Professional Documents
Culture Documents
Vantio
Partner Information
Product Information
Partner Name Nominum, Inc.
Web Site www.nominum.com
Product Name Vantio
Version & Platform 5.2, Redhat Enterprise Linux 5/6, Suse Linux Enterprise Server 10/11
Product Description Caching DNS System
Nominum
Vantio
Solution Summary
Nominum’s Vantio caching nameserver outputs events that are easily consumed by RSA enVision for the
purpose of monitoring and alerting on network activity. In doing so, security threats directed at an
organization or directed at specific clients can be exposed prior to an actual security event. For example,
Vantio can send an alert to enVision when query loads increase beyond normal levels, indicating a
potential denial of service attack. Using this same output and reporting structure, another example of the
power of this combined offering is how Vantio and enVision provide visibility into resource utilization.
When utilization reaches abnormal levels due to non-responding name servers, an alert is generated to
show the potential of a misconfigured “popular” zone. To make use of this combined solution, Vantio
simply needs to be configured to send syslog messages to RSA enVision. Vantio has a number of options
that can be set to best match the organization’s requirements on security or operations monitoring,
making the overall solution both flexible and powerful.
Release Notes
Release Date What’s New In This Release
9/17/2012 Modified for content 2.0 format
10/28/2011 Initial support for Nominum.
-2-
Nominum
Vantio
-3-
Nominum
Vantio
Note: You will now be notified via e-mail when new or existing ESI
packages are updated.
3. The RSA enVision EventSource Integrator box will appear. If you wish to have the NIC Service Manager service
restart on all of your sites after the install, click Yes. If you plan to manually restart the services later, click No.
The time the script file takes to run depends on the number of event source XML files that need to be verified. If
you are deploying a new event source, the script assigns an event source type ID to the event source. If you are
updating an existing event source, the event source XML file is updated.
4. Login to the enVision console to confirm the new device type is displayed under Overview System
Configuration Devices Manage Device Types and listed as NominumVantioPE.
-4-
Nominum
Vantio
Vantio Configuration
The first step is to configure Vantio to send all log messages to the RSA enVision device.
1. Edit /etc/syslog.conf to include the following lines
# Log Nominum remotely to RSA enVision
local1.* @<IP address of enVision>
2. Restart the syslogd daemon:
> kill -HUP `cat /var/run/syslogd.pid`
3. Edit the file /usr/local/nom/etc/sysconfig/vantio and add the following line:
VANTIO_SYSLOG_FACILITY=local1
4. Restart Vantio:
>/etc/init.d/vantio restart
As the next step you want to consider the security releated events of interest and configure Vantio to emit
log messages accordingly. Please refer to the Vantio user guide for more details.
-5-
Nominum
Vantio
Message Management
Disabled device creates unknown device in monitored device list
Temporary nugget files are removed
Queries / Reports
Messages for device populate the table columns correctly
Ad Hoc report populates variables correctly
-6-
Nominum
Vantio
Appendix
In certain cases after deploying the ESI Package, the device may come into enVision as an Unknown
device type. To resolve this issue, complete the following steps.
1. In the enVision GUI, select Overview System Configuration Devices Managed Monitor Devices,
then click on the IP Address of the Unknown device.
-7-
Nominum
Vantio
2. From the Device Type pull-down menu, select the correct device type. For the name of the device as it
appears in enVision, refer to the above section RSA enVision Features, page 2.
-8-
Nominum
Vantio
6. Click Apply.
-9-