IBM Proventia Network Enterprise Scanner User Guide Version 2.
Copyright statement © Copyright IBM Corporation 1997, 2009. All Rights Reserved. U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Trademarks and Disclaimer IBM® and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME™, Ahead of the threat, BlackICE™, Internet Scanner®, Proventia®, RealSecure®, SecurePartner™, SecurityFusion™, SiteProtector™, System Scanner™, Virtual Patch®, X-Force® and X-Press Update are trademarks or registered trademarks of Internet Security Systems™, Inc. in the United States, other countries, or both.
iv Enterprise Scanner: User Guide
Contents
Trademarks and Disclaimer (iii)
About this book (vii)
  Related publications (viii)
  Technical support contacts (viii)
Part 1. Scanning from the Proventia Manager (1)
Chapter 1. Ad hoc scanning in the Proventia Manager (3)
  Section A: Network configuration
    Configuring the management network interface
    Configuring the scanning network interface
  Scanning behaviors for ad hoc scans (99)
Chapter 8. Interpreting scan results in SiteProtector (103)
  OS identification (OSID) certainty
  How OSID is updated in Enterprise Scanner
  Setting up a Summary view for vulnerability management
  Summary page for vulnerability management
  Viewing vulnerabilities in the SiteProtector Console using Enterprise Scanner
  Viewing vulnerabilities by asset in Enterprise Scanner
About this book This section describes the audience for this guide; identifies related publications; and provides contact information. Audience Users of this guide should understand their network topology, including the criticality of network assets. In addition, because Enterprise Scanner can be managed through the SiteProtector Console, you must have a working knowledge of the SiteProtector system, including how to set up views, manage users and user permissions, and deploy policies.
Related publications Use this topic to help you access information about your Enterprise Scanner appliance. Publications The following documents are available for download from the IBM ISS Documentation Web site at http://www.iss.net/support/documentation/. v IBM Proventia Network Enterprise Scanner Version 2.3 Quick Start Card (Models ES750 and ES1500) v IBM Proventia Network Enterprise Scanner Version 2.3 Getting Started Guide v IBM Proventia Network Enterprise Scanner Version 2.
Part 1. Scanning from the Proventia Manager This section explains how to manage scans from the Proventia Manager for the Enterprise Scanner agent. Chapters Chapter 1, “Ad hoc scanning in the Proventia Manager,” on page 3 Chapter 2, “Interpreting scan results in the Proventia Manager,” on page 21
Chapter 1. Ad hoc scanning in the Proventia Manager This chapter explains how to use perspective and the high-level processes behind ad hoc scanning from the Proventia Manager.
Section A: Network configuration This section explains how to define the network interfaces for the management and scanning ports, how to assign perspectives to network interfaces, and how to configure the Enterprise Scanner appliance to select routes for traffic. Configuring the management network interface Use the Management Interface tab on the Network Interface Configuration page on the appliance to configure the management interface network settings (ETH0).
Configuring the scanning network interface Use the Scan Interface tab on the Network Interface Configuration page on the appliance to configure the scanning interface network settings (ETH1 - ETH5). About this task You configured the scanning interface when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this topic to change those settings. Procedure 1. Click Configuration → Network Interfaces in the navigation pane. 2.
Configuring scanning interface DNS settings Use the DNS tab on the Network Interface Configuration page on the appliance to configure the DNS settings for the scanning interface. About this task You configured these settings when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this topic to change those settings. Procedure 1. Click Configuration → Network Interfaces in the navigation pane. 2. Click the DNS tab. 3. Choose an option: If you want to... Then...
Assigning perspective to a scanning interface Use the Network Locations tab on the Network Locations page on the appliance to assign a perspective (network location) to a scanning interface. About this task You can only configure the ETH0 and ETH1 interfaces in Proventia Setup. You must configure the remaining interfaces on this page (Network Locations page).
Option: Metric
Description: If you configure more than one route to the same segment for one perspective, a number that indicates the preferred route. The closer to 1, the more preferred the route. Note: The numbers you use do not have to be consecutive.
5. Click Save Changes.
Section B: Policy configuration This section explains how to configure policy settings in order to manage vulnerabilities.
7. If you want to add previously known assets that are already defined in other groups to the scan group, select the Add previously known assets to group check box. Displaying assessment checks by groups Use the Checks tab in the Assessment policy to group checks by any combination of columns that you have chosen to display. For example, you might want to see checks by category, then by severity within that category.
If you want to create groupings from a selection list:
1. Click the Group By icon. The Group by Columns window appears.
2. Select a column to group by in the All Columns list, and then click Add. The column moves to the Group by these Columns list.
3. Repeat the previous step for each column that you want to group by.
4. If you want to remove items from the list, select an item in the Group by these Columns list, and then click Remove.
Selecting assessment checks with filters Use the Checks tab in the Assessment policy to provide filtering values on a selected list of assessment checks. About this task The following rules apply to using regular expressions: v The match occurs against all columns in the table, whether or not the column is displayed. v If you use more than one regular expression, every regular expression must match for a check to be selected. Procedure 1. Click Scan → Policy Management in the navigation pane. 2.
Configuring common assessment settings for an Assessment policy Use the Common Settings tab in the Assessment policy to choose settings that define additional scanning behavior for the checks you have selected to run in an assessment scan. Procedure 1. Click Scan → Policy Management in the navigation pane. 2. Select Assessment from the Policy Types list, and then click Add. 3. Type a name for the scan policy. 4. Click the Common Settings tab. 5.
Option: Ports to scan with generic UDP checks
Description: The set of UDP ports to scan with generic UDP checks. You can specify ports using any of the following methods: v Type a port or range of ports. v Click Well known and select ports from the list. v Select All. Note: A generic UDP check is one whose target type is udp.
9.
Option: Do not perform application fingerprinting
Description: Does not try to specifically identify which applications are communicating over which ports, and runs the checks as selected in the Assessment policy. This option does not identify applications communicating over non-standard ports. (Checks are run against standard ports as defined in the Network Services policy.)
Option: Fingerprint applications and run checks that apply to application protocol (e.g.
Option: Allowed account lockout
Description: Select a type of lockout: v No lockout allowed: Enterprise Scanner avoids running password guessing checks if account lockout is enabled on the target host, or if its status cannot be determined. v Temporary lockout allowed: Enterprise Scanner runs password guessing checks only if the account lockout duration is less than or equal to the value specified in the Maximum Allowable Lockout Duration option later in this section.
Defining assessment credentials for a policy Use the Assessment Credentials policy type on the Policy Management page to define authentication credentials for your assets. About this task The appliance uses authentication credentials to access accounts during assessment scans. Enterprise Scanner uses all instances of the credentials that are defined for the group when it scans assets in the group.
Option: Account Type: SSH Local
Description: Indicates that the user account is defined locally on a single Unix device that allows SSH logons. The account is used to attempt login to a single Unix device. When you choose this option, you must provide an IP address in the Domain/Host box.
Option: Account Type: SSH Domain
Description: Indicates that the user account is defined for Unix devices that allow SSH logons. In this context, "Domain" loosely refers to a set of devices, rather than to a specific type of domain.
Defining the service names associated with TCP and UDP ports Use the Network Services policy type on the Policy Management page to define service names associated with TCP and UDP ports. Procedure 1. Click Scan → Policy Management in the navigation pane. 2. Select Network Services from the Policy Types list, and then click Add. 3. Type a name for the scan policy. 4. For default or customized services, choose an option: If you want to... Then...
Defining ports or assets to exclude from a scan Use the Scan Exclusion policy type on the Policy Management page to define specific ports or assets to exclude from a scan of a group of assets. Procedure 1. Click Scan → Policy Management in the navigation pane. 2. Select Scan Exclusion from the Policy Types list, and then click Add. 3. Type a name for the scan policy. 4. Choose an option: If you want to... Then...
Configuring and saving a scan policy in the Proventia Manager Use the Policy Management page on the appliance to configure discovery and assessment scan policies from Proventia Manager for auditing purposes, and then use those policies for one-time (ad hoc) scans that you initialize from the LMI Scan Control page. Before you begin You will not be able to run scans from Proventia Manager if the appliance is registered with SiteProtector. Procedure 1. Click Scan → Policy Management in the navigation pane.
Chapter 2. Interpreting scan results in the Proventia Manager This chapter explains how to monitor and view scan results in the Proventia Manager. Topics “Running an ad hoc scan” on page 22 “Monitoring the status of a scan” on page 23 “Viewing the results of an ad hoc scan” on page 24 “Exporting scan results from Proventia Manager” on page 24 “Purging scan data from the database” on page 25
Running an ad hoc scan Use the LMI Scan Control page on the appliance to define and run ad hoc scans for assessment and discovery. Before you begin Before you can run a scan, make sure you have configured a scan from the Policy Management page. Procedure 1. Click Scan → Run Scan in the navigation pane. 2. Depending on what type of scan you are running (discovery or assessment), provide a name for the scan job in the Discovery Job Name or Assessment Job Name field.
Monitoring the status of a scan Use the Scan Status page on the appliance to view the status of ad hoc discovery and assessment scans you have initialized from the LMI Scan Control page. About this task While Proventia Manager processes the scan, you can perform one of the following actions on the scan:
Table 3. Processing status of a scan (columns: Action, Icon, Description)
Action: Pause
Description: Use the Pause option only when a job is in the processing status.
Viewing the results of an ad hoc scan Use the Scan Results page on the appliance to analyze security-related data discovered by an ad hoc scan. Procedure 1. Click Scan → Scan Results in the navigation pane. 2. Choose the scan date (time stamp) from the List Scans list, and then click Go. 3. Select the scan job from the Scan Type list, and then click Go. The results of the scan are displayed in the table. 4. Click View/Manage Log Files. 5. Select the scan job in the File Name list.
Purging scan data from the database Use the Scan Results page on the appliance to schedule the removal of scan data files from the /var/log/esm/lmiScans directory. Procedure 1. Click Scan → Scan Results in the navigation pane. 2. Click the Purge Scan Data link. The Purge Scan Data window provides the following information about the current scan data:
Field: Number of Scans
Description: The number of individual scans, not scan jobs.
Part 2. Scanning from the SiteProtector Console This section explains how to manage scans from the SiteProtector Console for the Enterprise Scanner agent.
Chapter 3. Enterprise Scanner policies This chapter explains how to use Enterprise Scanner policies to customize your scanning processes. The policies belong to meaningful categories based on their scope and impact on scans.
Policy inheritance with Enterprise Scanner policies The inheritance properties of policies in SiteProtector provide a flexible and efficient method for setting up your scanning environment in a hierarchical group structure. General inheritance behavior In general, inheritance works as follows: v When you define a policy for a group in your group structure, the policy automatically applies to the subgroups for the group unless a subgroup already has its own version of the policy.
v If you do not override the settings, the column follows the inheritance described in the table above; however, you must configure those policies. Deploying an Enterprise Scanner policy from the policy repository Use the policy repository to create, edit, and deploy Enterprise Scanner policies in SiteProtector. The repository keeps an archive of each saved version of your policies. After creating or editing a policy, you must deploy it to the appropriate Enterprise Scanner agents or groups.
Migrating a locally managed Enterprise Scanner agent into SiteProtector You must migrate the Enterprise Scanner agent out of the Locally Managed Agents area to take advantage of the policy features available in SiteProtector. About this task If the policies for the Enterprise Scanner agent are managed locally (from Proventia Manager), they will be displayed in the Locally Managed Agents node.
Viewing asset or agent policies for Enterprise Scanner In the SiteProtector Console, you can view asset and agent policies together, or you can view them separately. If you view the policies separately, you can use the views and tabs in SiteProtector to easily move back and forth between asset and agent policies. Procedure 1. From the SiteProtector Console, click a tab with the Policy view. 2. From the left pane, select the asset or agent whose policies you want to view.
Getting vulnerability help for a SiteProtector Console without Internet access If you use the SiteProtector Console on a computer without an Internet connection, you need to store the vulnerability Help on the computer or one it can access over your company’s network. Procedure 1. Download the vulnerability Help file (XForceHelpFiles.zip) from http://www.iss.net/security_center/reference/vuln to a directory on your computer. 2.
Agent policies for Enterprise Scanner Agent policies apply to Enterprise Scanner appliances and describe operational settings for the agents or global settings for all scans. In addition, some agent policies apply to only one agent. Agent policy descriptions for Enterprise Scanner Agent policies apply to both ad hoc and background scans.
Network Locations policy Use the Network Locations policy to define the perspective (network location) of an agent and to define routes for those perspectives. Note: The Network Locations policy does not automatically import the perspectives you set up in the Network Locations tab in the Proventia Manager (LMI). If you have defined perspectives in the Proventia Manager, you must redefine those perspectives for this policy in SiteProtector.
Important: Users who do not have permission to view the Network Locations policy, either through group association or by a specific grant, cannot run Enterprise Scanner scans. Assigning perspective to a scanning interface Use the Network Locations tab in the Network Locations policy on the SiteProtector Console to assign a perspective (network location) to a scanning interface. Procedure 1. From the SiteProtector Console, create a tab to display agent policies. 2.
Option: Metric
Description: If you configure more than one route to the same segment for one perspective, a number that indicates the preferred route. The closer to 1, the more preferred the route. Note: The numbers you use do not have to be consecutive.
5. Click OK.
Notification policy Use the Notification policy to configure responses sent from the Enterprise Scanner appliance to the SiteProtector Console.
Configuring advanced parameters for event notification Use the Advanced Parameters tab in the Notification policy on the SiteProtector Console to provide greater control over the event notification behavior of your appliance. Procedure 1. From the SiteProtector Console, create a tab to display agent policies. 2. In the navigation pane, select a group, and then open the Notification policy for that group. 3. Click the Advanced Parameters tab. 4.
2. In the navigation pane, select a group, and then open the Access policy for that group. 3. For each password you want to change, complete the following steps: a. Type the current password in the Current Password box. b. Click Enter Password, type the new password in the Password and in the Confirm password boxes, and then click OK. 4. If you want to require the use of the bootloader password to back up or restore the agent, select the Enable bootloader password check box.
Configuring the scanning network interface Use the Scan Interface tab in the Networking policy on the SiteProtector Console to configure the scanning interface network settings (ETH1 - ETH5). About this task You configured the scanning interface when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this topic to change those settings. Procedure 1. From the SiteProtector Console, create a tab to display agent policies. 2.
Configuring scanning interface DNS settings Use the DNS tab in the Networking policy on the SiteProtector Console to configure the DNS settings for the scanning interface. About this task You configured these settings when you set up the appliance with the Proventia Setup Assistant. Use the procedures in this topic to change those settings. Procedure 1. From the SiteProtector Console, create a tab to display agent policies. 2.
Services policy Use the Services policy on the SiteProtector Console to enable or disable access to your appliance from SSH (Secure Shell) applications on your network and to enable SNMP to monitor the Enterprise Scanner appliance for conditions that warrant administrative attention. Procedure 1. From the SiteProtector Console, create a tab to display agent policies. 2. In the navigation pane, select a group, and then open the Services policy for that group. 3. Choose an option: If you want to... Then...
Time policy Use the Time policy on the SiteProtector Console to change the date and the time of the Enterprise Scanner agent, and to enable the network time protocol (NTP) to synchronize the agent time with a network time server. About this task The Time policy always contains the last manually configured values for date and time options, not the actual date and time. When you save the settings, the agent is set to the currently configured values, whether you have changed them or not.
Update Settings policy Use the Update Settings policy on the SiteProtector Console to configure how the agent automatically locates, downloads, and installs available updates. Asset policies for Enterprise Scanner Asset policies apply to groups of assets and describe the security policy for those assets. Asset policy descriptions for Enterprise Scanner Asset policies apply to both discovery scans and assessment scans depending on the policy.
v A Discovery policy applies to only the group where you define it. v The remaining policies are inheritable. A subgroup inherits a policy from the first group higher than itself in the group structure that has a defined policy. In the SiteProtector Console, you select a group in the left pane and the applicable policies are displayed in the right pane in a Policy tab.
Defining assets to discover Use the Discovery policy on the SiteProtector Console to define the parameters used to perform a discovery scan on a portion of a network. Before you begin Before it can perform OS fingerprinting on an asset, your agent must find one open and one closed port. To find an open and a closed port, the agent scans ports 1–1023 and any other ports specified in the applicable Network Services policy.
Assessment policy Use the Assessment policy on the SiteProtector Console to define the checks to run for assessment scans. The Assessment policy contains the following tabs: v Checks (display checks by groups, display information about checks, select checks with filters) v Common Settings Scope The Assessment policy applies only to assessment scans that run in the background. Ad hoc scans read this policy and use its settings to initialize the ad hoc Assessment policy.
Displaying assessment checks by groups Use the Checks tab in the Assessment policy on the SiteProtector Console to group checks by any combination of columns that you have chosen to display. For example, you might want to see checks by category, then by severity within that category. About this task The current grouping selections are displayed just above the column headers of the checks.
Selecting assessment checks with filters Use the Checks tab in the Assessment policy on the SiteProtector Console to provide filtering values on a selected list of assessment checks. About this task The following rules apply to using regular expressions: v The match occurs against all columns in the table, whether or not the column is displayed. v If you use more than one regular expression, every regular expression must match for a check to be selected. Procedure 1.
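The following script models the two filtering rules above (the same rules apply to the Checks tab in the Proventia Manager, described in Chapter 1). It is an added example for this guide, not code from the appliance or from IBM; the sample checks, their column names, and the hidden "platform" column are constructed to illustrate the rules and do not reflect the product's check list.

```python
import re

# Constructed sample checks (not the product's check list). The column names
# are assumptions; "platform" stands for a column that is NOT displayed.
CHECKS = [
    {"name": "OpenSSH version disclosure", "category": "SSH", "severity": "Low", "platform": "Unix"},
    {"name": "SMB null session", "category": "Windows Networking", "severity": "Medium", "platform": "Windows"},
    {"name": "SNMP default community string", "category": "SNMP", "severity": "High", "platform": "Any"},
    {"name": "Anonymous FTP login", "category": "FTP", "severity": "Medium", "platform": "Any"},
]

DISPLAYED_COLUMNS = ("name", "category", "severity")  # "platform" is hidden


def check_matches(check, patterns):
    """Return True only if EVERY compiled pattern matches at least one column value.

    Rule 1: the match runs over all columns of the check, displayed or hidden,
    so check.values() is used rather than DISPLAYED_COLUMNS.
    Rule 2: with several expressions, all of them must match (all(), not any()).
    """
    return all(
        any(pattern.search(str(value)) for value in check.values())
        for pattern in patterns
    )


def select_checks(checks, expressions, flags=re.IGNORECASE):
    """Compile each expression as a regular expression and return the names of
    the checks that remain selected when all expressions are applied together."""
    patterns = [re.compile(expression, flags) for expression in expressions]
    return [check["name"] for check in checks if check_matches(check, patterns)]


if __name__ == "__main__":
    # "Unix" appears only in the hidden platform column, yet it still selects a check.
    print(select_checks(CHECKS, ["Unix"]))
    # Two expressions are ANDed: severity Medium AND platform Any.
    print(select_checks(CHECKS, ["Medium", "Any"]))
```

A practical consequence of rule 1: an expression that is meant to match a displayed column can also match a value in a column you cannot see, so when a filter selects an unexpected check, display the remaining columns to find the value that matched.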
Configuring common assessment settings Use the Common Settings tab in the Assessment policy on the SiteProtector Console to choose settings that define additional scanning behavior for the checks you have selected to run in an assessment scan. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Assessment policy for that group. 3. Click the Common Settings tab. 4.
Option: Ports to scan with generic UDP checks
Description: The set of UDP ports to scan with generic UDP checks. You can specify ports using any of the following methods: v Type a port or range of ports. v Click Well known and select ports from the list. v Select All. Note: A generic UDP check is one whose target type is udp.
8.
Option: Do not perform application fingerprinting
Description: Does not try to specifically identify which applications are communicating over which ports, and runs the checks as selected in the Assessment policy. This option does not identify applications communicating over non-standard ports. (Checks are run against standard ports as defined in the Network Services policy.)
Option: Fingerprint applications and run checks that apply to application protocol (e.g.
Option: Allowed account lockout
Description: Select a type of lockout: v No lockout allowed: Enterprise Scanner avoids running password guessing checks if account lockout is enabled on the target host, or if its status cannot be determined. v Temporary lockout allowed: Enterprise Scanner runs password guessing checks only if the account lockout duration is less than or equal to the value specified in the Maximum Allowable Lockout Duration option later in this section.
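The following script models how the Allowed account lockout setting gates password guessing checks (the same option appears in the Proventia Manager Assessment policy in Chapter 1). It is an added example, not code from the appliance or from IBM. It assumes the lockout status was obtained from a Windows target's `net accounts` output (the two samples below are constructed, not captured), and it treats a non-numeric lockout duration as a lockout that is not temporary; the names NO_LOCKOUT_ALLOWED, TEMPORARY_LOCKOUT_ALLOWED, parse_lockout and allow_password_guessing are the example's own.

```python
import re

# The two modes described in the Allowed account lockout option.
NO_LOCKOUT_ALLOWED = "No lockout allowed"
TEMPORARY_LOCKOUT_ALLOWED = "Temporary lockout allowed"

# Constructed `net accounts` output (not captured from a real host). The field
# labels follow the real command's English output; the values are made up.
TARGET_WITH_LOCKOUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""

TARGET_WITHOUT_LOCKOUT = """\
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""


def parse_lockout(net_accounts_text):
    """Return {"enabled": bool, "duration_minutes": number}, or None when the
    status cannot be determined from the output (missing or truncated text)."""
    threshold = duration = None
    for line in net_accounts_text.splitlines():
        m = re.match(r"Lockout threshold:\s*(\S+)", line)
        if m:
            threshold = m.group(1)
        m = re.match(r"Lockout duration \(minutes\):\s*(\S+)", line)
        if m:
            duration = m.group(1)
    if threshold is None:
        return None
    if threshold.lower() == "never":
        return {"enabled": False, "duration_minutes": 0}
    if duration is None:
        return None
    if duration.isdigit():
        return {"enabled": True, "duration_minutes": int(duration)}
    # Assumption: a non-numeric duration means accounts stay locked until an
    # administrator unlocks them, so the lockout is not temporary.
    return {"enabled": True, "duration_minutes": float("inf")}


def allow_password_guessing(lockout, mode, max_duration_minutes=0):
    """Apply the Allowed account lockout setting to a parsed lockout status."""
    if lockout is None:
        return False  # status cannot be determined: skip in both modes
    if not lockout["enabled"]:
        return True   # no lockout on the target: safe in both modes
    if mode == NO_LOCKOUT_ALLOWED:
        return False
    if mode == TEMPORARY_LOCKOUT_ALLOWED:
        # Maximum Allowable Lockout Duration: run only if the lockout is short enough.
        return lockout["duration_minutes"] <= max_duration_minutes
    raise ValueError(f"unknown lockout mode: {mode!r}")


def decide(net_accounts_text, mode, max_duration_minutes=0):
    """Convenience wrapper: parse the output, then apply the policy."""
    return allow_password_guessing(parse_lockout(net_accounts_text), mode, max_duration_minutes)


if __name__ == "__main__":
    print(decide(TARGET_WITH_LOCKOUT, NO_LOCKOUT_ALLOWED))               # False
    print(decide(TARGET_WITH_LOCKOUT, TEMPORARY_LOCKOUT_ALLOWED, 60))   # True
    print(decide("", TEMPORARY_LOCKOUT_ALLOWED, 60))                     # False: unknown status
```

Note the fail-closed default: an unreadable or missing lockout status skips password guessing in both modes, which matches the "or if its status cannot be determined" clause above. A scanner that guessed passwords against a domain-joined host with a five-attempt threshold could lock out every account it tried, so this is the safer default when in doubt.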
Assessment Credentials policy Use the Assessment Credentials policy on the SiteProtector Console to define authentication credentials for your assets. The appliance uses authentication credentials to access accounts during assessment scans. Enterprise Scanner uses all instances of the credentials that are defined for the group when it scans assets in the group.
Option: Account Type: Windows Domain/Workgroup
Description: Indicates that the user account is defined in a Windows Domain or Workgroup. The account is used to attempt to log in to all Windows devices within the domain or workgroup. When you choose this option, you must provide the Windows Domain or Workgroup name in the Domain/Host box.
Option: Account Type: Windows Active Directory
Description: Indicates that the user account is defined in a Windows Active Directory Domain.
Scan Control policy Use the Scan Control policy on the SiteProtector Console to define the duration of scanning cycles and to assign user-defined perspectives to scans. Background scanning is based on scanning cycles. Scanning cycles define how frequently you want to rerun scans for a group. Note: Background scans run during open scan windows that you define in the Scan Window policy.
Defining scanning cycles and assigning perspectives to scans Use the Scan Control policy on the SiteProtector Console to define the duration of scanning cycles and to assign user-defined perspectives to scans. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Scan Control policy for that group. 3.
Scan Window policy Use the Scan Window policy on the SiteProtector Console to define hours of allowed scanning for discovery scans (scan windows), assessment scans (scan windows), and the time zone in which you want the scanning to occur, which is typically the time zone of the assets. By default, scanning is allowed at any time. If you want to limit scanning, be sure to define scan windows. Scope The Scan Window policy applies to background discovery and assessment scans.
Defining when scanning is allowed Use the Scan Window policy on the SiteProtector Console to define the days and hours that scanning is allowed. About this task The Scan Window policy applies to background discovery and assessment scans. For an ad hoc scan, you can choose whether to run the scan only during the windows defined in this policy or to run the scan without restriction. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2.
Scan Exclusion policy Use the Scan Exclusion policy on the SiteProtector Console to define specific ports or assets to exclude from a scan of a group of assets. Each Scan Exclusion policy defines the following information for the asset group associated with the policy (and the groups that inherit from it): v A list of ports against which no assessment checks will be run. (No checks run against these ports on any host in the group. This applies to both TCP and UDP ports.
Network Services policy Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports. You can modify some properties of a default service in the policy, and you can add your own customized services to the policy. Scope The Network Services policy applies to assessment scans that run as either background or ad hoc scans.
Configuring a Network Services policy Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Network Services policy for that group. 3. For default or customized services, choose an option: If you want to... Then...
Ad Hoc Scan Control policy Use the Ad Hoc Scan Control policy on the SiteProtector Console to define Enterprise Scanner ad hoc scans for assessment and discovery. Configuration options For ad hoc scans you configure the following options: v With the Ad Hoc Scan Control option, you determine whether to run assessment or discovery scans, whether to run the scans only during available scan windows, how to lower the impact on the network from scanning, and the perspective to use.
11. If you want to add newly discovered assets to the group where you have defined the scan, rather than to the Ungrouped Assets group, select the Add newly discovered assets to group check box. 12. If you want to add previously known assets (that are not in the group) to the group, select the Add previously known assets to group check box. 13. Click OK. The ad hoc discovery scan is displayed in the Command Jobs window.
Option: Half-Scan Connections
Description: The maximum number of connections the scan should use for opening and closing ports.
13. Click the Debug Settings tab. 14. In the Packet Capture section, select Enabled and then set the filters for the agent to use during the ad hoc assessment scan for network analysis. Note: Packet capturing is not available for ad hoc background scanning. The agent writes the capture results to __.cap located in /cache/log/esm/PacketCapture.
Chapter 4. Understanding scanning processes in SiteProtector This chapter explains the high-level processes behind ad hoc and background scanning. It also explains how policy settings affect those processes. Use the following strategies for managing vulnerabilities with Enterprise Scanner: v Use background scanning for automated vulnerability management. v Use ad hoc scanning as needed to handle exceptional cases.
What is perspective? When you scan a group of assets, you anticipate and interpret results based on the location of your agent relative to the location of the assets. Scanning a group of assets from inside a firewall, for example, produces different results than scanning the same group of assets from outside the firewall. Perspective identifies network location With Enterprise Scanner, you use perspective to define logical locations on your network.
firewall, descriptive perspective names might be Atlanta-InsideFirewall and Atlanta-OutsideFirewall. Placing agents in the correct perspective A perspective name has no meaning to Enterprise Scanner. You must make sure that the agents you add to each perspective make logical sense placed there. If you add an agent to a perspective that is not logical for that agent, Enterprise Scanner cannot determine that you have made a mistake.
Figure 1. Network locations and perspectives To scan some asset groups from inside your firewall and others from within your DMZ, follow these steps: 1. Set up two groups in SiteProtector: v One group contains assets to scan from inside the firewall. v One group contains assets to scan from the DMZ. 2. Define a perspective to identify the scanners at each place on your network. 3. Assign one or more scanners to each perspective. 4.
Scan jobs and related terms To tune your system correctly, you must understand how scan jobs run and how the options you define in policies affect jobs and subtasks. Definitions The following table describes the terms used by the Enterprise Scanner agent in the scanning process: Table 8.
Scheduled and running scans To make it easier to explain the scanning processes, scans are considered scheduled when they are displayed in the Command Jobs window. Because jobs might not start to scan immediately, they are considered scheduled until the job actually starts to create tasks and run subtasks. The importance of tasks and subtasks Because a task assumes the criticality of the assets it contains, Enterprise Scanner can assign priority factors to tasks based on asset criticality.
Tasks per type of scan The following table explains the tasks needed for discovery and assessment scans: Table 10. Tasks per type of scan Scan type Number of tasks Discovery 1 job-level task 1 parent task 1 scanning task Note: There is no way to prioritize the order in which a discovery scan scans IP addresses, therefore there is no reason to divide the job into more than one scanning task.
Task prioritization The following table explains the reasons behind prioritization of scanning tasks: Table 11. Reasons for task prioritization Type of scan Reason for prioritization Ad hoc versus background Ad hoc scans run at higher priority than background scans because ad hoc scans fill extraordinary scanning needs: v Ad hoc scans help you identify major changes to your network or assess your assets against newly identified threats.
The process for a scanning cycle The following table describes the general process for a scanning cycle: Table 12. The process of a scanning cycle Stage Description 1 Scanning jobs are displayed in the Command Jobs window as they are scheduled: v A job for a background scan is scheduled at midnight on the first day of the refresh cycle defined in the Scan Control policy for a group. v A job for an ad hoc scan is scheduled when you initiate the scan.
Optimizing cycle duration, scan windows, and subtasks for Enterprise Scanner Background scanning jobs persist throughout a scan cycle, but are active only during open scan windows. The efficiency of background scanning relies on carefully calibrating the following items: v Quantity of IP addresses and assets to scan v The duration of the scan cycle v The size of subtasks and the size of the smallest scan window Size of scan windows You define scan windows for each day in multiples of hours.
Achieving the right balance If a refresh cycle is too short, you cannot scan all of your assets during the cycle. If a scan window is too short to finish subtasks, you can rerun subtasks that were nearly finished. To achieve the right balance, take the following actions: v Try to size your subtasks according to the size of your smallest scan window. v Try to size the quantity of IP addresses and assets to scan according to the duration of your refresh cycle.
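The two sizing rules above can be checked before you commit to a Scan Control and Scan Window policy. The helper below is an added example, not code from the IBM guide or product; it assumes a weekly scan-window pattern whose day 0 is a Monday, and an average scan time per IP address that you have measured on your own network.

```python
"""Added planning helper for Enterprise Scanner background scan cycles.

Not IBM's code. It models the guide's two sizing rules:
  * a subtask must fit inside the smallest open scan window, and
  * the IP addresses scanned per refresh cycle must fit the open hours
    of that cycle.
Assumptions: scan windows repeat weekly, day 0 of the cycle is a Monday,
and `minutes_per_ip` is an average you have measured on your own network.
"""
from dataclasses import dataclass
from math import floor

HOURS_PER_DAY = 24


@dataclass(frozen=True)
class ScanWindow:
    """One open window on a weekday (0 = Monday), in whole hours,
    matching the guide's hour-granularity windows."""
    weekday: int
    start_hour: int
    end_hour: int

    def __post_init__(self) -> None:
        if not 0 <= self.weekday <= 6:
            raise ValueError("weekday must be 0 (Monday) .. 6 (Sunday)")
        if not 0 <= self.start_hour < self.end_hour <= HOURS_PER_DAY:
            raise ValueError("window must be a non-empty hour range within one day")

    @property
    def hours(self) -> int:
        return self.end_hour - self.start_hour


@dataclass(frozen=True)
class CyclePlan:
    cycle_days: int         # refresh cycle length in days
    windows: tuple          # weekly pattern of ScanWindow objects
    ip_count: int           # IP addresses/assets to scan per cycle
    subtask_ips: int        # IP addresses per subtask
    minutes_per_ip: float   # ASSUMED average scan minutes per IP


def smallest_window_hours(windows) -> int:
    """Length of the shortest defined window; 0 when no window is open."""
    return min((w.hours for w in windows), default=0)


def open_hours_in_cycle(cycle_days: int, windows) -> int:
    """Total open scan hours over the cycle, repeating the weekly pattern."""
    per_weekday = [0] * 7
    for w in windows:
        per_weekday[w.weekday] += w.hours
    return sum(per_weekday[day % 7] for day in range(cycle_days))


def evaluate(plan: CyclePlan) -> dict:
    """Check both sizing rules and report the largest subtask that fits."""
    if plan.minutes_per_ip <= 0:
        raise ValueError("minutes_per_ip must be positive")
    subtask_hours = plan.subtask_ips * plan.minutes_per_ip / 60
    required_hours = plan.ip_count * plan.minutes_per_ip / 60
    min_window = smallest_window_hours(plan.windows)
    open_hours = open_hours_in_cycle(plan.cycle_days, plan.windows)
    return {
        "subtask_hours": subtask_hours,
        "smallest_window_hours": min_window,
        # A subtask longer than the smallest window cannot finish inside it;
        # that is the rerun case the guide warns about.
        "subtask_fits_window": subtask_hours <= min_window,
        "max_subtask_ips": floor(min_window * 60 / plan.minutes_per_ip),
        "required_hours": required_hours,
        "open_hours": open_hours,
        "cycle_fits": required_hours <= open_hours,
    }


# Constructed sample: a four-hour window on weekdays, all day Saturday and
# Sunday, a 14-day cycle, 5000 addresses, 200-address subtasks, 1.5 min/IP.
SAMPLE_WINDOWS = tuple(
    [ScanWindow(d, 0, 4) for d in range(5)]
    + [ScanWindow(5, 0, 24), ScanWindow(6, 0, 24)]
)
SAMPLE_PLAN = CyclePlan(
    cycle_days=14, windows=SAMPLE_WINDOWS, ip_count=5000,
    subtask_ips=200, minutes_per_ip=1.5,
)

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_PLAN).items():
        print(f"{key}: {value}")
```

With the sample figures the 200-address subtask needs five hours and so cannot finish in the four-hour weekday window, while the 5000 addresses do fit the 136 open hours of the cycle; shrinking subtasks to 160 addresses satisfies both rules.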
Chapter 5. Background scanning in SiteProtector This chapter describes the minimum requirements and options for defining background scanning in the SiteProtector Console. Because ad hoc scans use some of the background policies, this chapter also describes the impact of those shared policies on ad hoc scans. In addition, checklists in this chapter guide you through the process of setting up background scans.
Determining when background scans run This topic describes two important concepts for background scanning: scanning refresh cycles and scanning windows. These concepts control when background scans run. Scanning refresh cycle A scanning refresh cycle is the maximum duration (in days, weeks, or months) of a background scan. You define separate scanning refresh cycles for discovery and for assessment scans in a Scan Control policy. The cycles apply to the scans for all groups that the policy controls.
How policies apply to ad hoc and background scans Agent policies and asset policies both apply to ad hoc and background scans; however, you can reconfigure some asset policies when you define an ad hoc scan. The following table describes ad hoc and background scans: Table 13.
Table 15. Changes to Assessment and Discovery policies (continued) If you... Then you... Modify the configured settings Cannot save the policy. Therefore, the changes apply to only that ad hoc scan and do not affect configured background scans. Scan Control policy You cannot configure refresh cycles or scan windows for ad hoc scans because they are not included in the ad hoc Scan Control policy.
Background scanning checklists for Enterprise Scanner This topic describes the minimum requirements to set up background discovery and background assessment scanning. You should also use any other policies that help you configure your scanning environment to meet your security goals. Checklist for background discovery scanning The following table describes the requirements for setting up background discovery scanning for a group: 1. Apply a Discovery policy to the group. 2.
Enabling background scanning Use the Scan Control policy on the SiteProtector Console to define the duration of refresh cycles and to assign user-defined perspectives to scans. About this task Background scanning is based on scanning refresh cycles. Refresh cycles define how frequently you want to rerun scans for a group. Note: Background scans run during open scan windows that you define in the Scan Window policy.
Option Description Next cycle start date The beginning date of the next scan cycle. (Display only.) Use Discovery’s start date/duration and wait for discovery scan to complete before scheduling assessment scan Delays the start of the assessment scan until the discovery scan has finished to ensure that the discovery scan has identified all discoverable assets before the assessment scan begins. Note: This check box applies to assessment scans only. 5.
Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Scan Window policy for that group. 3. Click the Discovery Windows tab or the Assessment Windows tab. Note: Scanning hours are selected; non-scanning hours are not selected. 4. Select the periods of allowed scanning using the following methods: If you want to... Then...
Defining ports or assets to exclude from a scan Use the Scan Exclusion policy on the SiteProtector Console to define the specific ports, specific assets, or both, that you want to exclude from a scan of a group of assets. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Scan Exclusion policy for that group. 3. Choose an option: If you want to... Then...
Defining network services Use the Network Services policy on the SiteProtector Console to define service names associated with TCP and UDP ports. Procedure 1. From the SiteProtector Console, create a tab to display asset policies. 2. In the navigation pane, select a group, and then open the Network Services policy for that group. 3. For default or customized services, choose an option: If you want to... Then... Disable a service definition Clear the Enabled check box for that service.
Defining assessment credentials for a policy Use the Assessment Credentials policy on the SiteProtector Console to define authentication credentials for your assets. About this task The appliance uses authentication credentials to access accounts during assessment scans. Enterprise Scanner uses all instances of the credentials that are defined for the group when it scans assets in the group.
Option Account Type: SSH Local Description Indicates that the user account is defined locally on a single Unix device that allows SSH logons. The account is used to attempt login to a single Unix device. When you choose this option, you must provide an IP address in the Domain/Host box. Account Type: SSH Domain Indicates that the user account is defined for Unix devices that allow SSH logons. In this context, "Domain" loosely refers to a set of devices, rather than to a specific type of domain.
Chapter 6. Monitoring scans in SiteProtector This chapter uses terms that define scanning parameters for scan jobs with SiteProtector. Topics “Viewing your scan jobs” on page 92 “Viewing discovery job results” on page 92 “Viewing assessment job results” on page 93
Viewing your scan jobs Use the Command Jobs window on the SiteProtector Console to view the status of a job, watch its progress, and view its final results. Procedure 1. In the SiteProtector Console, right-click the Site or a group, and then select Properties from the pop-up menu. 2. Select Command Jobs from the options in the left pane. The command jobs are displayed for the selected group.
Viewing assessment job results You can open a scanning job in the Command Jobs window as the job runs to see additional information about it. Some information is not available until the job has finished running. About this task The Remote Scan window presents a snapshot of the information available when you open the job. To refresh the information, you must close and then reopen the job.
Chapter 7. Managing scans in SiteProtector This chapter explains different ways to stop and restart scans. It also describes expected scanning behaviors and provides tips for troubleshooting your scan jobs. Topics “Stopping and restarting scan jobs” on page 96 “Suspending and enabling all background scans” on page 97 “Minimum scanning requirements” on page 98 “Scanning behaviors for ad hoc scans” on page 99
Stopping and restarting scan jobs You can stop a scan job by pausing or canceling the job. You can also rerun a scan job. These actions apply to current scan jobs, not to scans to be scheduled in the future. Impact of stopping scan jobs The following table describes the impact of stopping scans with the Pause and Cancel options: Table 19. Impact of stopping scans Command Impact Pause Affects scanning for the remainder of the refresh cycle.
Suspending and enabling all background scans You can suspend and enable all scanning for the groups controlled by a Scan Control policy. This applies to current and future background scans. About this task If you stop background scans by disabling all scanning in the Scan Control policy, all current scans go into the idle status, and no more scans can be scheduled until you enable scanning again. The following occurs when you enable scanning again: Table 21.
Minimum scanning requirements This topic provides a brief review and summary of the minimum requirements for initiating different types of scans. Registration and authentication Your agent must be registered and authenticated with SiteProtector. You can check the status in Proventia Manager in Configuration → Authentication. Steps to initiate a scan The following table provides a brief reminder of the steps needed to initiate a scan: Table 22.
Scanning behaviors for ad hoc scans Different aspects of scanning behaviors are discussed in detail in different parts of this guide. This topic answers some of the most common questions about how jobs are scheduled and how they are displayed in the Command Jobs window. Inheritance Expect the following regarding inheritance: v There is a one-to-one correspondence between Scan Control policies and assessment jobs.
A: You did not define at least one IP address for a discovery scan. A: You set up the scan to run during scan windows, but you have not defined Scan Windows for the group you are scanning. This can happen if you define a Scan Window policy for the group but do not define any Scan Windows in the policy. The default for an unmodified Scan Window policy is that scan windows are open at all times.
v If the agent to run the background scan is available, the scan job appears in the Command Jobs window at midnight on the day of a new refresh cycle. v If the agent to run the background scan is not available, the scan job appears in the Command Jobs window when the agent is available, provided it is on a valid start date. Q: How many states does a background job go through? A: A background job starts out in the Pending state.
If you set up the Scan Control policy so that the assessment scan... Does not wait for the discovery scan to finish before the assessment scan begins Then, the assessment scan... Starts as a single job. There is no need to create a separate assessment job for each subgroup because the assessment scan does not have to wait for the discovery job to finish before it can start.
Chapter 8. Interpreting scan results in SiteProtector This chapter explains how to use OS identification and the views in SiteProtector to analyze the results of vulnerability assessment scans by the Enterprise Scanner agent.
OS identification (OSID) certainty Enterprise Scanner determines whether to run a check against a host based on the certainty of the OS information in SiteProtector and the setting in the Assessment policy that specifies what action to take if the OSID is uncertain. What determines certainty? The certainty with which a source provides a completely accurate OSID is based on the quality of the information available to the source.
How OSID is updated in Enterprise Scanner This topic explains how Enterprise Scanner uses OSID information or reassesses the OSID during an assessment scan, and when SiteProtector updates the OSID that it has for an asset. Conditions for reassessing OSID The following conditions must be met for Enterprise Scanner to use the OSID information from SiteProtector: v The operating system name, the certainty of the OSID, and a timestamp must all be available.
Setting up a Summary view for vulnerability management Use the Summary view in the SiteProtector Console to dynamically display information about scanning and vulnerability management. Procedure 1. From the Tools menu, select Options. 2. Select Summary in the left column. 3. If you always want the portlets to reflect the summary information for the current group selected in the navigation pane, select the Update Content on Group Change check box.
Table 25.
Viewing vulnerabilities in the SiteProtector Console using Enterprise Scanner Use the Analysis view in the SiteProtector Console to view event data collected by the Enterprise Scanner agent. About vulnerability assessment Vulnerability assessment data identifies weaknesses in your network and hosts. Intruders or employees can exploit these weaknesses to attack or compromise your network and hosts. This type of data is collected by Enterprise Scanner.
Field descriptions The following table describes the fields and descriptions for this vulnerability view: Table 26. Vulnerability view by asset Field Description Target IP Use this filter to monitor a specific IP address that you suspect is the target of attacks. The IP address can be either internal or external. This information is typically modified for you as you explore event data.
Table 26. Vulnerability view by asset (continued) Field Description Tag Count Use to filter events according to the Tag Count column in the analysis views. SiteProtector calculates the Tag Count according to the number of events that are associated with each row of data in the analysis view. This filter filters data only in views that contain the Tag Count column.
Viewing vulnerabilities by detail in Enterprise Scanner Use this view to examine event details that might be related to an attack or that you consider unusual. Benefits You analyze event data to evaluate the effectiveness of your system’s security and to investigate any suspicious activity. You can analyze event data in several ways: v Examine events affecting specific agents, hosts, and groups. v Review high-level results and trends for groups or Sites.
Table 27. Vulnerability view by detail (continued) Field Description Object Type Use this filter to analyze a specific type of object that you suspect is the target of attacks. Object Name Use this filter to see events involving a specific object according to the object’s name. User Name Use this filter to display or suppress events that match the User Name, if any, associated with an event.
Viewing vulnerabilities by object in Enterprise Scanner Use this view to examine objects on your network or desktop computers that are a source of vulnerabilities. Benefits You can analyze specific objects that are more affected by vulnerabilities, such as ports or URLs. You can view an object by the type, name, events, or vulnerability type. Field descriptions The following table describes the fields and descriptions for this vulnerability view: Table 28.
Table 28. Vulnerability view by object (continued) Field Description Tag Count Use to filter events according to the Tag Count column in the analysis views. SiteProtector calculates the Tag Count according to the number of events that are associated with each row of data in the analysis view. This filters data only in views that contain the Tag Count column.
Table 29. Vulnerability view by target operating system (continued) Field Description Status Use the Status filter differently for events and vulnerabilities. v Events: The Status column indicates the impact of the event. v Vulnerabilities: The Status column indicates whether the vulnerability was found. Event Count Use this filter to determine which events occur most frequently. Target Count Use to filter by the count of target hosts.
Table 30. Vulnerability view by vulnerability name (continued) Field Description Status You use the Status filter differently for events and vulnerabilities. v Events: The Status column indicates the impact of the event. v Vulnerabilities: The Status column indicates whether the vulnerability was found. Use this filter to show only the statuses that interest you. Event Count Use this filter to determine which events occur most frequently. Target Count Use to filter by the count of target hosts.
Running reports in the SiteProtector Console Use the Report view in the SiteProtector Console to schedule Enterprise Scanner reports. Procedure 1. In the navigation pane for the SiteProtector Console, select the group for which you want to run reports. 2. In the right pane, select a tab, and then select the Report view. 3. Right-click the name of the report to create, and then select New Report from the pop-up menu. 4. Customize the report according to your needs on the Report Specification tab.
Table 31. Assessment reports descriptions (continued) Report Description Top Vulnerabilities A list of the top vulnerabilities, by frequency, for a specified group and time. Vulnerability by Asset A list of the top assets by number of vulnerabilities for a specified group and time. Vulnerability by Group A comparison of vulnerabilities across subgroups of a selected group. Vulnerability by OS A comparison of vulnerability counts by operating systems.
Viewing an Enterprise Scanner report in the SiteProtector Console Use the Report view in the SiteProtector Console to open an Enterprise Scanner report on your computer. Procedure 1. In the navigation pane for the SiteProtector Console, select the group that you want to run reports for. 2. In the right pane, select a tab, and then select the Report view. 3. Right-click the name of the report to create, and then select Properties from the pop-up menu. 4. Select Reports in the left pane. 5.
Chapter 9. Logs and alerts This chapter explains how to generate log files and to set up alert notifications for the appliance.
Log files and alert notification Enterprise Scanner maintains log files on the appliance to use for diagnosing problems with the agent. The log files contain details about the scanning and operational processes running on the agent. Two types of log files Enterprise Scanner maintains two types of log files: Table 32. Types of log files Log type Description Enterprise Scanner (ES) Contains details about the scanning processes controlled by the agent.
System logs Use the System Event Log page in the Proventia Manager to examine entries in the system logs. System log descriptions The following table describes the system logs for Enterprise Scanner: Table 34. System logs Log name (file_name) Description Architecture Services Log (AS_Log.log) Contains low-level debugging information from the management services library resulting from the scheduler interactions with the Asset Service and the Task Service.
Getting log status information Use the Log Status page in the Proventia Manager to view usage information for alert event log statistics. Navigation: To access the Log Status page, click Status → Logs in the navigation pane. This page provides usage information for the following alert event log statistics: Table 35. Alert event log statistics Statistic Description Number of Logged Alerts The number of alert events that have been written to the log file.
Table 37. Enterprise Scanner (ES) log descriptions (continued) Log name (file_name) Description Interface Log (crm-esm.log) Details communications between the CRM and the ESM. Engine (ESM Blade) Log (iss-esm.log) Contains low-level information related to Common Assessment Module (CAM) sessions that are executed by discovery and assessment tasks, including all exception, information, and trace messages produced by CAM. Scheduler Log (iss-esmScheduler.
Downloading Enterprise Scanner (ES) log files Use the Log File Management page in the Proventia Manager to download an Enterprise Scanner (ES) log file from the Enterprise Scanner agent to a local workstation. About this task When you download a log file, Enterprise Scanner creates a backup of the log file for you to download. Enterprise Scanner saves the file with the standard name for the log file, but it appends the current time and date stamp, as in the following example: Crm.Trace.log.20060324141336.
Alerts log Use the Alert Event Log page in the Proventia Manager to view and manage security and system-related alerts. Navigation: You can access this page from Logs → Alerts, Maintenance → Updates → Alerts, or Logs → Scanning Alerts. Risk level icons You can determine the risk level of an event by the icon in the Risk Level column of the log file: Table 38.
Downloading and saving an Alerts log Use the Alerts page in the Proventia Manager to save an alert log file to use for forensic purposes. About this task The Alert log is saved in three comma-separated values (CSV) files. The three files refer to the data displayed in the Alerts log: Table 39. Alert log files File Description filename_eventdata.csv v The distinct records that match the alert record number v The event name and the risk level filename_eventinfo.
Clearing the Alerts log Use the Alerts page in the Proventia Manager to clear all events from the Alert log. Before you begin Clearing the Alert log deletes the records and removes the alerts from the Alerts page. Before you clear the Alert log, you might want to save a copy for archiving. Procedure 1. Log on to the Proventia Manager for the Enterprise Scanner agent. 2. Click Logs → Alerts in the navigation pane. 3. Click Clear current Alerts from event log. 4. Click OK.
If you want to... Then... Search the Alert log file by filtering options 1. Select Auto Off from the Refresh Data list. 2. Select an option from the Filter Options list. Search value fields appropriate to the option are displayed later in this section in the Filter Options list. 3. Specify a search value for the chosen filtering option: v Select: No filter is selected. v Risk Level: Select a risk level from the list: – High – Medium – Low v Alert Name: Type any valid alert name in the box.
If you want to... Then... Search the Alert log file by Alert ID number 1. Type the 26-character alert ID number in the Search by Alert Id# box. Tip: You can copy the ID# from an Alert Event Details window and paste it into the search box to find all events with that ID#. To see the details window, click the name of the alert in the Alert Name column. 2. Click Go. Note: The search is limited to selected filtering options.
Chapter 10. Ticketing and remediation This chapter explains how to use information from Enterprise Scanner with the ticketing feature in SiteProtector to manage tracking and remediation. Topics “Ticketing and Enterprise Scanner” on page 134 “Remediation process overview for Enterprise Scanner” on page 135 “Remediation tasks for Enterprise Scanner” on page 136
Ticketing and Enterprise Scanner SiteProtector works with Enterprise Scanner to streamline your event tracking and remediation processes. This topic explains how to use information from Enterprise Scanner with the ticketing feature in SiteProtector to manage tracking and remediation. When remediation is necessary, such as patching a vulnerability, you can create a ticket directly from the SiteProtector Console.
When you save the ticket in SiteProtector, the action request system stores the information, too. You can edit and maintain tickets in the action request system. SiteProtector retains a copy of the ticket on the database server. Note: If you use Remedy to maintain tickets, then you cannot edit them in SiteProtector. However, SiteProtector saves a copy of each ticket you create.
If you do not want to modify the cycle duration for your background scans, you can run an ad hoc scan to verify and close tickets that are pending system verification. Remediation tasks for Enterprise Scanner Use information from Enterprise Scanner with the ticketing feature in SiteProtector to manage tracking and remediation. Task overview Task 1: Scan your network Use the information collected during your regularly scheduled scans, or run an ad hoc scan.
Table 40. Options for the Ticketing reports Option Tab Description Share report with other SiteProtector users General Select this option to give other SiteProtector users permission to view the report you are running. Display assigned users Display Select this check box if you want the users who have been assigned tickets to be displayed in the report. Display category Display Select this check box if you want custom categories that are assigned to tickets to be displayed in the report.
Table 40. Options for the Ticketing reports (continued) Option Tab Description Number of Records Report Format Specifies the number of records that will be displayed in the report from five to ALL records. Show Graph Report Format Select this check box if you want a graph to be displayed on the report. Task 6: Close the ticket After the work outlined in the ticket has been completed, you can close the ticket in one of two ways: v You can manually close the ticket by changing the status to Closed.
Part 3. Maintenance This section explains how to maintain and update the Enterprise Scanner agent. Chapters Chapter 11, “Performing routine maintenance,” on page 141 Chapter 12, “Updating Enterprise Scanner,” on page 147 Chapter 13, “Viewing the status of the Enterprise Scanner agent,” on page 157
Chapter 11. Performing routine maintenance This chapter explains maintenance procedures that you need to perform on the Enterprise Scanner agent. Topics “Shutting down your Enterprise Scanner” on page 142 “Removing an agent from SiteProtector” on page 143 “Options for backing up Enterprise Scanner” on page 144 “Backing up configuration settings” on page 145 “Making full system backups” on page 146
Shutting down your Enterprise Scanner You can shut down Enterprise Scanner from the Proventia Manager. The shut down option also turns off the appliance. Before you begin If you have an agent with an early BIOS, the shut down command may not turn off the appliance. About this task Use this option if you need to turn off the appliance temporarily, but plan to continue using the agent with the same instance of SiteProtector.
Removing an agent from SiteProtector Use this procedure to remove an agent from SiteProtector. Procedure 1. In the SiteProtector Console, open a tab with an Agent view, and then select the group that contains your agent. 2. In the right pane, right-click the agent, and then select Delete from the pop-up menu. 3. If you want to delete the group, right-click the group in the navigation pane, and then select Delete from the pop-up menu.
Options for backing up Enterprise Scanner Use the Backup and Recovery page to manage snapshots of configuration settings and to create complete system backups. Types of backups Settings backup A settings backup is a snapshot file that stores all of your appliance configuration settings. You can have many settings snapshot files of different configurations. Full backup A full backup stores a complete image of the operating system and current configuration settings of the appliance.
Backing up configuration settings Use the Settings Backup tab on the Backup and Recovery page to create a settings snapshot file of the configuration settings for your agent. About this task A settings snapshot file contains the configuration settings, including the logon account credentials and networking settings, of the agent. The default settings snapshot file, factoryDefault.settings, contains the original agent settings.
Making full system backups Use the Full Backup tab on the Backup and Recovery page to create a complete image of the operating system and current configuration settings before you apply firmware updates or apply snapshot files that change the original configuration settings of the appliance. Procedure 1. Click Maintenance → Backup and Recovery in the navigation pane. 2. Click the Full Backup tab. 3. Choose an option: If you want to... Then... Create a full system backup Click Create System Backup.
Chapter 12. Updating Enterprise Scanner This chapter describes how to configure an agent for XPUs, how to schedule automatic and one-time XPUs, and how to apply XPUs manually. Occasionally, you must install XPUs for other products, such as for SiteProtector components, when you install an XPU for Enterprise Scanner. Additional update requirements, such as migrating policies, might also apply.
XPU basics This topic describes the types of updates for your Enterprise Scanner agent and explains where you can get the updates. Types of updates The following table describes the contents of firmware and assessment content updates: Table 41.
Updating options The XPU process provides the option to schedule automatic updates on a periodic basis, schedule one-time updates, or update an agent manually. You should configure automatic updates and use one-time and manual updates as needed between the automatic updates. Update options The following table describes the three update options: Table 43.
Configuring explicit-trust authentication with an XPU server You can configure the authentication between an Enterprise Scanner agent and a SiteProtector X-Press Update Server (XPU Server) to use either trust-all or explicit-trust authentication. Before you begin To use explicit-trust authentication with an XPU Server, follow these steps: v Copy the certificate file from the XPU Server to the agent as described in the procedure later in this section.
Configuring an Alternate Update location Use the Alternate Update Server page in the Update Settings policy on the SiteProtector Console if you want to update your Enterprise Scanner appliance from within your network instead of getting updates from the IBM ISS Download Center. About this task By default, an agent receives updates from the IBM ISS Download Center. You can also update your agent from a locally managed SiteProtector X-Press Update Server (XPU Server) instead.
Option Description Trust Level The authentication level for communications with the SiteProtector update server. Authentication level options for the SiteProtector update server are as follows: v Trust-all: The appliance trusts the SiteProtector update server, and does not use SSL certificates for authentication. This is the easiest way to set up the connection to the SiteProtector update server.
Configuring an HTTP Proxy Use the Proxy Server page in the Update Settings policy on the SiteProtector Console to configure proxy server information if your Enterprise Scanner agent uses a proxy server to access the Update Server. Procedure 1. From the SiteProtector Console, create a tab to display agent policies. 2. In the navigation pane, select a group, and then open the Update Settings policy for that group. 3. Select Enable Proxy. 4.
Scheduling a one-time firmware update
Occasionally, you might not want to wait for your automatic update process to install an important update. You can schedule a one-time firmware update between automatic updates.
Procedure
1. From the SiteProtector Console, open the Update Settings policy for the agent you want to update.
2. Click the Update Settings tab.
3. In the Firmware Updates section, select Schedule One-time Install.
Option: Check for updates at given intervals
Description: Checks for updates at the interval that you specify.
Note: The range is 60 minutes to 1440 minutes (1-24 hours). Make sure that your agent checks for updates at least one hour before automatic installations to ensure sufficient time for downloading updates.
Manually installing updates
In the Proventia Manager for the agent, you can manually download and install updates. Firmware and assessment content updates are downloaded together, but you install them separately.
Procedure
1. Log on to the Proventia Manager for the Enterprise Scanner agent.
2. Click Maintenance → Updates in the navigation pane, and then click Available Downloads.
3. If updates are available, click Download Updates to download them immediately.
Chapter 13. Viewing the status of the Enterprise Scanner agent
This chapter explains the status information that is available for Enterprise Scanner in Proventia Manager and in the SiteProtector Console.
Topics
“Proventia Manager Home page” on page 158
“Viewing agent status in the SiteProtector Console” on page 160
“Viewing agent status” on page 160
“Viewing the status of the CAM modules” on page 161
“Troubleshooting the Enterprise Scanner sensor” on page 161
Proventia Manager Home page
The Proventia Manager Home page provides the latest diagnostic information about the appliance.
Navigation: To access the Proventia Manager Home page, click Home in the navigation pane.
System status
The system status group box describes the current status of the system:
Table 46. Current status of the system
Statistic        Description
Model Number     The model number of the agent.
Serial Number    The serial number of your agent.
Table 47. Current status of network interfaces (continued)
Model     Network interfaces
ES1500    ETH0 (management port), ETH1 (scanning port), ETH2 (scanning port), ETH3 (scanning port), ETH4 (scanning port), ETH5 (scanning port)
Updates status
The update status group box provides the latest update information of the appliance:
Table 48. Current status of updates
Statistic               Description
Last Firmware Update    The time the agent firmware was last updated.
Viewing agent status in the SiteProtector Console
The same system status information that is available in the Proventia Manager Home page is available in the SiteProtector Console. You can also check your authentication status in the SiteProtector Console.
Procedure
1. Log on to the SiteProtector Console.
2. In an Agent or Policy tab in the SiteProtector Console, right-click an agent, and then select Properties from the pop-up menu.
Viewing the status of the CAM modules
Use the CAM Modules page in the Proventia Manager to view information about CAM sessions in Enterprise Scanner.
Procedure
1. Log on to the Proventia Manager for the Enterprise Scanner agent.
2. Click Status → CAM Modules in the navigation pane.
3. If you want to refresh the diagnostics information, select a refresh option from the Refresh Data list.
Table 50. Sensor processes (continued)
Module or process: Enterprise Scanner scheduler module or process (iss-esmScheduler)
Description: The program file that schedules and runs Enterprise Scanner ad hoc discovery and assessment tasks.
Troubleshooting options:
- Clean: Remove esmScheduler log files. (If the scheduler module is running, this option removes only *.bak files; otherwise all scheduler module logs are removed.)
- Restart: Restart the esmScheduler process.
- Start: Start the esmScheduler process.
Part 4. Appendixes
Appendix. Safety, environmental, and electronic emissions notices Safety notices may be printed throughout this guide. DANGER notices warn you of conditions or procedures that can result in death or severe personal injury. CAUTION notices warn you of conditions or procedures that can cause personal injury that is neither lethal nor extremely hazardous. Attention notices warn you of conditions or procedures that can cause damage to machines, equipment, or programs.
When working on or around the system, observe the following precautions: Electrical voltage and current from power, telephone, and communication cables are hazardous. To avoid a shock hazard: v Connect power to this unit only with the IBM ISS provided power cord. Do not use the IBM ISS provided power cord for any other product. v Do not open or service any power supply assembly.
CAUTION: The battery contains lithium. To avoid possible explosion, do not burn or charge the battery. Do not: v Throw or immerse into water v Heat to more than 100°C (212°F) v Repair or disassemble Exchange only with the IBM ISS-approved part. Recycle or discard the battery as instructed by local regulations. In the United States, IBM ISS has a process for the collection of this battery. For information, call 1-800-426-4333. Have the IBM ISS part number for the battery unit available when you call.
Product safety labels
One or more of the following safety labels may apply to this product.
DANGER: Hazardous voltage, current, or energy levels are present inside any component that has this label attached. Do not open any cover or barrier that contains this label. (L001)
DANGER: Multiple power cords. The product might be equipped with multiple power cords. To remove all hazardous voltages, disconnect all power cords.
Laser safety information The following laser safety notices apply to this product: CAUTION: This product may contain one or more of the following devices: CD-ROM drive, DVD-ROM drive, DVD-RAM drive, or laser module, which are Class 1 laser products. Note the following information: v Do not remove the covers. Removing the covers of the laser product could result in exposure to hazardous laser radiation. There are no serviceable parts inside the device.
Notice: This mark applies only to countries within the European Union (EU) and Norway. Appliances are labeled in accordance with European Directive 2002/96/EC concerning waste electrical and electronic equipment (WEEE). The Directive determines the framework for the return and recycling of used appliances as applicable through the European Union. This label is applied to various products to indicate that the product is not to be thrown away, but rather reclaimed upon end of life per this Directive.
on disposal of batteries outside the United States, go to http://www.ibm.com/ ibm/environment/products/ batteryrecycle.shtm or contact your local waste disposal facility. In the United States, IBM has established a return process for reuse, recycling, or proper disposal of used IBM sealed lead acid, nickel cadmium, nickel metal hydride, and other battery packs from IBM equipment. For information on proper disposal of these batteries, contact IBM at 1-800-426- 4333.
In accordance with the European Directive 2006/66/EC, batteries and accumulators are labeled to indicate that they are to be collected separately and recycled at end of life. The label on the battery may also include a symbol for the metal concerned in the battery (Pb for lead, Hg for the mercury, and Cd for cadmium).
Note: This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Canadian Department of Communications Compliance Statement This Class A digital apparatus complies with Canadian ICES-003.
is modified, or if expansion components from third-party manufacturers are plugged in or installed without a recommendation from IBM. EN 55022 Class A equipment must carry the following warning notice: "Warning: This is a Class A device. This device can cause radio interference in residential areas; in that case the operator may be required to take appropriate measures and to bear the costs."
Korean Class A Compliance Statement:
Index A Access policy 35, 39 account lockout 12 account lockout (SiteProtector) 51 active module icon 158 ad hoc assessment scan 65 monitoring status 23 ad hoc discovery scan 64 monitoring status 23 ad hoc scan running 22 types of 81 Ad Hoc Scan Control policy 64, 82 ad hoc scan policies 20 ad hoc scans expected scanning behavior 99 Admin password 39 advanced parameters event notification 39 event notification advanced parameters 39 agent managers 151 agent policies 35, 43, 44 descriptions 35 policy inherit
Enterprise Scanner report viewing in SiteProtector Console 119 Enterprise Scanner reports running in SiteProtector 117 Enterprise Scanner scan module 161 Enterprise Scanner scheduler module 162 ES logs 122, 124 changing detail 124 ESM blade log 124 ETH0 40 ETH1 40 event notification 38 configuring 38 Event Notification tab 153 explicit-trust 150, 152 L F N filename_eventdata.csv 128 filename_eventinfo.csv 128 filename_eventresp.
scan job (continued) resuming 96 scan jobs (SiteProtector) 71 scan policy configuring from LMI 20 scan priority 99 Scan Reports page 24 scan results exporting 24 Scan Results page 24, 25 Scan Status page 23 Scan Window policy 45, 59, 60, 85 Scan Window policy (SiteProtector) 85 allowed scanning 85 scan windows 59, 76 scanning (SiteProtector) minimum requirements 98 scanning behaviors 99 ad hoc scan 99 background scan 100 scanning cycle 75 scanning cycles 57 scanning interface assigning perspective 7, 37 sca