eTrust Vulnerability Manager from Computer Associates International, Inc. (CA) can be easily implemented within the customer's network given attention to a few up-front details. Prior to performing an installation, consider the following:
- Identification of Known Assets to Manage. An implementation plan should be developed for the installation of eTrust Vulnerability Manager. (It is recommended that, at a minimum, the eTrust Vulnerability Manager Scoping Guide be used as a reference to help develop this plan.) The plan should include:
  - The identification of network segments containing the assets that each eTrust Vulnerability Manager will be responsible for managing.
  - The assets to be managed and the corresponding Asset Groups that will need to be created in the eTrust Vulnerability Manager to support segmentation of asset access. (Identify unique hostname conventions or contiguous IP ranges per segment that can be used to automatically group the assets.)
  - The identification of system administrators for these segments, their asset management responsibility, and their asset group association, for the purpose of user account creation.
- Identification of Best Practice Standard Sets to use in the customer's environment, if any.
- TCP/IP Information required for eTrust Vulnerability Manager. The customer will need to provide a static IP address for each installed eTrust Vulnerability Manager. In addition, other required TCP/IP information includes the default gateway and DNS IPs, and subnet mask.
- Proxy Settings. If eTrust Vulnerability Manager is routed through a proxy server to gain network access to the CA Content Source for content and code updates, enter the proxy server URL and valid proxy credentials (user name and password) in the eTrust Vulnerability Manager Network page.
- Open Ports within the Network. Communication through TCP/IP port 5250 is required between eTrust Vulnerability Manager and the eTrust VM Service client. In addition, if using the On-Demand inventory feature, communication through default TCP Port 5251 is needed between eTrust Vulnerability Manager and the eTrust VM Service client. The eTrust VM Service installed on the assets will be listening on this port. (This port is configurable, accepting values between 1025 and 65535.)
eTrust Vulnerability Manager and the eTrust VM Service client communicate via port 5250. It is possible for eTrust Vulnerability Manager and the eTrust VM Service client to communicate through a security gateway (such as a firewall, proxy, filtering router, VPN and so on) as long as the device is configured to allow connectivity between eTrust Vulnerability Manager and assets through TCP/IP port 5250.
If using an existing Unicenter Software Delivery (USD) infrastructure, and pointing the eTrust Vulnerability Manager to a USD Local server, communication through TCP/IP Port 4721 is needed between eTrust Vulnerability Manager and the Unicenter Local server, or eTrust Vulnerability Manager and the Unicenter Software Delivery remediation agent.
Browsers used to access the eTrust Vulnerability Manager communicate by SSL via port 443. The appropriate browser security level and open ports must exist within the network between the browsers and the appliance in order to successfully access the appliance.
- Open Ports to the Internet. eTrust Vulnerability Manager requests content and code updates from CA via port 5250 through a secure sockets layer (SSL) session. The client must allow traffic through port 5250 to CA in order to update content/code. Updates are based on an hourly or daily schedule that is customer specified, but the port used to pull the updates is not configurable, and there are no alternatives for updating code and content using any other resource at this time.
In addition to connecting through the Internet to CA for content and code updates, the eTrust Vulnerability Manager will need to communicate through the Internet for patch remediation download via HTTP port 80. The destination of this connection varies with the URL specified in the patch remediation data.
- Using Auto-Discovery. If the customer will be performing asset Auto-Discovery, eTrust Vulnerability Manager should be placed on a network segment that has network access to the subnets to be discovered. Before deciding where to place eTrust Vulnerability Manager in the network, consider which address ranges will be scanned and managed. The auto-discovery function of eTrust Vulnerability Manager is a non-intrusive discovery that gathers information on the active IP addresses and operating systems.
Asset Auto-Discovery can be performed on-demand or scheduled by user-specified discovery ranges. The eTrust Vulnerability Manager uses ICMP and SNMP through port 161 (probing for the public community only) in order to perform the asset discovery. In some cases, an asset may not be detected if ICMP or SNMP is disabled on it.
- Installation of eTrust VM Service and Remediation Agent. Administrator privileges are required on all assets for installation of the eTrust VM Service and Remediation File/Agent. If the customer does not have a centralized software deployment tool (such as Unicenter Software Delivery), then the eTrust VM Service client can be installed via login script or other internal deployment means.
When planning the distribution method, a metered deployment and installation approach is recommended. In order to manage network bandwidth and the impact on appliance processing, limit the eTrust VM Service deployment and installation task to a maximum of 500 per day, occasionally monitoring the appliance for successful asset profile creation.
To download the installation packages for eTrust VM Service and Remediation File, click on the "All Platforms" link that appears on the eTrust Vulnerability Manager Login page. Login credentials are not required to download agents from this location. Please refer to Quick Start Guide or Installation Instructions for additional eTrust Vulnerability Manager and Remediation File installation information.
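The port requirements listed above (5250 for the eTrust VM Service client and for CA content/code updates, the configurable On-Demand inventory port defaulting to 5251, 4721 for Unicenter Software Delivery, 443 for browser access, 80 for patch download, and ICMP/SNMP 161 for auto-discovery) are easy to lose track of when a network team is writing firewall rules. The following is an added example, not CA's code or tooling: it encodes those flows as a checklist and walks a constructed, ordered allow/deny rule list to report which required flows the rules do not permit. The endpoint labels ("appliance", "assets", "ca-content-source", and so on), the rule format, the traffic direction assumed for each flow, and the sample rules are all assumptions made for the illustration; SNMP is placed on UDP because that is the protocol SNMP normally uses, which the text does not state.

```python
"""Check an ordered firewall rule list against the TCP/IP flows eTrust
Vulnerability Manager needs. Added illustration, not CA's code; endpoint
labels, rule format, assumed directions and sample rules are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Union

Rule = Dict[str, Union[str, int]]


@dataclass(frozen=True)
class Flow:
    src: str        # assumed initiating side (label, not an address)
    dst: str        # assumed receiving side
    proto: str      # "tcp", "udp" or "icmp"
    port: int       # 0 for ICMP, which has no port
    purpose: str


def valid_ondemand_port(port: int) -> bool:
    """The On-Demand inventory port is configurable between 1025 and 65535."""
    return 1025 <= port <= 65535


def required_flows(ondemand_port: int = 5251, use_ondemand: bool = True,
                   use_usd: bool = False) -> List[Flow]:
    """Build the checklist of flows named in the planning notes above."""
    if use_ondemand and not valid_ondemand_port(ondemand_port):
        raise ValueError("On-Demand inventory port must be between 1025 and 65535")
    flows = [
        Flow("appliance", "assets", "tcp", 5250, "eTrust VM Service client"),
        Flow("appliance", "ca-content-source", "tcp", 5250, "content/code updates (SSL)"),
        Flow("appliance", "internet", "tcp", 80, "patch remediation download (HTTP)"),
        Flow("browsers", "appliance", "tcp", 443, "administrative browser access (SSL)"),
        Flow("appliance", "assets", "icmp", 0, "auto-discovery (ICMP)"),
        Flow("appliance", "assets", "udp", 161, "auto-discovery (SNMP, public community)"),
    ]
    if use_ondemand:
        flows.append(Flow("appliance", "assets", "tcp", ondemand_port, "On-Demand inventory"))
    if use_usd:
        flows.append(Flow("appliance", "usd-local-server", "tcp", 4721,
                          "Unicenter Software Delivery local server"))
    return flows


def _matches(rule: Rule, flow: Flow) -> bool:
    """A rule field matches when it is the wildcard 'any' or equals the flow's value."""
    return all(rule[k] == "any" or rule[k] == getattr(flow, k)
               for k in ("src", "dst", "proto", "port"))


def permits(rules: List[Rule], flow: Flow) -> bool:
    """First-match evaluation with an implicit default deny."""
    for rule in rules:
        if _matches(rule, flow):
            return rule["action"] == "allow"
    return False


def missing_flows(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Return the required flows that the rule list does not allow."""
    return [f for f in flows if not permits(rules, f)]


# Constructed sample rule set: the kind of partial policy a first draft often has.
SAMPLE_RULES: List[Rule] = [
    {"action": "allow", "src": "appliance", "dst": "assets", "proto": "tcp", "port": 5250},
    {"action": "allow", "src": "browsers", "dst": "appliance", "proto": "tcp", "port": 443},
    {"action": "allow", "src": "appliance", "dst": "any", "proto": "tcp", "port": 80},
    {"action": "deny", "src": "any", "dst": "any", "proto": "any", "port": "any"},
]

if __name__ == "__main__":
    for f in missing_flows(SAMPLE_RULES, required_flows()):
        print(f"MISSING: {f.src} -> {f.dst} {f.proto}/{f.port}  ({f.purpose})")
```

Run against the sample rules, the report lists the CA update flow on 5250 (the existing 5250 rule only covers the asset segment), both auto-discovery flows, and the On-Demand inventory port; switching `use_usd=True` adds the 4721 flow to the checklist for sites that point the appliance at a Unicenter Software Delivery local server.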
Recommended Order of Implementation
Once all the appliance set-up points have been considered, the following is the recommended order of operations for implementing the appliance, so that the process is as efficient as possible and takes the greatest advantage of automation:
- Install eTrust Vulnerability Manager
- Use network information as described above.
- Create Asset Groups in the appliance per decisions based on organizational considerations above. Create Asset Groups using hostname or IP range distinctions in order to take advantage of automatic Asset Group assignment.
- Schedule the Asset Groups to report to the appliance, staggering the reporting times.
NOTE: Creating Asset Groups using IP or Host Name convention to identify assets and scheduling the Asset Groups before deploying the eTrust VM Service to hosts will optimize appliance processing during the implementation phase.
- Create User Accounts, associating the appropriate Asset Groups to the user based on administration needs.
- Deploy the eTrust VM Service and Remediation Agent to assets that will be automatically managed and remediated.
- Associate Best Practice or User-Defined Configuration Standard groups with Asset Groups, if desired.
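The planning note earlier in the page recommends identifying a hostname convention or contiguous IP range per segment so that assets fall into the right Asset Group automatically, and the deployment note recommends pushing the eTrust VM Service to no more than 500 assets per day and staggering the groups' reporting times. The following is an added example, not CA's code, of how a planner might dry-run those decisions against an exported inventory before creating anything on the appliance: it assigns each asset to a group by hostname pattern or CIDR range, splits the resulting hosts into daily deployment waves of at most 500, and spreads the groups' reporting start times across a window. The group names, patterns, ranges, sample inventory and the sixty-minute reporting window are constructed assumptions.

```python
"""Dry-run Asset Group assignment, metered deployment waves and staggered
reporting times from an inventory export. Added illustration, not CA's code;
group names, patterns, ranges and the sample inventory are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed Asset Group rules: each group matches either a hostname
# regular expression or a contiguous IP range written as CIDR.
ASSET_GROUPS: Dict[str, Dict[str, str]] = {
    "Finance-Workstations": {"hostname": r"^FIN-WS\d+$"},
    "HQ-Servers": {"cidr": "10.10.0.0/24"},
    "Branch-Segment": {"cidr": "192.168.50.0/24"},
}

MAX_PER_DAY = 500          # deployment cap recommended in the planning notes
UNASSIGNED = "UNASSIGNED"  # bucket for assets no rule matches


def assign_group(hostname: str, ip: str) -> Optional[str]:
    """Return the first Asset Group whose hostname pattern or IP range matches."""
    addr = ipaddress.ip_address(ip)
    for name, rule in ASSET_GROUPS.items():
        pattern = rule.get("hostname")
        if pattern and re.match(pattern, hostname, re.IGNORECASE):
            return name
        cidr = rule.get("cidr")
        if cidr and addr in ipaddress.ip_network(cidr):
            return name
    return None


def group_assets(inventory: Sequence[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, ip) pairs by Asset Group; unmatched hosts need manual placement."""
    grouped: Dict[str, List[str]] = {}
    for hostname, ip in inventory:
        grouped.setdefault(assign_group(hostname, ip) or UNASSIGNED, []).append(hostname)
    return grouped


def deployment_waves(hostnames: Sequence[str], per_day: int = MAX_PER_DAY) -> List[List[str]]:
    """Split hosts into daily eTrust VM Service deployment batches of at most per_day."""
    if per_day < 1:
        raise ValueError("per_day must be positive")
    return [list(hostnames[i:i + per_day]) for i in range(0, len(hostnames), per_day)]


def reporting_offsets(group_names: Sequence[str], window_minutes: int = 60) -> Dict[str, int]:
    """Stagger each group's scheduled reporting start (minutes) evenly across a window."""
    names = sorted(group_names)
    if not names:
        return {}
    step = window_minutes // len(names)
    return {name: i * step for i, name in enumerate(names)}


# Constructed sample inventory export: (hostname, IP address).
SAMPLE_INVENTORY = [
    ("FIN-WS001", "172.16.5.10"),
    ("fin-ws002", "172.16.5.11"),
    ("srv-db01", "10.10.0.5"),
    ("printer-3", "192.168.50.20"),
    ("laptop-7", "172.20.1.1"),
]

if __name__ == "__main__":
    grouped = group_assets(SAMPLE_INVENTORY)
    for group, hosts in grouped.items():
        print(f"{group}: {hosts}")
    print("reporting offsets:", reporting_offsets(g for g in grouped if g != UNASSIGNED))
```

Assets that land in the UNASSIGNED bucket are the ones whose naming or addressing does not follow the agreed convention; resolving them before deployment (by fixing the convention or adding a rule) keeps the appliance's automatic Asset Group assignment from leaving hosts ungrouped.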
These steps, taken in the suggested order, will ensure optimal performance of the appliance during implementation. No configuration made during the implementation phase is permanent - any grouping or association made during the initial set-up can be changed at any point later in time - but changes are made more easily after all Services have finished reporting to the appliance and the corresponding asset profiles have been created.
Given a planned and executed implementation of a 500-asset appliance with content and code two versions back, the average implementation will take approximately three days to complete:
- Day 1 Appliance installation, organization planning (code update #1).
- Day 2 Configuration per Day 1 planning, deploy eTrust VM Services (code update #2).
- Day 3 Finish Service deployment if necessary, deploy Remediation File, customer orientation.
If each point presented above is considered proactively, the eTrust Vulnerability Manager implementation will be a quick, successful process, with the added benefit that vulnerability management in the network can begin as soon as the implementation is complete.