Symantec™ Security Information Manager 4.5 Installation Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version 1.1 PN: 10912602
Legal Notice
Copyright © 2007 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, Symantec Enterprise Security Architecture, SESA, Symantec Security Information Manager, Symantec Enterprise Security Manager, Symantec Vulnerability Assessment, Symantec Security Response, and AttackTrace are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Microsoft, Windows, and Windows 2000 are trademarks or registered trademarks of Microsoft Corporation.
This product includes software that was developed by the Apache Software Foundation. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ A telephone and web-based support that provides rapid response and up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
■ Advanced features, including Technical Account Management
For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:
www.symantec.com/techsupp/
Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support information at the following URL:
www.symantec.com/techsupp/
Select your region or language under Global Support.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/techsupp/
Select your region or language under Global Support, and then select the Licensing and Registration page.
Customer service
Customer service information is available at the following URL: www.symantec.com/techsupp/
Select your country or language under Global Support.
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade insurance and maintenance contracts
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
■ Asia-Pacific and Japan: [email protected]
■ Europe, Middle-East, and Africa: [email protected]
■ North America and Latin America: [email protected]
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
■ Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
■ Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
To access more information about Enterprise services, please visit our Web site at the following URL:
www.symantec.com
Chapter 1
Introducing Symantec Security Information Manager 4.5
About Symantec Security Information Manager ... 11
What's new in Information Manager 4.5 ... 12
Large scale event management ... 12
Console enhancements ... 13
Access and notification services ... 14
Chapter 2
Planning for installation
Installation requirements ... 15
About creating sub-domains ... 16
Installation overview ... 17
Where to find more information about Information Manager ... 18
Accessing Help for the console ... 18
Chapter 3
Installing the hardware
Connecting the appliance ... 19
Remote Access Card ... 24
Chapter 4
Installing the appliance software
Installing the appliance software ... 27
Completing appliance configuration ... 28
Re-installing the appliance software ... 29
Chapter 5
Installing the Symantec Security Information Manager console
About the Symantec Security Information Manager console ... 31
Installing the Symantec Security Information Manager console ... 32
Uninstalling the Information Manager console ... 32
Index
Introducing Symantec Security Information Manager 4.5
This chapter includes the following topics:
■ About Symantec Security Information Manager
■ What's new in Information Manager 4.5
About Symantec Security Information Manager
Symantec™ Security Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data.
Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:
■ Firewalls
■ Routers, switches, and VPNs
■ Enterprise Antivirus
■ Intrusion detection and intrusion prevention
■ Vulnerability scanners
■ Authentication servers
■ Windows and UNIX system logs
Information Manager provides the following features to help you recognize and respond to threats in your enterprise:
■ Normalization and correlation of events from multiple vendors to recognize threats from all areas of the enterprise.
■ Event archives to retain events in both their original and normalized formats.
■ Distributed event filtering and aggregation to ensure that only relevant security events are correlated.
■ Real-time security intelligence updates from Symantec™ Global Intelligence Network to keep you apprised of global threats and to let you correlate internal security activity with external threats.
■ Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.
■ Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies associated with the affected assets.
■ A powerful event archive viewer that lets you easily mine large amounts of event data and perform network operations on the machines and users that are associated with each event.
■ A console from which you can view all security incidents and drill down to the related event details, including affected targets, associated vulnerabilities, and recommended corrective actions.
■ Pre-defined and customizable queries to help you demonstrate compliance with the security and data retention policies in your enterprise.
What's new in Information Manager 4.5
Information Manager 4.5 provides large scale event management, an updated console, and a Web Services interface to Information Manager data.
Large scale event management
Information Manager 4.5 now supports attached storage for event archives. Attached storage archives provide for increased event data capacity and large scale data mining.
Information Manager 4.5 provides the following event management features:
■ Optimized event storage
Event data is now stored in compressed archives rather than in a relational database. The archive format allows for increased event capacity and high performance data queries.
■ Raw event data
In addition to normalized event data, you can now archive event data in its original format. The original format event data provides a historical context for security incidents.
■ Flexible storage options
Information Manager now has a logical volume manager that provides support for direct attached storage (DAS), storage area network (SAN), and network-attached storage (NAS).
■ Event and incident viewer
The Information Manager console provides a powerful graphical viewer for intuitive data mining. You can query event, incident, summary, and state data. The viewer has built-in network operations, such as ping and whois, to help you identify the machines and users that are referenced in the events and incidents. You can also add your own custom tools to the viewer.
■ Enhanced reporting
Event and incident reports are now accessible from the Information Manager web configuration interface. You can schedule report generation and post the reports to the web interface or email the reports to users.
■ Advanced data summarization for reporting
Information Manager now processes events as they enter the system and stores summary records in a database. This feature allows for optimized reporting over very large amounts of data.
Console enhancements
The Information Manager console has been updated with the following new features:
■ Rules Editor: You can now configure rules that trigger when an expected event does not occur, or when a slow or low volume attack takes place. You can assign notification services to rules and organize rules into logical groups.
■ System view: You can now view a graphical representation of your Information Manager deployment. The system view shows the status of each appliance and collector in your enterprise and includes event collection and event forwarding statistics.
■ Incident Management: You can now merge multiple incidents to create a new incident and assign multiple incidents to the same ticket.
■ Event forwarding: You can selectively forward events from one appliance to another, using the same event filtering interface that you use to configure reports and archives.
■ Antivirus statistics: You can now view Antivirus statistics on the Global Intelligence Network Integration Manager Utilities page.
■ Reporting tile: The improved report editor allows greater report layout flexibility.
■ Detachable console pages: You can now "tear-off" console pages to view multiple pages simultaneously.
Access and notification services
Information Manager now provides programmatic access to individual Information Manager appliances. Using a standards-based Web Service, developers can securely access and update the data that is stored on an appliance. You can use the Web Service to publish event, asset, incident, and ticket information to external applications, such as help desks and dashboards. You can also use the Web Service to import Information Manager asset information from external asset management and inventory applications.
For more information about how to integrate Information Manager with other enterprise applications, see the Symantec Security Information Manager Developer's Guide.
Planning for installation
This chapter includes the following topics:
■ Installation requirements
■ Installation overview
■ Where to find more information about Information Manager
Installation requirements
Before setting up the Symantec Security Information Manager appliance, make sure you have the following items:
■ Static IP address and host name for the appliance
■ Available rack space or a sturdy tabletop for the appliance
■ Grounded electrical outlet, preferably connected to an uninterruptible power supply (UPS)
■ Network cable (three, if you plan to use the second Ethernet port of the appliance and the DRAC card)
■ A cross-over network cable (if you plan to connect a computer directly into the appliance to configure it)
■ Event collector documentation and media
■ Keyboard, mouse, and monitor (not required if you install using all default settings)
■ Symantec™ Global Intelligence Network™ Threat Management System license key file
You must determine the name of the security domain that you will be creating before installing the appliance software. Once you have chosen the domain name, you cannot change it without re-installing the appliance software. You can add a new appliance to an existing domain by using the Directory Registration page in the Web configuration interface. You can also create sub-domains; however, you must have the naming scheme determined before software installation. See "About creating sub-domains" on page 16.
To install and run the Symantec Security Information Manager console, your computer must meet the following minimum requirements:
■ Windows® 2000 Workstation or Windows® XP Professional operating system
■ Minimum screen resolution setting of 1024 x 768 (1280 x 1024 recommended)
■ 103 MB disk space
■ 512 MB RAM (1 GB recommended)
■ Connection to the same network as the appliance
About creating sub-domains
With some larger installations of Symantec Security Information Manager, it's advantageous to create sub-domains rather than having all Information Manager appliances within a single domain. There are many reasons for creating sub-domains. For example, you might want to enhance performance by dividing the event storage and correlation duties among multiple groups of appliances. You might also use sub-domains based upon physical or logical divisions in your network, such as regions or functional groups. For example, if a corporation has offices in Europe, North America, and Asia, it might be advantageous to have a separate sub-domain for each region. Each region can monitor security events that are specific to those sub-domains and create region-specific reports. Each region can also forward events to the main corporate security site to create global reports. The sub-domains for this company might be as follows:
■ europe.corp.example.ses
■ americas.corp.example.ses
■ asia.corp.example.ses
Creating this organization is accomplished by specifying the desired sub-domain name when you install the appliance software for each region. Once the sub-domain is created, any other appliances in that region can be added to that sub-domain. You can then repeat this process for each new sub-domain that you want to create. Once you create these sub-domains, you must not set up an appliance to use the parent directory. In the example above, you must not set up an appliance to use corp.example.ses as its security domain. Further, you cannot create the parent domain and then create sub-domains. To use sub-domains, all appliances must be part of a sub-domain and not the parent domain.
Note: Do not set up an appliance to use the parent domain, or the sub-domains will function as separate, unrelated domains. Re-establishing the desired sub-domains requires re-installing the Information Manager software on all affected appliances.
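Because the naming scheme cannot be changed without re-installing, it is worth checking a planned deployment against the parent-domain rule above before any appliance is installed. The following Python script is an added example and is not part of the Symantec guide: it validates a planned appliance-to-domain assignment and flags any appliance placed in a domain that is the parent of another appliance's sub-domain. The appliance names, the PLANNED_DEPLOYMENT mapping and the function names are constructed for this example; the domain names are the ones used in the example above.

```python
"""Planning check for Information Manager security-domain names.

Added example, not from the Symantec guide. It encodes the rule that once
sub-domains are in use, no appliance may be registered against the parent
domain (for example corp.example.ses when europe.corp.example.ses exists).
"""


def parent_domains(domain: str):
    """Yield every proper ancestor of a dotted domain name, nearest first.

    'europe.corp.example.ses' -> 'corp.example.ses', 'example.ses', 'ses'
    """
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def check_domain_plan(plan: dict) -> list:
    """Return a list of problems for a mapping of appliance -> security domain.

    A problem is reported for every appliance whose domain is an ancestor of a
    domain assigned to some other appliance, because the guide states that
    such a mix makes the sub-domains behave as separate, unrelated domains.
    """
    domains = {d.lower().strip(".") for d in plan.values()}
    problems = []
    for appliance, domain in sorted(plan.items()):
        d = domain.lower().strip(".")
        children = sorted(c for c in domains if d in parent_domains(c))
        if children:
            problems.append(
                f"{appliance}: domain '{d}' is the parent of "
                f"{', '.join(children)}; move this appliance into one sub-domain"
            )
    return problems


# Constructed planning data for illustration: one appliance was mistakenly
# assigned the parent domain, which the check below reports.
PLANNED_DEPLOYMENT = {
    "ssim-eu-01": "europe.corp.example.ses",
    "ssim-eu-02": "europe.corp.example.ses",
    "ssim-us-01": "americas.corp.example.ses",
    "ssim-ap-01": "asia.corp.example.ses",
    "ssim-hq-01": "corp.example.ses",
}

if __name__ == "__main__":
    issues = check_domain_plan(PLANNED_DEPLOYMENT)
    if issues:
        print("Domain plan has problems:")
        for issue in issues:
            print("  -", issue)
    else:
        print("Domain plan is consistent; no appliance uses a parent domain.")
```

Run the script before the first installation and fix the plan on paper; once the parent domain has been used by an appliance, the guide's only remedy is re-installing the software on all affected appliances.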
Installation overview
To install and configure Symantec Security Information Manager, you must complete the following steps in the order that is shown:
■ Rack mount the appliance and connect the cables. See "Connecting the appliance" on page 19.
■ Run the Information Manager installation wizard. See "Installing the appliance software" on page 27.
■ Download and install the Information Manager console.
See "Installing the Symantec Security Information Manager console" on page 32.
■ Configure your event collectors.
See your collector and relay documentation.
■ Register your Symantec Global Intelligence Network Threat Management System license.
See the Symantec Security Information Manager Administrator's Guide.
■ Specify policies that are used by your organization.
See the Symantec Security Information Manager Administrator's Guide.
■ Set up teams to be notified of security incidents.
See the Symantec Security Information Manager Administrator's Guide.
■ Specify the Assets list.
See the Symantec Security Information Manager Administrator's Guide.
■ Configure correlation rules and filters.
See the Symantec Security Information Manager Administrator's Guide.
■ Create queries and reports.
See the Symantec Security Information Manager User's Guide.
Where to find more information about Information Manager
For more information about Information Manager, visit the knowledge base that is available on the Symantec Technical Support Web site at:
www.symantec.com/techsupp/enterprise
In the Security Management section of the Downloads page, you can obtain updated versions of the documentation, including the following:
■ Symantec Security Information Manager Administrator's Guide
■ Symantec Security Information Manager Installation Guide
Accessing Help for the console
Information Manager provides context-sensitive help for the console and for each of the views that are available in the View menu.
To access Help for the console
◆ In any window, press F1.
Installing the hardware
This chapter includes the following topics:
■ Connecting the appliance
■ Remote Access Card
Connecting the appliance
Hardware installation consists of unpacking the box, rack-mounting the appliance, and connecting cables.
Warning: Before you connect the appliance, read and follow the safety instructions and important regulatory information in your Product Information Guide.
To connect the appliance and run the installation wizard
1. Unpack your appliance from the product box. The following illustrations show the basic components that you will unpack from the 9630 and 9650 appliances. Save all shipping materials in case you need them later. (Your appliance may not include all of the accessories that are shown.)
2. Install the appliance in a rack. The following illustrations show rack mounting of the 9630 and 9650 appliances. See your rack installation documentation for instructions on installing your appliance in a rack.
3. Connect the keyboard, mouse, and monitor. The following illustrations show the port locations for the 9630 and 9650 appliances. The connectors on the back of your appliance have icons indicating which cable to plug into each connector. Be sure to tighten the screws (if any) on the monitor's cable connector.
4. Connect the monitor's power cable to a grounded electrical outlet.
5. Connect the appliance's power cable(s) to the appliance. Next, plug the other end of the cable into a grounded electrical outlet or a separate power source, such as an uninterruptible power supply (UPS), or a power distribution unit (PDU). The following illustrations show power cord connections for the 9630 and 9650 appliances.
6. Thread the power cables through the retention brackets to help ensure that the cables don't get disconnected accidentally. The following illustrations show how to thread the power cord through the retention brackets of the 9630 and 9650 appliances.
7. Connect a network cable to the appliance GB1 port. If the appliance needs to communicate with a secondary network, connect another network cable to the appliance GB2 port. The cable for the primary network must be connected to GB1.
8. Install the optional appliance cover plate.
Remote Access Card
The Information Manager appliance includes the Dell™ Remote Access Card (DRAC). The DRAC is a systems management hardware and software solution designed to provide remote management capabilities, crashed system recovery, and power control functions. By communicating with the appliance's base-board management controller, the DRAC can be configured to send email alerts for warnings or errors related to voltages, temperatures, and fan speeds.
To minimize the risk that Information Manager may experience a security breach, implement the following DRAC-related security measures:
■ Change the DRAC default login name and password ("root" and "calvin" respectively).
■ Import and use Secure Sockets Layer (SSL) certificates instead of the default certificate.
■ Make sure that the subnet to which the DRAC is connected has the appropriate security. This subnet is not necessarily the same one that is connected to the Information Manager appliance.
For more information on using the DRAC, go to the following URL:
http://support.dell.com/support/edocs/software/smdrac3/drac5/1.00/en/index.htm
Installing the appliance software
This chapter includes the following topics:
■ Installing the appliance software
■ Completing appliance configuration
■ Re-installing the appliance software
Installing the appliance software
Symantec Security Information Manager provides you with two options for installing the software that runs in the appliance. You can use the installation wizard to prompt you for information such as network and time zone settings, or you can let the installation run by itself using all default settings. Software installation can require an hour to complete and requires the system to reboot once.
In most cases, you should use the installation wizard, because some information (such as the name of the security directory) cannot be changed without re-installing the appliance software.
If you choose to install with all default settings, you must use the Information Manager Web configuration interface to specify configuration settings later. If your network is not configured to use private IP addresses, you must connect a computer to the appliance using a cross-over cable before you can access the Information Manager Web configuration interface.
For information on using the Web configuration interface, see the Symantec
Security Information Manager Administrator's Guide.
To install the appliance software
1. Turn on the monitor.
2. Turn on the appliance.
3. When the appliance starts up, press F2 to enter CMOS setup, and then use the options in the CMOS setup program to set the appliance date and time. Failure to set the time properly may result in difficulties with security certificates and the appliance database.
4. Exit the CMOS setup program and reboot the appliance.
5. When prompted by a message that asks you whether you want to continue or run the setup utility, press F1 to continue.
6. Insert the Symantec Security Information Manager 4.5 Installation DVD into the DVD drive.
7. When prompted, do one of the following:
■ Press 1 to run the installation wizard (recommended). You must then follow the on-screen prompts to configure the appliance software.
■ Press 2 or wait 60 seconds to install the appliance software using all default settings. After the installation program completes, use the Information Manager Web configuration interface to specify settings.
Completing appliance configuration
When you have installed the appliance hardware and run the installation wizard, you are ready to do the following:
■ Use the Collector Registration page in the Web configuration interface to configure your event collectors and relays to work with the appliance.
■ Use the Global Intelligence Network Integration Manager Utilities page in the Web configuration interface to register your Symantec Global Intelligence Network license.
■ Install the Information Manager console.
See "Installing the Symantec Security Information Manager console" on page 32.
■ Use the System page in the Information Manager console to create user accounts, user groups, roles, and organizational units.
■ Use the Assets page in the Information Manager console to configure the list of network computers and their priority.
■ Use the Rules page in the Information Manager console to create and customize custom filters, rules, lookup tables, and alerts.
There is also a command line interface that is available to view configuration information and specify the following settings:
■ Network configuration
■ Speed and duplex mode for the network interface
■ simuser account password
■ Verify network connectivity
■ Time and locale
For information about the command line interface, registering your Symantec Global Intelligence Network license, and configuring other settings using the Web configuration interface, see the Symantec Security Information Manager Administrator's Guide.
See your collector or relay documentation for information about configuring them to work with the appliance.
Re-installing the appliance software
You can return the Symantec Security Information Manager software to its original settings by using the installation DVD. You may want to do so if there is a problem with the software or settings, and you want to return the appliance to a known good state.
Warning: Re-installing the appliance software deletes all data that is stored on the appliance. Before re-installing the appliance software, back up all data. For more information about backing up the appliance database and security directory, see the Symantec Security Information Manager Administrator's Guide. If you have security products that send events to the appliance, you should either forward those events to another appliance, or disable sending events until another appliance is available.
If for some reason, you are unable to re-install the appliance software, you can use the recovery CD that is provided with your appliance. After you have used the recovery CD, you can re-install the appliance software.
To re-install the appliance software
1. Close the Information Manager console on any computers that currently view information from the appliance.
2. Insert the Symantec Security Information Manager 4.5 Installation DVD into the DVD drive.
3. Using a Web browser, open the Information Manager Web configuration interface.
4. From the Security Information Manager configuration page, click Shutdown/Restart.
5. Click Restart Now.
6. When prompted to confirm the restart, press Enter.
7. When prompted, do one of the following:
■ Press 1 to run the installation wizard (recommended). You must then follow the on-screen prompts to configure the appliance software.
■ Press 2 or wait 60 seconds to install the appliance software using all default settings. After the installation program completes, use the Information Manager Web configuration interface to specify settings.
Installing the Symantec Security Information Manager console
This chapter includes the following topics:
■ About the Symantec Security Information Manager console
■ Installing the Symantec Security Information Manager console
■ Uninstalling the Information Manager console
About the Symantec Security Information Manager console
You use the console on a Microsoft® Windows 2000 or Windows XP computer to perform the following security monitoring functions:
■ Specify when security incidents are declared
■ Identify critical network hosts
■ View Symantec Global Intelligence Network information
■ Manage incidents
■ Manage tickets
■ Create reports
Installing the Symantec Security Information Manager console
You install the Information Manager console using the Information Manager Web configuration interface.
To install the Information Manager console
1. Open a Web browser, and in the address bar, type the IP address of the appliance. By default, this address uses the syntax https://<IP-address>, where <IP-address> represents the IP address of your appliance. For example: https://192.168.0.10
By default, the appliance uses self-signed certificates, which cannot be verified by certificate authentication services such as VeriSign®. If prompted, click Yes to accept the appliance certificate.
2. On the Security Information Manager page, click Download Client.
3. When prompted, click Run, and then follow the prompts to install the console.
To run the console
1. Click the Start menu, point to Programs, and then point to the Symantec Security Information Manager 4.5 program group.
2. Click SSIM Client.
3. When prompted, provide the username, password, domain, and IP address of the Information Manager appliance. The default username for the console is administrator, and the default password is password.
Note that entering the domain information is optional in a single domain environment.
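Step 1 of the installation procedure above asks you to accept a self-signed certificate that no certificate authority can vouch for. As an added example that is not part of the Symantec guide, the following Python script shows one way to confirm that the certificate the appliance presents is the one you expect: it compares the certificate's SHA-256 fingerprint against a value recorded out of band (for example, from the appliance console) before you click Yes in the browser. The appliance address, the PINNED placeholder, the SAMPLE_DER bytes (which are not a real certificate) and all function names are assumptions made for this example.

```python
"""Check the appliance's self-signed certificate against a pinned fingerprint.

Added example, not from the Symantec guide. Standard library only.
"""
import base64
import hashlib
import hmac
import ssl


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    body = []
    inside = False
    for raw in pem.splitlines():
        line = raw.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
            continue
        if line == "-----END CERTIFICATE-----":
            break
        if inside and line:
            body.append(line)
    if not body:
        raise ValueError("no certificate found in PEM input")
    return base64.b64decode("".join(body), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and return uppercase hex."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(pem: str, expected: str) -> bool:
    """True if the certificate's SHA-256 fingerprint equals the pinned value.

    hmac.compare_digest keeps the comparison constant-time.
    """
    actual = normalize(sha256_fingerprint(pem_to_der(pem)))
    return hmac.compare_digest(actual, normalize(expected))


def fetch_appliance_cert(host: str, port: int = 443) -> str:
    """Fetch the PEM certificate the appliance presents, without validating it."""
    return ssl.get_server_certificate((host, port))


# Constructed sample: arbitrary bytes standing in for a DER certificate, so the
# parsing and fingerprint logic can be exercised offline.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    APPLIANCE = "192.168.0.10"  # the guide's example address; replace with yours
    PINNED = "<SHA-256 fingerprint recorded at the appliance console>"  # placeholder
    pem = fetch_appliance_cert(APPLIANCE)
    print("presented fingerprint:", sha256_fingerprint(pem_to_der(pem)))
    if fingerprint_matches(pem, PINNED):
        print("matches the pinned value; it is safe to accept in the browser")
    else:
        print("does NOT match the pinned value; do not accept the certificate")
```

Record the fingerprint once, from a trusted path such as the appliance's local console, and re-run the check whenever the browser prompts again: a changed fingerprint after a re-installation is expected, but an unexplained change on a running appliance is worth investigating before accepting it.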
Uninstalling the Information Manager console
You use the Microsoft Windows Control Panel to uninstall the Information Manager console.
To uninstall the Information Manager console
1. From the Windows desktop, click Start, point to Control Panel, and then click Add or Remove Programs.
2. Click Symantec Security Information Manager, and then click Change/Remove.
Index
A
account, administrator 32
DRAC default 24
C
console
described 31
installation 32
uninstalling 32
D
Deepsight. See Global Intelligence Network
DRAC 24
G
Global Intelligence Network 31