SiteProtector User Guide for Security Managers
Version 2.0, Service Pack 5.2

Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328-4233
United States
(404) 236-2600
http://www.iss.net

© Internet Security Systems, Inc. 1994-2005. All rights reserved worldwide.

Customers may make reasonable numbers of copies of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any other person or entity without the express prior written consent of Internet Security Systems, Inc. Patent pending.

Internet Security Systems, System Scanner, Wireless Scanner, SecurityFusion Module, SiteProtector, Proventia Web Filter, Proventia Mail Filter, Proventia Filter Reporter, ADDME, AlertCon, ActiveAlert, FireCell, FlexCheck, Secure Steps, SecurePartner, SecureU, and X-Press Update are trademarks and service marks, and the Internet Security Systems logo, X-Force, SAFEsuite, Internet Scanner, Database Scanner, Online Scanner, Proventia, and RealSecure registered trademarks, of Internet Security Systems, Inc. Network ICE, the Network ICE logo, and ICEpac are trademarks, BlackICE a licensed trademark, and ICEcap a registered trademark, of Network ICE Corporation, a wholly owned subsidiary of Internet Security Systems, Inc. SilentRunner is a registered trademark of Raytheon Company. Acrobat and Adobe are registered trademarks of Adobe Systems Incorporated. Certicom is a trademark and Security Builder is a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. or its affiliates. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM Corporation. InstallShield is a registered trademark and service mark of InstallShield Software Corporation in the United States and/or other countries. Intel and Pentium are registered trademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX, Active Directory, Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software, and the Seagate logo are trademarks or registered trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH Communications Security. iPlanet, Sun, Sun Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Adaptive Server, SQL, SQL Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a registered trademark of Tivoli Systems Inc. VERISIGN and THAWTE are registered trademarks of VeriSign. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement.

Specifications are subject to change without notice.

Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk.
ISS and the X-Force disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems, Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems, Inc., and shall not be used for advertising or product endorsement purposes.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behavior to support@iss.net.

May 20, 2005

Contents

Preface
    Overview ..... ix
    How to Use SiteProtector Documentation ..... x
    Conventions Used in this Guide ..... xii
    Getting Technical Support ..... xiii

Part I: Introduction

Chapter 1: Introduction to SiteProtector
    Overview ..... 17
    What is SiteProtector? ..... 18
    SiteProtector Architecture ..... 19
    SiteProtector Components and Features ..... 20
    Add-on Components ..... 21
    Agents that SiteProtector Manages ..... 22

Chapter 2: Using SiteProtector Interfaces
    Overview ..... 25
    The SiteProtector Console ..... 26
    Logging on to the Console and the Site Manager ..... 28
    Logging on to the Enterprise Dashboard ..... 29
    Logging on to SiteProtector Web Access ..... 30
    Setting Up the SiteProtector Event Viewer ..... 32
    Logging On to the Event Viewer ..... 34

Part II: Getting Started

Chapter 3: Configuring SiteProtector
    Overview ..... 37
    Initial Configuration Task Checklist ..... 38

Chapter 4: Adding Users to SiteProtector
    Overview ..... 41
    SiteProtector User Roles ..... 42
    Privileges for User Roles ..... 43
    Adding Users to SiteProtector ..... 46
    User Roles and Asset Groups ..... 48
    Restricting User Access to Sites and to Asset Groups ..... 49
    Managing Permissions for User Roles ..... 50
    Granting Permissions to User Roles ..... 51
    Removing Permissions from User Roles ..... 52
    Permissions by User Role ..... 53

Chapter 5: Configuring Your Console
    Overview ..... 57
    Choosing General Preferences ..... 59
    Choosing Site Manager Preferences ..... 60
    Choosing Enterprise Dashboard Preferences ..... 62
    Choosing Documentation Preferences ..... 63
    Choosing Trace Preferences ..... 65
    Choosing Proxy Preferences ..... 66
    Choosing Security Preferences ..... 67

Part III: Installing Agents and Appliances

Chapter 6: Installing Sensors and Appliances
    Overview ..... 71
    Before You Install a Sensor or an Appliance ..... 72
    Agent Registration, Authentication, and Encryption ..... 73
    Installing Sensors and Appliances ..... 74
    Downloading a Sensor Package ..... 75

Chapter 7: Installing Desktop Agents
    Overview ..... 77
    Section A: Preparing SiteProtector for Desktop Agents ..... 79
        Overview ..... 79
        Task 1: Adding a Desktop Agent License ..... 80
        Task 2: Adding an Account to the Agent Manager ..... 81
        Task 3: Creating a Policy Subscription Group ..... 82
        Task 4: Assigning a Desktop Policy to the Policy Subscription Group ..... 84
        Policy Assignments in Different Scenarios ..... 85
    Section B: Installing Desktop Agents ..... 87
        Overview ..... 87
        Option 1, Task 1: Generating an Agent Build ..... 88
        Option 1, Task 2: Providing the Desktop Build to Employees ..... 89
        Option 2: Installing a RealSecure Desktop Agent from the Deployment Manager ..... 90

Chapter 8: Installing Internet Scanner and System Scanner
    Overview ..... 91
    Section A: Installing the Internet Scanner Application ..... 93
        Overview ..... 93
        Using Internet Scanner with SiteProtector ..... 94
        Setting Up Encryption Keys for an Existing Internet Scanner ..... 95
    Section B: Installing the System Scanner Application ..... 97
        Overview ..... 97
        Using System Scanner with SiteProtector ..... 98
        Installing the System Scanner Databridge ..... 99
        Viewing System Scanner Events in SiteProtector ..... 101

Chapter 9: Configuring SiteProtector Software
    Overview ..... 103
    Adding a License File ..... 104
    Registering Software Managed by SiteProtector ..... 105
    Importing Encryption Keys ..... 107
    Setting Up the Enterprise Dashboard for Multiple Sites ..... 109
    Using a Different SSL Certificate for the Web Server ..... 111
    Enabling Authentication for the Application Server ..... 113
    Starting and Stopping a SiteProtector Service ..... 116

Chapter 10: Configuring the SecurityFusion Module
    Overview ..... 117
    Section A: Setting up a Policy and Defining Assets ..... 119
        Overview ..... 119
        SecurityFusion Licenses ..... 120
        Asset Specifications for SecurityFusion Correlation ..... 121
        Importing Assets from a Host File ..... 122
        Manually Specifying Assets for SecurityFusion Correlation ..... 123
        Specifying Hosts with Multiple IP Addresses ..... 124
        Deleting Assets ..... 125
        Verifying that the SecurityFusion Module is Working ..... 126
    Section B: Configuring Responses ..... 127
        Overview ..... 127
        Adjusting Severity Based on Event Impact ..... 128
        Displaying Events in Site Manager ..... 129
        Logging Events to the SiteProtector Database ..... 130
        Sending Email and SNMP Responses ..... 131
        Configuring User-Specified Responses ..... 133
        Responding to Server Sensor Correlated Events ..... 134
    Section C: Additional Configuration Tasks ..... 135
        Overview ..... 135
        Tasks for Configuring Vulnerability Data ..... 136
        Configuring Vulnerability Data ..... 137
        Customizing Parameters for Attack Patterns ..... 138
        Encrypting Communications with the SiteProtector Database ..... 139

Part IV: Organizing and Managing Your Assets

Chapter 11: Adding Assets to SiteProtector
    Overview ..... 143
    How to Organize Groups of Assets ..... 145
    How to Create and Populate Groups ..... 146
    Creating Site Ranges ..... 148
    Adding Asset Groups ..... 149
    Manually Adding Assets ..... 150
    Defining Membership Rules for Automatic Grouping ..... 152
    Running a Discovery Scan ..... 153
    Importing Active Directory ..... 155
    Modifying the System Scanner Group ..... 158

Chapter 12: Configuring the Desktop Environment
    Overview ..... 159
    Designating a Backup Agent Manager ..... 160
    Assigning a Group of Agents to a Different Agent Manager ..... 161

Chapter 13: Managing Policies and Responses
    Overview ..... 163
    Policy Management for Different Agents and Appliances ..... 164
    Policy Assignment with Active Directory ..... 165
    Applying Policies to Sensors and Proventia G Series Appliances ..... 167
    Applying Policies to Proventia M Series and Next Generation G Series Appliances ..... 169
    Policy Subscription Groups ..... 171
    Response Concepts ..... 172
    Response Hierarchy ..... 173
    Response Strategy ..... 174

Chapter 14: Central Responses
    Overview ..... 175
    Section A: Working with Response Rules ..... 177
        Overview ..... 177
        Creating New Response Rules ..... 178
        Creating Event-Based Response Rules ..... 179
        Selecting Rule Events ..... 180
        Specifying an Event Source and Destination ..... 181
        Selecting a Response ..... 184
        Adding Event Details ..... 185
        Enabling Response Rules ..... 187
        Editing Response Rules ..... 188
        Customizing the Response Rules View ..... 189
        Ordering Response Rules ..... 190
    Section B: Working with Response Objects ..... 191
        Overview ..... 191
        Supported Response Objects and Agents ..... 192
        Configuring Email Response Objects ..... 193
        Configuring SNMP Response Objects ..... 195
        Configuring User-Specified Response Objects ..... 196
        Removing a Response Object ..... 197
    Section C: Working with Network Objects ..... 199
        Overview ..... 199
        Configuring Address Groups ..... 201
        Configuring Address Names ..... 203
        Configuring Port Groups ..... 205
        Configuring Port Names ..... 207
        Working with Dynamic Network Objects ..... 209
        Configuring Dynamic Address Names ..... 210
        Importing Network Objects from Another Component ..... 211

Part V: Maintaining SiteProtector Components and Agents

Chapter 15: Adding and Removing Components
    Overview ..... 215
    Installing Additional SiteProtector Components ..... 216
    Removing and Reinstalling Individual SiteProtector Components ..... 217

Chapter 16: Maintaining the Site Database
    Overview ..... 219
    Requirements and Considerations ..... 221
    Scheduling Database Maintenance ..... 222
    Configuring Index Defragmentation ..... 223
    Configuring a Log Purge ..... 224
    Configuring a Scheduled Data Purge ..... 226
    Configuring an Emergency Data Purge ..... 229
    Data Backup Options ..... 231
    Configuring Database Backups ..... 232

Chapter 17: Managing X-Press Update Servers
    Overview ..... 235
    Important Requirements and Considerations ..... 237
    Configuring Lists of X-Press Update Servers ..... 238
    Configuring X-Press Update Server Download Options ..... 240
    Verifying an X-Press Update Server’s Status ..... 242
    Forcing X-Press Update Servers to Check for New Policy Settings ..... 243

Chapter 18: Updating Components and Agents
    Overview ..... 245
    Overview of X-Press Updates ..... 247
    Applying XPUs ..... 248
    Closing and Reopening the Apply Update Wizard ..... 250
    Applying Updates When You Do Not Have Internet Access ..... 251
    Removing an Update ..... 253

Chapter 19: SiteProtector Reports
    Overview ..... 255
    Section A: Creating Reports from Event Data ..... 257
        Overview ..... 257
        Printing Reports from Event Data ..... 258
        Saving Reports from Event Data ..... 259
    Section B: Creating Summary and Compliance Reports ..... 261
        Overview ..... 261
        Compliance and Summary Report Descriptions ..... 262
        Running a Report ..... 264
        Viewing a Report ..... 265
        Saving a Report ..... 266
    Section C: Creating Enterprise Reports ..... 267
        Overview ..... 267
        Printing a Report ..... 268
        Saving a Report ..... 269
        Scheduling a Report ..... 270

Part VI: Troubleshooting

Chapter 20: Troubleshooting
    Overview ..... 275
    Issues Related to SiteProtector Encryption Keys ..... 276
    Issues Related to Operating SiteProtector ..... 277
    Issues Related to Low Memory ..... 284
    Issues Related to Updating SiteProtector ..... 285
    Issues Related to SiteProtector Services ..... 286
    Issues Related to Agents and Appliances ..... 288

Glossary ..... 289

Index ..... 297

Preface

Overview

Introduction

The SiteProtector User Guide for Security Managers contains the information a Security Manager needs to configure, update, and maintain SiteProtector.

Scope

This guide explains what you need to do to configure SiteProtector and make it fully operational. This guide also contains configuration information you need to maintain your Site as it grows and as new software becomes available.

Before you begin, you must have installed SiteProtector and any components that support agents and appliances. (See the SiteProtector Installation Guide.)

Audience

This guide is written for the person who configures, updates, and maintains SiteProtector. For many Sites, that person is the Security Manager who is responsible only for maintaining the security of the network. For other Sites, the Security Manager may also be responsible for aspects of network and security administration, such as network administration and security analysis.

What’s new in this guide

This guide is new for this release of SiteProtector.
It contains information that was previously included in several other user documents. The information is now located in one place to make it easier for you to reference as you configure your Site.

How to Use SiteProtector Documentation

Using this guide
Use this guide to configure and maintain SiteProtector after you have installed SiteProtector and any components that support agents and appliances. To configure SiteProtector the first time, use the “Initial Configuration Task Checklist” on page 38. Then use the guide as a reference guide for installing agents and appliances, changing configuration settings, and maintaining SiteProtector.

Assumptions
The following assumptions may affect the procedures in this document:
● Some procedures may vary slightly depending on your operating system. The procedures in this guide are based on Microsoft Windows 2000 unless otherwise noted.
● When a procedure references an installation folder, it refers to the default installation folder. If you used a different folder, you must adjust the procedure accordingly.

User role
You must be assigned to the SiteProtector Administrator user role to perform most of the tasks in this guide.

Related publications
Use the following documents if you have not yet installed SiteProtector and need information about SiteProtector configuration options:
● System Requirements
● Scalability Guidelines
● Supported Agents and Appliances

Other SiteProtector user documents
Table 1 describes other SiteProtector user documents:

Document: SiteProtector Installation Guide
Contents: Provides the tasks for installing SiteProtector components and optional modules. It includes information about advanced configuration tasks such as hardening third-party software security, securing database communication, configuring firewalls for SiteProtector traffic, and configuring failover Event Collectors.
Document: SiteProtector Best Practices Guide
Contents: Contains the following:
• combines the various contexts of each ISS product (Internet Scanner, Network sensor, Server, System Scanner, BlackICE agents) into a unified protection strategy
• shows security professionals how to deploy ISS products, maintain protection, and tune, expand and update their protection over time using security best practices
• simplifies the process of planning and assessment by providing four protection models that managers can easily tailor to their environment

Document: SiteProtector Help
Contents: Contains all the procedures that you need to use SiteProtector, including advanced procedures that may not be available in a printed user document.

Document: SiteProtector Technical Reference Guide
Contents: Contains the following:
• information about SiteProtector logs that you may need for troubleshooting
• database schema diagrams

Table 1: Description of SiteProtector user documents

Conventions Used in this Guide

Introduction
This topic explains the typographic conventions used in this guide to make information in procedures and commands easier to recognize.

In procedures
The typographic conventions used in procedures are shown in the following table:

Convention: Bold
What it indicates: An element on the graphical user interface.
Examples: Type the computer’s address in the IP Address box. Select the Print check box. Click OK.

Convention: SMALL CAPS
What it indicates: A key on the keyboard.
Examples: Press ENTER. Press the PLUS SIGN (+).

Convention: Constant width
What it indicates: A file name, folder name, path name, or other information that you must type exactly as shown.
Examples: Save the User.txt file in the Addresses folder. Type IUSR__SMA in the Username box.

Convention: Constant width italic
What it indicates: A file name, folder name, path name, or other information that you must supply.
Examples: Type Version number in the Identification information box.
Convention: → (arrow)
What it indicates: A sequence of commands from the taskbar or menu bar.
Examples: From the taskbar, select Start → Run. On the File menu, select Utilities → Compare Documents.

Table 2: Typographic conventions for procedures

Command conventions
The typographic conventions used for command lines are shown in the following table:

Convention: Constant width bold
What it indicates: Information to type in exactly as shown.
Example: md ISS

Convention: Italic
What it indicates: Information that varies according to your circumstances.
Example: md your_folder_name

Convention: []
What it indicates: Optional information.
Example: dir [drive:][path] [filename] [/P][/W] [/D]

Convention: |
What it indicates: Two mutually exclusive choices.
Example: verify [ON|OFF]

Convention: {}
What it indicates: A set of choices from which you must choose one.
Example: % chmod {u g o a}=[r][w][x] file

Table 3: Typographic conventions for commands

Getting Technical Support

Introduction
ISS provides technical support through its Web site and by email or telephone.

The ISS Web site
The Internet Security Systems (ISS) Resource Center Web site (http://www.iss.net/support/) provides direct access to frequently asked questions (FAQs), white papers, online user documentation, current versions listings, detailed product literature, and the Technical Support Knowledgebase (http://www.iss.net/support/knowledgebase/).

Support levels
ISS offers three levels of support:
● Standard
● Select
● Premium
Each level provides you with 24-7 telephone and electronic support. Select and Premium services provide more features and benefits than the Standard service. Contact Client Services at clientservices@iss.net if you do not know the level of support your organization has selected.

Hours of support
The following table provides hours for Technical Support at the Americas and other locations:

Location: Americas
Hours: 24 hours a day

Location: All other locations
Hours: Monday through Friday, 9:00 A.M. to 6:00 P.M. during their local time, excluding ISS published holidays
Note: If your local support office is located outside the Americas, you may call or send an email to the Americas office for help during off-hours.

Table 4: Hours for technical support

Contact information
The following table provides electronic support information and telephone numbers for technical support requests:

Regional Office: North America
Electronic Support: Connect to the MYISS section of our Web site: www.iss.net
Telephone Number: Standard: (1) (888) 447-4861 (toll free), (1) (404) 236-2700. Select and Premium: Refer to your Welcome Kit or call your Primary Designated Contact for this information.

Regional Office: Latin America
Electronic Support: support@iss.net
Telephone Number: (1) (888) 447-4861 (toll free), (1) (404) 236-2700

Regional Office: Europe, Middle East, and Africa
Electronic Support: support@iss.net
Telephone Number: (44) (1753) 845105

Regional Office: Asia-Pacific, Australia, and the Philippines
Electronic Support: support@iss.net
Telephone Number: (1) (888) 447-4861 (toll free), (1) (404) 236-2700

Regional Office: Japan
Electronic Support: support@isskk.co.jp
Telephone Number: Domestic: (81) (3) 5740-4065

Table 5: Contact information for technical support

Part I: Introduction

Chapter 1: Introduction to SiteProtector

Overview

Introduction
This chapter introduces SiteProtector components and the agents and appliances that work with SiteProtector.

Terms to know
Table 6 describes the terms used for security products in this document:

Term: agent
Description: The generic term for all sensors, scanners, and Desktop agents.

Term: appliance
Description: A security device on a network or gateway. Depending on the type of appliance, it can provide any combination of intrusion detection and prevention, antivirus, antispam, virtual private networking (VPN), Web filtering, and firewall functions.

Term: scanner
Description: An agent that scans assets for vulnerabilities and other security risks.
Term: sensor
Description: An agent that monitors network traffic on the network and on servers to identify and, in some cases, stop attacks.

Table 6: Terms for security products

In this chapter
This chapter contains the following topics:
What is SiteProtector? (page 18)
SiteProtector Architecture (page 19)
SiteProtector Components and Features (page 20)
Add-on Components (page 21)
Agents that SiteProtector Manages (page 22)

What is SiteProtector?

Introduction
SiteProtector unifies management and analysis tasks for network, server, and desktop protection agents and for appliances. You can easily scale SiteProtector to provide security for large, enterprise-wide deployments.

SiteProtector components and agents
The components and agents in a SiteProtector system fall into these categories:
● SiteProtector consists of required and optional components that provide the base functionality necessary to accept, monitor, and analyze network events.
● You can purchase add-on components for SiteProtector that provide additional security and management functions.
● You can purchase agents that complete your security system, including vulnerability scanners, intrusion detection and prevention appliances and sensors, and integrated security appliances.

SiteProtector components by type
Table 7 provides lists of the required and optional SiteProtector components, add-on components, and the agents that SiteProtector manages:

SiteProtector Components:
  Agent Manager (a)
  Console
  Database
  Databridges for earlier versions of Internet Scanner and System Scanner
  Deployment Manager (a)
  Event Collector (a)
  Event Viewer
  SP Core (includes the application server (a) and sensor controller (a))
  X-Press Update Server (a)
  Web Access

Add-on Components:
  SiteProtector Reporting
  SiteProtector SecurityFusion Module
  SiteProtector Third Party Module

Agents that SiteProtector Manages:
  Internet Scanner
  Proventia appliances
  RealSecure Desktop 7.0
  Proventia Desktop
  RealSecure Network
  RealSecure Server Sensor
  System Scanner

Table 7: SiteProtector components and agents
a. This component is included in the generic term, Site servers, which is used in this document.

SiteProtector Architecture

Introduction
The components of SiteProtector use well-defined communication channels. The installation programs set up the communication channels for the typical configurations.

Installation options
The most typical ways to install SiteProtector use one, two, or three computers. When you use more than one computer, the Recommended installation (from the Deployment Manager) installs the components on the correct computers.

Illustration of components
Figure 1 illustrates the components in a standard instance of SiteProtector with three computers:
Figure 1: Components in a typical Site

SiteProtector Components and Features

Introduction
SiteProtector consists of required and optional components that provide the base functionality necessary to accept, monitor, and analyze network events. Depending on your Site requirements, you may need to install more than one of some components.
Component descriptions
Table 8 describes the purpose of the SiteProtector Core components:

Agent Manager (previously known as Desktop Controller): The Agent Manager manages the command and control activities of the Desktop Protection agents, Proventia G and M appliances, and Update Server; and it facilitates data transfer from agents to the Event Collector.

Console: The SiteProtector Console is the main interface to SiteProtector where you can perform most SiteProtector functions, such as monitoring events, scheduling scans, generating reports, and configuring agents.

Databridges: Databridges accept data from earlier versions of agents and send them to the Event Collector in the correct format.

Deployment Manager: The Deployment Manager is a Web server that lets you install any of the SiteProtector components and agents on computers on your network.

Event Collector: The Event Collector manages real-time events from sensors and vulnerability data from scanners.

Event Viewer: The SiteProtector Event Viewer receives unprocessed events from the Event Collector to provide near real-time access to security data for troubleshooting.

Site database: The SiteProtector database stores raw agent data, occurrence metrics (statistics for security events triggered by agents), group information, command and control data, and the status of X-Press Updates (XPUs).

SP Core: The SP core includes the following components:
• The application server enables communication between the SiteProtector Console and the SiteProtector database.
• The sensor controller manages the command and control activities of agents, such as the command to start or stop collecting events.

X-Press Update Server: A Web server that downloads X-Press Updates (XPUs) from the ISS Download center and makes them available to the agents and components on the network. The Update Server eliminates the need to download updates for similar products more than once and allows users to manage the update process more efficiently.

Web Access: SiteProtector Web Access is a read-only interface that provides easy access to SiteProtector for monitoring SiteProtector assets and security events.

Table 8: Description of the core components of SiteProtector

Add-on Components

Introduction
The add-on components described in this topic extend the protection capabilities and functionality of SiteProtector.

SiteProtector SecurityFusion Module
The SiteProtector SecurityFusion Module greatly increases your ability to quickly identify and respond to critical threats at your Site. Using advanced correlation and analysis techniques, the module identifies both high impact events and patterns of events that may indicate attacks.
Impact analysis: The module correlates intrusion detection events with vulnerability assessment and operating system data and immediately estimates the impact of events.
Attack pattern recognition: The module recognizes patterns of events that may indicate specific types of attacks, such as unauthorized scans, break-in attempts, and activity from a compromised host.

SiteProtector Third Party Module
The SiteProtector Third Party Module retrieves data from third-party firewalls, enabling you to view firewall activity and to associate security events with specific firewalls.

SiteProtector Reporting
Graphical summary and compliance reports provide the information managers need to assess the state of their security. Reports cover vulnerability assessment, attack activities, auditing, content filtering, Desktop, SecurityFusion, and virus activity.
Agents that SiteProtector Manages

Introduction
Agents identify vulnerabilities and system weaknesses, detect and prevent intrusions, and unify other security protection functions. This topic describes the agents that SiteProtector manages.

Supported agents
For the most up-to-date list of supported agents, see the Supported Agents and Appliances document (http://documents.iss.net/literature/SiteProtector/SPSupportedAgentsandAppliances20SP5.pdf).

Vulnerability assessment
Table 9 describes the vulnerability assessment agents, also known as scanners, that SiteProtector supports:

Internet Scanner: Performs a vulnerability analysis of your network and identifies security risks that leave your network open to intrusion attempts.

System Scanner: Identifies vulnerabilities inherent in your software and hardware, configuration elements that make your system vulnerable to attack, and configuration elements that do not comply with your information security policy.

Table 9: Vulnerability assessment agents

Intrusion prevention
Table 10 describes the intrusion prevention agents that SiteProtector supports:

Agent Type: Desktop
Agent Name: RealSecure Desktop 7.0; Proventia Desktop
Description: Desktop agents protect remote users from many diverse threats. They dynamically block attacks and prevent unauthorized programs from running on desktops. Agents also integrate firewall, intrusion prevention, and application protection services for remote or mobile computers.

Agent Type: Gateway
Agent Name: RealSecure Desktop Enforcement for VPNs
Description: Enforces the use of a Desktop agent on every system going through a network access point when deployed on the private side of that network access point and can prevent non-compliant clients from accessing the network or VPN.

Agent Type: Gateway
Agent Name: Proventia G Series Appliance
Description: Inline intrusion prevention appliances that automatically eliminate malicious traffic while allowing legitimate traffic to pass through. These appliances block malicious attacks while preserving network bandwidth and availability.

Agent Type: Gateway
Agent Name: Proventia M Series Appliance
Description: All-in-one Internet security appliances that provide advanced protection at the gateway and network level without jeopardizing network bandwidth or availability. These appliances reduce the need for stand-alone security technologies.

Agent Type: Network
Agent Name: Proventia A Series Appliance
Description: Meet a range of needs, including complete threat protection for aggregate network bandwidth from 200 megabits per second (Mbps) to 1200 Mbps on one to four network segments.

Agent Type: Server
Agent Name: RealSecure Server Sensor
Description: Monitors log file activity, kernel-level activity, and network traffic to and from a single server. Blocks suspicious traffic and intercepts packets before they reach the operating system.

Table 10: Intrusion prevention agents

Intrusion detection
Table 11 describes the intrusion detection agents that SiteProtector supports:

RealSecure Network 10/100: Real-time intrusion detection that recognizes and responds to suspicious behavior on 10 or 100 megabit segments.

RealSecure Network Gigabit: Real-time intrusion detection that recognizes and responds to suspicious behavior on gigabit network segments.

RealSecure Network 10/100 for Nokia: Provides intrusion detection and response, integrating RealSecure Network 10/100 software with the IPSO platform and Nokia appliance.

RealSecure Network for Crossbeam: Provides intrusion detection and response on a scalable, high availability, multi-segment application platform.
Table 11: Intrusion detection agents

Chapter 2: Using SiteProtector Interfaces

Overview

Introduction
This chapter describes the SiteProtector interfaces. It also explains when to use them and how to use them to log on to SiteProtector.

SiteProtector interfaces
Table 12 describes the different ways you can interact with SiteProtector:

Use the SiteProtector Console to perform all command and control as well as analysis functions.
Use SiteProtector Web Access to view Site data through a browser.
Use the SiteProtector Event Viewer to view events quickly—before the Event Collector processes them—which is especially useful for troubleshooting.

Table 12: SiteProtector interfaces

In this chapter
This chapter contains the following topics:
The SiteProtector Console (page 26)
Logging on to the Console and the Site Manager (page 28)
Logging on to the Enterprise Dashboard (page 29)
Logging on to SiteProtector Web Access (page 30)
Setting Up the SiteProtector Event Viewer (page 32)
Logging On to the Event Viewer (page 34)

The SiteProtector Console

Introduction
The SiteProtector Console lets you perform all command and control as well as analysis functions. The specific tasks you can perform using the Console depend on your user role. (See “Privileges for User Roles” on page 43.)

Console windows
The Console includes the Site Manager window and the Enterprise Dashboard window. Each window includes its own menus and toolbar. Table 13 describes the purpose of each window:

Site Manager: Lets you manage SiteProtector components, sensors, appliances, and scanners, as well as view event information, for a single Site. The Site Manager is continuously updated with events from the Event Collector.

Enterprise Dashboard: Displays event metrics and trends for one or more SiteProtector Sites.
The Enterprise Dashboard uses daily roll-ups of data from a Site.

Table 13: Purpose of the Site Manager and the Enterprise Dashboard

Site Manager window
Figure 2 is an example of the Site Manager window:
Figure 2: Example of a Site Manager window
The Site name you used when you installed SiteProtector appears at the top of the Enterprise Groups pane. In this illustration, the Site name is Site 1.

Enterprise Dashboard window
Figure 3 is an example of the Enterprise Dashboard window:
Figure 3: Example of an Enterprise Dashboard window

Logging on to the Console and the Site Manager

Introduction
The most common way to access SiteProtector is through the Console.

First log on
The first time you log on, you must use the Windows Administrator user ID that you used to install SiteProtector. If you want to use a different user ID after that, you must create one. (See “Adding Users to SiteProtector” on page 46.)

Procedure
To log on to the Console:
1. Click Start on the taskbar, and then select Programs → ISS → SiteProtector → Console.
2. Type the IP address or the DNS name of the Site in the Server box.
3. If you do not use the default port number (3998), type the port number of the Site server to communicate with in the Port box.
4. Type your SiteProtector User name.
   Note: If your user name is part of a domain, use the following format: domain_name\user_name
5. Type your Password.
6. Click OK. The Site Manager appears as the default as shown in Figure 2 on page 26.

Logging on to the Enterprise Dashboard

Introduction
You can see event metrics and trends for multiple SiteProtector Sites on the Enterprise Dashboard.

Dashboard data
The Enterprise Dashboard uses daily roll-ups of data from a Site. By default, that data is not automatically loaded into the Dashboard.
You can use the procedure below to set up a schedule to load data automatically on a daily, weekly, or monthly basis.

Making Enterprise Dashboard the default
You can make SiteProtector open the Enterprise Dashboard window in addition to or instead of the Site Manager window when you log on. (See “Choosing General Preferences” on page 59.)

Procedure
To log on to the Enterprise Dashboard:
1. On the Connection menu of the SiteProtector Console, select New Enterprise Dashboard.
2. Select the Site from the Enterprise Dashboard list in the left pane.
3. On the Site menu of the Enterprise Dashboard, select Load Site Data.
4. Select Run Once, and then click OK. A job of type Load Site Data appears in the Data Load tab of the Scheduled Jobs pane.
   Tip: You can also schedule periodic data loads from this window.
5. Click to refresh the Dashboard.
6. Click Close.

Logging on to SiteProtector Web Access

Introduction
SiteProtector Web Access is a read-only, Web-based interface to SiteProtector. Web Access provides a convenient way for managers and other users who do not need command and control capabilities to see Site data.

Web Access functions
You can do the following through Web Access:
● Analyze event data.
● Use filters to customize the data that is displayed.
● Copy data to another application, such as to a spreadsheet.
● View the status of agents and appliances.

Prerequisites
Table 14 provides the prerequisites for using Web Access:

Prerequisite: Microsoft Internet Explorer

Prerequisite: Sun Java runtime environment (JRE) 1.4.2_05 is a prerequisite in each of the following cases:
• You do not have access to the Internet.
• You are running Microsoft Windows Server 2003, and it is hardened to prevent program files from running in the browser.
• You are running Microsoft Windows Server 2003 behind a proxy server.
Note: In all other cases, JRE is installed automatically.
Table 14: Prerequisites for Web Access

Web Access
Figure 4 is an example of SiteProtector Web Access:
Figure 4: Example of SiteProtector Web Access

Time-out period
After a period of inactivity, Web Access automatically times out and logs you off. You can customize the time-out period, which is 30 minutes by default.

Procedure
To log on to Web Access:
1. Type the address of the SiteProtector application server in the Address box of your browser using the following format: https://app_server_IP_address_or_DNS_name:3994/siteprotector/
   Tip: Add this address to your list of favorites.
2. Type your SiteProtector Username and Password, and then click Submit.

Setting Up the SiteProtector Event Viewer

Introduction
The SiteProtector Event Viewer provides a method of viewing events in almost real time, which may be especially helpful for troubleshooting. The Event Viewer displays events based on filters that you set, such as the source or destination IP address.

Prerequisite
To use the Event Viewer, you must enable it to save event logs from the Event Collector on your computer. Event logs are disabled by default. The procedure in this topic explains how to enable event logs.
Important: Communication between Event Viewer components is always authenticated and encrypted.

Additional Event Viewers
The Basic and Recommended installation options automatically include an Event Viewer as part of the SiteProtector Console. You can also install an additional Event Viewer on a separate computer.
Reference: If you want to install an additional Event Viewer, see the SiteProtector Installation Guide.

Log file maintenance
When a log file reaches its size limit, the Event Viewer starts a new log file. If not managed, the Event Viewer log files can quickly fill up the space on your hard disk drive.
When you enable event logs, you can select options for automatically deleting old log files based on either the size of the log file folder or the age of the log file.
Important: If you do not enable the automatic clean up option, you must manage the size of your log file folder manually.

Log file names
The names of the log files for the Event Viewer are based on the date and time in the following format: YYYYMMDD_nnnnnn.log
For example, 20050130_183632.log could be the name of a log file from January 30, 2005.

How events get into the Event Viewer
Table 15 describes the process of how events get into the Event Viewer:

Stage 1: User enables event logging on the Event Collector.
Stage 2: Event Collector creates log files and writes events to them.
Stage 3: Event Viewer connects to an Event Viewer Service on the Event Collector.
Stage 4: Event Viewer Service reads the log files to get the event data.
Stage 5: Event Viewer Service, based on filter settings, determines which events to send back to the Event Viewer.

Table 15: How events get into the Event Viewer

Procedure
To enable event logging in the Event Collector:
1. In the Enterprise Groups pane, select the group to which the Event Collector belongs, and then select the Sensor tab.
2. Right-click an Event Collector, and then select Event Collector → Edit Properties from the pop-up menu.
3. Click Advanced.
4. Select the Enable event logging to log files check box.
5. Select the Automatically clean up old log files check box, and then accept or change the default settings.
6. Click OK.

Logging On to the Event Viewer

Introduction
This topic explains how to log on to the Event Viewer from the Site Manager or as a standalone application.
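The manual log-folder management the guide says you must do when automatic clean-up is not enabled, as an added example that is not ISS code: a Python housekeeping script that recognizes the documented YYYYMMDD_nnnnnn.log names and selects logs for deletion by age and then by total folder size, leaving any file that does not match the pattern alone. The folder path, the size and age limits, the sample listing and the reading of nnnnnn as a time stamp are assumptions.

```python
import os
import re
from datetime import date

# Documented name pattern: YYYYMMDD_nnnnnn.log (e.g. 20050130_183632.log).
# The guide does not define nnnnnn; the sample names below treat it as HHMMSS.
LOG_NAME = re.compile(r"^(\d{4})(\d{2})(\d{2})_(\d{6})\.log$")


def parse_log_name(name):
    """Return the date encoded in an Event Viewer log file name, or None if
    the name does not match the documented YYYYMMDD_nnnnnn.log pattern."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. month 13: looks like a log name but is not one
        return None


def select_for_deletion(entries, today, max_age_days=None, max_folder_bytes=None):
    """Choose which log files to delete.

    entries: list of (file_name, size_in_bytes) from the log folder.
    Applies the two clean-up criteria the guide describes: first, logs older
    than max_age_days; then, if the folder is still larger than
    max_folder_bytes, the oldest remaining logs until it fits. Files that do
    not look like Event Viewer logs are never selected. Returns the names in
    deletion order (oldest first).
    """
    logs = []
    for name, size in entries:
        d = parse_log_name(name)
        if d is not None:
            logs.append((d, name, size))
    logs.sort()  # oldest first; same-day files order by the nnnnnn part

    doomed = []
    if max_age_days is not None:
        for d, name, size in logs:
            if (today - d).days > max_age_days:
                doomed.append(name)
    if max_folder_bytes is not None:
        total = sum(size for _, name, size in logs if name not in doomed)
        for d, name, size in logs:
            if total <= max_folder_bytes:
                break
            if name not in doomed:
                doomed.append(name)
                total -= size
    return doomed


def clean_log_folder(folder, today=None, max_age_days=30,
                     max_folder_bytes=500 * 1024 * 1024):
    """Apply select_for_deletion to a real folder and delete the chosen
    files. The default limits are assumed values; pick ones that fit your disk."""
    today = today or date.today()
    entries = [(n, os.path.getsize(os.path.join(folder, n)))
               for n in os.listdir(folder)
               if os.path.isfile(os.path.join(folder, n))]
    doomed = select_for_deletion(entries, today, max_age_days, max_folder_bytes)
    for name in doomed:
        os.remove(os.path.join(folder, name))
    return doomed


# Constructed sample listing: the guide's example file name plus invented ones.
SAMPLE_LISTING = [
    ("20050130_183632.log", 40_000_000),
    ("20050215_090000.log", 40_000_000),
    ("20050228_120000.log", 40_000_000),
    ("20050228_235959.log", 40_000_000),
    ("README.txt", 10),  # not a log file: must never be selected
]


def demo():
    """Dry run on the sample listing as of 1 March 2005: keep at most 14 days
    of logs and at most 100 MB in the folder."""
    return select_for_deletion(SAMPLE_LISTING, date(2005, 3, 1),
                               max_age_days=14, max_folder_bytes=100_000_000)


if __name__ == "__main__":
    for name in demo():
        print("would delete", name)
```

Run demo() first to see what a given policy would remove; clean_log_folder() performs the deletions against a real folder.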
How to run the Event Viewer
You can start the Event Viewer from the Site Manager, or you can start it as a separate application without going through the Console.

Starting the Event Viewer from the Site Manager
To open the Event Viewer from the Site Manager:
1. In the Enterprise Groups pane, select the group to which the Event Collector belongs, and then select the Sensor tab.
2. Right-click the Event Collector, and then select Event Collector → Launch Event Viewer from the pop-up menu. The Event Viewer appears.
   Tip: To continue working in the Event Viewer, see the Event Viewer Help.

Starting a standalone Event Viewer
To log on to a standalone Event Viewer:
1. Click Start on the taskbar, and then select Programs → ISS → SiteProtector → Event Viewer.
2. Complete the fields as follows:
   Event Service: The IP address or URL of the Event Collector computer.
   Event Service Port: The port number to use with the Event Collector computer. The default is 3993.
   App Server: The IP address or URL of the application server computer.
   App Server Port: The port number to use with the Event Collector computer. The default is 3998.
   User name: Your SiteProtector user name.
   Password: Your SiteProtector password.
3. Click OK. The Event Viewer appears.
   Tip: As you work in the Event Viewer, see the Event Viewer Help.

Part II: Getting Started

Chapter 3: Configuring SiteProtector

Overview

Introduction
After you have installed SiteProtector and any components that support agents and appliances, you must configure your Site to make SiteProtector fully operational. As you work with SiteProtector you may need to make configuration changes to accommodate growth and to meet additional security requirements.

Initial configuration tasks
This guide is organized around functions to make it easier to use as a reference guide. To make it easy to use the first time you configure SiteProtector, this chapter provides a checklist of initial configuration tasks.
The “Initial Configuration Task Checklist” guides you through the sequence of tasks needed to configure SiteProtector. The exact configuration tasks that you must perform depend on a number of variables, such as which agents and appliances you use.

Prerequisite
Before you begin to configure SiteProtector, make sure that you have installed all the components you plan to use and migrated data from earlier agents as explained in the SiteProtector Installation Guide.

In this chapter
This chapter contains the following topics:
Initial Configuration Task Checklist (page 38)

Initial Configuration Task Checklist

Introduction
This topic contains a checklist of initial configuration tasks to ensure that you perform all the tasks required at your Site. The checklist contains required tasks for all Sites. You may need to perform additional tasks, listed here, based on your Site requirements.

Checklist
Table 16 provides a checklist of initial configuration tasks:

1. Add licenses for agents and appliances. (page 104)
   Note: This task is recommended if you have any licenses that you have not yet added.
2. Update SiteProtector components if applicable XPUs are available. (page 245)
   Note: This task is required if updates are available.
3. Replace the SSL certificate for the Web. (page 111)
   Note: This task is optional. If you want to use a different Web certificate between the Web browser and the Web server, you should set up the certificate now.
4. Add assets to SiteProtector (including with Active Directory). (page 143)
   Note: This task is required.
5. Add SiteProtector users. (page 41)
   Note: This task is not required, but you will most likely want to add additional users to your Site.
6. Install additional SiteProtector components. (page 216)
   Note: This task is optional.
7. Install agents and appliances. (page 69, Part III)
   Note: You should install any agents you have to install now.
8. Register any software that is not automatically registered. (page 105)
   Note: This task is required only if you have software that is not automatically registered.
9. Configure the Desktop environment. (page 159)
   Note: This task is required only if you installed more than one Agent Manager to work with Desktop agents or if you want to make one Agent Manager a backup.
10. Implement a policy and response strategy. (page 163)
   Note: This task is required.
11. Set up the Console preferences. (page 57)
   Note: This task is required only if you want to store your security information and user documentation locally rather than to access them from the ISS Web site.
12. Set up the Enterprise Dashboard. (page 109)
   Note: This task is optional.
13. Set up Database maintenance procedures. (page 219)
   Note: This task is optional. If you do not have a database maintenance plan in place, ISS recommends that you use the database maintenance functions included with SiteProtector.
14. Configure your X-Press Update Servers. (page 235)
15. Set up a failover Event Collector. (page n/a)
   Note: This task is optional. See the SiteProtector Installation Guide for guidance.

Table 16: Tasks for configuring your Site

Chapter 4: Adding Users to SiteProtector

Overview

Introduction
This chapter explains how to add users to SiteProtector and how to control their actions using user access controls.

Initial Configuration Checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 5. The next configuration task is Task 6, “Install additional SiteProtector components.” See “Installing Additional SiteProtector Components” on page 216.
User access controls
Table 17 describes the SiteProtector user access controls:

Access Control | Description
User role | A set of permissions granted to a user
Site asset group | A group of assets in SiteProtector to which a user has access
Enterprise Sites and groups | A group of Sites in Enterprise Dashboard to which a user has access
Table 17: Description of user access controls

In this chapter
This chapter contains the following topics:
Topic | Page
SiteProtector User Roles | 42
Privileges for User Roles | 43
Adding Users to SiteProtector | 46
User Roles and Asset Groups | 48
Restricting User Access to Sites and to Asset Groups | 49
Managing Permissions for User Roles | 50
Granting Permissions to User Roles | 51
Removing Permissions from User Roles | 52
Permissions by User Role | 53

SiteProtector User Roles

Introduction
A user role is a set of permissions. When you assign a user role to a user, you give the user all the permissions granted to that user role. Each user role in SiteProtector corresponds to a local group in Windows; membership in that group is what assigns the role. Table 18 describes each user role:

User Role in SiteProtector | Group Name in Windows | Description
Administrator | RSSP-Administrator | Users who need full access to SiteProtector and all permissions. These users are typically in charge of network security management.
Analyst | RSSP-Analyst | Users who need limited access to SiteProtector and some permissions. These users are typically members of a larger network security management or administration team.
Operator | RSSP-Operator | Users who need very limited access to SiteProtector and very restricted permissions.
Table 18: User roles and group names

Default user role
No user accounts exist in SiteProtector until you install the software. When you install SiteProtector, the system automatically creates the first user account and gives that account administrative permissions.
The user ID for this account is the same user ID you used to log on to Windows when you installed SiteProtector.

Privileges for User Roles

Introduction
This topic describes the privileges for each user role according to the types of functions available in SiteProtector.

User role privileges
Table 19 describes the privileges assigned to each user role by function. Administrators hold every privilege listed. Which of the other two roles (Operator, Analyst) holds a given privilege is defined by the security.xml file on the Application Server, which is the authoritative source (see “Managing Permissions for User Roles” on page 50); the roles are listed here where the assignment is fixed by this guide.

Function | Privileges
Console | start the Console and log on to Site Manager and to Enterprise Dashboard; edit Console preferences; load, save, refresh, configure, and export (print, write to file, schedule, and include Help) security data; create, update, delete, and save analysis views and filters
Database | full database management capabilities
Agent Manager | start and stop; for Desktop agents: add, update, and delete responses, apply updates, edit properties, and update the list of approved Desktop application names
Enterprise Dashboard | access assigned Sites and groups; print, save, and schedule reports; refresh data; load Site data from other Sites (nightly roll-ups); add, edit, delete, contact, access, and load data from other Sites; perform the initial authentication that lets Sites communicate and exchange data; grant Site access permission to Analyst and Operator user roles
Events | clear events in the Console (a): Operator, Analyst, Administrator
Event Viewer | start the Event Viewer from the Console (b): Operator, Analyst, Administrator
Exceptions and Incidents | view (load) existing exceptions and incidents: Operator, Analyst, Administrator; create, edit, and delete exceptions and incidents (c)
Groups and subgroups | access assigned groups in Site Manager and Enterprise Dashboard; add, edit, and delete groups other than the root group; rename the root group (the Site name)
Hosts (Assets) | view assigned hosts; add hosts; edit and remove hosts
Incidents | see “Exceptions and Incidents” in this table
Licenses | full license management capabilities
Network objects | create
Policies and other sensor files | apply to sensors; send other files to sensors; derive, import, edit, and delete
Properties | create, edit, and delete properties
Reporting | all reporting capabilities except Audit reports on the Reporting tab; full reporting capabilities on the Reporting tab
Responses | apply to sensors; add, edit, and delete responses; add, edit, and delete Central Responses
Scans | start (launch) an Internet Scanner scan; create or update session properties for a scan
Sensors and components | start and stop sensors (d) and components (e)
Settings (Proventia M, some G-Series appliances) | add, edit, and apply
Ungrouped assets | view, add, edit, and delete Site ranges: Analyst, Administrator
X-Press Updates | apply and remove X-Press Updates; register and unregister
Table 19: Privileges for user roles

a. This is the only action available to Operators that affects the database and events that other users may see.
b. You must be logging Event Collector events to use the Event Viewer. (See “Setting Up the SiteProtector Event Viewer” on page 32.)
c. The delete privilege applies whether or not the user created the incident.
d. Does not apply to the Proventia M or “Next Generation” Proventia G appliances.
e. Includes SiteProtector components except for the database and core components.

Adding Users to SiteProtector

Introduction
Use the Windows Computer Management utility to add users to SiteProtector. Adding a user is a two-task process that must be performed on the computer where the Application Server is installed. Table 20 describes the tasks for adding users:

Task | Description
1 | Create a local user account for the new user.
2 | Add the new user to one of the following groups: RSSP-Administrator, RSSP-Analyst, or RSSP-Operator.
Table 20: Tasks for adding users to SiteProtector

User role
You must be logged on as a Windows Administrator to add users.

Rules for adding users
The following rules apply to adding users to SiteProtector:
● You must add users on the computer where the Application Server is installed.
● You can assign a user to only one user role. SiteProtector recognizes only one user role per user.
  Note: If you assign a user to more than one user role, SiteProtector uses the role with the greater number of permissions. Membership in a second RSSP group therefore only ever raises a user’s access, never lowers it; check all three groups when you review who holds Administrator rights.
● Before assigning a user to a new user role, delete the user from the current user role.

Task 1: Creating a local user account
To create a local user account in Windows:
1. Click Start on the taskbar, and then select Settings > Control Panel.
2. Double-click Administrative Tools, and then double-click Computer Management.
3. In the navigation pane, expand System Tools, and then expand Local Users and Groups.
4. Right-click Users, and then select New User from the pop-up menu.
5. Type the new user information as follows:
   Field | Description
   User name | The unique identifier of the user.
   Full name | The user’s full name in a format that you choose.
   Description | A description of the account or the user.
   Password | The password for the user account.
   Confirm password | The same password, typed again.
6. Click Create, and then click Close.

Task 2: Adding a user to SiteProtector
To add a user to SiteProtector:
1. Click Start on the taskbar, and then select Settings > Control Panel.
2. Double-click Administrative Tools, and then double-click Computer Management.
3. In the navigation pane, expand System Tools, and then expand Local Users and Groups.
4. Select Groups. The local groups, including RSSP-Administrator, RSSP-Analyst, and RSSP-Operator, appear in the right pane.
5. Right-click the group for the SiteProtector user role you want to assign, and then select Add to Group from the pop-up menu.
6. Follow the instructions in the window to add users to the group.
7. Click OK, and then click OK.

User Roles and Asset Groups

Introduction
Users initially have access to most assets in SiteProtector and can work with them according to their assigned user roles. You may want to manage your Site so that different users monitor different groups of assets on your network and see data for only those groups. You can assign users to specific asset groups so that they can view and work with only those groups in the SiteProtector Console, according to their user role.

Rules for restricting user access
The following rules apply to restricting user access to groups:
● Group access restrictions apply to Operators and Analysts only; Administrators always have full access to all groups.
● Operators and Analysts can access all Sites and all Site assets unless you restrict them to specific Sites and asset groups.
● Only Administrators and Analysts can access ungrouped Site ranges.
● The same access restrictions apply to the user in either Site Manager or Enterprise Dashboard.

Access to subgroups
Note the following important points about restricting access to groups and subgroups:
● If you assign a user access rights to a subgroup, the user automatically receives access rights to its parent group as well.
● If you assign a user access rights to a parent group, the user has rights to only the group that you select, not to its subgroups.

Restricting User Access to Sites and to Asset Groups

Introduction
You can assign users access rights to groups at your Site from either Site Manager or Enterprise Dashboard; however, you must assign users access to additional Sites from Enterprise Dashboard.
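The Windows group membership created in Tasks 1 and 2 above is the only place a SiteProtector role assignment lives, and the note under the rules for adding users means that a user placed in two RSSP groups silently gets the stronger role. The following Python script is an added example, not part of this guide or of SiteProtector: it parses the output of `net localgroup <group>` for the three RSSP groups, reports each user’s effective role by the guide’s rule, and lists users who sit in more than one group. The `net localgroup` outputs embedded below are constructed samples in the format the command prints; only `query_live_groups()` runs the real command, and it works only on the Application Server itself.

```python
"""Audit which SiteProtector role each local Windows user effectively holds.

Added example, not ISS code. It parses `net localgroup <group>` output for
the three RSSP-* groups and applies the guide's rule that a user placed in
more than one group gets the role with the greater number of permissions.
The outputs embedded below are constructed samples in the format that
`net localgroup` prints; only query_live_groups() touches a real system.
"""
import subprocess

# Most permissions first: Administrator (AllPermission), then Analyst, then Operator.
ROLE_PRECEDENCE = ["RSSP-Administrator", "RSSP-Analyst", "RSSP-Operator"]

RULE = "-" * 79
FOOTER = "The command completed successfully."


def _sample(group, members):
    """Build constructed `net localgroup` output for the given member list."""
    return (f"Alias name     {group}\nComment\n\nMembers\n\n{RULE}\n"
            + "".join(m + "\n" for m in members) + FOOTER + "\n")


# Constructed sample: 'bob' sits in two groups, which the guide says to avoid.
SAMPLE_OUTPUT = {
    "RSSP-Administrator": _sample("RSSP-Administrator", ["spadmin", "bob"]),
    "RSSP-Analyst": _sample("RSSP-Analyst", ["alice"]),
    "RSSP-Operator": _sample("RSSP-Operator", ["bob", "carol"]),
}


def parse_members(net_output):
    """Return the account names listed between the dashed rule and the footer."""
    members, in_list = [], False
    for raw in net_output.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def effective_roles(outputs):
    """Map lower-cased user name -> (effective role, set of RSSP groups the user is in)."""
    membership = {}
    for group, text in outputs.items():
        for user in parse_members(text):
            membership.setdefault(user.lower(), set()).add(group)
    return {user: (next(r for r in ROLE_PRECEDENCE if r in groups), groups)
            for user, groups in membership.items()}


def multi_role_users(outputs):
    """Users that break the one-role-per-user rule, sorted by name."""
    return sorted(u for u, (_, groups) in effective_roles(outputs).items() if len(groups) > 1)


def query_live_groups():
    """Run `net localgroup` for each role group; Windows only, on the Application Server."""
    return {g: subprocess.run(["net", "localgroup", g], capture_output=True,
                              text=True, check=True).stdout
            for g in ROLE_PRECEDENCE}


if __name__ == "__main__":
    for user, (role, groups) in sorted(effective_roles(SAMPLE_OUTPUT).items()):
        flag = "   <-- member of %d role groups" % len(groups) if len(groups) > 1 else ""
        print(f"{user:<10} {role}{flag}")
```

Run it with `effective_roles(query_live_groups())` on the Application Server to audit a real Site; anyone reported by `multi_role_users()` should be removed from the extra groups, as the rules above require, before their role is changed.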
User role
You must be a SiteProtector Administrator to restrict users to Sites and to asset groups.

Logging in to Sites
In the Enterprise Dashboard, users can open the Site Manager for a Site they have access to by drilling down to the Site. You can set up Site access permissions to force users to enter their logon credentials when they open Sites this way. (See “Setting Up the Enterprise Dashboard for Multiple Sites” on page 109.)

Assigning group access in the Site Manager
To assign group access to a user:
1. On the Tools menu in Site Manager, select Manage User Access Control. Users with the Operator or Analyst user roles appear in the navigation pane.
2. Select the Assign Groups tab.
3. In the left pane, select a user. SiteProtector groups appear in the right pane.
4. Select the check box for any group or subgroup you want to give the user access to.
5. Click OK.

Assigning Site and group access in the Enterprise Dashboard
To assign Site and group access to a user:
1. On the Tools menu in the Enterprise Dashboard, select Manage User Access Control. Users with the Operator or Analyst user roles appear in the navigation pane.
2. Select the Assign Groups tab.
3. In the left pane, select a user. SiteProtector groups appear in the right pane.
4. Select the check box for any Site, group, or subgroup that you want to give the user access to.
5. If you want to require users to log on to Sites that they can access from Enterprise Dashboard, select the Force all users to login when drilling down to a Site check box.
6. Click OK.

Managing Permissions for User Roles

Introduction
Use the security.xml file to manage user roles and the permissions they have to perform actions in SiteProtector.
You cannot create new user roles or permissions, but you can copy and paste permissions within the text-based file to do the following:
● grant permissions to a user role
● remove permissions from a user role

Guidelines
Use the following guidelines when you are editing the security.xml file:
● do not change the structure of the file
● make sure each permission is assigned to at least one user role
● grant all permissions to the administrator user role

Related information
Related information includes the following:
● For a complete list of permissions, see “Permissions by User Role” on page 53.
● For a list of default user role permissions, see “Privileges for User Roles” on page 43.

File location
The security.xml file is stored in the following location:
\Program Files\ISS\RealSecure SiteProtector\Application Server\config\security.xml

Because this file decides what every Console user may do, anyone who can write to it can grant any role java.security.AllPermission. Limit write access to the Windows administrators of the Application Server computer.

File description
The security.xml file lists the three user roles and the permissions granted to each role. The following is an excerpt from a security.xml file:

<policy>
  <role group="RSSP-Administrator">
    <grant permission="java.security.AllPermission"/>
  </role>
  <role group="RSSP-Analyst">
    <grant permission="net.iss.rssp.security.AnalysisPermission" name="clearEvent"/>
    <grant permission="net.iss.rssp.security.CommandAndControlPermission" name="exportData"/>
  </role>

Element descriptions
Table 21 describes the elements used in the security.xml file:
Element | Description
<policy> | Identifies the starting point for the security policy.
<role group...> | Identifies the role to which the permissions are granted.
<grant permission...> | Identifies a permission granted to the user role. The permission attribute names the permission class; the name attribute, where present, names the specific action within that class (the names listed in “Permissions by User Role” on page 53).
Table 21: XML element descriptions

Granting Permissions to User Roles

Introduction
You can grant a permission to a user role by editing the security.xml file.

Before You Begin
Before you edit the security.xml file, make a copy of it, and then store it in a secure location.

Procedure
Caution: When you edit the security.xml document, make sure you do not change the structure of the file. The server will not start if the structure of the security.xml file is changed.

To grant a permission to a user role:
1. Open the security.xml file using a text editor. The file is stored in the following location:
   \Program Files\ISS\RealSecure SiteProtector\Application Server\config\security.xml
2. Locate and copy the permission you want to grant. The following marker identifies permissions:
   <grant permission...>
3. Locate the user role to which you want to grant the permission, and paste the permission into that section. User roles are defined by the following marker:
   <role group...>
4. Save the file.

Removing Permissions from User Roles

Introduction
You can remove a permission from a user role by editing the security.xml file.

Before You Begin
Before you edit the security.xml file, make a copy of it, and then store it in a secure location.

Procedure
Caution: When editing the security.xml document, make sure you do not change the structure of the file. The server will not start if the structure of the security.xml file is changed.

To remove a permission from a user role:
1. Open the security.xml file using a text editor. The file is stored in the following location:
   \Program Files\ISS\RealSecure SiteProtector\Application Server\config\security.xml
2. Locate the user role you want to modify. The following marker identifies user roles:
   <role group...>
3. Add XML comment markers around the permission as follows:
   <!--<grant permission.../>-->
   Example:
   <!--<grant permission="net.iss.rssp.security.permission.SiteProtector" name="delete"/>-->
4. Save the file.
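The grant and remove procedures above amount to three rules: add a <grant> under the right <role>, comment a grant out rather than deleting it, and never leave the file structurally invalid. The following Python module is an added example, not part of this guide or of SiteProtector, that applies those rules to a security.xml document and checks the three editing guidelines before you write the file back. The sample policy it loads is constructed from the excerpt’s structure; its RSSP-Operator role and the permissions listed under it are assumptions for illustration.

```python
"""Audit and edit a SiteProtector-style security.xml role policy.

Added example, not ISS code. Only the <policy>/<role group>/<grant permission
name> structure comes from the guide's excerpt; the sample policy below is
constructed, and its RSSP-Operator role is an assumption for illustration.
"""
import xml.etree.ElementTree as ET

ADMIN_GROUP = "RSSP-Administrator"
ALL_PERMISSION = "java.security.AllPermission"
ANALYSIS = "net.iss.rssp.security.AnalysisPermission"
C2 = "net.iss.rssp.security.CommandAndControlPermission"

SAMPLE_POLICY = f"""<policy>
  <role group="{ADMIN_GROUP}">
    <grant permission="{ALL_PERMISSION}"/>
  </role>
  <role group="RSSP-Analyst">
    <grant permission="{ANALYSIS}" name="clearEvent"/>
    <grant permission="{C2}" name="exportData"/>
  </role>
  <role group="RSSP-Operator">
    <grant permission="{ANALYSIS}" name="clearEvent"/>
  </role>
</policy>"""


def load_policy(text):
    """Parse the file and keep comments, so commented-out grants survive a round trip."""
    return ET.fromstring(text, ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)))


def dump_policy(policy):
    """Serialize back to text; overwrite the original only after validate_policy() is empty."""
    return ET.tostring(policy, encoding="unicode")


def role_element(policy, group):
    for role in policy.findall("role"):
        if role.get("group") == group:
            return role
    raise KeyError(f"no <role group={group!r}> in policy")


def grants(role):
    """(permission, name) pairs of the live <grant> elements under a role; comments are not grants."""
    return {(g.get("permission"), g.get("name")) for g in role.findall("grant")}


def has_permission(policy, group, permission, name=None):
    live = grants(role_element(policy, group))
    return (ALL_PERMISSION, None) in live or (permission, name) in live


def grant_permission(policy, group, permission, name=None):
    """The guide's copy-and-paste step: add a <grant> under the role. False if already present."""
    role = role_element(policy, group)
    if (permission, name) in grants(role):
        return False
    attrs = {"permission": permission} if name is None else {"permission": permission, "name": name}
    ET.SubElement(role, "grant", attrs)
    return True


def revoke_permission(policy, group, permission, name=None):
    """Comment the <grant> out in place, as the guide's removal procedure does, instead of deleting it."""
    role = role_element(policy, group)
    for idx, child in enumerate(list(role)):
        if child.tag == "grant" and (child.get("permission"), child.get("name")) == (permission, name):
            comment = ET.Comment(ET.tostring(child, encoding="unicode").strip())
            comment.tail = child.tail
            role.remove(child)
            role.insert(idx, comment)
            return True
    return False


def validate_policy(policy):
    """Check the guide's three editing guidelines; returns a list of problems (empty means OK)."""
    problems, live, commented = [], set(), set()
    if policy.tag != "policy":
        problems.append("root element must be <policy>")
    roles = policy.findall("role")
    for role in roles:
        if role.get("group") is None:
            problems.append("<role> element without a group attribute")
        for child in role:
            if child.tag is ET.Comment:  # a grant removed by the commenting procedure
                if "<grant" in (child.text or ""):
                    g = ET.fromstring(child.text.strip())
                    commented.add((g.get("permission"), g.get("name")))
            elif child.tag != "grant" or child.get("permission") is None:
                problems.append(f"unexpected element <{child.tag}> under role {role.get('group')}")
        live |= grants(role)
    admin = [r for r in roles if r.get("group") == ADMIN_GROUP]
    if not admin or (ALL_PERMISSION, None) not in grants(admin[0]):
        problems.append(f"{ADMIN_GROUP} must be granted {ALL_PERMISSION}")
    # Guideline: make sure each permission is assigned to at least one user role.
    for perm, name in sorted(commented - live, key=str):
        problems.append(f"permission {perm} (name={name}) is no longer granted to any role")
    return problems


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    grant_permission(policy, "RSSP-Operator", C2, "exportData")
    revoke_permission(policy, "RSSP-Analyst", ANALYSIS, "clearEvent")
    print(dump_policy(policy))
    print("problems:", validate_policy(policy) or "none")
```

`validate_policy()` treats a grant that has been commented out of every role as a violation of the second guideline, because the only evidence that a permission exists at all is the grants in the file; run it on the edited document and fix every reported problem before replacing the file on the Application Server.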
Permissions by User Role

Introduction
Table 22 describes all the available user permissions in SiteProtector and indicates which user roles have each permission by default. Administrators hold every permission through java.security.AllPermission. Where a row reads “Admin; others: see security.xml”, check the <grant> entries of the RSSP-Analyst and RSSP-Operator roles in the security.xml file, which is the authoritative source (see “Managing Permissions for User Roles” on page 50).

Permission | Description | Roles by default
addusers | assign users to groups for SiteProtector; assign users to groups for Dashboard | Admin; others: see security.xml
applyPolicy | apply policy; edit active policy; set policy group | Admin; others: see security.xml
applyProperty | edit properties; edit known accounts | Admin; others: see security.xml
applyResponse | apply response; edit active response | Admin; others: see security.xml
applyUserDefined | get evidence log; send user-specified file | Admin; others: see security.xml
AttackIncidents | run and view the Attack Incidents report | Operator, Analyst, Admin
AttacksByGroup | run and view the Attack by Group report | Operator, Analyst, Admin
AttackStatusSummary | run and view the Attack Status Summary report | Operator, Analyst, Admin
AttackTrend | run and view the Attack Trend report | Operator, Analyst, Admin
browse | start System Scanner Console; use “What are the known vulnerabilities”; use “What are the Protection Agents” | Admin; others: see security.xml
changeSoftware | register software; assign Event Collectors; auto register software; start LMI | Admin; others: see security.xml
clearEvent | clear events | Operator, Analyst, Admin (see Table 19)
contact | contact a Site from the Dashboard | Admin; others: see security.xml
delete | delete a Site from the Dashboard | Admin; others: see security.xml
desktopAgentCommands | generate agent builds; generate Proventia Desktop builds; send phone home | Admin; others: see security.xml
DesktopProtectionReport | run and view the Desktop Protection report | Admin; others: see security.xml
downloadlogs | download server log files | Admin; others: see security.xml
editActionFile | edit the Action file | Admin; others: see security.xml
ExecOSSummary | run and view the Executive OS Summary report | Operator, Analyst, Admin
ExecVulnSummary | run and view the Executive Vulnerability report | Operator, Analyst, Admin
exportData | export Site data | Operator, Analyst, Admin
general | populate Active Directory; set Active Directory credentials | Admin; others: see security.xml
HostAssessment | run and view the Host Assessment report | Operator, Analyst, Admin
HostAssessmentDetail | run and view the Host Assessment Detailed report | Operator, Analyst, Admin
HostOSSummary | run and view the Host OS Summary report | Operator, Analyst, Admin
HostServiceSummary | run and view the Host Service report | Operator, Analyst, Admin
HostVulnCount | run and view the Host Vulnerability Count report | Operator, Analyst, Admin
HostVulnDetail | run and view the Host Vulnerability Detail report | Operator, Analyst, Admin
HostVulnSummary | run and view the Host Vulnerability Summary report | Operator, Analyst, Admin
launchEventViewer | launch the Event Viewer | Operator, Analyst, Admin
loadData | load Site data | Admin; others: see security.xml
manageLicense | run jobs to export metrics data; manage desktop licenses; manage licenses | Admin; others: see security.xml
ProtectionReport | run and view the Protection report | Admin; others: see security.xml
purgeData | purge data | Admin; others: see security.xml
read,write (Group Permission) | use the Auto Group Hosts feature; add, delete, and edit groups; unlink a SiteProtector Group from a Dashboard Group; add a Sensor Wizard Action; edit and delete Group Settings; import hosts; set Policy Group | Admin; others: see security.xml
remoteScan | perform scans using Internet Scanner | Admin; others: see security.xml
ServiceSummary | run and view the Service Summary report | Admin; others: see security.xml
start | start, pause, resume, and restart a sensor; view sensor details | Admin; others: see security.xml
stop | stop a sensor | Admin; others: see security.xml
TopAttacks | run and view the Top Attacks report | Operator, Analyst, Admin
TopSourcesOfAttack | run and view the Top Sources of Attacks report | Operator, Analyst, Admin
TopTargetsOfAttack | run and view the Top Targets of Attacks report | Operator, Analyst, Admin
TopVirusActivity | run and view the Top Virus Activity report | Operator, Analyst, Admin
TopVulnerabilities | run and view the Top Vulnerabilities report | Operator, Analyst, Admin
viewPolicy | manage policies | Admin; others: see security.xml
VirusActivityByGroup | run and view the Virus Activity by Group report | Operator, Analyst, Admin
VirusActivityByHost | run and view the Virus Activity by Host report | Operator, Analyst, Admin
VirusActivityTrend | run and view the Virus Activity Trend report | Operator, Analyst, Admin
VulnAssessment | run and view the Vulnerability Assessment report | Operator, Analyst, Admin
VulnAssessmentDetail | run and view the Vulnerability Assessment Detail report | Operator, Analyst, Admin
VulnerabilityByGroup | run and view the Vulnerability by Group report | Operator, Analyst, Admin
VulnerabilityByHost | run and view the Vulnerability by Host report | Operator, Analyst, Admin
VulnerabilityByOS | run and view the Vulnerability by OS report | Operator, Analyst, Admin
VulnerabilityTrend | run and view the Vulnerability Trend report | Operator, Analyst, Admin
WebCategories | run and view the Web Categories report | Operator, Analyst, Admin
WebRequests | run and view the Web Requests report | Operator, Analyst, Admin
write (Host Permission) | delete assets from a group; delete sensors from a group; delete appliances from a group; edit assets; update assets; add hosts to a group | Admin; others: see security.xml
write (Site Permission) | add and edit Dashboard site; perform database maintenance in SiteProtector; perform database purge in SiteProtector | Admin; others: see security.xml
write (Site Permission) | add, edit, and delete site range | Analyst, Admin
writePolicy | force refresh; edit central response; edit settings; use VPN wizard; create a VPN mesh | Admin; others: see security.xml
writeResponse | manage responses; edit global responses; import global responses; write responses | Admin; others: see security.xml
writeSessionProperties | manage session properties | Admin; others: see security.xml
writeSiteRule | create and edit Site rules; create incidents; view exceptions | Admin; others: see security.xml
xpu | install and uninstall an XPU | Admin; others: see security.xml
Table 22: Permissions by user role

Chapter 5  Configuring Your Console

Overview

Introduction
The Console preferences in SiteProtector let you choose different configurable options. These preferences include options for both Site Manager and Enterprise Dashboard.

Initial configuration checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 11. This task is usually optional, but read “What do you need to do?” next in this topic to review the most common Console configuration tasks.
The next configuration task is Task 12, “Set up the Enterprise Dashboard.” See “Setting Up the Enterprise Dashboard for Multiple Sites” on page 109.

What do you need to do?
Most Console configuration tasks are optional. Review the situations in Table 23 to see whether these commonly required tasks apply to you:

Situation | Task Reference
Store security information locally rather than link to it over the Internet | See “Choosing Documentation Preferences” on page 63.
Store user documents locally rather than link to them over the Internet | See “Choosing Documentation Preferences” on page 63.
Access the Internet through a proxy server | See “Choosing Proxy Preferences” on page 66.
Require the application server to authenticate itself when communicating with a Console | See “Choosing Security Preferences” on page 67.
Table 23: Most commonly required Console preference tasks

In this chapter
This chapter contains the following topics:
Topic | Page
Choosing General Preferences | 59
Choosing Site Manager Preferences | 60
Choosing Enterprise Dashboard Preferences | 62
Choosing Documentation Preferences | 63
Choosing Trace Preferences | 65
Choosing Proxy Preferences | 66
Choosing Security Preferences | 67

Choosing General Preferences

Introduction
The General tab includes various options, such as which window opens when you log on to the Console.

Procedure
To set general preferences:
1. On the Console Connection menu, select Preferences.
2. Change your preferences according to their descriptions in the following table:
   Field | Description
   Launch Enterprise Dashboard on connect | Whether to open the Enterprise Dashboard when you log on to a Site in the Console.
   Launch Site Manager on connect | Whether to open the Site Manager when you log on to a Site in the Console.
   Update content on context change | Whether to update data automatically when you change contexts, such as selecting a different tab.
   Update Host action available on connect | Whether to make the Update Host option available for hosts from the pop-up menu in the Asset tab. This option displays the DNS name from the domain server and the NetBIOS name and NetBIOS domain from the asset. Important: You must restart your Console for this option to take effect.
   Show the helpful tips dialog on connect | Whether to display the Tip of the Day window when you start the Console.
   Group recursion on by default | Whether to see data for all subgroups when you select a parent group.
   GMT | Whether to display dates and times in Greenwich Mean Time rather than in the time zone of the operating system.
   Show past command jobs for these days: n days | The number of previous days’ worth of command jobs to include in the Command Jobs pane.
   Show vulnerabilities in asset tab for past n days | The number of previous days’ worth of vulnerabilities to include in the Asset tab for the What are the known vulnerabilities option.
   System Scanner Web Console URL | The URL for the System Scanner Web console, if you have installed System Scanner Vista.
3. Click Apply.
4. Click OK.

Choosing Site Manager Preferences

Introduction
You can configure display options in Site Manager that affect what information appears in your Console, how it is displayed, and how often it is updated.

About metrics on the Site Manager
Metrics are available on the Enterprise Dashboard; in addition, the following metrics are available in the Enterprise Groups pane on the Site Manager:
● number of active and inactive sensors assigned to a group
● number of high, medium, and low events detected by sensors in the group
The metrics appear as a ToolTip when you place your cursor over a group in the Enterprise Groups pane.
Refresh intervals
You can set refresh intervals for event data and metrics in the Site Manager. A refresh interval that is too short can have a negative effect on performance. If a refresh does not complete within a reasonable time (less than a minute), increase the refresh interval.

Procedure
To set preferences for how information appears:
1. On the Console Connection menu, select Preferences.
2. Select the Site Manager tab.
3. In the Site Level Group Metrics group, select one of the following options:
   Choose… | To…
   Show Sensor Status Metrics for Groups on next startup | show the number of active and inactive sensors assigned to the group as a ToolTip in the Enterprise Groups pane.
   Show High, Medium and Low Count Metrics for Groups on next startup | show the number of high-, medium-, and low-priority events detected by sensors assigned to the group as a ToolTip in the Enterprise Groups pane.
4. In the Data Display Setting group, select or type values for the following settings:
   Field | Description
   Show maximum number of analysis rows | The number of rows to display at a time. Default: 50,000 rows
   Show maximum number of event details | The number of event details to display on the Site Manager. Default: 500 events
   Show maximum number of sensor rows | The number of rows to display at a time. Default: 500 rows
   Show maximum number of asset rows | The number of rows to display at a time. Default: 5,000 rows
   Show maximum number of Incidents/Exceptions | The number of incidents or exceptions to display on the Site Manager. Range: 0 to 10,000. Default: 2,000 rows
   Refresh analysis data (seconds) | The number of seconds between refreshes of analysis data on the Site Manager. Default: 60 seconds
   Refresh metrics data (seconds) | The number of seconds between refreshes of metric data on the Site Manager. Default: 60 seconds
5. In the Analysis Time Display group, specify the following settings:
   Field | Description
   Time format | The format to use for times and dates, except for the earliest and latest attack formats. Default: yyyy-mm-dd hh:mm:ss time zone
   Earliest attack time format | The format to use for the Earliest Attack column. Default: yyyy-mm-dd hh:mm:ss time zone
   Latest attack time format | The format to use for the Latest Attack column. Default: yyyy-mm-dd hh:mm:ss time zone
   Note: The time zone is based on the GMT option on the General tab.

Choosing Enterprise Dashboard Preferences

Introduction
You can choose whether to view groups that have been deleted from a Site in the Enterprise Groups pane on the Enterprise Dashboard.

Procedure
To display deleted groups in the Enterprise Dashboard:
1. On the Console Connection menu, select Preferences.
2. Select the Enterprise Dashboard tab.
3. To display groups that have been deleted from the Site, select the Show groups that have been deleted from a site check box.
4. Click Apply.
5. Click OK.

Choosing Documentation Preferences

Introduction
By default, detailed security information and user documents are stored on the Internet Security Systems Web site. If you prefer to provide access to those documents locally, you must perform the tasks and configure your preferences as described in this topic.

Task overview: Store security information locally
The Console can access security information locally, rather than over the Internet. Table 24 describes the tasks for accessing security information locally:
Task | Description
1 | Download the security information zipped file (XForceHelpFiles.zip) from http://www.iss.net/security_center/reference/vuln/ to your local drive.
2 | Unzip the file.
3 | Specify the path of the folder as described in the procedure below.
Table 24: Tasks for accessing security information locally

Task overview: Store user documents locally
The Console can access user documents locally, rather than over the Internet. Table 25 describes the tasks for accessing user documents locally:
Task | Description
1 | Download the zipped user document file (SPUserDoc20sp5.zip) from http://www.iss.net/support/documentation/docs.php?product=16&family=8 to your local drive.
2 | Unzip the file into the SiteProtector Application Server root directory, which is typically \Program Files\ISS\RealSecure SiteProtector\Application Server.
3 | Specify the path of the folder as described in the procedure below.
Table 25: Tasks for accessing user documents locally

Procedure
To set documentation preferences:
1. On the Console Connection menu, select Preferences.
2. Select the Documentation tab.
3. If you want to change the location of security information, do one of the following in the Location of security information section:
   To access security information… | Select…
   locally | Local directory, and then type or select the local path of the folder where the security information is located.
   from the ISS Web site | Remote URL. Note: The default address is http://www.iss.net/security_center/reference/vuln.
4. If you want to change the location of user documents, do one of the following in the Location of documentation section:
   To access user documents… | Select…
   locally | On SiteProtector Server, and then type the address of the application server in the following format: https://application_server_IP_address_or_DNS_name:3994/
   from the ISS Web site | On www.iss.net.
5. Click Apply.
6. Click OK.

Choosing Trace Preferences

Introduction
Options on the Trace tab control how SiteProtector handles error tracing.

Procedure
To set preferences on the Trace tab:
1. On the Console Connection menu, select Preferences.
2. Select the Trace tab.
3. In the Level list, select a trace level to specify the minimum level of error to trace:
   Option | Description
   Fatal | Trace only fatal messages
   Error | Trace error and fatal messages
   Warn | Trace warn, error, and fatal messages
   Info | Trace info, warn, error, and fatal messages
   Debug | Trace debug and all other levels of tracing. Important: This level produces a high volume of messages.
   Caution: Change the trace level from the default (Error) only when you are troubleshooting under the direction of ISS Technical Support.
4. In the Trace To section, select the output format(s) to use for the trace:
   Option | Description
   Standard Output | Sends trace information to the standard output device of the operating system.
   Text File | Sends trace information to the specified text file.
5. If you selected Text File, click Browse to change the file name and/or location.
6. Click Apply.
7. Click OK.

Choosing Proxy Preferences

Introduction
When a proxy server separates your Console from your remote documentation, you must specify the proxy server and the server port. This is necessary because SiteProtector uses your Internet connection to access certain documentation and Help files remotely.

Procedure
To specify a proxy server:
1. On the Console Connection menu, select Preferences.
2. Select the Proxy tab.
3. Select the Use HTTP proxy check box.
4. Type the DNS name or IP address of the proxy server in the Proxy Host box.
5. If the port number is different from the default (8080), type it or select it from the Proxy Port box.
6. Click Apply.
7. Click OK.

Choosing Security Preferences

Introduction
SiteProtector uses Secure Sockets Layer (SSL) to encrypt communication between the Console and the application server. Encryption is always turned on, and all data is encrypted.
To further increase the security of the connection between Consoles and the application server, you can use your own root-signed certificate. With that certificate, the application server can authenticate itself to the Console.

How to set up authentication
Table 26 describes the process for activating authentication by the application server:
Stage 1: You must obtain a root-signed certificate for your Site.
Stage 2: You must install the certificate on the application server computer and enable SSL certificate authentication. See “Enabling Authentication for the Application Server” on page 113. Note: This requires System Administrator rights.
Stage 3: Each Console user must enable the security settings as described in this topic.
Table 26: Setting up authentication

Procedure
To change the security setting:
1. On the Console Connection menu, select Preferences.
2. Select the Security tab.
3. Select the option for Security Trust Settings for SSL certificate validation as follows:
   Maximum: Accepts only valid root-signed certificates. Note: Use this option to enable SSL certificate authentication. Reference: SiteProtector Installation Guide.
   None: Does not validate certificates. Note: This is the default setting.
4. Click Apply.
5. Click OK.

Part III: Installing Agents and Appliances

Chapter 6: Installing Sensors and Appliances

Overview

Introduction
This chapter provides the tasks for installing and deploying network sensors, server sensors, and appliances. You must install sensors and appliances before SiteProtector can monitor network activity.

Initial Configuration Checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 7.
After you have installed all your agents and appliances as described in Part III, the next configuration task is Task 8, “Register any software that is not automatically registered.” See “Registering Software Managed by SiteProtector” on page 105.

Supported sensors and appliances
For a complete list of supported sensors and appliances, see the Supported Agents and Appliances on the ISS Web site at http://documents.iss.net/literature/SiteProtector/SPSupportedAgentsandAppliances20SP5.pdf.

About removing a server sensor
If server sensor is installed on the same computer as SiteProtector components, do not remove it unless you are also ready to remove SiteProtector. As you remove server sensor, you also remove the issDaemon service.
Caution: If you remove server sensor, any SiteProtector components that use the issDaemon cannot function.

In this chapter
This chapter contains the following topics:
Before You Install a Sensor or an Appliance (page 72)
Agent Registration, Authentication, and Encryption (page 73)
Installing Sensors and Appliances (page 74)
Downloading a Sensor Package (page 75)

Before You Install a Sensor or an Appliance

Introduction
This topic explains important information about installing sensors and appliances.

Installation documentation
To install a sensor or an appliance, you need the applicable installation guide or quick start card for the sensor or appliance. If you do not already have the document, see the ISS Web site at http://www.iss.net/support/documentation/.

Latest software
If you need a new or an updated installation package for a sensor, download it from the ISS Download Center (www.iss.net/download/). See “Downloading a Sensor Package” on page 75.

Related documentation
Deploying sensors and appliances under certain conditions requires special configuration and planning.
Table 27 describes related documentation:
RealSecure Network Sensor and Gigabit Network Sensor Installation Guide: Provides information about installing a network sensor in either of the following:
  • a switched environment
  • the DMZ (demilitarized zone)
SiteProtector Installation Guide, Chapter 10, Section A, “Configuring Firewall Ports”: Provides information about setting up communication between the network sensor and SiteProtector through a firewall.
Table 27: Special considerations for network sensors

Agent Registration, Authentication, and Encryption

Introduction
SiteProtector components use a proprietary communications protocol, based on principles of public key cryptography and commonly accepted cryptographic algorithms, to ensure the security of your sensitive data. With public key cryptography you can force a component to identify itself (the authentication process) and ensure that communications between the components are secure (encryption).

Public and private keys
Public key cryptography is based on pairs of public and private encryption keys. Components must share their public encryption keys with the components they communicate with and keep their private keys secret. Although you can manually move the public keys to each component, SiteProtector can automatically do it for you in most cases through the registration process.

SiteProtector requirements
For authentication to work, every component, agent, and databridge managed through SiteProtector typically needs a copy of the following components’ public keys:
● Sensor Controller
● Event Collector (not needed by the Deployment Manager)

Automatic key exchange
If you enable the auto-import feature for encryption keys when you install agents, SiteProtector can push the sensor controller and Event Collector public keys to the appropriate folders on the remote computer the first time they connect.

When automatic registration does not work
If you install a sensor from the Deployment Manager, the sensor is automatically registered with SiteProtector. In other cases you may have to manually register agents:
● You installed a sensor from a sensor installation package and not from the Deployment Manager. Tip: To avoid manually registering the sensor, select the auto-import option when you install it.
● You installed the sensor before you installed SiteProtector.
Note: With automatic registration, it may take a while for the Console to recognize the agent's status, and the Sensor details window may temporarily display the message, Connection refused.

Important guidelines
For auto-import to work, you must observe the following guidelines:
● Enable the auto-import option when you install SiteProtector components, sensors, and scanners that support this feature.
● Install all of the SiteProtector components before you attempt to connect to any of your sensors, appliances, scanners, or their corresponding issDaemon service.
● To install multiple sensors on one computer, install all of the sensors before you connect to any of them.
● Run the Console and configure the Event Collector, other SiteProtector components, sensors, appliances, and scanners.
Note: ISS recommends that you configure the component, sensor, or scanner on a protected network segment until after the initial public key is imported.

Installing Sensors and Appliances

Introduction
You can install sensors from the Deployment Manager or from separate sensor installation packages.

Task overview
Table 28 describes the tasks for installing sensors and appliances:
Task 1: Add the asset to an Enterprise Group. Reference: See “Manually Adding Assets” on page 150.
Task 2: Install the sensor or appliance either from the Deployment Manager or from a separate installation package.
Reference: See the applicable installation guide or quick start card for the sensor or the appliance.
Task 3: Add the sensor or appliance license(s) to SiteProtector. Reference: See “Adding a License File” on page 104.
Task 4: Register the sensor or appliance, if required. Reference: See “Registering Software Managed by SiteProtector” on page 105.
Table 28: Tasks for installing sensors and appliances

Downloading a Sensor Package

Introduction
You can download an updated sensor package for the Deployment Manager from the ISS Download Center.

Procedure
To download the ISS sensor package:
1. Access the ISS Download Center at www.iss.net/download/.
2. Find the download page for the specific product.
3. Download the setup package to the appropriate Deployment Manager folder: \Program Files\ISS\RealSecure SiteProtector\Application Server\webapps\dmdocroot\packages\product_name
4. Stop, and then restart, the Application Server service. The new sensor package appears in the Deployment Manager. Reference: See “Starting and Stopping a SiteProtector Service” on page 116.

Chapter 7: Installing Desktop Agents

Overview

Introduction
Desktop agents report to SiteProtector so that you can manage your entire enterprise security from the Console. You can manage both Desktop security events and Desktop agent updates from the Console.

Initial Configuration Checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 7. After you have installed all your agents and appliances as described in Part III, the next configuration task is Task 8, “Register any software that is not automatically registered.” See “Registering Software Managed by SiteProtector” on page 105.
References
User documents for Desktop agents are available on the ISS Web site at http://www.iss.net/support/documentation/.

Desktop terms
Table 29 describes terms that relate to Desktop agents:
Agent Manager (previously known as Desktop Controller): The SiteProtector component that accepts the following from Desktop agents:
  • real-time security events
  • scheduled administrative heartbeats
Desktop agent: Agents that provide security for desktops, including agents previously managed by ICEcap. Desktop agents include the following:
  • Proventia Desktop
  • RealSecure Desktop 3.6
  • RealSecure Desktop 7.0
  • RealSecure Desktop Enforcement for VPNs
Desktop events: A security event from any of the supported Desktop agents.
Heartbeats: A scheduled request for policy and configuration updates. Desktop agents periodically send heartbeats to the Agent Manager, and the Agent Manager then sends the Desktop agent any available updates. Heartbeats are encrypted HTTP requests (HTTPS with Proventia Desktop). Note: Scheduled heartbeats do not affect security events. Desktop agents send security events in real time.
Table 29: Terms used with Desktop agents

In this chapter
This chapter contains the following sections:
Section A, “Preparing SiteProtector for Desktop Agents” (page 79)
Section B, “Installing Desktop Agents” (page 87)

SECTION A: Preparing SiteProtector for Desktop Agents

Overview

Introduction
Before you can add Desktop Agents to SiteProtector, you must prepare SiteProtector to recognize those agents.

User role
You must be a SiteProtector Administrator to perform the tasks in this section.

Task overview
Table 30 describes the tasks for preparing SiteProtector to recognize Desktop agents:
Task 1: To manage Desktop agents through SiteProtector, you must add Desktop licenses to SiteProtector.
Task 2: When an agent communicates with an Agent Manager, it must include an account and a password for that Agent Manager. In Task 2, you create an account with an Agent Manager for your Desktop agents to use. If you create a Desktop build (page 88) for users to install an agent with, the account information is included in the build. If you have your users install Desktop from the Deployment Manager, they must supply the account information during the installation (page 90).
Task 3: Desktop agents belong to groups in the Enterprise Groups pane just like other sensors and assets. With Desktop agents, you assign policies to the agents according to their group membership. The group that you use for policy assignment is a policy subscription group that you create in Task 3.
Task 4: Desktop comes with predefined policies that you use to create a custom policy for your agents. After you create this policy, you assign it to the policy subscription group that you created in Task 3.
Table 30: Preparation tasks for Desktop agents

Prerequisite
You must have one or more licenses for each Desktop agent type that you plan to deploy. If you have not already received the licenses, contact licenses@iss.net.

Encryption with Desktop agents
The type of encryption that Desktop agents use does not require the application server’s public keys as other sensors do.

In this section
This section contains the following topics:
Task 1: Adding a Desktop Agent License (page 80)
Task 2: Adding an Account to the Agent Manager (page 81)
Task 3: Creating a Policy Subscription Group (page 82)
Task 4: Assigning a Desktop Policy to the Policy Subscription Group (page 84)
Policy Assignments in Different Scenarios (page 85)

Task 1: Adding a Desktop Agent License

Introduction
Desktop agent licenses consist of character strings for all agents except Proventia Desktop. Proventia Desktop uses license files.
Choose the correct procedure for adding a license:
● To add a Desktop license string, follow the procedure in this chapter.
● To add a Desktop license file, see “Adding a License File” on page 104.

Upgrading to Proventia Desktop
When you add a Desktop license string, the Agent Manager automatically converts that string to a Proventia Desktop type license so that you can upgrade to Proventia Desktop with your current license strings.

Adding a Desktop license string
To add a Desktop license string:
1. On the Site Manager Tools menu, select RealSecure Desktop Licenses.
2. Click Add.
3. Type, or copy and paste, the license string into the Key String box.
4. Type information about the Desktop license into the Description box. Note: This step is optional but can help you distinguish one type of license from another.
5. Click OK.
6. Read the license agreement, and then click I Accept. The Manage Desktop Protection Licenses window displays the new license with a License Status of Newly Added, indicating that the license has not yet been processed. Note: It takes about a minute to update the status of the license.
7. Click Close.

Updating a license
To update a license:
1. Follow the previous procedure, “Adding a Desktop license string,” to add the updated license.
2. On the Site Manager Tools menu, select Manage RealSecure Desktop Licenses.
3. Select the new license from the License Key list. The license status and details appear.
4. Review the replacement license details.
5. Select the license key string you want to replace from the License Key list.
6. Select the replacement key string from the Replacement Key list, and then click Apply Changes.

Next task
You must now edit the Agent Manager properties. Go to “Task 2: Adding an Account to the Agent Manager,” next in this chapter.

Task 2: Adding an Account to the Agent Manager

Introduction
You must create an account that Desktop agents can use to communicate with an Agent Manager.
Note: Each Agent Manager account name must be unique.

Procedure
To add an account:
1. In the Enterprise Groups pane, select the group to which the Agent Manager belongs, and then select the Sensor tab.
2. Right-click the Agent Manager, and then select Agent Manager → Edit Properties from the pop-up menu. The Agent Manager Policy Editor appears.
3. Select Accounts in the left pane. The Accounts pane displays a list of the current account names and descriptions.
4. Click Add in the right pane.
5. Type a unique Account Name, and then click Set Password.
6. Type and confirm the Password, and then click OK.
7. Type a Description for the account, and then click OK.
8. On the File menu, select Exit.
9. Click Yes to save your changes.

Next task
You must now create the policy subscription group for the account. Go to “Task 3: Creating a Policy Subscription Group,” next in this chapter.

Task 3: Creating a Policy Subscription Group

Introduction
Agents receive updates from the Agent Manager based on their policy subscription group.

The purpose of groups
In SiteProtector, you create groups to organize your assets. You can define groups for different purposes, such as to monitor events or to administer policies. Groups that you create specifically to administer policies are called policy subscription groups.
Tip: Groups in SiteProtector look the same regardless of their purpose. You might want to use a naming convention to distinguish policy subscription groups from other groups.

Rules for policies
The following rules apply to policies and policy subscription groups:
● Policies are set at the group level, so you should create at least one policy subscription group for every unique policy that you plan to deploy.
● You can assign Desktop agents to multiple groups for organizational purposes but to only one policy subscription group for policy assignment.
Important: If an agent is already assigned to a policy subscription group, and you assign that agent to another policy subscription group, SiteProtector uses the last group assigned for policy assignment.

Assigning subscription policy groups
● You can use any group in the Enterprise Groups pane as a policy subscription group except for the Ungrouped Assets group.
● In addition to using a group for Desktop policies, you can assign one policy for each of the following sensor types to a group:
  ■ Network sensor
  ■ Server sensor
  ■ Proventia A and G appliances
When you copy or automatically group assets from the Ungrouped Assets folder into groups, all sensor types on the hosts are assigned a subscription policy group according to Table 31:
If the host is being copied to a group that has a policy of the correct type set, then this group becomes the policy subscription group for the sensor(s) on that host.
If the host is being copied to a group that does not have a policy of the correct type set, then the sensor(s) are assigned the first group with the correct policy as its policy subscription group as you move up the tree towards the root node. If no parent group with the correct policy set is found, the sensor will not have a policy subscription group.
Table 31: Assigning subscription policy groups

Procedure
To create a policy subscription group:
1. In the Enterprise Groups pane, right-click the folder to use as the parent folder, and then select Add Group. A new node appears with the default text “New Group” highlighted.
2. Type a name for the group, and then press Enter. The name of the new group appears in the Enterprise Groups pane below the parent folder.

Next task
You must now set the Desktop policy for the policy subscription group. Go to “Task 4: Assigning a Desktop Policy to the Policy Subscription Group,” next in this chapter.
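Table 31 is a tree walk: start at the group the host lands in and climb toward the root until a group with a policy of the sensor's type is found. The following Python example is added here to show that walk in code; it is not SiteProtector code and uses no ISS API. The group names, policy names and sensor types in build_sample_site are constructed for the example, and only "Ungrouped Assets" and the resolution rule itself come from this topic. It resolves each sensor type on a host independently, which is the general form of the rule the table states per host.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Constructed model of the Enterprise Groups tree.  Only the resolution rule
# comes from Table 31; every group, policy and sensor-type name below is
# invented for this example.

UNGROUPED = "Ungrouped Assets"   # may never serve as a policy subscription group


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    # One policy per sensor type, e.g. {"Desktop": "HR-Desktop", "Network sensor": "Corp-NS"}
    policies: Dict[str, str] = field(default_factory=dict)

    def child(self, name: str, **policies: str) -> "Group":
        """Create a sub-group; keyword arguments are sensor type -> policy name."""
        return Group(name, parent=self, policies=dict(policies))


def policy_subscription_group(target: Group, sensor_type: str) -> Optional[Group]:
    """Table 31: which group a sensor subscribes to when its host lands in `target`.

    If `target` has a policy of the sensor's type, it is the subscription
    group.  Otherwise walk up toward the root and take the first ancestor
    that does.  If nothing up to the root has one, the sensor gets no
    policy subscription group (None).
    """
    if target.name == UNGROUPED:
        return None
    node: Optional[Group] = target
    while node is not None:
        if sensor_type in node.policies:
            return node
        node = node.parent
    return None


def resolve_host(target: Group, sensor_types: Iterable[str]) -> Dict[str, Optional[str]]:
    """Resolve every sensor type on one host independently.

    A host can carry, say, a Desktop agent and a server sensor; Table 31
    applies per type, so each may end up subscribed to a different group.
    """
    result: Dict[str, Optional[str]] = {}
    for sensor_type in sensor_types:
        group = policy_subscription_group(target, sensor_type)
        result[sensor_type] = group.name if group is not None else None
    return result


def build_sample_site() -> Dict[str, Group]:
    """Constructed tree: My Site > Corporate > {HR, Finance > Payroll}.

    Corporate sets a network-sensor policy; HR and Payroll set Desktop
    policies; Finance sets nothing, so anything copied there inherits.
    """
    root = Group("My Site")
    corporate = root.child("Corporate", **{"Network sensor": "Corp-NS-Policy"})
    hr = corporate.child("HR", Desktop="HR-Desktop-Policy")
    finance = corporate.child("Finance")
    payroll = finance.child("Payroll", Desktop="Finance-Desktop-Policy")
    return {"root": root, "corporate": corporate, "hr": hr,
            "finance": finance, "payroll": payroll}


if __name__ == "__main__":
    site = build_sample_site()
    for name in ("hr", "finance", "payroll", "corporate"):
        print(name, resolve_host(site[name], ["Desktop", "Network sensor", "Server sensor"]))
```

Running it shows the case that surprises people in practice: a host copied into Finance gets its network-sensor policy from Corporate but no Desktop subscription group at all, because neither Finance nor any group above it sets a Desktop policy.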
Task 4: Assigning a Desktop Policy to the Policy Subscription Group

Introduction
Assign a Desktop policy to a policy subscription group based on the level of security you want to provide the assets in the group. For example, if you want to enforce different firewall rules for the Human Resources department than for the Finance department, use separate policy subscription groups for each department and assign a different policy to each group.

Build requirements
To generate an agent build, you must assign a policy for the policy subscription group. SiteProtector provides several read-only Desktop policies from which you can derive a policy to use.
Important: You cannot use the read-only Desktop policies to generate an agent build because they do not contain required information, such as the software version number for the agent or a Desktop license string.

Procedure
To select a Desktop policy for a policy subscription group:
1. In the Enterprise Groups pane, right-click a group for Desktop agents, and then select Desktop Protection → RealSecure Desktop → Set Group Policy from the pop-up menu.
2. Click Select. The Select Policy window appears with a list of Desktop policies.
3. If you have already created the policy you want to use, select the policy from the Policy box, and then go to Step 9.
4. Click Select to create a new policy. The Select Policy window appears.
5. Select a policy to use as the basis for the policy you are going to create, and then click Derive New. The Derive New Item window appears.
6. Type the name to use for the policy in the New item name box, and then click OK.
7. Edit the policy based on the desired agent configuration, and then click Save.
8. Select the policy to be applied to the group, and then click OK. The name of the policy appears in the Policy box.
9. Click OK. The policy is applied to the group.

Next task
You are now ready to install the Desktop agents. Go to Section B, “Installing Desktop Agents,” on page 87.

Policy Assignments in Different Scenarios

Introduction
You can assign Desktop agents to more than one group, but the agents receive their policy from their assigned policy subscription group. This topic describes different scenarios that affect how the policy group is determined.

How agents receive policies
Table 32 depicts Desktop policy behavior in several scenarios:
● If the policy subscription group is deleted after the agent sends a heartbeat, the agent continues to function with the previous configuration. The next time the agent sends a heartbeat, the agent appears in the Ungrouped Assets folder in the appropriate Site range.
● If the policy subscription group is deleted before the agent sends a heartbeat for the first time, then when the agent sends the first heartbeat, the policy subscription group is created in the root group My Site but has no policy associated with it. It begins to use a default configuration.
● If the Desktop policy is cleared (set to “No Policy”), regardless of whether parent groups have a Desktop policy set, the next time the agent sends a heartbeat it begins to use the previous default configuration. The policy subscription group remains intact.
● If a new group is created with the same name as the agent’s existing policy subscription group and the agent has already sent a heartbeat at least once, the agent continues to function as before (same policy subscription group assignment and policy) because group names are ignored after the initial heartbeat.
● If a new group is created with the same name as an agent’s existing policy subscription group and the agent has not yet sent a heartbeat, the next time the agent sends a heartbeat it functions with the previous configuration. The asset hosting the agent moves to the Ungrouped Assets folder in the appropriate Site range.
● If the asset hosting the Desktop agent is dragged into a group with a Desktop policy set, the agent assigns its policy subscription group as the group hosting the asset. The next time the agent sends in a heartbeat, it begins using its new policy subscription group’s assigned Desktop policy.
● If the asset hosting the Desktop agent is dragged into a group without a Desktop policy set and none of the parent groups have a Desktop policy set, the agent assigns its policy subscription group as the group hosting the asset. The next time the agent sends in a heartbeat, it begins using the previous configuration.
● If the asset hosting the Desktop agent is dragged into a group without a Desktop policy set and a parent group has a Desktop policy set, the agent assigns its policy subscription group as the closest parent group with a Desktop policy set. The next time the agent sends in a heartbeat, it begins to use the policy assigned to its policy subscription group.
Table 32: How agents receive policies

SECTION B: Installing Desktop Agents

Overview

Introduction
After you finish the tasks in Section A, you can install the Desktop agents. This section describes the options for installing agents and explains how to perform the installations.

Two options for installing agents
The options for installing Desktop agents are as follows:
● Generate one or more Desktop agent builds that users can install on their computers.
● Have users install a Desktop agent from the Deployment Manager for a single desktop installation.

Using agent builds
This option requires more effort initially because you have to preconfigure and generate agent builds for each group that uses a different version. Agent builds are advantageous, however, if you want multiple users to use the same version.
You completely preconfigure the agent build so that users do not have to supply any information during the installation.

Installing from the Deployment Manager
This option is most suitable if you use Desktop on a single computer or if you use a different version for each computer. Individual Desktop installations require user input. Until the agent sends a heartbeat, there is a period during which the policy is not applied.

Troubleshooting
A Desktop agent installation might fail for various reasons. Table 33 lists some potential reasons for installation failure and provides solutions to fix each:
Problem: An existing RealSecure or Desktop agent exists on the computer. Solution: Uninstall the existing agent completely.
Problem: A host is running any version of network sensor or server sensor supported by SiteProtector 2.0. Solution: Uninstall the existing network or server sensor before you install Desktop.
Table 33: Problems and solutions for Desktop agent installation failures

In this section
This section contains the following topics:
Option 1, Task 1: Generating an Agent Build (page 88)
Option 1, Task 2: Providing the Desktop Build to Employees (page 89)
Option 2: Installing a RealSecure Desktop Agent from the Deployment Manager (page 90)

Option 1, Task 1: Generating an Agent Build

Introduction
An agent build is a fully configured installation file for a Desktop agent in a single program file that users can run to install an agent. No intervention from the end user is required because you define the configurable settings to use in the build.
Important: You must completely configure the group and its associated policy before you generate the agent build, as described in Section A, “Preparing SiteProtector for Desktop Agents,” on page 79.

Prerequisite for NAT environments
If you are using a Network Address Translation (NAT) environment, you must edit the configuration file before you generate a Desktop build. See the SiteProtector Installation Guide, Chapter 10, Section B, “Configuring Components to Communicate through NAT Firewall.”

Why an agent build might fail
An agent build might fail if one of the following conditions exists:
● A selected group for the agent build has no assigned Desktop policy.
● A policy has no license selected or the agent software version is not selected.
● The selected Agent Manager has no accounts.

Assigning an Agent Manager
When you generate an agent build, you must select an Agent Manager to which the Desktop agent should report. The Desktop agents are preconfigured to use the selected Agent Manager.

How this works
The Agent Manager generates a build and then places it in a temporary folder beneath the installation folder of the Agent Manager you selected in the Enterprise Groups pane. The Agent Manager adds an associated link to its Available Downloads Web page.
Note: If you accidentally delete the group, or create more than one group with the same name, the agent appears in the Ungrouped Assets folder in the Enterprise Groups pane.

Procedure
To generate an agent build:
1. In the Enterprise Groups pane, select the group on which you want to base the agent build.
2. Right-click the group, and then select Desktop Protection → RealSecure Desktop → Generate RealSecure Desktop Build. The Generate RealSecure Desktop Build window appears.
3. Select the Agent Manager to which the Desktop agents in this build will report from the Agent Manager list.
4. Type a Description of the build.
5. Click OK.

Option 1, Task 2: Providing the Desktop Build to Employees

Introduction
You must make the agent build program file available to employees so that they can install Desktop on their computers.
The Agent Manager keeps track of builds and provides links to them from an Available Downloads Web page.

Desktop build Web page
By default, the Agent Manager creates new links on its Available Downloads Web page for each agent build. The location of the Available Downloads Web page is:
http://Agent_Manager_IP_address:8085
Note: The default port is 8085. You can change the default in the Agent Manager properties.

Procedure
To provide the link to the agent build:
1. Start a Web browser, and then go to the Desktop build Web page at http://Agent_Manager_IP_address:8085
2. In the File column, click the link to the build you want users to install.
3. Save the program to a shared network drive that the employees who need to install the build can access.
4. Send the location of the program file in an email message to your employees, together with instructions for installing the Desktop software.

Option 2: Installing a RealSecure Desktop Agent from the Deployment Manager

Introduction
You can install RealSecure Desktop from the Deployment Manager for single computers.

Updating RealSecure Desktop
The version of RealSecure Desktop on the Deployment Manager is not automatically updated through the XPU process like other agent software. If you want to update the version of RealSecure Desktop on the Deployment Manager, you must do it manually. Agents that you install from the Deployment Manager receive updated software and policies from the Agent Manager just like agents installed from an agent build.

Procedure
To install a Desktop agent from the Deployment Manager:
1. Start Windows Internet Explorer on the computer where you want to install an agent.
2. Type the location of the SiteProtector Main Menu (on the Deployment Manager computer) in the Address box in the following format: https://ip_address_or_server_name:3994/deploymentmanager/index.jsp
3. Press ENTER. The Deployment Manager Main Menu appears.
4. Select Install Agents → Install RealSecure Desktop.
5. Select the version to install from the RealSecure Desktop to be installed list, and then click Next.
6. Click Install.
7. The installation program prompts you for the account name, password, and the address of an Agent Manager.

Chapter 8: Installing Internet Scanner and System Scanner

Overview

Introduction
Scanners assess your network assets to identify vulnerabilities and system settings that can enable intruders to gain access to your network and your assets. Table 34 describes the two scanning software applications that SiteProtector supports:
Internet Scanner application: Performs vulnerability detection and analysis of devices on your network, identifying security risks that leave your network open to intrusion attempts.
System Scanner application: Identifies vulnerabilities inherent in your software and hardware, configuration elements that make your system vulnerable to attack, and configuration elements that do not comply with your information security policy.
Table 34: Scanning software applications supported in SiteProtector

Initial Configuration Checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 7. After you have installed all your agents and appliances as described in Part III, the next configuration task is Task 8, “Register any software that is not automatically registered.” See “Registering Software Managed by SiteProtector” on page 105.
In this chapter
This chapter contains the following sections:
Section | Page
Section A, "Installing the Internet Scanner Application" | 93
Section B, "Installing the System Scanner Application" | 97

SECTION A: Installing the Internet Scanner Application

Overview

Introduction
This section provides important information about installing the Internet Scanner application to work with SiteProtector. You can install Internet Scanner from the Deployment Manager, or you can install it from a separate Internet Scanner installation package.

If Internet Scanner is already installed
If you have already installed Internet Scanner and want to set it up to communicate with SiteProtector, you must set up the encryption keys as described on page 95.

Securing your Internet Scanner
ISS recommends that you use RealSecure Server sensor to protect the hosts that run RealSecure Network Sensor.

Task overview
Table 35 provides the tasks for installing Internet Scanner to work with SiteProtector:
Task | Description
1 | Add the Internet Scanner licenses to SiteProtector. See “Adding a License File” on page 104.
2 | Install Internet Scanner from the Deployment Manager.
Table 35: Tasks for installing Internet Scanner

In this section
This section contains the following topics:
Topic | Page
Using Internet Scanner with SiteProtector | 94
Setting Up Encryption Keys for an Existing Internet Scanner | 95

Using Internet Scanner with SiteProtector

Introduction
This topic explains how Internet Scanner and SiteProtector communicate. It also compares the advantages of the SiteProtector Console with the advantages of the Internet Scanner console.
Communication between SiteProtector and Internet Scanner
Figure 5 illustrates the flow of communication between SiteProtector, Internet Scanner, and the Internet Scanner console. Note that the Internet Scanner console, which is optional, communicates only with Internet Scanner and does not interact with SiteProtector.
Figure 5: Communication between Internet Scanner and SiteProtector

Advantages of the two Consoles
Table 36 describes the features and advantages of SiteProtector and the Internet Scanner console:
SiteProtector provides...
• the ability to simultaneously manage multiple remote scanners
• centralized data for consolidated reporting
• ease of maintenance
• a graphical user interface for scheduling scans
• administrative control over scanning activity
• access to vulnerability information in a multi-user environment
Internet Scanner console provides...
• the ability for a local administrator to run smaller scans (for example, to verify that a problem has been resolved)
• Internet Scanner’s predefined reports
• the ability for one user to scan relatively small environments
Table 36: Features and advantages of SiteProtector and the Internet Scanner console

Installation procedures
For detailed installation procedures for installing Internet Scanner, refer to the Internet Scanner Installation Guide.

Setting Up Encryption Keys for an Existing Internet Scanner

Introduction
If you installed Internet Scanner and the Internet Scanner console before you installed SiteProtector, you must manually set up encryption keys to enable Internet Scanner to communicate with these SiteProtector components:
● Event Collector
● sensor controller
This topic explains where to find the encryption keys and where to copy them.

Copying Event Collector keys
To copy the Event Collector encryption keys to the Internet Scanner 7.0 computer:
1.
Copy the keys as follows:
Copy | Key/Path | Computer
From | rs_eng_computer_name_xxx.PubKey at \Program Files\ISS\RealSecure SiteProtector\Event Collector\Keys\RSA\ | Event Collector
To | \Program Files\ISS\issSensors\sensor_name\Keys\RSA | Internet Scanner
2. If you have more than one Event Collector, repeat Step 1 for each Event Collector in the Site.

Copying sensor controller keys
To copy sensor controller encryption keys to the Internet Scanner computer, copy the keys as follows:
Copy | Key/Path | Computer
From | sp_con_computer_name_xxx.PubKey at Program Files\ISS\RealSecure SiteProtector\Application Server\Keys\RSA | Sensor controller
To | \Program Files\ISS\issSensors\sensor_name\Keys\RSA | Internet Scanner

SECTION B: Installing the System Scanner Application

Overview

Introduction
If you set up System Scanner to work with SiteProtector, you can analyze data from the System Scanner application in the SiteProtector Console. System Scanner communicates with SiteProtector through the System Scanner Databridge, which you must install.
Note: You cannot perform command and control functions on System Scanner from the SiteProtector Console.

What System Scanner does
The System Scanner application identifies the following:
● vulnerabilities inherent in your software and hardware
● configuration elements that make your system vulnerable to attack
● configuration elements that do not comply with your information security policy

Reference
This document assumes that your System Scanner is operational and that you are integrating it with SiteProtector to use SiteProtector’s analysis functionality. For information about how to install and use System Scanner, see the System Scanner user documents on the ISS Web site at http://www.iss.net/support/documentation/docs.php?product=22&family=9.
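The key-copy tables in this guide (the Event Collector and sensor controller keys for an existing Internet Scanner above, and the manual key import under “Importing Encryption Keys” on page 107) are the same file operation: take the sp_con_*.PubKey and rs_eng_*.PubKey files from the SiteProtector Keys folders and place them in the agent's Keys\provider folder, creating it when it does not exist. The Python helper below is an added example, not ISS code; it assumes both sides use the CerticomNRA and RSA provider subfolders named in the guide, and it refuses to replace an existing key of the same name whose contents differ unless you pass overwrite=True, because that would silently re-point the agent's trust to another controller or collector. The tree built by demo() is constructed sample data.

```python
"""Added example: copy SiteProtector public keys into an agent's Keys folder.

Assumptions (not from ISS): keys live in <source>/<provider>/ and must land in
<agent_keys>/<provider>/ for the providers named in the guide.
"""
import hashlib
import shutil
import sys
import tempfile
from pathlib import Path

# Encryption-provider subfolders named in the guide.
PROVIDERS = ("CerticomNRA", "RSA")
# Public-key file patterns named in the guide: sensor controller (sp_con_*) and
# Event Collector (rs_eng_*). Private key files never match these patterns.
KEY_PATTERNS = ("sp_con_*.PubKey", "rs_eng_*.PubKey")


def _digest(path):
    """SHA-256 of a file, used to tell an identical key from a different one."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_public_keys(source_keys_dir):
    """Return (provider, key_file) pairs found under <source_keys_dir>/<provider>/."""
    found = []
    for provider in PROVIDERS:
        provider_dir = Path(source_keys_dir) / provider
        if not provider_dir.is_dir():
            continue
        for pattern in KEY_PATTERNS:
            found.extend((provider, key) for key in sorted(provider_dir.glob(pattern)))
    return found


def import_keys(source_keys_dir, agent_keys_dir, overwrite=False):
    """Copy each public key into <agent_keys_dir>/<provider>/, creating the folder if missing.

    Returns {"copied": [...], "unchanged": [...], "conflict": [...]} holding destination
    paths as strings. "unchanged" means an identical file was already present; "conflict"
    means a different file with the same name is present and overwrite is False.
    """
    summary = {"copied": [], "unchanged": [], "conflict": []}
    for provider, key_file in find_public_keys(source_keys_dir):
        dest_dir = Path(agent_keys_dir) / provider
        dest_dir.mkdir(parents=True, exist_ok=True)  # "If this path is not there, create it."
        dest = dest_dir / key_file.name
        if dest.exists():
            if _digest(dest) == _digest(key_file):
                summary["unchanged"].append(str(dest))
                continue
            if not overwrite:
                # A different key under the same name means the agent currently trusts
                # another controller or collector instance; do not replace it silently.
                summary["conflict"].append(str(dest))
                continue
        shutil.copy2(key_file, dest)
        summary["copied"].append(str(dest))
    return summary


def demo():
    """Run the helper against a constructed key tree (sample data, not a real install)."""
    root = Path(tempfile.mkdtemp(prefix="sp_keys_"))
    source = root / "Application Server" / "Keys"
    for provider in PROVIDERS:
        (source / provider).mkdir(parents=True)
        # Constructed placeholder key material; real .PubKey files are opaque to this script.
        (source / provider / "sp_con_SPHOST_239.PubKey").write_bytes(
            b"constructed %s key" % provider.encode())
    # A private key beside the public ones must never be picked up by the patterns.
    (source / "RSA" / "sp_con_SPHOST_239.PrivKey").write_bytes(b"must never be copied")
    agent = root / "issSensors" / "network_sensor_1" / "Keys"

    first = import_keys(source, agent)          # fresh agent: both keys copied
    second = import_keys(source, agent)         # rerun: nothing to do
    # Simulate an agent that already trusts a different sensor controller.
    (agent / "RSA" / "sp_con_SPHOST_239.PubKey").write_bytes(b"key of another controller")
    conflict = import_keys(source, agent)       # refused without overwrite
    forced = import_keys(source, agent, overwrite=True)
    private_leaked = (agent / "RSA" / "sp_con_SPHOST_239.PrivKey").exists()
    shutil.rmtree(root)
    return {"first": first, "second": second, "conflict": conflict,
            "forced": forced, "private_leaked": private_leaked}


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        print(import_keys(sys.argv[1], sys.argv[2], overwrite="--overwrite" in sys.argv))
    else:
        print(demo())
```

Run it with the SiteProtector Keys folder and the agent's Keys folder as the two arguments; on a Unix sensor the same pattern applies to the /opt/ISS/issSensors path.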
In this section
This section contains the following topics:
Topic | Page
Using System Scanner with SiteProtector | 98
Installing the System Scanner Databridge | 99
Viewing System Scanner Events in SiteProtector | 101

Using System Scanner with SiteProtector

Introduction
This topic explains how System Scanner works with SiteProtector.

Required software
Table 37 describes the System Scanner software that is required for you to view System Scanner events in the Site Manager:
System Scanner software | Description
System Scanner Console | Identifies vulnerabilities inherent in your software and hardware, configuration elements that make your system vulnerable to attack, and configuration elements that do not comply with your information security policy.
System Scanner Databridge | Pulls events from the System Scanner Console, and then places the events into your SiteProtector database.
System Scanner agent | Runs scans, stores results, and generates alerts.
Table 37: Software required to view System Scanner events

Communication between SiteProtector and System Scanner
Figure 6 illustrates a simplified deployment of System Scanner, SiteProtector, and the System Scanner Databridge.
Figure 6: Sample System Scanner setup

Installing the System Scanner Databridge

Introduction
The System Scanner Databridge copies agent data from the System Scanner database to the SiteProtector database, enabling you to view System Scanner events through the Site Manager.

Installation processes
During the installation of the System Scanner Databridge, the auto-import feature exchanges the necessary authentication keys with the Databridge through the application server.
When the Databridge installation is complete, the system notifies SiteProtector that the Databridge has been installed, and the Databridge is automatically registered with SiteProtector.

Prerequisites
Before you install the System Scanner Databridge, install the following:
● System Scanner
● Microsoft Data Access Components (MDAC)
Note: You can install the correct version of MDAC from the Deployment Manager just before you install the Databridge.

Where to install the System Scanner Databridge
Install the System Scanner Databridge on the same computer as the System Scanner Console. You can install the System Scanner Databridge from the Deployment Manager or download it from the ISS Web site at http://www.iss.net/download/.

Procedure
To install the System Scanner Databridge:
1. Start Windows Internet Explorer on the computer where you want to install the System Scanner Databridge.
2. Type the location of the SiteProtector Main Menu (on the Deployment Manager computer) in the Address box in the following format:
https://ip_address_or_server_name:3994/deploymentmanager/index.jsp
3. Press ENTER.
The Deployment Manager Main Menu appears.
4. Find the System Scanner Databridge section.
5. If you have not already installed MDAC, use the link to install it now.
6. Click Install a System Scanner Databridge.
7. Select the version to install from the Internet Scanner Databridge to be installed list.
8. Select the Site to notify of the System Scanner Databridge installation from the SiteProtector to notify list, and then click Next.
The System Scanner Databridge Installation page appears and displays a unique Installation ID number that is used for automatic registration.
Note: If you cancel the installation and want to start it again, you must return to Step 6 to generate a new Installation ID number.
Important: If you have not yet installed SiteProtector for the Site you select, the following message appears: No SiteProtector information found; and the automatic registration does not take place.
9. Click Install.
The File Download window appears.
10. Select either the Run this program from its current location or the Open option, and then click OK.
11. Click Yes.
The InstallShield Wizard appears.
12. Click Next.
13. Read the license agreement, and then click I Accept.
14. Select the folder where you want to install the System Scanner Databridge files, and then click Next.
Note: ISS recommends that you use the default installation path.
15. If another Choose Destination Location window appears, select the folder where you want to install the ISS Daemon component, and then click Next.
16. Select the Enable Auto Key Import check box, and then click Next.
The Disable Authentication window appears.
17. Click Next.
Note: ISS recommends that you clear the Disable all authentication check box.
The Harden Security window appears.
18. Select the Lock Down the System check box, and then click Next.
The SP Application Server window appears.
19. Type the name of the computer where your application server is, or will be, installed, and then click Next.
The Cryptographic Setup window appears.
20. Click Next.
The System Scanner Databridge files are installed.
Note: You can use the Cryptographic Setup window to add or delete cryptographic providers. You can also change the order in which SiteProtector attempts to use cryptographic providers.
21. Click Finish on the InstallShield Wizard window.
After the installation is complete and the auto-registration is successful, a summary message appears: SiteProtector has been notified about this installation.
Reference: If the message does not appear, you must register the System Scanner Databridge manually. See “Registering Software Managed by SiteProtector” on page 105.

Viewing System Scanner Events in SiteProtector

Introduction
When you select an agent in the Enterprise Groups pane of the Site Manager, host information is listed in the Command pane of the Site Manager, including Sensor Type and Sensor Status.

Sensor type
The Sensor Type field identifies the type of sensor (for example, network sensor or Internet Scanner). SiteProtector assigns System Scanner agents a Sensor Type of External Sensor.
Note: If the Sensor Type is listed as Unknown Sensor, restart the SiteProtector Application Server service.

Sensor status
The Sensor Status field displays the current status of a sensor (for example, Active or Stopped). SiteProtector assigns System Scanner agents a status of Not Managed.

Agent command and control
You cannot perform command and control from SiteProtector on System Scanner hosts. If you attempt to perform command and control operations on any System Scanner host, the operation fails.

Chapter 9 Configuring SiteProtector Software

Overview

Introduction
This chapter contains procedures that you might use for different components, agents, or appliances, and procedures that you use only in specific circumstances.
In this chapter
This chapter contains the following topics:
Topic | Page
Adding a License File | 104
Registering Software Managed by SiteProtector | 105
Importing Encryption Keys | 107
Setting Up the Enterprise Dashboard for Multiple Sites | 109
Using a Different SSL Certificate for the Web Server | 111
Enabling Authentication for the Application Server | 113
Starting and Stopping a SiteProtector Service | 116

Adding a License File

Introduction
A license file gives you permission to use certain components within the system. You must add license files for some SiteProtector components to enable the components to communicate with one another.

Desktop licenses
You cannot add licenses for Desktop agents earlier than Proventia Desktop with the procedure in this topic. To add those licenses, see “Task 1: Adding a Desktop Agent License” on page 80.

Initial Configuration Checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 1. This task is optional, but it is recommended if you have any licenses to add to SiteProtector. The next configuration task is Task 2, “Update SiteProtector components if applicable XPUs are available.” See Chapter 18, “Updating Components and Agents” on page 245.

Prerequisites
You must have the license file and be able to access it from the computer you use to log on to SiteProtector. If you do not have the license file, contact licenses@iss.net.

Internet Scanner restriction files
The SiteProtector Console does not accept Internet Scanner licenses that use restriction files. If you intend to manage the Internet Scanner sensor from the SiteProtector Console, make sure you are using an Internet Scanner license that does not require a restriction file.
Reference: See the Internet Scanner User Guide.

Procedure
To add a license file:
1.
On the Site Manager Tools menu, select Manage Sensor Licenses.
2. Select the Licenses tab, and then click Add.
3. Type or browse to the license file to add, and then click OK.
Note: License files use .key and .isslicense as extensions.
The License Agreement window appears.
4. Read the license agreement, and then click I Accept.
5. Verify that the license file has been successfully added.
The License State field displays Newly Added until the license is fully processed.
6. Press F5 to refresh the information.
The License State field displays Key Good to indicate that the license key is valid.
7. Click Close.

Registering Software Managed by SiteProtector

Introduction
Components and agents must register with SiteProtector before SiteProtector can work with them. In most cases, registration occurs automatically during installation. In two cases you must manually register sensors and scanners:
● The sensor or the scanner was installed before SiteProtector was installed.
● The sensor or the scanner was installed without using the Deployment Manager.

Initial Configuration Checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 8, “Register any software that is not automatically registered.” This task is optional. The next configuration task is Task 9, “Configure the Desktop environment.” See Chapter 12, “Configuring the Desktop Environment” on page 159.

After registration
If you must register a sensor or a scanner, you might also have to manually import encryption keys. To avoid having to import encryption keys, enable the option to automatically import keys when you install the agent.
Note: If the agent does not appear in the Console after you install it, see “Importing Encryption Keys” on page 107.
Three methods
Table 38 describes the three methods for registering security components:
Registration Method | Description
Add Sensor Wizard | Adds a single agent on a single asset.
Automatic registration | Registers agents on one or more existing assets.
Manual | • Used by experienced SiteProtector users only. • Used to implement custom solutions such as Event Collector stacking.
Table 38: Sensor and scanner registration methods

If a component does not respond
A component may be running on a host that is unavailable for the following reasons:
● The issDaemon service is not running on the SiteProtector server or sensor host.
● You may have a license-related problem:
■ The appropriate software license file has not been registered with SiteProtector.
■ The registered software license file has expired for the applicable software.
■ The maximum number of sensors allowed by the software license file has been reached.
● Network connectivity problems exist between the SiteProtector server and the host.
● Public encryption keys have not been exchanged with the selected host.

Registering one agent on one asset
To register one agent on one asset:
1. In the Enterprise Groups pane, select the host or sensor you want to add.
2. On the Grouping menu, select Add Sensor Wizard.
3. Type the IP address or DNS name of the computer where the sensor is installed, and then click Next.
4. Select the Event Collector the sensor will report to, and then click Finish.
The Sensor Wizard Summary lists the sensors registered on this host.
5. Click Close.

Registering multiple agents on one or more assets
To register multiple agents on one or more assets:
1. In the Enterprise Groups pane, select the group containing the host(s) on which to register the components.
2. On the Asset tab, select the host on which to register the software.
3. On the Asset menu, select Automatically Register Software.
The Auto Register Software on Selected Asset(s) window appears.
4. For sensors, scanners, databridges, and appliances, select the Event Collector to monitor the component in the Select Event Collector for Registered Software list.
5. Click OK.
6. Select the Sensor tab.
The newly registered components appear.

Manually registering components
To manually register components:
1. In the Enterprise Groups pane, select the group containing the host(s) on which to register the software.
2. On the Asset tab, select the host on which you want to register software.
3. On the Asset menu, select Manually Register Software.
The Register Software on Site_Name window appears.
4. Type the Software type.
5. Type the Name of the sensor to register, and then click Add.
Note: You can select Query Host for Sensors to query the host for the sensor name.
6. Select the Event Collector for the registered software, and then click OK.
7. Click OK.
8. Select the Sensor tab.
The newly registered component appears.

Importing Encryption Keys

Introduction
During installation, the encryption keys required for components, agents, and appliances to communicate are usually copied to where they are needed. You can make sure this happens by selecting the automatic import option when you install the software. If automatic import fails for any reason, you must copy the keys yourself.

Two procedures
You can use either of two procedures to copy the keys. You can install the public key configurator to enable the auto-import feature, or you can copy the keys manually.

Enabling auto-import after installation
To set up the auto key import function:
1. From the Deployment Manager, select Install Agents.
The Sensor Installation page appears.
2. Select Install the public key configurator on my sensor or Internet Scanner agent.
The File Download window appears.
3. Select Run this program from its current location.
The Security Warning window appears.
4. Click Yes.
Step 1 of the Public Key Configuration Wizard appears.
5. Click Next.
The program stops the issDaemon service. You can only modify the settings for issDaemon operations when the service is stopped. Step 2 of the Public Key Configuration Wizard appears.
6. Enter the key administrator name representing the computer(s) that the sensor will accept authentication keys from, and then click Next.
Step 3 of the Public Key Configuration Wizard appears.
7. Select the Auto-Import check box, and then click Next.
The wizard activates the auto key import feature, which allows the daemon to accept public keys automatically. Step 4 of the Public Key Configuration Wizard appears.
8. Click Yes.
The service restarts, and then Step 5 of the Public Key Configuration Wizard appears.
9. Click Finish.

Manually importing the keys
To manually import authentication keys:
1. Copy the sp_con_computer_name_xxx.PubKey keys from these paths:
■ \Program Files\ISS\RealSecure SiteProtector\Application Server\Keys\CerticomNRA\
■ \Program Files\ISS\RealSecure SiteProtector\Application Server\Keys\RSA\
To these paths:
Agent Computer | Path
Network sensor | \Program Files\ISS\issSensors\network_sensor_1\Keys\encryption_provider (for Unix sensors: \opt\ISS\issSensors\sensor_name\Keys\encryption_provider)
Server sensor | \Program Files\ISS\issSensors\server_sensor_1\Keys\encryption_provider (for Unix sensors: \opt\ISS\issSensors\sensor_name\Keys\encryption_provider)
Databridges | \Program Files\ISS\issSensors\Internet_Scanner_Databridge\Keys\encryption_provider and \Program Files\ISS\Scanner6\Keys\encryption_provider
Note: If this path is not there, create it.
2.
Copy \Program Files\ISS\RealSecure SiteProtector\Event Collector\Keys\CerticomNRA\rs_eng_computer_name_239.PubKey to these paths:
Agent Computer | Path
Network sensor | \Program Files\ISS\issSensors\network_sensor_1\Keys\encryption_provider (for Unix sensors: \opt\ISS\issSensors\sensor_name\Keys\encryption_provider)
Server sensor | \Program Files\ISS\issSensors\server_sensor_1\Keys\encryption_provider (for Unix sensors: \opt\ISS\issSensors\sensor_name\Keys\encryption_provider)
Databridges | \Program Files\ISS\issSensors\Internet_Scanner_Databridge\Keys\encryption_provider

Setting Up the Enterprise Dashboard for Multiple Sites

Introduction
Setting up multiple Sites on the Enterprise Dashboard is optional. If you install SiteProtector at more than one Site, you must establish communication between the Sites if you want to access the data from the remote Site. After you establish communication between the Sites, the administrator at one Site can have full access to the other Sites.

Definition: central Site
The Site from which you want to access the data for other Sites and perform command and control functions for the other Sites is the central Site.

Initial configuration checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to set up SiteProtector for the first time, this is Task 12, “Set up the Enterprise Dashboard.” This task is optional. The next configuration task is Task 13, “Set up Database maintenance procedures.” See Chapter 16, “Maintaining the Site Database” on page 219.

Reference
See the following documentation for more information:
● SiteProtector Installation Guide, Chapter 10, “Configuring Firewalls for SiteProtector Traffic”
● SiteProtector Best Practices Guide, for additional information about multiple Site deployments.

User role
You must be a SiteProtector Administrator to set up the Enterprise Dashboard.

Procedure
To set up a remote Site:
1.
Log on to the Site that you want to use as the central Site.
2. On the Connection menu of the Console, select New Enterprise Dashboard.
3. In the Enterprise Groups pane, right-click the Site node, and then select Add Site from the pop-up menu.
4. Type the following information about the Site:
■ name
■ IP/DNS
■ port
■ description
5. Select the Attempt to Connect option.
6. Select the Schedule loading data option.
7. Click OK.
8. Type your user name and password to log on to the remote Site, and then click OK.
Note: The user login is required the first time you contact an added Site.
The Default Data Load Schedule window appears.
9. Select the frequency with which you want to load data, and then click OK.
The Site Contacted window appears.
10. Click OK.
The Site appears in the Enterprise Groups pane beneath the folder you selected.
11. If you want to force Administrators to log on to the Site, go to Step 14.
12. Right-click the new Site, and then select Manage User Access Control from the pop-up menu.
13. Clear the Force all users to login when drilling down to a site check box on the User Access tab, and then click OK.
After you establish the connection to the Site, any SiteProtector Administrator or Analyst can access the Site’s data without logging in.
Note: This option overrides access control.
14. On the Site menu, select Drill Down to Site to view the details.
15. If you restricted administrators from accessing Site data without logging in, type your logon name and password.

Using a Different SSL Certificate for the Web Server

Introduction
The SSL certificate for the Web server enables secure communication between the Web browser and the Web server. A Web Server certificate is installed when you install SiteProtector.
You can replace the installed certificate with another, which may be required by your organization’s security policy. The certificate you use can have the same name or a different name.

Initial Configuration Checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 3. This task is optional. The next configuration task is Task 4, “Add assets to SiteProtector (including with Active Directory).” See Chapter 11, “Adding Assets to SiteProtector” on page 143.

Requirement
The certificate you use must be a PEM-encoded certificate.

Reference
For help in creating a certificate request, contact your System Administrator. For more information about Apache/SSL, go to http://httpd.apache.org/docs-2.0/

Replacing the certificate
To replace the existing certificate:
1. Stop the Web server service.
2. Copy the replacement certificate and key files that have the same name as the current key files to the following locations:
File Type | Path
Server certificate | \Program Files\ISS\RealSecure SiteProtector\Application Server\webserver\Apache2\conf\ssl.crt\server.crt
Server key | \Program Files\ISS\RealSecure SiteProtector\Application Server\webserver\Apache2\conf\ssl.key\server.key
Important: ISS recommends that you make a backup copy of the ISS-provided certificate and encryption key files before you replace them.
3. Restart the Web server service.

Adding a new certificate
To add a new certificate:
1. Stop the Web server service.
2. Copy the new certificate and key files to the following paths:
File Type | Path
Server certificate | \Program Files\ISS\RealSecure SiteProtector\Application Server\webserver\Apache2\conf\ssl.crt\
Server key | \Program Files\ISS\RealSecure SiteProtector\Application Server\webserver\Apache2\conf\ssl.key\
3. Open SSL.conf.
Tip: The path of the file is \Program Files\ISS\RealSecure SiteProtector\Application Server\webserver\Apache2\conf.
4. Find the references to server.crt and server.key and change them to your certificate and key file names.
5. Save and close SSL.conf.
6. Restart the Web server service.

Enabling Authentication for the Application Server

Introduction
SiteProtector uses Secure Sockets Layer (SSL) to provide encrypted communication between the SiteProtector Console and the application server. Encryption is always turned on. You may also want to use SSL certificate authentication to ensure that the server to which you are connecting authenticates itself.
Note: SSL certificate authentication is disabled by default because it requires the purchase of third-party software certificates. To enable SSL certificate authentication, install a root-signed certificate for your Site.
Important: Only the System Administrator in charge of setting up the system should use this procedure.

Prerequisite
You must purchase a root signature for your SiteProtector SSL certificate from a trusted third-party certificate authority, such as VeriSign or Thawte. The certificate must support the Sun Java Runtime Environment (JRE).

Encrypted certificates
If you provide an encrypted certificate, you must update SiteProtector with the passphrase for the certificate by doing the following:
1. Go to the following folder: application_server_installation_dir\bin\
2. Run the following utility: instutil -w new_passphrase
Note: new_passphrase is the new password. This securely stores your certificate passphrase for SiteProtector to use with the SiteProtector Web Service.

Reference
A keytool manages certificates from trusted entities and a database of private keys and their certificate chains.
You can find documentation about the keytool at the following Web site: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Procedure
To enable SSL certificate authentication:
1. On the Console Connection menu, select Preferences.
2. Select the Security tab.
3. Select Maximum, and then click Apply.
4. Access the keytool command line utility that manages Java key-stores.
Note: The keytool is located in the folder where you installed the Java SDK, as follows: \Program Files\ISS\RealSecure SiteProtector\bin\keytool.exe
5. Use the keytool utility to create a new key-store, certificate, and key pair. For example, to create a key-store named MyKeystore with an alias MyKeys, run the following command:
keytool -genkey -alias MyKeys -keystore MyKeystore
The “alias” is the name of your new SSL key and certificate in the key-store. MyKeystore is the generated file.
Note: Remember your password for the key-store because you will need it to access the key-store.
6. Use the keytool utility to create a certificate request for the alias. For example, to create a certificate request for the alias created in Step 5, run the following command:
keytool -certreq -alias MyKeys -keystore MyKeystore -file MyRequest.csr
The output file, MyRequest.csr, contains the MIME64-encoded certificate request needed in Step 7.
7. Contact the third-party certificate authority (supported by Java) to obtain a root-signed certificate with your certificate request. The request file that you present to the certificate authority is a base64-encoded PKCS #10 file. The certificate authority sends a root-signed certificate reply file to you.
8. Use the keytool utility to import the new root-signed certificate into your key-store.
For example, to import a certificate for the keys created in Step 5, run the following command:
keytool -import -alias MyKeys -keystore MyKeystore -file CertReply
The CertReply file is the certificate reply from the certificate authority obtained in Step 7.
9. Create a folder named backup in Program Files\ISS\RealSecure SiteProtector\Application Server\Config, and then copy the following files from the config folder to the backup folder:
■ add.properties
■ config.properties
■ spsslkeys.ks
Note: If you make a mistake when performing this procedure, you can use these files to restore the system to its original configuration by copying them into the config folder from backup, and then restarting the application server.
10. Copy your new key-store to the computer where the SiteProtector Core is installed, in Program Files\ISS\RealSecure SiteProtector\Application Server\Config.
11. Locate the config.properties file in Program Files\ISS\RealSecure SiteProtector\Application Server\Config, and then open it in a text editor.
12. Locate the property with the iss.security.keystore name, and then set the value to the name of your key-store. In the example, use the key-store created in Step 5 and type the following:
iss.security.keystore=MyKeystore
13. Click Save, and then click Close.
14. Open a command prompt, and then open Program Files\ISS\RealSecure SiteProtector\Application Server\bin.
15. Run instutil -u <password> to set the key-store password in the application server startup configuration. In the example, the system prompted for this password when you created the MyKeystore key-store in Step 5.
16. Stop, and then start the application server.
The application server now runs with the SSL keys and certificate you installed.
17. Start the SiteProtector Console.
Reference: See “Logging on to the Console and the Site Manager” on page 28 for instructions.
18.
In the Security tab, and then select the Maximum option. The SiteProtector Console now allows only connections to an application server that has a root signed certificate. 19. Click Apply, and then OK. Restoring the original If you made a mistake during this procedure, you can restore the system to its original configuration as follows: 1. Copy the files listed in Step 9 in the previous procedure into the config folder from the backup file. 2. Restart the application server. SiteProtector User Guide for Security Managers Version 2.0, SP5.2 115 Chapter 9: Configuring SiteProtector Software Starting and Stopping a SiteProtector Service Introduction After you make certain configuration changes, you must stop and restart one or more SiteProtector services. Procedure To stop and restart a service: 1. Click Start on the taskbar, and then select SettingsÆ Control Panel. 2. Double-click Administrative Tools, and then double-click Services. 3. Right-click the service in the right pane, and then select an action from the pop-up menu: 116 ■ Start ■ Stop ■ Restart Chapter 10 Configuring the SecurityFusion Module Overview Introduction This chapter explains how to configure the SecurityFusion Module. Some tasks are required. Other tasks are optional but may be necessary to ensure that you configure the Module appropriately for your Site. The checklists in this chapter provide an outline of configuration tasks for the SecurityFusion Module. What is the SecurityFusion Module? The SecurityFusion Module increases your ability to quickly identify and respond to critical threats at your Site. Using advanced correlation and analysis techniques, the Module escalates high impact attacks and critical attack patterns to help you focus on the most important attack activity. 
When an intrusion detection sensor detects an attack, the SecurityFusion Module correlates the attack with information about the host, such as operating system, vulnerabilities, and responses taken by host agents, to determine the success or failure of the attack. The Attack Pattern component recognizes patterns of event activity that indicate serious security incidents, such as targeted network break-in attempts or attack activity from compromised hosts. These patterns of attacks are consolidated into single incidents, which makes dealing with streaming event data much more manageable.
Note: The SecurityFusion Module is a separately purchased add-on component for SiteProtector.
Before you log in
You must install the SecurityFusion Module as described in the SiteProtector Installation Guide, and the Module must appear with a status of Active in the Sensor tab.
Prerequisite for correlation
SecurityFusion correlates events from intrusion detection/prevention agents with events from scanning agents. Before the Module can correlate events, you must set up SiteProtector to collect these events from the hosts you want to protect.
When to configure
You can configure the Module either before or after you set up SiteProtector. The Module cannot correlate events, however, until SiteProtector is set up to gather them.
In this chapter
This chapter contains the following sections:
● Section A, "Setting up a Policy and Defining Assets"
● Section B, "Configuring Responses"
● Section C, "Additional Configuration Tasks"

SECTION A: Setting up a Policy and Defining Assets
Overview
Introduction
You must create a custom SecurityFusion policy. At a minimum, you must specify which assets to cover with SecurityFusion licenses. In addition, you can configure responses, parameters for attack patterns, and other SecurityFusion options.
Task overview
Table 39 describes the tasks for setting up a policy and defining assets:
Table 39: Tasks for setting up policies and defining assets
  Task 1  Create a policy.
  Task 2  Define hosts.
  Task 3  Apply the policy.
  Task 4  Verify that the SecurityFusion Module is working.
Related documentation
For information about how to create and apply a policy, refer to the SiteProtector Help.
The SecurityFusion policy
You create a custom SecurityFusion policy just as you would create a policy for other agents. Derive the policy from the default policy, FusionPolicy. For detailed instructions about creating policies, see the SiteProtector Help.
In this section
This section contains the following topics:
● SecurityFusion Licenses
● Asset Specifications for SecurityFusion Correlation
● Importing Assets from a Host File
● Manually Specifying Assets for SecurityFusion Correlation
● Specifying Hosts with Multiple IP Addresses
● Deleting Assets
● Verifying that the SecurityFusion Module is Working

SecurityFusion Licenses
Introduction
Your license agreement for the SecurityFusion Module allows you to protect a specific number of hosts with SecurityFusion correlation. A license enables both impact analysis and attack pattern correlation. You must specify which assets can use SecurityFusion licenses in the SecurityFusion policy.
Important: The Module will not correlate events until you specify hosts.
How the Module allocates licenses
The Module allocates licenses at startup based on the following:
● the order in which hosts are specified for licensing in the SecurityFusion policy
● whether SiteProtector knows of the host, which is the case if one of the following applies:
  ■ The host belongs to a group in Site Manager.
  ■ An Internet Scanner scan identified the host.
  ■ SiteProtector received an event for which the host was either the source or the target.
License compliance
To understand more about SecurityFusion licenses, see the Help in the SecurityFusion policy.
Guidelines for proxy servers
If you use a proxy server for Internet access, do not include the IP address of the server in your list of hosts. If you do, you may see the following false alarms:
● Traffic into the proxy may be interpreted as incoming attacks directed at the proxy.
● Traffic out of the proxy may be interpreted as outgoing attacks originating at the proxy.
Including a proxy for SecurityFusion correlation can cause false alarms in either of the following cases:
● The proxy is both the source and the target of the attack.
● The source of the attack is a licensed IP address, and the target of the attack is the proxy.
Using DHCP addresses
When you use DHCP, IP addresses are assigned dynamically, so a host may use a different IP address each time it logs on to the network. Dynamic assignment of IP addresses may affect your use of licenses. The exact impact at your Site depends on the size of the range and the number of hosts that use the range. ISS recommends that you use static IP addresses for critical hosts and purchase enough licenses to cover all IP addresses in the range used by DHCP.

Asset Specifications for SecurityFusion Correlation
Two methods
You can specify assets in the SecurityFusion policy either by typing the assets into the policy or by importing the hosts from a host file (.hst).
Requirements for IP addresses
IP addresses must meet the following requirements:
● Each IP address must be valid.
  Note: Each IP address does not have to be in use.
● Each computer that you specify by name must be accessible so that the Module can determine its IP address.
Detailed formats for IP addresses
Table 40 describes the formats for typing IP addresses into the "IPs (single or ranges), host names, and URLs to validate" box:
Table 40: Formats for IP addresses
  To define a single host:
    IP address in dotted decimal notation                  1.1.1.1
    DNS name                                               host-a.example.microsoft.com
    computer name (a)                                      MailServer01
    Web address (b)                                        www.iss.net
  To define a range of hosts:
    IP address that includes a wild card (*)               1.1.1.*
    IP address in CIDR format                              1.1.1.1/24
    the first and last IP address separated by a hyphen    1.1.1.1-1.1.1.100, 1.1.2.1-1.1.3.1
  (a) The Module translates the computer name into an IP address.
  (b) The Module translates the Web address into an IP address.

Importing Assets from a Host File
Introduction
If you already have a host file (.hst) available, you can import lists of assets from that file into SecurityFusion.
Host files
You can generate a host file with Internet Scanner or create one yourself. For either method, use the formats for host names and addresses explained in "Detailed formats for IP addresses" on page 121.
Procedure
To import assets from a host file:
1. Open your custom SecurityFusion policy for editing.
2. In the left pane, select Host Configuration.
3. In the right pane, click Import Host File.
4. Locate the host file (.hst), and then click Import. The content of the file appears in the "IPs (single or ranges), host names, and URLs to validate" box.
5. Click Validate Hosts. The valid IP addresses move to the "The following hosts are available for SecurityFusion correlation" box.
6. If there were any errors in your IP addresses, correct them, and then repeat Step 5.
7. On the File menu, select Save, and then click the Close button.
Note: If you did not modify the active policy, you must manually apply the policy to make it active.
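The following script is an added example, not part of this guide or of the SecurityFusion Module's own code. It parses a host file in the Table 40 formats the way the Validate Hosts step must (rejecting malformed addresses and reversed ranges), flattens the accepted entries so that an address listed twice counts once at its first position, then hands out a licence budget in list order to the addresses SiteProtector already knows about, and finally flags the two guideline problems above: a proxy in the host list, and a DHCP pool that the list only partly covers. The sample host-file lines, the name table that stands in for DNS resolution (so the script runs offline), the 65536-address expansion limit, and the reading that unknown hosts do not consume a licence are all assumptions of this example.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample host file (.hst) content; these addresses are not from the guide.
SAMPLE_HOST_FILE = """\
10.0.1.1
10.0.1.*
10.0.2.0/29
10.0.3.1-10.0.3.5
MailServer01
10.0.1.1
10.0.3.1-10.0.3.5
999.1.1.1
10.0.4.10-10.0.4.1
"""

# Stand-in for name resolution so the example runs offline (constructed names).
# A real implementation would call socket.gethostbyname() here.
NAME_TABLE: Dict[str, str] = {"mailserver01": "10.0.5.1", "www.example.com": "10.0.5.2"}

MAX_EXPANSION = 65536  # our own safety limit: refuse to expand anything wider than a /16
_RANGE = re.compile(r"^(\S+)-(\S+)$")


def _network_hosts(net: ipaddress.IPv4Network) -> List[str]:
    if net.num_addresses > MAX_EXPANSION:
        raise ValueError(f"range too large to expand: {net}")
    return [str(a) for a in net]


def expand_spec(spec: str) -> List[str]:
    """Expand one Table 40 host specification into the IPv4 addresses it covers.
    Raises ValueError for anything the Validate Hosts step would reject."""
    spec = spec.strip()
    if "/" in spec:                                   # CIDR, e.g. 1.1.1.1/24
        # strict=False accepts host bits in the address, as the guide's example does
        return _network_hosts(ipaddress.ip_network(spec, strict=False))
    if "*" in spec:                                   # wild card, e.g. 1.1.1.*
        octets = spec.split(".")
        fixed = [o for o in octets if o != "*"]
        if len(octets) != 4 or octets[len(fixed):] != ["*"] * (4 - len(fixed)):
            raise ValueError(f"wild cards must be trailing octets: {spec}")
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return _network_hosts(ipaddress.ip_network(f"{base}/{8 * len(fixed)}"))
    m = _RANGE.match(spec)
    if m:                                             # first-last, e.g. 1.1.1.1-1.1.1.100
        try:
            first, last = (ipaddress.IPv4Address(p) for p in m.groups())
        except ValueError:
            first = last = None                       # a hyphenated DNS name, not a range
        if first is not None:
            if last < first:
                raise ValueError(f"range end precedes range start: {spec}")
            return [str(first + i) for i in range(int(last) - int(first) + 1)]
    try:                                              # single dotted-decimal address
        return [str(ipaddress.IPv4Address(spec))]
    except ValueError:
        if re.fullmatch(r"[\d.]+", spec):
            raise ValueError(f"invalid IP address: {spec}")
    addr = NAME_TABLE.get(spec.lower())               # computer name, DNS name or Web address
    if addr is None:
        raise ValueError(f"cannot resolve name: {spec}")
    return [addr]


def validate_hosts(text: str) -> Tuple[List[Tuple[str, List[str]]], List[Tuple[str, str]]]:
    """Mimic the Validate Hosts button: accepted (spec, addresses) and rejected (spec, reason)."""
    accepted: List[Tuple[str, List[str]]] = []
    errors: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append((line, expand_spec(line)))
        except ValueError as exc:
            errors.append((line, str(exc)))
    return accepted, errors


def unique_in_order(accepted: List[Tuple[str, List[str]]]) -> List[str]:
    """Flatten accepted specs; an address listed twice (overlapping ranges) counts once, at its first position."""
    seen: Set[str] = set()
    ordered: List[str] = []
    for _, addresses in accepted:
        for addr in addresses:
            if addr not in seen:
                seen.add(addr)
                ordered.append(addr)
    return ordered


def allocate_licenses(ordered: List[str], known: Set[str], licenses: int) -> Tuple[List[str], List[str]]:
    """Hand out licences in list order to addresses SiteProtector knows (grouped, scanned, or seen in an event).
    Assumption of this example: an address SiteProtector does not know consumes no licence."""
    licensed: List[str] = []
    unlicensed: List[str] = []
    for addr in ordered:
        if addr in known:
            (licensed if len(licensed) < licenses else unlicensed).append(addr)
    return licensed, unlicensed


def coverage_warnings(ordered: List[str], proxies: List[str], dhcp_pool: str) -> List[str]:
    """Flag a licensed proxy (false-alarm source) and a DHCP pool that is only partly licensed."""
    warnings: List[str] = []
    listed = set(ordered)
    for proxy in proxies:
        if proxy in listed:
            warnings.append(f"proxy {proxy} is in the host list; expect false alarms on traffic through it")
    pool = {str(a) for a in ipaddress.ip_network(dhcp_pool)}
    missing = pool - listed
    if missing:
        warnings.append(f"{len(missing)} of {len(pool)} addresses in DHCP pool {dhcp_pool} are not licensed")
    return warnings


if __name__ == "__main__":
    ok, bad = validate_hosts(SAMPLE_HOST_FILE)
    hosts = unique_in_order(ok)
    print(f"{len(hosts)} unique addresses, {len(bad)} rejected lines: {bad}")
    print(allocate_licenses(hosts, {"10.0.1.1", "10.0.1.7", "10.0.2.3", "10.0.3.2"}, 3))
    print(coverage_warnings(hosts, ["10.0.1.254"], "10.0.3.0/29"))
```

Run against the sample file, the wild card 10.0.1.* re-lists 10.0.1.1 and the second 10.0.3.1-10.0.3.5 duplicates the first, so 270 unique addresses survive from nine lines, two of which are rejected. With three licences and four known hosts, 10.0.3.2 is left unlicensed because it comes after the others in the list, which is the ordering effect the guide describes.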
Manually Specifying Assets for SecurityFusion Correlation
Introduction
If you have not generated or created a host file (.hst), you can specify assets in SecurityFusion using single IP addresses, IP address ranges, computer names, or DNS names.
Procedure
To specify hosts for SecurityFusion correlation:
1. Open your custom SecurityFusion policy for editing.
2. In the left pane, select Host Configuration.
3. In the right pane, type the names and addresses of your assets in the "IPs (single or ranges), host names, and URLs to validate" box.
   Important: Specify host names, IP addresses, or DNS names as explained in "Detailed formats for IP addresses" on page 121.
   Note: If you list the same IP address more than once, for example in overlapping ranges, SiteProtector counts only the first occurrence in the list.
4. Click Validate IPs. The valid IP addresses move to the "The following hosts are available for SecurityFusion correlation" box.
5. If there were any errors in your IP addresses, correct them, and then repeat Step 4.
6. On the File menu, select Save, and then click the Close button.
Note: If you did not modify the active policy, you must manually apply the policy to make it active.

Specifying Hosts with Multiple IP Addresses
Introduction
The SecurityFusion Impact Analysis component can correlate events that occur on multihomed systems, that is, systems that have more than one network interface card. By default, SecurityFusion treats each IP address as a separate host, but you can configure SecurityFusion to treat multiple IP addresses as a single host so that events on any of those IP addresses are correlated together.
Procedure
To specify a host with multiple IP addresses:
1. Open your custom SecurityFusion policy for editing.
2. In the left pane, select Host Configuration.
3. In the right pane, scroll to the Multi-Homed Systems (MHS) Configuration box.
4. Click Add.
5. On the MHS Configuration dialog, type a host Name.
6. Type two or more IP Addresses, separated by commas or hard returns, and then click OK.
7. Repeat Steps 4 through 6 to add more multi-homed systems.
8. On the File menu, select Save, and then click the Close button.
Note: If you did not modify the active policy, you must manually apply the policy to make it active.

Deleting Assets
Introduction
To make licenses available to other assets, or if assets are removed from your network, you may need to delete the assets from the list of hosts.
Procedure
To delete hosts from the list of hosts for SecurityFusion correlation:
1. Open your custom SecurityFusion policy for editing.
2. In the left pane, select Host Configuration.
3. In the right pane, select the host(s) that you want to delete in the "The following hosts are available for SecurityFusion correlation" box, and then click Delete. The host(s) are deleted.
   Note: You can delete only a whole line of hosts. If the line contains hosts that you want to keep, delete the line, and then add back the hosts to keep.
   Tip: Use the CTRL and SHIFT keys to select multiple lines or a range.
4. On the File menu, select Save, and then click the Close button.
Note: If you did not modify the active policy, you must manually apply the policy to make it active.

Verifying that the SecurityFusion Module is Working
Introduction
To verify that the SecurityFusion Module is working, you can check its status and then look for specific SecurityFusion event statuses in the Status column of the Analysis tab.
Note: You can find a list of statuses in the SiteProtector Help.
Prerequisites
If the Module does not appear to be working, make sure that you have met the following requirements:
● You must have specified hosts for the Module to correlate.
● You must have enabled impact analysis and attack pattern correlation in the SecurityFusion policy.
  Note: All Module functions are enabled by default at installation.
● SiteProtector must be collecting the vulnerability and IDS data for the specified hosts.
  Note: If you have not already set up SiteProtector to scan and monitor hosts, see "Vulnerability and IDS Data" in the SiteProtector Help.
Procedure
To verify that the Module is working:
1. In the Enterprise Groups pane, select the SecurityFusion computer, and then select the Sensor tab. If you have just installed the Module, it may take some time for it to appear.
2. If Active does not appear in the Status column, review the prerequisites listed above to ensure that all the requirements are in place.
3. Select a view for correlated events.
4. The Module is working if any of the SecurityFusion statuses appear in the Status column.
   Note: The statuses Failed attack (blocked by Proventia appliance), Failure likely (rolled-back change), and Simulated block (Proventia appliance in simulation mode) are determined by sensors and appliances. They may appear whether or not the SecurityFusion Module is working, so do not take them as evidence that the Module is correlating.
5. If Unknown impact (SecurityFusion not enabled) appears in the Status column, the Event Collector is not configured correctly; or, in a multi-Event Collector environment, at least one Event Collector is not configured correctly.

SECTION B: Configuring Responses
Overview
Introduction
The following tasks are recommended for configuring responses to correlated events. Depending on your Site configuration, you can decide which tasks to perform.
Note: For more information about responses, see "Managing Policies and Responses" on page 163.
Prerequisite
To use email, SNMP, or user-specified responses, you must create a response file before you can set up responses. Responses for the SecurityFusion Module are actually issued by the Event Collector computer, so you must apply the SecurityFusion response file to each Event Collector. See the SiteProtector Help if you need instructions about creating a response file.
In this section
This section contains the following topics:
● Adjusting Severity Based on Event Impact
● Displaying Events in Site Manager
● Logging Events to the SiteProtector Database
● Sending Email and SNMP Responses
● Configuring User-Specified Responses
● Responding to Server Sensor Correlated Events

Adjusting Severity Based on Event Impact
Introduction
You can configure the SecurityFusion Module to change the severity of correlated events as follows:
● to reduce false alarms, lower the severity
● to emphasize an attack, raise the severity
Default response
The default is to use the severity set by the sensor policy.
Attacks that fail or are likely to fail
Table 41 describes the severity adjustment options (in the Adjust severity to list) for events that fail or are likely to fail:
Table 41: Severity options for events likely to fail
  Low                Sets the severity of the event to Low.
  Medium             Sets the severity of the event to Medium.
  (One level lower)  Sets the severity of the event to one level lower than the original severity.
  (Do not adjust)    Does not change the severity of the event. This is the default response.
Attacks that succeed or are likely to succeed
Table 42 describes the severity adjustment options (in the Adjust severity to list) for events that succeed or are likely to succeed:
Table 42: Severity options for events likely to succeed
  High               Sets the severity of the event to High.
  Medium             Sets the severity of the event to Medium.
  (One level lower)  Sets the severity of the event to one level lower than the original severity.
  (Do not adjust)    Does not change the severity of the event. This is the default response.

Displaying Events in Site Manager
Introduction
You can configure the SecurityFusion Module to display or not display correlated events in Site Manager as follows:
● to reduce false alarms, do not display the event
● to emphasize an attack, display the event
Default response
The default is to use the response set by the sensor policy.
Display options
Table 43 describes the options (in the Modify DISPLAY to list) for displaying correlated events:
Table 43: Display options for correlated events
  Off              Does not display the event in Site Manager.
  On               Displays the event in Site Manager.
                   Important: You must turn on both DISPLAY and LOGDB before SiteProtector can display events in Site Manager.
  (Do not adjust)  Uses the response that is set for the sensor in the sensor policy.

Logging Events to the SiteProtector Database
Introduction
You can configure whether or not to save correlated events in the SiteProtector database (LOGDB). Use this response to ensure that you save only important events, regardless of the sensor response.
Default response
The default is to use the response set by the sensor policy.
Logging options
Table 44 describes the options (in the Modify LOGDB to list) for saving correlated events in the Site database:
Table 44: Logging options for correlated events
  Off              Does not log the event to the Site database.
  On               Logs the event to the Site database.
                   Important: You must turn on both DISPLAY and LOGDB before SiteProtector can display events in Site Manager.
  (Do not adjust)  Uses the response that is set for the sensor in the sensor policy.

Sending Email and SNMP Responses
Introduction
You can configure the SecurityFusion Module to emphasize correlated events by sending email and SNMP responses.
Default response
Email and SNMP responses are not sent unless you configure them.
Prerequisites
To send email and SNMP responses, you must have already done the following:
● created a custom policy file for the SecurityFusion Module
● created a custom response file for the Event Collector and pushed it to the Event Collector
● specified in the SecurityFusion custom policy the response from the Event Collector's response file
● applied the SecurityFusion custom policy to the SecurityFusion Module
Note: The name of the default SecurityFusion response file is Event Collector Response.Policy.
Procedure
To configure an email or an SNMP response:
1. Open your custom SecurityFusion policy for editing.
2. In the left pane, expand Impact Analysis Component Settings.
3. Do one of the following:
   ■ To change the response for failed attacks, select Responses for Failed Attacks.
   ■ To change the response for successful attacks, select Responses for Successful Attacks.
4. Select the check box next to the type of response you want to send:
   ■ EMAIL
   ■ SNMP
5. Does an arrow appear in the Response Name column?
   ■ If yes, go to Step 6.
   ■ If no, go to Step 7.
6. If you want to choose a different response, click the arrow, and then select another response. The name of the response you chose appears in the Response Name column.
7. If you want to make additional policy changes, refer to the following topics in the SiteProtector Help:
   ■ Overview: SecurityFusion Licensing
   ■ Overview: Managing Vulnerability Data
   ■ Overview: Responses Based on Event Impact
8. On the File menu, select Save, and then click the Close button. One of the following occurs:
   ■ If you modified the active policy, either a job automatically starts to apply the policy or a prompt appears for you to choose whether to apply the policy.
   ■ If you did not modify the active policy, you must apply the policy manually to make it active.

Configuring User-Specified Responses
Introduction
You can configure the SecurityFusion Module to run system commands or your own programs in response to correlated events.
Default response
User-specified responses are not taken unless you configure them.
Prerequisites
In addition to the prerequisites for email and SNMP responses, you must do the following to use custom programs for user-specified responses:
● Copy the custom program file onto the sensors that you want to run it.
● Copy the custom program file into the path specified for the response in the custom response file.

Responding to Server Sensor Correlated Events
Introduction
For a small number of events, the server sensor itself correlates the event with host vulnerability data. By default, the SecurityFusion Module does not apply its responses to these events, but you can configure the Module to do so.
Background
For a small number of server sensor signatures (starting with version 6.5), the server sensor correlates events with host vulnerability data and determines a vulnerability status. In the server sensor policy, however, you cannot configure different responses based on host vulnerability. Consequently, the responses for these events may not be consistent with those that the SecurityFusion Module applies to events with the same vulnerability status.
Procedure
To apply SecurityFusion responses to server sensor correlated events:
1. Open your custom SecurityFusion policy for editing.
2. In the left pane, expand Impact Analysis Component Settings.
3. Select Options.
4. Select the "Apply SecurityFusion logic to server sensor alerts that correlate vulnerability information at the server" check box.
5. On the File menu, select Save, and then click the Close button.
Note: If you did not modify the active policy, you must manually apply the policy to make it active.

SECTION C: Additional Configuration Tasks
Overview
Introduction
The SecurityFusion Module provides additional settings that you can configure based on your Site needs.
In this section
This section contains the following topics:
● Tasks for Configuring Vulnerability Data
● Configuring Vulnerability Data
● Customizing Parameters for Attack Patterns
● Encrypting Communications with the SiteProtector Database

Tasks for Configuring Vulnerability Data
Introduction
The SecurityFusion Module requires current host vulnerability assessment data to accurately estimate the impact of events. Depending on your needs, you can configure how the Module uses vulnerability assessment data and how long the Module considers it current.
Task overview
Table 45 describes the tasks for configuring vulnerability assessment data:
Table 45: Tasks for configuring vulnerability assessment data
  Task 1  Limit how long the SecurityFusion Module considers scanned vulnerability assessment data up to date and uses it to correlate events.
  Task 2  For Sites that use both network- and host-based scanners, choose whether to use the most recent scan data or the data from either the network- or the host-based scanner when both are available.
  Task 3  Scan the hosts that you want to protect with SecurityFusion correlation.

Configuring Vulnerability Data
Introduction
To accurately estimate the impact of an event, the SecurityFusion Module needs up-to-date host vulnerability assessment data. To ensure that your vulnerability data is current, you can set up the Module to ignore data that is older than is acceptable for your Site. Then set up your scanning schedule so that hosts are rescanned before their vulnerability data expires.
Default setting
The default setting is 60 days.
How this option works: impact on event status
The Module checks the age of the vulnerability and operating system data for each event, and then does one of the following:
● If the data has not expired, the Module correlates the event.
● If the data has expired, the Module returns the status Unknown impact (not scanned recently) and does not correlate the event.
Choosing a default vulnerability data source
By default, the SecurityFusion Module uses the most recent vulnerability data available (on a check-by-check basis), whether the data is from a network-based or a host-based scanner. You can, however, configure the Module to prefer one source of data over the other when both are available and current.

Customizing Parameters for Attack Patterns
Introduction
The SecurityFusion policy contains the definitions of the attack patterns that the Module can identify. You can do the following:
● Enable all or selected attack patterns.
● Where available, define configurable options for individual attack patterns.
Types of attacks
The SecurityFusion Module searches for attack patterns and identifies attacks that involve more than one event. For supported attack patterns, the SecurityFusion Module eliminates the manual task of searching a long list of events to determine which ones are related.
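The following script is an added example, not part of this guide or of the SecurityFusion Module's implementation. It walks a handful of constructed events through the impact-analysis rules described in Section B and in Configuring Vulnerability Data above: an event on a host outside the licensed list is not correlated, vulnerability data older than the expiry (60 days by default) yields Unknown impact (not scanned recently), the newest current scan record wins unless a preferred source is configured and current, and the resulting outcome selects the Responses for Failed Attacks or Responses for Successful Attacks rules (Tables 41 to 44), including the requirement that both DISPLAY and LOGDB be on before Site Manager shows the event. The "Failure likely", "Success likely", "Unknown impact (not scanned)" and "Unknown impact (host not licensed)" labels, the check name, the dates, and the addresses are this example's own approximations of the guide's categories, not the product's exact status strings.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

SEVERITY_LEVELS = ["Low", "Medium", "High"]

# "Unknown impact (not scanned recently)" is the guide's own status; the others are
# constructed labels for the guide's categories (assumption of this example).
NOT_LICENSED = "Unknown impact (host not licensed)"
NOT_SCANNED = "Unknown impact (not scanned)"
NOT_RECENT = "Unknown impact (not scanned recently)"
FAILURE_LIKELY = "Failure likely"
SUCCESS_LIKELY = "Success likely"


@dataclass(frozen=True)
class ScanRecord:
    source: str        # "network" (e.g. Internet Scanner) or "host" (e.g. System Scanner)
    scanned: date
    vulnerable: bool


@dataclass(frozen=True)
class Event:
    target: str
    check: str         # vulnerability check the event's signature is matched against
    severity: str
    seen: date


def _default_rules() -> Dict[str, str]:
    return {"severity": "(Do not adjust)", "display": "(Do not adjust)", "logdb": "(Do not adjust)"}


@dataclass
class FusionPolicy:
    licensed_hosts: FrozenSet[str]
    max_age_days: int = 60                       # guide's default for vulnerability data expiry
    preferred_source: Optional[str] = None       # None = most recent data, check by check (guide's default)
    failed: Dict[str, str] = field(default_factory=_default_rules)     # Responses for Failed Attacks
    succeeded: Dict[str, str] = field(default_factory=_default_rules)  # Responses for Successful Attacks


def choose_scan(records: List[ScanRecord], policy: FusionPolicy, today: date) -> Optional[ScanRecord]:
    """Trust the preferred source if it has current data, otherwise the newest current record."""
    current = [r for r in records if (today - r.scanned).days <= policy.max_age_days]
    if policy.preferred_source:
        preferred = [r for r in current if r.source == policy.preferred_source]
        if preferred:
            current = preferred
    return max(current, key=lambda r: r.scanned) if current else None


def impact_status(event: Event, scans: Dict[Tuple[str, str], List[ScanRecord]], policy: FusionPolicy) -> str:
    if event.target not in policy.licensed_hosts:
        return NOT_LICENSED
    records = scans.get((event.target, event.check), [])
    if not records:
        return NOT_SCANNED
    record = choose_scan(records, policy, event.seen)
    if record is None:
        return NOT_RECENT
    return SUCCESS_LIKELY if record.vulnerable else FAILURE_LIKELY


def adjust_severity(original: str, option: str) -> str:
    """Tables 41 and 42: a named level replaces the severity; (One level lower) steps down, never below Low."""
    if option in SEVERITY_LEVELS:
        return option
    if option == "(One level lower)":
        return SEVERITY_LEVELS[max(0, SEVERITY_LEVELS.index(original) - 1)]
    return original  # "(Do not adjust)"


def apply_responses(event: Event, status: str, sensor: Dict[str, bool], policy: FusionPolicy) -> Dict[str, object]:
    """Start from the sensor policy's DISPLAY/LOGDB, then overlay the SecurityFusion rules for the outcome."""
    result: Dict[str, object] = {"target": event.target, "status": status, "severity": event.severity,
                                  "display": sensor["display"], "logdb": sensor["logdb"]}
    rules = {FAILURE_LIKELY: policy.failed, SUCCESS_LIKELY: policy.succeeded}.get(status)
    if rules:                                     # unknown-impact events keep the sensor's responses
        result["severity"] = adjust_severity(event.severity, rules["severity"])
        for key in ("display", "logdb"):
            if rules[key] != "(Do not adjust)":
                result[key] = rules[key] == "On"
    # Tables 43 and 44: Site Manager shows the event only if both DISPLAY and LOGDB are on.
    result["visible_in_site_manager"] = bool(result["display"] and result["logdb"])
    return result


# Constructed sample data (not from the guide).
TODAY = date(2005, 6, 1)
POLICY = FusionPolicy(
    licensed_hosts=frozenset({"10.0.1.5", "10.0.1.6", "10.0.1.7"}),
    failed={"severity": "(One level lower)", "display": "Off", "logdb": "On"},
    succeeded={"severity": "High", "display": "On", "logdb": "On"},
)
SCANS = {
    ("10.0.1.5", "web-check-1"): [ScanRecord("network", TODAY - timedelta(days=10), True),
                                  ScanRecord("host", TODAY - timedelta(days=3), False)],
    ("10.0.1.6", "web-check-1"): [ScanRecord("network", TODAY - timedelta(days=90), True)],
}
EVENTS = [
    Event("10.0.1.5", "web-check-1", "High", TODAY),     # newest data (host scan) says not vulnerable
    Event("10.0.1.6", "web-check-1", "High", TODAY),     # only data is 90 days old: expired
    Event("10.0.1.7", "web-check-1", "Medium", TODAY),   # licensed but never scanned
    Event("10.0.1.99", "web-check-1", "Medium", TODAY),  # not in the licensed host list
]
SENSOR_RESPONSE = {"display": True, "logdb": False}      # what the sensor policy set for the signature


def evaluate(events=EVENTS, policy=POLICY, scans=SCANS, sensor=SENSOR_RESPONSE) -> List[Dict[str, object]]:
    return [apply_responses(e, impact_status(e, scans, policy), sensor, policy) for e in events]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

With the default source selection the first event is judged a likely failure because the three-day-old host scan is newer than the ten-day-old network scan, so its severity drops from High to Medium and DISPLAY is forced off; switching preferred_source to "network" makes the older (but still current) network result win, and the same event becomes a likely success that is logged and displayed. The second event shows why the scanning schedule matters: one scan older than the expiry leaves the event uncorrelated with the sensor's own responses untouched.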
The SecurityFusion Module correlates the following types of attack patterns: ● attacks that compromise hosts ● probing attacks that may include evasion or break-in activity ● break-in attacks against one or more hosts ● denial of Service attacks ● suspicious log-on activity For a complete description of attack patterns, see the SecurityFusion policy. 138 Encrypting Communications with the Site Protector Database Encrypting Communications with the Site Protector Database Introduction The SecurityFusion Module exchanges data with the SiteProtector database. By default, attack data is always encrypted; vulnerability correlation and other miscellaneous administrative data is not. If required at your Site, you can set up encryption to include all types of data. You can use either Multiprotocol or SSL (Secure Sockets Layer) methods. Important prerequisite Before you encrypt communications for the SecurityFusion Module, read the relevant documentation: ● For Multiprotocol, see the SiteProtector Installation Guide. ● For SSL, see “How do I set up Site Protector to use encryption for database communication?” in the Internet Security Systems Knowledgebase (http:// www.iss.net/support/). To find the article: ■ Type 1824 in the Search Text box, and select Answer ID in the Search by list. SiteProtector User Guide for Security Managers Version 2.0, SP5.2 139 Chapter 10: Configuring the SecurityFusion Module 140 Part IV ® Organizing and Managing Your Assets Chapter 11 Adding Assets to SiteProtector Overview Introduction SiteProtector provides a flexible way to organize all your network assets, including SiteProtector assets, into groups in the Enterprise Groups pane. Before you identify the assets on your network, you should think about how you want to organize them into groups. This chapter explains how to create groups and add assets to them. 
Initial Configuration Checklist item If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 4. This task is required. The next configuration task is Task 5, “Add SiteProtector users.“ See Chapter 4, “Adding Users to SiteProtector” on page 41. Definition: asset An asset is an individual computer or device with an IP address on a network. Assets include the following: ● SiteProtector Site servers (database server, application server, Event Collector, Agent Manager, Deployment Manager, and X-Press Update server) ● sensors (including the Internet Scanner) ● critical network hosts, such as Web servers and computers in the DMZ (demilitarized zone) Background information SiteProtector maintains information about assets in the Hosts table in the Site database. Site Manager displays the information in the Asset tab. In this chapter This chapter contains the following topics: Topic Page How to Organize Groups of Assets 145 How to Create and Populate Groups 146 Creating Site Ranges 148 Adding Asset Groups 149 Manually Adding Assets 150 Defining Membership Rules for Automatic Grouping 152 Running a Discovery Scan 153 SiteProtector User Guide for Security Managers Version 2.0, SP5.2 143 Chapter 11: Adding Assets to SiteProtector Topic 144 Page Importing Active Directory 155 Modifying the System Scanner Group 158 How to Organize Groups of Assets How to Organize Groups of Assets Introduction This topic provides basic information about how to organize the groups in SiteProtector. Group types Groups in SiteProtector contain assets, or other groups of assets. Some groups provide additional functionality: ● Active Directory groups (See “Importing Active Directory” on page 155.) ● policy subscription groups (See “Task 3: Creating a Policy Subscription Group” on page 82.) ● System Scanner groups (See “Modifying the System Scanner Group” on page 158.) 
Note: SiteProtector automatically creates the System Scanner group after it receives the first System Scanner event. The group does not appear in the Enterprise Groups pane until you refresh the Console. Organizational categories You can add an asset to more than one group, so you can create more than one set of groups to represent your needs. For example, you could organize groups by one or more of the following categories: ● organizational structure ● geographic location ● business purpose ● type of asset or sensor ● how you want to monitor the groups Limitation If you use Active Directory or policy subscription groups, you can still assign an asset to multiple groups; however, you can assign the same asset to at most one Active Directory group and one policy subscription group. Grouping suggestions You should add the following to your Enterprise Groups pane: Subgrouping suggestions ● one or more groups for all your agents and appliances ● groups for the assets you want to monitor ● groups for the assets you want to scan You may also want to create subgroups for each sensor type within your agent groups. Common subgroup names include the following: ● Network sensors ● Server sensors ● System Scanner ● Internet Scanner ● Proventia appliances ● Desktop agents ● other software components, such as Databridges, Event Collectors, SiteProtector Core, and SiteProtector databases SiteProtector User Guide for Security Managers Version 2.0, SP5.2 145 Chapter 11: Adding Assets to SiteProtector How to Create and Populate Groups Introduction You can use a combination of methods to create and populate groups for your Site. This topic describes the methods available to you. The goals Choose the methods that best help you accomplish the following goals: Enterprise groups pane ● Create asset groups and a structure that best suits the needs of your organization. ● Assign assets to appropriate groups. ● Gather additional information about the assets. 
Asset groups appear in the Enterprise Groups pane in Site Manager. Figure 7 shows an example of the Enterprise Groups pane:
Figure 7: Example of an Enterprise Groups pane

Asset categories
Table 46 describes categories of SiteProtector assets:
Asset category | Description
Grouped | An asset that is in a group in the Enterprise Groups pane
New | An asset that exists in your network but is not recognized by SiteProtector
Ungrouped | An asset that SiteProtector recognizes but that is not in a custom group in the Enterprise Groups pane
Table 46: Categories of SiteProtector assets

Create groups first or scan first?
You can create groups before or after you scan for assets. Table 47 describes how assets that are identified through an Internet Scanner discovery scan are grouped:
If you run a discovery scan… | Then the identified assets go into the…
before you create groups | ungrouped assets group.
after you create groups and assign IP addresses to the groups | group to which you assigned the IP addresses. Any unassigned assets go into the ungrouped assets group.
Table 47: Discovery scans and groups

How to create groups
You can create asset groups in the Enterprise Groups pane as follows:
● Add groups manually. (See page 149.)
● Import your groups and assets into SiteProtector using Active Directory information. (See page 155.)

How to add assets
Table 48 suggests when to use the different methods for generating asset information:
Method | When to Use | Page
Add Site ranges to the ungrouped assets group | To make sure that you scan only the hosts that you really want to add to SiteProtector | 148
Add assets manually | To group your assets before you scan them, or if you do not have Internet Scanner | 150
Automatically group assets using group membership rules | To add assets initially, or if you add assets frequently and you can define your asset groups using the membership rules | 152
Discovery scan | Only if you use Internet Scanner.
Internet Scanner discovers information about new hosts, such as the operating system, DNS name, or NetBIOS name | 153
Active Directory | To import network asset details into SiteProtector | 155
Table 48: Methods for generating host information

Host files
You can also define your assets in a file, a host file, and import them into SiteProtector from the file. You must follow the formatting rules for asset addresses, and you must name the file with the extension .hst. (See “Detailed formats for IP addresses” on page 150.)

Process for defining groups and adding assets
Table 49 describes the process for defining groups and adding assets:
Stage | Task
1 | Add Site ranges to the Ungrouped Assets folder.
2 | Add groups that reflect your method for organizing your assets.
3 | Add assets to the groups:
  • Add assets manually.
  • Create membership rules to automatically group the assets when you run a scan.
4 | Run a discovery scan in Internet Scanner.
Table 49: Process for defining groups and adding assets

Creating Site Ranges

Introduction
During the SiteProtector installation, a default IP range is automatically created in the Ungrouped Assets group. The default IP range represents the subnet(s) on which your SiteProtector Site is located. You can create your own Site range(s) so that you can efficiently identify the specific assets that you want to protect.

Definition: Site range
Site ranges define the IP address ranges that are part of the network you are protecting. Site ranges apply only to the Ungrouped Assets group. You can use Site ranges to quickly define assets that belong to your organization. Some automatic grouping functions rely on Site ranges.

Advantages of Site ranges
Site ranges are optional; however, they enable you to identify assets on your network more efficiently. You can use predefined ranges to add multiple assets to groups.
You can add, change, or delete Site ranges.

Site range formats
Specify a Site range using one or more of the following formats:
● single IP address
● range of IP addresses
● multiple Site ranges

About the IP address format
Table 50 lists the IP address formats to use for different types of Site ranges; x and y in the format examples represent any number between 0 and 255:
Type of Site Range | Format
Single IP address | x.x.x.x
Range of IP addresses | x.x.x.x-y.y.y.y
Table 50: Formats for Site ranges

Procedure
To create a Site range:
1. On the Enterprise Groups pane, right-click Ungrouped Assets, and then select New Site Range from the pop-up menu. A new group appears below the Ungrouped Assets folder.
Note: By default, this folder is located at the bottom of the Enterprise Groups pane.
2. Click the selected group, and then type the IP address or IP address range to include in the new Site range.
3. Press Enter. The assets in your network that are within the Site range appear in the Asset tab.

Adding Asset Groups

Introduction
You can add asset groups and organize them into a hierarchical structure that is meaningful to your organization. Use a grouping and naming convention that makes sense for your enterprise.

Procedure
To add a group:
1. In the Enterprise Groups pane, right-click the group to which you want to add the new group, and then select Add Group from the pop-up menu. The New group folder appears below the selected group.
2. Type the name to use for the new group, and then press ENTER.
3. If you do not want to add descriptive information about the group, go to Step 7.
4. Right-click the new group, and then select View/Edit Group.
5. Type a Description for the group.
6. Click OK.
7. If you want to add membership rules to the group, and you are ready to add them now, go to “Defining Membership Rules for Automatic Grouping” on page 152.
Manually Adding Assets

Introduction
You can manually add assets to SiteProtector, and you can choose whether to use Site ranges:
● Without Site ranges, you must add assets to groups before you run a discovery scan.
● With Site ranges, you can scan before or after you add the assets to a group.

Detailed formats for IP addresses
Table 51 describes the formats you can use to define your assets:
To define a... | Type... | Examples
single host | an IP address in dotted decimal notation | 1.1.1.1
single host | a computer name | MailServer01
single host | a DNS name | www.iss.net
Note: The Module translates the computer name or Web address into an IP address.
range of hosts | the first and last IP address separated by a hyphen | 1.1.1.1-1.1.1.100, 1.1.2.1-1.1.3.1
single IP address with a comment | the IP address followed by a space and your comment | 209.134.161.35 www.iss.net
comment line | a # in the first position followed by a comment | # IP addresses for IT
Table 51: Formats for IP Addresses

Adding assets without using Site ranges
To add assets to a group without using Site ranges:
1. In the Enterprise Groups pane, right-click a group, and then select Add Host(s) from the pop-up menu.
2. If you do not want to import assets from a host file, go to Step 6.
Tip: You can both add assets manually and import host files.
3. Insert your cursor into the list where you want to insert the assets, and then click Import host file.
4. Select the host file to import, and then click Import.
Note: The host file must have an extension of .hst.
5. If you do not want to add assets manually, go to Step 7.
6. Type the asset identifiers into the list using the rules in “Detailed formats for IP addresses” on page 150.
7. Click OK.

Adding assets using Site ranges
To add assets to a group using Site ranges:
1. In the Enterprise Groups pane, expand Ungrouped Assets, and then select a Site range.
2. Select the Asset tab. The assets in the Site range appear in the Asset tab.
3. Select assets in the Asset tab, and then drag and drop them into the group you have already created for them.

Defining Membership Rules for Automatic Grouping

Introduction
You can define membership rules for groups and use them for the following:
● to specify the format or characters allowed for asset identifiers of the assets in the group
● to automatically add ungrouped assets to groups when you run a scan

Rule types
You can use only one type of rule per group:
● IP Address
● DNS Name
● NetBIOS Name
● Operating System Name

Procedure
To define membership rules for a group:
1. In the Enterprise Groups pane, right-click the group to which you want to add the membership rules, and then select View/Edit Group from the pop-up menu.
2. In the Type list, select the type of membership rules to use for this group:
■ IP Address
■ DNS Name
■ NetBIOS Name
■ Operating System Name
Note: You can use only one type per group.
3. Type a Rule in the row that has an asterisk in the first column, and then press ENTER. Help appears below the Type box for the selected rule.
Note: For IP address types, if you type an invalid rule, the asterisk changes to a red X. You must correct the membership rule before you can continue.
4. Click OK.

Running a Discovery Scan

Introduction
You can identify the assets on your network by running a discovery scan with Internet Scanner. SiteProtector saves the information gathered during a discovery scan in the Hosts table in the Site database. SiteProtector displays the information in the Asset tab in Site Manager.
Note: A discovery scan does not automatically add every asset in the range.
It only adds active assets, that is, assets that respond to the scan.

Prerequisites
If you want the discovery scan to add the assets to specific groups, define the groups and the assets for those groups before you run the scan. Otherwise, all the discovered assets appear in the Ungrouped Assets group.

Scope of scan
You should scan only a single domain in a discovery scan. If you need to scan more than one domain, ISS recommends that you do the following:
● Divide the scan into a series of scans.
● Install Internet Scanner on an asset in each domain.

Information gathered
A discovery scan gathers the following information:
● IP Address
● NetBIOS Name
● DNS Name
● OS Name
● NetBIOS Domain Name

Task overview
Table 52 describes the tasks for running a discovery scan and provides links to documentation related to each task:
Task | Description | Related documentation
1 | Add an Internet Scanner, and then identify the Internet Scanner host. | “Adding an Internet Scanner host” on page 153
2 | Perform a discovery scan. | “Running a scan” on page 154
3 | Add assets to group any ungrouped assets. | “Manually Adding Assets” on page 150
Table 52: Tasks to run a discovery scan

Adding an Internet Scanner host
To add an Internet Scanner host:
1. In the Enterprise Groups pane, select your default IP range in the Ungrouped Assets folder.
2. Select the Asset tab.
3. Select the IP address of your Internet Scanner in the Asset tab, and then drag it to the Your_Site folder in the Enterprise Groups pane.
Note: If you have created additional groups, drag the Internet Scanner to the appropriate group.
4. If you did not install Internet Scanner through the Deployment Manager, you must register the scanner.
Reference: See “Registering Software Managed by SiteProtector” on page 105.
5. Go to the next procedure in this topic.

Running a scan
To run a discovery scan:
1. In the Enterprise Groups pane, select the group with Internet Scanner.
2. Select the Sensor tab.
3. Right-click the Internet Scanner, and then select Internet Scanner → Launch Scan from the pop-up menu. The Launch a Scan window appears.
4. Type the IP address range to scan in the Scans target IP addresses box.
5. Select the policy to apply to the scanner, and then click Scan.
Tip: Consider using the D1 Light Discovery policy for efficiency.
6. If new assets appear in the Ungrouped Assets folder, click the Analysis tab to view any vulnerability data created.
7. If you now want to add assets from the Site ranges to groups, go to “Adding assets using Site ranges” on page 151.

Importing Active Directory

Introduction
You can use asset details from Active Directory to populate an Active Directory view in the Enterprise Groups pane.
Important: You can have only one Active Directory forest in the SiteProtector Enterprise Groups pane.
Reference: For information about using Active Directory, see the Microsoft documentation.

Active Directory and the Hosts table
When you import new asset information using Active Directory, you update all the information in the Hosts table in the Site database.
Caution: Before you import asset information, make sure that the information you are importing is up-to-date.

Active Directory information that SiteProtector uses
SiteProtector uses only a portion of the network asset details provided by Active Directory:
● The Active Directory hierarchy appears in the SiteProtector Enterprise Groups pane, with assets grouped according to how you use Active Directory to manage your network.
● User information appears on the Asset tab:
■ login name
■ full name
■ fully qualified path to the user object in Active Directory
■ phone number
■ domain
■ authenticating server
● Asset configuration information appears on the Asset tab:
■ computer’s distinguished name
■ DNS
■ OS

Organizing information within the Active Directory folder
Before you use the Active Directory information for the first time, you can use a third-party tool to organize the structure of the information within the Active Directory folder (or Active Directory container). Then, when you import the Active Directory folder into SiteProtector, the information appears as you organized it with the third-party tool. Each time the Active Directory changes, you must rerun the job to repopulate the information.

How to change Active Directory groups
You cannot change the Active Directory group hierarchy within SiteProtector. You must make those changes within the Active Directory, and then reimport them into SiteProtector.

When you add Active Directory assets to other groups
You can add an Active Directory asset to additional SiteProtector groups. Whenever you update information about an asset, the record for that asset is updated in the Hosts table in the Site database. Any changes you make are reflected in every group to which that asset belongs.

Procedure
To populate the Enterprise Groups pane with Active Directory information:
1. In the Enterprise Groups pane, right-click Your_Site, and then select Active Directory Group Population from the pop-up menu. The Active Directory Group Population window appears.
2. In the Options section, click Set Credentials (to establish login credentials for the Active Directory domain). The Login Credentials for Active Directory window appears.
3. Type your Server or Domain name, your domain User name, and your domain Password.
Tip: Click Help on the Login Credentials for Active Directory window for additional information.
4. If you want to change the size of groups that you get from Active Directory, type or select the number in the Page size box.
5. Click OK.
6. Do you know the name of the domain that you want to add to SiteProtector?
■ If yes, type the name of the domain in the Starting Domain box.
■ If no, click Get Domains, and then select the domain from the Starting Domain list.
7. If the sensor’s host is in both an Active Directory group and a SiteProtector group, and you want to require that agents use the policy assigned to the Active Directory group, select the Reassign sensor policy based on Active Directory grouping check box in the Options section.
Important: If you already use SiteProtector, and you are adding the Active Directory information to the Enterprise Groups pane for the first time, do not use this setting, because the policies for the SiteProtector groups may not work as scheduled. After you add the Active Directory groups to the Enterprise Groups pane, select them, and then apply the policies you want to use.
Reference: See “Policy Assignment with Active Directory” on page 165.
8. If you want to display all the trees in the Active Directory forest, select the Grow Entire Forest check box in the Options section.
Note: The starting domain must be the forest root. The forest root is denoted by (root) if you use Get Domains.
9. Do you want to add Active Directory information immediately?
■ If yes, select the Run Once option, and then go to Step 12.
■ If no, select the Recurrence pattern option you want to use.
10. In the Event time section, click the Start arrow to specify a date and time.
11. Do you want to specify an end date?
■ If yes, select End by in the Range of recurrence section, and then click the arrow to specify a date and time.
■ If no, select No end date.
12. Click OK. The Active Directory job runs as scheduled.
Select Your_Site to see the status of the job in the Command Jobs pane.
13. When the job finishes successfully, press SHIFT+F5 to refresh the Enterprise Groups pane with the Active Directory groups.

Modifying the System Scanner Group

Introduction
SiteProtector automatically creates the System Scanner group when it receives the first System Scanner event from the System Scanner Databridge. This topic explains how to move the group or rename it.
Reference: See “Installing the System Scanner Databridge” on page 99.

Default subgroup structure
SiteProtector automatically creates a subgroup structure for the System Scanner group in the Enterprise Groups pane. Table 53 describes the subgroup structure:
Level | Description
1 | System Scanner
2 | SystemScannerDNSName_SystemScannerDatabaseName
3 | System Scanner group names that appear in the System Scanner Console
Table 53: System Scanner subgroups

Moving the System Scanner group
To move the System Scanner group:
1. In the Enterprise Groups pane, delete the default System Scanner group.
2. Create a group, and name it System Scanner.
SiteProtector creates the new group structure as it receives new events, such as when you scan an asset.

Renaming the System Scanner group
To rename the System Scanner group:
1. In the Enterprise Groups pane, create a group, and give it any name.
2. Run the following SQL command in the SQL Query Analyzer, replacing Custom_Group_Name with the name you gave the group:
INSERT INTO VERSION (ATTRIBUTENAME, ATTRIBUTEVALUE) VALUES ('SystemScannerGroupName', 'Custom_Group_Name')
Example: To change the name of your System Scanner group to “SystemScannerevents,” run the following command:
INSERT INTO VERSION (ATTRIBUTENAME, ATTRIBUTEVALUE) VALUES ('SystemScannerGroupName', 'SystemScannerevents')
SiteProtector creates the new group structure as it receives new events, such as when you scan an asset.
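The asset-definition rules in this chapter can be checked offline. The following Python, added here as an example and not part of the guide or of SiteProtector, parses the .hst host file formats of Table 51, matches the Site range formats of Table 50, and places discovery-scan results into groups the way Table 47 and the membership-rule topic describe (assigned or matching assets go to their groups, the rest to Ungrouped Assets, one rule type per group). The glob syntax for rules, the sample scan results and the group names are assumptions; the IP addresses in the sample host file are the ones Table 51 uses.

```python
"""Added example (not ISS code): parse .hst host files (Table 51), match Site
ranges (Table 50) and place discovery-scan results into groups (Table 47), with
one membership rule type per group. ASSUMPTION: rule text is matched as a
case-sensitive glob (the guide does not document SiteProtector's rule grammar);
names are not resolved to IP addresses (the guide says the Module does that)."""
import ipaddress
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RULE_TYPES = ("IP Address", "DNS Name", "NetBIOS Name", "Operating System Name")
UNGROUPED = "Ungrouped Assets"

@dataclass
class HostEntry:
    identifier: str      # IP address, computer name or DNS name, as written
    comment: str = ""    # text after the first space on an IP line (Table 51)

class SiteRange:
    """Single IP (x.x.x.x) or inclusive range (x.x.x.x-y.y.y.y), Table 50."""
    def __init__(self, spec: str) -> None:
        parts = [p.strip() for p in spec.split("-", 1)]
        self.first = ipaddress.IPv4Address(parts[0])
        self.last = ipaddress.IPv4Address(parts[-1])
        if self.last < self.first:
            raise ValueError(f"range end precedes start: {spec}")

    def contains(self, identifier: str) -> bool:
        try:
            return self.first <= ipaddress.IPv4Address(identifier) <= self.last
        except ipaddress.AddressValueError:   # a name, not an address
            return False

    def expand(self) -> List[str]:
        return [str(ipaddress.IPv4Address(n)) for n in range(int(self.first), int(self.last) + 1)]

def parse_hst(text: str) -> List[HostEntry]:
    """'#' lines are comments, 'a-b' lines are ranges, 'ip comment' lines carry a comment."""
    entries: List[HostEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "-" in line and DOTTED_QUAD.match(line.split("-", 1)[0].strip()):
            entries.extend(HostEntry(ip) for ip in SiteRange(line).expand())
            continue
        identifier, _, comment = line.partition(" ")
        entries.append(HostEntry(identifier, comment.strip()))
    return entries

@dataclass
class DiscoveredAsset:          # discovery-scan fields the rule types use
    ip: str
    netbios_name: str = ""
    dns_name: str = ""
    os_name: str = ""

@dataclass
class Group:
    name: str
    assigned: List[str] = field(default_factory=list)   # IPs/ranges assigned before the scan
    rule_type: Optional[str] = None                     # at most one rule type per group
    rule: Optional[str] = None

    def __post_init__(self) -> None:
        if self.rule_type is not None and self.rule_type not in RULE_TYPES:
            raise ValueError(f"{self.name}: unknown rule type {self.rule_type!r}")

    def matches(self, asset: DiscoveredAsset) -> bool:
        if any(SiteRange(spec).contains(asset.ip) for spec in self.assigned):
            return True
        if self.rule_type is None or self.rule is None:
            return False
        value = {"IP Address": asset.ip, "DNS Name": asset.dns_name,
                 "NetBIOS Name": asset.netbios_name, "Operating System Name": asset.os_name}
        return fnmatchcase(value[self.rule_type], self.rule)

def group_discovered(assets: List[DiscoveredAsset], groups: List[Group]) -> Dict[str, List[str]]:
    """An asset may land in several groups; unmatched assets go to Ungrouped Assets."""
    placement: Dict[str, List[str]] = {**{g.name: [] for g in groups}, UNGROUPED: []}
    for asset in assets:
        hits = [g.name for g in groups if g.matches(asset)]
        for name in hits or [UNGROUPED]:
            placement[name].append(asset.ip)
    return placement

# Constructed sample .hst content (example values from Table 51), scan results and groups
SAMPLE_HST = "# IP addresses for IT\n1.1.1.1\nMailServer01\nwww.iss.net\n209.134.161.35 www.iss.net\n1.1.2.1-1.1.2.4\n"
SAMPLE_ASSETS = [
    DiscoveredAsset("10.0.1.5", "WEB01", "web01.corp.example", "Windows Server 2003"),
    DiscoveredAsset("10.0.1.9", "DC01", "dc01.corp.example", "Windows Server 2003"),
    DiscoveredAsset("10.0.2.20", "", "scanner.corp.example", "Linux"),
    DiscoveredAsset("192.168.5.7", "LAB7", "", "Solaris"),
]
SAMPLE_GROUPS = [
    Group("Web servers", assigned=["10.0.1.5"]),
    Group("Windows hosts", rule_type="Operating System Name", rule="Windows*"),
    Group("Corp DNS", rule_type="DNS Name", rule="*.corp.example"),
]
```

Running group_discovered(SAMPLE_ASSETS, SAMPLE_GROUPS) places 10.0.1.5 in all three groups and leaves only 192.168.5.7 in Ungrouped Assets, which is the same outcome a scan run after the groups exist would produce.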
Chapter 12
Configuring the Desktop Environment

Overview

Introduction
If you use Desktop protection, you may want to configure additional Agent Managers as follows:
● Install a second Agent Manager and designate it as a backup.
● Reassign agents that report to one Agent Manager to another Agent Manager.

Initial Configuration Checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to install SiteProtector for the first time, this is Task 9. This task is optional. The next configuration task is Task 10, “Implement a policy and response strategy.” See Chapter 13, “Managing Policies and Responses” on page 163.

Install an additional Agent Manager
If you want to install an additional Agent Manager, see the SiteProtector Installation Guide.

In this chapter
This chapter contains the following topics:
Topic | Page
Designating a Backup Agent Manager | 160
Assigning a Group of Agents to a Different Agent Manager | 161

Designating a Backup Agent Manager

Introduction
If you install multiple Agent Managers, you can designate one Agent Manager as the backup for the primary Agent Manager. You can designate an unlimited number of backup Agent Managers.
Important: This procedure applies to RealSecure Desktop 7.x and to Proventia agents.

Prerequisite
The backup Agent Manager must have the same accounts and passwords as the primary Agent Manager.

Procedure
To designate an Agent Manager as a backup:
1. In the Enterprise Groups pane, right-click the Desktop agent group, and then select View/Edit Group from the pop-up menu.
2. Click Add/Edit Group Settings.
3. In the left pane, select Agent Manager List.
4. If the Agent Manager you want to use as a backup appears in the Controller Information list, go to Step 9.
5. Click Add.
6. If you want to select an Agent Manager that is on another Site, type the information in the fields, click OK, and then go to Step 10.
7. Click Choose an Agent Manager.
8. Select the Agent Manager to use as a backup, and then click OK.
9. Select the primary Agent Manager, and then click the up arrow to move the primary Agent Manager to the top row.
Note: The backup Agent Managers are listed in the remaining rows in order of priority. The Agent Manager in the second row is the first backup, the one in the third row is the second backup, and so on.
10. Click OK, and then click OK.

Assigning a Group of Agents to a Different Agent Manager

Introduction
This topic explains how to reassign a group of agents from one Agent Manager to another Agent Manager.

Procedure
To reassign a group to a different Agent Manager:
1. In the Enterprise Groups pane, right-click the Desktop agent group, and then select View/Edit Group from the pop-up menu.
2. Click Add/Edit Group Settings.
3. In the left pane, select Agent Manager List.
4. If the Agent Manager you want to select appears in the Controller Information list, go to Step 9.
5. Click Add.
6. If you want to select an Agent Manager that is on another Site, type the information in the fields, and then go to Step 10.
7. Click Choose an Agent Manager.
8. Select the Agent Manager to use, and then click OK.
9. On the Add Controller window, click OK.
10. Select the primary Agent Manager, and click the up arrow to move the primary Agent Manager to the top row.
11. Click OK, and then click OK.

Chapter 13
Managing Policies and Responses

Overview

Introduction
This chapter provides an introduction to policy and response management in SiteProtector. It explains the major differences in how you configure policies and apply responses for different types of agents and appliances.
For more detailed information, see the SiteProtector Help.

Initial Configuration Checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 10, “Implement a policy and response strategy.” This task is required. The next configuration task is Task 11, “Set up the Console preferences.” See Chapter 5, “Configuring Your Console” on page 57.

Terms to know
Table 54 describes terms related to policies and responses:
Term | Description
notification | A type of response that is informational and does not take any action beyond sending an alert
policy | The definition of the level of security that an agent or an appliance provides
response | Notifications and active responses that agents send based on policy settings
Table 54: Policy and response terms

In this chapter
This chapter contains the following topics:
Topic | Page
Policy Management for Different Agents and Appliances | 164
Policy Assignment with Active Directory | 165
Applying Policies to Sensors and Proventia G Series Appliances | 167
Applying Policies to Proventia M Series and Next Generation G Series Appliances | 169
Policy Subscription Groups | 171
Response Concepts | 172
Response Hierarchy | 173
Response Strategy | 174

Policy Management for Different Agents and Appliances

Introduction
How you apply and manage policies may differ according to the types and models of agents and appliances that you have. This topic provides a high-level explanation of the differences.

Policies in the Site database
The Site database contains a repository of default, or predefined, policies for Internet Scanner, the SecurityFusion Module, network and server sensors, RealSecure Desktop, and early Proventia G Series appliances. You can use these policies to derive policies that you can customize.
Desktop agents
Desktop Protection agents subscribe to policy subscription groups to get their policies.

Internet Scanner
You apply Internet Scanner policies when you run the scan. You do not apply policies directly to Internet Scanner or to a group of scanners. You can create and customize Internet Scanner policies in the Console through Sensor Management.

SecurityFusion Module
When you configure the SecurityFusion Module, you can create and apply policies to the module.

Network Sensor, Server Sensor, and G-Series Appliance
You can apply policies to Network Sensor, Server Sensor, and G-Series appliances as follows:
● to the sensor or appliance
● to a group of sensors or appliances
Note: You can apply policies to all the sensors or appliances in a group even if the sensors and appliances do not subscribe to the group.
You create and customize policies for these agents and appliances through Sensor Management.

Proventia M Series and Next Generation G Series Appliances
Proventia M and Next Generation G Series appliances have several policies that you configure through group-level settings. The policies relate to various appliance functions, such as antivirus, antispam, and Web filtering. You can selectively configure policies for each group, subgroup, and appliance. The appliance inherits its policies from the lowest level in the structure where it is configured. In other words, a policy set for the appliance overrides any policies set for a subgroup, and policies set at the subgroup override any policies set at the root group.

Policy Assignment with Active Directory

Introduction
If you use Active Directory to populate your Enterprise Groups pane, you may see conflicts about policy assignment for agents. This topic describes common conflicts and explains how to avoid or resolve them.
Reference: See “Importing Active Directory” on page 155.
Assets in multiple groups
You can assign an asset to both an Active Directory group and a policy subscription group, and you can assign policies to both groups. Table 55 describes what happens if the agent receives its policy from the policy subscription group, and you run the Active Directory population function:
If the Reassign sensor policy based on Active Directory grouping check box is… | Then the agent…
cleared | continues to receive policies from the SiteProtector group.
selected | receives its policy from the Active Directory group.
Table 55: Policy assignment with an asset in multiple groups

Moving an asset to a different Active Directory group in the same domain
Table 56 describes what happens if an agent subscribes to an Active Directory group for its policy, and the agent’s asset is moved to a different Active Directory group on the network:
If the Active Directory information in SiteProtector is updated and the Reassign sensor policy check box is... | Then the agent...
cleared | continues to receive its policy from the original Active Directory group.
selected | receives its policy from the new Active Directory group.
Table 56: Moving Active Directory assets within a domain

Moving a computer object to a different domain in the same forest
If you move a computer object to a different domain in the same forest, what happens to the policy assigned to the original computer object depends on the Reassign sensor policy based on Active Directory grouping option, as shown in Table 57:
If the Reassign sensor policy based on Active Directory grouping check box is... | Then the policy...
cleared | remains assigned to the original computer object.
selected | assignment is unpredictable, and you should remove the computer object from the old domain to resolve the ambiguity.
Table 57: Moving Active Directory assets to a different domain

Moving an asset to a different domain in the same forest
Table 58 describes what happens if you move an asset to a different domain in the same forest, based on the method you use to move the asset:
If you… | Then…
join the computer to the new domain by renaming the domain in the computer’s properties | • a new computer object is created in the new domain • the old computer object remains in the old domain • the new computer object receives a new GUID
use the Active Directory Migration Tool | • the old computer object remains in the old domain (in case you want to undo the operation) • the new computer object receives a new GUID
use the Microsoft MoveTree and Netdom utilities | • the old computer object is removed when the new computer object is created • the GUID does not change
Table 58: Result of moving an asset to a different domain in the same forest

Applying Policies to Sensors and Proventia G Series Appliances

Introduction
You can apply policies to sensors and Proventia G Series appliances as follows:
● directly to the sensor or appliance
● to all subscriber sensors in a group
● to all sensors in a group

Load distribution
SiteProtector distributes the load when applying policies to network and server sensors. For example, when applying policies to many network and server sensors, SiteProtector applies the policies to the sensors in increments over a period of time.

Applying a policy to a sensor
To apply a policy to a sensor:
1. In the Enterprise Groups pane, select the group to which the sensor belongs, and then select the Sensor tab.
2. On the Sensor tab, right-click the sensor to which you want to apply a policy, and then select type_of_sensor → Apply Policy from the pop-up menu.
3. Click Select. The Select Policy window appears with a list of policies for the selected sensor.
4. Select the policy to apply, and then click OK. The name of the policy appears in the Policy box on the Apply Policy window.
5. If you want to apply the policy daily, weekly, or monthly, select the applicable option.
6. Click OK. The policy becomes the active policy for the selected item.

Subscribe a sensor to a policy subscription group
To apply a policy subscription group to a sensor:
1. In the Enterprise Groups pane, select the group with the sensor, and then select the Sensor tab.
2. Right-click the sensor, and then select RealSecure Desktop → Set Policy Subscription Group from the pop-up menu.
3. Select one of the following:
■ Current Group
■ Parent Group with Policy
4. Click OK.

Applying a policy to sensors in a group
To apply a policy to the sensors in a group:
1. In the Enterprise Groups pane, right-click the group with the sensors, and then select {Network | Server | Desktop} Protection → Sensor_Type → Apply Policy from the pop-up menu.
2. In the policy section, select a Policy.
3. In the policy section, do one of the following:
■ To apply the policy to only the sensors that subscribe to the group, select Applies to subscriber sensors only.
■ To apply the policy to all the sensors in the group, whether or not they subscribe to the group, select Applies to all sensors.
4. Click OK.
Applying Policies to Proventia M Series and Next Generation G Series Appliances

Introduction
Proventia M Series and Next Generation G Series policies contain the following types of settings that you can apply at the Site, group, subgroup, or device level:
● Firewall/VPN
● Intrusion prevention
● Antivirus
● Notification
● Services
● Response objects (Proventia G Next Generation only)
● Network objects (Proventia M only)
● Antispam
● Web filtering
● Web filter settings
● Web filter categories
● Web filter and antispam database
In addition, the following policies are available at the device level only:
● Access
● Networking
● Routing
Note: If you see certificates as an item in the policy tree, edit them using the Proventia Manager.

Applying policies to all appliances in the Site
To apply policies to all appliances in the Site:
1. Right-click Your_Site in the Enterprise Groups pane, and then select Network Protection → {Proventia M-Series | Proventia G-Series (Next Generation)} → Edit Settings on the pop-up menu.
The policy settings window opens.
2. Configure each policy setting as necessary.
Note: You must configure the Proventia M appliance agent to use the policy setting at the Site level.
Tip: For information about each policy setting, click Help at the bottom of the window.
3. If you want the policy settings to take effect immediately, right-click the appliance, and then select Network Protection → {Proventia M-Series | Proventia G-Series (Next Generation)} → Force Refresh on the pop-up menu.

Applying policies to a group of M or Next Generation G Series appliances
To apply policies to all appliances in a group:
1.
In the Enterprise Groups pane, right-click the group that has the Proventia M or Next Generation G Series appliances to use, and then select Network Protection → {Proventia M-Series | Proventia G-Series (Next Generation)} → Edit Settings from the pop-up menu.
The policy settings window opens.
2. Configure each policy setting as necessary.
Note: You must configure the Proventia appliance agent to use the policy setting at the group level.
Tip: For information about each policy setting, click Help at the bottom of the window.
3. If you want the policy settings to take effect immediately, right-click the Proventia appliance agent, and then select Network Protection → Proventia M-Series → Force Refresh on the menu.

Applying policy settings to a single appliance
To edit Proventia M Series policy settings and apply them to all Proventia M Series appliances in the Site:
1. In the Enterprise Groups pane, select the group that has the Proventia M or G Series appliances you want to view.
2. On the Sensor tab, right-click the appliance that uses the policy you want to edit, and then select {Proventia M-Series | Proventia G-Series (Next Generation)} → Edit Settings on the pop-up menu.
The policy settings window opens.
3. Configure each policy setting as necessary.
Tip: For information about each policy setting, click Help at the bottom of the window.
4. If you want the policy settings to take effect immediately, right-click the Proventia appliance agent, and then select Network Protection → Proventia M-Series → Force Refresh on the menu.

Policy Subscription Groups

Introduction
Use the procedures in this topic to apply a policy subscription group to a sensor, to determine which policy is assigned to a policy subscription group, or to determine which policy subscription group is assigned to a sensor.

Which group policy is applied to a group?
To view the policy assigned to a group:
1. In the Enterprise Groups pane, select the group.
2. Click the Summary tab.
The policy set for the group appears in the Current Group Policies section.

Which policy subscription group is assigned to a sensor?
To view the policy subscription group assigned to a sensor:
1. Select any group containing the sensor's host.
2. Click the Sensor tab, and then read the value from the Get policy from column.
Note: A policy subscription group is assigned at the sensor level. For a host with multiple sensors, each sensor could be assigned to a different policy subscription group.

Response Concepts

Introduction
As you define your policy and response strategy, use the concepts explained in this topic to define the best strategy for your security policy.

Generic vs. specific responses
Some responses are generic and do not require information outside the policy. Other responses require specific information about the action to take. You define specific information about the response in response files or in Central Responses.

Multiple responses
You can define more than one response for an event. Each response may be sent from the agent that detected the event, but not necessarily. You can also take advantage of SiteProtector's hierarchy of responses, explained on the next page, to send responses from more than one source.

Example
You can set up a policy that requires an agent to monitor for a specific event, and you can define two responses for that event:
● Display the event in the SiteProtector Console.
  Note: This response requires that you turn on the DISPLAY and LOGDB responses.
● Send a notification email to a specific email address.
  Note: This response requires that you provide a specific email address, or addresses, which you define outside the policy.

Response Hierarchy

Introduction
Many Sites use more than one type of agent to ensure the security of their assets, and these agents provide different response options.
SiteProtector and the agents that it supports provide a hierarchy of response options. To implement a coordinated response strategy, carefully consider the responses available from each agent. Start at the top, where you can make a global impact. Then work your way down the hierarchy until you have set up the responses that support your security policy.

Hierarchy of responses
Table 59 describes the types of responses in the hierarchy from the broadest to the most specific:

Central responses
  Highly configurable responses that you define in the SiteProtector Console and that apply to events from all supported agents.
Global responses
  A master list of responses that you use to populate custom response files for different types of sensors, and then apply to specific sensors of that type.
SecurityFusion responses
  Responses that you define for events that the SecurityFusion Module correlates and that you can define based on the estimated impact (status) of the event.
  Note: The SecurityFusion Module is a separately purchased, add-on component.
Sensor responses
  Responses defined in custom response files. These responses come from the global response file and/or responses that you define in only the custom response file.
Desktop responses
  By default, Desktop agents do not send responses. You can configure agents to send responses if that helps you meet your security goals.

Table 59: Response types available in SiteProtector and SiteProtector agents

Response Strategy

Introduction

Using the hierarchy of responses
You can use the hierarchy to generate a single response for an event or to generate multiple responses to different events. You can even generate responses to the same event from different levels in the hierarchy.
For example, you can generate multiple responses as follows:
● You can set up a sensor policy to send an email response for a particular type of event to a security operator.
● You can set up the SecurityFusion Module to send an email response to a security analyst, but only if the SecurityFusion status indicates a successful attack.

Table 60 describes how to use agent responses to generate responses at the highest level where they are available in the hierarchy:

Create a central response
  For: email responses, SNMP responses, user-specified responses
  To: generate the response for an event regardless of which agent sends it.
  For: log evidence responses, quarantine responses
  To: define a response from Proventia G Series appliances.
Create a global response
  For: responses not already listed that you can set only at the sensor
  To: generate a response for many sensors.
Create a SecurityFusion response
  For: adjusting the severity of an event
  To: generate the response based on the status of the correlated event.
  For: logging the event to the database, displaying the event, user-specified responses
  To: generate the response based on the status of the correlated event, for sensors other than the Proventia G Series appliances.
  Note: User-specified central responses provide more functionality than user-specified SecurityFusion responses.
Create a custom response
  For: responses not already listed that you can set only at the sensor
  To: generate a unique response for a single sensor.

Table 60: Responses in the hierarchy

Chapter 14: Central Responses

Overview

Introduction
Central Responses takes the first step toward providing control over responses from a central location in SiteProtector. Currently, Central Responses includes only a subset of responses, but you can generate responses for all products. For the supported responses, you can customize the responses to meet your needs.

User role
You must be a SiteProtector Analyst or Administrator to work with Central Responses.
Other response options
Central Responses is part of an overall response strategy that is described in "Response Strategy" on page 174.

Three components
Table 61 describes the three components of Central Responses:

Response rule
  Defines the criteria required to generate a response.
Response object
  Defines a particular response, such as an email to one or more individuals. You assign response objects to response rules to define the response to generate for each rule. Response objects are configurable for Central Responses and Proventia G (Next Generation) appliances.
  Note: Response objects (Email, SNMP, and User-specified) are only available for use in Central Response policy configuration.
Network object
  Network objects define individual assets and groups of assets. You can assign network objects to rules to define which assets the rule covers. Network objects are configurable for Central Responses and Proventia M appliances.
  Note: Network objects are optional. You can also define specific assets in the response rule.

Table 61: Components of a central response

In this chapter
This chapter contains the following sections:
Section A, "Working with Response Rules" — page 177
Section B, "Working with Response Objects" — page 191
Section C, "Working with Network Objects" — page 199

SECTION A: Working with Response Rules

Overview

Introduction
A response rule defines the criteria required to generate a response.
You can specify the following parameters for each rule:
● events that must occur, and how often they occur
● source IP addresses or ports to associate with events
● destination IP addresses or ports to associate with events
● response notifications associated with a matched rule, such as
  ■ generating an email
  ■ generating an SNMP trap
  ■ generating a user-specified response
● special values, such as a specific user name or sensor name

Two ways to start
You can start a response rule from scratch, or you can start a response rule based on events that have already occurred at your Site. Instructions for both procedures are provided in the first two topics in this section.

Rules for response rules
The following rules apply to response rules:
● You can create up to 200 response rules per Site.
● You can associate up to 50 events with each rule.

In this section
This section contains the following topics:
Creating New Response Rules — page 178
Creating Event-Based Response Rules — page 179
Selecting Rule Events — page 180
Specifying an Event Source and Destination — page 181
Selecting a Response — page 184
Adding Event Details — page 185
Enabling Response Rules — page 187
Editing Response Rules — page 188
Customizing the Response Rules View — page 189
Ordering Response Rules — page 190

Creating New Response Rules

Introduction
The Central Responses feature lets you create new response rules that are not based on existing events. To create response rules based on existing events, see "Creating Event-Based Response Rules" on page 179.

Procedure
To create a response rule:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. On the Response Rules tab, click Add.
4. If you want to enable this rule immediately, select the Enabled check box.
5.
Type a unique Name of up to 50 characters in length for the rule.
6. Type any important information, using up to 255 characters, about the rule in the Comment box.
7. Define the Rule Threshold.
The Rule Threshold determines how often a response is sent when the rule is triggered. The default setting sends a response if the rule is triggered 1 time within a 60 second period.
8. Choose your next procedure based on how you want to further define the rule:
  ■ To select rule events, see "Selecting Rule Events" on page 180.
  ■ To specify an event source or destination, see "Specifying an Event Source and Destination" on page 181.
  ■ To select responses, see "Selecting a Response" on page 184.
  ■ To add or select Attribute-Value pairs, see "Adding Event Details" on page 185.

Creating Event-Based Response Rules

Introduction
You can create response rules based on events that have already occurred on your Site. The rules you create appear in the Response Rules list in Central Responses.
Note: You can associate up to 50 events with one response rule.

Procedure
To create a response rule based on an event:
1. In the Enterprise Groups pane, select Your_Site or a group, and then select the Sensor Analysis tab.
2. Select the Event Analysis Details view from the Load Analysis view list.
Note: You can perform this procedure using other SiteProtector Views, but the rule will be auto-populated by only some of the parameters visible in that particular view.
3. Select up to 50 events on which to base the response rule.
4. Right-click the selected event, and then select Create New Response Rule from the pop-up menu.
5. Type a Name for the response rule, and then click Next.
6. If you want to change any settings for this response rule, select the rule you just named, and then click Edit.
Selecting Rule Events

Introduction
As events occur on any sensor or appliance in your Site, they are matched to the rules that you have created. When an event matches a rule's criteria, SiteProtector determines if all the other parameters also match. If all parameters match the rule, SiteProtector generates a response.
Note: You can associate up to 50 events with each response rule.

Example
You may add an event to a rule that includes all HTTP events with a high priority. When an HTTP event with a high priority occurs, SiteProtector will generate a response.

Procedure
To select event types to associate with a rule:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. On the Response Rules tab, do one of the following:
  ■ To add a new response rule, click Add.
  ■ To use an existing rule, select a rule from the list, and then click Edit.
4. Select the Events tab.
5. Click Add.
6. Type the event name, or type the event criteria using a wildcard search.
Note: If you are creating a rule from scratch, you must enter the name exactly as it appears in SiteProtector, such as HTTP_GET. If you are not sure of the exact name, you can use wildcards such as *HTTP*, *HTTP, or HTTP*.
7. To filter event results, select a Priority and/or Status for the event.
8. Click OK.
9. In the Events section, select the check boxes in the Enabled column for the event types to associate with this rule.
10. Select another tab to continue, or click OK.
Note: Either action saves your selections.
Specifying an Event Source and Destination

Introduction
When you specify a rule's event source or destination, you are associating events with specific source and destination IP addresses and/or ports. When an event occurs, SiteProtector verifies that the event source and destination are IP addresses or ports you specified. If the event source/destination criteria match the event, along with the other criteria you specified for the rule, SiteProtector generates a response.
To specify an event source/destination, complete one or both of the following tasks:
● specify source/destination IP addresses
● specify ports

About back door response events
If you set up a rule using a back door response event, and you specify source and/or destination IP addresses, due to the nature of back door events, the source and destination IP addresses are reversed on the Sensor Analysis tab:
● The source IP address appears in the destination IP address column (or appears as the victim).
● The destination IP address appears in the source IP address column (or appears as the attacker).

Specifying source IP addresses
To specify source IP addresses:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. On the Response Rules tab, do one of the following:
  ■ To add a new response rule, click Add.
  ■ To edit an existing rule, select the rule from the list, and then click Edit.
4. In the Add/Edit Response Rules window, select the Source tab.
5. If you want to include events from all IP addresses, select Any.
6. To include events from specific IP addresses, select Use Specific Source Address, and then select a Mode from the list:
  ■ Select From to include events only from the IP addresses you specify.
  ■ Select Not From to exclude events from any IP addresses you specify.
7.
In the Specific sources section, select one of the following options:

IP Address List: Click Add to add single IP addresses to the list.
Network Address/#Network Bits (CIDR): Include an IP address on a subnet. Type the IP address and mask. The mask is the network identifier, and is a number from 1 to 32; for example: 128.8.27.18 / 16.
IP Address Range: Include an address range, and then type the first and last addresses in the range. Do not use 0.0.0.0-255.255.255.255 as the Site range. If you use this as the Site range, random IP addresses are added to your ungrouped assets folder, such as IP addresses from Web sites, et cetera.
Address List Entry: Include a Network Object Address Name. Select it from the list. To create a new Address Name to include here, click Add Address Name. The Select Network Object window appears and enables you to create a new list entry.

Specifying destination IP addresses
To specify destination IP addresses:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. On the Response Rules tab, do one of the following:
  ■ To add a new response rule, click Add.
  ■ To edit an existing rule, select the rule from the list, and then click Edit.
4. In the Add/Edit Response Rules window, select the Destination tab.
5. In the Destination Address section, select one of the following options:

Any: Include events from all IP addresses.
Single IP Address: Include events only from IP addresses you specify. Tip: Click Add to add single IP addresses to the list.
Network Address/#Network Bits (CIDR): Include an IP address on a subnet. Type the IP address and mask.
The mask is the network identifier, and is a number from 1 to 32; for example: 128.8.27.18 / 16.
IP Address Range: Include an address range, and then type the first and last addresses in the range. Do not use 0.0.0.0-255.255.255.255 as the Site range. If you use this as the Site range, random IP addresses are added to your ungrouped assets folder, such as IP addresses from Web sites, et cetera.
Address List Entry: Include a Network Object Address Name. Select it from the list. To create a new Address Name to include here, click Add Address Name. The Select Network Object window appears and enables you to create a new list entry.

Specifying ports
To specify source or destination ports:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. On the Response Rules tab, do one of the following:
  ■ To add a new response rule, click Add.
  ■ To edit an existing rule, select the rule from the list, and then click Edit.
4. In the Add/Edit Response Rules window, select the Source tab or Destination tab.
5. In the Source Port or Destination Port section, select one of the following options:

Any: Include all ports in your Site.
Single Port: Specify one port in your Site.
Port Range: Include a port range. Type the first and last ports in the range.
Port List Entry: Include a Network Object Port Name. Select it from the list. To create a new Port Name to include here, click Add Port Names. The Select Network Object window appears and enables you to create a new list entry.
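The Source and Destination tab options above (Any, IP Address List, Network Address/#Network Bits, IP Address Range, the From / Not From mode, and the port options) as an added matching example; this is illustrative code, not SiteProtector's own, and the event field names SourceAddress, SourcePort, DestinationAddress and DestinationPort are taken from the AVP names this guide uses for those fields.

```python
"""Added example (not SiteProtector code): evaluating a Central Responses rule's
source/destination criteria against an event, as the Source and Destination tabs
describe them.  Addresses are IPv4 text; ports are integers."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AddressCriteria:
    mode: str = "Any"                 # Any | From | Not From (Destination tab has no Not From)
    addresses: list = field(default_factory=list)   # IP Address List entries, e.g. "10.0.0.5"
    networks: list = field(default_factory=list)    # CIDR entries, e.g. "128.8.27.18/16"
    ranges: list = field(default_factory=list)      # IP Address Range entries, (first, last)

    def __post_init__(self):
        if self.mode not in ("Any", "From", "Not From"):
            raise ValueError(f"unknown mode {self.mode!r}")
        for net in self.networks:
            # The guide says #Network Bits is a number from 1 to 32.
            bits = int(net.split("/")[1])
            if not 1 <= bits <= 32:
                raise ValueError(f"#Network Bits must be 1..32: {net}")

    def _listed(self, ip):
        """True if ip is in the address list, a CIDR entry, or a range."""
        if any(ip == ipaddress.ip_address(a) for a in self.addresses):
            return True
        # strict=False accepts a host address with its mask, as in 128.8.27.18 / 16.
        if any(ip in ipaddress.ip_network(n, strict=False) for n in self.networks):
            return True
        return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
                   for lo, hi in self.ranges)

    def matches(self, ip_text):
        if self.mode == "Any":
            return True
        listed = self._listed(ipaddress.ip_address(ip_text))
        # From: only listed addresses match; Not From: everything except them.
        return listed if self.mode == "From" else not listed


@dataclass
class PortCriteria:
    option: str = "Any"          # Any | Single Port | Port Range | Port List Entry
    single: int = 0
    port_range: tuple = (0, 0)   # (first, last), inclusive
    port_list: list = field(default_factory=list)  # ports behind a Network Object Port Name

    def matches(self, port):
        if self.option == "Any":
            return True
        if self.option == "Single Port":
            return port == self.single
        if self.option == "Port Range":
            lo, hi = self.port_range
            return lo <= port <= hi
        if self.option == "Port List Entry":
            return port in self.port_list
        raise ValueError(f"unknown port option {self.option!r}")


@dataclass
class EndpointCriteria:
    """The address and port criteria of one rule, source and destination side."""
    source: AddressCriteria = field(default_factory=AddressCriteria)
    source_port: PortCriteria = field(default_factory=PortCriteria)
    destination: AddressCriteria = field(default_factory=AddressCriteria)
    destination_port: PortCriteria = field(default_factory=PortCriteria)

    def matches(self, event):
        """All four criteria must agree with the event for the rule to match."""
        return (self.source.matches(event["SourceAddress"])
                and self.source_port.matches(event["SourcePort"])
                and self.destination.matches(event["DestinationAddress"])
                and self.destination_port.matches(event["DestinationPort"]))


if __name__ == "__main__":
    # Constructed sample: events from the 128.8.0.0/16 subnet, but not the management
    # host 128.8.27.18, aimed at a web server's port range.
    rule = EndpointCriteria(
        source=AddressCriteria("From", networks=["128.8.27.18/16"]),
        destination=AddressCriteria("From", addresses=["192.0.2.10"]),
        destination_port=PortCriteria("Port Range", port_range=(80, 8080)))
    sample = {"SourceAddress": "128.8.200.1", "SourcePort": 51234,
              "DestinationAddress": "192.0.2.10", "DestinationPort": 8080}
    print("rule matches sample event:", rule.matches(sample))
```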
Selecting a Response

Introduction
When an event occurs that matches a response rule, SiteProtector can send an email to a responsible party, such as an incident response team or a Site Administrator, it can generate an SNMP response, or it can run a user-specified script on the application server.
Note: The Response Frequency threshold is determined using the local time on your application server. If the local time on the application server is reset for any reason, the response frequency may be met, and additional responses may be generated.

Procedure
To select a response:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. On the Response Rules tab, do one of the following:
  ■ To add a new response rule, click Add.
  ■ To edit an existing rule, select the rule from the list, and then click Edit.
4. In the Add Response Rules window, select the Response tab.
5. If you want to set a frequency for the event, select the Response Frequency check box and then type or select the appropriate values for Send at most [n] responses within [n] [time period].
Note: The default is 1 response within 60 seconds. If you do not specify a response frequency, then SiteProtector sends a notification every time the rule is matched.
6. Complete one or more of the following tasks:
Note: You create the email, SNMP, or user-specified responses that appear in Response Objects on the Responses tab. If you do not see the email, SNMP, or user-specified information you want to associate with this rule in the list, click Manage Responses to add it to the list.
  ■ Select the Email tab, and then select the check box in the Enabled column for the email response to associate with this rule.
  ■ Select the SNMP tab, and then select the check box in the Enabled column for the SNMP response to associate with this rule.
  ■ Select the User-Specified tab, and then follow the instructions for "Configuring User-Specified Response Objects" on page 196.
7. Select another tab to continue, or click OK.
Note: Either action saves your selections.

Adding Event Details

Introduction
A response rule includes event details. Attribute-value pairs (AVPs) are used to define the event details. Some AVPs are created for you automatically when you create the response rule. For example, when you create a response rule and specify 127.0.0.1 as the source IP address, an AVP is created for you automatically with the following attribute-value pair:
● Attribute (parameter) is SourceAddress
● Value is 127.0.0.1
You can add other AVPs for the response rule as necessary. For example, you can manually add AVPs for user name or sensor name.

Guidelines
When creating AVPs, use the following guidelines:
● Attributes (parameters) should be unique.
● Wildcard characters are not allowed.
● Do not use any of the following, because these attributes can be defined in the Events, Source, and Destination tabs:
  ■ AlertName
  ■ SourceAddress
  ■ SourcePort
  ■ DestinationAddress
  ■ DestinationPort

Procedure
To add event details (AVPs):
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. On the Response Rules tab, do one of the following:
  ■ To add a new response rule, click Add.
  ■ To edit an existing rule, select the rule from the list, and then click Edit.
4. In the Add Response Rules window, select the Event Details tab.
5. On the Event Details tab, complete one of the following tasks:
  ■ Click Add to add a new AVP.
  ■ Select an existing AVP and click Edit.
6.
In the Add/Edit Event Details window, select the Enabled check box.
7. Type a unique Parameter for the AVP without spaces. Example: UserName
Note: Do not use wildcard characters or any of the following: AlertName, SourceAddress, SourcePort, DestinationAddress, or DestinationPort.
8. Type a Value for the AVP without spaces. Example: BobW
Note: Do not use wildcard characters.
9. When you are finished adding the necessary AVPs and want to save the AVPs, select another tab, or click OK.

Enabling Response Rules

Introduction
You can enable response rules from Central Responses.

Procedure
To enable response rules:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. In the Response Rules list, select the Enabled check box for any response rule you want to enable.

Editing Response Rules

Introduction
You can edit response rules for your Site from Central Responses. You do not have to disable rules before you edit them.

Procedure
To edit a response rule:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings on the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. Select the rule you want to edit, and click Edit.
4. If you want to enable this rule immediately after you edit it, select the Enabled check box.
5. If you want to change the rule order, see "Ordering Response Rules" on page 190.
Note: You cannot enter a value in the Order box. The rule order is initially set to zero (0) for each rule you create.
The rule's location in the list determines the rule order. (See "Ordering Response Rules" on page 190.)
6. If you want to change the rule name, type a unique Name, using up to 50 characters, for this rule.
7. Type any important information about this rule, using up to 255 characters, in the Comment box.

Customizing the Response Rules View

Introduction
You can customize how rules appear on the Response Rules tab to help you find important information when you need it. This topic describes the following tasks:
● adding and removing columns in the Response Rules view
● sorting information in a column
● grouping rules by column

Adding or removing columns
To add or remove columns in the Response Rules view:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. On the Responses tab, click Select Columns.
4. Select the check box beside the column you want to add or remove from the view.
5. Click OK.

Sorting information in a column
To sort information in a column:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. On the Response Rules tab, click the column header for the column you want to sort.
The information is sorted alphabetically or numerically within the column.

Grouping rules by column
To group rules by column:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. On the Response Rules tab, click Group By.
4. In the All Columns list, select the column you want to use to group information.
5. Click Add.
The column name appears in the Group by These Columns list.
Tip: You can also right-click any column heading, and then click Group by on the pop-up menu to group rules by column.
Each column you add to the list is nested under the previous column. To change how columns are nested, you must remove them from the list, and then add them back to the list in the desired order.

Ordering Response Rules

Introduction
SiteProtector lets you determine the order of response rules. You can arrange the response rules in any order you choose, such as by importance. You set the order of importance for response rules using the Central Responses feature.

Default rule order
SiteProtector implements response rules in the order you specify for your Site. The rule's location in the list determines the order in which it is implemented. When you create new response rules, they are automatically positioned in the response rule list as follows:
● If you select a response rule before you create the new response rule, the new response rule is placed above the rule you selected.
● If no rule is selected at the time you create the response rule, the new response rule is placed in the last position in the list.
● If you use the Rule Wizard to create the response rule, the new response rule is placed at the first position in the rule list.

Before you begin
Make sure the list you are changing is an unsorted list. You cannot change the order of a sorted response rules list.

Procedure
To change the order of response rules:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Rules.
3. Select a rule in the list, and then click the Move Up and Move Down buttons on the toolbar to change the order of the rule in the list.
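The rule concepts of Section A (rules evaluated in list order, event names matched exactly or with the * wildcard as in "Selecting Rule Events", the AVP guidelines of "Adding Event Details", and the Response Frequency threshold of "Selecting a Response" with its local-clock caveat) as one added example; this is illustrative code, not SiteProtector's own, and the event dictionary keys and the throttling bookkeeping are assumptions.

```python
"""Added example (not SiteProtector code): a model of Central Responses rule
evaluation.  The 'now' value stands for the application server's local time."""
import re
from dataclasses import dataclass, field
from typing import Optional

RESERVED_AVP_PARAMETERS = {"AlertName", "SourceAddress", "SourcePort",
                           "DestinationAddress", "DestinationPort"}
MAX_EVENTS_PER_RULE = 50   # limit stated in the guide
MAX_RULES_PER_SITE = 200   # limit stated in the guide


def event_name_matches(pattern: str, name: str) -> bool:
    """Exact match, or * as the only wildcard (HTTP_GET, *HTTP*, HTTP*, *HTTP)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def validate_avps(avps: dict) -> dict:
    """Enforce the AVP guidelines: reserved names belong on the Events/Source/Destination
    tabs, and neither parameter nor value may contain wildcards or spaces.
    Parameter uniqueness is guaranteed by using a dict."""
    for param, value in avps.items():
        if param in RESERVED_AVP_PARAMETERS:
            raise ValueError(f"{param}: define it on the Events, Source or Destination tab")
        for text in (param, value):
            if "*" in text or " " in text:
                raise ValueError(f"wildcards and spaces are not allowed: {param}={value}")
    return avps


@dataclass
class RuleEvent:
    pattern: str                     # event name or wildcard pattern
    priority: Optional[str] = None   # Priority filter, None means any
    status: Optional[str] = None     # Status filter, None means any
    enabled: bool = True             # the Enabled column on the Events tab


@dataclass
class ResponseRule:
    name: str
    events: list
    avps: dict = field(default_factory=dict)
    enabled: bool = True
    max_responses: int = 1           # Send at most [n] responses ...
    period_seconds: float = 60.0     # ... within [n] [time period] (default 1 in 60 s)
    sent_at: list = field(default_factory=list)   # times at which responses were sent

    def __post_init__(self):
        if not 1 <= len(self.name) <= 50:
            raise ValueError("Name must be 1 to 50 characters")
        if len(self.events) > MAX_EVENTS_PER_RULE:
            raise ValueError(f"at most {MAX_EVENTS_PER_RULE} events per rule")
        validate_avps(self.avps)

    def matches(self, event: dict) -> bool:
        """All parameters must match: one enabled event entry, plus every AVP."""
        name_ok = any(
            ev.enabled
            and event_name_matches(ev.pattern, event["AlertName"])
            and (ev.priority is None or ev.priority == event.get("Priority"))
            and (ev.status is None or ev.status == event.get("Status"))
            for ev in self.events)
        return name_ok and all(event.get(p) == v for p, v in self.avps.items())

    def frequency_allows(self, now: float) -> bool:
        """Trailing-window threshold driven by local time.  A clock jump forward
        expires the window early, which is why the guide warns that a reset clock
        can let additional responses through."""
        self.sent_at = [t for t in self.sent_at if now - t < self.period_seconds]
        if len(self.sent_at) >= self.max_responses:
            return False
        self.sent_at.append(now)
        return True


def evaluate(rules: list, event: dict, now: float) -> list:
    """Names of the enabled rules, in list order, that generate a response now."""
    if len(rules) > MAX_RULES_PER_SITE:
        raise ValueError(f"at most {MAX_RULES_PER_SITE} response rules per Site")
    return [r.name for r in rules
            if r.enabled and r.matches(event) and r.frequency_allows(now)]


if __name__ == "__main__":
    # Constructed sample: the guide's own example values (HTTP_GET, UserName=BobW).
    rules = [ResponseRule("HighPriorityHTTP", [RuleEvent("*HTTP*", priority="High")]),
             ResponseRule("BobW_HTTP", [RuleEvent("HTTP_GET")], avps={"UserName": "BobW"},
                          max_responses=2)]
    sample = {"AlertName": "HTTP_GET", "Priority": "High", "Status": "Success",
              "UserName": "BobW"}
    print("t=0  :", evaluate(rules, sample, 0.0))    # both rules respond
    print("t=10 :", evaluate(rules, sample, 10.0))   # first rule throttled (1 per 60 s)
    print("t=20 :", evaluate(rules, sample, 20.0))   # both throttled
    print("t=60 :", evaluate(rules, sample, 60.0))   # windows expired, both respond again
```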
SECTION B: Working with Response Objects

Overview

Introduction
Response objects contain specific information that you can use in a response, such as email addresses, details for SNMP responses, or parameters for user-specified responses. You can associate a single response object with many response rules. If information in that object changes, you change it once in the response object, and the change applies automatically to every rule that uses it.

Example
You set up responses for very important response rules to send an email to the head of the Security Department. While she is out on maternity leave, you want to send the responses to her deputy. You change the email address in the response object, and every response rule that uses it automatically uses the new email address.

User role
You must be a SiteProtector Administrator or Analyst to work with Central Responses.

In this section
This section contains the following topics:
Topic                                          Page
Supported Response Objects and Agents           192
Configuring Email Response Objects              193
Configuring SNMP Response Objects               195
Configuring User-Specified Response Objects     196
Removing a Response Object                      197

Supported Response Objects and Agents

Introduction
Table 62 describes the response objects you can create:
Response object   Description
Email             Specify email addresses for groups or people who regularly receive notifications.
SNMP              Specify SNMP settings to send an SNMP trap when an event is detected.
Log Evidence      Enable logging when an event triggers a response.
Quarantine        Set firewall parameters that will trigger a blocking response after a sequence of events.
User-Specified    Create a user-specified response to triggered events.
Table 62: Response Objects

Supported agents and appliances
Table 63 lists response objects and the agents they support:
Response Object   All agents   Proventia G
Email             Yes          Yes
SNMP              Yes          Yes
Log Evidence      No           Yes
Quarantine        No           Yes
User-Specified    Yes          Yes
Table 63: Agents Supported by Response Objects

Proventia G responses
You can apply the response objects you create for Proventia G to local responses on the appliance.

Configuring Email Response Objects

Introduction
When specific events happen on your Site, you can send a notification to interested or responsible parties. Use email response objects to configure email addresses that you want multiple components on your Site to share.

Adding an email response object
To add an Email response object:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Objects.
3. In the right pane, select the Email tab.
4. Click Add.
5. Type a unique Name for the Email response object, such as “Email_ResponseTeam1.”
6. Type the name of the SMTP Host to handle the email.
7. Type the email address from which the message originates in the From box.
8. Type the email address(es) where you want to send the notification in the To box.
Note: Separate multiple email addresses with semicolons.
9. Type a Subject line for the email, or select an item to include in the message in the Sensor Parameters/Common Parameters folder, and then click Subject.
10. Type the Body of the email, or select an item to include in the message in the Sensor Parameters/Common Parameters folder, and then click Body.
Note: If you select a parameter that does not match an event associated with a response rule, the parameter appears in the email in its original tag format.
Example: If you select the <ObjectName> parameter, and the event associated with the response in the response rule does not contain this parameter, it appears as <ObjectName> in the email.
11. Click OK.

Editing an email response object
To edit an Email response object:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Objects.
3. In the right pane, select the Email tab.
4. Click Edit.
5. Change any of the following information:
Field          Description
Name           A unique name for the email response object, such as “Email_ResponseTeam1.”
SMTP Host      The name of the SMTP host that will handle the email.
From           The email address from which the message will originate.
To             The email address where you want to send the notification. Note: Use semicolons to separate multiple email addresses.
Subject line   The subject of the email notification.
Body           Text to appear in the email message.
6. Click OK.

Configuring SNMP Response Objects

Introduction
SNMP responses send an SNMP trap. When SiteProtector detects an event, it sends an SNMP trap to the manager and community you specify when you create the response object. Use SNMP response objects to configure SNMP settings you want to share with multiple components on your Site.
Note: The community name travels in the clear with every trap (SNMP v1 and v2c do not encrypt it), so use a community reserved for receiving traps rather than a read/write community that can reconfigure devices.

Adding an SNMP response object
To add an SNMP response object:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Objects.
3. In the right pane, click the SNMP tab.
4. Click Add. The Add SNMP dialog box appears.
5. Type a Name to associate with the SNMP response.
6. Type the IP address to which the trap is sent in the Manager box.
7. Type the valid Community name that the receiving SNMP manager expects.
8. Click OK.

Editing an SNMP response object
To edit an SNMP response object:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Objects.
3. In the right pane, click the SNMP tab.
4. Click Edit.
5. Change any of the following information:
Field            Description
Name             The name associated with the SNMP response.
Manager          The IP address to which the trap is sent.
Community name   The community name that the receiving SNMP manager expects.
6. Click OK.

Configuring User-Specified Response Objects

Introduction
You can create responses to specific events that happen on your Site. User-specified response objects can include any script or application that runs on the SiteProtector server.
Note: The command runs on the SiteProtector server with the privileges of the account SiteProtector runs under, and the parameters you add to it are filled in from the triggering event, so they can carry data chosen by whoever generated the traffic. Restrict who can modify the script, and have the script validate its arguments.

Adding a user-specified response object
To add a User-Specified response object:
1. In the left pane of the Central Responses window, select Response Objects.
2. In the right pane, select the User Specified tab.
3. Click Add.
4. Type a descriptive Name for the object.
5. Type a Command to associate with the object.
6. Expand the Common Parameters folder, and then select a parameter.
7. Click Add.
8. Click Move Up or Move Down to order the parameters you have added to the list.
9. Click OK.

Editing a user-specified response object
To edit a User-Specified response object:
1. In the left pane of the Central Responses window, select Response Objects.
2. In the right pane, select the User Specified tab.
3. Click Edit.
4. Change the Name or Command, and then add or remove parameters to associate with the object.
5. Click OK.
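The Email and User-Specified objects above can be modelled in a few lines of Python. The following is an added worked example, not code from the guide or from SiteProtector: it renders an Email object whose Subject and Body contain <Parameter> tags filled from the triggering event, leaving an unmatched tag in its original <Tag> form as the note on <ObjectName> describes, and it builds the argument list for a User-Specified object from its parameters in their configured order. The parameter names (AlertName, SourceAddress, DestinationAddress), the addresses, SMTP host, script path and the event itself are constructed for the example, and passing an empty string for a parameter the event does not carry is an assumption rather than documented behaviour. Because parameter values come from observed traffic, the example also folds CR/LF out of anything substituted into a mail header, so an event field cannot add headers such as Bcc: to the notification, and it hands the command its parameters as separate arguments rather than as one shell string.

```python
"""Central Responses rendering model: added example, not SiteProtector code.
Email objects: <Tag> in Subject/Body is replaced from the event; an unmatched
tag stays in its original <Tag> form (the guide's <ObjectName> note).
User-Specified objects: a command plus parameters in the configured order,
passed as separate arguments. Names, addresses and the event are constructed."""
import re
import subprocess
from email.message import EmailMessage

TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9_]*)>")


def render_template(template, event, single_line=False):
    """Substitute <Tag> with event[Tag]; unknown tags are kept verbatim."""
    def sub(match):
        name = match.group(1)
        if name not in event:
            return match.group(0)             # documented: tag appears as typed
        value = str(event[name])
        if single_line:
            # Header values must not contain CR/LF. Event fields (URLs, user
            # names) came off the wire, so fold them before they reach a header,
            # or an event could add headers such as Bcc: to the notification.
            value = re.sub(r"[\r\n]+", " ", value)
        return value
    return TAG_RE.sub(sub, template)


def split_recipients(to_field):
    """The To box takes semicolon-separated addresses."""
    return [addr.strip() for addr in to_field.split(";") if addr.strip()]


def build_email(email_obj, event):
    """Render one Email response object for one event into a MIME message."""
    msg = EmailMessage()
    msg["From"] = email_obj["from"]
    msg["To"] = ", ".join(split_recipients(email_obj["to"]))
    msg["Subject"] = render_template(email_obj["subject"], event, single_line=True)
    msg.set_content(render_template(email_obj["body"], event))
    return msg


def build_argv(user_obj, event):
    """Command plus parameters in Move Up/Move Down order, each its own argv
    entry (no shell), so event text is never parsed as shell syntax. A
    parameter the event does not carry is passed as "" (assumption)."""
    return [user_obj["command"]] + [str(event.get(p, "")) for p in user_obj["parameters"]]


def run_user_response(user_obj, event, timeout=30):
    """Execute the script on the server the way a triggered rule would."""
    return subprocess.run(build_argv(user_obj, event), shell=False,
                          capture_output=True, text=True, timeout=timeout)


# Constructed sample objects and event (not from the guide).
EMAIL_OBJECT = {
    "name": "Email_ResponseTeam1", "smtp_host": "smtp.example.internal",
    "from": "siteprotector@example.internal",
    "to": "soc@example.internal; oncall@example.internal",
    "subject": "SiteProtector: <AlertName> from <SourceAddress>",
    "body": "Event: <AlertName>\nSource: <SourceAddress>\n"
            "Target: <DestinationAddress>\nObject: <ObjectName>\n",
}
USER_OBJECT = {"name": "Block_Source", "command": "/usr/local/bin/block-host.sh",
               "parameters": ["SourceAddress", "AlertName"]}
SAMPLE_EVENT = {"AlertName": "Constructed_Test_Event", "SourceAddress": "10.9.8.7",
                "DestinationAddress": "192.168.5.40"}

if __name__ == "__main__":
    print(build_email(EMAIL_OBJECT, SAMPLE_EVENT))
    print(build_argv(USER_OBJECT, SAMPLE_EVENT))
```

The SMTP host is carried in the object but never contacted, so the example runs offline; the rendered message would be handed to smtplib in a real sender. Note that the body is left multi-line on purpose: only header fields need the CR/LF folding, and the <ObjectName> tag survives untouched because the sample event has no such field.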
Removing a Response Object

Introduction
This topic provides the procedure for removing a response object from SiteProtector. You can use the same procedure to remove any type of response object.

Procedure
To remove a response object:
1. In the Enterprise Groups pane, right-click Your_Site or a group within the Site, and then select Site Management → Central Responses → Edit Settings from the pop-up menu.
2. In the left pane of the Central Responses window, select Response Objects.
3. In the right pane, click one of the following tabs:
■ Email
■ Log Evidence
■ Quarantine
■ SNMP
■ User-Specified
4. Select the response object to remove.
5. Click Remove.
Important: When you remove a response object from the list, you must also change the response type for any response rule associated with that object.

SECTION C: Working with Network Objects

Overview

Introduction
When you create policies and responses, you may use the same IP addresses and ports across different components. Network objects enable you to create custom network address and port lists that you can share across multiple components.

Advantages
Network objects let you centralize data entry so that you only have to change the network object instead of each instance of the data.
You can give network objects unique names such as the following:
● Atlanta Web Servers, which represents the IP range 192.168.5.35 - 192.168.5.45
● Boston Web Servers, which represents the IP range 192.168.4.34 - 192.168.4.45
● Main Branch Server, which represents the IP address 192.168.6.22

Network object types
Table 64 describes the network object types:
Network Object         Description
Address Name           An object that includes any of the following:
                       • any IP address
                       • a single IP address
                       • a single IP address range
                       • a single IP address and CIDR mask
                       • a single address list
                       An address list can contain more than one IP address range.
Address Group          An object that includes one or more Address Names or Groups
Port Name              An object that includes a single port, or one or more port ranges
Port Group             An object that includes one or more Port Names or Groups
Dynamic Address Name   An object that provides one name with which you can associate unique dynamic address lists across multiple appliances in your Site
Table 64: Network object types

Network object categories
Table 65 describes the network object categories:
Category   Description                                      Example
Name       Contains one or more firewall or VPN elements    • an Address Name containing a single IP address
                                                            • a Port Name containing multiple port ranges
Group      Contains any of the following:                   • an Address Group containing a single Address Name
           • one or more Name objects                       • a Port Group containing multiple Port Names and a nested Port Group
           • one or more Group objects
Table 65: Network object categories

In this section
This section contains the following topics:
Topic                                               Page
Configuring Address Groups                           201
Configuring Address Names                            203
Configuring Port Groups                              205
Configuring Port Names                               207
Working with Dynamic Network Objects                 209
Configuring Dynamic Address Names                    210
Importing Network Objects from Another Component     211

Configuring Address Groups

Introduction
Use the Network Objects Address Groups page to configure address groups. An address group is a network object that includes one or more address names or groups.
Important: If you edit or remove an address group associated with response rules, the associations are also removed. To restore the associations, you must manually associate the response rules with a new address group.

Adding an address group
To add an address group:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select one of the following from the pop-up menu:
■ Site Management → Central Responses → Edit Settings
■ Network Protection → Proventia M → Edit Settings
2. In the left pane of the Central Responses window, select Network Objects.
3. In the right pane, select the Address Groups tab.
4. Click Add.
5. Type a descriptive Name for the group.
Important: You must type the name without spaces.
6. Type a description of the group in the Comment box.
7. In the Addresses area, click Add.
8. Complete one of the following tasks:
■ Select Address Name, and then select one from the Name drop-down list. Tip: To create a new Address Name and add it to the list, click Address Names.
■ Select Dynamic Address Name, and then select one from the Name drop-down list. Tip: To create a new Dynamic Address Name and add it to the list, click Dynamic Address Names.
■ Select Address Group, and then select one from the Group list.
9. Click OK.
10. Click OK.

Editing an address group
To edit an address group:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select one of the following from the pop-up menu:
■ Site Management → Central Responses → Edit Settings
■ Network Protection → Proventia M → Edit Settings
2. In the left pane of the Central Responses window, select Network Objects.
3. In the right pane, select the Address Groups tab.
4. Select an address group, and then click Edit.
5. Complete one or both of the following tasks:
■ Edit the Name or Comment information.
■ Edit an address by selecting it and clicking Edit. The Edit Addresses window appears and enables you to change any values associated with this address.
6. Click OK.

Removing an address group
To remove an address group:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select one of the following from the pop-up menu:
■ Site Management → Central Responses → Edit Settings
■ Network Protection → Proventia M → Edit Settings
2. In the left pane of the Central Responses window, select Network Objects.
3. In the right pane, select the Address Groups tab.
4. Select the group to remove, and then click Remove. A message appears and asks you to confirm your selection.
5. Click Yes.
6. Click OK.

Configuring Address Names

Introduction
Use the Network Objects Address Names page to configure address names. An address name is a network object that includes any of the following items:
● any IP address
● a single IP address
● one or more IP address ranges
● a single IP address and CIDR mask
● a single address list
Important: If you edit or remove an address name associated with response rules, those associations are removed. To restore those associations, you must manually associate those response rules with a new address name.

Adding an address name
To add an address name:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select one of the following from the pop-up menu:
■ Site Management → Central Responses → Edit Settings
■ Network Protection → Proventia M → Edit Settings
2. In the left pane of the Central Responses window, select Network Objects.
3. In the right pane, select the Address Names tab, and then click Add.
4. Type a descriptive Name.
Important: You must type the name without spaces.
5. Type a description of this Address Name in the Comment box.
6. Complete one of the following tasks:
To add...                    Complete this task...
Any IP address               Select Any.
One IP address               Select Single IP Address, and then type the IP Address in the form x.x.x.x.
An IP address range          Select Address Range, and then type the first and last IP addresses in the range in the IP Address Range boxes.
An IP address on a subnet    Select Network Address/#NetworkBits (CIDR), and then type the IP address and mask. The mask is the number of network (prefix) bits, from 1 to 32; for example, 128.8.27.18 / 16 denotes the network 128.8.0.0 - 128.8.255.255.
An address list              Select IP Address List, and then select an entry from the Address Range list.
7. Click OK.

Editing an address name
To edit an address name:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select one of the following from the pop-up menu:
■ Site Management → Central Responses → Edit Settings
■ Network Protection → Proventia G → Edit Settings
■ Network Protection → Proventia M → Edit Settings
2. In the left pane of the Central Responses window, select Network Objects.
3. In the right pane, select the Address Names tab.
4. Select the address name to edit, and then click Edit.
5. Edit the address information.
6. Click OK.

Removing an address name
To remove an address name:
1. In the Enterprise Groups pane, right-click Your_Site or a group, and then select one of the following from the pop-up menu:
■ Site Management → Central Responses → Edit Settings
■ Network Protection → Proventia G → Edit Settings
■ Network Protection → Proventia M → Edit Settings
2. In the left pane of the Central Responses window, select Network Objects.
3. In the right pane, click the Address Names tab.
4. Select the address name to remove, and then click Remove.
5. Click Yes, and then click OK.
Configuring Port Groups

Introduction
A port group is a network object that includes any of the following:
● one or more port names
● one or more port groups
Use the Port Groups page to configure port groups.

Port groups associated with responses or policies
If you edit or remove a port group that is associated with responses or policies, those associations are removed. To restore those associations, you must manually associate those network objects with a new port group.

Adding a port group
To add a port group:
1. In the left pane of the policy editor, select Network Objects.
2. In the right pane, select the Port Groups tab, and then click Add.
3. Type a descriptive Name for the group.
4. Type a description of the list in the Comment field.
5. In the Ports area, click Add.
6. Complete one of the following steps:
■ Select Port Name, and then select an entry from the Port list.
■ Click Port Names to create or select a new port name.
■ Select Port Group, and then select an entry from the Group list.
7. Click OK, and then click OK.

Editing a port group
To edit a port group:
1. In the left pane of the policy editor, select Network Objects.
2. In the right pane, select the Port Groups tab.
3. Select an item in the list to edit.
4. Click Edit.
5. Complete one or more of the following steps:
■ Type a new descriptive Name for the group.
■ Type a new description of the list in the Comment field.
■ To add another port, in the Ports area, click Add. The Add Ports window appears. Then complete one of the following:
  ■ Select Port Name, and then select an entry from the Port list.
  ■ Click Port Names to create or select a new port name.
  ■ Select Port Group, and then select an entry from the Group list.
6. Click OK, and then click OK.

Removing a port group
To remove a port group:
1. In the left pane of the policy editor window, select Network Objects.
2. In the right pane, select the Port Groups tab.
3. Select the item you want to remove.
4. Click Remove.

Configuring Port Names

Introduction
A port name is a network object that includes either of the following:
● a single port
● one or more port ranges
In the policy editor, use the Network Objects Port Names tab to configure port names.
If you edit or remove a port name that is associated with policies or responses, those associations are removed. To restore those associations, you must manually associate those network objects with a new port name.

Adding a port name
To add a port name:
1. In the left pane of the policy editor, select Network Objects.
2. In the right pane, select the Port Names tab, and then click Add.
3. Type a descriptive Name for the port name.
4. Type a description of the list in the Comment field, and then click Add.
5. From the Protocol list, select one of the following options:
■ TCP. Transmission Control Protocol: connection-oriented transport between two hosts that exchange streams of data.
■ UDP. User Datagram Protocol: connectionless sending and receiving of individual datagrams over IP, used by services such as DNS and by the Unix traceroute command.
A port name carries exactly one protocol, so a service that listens on the same port over both TCP and UDP needs two port names, which you can combine in a port group.
6. In the Port area, complete one of the following steps:
■ Select Single Port, and then type a port value in the Single Port box.
■ Select Port Range, and then select a port range from the Range list.
7. Click OK, and then click OK.

Editing a port name
To edit a port name:
1. In the left pane of the policy editor, select Network Objects.
2. In the right pane, select the Port Names tab.
3. Select the item you want to edit, and then click Edit.
4. Complete one or more of the following steps:
■ Type a new descriptive Name.
■ Type a new description of the list in the Comment field.
■ To add another port name, click Add. The Add Port Names window appears.
■ Select another Protocol list option.
■ In the Port area, change your port option.
5. Click OK, and then click OK.
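The address and port objects described in this section can be exercised with the following Python model, added here as a worked example and not taken from the guide or from the product. It implements the five Address Name forms from the Address Names table (Any, Single IP Address, Address Range, Network Address/#NetworkBits, IP Address List), a Group class that nests names and other groups the way Address Groups and Port Groups do, Port Names that carry one protocol each, and Dynamic Address Names whose addresses are supplied per appliance as Table 64 describes. The object names follow the guide's own Atlanta, Boston and Main Branch examples, written without spaces as the tabs require; the appliance identifiers, the 10.x networks and the campus network are constructed. Two checks that the GUI procedures do not spell out are included: an inverted address range, an out-of-range port and a prefix length outside 1 to 32 are rejected, and a group that ends up nested inside itself stops matching instead of recursing forever.

```python
"""Network object model: added example, not SiteProtector code. Implements the
Address Name forms from the Address Names table, a Group that nests names and
groups (Address Groups and Port Groups), Port Names with one protocol each and
Dynamic Address Names resolved per appliance. All object names are constructed."""
import ipaddress


def _parse_range(text):
    """'a.b.c.d - w.x.y.z' -> (first, last); an inverted range is rejected."""
    first, last = (ipaddress.ip_address(x.strip()) for x in text.split("-"))
    if last < first:
        raise ValueError(f"range end {last} precedes start {first}")
    return first, last


class AddressName:
    """kind: 'any' | 'single' | 'range' | 'cidr' | 'list'; spec as typed in the tab."""
    def __init__(self, name, kind, spec=None):
        self.name = name
        if kind == "any":
            self.ranges = None                       # matches every address
        elif kind == "single":
            ip = ipaddress.ip_address(spec)
            self.ranges = [(ip, ip)]
        elif kind == "range":
            self.ranges = [_parse_range(spec)]
        elif kind == "cidr":                         # "128.8.27.18 / 16": the number after
            addr, bits = (x.strip() for x in spec.split("/"))   # the slash is network bits
            if not 1 <= int(bits) <= 32:
                raise ValueError(f"{name}: network bits must be 1-32, got {bits}")
            net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)  # host bits allowed
            self.ranges = [(net.network_address, net.broadcast_address)]
        elif kind == "list":                         # an address list: several ranges
            self.ranges = [_parse_range(r) for r in spec]
        else:
            raise ValueError(f"unknown address name kind {kind!r}")

    def contains(self, ip, appliance=None, _seen=None):
        if self.ranges is None:
            return True
        ip = ipaddress.ip_address(ip)
        return any(lo <= ip <= hi for lo, hi in self.ranges)


class DynamicAddressName:
    """One shared name; each appliance supplies its own dynamic address list."""
    def __init__(self, name, lists_by_appliance):
        self.name, self.lists = name, lists_by_appliance   # appliance id -> [AddressName]

    def contains(self, ip, appliance=None, _seen=None):
        return any(a.contains(ip) for a in self.lists.get(appliance, []))


class PortName:
    """One protocol (TCP or UDP) with a single port or one or more port ranges."""
    def __init__(self, name, protocol, ports):
        if protocol not in ("tcp", "udp"):
            raise ValueError(f"{name}: protocol must be tcp or udp")
        self.name, self.protocol, self.ranges = name, protocol, []
        for p in ports:                              # int or (low, high)
            lo, hi = (p, p) if isinstance(p, int) else p
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"{name}: bad port range {p!r}")
            self.ranges.append((lo, hi))

    def contains(self, protocol, port, appliance=None, _seen=None):
        return protocol == self.protocol and any(lo <= port <= hi for lo, hi in self.ranges)


class Group:
    """Address Group or Port Group: nests names and other groups of the same kind."""
    def __init__(self, name, members):
        self.name, self.members = name, list(members)

    def contains(self, *key, appliance=None, _seen=None):
        seen = set() if _seen is None else _seen
        if id(self) in seen:            # group nested inside itself: stop, do not recurse forever
            return False
        seen.add(id(self))
        return any(m.contains(*key, appliance=appliance, _seen=seen) for m in self.members)


# Constructed objects; server names follow the guide's examples, written without spaces.
ATLANTA = AddressName("Atlanta_Web_Servers", "range", "192.168.5.35 - 192.168.5.45")
BOSTON = AddressName("Boston_Web_Servers", "range", "192.168.4.34 - 192.168.4.45")
MAIN_BRANCH = AddressName("Main_Branch_Server", "single", "192.168.6.22")
CAMPUS = AddressName("Campus_Net", "cidr", "128.8.27.18 / 16")       # 128.8.0.0 - 128.8.255.255
WEB_SERVERS = Group("Web_Servers", [ATLANTA, BOSTON])
BRANCH_INSIDE = DynamicAddressName("Branch_Inside", {                 # one name, per-appliance lists
    "appliance-atl": [AddressName("atl_inside", "cidr", "10.1.0.0 / 16")],
    "appliance-bos": [AddressName("bos_inside", "cidr", "10.2.0.0 / 16")],
})
ALL_SERVERS = Group("All_Servers", [WEB_SERVERS, MAIN_BRANCH, BRANCH_INSIDE])
HTTP = PortName("HTTP", "tcp", [80, (8080, 8090)])   # UDP on the same ports needs its own Port Name
WEB_PORTS = Group("Web_Ports", [HTTP])
```

A policy that refers to ALL_SERVERS resolves differently on each appliance, which is the point of a dynamic address name: the same object matches 10.1.5.5 on appliance-atl and not on appliance-bos, and matches nothing from the dynamic list when no appliance is named. The cycle guard matters because a group can contain a group; without it, a configuration mistake that nests a group inside itself would hang the matcher.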
Removing a port name
To remove a port name:
1. In the left pane of the policy editor, select Network Objects.
2. In the right pane, select the Port Names tab.
3. Select an item to remove from the list.
4. Click Remove.

Working with Dynamic Network Objects

Introduction
In the policy editor, you may see two types of dynamic network objects. Table 66 describes each type:
Type                   Description
Dynamic address name   An object that provides one name with which you can associate unique dynamic address lists across multiple appliances in your Site.
Dynamic address list   Addresses specific to an appliance that are associated with a shared Dynamic Address Name. Dynamic address lists appear only if you are accessing the policy editor through the Proventia Manager for the Proventia G series or Proventia M appliance.
Table 66: Types of dynamic network objects

Working with dynamic network objects for Proventia G and M
You create the dynamic address name object, and then define the addresses for each appliance in a dynamic address list. You can share a dynamic address name among appliances, but you must associate individual addresses for each appliance in its dynamic address lists. When you use the dynamic address name to define a policy change in SiteProtector for a group of appliances, each appliance implements the change using the values in its individual dynamic address list associated with that name.

Default dynamic address names in Proventia M
Proventia M offers two default dynamic address names:
● CORP. The CORP dynamic address name is automatically configured with the IP address and subnet mask for your appliance internal interface:
■ If you have upgraded your appliance firmware, this information is migrated from the earlier firmware version.
■ If you have purchased a new appliance, you must enter this information during the appliance setup process.
● DMZ. This dynamic address name is not configured for a new appliance installation. If you have upgraded your appliance firmware, this information is migrated from the earlier firmware version.

Configuring Dynamic Address Names

Introduction
The dynamic address names network object enables you to specify one name with which you can associate multiple unique dynamic address lists from appliances in your Site. You associate dynamic address names with dynamic address lists at the appliance level.
Important: If you edit or remove a dynamic address name associated with response rules, those associations are removed. To restore those associations, you must manually associate those response rules with a new dynamic address name.

Adding dynamic address names
To add a dynamic address name:
1. In the left pane of the Central Responses window, select Network Objects.
2. In the right pane, select the Dynamic Address Names tab.
3. Click Add. The Add Dynamic Address Names window appears.
4. Type a descriptive Name.
Important: You must type the name without spaces.
5. Type a unique description in the Comment field.
6. Click OK. The dynamic address name appears in the list.

Editing dynamic address names
To edit a dynamic address name:
1. In the left pane of the Central Responses window, select Network Objects.
2. In the right pane, select the Dynamic Address Names tab.
3. Select the dynamic address name, and then click Edit. The Add Dynamic Address Names window appears.
4. Complete the following steps:
■ Type a descriptive Name. Important: You must type the name without spaces.
■ Type a unique description in the Comment box.
5. Click OK. The dynamic address name appears in the list.

Removing dynamic address names
To remove a dynamic address name:
1. In the left pane of the Central Responses window, select Network Objects.
2. In the right pane, select the Dynamic Address Names tab.
3. Select the item in the list that you want to remove.
4. Click Remove.

Importing Network Objects from Another Component

Introduction
To save yourself the time of recreating network obj  ects on each component, you can export network objects you use often from one policy editor and import them into another.

Procedure
To export a network object and import it into another component:
1. In the left pane of the policy editor where the network object resides, select Network Objects.
2. In the right pane, select the tab for the network object type you want to export.
3. Select the item in the list, and then click Export. The Save window appears.
4. Type a Name for the object.
5. Navigate to the location where you want to save the object.
6. Click Save.
7. In the policy editor where you want to import the network object, click Import. The Open window appears.
8. Navigate to the object and select it.
9. Click Open. The network object appears in the list on the appropriate tab.

Part V: Maintaining SiteProtector Components and Agents

Chapter 15: Adding and Removing Components

Overview

Introduction
This chapter provides information about installing additional components and about removing and reinstalling components.

In this chapter
This chapter contains the following topics:
Topic                                                           Page
Installing Additional SiteProtector Components                   216
Removing and Reinstalling Individual SiteProtector Components    217

Installing Additional SiteProtector Components

Introduction
SiteProtector is a highly scalable application that allows you to add and reconfigure components as needed.
Initial configuration checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 6, “Install additional SiteProtector components.” This task is optional. The next configuration task is Task 7, “Install agents and appliances.” See Part III, “Installing Agents and Appliances” on page 69.

Installation and configuration
Detailed information about installing and configuring additional components is included in the SiteProtector Installation Guide.

Additional components to install
Table 67 provides a list of additional components that you may want to install and briefly describes why you might want to install them:
Component                Reason to install another
Agent Manager            • scaling for a large number of agents
                         • upgrading to a version of SiteProtector that requires an Agent Manager to download updates
                         • your network is partitioned into different geographical locations
Console                  To allow multiple users to monitor SiteProtector. An additional Event Viewer is automatically included in the installation.
Event Collector          If you need to support more sensors than you can with your current Event Collector(s).
Event Viewer             If you want to monitor events on a computer that does not have any other SiteProtector components installed on it.
X-Press Update Servers   To cluster X-Press Update Servers to improve performance and provide failover. You can cluster with or without load balancing.
Table 67: Additional components that you can install

Removing and Reinstalling Individual SiteProtector Components

Introduction
This topic explains how to remove and reinstall individual SiteProtector components. If you want to remove SiteProtector completely, see the SiteProtector Installation Guide.
How to reinstall components
Reinstall components you remove as follows:
● For each component except the SiteProtector database, you can reinstall the component after you remove it.
● For the SiteProtector database, you must first remove all the SiteProtector components that are installed, and then reinstall them.
Caution: If you simply reinstall the SiteProtector database, SiteProtector does not return to its pre-installation state.

About SQL log on
If a component that needs to connect to the database cannot connect, you must supply a log on user ID and password. If you are removing all SiteProtector components, you may be prompted for the user ID and password up to three times. Here are important points to remember about the SQL log on:
● On most systems, the sa login is the only SQL login with the access rights required to run the SQL scripts that remove the programs.
● Select the Do not connect to the database check box only if you have to. If the database is still installed and you select this check box, the component you are removing will not be unregistered from the database. This may cause problems if you are planning to reinstall this component without reinstalling the database.

Removing individual components
To remove individual SiteProtector components:
1. Click Start on the taskbar, and then select Programs → ISS → SiteProtector → Uninstall SiteProtector. The Select Components dialog appears.
2. Select the component(s) to remove, and then click Uninstall. A message lists the selected component(s).
3. Click Yes.
4. If the SQL Login Password window appears, do one of the following:
■ If you have not removed the database, type the SQL login Name and Password.
■ If you have removed the database, or if the component cannot connect to the database for a reason other than an incorrect password, select the Do not connect to the database check box.
5. If the program does not remove a component successfully, do one of the following:
■ If this is the first time that you tried to remove the component, go to Step 1 and attempt to uninstall the component again.
■ If you have tried to remove the component more than once, click Yes to view the log file, and then contact ISS Technical Support if you need further assistance.
6. Click OK, and then restart your computer.

Chapter 16: Maintaining the Site Database

Overview

Introduction
The Site database is a critical component of the SiteProtector architecture. Use the database maintenance procedures in this chapter to prevent database failure and ensure optimum performance.

Scheduled database maintenance tasks
SiteProtector allows you to schedule the following database maintenance tasks to run on a daily or weekly basis:
● Index Defragmentation
● Log Purge
● Data Purge
● Data Backup

Automatic database maintenance task
SiteProtector provides an emergency data purge job that you can configure to run automatically if the database reaches a user-defined capacity limit. This job prevents the database from failing due to lack of storage space.

Supported databases
SiteProtector allows you to perform automatic database maintenance on any database installed using SiteProtector, including an MSDE database.

Initial Configuration Checklist item
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 13. This task is optional, but recommended. The next configuration task is Task 14, “Configure your X-Press Update Servers.” See Chapter 17, “Managing X-Press Update Servers” on page 235.
Related documentation
For more information about database maintenance, refer to your Microsoft SQL documentation or go to the following Web site: http://www.microsoft.com/technet/prodtechnol/sql/default.mspx

In this chapter
This chapter contains the following topics:
Topic                                  Page
Requirements and Considerations         221
Scheduling Database Maintenance         222
Configuring Index Defragmentation       223
Configuring a Log Purge                 224
Configuring a Scheduled Data Purge      226
Configuring an Emergency Data Purge     229
Data Backup Options                     231
Configuring Database Backups            232

Requirements and Considerations

Introduction
This topic gives the requirements and considerations for scheduling database maintenance tasks in SiteProtector.

User role
You must be a SiteProtector Administrator to configure database maintenance.

Purge options enabled by default
If you installed the Express option, the emergency purge and scheduled purge options are enabled by default. Consider disabling these if your configuration cannot support them, for example if you must retain event data for investigations or compliance for longer than the purge would keep it, or if the data has not yet been backed up.
Reference: See the following topics for more information about purge options:
● “Configuring a Scheduled Data Purge” on page 226.
● “Configuring an Emergency Data Purge” on page 229.

Why configure database maintenance options?
Table 68 describes the possible reasons for enabling automatic database maintenance:
Reason                          Description
To prevent database failure     The emergency purge option can purge the database before it becomes full and help to prevent database failure.
To protect SiteProtector data   Backing up the database can help protect SiteProtector data. If you do not have a backup recovery solution, consider enabling the automatic daily backup option. See “Configuring Database Backups” on page 232.
To improve performance If you want to improve database performance, decrease the number of days SiteProtector stores log and data files and increase the frequency with which SiteProtector defragments indexes. Table 68: Reasons for enabling automatic database maintenance Emergency purge option The Emergency Purge option can prevent failure if the Site database reaches capacity. ISS recommends that you enable emergency purging. See “Configuring an Emergency Data Purge” on page 229. SiteProtector User Guide for Security Managers Version 2.0, SP5.2 221 Chapter 16: Maintaining the Site Database Scheduling Database Maintenance Introduction You can schedule the following database maintenance tasks to run automatically: ● index defragmentation ● log purge ● data purge ● data backup Guideline Schedule database maintenance to occur during off-peak times so that it does not negatively impact your environment. Default run times for daily tasks Table 69 lists the default run times for daily tasks: Daily tasks run at this time... If you have this installation type... midnight local time Express midnight (GMT) Basic or Recommended Table 69: Daily tasks default run time Table 70 lists the default run times for weekly tasks: Weekly tasks run at this time... If you have this installation type... Sunday at midnight local time Express Sunday at midnight (GMT) Basic or Recommended Table 70: Weekly tasks default run time You can change the default run times by using the following procedure. Procedure To schedule database maintenance tasks: 1. On the Sensor tab, right-click the SiteProtector Database, and then select SiteProtector DatabaseÆ Database Maintenance from the pop-up menu. The Database Maintenance window appears. 2. Select the Time tab. 3. Select either Eastern Standard Time or GMT. 4. Select the day when SiteProtector performs weekly database maintenance in the Weekly maintenance day list. 5. 
Select an hour between 00.00 and 23.00 in the Maintenance time of day box to determine when SiteProtector performs daily database maintenance. 6. Click OK. 222 Configuring Index Defragmentation Configuring Index Defragmentation Introduction Use the Index Defragmentation feature to keep the database as defragmented as possible for optimum performance. You can run the Defragmention feature while the system is in use. This feature only defragments indexes that need to be defragmented. Is the option enabled or disabled by default? For Express installations, the Index Defragmentation option is enabled. Criteria for defragmentation SiteProtector defragments indexes that meet the following criteria: For Basic and Recommend installations, the Index Defragmentation option is disabled. ● scan density is less than 90% ● logical fragmentation is greater than 10% Default schedule By default, SiteProtector defragments indexes on a weekly basis. Rebuilding indexes Please search the ISS Knowledgebase for more information about how to rebuild indexes. Procedure To set the defragment frequency: 1. On the Sensor tab, right-click the SiteProtector Database, and then select SiteProtector DatabaseÆ Database Maintenance from the pop-up menu. The Database Maintenance window appears. 2. Select the General tab. 3. Select how often you want to perform index defragmentation from the Frequency list. 4. Click OK. SiteProtector User Guide for Security Managers Version 2.0, SP5.2 223 Chapter 16: Maintaining the Site Database Configuring a Log Purge Introduction SiteProtector allows you to control how long log entries are kept in the following files before they are purged: ● Analysis log ● Message log ● Maintenance log These files do not contain security or configuration data. They contain log entries that are used by DBServerInfo for diagnostic purposes only. The information is used to determine index fragmentation. 
Maximum log entry age fields
Table 71 describes the maximum age fields on the General tab of the Database Maintenance window. Log data that exceeds these values is purged every ten minutes. Consider decreasing the values in these fields to improve database performance:
Field: Analysis log
Description: The maximum age (in days) of analysis log records. Records that exceed the maximum age are purged during automatic maintenance. Default: 7
Field: Message log
Description: The maximum age (in days) of records contained in the message log. This log records errors and information messages generated by SQL procedures in the Site database. Records that exceed the maximum age are purged during automatic maintenance. Default: 30
Field: Maintenance log
Description: The maximum age (in days) of records in the maintenance log. This log records the activity of automated maintenance procedures. Records that exceed the maximum age are purged during automatic maintenance. Default: 7
Table 71: Maximum Log Entry Age fields on the General tab
Important: You cannot disable the maximum age fields on the General tab.

Log record purge schedule
SiteProtector purges log records every 10 minutes regardless of other automatic database maintenance tasks that you schedule.

Procedure
To set the maximum age for log file entries:
1. On the Sensor tab, right-click the SiteProtector Database, and then select SiteProtector Database → Database Maintenance from the pop-up menu. The Database Maintenance window appears.
2. Select the General tab.
3. Select how often you want to perform index defragmentation from the Frequency list.
4. Click OK.
5. Specify the maximum number of days you want to keep log entries in the Analysis log, Message log, and Maintenance log boxes.
Configuring a Scheduled Data Purge

Introduction
The amount of data the Site Database stores and processes has a large impact on database performance. When the database receives a request for information, it must determine the best way to retrieve the data, and then read the data from tables to provide the results. These operations use CPU, memory, and disk access. The best way to improve database performance is to store only the data that is necessary, so that the database does not process unnecessary data. SiteProtector lets you configure how often to purge data from the database and how long to retain data in the database.

Is this option enabled or disabled by default?
For Express installations, the Scheduled Data Purge option is enabled. For Basic and Recommended installations, the Scheduled Data Purge option is disabled.

Data types
Table 72 describes the data types purged during a scheduled data purge:
Data Type: Audit
Description: Detailed information about users’ activities in the system.
Displayed: Audit Report on the Reporting tab
Data Type: Incidents
Description: Detailed information about events that you designate as “incidents” using the Incidents feature. Create incidents sparingly and reserve this category for significant events. This approach allows you more space in the database to keep details and observances. The purge job does not delete the rules associated with the incident records.
Displayed: Console
Data Type: Metrics
Description: Highly summarized metric data. Metric data uses very little disk storage space.
Displayed: Enterprise Dashboard
Data Type: Cleared Observances
Description: Summary information about events that you designate as “cleared” using the Clear Event feature.
Displayed: Not displayed
Data Type: Cleared Sensor Data
Description: Sensor data that you designate as “cleared” using the Clear Event feature.
Displayed: Not displayed
Data Type: Exceptions
Description: Information about events that you designate as “exceptions” using the Exceptions feature. Create exceptions sparingly and reserve this category for events you consider less significant than most events. This approach allows you more space in the database to keep details and observances. The purge job does not delete the rules associated with the exception records.
Displayed: Console
Data Type: Job History
Description: Information about jobs you schedule in SiteProtector, such as Apply Policy, Apply Update, or Start Scan jobs.
Displayed: Command Jobs pane on the Console in the Sensor tab
Data Type: Observances
Description: Summary information about events. When the system purges observances, it also purges cleared observances.
Displayed: Sensor Analysis tab on the Console
Data Type: Sensor Data
Description: Actual, sensor-generated events. When the system purges sensor data, it also purges cleared sensor data.
Displayed: Console
Data Type: Unused Hosts
Description: The IP address of any host that is ungrouped, unregistered, or not referenced in events, including source IPs, target IPs, and sensor IPs. The purge job removes the following:
• all hosts whose “Added Date” is older than the date specified
• all hosts that are not a member of a group
• all hosts that have no sensors registered to them
• all hosts that have no events associated with them
Displayed: Asset tab
Table 72: Data types purged during scheduled data purge

Maximum item ages for data types
Table 73 shows the default maximum item age for each data type and provides recommendations for setting this option:
Field: Audit
Default: 14 days
Recommendation: Use the default settings.
Field: Incidents
Default: 90 days
Recommendation: Use the default settings.
Field: Metrics
Default: 180 days
Recommendation: If you do not use the Enterprise Dashboard or create long term trend reports, disable the Dashboard Data Loading job to prevent storing this data in the database.
Field: Cleared observances
Default: 14 days
Recommendation: Purge cleared observances more often than you purge observances. Example: To purge cleared observances more often than you purge observances, use these settings:
• Cleared Observances Maximum Item Age = 14 days
• Observances Maximum Item Age = 90 days
Field: Cleared sensor data
Default: 14 days
Recommendation: Purge cleared sensor data more often than you purge sensor data. Example: To purge cleared sensor data more often than you purge sensor data, use these settings:
• Cleared SensorData Maximum Item Age = 14 days
• SensorData Maximum Item Age = 90 days
Field: Exceptions
Default: 14 days
Recommendation: Use the default settings.
Field: Job history
Default: 7 days
Recommendation: Use the default settings.
Field: Observances
Default: 90 days
Recommendation: Keep observances for a longer period of time than you keep cleared observances and SensorData. Example: To keep observances for a longer period of time than you keep cleared observances, use these settings:
• Observances Maximum Item Age = 90 days
• Cleared Observances Maximum Item Age = 14 days
Field: Sensor data
Default: 30 days
Recommendation: Keep sensor data for a longer period of time than you keep cleared sensor data. Sensor Data can take up to 65% of total database storage space. For this reason, keep Sensor Data for a shorter period of time than you keep Observances data. Example: To keep sensor data for a longer period of time than you keep cleared sensor data, use these settings:
• SensorData Maximum Item Age = 30 days
• Cleared SensorData Maximum Item Age = 14 days
Field: Unused hosts
Default: 30 days
Recommendation: Use the default settings.
Table 73: Descriptions of maximum age fields on the Purge tab

Procedure
To configure scheduled data purge options:
1. In the Sensor tab on the Site Manager, right-click the SiteProtector Database, and then select SiteProtector Database → Database Maintenance from the pop-up menu. The Database Maintenance window appears.
2. Select the Purge tab.
3. In the Purge: Item Age section, select how often to purge the database in the Frequency list.
Note: Select Daily if you want to maximize database performance. To disable purging, select Never.
4. Specify the number of days SiteProtector stores item data in the Maximum Item Age (in days) section.
5. Click OK.

Configuring an Emergency Data Purge

Introduction
The Emergency Data Purge feature purges the database when it reaches the user-defined threshold percentage full. This feature is designed to prevent database failure in the event that the Site database reaches capacity. SiteProtector performs emergency purges when the database reaches the specified threshold regardless of how often regular database maintenance occurs or how old the data is.

Default threshold
By default, the database runs the Emergency Data Purge for Express installations when the database reaches 85% with a purge margin of 5%.
Important: If you install SiteProtector using the Basic or Recommended installation options, you must enable the Emergency Data Purge option when you configure SiteProtector.

Guidelines
If you do not enable the Emergency Data Purge option, SiteProtector shuts down the Event Collectors and Agent Managers when the database reaches 85% full. These components remain inactive until you make more space available in the database.

Process
Table 74 lists database tables in the order in which they are purged. When the database reaches the Database Threshold, SiteProtector first purges the database tables in Table 74 based on the maximum age values you specify.
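The Table 73 retention recommendations and the two-stage emergency purge described in this topic, as an added example that is not part of this guide or of SiteProtector: the script below validates a set of Maximum Item Age values against the ordering rules of Table 73 (cleared data purged sooner than its source, sensor data sooner than observances) and then runs the purge order of Table 74 against a constructed row-age model of the Site database. Modelling the database as one age value per row with capacity counted in rows, and using the 85% threshold and 5% margin defaults, are assumptions made for the example.

```python
"""Added example, not SiteProtector code: checks Maximum Item Age settings
against the Table 73 recommendations and simulates the two-stage emergency
purge of Table 74. The database is modelled as a dict mapping each table to a
list of row ages in days, with capacity expressed in rows (both modelling
choices are assumptions made for this example)."""

# Default Maximum Item Age values (days), keyed by the table names of Table 74.
# "Jobs" is the Job history field and "Audit Entries" the Audit field of Table 73.
DEFAULT_MAX_AGE = {
    "Exceptions": 14, "Incidents": 90, "Jobs": 7, "Metrics": 180,
    "Observances": 90, "Sensor Data": 30, "Unused Hosts": 30,
    "Audit Entries": 14, "Cleared Observances": 14, "Cleared Sensor Data": 14,
}

# Table 73 recommendations as (shorter-lived, longer-lived) pairs: cleared data
# is purged sooner than its source, and sensor data sooner than observances.
RECOMMENDED_ORDER = [
    ("Cleared Observances", "Observances"),
    ("Cleared Sensor Data", "Sensor Data"),
    ("Sensor Data", "Observances"),
]

# Table 74 stage order for the first purge, and footnote (a) order for the second.
FIRST_PURGE_ORDER = [
    "Exceptions", "Incidents", "Jobs", "Metrics", "Observances", "Sensor Data",
    "Unused Hosts", "Audit Entries", "Cleared Observances", "Cleared Sensor Data",
]
SECOND_PURGE_ORDER = ["Sensor Data", "Observances", "Unused Hosts"]


def check_retention(max_age):
    """Return the Table 73 recommendations that the given settings violate."""
    problems = []
    for shorter, longer in RECOMMENDED_ORDER:
        if max_age[shorter] >= max_age[longer]:
            problems.append(
                f"{shorter} ({max_age[shorter]} d) should be purged sooner "
                f"than {longer} ({max_age[longer]} d)")
    return problems


def fill_percent(tables, capacity_rows):
    """Percentage of capacity in use by the modelled tables."""
    return 100.0 * sum(len(rows) for rows in tables.values()) / capacity_rows


def emergency_purge(tables, capacity_rows, max_age, threshold=85, margin=5):
    """Run the emergency purge on `tables` in place and report fill levels.

    Stage 1 drops rows older than each table's maximum age, in Table 74 order.
    If the database is still at or above `threshold` percent, stage 2 drops the
    oldest `margin` percent of rows from Sensor Data, Observances and Unused
    Hosts, in that order. Stage values are None for stages that did not run.
    """
    report = {"before": fill_percent(tables, capacity_rows),
              "stage1": None, "stage2": None, "removed": 0}
    if report["before"] < threshold:
        return report
    for name in FIRST_PURGE_ORDER:
        kept = [age for age in tables[name] if age <= max_age[name]]
        report["removed"] += len(tables[name]) - len(kept)
        tables[name] = kept
    report["stage1"] = fill_percent(tables, capacity_rows)
    if report["stage1"] < threshold:
        return report
    for name in SECOND_PURGE_ORDER:
        rows = sorted(tables[name], reverse=True)      # oldest rows first
        cut = len(rows) * margin // 100                # whole rows only
        report["removed"] += cut
        tables[name] = rows[cut:]
    report["stage2"] = fill_percent(tables, capacity_rows)
    return report


def sample_tables():
    """Constructed row-age model of a Site database exactly at capacity (1000 rows)."""
    return {
        "Exceptions": [3] * 10,
        "Incidents": [10] * 5,
        "Jobs": [2] * 10 + [9] * 10,             # 10 rows older than the 7-day default
        "Metrics": [50] * 30,
        "Observances": [20] * 200,
        "Sensor Data": [10] * 570 + [25] * 30,   # all within the 30-day default
        "Unused Hosts": [5] * 60,
        "Audit Entries": [20] * 20,              # older than the 14-day default
        "Cleared Observances": [20] * 30,        # older than the 14-day default
        "Cleared Sensor Data": [1] * 25,
    }


if __name__ == "__main__":
    print("retention problems:", check_retention(DEFAULT_MAX_AGE) or "none")
    db = sample_tables()
    print(emergency_purge(db, 1000, DEFAULT_MAX_AGE))
```

In the constructed run, stage 1 alone leaves the modelled database at 94% of capacity, and a 5% purge margin brings it only to 89.7%, still above the threshold. Looking at the stage 2 value is how an administrator would see that the configured margin is too small for the data mix, which is the situation the Purge Margin setting exists to tune.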
If the first purge is not sufficient, SiteProtector purges only the Sensor Data, Observances, and Unused Hosts database tables a second time using the percentage specified in the Purge Margin field:
Stage   Database Tables        First Purge   Second Purge (a)
1       Exceptions             yes
2       Incidents              yes
3       Jobs                   yes
4       Metrics                yes
5       Observances            yes           yes
6       Sensor Data            yes           yes
7       Unused Hosts           yes           yes
8       Audit Entries          yes
9       Cleared Observances    yes
10      Cleared Sensor Data    yes
Table 74: Database tables that are purged during an emergency purge
a. During the second purge, the database purges the tables in this order: Sensor Data, Observances, and Unused Hosts.

Procedure
To configure emergency purge options:
1. On the Sensor tab on the Site Manager, right-click the SiteProtector Database, and then select SiteProtector Database → Database Maintenance. The Database Maintenance window appears.
2. Select the Purge tab, and then select the Emergency Purge check box.
Note: If you installed the Express option, emergency purging is enabled by default. To disable the emergency purge option, clear this box.
3. Type or select the threshold (percentage of total database capacity) the database must reach before SiteProtector purges the database in the Database Size Threshold box.
4. Type or select the percentage of the oldest data SiteProtector purges from the database tables in the Purge Margin box.
5. Click OK.

Data Backup Options

Introduction
SiteProtector lets you perform two types of database backups on a daily or weekly basis:
● full
● differential
SiteProtector also lets you choose the database recovery model you want to use. The recovery model determines the type of backup SiteProtector performs.

Recovery models
SiteProtector provides three SQL Server recovery models. The model you choose determines whether SiteProtector creates a full or differential backup.
Table 75 explains the three SQL recovery models:
Recovery Model: Simple
Description: Provides the fastest database performance and requires the least amount of space for backup files and transaction logs. This model is the easiest to implement and requires the least amount of processing.
Recovery Model: Full
Description: Requires a significantly large amount of space during routine operations and can require up to four times the size of the database for backups.
Recovery Model: Bulk Logged
Description: Requires a moderate amount of space during routine operations but can require up to four times the size of the database for backups.
Table 75: SQL recovery models
Important: For more information about the three recovery models, including the advantages and disadvantages of each, refer to the Microsoft SQL documentation.

Frequency of database backups
Table 76 shows the backup type and frequency SiteProtector uses for each recovery model:
Recovery Model   Backup Type    Backup Frequency
Simple           Full           Daily
Full             Full           Weekly
                 Differential   Daily
Bulk Logged      Full           Weekly
                 Differential   Daily
Table 76: Database backup options supported by SiteProtector

Configuring Database Backups

Introduction
ISS recommends that you configure backups for your database. Backing up the database can help you restore the following:
● data that is purged during automatic database maintenance
● databases that are damaged or corrupted

Archived data
During automatic database backups, SiteProtector archives user data in the Site database only. This backup does not archive the entire SQL Server system. To ensure that you can fully recover your database, you must regularly back up the following databases:
● master
● model
● msdb
Reference: For information about database backup and recovery, see the Microsoft SQL documentation.
Backup schedule
SiteProtector creates database backups based on the schedule you set in the General tab on the Database Maintenance window. For instructions on how to schedule database backups, see “Scheduling Database Maintenance” on page 222.

Task overview
Table 77 describes the process for configuring a database backup device:
Task   Procedure
1      Configure automatic database backups.
2      Add backup devices.
3      Verify that backup devices were created.
Table 77: Tasks for configuring a database backup device

Prerequisites
Before you perform the procedures in this topic, you must have the following:
● SiteProtector Administrator privileges
● SQL Server System Administrator (SA) privileges on the Site database
Note: Because maintenance jobs are run as the IssApp user, you must run the Add Backup Device procedure from an SA or an equivalent account.

Task 1: Configuring automatic database backups
To configure the recovery options and a backup path:
1. In the Sensor tab on the Site Manager, right-click the SiteProtector Database, and then select SiteProtector Database → Database Maintenance from the pop-up menu. The Database Maintenance window appears.
2. Select the Daily Backup tab.
3. To back up your database daily, select the Perform automatic daily backup check box.
4. In the Backup Path box, type the path of the backup device.
Note: The size of your backup database will probably expand over time, so use a drive that contains sufficient space to accommodate growth.
5. In the Recovery Model list, select the recovery model you are using.
Important: You must select the Simple recovery model if you want SiteProtector to perform full daily backups. Otherwise, SiteProtector performs daily differential backups and weekly full backups.
6. If you enabled the Full or Bulk Logged recovery model in Step 5, type or select the threshold (percentage of transaction log capacity) the transaction log must reach before SiteProtector performs a backup of the log in the Log backup threshold box.
7. Click OK.

Task 2: Adding a backup device
After you configure your database for backups, you must perform the Add Backup Device procedure. This procedure, which is stored in the Site database, adds a set of backup devices to the SQL Server database.
Important: If you are using MSDE, then you do not have a full version of SQL Server and you must use the Command prompt to run the SQL Server script.
To run the SQL Server script:
1. Open the SQL Server Analyzer tool on the computer where the database is installed.
2. In the SQL Server window, type the following:
   USE RealSecureDB
   GO
   EXEC iss_AddBackupDevice
3. Click the Execute icon. The output appears in the bottom window and lists the devices removed and added.
4. Close the window.

Task 3: Verifying that backup devices were added
The following procedure verifies that backup devices were added to the SQL Server database.
To verify that the SQL Server script ran correctly:
1. On the SiteProtector Console, select the Sensor tab for the computer where the Site DB is installed.
2. Verify that the Status field for the SiteProtector Database is Active.
3. On the server where the SiteProtector Database is installed, click Start on the taskbar, and then select Programs → Microsoft SQL Server → Query Analyzer.
4. Run the exec sp_helpdevice command.
5. In the bottom portion of the page, locate the files beginning with RealSecureDB_.
Note: These are the backup files for this database.
6. Verify that these files are pointing to the correct location.
Chapter 17
Managing X-Press Update Servers

Overview

Introduction
This chapter provides background information and procedures for configuring X-Press Update Servers.

Initial Configuration Checklist task
If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 14. The next task is Task 15, “Set up a failover Event Collector.” See the SiteProtector Installation Guide.

Process overview
Table 78 describes the process for applying updates to components:
Stage 1: The Sensor Controller connects to the designated X-Press Update Server and requests X-Press Update files (XPUs).
Stage 2: The designated X-Press Update Server accepts the request and downloads the XPUs from one of the following:
• www.iss.net and update.iss.net on port 443
• another X-Press Update Server on port 3994
Stage 3: The designated X-Press Update Server sends the XPUs to the Sensor Controller.
Stage 4: The Sensor Controller sends the XPUs to all SiteProtector components, including Network Sensor, Server Sensor, Agent Manager, and Database.
Stage 5: The Sensor Controller sends the XPUs to Proventia A Series and original G Series appliances; it does not send updates to the Proventia M Series appliances, Next Generation Proventia G Series appliances, or desktop agents.
Stage 6: The Proventia appliances and desktop agents download updates from the Agent Manager.
Table 78: Component update process

Updates
Update is used in this chapter to refer to one or more of the following:
● X-Press Updates (XPUs)
● service releases
● full upgrades

In this chapter
This chapter contains the following topics:
Topic                                                              Page
Important Requirements and Considerations                           237
Configuring Lists of X-Press Update Servers                         238
Configuring X-Press Update Server Download Options                  240
Verifying an X-Press Update Server’s Status                         242
Forcing X-Press Update Servers to Check for New Policy Settings     243

Important Requirements and Considerations

Introduction
This topic gives you requirements and considerations for configuring X-Press Update Servers.

X-Press Update Server updates
You can configure X-Press Update Servers to download X-Press Update Server updates. Updates can be new or updated programs, fixes or patches to components, or full product upgrades.

Components or agents that are downloading from X-Press Update Server groups
If you are configuring agents or components to download updates from standalone X-Press Update Servers, then you must configure a list of X-Press Update Servers. See “Configuring Lists of X-Press Update Servers” on page 238.

Prerequisite checklist
Table 79 provides a list of prerequisites that are required to perform the tasks in this chapter:
[ ] If you are configuring bandwidth and connection throttling, identify the total bandwidth of the connection to the X-Press Update Server.
[ ] Identify the IP addresses and DNS names of the X-Press Update Servers that you are configuring.
[ ] If a firewall or proxy server exists between the Sensor Controller and the X-Press Update Server that the controller will download updates from, then you will need the following information:
• the IP address of the firewall or proxy server
• the port the X-Press Update Server uses to initiate communication with the firewall or proxy server
• the username and password used to access the proxy server if the proxy server is an authentication server
[ ] A proxy server can allow or deny a Web client access to the Internet based on the Web client’s User-Agent string. If your Update Server accesses the Internet using a proxy server, make sure the proxy server is configured to allow the User-Agent string called “UpdateMirrorWorker.” The Update Server sends this User-Agent string when it tries to access the Internet through a proxy server.
Table 79: Planning checklist

Configuring Lists of X-Press Update Servers

Introduction
Before a standalone X-Press Update Server can download updates, you must configure a list of X-Press Update Servers. Use the procedure in this topic to configure X-Press Update Servers to download updates from other X-Press Update Servers.
Important:
● If an X-Press Update Server is downloading updates from the ISS Download Center only, this procedure is not required. By default, X-Press Update Servers download updates from the ISS Download Center.
● This procedure does not configure X-Press Update Server lists for Proventia M Series or Proventia G Series appliances. You must configure these lists in the respective agent’s policy.

What are X-Press Update Server lists?
X-Press Update Server lists let you specify a list of X-Press Update Servers that an X-Press Update Server can download from. You specify this list in the XPU settings. You can add or remove servers from this list and change the list’s order.
How agents and components download from X-Press Update Servers
An X-Press Update Server tries the first X-Press Update Server in the list. If this server is not available, it tries the second server in the list, and so on.

Trust levels
SiteProtector allows you to specify the trust level for communications between clients and servers. Table 80 describes each trust level:
Trust Level Option: Trust all
Description: The client trusts the server and does not try to validate the certificate.
Trust Level Option: First-time trust
Description: The client trusts the first certificate it receives from the server and stores this certificate locally. The client uses this certificate to validate all future communication with this server.
Trust Level Option: Explicit trust
Description: The server’s certificate must reside in the client’s local directory before the agent or component can initiate communication with the server. Typically, the server’s certificate is transferred to the client outside the standard communication channels.
Table 80: Description of trust level options

Configuring an agent’s X-Press Update Server list
This procedure specifies a list of X-Press Update Servers in the XPU Settings policy.
To configure a list of X-Press Update Servers:
1. Select the Sensor tab.
2. Right-click the X-Press Update Server you want to configure, and then select X-Press Update Server → Edit Settings from the pop-up menu. The Edit X-Press Update Server Settings window appears.
3. In the Policy Inventory table, select the Configure at this level check box in the row that corresponds to the XPU Settings policy. XPU Settings appears in the left pane.
4. Select XPU Settings, and then select the Servers tab in the right pane.
Note: If you are configuring this agent or component for the first time, the first item in the list in the right pane is the ISS Download Center.
5. Click the Add button. The Add Download window appears.
6. Type a name for the X-Press Update Server in the Name box.
7. Type the DNS name or IP address of the X-Press Update Server in the Host or IP box.
8. Type the port that the agent or component uses to communicate with the X-Press Update Server in the Port box.
Note: If the X-Press Update Server is the ISS Download Center, the default port is 443. If the X-Press Update Server is located on your network, the default port is 3994.
9. Is a firewall or proxy server between the agent or component and the X-Press Update Server?
■ If yes, type the IP address or DNS name in the Proxy Name box, and then go to Step 10.
■ If no, then go to Step 12.
10. Type the port number that the X-Press Update Server uses to communicate with the firewall or proxy server in the Proxy Port box.
11. If the firewall or proxy server requires authentication, then type this information in the following boxes:
■ User Name
■ Password
12. Select the trust mode the agent or component uses to authenticate with the X-Press Update Server in the Trust Level list.
Note: See Table 80 on page 238 for more information about trust levels.
13. Click OK, and then click OK.

Configuring X-Press Update Server Download Options

Introduction
XPU options control whether the X-Press Update Server automatically downloads and installs updates for X-Press Update Servers. Use the procedures in this topic to specify download and installation options for the following X-Press Update Servers:
● standalone X-Press Update Servers
● integrated X-Press Update Servers
Note: This procedure only configures the X-Press Update Server to download and install X-Press Update Server service releases. These updates do not contain security content.
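The three trust levels of Table 80, which Step 12 of the server-list procedure above selects, as an added example that is not code from this guide or from SiteProtector: a client that applies each level when an X-Press Update Server presents a certificate. Certificates are modelled as opaque bytes compared by SHA-256 fingerprint, the client’s local certificate directory is a dictionary, and the server name and certificate bytes are constructed; all of these are assumptions of the example.

```python
"""Added example, not ISS code: a client-side check implementing the three
Table 80 trust levels. Certificates are modelled as opaque bytes identified by
their SHA-256 fingerprint, and `local_store` stands in for the client's local
certificate directory; both are assumptions made for this example."""
import hashlib
import hmac

TRUST_ALL = "Trust all"
FIRST_TIME_TRUST = "First-time trust"
EXPLICIT_TRUST = "Explicit trust"


def fingerprint(cert_bytes):
    """Hex SHA-256 of the certificate bytes; what the client stores and compares."""
    return hashlib.sha256(cert_bytes).hexdigest()


class UpdateClient:
    """An agent or component that downloads from an X-Press Update Server."""

    def __init__(self, trust_level, local_store=None):
        self.trust_level = trust_level
        # server name -> fingerprint of the certificate the client trusts for it
        self.local_store = dict(local_store or {})

    def accept_server(self, server, presented_cert):
        """Return True if communication with `server` may proceed, given the
        certificate it presented and the configured trust level."""
        fp = fingerprint(presented_cert)
        if self.trust_level == TRUST_ALL:
            return True                      # no validation at all
        if self.trust_level == FIRST_TIME_TRUST:
            stored = self.local_store.get(server)
            if stored is None:               # first contact: pin whatever is presented
                self.local_store[server] = fp
                return True
            return hmac.compare_digest(stored, fp)   # later contacts must match the pin
        if self.trust_level == EXPLICIT_TRUST:
            stored = self.local_store.get(server)    # must have been provisioned out of band
            return stored is not None and hmac.compare_digest(stored, fp)
        raise ValueError(f"unknown trust level: {self.trust_level!r}")


# Constructed stand-ins for DER certificate bytes (not real certificates).
GOOD_CERT = b"constructed-cert:xpu-server:serial-1"
OTHER_CERT = b"constructed-cert:xpu-server:serial-2"
SERVER = "xpu.example.internal"   # assumed host name


def walk_through():
    """For each trust level, contact the server twice: once with GOOD_CERT and
    once with OTHER_CERT. Returns {trust level: (first accepted, second accepted)}."""
    results = {}
    for level in (TRUST_ALL, FIRST_TIME_TRUST, EXPLICIT_TRUST):
        provisioned = {SERVER: fingerprint(GOOD_CERT)} if level == EXPLICIT_TRUST else None
        client = UpdateClient(level, provisioned)
        first = client.accept_server(SERVER, GOOD_CERT)
        second = client.accept_server(SERVER, OTHER_CERT)
        results[level] = (first, second)
    return results


if __name__ == "__main__":
    for level, (first, second) in walk_through().items():
        print(f"{level:17} first contact: {first!s:5} changed certificate: {second}")
```

The walk-through contacts the server twice, the second time with a different certificate. Trust all accepts both, so a changed certificate is never noticed; First-time trust pins whatever it saw first and rejects the change; Explicit trust accepts only a certificate whose fingerprint was placed in the local store ahead of time, which is why under Explicit trust even the first contact fails when nothing has been provisioned.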
X-Press Update Server download options
Table 81 describes the options for downloading updates:
Option: Automatically download updates
Description: This option requires that the X-Press Update Server automatically download X-Press Update Server updates when they become available. By default, the frequency is every 24 hours, and the range is one hour to one week (168 hours).
Option: Automatically install updates
Description: This option requires that the X-Press Update Server automatically install X-Press Update Server updates after they are downloaded. If this option is disabled and the Automatically download updates option is enabled, you must install these updates manually.
Table 81: X-Press Update Server download options

Procedure
To configure the X-Press Update Server download settings:
1. Select the Sensor tab.
2. Right-click the X-Press Update Server that you want to configure, and then select X-Press Update Server → Edit Settings from the pop-up menu. The Edit X-Press Update Server Settings window appears.
3. In the Policy Inventory table, select the Configure at this level check box in the row that corresponds to the XPU Settings policy. XPU Settings appears in the left pane.
4. Select the XPU Settings policy in the left pane.
5. Select the XPU tab in the right pane. The SiteProtector X-Press Update Server window appears in the right pane.
6. If you want the X-Press Update Server to automatically download updates from the ISS Download Center or a standalone X-Press Update Server, select the Automatically download updates check box.
7. If you want the X-Press Update Server to automatically install updates after they are downloaded, select the Automatically install updates check box.
8. In the Check for new updates every box, type or move the slider to indicate the frequency (in hours) at which the X-Press Update Server does the following:
■ downloads new updates if the Automatically download updates check box is selected
■ installs new updates if the Automatically install updates check box is selected
Note: The Security Contents table does not list X-Press Update Server content updates.

Verifying an X-Press Update Server’s Status

Introduction
SiteProtector provides an easy way to verify an X-Press Update Server’s status. You can verify the following:
● whether an X-Press Update Server is active
● the last update that an X-Press Update Server downloaded

Procedure
To verify an X-Press Update Server’s status:
1. Select the Sensor tab.
2. Right-click the X-Press Update Server that you want to verify, and then select X-Press Update Server → Module Status from the pop-up menu.
3. In the left pane, expand Module Status.
4. Select the X-Press Update Server, and then verify that the status is Active in the right pane.
5. In the left pane, expand Agent Status.
6. Select Last File Fetched, and then verify the last file that was downloaded in the right pane.
7. Click OK.

Forcing X-Press Update Servers to Check for New Policy Settings

Introduction
If you change XPU or Server settings for the X-Press Update Server, the changes may not take effect immediately. Use the procedure in this topic to force the X-Press Update Server to update itself with new policy settings.

How it works
X-Press Update Server policies are stored in the SiteProtector database. When you change a policy, the new policy settings are not sent to the X-Press Update Server until it checks the database. By default, X-Press Update Servers check the SiteProtector database for policy settings at least once per hour.
Procedure

To force the X-Press Update Server to update itself with new policy settings:

1. Select the Sensor tab.
2. Right-click the X-Press Update Server that you want to update, and then select X-Press Update Server → Force Refresh from the pop-up menu. A message window appears.
3. Click OK.

Chapter 18: Updating Components and Agents

Overview

Introduction

X-Press Updates (XPUs) are software updates that are available between software upgrades. XPUs also automatically update the Help, if the Help has changed since the last update.

Initial Configuration Checklist item

If you are using the “Initial Configuration Task Checklist” on page 38 to configure SiteProtector for the first time, this is Task 2. This task is required if updates are available. The next configuration task is Task 3, “Replace the SSL certificate for the Web.” See “Using a Different SSL Certificate for the Web Server” on page 111.

Types of updates

Table 82 describes the types of updates:

Update Type              Description
X-Press Updates (XPUs)   Adds protection against new computer viruses or other exploits that could cause harm. In SiteProtector, XPUs can also consist of service packs, which include enhancements or correct defects in SiteProtector components or the products it supports. An XPU may also update policies, responses, and documentation.
Full Upgrades            Upgrades the software to a new major version. Note: A standalone document is delivered with full upgrades.

Table 82: Types of updates

Multiple update feature

You can select and update more than one sensor at a time. Follow these rules when you use this feature:

● The components you update must be using the same version of the issDaemon, so the sensors must be the same type, same version, and same XPU level.
● The sensors must be running on the same operating systems and the same versions.
● The sensors must be running on different computers. If the sensors are on the same computer, you must update them separately.

In this chapter

This chapter contains the following topics:

Topic                                                    Page
Overview of X-Press Updates                              247
Applying XPUs                                            248
Closing and Reopening the Apply Update Wizard            250
Applying Updates When You Do Not Have Internet Access    251
Removing an Update                                       253

Overview of X-Press Updates

Introduction

ISS distributes XPUs to update the software or when new functionality is available.

What do XPUs update?

XPUs update the following products or components:

● Agent Manager
● Event Collector
● Deployment Manager
● Internet Scanner
● SiteProtector components, including SP Core (application server, sensor controller, and Site database)
● SiteProtector SecurityFusion Module
● SiteProtector Third Party Module
● RealSecure Desktop
● RealSecure Server Sensor
● RealSecure Network Sensor
● System Scanner

How to identify available updates

To determine if an update is available, click the Sensor tab in the Site Manager. If an update is available, Yes appears in the Available Update column, as shown in Figure 8.

Figure 8: Updates available

How updates are applied

When you apply an X-Press Update, the system sends a request for the update to the application server. The application server contacts the X-Press Update Server to download the XPU package.

Updates to the application server

Most component updates affect only the component you are updating. Updates to the application server, however, affect the following additional components:

● Site database
● X-Press Update Server

Applying XPUs

Introduction

This topic explains how to apply an XPU to agents and components, except for the Update Server.
For XPUs to the Update Server, see “Configuring X-Press Update Server Download Options” on page 240.

Prerequisite

You must have added licenses to SiteProtector for any component that you want to update. (See “Adding a License File” on page 104.)

Scheduling XPUs

You can apply an XPU immediately, or you can schedule a job to apply the XPU at a scheduled time. For scheduled updates, check for the job in the Command Jobs pane to find its status.

Core Updates

The core update process is different from other updates. When you perform a core update, the process occurs as follows:

● SiteProtector applies any database updates that are prerequisites. The time required to update the database depends on the number of updates that must be applied.
● After the core update is complete, you can log in to the Console. The Console indicates that an update is available for the Console.
● When you select to update the Console, SiteProtector uninstalls the Console and reinstalls the new version of the Console.

Procedure

To apply an update immediately:

1. In the Enterprise Groups pane, select the group that has the agent or component to update, and then select the Sensor tab.
2. Right-click the agent or component, and then select {type_of_sensor | Agent Manager} → Apply Update from the pop-up menu.
   Important: To update an agent that is managed by the Agent Manager, you must first update the Agent Manager.
3. Select Run Once in the Recurrence Pattern section, and then click OK. The Apply Update Wizard starts immediately.
4. In the Update type section, select the update to install, and then click Next. The Update type section shows only the types of updates that are available for the selected sensor(s) or group.
5. Read the End User License Agreement, and then select I Accept.
6. Verify that the updates are the ones you want to install.
7. Click Install. The installation process begins, and the progress appears in the following:
   ■ Overall progress: shows the progress of the entire update process.
   ■ Current Step Progress: shows the progress of each specific step. The text box displays a summary of the current step.
   Note: When you apply an XPU to the SP Core or to the Deployment Manager, your Console is disconnected while the application server is stopped and updated. You cannot reconnect your Console until the application server service restarts, which may take up to 45 minutes.
   Caution: Do not reboot during this time. If the update fails, contact Technical Support before proceeding.
8. Click Finish when that button is available to complete the update process.
9. If you are updating Desktop Agents, you must update your Desktop policies to use the new version of the software.

Closing and Reopening the Apply Update Wizard

Introduction

You can close the Apply Update Wizard while an update is in progress. The time-out period for the Apply Update Wizard is 20 minutes, however, so reopen it and check its status periodically.

Procedure

To close, and then reopen the wizard:

1. In the Apply Update Wizard, click Close. The Apply Update Wizard closes, but the update continues.
2. Double-click the job for the Apply Update Wizard in the Command Jobs pane on the Sensor tab. The SiteProtector Apply Update Wizard window opens.
   Note: The Finish button remains unavailable while the update is running.
3. Click Close or Finish.

Applying Updates When You Do Not Have Internet Access

Introduction

If the sensor controller is installed on an application server that does not have Internet access, or if the sensor controller cannot access the update file, you can use the Manual Upgrader utility to download the update files.
Procedure

To run the Manual Upgrader utility:

1. Copy ManualUpgrader.zip from the \accessories\ManualUpgrader folder on the ISS CD to a computer that has access to the Internet.
2. Extract its contents to a directory.
   Note: If you extract the file with “Use Folder Names” enabled, the program extracts the files to a directory called “ManualUpgrader.”
3. In the folder where you extracted the Manual Upgrader files, double-click ManualUpgrader.exe.
4. Browse to a valid license file, and then select the file.
5. Read the End User License Agreement, and then click I Accept.
   Note: If the Export Agreement appears, read the agreement, and then click I Accept.
6. Click Yes on the Manual Upgrader Tool dialog to download a new catalog of available updates.
7. If you are prompted to download a Manual Upgrader update, click Yes. The update downloads, and you are prompted to download the most recent catalog files.
8. Click Yes. The Downloading XML Catalog dialog appears, displaying all of the ISS product lines in the top pane and all of the available operating systems in the bottom pane.
9. Select the ISS product lines and the operating systems for which you want to download updates, and then click Get Selected Updates.
   Important: ISS recommends that you always download the SiteProtector Core and SiteProtector Database updates when you download other updates, because these are prerequisites.
   The utility downloads all available updates that were issued since your last update.
10. Locate the directory where you unzipped the Manual Upgrader files, and copy the following directories and their contents:
    \RealSecure
    \SiteProtector
    \InternetScanner
11. Paste the directories, including the XPU files located in each directory, to the following locations:
    \Program Files\ISS\RealSecure SiteProtector\Application Server\XPU\RealSecure
    \Program Files\ISS\RealSecure SiteProtector\Application Server\XPU\SiteProtector
    \Program Files\ISS\RealSecure SiteProtector\Application Server\XPU\InternetScanner
    Important: The File → Copy Files to RSSP method only allows you to copy the files to a folder that already contains an XML file. This prevents accidental copies to an incorrect directory. The first time you copy files, you may have to copy the files manually because the XML catalog file may not be present.
12. Click Exit.
13. Restart the SiteProtector Sensor Controller server to make sure the new catalog files you installed can be read.
    Reference: See “Starting and Stopping a SiteProtector Service” on page 116.

Removing an Update

Introduction

You can only remove XPUs from sensors and scanners. This procedure removes only the last update you applied. For example, if you applied three updates on January 12, only the last of the three is removed. You can continue to remove updates one at a time.

Note: You cannot remove the updates from Desktop agents, Proventia M-Series appliances, or SiteProtector.

Removing an update

To remove an update:

1. In the Enterprise Groups pane, select the group that has the product or component with the update you want to remove.
2. On the Sensor tab, select the product or component with the update you want to remove.
3. On the Sensor menu, select X-Press Update → Remove Last Update. The Remove Last Update window opens.
4. Do one of the following:
   ■ To remove the update immediately, select Immediate.
   ■ To schedule the removal of the update, select Scheduled, and then create a schedule to remove the latest update at a future time and date.
5. Click OK.

Verifying an update has been removed

To verify that an update has been removed:

1. In the Enterprise Groups pane, select the group that has the sensor or scanner from which you removed an update.
2. On the Sensor tab, select the sensor or scanner that had the update you removed. The Status column in the Command Jobs table displays Completed, and the version number in the Version column reflects the change.

Chapter 19: SiteProtector Reports

Overview

Introduction

To ensure the security of your network, you need to understand the state of your security at different levels. SiteProtector helps you by providing report functions that let you create reports for different purposes:

● At the event level, you can create reports from the events in analysis views.
● At the Site level, you can create preformatted summary and compliance reports.
  Note: These reports require a separately purchased license for SiteProtector Reporting.
● At the enterprise level, you can create trend and summary reports for multiple Sites.

This chapter explains how to create reports for each of these purposes.

Job limitation

By default, you can queue up to 10 printing jobs. Any that you queue in addition to that may fail to print.
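Returning to step 11 of the Manual Upgrader procedure above: the File → Copy Files to RSSP rule (copy only into a folder that already holds an XML catalog) is a simple integrity guard against dropping XPU files into the wrong directory. The following is an added example, not ISS or SiteProtector code, that applies the same rule to the three product directories the procedure names. The directory layout it builds under a temporary folder is constructed for the demonstration; the "force" flag stands in for the manual first-time copy the Important note describes, when no catalog exists yet.

```python
"""Guarded staging of XPU directories, modelled on the Manual Upgrader rule:
copy into a destination folder only if that folder already contains an XML
catalog file.  Added example, not ISS code; the layout below is constructed."""
import os
import shutil
import tempfile

# The three product directories step 10 tells you to copy (names from the guide).
XPU_PRODUCT_DIRS = ("RealSecure", "SiteProtector", "InternetScanner")


def has_xml_catalog(folder):
    """True if the destination already holds at least one .xml catalog file."""
    if not os.path.isdir(folder):
        return False
    return any(name.lower().endswith(".xml") for name in os.listdir(folder))


def stage_xpu_directories(source_root, xpu_root, force=False):
    """Copy each product directory from source_root into xpu_root.

    Returns a dict mapping product name -> "copied", "skipped" or "missing".
    A destination without an XML catalog is skipped unless force=True, which
    corresponds to the manual first-time copy described in the procedure."""
    results = {}
    for product in XPU_PRODUCT_DIRS:
        src = os.path.join(source_root, product)
        dst = os.path.join(xpu_root, product)
        if not os.path.isdir(src):
            results[product] = "missing"   # nothing downloaded for this product line
            continue
        if not force and not has_xml_catalog(dst):
            results[product] = "skipped"   # guard: no catalog, refuse the copy
            continue
        shutil.copytree(src, dst, dirs_exist_ok=True)
        results[product] = "copied"
    return results


def demo():
    """Build a constructed layout and run the staging twice: guarded, then forced."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "ManualUpgrader")
        xpu_root = os.path.join(tmp, "Application Server", "XPU")
        for product in XPU_PRODUCT_DIRS:
            os.makedirs(os.path.join(source, product))
            with open(os.path.join(source, product, "update.xpu"), "w") as fh:
                fh.write("constructed sample update\n")
        # Only two destinations already have a catalog; the third is "first time".
        for product in ("RealSecure", "SiteProtector"):
            os.makedirs(os.path.join(xpu_root, product))
            with open(os.path.join(xpu_root, product, "catalog.xml"), "w") as fh:
                fh.write("<catalog/>\n")
        guarded = stage_xpu_directories(source, xpu_root)
        forced = stage_xpu_directories(source, xpu_root, force=True)
        return guarded, forced


if __name__ == "__main__":
    print(demo())
```

In the guarded run the InternetScanner directory is reported as skipped because its destination has no catalog yet; the forced run copies it, which is the one-time manual step the guide allows.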
SiteProtector reports

Table 83 explains where to create reports in SiteProtector:

Type of Report           Where You Create It
Event analysis           Analysis view in Site Manager
Summary and compliance   Reporting tab in Site Manager
Trend and summary        Enterprise Dashboard

Table 83: Where to create reports in SiteProtector

In this chapter

This chapter contains the following sections:

Section                                                 Page
Section A, "Creating Reports from Event Data"           257
Section B, "Creating Summary and Compliance Reports"    261
Section C, "Creating Enterprise Reports"                267

SECTION A: Creating Reports from Event Data

Overview

Introduction

You can create reports from event data that is displayed on an Analysis tab. You can do any of the following:

● Print a report.
● Save a report to a file in several file formats.
● Save reports and include vulnerability Help.
● Schedule reports.
● Copy and paste the report data into an email, a spreadsheet, or a text file.

Note: An Analysis tab is named Sensor Analysis by default, although the name changes depending on the Analysis view that you select.

Report generation techniques

You can use any combination of the following techniques to generate the data for a report:

● Select an analysis view.
● Apply filters.
● Add, remove, or reorder columns.
● Select a guided question for the event from an Analysis view.

Keyboard shortcuts

Table 84 describes the keyboard shortcuts available for working with event reports:

Keyboard Shortcut   Description
CTRL+P              Prints data
CTRL+R              Exports data
CTRL+V              Exports data with vulnerability Help
CTRL+Q              Schedules export data

Table 84: Keyboard shortcuts for event reports

In this section

This section contains the following topics:

Topic                              Page
Printing Reports from Event Data   258
Saving Reports from Event Data     259

Printing Reports from Event Data

Introduction

You can print a report from data that is displayed on an Analysis tab.

Procedure

To print a report from event data:

1. In the Enterprise Groups pane, select the group to use, and then click the Sensor Analysis tab.
2. Select an Analysis view, and then use any of the other data generation techniques to generate the data for the report.
3. From the Analysis menu, select Data Export → Print Data. The Print window appears.
4. Change any printing settings that you want to change.
5. Click Print.

Saving Reports from Event Data

Introduction

You can save a report to a file from the data displayed on an Analysis tab. You can save the report either with or without the vulnerability data for each event. You can save the report in any of the following file formats:

● hypertext markup language (HTML)
● comma-separated value (CSV)
● portable document format (PDF)

Note: HTML is the default report file format.

Procedure

To save a report to a file:

1. In the Enterprise Groups pane, select a group, and then select the Sensor Analysis tab.
2. Select an Analysis view, and then use any of the other data generation techniques to generate the data for the report.
3. From the Analysis menu, select Data Export → Export Data, or select Data Export → Export Data With Vulnerability Help.
4. Select a folder in the Save in list.
5. Type the File name for the report, and then select the type of file from the Files of type list.
6. Click Save.

SECTION B: Creating Summary and Compliance Reports

Overview

Introduction

SiteProtector provides preformatted, high-level summary and compliance reports on the Reporting tab. These reports help you identify trends across your organization, evaluate the overall effectiveness of security measures, and verify the state of your security.

Note: These reports require a separately purchased license for SiteProtector Reporting.

Report categories

The reports are grouped by the following categories on the Reporting tab:

● Assessment
● Attack Activity
● Audit (SiteProtector user actions)
● Content Filtering
● Desktop Protection
● Management
● Virus Activity

Report formats

You can print or save reports created on the Reporting tab in any of the following formats:

● portable document format (PDF)
● hypertext markup language (HTML)
● comma-separated value (CSV)

Lengthy reports

If a report exceeds 30 pages, the HTML format causes the text in the report to overlap and become unreadable. To avoid the problem, use the PDF or CSV formats when you run a report that may exceed 30 pages.

In this section

This section contains the following topics:

Topic                                         Page
Compliance and Summary Report Descriptions    262
Running a Report                              264
Viewing a Report                              265
Saving a Report                               266

Compliance and Summary Report Descriptions

Introduction

SiteProtector provides predefined reports on the Reporting tab. These reports contain the parameters needed to generate a report, including headers, footers, filters, and format.
Assessment reports

Table 85 describes the preformatted assessment reports:

Report Name                        Description
Host Assessment Detail             Discovered hosts with detailed information about network services and vulnerabilities.
Host Assessment Summary            Discovered hosts, identifying network services and vulnerabilities for each host.
Operating System Summary           Percentage and number of hosts by operating system discovered during an automated network scan.
Operating System Summary By Host   The operating systems detected on the network.
Service Summary                    The network services detected on the scanned hosts.
Service Summary By Host            The network services detected on each scanned host.
Top Vulnerabilities                The top vulnerabilities by frequency for a specified group and time.
Vulnerabilities by Group           Comparison of vulnerabilities across subgroups of a selected group.
Vulnerabilities by Host            The top hosts by number of vulnerabilities for a specified group and time.
Vulnerability by OS                Comparison of vulnerability counts by operating system.
Vulnerability Counts               Detected vulnerabilities by total number and by percentage.
Vulnerability Counts By Host       The number and severity of vulnerabilities for each host.
Vulnerability Detail By Host       Detected vulnerabilities by host. Provides the DNS name, IP address, operating system type, and remediation information.
Vulnerability Names By Host        Detected vulnerabilities by DNS name, IP address, and the name of each vulnerability detected.
Vulnerability Remedies By Host     Detected vulnerabilities by host, including remediation information.
Vulnerability Summary By Host      Detected vulnerabilities by DNS name, IP address, operating system, and the name of each vulnerability detected.

Table 85: Assessment report descriptions

Attack activity reports

Table 86 describes the preformatted attack activity reports:

Report Name             Description
Attacks by Group        Comparison of attack counts across subgroups of a selected group.
Top Attacks             The top attack names by frequency for a specified group and time.
Top Sources of Attack   The top attack sources by frequency for a specified group and time.
Top Targets of Attack   The top attack targets by frequency for a specified group and time.

Table 86: Attack activity report descriptions

Audit report

The Audit Detail report lists any significant actions that SiteProtector users perform on the Site.

Content filtering reports

Table 87 describes the preformatted content filtering reports:

Report Name          Description
Top Web Categories   Displays blocked and unblocked categories along with the number of hosts and requests.
Web Requests         Indicates the top requested blocked and unblocked categories, or reports that indicate the top blocked and unblocked categories.

Table 87: Reporting tab reports

Desktop report

The Desktop Protection report displays counts of hosts protected and not protected, with version details.

Management reports

Table 88 describes the preformatted management reports:

Report Name             Description
Attack Incidents        All security incidents created for a specified time.
Attack Status Summary   Attack status summary, including SecurityFusion and blocked events.
Attack Trend            Attack activity by Day/Week/Month/Quarter/Year.
Virus Activity Trend    Virus activity by Day/Week/Month/Quarter/Year.
Vulnerability Trend     Vulnerabilities by Day/Week/Month/Quarter/Year.

Table 88: Management report descriptions

Virus activity reports

Table 89 describes the preformatted virus activity reports:

Report Name               Description
Top Virus Activity        Top viruses by frequency for a specified group and time.
Virus Activity by Group   Comparison of virus activity across subgroups of a selected group.
Virus Activity by Host    The top hosts by amount of virus activity for a specified group and time.

Table 89: Virus activity report descriptions

Running a Report

Introduction

This topic explains how to run a report on the Reporting tab.

Procedure

To create a report from the Reporting tab:

1. On the Site Manager, click the Reporting tab.
2. Right-click a report name, and then select Run Report. The Run Report dialog opens.
3. On the Report Specification tab, enter the Report Title and an optional Report Description.
4. In the Report Period section, select Standard Time Period or Custom, and then select the time period for the report.
5. Select the settings you want to use for the custom report.
6. On the Recurrence tab, enter the Recurrence pattern, Event Time, and Range of recurrence information, if desired.
7. Click OK. The information about the job appears in the Report Jobs pane.

Note: By default, you are allowed to queue up to 10 report jobs. Any that you queue in addition to that may fail to run.

Viewing a Report

Introduction

This topic explains how to view a report that you created.

Procedure

To view a report:

1. On the Site Manager, select the Reporting tab.
2. Right-click a report, and then select List Reports from the pop-up menu.
3. Select the report you want to open, and then click View. The read-only report opens.

Saving a Report

Introduction

This topic explains how to save a report.

Procedure

To save a report:

1. On the Site Manager, select the Reporting tab.
2. Right-click the report you want to save, and then select List Reports from the pop-up menu.
3. Select the report to save, and then click Save As.

SECTION C: Creating Enterprise Reports

Overview

Introduction

The Enterprise Dashboard contains information about multiple Sites that report to the Enterprise Dashboard.
The reports you create from the Enterprise Dashboard provide trend and summary information, identifying meaningful patterns of activity over time so you can determine your organization’s state of security and adjust your protection accordingly.

Reference: For more information about creating and manipulating reports on the Enterprise Dashboard, see the SiteProtector Help.

Features

Reports created from the Enterprise Dashboard include the following features:

● reporting across multiple Sites
● Site comparisons
● same-group comparisons
● trends and summaries

Enterprise Dashboard views

Use the tabs in the right pane of the Enterprise Dashboard to periodically monitor groups or Sites. Each view compares and organizes the data for the Sites in a graph or chart format. You can save or print this information in report format. The tabs include the following:

● Metrics
● Current State Comparison
● Comparison
● Detail

Report formats

You can print or save reports created on the Enterprise Dashboard in the following formats:

● hypertext markup language (HTML)
● portable document format (PDF)

In this section

This section contains the following topics:

Topic                 Page
Printing a Report     268
Saving a Report       269
Scheduling a Report   270

Printing a Report

Introduction

This topic explains how to print a report from the Enterprise Dashboard.

Procedure

To print a report:

1. In the Enterprise Dashboard, select the Site and group to use.
2. In the right pane, select the tab for the type of report to create:
   ■ Metrics
   ■ Current State Comparison
   ■ Comparison
   ■ Detail
3. Select the Start Date and the End Date for the report to cover.
4. Select the severity (H(igh), M(edium), and L(ow)) check boxes for the data to include for each category:
   ■ Attacks
   ■ Vulnerabilities
   ■ Attacked Vulnerabilities
5. On the Enterprise Groups Reporting menu, select Print Report.
6. Change the print settings, if desired.
7. Click Print.

Saving a Report

Introduction

This topic explains how to save a report from the Enterprise Dashboard.

Procedure

To save a report:

1. In the Enterprise Dashboard, select the Site and group you want to use.
2. In the right pane, select the tab for the type of report you want to create:
   ■ Metrics
   ■ Current State Comparison
   ■ Comparison
   ■ Detail
3. Select the Start Date and the End Date for the report to cover.
4. Select the severity (H(igh), M(edium), and L(ow)) check boxes for the data to include for each category:
   ■ Attacks
   ■ Vulnerabilities
   ■ Attacked Vulnerabilities
5. On the Enterprise Groups Reporting menu, select Save Report.
6. Select the path to save the file in the Save in list.
7. Type or select the name for the file in the File name box.
8. Use the File type arrow to select one of the following formats:
   ■ CSV
   ■ PDF
   ■ HTML
9. Click Save.

Note: You cannot include detailed Help for vulnerabilities when you save a report from the Enterprise Dashboard.

Scheduling a Report

Introduction

This topic explains how to schedule an Enterprise report to run at a particular time. You can set up the report to run either once or on a recurring schedule.

Procedure

To schedule a report:

1. On the Enterprise Groups Reporting menu, select Schedule Report.
2. In the Output Parameters section, complete the following:

   Field        Description
   File name    The fully qualified path, or the path based on the Universal Naming Convention (UNC), for the report.
                Note: If you specify a relative path, the report is saved in the \Application Server\Temp folder.
   File Type    The format to use:
                • PDF
                • HTML
   Time for     The period to cover:
                • This or Previous. Note: This covers the time elapsed since the beginning of the current calendar unit you choose below.
                • The number of calendar units to include.
                • The calendar unit: Day, Week, Month, or Year.
   Overwrite?   Whether to overwrite an existing report file with the same name.

3. In the Current View Selection section, complete the following:

   Field                      Description
   Groups_list                The Site and group to use.
   Attacks                    The severity of attacks to include: H(igh), M(edium), and L(ow).
   Vulnerabilities            The severity of vulnerabilities to include: H(igh), M(edium), and L(ow).
   Attacked Vulnerabilities   The severity of attacked vulnerabilities to include: H(igh), M(edium), and L(ow).
   View Type                  The type of report to run:
                              • Metrics
                              • Current State Comparison
                              • Comparison
                              • Detail
   Time Unit                  The calendar period to use for grouping the data:
                              • Day
                              • Month
                              • Quarter
                              • Year

4. Click Edit Schedule, and then select how frequently to run the report, the time of day to run the report, and whether you want an end date for running the report. By default, the report is generated immediately.
5. Click OK, and then click OK again.

Note: You cannot include detailed Help for vulnerabilities when you save a report from the Enterprise Dashboard.

Part VI: Troubleshooting

Chapter 20: Troubleshooting

Overview

Introduction

This chapter provides descriptions and solutions for some of the issues you may encounter as you work with SiteProtector. It is not intended to represent a complete list of potential SiteProtector issues.

Knowledgebase and ISS Customer Support

For the most complete and up-to-date list of SiteProtector issues, see the ISS Knowledgebase at http://www.iss.net/support/knowledgebase/. If the Knowledgebase does not help you resolve your issue, contact ISS Customer Support.
In this chapter

This chapter contains the following topics:

Topic                                             Page
Issues Related to SiteProtector Encryption Keys   276
Issues Related to Operating SiteProtector         277
Issues Related to Low Memory                      284
Issues Related to Updating SiteProtector          285
Issues Related to SiteProtector Services          286
Issues Related to Agents and Appliances           288

Issues Related to SiteProtector Encryption Keys

Introduction

This topic provides solutions to issues that you might encounter when working with SiteProtector encryption keys.

Key exchange doesn’t work

Description: The following message appears under the EC Public Keys sent row when you click Details for Solaris RealSecure Network 7.0:

EC Public Keys sent : No - Error checking encryption algorithms on sensor, neither CerticomNRA nor RSA supported. No encryption key(include directory) found on sensor.

This message indicates that the encryption key exchange between SiteProtector and the Solaris RealSecure Network 7.0 is not functioning. This issue also causes the RealSecure Network to display a status of Offline. To fix the issue, you must manually send the keys from SiteProtector to the RealSecure Network agent.

Solution: Manually send the keys.

To manually send keys:

1. Locate your Event Collector public keys. These keys reside on the Event Collector computer that communicates with your Solaris RealSecure Network. The default names and directories for your public keys are:
   ■ \Program Files\ISS\RealSecure SiteProtector\Event Collector\Keys\CerticomNRA\rs_eng_<computer_name>_239.PubKey
   ■ \Program Files\ISS\RealSecure SiteProtector\Event Collector\Keys\RSA\rs_eng_<computer_name>_1024.PubKey
   ■ \Program Files\ISS\RealSecure SiteProtector\Event Collector\Keys\RSA\rs_eng_<computer_name>_1536.PubKey
2. Using the file transfer protocol (FTP), send rs_eng_<computer_name>_239.PubKey to the following location on your Solaris RealSecure Network 7.0 computer: /opt/ISS/issSensors/network_sensor_1/Keys/CerticomNRA
3. Using FTP, send rs_eng_<computer_name>_1024.PubKey and rs_eng_<computer_name>_1536.PubKey to the following location on your Solaris RealSecure Network 7.0 computer: /opt/ISS/issSensors/network_sensor_1/Keys/RSA

Important: Be sure to change to binary mode before you FTP your keys.

Issues Related to Operating SiteProtector

Introduction

This topic provides solutions to issues that you might encounter when operating SiteProtector.

Who are the SiteProtector users?

You can identify SiteProtector users on the application server computer.

To identify SiteProtector users:

1. Click Start on the taskbar, and then select Settings → Control Panel.
2. On the Control Panel, select Administrative Tools → Computer Management.
3. Under System Tools, select Local Users and Groups → Groups.
4. Double-click the name of a SiteProtector user group in the right pane. The user names appear in the Members box in the Users Properties window.

Cannot log on to SiteProtector

Description: When you attempt to log on to the Console, SiteProtector displays a Certificate Incompatibility message.

Explanation: The Certificate Incompatibility message appears when you try to connect to the server, but the certificate validation process detects a discrepancy in the certificate assigned to the server.

Solution: Record the information displayed in the Certificate Incompatibility message, and contact your System Administrator to determine whether the certificates have been updated.

● If your System Administrator confirms that they have updated the certificates, click Valid. The newly updated certificate replaces the previous certificate in the key store for that server.
● If your System Administrator verifies that they have not updated the certificates, click Invalid. The System Administrator should then contact ISS Technical Support for assistance.

Note: The purpose of certificates is to alert you to attacks. Accepting an unknown certificate could make you vulnerable to attacks.

Cannot view a report

Description: SiteProtector displays the following error when you try to view a report:

The requested URL could not be retrieved.

This error can occur when you log on to the SiteProtector Console using a NetBIOS computer name, but your Internet Explorer application cannot resolve the NetBIOS name. Your Internet Explorer application is probably set to use a proxy, but the proxy server is not configured to resolve the NetBIOS address.

Solution: Log out of the SiteProtector Console, and then log on using either the fully qualified domain name (FQDN) or the IP address of the SiteProtector application server.

Cannot view PDF documentation

Description: You are unable to view the PDF documentation from the SiteProtector Help menu when using Windows 2003. The default Windows 2003 security settings prevent users from opening non-HTML files by clicking the associated link or menu item.

Solution: To open the SiteProtector PDF documentation, do one of the following:

● Configure your Windows 2003 security settings to allow you to open non-HTML files by clicking the associated link or menu item. For information about configuring your security settings, see the Windows 2003 system documentation.
● Save the PDF documentation to your hard drive, and then access the PDF file directly.

Missing or invalid license key errors

Description: After you add a license key through the SiteProtector Console, the features do not appear, but errors related to a missing or invalid license key appear.

Solution: The sensor controller polls for license changes every 60 seconds, so the change may not appear immediately. You can press the F5 key to refresh the licensing information. You can also wait 60 seconds, and then re-open the Add License window to see whether the feature columns are populated. If the feature columns are populated, the license key has been successfully imported.

Computer absent from Active Directory

Description: Your computer appears in a domain and in DNS, but it does not appear in the Active Directory grouping tree.

Solution: Your computer may not have an assigned DNS server name in the Active Directory object. If this is the case, SiteProtector cannot resolve a name for your computer.

To verify that your computer has an assigned DNS name:

1. On the Domain Controller computer, access Administrative Tools.
2. Select Active Directory Users and Computers.
3. In the left pane, locate the computer that does not appear in the Active Directory listing.
4. Right-click the computer name, and then select Properties. The Computer_Name Properties window appears.
5. Does the full DNS name appear in the DNS name box?
   ■ If yes, call ISS Technical Support to help you with this issue.
   ■ If no, go to the next step.
6. Go to the computer that does not appear in the Active Directory listing.
7. Right-click My Computer, and then select Properties. The System Properties window appears.
8. Manually change the Full computer name in System Properties to reflect the complete name of the computer.

Note: The procedure to change the name that appears in the Full computer name field depends on your operating system version. See your operating system documentation for information about how to change your computer name.
278 Issues Related to Operating SiteProtector SiteProtector is not collecting Internet Scanner 6.2.1 data Your Event Collector password was deleted or has expired Description: You re-installed Internet Scanner 6.2.1, and you are no longer collecting data. Solution: The Internet Scanner Databridge registers some of the Internet Scanner DLL files, so you must reinstall the Internet Scanner Databridge after you reinstall Internet Scanner 6.2.1. Description: Your Event Collector username/password was accidentally deleted, changed, or has expired. The encryption authentication between the Event Collector and the SiteProtector database is no longer valid. Solution: You must generate a new set of keys by re-generating the user account. Contact ISS Technical Support for assistance. Agent status is “Unknown” or “Not Responding” Description: The SiteProtector Console displays an “Unknown” or “Not Responding” status for one or more agents. Under normal conditions, an agent's status should be “Active” or “Stopped” if the agent is not assigned to an Event Collector. If the agent is assigned to an Event Collector, the status should be “Active” (if the agent is currently connected to an Event Collector) or “Offline” (if the Event Collector is unable to connect to the agent). Solution: This is probably the result of a missing or invalid SiteProtector authentication key on the computer where the agent is installed. To verify that this is the problem, go to the Keys folder on the computer where the agent is installed. 
Table 90 lists the folders where keys are stored for each product: Product Folder Deployment Manager \Program Files\ISS\RealSecure SiteProtector\Deployment Manager\Keys Desktop controller \Program Files\ISS\Realsecure SiteProtector\Desktop Controller\Keys RealSecure Network Gigabit (Linux) /opt/ISS/issSensors/network_sensor_1/Keys RealSecure Network Gigabit (Windows) \Program Files\ISS\issSensors\Network_Sensor_1\Keys ICEcap Databridge \Program Files\ISS\issSensors\ICEcap_Databridge\Keys Internet Scanner 7.0 \Program Files\ISS\issSensors\Scanner_1\Keys Internet Scanner 6.2.1 \Program Files\ISS\Scanner6\Keys Internet Scanner Databridge 6.2.1 \Program Files\ISS\issSensors\ Internet_Scanner_DataBridge\Keys RealSecure Network \Program Files\ISS\issSensors\network_sensor_1\Keys Proventia A-Series /opt/ISS/issSensors/network_sensor_1/Keys Proventia G-Series /opt/ISS/issSensors/network_sensor_1/Keys Table 90: Location of Keys folder SiteProtector User Guide for Security Managers Version 2.0, SP5.2 279 Chapter 20: Troubleshooting Product Folder Proventia M-Series /var/spool/crm/leafcerts Note: The Proventia M Series has an SSL Cert key instead of an encryption key. SecurityFusion Module \Program Files\ISS\issSensors\Security Fusion\Keys RealSecure Server Sensor \Program Files\ISS\issSensors\server_sensor_1\Keys System Scanner Databridge \Program Files\ISS\issSensors\ System_Scanner_Databridge\Keys Third Party Module (for Check Point) \Program Files\ISS\issSensors\ ThirdPartyModule_CheckPoint_1\Keys Third Party Module (for Cisco) \Program Files\ISS\issSensors\ ThirdPartyModule_Cisco_1\Keys Table 90: Location of Keys folder (Continued) Important: You need to examine both the Internet Scanner and Internet Scanner Databridge folders for Internet Scanner 6.2.1 installations. Each Keys folder can contain subfolders for each key provider present (e.g. \RSA or \CerticomNRA). 
At least one of these key provider subfolders should contain the SiteProtector authentication key, which looks like sp_con_<ApplicationServerDNS>_<####>.PubKey. For example, if the SiteProtector is present on a computer with the DNS “bob”, then the computer containing a RealSecure Server Sensor installation should have a file called \Program Files\ISS\issSensors\server_sensor_1\Keys\RSA\sp_con_bob_239.PubKey (assuming RSA encryption. If this file is not present, or if the date does not match the date of the corresponding key on the RealSecure application server computer, then you must force the key to be pushed from the RealSecure application server to the local agent. The SiteProtector authentication keys for SiteProtector are located in the \Program Files\ISS\RealSecure SiteProtector\Application Server\Keys\<key provider>\ folders. Important: Make sure you compare keys in similar key provider subfolders. In the example above, compare the agent's RSA key folder to the Application Server's RSA key folder. To send the application server’s authentication keys to the agent: 1. Locate, and then delete sp_con*.PubKey in the \Program Files\ISS folder and below. 2. From a command prompt, type net stop issdaemon. 3. Edit \Program Files\ISS\issDaemon\crypt.policy file by changing the “allowfirstconnection<tab> =L<tab>0;” string to “allowfirstconnection<tab> =L<tab>1;”, 4. Save the file. 5. From a command prompt, type net start issdaemon. 280 Issues Related to Operating SiteProtector 6. From the SiteProtector console, issue a Start command to the agent so that it attempts to connect. This should change the agent status, though it may take a minute or so. Verify that the key was sent as described above. Agent status is “Offline” Description: The SiteProtector console displays the status for one or more agents as “Offline.” Explanation: This could be the result of a missing or invalid Event Collector authentication key on the agent computer. 
Solution: To verify that this is the problem, go to the Keys folder on the agent computer. For a list of typical folders, see Table 90, “Location of Keys folder” on page 279. Each Keys folder can contain subfolders for each key provider present (e.g., \RSA or \CerticomNRA). At least one of these key provider subfolders should contain the Event Collector authentication key, which looks like rs_eng_<EventCollectorDNS>_<####>.PubKey. For example, if the Event Collector is present on a computer with the DNS “bob”, then the computer containing a RealSecure Server Sensor installation should have a file called \Program Files\ISS\issSensors\server_sensor_1\Keys\ RSA\rs_eng_bob_239.PubKey (assuming RSA encryption). If this file is not present, or if the date does not match the date of the corresponding key on the Event Collector host, then you must force the key to be pushed from the Event Collector to the local agent. The Event Collector computer’s authentication keys are located in the \Program Files\ISS\RealSecure SiteProtector\Event Collector\Keys\<key provider>\ folders. Important: Make sure you compare keys in similar key provider subfolders. In our example above, compare the agent’s RSA key folder to the Event Collector’s RSA key folder. To apply the Event Collector’s authentication keys to the agent: 1. From the SiteProtector Console, issue a Stop command to the Event Collector, and wait until its status changes to “Stopped.” 2. Select the agent, right-click the agent, and then select View/Edit from the pop-up menu. 3. Change the Event Collector box to None, and then click OK. 4. Issue a Start command to the Event Collector, and then wait until its status changes to either “Offline” or “Active.” 5. Select the agent, right-click the agent, and then select View/Edit from the pop-up menu. 6. Change the Event Collector box from “None” to the appropriate Event Collector, and then click OK. 
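The key-folder check described for both the “Unknown”/“Not Responding” and the “Offline” symptoms (find the sp_con_ or rs_eng_ key in each provider subfolder and compare it like for like with the server’s copy) can be scripted. The following Python is an added example, not part of the guide or the product; it assumes the Keys\<provider>\ layout described above, adds a content comparison beyond the date check the guide describes, and runs against a constructed sample site rather than real key files.

```python
"""Compare an agent's Keys folder with the server's, provider by provider.

Added example, not ISS code. Assumes the layout the guide describes:
<Keys>/<provider>/<prefix>_<server DNS>_<bits>.PubKey, with prefix sp_con
for the application server key and rs_eng for the Event Collector key.
"""
import hashlib
import os
import re
import tempfile

KEY_NAME = re.compile(r"^(?P<prefix>sp_con|rs_eng)_.+_\d+\.PubKey$", re.IGNORECASE)


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def list_keys(keys_dir, prefix):
    """Map (provider, file name) -> (mtime, sha256) for keys of one prefix."""
    found = {}
    if not os.path.isdir(keys_dir):
        return found
    for provider in sorted(os.listdir(keys_dir)):
        pdir = os.path.join(keys_dir, provider)
        if not os.path.isdir(pdir):
            continue
        for name in sorted(os.listdir(pdir)):
            m = KEY_NAME.match(name)
            if m and m.group("prefix").lower() == prefix:
                path = os.path.join(pdir, name)
                found[(provider, name)] = (os.path.getmtime(path), _sha256(path))
    return found


def compare_keys(agent_keys_dir, server_keys_dir, prefix, tolerance_s=2.0):
    """Return [(provider, file name, status)] for every key the server holds.

    Keys are compared like for like (the agent's RSA folder against the
    server's RSA folder), as the guide requires. Status is 'ok',
    'missing-on-agent', 'content-mismatch' (an addition beyond the guide's
    date check) or 'date-mismatch' (modification times differ by more than
    tolerance_s seconds).
    """
    server = list_keys(server_keys_dir, prefix)
    agent = list_keys(agent_keys_dir, prefix)
    results = []
    for key in sorted(server):
        provider, name = key
        s_mtime, s_hash = server[key]
        if key not in agent:
            status = "missing-on-agent"
        else:
            a_mtime, a_hash = agent[key]
            if a_hash != s_hash:
                status = "content-mismatch"
            elif abs(a_mtime - s_mtime) > tolerance_s:
                status = "date-mismatch"
            else:
                status = "ok"
        results.append((provider, name, status))
    return results


def needs_key_push(results):
    """True when any key must be pushed from the server to the agent."""
    return any(status != "ok" for _, _, status in results)


def _write(path, data, mtime):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def run_demo():
    """Constructed sample: application server 'bob' with RSA 1024/1536 and
    CerticomNRA 239 keys; the agent holds a good RSA 1024 copy, no RSA 1536
    copy, and a CerticomNRA copy whose date is a day off. Key bytes are
    placeholders, not real key material."""
    t0 = 1_100_000_000  # arbitrary fixed timestamp for reproducible mtimes
    with tempfile.TemporaryDirectory() as root:
        server = os.path.join(root, "Application Server", "Keys")
        agent = os.path.join(root, "server_sensor_1", "Keys")
        _write(os.path.join(server, "RSA", "sp_con_bob_1024.PubKey"), b"rsa-1024", t0)
        _write(os.path.join(agent, "RSA", "sp_con_bob_1024.PubKey"), b"rsa-1024", t0)
        _write(os.path.join(server, "RSA", "sp_con_bob_1536.PubKey"), b"rsa-1536", t0)
        _write(os.path.join(server, "CerticomNRA", "sp_con_bob_239.PubKey"), b"nra-239", t0)
        _write(os.path.join(agent, "CerticomNRA", "sp_con_bob_239.PubKey"), b"nra-239", t0 + 86400)
        return compare_keys(agent, server, "sp_con")


if __name__ == "__main__":
    for provider, name, status in run_demo():
        print(f"{provider:12s} {name:26s} {status}")
```

Run it with the agent's and the server's real Keys folders and the prefix for the key you are checking (sp_con for the application server, rs_eng for the Event Collector); any status other than ok means the key must be pushed as the procedures above describe.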
This should change the agent status to “Active.” Verify that the key was sent, as described previously.

Inaccessible file structure and application registry

Description: When you install the SiteProtector Console, the file structure and the application registry may not be accessible for some users and groups that have limited access privileges.

Solution: To change SiteProtector Console access permission on Windows 2000:

Note: You must be an administrator or a user with access privileges that allow modifications to the security settings for the SiteProtector Console installation. Specifically, you must be able to change the file system and registry settings that are described in the following procedure.

1. Open Windows Explorer.
2. Navigate to the location where the SiteProtector Console is installed. The default location is: \Program Files\ISS\RealSecure SiteProtector\Console
3. Right-click the Console folder, and then select Properties. The folder’s properties window appears.
4. Select the Security tab.
5. Click Add. The Select Users, Computers, or Groups window opens.
6. Select the users and/or groups for which you want to add permissions, and then click Add.
7. Click OK. The Select Users, Computers, or Groups window closes.
8. Select each user and/or group you added, and then ensure that they have at least the following permissions:
   For file folders:
   ■ Write
   ■ Read
   ■ List & Execute
   ■ Modify
   For registry folders:
   ■ Read
9. Click Apply, and then click OK.
10. Open the registry editor program, regedt32.exe.
    Note: The registry editor program name is regedit.exe on Windows 2003.
11. Select the window titled HKEY_LOCAL_MACHINE on Local Machine, and then navigate the following path: HKEY_LOCAL_MACHINE\Software\ISS\SiteProtector
12. Select the Console folder, and then select Security → Permissions on the menu bar.
    Note: On Windows 2003, right-click the SiteProtector key, and then select Permissions.
    The Permissions for Console window opens.
13. Click Add. The Select Users, Computers, or Groups window opens.
14. Select the users and/or groups for which you want to add permissions, and then click Add.
15. Click OK. The Select Users, Computers, or Groups window closes.
16. Click OK to complete the operation.

Desktop Protection agent not visible in the console

Description: The Desktop Protection agent does not appear on the Sensor tab in the SiteProtector Console.

Solution: On the target computer (the computer where your Desktop Protector agent is installed), verify that the executable blackd.exe is running. You can verify this on the Processes tab in Windows Task Manager. You may have to limit the name of the final subdirectory in your Desktop Protection agent installation path to 17 characters or fewer.

To limit the name of the final subdirectory in your Desktop Protector agent installation path to 17 characters or fewer:
1. Navigate to the root of the directory where the Desktop Protection agent is installed. The default location is: \Program Files\ISS\issSensors\DesktopProtection
2. Double-click AgentRemove.exe.
3. In the Site Manager, select Sensor → Manage → Policy. The Manage Policy window opens.
4. Select the appropriate policy. This is the policy that was selected for the target computer.
5. Click View/Edit. The Policy window opens.
6. Select Installation Configuration.
7. In the following fields, limit the name of the final subdirectory in your Desktop Protector agent installation path to 17 characters or fewer:
   ■ WinNT/2000 Install Path
   ■ Win 9x Install Path
8. Save the policy, right-click the group that contains the malfunctioning Desktop Protection agent, and then select Desktop Protection → Generate Desktop Protection Build. The Generate Desktop Protection Build window opens.
9. In the drop-down list, select the desired Desktop Controller, and then type a description in the Description box.
10. Click OK.
11. After the Desktop Protection build is complete, navigate to the Desktop Protection Build page in the target computer’s Web browser. By default, this page is located on port 8085 of the computer where the Desktop Controller resides.
12. Select the newly generated Desktop Protection build.
13. Select Open on the Download window.
14. The new agent build is installed.

Issues Related to Low Memory

Introduction

This topic provides descriptions and solutions for some of the issues you may encounter due to a lack of memory on your SiteProtector system.

Importing a large application list

Description: If you import an application list containing more than 8000 entries into the global application list or into a policy, then an out of memory error can appear when you attempt to edit the global application list.

Solution: Perform the following procedure:
1. Click Start on the taskbar, and then select Run. The Run window appears.
2. Type regedit in the Open box. The Registry Editor application opens.
3. In the left pane, navigate the following path: HKEY_LOCAL_MACHINE\SOFTWARE\ISS\CPE\Parameters
4. Edit the string value for MaxHeap to reflect the following: -Xmx<size in megabytes>M

Note: ISS recommends that you start with a value of 128, and then increase the value, if necessary, until the application runs. For example, type -Xmx128M to set the heap size to 128 megabytes.

Multiple console connections

Description: Your SiteProtector system may generate an "out of memory" error on the application server if both of the following occur:
● Multiple consoles are simultaneously retrieving asset information from a Site.
● You have increased the default value for the maximum number of rows that SiteProtector displays.
● You are running very large, scheduled reports.

Note: This is also applicable to the SiteProtector Web Portal.

Solution: Perform the following procedure:
1. On the application server, click Start on the taskbar, and then select Run. The Run window appears.
2. Type regedit in the Open box. The Registry Editor application opens.
3. In the left pane, navigate the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\issSPAppService\Parameters
4. Edit the string value for MaxHeap to reflect the following: -Xmx<size in megabytes>M

Note: ISS recommends that you start with a value of 384, and then increase the value, if necessary, until the application runs. For example, type -Xmx384M to set the heap size to 384 megabytes.

Issues Related to Updating SiteProtector

Introduction

This topic provides descriptions and solutions for some of the issues you may encounter when updating your SiteProtector system.

Cross-database ownership chaining

Description: Some users have found that they cannot apply database updates after they install Microsoft SQL Server SP3. There are several reasons why your database updates may fail.

Solution: You must enable cross-database ownership chaining in MSSQL before you can apply database updates. You can do this using the Enterprise Manager or using the command prompt.

Note: You only need to perform one of the following procedures.

To enable cross-database ownership chaining using the Microsoft SQL Enterprise Manager:
1. Open the Enterprise Manager.
2. Right-click the database, and then click Properties.
3. Select the Options tab.
4. Select Allow Cross-database ownership chaining.
5. Click OK.

To enable cross-database ownership chaining without using the Microsoft SQL Enterprise Manager:
1. Type the following at the command prompt: osql -E
2. Press ENTER. The following prompt appears: 1>
3. Type the following at the prompt: exec sp_dboption 'RealSecureDB', 'db chaining', 'true'
4. Press ENTER. The following prompt appears: 2>
5. Type the following at the prompt: go
6. Press ENTER.

SQL Agent not running

Description: If the SQL Server Agent is not running on the SQL server that hosts the SiteProtector database, the updates will fail.

Solution: Restart the SQL Server Agent, and then try applying the update again.

Job ownership

Description: If SiteProtector jobs are not owned by the IssApp account, you may not be able to apply updates to your SiteProtector database.

Solution: Make IssApp the owner of these jobs, and then apply the update.

Issues Related to SiteProtector Services

Introduction

This topic provides solutions to issues that you might encounter when working with the SiteProtector Services.

Services failing to start

Description: Communication between your application server or sensor controller and the SiteProtector database requires a password. SiteProtector generates the original password at installation time. If this password is changed, your SiteProtector database and application server (and/or sensor controller) cannot communicate. The result is that the service will fail to start.

Solution: The Application Server password utility allows you to create a new password if the original password is accidentally changed or deleted, or if your company policy requires you to change your passwords periodically.

To change the password for your sensor controller and application server:
1. Click Start on the taskbar, and then select Settings → Control Panel → Administrative Tools → Services. The Component Services window appears.
2. Right-click RealSecure SiteProtector Application Service, and then click Stop on the pop-up menu.
3. Right-click RealSecure SiteProtector Sensor Controller Service, and then click Stop on the pop-up menu.
4. Click Start on the taskbar, and then select Programs → Accessories → Command Prompt. The Command Prompt window appears.
5. Change to the bin directory under the directory where the Application Server is installed. For example, if the Application Server is installed in the default location, type the following, and then press ENTER: cd "\Program Files\ISS\RealSecure SiteProtector\Application Server\bin"
6. At the command prompt, type the following command: instutil.bat -p <your new password>
7. Click Start on the taskbar, and then select Settings → Control Panel → Administrative Tools → Services. The Component Services window appears.
8. Right-click RealSecure SiteProtector Application Service, and then select Start from the pop-up menu.
9. Right-click RealSecure SiteProtector Sensor Controller Service, and then select Start from the pop-up menu.
10. You must now change the ISSapp user password in the Site database.

Desktop Controller Server fails

Description: Communication between your Desktop Controller and the SiteProtector database requires a password. SiteProtector generates the original password at installation time. If this password is changed, your SiteProtector database and Desktop Controller will no longer be able to communicate. The result is that the service will fail to start.

Solution: The Desktop Controller password utility allows you to create a new password if the original password is accidentally changed or deleted, or if your company policy requires you to change your passwords periodically.

To change the password for your Desktop Controller:
1. Double-click DCLogin.exe. DCLogin.exe resides on the computer where your Desktop Controller is installed, and it is usually in the following location: \Program Files\ISS\RealSecure SiteProtector\Desktop Controller
2. Type the login name into the Login box.
   Note: This field already contains the current login name for the Desktop Controller. If you don't plan to change the login name with the password, you can leave this field as is.
3. Type the password into the Password box.
4. Type the password again into the Confirm box.
5. Click Save.
6. In the Site Manager, stop, and then restart the Desktop Controller.

Issues Related to Agents and Appliances

Introduction

This topic provides solutions to issues that you might encounter when working with agents or appliances that are monitored and/or controlled by SiteProtector.

Agent/SiteProtector communication failure

Description: RealSecure Network or RealSecure Server Sensor may fail to communicate with SiteProtector because RealSecure Network 6.0/6.5 and RealSecure Server Sensor 6.0/6.0.1/6.5 will not communicate with SiteProtector if any of the SiteProtector Databridge agents/scanners are installed. The event log records the following message when attempting to communicate with these agents:

ns60_computername_w2k) - OnError from 172.16.3.69: The currently selected provider does not support the requested cryptographic algorithm at the selected strength/length. [ID=0xc7280003]

Solution: To avoid this issue, install RealSecure Network 6.0/6.5 and RealSecure Server Sensor 6.0/6.0.1/6.5 before you install Internet Scanner Databridge 6.2.1, ICEcap Databridge, or System Scanner Databridge.

Error when downloading agent logs

Description: SiteProtector issues the following error message when you attempt to download logs from a RealSecure Network that is running on a Unix operating system:

Get files failed on Sensor #<sensor number>. 0 of 1 files transferred. Get file <file name> failed. The current session user does not have permission to perform the specified operation on the specified path. Please edit the access control file on the remote server and add the necessary permissions for the session.

This problem is due to an incorrect permission contained in the iss.access file of the sensor’s daemon.

Note: The error message also appears for RealSecure Server Sensor.
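The iss.access change that the solution below makes (adding Recursive to the DirPerms of the Logs section, and only that section) can be applied with the following Python, an added example that is not part of the guide or the product. It infers the line format from the guide’s before/after excerpt; the first section in the constructed sample file is hypothetical and only shows that other sections are left untouched.

```python
"""Add 'Recursive' to the DirPerms ACL of one iss.access section.

Added example, not ISS code. The line format is inferred from the guide's
before/after excerpt: a section header '[<path>];' followed by lines such as
'ACL1 =S Role=Default FilePerms=RD DirPerms=R;'.
"""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<path>[^\]]+)\]\s*;\s*$")
ACL_RE = re.compile(r"^(?P<indent>\s*)(?P<name>ACL\d+)\s*=S\s*(?P<body>.*?)\s*;\s*$")


def add_recursive_dir_perms(text, section_path):
    """Return (new_text, number_of_ACL_lines_changed).

    Only ACL lines inside the section whose header path equals section_path
    are touched; other sections are copied through unchanged, and a line that
    already carries Recursive is left alone, so the edit is idempotent. A
    missing section yields the input unchanged with a count of 0.
    """
    out = []
    in_section = False
    changed = 0
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            in_section = sec.group("path") == section_path
            out.append(line)
            continue
        acl = ACL_RE.match(line) if in_section else None
        if acl and "DirPerms=" in acl.group("body"):
            tokens = acl.group("body").split()
            if "Recursive" not in tokens:
                tokens.append("Recursive")
                changed += 1
                line = f"{acl.group('indent')}{acl.group('name')} =S {' '.join(tokens)};"
        out.append(line)
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, changed


# Constructed sample file: the first section is hypothetical; the second is
# the guide's "before edit" excerpt.
SAMPLE_ISS_ACCESS = """[/opt/ISS/issSensors/network_sensor_1/];
ACL1 =S Role=Default FilePerms=RD DirPerms=R;
[/opt/ISS/issSensors/network_sensor_1/Logs/];
ACL1 =S Role=Default FilePerms=RD DirPerms=R;
"""

LOGS_SECTION = "/opt/ISS/issSensors/network_sensor_1/Logs/"


def fix_logs_section(text=SAMPLE_ISS_ACCESS):
    """Apply the guide's edit to the Logs section and return the new text."""
    new_text, _ = add_recursive_dir_perms(text, LOGS_SECTION)
    return new_text


if __name__ == "__main__":
    print(fix_logs_section())
```

Read the real file into text, pass the Logs path exactly as it appears in the section header on your sensor, write the result back, and then restart issDaemon as step 2 below says.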
Solution: Correct this issue as follows: 1. Access the iss.access file in the issDaemon folder, and then modify the following sections in the file: Note: The following text is an example. The path on your computer may be slightly different. Before edit [/opt/ISS/issSensors/network_sensor_1/Logs/]; ACL1 =S Role=Default FilePerms=RD DirPerms=R; After edit [/opt/ISS/issSensors/network_sensor_1/Logs/]; ACL1 =S Role=Default FilePerms=RD DirPerms=R Recursive; 2. Stop, and then restart the issDaemon service. 288 Glossary a Active Directory—An advanced, hierarchical directory service that is LDAP (Lightweight Directory Access Protocol) compliant and built on the Internet's Domain Naming System (DNS). Active Directory displays currently registered network assets. agents—Components that detect events and report them to the SiteProtector Console. The following are referred to as agents: sensors, scanners, and RealSecure Desktop. Agent Manager—The SiteProtector component that enables SiteProtector to collect and manage data from Desktop and other agents. appliance—An inline security device on a network or gateway. Depending on the type of appliance, it can provide any combination of intrusion detection and prevention, antivirus, antispam, virtual private networking (VPN), Web filtering, and firewall functions. application server—The SiteProtector component that enables communication between the SiteProtector console and the RealSecure database. attack—A type of event that is apparently a malicious assault on a network, computer, or other device, such as a router or switch. c checks—Code that detects vulnerabilites on hosts and network segments. communications protocol—A set of rules that govern the operations of functional units to achieve communication. (For example, TCP/IP). cryptography—A method of converting data into a secret code for secure transmission. Plaintext is converted into a coded equivalent, called ciphertext, using an encryption algorithm. 
The ciphertext is decoded at the receiving end and turned back into plaintext. custom scan—A scan that does not use a default policy included with Internet Scanner. d daemon—Pronounced “daymon.” A Unix program that executes in the background, ready to perform an operation when required. A daemon functions like an extension to the operating system, and is usually an unattended process that is initiated at startup. Typical daemons are print spoolers, email handlers, or a scheduler that starts another process at a designated time. In the Windows NT environment, a service is analogous to a daemon. databridge—Software that communicates scan results to the Event Collector. SiteProtector User Guide for Security Managers Version 2.0, SP5.2 289 Glossary deployment—Downloading SiteProtector and related components, such as sensors, from the Deployment Manager so that they can be installed on more than one computer. Deployment Manager—A Web site that functions as a server that allows you to install all the SiteProtector components from a central computer on your network. Desktop agents—All of the agents that were previously managed by ICEcap, including Desktop agents, RealSecure Desktop, and RealSecure Desktop Enforcement for VPNs. The Agent Manager distributes configuration updates to Desktop agents and collects and posts agent event information to the Site Manager. DHCP—Dynamic Host Configuration Protocol is software that automatically assigns IP addresses to client stations logging onto a TCP/IP network. With DHCP, system administrators do not have to manually assign IP addresses. DHCP allows a larger group of computers to share a limited number of addresses, as long as all users are not logged on at the same time. Newer DHCP servers dynamically update the DNS servers after making assignments. Discovery scan—A scan you use to identify your assets. DMZ—Demilitarized zone. 
A common name for the network segment between the router that connects to the Internet and the firewall that connects to your internal network. In addition to the router and the firewall, it is common to find Web servers, domain name servers, mail servers, and FTP servers installed in the DMZ. e encryption keys—See public key and private key. Enterprise Groups pane—The part of the SiteProtector Console that you use to organize the assets associated with the Site into logical groups. Groups provide an efficient way to manage and analyze security. event—Any occurrence or activity on your network that may have an impact on your security. Sensors monitor these occurrences with sensors and then Site Manager displays the events. For example, three failed logins in 10 seconds might indicate a brute-force login attack. Event Collector—The SiteProtector component that receives data from the sensors and stores the data in the Site database. Event Viewer—The SiteProtector component that retrieves security and system events for security operators and security analysts to view for troubleshooting, providing near real-time access to security event information. f false alarm—An alert that occurs when normal network traffic causes an event to appear on your SiteProtector console. false positive—An alert that occurs when a sensor interprets one or more benign packets as an attack. filter—Selection criteria that allow you to include or exclude data displayed in columns in the analysis view on the SiteProtector Console. firewall—Hardware or software used for network security. A firewall can be implemented as a router that filters packets, or may consist of a combination of routers, proxy servers, and other devices. Firewalls are widely used to separate a company’s public servers from its internal network, and to give users relatively secure access to the Internet. They are also used to secure internal network segments. 
forensic—Information that can be used as evidence in legal proceedings.
forest—Part of the domain hierarchy in the Windows 2000 or higher Active Directory system. A forest is a collection of trees, which can be treated as one administrative unit by the administrator.
fusion—See SecurityFusion Module.

g

grouped host—A host that has been added to a group in the Enterprise Groups pane.
grouping tree—See Enterprise Groups pane.

h

hardening security—The process of protecting your security data from exposure to vulnerabilities by establishing restricted access to your security system.
heartbeat—Encrypted HTTP requests that Desktop agents use to keep in contact with the Desktop Controller.
host—An individual computer or other device on a network that has an IP address. In the context of Internet Scanner, a host refers to the device that is being scanned.

i

Internet Scanner—An application that provides security vulnerability detection and analysis for routers, servers, computers, desktop computers, and firewalls on a network.
Internet Scanner Databridge—The interface between the Internet Scanner scanning engines and SiteProtector that enables vulnerability data to be sent directly to an Event Collector.
intrusion detection—The active monitoring of network traffic and local system activity for indications of attack and misuse.
intrusion detection system—An IDS is the software application that detects intrusion attempts. An IDS monitors the traffic that firewalls cannot block, such as HTTP traffic to and from a Web server. An IDS can also monitor all internal traffic for suspicious and malicious activity.

k

keys—See authentication keys or license files.

l

layering—The process of using server intrusion detection and network intrusion detection together to monitor traffic on both sides of firewalls.
license files—Internet Security Systems software licenses that are required for SiteProtector to function properly. Without the appropriate license files (sometimes called license keys), SiteProtector cannot configure sensors or monitor attack activity.

SiteProtector User Guide for Security Managers Version 2.0, SP5.2

m

MIB (Management Information Base)—A data structure that defines what is obtainable from the device and what can be controlled (turned off, on, etc.).

n

netBIOS (Network Basic Input/Output System)—A network protocol for PC local area networks (LANs). NetBIOS is commonly used within a network segment or corporation, and cannot be transmitted across a router without the use of another protocol. NetBIOS addresses typically consist of the computer name, which hides the underlying networking details and addressing from users. NetBIOS provides session and transport services (layers 4 and 5 of the OSI model), but does not provide a standard format for transmission over the network. Internet Scanner checks for accounts (group, computer, user) with NetBIOS names that can be used to identify a unique computer or a special group of computers, in addition to Microsoft networking services running on Windows NT-based computers.
network latency—A delay in the response from devices on a network to packets sent to them. This delay, sometimes called a ping response, occurs when a host momentarily stores, analyzes, and then forwards a packet.
network sensor—An agent that monitors network packets and searches for events that could indicate an attack against your network. A network sensor monitors all traffic to and from all devices on its network.
new host—A host on your network that has not been recognized by SiteProtector. When you generate host information, new assets are added to SiteProtector.

p

packet—A block of data (a frame) used for transmission in LANs and packet switching systems. In Ethernet LANs, the terms packets and frames are used interchangeably.
ping response—See network latency.
policy—Policies control the kind of security events a sensor detects, the priority of each event, and the way a sensor responds to events. Each policy contains a list of items, called signatures, that determine what the sensor monitors for. The sensor uses each signature to detect a specific security event.
port—A pathway into and out of the computer. Serial and parallel ports on a personal computer are external sockets for plugging in communications lines, modems, and printers. In programming, a port can be any symbolic interface to and from an application or utility. A server application is assigned a port number to channel data to the correct service.
private key—The private part of a two-part, public key cryptography system, such as RSA. The private key is kept secret and never transmitted over a network.
public key—The published part of a two-part, public key cryptography system, such as RSA. The private part is known only to the owner.

r

response—When a sensor detects an event that corresponds to a signature in its policy, the sensor can respond to the event using several built-in or user-specified responses.
RSA—A secure cryptography method that uses a two-part key: the private key is kept by the owner and the public key is published. Data encrypted with the recipient’s public key can be decrypted only with the recipient’s private key.

s

scanner—An agent that performs vulnerability assessments of the network, identifying security holes in the system that could allow intruders to gain information and lead to improper access. Discovery scans identify the active hosts on your network and their corresponding operating system.
SecurityFusion Module—The SiteProtector add-on component that correlates data from multiple sources, including network sensors, server sensors, and scanners, reducing the number of false alarms the sensors detect. You can also configure the SecurityFusion Module to automatically reduce false alarms (attacked hosts that are not vulnerable to the attack) and to automatically escalate attacks against vulnerable targets.
sensor controller—The SiteProtector component that sends commands to the sensors, such as the command to start or stop collecting events.
sensors—RealSecure sensors handle intrusion detection and response functions. Sensors monitor network and system traffic for attacks and events and generate responses to those events.
server sensor—An agent that monitors log file and kernel-level activity and network traffic to and from the protected computer.
signature—Code in a policy that determines what the sensor can detect.
silent installation—An installation that does not require a user to provide any information.
Site—The SiteProtector components that monitor and control sensors.
Site database—See SiteProtector database.
SiteProtector Console—A graphical user interface (GUI) that simplifies the tasks you perform to manage network security. With the console, you perform a variety of activities, such as monitoring events and scheduling scans. The specific tasks you can perform depend on your user role.
SiteProtector Core—The two main components of the SiteProtector system: the sensor controller and the application server. From the installation point of view, when you install the SiteProtector Core, you are installing the SiteProtector application server.
SiteProtector database—The database where sensor security data, command and control jobs, and asset information are kept.
SiteProtector server—The core application, comprising the Event Collector, database, Sensor Controller, Application Server service, and XPU repository.
SMTP (Simple Mail Transfer Protocol)—The standard email protocol on the Internet. SMTP servers route SMTP messages throughout the Internet to a mail server, which provides a message store for incoming mail. SMTP is also used to route electronic mail between computers.
SNMP (Simple Network Management Protocol)—A widely used network monitoring and control protocol. Data is passed from SNMP agents, which report activity in each network device (hub, router, bridge, etc.), to the workstation console used to oversee the network. The agents return information contained in a MIB. Originating in the Unix community, SNMP has become widely used on all major platforms.
SP Core—See SiteProtector Core.
SQL server—A relational database management system (RDBMS) that is part of Microsoft’s BackOffice family of servers. SQL Server was designed for client/server use and is accessed by applications using SQL. SQL Server runs on Windows NT version 3.5 or later and is compliant with the ANSI SQL-92 and FIPS 127-2 SQL standards.
System Scanner—An agent that identifies vulnerabilities in your software and hardware, configuration elements that make your system vulnerable to attack, and configuration elements that do not comply with your information security policy.

t

TCP/IP (Transmission Control Protocol/Internet Protocol)—A communications protocol developed under contract from the U.S. Department of Defense to network dissimilar systems. It is a de facto Unix standard that is the protocol of the Internet and supported on all platforms. It is also a common shorthand that refers to the suite of transport and application protocols that run over IP. The TCP part of TCP/IP provides transport functions, which ensure that the total number of bytes sent is received correctly at the other end. The IP part of TCP/IP provides the routing mechanism. TCP/IP is a routable protocol, which means that the messages transmitted contain the address of a destination network as well as a destination station. This allows TCP/IP messages to be sent to multiple networks within an organization or around the world, hence its use in the worldwide Internet.
Third Party Module—A separately purchased, add-on component for SiteProtector that integrates security information from third-party firewalls, enabling you to use SiteProtector to view activity on firewalls and associate security events with specific firewalls.
tree—Part of the domain hierarchy in the Windows 2000 or higher Active Directory system. A tree is a group of domains that have the same DNS name.

u

ungrouped asset—An asset that has been added to the host table but not added to a group.

v

vulnerability—A security hole in a system that could allow an intruder to gain access to information and lead to improper access to a system.
vulnerability assessment (VA)—Involves scheduling and selecting probes of communication services, operating systems, key applications, and routers. Vulnerability assessment uncovers the most comprehensive set of known security weaknesses likely to be exploited during attempts to breach or attack your network.
vulnerability check—The code in a policy that determines the security weaknesses for which scanners search.

w

Web server—A computer that provides World Wide Web services on the Internet.

x

X-Press Update—A software update between major software releases. An X-Press Update consists of the most recently developed checks and signatures that detect the latest vulnerabilities or intrusion attempts on your system. The Help is also automatically updated during an X-Press Update.
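The event entry in this glossary gives "three failed logins in 10 seconds" as an example of an occurrence that might indicate a brute-force login attack. The following Python script is an added example, not code from this guide or from ISS, showing how such a threshold rule is applied to a constructed sample of login records with a sliding time window. The record format, the addresses and the user names are assumptions made for the illustration.

```python
"""Added example (not from the SiteProtector guide or ISS): apply the
'N failed logins within a short window' rule from the glossary's event
entry to a constructed login log.  Log format, addresses and user names are
assumptions made for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real data): ISO timestamp, source IP, user, result.
SAMPLE_LOG = """\
2005-03-01T10:00:01 10.0.0.5 alice FAIL
2005-03-01T10:00:04 10.0.0.5 alice FAIL
2005-03-01T10:00:08 10.0.0.5 alice FAIL
2005-03-01T10:00:30 10.0.0.7 bob FAIL
2005-03-01T10:01:02 10.0.0.7 bob FAIL
2005-03-01T10:01:40 10.0.0.7 bob FAIL
2005-03-01T10:02:00 10.0.0.9 carol OK
"""


def parse_line(line):
    """Split one record into (timestamp, source, user, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def detect_brute_force(log_text, threshold=3, window_seconds=10):
    """Return one event dict per (source, user) pair whose failed logins reach
    `threshold` inside a sliding window of `window_seconds`.  Successful logins
    are ignored; each pair is reported once, when it first crosses the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (source, user) -> timestamps of recent failures
    events, reported = [], set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, user, result = parse_line(raw)
        if result != "FAIL":
            continue
        key = (src, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:     # age out failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in reported:
            events.append({"source": src, "user": user, "count": len(q),
                           "span_seconds": (ts - q[0]).total_seconds()})
            reported.add(key)
    return events


if __name__ == "__main__":
    for ev in detect_brute_force(SAMPLE_LOG):
        print(f"possible brute-force login: {ev['source']} -> {ev['user']}, "
              f"{ev['count']} failures in {ev['span_seconds']:.0f}s")
```

With the default 10-second window only the three failures from 10.0.0.5 are reported; the three failures from 10.0.0.7, spread over 70 seconds, are not. Widening the window to two minutes reports both, which is why the threshold and window are policy settings rather than fixed constants: a tight window limits false alarms, a wide one catches slower attempts.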
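For the private key, public key and RSA entries, the following Python code is an added example, not from this guide or from ISS, that walks through textbook RSA on two small constructed primes to show the split the glossary describes: anyone holding the published public key can encrypt, and only the holder of the matching private key can decrypt. The primes, the public exponent and the sample text are toy values chosen for readability; real deployments use moduli of 2048 bits or more together with padding such as OAEP, which this illustration omits.

```python
"""Added example (not from the SiteProtector guide or ISS): textbook RSA on
toy-sized constructed primes, illustrating the public key / private key split
described in the glossary.  Unpadded RSA on tiny numbers is for teaching only."""
from math import gcd


def modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def make_keypair(p, q, e=17):
    """Build an RSA key pair from two primes.  Returns ((e, n), (d, n)):
    the public key (e, n) is published, the private key (d, n) stays with its owner."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = modinv(e, phi)
    return (e, n), (d, n)


def encrypt(public_key, m):
    """Encrypt integer m with the recipient's PUBLIC key: c = m^e mod n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Recover m with the matching PRIVATE key: m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def encrypt_text(public_key, text):
    """Encrypt a short string one byte at a time (illustration only: real RSA
    encrypts a padded block or a symmetric key, never raw bytes)."""
    return [encrypt(public_key, b) for b in text.encode()]


def decrypt_text(private_key, blocks):
    """Reverse encrypt_text with the private key."""
    return bytes(decrypt(private_key, c) for c in blocks).decode()


if __name__ == "__main__":
    # Constructed toy primes; n = 3233 is far too small for real use.
    public, private = make_keypair(61, 53)
    cipher = encrypt_text(public, "SiteProtector")
    print("public key (published):", public)
    print("ciphertext blocks:", cipher)
    print("decrypted with private key:", decrypt_text(private, cipher))
```

The private key never leaves the owner, which is the property the glossary's private key entry states; the public key can be handed to every sender. Encrypting one byte per block, as done here, also shows why padding matters: identical bytes produce identical ciphertext blocks, so a byte-at-a-time scheme leaks the structure of the message.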
Index

a

accounts, Agent Manager 79, 81, 160
Active Directory
  creating groups with 155
  definition of 289
  groups 145
  missing computer 278
  policy assignment, and 165
Administrator user role
  creating 42
agent builds 88
Agent Manager
  accounts 79, 81, 160
  additional 216
  assigning agents to 161
  backup 160
  definition of 77, 289
  description of 20
  editing properties of 81
  SiteProtector component, as 18
  user role privileges 43
agents
  definition of 289
  description of 17
  registration 105
  supported 22
agents, Desktop. See Desktop agents
Analyst user role
  creating 42
antispam policies 164
antivirus policies 164
appliances
  description of 17
  installing 71
  policies 164, 167, 169
  registration 105
application server
  definition of 289
  IP address, changing 113
architecture
  SiteProtector 19
assets
  adding to groups 147, 150, 152–153
  categories of 146
  controlling access to 41
  display options 59
  DMZ, and 143
  groups, adding to 149
  organizing 145
  Site ranges, and 148
  user role privileges, and 44
Attack Incidents report 263
attack pattern recognition, description of 21
Attack Status Summary report 263
Attack Trend report 263
attacks
  definition of 289
  formats for 61
Attacks by Group report 262
authentication, configuring 72
automatic grouping of assets 152
automatic registration
  after installation 105
  encryption keys, and 73

b

backup components 160
Best Practices Guide, content of x
builds, agent 88

c

Central Responses
  description of 173
  objects 175
  rules 175
  supported agents 193
central Site, definition of 109
certificates, SSL
  authentication, enabling 113
  replacing 111
checklist for configuration tasks 38
checks, definition of 289
command jobs, display options 59
communications protocol, definition of 289
compliance and summary reports
  descriptions 262
components
  Agent Manager 160
  descriptions of 20
  event detection 22
  illus 19
  installing additional 216
  registration 105
  user role privileges 44
configuration
  definition of 289
  illus 19
  initial tasks 38
  registration 105
Console, SiteProtector
  additional 216
  data update options 59
  definition of 293
  description of 20, 26
  illus 26–27
  Internet Scanner console, compared 94
  logging in to 28
  preferences 57–67
  SiteProtector component, as 18
  System Scanner events 101
  user role privileges 43
  when to use 25
  windows 26
conventions, typographical
  in commands xii
  in procedures xii
  in this manual xii
CORP, network objects and 209
cryptography, definition of 289
custom scans, definition of 289

d

daemons, definition of 289
database, definition of 293
databridge, definition of 289
Databridges
  description of 20
  SiteProtector component, as 18
  System Scanner 99
Deployment Manager
  definition of 290
  description of 20
  installing Desktop from 90
  installing sensors from 74
  SiteProtector component, as 18
deployment, definition of 290
Desktop 77
  agents. See Desktop agents
  Desktop Enforcement for VPNs 77
  installing 90
  license, updating 80
Desktop agents
  agent builds 87
  assigning to a Desktop Controller 161
  build page 89
  Central Responses, and 173
  definition of 77, 290
  generating builds 88
  heartbeats 77
  installing 77, 90
  installing from Deployment Manager 87, 90
  licenses 80
  policies 79, 82, 85, 164
  policy subscription group 82
Desktop build Web page port number 89
Desktop Enforcement for VPNs 22, 77
DHCP (Dynamic Host Configuration Protocol), definition of 290
discovery scans
  definition of 290
  host information generated 153
  running 153
DMZ (demilitarized zone)
  assets, and 143
  definition of 290
  installing network sensors in 72
  network objects and 209
documentation
  accessing locally 63
  SiteProtector Best Practices Guide x
  SiteProtector Help x
  SiteProtector Installation Guide x
  SiteProtector Scalability Guidelines x
  SiteProtector Supported Agents and Appliances x
  SiteProtector System Requirements x
  SiteProtector Technical Reference Guide xi
  SiteProtector User Guide for Security Managers ix
dynamic address lists, network objects and 209
dynamic address names, network objects and 209–210

e

email responses, configuring 193
encryption keys
  definition of 290
  importing 105, 107
  requirements for 73
Enterprise Dashboard
  central Site 109
  description of 26
  illus 27
  logging in to 29
  open on connect 59
  preferences 62
  reports 267–271
  setting up multiple Sites 109
  Sites, access to 41
  user role privileges 43
Enterprise Groups pane
  definition of 291
  example 146
Event Collector
  additional 216
  definition of 290
  description of 20
  logging for the Event Viewer 32
  SiteProtector component, as 18
event data, reports 257–259
event logging, enabling 33
Event Viewer
  additional 216
  description of 20
  log files 32
  logging in to 32–34
  setting up 32
  SiteProtector component, as 18
  user role privileges 43
  when to use 25
events
  detection components 22
  user role privileges 43
exceptions, user role privileges 43
exporting data, Sensor Analysis tab 257

f

false alarms, definition of 290
false positives, definition of 290
filters, definition of 290
firewalls
  definition of 290
  network sensors, and 72
forensic, definition of 291
forest, definition of 291

g

Global responses, description of 173
Greenwich Mean Time, using in the Console 59
grouped host, definition of 291
grouping tree. See Enterprise Groups pane
groups
  Active Directory 145
  adding assets to 150, 152, 155
  assigning access to 48–49
  automatic grouping of assets 152
  creating 147, 149
  metrics, displaying 60
  organizing 145
  policy subscription 82
  policy subscription groups 145
  System Scanner 145, 158
  Ungrouped Assets 146
  user role privileges 44

h

hardening security, definition of 291
heartbeats, definition of 77, 291
Help, SiteProtector, content of x
Host Assessment Detail report 262
Host Assessment Summary report 262
hosts
  See also assets
  definition of 291
Hosts table 143, 153

i

IDS, definition of 291
impact analysis, description of 21
incidents, user role privileges 43
inline solutions, Proventia M-Series appliances 22
installation
  appliances 71
  Desktop agents 77–90
  Internet Scanner 91, 93
  options 19
  sensors 71–72, 74
  System Scanner 91, 97
Installation Guide, content of x
Internet Scanner
  console 94
  description of 22, 91
  installing 91, 93–94
  license files 159
  restriction files for licenses 104
  supported agent 18
Internet Scanner Databridge, definition of 291
Internet Security Systems
  technical support xiii
  Web site xiii
intrusion detection
  definition of 291
  system, definition of 291
IP addresses
  changing on application server 113
  specifying format of 148

k

keys, encryption, definition of 291
keytool, command line utility 113

l

LAN, definition of 292
layering, definition of 291
licenses
  adding to SiteProtector 104
  configuration, initial 159
  definition of 291
  Desktop 79
  Desktop agents 80
  restriction files 104
  updating an existing 80
  user role privileges 44
local area network, definition of 292
local user account, SiteProtector users, and 46
logging in
  Console, to 28
  Enterprise Dashboard, to 29
  Site Manager, to 28
  Web Access, to 30

m

Management Information Base, definition of 292
MDAC, installation requirement 99
MIB, definition of 292
modules
  SecurityFusion Module 21
  SiteProtector Reporting 21
  Third Party Module 21
multiple Sites, setting up 109

n

netBIOS, definition of 292
network
  latency, definition of 292
  sensor, definition of 292
Network Address Translation (NAT), Desktop agents, and 88
network objects
  address groups, configuring 201
  address names 203
  advantages of 199
  description of 175
  dynamic 209
  importing 211
  port groups 205
  port names 207
  user role privileges 44
network sensors
  firewalls, and 72
  installing 72
  installing in DMZ 72
  license files, installing 159
  switched environments, and 72
new host, definition of 292

o

objects
  network 175
  response 175
Operating System Summary by Host report 262
Operating System Summary report 262
Operator user role
  creating 42

p

packets, definition of 292
ping response, definition of 292
policies
  Active Directory, and 165
  applying to a sensor 167
  definition of 292
  Desktop agents 79, 85
  groups, applying to 167
  load distribution 167
  managing 164, 167, 169
  policy subscription groups 165
  Proventia G-Series 169
  Proventia M-Series 169
  sensors, applying to in groups 167
  setting for policy subscription group(s) 84
  subscribing to groups 167
  user role privileges 44
policy subscription groups
  Active Directory, and 165
  creating groups 82
  Desktop agents 79, 82
  determining assignment of 171
  groups 145
  subscribing to 167
port numbers
  Desktop build Web page 89
ports
  definition of 292
private keys
  definition of 292
properties
  Agent Manager 81
  user role privileges 44
Proventia appliances
  supported agent, as 18
Proventia Desktop
  supported agent, as 18
Proventia G-Series appliances
  policies 169
  user role privileges 44
Proventia M-Series appliances
  policies 169
  user role privileges 44
proxy servers, using with SiteProtector 66
public key cryptography, description of 73
public keys, definition of 292

r

RealSecure
  Network 10/100 23
  Network Gigabit 23
RealSecure Desktop 7.0
  supported agent, as 18
RealSecure Network 10/100
  for Nokia 23
  Crossbeam, for 23
  supported agent, as 18
RealSecure Server Sensor
  supported agent, as 18
registration
  automatic 73, 105
  encryption keys, and 73
  manual 106
  multiple agents 106
  on one asset 106
remote Site, setting up 109
removing an update 253
Reporting
  Enterprise Dashboard reports 267–271
  Reporting tab reports 261–266
  SiteProtector add-on component, as 18
  user role privileges 44
Reporting tab
  compliance and summary reports 262
  creating a report 264
  reports 261–266
  summary and compliance reports 261
  viewing a report 265
reports
  categories 255
  compliance and summary 262
  creating 255
  event data 257–259
  summary and compliance 261
reports, by category
  assessment
    Host Assessment Detail 262
    Host Assessment Summary 262
    Operating System Summary 262
    Operating System Summary by Host 262
    Service Summary 262
    Service Summary by Host 262
    Top Vulnerabilities 262
    Vulnerabilities by Group 262
    Vulnerabilities by Host 262
    Vulnerability by OS 262
    Vulnerability Counts 262
    Vulnerability Counts by Host 262
    Vulnerability Detail by Host 262
    Vulnerability Names by Host 262
    Vulnerability Remedies by Host 262
    Vulnerability Summary by Host 262
  attack activity
    Attacks by Group 262
    Top Attacks 263
    Top Sources of Attack 263
    Top Targets of Attack 263
  audit activity 263
  content filtering
    Top Web Categories 263
    Web Requests 263
  Desktop 263
  management
    Attack Incidents 263
    Attack Status Summary 263
    Attack Trend 263
    Virus Activity Trend 263
    Vulnerability Trend 263
  virus activity
    Top Virus Activity 263
    Virus Activity by Group 263
    Virus Activity by Host 263
response objects
  agents supported by 192
  creating 191
  description of 175
  email 193
  removing 197
  SNMP 195
  types of 192
response rules
  creating 178–179, 182, 190
  description of 175
  destination, specifying 181–182
  editing 188
  enabling 187
  event details, adding 185
  events, selecting for 180
  order followed 190
  order, changing 190
  parameters for 177
  port, specifying 182
  selecting 184
  source, specifying 181
  views of 189
responses
  definition of 292
  hierarchy of 174
  types of 172
  user role privileges 44
restriction files 104
roles, installation requirements 42
RSA, definition of 293
RSSP-Administrator. See user roles
RSSP-Analyst. See user roles
RSSP-Operator. See user roles

s

Scalability Guidelines, address of x
scanners
  description of 17
  installing 91
  installing Internet Scanner 93–94
  installing System Scanner Databridge 99
  System Scanner 91
  vulnerability assessment 22
scanners, definition of 293
scans
  asset discovery, for 153
  user role privileges 44
security trust settings, options 67
SecurityFusion Module
  definition of 293
  description of 21
  policies 164
  responses, description of 173
  SiteProtector add-on component, as 18
Sensor Analysis tab, exporting data for analysis reports 257
sensor controller, definition of 293
sensors
  definition of 293
  description of 17
  downloading installation packages for 75
  downloading new 75
  inline solutions 22
  installing 71–72, 74
  license files 159
  policies 164, 167, 169
  prerequisites for installing 72
  status, displaying 60
  user role privileges 44
sensors, responses 173
server sensor
  definition of 293
  installing 72
  license files 159
  removing, special considerations for 71
server, definition of 293
Service Summary by Host report 262
Service Summary report 262
services, Windows, stopping and starting 116
signatures, definition of 293
silent installation
  definition of 293
Simple Mail Transfer Protocol, definition of 293
Simple Network Management Protocol, definition of 293
Site
  definition of 293
  remote, setting up 109
Site database
  definition of 293
  description of 20
  Hosts table 143
  maintaining 219–233
  SiteProtector component, as 18
  user role privileges 43
Site Manager
  description of 26
  display options 60
  logging in 28
  open on connect 59
  window, illus 26
Site ranges, definition of 148
Site servers, assets, as 143
SiteProtector
  architecture 19
  components. See components
  configuration 38
  Console. See Console, SiteProtector
  database, definition of 293
  description of 18
  license files 159
  server, definition of 293
SiteProtector Console. See Console, SiteProtector
SiteProtector Core, definition of 293
SiteProtector Reporting, description of 21
SiteProtector reports. See reports
Sites
  assigning access to 49
  controlling access to 41
SMTP, definition of 293
SNMP responses, configuring 195
SNMP, definition of 293
SP Core
  description of 20
  SiteProtector component, as 18
SP Core, definition of 294
SQL Server, definition of 294
SSL certificates
  authentication 113
  replacing 111
  validation options 67
Strategy Guide. See Best Practices Guide
subgroups
  assigning access to 48
  user role privileges 44
  viewing options 59
Supported Agents and Appliances, address of x
switched environments
  network sensors, and 72
System Requirements, address of x
System Scanner
  Agent, description of 98
  Console 98
  Databridge, installing 99
  definition of 294
  deploying with SiteProtector and databridge 98
  description of 22, 91
  events in the Console 101
  group 145, 158
  installing 91, 97
  software components 98
  supported agent, as 18
System Scanner Databridge
  description of 98
  installing 99

t

TCP/IP, definition of 294
Technical Reference Guide
  content of xi
technical support, Internet Security Systems xiii
Third Party Module
  definition of 294
  description of 21
  SiteProtector add-on component, as 18
time zone
  formats for 61
  setting for the Console 59
Tip of the Day
  enable or disable 59
Top Attacks report 263
Top Sources of Attack report 263
Top Targets of Attack report 263
Top Virus Activity report 263
Top Vulnerabilities report 262
Top Web Categories report 263
trace options 65
Transmission Control Protocol/Internet Protocol, definition of 294
tree, definition of 294
typographical conventions xii

u

ungrouped assets
  definition of 294
  description of 146
  user role privileges 44
updates. See XPUs
user roles
  adding users 46–47
  controlling access privileges 41
  description of 41
  levels of 42
  privileges 43
  Security Manager tasks, for x
users
  adding to SiteProtector 46–47
  user role privileges 44
  X-Press Update Servers, and 20

v

Virus Activity by Group report 263
Virus Activity by Host report 263
Virus Activity Trend report 263
vulnerabilities
  checks, definition of 294
  definition of 294
  display options 59
  identifying 91
Vulnerabilities by Group report 262
Vulnerabilities by Host report 262
vulnerability assessment, definition of 22, 294
Vulnerability by OS report 262
Vulnerability Counts by Host report 262
Vulnerability Counts report 262
Vulnerability Detail by Host report 262
Vulnerability Names by Host report 262
Vulnerability Remedies by Host report 262
Vulnerability Summary by Host report 262
Vulnerability Trend report 263

w

Web Access
  description of 20
  logging in 30
  logging in to 30
  prerequisites 30
  SiteProtector component, as 18
  when to use 25
Web filtering, policies 164
Web Requests report 263
Web servers, definition of 294
Web site, Internet Security Systems xiii
Windows services
  stopping and starting 116

x

X-Press Update Servers
  additional 216
  description of 20
  managing 235
  SiteProtector component, as 18
X-Press Updates. See XPUs
XPUs
  applying 245–253
  definition of 295
  removing an update 253

Internet Security Systems, Inc. Software License Agreement

THIS SOFTWARE PRODUCT IS PROVIDED IN OBJECT CODE AND IS LICENSED, NOT SOLD. BY INSTALLING, ACTIVATING, COPYING OR OTHERWISE USING THIS SOFTWARE PRODUCT, YOU AGREE TO ALL OF THE PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). IF YOU ARE NOT WILLING TO BE BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE SOFTWARE PRODUCT AND LICENSE KEYS TO ISS WITHIN FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE. IF THE SOFTWARE PRODUCT WAS OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND LICENSE KEYS IN LIEU OF RETURN.

1. License - Upon payment of the applicable fees, Internet Security Systems, Inc.
(“ISS”) grants to you as the only end user (“Licensee”) a nonexclusive and nontransferable, limited license for the accompanying ISS software product and the related documentation (“Software”) and the associated license key(s) for use only on the specific network configuration, for the number and type of devices, and for the time period (“Term”) that are specified in ISS’ quotation and Licensee’s purchase order, as accepted by ISS. ISS limits use of Software based upon the number of nodes, users and/or the number and type of devices upon which it may be installed, used, gather data from, or report on, depending upon the specific Software licensed. A device includes any network addressable device connected to Licensee’s network, including remotely, including but not limited to personal computers, workstations, servers, routers, hubs and printers. A device may also include ISS hardware delivered with pre-installed Software and the license associated with such shall be a non-exclusive, nontransferable, limited license to use such pre-installed Software only in conjunction with the ISS hardware with which it is originally supplied and only during the usable life of such hardware. Except as provided in the immediately preceding sentence, Licensee may reproduce, install and use the Software on multiple devices, provided that the total number and type are authorized by ISS. Licensee acknowledges that the license key provided by ISS may allow Licensee to reproduce, install and use the Software on devices that could exceed the number of devices licensed hereunder. Licensee shall implement appropriate safeguards and controls to prevent loss or disclosure of the license key and unauthorized or unlicensed use of the Software. Licensee may make a reasonable number of backup copies of the Software and the associated license key solely for archival and disaster recovery purposes. 
In connection with certain Software products, ISS licenses security content on a subscription basis for a Term and provides Licensee with a license key for each such subscription. Content subscriptions are licensed pursuant to this License based upon the number of protected nodes or number of users. Security content is regularly updated and includes, but is not limited to, Internet content (URLs) and spam signatures that ISS classifies, security algorithms, checks, decodes, and ISS’ related analysis of such information, all of which ISS regards as its confidential information and intellectual property. Security content may only be used in conjunction with the applicable Software in accordance with this License. The use or re-use of such content for commercial purposes is prohibited. Licensee’s access to the security content is through an Internet update using the Software. In addition, unknown URLs may be automatically forwarded to ISS through the Software, analyzed, classified, entered into ISS’ URL database and provided to Licensee as security content updates at regular intervals. ISS’ URL database is located at an ISS facility or as a mirrored version on Licensee’s premises. Any access by Licensee to the URL database that is not in conformance with this License is prohibited. Upon expiration of the security content subscription Term, unless Licensee renews such content subscription, Licensee shall implement appropriate system configuration modifications to terminate its use of the content subscription. Upon expiration of the license Term, Licensee shall cease using the Software and certify return or destruction of it upon request.

2. Migration Utilities – For Software ISS markets or sells as a Migration Utility, the following shall apply.
Provided Licensee holds a valid license to the ISS Software to which the Migration Utility relates (the “Original Software”), ISS grants to Licensee as the only end user a nonexclusive and nontransferable, limited license to the Migration Utility and the related documentation (“Migration Utility”) for use only in connection with Licensee’s migration of the Original Software to the replacement software, as recommended by ISS in the related documentation. The Term of this License is for as long as Licensee holds a valid license to the applicable Original Software. Licensee may reproduce, install and use the Migration Utility on multiple devices in connection with its migration from the Original Software to the replacement software. Licensee shall implement appropriate safeguards and controls to prevent unlicensed use of the Migration Utility. Licensee may make a reasonable number of backup copies of the Migration Utility solely for archival and disaster recovery purposes.

3. Third-party Products - Use of third party product(s) supplied hereunder, if any, will be subject solely to the manufacturer’s terms and conditions that will be provided to Licensee upon delivery. ISS will pass any third party product warranties through to Licensee to the extent authorized.
If ISS supplies Licensee with Crystal Decisions Runtime Software, then the following additional terms apply: Licensee agrees not to alter, disassemble, decompile, translate, adapt or reverse engineer the Runtime Software or the report file (.RPT) format, or to use, distribute or integrate the Runtime Software with any general-purpose report writing, data analysis or report delivery product or any other product that performs the same or similar functions as Crystal Decisions’ product offerings; Licensee agrees not to use the Software to create for distribution a product that converts the report file (.RPT) format to an alternative report file format used by any general-purpose report writing, data analysis or report delivery product that is not the property of Crystal Decisions; Licensee agrees not to use the Runtime Software on a rental or timesharing basis or to operate a service bureau facility for the benefit of third parties unless Licensee first acquires an Application Service Provider License from Crystal Decisions; Licensee may not use the Software or Runtime Software by itself or as part of a system to regularly deliver, distribute or share Reports outside of the Runtime Software environment: (a) to more than fifty (50) end users directly, or (b) to a location that is accessible to more than 50 end users without obtaining an additional license from Crystal Decisions; CRYSTAL DECISIONS AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESS, OR IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. CRYSTAL DECISIONS AND ITS SUPPLIERS SHALL HAVE NO LIABILITY WHATSOEVER UNDER THIS AGREEMENT OR IN CONNECTION WITH THE SOFTWARE.
In this section 3 “Software” means the Crystal Reports software and associated documentation supplied by ISS and any updates, additional modules, or additional software provided by Crystal Decisions in connection therewith; it includes Crystal Decisions’ Design Tools, Report Application Server and Runtime Software, but does not include any promotional software of other software products provided in the same package, which shall be governed by the online software license agreements included with such promotional software or software product. 4. Beta License – If ISS is providing Licensee with the Software, security content and related documentation as a part of an alpha or beta test, the following terms of this Section 4 additionally apply and supercede any conflicting provisions herein or any other license agreement accompanying, contained or embedded in the subject Beta Software or any associated documentation. ISS grants to Licensee a nonexclusive, nontransferable, limited license to use the ISS alpha/prototype software program, security content, if any, and any related documentation furnished by ISS (“Beta Software”) for Licensee’s evaluation and comment (the “Beta License”) during the Test Period. ISS’ standard test cycle, which may be extended at ISS’ discretion, extends for sixty (60) days, commencing on the date of delivery of the Beta Software (the “Test Period”). Upon expiration of the Test Period or termination of the License, Licensee shall, within thirty (30) days, return to ISS or destroy all copies of the Beta Software, and shall furnish ISS written confirmation of such return or destruction upon request. Licensee will provide ISS information reasonably requested by ISS regarding Licensee’s experiences with the installation and operation of the Beta Software. Licensee agrees that ISS shall have the right to use, in any manner and for any purpose, any information gained as a result of Licensee’s use and evaluation of the Beta Software. 
Such information shall include but not be limited to changes, modifications and corrections to the Beta Software. Licensee grants to ISS a perpetual, royalty-free, nonexclusive, transferable, sublicensable right and license to use, copy, make derivative works of and distribute any report, test result, suggestion or other item resulting from Licensee’s evaluation of its installation and operation of the Beta Software. If Licensee is ever held or deemed to be the owner of any copyright rights in the Beta Software or any changes, modifications or corrections to the Beta Software, then Licensee hereby irrevocably assigns to ISS all such rights, title and interest and agrees to execute all documents necessary to implement and confirm the letter and intent of this Section. Licensee acknowledges and agrees that the Beta Software (including its existence, nature and specific features) constitute Confidential Information as defined in Section 18. Licensee further agrees to treat as Confidential Information all feedback, reports, test results, suggestions, and other items resulting from Licensee’s evaluation and testing of the Beta Software as contemplated in this Agreement. With regard to the Beta Software, ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases. However, ISS agrees to use its reasonable efforts to correct errors in the Beta Software and related documentation within a reasonable time, and will provide Licensee with any corrections it makes available to other evaluation participants. The documentation relating to the Beta Software may be in draft form and will, in many cases, be incomplete. Owing to the experimental nature of the Beta Software, Licensee is advised not to rely exclusively on the Beta Software for any reason. 
LICENSEE AGREES THAT THE BETA SOFTWARE AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. LICENSEE ACKNOWLEDGES AND AGREES THAT THE BETA SOFTWARE MAY CONTAIN DEFECTS, PRODUCE ERRONEOUS AND UNINTENDED RESULTS AND MAY AFFECT DATA NETWORK SERVICES AND OTHER MATERIALS OF LICENSEE. LICENSEE’S USE OF THE BETA SOFTWARE IS AT THE SOLE RISK OF LICENSEE. IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE BETA SOFTWARE LICENSE BY WRITTEN NOTICE TO ISS. 5. Evaluation License - If ISS is providing Licensee with the Software, security content and related documentation on an evaluation trial basis at no cost, such license Term is 30 days from installation, unless a longer period is agreed to in writing by ISS. ISS recommends using Software and security content for evaluation in a non-production, test environment. The following terms of this Section 5 additionally apply and supercede any conflicting provisions herein. Licensee agrees to remove or disable the Software and security content from the authorized platform and return the Software, security content and documentation to ISS upon expiration of the evaluation Term unless otherwise agreed by the parties in writing. ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases to the Software or security content under evaluation. LICENSEE AGREES THAT THE EVALUATION SOFTWARE, SECURITY CONTENT AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE EVALUATION LICENSE BY WRITTEN NOTICE TO ISS. 6. Covenants - ISS reserves all intellectual property rights in the Software, security content and Beta Software. Licensee agrees: (i) the Software, security content or Beta Software is owned by ISS and/or its licensors, is a valuable trade secret of ISS, and is protected by copyright laws and international treaty provisions; (ii) to take all reasonable precautions to protect the Software, security content or Beta Software from unauthorized access, disclosure, copying or use; (iii) not to modify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code of the Software, security content or Beta Software; (iv) not to use ISS trademarks; (v) to reproduce all of ISS’ and its licensors’ copyright notices on any copies of the Software, security content or Beta Software; and (vi) not to transfer, lease, assign, sublicense, or distribute the Software, security content or Beta Software or make it available for time-sharing, service bureau, managed services offering, or on-line use. 7. Support and Maintenance – Depending upon what maintenance programs Licensee has purchased, ISS will provide maintenance, during the period for which Licensee has paid the applicable maintenance fees, in accordance with its prevailing Maintenance and Support Policy that is available at http://documents.iss.net/maintenance_policy.pdf. Any supplemental Software code or related materials that ISS provides to Licensee as part of any support and maintenance service are to be considered part of the Software and are subject to the terms and conditions of this License, unless otherwise specified. 8. 
Limited Warranty - The commencement date of this limited warranty is the date on which ISS furnishes to Licensee the license key for the Software. For a period of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Software or security content will conform to material operational specifications described in its then current documentation. However, this limited warranty shall not apply unless (i) the Software or security content is installed, implemented, and operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. Furthermore, this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software or security content, (ii) modification of the Software or security content, (iii) failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interaction with software or firmware not provided by ISS. If Licensee timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Software or security content or, if ISS determines that repair or replacement is impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such nonconformity. THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFTWARE OR THE SECURITY CONTENT WILL MEET LICENSEE’S REQUIREMENTS, THAT THE OPERATION OF THE SOFTWARE OR SECURITY CONTENT WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE OR SECURITY CONTENT ERRORS WILL BE CORRECTED. 
LICENSEE UNDERSTANDS AND AGREES THAT THE SOFTWARE AND THE SECURITY CONTENT ARE NO GUARANTEE AGAINST UNSOLICITED E-MAILS, UNDESIRABLE INTERNET CONTENT, INTRUSIONS, VIRUSES, TROJAN HORSES, WORMS, TIME BOMBS, CANCELBOTS OR OTHER SIMILAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE’S NETWORK, OR THAT ALL SECURITY THREATS AND VULNERABILITIES, UNSOLICITED E-MAILS OR UNDESIRABLE INTERNET CONTENT WILL BE DETECTED OR THAT THE PERFORMANCE OF THE SOFTWARE AND SECURITY CONTENT WILL RENDER LICENSEE’S SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 8 ARE THE SOLE AND EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY. 9. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE AND SECURITY CONTENT ARE EACH PROVIDED “AS IS” AND ISS HEREBY DISCLAIMS ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MERCHANTABILITY, TITLE, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS OTHER THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PROVIDED HEREUNDER, AND THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE. 10. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software and security content that are granted herein. ISS shall defend and indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or patent as a result of the use or distribution of a current, unmodified version of the Software and security content, but only if ISS is promptly notified in writing of any such suit or claim, and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available information and reasonable assistance. 
The foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the Software and security content. 11. Limitation of Liability - ISS’ ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE RECEIVED THE SOFTWARE. OR SECURITY CONTENT, AS APPLICABLE, IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT (INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS, LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 12. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without prior written notice from ISS, at the end of the term of the License, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may immediately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or expiration of a license for Software, Licensee shall cease all use of such Software, including Software pre-installed on ISS hardware, and destroy all copies of the Software and associated documentation. Termination of this License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other remedies available to it. 13. 
General Provisions - This License, together with the identification of the Software and/or security content, pricing and payment terms stated in the applicable ISS quotation and Licensee purchase order (if applicable) as accepted by ISS, constitute the entire agreement between the parties respecting its subject matter. Standard and other additional terms or conditions contained in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. ISS Software and security content are generally delivered to Customer by supplying Customer with license key data. If Customer has not already downloaded the Software, security content and documentation, then it is available for download at http://www.iss.net/download/. All ISS hardware with pre-installed Software and any other products not delivered by download are delivered f.o.b. origin. This License will be governed by the substantive laws of the State of Georgia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforceable, it will not affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing signed by an authorized officer of ISS. 14. Notice to United States Government End Users - Licensee acknowledges that any Software and security content furnished under this License is commercial computer software and any documentation is commercial technical data developed at private expense and is provided with RESTRICTED RIGHTS. 
Any use, modification, reproduction, display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms, conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and DFAR Subsection 227.7202-3 and Clause 252.227-7015 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 Barfield Road, Atlanta, GA 30328, USA. 15. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, security content, any related technology, or any direct product of either except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Denied Persons List or Entity List or such additional lists as may be issued by the U.S. Government from time to time, or to any country to which the United States has embargoed the export of goods (currently Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products include encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. ISS makes its current export classification information available at http://www.iss.net/export. Please contact ISS’ Sourcing and Fulfillment for export questions relating to the Software or security content (fulfillment@iss.net). Licensee understands that the foregoing obligations are U.S. 
legal requirements and agrees that they shall survive any term or termination of this License. 16. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that computer network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and use the Software in accordance with all applicable laws, regulations and rules. 17. Disclaimers - Licensee acknowledges that some of the Software and security content is designed to test the security of computer networks and may disclose or create problems in the operation of the systems tested. Licensee further acknowledges that neither the Software nor security content is fault tolerant or designed or intended for use in hazardous environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems, nuclear facilities, or any other applications in which the failure of the Software and security content could lead to death or personal injury, or severe physical or property damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the foregoing disclaimers and hereby waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom. 18. Confidentiality - “Confidential Information” means all information proprietary to a party or its suppliers that is marked as confidential. 
Each party acknowledges that during the term of this Agreement, it will be exposed to Confidential Information of the other party. The obligations of the party (“Receiving Party”) which receives Confidential Information of the other party (“Disclosing Party”) with respect to any particular portion of the Disclosing Party’s Confidential Information shall not attach or shall terminate when any of the following occurs: (i) it was in the public domain or generally available to the public at the time of disclosure to the Receiving Party, (ii) it entered the public domain or became generally available to the public through no fault of the Receiving Party subsequent to the time of disclosure to the Receiving Party, (iii) it was or is furnished to the Receiving Party by a third parting having the right to furnish it with no obligation of confidentiality to the Disclosing Party, or (iv) it was independently developed by the Receiving Party by individuals not having access to the Confidential Information of the Disclosing Party. Each party acknowledges that the use or disclosure of Confidential Information of the Disclosing Party in violation of this License could severely and irreparably damage the economic interests of the Disclosing Party. The Receiving Party agrees not to disclose or use any Confidential Information of the Disclosing Party in violation of this License and to use Confidential Information of the Disclosing Party solely for the purposes of this License. Upon demand by the Disclosing Party and, in any event, upon expiration or termination of this License, the Receiving Party shall return to the Disclosing Party all copies of the Disclosing Party’s Confidential Information in the Receiving Party’s possession or control and destroy all derivatives and other vestiges of the Disclosing Party’s Confidential Information obtained or created by the Disclosing Party. 
All Confidential Information of the Disclosing Party shall remain the exclusive property of the Disclosing Party. 19. Compliance - From time to time, ISS may request Licensee to provide a certification that the Software and security content is being used in accordance with the terms of this License. If so requested, Licensee shall verify its compliance and deliver its certification within forty-five (45) days of the request. The certification shall state Licensee’s compliance or non-compliance, including the extent of any non-compliance. ISS may also, at any time, upon thirty (30) days prior written notice, at its own expense appoint a nationally recognized software use auditor, to whom Licensee has no reasonable objection, to audit and examine use and records at Licensee offices during normal business hours, solely for the purpose of confirming that Licensee’s use of the Software and security content is in compliance with the terms of this License. ISS will use commercially reasonable efforts to have such audit conducted in a manner such that it will not unreasonably interfere with the normal business operations of Licensee. If such audit should reveal that use of the Software or security content has been expanded beyond the scope of use and/or the number of Authorized Devices or Licensee certifies such non-compliance, ISS shall have the right to charge Licensee the applicable current list prices required to bring Licensee in compliance with its obligations hereunder with respect to its current use of the Software and security content. In addition to the foregoing, ISS may pursue any other rights and remedies it may have at law, in equity or under this License. 20. Data Protection - The data needed to process this transaction will be stored by ISS and may be forwarded to companies affiliated with ISS and possibly to Licensee’s vendor within the framework of processing Licensee’s order. All personal data will be treated confidentially. Revised March 16, 2004.