RSA enVISION Basic introduction of 'OVERVIEW'

9:46 PM
RSA enVision

RSA enVision is a security information and event management (SIEM) application. It can gather log event data from a variety of event sources within an enterprise system and consolidate it into one logical location. This data can then be viewed, tracked, analyzed, reported on and securely stored.

RSA enVision transforms the raw, unrelated security and network events into meaningful intelligence that:

  • Reduces demand on IT staff
  • Increases security personnel effectiveness
  • Provides ongoing support for compliance regulations.

RSA enVision's Internet Protocol Database (IPDB) provides the architecture to automatically collect and protect data from network devices and event sources, without filtering or agents. It independently monitors network and security events to generate alerts for possible security and compliance breaches, and to analyze and report on network performance.

RSA enVision Components & Sites

RSA enVision Components

RSA enVision is made up of three components:

  • Application - Supports interactive users and runs the suite of analysis tools.
  • Collector - Captures incoming events.
  • Database - Manages access and retrieval of captured events.

Site

RSA enVision is deployed on a site basis.

You set up your site during the enVision installation, using the enVision Configuration Wizard. For more information, see the RSA enVision Getting Started Guide 60 Series or RSA enVision Configuration Guide 50 Series Product Documentation.

The number of appliances in an enVision site is determined by the enVision appliance series you purchased:

  • Single appliance site. These appliances are designed to operate in a stand-alone, non-distributed mode. They have all three enVision components (Database, Application, and Collector) installed on one appliance.
  • Multiple appliance site. These appliances are designed for distributed installations, with each enVision component (Database, Application, and Collector) on its own appliance type.

Each site has a unique site name. enVision appends the series name to the site name to indicate the type of appliance. Each appliance in the site is referred to as a node.

A NIC Windows domain is established when you configure your enVision site. The naming convention is sitename.nic.

You set up permissions for which sites a user can access on the Manage Site Login Permissions window.

Site Name

You set up your site and name it during the RSA enVision installation, using the enVision Configuration Wizard. For more information, see the RSA enVision Getting Started Guide 60 Series or RSA enVision Configuration Guide 50 Series Product Documentation.

A valid site name is a string of 2 to 11 alphanumeric characters. Selecting the site name is extremely important: once you name the site, you cannot change the name.

The site name is used in the following names:

  • Node name for each of your appliances. See Node Name.
  • NIC Windows domain name created for your site. The site name also becomes the name of the Windows domain created for your site, sitename.nic. For example, if your site name is Boston, the Windows domain for the site is Boston.nic.

Important! The site name must be unique: it cannot be the same as any other enVision site name, any existing Windows domain name, or the NetBIOS name of a Windows domain (the NetBIOS name of a Windows domain is the part of the name before the dot). For example, if your Windows domain name is MyDomainName.com, its NetBIOS name is MyDomainName, so it would be wrong to install an enVision site with the name MyDomainName.

Node Name

Each appliance in a site is referred to as a node. The site name becomes part of the node name.

  • For single appliance sites, the appliance name is sitename-appliancetype, where sitename is the site name and appliancetype is the appliance type. For example, if your site name is Seattle, the ES appliance name is Seattle-ES.
  • For multiple appliance sites:
    • For the Database server (D-SRV), the appliance name is sitename-DS1. For example, if your site name is Boston, the D-SRV name is Boston-DS1.
    • For the Application servers (A-SRV), the appliance name is sitename-ASx (where x indicates which A-SRV it is; values are from 1 to 3). For example, if you have 3 A-SRVs in your site, and your site name is Boston, the A-SRV names are Boston-AS1, Boston-AS2, and Boston-AS3.
    • For the Local Collectors (LC), the appliance name is sitename-LCx (where x indicates which LC it is; values are from 1 to 3). For example, if you have 2 LCs in your site, and your site name is Boston, the LC names are Boston-LC1 and Boston-LC2.
    • For Remote Collectors (RC), the appliance name is sitename-RC1. Each RC is considered a site, so the sitename for an RC is not the same name as its host site. For example, if you have 3 RCs associated with your Boston site, and the RCs' site names are Springfield, Worcester, and Framingham, the RC names are Springfield-RC1, Worcester-RC1, and Framingham-RC1.
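The site-name rules and the node-naming convention above, worked as an added Python example (this is not code from the original post or from enVision itself): validate_site_name applies the 2-11 alphanumeric rule and the uniqueness rules from the Important note, and node_names derives the D-SRV, A-SRV, LC and RC node names. The function names, the assumption that a multiple appliance site has at least one A-SRV, and the 16-RC limit taken from the Remote Collector section are this example's own choices.

```python
import re

# Limits on how many appliances of each type a multiple appliance site may
# have, from the node-naming rules above: one D-SRV, 1 to 3 A-SRVs, 1 to 3 LCs,
# and (from the Remote Collector section) up to 16 RCs. At least one A-SRV is
# an assumption of this example.
MAX_A_SRV = 3
MAX_LC = 3
MAX_RC = 16

# A valid site name is 2 to 11 alphanumeric characters.
SITE_NAME_RE = re.compile(r"^[A-Za-z0-9]{2,11}$")


def validate_site_name(name, existing_sites=(), windows_domains=()):
    """Return the problems with a proposed site name (empty list = acceptable).

    existing_sites  - names of enVision sites already deployed
    windows_domains - existing Windows domain names such as MyDomainName.com;
                      the NetBIOS name is the part before the first dot.
    """
    problems = []
    if not SITE_NAME_RE.match(name):
        problems.append("site name must be 2-11 alphanumeric characters")
    lowered = name.lower()
    if lowered in (s.lower() for s in existing_sites):
        problems.append("site name is already used by another enVision site")
    for domain in windows_domains:
        netbios = domain.split(".", 1)[0]
        if lowered in (domain.lower(), netbios.lower()):
            problems.append(
                f"site name collides with Windows domain {domain} "
                f"(NetBIOS name {netbios})")
    return problems


def nic_domain_name(site_name):
    """The NIC Windows domain created for a site is sitename.nic."""
    return f"{site_name}.nic"


def single_appliance_node_name(site_name, appliance_type):
    """Single appliance site: sitename-appliancetype, e.g. Seattle-ES."""
    return f"{site_name}-{appliance_type}"


def node_names(site_name, a_srv=1, lc=1, rc_sites=()):
    """Node names for a multiple appliance site.

    a_srv, lc - number of Application servers and Local Collectors (1 to 3)
    rc_sites  - site names of the Remote Collectors; each RC is its own site,
                so its node is named after the RC site, not the host site.
    """
    if not 1 <= a_srv <= MAX_A_SRV:
        raise ValueError("a multiple appliance site has 1 to 3 A-SRVs")
    if not 1 <= lc <= MAX_LC:
        raise ValueError("a multiple appliance site has 1 to 3 LCs")
    if len(rc_sites) > MAX_RC:
        raise ValueError("a multiple appliance site has at most 16 RCs")
    names = [f"{site_name}-DS1"]
    names += [f"{site_name}-AS{i}" for i in range(1, a_srv + 1)]
    names += [f"{site_name}-LC{i}" for i in range(1, lc + 1)]
    names += [f"{rc}-RC1" for rc in rc_sites]
    return names
```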

Single Appliance Site

The RSA enVision single appliance series is designed to operate in a stand-alone, non-distributed mode. These appliances have all three enVision components (Database, Application, and Collector) installed on one appliance. The single appliance is considered a site.

Multiple Site Deployment

The appliance types used in a multiple appliance site, and how many of each a site has, are as follows.

  • Database server (appliance type D-SRV) - Manages access and retrieval of captured events. Each site has one.
  • Application server (appliance types A-SRV1, A-SRV2, A-SRV3) - Supports interactive users and runs the suite of analysis tools. Each site has up to three. You may want multiple A-SRVs so that you can separate the alerting processes from the reporting processes.
  • Collector (Local Collector) (appliance types LC1, LC2, LC3) - Captures incoming events locally. Each site has up to three, and at least one LC.

Remote Collectors (RCs) capture incoming events remotely and forward data to their master site. Each master site can have up to 16 server appliances as slave sites. Remote collectors have store-and-forward technology that allows user-selectable critical events to be processed in real-time, while non-critical events are compressed, encrypted, and locally cached until they can be forwarded to the enVision site (by the NIC Forwarder Service) for historical analysis as available WAN bandwidth allows. (The Administrator sets up the remote collector Forwarder parameters in the Modify Collector Service window in enVision.)

Note: The total events per second (EPS) for all Collectors per site (per D-SRV) cannot exceed 30,000 EPS.

The following diagram illustrates one possible configuration of a multiple appliance site.

Remote Collector

The remote collector server (RC) captures incoming events remotely. Each RC is considered a remote site. Each remote site is associated with a multiple appliance site. You can have up to 16 RCs per multiple appliance site.

You set up the RC remote site during installation, using the enVision Configuration Wizard. For more information, see the RSA enVision Getting Started Guide 60 Series or RSA enVision Configuration Guide 50 Series Product Documentation.

In this example, sites 2 and 3 are remote sites associated with Site 1.


RCs have store-and-forward technology. On the RC site, enVision processes alerts in real time.

RSA enVision compresses and encrypts the other events and caches them locally until it can forward them to the master enVision site (by the NIC Forwarder Service) for historical analysis. This is called data forwarding.

Data Forwarding

The NIC Forwarder Service on the RC allows you to collect your data on the RC and then forward the data to the associated enVision site.

Forwarder Parameters

You set up the parameters for the RC Forwarder on the Modify Collector Service window.

Forwarder Scheduling

You must schedule the data forwarding task on the Schedule Task window. By default, the data forwarding task runs every 4 hours. You can specify when the data forwarding task is performed and how often.

NIC Domain

A group of multiple appliance sites is referred to as a NIC Domain. You can deploy up to ten D-SRVs in a NIC domain.

The NIC domain is set up in a specific configuration with one site acting as the NIC domain master site. Data flow and configuration information are based on your NIC domain configuration.

You set up the NIC domain during installation, using the RSA enVision Configuration Wizard. For more information, see the RSA enVision Getting Started Guide 60 Series or RSA enVision Configuration Guide (50 Series) Product Documentation.

The following diagram illustrates the possible configuration of a NIC domain.


Master/Slave Relationship

The following diagram illustrates a basic enVision multiple site setup with a master and a slave. In a configuration with more than one site, the master is always Site 1 in the hierarchy.


In a multiple site NIC domain, Site 1 is the NIC domain master site. You can only have one NIC domain master site and it is always Site 1. The sites connected to Site 1 are slaves to Site 1.

A slave site can also be a master site in a multiple site deployment.

In the following example, the NIC domain consists of seven sites:

  • Site 1 is the NIC domain master site.
  • Sites 2 and 5 are slaves to site 1; site 1 is the master site for sites 2 and 5, in addition to being the NIC domain master site.
  • Sites 3 and 4 are slaves to site 2; site 2 is the master site for sites 3 and 4.
  • Sites 6 and 7 are slaves to site 5; site 5 is the master site for sites 6 and 7.

In enVision, the Overview > System Configuration > Services > Set Up Site Communications window lists the site names and the names of their corresponding master sites. If a multiple site deployment is set up as shown in the example illustration above, the master/slave relationship of the sites in this NIC domain is as follows:

Site Name    Master Site
Site 1       None
Site 2       Site 1
Site 3       Site 2
Site 4       Site 2
Site 5       Site 1
Site 6       Site 5
Site 7       Site 5
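The master/slave rules of the NIC Domain section, checked against the seven-site example above, as an added Python example (not code from the original post or from enVision): the mapping mirrors what the Set Up Site Communications window lists, validate_nic_domain enforces that Site 1 is the only NIC domain master, that every named master exists, that master chains do not loop, and the ten-D-SRV limit (this example assumes one D-SRV per site, as in the multiple appliance site table). The function names are this example's own.

```python
# Each multiple appliance site has one D-SRV, and a NIC domain holds at most
# ten D-SRVs (NIC Domain section), so a NIC domain holds at most ten sites.
MAX_DSRV_PER_NIC_DOMAIN = 10
NIC_DOMAIN_MASTER = "Site 1"

# The seven-site example above: site name -> master site (None for the
# NIC domain master). Constructed from the table in the post.
EXAMPLE_NIC_DOMAIN = {
    "Site 1": None,
    "Site 2": "Site 1",
    "Site 3": "Site 2",
    "Site 4": "Site 2",
    "Site 5": "Site 1",
    "Site 6": "Site 5",
    "Site 7": "Site 5",
}


def validate_nic_domain(masters):
    """Return the problems with a site -> master mapping (empty = consistent)."""
    problems = []
    roots = [site for site, master in masters.items() if master is None]
    if roots != [NIC_DOMAIN_MASTER]:
        problems.append(f"expected {NIC_DOMAIN_MASTER} as the only NIC domain "
                        f"master, found {roots}")
    for site, master in masters.items():
        if master is not None and master not in masters:
            problems.append(f"{site} names an unknown master site {master}")
    if len(masters) > MAX_DSRV_PER_NIC_DOMAIN:
        problems.append("more than ten D-SRVs (sites) in the NIC domain")
    # Following master links from any site must reach a root without looping.
    for site in masters:
        seen, current = set(), site
        while current is not None and current in masters:
            if current in seen:
                problems.append(f"master chain starting at {site} loops")
                break
            seen.add(current)
            current = masters[current]
    return problems


def master_chain(masters, site):
    """Master sites from `site` up to the NIC domain master, nearest first."""
    chain, seen, current = [], {site}, masters[site]
    while current is not None:
        if current in seen:
            raise ValueError("master chain loops; run validate_nic_domain")
        seen.add(current)
        chain.append(current)
        current = masters[current]
    return chain


def slaves_of(masters, master):
    """Sites whose master site is `master`."""
    return sorted(site for site, m in masters.items() if m == master)
```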

Site Access in the NIC Domain

Note: This topic is for multiple appliance sites only.

You can access and maintain data globally across all sites in the NIC Domain.

The exceptions are these site-specific items that only have meaning on the site where they were configured:

  • Directories.
  • Module/tool settings that you set for:
    • System Performance tool - display options.
    • Query tool - process options and storage directory for saved queries.
    • Reports module - storage directory and format for saved report results.
    • Dashboard - item settings. (Note: Permissions for the items are set globally.)
  • Custom reports that you added.
  • Scheduled reports (can only be scheduled to run on the site where they were configured).
  • Custom queries that you added.

-Regards,

Blackhattrick blog

(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)

Reviewed by BlackHat on 9:46 PM

Importing Watchlists for Correlation Rules

8:43 PM

Some correlation rules require watchlists. RSA provides sample watchlist files with default values. You can import the values into the RSA enVision database and edit them as needed. The following table lists the correlation rules and their associated watchlists.

Correlation Rule          Watchlist Name
CRL-00002-01              Blacklisted IP addresses
CRL-00013-02              Service User Names
CRL-00013-05              Known Service Accounts
                          Known Vendor Accounts
CRL-00013-06              Known Service Accounts
                          Known Vendor Accounts
CRL-00014                 Administrative Groups
                          Administrative Users
CRL-00037-01              RFC 1918 IP List
CRL-00040-1.0             Known Service Ports
CRL-00101                 RFC 1918 IP List
CRL-00102                 RFC 1918 IP List
CRL-00103                 Administrative Groups
                          Administrative Users
CRL-00110-DB              Confidential Data Patterns
                          Confidential Accounts
CRL-00110-Email           Confidential Data Patterns
                          Confidential Accounts
                          DLP Confidential Data Policies
CRL-00110-IDS             Confidential Data Patterns
                          Confidential Accounts
CRL-00110-FileIntegrity   Confidential Data Patterns
                          Confidential Accounts
CRL-00110-Hosts           Confidential Data Patterns




How do I install my enVision license file (key.ini)?

8:41 PM

Goal

How do I install my enVision license file?

Fact

enVision

I have received my license file and I'm not sure how to install it.

Fix

To install a new license:

1. Back up or rename the old key.ini file.

2. Download the key file that you received from RSA.

3. Rename the new key file to key.ini.

4. Place the new key.ini file in the appropriate folder:

  • For a single appliance site, place the key.ini file in the E:\nic\csd\license\sitename folder, where sitename is the name of your site.
  • For a multiple appliance site, if you have a connected NAS, place each license key file in the appropriate \\ip\vol0\nic\csd\license node folder, where ip is the IP address of your NAS.
  • For a multiple appliance site with no connected NAS, place each license key file in the appropriate E:\nic\csd\license\sitename node folder on the Database Server, where sitename is the name of your site.

5. Restart the NIC Service Manager on all nodes for which a key was applied.



APP- How to Power down/ Shut Down shutdown or Restart the RSA Appliance 3.0

8:40 PM

Goal

Perform Operating system shutdown/restart and Authentication manager application stop/start

Fact

RSA SecurID Appliance 3.0

Linux Operating System

Shut down the appliance

power down

Stop Authentication Manager Daemons

Symptom

Restart the appliance

APP- How to Power down/Shut Down or Restart the RSA Appliance 3.0

How to reboot appliance 3.0

keywords shutdown shut down restart reboot

Fix

Step 1: Stop RSA Services:

Log on to the Appliance operating system using SSH, with the user ID emcsrv and the operating system password.

Change to root:

sudo su (enter the Operating System Password)

Switch to the rsaadmin account:

su rsaadmin <enter password>

Ensure you are logged in as rsaadmin:

whoami

Shut down RSA services

cd /usr/local/RSASecurity/RSAAuthenticationManager/server

./rsaam stop all (takes about 5 minutes)

Ensure the services have stopped:

./rsaam status all

All services should be SHUTDOWN

Type...

exit

...to return to the emcsrv user account.

Now, switch to the root account by typing:

sudo su -

...and when it asks for a password, use the emcsrv password again.

Once you are the root account, you can shut down or restart the operating system with the following commands.

Be sure all Authentication Manager Daemons are stopped. See above.

Examples:
To power down the appliance with a 30 second delay, type the following on the command line:
/sbin/shutdown -h -t 30
If prompted, enter the operating system password

To reboot the appliance immediately, type the following on the command line:
/sbin/shutdown -r now
If prompted, enter the operating system password

Usage: shutdown [-akrhfnc] [-t secs] time [warning message]
-a: use /etc/shutdown.allow
-k: don't really shutdown, only warn.
-r: reboot after shutdown.
-h: halt after shutdown.
-f: do a 'fast' reboot (skip fsck).
-F: Force fsck on reboot.
-n: do not go through "init" but go down real fast.
-c: cancel a running shutdown.
-t secs: delay between warning and kill signal.
** the "time" argument is mandatory! (try "now") **



A concise guide to updating Auth Manager 7.1 passwords

8:38 PM

Goal

How to reset the master password, Security Console password and Operations Console password

How to change master password

How to change Security Console admin password

How to change Operations Console admin password

Fact

Authentication Manager 7.1

RSA SecurID Appliance 3.0

Symptom

Unable to access Operations Console

Unable to access Security Console

Does not have master password

Does not have Operations Console password

Does not have Security Console password

Unable to logon to Operations Console

Unable to logon to Security Console

Cause

During installation of Authentication Manager 7.1 you are asked for a SuperAdmin UserID and password. This UserID and password on day one is used for the following:
1. Security Console Login
2. Operation Console Login
3. MasterPassword
Note: Changing any one of these passwords does not change the others. Each of the Password Values is independent.

Fix

I. Reset the master password when it is lost, or change the master password when it is known.

A) When the current master password is lost or unknown.

· Obtain the reset-masterpwd.jar from RSA Customer Support.

· Copy the jarfile onto the Authentication Manager system.

· Copy the reset-masterpwd.jar into the RSA Authentication Manager\utils\lib directory and run it as follows:

Authentication Manager 7.1 (software)

C:\Program Files\RSA Security\RSA Authentication Manager\utils> rsautil reset-masterpwd

Enter New Master Password: **********

Confirm New Master Password: **********

Properties from C:\PROGRA~1\RSASEC~1\RSAAUT~1\utils\etc\systemfields.properties recovered successfully.

Appliance 3.0

cd /usr/local/RSASecurity/RSAAuthenticationManager/utils
./rsautil reset-masterpwd

Enter New Master Password: **********

Confirm New Master Password: **********

· If you need to run the rsautil again, you will need to delete the systemfields.properties.backup file created during the first run. Navigate to C:\Program Files\RSA Security\RSA Authentication Manager\utils and run the following command:

del C:\PROGRA~1\RSASEC~1\RSAAUT~1\utils\etc\systemfields.properties.backup

· If, when resetting the master password, the following error displays, then edit rsaenv.cmd to change the entry for CLU_User from User A to User B. Save/close. Test running the password change util again.

Error cannot run as user User A. rsautil can only be run by User B. User not longer exists.

B) When the current master password is known.

Change your master password. Type:
rsautil manage-secrets --action change -N new_password
where new_password is the new master password you want to use.

Press ENTER.

When prompted, type your current master password (the one you want to change), and press ENTER.
The message “Master password changed successfully” appears.

To make sure that your new master password is backed up, copy the systemfields.properties file in
<RSA_HOME>/utils/etc to a secure location using secure networking or removable media.

II. Create a new admin who logs on to the Security Console

· To change this admin password, open a command prompt and navigate to C:\Program Files\RSA Security\RSA Authentication Manager\utils.

· Run the following command to create a user named tempAdmin:

rsautil restore-admin -u tempAdmin -p <password to assign to tempAdmin>

Enter Master Password: **********

A temporary admin will be created with the user ID 'tempAdmin'.

Are you sure you want to continue (Y/N): Y

Admin created successfully.

· Note that tempAdmin's access will expire in 24 hours, so log onto the Security Console as tempAdmin as soon as possible. Once logged on, go to Identity > Users > Manage Existing. Search for your admin user whose password needed to be reset. From the context menu, select Edit. Scroll to the section labeled Password. Key in the correct password for this user and click Save.

III. Change the password for the admin who logs on to the Operations Console

· Open a command prompt and navigate to C:\Program Files\RSA Security\RSA Authentication Manager\utils.

· At the prompt, type the following command to update the password of an Ops Console admin. (Note: All actions for manage-oc-administrators require the Super Admin name and password. This can be the Security Console admin from the steps above.)

rsautil manage-oc-administrators -a update

Super Administrator's name: tempAdmin

Super Administrator's password: ************

Enter User Name: admin

Enter User Password: ************

Confirm User Password: ************

User 'admin' updated successfully.

· Run the command rsautil manage-oc-administrators -a list to see a list of existing Ops Console admins.

Note

There are three passwords that are defined when installing Authentication Manager 7.1 or the RSA SecurID Appliance 3.0.

These passwords are:

· The master password (which is used only when you have to run command line utilities);

· The password used by the superadmin named Admin to access the Security Console;

· The password used by the Operations Console admin (who is also named Admin but in actuality is a different user) to access the Operations Console.

All of these passwords can be reset, but there are different procedures for each. If you have lost all of the passwords, follow the steps in this solution to restore them.

After following these steps you should have access to your consoles.

For the RSA SecurID Appliance 3.0, the default install path is /usr/local/RSASecurity/RSAAuthenticationManager/. All of the commands above will be the same.




