CSA Policies


Policies are combinations of rule modules that serve a specific purpose. You might, for example, create a policy to control network access allowed by workstations in your environment. This policy could include multiple rule modules designed for specific operating systems and functional controls. When you combine the rule modules into a policy, you can apply the policy to groups and deploy it to active agent systems. Policies follow the same precedence rules described earlier in the section "Rule Precedence and Manipulation" because the rules from various modules are combined into a single policy. It is important that you review the precedence rules and understand how policies are combined and how the resulting rule sets are implemented on the endpoints.

To view or configure a policy on the CSA MC, choose Configuration > Policies. As shown in Figure 4-42, the same options are available for managing policies on the CSA MC that are available for the rule modules. You are allowed to create, delete, clone, or compare policies. This page lists the configured policies on the system, including the predefined policies shipped with the product. As you saw earlier in the Rule Module page in Figure 4-33, the Policies page includes links and information related to policy name, number of modules included, and description.

Figure 4-42. Predefined Policies


Understanding Policy Settings

To view a policy and the settings available at the policy level, choose the policy you want to view from the listing page by clicking its name. As shown in Figure 4-43, the configuration options on the specific policy page are as follows:

  • Name and Description: Click View or Edit to enter or modify the policy name and description.

  • Target Architectures: Verify the target operating systems that are chosen for this policy and modify as necessary. The number of modules and combined rules are listed next to the target operating system.

  • Attached Rule Modules: View the attached rule modules for accuracy. You can click the rule module name to directly link to that module for viewing.

  • Combined Policy Rules: View the combined policy rules for this policy as they are listed in order of precedence after the merger of the attached rule modules. You can filter this view by clicking the View All Rules link above the rule list. You are allowed to filter the view based on rule type, enabled rules, and state conditions.

Figure 4-43. Viewing a Policy


You also have quick links available at the top of the specific policy page, including the following:

  • Modify Group Associations: Displays the groups to which the policy is attached on the right side of the screen and the available groups on the left side of the screen.

  • Modify Rule Module Associations: Displays the rule modules attached to the policy per operating system, and enables you to add additional rule modules to this policy.

  • Explain Rules: Displays a verbose readable version of the combined rule modules and associated rules. The rules are divided into sections so that you can quickly locate the type of information you are attempting to find.

  • View Change History: Displays a filtered view of the audit log, which represents all of the changes made to this policy.

Using CSA Predefined Policies

Several policies that come installed with the CSA MC server can aid in the deployment and testing of the product. A few of the policies included are as follows:

  • Base Operating System Protection

  • Cisco Trust Agent

  • Default Security

  • Installation Applications

NOTE

The Installation Applications policy makes use of dynamic application classes to identify an installation. It offers a temporarily lowered security policy during installation of the product. If the installation's completion is not detected automatically, you can resume the higher security level on the agent from within the UI by clicking the Resume button on the System Security page.


  • Microsoft Office

  • Network Personal Firewall

  • Virus Scanner

  • Web Server

This is only a sample of the policies included with the product.

NOTE

This book does not attempt to explain the predefined policies. These policies change over time with incremental server patches and version upgrades to the product. The best method available for those wanting to better understand those modules is to investigate the locally installed policies personally.


Policy Relationship to Groups and Agents

Now that you understand how rules are combined into rule modules to create functional groupings, and rule modules are combined into policies to create cross-platform or functional policies, it is important to understand how this is applied to an agent system. Policies are applied to groups to serve as the implemented policy for all hosts in that group. Groups can contain more than one policy to further dictate the type of controls on the endpoint. Agents are then associated with a group or groups and inherit the assigned policies. All of the rules that are combined as a result of the merged information follow the rules of precedence for rule ordering on the agent system. To view the ultimate enforced policy for an endpoint or group designation, choose that item within the CSA MC and view the rule set assigned, which will be a combination of all assigned policies.

Mandatory Groups and Combined Rule Precedence

Another factor to consider that affects the precedence of rules in relation to an endpoint enforcement mechanism is mandatory group assignment. All agents are assigned to one of the mandatory groups:

  • All Windows

  • All Linux

  • All Solaris

Any policy assigned directly to these groups is considered mandatory and has immediate precedence over all other rules. This is an excellent way to ensure services or controls are enforced across the entire architecture regardless of other policy assigned. For example, you could create a policy that contains a deny IRC rule to prevent IRC traffic on all systems of that particular operating system throughout the entire deployment regardless of any other conflicting rule.
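
The following sketch is an added illustration, not CSA code or anything exported from the CSA MC. It models how an agent inherits rules through groups, policies, and rule modules, and how a policy on a mandatory group is placed ahead of a conflicting rule. Assumptions: the policy and group names other than the mandatory groups are constructed, IRC is represented as TCP port 6667, the first matching rule decides, and ordering inside each tier stands in for the precedence rules covered in "Rule Precedence and Manipulation".

```python
from dataclasses import dataclass

# Mandatory groups named in the text; every agent belongs to one of them.
MANDATORY_GROUPS = {"All Windows", "All Linux", "All Solaris"}

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    protocol: str
    port: int

# Constructed sample data: policy -> rule modules -> rules.
POLICIES = {
    "No IRC": [[Rule("deny", "tcp", 6667)]],
    "Chat Tools": [[Rule("allow", "tcp", 6667)]],
    "Web Server": [[Rule("allow", "tcp", 80)], [Rule("allow", "tcp", 443)]],
}
# Constructed sample data: group -> attached policies.
GROUP_POLICIES = {
    "All Windows": ["No IRC"],
    "Helpdesk": ["Chat Tools"],
    "IIS Servers": ["Web Server"],
}

def effective_rules(agent_groups):
    """Merge every rule an agent inherits, mandatory-group rules first."""
    mandatory, regular = [], []
    for group in agent_groups:
        tier = mandatory if group in MANDATORY_GROUPS else regular
        for policy in GROUP_POLICIES.get(group, []):
            for module in POLICIES[policy]:
                tier.extend((group, policy, rule) for rule in module)
    return mandatory + regular

def decide(agent_groups, protocol, port):
    """Return (action, policy) of the first matching rule (assumed model)."""
    for _group, policy, rule in effective_rules(agent_groups):
        if (rule.protocol, rule.port) == (protocol, port):
            return rule.action, policy
    return "no matching rule", None

if __name__ == "__main__":
    agent = ["Helpdesk", "IIS Servers", "All Windows"]
    for group, policy, rule in effective_rules(agent):
        print(f"{group:12} {policy:11} {rule.action:5} {rule.protocol}/{rule.port}")
    print(decide(agent, "tcp", 6667))
```
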



    Cisco Security Agent
    ISBN: 1587052059
    EAN: 2147483647
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan
