< Day Day Up > |
Policy means different thing to different people. To security practitioners and auditors, the word policy typically refers to a document that outlines how an organization plans to secure both physical and informational assets. This document is a living document that is ever changing as the business evolves, acquisitions occur, applications are deployed, and systems are installed. Policy can also refer to the implemented rule sets of a product that is meant to enforce those rules. You will often hear of the rule set implemented by a firewall as the firewall policy. The CSA also implements a policy in the same manner as the firewall. The local CSA agent software monitors system usage and prevents actions requested by the user or system that violate the defined policy. For a review of CSA policy, see Chapter 4, "Understanding CSA Policies, Modules, and Rules." How Policy Relates to CSAWhen speaking of CSA, policy is the centrally defined grouping of rules that identify how systems can be used. This policy is derived from the enterprise security policy document that specifically states how systems are allowed to interact. The security agent policy is a direct mapping of written policy to CSA-defined rules that accomplish the preventive or accepted nature of the written policy statements. The items mapped from the written policy into the CSA enforcement policies relate to approved application lists, approved use of products and systems, and allowed network interaction. In most environments, written policy cannot be enforced at the endpoint completely, and the enforcement mechanism attempted is simple trust of the user base. It has been proven over and over that whether or not you trust your users to take the correct actions regarding corporate resources, even a single deviation can severely impact the confidentiality, integrity, and availability of your most important data. CSA provides many of the functions necessary to comply with the internally written security policy as well as the externally enforced written policies such as HIPAA. The First Steps in Policy CreationTo successfully define policy for an organization, you must understand how the company functions daily. You must have detailed knowledge of the information flow among the various entities, partners, and customers. You must also be concerned with locating the company assets from an electronic information perspective. This information must be protected both at rest, when it is stored, and in transit, whether it is being moved or used via remote application. The three most important concepts relating to security policy creation are as follows:
The CSA and its policies enable you to maintain confidentiality, integrity, and availability. The various rules that are part of the deployed policy can guarantee that applications are used only as designed or allowed, ensure network connectivity and network services are available when necessary to whom and what should require them, and provide a mechanism to prevent unauthorized modification of data. To ensure that the rules created for the CSA deployment are accurate, you must have an approved security policy document on hand at the time of policy creation. Creating New Policies Versus Using Predefined CSA PoliciesThe CSA MC includes a number of policies that you can use as a starting point for your own policy development or as the policies installed natively in your architecture. These policies range in their use from base security policies for protecting various operating systems to specifically developed policies that protect and control various types of applications. In most cases, the predefined policies serve as a staring point from which you can fine-tune and further develop them to suit your business needs. Figure 12-1. Predefined CSA PoliciesBrief Review of Policy Component HierarchyThe CSA hierarchy is important to understand when attempting to efficiently create or modify policies for deployment. The components are rules, rule modules, policies, groups, and hosts. Rules are targeted enforcement mechanisms. This component controls specific interaction on a system. Rules can control whether a file can be accessed by a process, or possibly whether an application can use a certain TCP port for outbound access to the network. Rule modules are groupings or rules that collectively satisfy a common security enforcement goal. A rule module may group rules that protect a specific operating system from abnormal behavior, or possibly group rules that control how a specific application is allowed to function. Rule modules may also be composed of rules that will be enforced based only on system and user state profiles. Policies are collections of rule modules. You might have various rule modules that serve many purposes in implementing the enforcement of your written policy. Gathering these rule modules into policies enables you to group rule modules that serve a common pur-pose to be collectively paired with one another and therefore applied to systems as a whole. Policies are applied to groups. Groups take the various policies applied to them and formulate a combined policy from all of the derivative components. The hosts in the architecture are placed into groups. The hosts inherit the rules within the various assigned group policies and apply them as required on the endpoint, as shown in Figure 12-2. In addition, a host can participate in multiple groups, including the mandatory groups, and combine rules and settings from those groups as well. Figure 12-2. Combined Hierarchy of a HostWhere to Apply PoliciesPolices are best deployed in a manner that will be efficient within your architecture. This means reusing the building blocks rather than recreating new components. Another way to gain efficiency is to group necessary components together that will apply cross platform and to use the mandatory CSA groups effectively. A couple of ways to efficiently deploy and create new policies are to use mandatory groups and the cloning feature. Using Mandatory GroupsAs you learned in Chapter 3, "Understanding CSA Groups and Hosts," with mandatory groups you can implement the pieces of your written security policy that are global in nature. It is important to understand that any policy applied to the mandatory group also becomes mandatory to all members of that group. As part of a combined policy for a host, any rules applied through a mandatory group will be at the top of the list of the rule set when the rule priority is calculated. These rules cannot be overridden by any other less or more restrictive rules. They are what they are, and they are absolutely enforced. You want to write or use specific rules in your deployment. You should maintain these specific rules regardless of another policy. You might want, for example, to guarantee that no system under CSA agent control can ever use the Telnet protocol on port 23, because it is unencrypted. You could write a network access control list rule to prevent any application from creating a client-side connection to that port and apply it to the mandatory groups. This rule ensures that even another policy that specifically allows an application to use this sort of connectivity is not allowed and that your written policy is maintained. You can also use the various mandatory groups to implement global rules specific to worm prevention and other selectable system application programming interface (API) rule features. Cloning CSA ComponentsSometimes it is best to start with a framework instead of attempting to build a rule module from the ground up. Therefore, CSA provides a cloning feature. Cloning is a method to select an object within the hierarchy and re-create an exact copy with a new name. You can then edit the new object without impacting the integrity or application of the existing object. Cloning can prove useful when creating a similar policy to one that has already been built. To clone a rule module, follow these steps:
You can easily clone certain modules or other objects for testing or for a new purpose. Cloning can save a great deal of time, especially if the objects cloned are complex with a great number of included rules and objects. NOTE Cloning only clones the object selected and links that new object to the same included objects as followed by the hierarchy. Cloning one object does not create clones of all additional included objects. Creating a Simple CSA PolicyTo illustrate the work flow required and hierarchy used, this section shows how to create a very basic policy. This section does not cover every step necessary in detail, but it does mention all steps required. To create a test policy, follow these steps:
Investigating Predefined PoliciesEarlier, you learned that you can use the predefined policies as a starting point in developing your own purpose-driven policy. To better understand what you should expect when building your own policy, you should investigate some of the predefined CSA policies and their composition. This section briefly looks at three native policies to establish your own foundation:
Base Operating System Protection Windows PolicyThe Base Operating System Protection Windows policy provides various basic protective mechanisms for any supported Windows platform. As shown in Figure 12-11, this policy includes 6 combined rule modules (2 specific to Windows XP) with more than 40 total rules. Figure 12-11. Base Operating System Protection WindowsClick Explain Rules on the quick links menu to see a screen containing the verbose description of the rules that are combined. The rule modules include various types of rules ranging from agent service control to application control rules and system API rules. You can also use several rules pertaining to file access control to protect the Windows operating system and the local command shell and registry files. This is a very deep policy with many control mechanisms that will serve as an excellent learning tool for a new security administrator. Microsoft Office PolicyThe Microsoft Office policy is application specific and only serves to protect the system from Microsoft Office issues that might arise and to protect the Microsoft Office components from the system. This particular policy only includes a single rule module to accomplish this task. Ten rules are included in the rule module, and consist of the following types, as shown in Figure 12-12:
Figure 12-12. Microsoft Office PolicyInstant Messenger PolicyThe Instant Messenger policy is an application-specific policy geared toward limiting instant messenger applications from being compromised. This policy also only requires a single rule module and just seven rules to accomplish its focused task, as displayed in Figure 12-13. The rules are a combination of network and file access control rules, which use variables where possible. Clicking Explain Rules enables you to view the locations and uses of the variables throughout the configuration. One of the variables used is instant messenger executables. This file set includes msmsgs.exe (Microsoft Messenger), aim.exe (AOL Instant Messenger), and ypager.exe (Yahoo! Instant Messenger). You can easily edit this file set to include other instant messenger applications discovered in your network so that they too benefit from the same protective policy. Figure 12-13. Instant Messenger Policy |
< Day Day Up > |