In the CSA architecture, hosts are the machines you want to protect. The agent software is installed on host systems. Those endpoints are, from that point on, referred to as hosts within the CSA MC. Hosts are initially assigned group and policy information upon installation of the agent kit. An agent kit is the agent installation executable, which Chapter 6, "Understanding CSA Components and Installation," discusses in detail. After the agent has been installed on the host, it attempts to connect to the CSA MC to register and pull the latest policies tied to the group to which it was assigned.

Viewing Host Configuration

To see the list of hosts that have registered with the CSA MC, choose Systems > Hosts. From this page, you can filter the list of hosts via two easy-to-use drop-down menus. The menu on the upper left is a selection method that enables you to filter by operating system, as follows:
The menu on the upper right is a selection tool that enables you to filter by the following criteria:
The Hosts window shown in Figure 3-14 gives you some basic top-level information about the host, such as the host name and a description that includes operating system and service pack, processor information, and amount of memory installed. You can also delete the host from this screen. Deleting a host frees up a license on the CSA MC for another machine to register; this proves useful when you decommission old hardware and re-issue new hardware.

Figure 3-14. Viewing the Host List

When a host is a member of a particular group, it inherits the behavior of that group, which could relate to items such as the following:
The next sections describe polling intervals and Test Mode operation in more detail. Chapter 4 thoroughly explains security policy rules.

Polling Intervals

Understanding polling intervals is important when attempting to best deploy and scale your CSA architecture. The remote CSA agents only request policy updates from the CSA MC server after the designated polling interval for that agent has expired. The default polling interval is 10 minutes. You can increase this time up to a maximum of 24 hours. If your environment has very secure and controlling policies and you have set many of the rules to log events, or you have a very large number of agents reporting to a single CSA MC, you might want to increase the polling interval to decrease the load placed on the MC. The polling interval is one way to control how often network traffic between the MC and remote agents needs to take place. Even though the typical traffic between the agent and MC is relatively low bandwidth, if you have a large number of hosts attempting to communicate over low-bandwidth WANs, you might want to increase the period between polls. The amount of polling traffic communicating with the CSA MC limits the number of agents the CSA MC can successfully manage because of the overhead required to process the requests. Although this overhead is low and the CSA MC architecture can scale to service up to 100,000 hosts, the polling interval should be addressed beginning in the pilot.

NOTE When a host belongs to more than one group, that host inherits the shortest polling interval assigned to any of the groups of which it is a member.

Using Test Mode

Test Mode is an extremely important CSA topic. Test Mode is an invaluable feature often used when initially deploying the CSA product, when modifying policies down the road, or even during troubleshooting an agent. Test Mode is a state the agent can enter in which it no longer takes preventive measures.
When in Test Mode, agents inspect all interaction as defined in the combined rule set running on the agent system and log all information with regard to how the agent would have reacted as any policy match occurs; however, the agent does not enforce the action specified in the matching rule and therefore does not prevent an application from functioning or an attack from succeeding. When you initially roll out CSA, it is beneficial to implement the product in Test Mode so that you can see how the policy will affect day-to-day business without negatively impacting it. After you have fine-tuned the policies, you can take the agent out of Test Mode and all policies will be placed in full effect (that is, Protect Mode) after the next successful agent poll. Remember, when in Test Mode, the policies are actively inspecting transactions but are not enforcing the rule action, such as denying access to system resources. In Chapter 4, you learn another way to use Test Mode to test specific policies rather than entire groups.

Working with Hosts

Clicking the link on the host list takes you to the configuration detail page for that particular host. (See Figure 3-15.) This page gives you great detail regarding the particular host selected. You are presented with the host name and description, as you also saw on the Hosts page. You also have a Contact Information section, which can be expanded to show the associated username, e-mail, phone number, and location if the user has entered the information into the remote agent user interface (UI).

Figure 3-15. Host Detail Page

Below the Contact Information, you see a section that can be expanded as in Figure 3-16 to reveal detailed host status. This information is broken out into three sections:
Figure 3-16. Host Status Detail Information

The Host Detail screen also shows a nesting of which groups the host is a member, the policies assigned to the groups, and the modules within the policies (see Figure 3-17).

Figure 3-17. Group and Policy Inheritance Nesting Example

Just below the nested hierarchy appears a list of all rules running on the host as combined from all associated groups, policies, and modules. This list is divided into two major sections: enforce rules and detect rules. Enforce rules typically deny, terminate, or allow actions to occur, whereas detect rules monitor and log actions. Chapter 4 covers the types of rules in greater detail. A useful feature when working with the combined rule set deployed to an agent is the ability to sort the rules listed at the bottom of the Hosts page in the Combined Policy Rules section. The default displays All Rules; however, by clicking All, you can filter the displayed rules. You can select the specific rule type to view, system state conditions, or user state conditions. (See Figure 3-18.)

Figure 3-18. Filtering Combined Policy Rules

Changing a Host's Group Membership

Earlier in the section "Viewing and Changing Group Membership" you learned how to add and remove a host from a particular group you are viewing. You can also change a host's group membership from the host detail window shown in Figure 3-19. When viewing the host configuration, you can click Modify Group Memberships from the quick links menu. This screen is very similar to the options earlier, but now you have lists of groups to which the host belongs and those of which the host is not yet a member. Just as before, choose the groups you want to join or unjoin and click Add or Remove. This function is similar to what you accomplished from the group option, except that you are now working with a specific host's membership and not a specific group's members.
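The inheritance behavior described in the polling-interval NOTE, the Test Mode section, and the combined rule set above, as a small Python model. This is an added illustration, not CSA code: the group names, intervals, rule names and file paths are constructed, and the deny-over-allow ordering and the host-level test_mode flag are simplifications of this model rather than CSA's documented precedence.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    resource: str   # resource the rule matches (constructed sample paths below)
    action: str     # enforce rules: "deny" or "allow"; detect rules: "log"

@dataclass(frozen=True)
class Group:
    name: str
    polling_minutes: int
    rules: tuple    # rules contributed by the group's policies and modules

def effective_polling_interval(groups):
    # A host in several groups inherits the shortest interval (per the NOTE above).
    return min(g.polling_minutes for g in groups)

def combined_rules(groups):
    # Union of every group's rules, keyed by name so a rule that reaches the
    # host through two policies appears once in the combined rule set.
    merged = {}
    for g in groups:
        for r in g.rules:
            merged.setdefault(r.name, r)
    return list(merged.values())

def evaluate(groups, resource, test_mode):
    # Returns (outcome, log). In Test Mode every matching rule is still inspected
    # and logged, but a deny is recorded as "would have" and the outcome stays "allow".
    outcome, log = "allow", []
    for r in combined_rules(groups):
        if r.resource != resource:
            continue
        if r.action == "log":                      # detect rule: monitor only
            log.append(f"{r.name}: detected access to {resource}")
        elif r.action == "deny":                   # enforce rule
            if test_mode:
                log.append(f"{r.name}: TEST MODE, would have denied {resource}")
            else:
                log.append(f"{r.name}: denied {resource}")
                outcome = "deny"
    return outcome, log

# Constructed sample groups (names, intervals and paths are illustrative only).
DENY_CMD = Rule("deny-cmd", r"C:\Windows\System32\cmd.exe", "deny")
HOSTS_FILE = Rule("log-hosts-file", r"C:\Windows\System32\drivers\etc\hosts", "log")
SERVERS = Group("Servers", 60, (DENY_CMD, HOSTS_FILE))
PILOT = Group("Pilot", 10, (DENY_CMD,))   # same rule reaches the host a second time
```

Calling `evaluate([SERVERS, PILOT], DENY_CMD.resource, test_mode=True)` logs the would-have-denied entry while returning "allow"; with `test_mode=False` the same access is denied.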
The outcome of either transaction results in a host belonging to new group(s) or being removed from an existing group and, therefore, running the newly combined policy and control mechanisms inherited from its newly defined membership.

Figure 3-19. Assigning Group Membership

Viewing Host-Associated Events

When troubleshooting a particular host, it is advantageous to filter the event log so that you are only viewing events issued from that particular host. An easy way to accomplish this is to click either the View Related Events quick link or choose Host Status > View Events Issued in the Past 24 Hours. The latter option only displays 24 hours' worth of events, whereas the former option displays all events in the database from the host. Both options can prove valuable based on when the issue you are troubleshooting took place.

Figure 3-20. Host-Associated Events Filter