coretracebouncer6 envision 4-1

Upload: thexplanet

Post on 03-Apr-2018


  • 7/29/2019 CoreTraceBouncer6 EnVision 4-1


    CoreTrace Bouncer

    RSA enVision Ready Implementation Guide

    Last Modified: April 12th, 2012

    Partner Information

    Product Information
    Partner Name | CoreTrace
    Web Site | www.coretrace.com
    Product Name | Bouncer
    Version & Platform | 6.0.1, Windows 2000, 2003, 2008, XP, Vista and 7
    Product Description | Bouncer is a powerful, flexible, and secure Enterprise Application Whitelisting solution. Bouncer provides three major benefits to your environment: Security, Configuration Control, and Compliance. Bouncer provides security against hacking and malware, including zero day attacks. As a Configuration Control mechanism, Bouncer ensures that software can only be added, updated, or removed through managed and approved sources. Bouncer also enables regulatory compliance as a primary or compensating measure for industries struggling to meet the competing requirements of stability, manageability, and security.

    Solution Summary

    The Bouncer Control Center can be configured to send syslog data to one or more Syslog Event Correlation devices. By integrating with RSA enVision, Bouncer's log activity can be used in an effective security log management solution for real-time alerting, correlated rules and events, and scheduled reporting.

    RSA enVision Features

    CoreTrace Bouncer 6.0.1
    EventSource Integration package name | coretracebouncerpe.zip
    Device display name within enVision | CoreTraceBouncerPE
    enVision table | Application Firewall
    Event source class | Application Firewall
    Collection method | Syslog

    Release Notes

    Release Date | What's New In This Release
    04/12/2012 | Updated ESI Package for enVision 4.1.
    03/14/2011 | Initial support for CoreTrace Bouncer.


    EventSource Integrator Package

    The RSA enVision Intelligence Community is an online forum for customers and partners to exchange technical information and best practices with each other. The forum also contains the location to download the EventSource Integrator Package for this guide. All enVision customers and partners are invited to register and participate in the Intelligence Community: https://rsaenvision.lithium.com.

    Once you have downloaded the CoreTraceBouncerPE package from the Intelligence Community, you must deploy the package on all enVision appliances in your environment as described in the following table.

    RSA enVision Site | Where to Deploy the Event Source XML Package
    Single appliance site | On the appliance
    Multiple appliance site | On all components: Application Servers (A-SRVs), Database Servers (D-SRVs), Local Collectors (LCs), Remote Collectors (RCs)
    Multiple appliance site with Enhanced Availability | On all components: Application Servers (A-SRVs), Database Servers (D-SRVs), Cluster Appliances (CAs)

    EventSource Integrator Package Notifications

    An EventSource Integrator package may be updated frequently depending on the vendor or changes to the log messages of the device. To ensure you receive e-mail notifications on all new and existing RSA Partner ESI Packages, simply subscribe to the Partner Created Content message board within the RSA enVision Intelligence Community. To do so, perform the following steps:

    1. Log in to the enVision Intelligence Community.

    2. Scroll down and click enVision Content and Event Sources > Partner Created Content.


    3. On the top menu, click Board Options > Subscribe.

    Note: You will now be notified via e-mail when new or existing ESI packages are updated.

    Deploying an EventSource Package

    To deploy an event source package:

    1. Extract the EventSource Package directly into the following folder: %_ENVISION%\update.

    Important: Do not create a subfolder within the %_ENVISION%\update directory when extracting the package.

    2. Run the script file, DeployEventSourceSetup.vbs.

    3. The RSA enVision EventSource Integrator box will appear. If you wish to have the NIC Service Manager service restart on all of your sites after the install, click Yes. If you plan to manually restart the services later, click No. The time the script file takes to run depends on the number of event source XML files that need to be verified. If you are deploying a new event source, the script assigns an event source type ID to the event source. If you are updating an existing event source, the event source XML file is updated.

    4. Log in to the enVision console to confirm the new device type is displayed under Overview > System Configuration > Devices > Manage Device Types and listed as CoreTraceBouncerPE.

    Important: The new device will not be displayed in the enVision console until the NIC Service Manager service has been restarted.


    Partner Product Configuration

    Before You Begin

    This section provides instructions for configuring the Bouncer Control Center with RSA enVision. This document is not intended to suggest optimum installations or configurations.

    It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

    All Bouncer Control Center components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

    Bouncer Control Center Configuration

    To configure Bouncer Control Center to send syslog data to enVision, perform the following steps:

    1. Log in to the Bouncer Control Center.

    2. Select the Configuration tab.


    3. Select the Syslog sub-tab.

    4. Right-click into the whitespace on the page.

    5. Select Add.

    6. Enter the IP Address and Port number of the enVision server. Click OK.

    7. Click Save.


    Certification Checklist for RSA enVision

    Date Tested: April 12th, 2012

    Certification Environment

    Product Name | Version Information | Operating System
    RSA enVision | 4.1 SP1 | Microsoft Windows 2003
    RSA EventSource Integrator | 1.2 | Microsoft Windows XP
    RSA Event Source Update (ESU) | 20110106-120053 | Microsoft Windows XP
    CoreTrace Bouncer | 6.0.1.5696 | Microsoft Windows 2003

    enVision Test Case | Result

    Device Management
    Device discovers properly under Manage Monitored Devices
    Vendor name appears in enVision GUI correctly
    Device can be deleted from Manage Monitored Devices
    Device can be disabled from Manage Device Types
    Device Class type is correct under Manage Device Types
    Device displays properly under Manage Messages to Parse

    Message Management
    Disabled device creates unknown device in monitored device list
    Temporary nugget files are removed

    Queries / Reports
    Messages for device populate the table columns correctly
    Ad Hoc report populates variables correctly

    J J O / PAR =Pass =Fail N/A =Non-Available Function


    Appendix

    In certain cases after deploying the ESI Package, the device may come into enVision as an Unknown device type. To resolve this issue, complete the following steps.

    1. In the enVision GUI, select Overview > System Configuration > Devices > Managed Monitor Devices, then click on the IP Address of the Unknown device.


    2. From the Device Type pull-down menu, select the correct device type. For the name of the device as it appears in enVision, refer to the above section RSA enVision Features, page 2.

    3. Select OK to the information dialog box shown below.


    4. From the Collection pull-down menu, select Active.

    5. Select the Analyze radio button.

    6. Click Apply.

    Important: You must restart the enVision NIC Collector Windows service for your changes to take effect.