RSA enVision 4.0 Configuration Guide

Revision 1

Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-party licenses
Portions of this application include technology used under license from Visual Mining, Inc. 2000 - 2009. Portions of this application include iAnywhere technology, 2001 - 2009. Winpcap: Copyright © 1999 - 2009 NetGroup, Politecnico di Torino (Italy).

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 1996-2010 EMC Corporation. All Rights Reserved. April 2009 Revised: September 2010

Revision History
Revision Number: 1
Date: 9/7/2010
Revision: Revision 1. Added License Key installation procedure in Chapter 2, “Single Appliance Site,” Chapter 3, “Multiple Appliance Site,” and Chapter 4, “Remote Collector Site.”

Contents

Revision History
Preface
    About This Guide
    RSA enVision Documentation
    Related Documentation
    Support and Service
        Before You Call Customer Support

Chapter 1: Introduction
    Overview
    Site Deployment

Chapter 2: Single Appliance Site
    Configuration Tasks
    Next Steps
    Configuration Wizard Planning Worksheet - Single Appliance Site
        Name the Site
        Specify the IP Address
        Identify External Storage
        Identify DNS Servers
        Specify Time Settings
        Specify the External IP Address

Chapter 3: Multiple Appliance Site
    Overview
    Site Deployment
        Multiple Site Deployment
        Site Access in the NIC Domain
        Multiple Appliance Site with Enhanced Availability
    Configuration Tasks
    Next Steps
    Configuration Wizard Planning Worksheet - Multiple Appliance Site
        NIC Domain
        Site

Chapter 4: Remote Collector Site
    Overview
    Configuration Tasks
        Verify the RC Configuration
        Configure the Data Forwarding Task
        Test the Configuration
    Configuration Wizard Planning Worksheet - Remote Collector Site
        Name the Site
        Identify Appliance in the Site
        Identify DNS Servers
        Specify Time Settings
        Specify Site-to-Site Connection
        Specify the External IP Address

Chapter 5: Next Steps
    Set Up RSA enVision
    Set Up Your Browser
    Log On to RSA enVision
    Log Out of RSA enVision
    RSA enVision Client Software and Hardware Requirements

Appendix A: Connect to the Appliance Using a Keyboard, Monitor, and Mouse

Appendix B: Dell Remote Access Controller Utility
    Set Up the Remote Access Controller Utility
    Access the Appliance from a Remote Location
    Ports Used by RSA enVision for the DRAC Utility

Appendix C: Change RSA enVision Network IP Addresses
    Rename IP Address for Each Appliance before Setting Up Your Site
    Add Trusted Sites
    Change the IP Addresses in the Configuration Wizard to Match Renamed Appliance Addresses

Glossary

Preface

About This Guide
This guide contains information on configuring your RSA enVision site. It is intended for system administrators who need to configure an enVision site. Use this guide in conjunction with the Hardware Guide.

RSA enVision Documentation
For information about RSA enVision, see the following documentation:

Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. The latest version of the Release Notes is available on RSA SecurCare Online at https://knowledge.rsasecurity.com.
Hardware Guide. Instructions on setting up your RSA enVision appliances. Intended audience is the system administrator.
Configuration Guide. Instructions on configuring your RSA enVision site. Intended audience is the system administrator.
Migration Guide. Instructions on migrating your data from a previous version of RSA enVision to the current version.
RSA enVision Help. Comprehensive instructions on setting up RSA enVision processing options and using RSA enVision analysis tools. Intended audience is the end user.

Check RSA SecurCare Online for the latest documentation. RSA continues to assess and improve the documentation.

Related Documentation
For information about the RSA enVision Event Explorer module, see the following documentation:

Installation Guide. Instructions on installing the RSA enVision Event Explorer client on your personal computer.
RSA enVision Event Explorer Help. Comprehensive instructions on setting up and using RSA enVision Event Explorer.

Support and Service
RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.rsa.com/support
RSA Secured Partner Solutions Directory: www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads.

The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

Before You Call Customer Support
Make sure that you have direct access to the computer running the RSA enVision software. Please have the following information available when you call:

• The serial number of the appliance. On a 60-series appliance, you can find the seven-character serial number on the chassis tag on the back of the appliance, or open a Dell Openmanage Server Administrator session, and click System > Properties > Summary to find the serial number in the chassis service tag field.
• RSA enVision software version number.
• The name and version of the operating system under which the problem occurs.

Chapter 1: Introduction

Overview
RSA enVision is a feature-rich compliance and security application. It allows you to capture and analyze log information automatically from your network, security, application, operating and storage environments. The enVision LogSmart Internet Protocol Database (IPDB) provides the only architecture proven to collect and protect all the data automatically, from any network device, without filtering or agents. It gives you an accurate picture of how your network is being used, and by whom. It independently monitors your network to verify security policies, to generate alerts for possible compliance breaches, and to analyze and report on network performance.

RSA enVision is tightly coupled with its underlying appliance operating system and hardware, and together they comprise a highly scalable platform that provides guaranteed levels of performance.

RSA enVision is made up of three components: Application, Collector, and Database.

• An application supports interactive users and runs the suite of analysis tools.
• A collector captures incoming events.
• The database manages access and retrieval of captured events.

Site Deployment
RSA enVision is deployed on a site basis. The enVision components are deployed based on the type of site you have. The two types of sites are:

Single appliance site. The ES series appliances are designed to operate in a stand-alone, non-distributed mode. They have all three enVision components (Application, Collector, and Database) installed on one appliance. The single appliance is a site. Some single appliance sites have an external storage system. For information on a single appliance site, see Chapter 2, "Single Appliance Site."

Multiple appliance site. The LS series appliances are designed to operate in a distributed installation. Each enVision component (Application, Collector, and Database) is on its own appliance. The appliances together form a site. Distributed multiple appliance sites allow multiple installations of any of the three appliance types to be deployed in order to manage the variety of network infrastructures found in production environments. All multiple appliance sites have external storage systems. For information on a multiple appliance site, see Chapter 3, "Multiple Appliance Site."

For information on associating a Remote Collector site with a multiple appliance site, see Chapter 4, "Remote Collector Site."

Chapter 2: Single Appliance Site

Configuration Tasks
The configuration process takes approximately 30 minutes to complete. The system restarts several times while completing the setup. The configuration tasks for a single appliance site are as follows:

Task 1. Plan the installation. Complete the "Configuration Wizard Planning Worksheet - Single Appliance Site" on page 12.

Task 2. Set up the RSA enVision appliance hardware. Complete the tasks in "Single Appliance Site" in the Hardware Guide.

Task 3. Connect to the appliance using a KVM switch. (You can also connect remotely using DRAC instead of using a local KVM. See Appendix B, "Dell Remote Access Controller Utility.")

Task 4. Complete the enVision Configuration Wizard. The Configuration Wizard starts automatically.
Note: enVision uses the default IP address 192.168.1.55. IP address conflicts can occur if the LAN cable is connected to an existing network when you run the configuration wizard. For this reason, you should verify the LAN cable is not connected to an existing network or confirm the IP address is not being used before you run the configuration wizard.
If you click Cancel at any time while using the wizard, you must restart the wizard to configure your site. To restart the wizard, double-click the lsconfigurationwizard.exe file in the c:\windows\installations directory.
In the last step, verify that everything is correct on the Review Page. (If the Review page is not correct, click Cancel and check your hardware setup.) You cannot change any of the site configuration options after the wizard is finished. Click Finish.
When the wizard displays the Review Page window, the wizard displays the enVision Configuration Wizard Log window. The log displays the steps the system is performing to configure the site. The appliances restart automatically when the site configuration process is complete.

Task 5. Immediately after you configure RSA enVision 4.0, RSA strongly recommends that you download and install two Content Updates: Event Source Update Package and VAM & Signature Content Update Package. Go to RSA SecurCare Online https://knowledge.rsasecurity.com. Click on Products. Under RSA enVision click Content Updates. Complete the instructions available on that page to download and install the updates.

Task 6. Apply the license keys that were sent, by e-mail, to the contact provided when you ordered the enVision appliance:
1. Download the key file that you received from RSA.
2. Back up or rename the old key.ini file.
3. Rename the new key file to key.ini.
4. Place the new key.ini file in the E:\nic\csd\license\sitename folder, where sitename is the name of your site.
5. Restart the NIC Service Manager Service on all nodes for which a key was applied.

Next Steps
After the site configuration is complete, you must set up the processing options in enVision. For more information, see Chapter 5, "Next Steps."

Configuration Wizard Planning Worksheet - Single Appliance Site
The planning worksheet contains the following sections:
• Name the site
• Specify the IP address
• Identify external storage
• Identify DNS servers
• Specify time settings
• Specify the external IP address

Name the Site
Selecting the site name is extremely important. Once you name the site you cannot change the name. A valid site name is a unique 2- to 11-character, alphanumeric string.

Site Name: ____________

The site name cannot be the same as any other enVision site name, nor can it be the same as any existing Windows domain name, or NetBIOS name for a Windows domain. (The NetBIOS name for a Windows domain is the name preceding the dot). For example if your Windows domain name is MyDomainName.com, then the NetBIOS name for this Windows domain would be MyDomainName, it would then be wrong to install an enVision site with the name MyDomainName.

The site name is used in the following names:
• Node name for the appliance. For example, if your site name is Seattle, for an ES series appliance site, the ES appliance node name is Seattle-ES.
• NIC Windows domain name created for your site, sitename.nic. The site name also becomes the name of the Windows domain created for your site. For example, if your site name is Seattle, the Windows domain for the site is Seattle.nic.

Specify the IP Address
The default addresses for the appliance are:

LAN IP address. The LAN address is used to access the appliance on the LAN.
Subnet mask. The subnet mask is used to determine to which subnet an IP address belongs.
Gateway address. The gateway address identifies the computer that routes the traffic to the outside network.

You can override the default values during configuration. If you want to override the default values, write the new values in the table.

                 Default          Override Value
LAN IP Address   192.168.1.155    ______________
Subnet Mask      255.255.255.0    ______________
Gateway Address  192.168.1.1      ______________

Identify External Storage
If your ES series appliance has external storage, the wizard recognizes this and prompts you to enter the IP address of the DAS external storage device. If you want to override the default IP address value shown below, write the new value in the table.

                 Default          Override Value
DAS IP Address   10.2.203.101     ______________

Identify DNS Servers
Identify the primary and secondary DNS servers on your network, and options for the servers. RSA enVision uses the DNS servers to resolve IP addresses found in events for reporting and alerting.

DNS Server   IP Address
Primary      ______________
Secondary    ______________

Identify processing options for the DNS Servers.

Field: Do Not Use Recursion
Description: Select this check box to indicate that the DNS server uses forwarders exclusively to resolve queries on behalf of its DNS clients. If the process using forwarders for resolution fails to resolve a query, a failure message is returned.
Option: [ ] Do not Use Recursion

Field: Forwarding Timeout
Description: Type the number of seconds that the DNS server continues to attempt to contact and use a listed forwarder. When the timeout expires, DNS moves to the next forwarder on the list and repeats the process. The default value is 5.
Option: _____ seconds

Specify Time Settings
RSA enVision uses your local time and optionally, a network time protocol for synchronization. The enVision Configuration Wizard allows you to use the Windows Date and Time Properties window to update your date and time directly from the wizard.

Network Time Protocol
You can identify a server to which enVision will periodically synchronize its time. Note the following:
• If you are using a server to synchronize time, you should be aware that known NTP time servers, such as atomic clocks, are outside your network and may be a security issue. RSA assumes no risk to your network if you choose to use a known NTP server.
• If you change the time zone on the Time Zone tab, you must click Apply before clicking on the Date & Time tab to change the time. If you do not click Apply on the Time Zone tab, changing the time on the Date & Time tab changes the time for the previously selected time zone.

The following table lists NTP Servers.

Local Site Time
Identify the time zone in which your site is located. (While running the configuration wizard, you must confirm the current date and time in your selected time zone.)

Time Zone: ______________

Specify the External IP Address
Indicate whether this site uses an external address.

[ ] This site uses an external IP address and port number.

Data Server LAN IP Address (internal IP address): ______________
Data Server LAN Port Number (internal port number): ______________
Data Server External IP Address: ______________
Data Server External Port Number: ______________


Chapter 3: Multiple Appliance Site

Overview
The LS series appliances are designed to operate in a distributed installation. Each enVision component (Application, Collector, and Database) is on its own appliance. The appliances together form a site. Distributed, multiple appliance sites allow multiple installations of any of the three appliance types to be deployed in order to manage the variety of network infrastructures found in production environments. All multiple appliance sites use external storage systems. For information about the hardware, see the Hardware Guide.

Site Deployment
The appliance types used in a multiple appliance site are as follows.

• Database Server. Appliance type: D-SRV. Number per component: One. Manages access and retrieval of captured events.
• Application Server. Appliance type: A-SRV1, A-SRV2, A-SRV3. Number per component: Up to three. Supports interactive users. Runs the suite of analysis tools. You may want multiple A-SRVs so that you can separate the alerting processes from the reporting processes.
• Collector (Local Collector). Appliance type: LC1, LC2, LC3. Number per component: Up to three. Captures incoming events locally. Each site has at least one LC.

Each multiple appliance site has the option of having up to 16 Remote Collector (RC) server appliances. Remote Collectors (RCs) capture incoming events remotely and forward data to their master site. Each RC is considered a site. Remote collectors forward data collected to the enVision site (using the NIC Forwarder Service). The Administrator sets up the remote collector's Forwarder parameters on the Modify Collector Service window in enVision. For information on configuring RCs, see Chapter 4, "Remote Collector Site."

Note: The total events per second (EPS) for all Collectors per site (per D-SRV) cannot exceed 30,000 EPS.

The following figure illustrates a possible configuration of a multiple appliance site.

Multiple Site Deployment
A group of multiple appliance sites is referred to as a NIC domain. You can deploy up to ten D-SRVs in a NIC domain. The NIC domain is set up in a specific configuration with one site acting as the NIC domain master site. You set up the NIC domain during installation, using the enVision Configuration Wizard. Data flow and configuration information are based on your NIC domain configuration.

The following figure illustrates a possible configuration of a NIC domain.

Master/Slave Relationship
The following figure illustrates a basic enVision multiple site setup with a master site and a slave site. In a configuration with more than one site, the master is always Site 1 in the hierarchy. The sites connected to Site 1 are slaves to Site 1. In a multiple site NIC domain, Site 1 is the NIC domain master site. You can only have one NIC domain master site and it is always Site 1. A slave site can also be a master site in a multiple site deployment.

Example Domain
In the following example, the NIC domain consists of seven sites:
• In addition to being the NIC domain master site, site 1 is the master site for sites 2 and 5.
• Sites 2 and 5 are slaves to site 1.
• Site 2 is the master site for sites 3 and 4. Sites 3 and 4 are slaves to site 2.
• Site 5 is the master site for sites 6 and 7. Sites 6 and 7 are slaves to site 5.

In enVision, the Set Up Site Communications window (Overview > System Configuration > Services > Set Up Site Communications) lists the site names and the names of their corresponding master sites. If a multiple site deployment is set up as shown in the example illustration, the master/slave relationship of the sites in this NIC domain is as follows:

Site Name   Master Site
Site 1      None
Site 2      Site 1
Site 3      Site 2
Site 4      Site 2
Site 5      Site 1
Site 6      Site 5
Site 7      Site 5

Site Access in the NIC Domain
You can access and maintain data globally across all sites in the NIC domain with a few exceptions. The exceptions are these site-specific items that only have meaning to the site where they were configured:
• Directories
• Module or tool settings that you set for:
    – System Performance tool - display options
    – Query tool - process options and storage directory for saved queries
    – Reports module - storage directory and format for saved report results
    – Executive Dashboard - item settings (Note: Permissions for the items are set globally.)
• Custom reports that you added
• Scheduled reports (can only be scheduled to run on the site where they were configured)
• Custom queries that you added

Multiple Appliance Site with Enhanced Availability
The LS series appliances are designed to operate in a distributed installation. Each enVision component (Application, Collector, and Database) is on its own appliance. The appliances together form a site. Distributed, multiple appliance sites allow multiple installations of any of the three appliance types to be deployed to manage the variety of network infrastructures found in production environments. All multiple appliance sites use external storage systems.

Optionally, you can set up enhanced availability (EA) for the Local Collectors (LCs). This allows you to define up to six cluster appliances (CAs) for a site to perform the LC roles. The implementation of the enhanced availability feature for the Local Collectors is a Professional Services package. You can arrange for a Professional Services package by contacting RSA.

Configuration Tasks
The configuration process takes approximately 30 minutes to complete. The system restarts several times while completing the setup. In a multiple site domain, repeat the tasks on each site, with the exception of Task 5. Task 5 only needs to be performed once in a NIC domain.

Task 1. Plan the installation. Complete the "Configuration Wizard Planning Worksheet - Multiple Appliance Site" on page 23.

Task 2. Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 4 "Multiple Appliance Site" in the RSA enVision Hardware Guide.

Task 3. Connect to the D-SRV appliance using a KVM switch. (You can also connect remotely using DRAC instead of using a local KVM. See Appendix B, "Dell Remote Access Controller Utility.")

Task 4. Complete the enVision Configuration Wizard. The Configuration Wizard starts automatically.
Note: enVision uses the default IP address 192.168.1.55. IP address conflicts can occur if the LAN cable is connected to an existing network when you run the configuration wizard. For this reason, you should verify the LAN cable is not connected to an existing network or confirm the IP address is not being used before you run the configuration wizard.
If you click Cancel at any time while using the wizard, you must restart the wizard to configure your site. To restart the wizard, double-click the lsconfigurationwizard.exe file in the c:\windows\installations directory.
In the last step, verify that everything is correct on the Review Page. (If the Review page is not correct, click Cancel and check your hardware setup.) You cannot change any of the site configuration options after the wizard is finished. Click Finish.
When the wizard displays the Review Page window, the wizard displays the enVision Configuration Wizard Log window. The log displays the steps the system is performing to configure the site. The appliances restart automatically when the site configuration process is complete.

Task 5. Within the NIC domain, verify that Replication is working correctly. To do so, open the Services window, locate the NIC DB Replication Client service, and ensure it is running.

Task 6. Install and start the NIC App Server service:
CAUTION: You must have the NIC App Server installed on the A-SRV of the NIC domain master site. Only one instance of the NIC App Server can be running in a given enVision domain. Even if you have only one A-SRV in the NIC Domain, you must run the appserver_install.bat batch program to install and start the NIC App Server Service.
Before you begin, make sure that you have installed the RSA enVision 4.0 software.
Run the appserver_install.bat batch script in the nic\4000\servername\bin\ folder providing the external LAN IP address of the A-SRV machine in the NIC Domain master site, as an input parameter to the batch script. For example:
E:\nic\4000\servername\bin\appserver_install.bat a-srv-ip_address
This batch program installs and starts the NIC App Server Service on the A-SRV and adds it to the list of services in the Manage Services window in enVision.

Task 7. Immediately after you configure RSA enVision 4.0, RSA strongly recommends that you download and install two Content Updates: Event Source Update Package and VAM & Signature Content Update Package. Go to RSA SecurCare Online https://knowledge.rsasecurity.com. Click on Products. Under RSA enVision click Content Updates. Complete the instructions available on that page to download and install the updates.

Task 8. Apply the license keys that were sent, by e-mail, to the contact provided when you ordered the enVision appliance:
1. Download the key file that you received from RSA.
2. Back up or rename the old key.ini file.
3. Rename the new key file to key.ini.
4. Place the new key.ini file in the appropriate folder:
   If you have a site with no connected NAS, place each license key file in the appropriate E:\nic\csd\license\sitename node folder, where sitename is the name of your site.
   If you have a site with a connected NAS, place each license key file in the appropriate \\ip\vol0\nic\csd\license node folder, where ip is the IP address of your NAS.
5. Restart the NIC Service Manager Service on all nodes for which a key was applied.

Next Steps

If there are Remote Collectors (RCs) for this site, see Chapter 4, “Remote Collector Site” for information on configuring the remote sites.

After the site configuration is complete, you must set up the processing options in enVision. For more information, see Chapter 5, “Next Steps.”

Configuration Wizard Planning Worksheet - Multiple Appliance Site

The worksheet consists of two sections:
• NIC domain. Complete this section for your NIC domain.
• Site. Complete this section for each site in your NIC domain. (Make a copy of the worksheet, so that you can complete a worksheet for each site.)

If you are configuring a Remote Collector (RC) for a multiple appliance site, see Chapter 4, “Remote Collector Site.”

NIC Domain

Draw a topology diagram of your NIC domain. Label the NIC domain master site. Label each site with a site name to identify it for additional planning purposes.

Site

Complete this section of the worksheet for each site in the NIC domain. The planning worksheet contains the following sections:
• Name the site
• Identify appliances in the site
• Identify external storage
• Identify DNS servers
• Specify time settings
• Specify site-to-site connection
• Specify the external IP address

Name the Site

Selecting the site name is extremely important. Once you name the site you cannot change the name. A valid site name is a unique 2- to 11-character, alphanumeric string.

Site Name: ____________

The site name cannot be the same as any other enVision site name, nor can it be the same as any existing Windows domain name, or NetBIOS name for a Windows domain. (The NetBIOS name for a Windows domain is the name preceding the dot). For example, if your Windows domain name is MyDomainName.com, then the NetBIOS name for this Windows domain would be MyDomainName; it would then be wrong to install an enVision site with the name MyDomainName.

The site name also becomes the name of the Windows domain created for your site. The site name is used in the following names:
• Node name for each of the appliances in the site. For example, if your site name is Boston, the Database server appliance node name is Boston-DS1.
• NIC Windows domain name created for your site, sitename.nic. For example, if your site name is Boston, the Windows domain for the site is Boston.nic.

Identify Appliance in the Site

The default addresses for the appliance are:
• LAN IP address. The LAN address is used to access the appliance on the LAN.
• Subnet mask. The subnet mask is used to determine to which subnet an IP address belongs.
• Gateway address. The gateway address identifies the computer that routes the traffic to the outside network.

Select each appliance type in your site. If you want to override the default values, write the new values in the table.

Select  Appliance Type  IP Address      Subnet Mask     Gateway Address
[ ]     A-SRV1          192.168.1.155   255.255.255.0   192.168.1.1
[ ]     A-SRV2          192.168.1.155   255.255.255.0   192.168.1.1
[ ]     A-SRV3          192.168.1.155   255.255.255.0   192.168.1.1
[ ]     D-SRV           192.168.1.155   255.255.255.0   192.168.1.1
[ ]     LC1             192.168.1.155   255.255.255.0   192.168.1.1
[ ]     LC2             192.168.1.155   255.255.255.0   192.168.1.1
[ ]     LC3             192.168.1.155   255.255.255.0   192.168.1.1

If there are remote collectors for this site, complete the “Configuration Wizard Planning Worksheet - Remote Collector Site” on page 32.

Identify External Storage

If you want to override the default IP address value shown below, write the new value in the table.

Default DAS IP Address  Override Value
10.203.2.101            ____________

Identify DNS Servers

Identify the primary and secondary DNS servers on your network, and options for the servers. enVision uses the DNS servers to resolve IP addresses found in events for reporting and alerting.

DNS Server  IP Address
Primary     ____________
Secondary   ____________

Identify processing options for the DNS Servers.

Field: Do Not Use Recursion
Description: Select this check box to indicate that the DNS server uses forwarders exclusively to resolve queries on behalf of its DNS clients. If the process using forwarders for resolution fails to resolve a query, a failure message is returned.
Option: [ ] Do not Use Recursion

Field: Forwarding Timeout
Description: Type the number of seconds that the DNS server continues to attempt to contact and use a listed forwarder. When the timeout expires, DNS moves to the next forwarder on the list and repeats the process. The default value is 5.
Option: _____ seconds

Specify Time Settings

enVision uses your local time and optionally, a network time protocol for synchronization.

Network Time Protocol

You can identify a server to which enVision will periodically synchronize its time. Note the following:
• If you are using a server to synchronize time, you should be aware that known NTP time servers, such as atomic clocks, are outside your network and may be a security issue. RSA assumes no risk to your network if you choose to use a known NTP server.

• The enVision Configuration Wizard allows you to use the Windows Date and Time Properties window to update your date and time directly from the wizard. If you change the time zone on the Time Zone tab, you must click Apply before clicking on the Date & Time tab to change the time. If you do not click Apply on the Time Zone tab, changing the time on the Date & Time tab changes the time for the previously selected time zone.

The following table lists NTP Servers.

Select  NTP Server
[ ]     ntp2.usno.navy.mil
[ ]     tick.usno.navy.mil
[ ]     tock.usno.navy.mil
[ ]     tick.usnogps.navy.mil
[ ]     tock.usnogps.navy.mil
[ ]     navobs1.wustl.edu
[ ]     navobs1.oar.net
[ ]     ntp0.mcs.anl.gov
[ ]     bigben.cac.washington.edu
[ ]     tick.ucla.edu
[ ]     ntp.alaska.edu
[ ]     tick.mhpcc.hpc.mil

Local Site Time

Identify the time zone in which your site is located.

Time Zone: ____________
(While running the configuration wizard, you must confirm the current date and time in your selected time zone.)

Specify Site-to-Site Connection

If this site is not the NIC domain master site, identify the master site, the site to which this site is connected.

[ ] This site is connected to another site in the NIC domain.

Master Site Data Server (D-SRV) IP Address (external IP address): ____________
Master Site Name: ____________

Specify the External IP Address

Indicate whether the database server (D-SRV) for this site requires an external address and port number.

[ ] The data server (D-SRV) for this site uses an external IP address and port number.

Data Server LAN IP Address (internal IP address): ____________
Data Server LAN Port Number (internal port number): ____________
Data Server External IP Address: ____________
Data Server External Port Number: ____________


4 Remote Collector Site

Overview

Each multiple appliance site has the option of having up to 16 Remote Collector (RC) server appliances. Each RC is considered a site. RCs capture incoming events remotely. Remote collectors forward data collected to the enVision site (using the NIC Forwarder Service). (The Administrator sets up the remote collector's Forwarder parameters on the Modify Collector Service window in enVision.)

The RCs use the LS series appliances. For the specifications for the LS series appliances, see Appendix A “Hardware Specifications” in the RSA enVision Hardware Guide.

Note: The total EPS for all Collectors per site (per D-SRV) cannot exceed 30,000 EPS.

Configuration Tasks

The configuration process takes approximately 30 minutes to complete.

Important: Before you configure the RC, make sure that its master is configured, and up and running. You cannot change any of the site configuration options after the wizard is finished.

The configuration tasks to configure an RC site are as follows:

Task  Activity

1     Plan the installation. Complete the “Configuration Wizard Planning Worksheet - Remote Collector Site” on page 32.

2     Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 5 “Remote Collector Site” in the RSA enVision Hardware Guide.

3     Connect to the RC appliance using a KVM switch. The Configuration Wizard starts automatically.

Task  Activity

4     Complete the enVision Configuration Wizard. When the wizard displays the Review Page window, verify that everything is correct on the Review Page. (If the Review page is not correct, click Cancel and check your hardware setup.) Click Finish.
      In the last step, the wizard displays the enVision Configuration Wizard Log window. The log displays the steps the system is performing to configure the site. The system restarts several times while completing the setup. The appliances restart automatically when the site configuration process is complete.
      If you click Cancel at any time while using the wizard, you must restart the wizard to configure your site. To restart the wizard, double-click the lsconfigurationwizard.exe file in the c:\windows\installations directory.

5     Verify the RC configuration on the RC’s master site’s A-SRV. For complete instructions, see “Verify the RC Configuration” on page 30.

6     Configure the data forwarding scheduled task on the A-SRV for the master site of the RC. For complete instructions, see “Configure the Data Forwarding Task” on page 31.

7     Test the configuration. See “Test the Configuration” on page 32 for complete instructions.

8     Apply the license keys that were sent, by e-mail, to the contact provided when you ordered the enVision appliance:
      1. Download the key file that you received from RSA.
      2. Back up or rename the old key.ini file.
      3. Rename the new key file to key.ini.
      4. Place the new key.ini file in the appropriate folder:
         If you have a site with a connected NAS, place each license key file in the appropriate \\ip\vol0\nic\csd\license node folder, where ip is the IP address of your NAS.
         If you have a site with no connected NAS, place each license key file in the appropriate E:\nic\csd\license\sitename node folder, where sitename is the name of your site.
      5. Restart the NIC Service Manager Service on all nodes for which a key was applied.

Verify the RC Configuration

Verify the configuration for the master site.

To verify the RC configuration on the master site's A-SRV:
1. Log on to enVision on the appliance server (A-SRV) of the master site. Complete the following steps to log on to enVision on the appliance server (A-SRV) of the master site:
   a. Start your web browser.
   b. Type http://address:8080 in the Address field, where address is the machine name or IP address of the A-SRV and 8080 is the port through which you access enVision. For example, http://sunshine:8080 or http://10.10.30.140:8080.
   c. Press Enter. The system displays the Log In window.
   d. Type your password and click Log In.
2. Make sure that the RC is listed as a site:
   a. Click Overview > System Configuration > Services > Set Up Site Communication. enVision displays the Set Up Site Communication window.
   b. Select the remote collector from the Site drop-down list. Make sure that the RC is listed as a site and the information displayed is correct.

Configure the Data Forwarding Task

Configure the data forwarding task for the Remote Collector.

To schedule the data forwarding task for the RC on the master site's A-SRV:
1. Click Overview > System Configuration > Services > Scheduler Service > Schedule Task. enVision displays the Schedule Task window.
2. If the NIC Scheduler Service is not running, start the NIC Scheduler Service.
3. Enter a task name of "NIC Forwarding".
4. Enter an executable name of "PI_LS_FORWARDER.EXE".
   Note: By default, the data forwarding task runs every hour.
5. To specify when the data forwarding task is performed and how often, click Set Recurrence. enVision displays the Set Recurrence window.
6. Complete the window and click Apply. enVision displays the Schedule Task window.
7. Click Apply.
8. Click Schedule. enVision displays the task on the Manage Scheduled Tasks window.

Test the Configuration

Ensure the configuration is working as expected.

To test the configuration:
1. After the Data Forwarding task runs, from the A-SRV analyze the devices collected on the RC site.
2. Run a report (for example, Bandwidth Usage by Address) to analyze the devices collected.
   Note: When you select the time range of the report, the forwarded data is four hours old by default (and, at a minimum, one hour old).
3. Make sure that data was returned for your devices.

Configuration Wizard Planning Worksheet - Remote Collector Site

The planning worksheet contains the following sections:
• Name the site
• Identify the appliance
• Identify DNS servers
• Specify time settings
• Specify site-to-site connection
• Specify the external IP address

Name the Site

Selecting the site name is extremely important. Once you name the site you cannot change the name. A valid site name is a unique 2- to 11-character, alphanumeric string.

Site Name: ____________

The site name cannot be the same as any other enVision site name, nor can it be the same as any existing Windows domain name, or NetBIOS name for a Windows domain. (The NetBIOS name for a Windows domain is the name preceding the dot). For example, if your Windows domain name is MyDomainName.com, then the NetBIOS name for this Windows domain would be MyDomainName; it would then be wrong to install an enVision site with the name MyDomainName.

The site name also becomes the name of the Windows domain created for your site. The site name is used in the following names:
• Node name for the appliance. For example, if your site name is Hartford, the appliance node name is Hartford-RC1.
• NIC Windows domain name created for your site, sitename.nic. For example, if your site name is Hartford, the Windows domain for the site is Hartford.nic.

Identify Appliance in the Site

The default addresses for the appliance are:
• LAN IP address. The LAN address is used to access the appliance on the LAN.
• Subnet mask. The subnet mask is used to determine to which subnet an IP address belongs.
• Gateway address. The gateway address identifies the computer that routes the traffic to the outside network.

Select each appliance type in your site. If you want to override the default values, write the new values in the table.

Appliance Type  IP Address      Subnet Mask     Gateway Address
RC1             192.168.1.155   255.255.255.0   192.168.1.1

Identify DNS Servers

Identify the primary and secondary DNS servers on your network, and options for the servers. enVision uses the DNS servers to resolve IP addresses found in events for reporting and alerting.

DNS Server  IP Address
Primary     ____________
Secondary   ____________

Identify processing options for the DNS Servers.

Field: Do Not Use Recursion
Description: Select this check box to indicate that the DNS server uses forwarders exclusively to resolve queries on behalf of its DNS clients. If the process using forwarders for resolution fails to resolve a query, a failure message is returned.
Option: [ ] Do not Use Recursion

Field: Forwarding Timeout
Description: Type the number of seconds that the DNS server continues to attempt to contact and use a listed forwarder. When the timeout expires, DNS moves to the next forwarder on the list and repeats the process. The default value is 5.
Option: _____ seconds

Specify Time Settings

enVision uses your local time and optionally, a network time protocol for synchronization.

Network Time Protocol

You can identify a server to which enVision will periodically synchronize its time. Note the following:
• If you are using a server to synchronize time, you should be aware that known NTP time servers, such as atomic clocks, are outside your network and may be a security issue. RSA assumes no risk to your network if you choose to use a known NTP server.
• The enVision Configuration Wizard allows you to use the Windows Date and Time Properties window to update your date and time directly from the wizard. If you change the time zone on the Time Zone tab, you must click Apply before clicking on the Date & Time tab to change the time. If you do not click Apply on the Time Zone tab, changing the time on the Date & Time tab changes the time for the previously selected time zone.

The following table lists NTP Servers.

Select  NTP Server
[ ]     ntp2.usno.navy.mil
[ ]     tick.usno.navy.mil
[ ]     tock.usno.navy.mil
[ ]     tick.usnogps.navy.mil
[ ]     tock.usnogps.navy.mil
[ ]     navobs1.wustl.edu
[ ]     navobs1.oar.net
[ ]     ntp0.mcs.anl.gov
[ ]     bigben.cac.washington.edu
[ ]     tick.ucla.edu
[ ]     ntp.alaska.edu
[ ]     tick.mhpcc.hpc.mil

Local Site Time

Identify the time zone in which your site is located.

Time Zone: ____________
(While running the configuration wizard, you must confirm the current date and time in your selected time zone.)

Specify Site-to-Site Connection

If this site is not the NIC domain master site, identify the master site, the site to which this site is connected.

[ ] This site is connected to another site in the NIC domain.

Master Site Data Server (D-SRV) IP Address (external IP address): ____________
Master Site Name: ____________

Specify the External IP Address

Indicate whether the database server (D-SRV) for this site requires an external address and port number.

[ ] The data server (D-SRV) for this site uses an external IP address and port number.

Data Server LAN IP Address (internal IP address): ____________
Data Server LAN Port Number (internal port number): ____________
Data Server External IP Address: ____________
Data Server External Port Number: ____________
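Because the site name and the other site options cannot be changed once the wizard has finished, the rules stated in the two planning worksheets (multiple appliance site and Remote Collector site) are worth checking before the wizard is run. The following Python code is an added example, not part of the RSA guide or the enVision software; the function names, the data layout, the case-insensitive name comparison, the duplicate-address check and the single-master check are assumptions made for illustration.

```python
import ipaddress
import re

SITE_NAME = re.compile(r"[A-Za-z0-9]{2,11}")  # 2- to 11-character alphanumeric string
MAX_REMOTE_COLLECTORS = 16                     # RC limit per multiple appliance site


def netbios_name(domain):
    """NetBIOS name of a Windows domain: the part preceding the first dot."""
    return domain.split(".", 1)[0]


def check_site_name(name, other_sites=(), windows_domains=()):
    """Return the naming problems for one site (empty list when the name is usable)."""
    problems = []
    if not SITE_NAME.fullmatch(name):
        problems.append(f"site {name!r}: must be 2 to 11 alphanumeric characters")
    # Assumption: names are compared case-insensitively, as NetBIOS names are.
    if name.lower() in {other.lower() for other in other_sites}:
        problems.append(f"site {name!r}: already used by another enVision site")
    for domain in windows_domains:
        if name.lower() in (domain.lower(), netbios_name(domain).lower()):
            problems.append(f"site {name!r}: collides with Windows domain {domain!r}")
    return problems


def check_addresses(site, appliances):
    """appliances: iterable of (appliance type, LAN IP, subnet mask, gateway)."""
    problems, seen = [], {}
    for kind, ip, mask, gateway in appliances:
        try:
            iface = ipaddress.ip_interface(f"{ip}/{mask}")
            gw = ipaddress.ip_address(gateway)
        except ValueError as exc:  # malformed address or non-contiguous mask
            problems.append(f"{site}/{kind}: {exc}")
            continue
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{site}/{kind}: {ip} is not a host address in {net}")
        if gw not in net or gw == iface.ip:
            problems.append(f"{site}/{kind}: gateway {gateway} is not usable from {iface}")
        # Assumption: appliances sharing a LAN need distinct addresses, so a row
        # left at the factory default next to another one is reported.
        if iface.ip in seen:
            problems.append(f"{site}/{kind}: {ip} is already assigned to {seen[iface.ip]}")
        seen.setdefault(iface.ip, kind)
    return problems


def validate_worksheets(sites, windows_domains=()):
    """sites: list of dicts with keys name, master, appliances, remote_collectors."""
    problems = []
    # Each RC is itself a site, so RC names join the pool of site names.
    all_names = [s["name"] for s in sites]
    all_names += [rc for s in sites for rc in s.get("remote_collectors", [])]
    for index, name in enumerate(all_names):
        others = all_names[:index] + all_names[index + 1:]
        problems += check_site_name(name, others, windows_domains)
    # Assumption: a NIC domain has exactly one master site.
    masters = [s["name"] for s in sites if s.get("master")]
    if len(masters) != 1:
        problems.append(f"expected exactly one NIC domain master site, found {masters}")
    for s in sites:
        rcs = s.get("remote_collectors", [])
        if len(rcs) > MAX_REMOTE_COLLECTORS:
            problems.append(f"site {s['name']!r}: {len(rcs)} RCs, limit is {MAX_REMOTE_COLLECTORS}")
        problems += check_addresses(s["name"], s.get("appliances", []))
    return problems


# Constructed worksheet data; none of these values come from a real deployment.
SAMPLE_DOMAINS = ["corp.example.com"]
SAMPLE_SITES = [
    {"name": "Boston", "master": True, "remote_collectors": ["Hartford"],
     "appliances": [
         ("A-SRV1", "192.168.1.155", "255.255.255.0", "192.168.1.1"),
         ("D-SRV", "192.168.1.155", "255.255.255.0", "192.168.1.1"),  # left at default
         ("LC1", "192.168.1.157", "255.255.255.0", "192.168.2.1"),    # gateway off-subnet
     ]},
    {"name": "corp", "master": False, "remote_collectors": [], "appliances": []},
]

if __name__ == "__main__":
    for line in validate_worksheets(SAMPLE_SITES, SAMPLE_DOMAINS):
        print(line)
```

Note that the guide's own counter-example, MyDomainName, fails twice: it collides with the NetBIOS name and it is 12 characters long.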


5 Next Steps

After you complete the RSA enVision site configuration, you must set up the processing options in enVision.

Set Up RSA enVision

First you should plan how to set up the system to accomplish your security goals, policies, and requirements.

Setting up enVision involves three sets of tasks, as described below. See the enVision online Help for a list of the required reading topics for each task.

To access Help within enVision:
1. Click Overview > Best Practices. enVision displays the Best Practices menu and splash screen.
2. Select Help from the menu.

Event source and vulnerability assessment (VA) tool configuration tasks. These are tasks that you perform outside of the enVision software.

Basic setup tasks. These tasks to set up the enVision software allow you to collect, report, and alert on events from supported event sources. Additional tasks may be required to perform the specific processing that you want.

Optional setup tasks. These are tasks to set up additional features or processing options.

The setup tasks include:
• Set up data storage.
• Set up message handling.
• Set up vulnerability and asset management.
• Set up views.
• Schedule reports.
• Set up event collection.
• Set up application display options.
• Set up system access permissions.
• Set up Alerts module tools.
• Set up customized reporting.
• Set up data processing options.

See the enVision online Help for information on setting up and using the enVision analysis tools.

Set Up Your Browser

Pop-up blockers, ad banner blockers, and personal firewalls can all interfere with the launching of enVision, especially at first logon. Make sure that you set up the blockers to allow enVision to operate normally, or disable these blockers. Configure personal firewalls to allow connections between the enVision client and appliance.

You must enable animation for web pages in your browser.

To enable animation for web pages in Microsoft Internet Explorer:
1. In the browser, click Tools > Internet Options.
2. In the Internet Options dialog box, click the Advanced tab.
3. Scroll to Multimedia and select Play animations in web pages.
4. Click OK.
5. Restart the browser.

Log On to RSA enVision

You log in to enVision through a remote system, connecting to the enVision appliance (for multiple appliance sites, connect to the Application Server, A-SRV). Use one of two protocols to access the system, depending on how enVision has been configured:
• HTTPS (Hypertext Transfer Protocol Secure), using default port 8443.
• HTTP (Hypertext Transfer Protocol), using default port 8080.

To log in to enVision:
1. Start your web browser.
2. Enter the enVision URL in the Address field.
   Example: Type: https://address:port
   where:
   • address is the machine name or IP address of the machine on which the system is installed; for multiple appliance sites, this is the A-SRV (Application Server).
   • port is the port through which you access enVision.
   For example, https://sunshine:8443 or https://10.10.10.10:8443.

0_13 Also Support: v1.0 Configuration Guide 3.1.0 or later1 Recommended: 1. v 1. RSA enVision closes all open windows. 4.5.6 Mozilla Firefox 2. See the online Help for instructions.4. such as. click Log Out in the bottom left-hand side of the window. Log Out of RSA enVision To log out of the user interface.x Mozilla Firefox 2.) The system displays the Log In window.2.5. your browser may display certificate validation messages the first time you access enVision.x 1. When you connect through HTTPS. a host name mismatch between the server and its certificate. Type your password and click Log In. these messages may cite validation issues.4.x 1. 5: Next Steps 39 .4.8Ghz Athlon 1800+ RAM Network Display Resolution 1You Macintosh OS X 10.1.0.1 Minimum: P3:1Ghz or P4:1.0 or later1 Browser Java Plug-In 1. RSA enVision Client Software and Hardware Requirements The hardware and software requirements for running the enVision client software are: Windows O/S Microsoft Windows 2000 or Windows XP Microsoft Internet Explorer v6.0. All enVision services and processes continue to run without interruption. (Depending on how server certificates are configured on the appliance. Press Enter. Note: Immediately change your password to a more secure one after you log onto enVision.RSA enVision 4.0_13 Minimum: G5 Processor Minimum: 512 MB Minimum: 100baseTX Minimum: 1024x768 at 16 bit color Minimum: 1 GB RAM Minimum: 100baseTX Minimum:1024x768 at 16 bit color cannot use Mozilla Firefox to view the Enterprise Dashboard tool.

Note: Earlier versions of enVision automatically launched the Java Plug-In Installation. Because of the security constraints in the image for RSA enVision 3.5.0 and later, this no longer happens and you must install the JRE manually.

A Connect to the Appliance Using a Keyboard, Monitor, and Mouse

The first time you work with an appliance, you must connect using a Keyboard, Video and Mouse (KVM). You can continue to work using the KVM or you can use the Remote Controller Access utility. For information on setting up the utility, see Appendix B, “Dell Remote Access Controller Utility.”

To connect to the appliance through KVM:
1. Connect the keyboard, monitor, and mouse to the appliance. You can connect from the USB connectors and the video connector on either the front or back panel. For diagrams of the front and back panel of the appliance, see Chapter 2 “Hardware Layout”, in the RSA enVision Hardware Guide.
2. If the appliance is off, turn on the power using the front panel.


B Dell Remote Access Controller Utility

This appendix describes how to configure RSA enVision on your appliance from a remote location. To do this you must:
1. Set up the Dell Remote Access Controller (DRAC) utility.
2. Using a web browser, access the appliance from a remote location and configure enVision.

Ports Used by RSA enVision for the DRAC Utility

The following table describes the details of the DRAC connections.

Item:            DRAC
Port:            HTTP 80
                 HTTPS 443
                 VNC proxy server 5900
                 Video VNC Port 5901
                 A random number larger than 32768 - RAC FW update through RAC GUI
Service:         Terminal Server (part of the appliance OS)
                 Dell Remote Access Card for OOB Management
Direction:       Inbound and Outbound
Appliance Type:  All

Set Up the Remote Access Controller Utility

Follow this procedure to set up the Remote Access Controller utility.

To set up the Remote Access Controller utility:
1. Restart the machine, and when prompted, press CTRL-E to set up remote access. The system displays the initial Remote Access Controller (setup utility) screen with several options. You only need to configure the options described in these instructions to configure enVision.
2. Highlight NIC Selection and press the spacebar to set NIC Selection to Dedicated.
3. Highlight the LAN Parameters option and press ENTER. The setup utility opens a smaller screen with RCMP+ Encryption Key as the first option.
4. Highlight the IP Address Source option and use the plus (+) and minus (–) keys to select DHCP or Static.

   • If you are going to select DHCP, attach your network cable to a network that has DHCP or contact your network administrator.
   • If you select DHCP, the rest of the values are completed by the utility and you cannot change them.
   • If you select Static, the values for MAC Address VLAN ID are completed by the utility and you cannot change them, but you must specify a value for the following parameters:
     a. Highlight VLAN Enable and press the spacebar to set VLAN Enable to Off.
     b. Highlight Ethernet IP Address and enter a value in the right column.
     c. Highlight Subnet Mask and enter a value in the right column.
     d. Highlight Default gateway and enter a value in the right column.
5. Highlight the Advanced LAN Parameters option and press ENTER. The setup utility opens the smaller DNS Configuration Options screen.
6. Depending on the IP Address Source option you selected in step 4, do one of the following:
   • If you selected DHCP, the DNS Configuration Options’ values are completed by the utility and you cannot change them.
   • If you selected Static, the DNS Server from DHCP option is set to Off by the utility and you cannot change it, but you must enter a value for the following options:
     – DNS Server1
     – DNS Server2
     – Register RAC Name (defaults to Off)
     – Domain name from DHCP (defaults to Off)
7. Press ESC to close the smaller screen.
8. Press ESC twice. The setup utility prompts you to do one of the following:
   • Save Changes + Exit
   • Discard Changes + Exit
   • Return to Setup
9. Highlight Save Changes + Exit and press ENTER. The setup utility finishes the boot process.

Access the Appliance from a Remote Location

To access the appliance remotely:
1. Start a web browser and go to the Ethernet IP Address you specified in step 4 b of the “Set Up the Remote Access Controller Utility” procedure on page 43. The system displays the Remote Access Login window.
2. To log on:
   a. Type root for username (all lower case letters).
   b. Type calvin for password (all lower case letters).
   c. Click OK.
   (Change your password as soon as you can for security purposes.) The utility displays the Remote Access Controller window.
3. Click the Console tab at the top of the window.
4. Click Connect to access the enVision Configuration wizard. If this is your first time accessing the Remote Access Controller utility, the system prompts you to load the Console Redirection Plug-in. The system prompts you to proceed.
5. Click Yes.
6. Complete the configuration instructions for your type of appliance site as described in one of the following chapters:
   • Chapter 2, “Single Appliance Site”
   • Chapter 3, “Multiple Appliance Site”
   • Chapter 4, “Remote Collector Site”


C Change RSA enVision Network IP Addresses

Note: Use the instructions in this appendix only in multiple appliance sites if you are installing RSA enVision on pre-existing Celerra hardware and you want to maintain your IP address structure for this hardware.

To change the IP addresses in accordance with enVision’s automatic IP address assignments:
1. Rename the IP address for each appliance after factory typing and before you start the set up tasks.
2. Change IP addresses in the lsconfigurationwizard.cfg file to match the addresses you renamed on the appliances.

Rename IP Address for Each Appliance before Setting Up Your Site

To rename the IP addresses for each enVision appliance at your site:
1. Access the appliance with a KVM (see Appendix A, “Connect to the Appliance Using a Keyboard, Monitor, and Mouse”) or from a remote location (see Appendix B, “Dell Remote Access Controller Utility”).
2. In Windows, select Network Connections/SWITCH/Internet Protocol Settings and click properties (SWITCH is the name of the interface).

3. Change the C class of the IP address (for example, change 10.203.2 to 10.203.0). You can use any value for the C class of the IP address, but enVision appends a value to each IP address as illustrated in the figure below.

Add Trusted Sites

To allow enVision to install the application on the other nodes in your NIC domain, you must add trusted sites. If you do not do this, the enVision installation will fail.

To add trusted host so remote sites can access various appliances:
1. Open Internet Explorer.
2. Click Tools > Internet Options and select the Security tab.
3. Click the Local Intranet icon.
4. Select the Sites radio button.

5. Type *://site-ip-address.1-255.* in the Add this web site to the zone section, where site-ip-address can consist of your IP address naming conventions for the 1st octet and 2nd octet of the address, but you must use 1-255 for the 3rd octet. For example, *://10.203.1-255.*
6. Click Add > Close > OK. The system closes Internet Options.

Change the IP Addresses in the Configuration Wizard to Match Renamed Appliance Addresses

Factory and system typing of your appliance is done before delivery. However, if you are re-imaging your appliance, you must do this before you change IP addresses in enVision configuration wizard to match renamed appliance addresses.

To update the enVision configuration wizard for the renamed IP addresses:
1. When the configuration wizard starts automatically, click Cancel to stop the wizard.
2. Go to C:\WINDOWS\system32\drivers\etc. This folder contains the lsconfiguration.cfg file.
3. Edit the SwIpBase=10.203.2 IP address in the lsconfiguration.cfg file so that the IP addresses of the enVision appliances match the newly renamed addresses. For example, change SwIpBase=10.203.2 to SwIpBase=10.203.0.
4. Save the edited lsconfiguration.cfg file.
5. Ping each machine to make sure that the renamed IP addresses are correct.
6. Double-click E:\nic\4000\servername\bin\lsconfigurationwizard.exe to restart the configuration wizard so you can finish configuring enVision with the renamed IP addresses.


Glossary

A-SRV
See Application Server.

ad hoc report
An unscheduled report that runs immediately.

ADB
See Asset Database.

administrator
A user responsible for setting up and maintaining RSA enVision. An administrator has access to all enVision functions.

alert
An indication that an event, or a sequence of events, requires further investigation. RSA enVision sends alerts based on messages received under a configured set of circumstances such as filters. The administrator defines alerts for each view.

Alert History tool
The RSA enVision tool that is used to display alerts from the events database.

Alerts module
The RSA enVision module that provides tools to monitor, display, and configure alerts.

Analysis module
The RSA enVision module that provides tools to view, query, and analyze collected data.

appliance
The hardware on which RSA enVision software is deployed. See single appliance site and multiple appliance site.

Application Server (A-SRV)
The appliance or component of RSA enVision that supports interactive users and runs the suite of enVision analysis tools. In a single appliance site, the Application Server (A-SRV) is a component of the enVision system. In a multiple appliance site, the A-SRV is installed on its own appliance. See single appliance site and multiple appliance site.

asset
A system, such as a host, software system, workstation, or device, that is within a network and makes up the enterprise environment.

Asset Database (ADB)
A unified view of assets created by merging data from supported vulnerability assessment (VA) tools and imported asset information in the asset tracking tools. The ADB provides security managers with insight into their operations.

attribute category
A group of categories defined by RSA enVision for device and asset attributes. The nine categories are properties, owner, importance, location, organization, physical, function, vulnerability, and zone.

bind report
A group of reports that can be scheduled to run as a single report.

collection
The process of collecting, analyzing, and storing logs from event sources. RSA enVision stores the logs, with descriptive metadata, in the Log Smart Internet Protocol Database (IPDB).

Collector
The appliance or component of RSA enVision that captures incoming events. In a single appliance site, the Collector is a component of the enVision system. In a multiple appliance site, the Collector is installed on its own appliance. See single appliance site and multiple appliance site.

Common Storage Directory (CSD)
A single directory that contains the configuration and statistical information for data collected on a site. The Common Storage Directory (CSD) can be located on a single appliance site, on the Database Server of a multiple appliance site, or on the Remote Collector of a distributed system.

computer name
See node.

confidence level filtering
A filter defined by the administrator to determine if a supported intrusion detection system (IDS) or an intrusion prevention system (IPS) can be trusted for its truthfulness and applicability. The confidence level detects if a message from an IDS or an IPS should be considered an alert.

Configuration database (nic.db)
A repository that stores a user’s configuration settings such as user information, permissions, and views.

correlation
A relationship between a set of events and a set of specific conditions.

D-SRV
See Database Server.

Database Server (D-SRV)
The appliance or component of RSA enVision that manages access and retrieval of captured events. In a single appliance site, the Database Server (D-SRV) is a component of the enVision system. In a multiple appliance site, the D-SRV is installed on its own appliance.

device
See event source.

device class
Identifies the classification of the event source. A device class provides a framework for organizing event sources by their general function.

device type (dtype)
An assigned internal name for an event source that is used by RSA enVision tools and utilities. The dtype value is displayed on the enVision interface.

EA
See Enhanced Availability.

Enhanced Availability (EA)
A site with Enhanced Availability (EA) is a multiple appliance site where the Local Collector (LC) functionality runs on Cluster Appliances (CAs).

EPS
See events per second.

event category
System-defined or administrator-defined group of messages for alerting and reporting that is assigned across device classes.

Event Explorer
RSA enVision module that provides advanced tools for analysis of real-time and historical data. These tools allow users to sift through logged data and apply security forensics.

event source
An asset such as a physical device, software, or appliance that produces a message (log) and is configured to send the log to RSA enVision. Event sources include firewalls, VPNs, routers, security platforms, antivirus software, operating systems, and switches.

events per second (EPS)
Events captured per second by RSA enVision.

incident escalation
See task escalation.

incident management
See task triage.

LC, LC1, LC2, LC3
See Local Collector.

Local Collector (LC)
A component of an RSA enVision multiple appliance site that captures incoming events. A multiple appliance site can have up to three Local Collectors (LCs). See multiple appliance site.

message category
A group of messages. Message categories are hierarchical, consisting of up to five levels: a NIC category, an alert category, and up to three levels of event category.

message variable
Defines a type of data that is extracted from message payloads. Message variables are useful when analyzing data, reports, and queries.

monitored device
A supported event source that has been configured to send event messages to RSA enVision. RSA enVision collects and stores events from monitored devices.

multiple appliance site
An RSA enVision site in which each enVision component (Application, Collector, and Database) is on its own appliance.

NIC
The acronym used to label many essential components, services, and tools of RSA enVision.

NIC database
See Configuration database (nic.db).

NIC domain
A group of multiple appliance sites that constitute an organization's entire deployment of RSA enVision. One site acts as the NIC domain master site.

NIC message ID
A number that identifies a message. This number is the same as the vendor message ID.

NIC System device
Generates event messages.

NIC_View
Allows users to monitor the health of the RSA enVision system. The NIC_View alerts users to problems within the enVision software environment, disk space usage, and other system events.

node
An appliance in an RSA enVision site.

output action
Configured notification method for alerts. The primary output actions are SMTP, syslog, SNMP, SNPP, Instant Messenger, text file, run a command, and task triage.

Overview module
The RSA enVision module that provides tools to configure enVision and monitor system health and performance.

RC
See Remote Collector.

Remote Collector (RC)
An optional component of an RSA enVision multiple appliance site that captures incoming events at a remote location. A Remote Collector (RC) runs on its own appliance. Up to 16 RCs can be associated with a site.

Reports module
The RSA enVision module that provides tools to run standard network security and traffic analysis reports, or create and run custom reports.

single appliance site
An RSA enVision site in which all enVision components (Application, Collector, and Database) are on one appliance.

site
The basis on which RSA enVision is deployed. Each site consists of three main components: Application Server, Collector, and Database Server.

site name
The name of the site, defined during the configuration of RSA enVision.

standard report
Reports that are supplied within RSA enVision for compliance, event sources, correlated alerts, and vulnerability and asset management, as well as for task triage.

task escalation
A function that allows users to send tasks to an external application, such as a ticketing system, for offline investigation.

task triage
A feature that allows users to group events into tasks for the purpose of investigation. Tasks can be further analyzed in Event Explorer, escalated to an external ticketing system, or both.

trace view
A set of parameters that define the information that is displayed in the form of tables and charts. The two forms of trace views are standard and advanced trace views.

UDC
See Universal Device Collection.

Universal Device Collection (UDC)
Allows RSA enVision to collect log data from any event source that logs through SNMP, ODBC, or File Reader.

VAM
See vulnerability and asset management.

VDB
See Vulnerability Knowledge Database.

view
An administrator-defined set of event sources, messages, correlation rules, and criteria, within a single site, for which RSA enVision issues alerts.

vulnerability and asset management
A feature that provides unified management of assets and vulnerability incident analysis.

Vulnerability Knowledge Database (VDB)
An embedded repository of vulnerability information derived from the National Vulnerability Database (NVD).

watchlist
A named collection of strings that represent a list of like-values. A watchlist can easily function as a filter for events in reporting and alerting.
