© 2009 BMC Educational Services
Atrium Discovery Prerequisites
© 2010 BMC Educational Services
We’ll Cover Requirements for the Following:
Atrium Discovery
credentials discovery
process
User Interface
Windows slave
people

Atrium Discovery: How It Is Shipped
Atrium Discovery runs as an appliance on its own dedicated Red Hat Enterprise 5 Linux install
The appliance is a virtual machine called a ‘Virtual Appliance (VA)’

VMware support matrix
Key: R – Recommended Platform; S – Supported by BMC; V – Supported by BMC only if VMware supported; T – Will require conversion on deployment; C – Community Support via Forum; x – Not supported

Virtual Appliance                  Community Edition   Small Production (< 500 OSI)   Large Production (> 500 OSI)
VMware vSphere 4 or later          C                   R S T                          R S T
VMware ESXi v4 or later            C                   R V T                          R V T
VMware VI (ESX) 3.0.2 or later     C                   S T                            S T
VMware ESXi 3.5 or later           C                   V T                            V T
VMware Server 2.0 or later         C                   V                              x
VMware Player 2.x or later         C                   x                              x
VMware Workstation 5.x or later    C                   x                              x

VA Resources
Resources required for the VA
The lower bound is a minimum, the upper bound has sufficient headroom to ensure high performance

Sizing Classes
Resource                    POC   Baseline   Datacenter   Consolidated Enterprise
CPUs                        2     2          4            4-8
RAM (GB)                    2     4          8            16-32
DB Disk (GB) no snapshot    50    100        200          200-660
DB Disk (GB) snapshot       50    200        500          660-1500

Proof of Concept: Small test deployments of Atrium Discovery (150 OSIs)
Baseline: A typical baseline as offered by BMC (500 OSIs)
Datacenter: A typical large scale deployment (2000 - 5000 OSIs)
Consolidated Enterprise: Enterprise scale deployments, typically a Consolidation Appliance taking feeds from many Scanning Appliances (20000 - 40000 OSIs)

VA Disks
Atrium Discovery makes intensive use of disk resource
Deploy using the highest IO disk speed resource
    Low disk IO impacts performance and scanning rate
Use the Virtual Appliance capability to have a second disk dedicated to database files
    This allows the system to split the two most intense operations, writing database files and maintaining the transaction log, across two separate disks to avoid contention
For more information see: http://www.tideway.com/confluence/display/73/Configuring+the+Virtual+Appliance

Accessing the UI
Main user and administration functions
    Web based user interface: HTTP or HTTPS
Some administration functions
    Some duplication of UI
    Accessed via SSH (Unix commands)

Unix Discovery: Credentials
Require a regular user account on the target servers
    Can be username/password or an SSH key
    Typical use is to deploy a public key as an authorized key across the Unix estate
The scanning targets need to be visible on the network
    From the appliance
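
Added example, not part of the original deck: one way to deploy the appliance's public key so that the target accepts it only from the appliance's address and without forwarding. The function name, the appliance address and the assumption that discovery needs no agent, port or X11 forwarding are illustrative.

```shell
#!/bin/sh
# Added example (not from the deck): install the appliance's public key so it is
# accepted only from the appliance's address and cannot be used for forwarding.
# Usage: install_discovery_key HOME_DIR APPLIANCE_IP "PUBLIC-KEY-LINE"
install_discovery_key() (
    home=$1 ip=$2 key=$3
    nl='
'
    # Reject multi-line input: a second line would become an unrestricted entry.
    case "$key" in *"$nl"*) echo "key must be a single line" >&2; exit 1 ;; esac
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key" >&2; exit 1 ;;
    esac
    # The address is written inside from="..."; allow only IP/CIDR characters.
    case "$ip" in ''|*[!0-9A-Fa-f.:/]*) echo "bad address" >&2; exit 1 ;; esac
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    [ -n "$blob" ] || exit 1
    file=$home/.ssh/authorized_keys
    umask 077                      # subshell body, so the umask change stays local
    mkdir -p "$home/.ssh" && touch "$file" || exit 1
    chmod 700 "$home/.ssh" && chmod 600 "$file" || exit 1
    # Idempotent: do nothing if this key is already authorised.
    if grep -qF -e "$blob" "$file"; then exit 0; fi
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' \
        "$ip" "$key" >> "$file"
)

if [ "$#" -eq 3 ]; then install_discovery_key "$@"; fi
```

Run it as the discovery account on each target; a key copied off the appliance is then of no use from any other source address.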

Unix Discovery: Discovery Scripts
Discovery runs commands on the hosts to recover the data needed by Atrium Discovery
These commands should be authorized
    Agreed by the System Administrators/business
    Changes/additions may need to be re-approved
Discovery assumes the commands are on the $PATH
    Explicit locations or extensions to $PATH can be configured

Unix Discovery: Discovery Commands
Some commands require privilege escalation
    Typically “sudo” or “suexec”
    Other mechanisms can be configured
Some commands may need to be installed
    lsof (process to network connections)
    lputil, hbacmd (HBA card detection)

Unix Discovery: Escalated Commands
Linux: lsof, hwinfo, netstat, dmidecode, ethtool, mii-tool
    Read access to /etc/VRTSvcs/conf/config/main.cf for Veritas clustering
Solaris: ndd, netstat, ifconfig, lsof, ps, pmap, pfiles, /usr/ucb/ps
    Read access to /etc/VRTSvcs/conf/config/main.cf for Veritas clustering
AIX: lsof
HPUX: ifconfig, lsof
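
Added example, not part of the original deck: a generator for a least-privilege sudoers drop-in that grants the discovery account only the per-platform commands listed above, by absolute path. The account name `discovery`, the search directories and the use of NOPASSWD (for non-interactive runs) are assumptions; the Veritas file read is not covered.

```shell
#!/bin/sh
# Added example (not from the deck): build a sudoers fragment from the slide's lists.
# Directories searched for the commands (assumption; override via the environment).
SEARCH_DIRS=${SEARCH_DIRS:-"/usr/sbin /sbin /usr/bin /bin /usr/local/bin"}

escalated_cmds() {   # command names exactly as listed on the slide
    case "$1" in
        linux)   echo "lsof hwinfo netstat dmidecode ethtool mii-tool" ;;
        solaris) echo "ndd netstat ifconfig lsof ps pmap pfiles /usr/ucb/ps" ;;
        aix)     echo "lsof" ;;
        hpux)    echo "ifconfig lsof" ;;
        *)       return 1 ;;
    esac
}

resolve_cmd() {      # print the absolute path of $1 if it is installed
    case "$1" in
        /*) if [ -x "$1" ]; then echo "$1"; return 0; fi; return 1 ;;
    esac
    for d in $SEARCH_DIRS; do
        if [ -x "$d/$1" ]; then echo "$d/$1"; return 0; fi
    done
    return 1
}

sudoers_fragment() { # $1 = account, $2 = platform
    names=$(escalated_cmds "$2") || { echo "unknown platform: $2" >&2; return 1; }
    list=""
    for c in $names; do
        if p=$(resolve_cmd "$c"); then
            list="${list:+$list, }$p"      # sudoers wants full paths
        else
            echo "# not installed, not granted: $c"
        fi
    done
    [ -n "$list" ] || return 1
    echo "Cmnd_Alias DISCOVERY_CMDS = $list"
    echo "$1 ALL = (root) NOPASSWD: DISCOVERY_CMDS"
}

if [ "$#" -eq 2 ]; then sudoers_fragment "$1" "$2"; fi
```

Check the generated file with `visudo -cf` before placing it under /etc/sudoers.d, and regenerate it when the approved command list changes.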

Windows Discovery: Slaves
Windows discovery requires Windows slaves
    Vista/Server 2008 discovery requires AD Slaves
Windows slaves run as Windows Services
The scanning targets need to be visible on the network
    To both the appliance and the Windows Slave
For AD slave, the slave’s server must be in the core Active Directory

Windows Discovery: Remote Access
In AD environments, use a Domain wide account with:
    Local admin right to the target Windows hosts
    “log on as user” right for all hosts in scope
WMI
    Installed and enabled
    Most data is obtained from this method
Remcom / Psexec
    Administrative shares must not be disabled
    Run command and File gets use these methods

Windows Discovery: Discovery Commands
Windows 2000 and older require extra tools on the target for communications info:
    OpenPorts: http://www.diamondcs.au/openports
    Tcpvcon: http://www.sysinternals/Utilities/TcpView.html

SNMP Discovery
Requires:
    SNMP agents on all target devices
    SNMP community string provided to Atrium Discovery
    V1 or 2c protocols
Discovery can get enough data from SNMP to recognise devices as Hosts
In general, not as rich data as normal Unix/Windows discovery
Required for Netware, OpenVMS, IBM i and z/OS discovery

Firewall Requirements
[Diagram labels: DMZ1; DMZ2; Wintel, Mac, HPUX, Unix, Linux and AIX hosts; Tideway Foundation Appliance (Scanning Appliance); Tideway Windows Slave; Optional Consolidation Tideway Foundation Appliance]

Unix Discovery (Appliance to Target Host)
    · 22 TCP (ssh)
    · 23 TCP (telnet) – optional
    · 513 TCP (rlogin) – optional
Windows Discovery
    WMI
        Appliance to Target Host
            · ICMP Type 8 Echo Request (‘ping’)
            · 135 TCP (RPC)
        Slave to Target Host
            · 135 TCP, DCOM TCP Port Range
            · 1024-65535 (one used after negotiation)
    Remcom/RCMD / PSTools / Local Cmds
        Appliance to Target Host
            · ICMP Type 8 Echo Request (‘ping’)
            · 135 TCP (RPC)
        Slave to Target Host
            · 135 TCP, DCOM TCP Port Range
            · 139 TCP (netbios. For NT4 type domains)
            · 445 TCP (MSFT Dir Services SMB)
Slave communication (Appliance to Slave)
    · 4321 TCP (Active Directory slave)
    · 4322 TCP (Workgroup slave)
    · 4323 TCP (Credential slave)
Sweep scan (Appliance to Target Host)
    · 4, 22, 23, 80, 135, 139, 513 TCP
    · 161 UDP
SNMP discovery (Appliance to Target Host)
    · 161 UDP (SNMP)
Consolidation (Appliance to Appliance)
    · 25032 TCP
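
Added example, not part of the original deck: the port list above turned into source-scoped FORWARD rules for a Linux-based firewall between the segments, with telnet and rlogin left out unless requested. The addresses are constructed documentation values, and the class names (required, optional, sweep) are labels introduced here; "sweep" marks ports that only the sweep scan uses from the appliance.

```shell
#!/bin/sh
# Added example (not from the deck). Addresses are constructed documentation values.
APPLIANCE=${APPLIANCE:-192.0.2.10}; SLAVE=${SLAVE:-192.0.2.20}
TARGETS=${TARGETS:-198.51.100.0/24}; CONSOLIDATOR=${CONSOLIDATOR:-}

# Flows from the slide: source-role destination-role protocol port class
discovery_flows() {
cat <<'EOF'
appliance target tcp 22 required
appliance target tcp 23 optional
appliance target tcp 513 optional
appliance target icmp echo-request required
appliance target tcp 135 required
appliance target udp 161 required
appliance target tcp 4 sweep
appliance target tcp 80 sweep
appliance target tcp 139 sweep
slave target tcp 135 required
slave target tcp 1024:65535 required
slave target tcp 139 required
slave target tcp 445 required
appliance slave tcp 4321 required
appliance slave tcp 4322 required
appliance slave tcp 4323 required
appliance consolidator tcp 25032 required
EOF
}

addr_of() {  # role name -> address supplied by the caller (empty if unset)
    case "$1" in
        appliance) echo "$APPLIANCE" ;;  slave) echo "$SLAVE" ;;
        target) echo "$TARGETS" ;;       consolidator) echo "$CONSOLIDATOR" ;;
    esac
}

# forward_rules "CLASSES": print one rule per flow whose class is listed
forward_rules() {
    discovery_flows | while read -r src dst proto port class; do
        case " $1 " in *" $class "*) ;; *) continue ;; esac
        s=$(addr_of "$src"); d=$(addr_of "$dst")
        if [ -z "$s" ] || [ -z "$d" ]; then continue; fi   # role not deployed
        case "$proto" in
            icmp) match="-p icmp --icmp-type $port" ;;
            *)    match="-p $proto --dport $port" ;;
        esac
        echo "iptables -A FORWARD -s $s -d $d $match -j ACCEPT"
    done
}

forward_rules "${1:-required}"
```

Every rule names a single source, so the wide DCOM range is opened only from the Windows slave and not from the whole scanning segment.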

Alternative to Extensively Modifying Firewalls
[Diagram labels: Consolidation Appliance; Secured Network Segment; Scanning Appliance; TCP port 25032; Your main IT estate]

Access to the User Interface
Option 1
    Suitable for most environments
    Direct access through any firewalls to the scanning appliance
    Web browser: TCP port 80
    SSH terminal for advanced use: TCP port 22
Option 2
    Suitable for the highest security environments
    Use consolidation to move scan data to a “safe” appliance with no credentials configured

Option 1: Directly Access Atrium Discovery
[Diagram labels: Atrium Discovery Appliance; Your IT estate; three User’s Workstations]

Option 2: Use a Consolidator
[Diagram labels: Consolidation Appliance; Your IT estate; three User’s Workstations; Scanning Appliance; TCP port 25032]
Scanning appliance sends scan data to the consolidation appliance

Atrium Discovery Scanning
Plan a progressive roll out of scanning across the estate to allow verification of and confidence in results
Compile a list of any particular IP devices which should be excluded from discovery
Ensure that the infrastructure/business owners approve of your planned scanning schedule

The People Aspect
People are sometimes your biggest challenge
Involve them early
Follow their change control procedures to roll out scanning
Remember that they’re responsible for the estate you want to scan
Give them access to the data in Atrium Discovery
    They’ll find it useful for their own purposes, building acceptance
    Ensure they feel involved, not threatened, by the technology
Encourage them to take a training course!

Further Resources
Online Documentation: http://www.tideway.com/confluence/display/81/Documentation
Configipedia for tips, tricks and articles: http://www.tideway.com/confluence/display/Configipedia/
Forums for help, ideas and discussion: http://www.tideway.com/community/forum/