RealSecure™ Network Sensor Installation Guide
Version 6.5

Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328-4233
United States
(404) 236-2600
http://www.iss.net

© Internet Security Systems, Inc. 1998-2001. All rights reserved worldwide. Customers may make reasonable numbers of copies of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any other person or entity without the express prior written consent of Internet Security Systems, Inc.

Patent pending.

ActiveAlert, Database Scanner, FlexCheck, Internet Scanner, Internet Security Systems, Online Scanner, RealSecure, SAFElink, SecureLogic, System Scanner, X-Force, and X-Press Update are trademarks, and SAFEsuite a registered trademark, of Internet Security Systems, Inc. Acrobat and Adobe are registered trademarks of Adobe Systems Incorporated. Certicom is a trademark and Security Builder is a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. or its affiliates. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM Corporation. Intel and Pentium are registered trademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX, Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software, and the Seagate logo are trademarks or registered trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH Communications Security. iPlanet, Sun, Sun Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Adaptive Server, SQL, SQL Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a registered trademark of Tivoli Systems Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications are subject to change without notice.

Copyright © Sax Software (terminal emulation only).

Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. ISS and the X-Force disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems, Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems, Inc., and shall not be used for advertising or product endorsement purposes.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behavior to support@iss.net.

January 2002

Internet Security Systems, Inc. Software License Agreement

THIS SOFTWARE IS LICENSED, NOT SOLD. BY INSTALLING THIS SOFTWARE, YOU AGREE TO ALL OF THE PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). IF YOU ARE NOT WILLING TO BE BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE SOFTWARE AND LICENSE KEYS TO ISS WITHIN FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE. IF THE SOFTWARE WAS OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND LICENSE KEYS IN LIEU OF RETURN.

1. License - Upon payment of the applicable fees, Internet Security Systems, Inc. (“ISS”) grants to you as the only end user (“Licensee”) a nonexclusive and nontransferable, limited license for the accompanying ISS software product in machine-readable form and the related documentation (“Software”) for use only on the specific network configuration, for the number of devices, and for the time period (“Term”) that are specified in Licensee’s purchase order, as accepted by ISS, and the invoice and license key furnished by ISS.
ISS limits use of Software based upon the number and type of devices upon which it may be installed, used, gather data from, or report on, depending upon the specific Software licensed. A device includes any network addressable device connected to Licensee’s network, including remotely, including but not limited to personal computers, workstations, servers, routers, hubs and printers. Licensee may reproduce, install and use the Software on multiple devices, provided that the total number and type are authorized in Licensee’s purchase order, as accepted by ISS, and the invoice and license key furnished by ISS. Licensee may make a reasonable number of backup copies of the Software solely for archival and disaster recovery purposes. If Software is ISS’ SAFEsuite Decisions product, then it is delivered with Seagate Info, a third party software product of Seagate Software Information Management Group Holdings, Inc. Seagate Info is restricted to use with ISS SAFEsuite Decisions and no other application. A license of ISS SAFEsuite Decisions allows Licensee to implement up to three (3) copies of SAFEsuite Decisions of which one (1) of these copies may be for production use. Each Seagate Info license includes ten (10) “Client” licenses and one (1) Report/Query Add-In “Designer” license. Additional copies require additional licenses. Seagate Info is subject to the terms and conditions of the license agreement accompanying such software. ISS will provide to Licensee, upon request and in any event upon delivery of such software, copies of licensing documentation applicable to such software. Seagate Info is supplied by ISS “AS IS”, without any warranties of ISS whatsoever.

2. Covenants - ISS reserves all intellectual property rights in the Software. Licensee agrees: (a) the Software is owned by ISS and/or its licensors, is a valuable trade secret of ISS, and is protected by copyright laws and international treaty provisions; (b) to take all reasonable precautions to protect the Software from unauthorized access, disclosure, copying or use; (c) not to modify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code of the Software; (d) not to use ISS trademarks; (e) to reproduce all of ISS’ and its licensors’ copyright notices on any copies of the Software; (f) not to transfer, lease, assign, sublicense, or distribute the Software or make it available for timesharing, service bureau, or on-line use; and (g) not to disseminate performance information or analysis (including without limitation benchmarks) from any source relating to the Software.

3. Support and Maintenance - During the term for which Licensee has paid the applicable support and maintenance fees, ISS will, upon request, provide software maintenance and support services that it makes generally available under its then current Maintenance and Support Policy. Support and maintenance include telephone support and electronic delivery to Licensee of error corrections and updates to the Software (but NOT new releases or products that substantially increase functionality and are marketed separately) and documentation as described in ISS’ then current Maintenance & Support Policy.

4. Limited Warranty - The commencement date of this limited warranty is the date on which ISS furnishes to Licensee the license key for the Software. For a period of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Licensed Software will conform to material operational specifications described in its then current documentation.
However, this limited warranty shall not apply unless (i) the Software is installed, implemented, and operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. Furthermore, this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software, (ii) modification of the Software, (iii) failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interaction with software or firmware not provided by ISS. If Licensee timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Software or, if ISS determines that repair or replacement is impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such nonconformity. THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFTWARE WILL MEET LICENSEE’S REQUIREMENTS, THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE ERRORS WILL BE CORRECTED. LICENSEE UNDERSTANDS AND AGREES THAT LICENSED SOFTWARE IS NO GUARANTEE AGAINST INTRUSIONS, VIRUSES, TROJAN HORSES, WORMS, TIME BOMBS, CANCELBOTS OR OTHER SIMILAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE’S NETWORK, OR THAT ALL SECURITY THREATS AND VULNERABILITIES WILL BE DETECTED OR THAT THE PERFORMANCE OF THE LICENSED SOFTWARE WILL RENDER LICENSEE’S SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 4 ARE THE SOLE AND EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY.

5. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE IS PROVIDED “AS IS” AND ISS HEREBY DISCLAIMS ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MERCHANTABILITY, TITLE, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. SOME JURISDICTIONS DO NOT ALLOW DISCLAIMERS OF IMPLIED WARRANTIES, SO THE ABOVE LIMITATION MAY NOT APPLY TO LICENSEE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS OTHER THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PROVIDED HEREUNDER, AND THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE.

6. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software that are granted herein. ISS shall defend and indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or patent as a result of the use or distribution of a current, unmodified version of the Software; but only if ISS is promptly notified in writing of any such suit or claim, and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available information and reasonable assistance. The foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the Software.

7. Limitation of Liability - Licensee acknowledges that some of the Software is designed to test the security of computer networks and may disclose or create problems in the operation of the systems tested. Licensee accepts the risk of such possibility and hereby waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom.
ISS’ ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE RECEIVED THE SOFTWARE. IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT (INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS, LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

8. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without prior written notice from ISS, at the end of the term of the license, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may immediately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or expiration of the License, Licensee shall cease all use of the Software and destroy all copies of the Software and associated documentation. Termination of this License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other remedies available to it.

9. General Provisions - This License, together with the identification of the Software, pricing and payment terms stated in the applicable Licensee purchase order as accepted by ISS and ISS invoice and license key, constitute the entire agreement between the parties respecting its subject matter.
Standard and other additional terms or conditions contained in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. This License will be governed by the substantive laws of the State of Georgia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforceable, it will not affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing signed by an authorized officer of ISS.

10. Notice to United States Government End Users - Licensee acknowledges that any Software furnished under this License is commercial computer software developed at private expense and is provided with RESTRICTED RIGHTS. Any use, modification, reproduction, display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms, conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and Subsection 227.7202-3 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 Barfield Road, Atlanta, GA 30328, USA.

11. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, any related technology, or any direct product of either except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Denied Persons List or Entity List, or to any country to which the United States has embargoed goods, or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products include encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. Please contact ISS’ Customer Operations for export classification information relating to the Software (customer_ops@iss.net). Licensee understands that the foregoing obligations are U.S. legal requirements and agrees that they shall survive any term or termination of this License.

12. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that computer network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and use the Software in accordance with all applicable laws, regulations and rules.

13. No High Risk Use - Licensee acknowledges that the Software is not fault tolerant and is not designed or intended for use in hazardous environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems, nuclear facilities, or any other applications in which the failure of the Licensed Software could lead to death or personal injury, or severe physical or property damage.
ISS disclaims any implied warranty of fitness for High Risk Use.

Revised October 22, 2001

Contents

Tables
Preface
  Overview
  How to Use RealSecure Documentation
  Conventions Used in this Guide
  Getting Technical Support
Chapter 1: Introduction to the Network Sensor
  Overview
  About the RealSecure System
  Traffic Monitored by Network Sensors
  Installation Programs and Utilities
  Network Sensor Deployment Suggestions
  Deploying Network Sensors in a Switched Environment
  System Requirements Documentation
Chapter 2: Upgrading Sensors
  Overview
  Upgrading Sensors Remotely
  Troubleshooting Remote Upgrades
  Upgrading Sensors Manually
  After Updating 5.x Sensors
  Upgrading Policies
Chapter 3: Before Installing a Network Sensor
  Overview
  Before Installation
  Using Authentication
  Automatically Importing Authentication Keys
  Customizing Encryption
  Administering Public Authentication Keys and Master Status Rights
  Installing Multiple Sensors
  Support for Non-English Windows Versions and Characters
Chapter 4: Installing a Network Sensor on Windows
  Overview
  Installation Options on Windows
  Installing a Typical Network Sensor on Windows
  Installing a Custom Network Sensor on Windows
  Automating Installations on Windows
  Customizing the Automated Installation Response File
  Using the Silent Installation Feature
  Automated Installation Frequently Asked Questions
  Working with Cryptographic Providers During Windows Installations
  Archiving Private Keys
Chapter 5: Installing a Network Sensor on Solaris
  Overview
  Installation Options on Solaris
  Installing a Network Sensor on Solaris
  Automating Network Sensor Installations on Solaris
Chapter 6: Installing the Nokia Appliance
  Overview
  Before Installing the Nokia Appliance
  Enabling Hostname Resolution
  Enabling Logging
  Upgrading or Reinstalling RealSecure from a Package
  Installing a Second Sensor Using Voyager
  Working with Newly Configured Interfaces
Chapter 7: Configuring a Network Sensor
  Overview
  Configuring Authentication
  Configuring Authentication with the Deployment Wizard
  Configuring Authentication Manually
  Location of Authentication Keys
  Restoring Archived Private Keys
  Changing Encryption Settings
  Uninstalling Components and Updates
  Adding Key Administrators
  Starting and Stopping Sensors
  Testing the Sensor
  Network Sensor Stealth Configuration
Chapter 8: Troubleshooting
  Overview
  Error Messages
  ISS Daemons
Index

Tables

Table 1: Typographic conventions for procedures
Table 2: Typographic conventions for commands
Table 3: Hours for technical support
Table 4: Contact information for technical support
Table 5: RealSecure installation files
Table 6: Policies that sensors can accept
Table 7: Prerequisites to installing RealSecure
Table 8: Installation program default settings
Table 9: Network sensor windows availability
Table 10: Default Log File Names for Autoinstall
Table 11: Autoinstall Response File Parameters
Table 12: Autoinstall Response File Parameters Provider Section
Table 13: Silent mode return codes
Table 14: Default parameters for network sensor for Solaris
Table 15: Solaris installation files for network sensor
Table 16: Location of Keys directory for all sensors

Preface

Overview

Purpose
This guide describes the procedures and requirements for deploying, installing, and upgrading the RealSecure network sensor.

Audience
This guide is intended for system administrators who are installing or upgrading the network sensor.
What’s new in this guide The RealSecure Network Sensor Installation Guide Version 6.5 includes new or revised information about the following topics: remotely upgrading sensors configuring authentication installing sensors xi Preface How to Use RealSecure Documentation Using this guide Read the entire guide before installing the network sensor. Related publications For additional information about sensors, the Workgroup Manager, or SiteProtector, see the following publications: xii RealSecure Workgroup Manager Installation Guide RealSecure Server Sensor Installation Guide RealSecure SiteProtector Strategy Guide RealSecure Workgroup Manager User Guide RealSecure Server Sensor Policy Guide RealSecure Network Sensor Policy Guide RealSecure Signatures Reference Guide RealSecure Help Conventions Used in this Guide Conventions Used in this Guide Introduction This topic explains the typographic conventions used in this guide to make information in procedures and commands easier to recognize. In procedures The typographic conventions used in procedures are shown in the following table: Convention What it Indicates Examples Bold An element on the graphical user interface. Type the computer’s address in the IP Address box. Select the Print check box. Click OK. SMALL CAPS A key on the keyboard. Press ENTER. Press the PLUS SIGN (+). Constant width A file name, folder name, path name, or other information that you must type exactly as shown. Save the User.txt file in the Addresses folder. Type IUSR__SMA in the Username box. Constant width italic A file name, folder name, path name, or other information that you must supply. Type Version number in the Identification information box. à A sequence of commands From the taskbar, select from the taskbar or menu bar. StartàRun. On the File menu, select UtilitiesàCompare Documents. 
Table 1: Typographic conventions for procedures xiii Preface Command conventions The typographic conventions used for command lines are shown in the following table: Convention What it Indicates Examples Constant width bold Information to type in exactly as shown. md ISS Italic Information that varies according to your circumstances. md your_folder_name [] Optional information. dir [drive:][path] [filename] [/P][/W] [/D] | Two mutually exclusive choices. verify [ON|OFF] {} A set of choices from which you must choose one. % chmod {u g o a}=[r][w][x] file Table 2: Typographic conventions for commands xiv Getting Technical Support Getting Technical Support Introduction ISS provides technical support through its Web site and by email or telephone. The ISS Web site The Internet Security Systems (ISS) Resource Center Web site (http:// www.iss.net/customer_care/resource_center/) provides direct access to much of the information you need. You can find frequently asked questions (FAQs), white papers, online documentation, current versions listings, detailed product literature, and the Technical Support Knowledgebase (http://www.iss.net/customer_care/ knowledgebase/). Hours of support The following table provides hours for Technical Support at the Americas and other locations: Location Hours Americas 24 hours a day All other locations Monday through Friday, 9:00 A.M. to 6:00 P.M. during their local time, excluding ISS published holidays Note: If your local support office is located outside the Americas, you may call or email the Americas office for help during off-hours. 
Table 3: Hours for technical support

Contact information
The following table provides email addresses and telephone numbers for technical support requests:

Regional Office | Email Address | Telephone Number
North America and Latin America | support@iss.net | (1) (888) 447-4861 (toll free), (1) (404) 236-2700
Europe, Middle East, and Africa | support@iss.net | (44) (118) 959-3900
Asia-Pacific and Philippines | asiasupport@iss.net | (63) (2) 886-6014
Japan | support@isskk.co.jp | (81) (3) 5475-6456

Table 4: Contact information for technical support

Chapter 1: Introduction to the Network Sensor

Overview

Introduction
This chapter describes the following:

- the RealSecure system and components
- traffic that the network sensor monitors
- where network sensor installation programs and utilities are located
- deployment recommendations
- where to find system requirements

In this chapter
This chapter contains the following topics:

- About the RealSecure System
- Traffic Monitored by Network Sensors
- Installation Programs and Utilities
- Network Sensor Deployment Suggestions
- Deploying Network Sensors in a Switched Environment
- System Requirements Documentation

About the RealSecure System

Introduction
The RealSecure system is an automated, real-time intrusion detection and response system that unobtrusively analyzes activity across your computer systems and networks.
A RealSecure system contains two major components:

- sensors
- management

Management components
The management component serves the following purposes:

- visually monitors events (with a console)
- collects data from sensors (with one or more event collectors)
- stores data from sensors (in a database)

You must choose one of the following two types of management software to manage and monitor sensors:

- Workgroup Manager
- SiteProtector

This guide describes using the Workgroup Manager to configure and upgrade sensors.

References: For information about using SiteProtector to configure and upgrade sensors, see the SiteProtector Strategy Guide or the SiteProtector Help.

RealSecure sensors
Sensors monitor network and system traffic for attacks and other security-related events. Sensors respond to and notify you about these events as they occur. RealSecure provides two types of sensors:

- network
- server

Network sensors
Network sensors monitor network packets and look for events that could indicate an attack against your network. Network sensors monitor all the traffic on their network segments. A network segment is also called a “collision domain” because the network is shared among all of the devices on a single segment and because a station on this segment can see all of the traffic going to other stations. Network sensors provide the earliest possible warning of unauthorized activity and can often terminate the attack before damage is done.

A network sensor is installed on a Solaris or Windows computer or on a Nokia appliance with a network adapter card that supports promiscuous mode. Promiscuous mode capable cards are required for network sensors only.

Promiscuous mode
Promiscuous mode allows the sensor to monitor all traffic on a segment, instead of traffic destined only to the computer running the network sensor.
Server sensors
For information about server sensors, see the RealSecure Server Sensor Installation Guide or the RealSecure Server Sensor Policy Guide.

Traffic Monitored by Network Sensors

Introduction
This topic describes the following:

- the traffic that network sensors monitor
- collision domains
- using the network sensor in switched and hubbed networks
- where to find suggestions for deciding what to protect with network sensors

What network sensors monitor
A network sensor monitors all the traffic in its particular collision domain. A network segment is also called a “collision domain” because the network is shared among all of the devices on a single segment and because a station on this segment can see all of the traffic going to other stations.

What creates a collision domain?
Most networks have multiple collision domains (network segments). Devices like firewalls, routers, bridges, and switches divide a large collision domain into several smaller ones. These devices are usually installed to improve network performance and network security.

Important: A network sensor operates only within its local collision domain. You must install a network sensor for each local collision domain you want to monitor.

Environment types
You can install network sensors in a hubbed or switched environment.

Hubbed networks
In a hubbed environment, network sensors require a network adapter card that supports promiscuous mode. Promiscuous mode enables the sensor to monitor traffic to and from all hosts, rather than traffic to and from the computer running the network sensor. The collision domain is any device attached to the same hub as the network sensor.

Switched networks
In a switched environment, network sensors must monitor traffic through a span port or tap at the switch. The collision domain is any network device attached to the switch.
Reference: For information about configuring a network sensor to work in a switched environment, see “Deploying Network Sensors in a Switched Environment” on page 9.

Identifying collision domains to protect
You should deploy RealSecure network sensors on each network segment that contains a vital network or informational resource.

References: For more information, see “Network Sensor Deployment Suggestions” on page 7. The SiteProtector Strategy Guide also contains useful information about developing IDS and sensor strategies.

Installation Programs and Utilities

Installation programs
The network sensor has individual installation programs for each of the following operating systems:

- Windows NT/Windows 2000
- Solaris (separate packages for each supported version)
- IPSO (Nokia appliance)

Utilities
The ISS CD also contains utilities that run like installation programs to serve the following purposes:

- Distribute public cryptographic keys
- Restore archived private cryptographic keys

Location of installation files
Table 5 lists the location of the installation files on the CD:

For this component... | install this file...
network sensor for Windows NT/Windows 2000 | cd-rom drive:\RealSecure\Retail\network_sensor\Windows_NT_x86_4.0-5.0\setup.exe
network sensor for Solaris SPARC | cd-rom mount point:/RealSecure/Retail/network_sensor/Solaris_SPARC_2.6-7 {or 2.6}/rs6.5.2001.xxx-sparc-solarisxx-release
network sensor for Nokia appliance | cd-rom mount point:/RealSecure/Retail/network_sensor/IPSO_x86_3.4.1
Public Key Distribution program | cd-rom drive:\RealSecure\Retail\RS_Key_Utility\Windows_NT_x86_4.0-5.0\setup.exe
Restore cryptographic private keys program | cd-rom drive:\RealSecure\Retail\RS_Key_Utility\Windows_NT_x86_4.0-5.0\setup.exe

Table 5: RealSecure installation files

Network Sensor Deployment Suggestions

Introduction
Common places to install RealSecure network sensors are as follows:

- in the demilitarized zone (DMZ)
- just inside the firewall, on the intranet
- on key segments of the internal network

In the DMZ
By installing a network sensor in the DMZ of a network’s internet access point, you can protect the devices installed in the DMZ from attack. Protecting the firewall is important, because the firewall acts as the control point for data flowing into your internal network and is often the initial target of an attack. By adding a network sensor to your DMZ, you are dedicating an additional processor to the defense of your network perimeter. Every internet access point should include a firewall and a network sensor.

Reference: For more information about configuring network sensors, see “Network Sensor Stealth Configuration” on page 113.

Just inside the firewall, on the intranet
By installing a network sensor inside the firewall, you can detect changes to firewall operation and monitor the traffic passing through the firewall. A network sensor installed inside the firewall ensures that the following occurs:

- The firewall is functioning properly, has not been compromised, and has not been misconfigured.
- The tunnels through the firewall are not being used to launch an attack against your internal network.

You can also use this network sensor, in conjunction with a network sensor in the DMZ, to evaluate the effectiveness of your firewall. For example, you might choose to record the serious events at both network sensors and then generate a report of these events that compares the number of occurrences seen inside the firewall with the number seen outside.

On key segments of the internal network
Key segments of the internal network are associated with vital network resources. Most losses from network attacks are caused by attacks from inside an organization. Many companies are now taking steps to reduce this loss by deploying intrusion-detection systems on their intranet.

Additional network sensor deployment possibilities
The previous recommendations are the most common places for deploying a RealSecure network sensor. Your specific deployment strategy depends on your network and your security strategy. Other likely locations include the following:

- on the network backbone, so that interdepartmental traffic can be examined
- immediately behind a WAN router, WAP server, or a modem pool, to protect against unauthorized access from the telephone network
- in the wiring closet, where it can be connected to different segments as network activity dictates

Deploying multiple sensors
RealSecure supports multiple sensors on the same computer. You can install one or more network sensors to protect multiple parts of your network. You can also install a server sensor on the same computer to provide additional protection and to concurrently monitor your network. There are several possible ways you can deploy multiple sensors on the same computer.
Consider the following scenarios:

- computer with one or more network sensors (one sensor per NIC/subnet)
- computer with one server sensor without Network Monitoring and one or more network sensors (one sensor per NIC/subnet)

Deploying Network Sensors in a Switched Environment

Introduction
This topic describes configuration issues that arise when you deploy a RealSecure network sensor in a switched environment.

Switched network
In a switched network, the traffic is separated at the switch, and routed based on the MAC address of the interface. This configuration controls the amount of traffic received by each interface. When used with other forms of traffic management, a switched network configuration results in an effective method of bandwidth control, allowing each device to communicate more effectively.

Because the traffic is managed at the switch, placing a NIC in promiscuous mode has no effect on what traffic the network sensor can or cannot monitor, effectively blinding the sensor, a packet sniffer, or any other device that relies on promiscuous mode operation.

Routing traffic to a selected port
To eliminate the problem, you must use a tap or have a managed switch capable of routing all traffic to a selected port or ports. This is known as spanning or mirroring.

Reference: For more information about routing traffic to ports, contact your switch manufacturer.
Listed below are the addresses for several popular manufacturers’ Web sites:

Reference
http://support.3com.com/switches.htm
http://support.intel.com/support/network/#Switches
http://www.cisco.com/univercd/home/home.htm
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/emodules/documentation/documentation_main.jsp

For more information about configuring the network sensor to work in a switched environment, see the “Implementing a Network-Based Intrusion Detection System” how-to guide (switched.zip) at:
http://www.iss.net/customer_care/resource_center/realsecure_tech_center/tips_tricks/

System Requirements Documentation

Introduction
The System Requirements document contains the most current information about memory, processor speed, hard drive space and many other hardware and software requirements for each RealSecure component.

Document location
The System Requirements document is located on the ISS Web site at:
http://documents.iss.net/literature/RealSecure/rs_sysreqs.pdf

International system requirements
International system requirements are described in the following topic, “Support for Non-English Windows Versions and Characters” on page 32.

Chapter 2: Upgrading Sensors

Overview

Introduction
This chapter describes how to upgrade version 5.x and 6.0 RealSecure sensors and policies to 6.5.

Upgrade requirement for Workgroup Manager components
Version 6.0 Workgroup Manager components are not compatible with 6.5 sensors. Therefore, upgrade all necessary Workgroup Manager components before upgrading sensor components.

Using SiteProtector management?
SiteProtector 1.0 is compatible with both 6.0 and 6.5 sensors. Therefore, it is not necessary to upgrade the console before upgrading a 6.0 sensor to version 6.5.
In this chapter
This chapter contains the following topics:

- Upgrading Sensors Remotely
- Troubleshooting Remote Upgrades
- Upgrading Sensors Manually
- After Updating 5.x Sensors
- Upgrading Policies

Upgrading Sensors Remotely

Introduction
This topic describes the following:

- prerequisites for upgrading all sensor versions
- specific prerequisites for upgrading 5.x sensors
- where to find upgrade packages
- why it is necessary to upgrade the Workgroup Manager before upgrading sensors
- how to remotely upgrade a sensor

Upgrading with the Workgroup Manager
If you have installed 5.x or later sensors, you can use the Workgroup Manager to remotely upgrade your sensors to 6.5.

Upgrading with SiteProtector
SiteProtector can remotely upgrade 6.0 sensors to 6.5.

Reference: For information about remotely upgrading sensors with SiteProtector, see the SiteProtector Help.

Prerequisites for all sensor versions
Before remotely upgrading any 5.x or 6.0 sensor to 6.5, you must do the following:

- upgrade all Workgroup Manager components (consoles, event collectors and the database) to 6.5
  Caution: If you upgrade a sensor from a 6.0 Workgroup Manager console, you will not be able to monitor or manage the sensor until you upgrade the Workgroup Manager (console, event collector and database) to 6.5.
  Reference: For more information, see the RealSecure Workgroup Manager Installation Guide.
- know the location of the upgrade package
  Upgrade packages are available in several locations:
  - on the Web at https://www.iss.net/update/RealSecure
  - on the Internet Security Systems CD in the /updates/RealSecure directory

Prerequisites for 5.x sensors
If upgrading from a 5.x sensor, do the following:

- Apply service release 1.1, and then apply micro-update 2.3
  Reference: For step-by-step instructions, see “Installing X-Press Updates” in the RealSecure Help.
- synchronize the sensor log file with the console database
  Reference: For step-by-step instructions, see “Synchronizing 5.x log files with the Enterprise databases” in the RealSecure Help.

Upgrading multiple sensors at a time
You can use the remote upgrade process to upgrade more than one sensor at a time. However, you must select sensors of a similar sensor type (server sensor or network sensor) and of the same operating system (like Windows or Solaris). If you have installed multiple network sensors on a single computer, you cannot update them as a group. You must update them individually.

Procedure
To remotely upgrade a sensor:

1. Open the Workgroup Manager console and manage the sensor (or sensors) you want to upgrade.
   Reference: For information about how to manage a sensor, look up “managing, sensors” in the Help.
2. Select the sensor or sensors you want to upgrade, and then right-click them.
   Important: You can update a group of sensors of the same type and operating system. You cannot update a group of sensors installed on the same computer.
   A pop-up menu lists possible command options.
3. Select X-Press Update or Program Update.
   The RealSecure Update Installer window appears.
4. Select the location of the upgrade package.
5. Select Upgrade or Service Release.
6. Click Next.
   The Available updates box shows the updates available for that sensor.
7. Select the update you want, and then click Next.
   The Strong Encryption Export Agreement window appears.
8. Read the agreement, select YES, and then click OK.
   The update program downloads the update, and then prompts you to continue the installation.
9. Click Continue.
   A message informs you that the upgrade could take several minutes and warns you that the upgrade should be performed from a 6.5 console and event collector.
10. Click Yes.
    After a few seconds, the component status changes to Unknown.
    The control status shows several errors related to the daemon (not running, connection refused or closed, and restarting). When the upgrade is complete (which could take several minutes), the component status changes back to Active, and the installation is complete.
    Unix sensors: If you are upgrading a Solaris or Linux server sensor, the system is shut down and restarted before the installation is complete.
11. If upgrading from a 5.x sensor, you must configure it to work with the event collector.
    Reference: For a step-by-step procedure, see “After Updating 5.x Sensors” on page 17.

Troubleshooting Remote Upgrades

Introduction
This topic describes some of the error messages that you may receive when you remotely upgrade a sensor and how to respond to the errors.

Signature error messages
The sensor cannot monitor new signatures in the update until you apply a policy with the new signatures. The sensor issues detector warnings to remind you that the current policy the sensor is using does not support the new signatures.

Reference: To apply a policy, look up “applying policies” in the RealSecure Help or SiteProtector policy editor Help.

Policy and control channel error messages
If you receive the following error message after upgrading, you must stop managing the sensor, and then start managing the sensor again, to correct the problem.

Error message text:
The sensors current policy file was not successfully transferred when the control channel was opened and therefore it is not available to the application. This is usually due to a problem reading the file from the sensor after opening the control channel. It can also be due to the fact that after a fresh install there is not current policy file until the sensor is started if this is the case then Start the sensor.
[ID=0xc72c0026]

Upgrading Sensors Manually

Introduction
If you do not want to use the remote upgrade feature of RealSecure, you can upgrade a sensor manually.

Upgrading Windows sensors
You can run the 6.5 installation program to upgrade Windows sensors. You do not have to uninstall the previous sensor.

Reference: For installation instructions, see the Windows installation chapter in this guide.

Upgrading Unix sensors
To manually upgrade Unix sensors to 6.5, you must uninstall any previous versions of the sensor and then install the new version.

References: For instructions on uninstalling a sensor on a Unix platform, see “Uninstalling Components and Updates” on page 105. For installation instructions, see one of the Unix installation chapters in this guide.

After Updating 5.x Sensors

Introduction
When you update your sensor from version 5.x, events no longer go directly to the console; they pass through the event collector first.

Setting up a sensor
You must configure the event collector to recognize the sensor as an event source and, if you use authentication, configure the sensor to accept authenticated communication from the event collector.

Configuring the event source and authentication
Use the Deployment Wizard to perform these tasks automatically or perform them manually.

Using the Deployment Wizard
If you want to use the Deployment Wizard, see “Configuring Authentication with the Deployment Wizard” on page 94.

Manual configuration
If you encounter errors using the Deployment Wizard, or you want to manually configure the sensor, use the following topics to guide you:

- Use the “Adding public keys” topic in the Help to copy the event collector keys to the updated sensor.
- Use the “Configuring event sources” topic in the Help to set up an event source for the updated sensor.
Upgrading Policies

Introduction
This topic describes the following:

- policy versions that are compatible with network sensors
- policy upgrade issues

Policy compatibility
Table 6 defines the policies that network sensors can use.

Important: If you apply a policy to an earlier sensor version (a 6.5 policy to a 6.0 sensor, for example), the sensor cannot use the new signatures in the policy and generates sensor errors to inform you of the discrepancy.

Sensor version... | Accepts these policies...
2.5 | 2.5, 3.0
3.0 | 2.5, 3.0
3.1 | 3.1, 3.2, 4.5
3.2 | 3.1, 3.2, 4.5
4.5 | 3.1, 3.2, 4.5
5.0 | 5.0
6.0/6.5 | 5.0, 6.0, 6.5

Table 6: Policies that sensors can accept

Upgrading from earlier versions
To import the custom policies that you created in the earlier version, you must import them using the policy editor.

Reference
For information about importing sensor policies, see the following documentation:

- To import policies using the Workgroup Manager, see “Importing Policies” in the RealSecure Workgroup Manager User Guide or RealSecure Workgroup Manager Help.
- To import policies using SiteProtector, see the SiteProtector policy editor Help.

Chapter 3: Before Installing a Network Sensor

Overview

Introduction
This chapter describes what you need to know before you install network sensors on Windows or Unix platforms.

In this chapter
This chapter contains the following topics:

- Before Installation
- Using Authentication
- Automatically Importing Authentication Keys
- Customizing Encryption
- Administering Public Authentication Keys and Master Status Rights
- Installing Multiple Sensors
- Support for Non-English Windows Versions and Characters

Before Installation

Prerequisites
After you have decided how to deploy your sensors, you must make sure you have met the following prerequisites:

Task | For more information, see...
Create a naming convention for sensors. | “Sensor naming conventions” on this page
Decide how the components are going to communicate. | “Using Authentication,” page 22
Install new encryption software, if needed. | “Customizing Encryption,” page 26
Determine public keys administrators. | “Administering Public Authentication Keys and Master Status Rights,” page 30
If you want to use non-English characters or a non-English Windows operating system, configure the system appropriately. | “Support for Non-English Windows Versions and Characters” on page 32
If you want to install multiple sensors on a single computer, make sure you have met the multi-sensor prerequisites. | “Installing Multiple Sensors,” page 31
If you want to use stealth mode, install the right hardware and configure the computer to hide the interface. | “Network Sensor Stealth Configuration,” page 113

Table 7: Prerequisites to installing RealSecure

Sensor naming conventions
A sensor naming convention helps you identify sensors in the console. For example, you may want your sensor name to indicate whether a sensor is inside or outside the firewall or in a specific department.

Caution: Sensor names can contain only alphanumeric characters with underscores or dashes.

As you install a sensor, the installation program allows you to assign a name to the sensor or accept the default name. You cannot rename a sensor after you install it. To rename a sensor, you must uninstall, and then reinstall the sensor. Therefore, it is important that you establish a logical sensor naming convention before deploying your sensors.
Example: The following naming convention categorizes sensors by physical and geographical location and also identifies their host name:

- nyc_dmz_hostname1
- nyc_int_hostname2
- atl_dmz_hostname3
- atl_int_hostname4

Using Authentication

Introduction
Authentication is a way for a component to prove who it is to another component, such as an event collector or a sensor. Authentication occurs when communication connections are established, and it relies on a public/private key pair created by the cryptographic providers you selected when you set up the component.

RealSecure authentication
When you enable authentication, each sensor authenticates any component that attempts to connect to it, like the RealSecure console and event collector. Also, each event collector authenticates any console that attempts to connect to it. Therefore, event collectors must have the public authentication keys of consoles to authenticate them. Likewise, sensors must have the public authentication keys of consoles and event collectors, because both components connect to sensors.

This method of authentication makes each console or event collector prove itself to the sensor (or event collector) before the sensor (or event collector) sends sensitive security data that it has been collecting.

Changing cryptographic providers
Once you have installed a component, changing the configured cryptographic providers is not easy.

In Windows, you must uninstall and then reinstall the component with the new settings to change the providers. If multiple sensors or a combination of an event collector and a sensor exist on the computer, then you must uninstall, and then reinstall both (or all) components. You do not necessarily have to uninstall the console along with the sensors or event collector, unless you need to change the providers for it, too.
In Unix, you must uninstall the sensor or event collector, and then reinstall it to change the providers no matter how many sensors are installed on the computer.

Authentication and public/private keys
Authentication uses public and private keys to prove a console’s or event collector’s identity to each component. For authentication, each sensor or event collector monitored by the console must have a copy of the console’s public keys. The sensor must also have a copy of the event collector's public key. You must move the public keys to each component’s system by using the automatic key import option, copying them, or using the deployment wizard. The private keys are stored securely on the system where the key pairs were generated.

Key names
The installation program saves public keys in the Keys subdirectory for each component. Console keys start with rs_con. Sensor and event collector keys start with rs_eng.

Reference: For a more detailed description of key pairs, encryption, and authentication, see the RealSecure Workgroup Manager User Guide. For more information about copying the console’s public keys to sensors, see “Configuring Authentication Manually” on page 97. For more information about key management, see “Administering Public Authentication Keys and Master Status Rights” on page 30.

Authenticated connections
When authentication is enabled, the sensors must have the console’s public keys and the event collector’s public keys before accepting traffic, and the event collectors must have the console’s public keys before accepting traffic. Public keys can be imported with the automatic key import option. If needed, you can manually copy keys to the sensor with the Workgroup Manager key administrator feature, remotely over the network, or locally from a disk. No reduction in performance occurs when authentication is enabled.
Reference: For more information, see “Automatically Importing Authentication Keys” on page 24, “Administering Public Authentication Keys and Master Status Rights” on page 30, and “Configuring Authentication Manually” on page 97.

Connections that are not authenticated
When authentication is disabled, the sensor trusts any console or event collector and automatically accepts the public keys on a per session basis. The console or event collector uses the appropriate public/private key pair created when the console or event collector was installed. The console or event collector sends its public key to the component, which does not verify that the console or event collector appears to be who it says it is. When authentication is disabled, any device implementing the RealSecure protocol can monitor the component.

Reference: For more information, see “Administering Public Authentication Keys and Master Status Rights” on page 30.

Automatically Importing Authentication Keys

Automatic authentication key import
The RealSecure installation program includes an option to automatically import an authentication key from the console. When you select the auto-import option, the sensor receives the initial authentication key over a standard network connection initiated from the console.

The installation program imports only the console’s public keys. You must manually copy the public keys of other components, such as event collectors, to the sensors, unless you use the deployment wizard to automatically distribute all necessary authentication keys.

Reference: See “Configuring Authentication” on page 93.

Caution: Using this feature can lead to potentially unknown users having access to the RealSecure sensor, if the sensor receives its first connection from such a user. Afterwards, when a known user tries to copy public keys to the sensor, a warning indicates that a key already exists. The known user's keys are not copied to the sensor.
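The first-connection behaviour described in the caution above, as an added Python example that is not code from ISS or from the RealSecure product. The SensorKeyStore class, its methods, the fingerprint format and the sample keys are assumptions made for illustration; the model covers only the acceptance rules stated in this guide.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint used here to compare keys (an assumption, not the product's format)."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class SensorKeyStore:
    """Model of the public keys a sensor trusts (hypothetical class, not RealSecure code)."""
    authentication: bool = True
    auto_import: bool = False
    keys: dict = field(default_factory=dict)      # fingerprint -> owner label
    warnings: list = field(default_factory=list)

    def connect(self, owner: str, public_key: bytes) -> bool:
        """Return True if the sensor would accept this connection."""
        fp = fingerprint(public_key)
        if not self.authentication:
            # Authentication disabled: the key is accepted for this session
            # only and the presenter's identity is never verified.
            return True
        if fp in self.keys:
            return True
        if self.auto_import and not self.keys:
            # Auto-import: whoever connects first becomes the trusted key.
            self.keys[fp] = owner
            return True
        self.warnings.append(f"rejected connection from unknown key {fp} ({owner})")
        return False

    def copy_key_remote(self, owner: str, public_key: bytes) -> bool:
        """Model the later key copy from the caution: refused if a key exists."""
        if self.keys:
            self.warnings.append(f"key already exists; key for {owner} not copied")
            return False
        self.keys[fingerprint(public_key)] = owner
        return True

    def audit(self, expected_keys: dict) -> list:
        """Return fingerprints of trusted keys that are not on the expected list.

        expected_keys maps owner label -> public key bytes. This mirrors
        reviewing the sensor's active public keys after the first connection.
        """
        expected = {fingerprint(k) for k in expected_keys.values()}
        return sorted(fp for fp in self.keys if fp not in expected)


# Constructed sample keys: placeholder byte strings, not real key files.
ADMIN_CONSOLE_KEY = b"constructed-admin-console-public-key"
UNKNOWN_CONSOLE_KEY = b"constructed-unknown-console-public-key"
EXPECTED = {"admin_console": ADMIN_CONSOLE_KEY}


def exposed_segment_scenario() -> dict:
    """Sensor installed with auto-import on a segment that others can reach."""
    sensor = SensorKeyStore(authentication=True, auto_import=True)
    first = sensor.connect("unknown_console", UNKNOWN_CONSOLE_KEY)
    admin_copy = sensor.copy_key_remote("admin_console", ADMIN_CONSOLE_KEY)
    admin_connect = sensor.connect("admin_console", ADMIN_CONSOLE_KEY)
    return {"first_accepted": first, "admin_key_copied": admin_copy,
            "admin_accepted": admin_connect,
            "unexpected_keys": sensor.audit(EXPECTED),
            "warnings": sensor.warnings}


def protected_segment_scenario() -> dict:
    """Same sensor, but the intended console makes the first connection."""
    sensor = SensorKeyStore(authentication=True, auto_import=True)
    admin_connect = sensor.connect("admin_console", ADMIN_CONSOLE_KEY)
    unknown = sensor.connect("unknown_console", UNKNOWN_CONSOLE_KEY)
    return {"admin_accepted": admin_connect, "unknown_accepted": unknown,
            "unexpected_keys": sensor.audit(EXPECTED)}


if __name__ == "__main__":
    for name, run in (("exposed", exposed_segment_scenario),
                      ("protected", protected_segment_scenario)):
        print(name, run())
```

A non-empty unexpected_keys list is the condition to look for when reviewing a sensor's active public keys after its first connection.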
Automatic key import and SiteProtector
If you are using SiteProtector for management and you want to use authentication, you must enable the automatic key import option during installation so that SiteProtector can configure and manage the sensors.

Auto-import and multiple sensors
When multiple sensors are installed on the same computer or when an event collector and a server sensor reside on the same computer, the auto-import feature is enabled for both components. For auto-import to work correctly, you must meet the following requirements:

1. Install the Workgroup Manager or SiteProtector Console and enable the Automatic Key Import option if you are installing the event collector on the same system.
2. Install all the sensors or event collectors on the computer and enable the Automatic Key Import option during installation.
3. Do not attempt to connect to any of the sensors, event collectors, or daemons until you have finished installing all the components that will reside on a single computer.
4. After installation is complete, connect to any sensor, daemon, or event collector on the computer using the deployment wizard.
   All authentication keys and key administrator privileges are configured on all the installed components.

Installing components after first connection
If you install a component with the auto-import option, connect to the component, and then later install a second component, you must manually copy the authentication keys to the second component before you can manage or monitor it.

Reference: For more information about manually copying keys, see “Configuring Authentication Manually” on page 97.

Authentication key recommendation
ISS recommends that you configure the RealSecure sensor on a network segment that is protected from unauthorized network access until the initial public key has been imported by the console.
After connecting to the sensor for the first time, it is important to verify that only the appropriate users have access to the sensor. You can verify this by viewing the active public keys on that sensor using the Maintain Keys menu option in the RealSecure console.

Reference: For step-by-step procedures on adding and deleting authentication keys, see “Managing public keys” in the RealSecure Help.

Customizing Encryption

Introduction

This topic provides the following information:

- an overview of cryptographic providers
- custom options
- encryption keys
- other rules about configuring encryption during installation
- a description of the built-in Certicom provider and the Microsoft RSA provider
- a brief description of US export laws regulating the use of encryption

Overview of encryption

The RealSecure software uses an ISS proprietary communication protocol to secure the information passed among components (consoles, event collectors, and sensors). This protocol relies on encryption provided through one or more built-in providers or external Cryptographic Service Providers (CSPs), such as Microsoft RSA. During installation, you make several choices concerning cryptographic providers and how the encryption algorithms are configured. To make adjustments to these choices, you must uninstall and then reinstall one or more components with the new settings.

Reference: For more information, see “Changing Encryption Settings” on page 104.

Encryption custom options

During installation, you can customize the encryption settings in the following ways:

- Choose (from a list of available providers on your system, including the ISS ECNRA Built-In provider) one or more providers that you want the particular component to use.
  Nokia sensors: If you are managing Nokia sensors, you must use the Certicom ECNRA default algorithms.
- Arrange the providers in order of preference, which determines the provider that the component (sensor or event collector) attempts to use first.
- Customize any default encryption algorithms or key strengths.

Important: You must select common encryption algorithms and keys for the console and for each sensor and event collector. If you do not, the components will not be able to communicate with each other. If you make a change in the default settings, make a note of it so that you can apply the same algorithms or keys to the other components.

Encryption keys

At the end of the installation, the program generates a public/private encryption key pair for each provider you selected. These keys are used to encrypt and decrypt a symmetric encryption key passed between components and to let another component authenticate the one you just installed, if you choose to use authentication.

Reference: For more information about setting up authentication using these public keys, see “Using Authentication” on page 22.

Other rules about configuring encryption during installation

The following rules apply to configuring cryptographic providers during installation:

- Custom sensor installation programs prompt you to select cryptographic providers.
- The option to configure cryptographic providers is always available during the RealSecure console installation.
- If you install the console and event collector together, you will receive one prompt to add and remove cryptographic providers. Your choices apply to both components unless a sensor is already installed on this computer.
- The first time you install a network sensor, server sensor, or event collector, options for selecting cryptographic providers, selecting authentication strength, and enabling auto import are available.
- After you install the first sensor or event collector, all other sensors or event collectors have the authentication strength, cryptographic providers, and auto import setting from the first sensor or event collector installation.

Built-in Certicom encryption

Certicom public/private key encryption is built into the RealSecure software, providing key strengths of at least 113, 163, and 239 bits (default). The built-in Certicom provider also provides symmetric encryption using the DES, the DESX, or the Triple DES encryption algorithms with SHA1 integrity hash (checksum). Certicom encryption works for all platforms.

Microsoft RSA encryption

On Windows platforms, you can use the Microsoft RSA Base, Strong, or Enhanced Cryptographic Providers to encrypt communication between Windows components. The providers typically offer RSA public/private key encryption at 512, 1024, or 2048 bit strengths. These providers may also offer symmetric encryption using DES, DESX, 2-key Triple DES, Triple DES, RC2, and RC4 algorithms. The RC2 and RC4 algorithms typically support 40, 56, or 128 bit key strengths. Cryptographic hash algorithms typically include MD2, MD4, MD5, and SHA-1. The exact choices that appear depend on your operating system level, service pack, and browser installation.

Reference: For more information about provider availability and capability, see the Microsoft Web site. Any provider upgrades or installations must be completed before starting to install the RealSecure software.

Important: If you also have, or plan to have, Unix components, you must select Certicom in addition to Microsoft RSA during installation.

Service Packs: To download and install the latest Service Pack, see the Microsoft Web site at: http://support.microsoft.com/support/downloads You may have to register with Microsoft before you can read this page. On current Internet Explorer browser levels, you can also choose “Tools/Windows Update” to access options for your platform.
How the RealSecure software configures encryption

The RealSecure software configures encryption in the following ways:

- Designating (from a list of available providers on your system, including the ISS ECNRA Built-In provider) one or more providers that you want the particular component to use.
- Arranging the providers in order of preference, which determines the provider that the component (sensor or event collector) attempts to use first.
- Customizing any default encryption algorithms or key strengths.

Important: You must select common encryption algorithms and keys for the console and for each sensor or event collector. If you do not, the components will not be able to communicate with each other. If you make a change in the default settings, make a note of it so that you can apply the same algorithms or keys to the other components.

At the end of the installation, the program generates a public/private encryption key pair for each provider you selected. These keys are used to encrypt and decrypt a symmetric encryption key passed between components and to let another component authenticate the one you just installed, if you choose to use authentication.

Reference: For more information about setting up authentication using these public keys, see “Using Authentication” on page 22.

Caution: If you install a new provider in Windows, you must reinstall the component and select this new provider during installation to use it. Only one provider, the built-in provider, is available for Unix sensors.

Encryption and US laws

Encryption technologies are restricted by U.S. export laws. These technologies cannot be exported or re-exported to certain countries.

Reference: For more information about U.S. export laws, see the Commercial Encryption section of the Bureau of Export Administration’s Web site at: http://www.bxa.doc.gov/Default.htm

Administering Public Authentication Keys and Master Status Rights

Introduction

Key management provides a method for managing and distributing public authentication keys. Using key management, you can specify one or more users as key administrators. A key administrator can manage public authentication keys remotely from the RealSecure console.

Key administrators and master status roles

A key administrator also has rights to maintain daemon roles, which is an access list of users with special privileges maintained by the issDaemon. Users are identified in the list as computername_username, such as computername_administrator. Daemon roles include Master Status Manager and key administrator.

Assigning administrator rights during installation

During the initial installation of a Windows component, you must set up at least one key administrator to use the deployment wizard or the key administrator features if you do not plan to also select the automatic key import option (which configures the first connecting user as the key administrator). For Unix components, you can add an initial key administrator at a later time or use the automatic key import option to set up a key administrator.

Reference: For more information about using the automatic key import option, see “Automatically Importing Authentication Keys” on page 24.

Assigning administrator rights after installation

Other key administrators can be added or deleted from the key administrator directory by anyone who has key administrator rights. After installation, key administrator rights can be granted by modifying the daemon roles. If you are already a key administrator, you can add additional key administrators using the Command Line Interface (CLI) or the console.
Public key administrator rights are granted to a user by adding the user’s computer name and user name to the key administrator list.

Reference: For more information about modifying key administrator rights, see the RealSecure Workgroup Manager User Guide.

Installing Multiple Sensors

Introduction

Installing several sensors on a single computer requires additional prerequisites. You can install the following combinations:

- server sensor and network sensor
- multiple network sensors

Server sensor and network sensor

You should install server sensor on all your important servers, including computers running network sensors. To install these sensors on the same computer, you must disable the Network Monitoring Component of the server sensor during installation. Instructions for disabling this component are described in the server sensor custom installation procedure in the RealSecure Server Sensor Installation Guide.

Multiple network sensors

You can install multiple network sensors on the same computer to monitor multiple, low-bandwidth segments. Although you can install three or more network sensors on a single computer, ISS does not recommend installing more than two.

Before installing two network sensors

Before installing two network sensors on the same computer, follow these steps:

1. Read the system requirements to determine if the computer has enough memory for two network sensors.
   Reference: The system requirements are located on the ISS Web site at the following location: http://documents.iss.net/literature/RealSecure/rs_sysreq.pdf
2. Install two network interface cards (NICs) in the computer.
3. Connect the NICs to the two network segments that you want to monitor with the sensors.
4. Run the custom network sensor installation to choose the NIC you want each sensor to monitor.
Support for Non-English Windows Versions and Characters

Non-English versions of Windows

The RealSecure software has been tested on non-English versions of Windows, including French, Japanese, and Spanish. However, the RealSecure software is most thoroughly tested on English versions of Windows, and ISS recommends that you use the English version of Windows when possible.

Foreign characters for other programs

If you need to use foreign characters for other applications on the computer running the RealSecure software, you can configure Windows to support your location and language instead of installing the non-English version of Windows.

Foreign characters

If you change your locale settings, sensor names, directories, user names, and any other character-based name must use English characters or numbers.

Caution: Using foreign characters can cause sensors or other components to malfunction.

Reference: For more information on system locales, see the Microsoft Web site at: http://www.microsoft.com/globaldev/FAQs/Locales.asp#ques7.

Localizing the US English version of Windows NT 4.0

To configure the US English version of Windows NT 4.0 to support your system locale:

1. From the taskbar, select Start→Settings→Control Panel. The Control Panel window appears.
2. Double-click the Regional Settings icon. The Regional Settings Properties window appears.
3. From the Regional Settings tab, select a language from the list.
4. Select the Set as system default locale check box, and then click Apply.
5. Click OK. The system applies the language’s default code page and associated fonts to your system.
6. Do the display settings need to be adjusted?
   - If yes, go to step 7.
   - If no, go to step 10.
7. From the Control Panel window, double-click the Display icon to display the Display Properties window.
8. Select the Appearance tab. Select a font size from the list. Click Apply.
9. Click OK to exit the Display Properties window.
10. From the Regional Setting Properties window, select the Input Locales tab.
11. Click Add. The Add Input Locale window appears.
12. Select the language from the list, and then click OK. The Input Locales tab appears.
13. In the Default input locale field, click Set as Default to make the language the default input locale.
14. In the Switch Locales field, select the desired shortcut key combinations for switching between input locales.
15. Select the Enable indicator on taskbar check box, and then click OK.
16. Click Apply to exit the Regional Properties window.
17. Restart your system for the system locale changes to take effect.

Localizing the US English version of Windows 2000

To configure the US English version of Windows 2000 to support your system locale:

1. From the taskbar, select Start→Settings→Control Panel. The Control Panel window appears.
2. Double-click the Regional Options icon. The Regional Options Properties window appears.
3. From the Regional Options tab, select a language from the list.
4. Select the Set default check box. The Select System Locale window appears.
5. Click OK, and then click Apply.
6. Click OK. The system applies the language’s default code page and associated fonts to your system.
7. Do the display settings need to be adjusted?
   - If yes, go to Step 8.
   - If no, go to Step 11.
8. From the Control Panel window, double-click the Display icon to display the Display Properties window.
9. Select the Appearance tab. Select a font size from the list. Click Apply.
10. Click OK to exit the Display Properties window.
11. From the Regional Setting Properties window, select the Input Locales tab.
12. Click Add. The Add Input Locale window appears.
13. Select the language from the list, and then click OK. The Input Locales tab appears.
14. In the Installed input locales field, click Set as Default to make the language the default input locale.
15. In the Hot keys for input locales field, select the desired shortcut key combinations for switching between input locales.
16. Select the Enable indicator on taskbar check box, and then click OK.
17. Click Apply to exit the Regional Properties window.
18. For the system locale changes to take effect, restart your system.

Chapter 4

Installing a Network Sensor on Windows

Overview

Introduction

This chapter describes the RealSecure network sensor installation programs and installation procedures for Windows environments.

In this chapter

This chapter contains the following topics:

- Installation Options on Windows
- Installing a Typical Network Sensor on Windows
- Installing a Custom Network Sensor on Windows
- Automating Installations on Windows
- Customizing the Automated Installation Response File
- Using the Silent Installation Feature
- Automated Installation Frequently Asked Questions
- Working with Cryptographic Providers During Windows Installations
- Archiving Private Keys

Installation Options on Windows

Installation methods

You can install the network sensor for Windows using one of several methods:

- typical (simple) installation
- custom (advanced) installation
- automated installation

SiteProtector Users: If using SiteProtector management and authentication, you must install sensors using the custom installation so that you can enable the automatic key import option.

Typical installation

To install a network sensor with the default options (skipping advanced configuration), choose the typical installation option during the installation process. The typical installation program uses these default settings:

Option                            Default Setting
Select components                 All available components are installed.
Select network card               Selects the first network card. You must select “custom” to
                                  install more than one network sensor on a computer.
Choose sensor name                For one network sensor: network_sensor_1
                                  For multiple network sensors on one computer:
                                  network_sensor_1 (first installation)
                                  network_sensor_2 (second installation)
Choose folder for ISSDaemon       C:\Program Files\ISS\issDaemon
Choose folder for network sensor  C:\Program Files\ISS\issSensors
Select program folder             ISS
Enable Authentication             Enabled
Automatic key import              Disabled
Harden security                   Enabled

Table 8: Installation program default settings

Reference: For more information, see “Installing a Typical Network Sensor on Windows” on page 38.

Custom installation

If you need to customize the settings described in Table 8, “Installation program default settings” on page 36, choose the custom installation option during the install process.

Reference: For more information, see “Installing a Custom Network Sensor on Windows” on page 41.

Automated installation

If you intend to install several network sensors using the same settings, you can use the automated installation process. With this feature, you install a network sensor once, save the settings you choose during that installation, and then use those settings to install the same configuration on other computers without having to monitor the entire installation process.

Reference: For more information, see “Automating Installations on Windows” on page 45.

Installing a Typical Network Sensor on Windows

Introduction

Select the typical installation option to install all RealSecure network sensor components using default settings.

Reference: For a list of the default settings, see Table 8, “Installation program default settings” on page 36.
Procedure

To install a network sensor using a typical configuration:

Note: Depending on the components you select and your network configuration, some of the steps in the procedure may not be required, and certain windows may not appear. For more information, see Table 9, “Network sensor windows availability” on page 40.

1. Insert the Internet Security Systems CD into the CD-ROM drive, and then locate the following folder to access the setup program:
   cd-rom drive:\RealSecure\Retail\network_sensor\Windows_NT_x86_4.0-5.0\setup.exe
2. Run setup.exe. The Welcome window appears.
3. Click Next. The License Agreement window appears.
4. Read the Software License Agreement, and then click Yes to accept its terms. The Readme window appears.
5. Read the text, and then click Next. The Setup Types window appears.
6. Click Typical. The Automatic Key Import window appears.
7. Select or clear the Allow Auto Import check box, and then click Next. When you select the auto-import option, the sensor receives the initial authentication key over a standard network connection initiated from the console. SiteProtector users must select this option if using authentication.
   Reference: For more information, see “Automatically Importing Authentication Keys” on page 24.
   The Select Public Key Administrators window appears.
8. Type the Public Key Administrators name, using the format computername_username
   Important: You should add at least one key administrator. If you do not add at least one administrator, you will have to reinstall the component to set up a key administrator.
9. Click Add.
   Tip: To delete an administrator’s name, click Remove; to delete all names from the list, click Clear All.
10. Click Next. The Start Copying Files window appears.
11. Do the settings (components and destination locations) need to be adjusted?
    - If yes, click Back and adjust the settings as needed.
    - If no, click Next, and then go to Step 12.
12. Did the Archive Private Keys window appear?
    - If yes, go to Step 13.
    - If no, go to Step 15.
13. Select or clear the Archive the private keys check box.
14. Select a folder and passphrase, and then click Next.
    Reference: For more information, see “Archiving Private Keys” on page 69.
15. Click Finish. RealSecure completes the installation.

Installation windows

Table 9 lists windows that may appear during installation and the system configuration that causes them to appear:

Window                        System Configuration
Select Network Card           Only if you have two or more network cards installed on your
                              computer.
Choose Folder for ISSDaemon   Only if another daemon component (event collector or sensor)
                              has not been previously installed
Enable Authentication         Only if another daemon component (event collector or sensor)
                              has not been previously installed
Automatic Key Import          Only if another daemon component (event collector or sensor)
                              has not been previously installed
Sensor Cryptographic Setup    Only if another daemon component (event collector or sensor)
                              has not been previously installed

Table 9: Network sensor windows availability

Installing a Custom Network Sensor on Windows

Introduction

Use the custom option to install specific components and to change default settings.

Procedure

To install a custom network sensor:

Note: Depending on the components you select and your network configuration, some of the steps in the procedure may not be required, and certain windows may not appear. For more information, see Table 9, “Network sensor windows availability” on page 40.

1. Insert the Internet Security Systems CD into the CD-ROM drive, and then locate the following folder to access the setup program:
   cd-rom drive:\RealSecure\Retail\network_sensor\Windows_NT_x86_5.0-6.0\setup.exe
2. Run setup.exe. The Welcome window appears.
3. Click Next. The License Agreement window appears.
4. Read the Software License Agreement, and then click Yes to accept its terms. The Readme window appears.
5. Read the text, and then click Next. The Setup Types window appears.
6. Click Custom. The Select Components window appears.
7. Select RealSecure Network Sensor.
8. Click Next. The Select Network Card window appears.
   Note: This window appears only if you have two or more network cards installed on your computer.
9. Select the network card that you want the sensor to use to monitor your network.
10. Click Next. The Choose a Sensor Name window appears.
11. Type the sensor name.
    Caution: Sensor names can contain only alphanumeric characters with underscores or dashes.
    Reference: For more information, see “Sensor naming conventions” on page 20.
12. Click Next. The Choose Folder for The Network Sensor window appears.
13. Select an installation folder.
    Important: ISS recommends that you accept the default destination location so that Setup can locate important files that may have been previously installed. The default location is C:\Program Files\ISS\issSensors\network_sensor_name.
14. Click Next. The Choose Folder for the ISSDaemon window appears.
15. Select an installation folder for the daemon.
    Important: ISS recommends that you accept the default destination location so that Setup can install the daemon in the appropriate location. The default location is C:\Program Files\ISS\issDaemon
16. Click Next. The Enable Authentication window appears.
17. Do you want to use authentication to secure sensor and console communication?
    Important: ISS recommends that you configure the sensor to use authentication to prevent unauthorized users from controlling and potentially hiding attacker activity.
    Reference: For information about authentication, see “Using Authentication” on page 22.
    - If yes, click Next.
    - If no, select Disable All Authentication, and then click Next.
    The Automatic Key Import window appears.
18. Do you want to automatically import an authentication key? When you select the auto-import option, the sensor receives the initial authentication key over a standard network connection initiated from the console. SiteProtector users must select this option if using authentication.
    Reference: For more information, see “Automatically Importing Authentication Keys” on page 24.
    - If yes, select Allow Auto-Import, and then click Next.
    - If no, click Next.
    The Harden Security for the RealSecure Network Sensor? window appears.
19. Do you want to make the network sensor installation more secure by locking down file and registry entry permissions so that only an administrator of this computer can make changes to them?
    Important: ISS recommends that you harden security to secure the application from unauthorized use.
    - If yes, click Next.
    - If no, select Do Not Lock Down, and then click Next.
    The Select Public Key Administrators window appears.
20. Type the Public Key Administrators name, using the format computer_username
    Important: If you are not using the automatic key import option, you must add at least one key administrator. If you do not add at least one administrator, you will have to reinstall the component to set up a key administrator.
    Reference: For more information, see “Adding Key Administrators” on page 110.
21. Click Add.
    Note: To delete an administrator’s name, click Remove; to delete all names from the list, click Clear All.
22. Click Next. The Network Sensor Cryptographic Setup window appears.
23. Add, change, or delete cryptographic providers.
    References: For more information, see “Customizing Encryption” on page 26 and “Working with Cryptographic Providers During Windows Installations” on page 67.
24. When you have finished working with cryptographic providers, click Next. The Start Copying Files window appears.
25. Do the settings (adapters, sensors, and destination locations) need to be adjusted?
    - If yes, click Back and adjust the settings as needed.
    - If no, click Next.
26. Did the Archive Private Keys window appear?
    - If yes, go to Step 27.
    - If no, the Setup Complete window appears. Go to Step 29.
27. Select or clear Archive the private keys.
28. Select a folder and passphrase, and then click Next.
    Reference: For more information, see “Archiving Private Keys” on page 69.
    The Setup Complete window appears.
29. Click Finish. RealSecure completes the installation.

Automating Installations on Windows

Introduction

You can use the Autorecord and Autoinstall features to automatically install Workgroup Manager components or sensors.

Note: The option to archive private keys is not available in the automated installation.

Benefits

Autorecord and Autoinstall are useful when you want to install RealSecure on multiple systems.

Autorecord

Using Autorecord mode, you can save your responses to Setup prompts in a response file as you install RealSecure on a system. You can edit the response file as desired for use on systems configured differently from the original system. You can also manually create a response file with the desired responses.

Some specialized installation options (response file parameters) are not recorded during autorecord. Specifically, the Upgrade, Trace, and AbortIfNoHotFix settings are not recorded. You can customize the response file if you want to add them.

Reference: For more information, see “Customizing the Automated Installation Response File” on page 48.

Autoinstall

Using Autoinstall mode, you can use the response file you created with Autorecord to install RealSecure on other systems. Setup reads your choices from the response file instead of requiring you to manually respond to Setup prompts. Setup also generates a log file in the WINNT directory which you can use to verify successful installation.
The log file name varies depending on the RealSecure module you install:

- Workgroup Manager Autoinstall generates workgroup_manager_install.log
- Network sensor Autoinstall generates network_sensor_install.log
- Server sensor Autoinstall generates server_sensor_install.log

Autorecording an installation

To autorecord your installation:

1. From the Start menu, select Start→Run.
2. Click Browse, and then locate the setup.exe for the RealSecure module you want to install.
3. In the Open box in the Run window, change the command to
   full path to file\setup.exe -pfull path to file\response file_name
   Example:
   d:\RealSecure\Retail\Windows_NT_x86\workgroup_manager\6.5\setup.exe -pc:\temp\autoinst.rsp
4. Click OK. The Installation Wizard appears.
5. Record the installation steps.
   Reference: For more information about completing the installation steps, see the typical and custom installation topics in this chapter.

Autoinstalling RealSecure

To autoinstall a component:

1. From the Start menu, select Start→Run.
2. Locate setup.exe for the RealSecure module you want to install.
3. In the Open box in the Run window, change the command line to
   full path to file\setup.exe -gfull path to file\response file_name
   Example:
   d:\RealSecure\Retail\Windows_NT_x86\workgroup_manager\6.5\setup.exe -gc:\temp\autoinst.rsp
4. Click OK.
5. Be sure the installation was successful by checking the autoinstall log.

Autoinstall log file

When running in Autoinstall mode, Setup generates a log file in the Windows (WINNT) directory containing error and other messages. Always check this file for error messages after you run Setup in Autoinstall mode.
Setup uses default names for the different modules as follows:

Module              Default Autoinstall log file name
Workgroup Manager   workgroup_manager_install.log
Network Sensor      network_sensor_install.log
Server Sensor       server_sensor_install.log

Table 10: Default Log File Names for Autoinstall

Customizing the Automated Installation Response File

Overview

The autorecord feature automatically generates a response file that you can use to install components unattended. However, you can further customize the installation by customizing the response file.

When to customize a response file

For example, some options in the response file are not available during installation. Also, you may want to use wildcards in the cryptographic providers section during an unattended installation.

Specifying cryptographic providers

If you are creating a response file from scratch, use care when specifying cryptographic providers. Consider the following:

- The response file must contain at least one Provider section, beginning with [Provider0].
- Setup requires the first provider in the response file be installed and configured on the target system. If the first provider is not already installed, Setup terminates.
- If the response file includes additional providers, Setup attempts to configure them; however, if Setup is unable to configure these additional providers, it does not terminate.
- The order of the providers in the response file determines the order RealSecure uses them when attempting to establish connections between consoles and sensors.

Using wildcards for provider parameters

In the response file, you can use wildcards in a limited way in the Provider sections for more flexibility in the automated installation. With wildcards, Setup can search all the installed providers and find one that matches the specified parameters.
The following example shows a Provider section that utilizes wildcards:

    [Provider0]
    ProviderType=*
    ProviderName=*
    ExchangeName=*
    ExchangeID=44032
    ExchangeLen=191
    SecretName=*
    SecretID=26115
    SecretLen=168
    HashName=*
    HashID=32772
    HashLen=160

Setup first checks for the wildcard character in the ProviderName field. If it finds a wildcard, Setup then searches through the installed providers for a match on ExchangeID, ExchangeLen, SecretID, SecretLen, HashID, and HashName. If Setup finds a provider that matches all six parameters, Setup then configures the provider. If Setup does not find a provider that matches, it continues or terminates depending on whether it is processing the first provider in the response file. The first provider is required, but subsequent providers are not.

Important: Although wildcards may appear in parameters other than ProviderName, Setup checks only for the wildcard in ProviderName. Also, ExchangeID, ExchangeLen, SecretID, SecretLen, HashID, and HashLen are required entries. Setup fails if there are no matching installed providers.

Response file parameters

The automated installation capability is provided in part by the parameters of a response file. The response file is created in the Windows initialization file (.INI) format, with sections and key-value pairs. You can generate this file by running Setup in automated record mode or by populating it manually. The parameters and possible values are provided in Table 11 and Table 12.

| Section | Required Key(s) | Possible Values | Applies To | Default Setting | Comments |
|---------|-----------------|-----------------|------------|-----------------|----------|
| [RealSecure Response File] | Version | 6.5 | Workgroup Manager, network sensor, server sensor | 6.5 | Do not change. Used by script to see if generated with current release. |
| [SelectedComponents] | Component_1, Component_2, Component_3, Component_4 | Workgroup Manager: Targets\RealSecure Workgroup Manager\RealSecure Event Collector\Event Database; Targets\RealSecure Workgroup Manager\RealSecure Event Collector\Event Collector Services; Targets\RealSecure Workgroup Manager\RealSecure Console\Asset Database; Targets\RealSecure Workgroup Manager\RealSecure Console\Console Services. Network Sensor: Targets\RealSecure Network Sensor. Server Sensor: Targets\RealSecure Server Sensor Host; Targets\RealSecure Server Sensor\Server Sensor without Network Monitoring | Workgroup Manager, network sensor, server sensor | None | Any combination of values. |
| [Console Destination] | Destination | valid path | Workgroup Manager | C:\Program Files\ISS\RealSecure 6.5 Console | None |
| [Event Collector Destination] | Destination | valid path | Workgroup Manager | C:\Program Files\ISS\RealSecure 6.5 Event Collector | None |
| [Daemon Destination] | Destination | valid path | Workgroup Manager, network sensor, server sensor | C:\Program Files\ISS\issDaemon | None |
| [Server Sensor Destination] | Destination | valid path | server sensor | C:\Program Files\ISS\issSensors\server_sensor_1 | None |
| [Network Sensor Destination] | Destination | valid path | network sensor | C:\Program Files\ISS\issSensors\network_sensor_1 | None |
| [Server Sensor Name] | Name | Any valid name (no spaces) | server sensor | server_sensor_1 | Does not allow spaces within the names. |
| [Network Sensor Name] | Name | Any valid name (no spaces) | network sensor | network_sensor_1 | Does not allow spaces within the names. |
| [Adapter Number] | AdapterNumber | 0, 1, 2, ... | network sensor | 0 | Indicates which network card to monitor. |
| [Program Folder] | Folder | Any folder name | Workgroup Manager | Internet Security Systems | None |
| [Authentication Strength] | AuthenticationStrength | 1, 0 | Workgroup Manager, network sensor, server sensor | 1 | Authentication strength means that the sensor verifies that it knows who the peer is (usually a console) and that there is no party in the middle proxying the data stream. |
| [Console Harden Security] | LockDownSystem | Yes, No | Workgroup Manager | Yes | Restricts related registry keys and directories to having only administrator privileges. |
| [Event Collector Harden Security] | LockDownSystem | Yes, No | Workgroup Manager | Yes | Restricts related registry keys and directories to having only administrator privileges. |
| [Engine Harden Security] | LockDownSystem | Yes, No | network sensor | | Restricts related registry keys and directories to having only administrator privileges. |
| [Allow Auto Key Import] | AllowAutoKeyImport | 1, 0 | network sensor, server sensor | 0 | When you select the “Automatically import initial key” option, the sensor receives the initial authentication key over a standard network connection initiated from the console. Using this feature can lead to potentially unknown users having access to the RealSecure sensor, if the sensor receives its first connection from such a user. Afterwards, when a known user tries to copy public keys to the sensor, a warning indicates that a key already exists. The known user's keys are not copied to the sensor. |
| [Key Administrators] (optional) | KeyAdministrator_1, KeyAdministrator_2, ... | computername_username | Workgroup Manager, network sensor, server sensor | None | Failure to add at least one key administrator prevents key pushing to sensors on this computer. This is the only optional section in the response file. All other sections are required. |
| [Asset DB Remote Location] | ServerName | any valid computer name | Workgroup Manager | None | Server name where asset database is installed; does not have to be remote. |
| [EventCollector DB Remote Location] | ServerName | any valid computer name | Workgroup Manager | None | Server name where event/enterprise database is installed; does not have to be remote. |
| [SQL Server Maximum Memory Size] | SQLMaxMem | 5% to 100% of total physical memory | Workgroup Manager | a number between 5 and 100, for example 5 would be 5% | SQL Server or MSDE can be configured to set an upper limit on memory usage. It is recommended that this upper limit for memory usage be roughly 25% of the physical memory installed on the system. If SQL Server or MSDE is configured to have an upper limit of memory usage that is roughly equivalent to the amount of physical memory on the system then other applications such as the RealSecure console may not have enough memory to operate properly. |
| [Migrate Asset Database] | MigrateAssetDB | 1, 0 | Workgroup Manager | 0 | Allows migration of asset database data. |
| [Migrate Event Database] | MigrateEventDB | 1, 0 | Workgroup Manager | 0 | Allows migration of event database data. |
| [Enable SQL Server Authentication] | EnableSQLAuth | 1, 0 | Workgroup Manager | 1 | The RealSecure event collector requires SQL Server Authentication. If setup is not authorized to enable SQL Server Authentication, then the install ends. |
| [Reboot System] | RebootSystemIfNeeded | Yes, No | network sensor, server sensor | None | Depending on the state of the system, Setup may need to restart to shut down a service or delete a file. Yes allows the restart, and you must run the Setup again to complete the installation. No causes Setup to end. |

Table 11: Autoinstall Response File Parameters

[Providerx] section(s):

| Parameter    | Possible Values      | Applies To                             | Default Setting | Comments                                               |
|--------------|----------------------|----------------------------------------|-----------------|--------------------------------------------------------|
| ProviderType | Depends upon provider | network sensor, console, server sensor | none            | Optional if ProviderName is wildcard.                  |
| ProviderName | Depends upon provider | network sensor, console, server sensor | none            | Must be either a valid provider name or “*” (wildcard) |
| ExchangeName | Depends upon provider | network sensor, console, server sensor | none            | Optional if ProviderName is wildcard.                  |
| ExchangeID   | Depends upon provider | network sensor, console, server sensor | none            | Required                                               |
| ExchangeLen  | Depends upon provider | network sensor, console, server sensor | none            | Required                                               |
| SecretName   | Depends upon provider | network sensor, console, server sensor | none            | Optional if ProviderName is wildcard.                  |
| SecretID     | Depends upon provider | network sensor, console, server sensor | none            | Required                                               |
| SecretLen    | Depends upon provider | network sensor, console, server sensor | none            | Required                                               |
| HashName     | Depends upon provider | network sensor, console, server sensor | none            | Optional if ProviderName is wildcard.                  |
| HashID       | Depends upon provider | network sensor, console, server sensor | none            | Required                                               |
| HashLen      | Depends upon provider | network sensor, console, server sensor | none            | Required                                               |

Table 12: Autoinstall Response File Parameters Provider Section

Example workgroup manager response file

This is an example Workgroup Manager response file:

    [RealSecure Response File]
    Version=6.5
    [SelectedComponents]
    Component_1=Targets\RealSecure Workgroup Manager\RealSecure Event Collector\Event Database
    Component_2=Targets\RealSecure Workgroup Manager\RealSecure Event Collector\Event Collector Services
    Component_3=Targets\RealSecure Workgroup Manager\RealSecure Console\Asset Database
    Component_4=Targets\RealSecure Workgroup Manager\RealSecure Console\Console Services
    [Console Destination]
    Destination=C:\Program Files\ISS\RealSecure 6.5 Console
    [Event Collector Destination]
    Destination=C:\Program Files\ISS\RealSecure 6.5 Event Collector
    [Daemon Destination]
    Destination=C:\Program Files\ISS\issDaemon
    [MSDE Destination]
    Destination=C:\MSSQL7
    [Program Folder]
    Folder=ISS
    [Authentication Strength]
    AuthenticationStrength=1
    [Console Harden Security]
    LockDownSystem=Yes
    [Event Collector Harden Security]
    LockDownSystem=Yes
    [Key Administrators]
    KeyAdministrator_1=computer_username
    KeyAdministrator_2=computer_username
    KeyAdministrator_3=computer_username
    [Asset DB Remote Location]
    ServerName=USERNAME
    [EventCollector DB Remote Location]
    ServerName=USERNAME
    [SQL Server Maximum Memory Size]
    SQLMaxMem=32
    [Migrate Asset Database]
    MigrateAssetDB=0
    [Migrate Event Database]
    MigrateEventDB=0
    [Enable SQL Server Authentication]
    EnableSQLAuth=1
    [Provider0]
    ProviderType=998
    ProviderName=ISS ECNRA Built-In Provider, Strong Encryption Version
    ExchangeName=EC_KEYX EC239A01
    ExchangeID=44032
    ExchangeLen=239
    SecretName=DESX
    SecretID=26116
    SecretLen=168
    HashName=SHA1
    HashID=32772
    HashLen=160
    [Provider1]
    ProviderType=1
    ProviderName=Microsoft Enhanced Cryptographic Provider v1.0
    ExchangeName=RSA_KEYX (1024 bit)
    ExchangeID=41984
    ExchangeLen=1024
    SecretName=RC4 (128 bit)
    SecretID=26625
    SecretLen=128
    HashName=SHA-1
    HashID=32772
    HashLen=160

Example network sensor response file

This is an example network sensor response file:

    [RealSecure Response File]
    Version=6.5
    [SelectedComponents]
    Component_1=Targets\RealSecure Network Sensor
    [Adapter Number]
    AdapterNumber=0
    [Network Sensor Name]
    Name=network_sensor_1
    [Network Sensor Destination]
    Destination=C:\Program Files\ISS\issSensors\network_sensor_1
    [Daemon Destination]
    Destination=C:\Program Files\ISS\issDaemon
    [Authentication Strength]
    AuthenticationStrength=1
    [Allow Auto Key Import]
    AllowAutoKeyImport=1
    [Engine Harden Security]
    LockDownSystem=Yes
    [Key Administrators]
    KeyAdministrator_1=computer_username
    KeyAdministrator_2=computer_username
    [Provider0]
    ProviderType=998
    ProviderName=ISS ECNRA Built-In Provider, Strong Encryption Version
    ExchangeName=EC_KEYX EC239A01
    ExchangeID=44032
    ExchangeLen=239
    SecretName=DESX
    SecretID=26116
    SecretLen=168
    HashName=SHA1
    HashID=32772
    HashLen=160
    [Provider1]
    ProviderType=1
    ProviderName=Microsoft Enhanced Cryptographic Provider v1.0
    ExchangeName=RSA_KEYX (1024 bit)
    ExchangeID=41984
    ExchangeLen=1024
    SecretName=RC4 (128 bit)
    SecretID=26625
    SecretLen=128
    HashName=SHA-1
    HashID=32772
    HashLen=160

Example server sensor response file

An example server sensor response file appears below:

    [RealSecure Response File]
    Version=6.5
    [SelectedComponents]
    Component_1=Targets\RealSecure Server Sensor\Server Sensor Host Component
    Component_2=Targets\RealSecure Server Sensor\Server Sensor without Network Monitoring
    [Server Sensor Name]
    Name=server_sensor_1
    [Server Sensor Destination]
    Destination=C:\Program Files\ISS\issSensors\server_sensor_1
    [Daemon Destination]
    Destination=C:\Program Files\ISS\issDaemon
    [Authentication Strength]
    AuthenticationStrength=1
    [Allow Auto Key Import]
    AllowAutoKeyImport=1
    [Key Administrators]
    KeyAdministrator_1=computer_username
    KeyAdministrator_2=computer_username
    [Provider0]
    ProviderType=998
    ProviderName=ISS ECNRA Built-In Provider, Strong Encryption Version
    ExchangeName=EC_KEYX EC239A01
    ExchangeID=44032
    ExchangeLen=239
    SecretName=DESX
    SecretID=26116
    SecretLen=168
    HashName=SHA1
    HashID=32772
    HashLen=160
    [Provider1]
    ProviderType=1
    ProviderName=Microsoft Enhanced Cryptographic Provider v1.0
    ExchangeName=RSA_KEYX (1024 bit)
    ExchangeID=41984
    ExchangeLen=1024
    SecretName=RC4 (128 bit)
    SecretID=26625
    SecretLen=128
    HashName=SHA-1
    HashID=32772
    HashLen=160

Using the Silent Installation Feature

Running automated install in silent mode

The automated installation feature can be used with InstallShield’s Silent Install feature to suppress the display of the RealSecure Setup window.

Caution: If you install the event collector, the installation is not completely silent. The install program requires that you enter passwords for certain windows.

Syntax

InstallShield Silent requires the /s parameter and the Silent Install response file (by default, this response file is called setup.iss). The syntax for using the automated and silent installation together is as follows:

    setup.exe -gfull path to automated install response file\response file name -s -f1 path\Silent Install ResponseFile

The -f1 switch specifies an alternate location and name of the response file (.iss file).

Note: The order of the switches in the command line is important. When running an automated install in silent mode, be sure to specify the -g switch before the -s switch.
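Because a silent run shows no Setup window, the automated-install response file can be checked beforehand against the rules this chapter states: Version fixed at 6.5, a mandatory [Provider0], the required provider keys of Table 12, and the key-import and hardening settings of Table 11. The Python lint below is an added example, not ISS code; the function name, the ERROR/WARN labels and the sample file are assumptions made for illustration.

```python
import configparser
import re

# Table 12: keys marked "Required" in every [ProviderN] section.
REQUIRED = ("ExchangeID", "ExchangeLen", "SecretID", "SecretLen", "HashID", "HashLen")
# Table 12: keys marked "Optional if ProviderName is wildcard".
NAMES = ("ProviderType", "ExchangeName", "SecretName", "HashName")
HARDEN = ("Console Harden Security", "Event Collector Harden Security",
          "Engine Harden Security")


def lint_response_file(text):
    """Return a list of (severity, message) findings for response-file text."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case; configparser lowercases by default
    cfg.read_string(text)
    out = []

    def val(section, key):
        return cfg.get(section, key, fallback="").strip()

    if val("RealSecure Response File", "Version") != "6.5":
        out.append(("ERROR", "[RealSecure Response File] Version must be 6.5"))

    providers = [s for s in cfg.sections() if re.fullmatch(r"Provider\d+", s)]
    if "Provider0" not in providers:
        out.append(("ERROR", "no [Provider0]; Setup terminates without a first provider"))
    for sec in providers:
        name = val(sec, "ProviderName")
        if not name:
            out.append(("ERROR", f"[{sec}] ProviderName must be a provider name or *"))
        for key in REQUIRED:
            if val(sec, key) in ("", "*"):
                out.append(("ERROR", f"[{sec}] {key} is required and must be a value, not a wildcard"))
        # Assumption: with an explicit ProviderName the name keys must be explicit too,
        # because Setup looks for the wildcard only in ProviderName.
        for key in NAMES:
            if name not in ("", "*") and val(sec, key) in ("", "*"):
                out.append(("WARN", f"[{sec}] {key} should be explicit when ProviderName is"))

    if val("Allow Auto Key Import", "AllowAutoKeyImport") == "1":
        out.append(("WARN", "AllowAutoKeyImport=1: the first console to connect "
                            "supplies the sensor's initial key"))
    admins = []
    if cfg.has_section("Key Administrators"):
        admins = [v for k, v in cfg.items("Key Administrators")
                  if k.startswith("KeyAdministrator_") and v.strip()]
    if not admins:
        out.append(("WARN", "no key administrator: keys cannot be pushed to sensors here"))
    if val("Authentication Strength", "AuthenticationStrength") == "0":
        out.append(("WARN", "AuthenticationStrength=0 differs from the default of 1"))
    for sec in HARDEN:
        if val(sec, "LockDownSystem").lower() == "no":
            out.append(("WARN", f"[{sec}] LockDownSystem=No: registry keys and "
                                "directories are not restricted to administrators"))
    for sec in ("Network Sensor Name", "Server Sensor Name"):
        if " " in val(sec, "Name"):
            out.append(("ERROR", f"[{sec}] Name must not contain spaces"))
    return out


# Constructed sample (not from the guide): a network sensor response file with
# several of the problems above seeded in.
SAMPLE = r"""
[RealSecure Response File]
Version=6.5
[SelectedComponents]
Component_1=Targets\RealSecure Network Sensor
[Network Sensor Name]
Name=dmz sensor
[Allow Auto Key Import]
AllowAutoKeyImport=1
[Engine Harden Security]
LockDownSystem=No
[Provider0]
ProviderName=*
ExchangeID=44032
ExchangeLen=191
SecretID=26115
SecretLen=168
HashID=32772
[Provider1]
ProviderType=1
ProviderName=Microsoft Enhanced Cryptographic Provider v1.0
ExchangeName=RSA_KEYX (1024 bit)
ExchangeID=41984
ExchangeLen=1024
SecretName=*
SecretID=26625
SecretLen=128
HashName=SHA-1
HashID=32772
HashLen=160
"""

if __name__ == "__main__":
    for severity, message in lint_response_file(SAMPLE):
        print(f"{severity:5} {message}")
```

Treat ERROR findings as reasons not to start Setup; WARN findings mark settings the guide itself flags as weakening authentication or hardening.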
Example response file

An example InstallShield Silent response file appears below:

    [InstallShield Silent]
    Version=v6.50.000
    File=Response File
    [File Transfer]
    OverwrittenReadOnly=NoToAll
    [Application]
    Name=RealSecure
    Version=1.00.000
    Company=ISS
    Lang=0009

RealSecure ships with a setup.iss file that allows Setup to run in Silent mode.

Silent install log file

When running Setup in Silent mode, you automatically generate a log file called setup.log in the same directory as that of the setup.ins (the compiled setup script file). You can specify an alternate silent install log file location using the -f2 switch. The Setup.log file for a successful silent setup of InstallShield is shown below.

    [InstallShield Silent]
    Version=v6.50.000
    File=Log File
    [ResponseResult]
    ResultCode=0
    [Application]
    Name=RealSecure Workgroup Manager 6.5
    Version=1.00.000
    Company=ISS
    Lang=0009

Note: The Setup.log file is the same for network sensors and server sensors, except for the Name parameter.

Silent install log file result codes

After running Setup in Silent mode, check the silent install log file setup.log to see if the setup succeeded. Table 13 lists the possible result codes and their meanings:

| Result Code | Meaning                                                |
|-------------|--------------------------------------------------------|
| 0           | Success                                                |
| -1          | General error                                          |
| -2          | Invalid mode                                           |
| -3          | Required data not found in the Setup.iss file          |
| -4          | Not enough memory available                            |
| -5          | File does not exist                                    |
| -6          | Cannot write to the response file                      |
| -7          | Unable to write to the log file                        |
| -8          | Invalid path to the InstallShield Silent response file |
| -9          | Not a valid list type (string or number)               |
| -10         | Data type is invalid                                   |
| -11         | Unknown error during setup                             |
| -12         | Dialog boxes are out of order                          |
| -51         | Cannot create the specified folder                     |
| -52         | Cannot access the specified file or folder             |
| -53         | Invalid option selected                                |

Table 13: Silent mode return codes

Automated Installation Frequently Asked Questions

Introduction

This topic answers some of the most frequently asked questions about automatically installing Windows components.

How do I generate an automatic install response file?

To generate a response file:

1. Run Setup using the -p switch and a response file name, like this:

       setup.exe -pc:\temp\autoinst.rsp

   (This command assumes that you call the response file autoinst.rsp and want it placed in C:\TEMP.)
2. Answer the user prompts just as you would with a normal installation.
3. At the conclusion of the installation, the response file will be located in the folder specified.

How do I run an automated installation?

To run an automated installation:

1. Create a response file either manually or by running Setup in Autorecord mode (see one of the following sections: “Automating Installations on Windows” on page 45, “Customizing the Automated Installation Response File” on page 48, or “Automating Network Sensor Installations on Solaris” on page 79).
2. Modify the response file manually as needed depending on the configuration of the target system.
3. Run Setup on the target system using the -g option, like this:

       setup.exe -gc:\temp\autoinst.rsp

   (This assumes that the response file is named autoinst.rsp and that it is located in the C:\TEMP directory.)

How do I know if the automatic install completed successfully?

To ensure the install completed successfully:

1. In the WINNT directory, locate the log file pertaining to the module you installed.

   | Module            | Log file                      |
   |-------------------|-------------------------------|
   | Workgroup Manager | workgroup_manager_install.log |
   | Network Sensor    | network_sensor_install.log    |
   | Server Sensor     | server_sensor_install.log     |

2. Open the log file using any text editor, such as Notepad.
3. Scroll to the bottom of the log file.
4. If the setup was successful, you see a message like this:

       Setup completed successfully. Return code=0

   If the setup was not successful, you see a message like this:

       Setup terminating.... Return code=-1

What do I do if the automatic install failed?

If the automatic installation failed:

1. Scroll upward from the bottom of the log file until you find the error message.
2. Correct the cause of the error and run the Setup again.

How do I use a different name for the automatic install log file?

If you want to use a different name, such as autoinst.log in this procedure:

1. Locate the SETUP.INI file in the same directory as setup.exe.
2. Open the file using any text editor, such as Notepad.
3. Add this line to the [Startup] section:

       AutoLogFileName=autoinst.log

4. Run the setup in autoinstall mode.

How do I run a silent automated install?

Silent install requires a silent install response file. An example response file named setup.iss ships with RealSecure in the same directory as setup.exe. Use this file along with the autoinstall and the silent install switches as follows:

    setup.exe -gc:\temp\autoinst.rsp -s

By default, Setup looks in its current directory for the silent install response file. If you need to specify a different location for the silent install response file, use the -f1 switch as follows:

    setup.exe -gc:\temp\autoinst.rsp -s -f1c:\temp\setup.iss

How do I know if the silent automated install succeeded?

Check both the automated install log file and the silent install log file for errors. Setup creates the silent install log file in the same directory as the setup.ins file. By default, this file is called setup.log. To specify an alternate location and name for the silent install log file by using the -f2 switch, type:

    setup.exe -gc:\temp\autoinst.rsp -s -f2c:\temp\silent.log

or

    setup.exe -gc:\temp\autoinst.rsp -s -f1c:\temp\setup.iss -f2c:\temp\silent.log

Working with Cryptographic Providers During Windows Installations

Introduction

Cryptographic providers encrypt communications between the console and sensors, console and event collector, and event collector and sensors. Encrypting communications secures the information that is passed between components.

Reference: For more information about setting up encryption, see “Customizing Encryption” on page 26.

Adding a provider

To add a provider during a Windows installation:

1. Click Add.
2. Select a provider from the list of providers installed on your system.
3. Click OK.

Important: If this console is going to communicate with any Unix sensors, a Certicom provider such as the ISS ECNRA Built-In provider must be listed in this window. If you do not see the ISS ECNRA provider, click Add to add it to the list.

Changing default algorithms for the provider

To change the default algorithms during a Windows installation:

1. Click Add to add the provider to customize.
2. Clear the Use algorithm defaults box. The Configure Algorithms window appears.
3. Choose an algorithm for each of the three categories.
4. Click OK.

Important: You must use the same algorithm for the console and each of the sensors.
If you do not, the components will not be able to communicate with each other.

Deleting a provider

To delete a cryptographic provider during a Windows installation:

1. Select the provider that you do not want the console to use.
2. Click Delete.

Note: If you delete a provider by mistake, click Add to add it back to the list. Deleting a provider does not delete the public/private key pair associated with that provider configuration. If you later add the provider back to your configuration, the existing key pair is used rather than generating a new key pair.

Archiving Private Keys

Introduction

Use the Archive Private keys window to archive a copy of the cryptographic provider’s private key that was created during installation. If you archive a copy of the private key, you can recover the private key if it becomes damaged or destroyed. The archived copy of the private key is encrypted and passphrase protected.

Important: The Setup program can only archive private keys when it creates them; it cannot archive existing private keys.

Benefits

If the cryptographic provider's private key becomes damaged or destroyed and you have an archived copy, you can retrieve the archived copy by using the Restore Cryptographic Private Keys utility. Since the cryptographic provider's public key will already exist on other components, no additional steps are necessary.

If the private key becomes damaged or destroyed and you do not have an archived copy of the key, you must reinstall the component whose key is damaged to create a new private/public key pair. Then you must copy the new public key to other components before authenticated communication can occur.

Reference: For more information, see “Restoring Archived Private Keys” on page 102.

Archiving the private key

To archive the private key during installation:

1. Select the Archive the private keys check box.
2. Use the default location, or type a location in the Save the key files in this folder field.
3. Type a passphrase in the Passphrase field.
4. Type the passphrase in the Confirm field.
5. Click Next.

Bypass archiving

To bypass archiving during installation:

1. Clear the Archive the private keys check box.
2. Click Next.
3. Click Next. The Start Copying Files window appears.
4. Do the settings need to be adjusted?
   - If yes, click Back and adjust the settings as needed.
   - If no, click Next. The installation program reviews the bindings settings and displays a message that the bindings review is complete.
5. Click OK. RealSecure completes the installation.

Chapter 5

Installing a Network Sensor on Solaris

Overview

Introduction

This chapter describes the RealSecure network sensor installation programs and installation procedures for Solaris environments.

In this chapter

This chapter contains the following topics:

- Installation Options on Solaris
- Installing a Network Sensor on Solaris
- Automating Network Sensor Installations on Solaris

Installation Options on Solaris

Installation methods

You can install the network sensor for Solaris using one of several methods:

- typical (simple) installation
- custom (advanced) installation
- automated installation

Typical installation

To install a network sensor with the default options (skipping advanced configuration), choose the option to accept the default settings during the installation process. Table 14 lists the default settings in a network sensor for Solaris installation.
Option Setting Auto import of keys (daemon only) No Install path (daemon only) /opt/ISS Network sensor directory (sensor only) network_sensor_1 Key management (sensor only) Key Administrators: No Cryptographic provider (daemon only) ISS ECNRA Built-In Provider, Strong Encryption Version Table 14: Default parameters for network sensor for Solaris Custom installation If you need to customize the settings described in Table 14, then you can choose the option to customize the sensor settings during the install process. Automated installation If you intend to install several network sensors using the same settings, you can use the automated installation process. With this feature, you install a network sensor once, save the settings you choose during that 72 Installation Options on Solaris installation, and then use those settings to install the same configuration on other computers without having to monitor the entire installation process. Reference: For more information, see “Automating Network Sensor Installations on Solaris” on page 79. 73 Chapter 5: Installing a Network Sensor on Solaris Installing a Network Sensor on Solaris Introduction Prerequisite This topic describes the following: prerequisite to installing a network sensor on a Solaris system installing a network sensor installing additional sensors The files needed for installation are stored in a tar file. Before installing a network sensor, open this file using the tar -xvf rsns6.5.2001.xxxsparc-solaris.multi.tar command. Installation Opening the file generates two packages and one installation script packages and script needed for installation. Use these packages to install daemons and sensors: This file... is used to... 
pkgISSXdmn install the daemon manually pkgISSXrsns install the sensor manually pkgISSXnsinstall.sh install daemons and sensors by running a script Table 15: Solaris installation files for network sensor Installing a network sensor To install a network sensor on Solaris: Caution: If you have already installed a sensor on this computer, use the procedure in “Installing additional network sensors” on page 77. 1. Log on using a superuser account, such as root. 2. Type the .pkgISSXnsinstall.sh all command to start the installation. 3. Press ENTER to install all the packages that are in the file. The installation program begins to install the file. Next, it prompts you to accept the terms of the ISS license agreement and the default installation parameters. 74 Installing a Network Sensor on Solaris 4. Do you accept all of the terms of the ISS RealSecure License Agreement, and do you want to install RealSecure with the default parameters? If yes, type y to install with default parameters (recommended), and then go to step 10. Reference: For a list of default settings, see Table 14, “Default parameters for network sensor for Solaris” on page 72. If no, type n. The installation asks you if you want to read the entire license agreement. 5. Type y to read the agreement. The installation prompts you to accept the terms of the agreement. 6. Type y to accept the terms of the ISS RealSecure License Agreement. The installation program prompts you for the installation directory of the daemon component. 7. Press ENTER to accept the default directory of /opt/ISS. The installation program prompts you to choose an auto-import option. 8. Do you want to automatically import an authentication key? When you select the auto-import option, the sensor receives the initial authentication key over a standard network connection initiated from the console. SiteProtector users must select this option if using authentication. 
Reference: For more information, see “Automatically Importing Authentication Keys” on page 24. If yes, type y. If no, type n. The installation program displays the default cryptographic provider configuration. 9. Set up as many cryptographic providers as you need. References: For more information, see “Customizing Encryption” on page 26. The installation prompts you to allow it to create the opt/ISS directory. 75 Chapter 5: Installing a Network Sensor on Solaris 10. Type y to have the installation create the directory. The installation program informs you that it must execute several scripts with the superuser account. 11. Type y to allow the installation to continue. The installation installs the daemon portion of the network sensor, and then prompts you to select a sensor package (there should only be one package named ISSXns1). 12. Press ENTER to install all the packages that are in the file. The installation program begins to install the file. Next, it prompts you to accept the terms of the ISS license agreement and the default installation parameters. 13. Do you accept all of the terms of the ISS RealSecure License Agreement, and do you want to install RealSecure with the default parameters? If yes, type y to install with default parameters (recommended), and then go to the last step. Reference: For a list of default settings, see Table 14, “Default parameters for network sensor for Solaris” on page 72. If no, type n. The installation asks you if you want to read the entire license agreement. 14. Type y to read the agreement. The installation prompts you to accept the terms of the agreement. 15. Type y to accept the terms of the ISS RealSecure License Agreement. The installation program prompts you for a name and directory for the network sensor. 16. Do you want to use network_sensor_1 as your network sensor name and installation directory? Reference: For more information, see “Sensor naming conventions” on page 3. 
If yes, type y to accept the default name of network_sensor_1. If no, type n, and then type the new name. Caution: Sensor names can contain only alphanumeric characters with underscores or dashes. 76 Installing a Network Sensor on Solaris 17. Do you want to set up one or more key administrators for this sensor? Reference: If you selected the automatic key import option, the first person to connect to this sensor will obtain key administrator rights. For more information, see “Automatically Importing Authentication Keys” on page 24. If yes, type y (recommended), and then set up each administrator using the format computer_username. If no, type n. The installation program informs you that it must execute several scripts with the superuser account. 18. Type y to allow the installation to continue. The program finishes the network sensor installation and removes all temporary files created during installation. Installing additional network sensors If you are installing a second or third network sensor or if you have previously installed server sensor on this computer, you must use the following procedure to install an additional sensor: 1. Log on using a superuser account, such as root. 2. Type the .pkgISSXnsinstall.sh netsensor command to start the installation. The installation prompts you to select a sensor package (there should only be one package named ISSXns1). 3. Press ENTER to install all the packages that are in the file. The installation program begins to install the file. Next, it prompts you to accept the terms of the ISS license agreement and the default installation parameters. 4. Do you accept all of the terms of the ISS RealSecure License Agreement, and do you want to install RealSecure with the default parameters? If yes, type y to install with default parameters (recommended). The program completes the installation. Reference: For a list of default settings, see Table 14, “Default parameters for network sensor for Solaris” on page 72. If no, type n. 
   The installation asks you if you want to read the entire license agreement.
5. Type y to read the agreement.
   The installation prompts you to accept the terms of the agreement.
6. Type y to accept the terms of the ISS RealSecure License Agreement.
   The installation program prompts you for a name and directory for the network sensor.
7. Do you want to use network_sensor_1 as your network sensor name and installation directory?
   Reference: For more information, see “Sensor naming conventions” on page 3.
   If yes, type y to accept the default name of network_sensor_1.
   If no, type n, and then type the new name.
   Caution: Sensor names can contain only alphanumeric characters with underscores or dashes.
8. Do you want to set up one or more key administrators for this sensor?
   Reference: If you selected the automatic key import option, the first person to connect to this sensor will obtain key administrator rights. For more information, see “Automatically Importing Authentication Keys” on page 24.
   If yes, type y (recommended), and then set up each administrator using the format computer_username.
   If no, type n.
   The installation program informs you that it must execute several scripts with the superuser account.
9. Type y to allow the installation to continue.
   The program finishes the network sensor installation and removes all temporary files created during installation.

Automating Network Sensor Installations on Solaris

Introduction
The RealSecure network sensor can be automatically installed on Solaris by using pkgask to generate a response file and by using an admin file to stop pkgadd from asking for confirmation before it runs the package setup scripts.

Note: You must run the automated installation for the daemon before you install the sensor.
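Because the admin file turns off pkgadd's confirmation for setup scripts that run as root, it is worth creating it with restrictive permissions and checking its contents before pkgadd reads it. The script below is an added example, not ISS code: write_admin_file and check_admin_file are hypothetical helper names, and the three settings are the minimum this guide lists under “About admin files”.

```shell
#!/bin/sh
# Added example (not ISS code): create and verify the pkgadd admin file.

# Minimum settings the guide lists for the admin file.
REQUIRED_SETTINGS="action=nocheck conflict=nocheck instance=overwrite"

# write_admin_file PATH
# Creates PATH with the required settings. The umask keeps other users from
# reading or changing a file that controls a root-level installation.
write_admin_file() {
    (
        umask 077
        : > "$1" || exit 1
        for setting in $REQUIRED_SETTINGS; do
            printf '%s\n' "$setting" >> "$1" || exit 1
        done
    )
}

# check_admin_file PATH
# Returns 0 only if every non-comment line is a plain key=value pair, no key
# is set twice, and each required setting is present. Otherwise prints the
# reason on stderr and returns 1.
check_admin_file() {
    file=$1
    seen=""
    keys=""
    [ -r "$file" ] || { echo "cannot read admin file: $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '' | '#'*) continue ;;            # blank line or comment
        esac
        case $line in
            *[!A-Za-z0-9_=/.@-]*)
                # Quotes, spaces, or non-ASCII bytes such as typographic quotes.
                echo "unexpected character in line: $line" >&2
                return 1 ;;
            ?*=*) ;;
            *)
                echo "not a key=value line: $line" >&2
                return 1 ;;
        esac
        key=${line%%=*}
        case " $keys " in
            *" $key "*)
                echo "key set more than once: $key" >&2
                return 1 ;;
        esac
        keys="$keys $key"
        seen="$seen $line"
    done < "$file"
    for setting in $REQUIRED_SETTINGS; do
        case " $seen " in
            *" $setting "*) ;;
            *)
                echo "required setting missing: $setting" >&2
                return 1 ;;
        esac
    done
    return 0
}
```

A line typed with typographic quotes, such as “action=nocheck”, fails the check because the shell writes the quote characters into the file as part of the key.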
Prerequisites
If you are installing daemons and sensors for the first time, you must complete the following prerequisites:
- Open the pkg ISSXdmn package that contains the installation files for the daemon.
- Open the pkg ISSXrsns package that contains the installation files for the network sensor.

About response files
The pkgask command runs the request script for a package and stores the information necessary to install the package. Using the request script is similar to using pkgadd to install the package, but no files are installed.
Note: Separate response files are required for the daemon and the sensor.

About admin files
An admin file contains installation parameters for the Solaris package administration commands. Use an admin file to install RealSecure, because the RealSecure package contains shell scripts that are run with superuser (or root) permissions. To run pkgadd non-interactively for a package with installation scripts, you must specify an admin file and turn off these checks. The admin file should contain, at a minimum, the following lines:

      action=nocheck
      conflict=nocheck
      instance=overwrite

Installing the daemon
Install the daemon before you install the sensor.
To automatically install the daemon:
1. Type the following command to generate the response file:
      pkgask -r response -d ./pkgISSXdmnns
2. Type the following commands to create an admin file:
      echo "action=nocheck" > admin
      echo "conflict=nocheck" >> admin
      echo "instance=overwrite" >> admin
3. Type the following command to install the daemon package:
      pkgadd -n -r response file name -a admin -d ./pkgISSXdmn all

Installing the sensor
Install the sensor after you install the daemon. An installed daemon is required for network sensor autoinstallations.
To automatically install the sensor:
1. Install the temporary sensor data by typing the following command:
      pkgadd -n -a admin -d ./pkgISSXrsns
   The temporary package pkg ISSXns is created in the /tmp directory.
2. Remove the temporary sensor data by typing the following command:
      pkgrm ISSXrsns
3. Create the response file by typing the following command:
      pkgask -r response -d /tmp/pkgISSXns
4. Install the sensor package by typing the following command:
      pkgadd -n -r response file name -a admin -d /tmp/pkg/ISSXns all

Chapter 6
Installing the Nokia Appliance

Overview

Introduction
This chapter describes the configuration steps necessary for proper operation of RealSecure on the Nokia appliance. It also contains instructions for upgrading or reinstalling RealSecure.

In this chapter
This chapter contains the following topics:

Topic                                                  Page
Before Installing the Nokia Appliance                  82
Enabling Hostname Resolution                           83
Enabling Logging                                       85
Upgrading or Reinstalling RealSecure from a Package    86
Installing a Second Sensor Using Voyager               89
Working with Newly Configured Interfaces               90

Before Installing the Nokia Appliance

Prerequisites
You must perform the following tasks in Nokia Network Voyager before you run RealSecure on your Nokia appliance:
- enable hostname resolution
- enable RealSecure logging

Enabling Hostname Resolution

Introduction
You must enable hostname resolution so that your network appliance can communicate with the workstation that runs the console. Use one of the following methods to enable hostname resolution:
- select DNS servers to resolve hostnames
- add static hosts
Important: You must add an IP address to the Host Assignment. This address must match the host name as it appears in the upper left corner of the Static Host Entries window.

Selecting DNS servers
Ensure that there is at least one active DNS server on your network.
To select DNS servers:
1. Log in to the appliance using Nokia Network Voyager. The Voyager window appears.
2. Click Config.
3. Click DNS in the System Configuration section.
4. Type the domain name in the Domain name edit box.
5. Type the IP address of the primary DNS server in the Primary name server box.
6. (Optional) Type the IP address of a secondary DNS server in the Secondary name server box.
7. (Optional) Type the IP address of a tertiary DNS server in the Tertiary name server box.
8. Click Apply.
9. Click Save.

Adding static hosts
If you choose not to select a DNS server, follow this procedure to add static host entries.
To add static host entries:
1. Log in to the appliance using Nokia Network Voyager. The Voyager window appears.
2. Click Config.
3. Click the Host Address Assignment link in the System Configuration section.
4. Type the hostname of this appliance in the Add new hostname edit box.
5. Click Apply.
6. Type the IP address of this appliance in the IP address edit box.
7. Click Apply.
8. Repeat Steps 4-7 to add any additional static hosts.
   Examples: SMTP server if email is enabled, SNMP manager if SNMP is enabled, and firewalls if OPSEC is enabled.
9. Click Save.

Enabling Logging

Introduction
RealSecure should be configured to log informational messages that can help with troubleshooting. (Error and warning messages are logged by default.)

Procedure
To enable logging:
1. Log in to RealSecure using the console or telnet.
2. Type the following command at the command line prompt:
      dbset syslog:action:file:/var/log/messages:selector:daemon.info t
3. Type the following command at the command line prompt:
      dbset :save

Upgrading or Reinstalling RealSecure from a Package

Introduction
If RealSecure is not already installed on your network application platform or if you want to upgrade RealSecure, you can run the newpkg command (at a command prompt) or use Nokia Network Voyager to perform the installation or upgrade.
Before you upgrade a 5.x sensor, you should synchronize the sensor log with the console’s database. See the RealSecure Workgroup Manager User Guide for information about how to do this.

Upgrading sensors remotely
There are certain prerequisites and procedures that you must follow before you remotely upgrade 5.x sensors to 6.x. These prerequisites and procedures are described in Chapter 2, "Upgrading Sensors".
Reference: For information and complete instructions for upgrading sensors remotely, see “Upgrading Sensors Remotely” on page 12.

newpkg procedure
The following is an example of what you will see when you execute the newpkg command. (This example assumes that the RealSecure package is on your local file system.)
To install RealSecure from a package:
1. Log in to RealSecure for Nokia using the console or telnet.
2. Type the following command at the command line prompt:
      newpkg
   The following text appears:
      1. Install from CD-ROM.
      2. Install from anonymous FTP server.
      3. Install from FTP server with user and password.
      4. Install from local filesystem.
      Choose an installation method (1-4):
3. Type 4.
   The following text appears:
      Enter pathname to the packages [none]:
4. Type the path to the directory where the package is stored.
   The following text appears:
      Loading Packages...done
      Found packages:
      RSNS_NokiaRelease_6_5_200x_xxx.tgz
      Package Description: RealSecure network intrusion detection system
      Would you like to:
      1. Install this as a new package
      2. Skip this package
      Choose (1-2):
5. Type 1.
   The following text appears:
      Installing RSNS_NokiaRelease_6_5_200x_xxx.tgz
      Extracting Package
      Done installing ISS
      cleaning up..done
      Reboot System to activate packages
6. Type the following command at the command line prompt:
      reboot
   RealSecure starts automatically after the appliance reboots.

Voyager procedure
The following procedure assumes that your RealSecure for Nokia package is in the /opt directory on your Nokia appliance.
To install using Voyager:
1. Log in to the appliance using Nokia Network Voyager. The Voyager window appears.
2. Click Config on the home page.
3. Click Manage Installed Packages in the System Configuration section.
4. Click FTP and Install Packages.
   Your RealSecure for Nokia package should be listed in the Select package for unpack field.
5. Select the appropriate package.
6. Click Apply.
   The package appears in a table called Information of selected package.
7. Click Click here to install/upgrade.
   The Package Selected for Installation or Upgrade page appears.
8. Select Yes in Install or Upgrade, as appropriate.
9. If you are upgrading, click the name of the current package under Choose one of the following packages to upgrade from.
10. Click Apply.
   A message indicates that the application was successful.
11. Click Save.
12. Click Home.
13. Click Config.
14. Click Reboot, Shut Down System (at the bottom of the page).
   RealSecure starts automatically after the appliance reboots.
15. Click Reboot.

Installing a Second Sensor Using Voyager

Introduction
This topic describes how to install a second network sensor using Voyager.

Second sensor procedure
To install the second network sensor using Voyager:
1. Log in to the appliance using Nokia Network Voyager. The Voyager window appears.
2. Click Security & Access Configuration on the home page.
3. Click RealSecure for Nokia.
4. Click Install network sensor two.
   Voyager begins installing the second network sensor. The installation program may take a few moments. The following message appears when the installation is complete:
      Network_sensor_2 is successfully installed
5. Once the installation is complete, run the Deployment Wizard to configure authentication for the sensor.
   Reference: For more information about running the Deployment Wizard, see “Configuring Authentication with the Deployment Wizard” on page 94.

Working with Newly Configured Interfaces

Introduction
The console will not necessarily recognize changes made to the interfaces of your Nokia appliance. In particular, the console may not recognize a newly configured interface.

Procedure
After you make interface configuration changes, you can force the console to recognize the changes.
To recognize interface configuration changes:
1. Start the console.
2. In the Sensors window, right-click the object that represents the Nokia appliance installation.
3. Select Properties.
4. In the Network Sensor Properties window, click the General tab.
5. Select the Adapter of Monitored Network menu.
   Note: If the newly configured interface appears, you do not need to force the console to recognize it and can stop. The status Stealth displays next to the interface, rather than an IP address. If the status is Inactive, it means that there is no physical connection between the hub and the switch. Finish this procedure.
6. Click Cancel.
7. In the Sensors window, right-click the object that represents the Nokia appliance installation.
8. Select Shutdown.
9. Click Yes.
10. Right-click the object that represents the Nokia appliance installation.
11. Select Start.
   Note: After you restart the sensor, the sensor is aware of the interface change. The console, however, may take a few moments (depending on the poll interval) to establish a connection with the sensor. To see changes immediately, stop and then manage the sensor again.
12. Return to the Adapter of Monitored Network menu, and then verify that the newly configured interface is available.

Chapter 7
Configuring a Network Sensor

Overview

Introduction
This chapter describes required and maintenance tasks you can do to configure a RealSecure network sensor.

After installation requirements
After installing a network sensor, you must configure your management console to communicate with the sensor.
Reference: For general information about setting up sensors to work with your management console, see the RealSecure Help (for the Workgroup Manager) or the RealSecure SiteProtector Strategy Guide (for SiteProtector management).

After installation requirements for Workgroup Manager only
If using the Workgroup Manager, you may need to do the following:
- if using authentication, configure the sensors to accept authenticated communication from SiteProtector or Workgroup Manager
- if using stealth mode, configure the console and sensor to hide the monitoring interface

Sensor maintenance
After installing a network sensor, you may need to do the following:
- test the sensor
- start or stop the sensor
- add new key administrators
- restore an archived private key
- uninstall the sensor
- change encryption or authentication settings

In this chapter
This chapter contains the following topics:

Topic                                                      Page
Configuring Authentication                                 93
Configuring Authentication with the Deployment Wizard      94
Configuring Authentication Manually                        97
Location of Authentication Keys                            100
Restoring Archived Private Keys                            102
Changing Encryption Settings                               104
Uninstalling Components and Updates                        105
Adding Key Administrators                                  110
Starting and Stopping Sensors                              111
Testing the Sensor                                         112
Network Sensor Stealth Configuration                       113

Configuring Authentication

Purpose
If you installed RealSecure components with the authentication option, then you must configure the sensors to accept authenticated communication from Workgroup Manager or SiteProtector before you can monitor and manage them.

Automatically configuring authentication
If you selected the auto-import option during installation and are using the Workgroup Manager for management, you can use the RealSecure Deployment Wizard to automatically configure authentication for you.
Reference: For more information, see “Configuring Authentication with the Deployment Wizard” on page 94.
If using SiteProtector, you must select auto-import when you install sensors. Authentication is automatically configured when you set up SiteProtector to monitor the sensor.
Reference: For more information, see the RealSecure SiteProtector Strategy Guide.

Manually configuring authentication
If you did not select the auto-import option, you can set up the authentication manually.
Reference: For more information, see “Configuring Authentication Manually” on page 97.

Configuring Authentication with the Deployment Wizard

Introduction
The Deployment Wizard is a program that automatically configures authenticated communication between the Workgroup Manager components and RealSecure sensors.

Prerequisites
Before running the RealSecure Deployment Wizard, you must complete the following prerequisites:
- Install the 6.5 Workgroup Manager.
- Enable the Automatic key import option in the Workgroup Manager installation program and in the sensor installation programs.
  Note: If you did not enable this option when you installed each component, you must configure authentication manually.
  Reference: See “Configuring Authentication Manually” on page 97.
- Give the Workgroup Manager from which you plan to run the Deployment Manager Key Administrator status over any sensors that you have previously installed (fresh sensor installations using the auto-import option will automatically give your Workgroup Manager Key Administrator status when you run the Wizard).
  Reference: See “Adding Key Administrators” on page 110.
- Obtain a valid ISS license key.
  Reference: See Chapter 7, “License Keys,” in the RealSecure Workgroup Manager Installation Guide.

Starting the Deployment Wizard
You can start the Deployment Wizard from the Workgroup Manager console in any of the following ways:
- From the File menu, select Run Deployment Wizard.
- When the console starts, it displays a window entitled Run Deployment Wizard.
  If you select the check box Show at Startup, the window appears whenever the console starts.
- From the View menu, select Options. On the General tab, select the Deployment Wizard Prompt to turn on or off the Run Deployment Wizard window that displays when the console starts.

Procedure
To use the Deployment Wizard to configure authentication:
1. Start the Deployment Wizard.
   The License Key Configuration window appears.
2. Type the path to your ISS license key, or click Browse to search for the folder where the key is located.
   Default: The default location of the license key is as follows:
      \Program Files\ISS\iss.key
3. Click Next.
   The Event Collector Location window appears.
4. Click Assets.
   The Choose Asset window appears.
5. Select Network Assets.
6. Click Add, and then select Daemon.
   The Add New Daemon Asset window appears.
7. Type the daemon name.
8. Type the host name (DNS) or IP address.
9. Select the Add All Daemon Components check box.
10. Click Add Asset.
11. Click Close.
12. Select the event collector.
13. Click OK.
   The Event Collector Location window appears.
14. Click Next.
   The Event Collector Verification window appears.
15. Did the event collector verification process complete?
   If yes, click Next. The Sensor Configuration window appears.
   If no, click Back to return to the Event Collector Location window and add an asset. Repeat Steps 4-10.
16. Select a sensor from the list of available assets.
   The wizard verifies that the event collector can connect to a sensor.
   Note: Green indicates a configured asset. Blue means that the asset has not yet been configured. You must have at least one blue asset to continue the configuration. If all assets have been configured, click Assets.
17. Click Next.
   The Encryption Key Configuration window appears. To monitor a sensor, the Workgroup Manager’s rs_con key and the event collector’s rs_eng key must exist on the sensor.
   The event collector keys should already appear in the list.
18. Select the keys to push to the sensors, or click Browse to search for the folder where the key is located.
19. Click Next.
   The Event Collector Configuration window appears.
20. Click Finish.
   The wizard configures the event collector and the blue (unconfigured) sensors.
21. Click Close.

Reference
If you encounter errors, see “Error Messages” on page 122 for possible causes and solutions.

Configuring Authentication Manually

Introduction
This topic describes the following:
- purpose of configuring authentication
- when to manually configure authentication
- which authentication keys go where

Purpose
After you install a sensor or event collector on a remote system, the component must have one or more of the console’s public authentication keys and one or more of the event collector’s authentication keys before the component and console can communicate. Copying the authentication keys configures authentication between the components.
Reference: For more information about how authentication works, see “Using Authentication” on page 22.

When to manually configure authentication
If you did not enable the automatic authentication key import option for all your RealSecure components, or you do not want to use the Deployment Wizard to distribute authentication keys, then you must copy the authentication keys manually.

About the Keys directory
Each component has its own Keys directory. This directory contains the component’s public authentication keys after installation and must contain the public authentication key of any component that is authenticated.

Which keys go where
You must copy the public authentication keys of the following components:
- copy console keys to the event collector and to the sensors
- copy event collector keys to the sensors

Location of console authentication keys
The default location of the console’s public key directory is:
      \Program Files\ISS\RealSecure 6.5 Console\Keys\

Default subdirectories
Usually, there are two subdirectories under the Keys directory:
- CerticomNRA—Public console keys used by Windows and Unix components
- RSA—Public console keys used only by Windows components
Depending on the cryptographic options you choose during installation, each directory could contain one or more console keys using the following naming format:
      rs_con_machine name_user name_length.PubKey

Copying console public keys
Copy these rs_con_machine name_user name_length.PubKey files to the corresponding CerticomNRA or RSA subdirectories on each event collector and sensor.
Unix sensors: Because Unix sensors do not use RSA encryption, you only have to copy the keys in the CerticomNRA directory.
Reference: For the exact location of the keys directories on the event collector and sensors, see “Location of Authentication Keys” on page 100.

Event collector authentication keys
The default location of the event collector’s public key directory is:
      \Program Files\ISS\RealSecure 6.5 Event Collector\Keys\
Usually, there are two subdirectories under the Keys directory:
- CerticomNRA—Public keys used by Windows and Unix components
- RSA—Public keys used only by Windows components
Depending on the cryptographic options you choose during installation, each directory could contain one or more event collector keys using the following naming format:
      rs_eng_machine name_length.PubKey

Copying event collector public keys
Copy these rs_eng_machine name_length.PubKey files to the corresponding CerticomNRA or RSA subdirectories on each sensor.
Unix sensors: Because Unix sensors do not use RSA encryption, you only have to copy the keys in the CerticomNRA directory.
Reference: For the exact location of the keys directories on the event collector and sensors, see “Location of Authentication Keys” on page 100.

Location of Authentication Keys

Location of console keys
The console’s public keys are located in the following directories by default:
      \Program Files\ISS\RealSecure 6.5 Console\Keys\CerticomNRA\rs_con_machine name_user name_length.PubKey
and
      \Program Files\ISS\RealSecure 6.5 Console\Keys\RSA\rs_con_machine name_user name_length.PubKey

Location of event collector keys
The event collector’s public keys are located in the following directories by default:
      \Program Files\ISS\RealSecure 6.5 Event Collector\Keys\CerticomNRA\rs_eng_machine name_length.PubKey
and
      \Program Files\ISS\RealSecure 6.5 Event Collector\Keys\RSA\rs_eng_machine name_length.PubKey

Location of sensor keys
The location of the sensor’s Keys directory depends on the operating system on which it runs.

Table 16: Location of Keys directory for all sensors

Operating system: Windows
Sensor’s public keys:
      \Program Files\ISS\issSensors\sensor name\Keys\CerticomNRA\rs_eng_machine name_length.PubKey
      and
      \Program Files\ISS\issSensors\sensor name\Keys\RSA\rs_eng_machine name_length.PubKey

Operating system: Unix (Solaris, HPUX, or IBM AIX)
Sensor’s public keys:
      /opt/ISS/issSensors/sensor name/Keys/CerticomNRA/rs_eng_machine name_length.PubKey

Operating system: IPSO (Nokia appliance)
Sensor’s public keys:
      /opt/ISS/RealSecure6_5/Keys/CerticomNRA/rs_eng_machine name_length.PubKey

RSA keys and Unix
Unix sensors cannot use RSA keys. Therefore, you do not have to copy the RSA keys to Unix sensors, even if an RSA directory exists under the Keys directory on the sensor.
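The manual copy rules in this topic (console rs_con keys and event collector rs_eng keys, CerticomNRA only for Unix sensors) can be checked mechanically before and after the copy. The script below is an added example, not ISS code: the function names are hypothetical, and treating the Nokia (IPSO) sensor like a Unix sensor is an assumption based on Table 16, which lists only a CerticomNRA path for it.

```shell
#!/bin/sh
# Added example (not ISS code): choose which public keys to copy to a sensor
# and confirm afterwards that the sensor holds the keys it needs.

# providers_for OS
# Prints the Keys subdirectories a sensor on OS uses. Unix sensors cannot use
# RSA keys; Table 16 lists only CerticomNRA for the Nokia (IPSO) appliance.
providers_for() {
    case $1 in
        windows)     echo "CerticomNRA RSA" ;;
        unix | ipso) echo "CerticomNRA" ;;
        *)           return 1 ;;
    esac
}

# keys_to_copy SRC_KEYS_DIR OS
# Lists, relative to SRC_KEYS_DIR, the files to copy to a sensor on OS.
# Only rs_con_*.PubKey and rs_eng_*.PubKey are listed, so nothing else kept
# in a Keys directory is distributed by mistake.
keys_to_copy() {
    src=$1
    providers=$(providers_for "$2") || {
        echo "unknown sensor operating system: $2" >&2
        return 1
    }
    for provider in $providers; do
        for path in "$src/$provider"/*; do
            if [ ! -f "$path" ]; then continue; fi
            name=${path##*/}
            case $name in
                rs_con_*.PubKey | rs_eng_*.PubKey)
                    printf '%s/%s\n' "$provider" "$name" ;;
                *)
                    echo "skipped, not a public key file: $provider/$name" >&2 ;;
            esac
        done
    done
    return 0
}

# check_sensor_keys SENSOR_KEYS_DIR PROVIDER
# Returns 0 only if the provider subdirectory holds at least one console key
# (rs_con) and one event collector key (rs_eng); reports what is missing.
check_sensor_keys() {
    dir=$1/$2
    rc=0
    for role in rs_con rs_eng; do
        found=no
        for path in "$dir/$role"_*.PubKey; do
            if [ -f "$path" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then
            echo "no $role public key in $dir" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run keys_to_copy against the console's and the event collector's Keys directories, copy the listed files, and then run check_sensor_keys against the sensor's Keys directory.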

Restoring Archived Private Keys

Introduction
If you installed a RealSecure component for Windows, you had the option of archiving your private keys at the end of the installation process. Unix installations do not provide this option.

Purpose
Under ordinary circumstances, you should not have to restore your cryptographic private keys. You may have to restore the keys under the following circumstances:
- The hardware on which RealSecure is installed is damaged and you need to load RealSecure onto a new computer.
- The Windows Registry is corrupted and your private keys are inaccessible.

Prerequisites
Before restoring the archived private keys:
- Locate a copy of the archived keys.
- Install the same providers the previous console used.
Important: The archived copy of the private key is encrypted and protected with a passphrase. You must have the passphrase to restore the archived private key.

Procedure
Restore the private keys using the Restore Cryptographic Private Keys utility.
To restore archived private keys:
1. Insert the Internet Security Systems CD into the CD-ROM drive, and then locate the following folder to access the Utilities setup program:
      cd-rom drive:\RealSecure\Retail\Windows_NT_x86\RS_Key_Utility\6.5\setup.exe
   The Welcome window appears.
2. Select Restore cryptographic private keys.
   The Restoring the Archived Private Key window appears.
3. Type the path of the folder where the archived key is stored in the Get the key files from the directory field, or click Browse to search for the folder.
4. Type the passphrase in the Passphrase field.
5. Type the passphrase in the Confirm field.
6. Click Next.
   After the restore process completes, Setup terminates. If Setup was unsuccessful in restoring the keys, it reports an error. Possible causes of failure include corrupted private key archives, incorrect passphrase, or different key names.

Unable to restore archived private keys
If you are unable to restore your private keys from their archives, you must reinstall the RealSecure console and generate new public/private keys.
Important: Reinstalling the console generates cryptographic keys different from the old ones. You must distribute the new public keys to all sensors that you manage from this console.

Changing Encryption Settings

Introduction
To change the encryption settings of one or several components, you must completely uninstall one or more components, and then reinstall the components with the new encryption settings.

Changing encryption on Windows
On a Windows system, you must uninstall, and then reinstall a sensor to change the encryption settings. If you have multiple sensors on the computer, you must uninstall, and then reinstall all of them. When you reinstall the first daemon component (the sensor), you can reconfigure the cryptographic settings.

Changing encryption on Unix
On a Unix system, you are only required to uninstall the daemon component to change the encryption settings.

Uninstalling Components and Updates

Introduction
If you need to remove a RealSecure component from a computer, you can uninstall it. If you have upgraded a sensor through the remote upgrade process, you can uninstall the sensor upgrade (downgrade) to return the sensor to the last version, if necessary.
Reference: For more information about using the remote upgrade process, see “Upgrading Sensors Remotely” on page 12.
This topic describes the following:
- how to uninstall remote network sensor upgrades
- how to uninstall components on Windows
- how to uninstall components on Solaris
- how to uninstall components on a Nokia appliance

Uninstalling remote upgrades
If you upgraded a network sensor using the remote upgrade process, you can uninstall the remote upgrade from the console.
You cannot uninstall a full remote upgrade from a server sensor from the console. Instead, you must uninstall the sensor, and then reinstall the correct sensor version.
To uninstall a network sensor remote upgrade:
1. Manage each sensor that you want to downgrade.
2. Select one or more sensors, and then right-click them.
   Important: You can downgrade a group of network sensors only if they are installed on the same operating system, but are not installed on the same computer. Network sensor upgrades installed on a single computer must be uninstalled individually.
   A pop-up menu lists possible command options.
3. Select Uninstall Update.
   A message informs you that the program will uninstall the last upgrade you applied.
4. Click Yes to continue.
   After several seconds, the component status of the sensor changes to unknown. The control status displays several errors while the program uninstalls the upgrade. The process could take several minutes. If you have other sensors on this system, the daemon version remains at 6.5 to accommodate them. Otherwise, the daemon is uninstalled with the sensor.

Uninstalling a Windows component
To remove RealSecure from a Windows system:
1. Select Start→Settings→Control Panel.
2. Double-click Add/Remove Programs.
   The Add/Remove Programs Properties window appears.
3. Select a RealSecure component:
   - RealSecure Workgroup Manager 6.5
   - RealSecure Console 6.5
   - RealSecure Event Collector 6.5
   - RealSecure Network Sensor 6.5
   - RealSecure Server Sensor 6.5
4. Click Add/Remove.
   The InstallShield Wizard window appears.
5. Select the component you want to remove.
6. Click OK.
   A Confirmation window to uninstall the RealSecure component appears.
7. Click Yes.
   The Backup Configuration window appears.
8. Do you want to back up the components and save any files you have created?
   If yes, click Yes.
   If no, click No.
   Note: If you choose to save these files, RealSecure creates backups of the log event database, enterprise database, and asset database. If you choose not to save these files, they are deleted.
9. Click Finish.
10. After you remove RealSecure, restart the system.

Uninstalling Solaris sensors
To remove a RealSecure sensor from a Solaris system, you must first remove all sensors before removing the daemon.
To remove RealSecure from a Solaris system:
1. Log on using a superuser account, such as root.
2. Type the command applicable to the type of sensor:
      pkgrm ISSXnsx    (network sensor, where x is the sensor number)
      pkgrm ISSXss     (server sensor)
   The uninstallation program asks you to confirm the removal.
3. Type y to confirm.
4. Do you need to remove any other sensors from this computer?
   If yes, repeat steps 2 and 3 for each sensor that you want to remove.
   If no, go to the next step.
5. Are you planning to keep any other sensors on this computer?
   If yes, you do not need to uninstall the daemon. The uninstallation is complete.
   If no, go to the next step to remove the daemon.
6. Remove the daemon by typing the following command:
      pkgrm ISSXdmn
7. Type y to confirm the removal.
8. After the RealSecure components are removed, restart the Solaris system.

Removing directories
After you uninstall Solaris network or server sensors, you must remove the /opt/ISS directory from your computer.
To remove the directories:
1. Log in using a superuser account, such as root.
2. Type the following command:
      rm -rf /opt/ISS

Uninstalling a sensor from a Nokia appliance
To remove RealSecure from a Nokia appliance:
1. Log in to the appliance using Nokia Network Voyager. The Voyager window appears.
2. Click Config.
3. Click the Manage Installed Packages link in the System Configuration section.
4. Select Off in the RealSecure network intrusion detection system field.
5. Click Apply.
6. Click Save.
7. Click Delete Packages (on the same page).
8. Select Delete in the RealSecure network intrusion detection system field.
9. Click Apply.
10. Click Save.
11. Click Home.
12. Click Config.
13. Click Reboot, Shut Down System (at the bottom of the page).
14. Click Reboot.
   Note: It is not necessary to press Halt after removing a sensor. Pressing Halt stops the system but does not turn the power off. If you accidentally press the button, manually turn the power off and on.

Uninstalling a second sensor from a Nokia appliance
To remove a second network sensor from a Nokia appliance:
1. Log in to the appliance using Nokia Network Voyager. The Voyager window appears.
2. Click Security & Access Configuration on the home page.
3. Click RealSecure for Nokia.
4. Click Remove network sensor two.
   Voyager begins uninstalling the second network sensor. The following message appears:
      Network_sensor_2 is successfully removed

Adding Key Administrators

Introduction
If you need to allow a user to transfer authentication keys or other files to and from sensors, the user must have key administrator status.

General procedure
You can add a key administrator to any sensor from the console if you select at least one key administrator during the initial installation of the sensor.

Key administrators and multiple sensors
If you have installed multiple sensors on the same computer or a server sensor and an event collector together, key administrator status applies to all components installed on that computer. In other words, when you set up a key administrator for one component, that person is automatically a key administrator for the other component.

Reference
For information about using the console to add a key administrator, see the RealSecure Help.
Windows
For Windows sensors, you must set up at least one key administrator during installation or enable auto-import during installation (the first person to connect to the sensor gains key administrator rights).

Solaris
For Solaris sensors, you can use the console to add a key administrator if you set up at least one key administrator during installation. If you did not configure a key administrator during installation, you can add an administrator after installation from the command line by using a script.

Using the Solaris script
If you selected the option to install the sensor using the defaults, the installation program did not set up a key administrator. If you need to set up a key administrator after the install is complete, run the keyadmin_setup.sh command in the /opt/ISS/issDaemon/ keyadmin.sh directory.

Starting and Stopping Sensors

Introduction
You can start and stop sensors from the console or locally from the computer running the sensor. This topic describes how to start the sensors manually from the sensor’s computer.

Reference: For information about starting or stopping the sensor using the console, see the RealSecure Help or the SiteProtector Help.

Starting and stopping a sensor on Windows

To start or stop a sensor running in Windows:
1. Open the Services window.
   - Windows 2000: From the Start menu, select Control Panel→Administrative Tools→Component Services→Services.
   - Windows NT: From the Start menu, select Control Panel→Services.
2. Double-click the issDaemon service.
3. Click Start to start it or Stop to stop it.

Starting a Solaris sensor

Start a Solaris sensor by either one of the following methods:
- Restarting the system. The sensor will start when the system starts.
- Typing the following command:
      /etc/init.d/realsecure start

Stopping a Solaris sensor

To stop a Solaris sensor, type the following command:
      /etc/init.d/realsecure stop

Testing the Sensor

Introduction
After applying policies to sensors, you should be able to monitor network activity through the console. Depending on the behavior of the network, data may not appear on the console immediately.

Testing the sensor
If you have applied policies and started sensors, but no information appears in any of the console windows, a network sensor can be tested by telnetting to an SMTP server at port 25 that is on the collision domain being monitored. When connected, type WIZ on a line by itself. Press ENTER. A server sensor may be tested by logging in or by changing the audit policies.

Running a network scan
If ISS Internet Scanner is available, run a scan on the collision domain where the sensor is located. Alerts appear in the Priority windows, and entries in the Activity Tree window.

Reference: For more information about sensor settings, see the RealSecure Workgroup Manager User Guide for the sensor you are installing.

Network Sensor Stealth Configuration

Introduction
This topic describes the following:
- definition of stealth mode
- using the kill response with stealth mode
- how to set up stealth mode

Definition: stealth mode
RealSecure allows you to configure a network sensor so that it monitors events with one network interface card (NIC) in promiscuous mode and communicates with the private network through another NIC. This is called stealth mode because the promiscuous NIC does not have a protocol stack bound to it and is therefore relatively invisible on the monitored network.

Kill responses and stealth mode
RealSecure kills (TCP resets) must originate from the NIC that monitors network traffic (NIC 1).
If you use the kill response, attackers may be able to guess that the network sensor exists.

Tasks to set up stealth mode
Setting up a network sensor to use stealth mode involves three major tasks that are described in detail in this topic:
1. Install at least two NICs on the network sensor computer. (All Nokia appliances have at least three NICs.)
   Reference: See “NIC card requirements” on page 114 for more information.
2. Configure one of the NICs (the NIC to monitor network traffic) to use stealth mode.
   Reference: See one of the following procedures for more information:
   - “Installing stealth NIC on Windows NT” on page 115
   - “Installing Stealth NIC on Windows 2000” on page 117
   - “Configuring the stealth network sensor on Unix” on page 118
   - “Configuring the stealth NIC on the Nokia appliance” on page 118
3. Configure the network sensor to use stealth mode.
   Reference: See “Configuring a network sensor to use stealth mode” on page 114.

NIC card requirements
A stealth configuration is implemented using two network interface cards on the network sensor.

Windows and Solaris sensors
For Windows and Solaris sensors, you should configure the first NIC to be the reporting NIC. This NIC is connected to an internal, secured network and has a full TCP/IP protocol stack with an IP address and IP services. This channel is used by the network sensors to communicate with the console. The console could be several network hops away, or you could create a small network segment just for the network sensors and console by using a hub or crossover cable.

The second NIC is connected to the monitored network segment. It does not have a protocol stack bound to it; therefore, it does not have an IP address or any IP services available. This configuration makes it more difficult for an external attacker to attack the network sensor itself through this interface.
Nokia (IPSO) sensors
For sensors running on a Nokia appliance, the first NIC should monitor the network segment, and the second NIC should connect to the console. (The reverse of the configuration described above.)

Email and SNMP
To use the EMAIL response and SNMP traps, the Email gateway and SNMP collector must be accessible from the safer NIC (NIC 2 for Solaris and Windows, NIC 1 for Nokia).

Safe DMZ configuration
A common configuration is to connect NIC 1 to the DMZ segment outside the firewall and to connect NIC 2 to an internal segment inside the firewall. Since no protocol stack is attached to NIC 1, there is no danger of routing packets past the firewall on the network sensor computer.

Configuring a network sensor to use stealth mode

To configure stealth mode for a network sensor on Windows NT or Windows 2000:
1. Install the console.
2. Copy the keys to the network sensor.
   Reference: For more information, see “Configuring Authentication Manually” on page 97.
3. From the console system, start the RealSecure console.
4. From the Managed Assets menu, select Manage→Asset.
   The Choose Asset window appears.
5. Start the network sensor for which the stealth NIC has been configured.
6. After the sensor has been started and the event channel established, right-click the sensor, and then click Properties.
7. Click the General tab.
8. For Sensor Port, accept the default.
   Important: If you have multiple sensors installed on your system, the port number changes incrementally by three for each additional sensor. For example, 901 is the default port for sensor 1. For the next installed sensor (sensor 2), the default port is 904. For sensor 3, the default port is 907.
9. For Adapter of Monitored Network, select the NIC of the interface the sensor uses to monitor the segment.
10. Click OK.
11. Stop the sensor from the GUI.
12. Restart the sensor.
13. From the console, begin monitoring the sensor again.
Installing stealth NIC on Windows NT

Before setting up a stealth configuration, you must first install the stealth NIC (NIC1) and the private network NIC (NIC2).

To install the stealth NIC on Windows NT:
1. Install both NICs and their drivers.
2. After installation, select Control Panel→Network.
   The Network window appears.
3. Select the Adapters tab.
4. Select the adapter, and then click Properties.
5. Click the Bindings tab.
   You will see the bindings being set. If you receive any errors, click OK.
6. In the Show Bindings For box, click All Adapters.
7. For NIC2, click the “+” beside the NIC.
8. Highlight each binding one-by-one, and then click Disable.
   Verify that NIC2 and all the bindings listed below are disabled. For RealSecure to watch the network, it does not need the NIC to bind to TCP/IP because the Raw Packet Driver installed during the Setup places the NIC into promiscuous mode and reads the raw data from the NIC. NIC1 will have no IP address.
9. Click the Protocols tab.
10. Highlight TCP/IP Protocol.
11. Click Properties to display the Microsoft TCP/IP Properties window.
12. Verify that the Adapter list only contains NIC1. If it contains NIC2, you have not properly disabled the TCP/IP Protocol for that NIC.
13. Select NIC1.
14. Enter all the appropriate TCP/IP information for this network segment.
15. When finished, click Apply.
16. Click OK to exit the window.
17. Restart your system.

Installing Stealth NIC on Windows 2000

Before setting up a stealth configuration, you must first install the stealth NIC (NIC1) and the private network NIC (NIC2).

To install the stealth NIC on Windows 2000:
1. Install both NICs and their drivers.
2. After installation, select Start→Settings→Network and Dial Up Connection.
   The Network window appears.
3. Select the second NIC.
4. Right-click and select Properties.
5. The Properties window appears.
6. Clear all the component check boxes, including Internet Protocol (TCP/IP).
   For RealSecure to watch the network, it does not need the NIC2 to bind to TCP/IP because the Raw Packet Driver installed during the Setup places the NIC into promiscuous mode and reads the raw data from the NIC.
7. Click OK.
8. Select the first NIC.
   The system uses this NIC to communicate with the RealSecure event collector or RealSecure Workgroup Manager.
9. Right-click NIC1, and select Properties.
10. Select TCP/IP and select Properties.
    The Local Area Connections Properties window appears.
11. Enter all the appropriate TCP/IP information for this network segment.
12. When finished, click OK.
13. Click OK to exit the window.

Bidirectional communication
If the RealSecure network sensor is installed on the management port of a switch, the “kill connection” action will not work, unless the management port supports bidirectional communications. The TCP reset packet that kills the connection must be sent from the monitoring interface. However, all other actions are initiated from NIC2 and function normally.

Configuring the stealth network sensor on Unix
The system is configured so that the stealth interface is not enabled at system boot. In the RealSecure startup script, bring up the stealth interface with the following command:
      /usr/sbin/ifconfig nf0 plumb -arp up

Running ifconfig -a shows the following for the device:
      nf0: flags=8c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 4352
              inet 0.0.0.0 netmask 0
              ether 8:0:20:f0:0:ba

Configuring the stealth NIC on the Nokia appliance
You can configure the stealth NIC on the Nokia appliance using Nokia Network Voyager. This procedure includes selecting a link for the logical and physical interfaces you will use for monitoring.

Note: This procedure is required only if the Active option is selected or an IP address is defined for the interface.

To configure a second interface for monitoring:
1. Log in to the appliance using Nokia Network Voyager.
   The Voyager window appears.
2. Click Config.
   The Configuration window appears.
3. Click Interfaces.
4. Click the link for the logical interface that you will use for monitoring (for example, eth-s1p2c0).
   Note: The interface will vary according to the Nokia appliance.
5. Select Off for the Active option.
6. Select the Delete check box.
7. Click Save.
8. Click Apply.
9. Click Up.
10. Verify that the Active option is Off and that there is no IP address or destination address.
11. Close the Web browser.
12. Open the RealSecure Workgroup Manager and select the interface from the Adapter of Monitored Network list.
    Reference: See “Working with Newly Configured Interfaces” on page 90.

Chapter 8: Troubleshooting

Overview

Introduction
This chapter describes several techniques for troubleshooting problems.

In this chapter
This chapter contains the following topics:
- Error Messages
- ISS Daemons

Error Messages

Introduction
This topic describes error messages you may encounter and what to do to resolve them.

Deployment Wizard errors
If you encounter errors as you run the Deployment Wizard, you cannot click Finish to close the wizard process. Read the error text and either fix the error or click Cancel. All settings and changes you make are saved.

Sensor management errors
All sensors should have a single management address that is used by all consoles and event collectors. If a sensor is managed at multiple IP addresses, an error message may occur that says the sensor is not being managed by the event collector. This error will occur when the IP address used by the event collector for a sensor is different from the IP address used by the console to manage that same sensor.
ISS Daemons

Introduction
For troubleshooting purposes, you may need to manually start or stop the ISS daemon.

Definition: ISS daemon
The ISS daemon is a component that is installed on computers running an event collector or one or more sensors. The daemon manages commands from the console and the connection between the components, such as the communication between an event collector and a sensor.

Managing daemons in Windows
On a Windows system, you can manage the daemon through the Windows Services Control Panel.

Reference: For a detailed procedure, see “Starting and Stopping Sensors” on page 111.

Managing daemons in Unix
On a Unix system, you can manage the daemon using these commands:
      /etc/init.d/realsecure start
      /etc/init.d/realsecure stop

Troubleshooting: If you manually installed the ISSED Maintenance Utility software, or if you do not have a Start menu shortcut (some installations do not install shortcuts), locate and run the TN-SQL1.exe file. It is located in the C:\Program Files\ISS\ folder.
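A check for the Solaris stealth interface described under “Configuring the stealth network sensor on Unix”: this added example (not part of the RealSecure guide or ISS software) parses ifconfig -a output and reports anything that departs from the profile the guide shows, namely UP, NOARP, and no address other than 0.0.0.0, including addresses on logical units such as nf0:1. The function names, the hme0 interface, and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ifconfig -a` text against the guide's stealth profile.

# stealth_findings IFACE: reads `ifconfig -a` output on stdin and prints one
# finding per line; prints nothing when IFACE matches the stealth profile.
stealth_findings() {
    awk -v ifc="$1" '
        # Stanza header: "nf0: flags=8c3<UP,...>" or logical "nf0:1: flags=..."
        /^[^ \t]+: flags=/ {
            name = $1; sub(/:$/, "", name)
            base = name; sub(/:.*/, "", base)
            in_stanza = (base == ifc)
            flags = $0; sub(/^[^<]*</, "", flags); sub(/>.*/, "", flags)
            flags = "," flags ","
            if (name == ifc) {
                seen = 1
                # ARP is an IPv4 matter, so skip flag checks on IPv6 stanzas.
                if (index(flags, ",IPv6,") == 0) {
                    if (index(flags, ",UP,") == 0)
                        print ifc ": not UP, the sensor cannot capture on it"
                    if (index(flags, ",NOARP,") == 0)
                        print ifc ": NOARP not set, the interface will answer ARP"
                }
            }
        }
        # Any real address on the interface or its logical units breaks stealth.
        in_stanza {
            for (i = 1; i < NF; i++) {
                if ($i == "inet" && $(i + 1) != "0.0.0.0")
                    print name ": IPv4 address " $(i + 1) " is assigned"
                if ($i == "inet6")
                    print name ": IPv6 address " $(i + 1) " is assigned"
            }
        }
        END { if (!seen) print ifc ": interface not found (not plumbed?)" }
    '
}

# is_stealth IFACE: exit status 0 only when there are no findings.
is_stealth() {
    [ -z "$(stealth_findings "$1")" ]
}

# Constructed sample: the nf0 stanza from the guide plus a made-up reporting NIC.
sample_stealth() {
cat <<'EOF'
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
nf0: flags=8c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 4352
        inet 0.0.0.0 netmask 0
        ether 8:0:20:f0:0:ba
EOF
}

# Constructed sample: ARP left enabled and an address added on a logical unit.
sample_exposed() {
cat <<'EOF'
nf0: flags=843<UP,BROADCAST,RUNNING,MULTICAST> mtu 4352
        inet 0.0.0.0 netmask 0
nf0:1: flags=843<UP,BROADCAST,RUNNING,MULTICAST> mtu 4352
        inet 198.51.100.5 netmask ffffff00 broadcast 198.51.100.255
EOF
}

# Demonstration on the constructed data; on a sensor, run instead:
#   /usr/sbin/ifconfig -a | stealth_findings nf0
sample_exposed | stealth_findings nf0
```

Running the check after each reboot or startup-script change catches a monitoring interface that has silently regained ARP or an IP address.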