
IBM Internet Security Systems
IBM Proventia Network Enterprise Scanner
User Guide
Version 1.3

© Copyright IBM Corporation 1997, 2007.
IBM Global Services
Route 100
Somers, NY 10589
U.S.A.
Produced in the United States of America.
All Rights Reserved.
IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United
States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner,
SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered
trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a
wholly-owned subsidiary of International Business Machines Corporation.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries
in which IBM operates.
Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if
you have received it from a source other than IBM Internet Security Systems (IBM ISS). Use of this information constitutes
acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own
risk. IBM Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall IBM ISS be liable for any damages whatsoever, including
direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if IBM Internet
Security Systems has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages, so the foregoing limitation may not apply.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by IBM Internet Security
Systems. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM Internet Security
Systems, and shall not be used for advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet
prevents IBM Internet Security Systems, Inc. from guaranteeing the content or existence of the resource. When possible, the
reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a
broken or inappropriate link, please send an email with the topic name, link, and its behavior to
support@iss.net.
August 15, 2007

3
IBM Proventia Network Enterprise Scanner User Guide, Version 1.3
Contents
Preface
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
How to Use Enterprise Scanner Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Getting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Part I: Getting Started
Chapter 1: Introduction to Enterprise Scanner
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Key Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Introducing Background Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Migrating from Internet Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Enterprise Scanner Communication Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Component Descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
The SiteProtector System Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 2: Installing and Configuring an Agent
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Setting Up Your Appliance for Initial Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configuring Appliance-Level Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring Explicit-Trust Authentication with an Agent Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Registering Enterprise Scanner to Connect to the SiteProtector System . . . . . . . . . . . . . . . . . . . . . . 37
Logging On to the SiteProtector Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 3: Running Your First Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Basic Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Finding Your Agent, Assets, and Policies in the SiteProtector System . . . . . . . . . . . . . . . . . . . . . . . . 44
Running Ad Hoc Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Monitoring Ad Hoc Discovery and Ad Hoc Assessment Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Background Scanning Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Background Scanning Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Chapter 4: Setting Up Scanning Permissions for Users
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Enterprise Scanner Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Enterprise Scanner User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Considerations for Enterprise Scanner Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Creating User Groups in the SiteProtector System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Changing Group Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Part II: Configuring Enterprise Vulnerability Protection
Chapter 5: Introduction to Enterprise Scanner Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Introduction to Asset and Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Contents of Asset and Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Viewing Asset and Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Descriptions of Asset Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Descriptions of Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Policy Inheritance with Enterprise Scanner Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Policy Inheritance with Agent Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Policy Inheritance with Asset Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Chapter 6: Defining Background Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Determining When Background Scans Run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
How Policies Apply to Ad Hoc and Background Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Background Scanning Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Enabling Background Scanning (Scan Control Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Defining Periods of Allowed Scanning (Scan Window Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Excluding Assets from Scans (Scan Exclusion Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Defining Network Services (Network Services Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Defining Assessment Credentials (Assessment Credentials Policy). . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Key Parameters for Defining Scan Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Chapter 7: Configuring Discovery and Assessment Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
How Policies Apply to Discovery and Assessment Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Defining Assets to Discover (Discovery Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Defining Assessment Details Introduction (Assessment Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Description of Check Information (Assessment Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Grouping and Displaying Checks (Assessment Policy). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Defining Common Assessment Settings (Assessment Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Chapter 8: Defining Agent Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Defining Scanning Network Interfaces (ESM Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Considerations for Subtask Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Defining Perspectives (Network Locations Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Defining Alert Logging (Notification Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Defining Agent Passwords (Access Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Defining Agent Interfaces (Networking Policy). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Defining the Date and Time Settings of the Agent (Time Policy). . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Defining Services to Run on the Agent (Services Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Part III: Scanning
Chapter 9: Understanding Scanning Processes in SiteProtector
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
What is Perspective? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Defining Perspectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
One Way to Use Perspective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Scan Jobs and Related Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Types of Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Priorities for Running Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Stages of a Scanning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Optimizing Cycle Duration, Scan Windows, and Subtasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Chapter 10: Monitoring Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Finding Your Scan Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Job Information in the Command Jobs Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Viewing Runtime Details about Discovery Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Viewing Discovery Job Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Viewing Discovery Job and Parent Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Viewing Discovery Scanning Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Viewing Runtime Details about Assessment Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Viewing Assessment Job Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Viewing Assessment Job and Parent Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Viewing Base Assessment and Scanning Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Chapter 11: Managing Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Stopping and Restarting Scan Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Suspending and Enabling All Background Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Minimum Scanning Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Generally Expected Scanning Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Expected Scanning Behaviors for Ad Hoc Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Expected Scanning Behaviors for Background Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Identifying Error Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Part IV: Analysis, Tracking, and Remediation
Chapter 12: Interpreting Scan Results
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Setting Up a Summary Page for Vulnerability Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Viewing Vulnerabilities in the SiteProtector Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
OS Identification (OSID) in Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
How OSID Is Updated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Viewing Vulnerabilities by Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Viewing Vulnerabilities by Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Viewing Vulnerabilities by Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Viewing Vulnerabilities by Vuln Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Assessment Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Assessment Report Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Report Sorting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Chapter 13: Tracking and Remediation
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Ticketing and Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Possible Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Overview of the Remediation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Remediation Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Chapter 14: Running Ad Hoc Scans
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Understanding How Ad Hoc Scans Use Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Expected Behavior for Ad Hoc Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Running an Ad Hoc Discovery Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Running an Ad Hoc Assessment Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Part V: Maintenance
Chapter 15: Performing Routine Maintenance
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Logging On to Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Shutting Down Your Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Removing an Agent from SiteProtector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Options for Backing up Enterprise Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Backing Up Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Using Full System Backup Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Acquiring Your Enterprise Scanner Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Preparing to Reinstall an Enterprise Scanner Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Reinstalling an Enterprise Scanner Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Chapter 16: Updating Enterprise Scanner
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Section A: Understanding the XPU Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
XPU Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Updating Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Consoles to Use for XPUs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
XPU Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Section B: Configuring the XPU Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Configuring Explicit-Trust Authentication with an XPU Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Configuring an Alternate Update Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Configuring an HTTP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Configuring Notification Options for XPUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Section C: Scheduling Updates and Manually Updating an Agent . . . . . . . . . . . . . . . . . . . 225
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Update Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Scheduling a One-Time Firmware Update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Configuring Automatic Downloads and Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Manually Installing Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Chapter 17: Viewing Agent Status
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
The Proventia Manager Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Viewing Status in the SiteProtector Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Viewing Agent Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Viewing Application Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Viewing System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Viewing System Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Chapter 18: Enterprise Scanner Logs and Alerts
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Types of Alerts and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Viewing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Viewing Different Types of Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Downloading an Alert Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Clearing the Alerts Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Viewing ES and System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Viewing ES Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Downloading ES Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
System Log Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Getting Log Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Changing Logging Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259


Preface
Overview
Introduction This is the User Guide for the IBM Proventia Network Enterprise Scanner appliance
(Enterprise Scanner) from IBM Internet Security Systems, Inc. (IBM ISS), which includes
the following models: the ES750 and the ES1500. The Enterprise Scanner appliance is a
vulnerability detection agent that is designed for the enterprise customer.
Scope This User Guide explains how to use Enterprise Scanner (and the IBM SiteProtector
system) through the entire vulnerability management process, including configuring the
agent, configuring scans, monitoring scans, tracking and remediation, and maintaining
the agent.
Audience This Guide is written for security analysts and managers who are responsible for
managing the vulnerabilities of assets of an enterprise network.
User background To use Enterprise Scanner, you must understand your network topology and the criticality
of your assets. In addition, because Enterprise Scanner is managed through the
SiteProtector Console, you must have a working knowledge of the SiteProtector system,
including how to set up views, manage users and user permissions, and manage policies.

How to Use Enterprise Scanner Documentation
Introduction This topic describes the documentation that explains how to use Enterprise Scanner and
the SiteProtector system.
Using this guide This guide is organized according to the workflows needed to protect your enterprise:

Workflow                                        Description
Part I, Getting Started                         Install and configure the appliance.
Part II, Configuring Enterprise                 Set up a continuous scanning environment for your enterprise.
  Vulnerability Protection
Part III, Scanning                              Follow scans through the scanning process.
Part IV, Analysis, Tracking, and Remediation    Monitor the protection status of your assets and your efforts to
                                                remediate vulnerabilities.
Part V, Maintenance                             Perform scheduled maintenance, such as product updates and log
                                                maintenance, as well as tasks such as troubleshooting and performing
                                                unscheduled maintenance.
Table 1: Vulnerability management workflows in the User Guide

Related publications The following related publications contain information that can help you use Enterprise
Scanner more effectively:

Document                                        Description
IBM Proventia Network Enterprise Scanner        Contains out-of-the-box instructions for setting up your Enterprise
  Quick Start Card                              Scanner agent.
Help                                            Context-sensitive Help that contains procedures for tasks you
                                                perform in the Proventia Manager and in the SiteProtector Console.
SiteProtector system documents                  Documents available on the IBM ISS Web site that provide
                                                information about using the SiteProtector system and the
                                                SiteProtector Console.
Enterprise Scanner–Internet Scanner             Provides an overview and compares the functionality between
  Migration Guide                               Enterprise Scanner and the IBM Internet Scanner Software. This
                                                Guide discusses feature differences between the two products
                                                and provides examples of how you can migrate from Internet
                                                Scanner to Enterprise Scanner.
IBM Proventia Network Enterprise Scanner        Describes the policy transition from Internet Scanner to Enterprise
  Policy Migration Utility                      Scanner. You can import an existing Internet Scanner policy and
                                                use the utility to map it to an Enterprise Scanner policy. The utility
                                                identifies any checks that cannot be migrated. You can then save
                                                and export the new Enterprise Scanner policy.
Table 2: Related publications for Enterprise Scanner

Version of the SiteProtector system You manage your Enterprise Scanner agent through a SiteProtector Console. The
information in this guide about the SiteProtector system refers to Proventia Management
SiteProtector 2.0, Service Pack 6.1 (SiteProtector DBSP 6.31).

Getting Technical Support
Introduction IBM ISS provides technical support through its Web site and by email or telephone.
The IBM ISS Web site The IBM Internet Security Systems (IBM ISS) Resource Center Web site
(http://www.iss.net/support/) provides direct access to online user documentation, current
versions listings, detailed product literature, white papers, and the Technical Support
Knowledgebase.
Support levels IBM ISS offers three levels of support:
● Standard
● Select
● Premium
Each level provides you with 24x7 telephone and electronic support. Select and Premium
services provide more features and benefits than the Standard service. Contact Client
Services at
if you do not know the level of support your
organization has selected.
Hours of support The following table provides hours for Technical Support at the Americas and other
locations:

Location                Hours
Americas                24 hours a day
All other locations     Monday through Friday, 9:00 A.M. to 6:00 P.M. local time, excluding
                        IBM ISS published holidays.
                        Note: If your local support office is located outside the Americas,
                        you may call or send an email to the Americas office for help during
                        off-hours.
Table 3: Hours for technical support

Contact information The following table provides electronic support information and telephone numbers for
technical support requests:

Regional Office: North America
  Electronic Support: Connect to the MYISS section of our Web site: www.iss.net
  Telephone Number:
    Standard: (1) (888) 447-4861 (toll free); (1) (404) 236-2700
    Select and Premium: Refer to your Welcome Kit or call your Primary Designated
    Contact for this information.
Regional Office: Latin America
  Telephone Number: (1) (888) 447-4861 (toll free); (1) (404) 236-2700
Regional Office: Europe, Middle East, and Africa
  Telephone Number: (44) (1753) 845105
Regional Office: Asia-Pacific, Australia, and the Philippines
  Telephone Number: (1) (888) 447-4861 (toll free); (1) (404) 236-2700
Regional Office: Japan
  Telephone Number: Domestic: (81) (3) 5740-4065
Table 4: Contact information for technical support


Part I
Getting Started


Chapter 1
Introduction to Enterprise Scanner
Overview
Introduction Enterprise Scanner is the assessment component of the IBM Proventia Enterprise Security
Platform. Enterprise Scanner is based on a model in which vulnerability detection is
treated like a continuous network monitoring task rather than the ad hoc scanning model
used by earlier vulnerability management systems. Enterprise Scanner automates the
process of discovering and assessing your network assets through continuous
background scanning of your network. This model allows you to track the remediation
effort and use reports to evaluate your network’s security status at any time.
In addition to the continuous network monitoring, Enterprise Scanner gives you the
ability to configure and run ad hoc scans. Ad hoc scanning allows you to run a one-time
scan to discover new assets or to assess the vulnerability status of existing assets at any
time. Ad hoc scans are useful when you need to take immediate action because assets
have been added to your network or new vulnerabilities have been announced.
New concepts The beginning chapters of this guide introduce the key concepts behind the conceptual
framework of Enterprise Scanner, including background scanning. You should familiarize
yourself with the key concepts so that you will have a basis for understanding the
approach and procedures in the rest of the guide.
For Internet Scanner users
If you are an Internet Scanner user, you should read this chapter carefully. It explains important similarities and differences between Internet Scanner and Enterprise Scanner.
In this chapter This chapter contains the following topics:
Topic Page
New Features 18
Key Concepts 20
Introducing Background Scanning 21
Migrating from Internet Scanner 22
Enterprise Scanner Communication Channels 23
Component Descriptions 25
The SiteProtector System Components 26

New Features
Introduction Enterprise Scanner Version 1.3 provides an update to the firmware, and introduces a
smaller, portable version of the appliance hardware, the ES750.
Enterprise Scanner Version 1.2 fixed some known issues, and it introduced features to
improve discovery speed and assessment accuracy:
●ICMP ping
●application fingerprinting
●SSH support
ICMP ping A discovery scan can run faster if it can determine which assets in the scanning range are
available, and then scan only those assets with operating system identification (OSID)
techniques. The ICMP ping option in the Enterprise Scanner Discovery policy determines
which assets are available, as follows:
●At the beginning of each scanning window, the agent sends four (4) ICMP ping
commands to each asset identified in the discovery policy.
●The agent considers each asset that responds to a command as available, and keeps
track of all available assets.
●The discovery scan then continues to scan only the available assets.
When to use ICMP ping
The ICMP ping function is especially useful in the following cases:
●The network is sparsely populated.
●Every asset on the network is configured to respond to ICMP ping commands.
To configure ICMP ping, see “Defining Assets to Discover (Discovery Policy)” on page 99.
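The availability pre-check above, as an added simulation (not IBM ISS code) that also shows the coverage gap the second bullet warns about: a live host that drops ICMP is never scanned. All hosts, addresses and probe outcomes are constructed.

```python
"""Simulation of the ICMP ping availability filter and the live hosts it skips."""

PROBES_PER_ASSET = 4  # the guide states four ICMP pings per asset per scanning window


class Asset:
    """Constructed asset: whether it is really up, and which probe indexes it
    would answer (models packet loss and host firewalls that drop ICMP)."""

    def __init__(self, ip, is_up, answers):
        self.ip, self.is_up, self.answers = ip, is_up, answers

    def ping(self, probe_index):
        return self.is_up and probe_index in self.answers


def icmp_availability_filter(assets, probes=PROBES_PER_ASSET):
    """Return the IPs the agent would treat as available: any asset that answers
    at least one probe. Probing of an asset stops at its first reply."""
    available = []
    for asset in assets:
        if any(asset.ping(i) for i in range(probes)):
            available.append(asset.ip)
    return available


def unassessed_live_hosts(assets, available):
    """Live hosts the discovery scan will skip because they never answered ICMP."""
    return [a.ip for a in assets if a.is_up and a.ip not in available]


# Constructed population using RFC 5737 documentation addresses.
ASSETS = [
    Asset("192.0.2.10", True, {0}),      # answers the first ping
    Asset("192.0.2.11", True, {3}),      # lossy path: answers only the fourth ping
    Asset("192.0.2.12", True, set()),    # host firewall drops ICMP entirely
    Asset("192.0.2.13", False, set()),   # nothing there
]

if __name__ == "__main__":
    found = icmp_availability_filter(ASSETS)
    print("available:", found)
    print("live but skipped:", unassessed_live_hosts(ASSETS, found))
```

Lowering the probe count (the third assertion in the test below shows three probes) drops the lossy host as well, which is the trade-off between discovery speed and coverage.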
Application fingerprinting
The application fingerprinting option identifies which applications are communicating over which ports and discovers any non-standard port usage. If you enable the application fingerprinting option, you must select from the following:
●Run checks that apply to the protocol of the application communicating over a port,
such as HTTP.
●Run checks that apply to the specific application communicating over a port, such as
Apache running Coldfusion.
Non-standard port assignments
Individuals in a corporation may use non-standard port assignments thinking that the practice increases network security. Using non-standard port assignments may make it harder—although not impossible—for an intruder to determine which applications are communicating on ports. The practice may also hide critical vulnerabilities from your agent, however, which could understate the real risk to a corporate network.
When to use application fingerprinting
Application fingerprinting is especially useful in the following cases:
●You know that some applications on the network communicate over non-standard ports.
●You are unaware of any non-standard port assignments, but you want to be sure.
To configure application fingerprinting, see “Defining Common Assessment Settings
(Assessment Policy)” on page 106.
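An added example (not IBM ISS code) of the two points above: a port-number service table silently skips SSH on 2222 and Apache on 8081, while banner fingerprinting classifies them and then selects protocol-level checks, application-level checks, or both. The banners, check names and signature patterns are constructed for illustration.

```python
"""Port-only versus fingerprint-based service classification and check selection."""
import re

# Conventional port -> protocol table: the assumption a port-only scanner makes.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 80: "http", 443: "http"}

# Banner signature -> (protocol, application). Constructed, minimal patterns;
# more specific application signatures are listed before the generic protocol ones.
FINGERPRINTS = [
    (re.compile(r"^SSH-2\.0-OpenSSH"), ("ssh", "openssh")),
    (re.compile(r"^HTTP/1\.[01] \d{3}.*\r\nServer: Apache", re.S), ("http", "apache")),
    (re.compile(r"^HTTP/1\.[01] \d{3}"), ("http", None)),
    (re.compile(r"^220 .*ESMTP"), ("smtp", None)),
]

# Constructed check names: protocol-level (e.g. HTTP) and application-level (e.g. Apache).
PROTOCOL_CHECKS = {"http": ["http-methods", "http-headers"], "ssh": ["ssh-version"]}
APPLICATION_CHECKS = {"apache": ["apache-modules"], "openssh": ["openssh-version"]}


def classify_by_port(port):
    """Port-only classification: no banner is inspected at all."""
    return WELL_KNOWN_PORTS.get(port), None


def classify_by_banner(banner):
    """Fingerprint classification: first matching signature wins."""
    for pattern, ident in FINGERPRINTS:
        if pattern.search(banner):
            return ident
    return None, None


def select_checks(protocol, application, app_level):
    """Protocol checks always; application checks only when the app-level option is on."""
    checks = list(PROTOCOL_CHECKS.get(protocol, []))
    if app_level:
        checks += APPLICATION_CHECKS.get(application, [])
    return checks


def assess(observations, fingerprint, app_level=True):
    """Return {port: [checks]} for (port, banner) observations."""
    plan = {}
    for port, banner in observations:
        proto, app = classify_by_banner(banner) if fingerprint else classify_by_port(port)
        plan[port] = select_checks(proto, app, app_level)
    return plan


# Constructed observations: SSH moved to 2222, a second Apache instance on 8081.
OBSERVATIONS = [
    (2222, "SSH-2.0-OpenSSH_4.3\r\n"),
    (8081, "HTTP/1.1 200 OK\r\nServer: Apache/2.2\r\n\r\n"),
    (80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2\r\n\r\n"),
]
```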
Support for SSH communication protocol to run vulnerability checks
Enterprise Scanner 1.2 can communicate with SSH-capable devices such as Unix hosts, routers, and switches through an encrypted, secure communication protocol. SSH greatly diminishes the threat that critical information will be intercepted and used for malicious intent. This capability allows X-Force to create new vulnerability checks for non-network exposed services, similar to the current Windows patch checks. For more information about SSH, go to http://www.openssh.com/.
To configure SSH, see “Defining Assessment Credentials (Assessment Credentials
Policy)” on page 94.

Key Concepts
Introduction Enterprise Scanner is the next generation scanning appliance from IBM ISS. As a
component of the Enterprise Security Platform, Enterprise Scanner delivers true
enterprise scalability and scanning load balancing. Designed to run on Linux, Enterprise
Scanner delivers the core functionality necessary in today's enterprise environments.
Centralized control Enterprise Scanner works with the SiteProtector system to provide centralized security
management for your enterprise assets. After you install and configure your appliance,
you use the SiteProtector Console for scan management, tracking and remediation, and
reporting.
Asset-centric approach
You probably already think about your vulnerability management in terms of your assets.
You know to prioritize your efforts to protect your most critical assets first and to provide
the same type of protection for similar assets. Enterprise Scanner makes this easier by
separating policies for groups of assets from the policies for agents:
●Asset policies define scanning requirements for groups of assets, including IP
addresses to scan, checks to run, and how often to refresh information.
●Agent policies define how agents operate, including the location in the network from
which they operate. That network location is called perspective.
Background scanning
Background scanning is an automated, cyclical process that incorporates the key
operational concepts of the Enterprise Scanner vulnerability detection model. Background
scanning is explained in more detail in “Introducing Background Scanning” on page 21.
Ad hoc scanning and auditing
Enterprise Scanner supports ad hoc scanning, but it is not designed to be an auditing tool.
You could use the ad hoc scanning capability between scheduled background scans for
the following types of needs:
●For network reconfiguration, you could use ad hoc scanning to refresh your discovery
and vulnerability information.
●For a new threat, you could use ad hoc scanning to assess the risk to your assets.
Load balancing Enterprise Scanner makes it easier for you to respond to the dynamic nature of an
enterprise network. You can create pools of agents to share a scanning load. You can add
agents or remove agents without having to change any discovery or assessment
configuration parameters. You can also adjust other operational parameters to ensure that
you have the coverage you need.
Perspective definitions
You have different expectations for scanning results based on the location of an agent in
relation to the assets it scans. For example, results would be different depending on
whether you scanned a group of assets from inside a firewall or outside a firewall. (See
“What is Perspective?” on page 124.) In Enterprise Scanner, perspective definitions serve
several purposes:
●They identify locations on your network from which scanning is performed.
●They indicate where agents are connected to your network so that load balancing can
occur across agents that share a perspective.
●They indicate the location from which groups of assets should be scanned.