IBM Proventia
JSA supports several IBM® Proventia DSMs:
IBM Proventia Management SiteProtector
The IBM® Proventia® Management SiteProtector DSM for JSA accepts SiteProtector events by polling the SiteProtector database.
The DSM allows JSA to record Intrusion Prevention System (IPS) events and audit events directly from the IBM® SiteProtector database.
The IBM® Proventia Management SiteProtector DSM requires the latest JDBC Protocol to collect audit events.
The IBM® Proventia Management SiteProtector DSM for JSA can accept detailed SiteProtector events by reading information from the primary SensorData1 table. The SensorData1 table is generated with information from several other tables in the IBM® SiteProtector database. SensorData1 remains the primary table for collecting events.
IPS events include information from SensorData1, along with information from the following tables:
- SensorDataAVP1
- SensorDataResponse1
Audit events include information from the following tables:
- AuditInfo
- AuditTrail
Audit events are not collected by default. When you select the Include Audit Events check box, JSA makes a separate query to the AuditInfo and AuditTrail tables. For more information about your SiteProtector database tables, see your vendor documentation.
Before you configure JSA to integrate with SiteProtector, we suggest that you create a database user account and password in SiteProtector for JSA.
Your JSA user must have read permissions for the SensorData1 table, which stores SiteProtector events. The JDBC - SiteProtector protocol allows JSA to log in and poll for events from the database. Creating a JSA account is not required, but it is recommended for tracking and securing your event data.
Ensure that no firewall rules are blocking the communication between the SiteProtector console and JSA.
Configuring a Log Source
You can configure JSA to poll for IBM® SiteProtector events:
- Click the Admin tab.
- Click the Log Sources icon.
- Click Add.
- In the Log Source Name field, type a name for your log source.
- From the Log Source Type list, select IBM® Proventia Management SiteProtector.
- Using the Protocol Configuration list, select JDBC SiteProtector.
- Configure the following values:
Table 1: JDBC - SiteProtector Protocol Parameters

| Parameter | Description |
|---|---|
| Log Source Identifier | Type the identifier for the log source, in the format `<database>@<hostname>`, where `<database>` is the database name as defined in the Database Name parameter (required) and `<hostname>` is the host name or IP address of the log source as defined in the IP or Hostname parameter (required). The log source identifier must be unique for the log source type. |
| Database Type | From the list, select MSDE as the type of database to use for the event source. |
| Database Name | Type the name of the database to which you want to connect. The default database name is RealSecureDB. |
| IP or Hostname | Type the IP address or host name of the database server. |
| Port | Type the port number that is used by the database server. The default that is displayed depends on the selected Database Type. The valid range is 0 - 65536; the default for MSDE is port 1433. The JDBC configuration port must match the listener port of the database, and the database must have incoming TCP connections enabled to communicate with JSA. Default ports by database type: MSDE 1433, Postgres 5432, MySQL 3306, Oracle 1521, Sybase 1521. If you define a Database Instance when using MSDE as the database type, you must leave the Port parameter blank in your configuration. |
| Username | Type the database user name. The user name can be up to 255 alphanumeric characters in length and can also include underscores (_). |
| Password | Type the database password. The password can be up to 255 characters in length. |
| Confirm Password | Confirm the password to access the database. |
| Authentication Domain | If you select MSDE as the Database Type and the database is configured for Windows, you must define a Windows Authentication Domain; otherwise, leave this field blank. The authentication domain must contain alphanumeric characters and can include the following special characters: underscore (_), en dash (-), and period (.). |
| Database Instance | If you select MSDE as the Database Type and you have multiple SQL server instances on one server, define the instance to which you want to connect. If you use a non-standard port in your database configuration, or have blocked access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration. |
| Table Name | Type the name of the view that includes the event records. The default table name is SensorData1. |
| AVP View Name | Type the name of the view that includes the event attributes. The default table name is SensorDataAVP. |
| Response View Name | Type the name of the view that includes the response events. The default table name is SensorDataResponse. |
| Select List | Type `*` to include all fields from the table or view. You can use a comma-separated list to define specific fields from tables or views if needed for your configuration. The list must contain the field that is defined in the Compare Field parameter. The comma-separated list can be up to 255 alphanumeric characters in length and can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.). |
| Compare Field | Type SensorDataRowID to identify new events added between queries to the table. |
| Polling Interval | Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds. |
| Use Named Pipe Communication | If you select MSDE as the Database Type, select this check box to use an alternative method to a TCP/IP port connection. When a Named Pipe connection is used, the user name and password must be the appropriate Windows authentication user name and password and not the database user name and password. Also, you must use the default Named Pipe. |
| Database Cluster Name | If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure that Named Pipe communication functions properly. |
| Include Audit Events | Select this check box to collect audit events from IBM® SiteProtector. By default, this check box is clear. |
| Use NTLMv2 | Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when they communicate with SQL servers that require NTLMv2 authentication. The check box is selected by default. If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication. |
| Use SSL | Select this check box if your connection supports SSL communication. |
| Log Source Language | Select the language of the log source events. |
- Click Save.
- On the Admin tab, click Deploy Changes.
The configuration is complete.
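As an added illustration of what the Table Name, Select List, Compare Field and Polling Interval parameters control, the following Python (example code written for this page, not JSA's own JDBC - SiteProtector protocol implementation) simulates the incremental poll against a constructed sqlite stand-in for the SensorData1 table. The column names other than SensorDataRowID are assumptions.

```python
import sqlite3

# Constructed stand-in for the SiteProtector SensorData1 table (sqlite in place
# of MSDE); every column other than SensorDataRowID is an assumed example name.
SAMPLE_ROWS = [
    (1, "Sample_Alert_A", "192.0.2.10", "192.0.2.50"),
    (2, "Sample_Alert_B", "192.0.2.11", "192.0.2.50"),
    (3, "Sample_Alert_C", "192.0.2.12", "192.0.2.50"),
]

def make_sample_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE SensorData1 (SensorDataRowID INTEGER PRIMARY KEY,"
                 " AlertName TEXT, SrcAddr TEXT, DestAddr TEXT)")
    conn.executemany("INSERT INTO SensorData1 VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def build_poll_query(table_name="SensorData1", select_list="*",
                     compare_field="SensorDataRowID"):
    """Incremental query: rows whose Compare Field is above the last value seen.
    A restricted Select List must name the Compare Field, as Table 1 requires."""
    fields = [f.strip() for f in select_list.split(",")]
    if select_list != "*" and compare_field not in fields:
        raise ValueError("Select List must contain the Compare Field")
    return (f"SELECT {select_list} FROM {table_name} "
            f"WHERE {compare_field} > ? ORDER BY {compare_field}")

def poll_new_events(conn, last_seen, **query_opts):
    """One polling cycle: new rows plus the high-water mark for the next poll."""
    compare_field = query_opts.get("compare_field", "SensorDataRowID")
    rows = [dict(r) for r in
            conn.execute(build_poll_query(**query_opts), (last_seen,))]
    return rows, (rows[-1][compare_field] if rows else last_seen)

def parse_polling_interval(value):
    """Plain numbers poll in seconds, H means hours, M means minutes; 1 week max."""
    v = value.strip().upper()
    if v.endswith("H"):
        seconds = int(v[:-1]) * 3600
    elif v.endswith("M"):
        seconds = int(v[:-1]) * 60
    else:
        seconds = int(v)
    if seconds > 7 * 24 * 3600:
        raise ValueError("maximum polling interval is 1 week")
    return seconds
```

Only rows with a SensorDataRowID above the remembered high-water mark are fetched on each cycle, which is why the Compare Field must be present in any restricted Select List.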
IBM ISS Proventia
The IBM® Integrated Systems Solutions® (ISS) Proventia DSM for JSA records all relevant IBM® Proventia® events by using SNMP.
- In the Proventia Manager user interface navigation pane, expand the System node.
- Select System.
- Select Services.
The Service Configuration page is displayed.
- Click the SNMP tab.
- Select SNMP Traps Enabled.
- In the Trap Receiver field, type the IP address of the JSA system that you want to receive the incoming SNMP traps.
- In the Trap Community field, type the appropriate community name.
- From the Trap Version list, select the trap version.
- Click Save Changes.
You are now ready to configure JSA to receive SNMP traps.
- To configure JSA to receive events from an ISS Proventia device, from the Log Source Type list, select IBM® Proventia Network Intrusion Prevention System (IPS).
For more information about your ISS Proventia device, see your vendor documentation.