Chapter 6. Understanding CSA Components and Installation

you do not need to deploy this interactive capability to all users in the architecture, or any at all.

In this chapter, you continue to gain an understanding of the CSA architecture through an exploration of the agent software components, protocol communication, and installation.



General CSA Agent Components Overview

You have access to several "under-the-hood" components that are built into CSA. To fully understand how CSA works, it is best to get at least a high-level understanding of a few of the key components and their interaction on the local agent system.

When rules are changed, edited, added, or removed on the CSA MC that pertain to the particular rules and policies running on your agent, you need to update your local policies with the necessary changes. To do this, your local security agent software communicates with the CSA MC via HTTPS (443) to retrieve the new information. If you recall from an earlier discussion in Chapter 2, "Introducing the Cisco Security Agent," the CSA architecture uses a pull model whereby the agent requests information regarding possible policy changes at a set interval, which by default is 10 minutes. CSA version 4.5 includes a signed UDP hint message that can "nudge" the remote agents into polling earlier than the predetermined time so that they will receive the update ahead of schedule. This feature is very convenient, especially in environments where you have changed the default polling interval to a higher time value and you need the ability to push (that is, request a pull) a change quicker than the typical poll cycle.
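The following is an added sketch, not Cisco's code or the CSA wire format. It models why the hint is signed and why it only requests a pull: the agent checks authenticity and freshness before bringing its poll forward, and policy still arrives only through the agent's own HTTPS request. The HMAC-SHA256 shared key, the datagram layout, the sequence number and the 30-second freshness window are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

POLL_INTERVAL = 600   # seconds; the page gives 10 minutes as the default
MAX_HINT_AGE = 30     # assumption: freshness window for a hint, in seconds
BODY_LEN, TAG_LEN = 16, 32

def make_hint(key, seq, sent_at):
    """MC side (hypothetical layout): seq | timestamp | HMAC-SHA256 tag."""
    body = struct.pack("!QQ", seq, sent_at)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Agent:
    def __init__(self, key, now):
        self.key, self.last_seq = key, 0
        self.next_poll = now + POLL_INTERVAL

    def handle_hint(self, datagram, now):
        """Return True only if an authentic, fresh hint moved the poll forward."""
        if len(datagram) != BODY_LEN + TAG_LEN:
            return False
        body, tag = datagram[:BODY_LEN], datagram[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted datagram
        seq, sent_at = struct.unpack("!QQ", body)
        if seq <= self.last_seq or abs(now - sent_at) > MAX_HINT_AGE:
            return False                      # replayed or stale hint
        self.last_seq = seq
        self.next_poll = now                  # pull now; the hint carries no policy
        return True

    def poll_done(self, now):
        """Called after the HTTPS pull completes; resume the normal cycle."""
        self.next_poll = now + POLL_INTERVAL

def demo():
    key = b"constructed-demo-key"             # constructed sample value
    agent = Agent(key, now=0)
    good = make_hint(key, seq=1, sent_at=100)
    results = {
        "forged": agent.handle_hint(make_hint(b"wrong-key", 1, 100), now=100),
        "valid": agent.handle_hint(good, now=101),
        "replayed": agent.handle_hint(good, now=105),
        "stale": agent.handle_hint(make_hint(key, 2, 100), now=400),
    }
    results["next_poll"] = agent.next_poll
    return results

if __name__ == "__main__":
    print(demo())
```

Because a rejected hint leaves `next_poll` untouched, an agent that never receives a valid hint still polls on its normal interval.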

The agent policy manager is the agent component that receives the policies from the CSA MC server and forwards them to another agent component known as the rule/event correlation engine. This engine reviews the old and new rules and replaces or updates whatever is necessary to form the new local rule set.

Another component in the CSA is known as interceptors. Interceptors proxy actions that are attempted and verify how to proceed against the rules in the rule/event correlation engine. Some of the interceptors are as follows:

Network Traffic interceptor: Use for SYN flood and port scan protection.

Network Applications interceptor: Limit or allow individual applications to access the network via specific protocols and network addressing parameters.

File interceptor: Limit an application's ability to read and write to specific files and directories.

A final noteworthy component is the local event manager. The local event manager locally stores events that are generated by the rules that have been triggered and set to log. Once stored and cached locally, the events that are to be logged are sent to the CSA MC for administrative review and global event correlation capabilities. If the CSA MC is not available, the agent stores the events and transmits them, with the appropriate time stamps attached, the next time the agent can communicate with the CSA MC server.

All of the previously mentioned agent components also reside in the UNIX agents, although they are implemented through different programming methods available to those operating system architectures.



CSA Installation Requirements

In each of the operating systems in which CSA may be installed, you must satisfy minimum hardware and software requirements to ensure the deployment is supported by Cisco Technical Assistance Center (TAC). This section describes the software and hardware requirements and the communication requirements.



Software and Hardware Requirements

CSA has specific minimum requirements to load on an endpoint-protected server or workstation. Because the CSA is a software product, it only runs on appropriate operating systems. In version 4.5, the agent is supported on some Solaris, Linux, and Windows flavors. Future versions might provide you with an expanded operating system support base, but for version 4.5, follow the operating system requirements described in this section or refer to the latest CSA documentation for the most current guidelines, which are available at Cisco.com.

The hardware requirements for Windows, Solaris, and Linux agents differ slightly. Verify the requirements for your system before attempting installation and architecture implementation.

NOTE

CSA uses approximately 20-30 MB of disk space on all platforms.



Table 6-1 shows the Windows agent minimum requirements.

Table 6-1. Windows Agent Requirements

| System Component | Requirement |
| --- | --- |
| Processor | Intel Pentium 200 MHz or higher. Note: Uni/dual/quad processors are all supported. |
| Operating systems | Windows 2003. Windows XP (Professional English 128 bit) with Service Pack 0, 1, or 2. Windows 2000 (Professional, Server, or Advanced Server) with Service Pack 0, 1, 2, or 3 or higher. Windows NT (Workstation, Server, or Enterprise Server) with Service Pack 5 or higher. Note: Citrix MetaFrame and Citrix XP are supported. Terminal Services are supported on XP and Windows 2000. Terminal Services is not supported on Windows NT. |
| Memory | 128 MB minimum. |
| Hard drive space | 15 MB or higher. |
| Network | Ethernet or dialup. Note: Maximum of 64 IP addresses supported on a single system. |



Table 6-2 lists the Solaris agent minimum requirements.

Table 6-2. Solaris Agent Requirements

| System Component | Requirement |
| --- | --- |
| Processor | UltraSPARC 400 MHz or higher. Note: Uni/dual/quad processors are all supported. |
| Operating systems | Solaris 8, 64-bit 7/01 edition or higher. Note: Solaris minimum core installation is not sufficient. You must also install the SUNWlibCx library. |
| Memory | 256 MB minimum. |
| Hard drive space | 15 MB or higher. |
| Network | Ethernet. Note: Maximum of 64 IP addresses supported on a single system. |



Table 6-3 shows the Linux agent minimum requirements.

Table 6-3. Linux Agent Requirements

| System Component | Requirement |
| --- | --- |
| Processor | 500 MHz or higher x86 processor. Note: Uni/dual/quad processors are all supported. |
| Operating systems | Red Hat Enterprise Linux 3.0 ES, AS, or WS. |
| Memory | 256 MB minimum. |
| Hard drive space | 15 MB or higher. |
| Network | Ethernet. Note: Maximum of 64 IP addresses supported on a single system. |



Additional Installation Requirements

For the CSA to become fully functional, you must address a few other points. Beyond the requirement to be loaded on a supported hardware and software platform, the agent must also support the necessary communication to be sure the agent remains current from a policy standpoint. The agent must also be able to resolve the IP address of the CSA MC server by its fully qualified domain name (FQDN) within Domain Name System (DNS).

CSA MC Server and Database

The CSA MC server contains the rules and policies that are required for agent enforcement. The MC is also where configuration changes and updates are maintained and is the focal point for the agents when they need to update their local policy enforcement rules. In addition, the MC serves as the destination for agent event messages that are transmitted and thus provides a centralized aggregation point for global event correlation and agent troubleshooting.

The default installation of the CSA MC includes the installation of Microsoft Data Engine (MSDE) database. This database is sufficient for smaller installations of 500 agents or fewer. The MSDE database has a database size limitation of 2 GB, which is not sufficient in larger deployments. When the enterprise agent deployment total increases to a number greater than 500 agents, it is recommended that you migrate the MSDE database to MS SQL.

In version 4.5, you can keep the MS SQL database local to the CSA MC server itself or you can use an externally loaded MS SQL server installation. It is important in either case that this database and server be secured from both a network and physical standpoint. You might decide to use an external MS SQL database in your enterprise for a number of reasons, as follows:

Off-box SQL allows for cold standby CSA MC servers in case of a server failure.

Fewer enterprise SQL deployments to maintain (regular maintenance and patching) because the SQL database can reside in your current enterprise SQL system.

The ability to leverage highly effective SQL hardware, including server architectures and disaster recovery mechanisms such as storage-area networks (SANs).

Communication Security

For policy and rule changes created on the CSA MC to take effect on the CSA, the CSA must have the ability to contact and communicate with the CSA MC over the network. This communication path can take any transport necessary between the agent and MC machines as long as there is end-to-end IP reachability for the duration of the connection.

For the agent to request the update or transmit event log messages, the agent attempts to resolve the MC IP address using DNS or any other local resolution means available such as the local hosts file. It is important that this information be correct to facilitate both a successful connection and to verify the certificate used in the Secure Sockets Layer (SSL) communication.

SSL over the standard TCP port 443 is the protocol used for all MC-to-agent interaction. SSL ensures an authenticated and encrypted communication of the updates and event transmissions. Within an enterprise, name resolution is not typically an issue; however, if you have systems that will roam around disparate networks, you need to be certain that the machine resolves the correct address and that the CSA MC server is reachable from those locations.



NOTE

The CSA policy information is local upon installation and does not need to be in contact with the CSA MC for the policy to remain active. CSA MC contact is required for policy and software updates and for transmission of the locally stored events for global interrogation and correlation.



Agent Kits

Agents are initially installed on endpoints via an executable install file. You can download and install this file directly from the CSA MC itself from an SSL-protected web page. Other methods of installation include locally executing the EXE file manually or via many other scripted and automated installation procedures such as an enterprise software installation system.



Creating an Agent Kit

Before you can install an agent kit on a workstation, you must accomplish a few tasks. First you must create the appropriate initial modules, policies, and rules that the agent will use. Then you must define the group and attach policies to it. Then you must create the agent kit and define a few installation kit parameters. This section describes these tasks and explains the options along the way.

Step 1. Choose System > Agent Kits from the navigation bar. This brings you to a view of all the currently available kits. (There are pre-installed agent kits available.) See Figure 6-1.

Figure 6-1. Available Agent Installation Kits

Step 2. Click New.

Step 3. When prompted with the What Is Your Target Architecture? pop-up window, choose the appropriate platform. In this example, choose Windows.

Step 4. Create a name and description that is appropriate to this agent kit, as shown in Figure 6-2.

Figure 6-2. Agent Kit Creation
