< Day Day Up > |
Application classes are very important components in the CSA Management Console (MC) management architecture. Application classes are groups of applications (executables) that are common in function. This section reviews how CSA rules work so that you may better understand how application classes are applied and how they relate to rules. When you define a CSA rule, most likely you are creating it so that you can deny or allow an action that might attempt to take place. You also define how and where that rule should be applied. In some cases, you might want a particular rule to apply to every process running on the endpoint. An example of this is a rule that denies an endpoint the ability to use the Telnet (TCP/23) protocol no matter what application is attempting this specific network connectivity. However, when creating the rule, you might more granularly decide to allow Telnet from the endpoint, but only from a specific set of capable applications. To take that a step further, you might also want to monitor the application and subprocesses started by that specific application. Application classes enter the equation at this point. By defining an application class, which includes the specifically allowed Telnet clients (or executables), you can then apply the rule to only those applications and subprocesses. Do not worry if you do not fully grasp the concept of using application classes just yet. It is a very important concept, and the upcoming sections illustrate application class usage by example. Purpose of CSA MC Built-In Application ClassesThe CSA MC includes some built-in application classes to get you started. These application classes initially serve two purposes:
To acquaint you with application classes, this section first looks at some of the built-in classes to discover the basic settings and configuration. To see a list of built-in application classes, you need to get to the Application Classes Configuration screen by choosing Configuration > Applications > Application Classes [Windows]. (See Figure 5-1.) Figure 5-1. Application Classes Menu Selection LocationNOTE This book uses Windows for the majority of examples to simplify the learning process. Configuring Application ClassesThe Application Classes Configuration screen lists the currently defined application classes, which you can sort to show all, Windows-specific, or UNIX-specific application classes by changing the selection in the drop-down selection box in the upper-left corner of the screen. You can perform other tasks from this screen, too, such as create a new application class, delete an application class, clone an application class to create a similar application class, or just compare two application classes by clicking the respective buttons at the lower-left corner of the web page. Figure 5-2 shows the drop-down selection field and the action buttons. Figure 5-2. Application Classes Overview PageTo view the configuration of an already created application class, use the scroll bar until you locate the application class you want to view or edit, and then click the name of the application class. For example, choose the Command Shell application class to view a basic configuration. Figure 5-3 shows the Configuration page of the Command Shell application class. Figure 5-3. Example Application Class Configuration: Part 1You have only a few tunable parameters and clickable links available when configuring an application class. The following list describes this specific application class page from the top to the bottom of the Configuration page:
You can see from the predefined Command Shell application class example configuration that this class is Windows specific and enables you to apply rules to the processes related to your specifically named command shells. This particular application class is used in several predefined modules and several rules that are listed by number and are clickable links. (You can display this information by clicking Show Reference List, as mentioned earlier.) Now that you know the specific rules and modules that this example relates to, take a look at an example of how to apply it. In this example, Rule 121, as shown in Figure 5-4, is a rule within the Required Windows System module that uses the Command Shell application class. You can translate Rule 121 to read as follows: Allow and do not log when desktop interface applications attempt to run applications in the Command Shell application class. You can see that the goal of the rule is to allow desktop applications to launch command shells on your protected endpoints. Figure 5-4. Rule 121 Using the Example Application ClassBuilt-In Application ClassesYou can use built-in application classes when defining rules, but you cannot edit them in the application class Configuration page. These application classes are also predefined on the CSA MC at installation time, but differ in that they are not configurable but can still be used in your rules. They serve very special purposes and use underlying code to provide classification rather than the CSA MC variables other application classes use. Built-in application classes display differently from other application classes in that they are surrounded by brackets (for example, <All Applications>), as shown in Figure 5-5. Figure 5-5. Built-In Application ClassesNOTE There are two types of built-in application classes: editable and noneditable. Editable built-in application classes are identified by the asterisk in the name after the opening bracket, whereas noneditable built-in application classes are in brackets but do not include the asterisk in the name. Configurable built-in application classes are also surrounded by brackets, but include a leading asterisk in the name (for example, <*Suspected Virus Applications>). You can configure these built-in application classes, but you can use them only with a rule that dictates what causes processes to become classified as one of these particular application types. You can edit the classes with asterisks (*); however, you should do so only if absolutely necessary. Built-in application classes that do not have the asterisk in front of their name have a special purpose; therefore, you cannot edit them. NOTE You can find a complete list of the built-in application classes and their descriptions in the CSA MC online Help documents via the Help link at the upper-right corner of all CSA MC web pages. Here is a list of some of the built-in application classes:
The following list includes a few of the built-in configurable application classes:
Introducing Static and Dynamic Application ClassesApplication classes are extremely important to CSA success and past performance. Within application classes, you can explicitly identify certain processes by name; such processes are called static application classes. You can also create an application class whose members dynamically change over time as certain processes exhibit specific behaviors. The next few sections examine these two application class types. Creating a Static Application ClassStatic application classes relate to applications you know are running in your environment that you want to control through CSA rules. You can create an application class by following these steps:
By following these steps, you create a new application class that includes the main process and any subprocesses resulting from executing either telnet.exe or telnet32.exe on a protected Windows system. Now that you have defined this application class, you can apply rules to control the behavior of the included processes. Configuring Dynamic Application ClassesDynamic application classes differ from static application classes. Whereas static classes refer to the name of the associated executable or process you want to group, dynamic application classes are grouped based on the behavior of applications and processes. This grouping enables you to benefit from the efficiencies gained through application classes without the need to know exactly which applications are running in your enterprise. In the example static application class created in the previous section, notice one major issue: You needed to know the exact name of the application you wanted to control via CSA rules. This requirement is fine if you can guarantee that telnet.exe and telnet32.exe are the only two applications on your enterprise workstations that use the Telnet protocol, but having this level of control is unlikely. Other examples of applications that you might want to group via protocol rather than name include the following:
Applications that behave "well" from a protocol standpoint are easily mapped to dynamic application classes, but other applications, such as instant messengers and peer-to-peer file-sharing applications, might try several communication protocols to get a connection and might be best grouped via static application classes. You can also add a process to a dynamic application class via the outcome of a rule that queries a user for a response. By choosing Terminate when a process attempts an action denied by another rule, you can add that new process to an application class that could further control the questionable process. Consider the Telnet example previously used to demonstrate how static application classes work, but this time use a dynamic application class. Follow these steps to create a dynamic application class:
Creating the dynamic application class itself is only half of the required configuration for it to be useful. To make the dynamic application class useful to you, you need to identify the processes that should be grouped by this class. To do this, you must create an application builder rule that identifies the processes and adds them to the dynamic application class based on the process behavior. Follow the next steps to create the application builder rule:
You have now completed the creation of an application builder rule that identifies any Telnet (TCP/23) traffic from a protected machine and places the client application (or process/subprocess) into an application class. This dynamic application class will be a list of Telnet client processes that you can now monitor or control with other rules applied to the same clients. You can see that the few extra steps it takes to define these objects and rules gives you greater control over your network endpoints without the need for an exhaustive enterprise application audit and the naming of very specific applications. To complete this example, the next steps configure a rule that uses the dynamic application class to deny Telnet applications from running on the endpoints. To create this rule, add another application control rule to the same module as you used for the application builder rule, and then follow the remaining steps, which are shown in Figure 5-10:
Figure 5-10. Applying the Dynamic Application ClassYou have now completed many steps. Without knowing the exact name of the Telnetcapable clients on your network or the location where they reside in the file structure, you are now certain that if any Telnet client runs and attempts to communicate over TCP port 23, you will terminate that application and send an event to the CSA MC for possible further examination. Managing Application ClassesIf you think you have too many application classes listed in the various application class selection boxes used throughout CSA MC configuration pages for rules, application deployment investigation, and application behavior investigation, you can limit the selection that is viewable on those screens. You control which ones show up by choosing Configuration > Applications > Application Class Management. From the Application Class Management window, you can enable or disable application classes for various portions of the CSA MC. Figure 5-11 shows an example of this screen. Figure 5-11. Application Class ManagementControlling Shell ScriptsYou should control shell scripts on UNIX systems because their execution and compromise could affect the security of your UNIX system. When attempting to use application classes to control shell scripts on UNIX machines, you need to understand a few things. To succeed, the scripts must satisfy two requirements:
Other methods for launching a script can circumvent your attempt at adding a script to the dynamic application class. It is very important that you use solid UNIX endpoint security to disallow many of these alternative methods to ensure your application classes succeed in achieving your goals. System ProcessesAny application class you create will never include system processes. To include these processes in a rule along with the application class you created, you must include the built-in classes <System Processes> or <All Applications> along with your application class, which would include the nonsystem processes you want to match. |
< Day Day Up > |