Understanding CSA Hosts

In the CSA architecture, hosts are the machines you want to protect. The agent software is installed on host systems. Those endpoints are, from that point on, referred to as hosts within the CSA MC. Hosts are initially assigned group and policy information upon installation of the agent kit. An agent kit is the agent installation executable, which Chapter 6, "Understanding CSA Components and Installation," discusses in detail. After the agent has been installed on the host, it attempts to connect to the CSA MC to register and pull the latest policies tied to the group to which it was assigned.

Viewing Host Configuration

To see the list of hosts that have registered with the CSA MC, choose Systems > Hosts. From this page, you can filter the list of hosts via two easy-to-use drop-down menus. The menu on the upper left is a selection method that enables you to filter by operating system, as follows:

  • All

  • Windows

  • Linux

  • Solaris

The menu on the upper right is a selection tool that enables you to filter by the following criteria:

  • Active Only lists hosts that actively polled during the last update poll interval

  • Protected Only lists hosts that have policies attached to their assigned groups

  • Latest Software Only lists hosts that are running the latest available software and are not in need of an agent software upgrade

  • Test Mode lists hosts that are currently running in Test Mode (shown as ON)

  • Last Poll sorts hosts by the time stamp of their last poll

The Hosts window shown in Figure 3-14 gives you some basic top-level information about the host, such as the host name and a description that includes operating system and service pack, processor information, and amount of memory installed. You can also delete the host from this screen. Deleting a host frees up a license on the CSA MC for another machine to register; this proves useful when you decommission old hardware and re-issue new hardware.

Figure 3-14. Viewing the Host List


When a host is a member of a particular group, it inherits the behavior of that group, which could relate to items such as the following:

  • Configuration polling intervals

  • Security policy rules

  • Test Mode operation

The next sections describe polling intervals and Test Mode operation in more detail. Chapter 4 thoroughly explains security policy rules.

Polling Intervals

Understanding polling intervals is important when attempting to best deploy and scale your CSA architecture. The remote CSA agents only request policy updates from the CSA MC server after the designated polling interval for that agent has expired. The default polling interval is 10 minutes. You can increase this time up to a maximum of 24 hours. If your environment has very secure and controlling policies and you have set many of the rules to log events, or you have a very large number of agents reporting to a single CSA MC, you might want to increase the polling interval to decrease the load placed on the MC. The polling interval is one way to control how often network traffic between the MC and remote agents needs to take place. Even though the typical traffic between the agent and MC is relatively low bandwidth, if you have a large number of hosts attempting to communicate over low-bandwidth WANs, you might want to increase the period between polls.

The amount of polling traffic communicating with the CSA MC limits the number of agents the CSA MC can successfully manage because of the overhead required to process the requests. Although this overhead is low and the CSA MC architecture can scale to service up to 100,000 hosts, the polling interval should be addressed beginning in the pilot.

NOTE

When a host belongs to more than one group, that host inherits the shortest polling interval assigned any of the groups of which it is a member.
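The following is an added example, not code from the book or from Cisco: a small Python model of the Systems > Hosts drop-down filters described above and of the polling-interval rules stated in this section (10-minute default, 24-hour maximum, shortest interval wins when a host is in several groups). The group and host records, the helper names and the sample agent version string are all constructed for illustration.

```python
"""Toy model of the Systems > Hosts filters and of group-inherited polling.

Added example, not Cisco code: the host and group records, the helper names and
the sample agent version are constructed to illustrate the rules the chapter
states (10-minute default, 24-hour maximum, shortest interval wins).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFAULT_POLL = timedelta(minutes=10)   # default polling interval (from the text)
MAX_POLL = timedelta(hours=24)         # configurable maximum (from the text)
LATEST_AGENT = "4.5.1"                 # constructed sample value, not a real release
NOW = datetime(2005, 6, 1, 12, 0, 0)   # fixed clock so the example is reproducible


@dataclass
class Group:
    name: str
    polling_interval: timedelta = DEFAULT_POLL
    policies: tuple = ()               # policy names attached to the group (constructed)


@dataclass
class Host:
    name: str
    os: str                            # "Windows", "Linux" or "Solaris"
    agent_version: str
    last_poll: datetime
    groups: list = field(default_factory=list)


def effective_polling_interval(host):
    """Shortest interval across the host's groups, as the chapter's note states.

    Assumption: a host in no group keeps the default; the result is clamped to
    the documented 24-hour ceiling as a defensive check.
    """
    if not host.groups:
        return DEFAULT_POLL
    return min(min(g.polling_interval for g in host.groups), MAX_POLL)


def is_active(host, now=NOW):
    """Active Only: the host polled within its last polling interval."""
    return now - host.last_poll <= effective_polling_interval(host)


def is_protected(host):
    """Protected Only: at least one of the host's groups has a policy attached."""
    return any(g.policies for g in host.groups)


def has_latest_software(host):
    """Latest Software Only: no agent upgrade pending."""
    return host.agent_version == LATEST_AGENT


def filter_hosts(hosts, os_filter="All", criterion=None, now=NOW):
    """Apply the left (OS) and right (criterion) drop-downs; return host names."""
    selected = [h for h in hosts if os_filter == "All" or h.os == os_filter]
    if criterion == "Active Only":
        selected = [h for h in selected if is_active(h, now)]
    elif criterion == "Protected Only":
        selected = [h for h in selected if is_protected(h)]
    elif criterion == "Latest Software Only":
        selected = [h for h in selected if has_latest_software(h)]
    elif criterion == "Last Poll":
        selected = sorted(selected, key=lambda h: h.last_poll, reverse=True)
    elif criterion is not None:
        raise ValueError(f"unknown filter: {criterion}")
    return [h.name for h in selected]


# Constructed sample data: four groups and four registered hosts.
DESKTOPS = Group("Desktops", timedelta(minutes=10), ("Desktop Policy",))
SERVERS = Group("Servers", timedelta(hours=1), ("Server Policy",))
FINANCE = Group("Finance", timedelta(minutes=30), ("Finance Policy",))
STAGING = Group("Staging")             # default interval, no policy attached

HOSTS = [
    Host("ws01", "Windows", "4.5.1", NOW - timedelta(minutes=5), [DESKTOPS]),
    Host("srv01", "Windows", "4.5.0", NOW - timedelta(minutes=45), [SERVERS, FINANCE]),
    Host("lnx01", "Linux", "4.5.1", NOW - timedelta(minutes=2), [STAGING]),
    Host("sol01", "Solaris", "4.5.1", NOW - timedelta(minutes=20)),
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h.name, effective_polling_interval(h), is_active(h), is_protected(h))
    print(filter_hosts(HOSTS, "Windows", "Protected Only"))
```

Note how srv01 illustrates the inheritance rule: it belongs to Servers (1 hour) and Finance (30 minutes), so its effective interval is 30 minutes, and because its last poll was 45 minutes ago it drops out of the Active Only view even though it is still within the Servers group's own interval.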


Using Test Mode

Test Mode is an extremely important CSA topic. Test Mode is an invaluable feature often used when initially deploying the CSA product, when modifying policies down the road, or even when troubleshooting an agent. Test Mode is a state the agent can enter in which it no longer takes preventive measures. When in Test Mode, agents inspect all interaction as defined in the combined rule set running on the agent system and log, as each policy match occurs, how the agent would have reacted; however, the agent does not enforce the action specified in the matching rule and therefore does not prevent an application from functioning or an attack from succeeding.

When you initially roll out CSA, it is beneficial to implement the product in Test Mode so that you can see how the policy will affect day-to-day business without negatively impacting it. After you have fine-tuned the policies, you can take the agent out of Test Mode and all policies will be placed in full effect (that is, Protect Mode) after the next successful agent poll. Remember, when in Test Mode, the policies are actively inspecting transactions but are not enforcing the rule action, such as denying access to system resources. In Chapter 4, you learn another way to use Test Mode to test specific policies rather than entire groups.
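To make the difference between Test Mode and Protect Mode concrete, here is an added Python example (not Cisco code and not the book's): a toy evaluator that walks a combined rule set for a resource access and shows that, in Test Mode, every matching rule is still inspected and logged but no enforce action is applied, while the Agent class models the point that a Test Mode change pushed from the MC only takes effect after the next poll. The path-prefix rule shape, the event wording and the rule names are constructed; the distinction between enforce rules (allow/deny/terminate) and detect rules (monitor and log) is the one the chapter describes.

```python
"""Toy rule evaluator showing what Test Mode changes on an agent.

Added example, not Cisco code. The rule shape (path-prefix match plus action),
the event wording and the Agent class are constructed; CSA's actual rule
language is the subject of Chapter 4.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ENFORCE_ACTIONS = {"allow", "deny", "terminate"}   # enforce rules (from the text)
DETECT_ACTIONS = {"monitor"}                        # detect rules: monitor and log only
PAST_TENSE = {"allow": "allowed", "deny": "denied", "terminate": "terminated"}


@dataclass(frozen=True)
class Rule:
    name: str
    resource_prefix: str   # constructed matching: rule applies under this path prefix
    action: str            # one of ENFORCE_ACTIONS or DETECT_ACTIONS


@dataclass
class Decision:
    action: str                                       # what the agent actually did
    events: List[str] = field(default_factory=list)   # log lines produced


def evaluate(rules, resource, test_mode):
    """Inspect every matching rule; enforce only when not in Test Mode.

    Assumptions: rules are checked in order, the first matching deny/terminate
    ends evaluation in Protect Mode, and a resource no enforce rule matches is
    allowed.
    """
    decision = Decision("allow")
    for rule in rules:
        if not resource.startswith(rule.resource_prefix):
            continue
        if rule.action in DETECT_ACTIONS:
            decision.events.append(f"[detect] {rule.name}: {resource}")
            continue
        if test_mode:
            # Matched enforce rule: log what would have happened, enforce nothing.
            decision.events.append(
                f"[test mode] {rule.name}: would have {PAST_TENSE[rule.action]} {resource}")
            continue
        decision.events.append(f"[enforce] {rule.name}: {PAST_TENSE[rule.action]} {resource}")
        decision.action = rule.action
        if rule.action != "allow":
            break
    return decision


@dataclass
class Agent:
    """Holds the Test Mode flag; a change pushed by the MC takes effect at the next poll."""
    test_mode: bool = True
    pending_test_mode: Optional[bool] = None

    def mc_sets_test_mode(self, value):
        self.pending_test_mode = value

    def poll(self):
        if self.pending_test_mode is not None:
            self.test_mode = self.pending_test_mode
            self.pending_test_mode = None

    def handle(self, rules, resource):
        return evaluate(rules, resource, self.test_mode)


# Constructed combined rule set: one detect rule and two enforce rules.
RULES = (
    Rule("Monitor driver directory", "C:\\Windows\\System32\\drivers\\", "monitor"),
    Rule("Protect system directory", "C:\\Windows\\System32\\", "deny"),
    Rule("Allow office application files", "C:\\Program Files\\Office\\", "allow"),
)
DRIVER = "C:\\Windows\\System32\\drivers\\newdrv.sys"   # constructed sample resource

if __name__ == "__main__":
    for mode in (True, False):
        d = evaluate(RULES, DRIVER, test_mode=mode)
        print("test_mode" if mode else "protect", d.action, d.events)
```

Running it shows the same two log lines in both modes for the driver write, but the action is "allow" in Test Mode and "deny" in Protect Mode. This is exactly why a Test Mode rollout is safe for day-to-day business while still producing the event data needed to tune the policy before switching to Protect Mode.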

Working with Hosts

Clicking the link on the host list takes you to the configuration detail page for that particular host. (See Figure 3-15.) This page gives you great detail regarding the particular host selected. You are presented with the host name and description, as you also saw on the Hosts page. You also have a Contact Information section, which can be expanded to show the associated username, e-mail, phone number, and location if the user has entered the information into the remote agent user interface (UI).

Figure 3-15. Host Detail Page


Below the Contact Information, you see a section that can be expanded as in Figure 3-16 to reveal detailed host status. This information is broken out into three sections:

  • Host Identification Under Host Identification, you see the following detailed breakout:

    • Product Information CSA agent version currently reported.

    • Last Known IP Address (and History) The last IP address from which the agent polled. A history of previously reported IP addresses, including the start and finish times during which each address was in use, is available in a pop-up window by clicking the History link.

    • Host ID The ID associated with the host at registration time, used for the necessary linkage within the CSA MC database.

    • UID ID associated with the agent kit used for installation.

    • Registration Time Initial date and time of registration.

    • Operating System The reported OS on the host.

    • Cisco Trust Agent Installed Whether the Cisco Trust Agent is installed and, if installed, the associated posture state currently assigned to this agent. This feature is part of the Cisco Self-Defending Network Initiative and more specifically Network Admission Control (NAC).

  • Host Status From here, you obtain information regarding the current operational status of the agent, such as the following:

    • Events Issued in the Past 24 Hours Clickable link and number of events from this particular host within the past 24-hour period.

    • Software Version Whether the agent software version is current.

    • Policy Version Whether the agent is running the latest, current policy.

    • Time Since Last Poll Time since the last successful poll.

    • Time Since Last Application Deployment Data Upload If an application deployment job has been run for this agent, the time since the last upload will be listed.

    • Detailed Status and Diagnostics Link This option enables you to get current information about the endpoint, including IP address and current or out-of-date policy, by requesting the agent to poll immediately with this information. You can also clear remote cached entries on the remote host directly from this screen and reset the agent back to default installation parameters from the Diagnostics window without physically visiting the device.

  • Host Settings The Host Settings portion of the Status section gives you insight into some configurable on/off parameters for the host agent. Many of these options are only configurable within the groups that the host is a member of, but from here you get a good view of how the host is set to behave based on conflicting policies that may be present within multiple groups. Here is a list of what is reported under Host Settings:

    • Polling Interval The polling interval for this host.

    • Send Poll Hint Whether UDP hint messages are enabled for this host.

    • Test Mode Shows whether the agent is in Test Mode.

    • Verbose Logging Mode Whether the agent is suppressing repeated messages within the allotted timeframe.

    • Log Deny Actions Denotes whether the host is set to log all deny actions or just those set to log per rule definition.

    • Filter User Info from Events Whether the host is filtering user information for privacy reasons when reporting to the event log.

    • Application Deployment Investigation Enabled Shows whether the agent is actively running an application deployment investigation.

Figure 3-16. Hosts Status Detail Information


The Host Detail screen also shows a nesting of which groups the host is a member, the policies assigned to the groups, and the modules within the policies (see Figure 3-17).

Figure 3-17. Group and Policy Inheritance Nesting Example


Just below the nested hierarchy appears a list of all rules running on the host as combined from all associated groups, policies, and modules. This list is divided into two major sections: enforce rules and detect rules. Enforce rules typically deny, terminate, or allow actions to occur; whereas, detect rules monitor and log actions. Chapter 4 covers the types of rules in greater detail.

A useful feature when working with the combined rule set deployed to an agent is the ability to sort the rules listed at the bottom of the Hosts page in the Combined Policy Rules section. The default displays All Rules; however, by clicking All, you can filter the displayed rules. You can select the specific rule type to view, system state conditions, or user state conditions. (See Figure 3-18.)

Figure 3-18. Filtering Combined Policy Rules


Changing a Host's Group Membership

Earlier in the section "Viewing and Changing Group Membership" you learned how to add and remove a host from a particular group you are viewing. You can also change a host's group membership from the host detail window shown in Figure 3-19. When viewing the host configuration, you can click Modify Group Memberships from the quick links menu. This screen is very similar to the options earlier, but now you have lists of groups to which the host belongs and those of which the host is not yet a member. Just as before, choose the groups you want to join or unjoin and click Add or Remove. This function is similar to what you accomplished from the group option, except that you are now working with a specific host's membership and not a specific group's members. The outcome of either transaction is a host belonging to new group(s) or being removed from an existing group and, therefore, running the newly combined policy and control mechanisms inherited from its newly defined membership.

Figure 3-19. Assigning Group Membership


Viewing Host-Associated Events

When troubleshooting a particular host, it is advantageous to filter the event log so that you are only viewing events issued from that particular host. An easy way to accomplish this is to click either the View Related Events quick link or choose Host Status > View Events Issued in the Past 24 Hours. The latter option only displays 24 hours' worth of events, whereas the former option displays all events in the database from the host. Both options can prove valuable depending on when the issue you are troubleshooting took place.

Figure 3-20. Host-Associated Events Filter


    Cisco Security Agent
    ISBN: 1587052059
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan