Page 1: Addmi 03-addm prerequisites

© 2009 BMC Educational Services

Atrium Discovery Prerequisites

Page 2: Addmi 03-addm prerequisites

© 2010 BMC Educational Services

We’ll Cover Requirements for the Following:

Atrium Discovery

credentials discovery

process

User Interface

Windows slave

people

Page 3: Addmi 03-addm prerequisites

Atrium Discovery: How It Is Shipped

Atrium Discovery runs as an appliance on its own dedicated Red Hat Enterprise 5 Linux install

The appliance is a virtual machine called a ‘Virtual Appliance (VA)’

Page 4: Addmi 03-addm prerequisites

VMware support matrix

Legend:
· R – Recommended Platform
· S – Supported by BMC
· V – Supported by BMC only if VMware supported
· T – Will require conversion on deployment
· C – Community Support via Forum
· x – Not supported

Virtual Appliance | Community Edition | Small Production (< 500 OSI) | Large Production (> 500 OSI)
VMware vSphere 4 or later | C | R S T | R S T
VMware ESXi v4 or later | C | R V T | R V T
VMware VI (ESX) 3.0.2 or later | C | S T | S T
VMware ESXi 3.5 or later | C | V T | V T
VMware Server 2.0 or later | C | V | x
VMware Player 2.x or later | C | x | x
VMware Workstation 5.x or later | C | x | x

Page 5: Addmi 03-addm prerequisites

VA Resources

Resources required for the VA

The lower bound is a minimum, the upper bound has sufficient headroom to ensure high performance

Sizing Classes

Resource | POC | Baseline | Datacenter | Consolidated Enterprise
CPUs | 2 | 2 | 4 | 4-8
RAM (GB) | 2 | 4 | 8 | 16-32
DB Disk (GB) no snapshot | 50 | 100 | 200 | 200-660
DB Disk (GB) snapshot | 50 | 200 | 500 | 660-1500

Sizing Class | Description | Scale
Proof of Concept | Small test deployments of Atrium Discovery | 150 OSIs
Baseline | A typical baseline as offered by BMC | 500 OSIs
Datacenter | A typical large scale deployment | 2000 - 5000 OSIs
Consolidated Enterprise | Enterprise scale deployments, typically a Consolidation Appliance taking feeds from many Scanning Appliances | 20000 - 40000 OSIs

Page 6: Addmi 03-addm prerequisites

VA Disks

Atrium Discovery makes intensive use of disk resource

Deploy using the highest IO disk speed resource
· Low disk IO impacts performance and scanning rate

Use the Virtual Appliance capability to have a second disk dedicated to database files
· This allows the system to split the two most intense operations, writing database files and maintaining the transaction log, across two separate disks to avoid contention

For more information see: http://www.tideway.com/confluence/display/73/Configuring+the+Virtual+Appliance

Page 7: Addmi 03-addm prerequisites

Accessing the UI

Main user and administration functions
· Web based user interface: HTTP or HTTPS

Some administration functions
· Some duplication of UI
· Accessed via SSH (Unix commands)

Page 8: Addmi 03-addm prerequisites

Unix Discovery: Credentials

Require a regular user account on the target servers

Can be username/password or an SSH key
· Typical use is to deploy a public key as an authorized key across the Unix estate

The scanning targets need to be visible on the network
· From the appliance

Page 9: Addmi 03-addm prerequisites

Unix Discovery: Discovery Scripts

Discovery runs commands on the hosts to recover the data needed by Atrium Discovery

These commands should be authorized
· Agreed by the System Administrators/business
· Changes/additions may need to be re-approved

Discovery assumes the commands are on the $PATH
· Explicit locations or extensions to $PATH can be configured

Page 10: Addmi 03-addm prerequisites

Unix Discovery: Discovery Commands

Some commands require privilege escalation
· Typically “sudo” or “suexec”
· Other mechanisms can be configured

Some commands may need to be installed
· lsof (process to network connections)
· lputil, hbacmd (HBA card detection)

Page 11: Addmi 03-addm prerequisites

Unix Discovery: Escalated Commands

Linux: lsof, hwinfo, netstat, dmidecode, ethtool, mii-tool
· Read access to /etc/VRTSvcs/conf/config/main.cf for Veritas clustering

Solaris: ndd, netstat, ifconfig, lsof, ps, pmap, pfiles, /usr/ucb/ps
· Read access to /etc/VRTSvcs/conf/config/main.cf for Veritas clustering

AIX: lsof

HPUX: ifconfig, lsof
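
An added example, not part of the BMC material: one way to turn the Linux escalated-command list above into a sudoers fragment that system administrators can review and approve. The account name `discovery`, the `NOPASSWD` tag and the refusal of group/other-writable binaries are assumptions made here, not Atrium Discovery requirements.

```python
import os
import shutil
import stat

# Linux commands the slide lists as needing escalation.
LINUX_ESCALATED = ["lsof", "hwinfo", "netstat", "dmidecode", "ethtool", "mii-tool"]

def build_sudoers(commands, search_path, user="discovery"):
    """Return (sudoers_text, missing, unsafe) for a hypothetical scan account.

    missing: commands not installed on this host (install before scanning).
    unsafe:  binaries writable by group/other; granting sudo on these would
             let anyone who can modify them run code as root.
    """
    allowed, missing, unsafe = [], [], []
    for name in commands:
        path = shutil.which(name, path=search_path)
        if path is None:
            missing.append(name)
            continue
        path = os.path.abspath(path)  # sudoers command entries are absolute paths
        mode = os.stat(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            unsafe.append(path)
        else:
            allowed.append(path)
    lines = ["# Generated for review; validate with 'visudo -cf <file>' before use."]
    if allowed:
        # One alias with explicit paths only: no wildcards, no ALL.
        lines.append("Cmnd_Alias DISCOVERY_CMDS = " + ", ".join(allowed))
        # NOPASSWD is an assumption: the scan session is non-interactive.
        lines.append(f"{user} ALL=(root) NOPASSWD: DISCOVERY_CMDS")
    return "\n".join(lines) + "\n", missing, unsafe

if __name__ == "__main__":
    # /usr/sbin and /sbin are appended because a regular account's PATH
    # often omits them (assumed layout; adjust per host).
    path = os.environ.get("PATH", "") + os.pathsep + "/usr/sbin" + os.pathsep + "/sbin"
    text, missing, unsafe = build_sudoers(LINUX_ESCALATED, path)
    print(text, end="")
    print("# not installed:", ", ".join(missing) or "none")
    print("# refused (group/other-writable):", ", ".join(unsafe) or "none")
```
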

Page 12: Addmi 03-addm prerequisites

Windows Discovery: Slaves

Windows discovery requires Windows slaves
· Vista/Server 2008 discovery requires AD Slaves

Windows slaves run as Windows Services

The scanning targets need to be visible on the network
· To both the appliance and the Windows Slave

For AD slave, the slave’s server must be in the core Active Directory

Page 13: Addmi 03-addm prerequisites

Windows Discovery: Remote Access

In AD environments, use a Domain wide account with:
· Local admin right to the target Windows hosts
· “log on as user” right for all hosts in scope

WMI
· Installed and enabled
· Most data is obtained from this method

Remcom / Psexec
· Administrative shares must not be disabled
· Run command and File gets use these methods

Page 14: Addmi 03-addm prerequisites

Windows Discovery: Discovery Commands

Windows 2000 and older require extra tools on the target for communications info:

· OpenPorts: http://www.diamondcs.au/openports
· Tcpvcon: http://www.sysinternals/Utilities/TcpView.html

Page 15: Addmi 03-addm prerequisites

SNMP Discovery

Requires:
· SNMP agents on all target devices
· SNMP community string provided to Atrium Discovery
· V1 or 2c protocols

Discovery can get enough data from SNMP to recognise devices as Hosts

In general, not as rich data as normal Unix/Windows discovery

Required for Netware, OpenVMS, IBM i and z/OS discovery

Page 16: Addmi 03-addm prerequisites

Firewall Requirements

[Diagram: Tideway Foundation Appliance and Tideway Windows Slave, with Wintel/Mac/HPUX and Unix/Linux/AIX target hosts in DMZ1 and DMZ2, and an optional Consolidation Appliance alongside the Scanning Appliance and Windows Slave]

Unix Discovery (Appliance to Target Host)
· 22 TCP (ssh)
· 23 TCP (telnet) – optional
· 513 TCP (rlogin) – optional

Windows Discovery

WMI
Appliance to Target Host
· ICMP Type 8 Echo Request (‘ping’)
· 135 TCP (RPC)
Slave to Target Host
· 135 TCP, DCOM TCP Port Range
· 1024-65535 (one used after negotiation)

Remcom/RCMD / PSTools / Local Cmds
Appliance to Target Host
· ICMP Type 8 Echo Request (‘ping’)
· 135 TCP (RPC)
Slave to Target Host
· 135 TCP, DCOM TCP Port Range
· 139 TCP (netbios. For NT4 type domains)
· 445 TCP (MSFT Dir Services SMB)

Slave communication (Appliance to Slave)
· 4321 TCP (Active Directory slave)
· 4322 TCP (Workgroup slave)
· 4323 TCP (Credential slave)

Sweep scan (Appliance to Target Host)
· 4, 22, 23, 80, 135, 139, 513 TCP
· 161 UDP

SNMP discovery (Appliance to Target Host)
· 161 UDP (SNMP)

Consolidation (Appliance to Appliance)
· 25032 TCP
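
An added example, not part of the BMC material: the port list on this slide expressed as a flow matrix, with a check that classifies each rule in a proposed firewall change as documented, optional cleartext, or broader than the slide requires, and lists documented flows the change leaves closed. The role names, the tuple layout and the sample rules are constructed here; trim `REQUIRED` to the components actually deployed.

```python
# Flows transcribed from the Firewall Requirements slide as
# (source, destination, protocol, low port, high port, purpose).
# For ICMP the two "port" fields hold the ICMP type (8 = echo request).
A, S, T = "appliance", "slave", "target"
REQUIRED = [
    (A, T, "tcp", 22, 22, "ssh"),
    (A, T, "icmp", 8, 8, "echo request"),
    (A, T, "tcp", 135, 135, "RPC"),
    (A, T, "udp", 161, 161, "SNMP"),
    (S, T, "tcp", 135, 135, "RPC"),
    (S, T, "tcp", 139, 139, "netbios"),
    (S, T, "tcp", 445, 445, "SMB"),
    (S, T, "tcp", 1024, 65535, "DCOM range"),
    (A, S, "tcp", 4321, 4321, "Active Directory slave"),
    (A, S, "tcp", 4322, 4322, "Workgroup slave"),
    (A, S, "tcp", 4323, 4323, "Credential slave"),
    (A, A, "tcp", 25032, 25032, "consolidation"),
] + [(A, T, "tcp", p, p, "sweep scan") for p in (4, 80, 139)]
# Marked optional on the slide; both protocols send credentials in cleartext.
OPTIONAL = [(A, T, "tcp", 23, 23, "telnet"), (A, T, "tcp", 513, 513, "rlogin")]

def covers(outer, inner):
    """True if `outer` permits every port of `inner` on the same path."""
    return outer[:3] == inner[:3] and outer[3] <= inner[3] and inner[4] <= outer[4]

def audit(rules):
    """Classify each proposed rule and list documented flows left unopened."""
    findings = []
    for rule in rules:
        if any(covers(flow, rule) for flow in REQUIRED):
            verdict = "documented"
        elif any(covers(flow, rule) for flow in OPTIONAL):
            verdict = "optional-cleartext"
        else:
            verdict = "broader-than-documented"
        findings.append((rule, verdict))
    unopened = [f for f in REQUIRED if not any(covers(r, f) for r in rules)]
    return findings, unopened

# Constructed sample change request, not taken from the slides.
SAMPLE_RULES = [(A, T, "tcp", 22, 22), (A, T, "tcp", 23, 23),
                (S, T, "tcp", 1, 65535), (A, S, "tcp", 4321, 4321)]

if __name__ == "__main__":
    findings, unopened = audit(SAMPLE_RULES)
    for rule, verdict in findings:
        print(verdict, rule)
    print("not opened:", [f[5] for f in unopened])
```

The any-port slave rule in the sample satisfies every slave-to-target requirement yet is reported as broader than documented, which is the case a rule review should catch.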

Page 17: Addmi 03-addm prerequisites

Alternative to Extensively Modifying Firewalls

[Diagram: Consolidation Appliance, Secured Network Segment, Scanning Appliance and your main IT estate, linked over TCP port 25032]

Page 18: Addmi 03-addm prerequisites

Access to the User Interface

Option 1
· Suitable for most environments
· Direct access through any firewalls to the scanning appliance
· Web browser: TCP port 80
· SSH terminal for advanced use: TCP port 22

Option 2
· Suitable for the highest security environments
· Use consolidation to move scan data to a “safe” appliance with no credentials configured

Page 19: Addmi 03-addm prerequisites

Option 1: Directly Access Atrium Discovery

[Diagram: Atrium Discovery Appliance, Your IT estate, and three User’s Workstations]

Page 20: Addmi 03-addm prerequisites

Option 2: Use a Consolidator

[Diagram: Consolidation Appliance, Your IT estate, three User’s Workstations, and a Scanning Appliance, with a link labelled TCP port 25032]

Scanning appliance sends scan data to the consolidation appliance

Page 21: Addmi 03-addm prerequisites

Atrium Discovery Scanning

Plan a progressive roll out of scanning across the estate to allow verification of and confidence in results

Compile a list of any particular IP devices which should be excluded from discovery

Ensure that the infrastructure/business owners approve of your planned scanning schedule

Page 22: Addmi 03-addm prerequisites

The People Aspect

People are sometimes your biggest challenge

Involve them early

Follow their change control procedures to roll out scanning

Remember that they’re responsible for the estate you want to scan

Give them access to the data in Atrium Discovery
· They’ll find it useful for their own purposes, building acceptance
· Ensure they feel involved, not threatened, by the technology

Encourage them to take a training course!

Page 23: Addmi 03-addm prerequisites

Further Resources

Online Documentation: http://www.tideway.com/confluence/display/81/Documentation

Configipedia for tips, tricks and articles: http://www.tideway.com/confluence/display/Configipedia/

Forums for help, ideas and discussion: http://www.tideway.com/community/forum/