Symantec Security Information Manager 4.5 Installation Guide




Symantec Security Information Manager 4.5 Installation Guide PN: 10912602

Symantec Security Information Manager 4.5 Installation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 1.1
PN: 10912602

Legal Notice

Copyright 2007 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, Symantec Enterprise Security Architecture, SESA, Symantec Security Information Manager, Symantec Enterprise Security Manager, Symantec Vulnerability Assessment, Symantec Security Response, and AttackTrace are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Microsoft, Windows, and Windows 2000 are trademarks or registered trademarks of Microsoft Corporation.

This product includes software that was developed by the Apache Software Foundation.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- A telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/

Select your country or language under Global Support.

Contacting Technical Support

The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/

Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description: Error messages and log files
- Troubleshooting that was performed before contacting Symantec
- Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

Symantec Early Warning Solutions
    These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

Managed Security Services
    These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services
    Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services
    Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com Select your country or language from the site index.

Contents

Technical Support

Chapter 1 Introducing Symantec Security Information Manager 4.5
    About Symantec Security Information Manager ... 11
    What's new in Information Manager 4.5 ... 12
        Large scale event management ... 12
        Console enhancements ... 13
        Access and notification services ... 14

Chapter 2 Planning for installation
    Installation requirements ... 15
        About creating sub-domains ... 16
    Installation overview ... 17
    Where to find more information about Information Manager ... 18
        Accessing Help for the console ... 18

Chapter 3 Installing the hardware
    Connecting the appliance ... 19
    Remote Access Card ... 24

Chapter 4 Installing the appliance software
    Installing the appliance software ... 27
    Completing appliance configuration ... 28
    Re-installing the appliance software ... 29

Chapter 5 Installing the Symantec Security Information Manager console
    About the Symantec Security Information Manager console ... 31
    Installing the Symantec Security Information Manager console ... 32
    Uninstalling the Information Manager console ... 32

Index


Chapter 1
Introducing Symantec Security Information Manager 4.5

This chapter includes the following topics:

- About Symantec Security Information Manager
- What's new in Information Manager 4.5

About Symantec Security Information Manager

Symantec Security Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:

- Firewalls
- Routers, switches, and VPNs
- Enterprise Antivirus
- Intrusion detection and intrusion prevention
- Vulnerability scanners
- Authentication servers
- Windows and UNIX system logs

Information Manager provides the following features to help you recognize and respond to threats in your enterprise:

- Normalization and correlation of events from multiple vendors to recognize threats from all areas of the enterprise.
- Event archives to retain events in both their original and normalized formats.
- Distributed event filtering and aggregation to ensure that only relevant security events are correlated.
- Real-time security intelligence updates from Symantec Global Intelligence Network to keep you apprised of global threats and to let you correlate internal security activity with external threats.
- Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.
- Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies associated with the affected assets.
- A powerful event archive viewer that lets you easily mine large amounts of event data and perform network operations on the machines and users that are associated with each event.
- A console from which you can view all security incidents and drill down to the related event details, including affected targets, associated vulnerabilities, and recommended corrective actions.
- Pre-defined and customizable queries to help you demonstrate compliance with the security and data retention policies in your enterprise.

What's new in Information Manager 4.5

Information Manager 4.5 provides large scale event management, an updated console, and a Web Services interface to Information Manager data.

Large scale event management

Information Manager 4.5 now supports attached storage for event archives. Attached storage archives provide for increased event data capacity and large scale data mining.

Information Manager 4.5 provides the following event management features:

Optimized event storage
    Event data is now stored in compressed archives rather than in a relational database. The archive format allows for increased event capacity and high performance data queries.

Raw event data
    In addition to normalized event data, you can now archive event data in its original format. The original format event data provides a historical context for security incidents.

Flexible storage options
    Information Manager now has a logical volume manager that provides support for direct attached storage (DAS), storage area network (SAN), and network-attached storage (NAS).

Event and incident viewer
    The Information Manager console provides a powerful graphical viewer for intuitive data mining. You can query event, incident, summary, and state data. The viewer has built-in network operations, such as ping and whois, to help you identify the machines and users that are referenced in the events and incidents. You can also add your own custom tools to the viewer.

Enhanced reporting
    Event and incident reports are now accessible from the Information Manager web configuration interface. You can schedule report generation and post the reports to the web interface or email the reports to users.

Advanced data summarization for reporting
    Information Manager now processes events as they enter the system and stores summary records in a database. This feature allows for optimized reporting over very large amounts of data.

Console enhancements

The Information Manager console has been updated with the following new features:

Rules Editor
    You can now configure rules that trigger when an expected event does not occur, or when a slow or low volume attack takes place. You can assign notification services to rules and organize rules into logical groups.

System view
    You can now view a graphical representation of your Information Manager deployment. The system view shows the status of each appliance and collector in your enterprise and includes event collection and event forwarding statistics.

Incident Management
    You can now merge multiple incidents to create a new incident and assign multiple incidents to the same ticket.

Event forwarding
    You can selectively forward events from one appliance to another, using the same event filtering interface that you use to configure reports and archives.

Antivirus statistics
    You can now view Antivirus statistics on the Global Intelligence Network Integration Manager Utilities page.

Reporting tile
    The improved report editor allows greater report layout flexibility.

Detachable console pages
    You can now "tear-off" console pages to view multiple pages simultaneously.

Access and notification services

Information Manager now provides programmatic access to individual Information Manager appliances. Using a standards-based Web Service, developers can securely access and update the data that is stored on an appliance. You can use the Web Service to publish event, asset, incident, and ticket information to external applications, such as help desks and dashboards. You can also use the Web Service to import Information Manager asset information from external asset management and inventory applications.

For more information about how to integrate Information Manager with other enterprise applications, see the Symantec Security Information Manager Developer's Guide.

Chapter 2
Planning for installation

This chapter includes the following topics:

- Installation requirements
- Installation overview
- Where to find more information about Information Manager

Installation requirements

Before setting up the Symantec Security Information Manager appliance, make sure you have the following items:

- Static IP address and host name for the appliance
- Available rack space or a sturdy tabletop for the appliance
- Grounded electrical outlet, preferably connected to an uninterruptible power supply (UPS)
- Network cable (three, if you plan to use the second Ethernet port of the appliance and the DRAC card)
- A cross-over network cable (if you plan to connect a computer directly into the appliance to configure it)
- Event collector documentation and media
- Keyboard, mouse, and monitor (not required if you install using all default settings)
- Symantec Global Intelligence Network Threat Management System license key file

You must determine the name of the security domain that you will be creating before installing the appliance software. Once you have chosen the domain name, you cannot change it without re-installing the appliance software. You can add a new appliance to an existing domain by using the Directory Registration page in the Web configuration interface. You can also create sub-domains; however, you must have the naming scheme determined before software installation. See About creating sub-domains on page 16.

To install and run the Symantec Security Information Manager console, your computer must meet the following minimum requirements:

- Windows 2000 Workstation or Windows XP Professional operating system
- Minimum screen resolution setting of 1024 x 768 (1280 x 1024 recommended)
- 103 MB disk space
- 512 MB RAM (1 GB recommended)
- Connection to the same network as the appliance

About creating sub-domains

With some larger installations of Symantec Security Information Manager, it's advantageous to create sub-domains rather than having all Information Manager appliances within a single domain. There are many reasons for creating sub-domains. For example, you might want to enhance performance by dividing the event storage and correlation duties among multiple groups of appliances. You might also use sub-domains based upon physical or logical divisions in your network, such as regions or functional groups.

For example, if a corporation has offices in Europe, North America, and Asia, it might be advantageous to have a separate sub-domain for each region. Each region can monitor security events that are specific to those sub-domains and create region-specific reports. Each region can also forward events to the main corporate security site to create global reports. The sub-domains for this company might be as follows:

europe.corp.example.ses
americas.corp.example.ses
asia.corp.example.ses

Creating this organization is accomplished by specifying the desired sub-domain name when you install the appliance software for each region. Once the sub-domain is created, any other appliances in that region can be added to that sub-domain. You can then repeat this process for each new sub-domain that you want to create.

Once you create these sub-domains, you must not set up an appliance to use the parent directory. In the example above, you must not set up an appliance to use corp.example.ses as its security domain. Further, you cannot create the parent domain and then create sub-domains. To use sub-domains, all appliances must be part of a sub-domain and not the parent domain.

Note: Do not set up an appliance to use the parent domain, or the sub-domains will function as separate, unrelated domains. Re-establishing the desired sub-domains requires re-installing the Information Manager software on all affected appliances.

Installation overview

To install and configure Symantec Security Information Manager, you must complete the following steps in the order that is shown:

1. Rack mount the appliance and connect the cables. See Connecting the appliance on page 19.
2. Run the Information Manager installation wizard. See Installing the appliance software on page 27.
3. Download and install the Information Manager console. See Installing the Symantec Security Information Manager console on page 32.
4. Configure your event collectors. See your collector and relay documentation.
5. Register your Symantec Global Intelligence Network Threat Management System license. See the Symantec Security Information Manager Administrator's Guide.
6. Specify policies that are used by your organization. See the Symantec Security Information Manager Administrator's Guide.
7. Set up teams to be notified of security incidents. See the Symantec Security Information Manager Administrator's Guide.
8. Specify the Assets list. See the Symantec Security Information Manager Administrator's Guide.
9. Configure correlation rules and filters. See the Symantec Security Information Manager Administrator's Guide.
10. Create queries and reports. See the Symantec Security Information Manager User's Guide.
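Because the security domain name cannot be changed after the appliance software is installed, the sub-domain rules in the section above (decide every sub-domain name first; never place an appliance on the parent domain once sub-domains exist) are worth checking against the whole deployment plan before the first installation. The following Python script is an added example and is not part of the Symantec guide; the appliance host names and the plan it checks are constructed sample input.

```python
"""Pre-installation check of a planned Information Manager security-domain layout.

Added example, not code from the Symantec guide. It encodes the planning rules
the guide states: the security domain name is fixed once the appliance software
is installed, sub-domain names must be decided beforehand, and when sub-domains
are used no appliance may be set up on the parent domain (otherwise the
sub-domains behave as separate, unrelated domains). Host names and the plan
dictionary below are constructed sample input.
"""
from collections import defaultdict


def parent_domains(domain):
    """Return every ancestor of a dotted name, nearest first.

    parent_domains("europe.corp.example.ses")
      -> ["corp.example.ses", "example.ses", "ses"]
    """
    labels = domain.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def check_domain_plan(plan):
    """Validate a mapping of appliance host name -> planned security domain.

    Returns a list of (host, problem) tuples, sorted by host name. An empty
    list means the plan is consistent with the guide's sub-domain rules.
    """
    problems = []
    hosts_by_domain = defaultdict(list)

    for host, domain in plan.items():
        labels = (domain or "").strip(".").split(".")
        if not domain or any(label == "" for label in labels):
            # An empty label cannot be entered at install time, and the name
            # cannot be corrected afterwards without re-installing, so reject
            # it in the plan rather than at the console.
            problems.append((host, "malformed security domain name %r" % domain))
            continue
        hosts_by_domain[domain.lower().strip(".")].append(host)

    planned = set(hosts_by_domain)
    for domain, hosts in hosts_by_domain.items():
        # A planned domain that is an ancestor of another planned domain is a
        # parent domain; the guide forbids placing any appliance on it once
        # sub-domains exist. A single flat domain with no children is fine.
        children = sorted(d for d in planned if domain in parent_domains(d))
        if not children:
            continue
        for host in hosts:
            problems.append((
                host,
                "uses parent domain %s while sub-domains exist (%s); "
                "re-plan it as a member of one of the sub-domains"
                % (domain, ", ".join(children)),
            ))

    return sorted(problems)


if __name__ == "__main__":
    # Constructed plan mirroring the guide's regional example, plus one
    # appliance mistakenly planned on the parent domain.
    plan = {
        "ssim-eu-01": "europe.corp.example.ses",
        "ssim-am-01": "americas.corp.example.ses",
        "ssim-ap-01": "asia.corp.example.ses",
        "ssim-hq-01": "corp.example.ses",
    }
    for host, problem in check_domain_plan(plan):
        print("%s: %s" % (host, problem))
```

Run the check against the final plan; any host it reports would otherwise require a re-install of every affected appliance to fix.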

Where to find more information about Information Manager

For more information about Information Manager, visit the knowledge base that is available on the Symantec Technical Support Web site at:

www.symantec.com/techsupp/enterprise

In the Security Management section of the Downloads page, you can obtain updated versions of the documentation, including the following:

- Symantec Security Information Manager Administrator's Guide
- Symantec Security Information Manager Installation Guide

Accessing Help for the console

Information Manager provides context-sensitive help for the console and for each of the views that are available in the View menu.

To access Help for the console

In any window, press F1.

Chapter 3
Installing the hardware

This chapter includes the following topics:

- Connecting the appliance
- Remote Access Card

Connecting the appliance

Hardware installation consists of unpacking the box, rack-mounting the appliance, and connecting cables.

Warning: Before you connect the appliance, read and follow the safety instructions and important regulatory information in your Product Information Guide.

To connect the appliance and run the installation wizard

1 Unpack your appliance from the product box. The following illustrations show the basic components that you will unpack from the 9630 and 9650 appliances. Save all shipping materials in case you need them later. (Your appliance may not include all of the accessories that are shown.)

2 Install the appliance in a rack. The following illustrations show rack mounting of the 9630 and 9650 appliances. See your rack installation documentation for instructions on installing your appliance in a rack.

3 Connect the keyboard, mouse, and monitor. The following illustrations show the port locations for the 9630 and 9650 appliances. The connectors on the back of your appliance have icons indicating which cable to plug into each connector. Be sure to tighten the screws (if any) on the monitor's cable connector.

4 Connect the monitor's power cable to a grounded electrical outlet.

5 Connect the appliance's power cable(s) to the appliance. Next, plug the other end of the cable into a grounded electrical outlet or a separate power source, such as an uninterruptible power supply (UPS), or a power distribution unit (PDU). The following illustrations show power cord connections for the 9630 and 9650 appliances.

6 Thread the power cables through the retention brackets to help ensure that the cables don't get disconnected accidentally. The following illustrations show how to thread the power cord through the retention brackets of the 9630 and 9650 appliances.

7 Connect a network cable to the appliance GB1 port. If the appliance needs to communicate with a secondary network, connect another network cable to the appliance GB2 port. The cable for the primary network must be connected to GB1.

8 Install the optional appliance cover plate.

Remote Access Card

The Information Manager appliance includes the Dell Remote Access Card (DRAC). The DRAC is a systems management hardware and software solution designed to provide remote management capabilities, crashed system recovery, and power control functions. By communicating with the appliance's base-board management controller, the DRAC can be configured to send email alerts for warnings or errors related to voltages, temperatures, and fan speeds.

To minimize the risk that Information Manager may experience a security breach, implement the following DRAC-related security measures:

- Change the DRAC default login name and password ("root" and "calvin" respectively).
- Import and use secure socket layer (SSL) certificates instead of the default certificate.
- Make sure that the subnet to which the DRAC is connected has the appropriate security. This subnet is not necessarily the same one that is connected to the Information Manager appliance.

For more information on using the DRAC, go to the following URL:

http://support.dell.com/support/edocs/software/smdrac3/drac5/1.00/en/index.htm

Chapter 4 Installing the appliance software This chapter includes the following topics: Installing the appliance software Completing appliance configuration Re-installing the appliance software Installing the appliance software Symantec Security Information Manager provides you with two options for installing the software that runs in the appliance. You can use the installation wizard to prompt you for information such as network and time zone settings, or you can let the installation run by itself using all default settings. Software installation can require an hour to complete and requires the system to reboot once. In most cases, you should use the installation wizard, because some information (such as the name of the security directory) cannot be changed without re-installing the appliance software. If you choose to install with all default settings, you must use the Information Manager Web configuration interface to specify configuration settings later. If your network is not configured to use private IP addresses, you must connect a computer to the appliance using a cross-over cable before you can access the Information Manager Web configuration interface. For information on using the Web configuration interface, see the Symantec Security Information Manager Administrator's Guide.

To install the appliance software

1 Turn on the monitor.

2 Turn on the appliance.

3 When the appliance starts up, press F2 to enter CMOS setup, and then use the options in the CMOS setup program to set the appliance date and time. Failure to set the time properly may result in difficulties with security certificates and the appliance database.

4 Exit the CMOS setup program and reboot the appliance.

5 When prompted by a message that asks you whether you want to continue or run the setup utility, press F1 to continue.

6 Insert the Symantec Security Information Manager 4.5 Installation DVD into the DVD drive.

7 When prompted, do one of the following:
- Press 1 to run the installation wizard (recommended). You must then follow the on-screen prompts to configure the appliance software.
- Press 2 or wait 60 seconds to install the appliance software using all default settings. After the installation program completes, use the Information Manager Web configuration interface to specify settings.

Completing appliance configuration

When you have installed the appliance hardware and run the installation wizard, you are ready to do the following:
- Use the Collector Registration page in the Web configuration interface to configure your event collectors and relays to work with the appliance.
- Use the Global Intelligence Network Integration Manager Utilities page in the Web configuration interface to register your Symantec Global Intelligence Network license.
- Install the Information Manager console. See Installing the Symantec Security Information Manager console on page 32.
- Use the System page in the Information Manager console to create user accounts, user groups, roles, and organizational units.
- Use the Assets page in the Information Manager console to configure the list of network computers and their priority.
- Use the Rules page in the Information Manager console to create and customize custom filters, rules, lookup tables, and alerts.

There is also a command line interface that is available to view configuration information and specify the following settings:
- Network configuration
- Speed and duplex mode for the network interface
- simuser account password
- Verify network connectivity
- Time and locale

For information about the command line interface, registering your Symantec Global Intelligence Network license, and configuring other settings using the Web configuration interface, see the Symantec Security Information Manager Administrator's Guide. See your collector or relay documentation for information about configuring them to work with the appliance.

Re-installing the appliance software

You can return the Symantec Security Information Manager software to its original settings by using the installation DVD. You may want to do so if there is a problem with the software or settings, and you want to return the appliance to a known good state.

Warning: Re-installing the appliance software deletes all data that is stored on the appliance. Before re-installing the appliance software, back up all data. For more information about backing up the appliance database and security directory, see the Symantec Security Information Manager Administrator's Guide.

If you have security products that send events to the appliance, you should either forward those events to another appliance, or disable sending events until another appliance is available.

If for some reason you are unable to re-install the appliance software, you can use the recovery CD that is provided with your appliance. After you have used the recovery CD, you can re-install the appliance software.

To re-install the appliance software

1 Close the Information Manager console on any computers that currently view information from the appliance.

2 Insert the Symantec Security Information Manager 4.5 Installation DVD into the DVD drive.

3 Using a Web browser, open the Information Manager Web configuration interface.

4 From the Security Information Manager configuration page, click Shutdown / Restart.

5 Click Restart Now.

6 When prompted to confirm the restart, press Enter.

7 When prompted, do one of the following:
- Press 1 to run the installation wizard (recommended). You must then follow the on-screen prompts to configure the appliance software.
- Press 2 or wait 60 seconds to install the appliance software using all default settings. After the installation program completes, use the Information Manager Web configuration interface to specify settings.

Chapter 5
Installing the Symantec Security Information Manager console

This chapter includes the following topics:
- About the Symantec Security Information Manager console
- Installing the Symantec Security Information Manager console
- Uninstalling the Information Manager console

About the Symantec Security Information Manager console

You use the console on a Microsoft Windows 2000 or Windows XP computer to perform the following security monitoring functions:
- Specify when security incidents are declared
- Identify critical network hosts
- View Symantec Global Intelligence Network information
- Manage incidents
- Manage tickets
- Create reports

Installing the Symantec Security Information Manager console

You install the Information Manager console using the Information Manager Web configuration interface.

To install the Information Manager console

1 Open a Web browser, and in the address bar, type the IP address of the appliance. By default, this address uses the syntax https://<ip-address>, where <ip-address> represents the IP address of your appliance. For example: https://192.168.0.10
By default, the appliance uses self-signed certificates, which cannot be verified by certificate authentication services such as VeriSign. If prompted, click Yes to accept the appliance certificate.

2 On the Security Information Manager page, click Download Client.

3 When prompted, click Run, and then follow the prompts to install the console.

To run the console

1 Click the Start menu, point to Programs, and then point to the Symantec Security Information Manager 4.5 program group.

2 Click SSIM Client.

3 When prompted, provide the username, password, domain, and IP address of the Information Manager appliance. The default username for the console is administrator, and the default password is password. Note that entering the domain information is optional in a single domain environment.

Uninstalling the Information Manager console

You use the Microsoft Windows Control Panel to uninstall the Information Manager console.

To uninstall the Information Manager console

1 From the Windows desktop, click Start, point to Control Panel, and then click Add or Remove Programs.

2 Click Symantec Security Information Manager, and then click Change/Remove.
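The console installation step above has you accept the appliance's self-signed certificate when the browser prompts; because no certificate authority can vouch for it, the practical check is to record the certificate's SHA-256 fingerprint from the appliance itself and compare it before trusting the Web configuration interface (the same habit applies to the certificate you import into the DRAC under the Remote Access Card security measures). The following Python script is an added example, not part of this guide or of the Information Manager product; the host address, port and the pinned fingerprint are placeholders, and SAMPLE_PEM is a constructed stand-in used only to exercise the logic offline.

```python
import hashlib
import hmac
import ssl

APPLIANCE_HOST = "192.168.0.10"   # placeholder: the guide's example address
APPLIANCE_PORT = 443
# Placeholder: replace with the fingerprint you recorded out-of-band from the
# appliance (for example, from its Web configuration interface on the console).
PINNED_SHA256 = "REPLACE-WITH-RECORDED-FINGERPRINT"

# Constructed sample, not a real certificate: the PEM body is base64 of the
# bytes b"abc", which is enough to exercise the fingerprint logic offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def fetch_certificate_pem(host: str, port: int = 443) -> str:
    """Retrieve the server's leaf certificate in PEM form without verifying it.

    Chain verification is skipped on purpose: the appliance is self-signed, so
    trust is decided by the fingerprint comparison below, not by a CA.
    """
    return ssl.get_server_certificate((host, port))


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated, upper-case SHA-256 of the DER encoding.

    This matches the SHA-256 fingerprint shown by browsers and by openssl,
    so the value recorded on the appliance can be compared directly.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex so transcription style does not matter."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def matches_pinned(pem: str, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pinned value."""
    return hmac.compare_digest(normalize(sha256_fingerprint(pem)), normalize(pinned))


def check_appliance(host=APPLIANCE_HOST, port=APPLIANCE_PORT, pinned=PINNED_SHA256) -> bool:
    pem = fetch_certificate_pem(host, port)
    ok = matches_pinned(pem, pinned)
    print(f"{host}:{port} presented {sha256_fingerprint(pem)} -> "
          f"{'MATCH' if ok else 'MISMATCH, do not trust this interface'}")
    return ok


if __name__ == "__main__":
    check_appliance()
```

Run it from the administration workstation before clicking Yes in the browser; a mismatch after the appliance has been re-installed is expected (a new certificate is generated), so re-record the fingerprint at that point rather than accepting an unknown one.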

Index

A
account
  administrator 32
  DRAC default 24

C
console
  described 31
  installation 32
  uninstalling 32

D
Deepsight. See Global Intelligence Network
DRAC 24

G
Global Intelligence Network 31

I
installation
  console 32
  hardware 19
  overview 17
  requirements 15
  software 27
  software re-installation 29
IP address
  default 32

P
password
  console default 32
  DRAC default 24

R
re-imaging appliance 29
remote access card 24

S
Symantec Security Information Manager
  about 11
  features 11
  system requirements 15

T
technical support 18