Manager
Use the Scan Reports page on the appliance to export scan results to HTML or
CSV files from Proventia Manager.
About this task
This feature provides basic reporting for ad hoc scans initialized from
Proventia Manager. It is not intended to replace the full analysis and reporting
functions of SiteProtector.
Procedure
1. Click Scan > Scan Reports in the navigation pane.
2. Select the discovery or assessment scan that you want to export from the
List Scans list.
3. Select how you want to sort the hosts in the report.
4. Select the Report checks which found no vulnerability check box if you
want to include information about checks that did not find a vulnerability.
5. Depending on the type of report you need to generate, click Generate
HTML Report or Generate CSV Files.
6. Save the file to your local system. Enterprise Scanner uses the following
file name convention for exported results:
Discovery:
DiscoveryResults-<YYYYMMDD>-<HHMMSS><timezone>-<scannername>-<jobname>.csv
Assessment:
AssessmentResults-<YYYYMMDD>-<HHMMSS><timezone>-<scannername>-<jobname>.csv
Example: A discovery scan that ran on March 30, 2008 at 1:20:39 PM EST
with a scanner name of testscan and a job name of testjob would display
the following file name:
DiscoveryResults-20080330-132039EST-testscan-testjob.csv
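As an added example (not part of the IBM guide), the following Python code parses exported file names that follow the convention above, so a directory of exports can be inventoried by scan type, run time, scanner and job. It assumes the time zone is an alphabetic abbreviation as in the EST example; parse_export_name, latest_per_job and the known_scanners parameter are hypothetical names, and every sample file name except the guide's own is constructed.

```python
import re
from datetime import datetime

# Convention from the guide:
#   <Discovery|Assessment>Results-<YYYYMMDD>-<HHMMSS><timezone>-<scannername>-<jobname>.csv
# Assumption: <timezone> is an alphabetic abbreviation, as in the guide's EST example.
NAME_RE = re.compile(
    r"^(?P<kind>Discovery|Assessment)Results-"
    r"(?P<date>\d{8})-(?P<time>\d{6})(?P<tz>[A-Za-z]+)-"
    r"(?P<rest>.+)\.csv$"
)


def parse_export_name(filename, known_scanners=()):
    """Split an exported-results file name into its fields.

    Scanner and job names are joined by a hyphen, so a name that itself
    contains a hyphen cannot be split safely without extra knowledge.
    known_scanners (hypothetical parameter) lists scanner names to try first.
    """
    m = NAME_RE.match(filename)
    if m is None:
        raise ValueError(f"not an exported results file name: {filename!r}")
    try:
        ran_at = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    except ValueError as exc:
        raise ValueError(f"impossible date or time in {filename!r}") from exc

    rest = m["rest"]
    # Longest known scanner name first, so "dmz-scanner" wins over "dmz".
    for name in sorted(known_scanners, key=len, reverse=True):
        if rest.startswith(name + "-") and len(rest) > len(name) + 1:
            scanner, job = name, rest[len(name) + 1:]
            break
    else:
        # No known scanner matched: accept only an unambiguous single hyphen.
        scanner, _, job = rest.partition("-")
        if not scanner or not job or "-" in job:
            raise ValueError(f"cannot split scanner and job name in {filename!r}")
    return {"kind": m["kind"], "ran_at": ran_at, "timezone": m["tz"],
            "scanner": scanner, "job": job}


def latest_per_job(filenames, known_scanners=()):
    """Return the newest export for each (kind, scanner, job); skip other files.

    Timestamps are compared as written. The time zone abbreviation is kept as
    text and not converted, so this assumes one scanner's exports share a zone.
    """
    latest = {}
    for name in filenames:
        try:
            info = parse_export_name(name, known_scanners)
        except ValueError:
            continue  # not an export, or not safely parseable
        key = (info["kind"], info["scanner"], info["job"])
        if key not in latest or info["ran_at"] > latest[key][0]:
            latest[key] = (info["ran_at"], name)
    return {key: name for key, (_, name) in latest.items()}


# First name is the guide's example; the rest are constructed for illustration.
SAMPLE_FILES = [
    "DiscoveryResults-20080330-132039EST-testscan-testjob.csv",
    "DiscoveryResults-20080402-090000EST-testscan-testjob.csv",
    "AssessmentResults-20080402-101500EST-dmz-scanner-weekly.csv",
    "notes.txt",
]

if __name__ == "__main__":
    for key, name in latest_per_job(SAMPLE_FILES, ["dmz-scanner"]).items():
        print(key, "->", name)
```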
Chapter 4. Running your first scans from SiteProtector
This chapter guides you through the process of running basic ad hoc and
background scans for discovery and for assessment.
These scans accomplish the following tasks:
- Verify that you have set up Enterprise Scanner to work correctly with the
  SiteProtector system.
- Introduce you to the basic workflow of scanning with Enterprise Scanner
  from the SiteProtector system.
- Provide a foundation of understanding that you can build upon as you
  customize scanning for your Site.
Topics
Basic concepts
Running an ad hoc discovery scan with Enterprise Scanner
Running an ad hoc assessment scan with Enterprise Scanner
Monitoring ad hoc discovery and ad hoc assessment scans
Background scanning checklists for Enterprise Scanner
How to use perspective in Enterprise Scanner
Running a background scan
Disabling background scans
Basic concepts
This topic explains the basic concepts you should know before you use the
SiteProtector system to manage the Enterprise Scanner agent. Keep these
concepts in mind as you work with the agent.
Types of scans
Enterprise Scanner runs the following types of scans in SiteProtector:
Table 12. Definitions of ad hoc and background scans

Type of scan    Description
Ad hoc          One-time scans for discovery, for assessment, or for both.
Background      Recurring, cyclical scans that refresh your discovery
                information, assessment information, or both at
                user-defined intervals.
Discovery separate from assessment
With Enterprise Scanner, discovery scans and assessment scans are separate
for both ad hoc and background scans. You may, however, link scans so that
an assessment scan does not run until the corresponding discovery scan has
finished.
Scopes of scans
The scopes of discovery and assessment scans are based on the following
settings:
Table 13. Scope of discovery and assessment scans

Type of scan    Scope
Discovery       Operates on IP addresses (single, ranges, or both) that you
                assign to the scan.
                Note: The group you use for discovery scans might already
                contain assets. Those assets do not have to belong to the IP
                range of the scan.
Assessment      Operates on the assets in a group in the SiteProtector system.
Agent and asset groups
The assets that you scan can be in the same group as your agent, but they do
not have to be. The agent is associated with the groups it scans based on
perspective, not on the group to which it belongs.
Enterprise Scanner location
When you registered your Enterprise Scanner agent with the SiteProtector
system, you added it to a group that appears in the SiteProtector Console. To
modify policies and customize the scanning behavior of your agent, you must
locate that group. For the examples in this topic, the agent is in the
CorporateScanners group.
Location of assets
A group that you scan might have subgroups, and you can use the rules of
policy inheritance to change scanning behaviors for subgroups. For the
examples in this chapter, the assets to scan are also in the CorporateScanners
group.
Using the default perspective
For an initial installation of Enterprise Scanner, you should have no problem
using the default perspective, Global. If you have an established installation
and must use a different perspective, check with your security manager before
you continue.
How to use perspective in Enterprise Scanner
This topic explains the meaning of perspective in different contexts.
Perspectives in policies
The exact role of perspective depends on the policy where you define or select
it. The following table describes how to use perspective in different policies:
Table 14. Perspectives in policies

Policy                      How to use                          Applies to
Network Locations policy    Define a perspective as a           The entire Site
                            network location
Network Locations policy    Assign an agent to a perspective    A particular agent
Scan Control policy         Identify the perspective from       The group, or groups, to
                            which you want to scan groups       scan with that policy
                            of assets
Illustration
The following figure illustrates a setup for scanning one group of assets from
inside the firewall and another group of assets from within a DMZ:
Sample
To scan some asset groups from inside your firewall and others from within
your DMZ, follow these steps:
1. Set up two groups in SiteProtector:
   - One group contains assets to scan from inside the firewall.
   - One group contains assets to scan from the DMZ.
2. Define a perspective to identify the scanners at each place on your
network.
3. Assign one or more scanners to each perspective.
4. Set up a scan control policy for each asset group and specify, in each
policy, the perspective from which scanning should occur.
Running an ad hoc discovery scan with Enterprise Scanner
When you run an ad hoc discovery scan from the SiteProtector Console, you
must define the ranges of IP addresses to scan, including additional scanning
control parameters.
Procedure
1. In the SiteProtector navigation pane, create a tab with any view except
for a Policy view.
2. Expand the Site to see the group you want to scan.
3. Right-click the group to scan; if given a choice of Internet Scanner or
Enterprise Scanner, select Enterprise Scanner; and then select Scan from
the pop-up menu.
4. In the Ad Hoc Discovery section, select the Perform one-time discovery
scan of this group check box.
5. Type a Job name to identify the job when it appears in the Command
Jobs window.
6. If you want the scan to run only during your scheduled scanning
windows, select the Run only during open discovery windows check
box.
7. Click Discovery in the left pane.
8. Type the range, or ranges, of IP addresses to scan in the IP range(s) to
scan box.
9. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets
to exclude in the IP range(s) to scan box as in the following examples:
   - Type an IP address, and then press ENTER.
   - Type a range of IP addresses, and then press ENTER.
     Example: 172.1.1.100-172.1.1.200
   - Type a combination of both choices above, and then press ENTER.
Note: A red box appears around the IP range(s) to scan box until the
data is validated.
10. If you want to ping each IP address before scanning to exclude
unreachable hosts from the scan, select the Ping hosts in this range,
before scanning, to exclude unreachable hosts check box.
11. If you want to add newly discovered assets to the group where you have
defined the scan, rather than to the Ungrouped Assets group, select the
Add newly discovered assets to group check box.
12. If you want to add previously known assets (that are not in the group) to
the group, select the Add previously known assets to group check box.
13. Click OK. The ad hoc discovery scan is displayed in the Command Jobs
window.
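As an added example (not part of the IBM guide and not Enterprise Scanner code), the following Python code checks a planned discovery scope before it is typed into the console: it parses the three entry forms the procedure accepts (single address, start-end range, CIDR), subtracts excluded addresses, counts what will be probed, and reports anything outside an approved list. The approved list and all function names are assumptions, and the sample entries other than the guide's 172.1.1.100-172.1.1.200 range are constructed.

```python
import ipaddress


def parse_entry(entry):
    """Return (first, last) as integers for a single IP, 'a-b' range or CIDR."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if int(lo) > int(hi):
            raise ValueError(f"range start is above range end: {entry}")
        return int(lo), int(hi)
    if "/" in entry:
        # strict=True rejects entries such as 172.1.2.5/28 with host bits set
        net = ipaddress.IPv4Network(entry, strict=True)
        return int(net.network_address), int(net.broadcast_address)
    addr = ipaddress.IPv4Address(entry)
    return int(addr), int(addr)


def merge(intervals):
    """Sort intervals and join the ones that overlap or touch."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def subtract(scope, removed):
    """Remove every address in 'removed' from 'scope' (both merged lists)."""
    result = []
    for lo, hi in scope:
        cur = lo
        for r_lo, r_hi in removed:
            if r_hi < cur or r_lo > hi:
                continue
            if r_lo > cur:
                result.append((cur, r_lo - 1))
            cur = max(cur, r_hi + 1)
            if cur > hi:
                break
        if cur <= hi:
            result.append((cur, hi))
    return result


def to_intervals(entries):
    return merge(parse_entry(e) for e in entries)


def effective_scope(scan_entries, exclude_entries=()):
    """Addresses that will actually be scanned: ranges minus exclusions."""
    return subtract(to_intervals(scan_entries), to_intervals(exclude_entries))


def outside_authorized(scope, authorized_entries):
    """Part of the scope that is not covered by the approved ranges."""
    return subtract(scope, to_intervals(authorized_entries))


def address_count(intervals):
    return sum(hi - lo + 1 for lo, hi in intervals)


def contains(intervals, ip):
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in intervals)


def describe(intervals):
    """Render intervals in the same 'a' or 'a-b' form the console accepts."""
    out = []
    for lo, hi in intervals:
        a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        out.append(str(a) if lo == hi else f"{a}-{b}")
    return out


# First entry is the guide's example range; everything else is constructed.
SCAN_ENTRIES = ["172.1.1.100-172.1.1.200", "172.1.2.0/28", "172.1.1.150"]
EXCLUDE_ENTRIES = ["172.1.1.120-172.1.1.129", "172.1.2.1"]
AUTHORIZED_ENTRIES = ["172.1.1.0/24"]  # assumption: ranges approved for scanning

if __name__ == "__main__":
    scope = effective_scope(SCAN_ENTRIES, EXCLUDE_ENTRIES)
    print("will scan:", describe(scope), "=", address_count(scope), "addresses")
    print("not approved:", describe(outside_authorized(scope, AUTHORIZED_ENTRIES)))
```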
Running an ad hoc assessment scan with Enterprise Scanner
When you run an ad hoc assessment scan from the SiteProtector Console, you
can use the default settings, or choose the checks you want to run and other
scanning parameters.
Procedure
1. In the SiteProtector navigation pane, create a tab with any view except
for a Policy view.
2. Expand the Site to see the group you want to scan.
3. Right-click the group to scan; if given a choice of Internet Scanner or
Enterprise Scanner, select Enterprise Scanner; and then select Scan from
the pop-up menu.
4. In the Ad Hoc Discovery section, select the Perform one-time discovery
scan of this group check box.
5. Type a Job name to identify the job when it appears in the Command
Jobs window.
6. If you want the scan to run only during your scheduled scanning
windows, select the Run only during open discovery windows check
box.
7. Click Assessment in the left pane.
8. Configure the policy the same way you would configure the background
Assessment policy.
9. Select Global in the Perform scans from this perspective (Network
location) list.
10. Click the Advanced Settings tab.
11. In the Assessment Throttling section, use the Bandwidth Throttling
slider to set the amount of bandwidth the scan should consume.
The Enterprise Scanner agent will monitor threads once the value
becomes greater than you specified.
To enable logging, add the following advanced parameter to the logging
parameters in SiteProtector:
esm.portN.debug.logging
where N is the port number of the scan interface.
The agent writes the log information to
iss-esm-<port number of scan interface>.log.
12. Use the remaining sliders to enable settings that prevent the scan from
overwhelming or flooding a slow network:
Option                   Description
Connections per host     The maximum number of connections the scan should
                         make per host.
SMB Connections          The maximum number of SMB connections the scan
                         should make during a scan job.
Half-Scan Connections    The maximum number of connections the scan should
                         use for opening and closing ports.
13. Click the Debug Settings tab.
14. In the Packet Capture section, select Enabled and then set the filters for
the agent to use during the ad hoc assessment scan for network analysis.
Note: Packet capturing is not available for ad hoc background scanning.
The agent writes the capture results to
<filename>_<interface>_<timestamp>.cap located in
/cache/log/esm/PacketCapture. To view the results of the capture file:
a. Start Proventia Manager, and then click Support System Support
File.
b. Click Generate Support Data File.
c. Download the file to your computer, extract it, and then open the file
in any PCAP compatible software.
15. Click OK. The ad hoc assessment scan appears in the Command Jobs
window.
Monitoring ad hoc discovery and ad hoc assessment scans
Use the procedure in this topic to monitor the ad hoc discovery and ad hoc
assessment scans in the SiteProtector Console.
Procedure
1. Right-click the group in the navigation pane, and then select Properties
from the pop-up menu.
2. Click Command Jobs in the navigation pane, or click the Control jobs
icon on the toolbar. The ad hoc discovery scan appears in the Command
Jobs window, and the task name appears under the Object column.
3. Click the Details-[Linked]First Ad Hoc Discovery tab. The job-level
statistics for the job display on the screen.
Note: [Linked] attached to the task name indicates that the assessment
scan was set up to run after the discovery scan has finished. The same
prefix is attached to the assessment scan to indicate that it is linked with a
discovery scan.
Tip: The status starts out as Pending, can go back-and-forth between Idle
and Processing until it finishes, and then its status is Completed.
Tip: For more information about how scan jobs run and how to find
information about them, see chapter on Monitoring scans in SiteProtector in
the IBM Proventia Network Enterprise Scanner User Guide.
4. Click the Activity tab. The task-level statistics for the job display on the
screen.
5. After the discovery scan has finished, set up a tab with the Asset view,
and then select the group.
The discovered assets display on the right pane.
Note: If the assets do not display on the screen, press F5 to refresh the
view.
Tip: Assessment scans assess assets by user-assigned criticality levels to
ensure that the most critical assets are scanned first. Assets discovered by
an Enterprise Scanner agent have a default criticality of Unassigned.
6. To monitor the progress of the assessment scan, right-click the group in
the navigation pane, select Properties from the pop-up menu, and then
click Command Jobs in the navigation pane.
Tip: Or click the Control jobs icon on the toolbar.
The assessment scan will not start until the discovery scan has finished.
The Command Jobs window appears and the ad hoc assessment scan
appears in the Command Jobs window along with the completed
discovery scan.
7. To view statistics about the tasks in the job, click the Activity tab. Details
about the tasks display in the Activity tab.
Tip: The task name appears under the Object column. The status starts out
as Pending, can go back-and-forth between Idle and Processing until it
finishes, and then its status is Completed.
Tip: For more information about how scan jobs run and how to find
information about them, see chapter on Monitoring scans in SiteProtector in
the IBM Proventia Network Enterprise Scanner User Guide.
8. After the job has finished, click the Analysis view, and then select the
group.
9. To see if the scan identified any vulnerabilities for any of the assets in the
group, select one of the vulnerability views:
   - Vuln Analysis - Asset
   - Vuln Analysis - Detail
   - Vuln Analysis - Target OS
   - Vuln Analysis - Object
   - Vuln Analysis - Vuln Name
Tip: If the events do not display on the screen, adjust display parameters,
such as the Start and End times.
Background scanning checklists for Enterprise Scanner
This topic describes the minimum requirements to set up background
discovery and background assessment scanning. You should also use any
other policies that help you configure your scanning environment to meet
your security goals.
Checklist for background discovery scanning
The following table describes the requirements for setting up background
discovery scanning for a group:
1. Apply a Discovery policy to the group.
2. Apply a Scan Window policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
3. Optional: Apply an Assessment Credentials policy to the group for better
OS identification.
4. Apply a Scan Control policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
Checklist for background assessment scanning
The following table describes the requirements for setting up background
assessment scanning for a group:
1. Verify that the group already contains assets, possibly from a recent
discovery scan.
2. Apply an Assessment policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
3. Apply a Scan Window policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
4. Optional: Apply an Assessment Credentials policy to the group for better
OS identification.
5. Apply a Scan Control policy to the group (either directly or through
inheritance from a group that is at a higher level in the group structure).
Running a background scan
Use these procedures to configure and then run a background scan from the
SiteProtector Console with the Enterprise Scanner agent.
Task 1: Define background discovery scans
Use this procedure to define the range of IP addresses to scan.
Procedure
1. In your SiteProtector Console, select the Policy view, and then create or
select a group for the range of IP addresses to discover.
2. Right-click the group, and then select New Policy Repository from the
pop-up menu.
3. Select Network Enterprise Scanner in the Agent Type list.
4. Select your version of Enterprise Scanner for the agent from the Version
list.
Note: The version can apply to the agent whose properties you are
defining or to the agent responsible for scanning the group whose
properties you are defining.
Important: Enterprise Scanner policies can apply to one or more
versions, as indicated in the policy view. If you use multiple agents at
different versions that do not share the same policy, you must define
separate policies for each version.
5. Select Asset in the Mode list.
6. In the left pane, click the Repository folder you just created.
7. Select New Policy to create a new Discovery policy based off the
default Discovery policy. The Create New Policy window is displayed on
the screen.
8. Select Generate Empty, and then select Discovery from the Policy Type
list.
9. Type a name for the new policy in the Policy Name box, and then click
OK. The policy opens for editing.
10. Type the IP addresses (in dotted-decimal or CIDR notation) of the assets
to discover in the IP range(s) to scan box as in the following examples:
   - Type an IP address, and then press ENTER.
   - Type a range of IP addresses, and then press ENTER.
     Example: 172.1.1.100-172.1.1.200
   - Type a combination of both choices above, and then press ENTER.
Tip: Discovery policies cannot be inherited from a parent. Each group
must define its own Discovery policy.
11. From the Action menu, select Save Policy.
12. Click OK.
Task 2: Define background assessment scans
Use this procedure to enable background assessment scanning and define
which checks to run in the scan.
Procedure
1. In the navigation pane, select the group to scan.
2. In the left pane, click the Repository folder you just created.
3. Click New Policy to create a new Assessment policy based off the
default Assessment policy. The Create New Policy window is displayed on
the screen.
4. Select Generate Empty, and then select Assessment from the Policy Type
list.
5. Type a name for the new policy in the Policy Name box. The policy opens
for editing.
Tip: If you want to see or change the checks that run, click the Checks
tab. If you select the folder with the red X in the toolbar, the checks are
displayed in an ungrouped list.
Tip: If you want to see or change any common assessment settings, click
the Common Settings tab.
Tip: Assessment policies for subgroups are inherited from a parent by
default if the assessment policy is defined in the parent group. If the
policy is inherited, it displays the name of the parent in the list of policies
for the group.
6. From the Action menu, select Save Policy.
7. Click OK.
Task 3: Define when scanning is allowed
Use this optional procedure to define the days and hours that scanning is
allowed.
Procedure
1. In the navigation pane, select the group to scan.
2. In the left pane, click the Repository folder you just created.
3. Select New Policy to create a new Scan Window policy based off the
default Scan Window policy. The Create New Policy window is displayed
on the screen.
4. Select Generate Empty, and then select Scan Window from the Policy
Type list.
5. Type a name for the new policy in the Policy Name box, and then click
OK. The policy opens for editing.
6. Click the Discovery Windows tab.
7. You can select the periods of allowed scanning using the following
methods:
If you want to...                       Then...
Allow scanning during specific hours    Click and drag your cursor over those
                                        hours for each day that you want to
                                        allow scanning.
At any time                             Click Fill All. All squares turn black.
Remove all defined scan periods         Click Clear All. All squares turn white.
Tip: For the purposes of testing, choose two hours each day, including
the current hour or the next two hours so that your background scans
can start soon.
Note: Scanning hours are selected; non-scanning hours are not selected.
8. Click the Assessment Windows tab, and then select hours for the
assessment windows just as you did for discovery.
9. Click the Time Zone tab.
10. Select the time zone during which you want the scan windows to be
open from the Time zone for windows defined in this policy list.
Tip: Typically, you will need to select the same time zone as the time
zone of the assets in the group.
11. From the Action menu, select Save Policy.
12. Click OK.
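
The effect of the Time Zone tab on a scan window, as an added example that is not part of the product or of this guide: the weekly grid is modelled as selected (weekday, hour) cells and evaluated in the policy's time zone. The function names, the fixed UTC-5 offset for the assets, and the sample date are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

def build_window(hours_by_weekday):
    """{weekday 0=Mon..6=Sun: hours 0-23} -> set of selected (weekday, hour) cells."""
    cells = set()
    for day, hours in hours_by_weekday.items():
        for hour in hours:
            if not (0 <= day <= 6 and 0 <= hour <= 23):
                raise ValueError(f"cell outside the weekly grid: {day=}, {hour=}")
            cells.add((day, hour))
    return cells

def scan_allowed(window, policy_tz, instant):
    """True if the aware datetime `instant` lands on a selected cell when the
    grid is read in the policy's time zone."""
    if instant.tzinfo is None:
        raise ValueError("instant must be timezone-aware")
    local = instant.astimezone(policy_tz)
    return (local.weekday(), local.hour) in window

def next_open(window, policy_tz, instant, horizon_hours=7 * 24):
    """Earliest moment at or after `instant` (returned in UTC) when scanning is
    allowed, or None if no cell is selected within the horizon."""
    if scan_allowed(window, policy_tz, instant):
        return instant.astimezone(timezone.utc)
    # Truncate to the top of the hour in policy-local time, then step in UTC
    # so the walk is not skewed by wall-clock arithmetic.
    probe = instant.astimezone(policy_tz).replace(minute=0, second=0, microsecond=0)
    probe = probe.astimezone(timezone.utc)
    for _ in range(horizon_hours):
        probe += timedelta(hours=1)
        if scan_allowed(window, policy_tz, probe):
            return probe
    return None

# Constructed sample: hours 01:00-04:59 selected on every day of the week.
WINDOW = build_window({day: range(1, 5) for day in range(7)})
ASSET_TZ = timezone(timedelta(hours=-5))   # assumed fixed offset of the assets
NOW = datetime(2009, 2, 10, 3, 30, tzinfo=timezone.utc)  # Mon 22:30 for the assets

if __name__ == "__main__":
    # Policy left on UTC: the window is open at 22:30 asset-local time.
    print("policy tz = UTC    :", scan_allowed(WINDOW, timezone.utc, NOW))
    # Policy set to the assets' zone: closed now, opens at 01:00 local.
    print("policy tz = assets :", scan_allowed(WINDOW, ASSET_TZ, NOW))
    print("next opening (UTC) :", next_open(WINDOW, ASSET_TZ, NOW))
```

Any tzinfo object can be passed as policy_tz, so a DST-aware zone from the standard zoneinfo module works in place of the fixed offset.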
Task 4: Enable scanning and define length of scanning cycles
Use this optional procedure to define when the first scanning cycle begins,
including the length of each scanning cycle.
Procedure
1. In the navigation pane, select the group to scan.
2. Select New Policy to create a new Scan Control policy based on the
default Scan Control policy. The Create New Policy window is displayed
on the screen.
3. Select Generate Empty, and then select Scan Control from the Policy
Type list.
4. Type a name for the new policy in the Policy Name box, and then click
OK. The policy opens for editing.
5. In the Background Discovery section, select the Enable background
discovery scanning of this group check box.
6. Type First Background Discovery Scan in the Job name box.
7. Select today's date in the Cycle start date list, and then select two days
in the Cycle duration boxes.
8. In the Background Assessment section, select the Enable background
assessment scanning of this group check box.
9. Type First Background Assessment Scan in the Job name box.
10. Select today's date in the Cycle start date list, and then select two days
in the Cycle duration boxes.
11. Select the Wait for discovery scan to complete before scheduling
assessment scan check box.
12. Leave the perspective list at its default setting, Global.
Tip: These scans will use the default perspective, which is Global. A
customized perspective allows you to limit the portion of the network
from which a given sensor can operate.
13. Click the Advanced Settings tab.
14. Set the amount of bandwidth the scan should consume using the
Bandwidth Throttling slider.
15. From the Action menu, select Save Policy.
16. Click OK.
Task 5: Finish setting up background scanning
Use this procedure to initialize and monitor a background scan after you have
saved your scan policies.
Procedure
1. To monitor the progress of the scan, right-click the group in the navigation
pane, and then select Properties from the pop-up menu.
2. Click Command Jobs in the left pane. The background scans are displayed
in the Command Jobs window, and the job names are displayed under the
Object column.
Note: If you accidentally set your scan cycle to start on a later date, the
jobs will not be displayed until midnight on the first day of the new scan
cycle.
Disabling background scans
Use this procedure to disable background discovery or assessment scanning of
a group by Enterprise Scanner.
Procedure
1. In the navigation pane, select the group you scanned, and then select the
Policy view.
2. Right-click the Scan Control policy, and then select Open from the pop-up
menu.
3. Choose an option:

| If you want to disable... | Then... |
| --- | --- |
| Background discovery scans | In the Background Discovery section, clear the Enable background discovery scanning of this group check box. |
| Background assessment scans | In the Background Assessment section, clear the Enable background assessment scanning of this group check box. |

4. From the Action menu, select Save Policy.
5. Click OK.
Chapter 5. Setting up scanning permissions for users
After you register your agent with the SiteProtector system, you can control
access to it through the permissions in the SiteProtector system.
Permissions in the SiteProtector system are flexible so that you can define
access at different levels of granularity. You can set permissions for the
following levels:
• Global
• User or a group of users
• Group of assets
• Policies
Topics
• Predefined Enterprise Scanner permissions
• Creating user groups in the SiteProtector system
• Adding members to SiteProtector user groups
• Changing group-level permissions
Predefined Enterprise Scanner permissions
This topic describes the predefined permissions in the SiteProtector system
that apply to Enterprise Scanner users. You define Enterprise Scanner
permissions just as you do for other permissions in the SiteProtector system.
Permissions
The following table describes the default Enterprise Scanner permissions:
Table 15. Enterprise Scanner Group permissions

| Enterprise Scanner permission | Description | View | Modify | Control |
| --- | --- | --- | --- | --- |
| Ad Hoc Scan | Whether you can run an ad hoc scan. Note: The Modify Policy permission is automatically granted with this permission. | | | X |
| Agent | Whether you can manually refresh agents. | | | X |
| Assessment Credentials Policy | Whether you can view the policy, modify the policy, or do both. | X | X | |
| Assessment Policy | Whether you can view the policy, modify the policy, or do both. | X | X | |
| Discovery Policy | Whether you can view the policy, modify the policy, or do both. | X | X | |
| Network Locations Policy | Whether you can view the Network Locations policy. Important: See Creating user groups in the SiteProtector system for important information about users with restricted permissions. | X | | |
| Policy | Whether you can modify any policy whose permissions are not granted explicitly, including the Scan Control policy, which enables background scanning. | X | X | |
| Proventia Manager | Whether you can open Proventia Manager from the SiteProtector Console. | | | X |
| Scan Window Policy | Whether you can view a policy, modify a policy, or do both. | X | X | |

About group-level permissions
Group-level permissions control a user's ability to view, modify, and work
with agents and assets in a specific group. For example, group-level
permissions control whether a user can scan a group of assets with Enterprise
Scanner or apply an XPU to the agents in a group. Group-level permissions
do not provide Site-wide functions. They only provide permission to perform
actions on the assets in the group where they are assigned. Because of the
specific and flexible nature of group-level permissions, you can use them to
maintain very specific control over a user's actions in the SiteProtector system.
For example, you can set group-level permissions such that three users have
different permissions for the same group.
Managing group-level permissions
You should perform the following tasks before you configure group-level
permissions:
• Set up asset groups
• Import assets into the asset groups
You can, however, configure group-level permissions before you set up asset
groups and import assets, and then assign group-level permissions as
necessary. Subgroups you create later automatically inherit these permissions.
Ungrouped assets
When you import assets before you set up asset groups, the SiteProtector
system puts the assets in the Ungrouped assets folder. To assign permissions to
ungrouped assets, you must use the global permission, Managing Ungrouped
Assets.
Creating user groups in the SiteProtector system
A SiteProtector User Group is a group of users who have the same set of
global and group-level permissions.
About this task
SiteProtector User Groups are useful because you can control the permissions
for an entire group of users simultaneously according to their role in your
organization.
Procedure
1. In the left pane, click the Site Group where you want to create the User
Group.
2. On the Tools menu, click User Groups.
3. In the left pane of the User Groups window, click Add, and then type the
name for the new User Group.
4. Press ENTER.
5. Click OK.
Adding members to SiteProtector user groups
This topic explains how to add members to a group of SiteProtector users
who have the same set of global and group-level permissions.
Procedure
1. In the left pane, click the Site Group where you want to add members to a
User Group.
2. On the Tools menu, click User Groups.
3. In the left pane of the User Groups window, select the group you want to
modify.
4. In the Members section, click Add.
5. Use the following table to determine your next step:

| If you want to add... | To the SiteProtector user group, then type the complete account... |
| --- | --- |
| Local users or groups | Using the following syntax: computer name\user name or computer name\group name. If you do not know the complete account information, then you must look it up using Windows Computer Management. |
| Domain users or groups | Using the following syntax: domain name\user name or domain name\group name. If you do not know the complete account name, click Check Names to look it up. |

The Select User and Groups window displays on the screen.
6. Click OK.
7. Select the name in the list you want to add to the User Group, and then
click OK. The user or group is added to the SiteProtector User Group and
is granted all the permissions granted to that User Group.
Changing group-level permissions
This topic explains how to add and delete group permissions, how to change
inheritance properties, and how to change group owners.
Procedure
1. In the left pane, right-click a group, and then select Properties.
2. Click the Permissions icon.
3. In the Users and/or Groups column, select the user or group.
4. In the Manage Security section, select the circle that corresponds to the
permission you want to grant. The circle turns black indicating that the
permission is granted.
5. Click the Save icon.
6. Close the Properties tab.
Removing group-level permissions
Procedure
1. In the left pane, right-click a group, and then select Properties. The Group
Properties tab appears.
2. Click the Permissions icon.
3. In the Users and/or Groups column, select the user or group.
4. In the Manage Security section, clear the circle that corresponds to the
permission you want to remove. The circle turns white indicating that the
permission is removed.
5. Click the Save icon.
6. Close the Properties tab.
Configuring advanced permissions
Procedure
1. In the left pane, right-click a group, and then select Properties.
2. Click the Permissions icon. A group owner or a user with Full Access to
all Functionality can assign advanced permissions.
3. Click Advanced. The Advanced Properties window appears.
4. If you do not want this group to inherit advanced permissions from the
parent group, clear the Inherit from parent group check box on the
Permissions tab.
5. Click the Owner tab.
6. To change the owner of this group, type all or part of the user name or
group in the Change Owner box, and then click Check Names.
7. Select the new owner, and then click OK to return to the Advanced
Properties window.
8. Click OK.