Policies are combinations of rule modules that serve a specific purpose. You might, for example, create a policy to control network access allowed by workstations in your environment. This policy could include multiple rule modules designed for specific operating systems and functional controls. When you combine the rule modules into a policy, you can apply the policy to groups and deploy it to active agent systems. Policies follow the same precedence rules described earlier in the section "Rule Precedence and Manipulation" because the rules from various modules are combined into a single policy. It is important that you review the precedence rules and understand how policies are combined and how the resulting rule sets are implemented on the endpoints.

To view or configure a policy on the CSA MC, choose Configuration > Policies. As shown in Figure 4-42, the same options are available for managing policies on the CSA MC that are available for the rule modules. You are allowed to create, delete, clone, or compare policies. This page lists the configured policies on the system, including the predefined policies shipped with the product. As you saw earlier in the Rule Module page in Figure 4-33, the Policies page includes links and information related to policy name, number of modules included, and description.

Figure 4-42. Predefined Policies

Understanding Policy Settings

To view a policy and the settings available at the policy level, choose the policy you want to view from the listing page by clicking its name. As shown in Figure 4-43, the configuration options on the specific policy page are as follows:
Figure 4-43. Viewing a Policy

You also have quick links available at the top of the specific policy page, including the following:
Using CSA Predefined Policies

Several policies that come installed with the CSA MC server can aid in the deployment and testing of the product. A few of the policies included are as follows:
NOTE

The Installation Applications policy makes use of dynamic application classes to identify an installation. It offers a temporarily lowered security policy during installation of the product. If the installation's completion is not detected automatically, you can resume the higher security level on the agent from within the UI by clicking the Resume button on the System Security page.
This is only a sample of the policies included with the product.

NOTE

This book does not attempt to explain the predefined policies. These policies change over time with incremental server patches and version upgrades to the product. The best method available for those wanting to better understand those modules is to investigate the locally installed policies personally.

Policy Relationship to Groups and Agents

Now that you understand how rules are combined into rule modules to create functional groupings, and rule modules are combined into policies to create cross-platform or functional policies, it is important to understand how this is applied to an agent system. Policies are applied to groups to serve as the implemented policy for all hosts in that group. Groups can contain more than one policy to further dictate the type of controls on the endpoint. Agents are then associated with a group or groups and inherit the assigned policies. All of the rules that are combined as a result of the merged information follow the rules of precedence for rule ordering on the agent system. To view the ultimate enforced policy for an endpoint or group designation, choose that item within the CSA MC and view the rule set assigned, which will be a combination of all assigned policies.

Mandatory Groups and Combined Rule Precedence

Another factor to consider that affects the precedence of rules in relation to an endpoint enforcement mechanism is mandatory group assignment. All agents are assigned to one of the mandatory groups:
Any policy assigned directly to these groups is considered mandatory and has immediate precedence over all other rules. This is an excellent way to ensure services or controls are enforced across the entire architecture regardless of other policy assigned. For example, you could create a policy that contains a deny IRC rule to prevent IRC traffic on all systems of that particular operating system throughout the entire deployment regardless of any other conflicting rule.
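The inheritance chain and the mandatory-group override described above can be modeled in Python; this is an added example, not code from the book or from the CSA product. It assumes rules match only a TCP destination port, that the first matching rule wins, and that rules keep their listed order within a tier; every group, policy, module, and agent name in it is hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    port: int                # TCP destination port the rule matches
    source: str = ""         # group/policy/module, filled in when merged
    mandatory: bool = False  # True when inherited from a mandatory group

# Constructed sample data: policy -> rule module -> rules
POLICIES = {
    "Block IRC": {"irc-module": [Rule("deny", 6667)]},
    "Chat Apps": {"chat-module": [Rule("allow", 6667)]},
    "Web Browsing": {"web-module": [Rule("allow", 443)]},
}
# group -> (is_mandatory, attached policies); names are hypothetical
GROUPS = {
    "mandatory-os-group": (True, ["Block IRC"]),
    "helpdesk": (False, ["Chat Apps", "Web Browsing"]),
}
AGENTS = {"ws-01": ["helpdesk", "mandatory-os-group"]}

def effective_rules(agent):
    """Merge agent -> groups -> policies -> modules, mandatory rules first."""
    merged = []
    for group in AGENTS[agent]:
        is_mandatory, policies = GROUPS[group]
        for policy in policies:
            for module, rules in POLICIES[policy].items():
                merged += [Rule(r.action, r.port, f"{group}/{policy}/{module}",
                                is_mandatory) for r in rules]
    # sorted() is stable, so listed order is kept inside each tier
    return sorted(merged, key=lambda r: not r.mandatory)

def decide(agent, port):
    """Return (action, source) of the first rule matching the port."""
    for rule in effective_rules(agent):
        if rule.port == port:
            return rule.action, rule.source
    return "no-rule", "none"

def overridden(agent):
    """Non-mandatory rules contradicted by a mandatory rule on the same port."""
    rules = effective_rules(agent)
    forced = {r.port: r.action for r in rules if r.mandatory}
    return [r for r in rules if not r.mandatory
            and forced.get(r.port, r.action) != r.action]

if __name__ == "__main__":
    print(decide("ws-01", 6667))
    print([r.source for r in overridden("ws-01")])
```

The `overridden` list is the part worth reviewing before deployment: each entry is a group-level rule that will never take effect because a mandatory policy contradicts it.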