Chapter 13. Developing a CSA Project Implementation Plan


Planning for Success

The major technology-based mistakes organizations continue to make on a daily basis are typically the result of poor planning. It is for that reason that you must ensure you have a detailed step-by-step process outlined before you install a single piece of software. Each step should include the task that is to be performed, the individuals performing the task, and the success criteria that accompany the task.

Providing well-defined success criteria is a step often forgotten. Success criteria are simple checklist items that must be satisfied before you are allowed to move on to the next step. Without defining the success criteria for a specific step, you often move on to another step too early, which can prove troublesome later on in the workflow. Alternatively, you might find that without defining success criteria, you end up running into scope creep, whereby you continually add items at this step in the process and can never seem to move on to the next appropriate step. You must develop the scope document, which includes success criteria, during the initial steps of the project, and all involved parties must agree to it.

NOTE

The Cisco CSA Best Practices document is a good start for basic best practices. You can find it at http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_white_paper0900ae or by searching for "Cisco Security Agent Deployment Best Practices Guide" from the Cisco.com home page.



The Project Plan

Many organizations are searching for solutions to their endpoint-related security issues. After they compile the data regarding the multitude of issues they need to solve, they typically find that they need to purchase several products, ranging from personal firewalls to other system and application control mechanisms. Unfortunately, the use of several products requires separate management systems, support contracts, and licensing, as well as continued maintenance, which can burden the current security staff.

Generally, the CSA and its many security control mechanisms can be applied across the computing architecture to solve the majority of the endpoint-based security issues facing an organization while wrapping the entire solution within a single license, endpoint agent, management system, and support contract. For obvious reasons, many organizations have selected the CSA as the product to solve their organization's security issues.



Outlining the Project Phases

Having made the decision to move forward with the CSA product, the security team needs to agree on the high-level phases the project will follow. The organization should already have a standard methodology for this process, including the following:

Training

Planning

Testing

Pilot

Implementation

Continued evolution phases

Each of these major phases has several steps included that will vary from environment to environment. Also, in smaller deployments, you might find that you can combine phases effectively and safely without impacting the success of the project. Throughout this chapter, you see the breakdown of each major phase and its application.

NOTE

You should consider discussing the role a Cisco Partner could play in your deployment, whether partial or complete, and what the partner can bring to the guaranteed success of the implementation based on their expertise and prior installation best practices. Remember, there are always best practices, but your organization might not currently follow them. To find a Cisco Partner, go to http://www.cisco.com/en/US/partners/index.html.



The Training Phase

To begin the project, selected individuals should be trained to fully understand the product, its capabilities, its implementation, and its ongoing maintenance.

NOTE

Cisco training partners offer a Host Intrusion Prevention System (HIPS) class in various locations around the world. To attend one of these classes, consult your preferred Cisco training partner for schedules and availability.



The Planning Phase

After completing the training, the security team should enter the planning phase, which is crucial to the success of the deployment. In the planning phase, you outline all the detailed steps that you will use throughout the project as well as the success criteria for the project and who should perform each task.

Many organizations use software applications to define and track the project as well as the associated timelines, which are typically displayed on Gantt charts. It is important to understand that these steps and success criteria will flesh out as you proceed through the process as the means by which you define success criteria for each task become more evident. Although it is true that the criteria and tasks may change, you must be certain that any changes in the definition of a task occur prior to that task beginning so that you can control the task and limit its effect on surrounding tasks within the workflow. From a very high-level view, you should define the major tasks involved in each phase and the major success criteria for completion of each phase. Until these criteria are reached, you should not proceed to the next step.



The Testing Phase

The testing phase assists in several ways to ensure the organization completes a successful deployment. In the testing phase, you install the CSA MC server and other key representative systems in a mock environment detached from the production network. Within this test environment, you can do the following:

Train other employees on the CSA product

Test your understanding of the CSA architecture and its components

Gain a basic understanding of the impact of the CSA on your critical systems, hosts, and business workflow

The following step-by-step list outlines tasks within the typical testing phase:

Step 1. Gather information.

Step 2. Decide on the test bed size and components.

Step 3. Install the test environment.

Step 4. Install the test CSA management architecture.

Step 5. Create and configure the test CSA hierarchy.

Step 6. Configure CSA administrative and maintenance settings.

Step 7. Create the base test policy.

Step 8. Deploy the test policy.

Step 9. Tune the policy.

Step 10. Add advanced policies.

Step 11. Continue to tune policy.

Step 12. Place the policy in Enforcement Mode.

Step 13. Create alerts.

Step 14. Export, report, and document the test phase.

Step 15. Train staff and users.

Step 16. Verify success criteria.

These phases can vary from deployment to deployment based on the size and scope of the deployment, including the type of policies and enforcement controls that are implemented. Another factor that can affect the phases, which you learn more about in subsequent sections, is the level of involvement of the Cisco Partner that may have been selected to assist.

NOTE

The phases outlined in this chapter do not always include step-by-step instructions to complete the task, but rather just sample success criteria. To create detailed steps, review the respective sections of this book as well as other resources, including your training materials, to compile the information for your specific deployment.



Gather Information

As one of the most important tasks within each and every phase, gathering all appropriate and correct information enables you to develop suitable task-success criteria. You need to gather information that is not entirely technical in nature from many parts of your organization. Here is a sample list of information required:

Why are you deploying the product? It is imperative that you determine very early in the project what the ultimate goal is in implementing the product in your environment. You might decide your organization only wants to prevent worm and virus behavior, or you might want to include personal firewall rules, system and user state rules, application control, and so on. Making this determination now does not limit what you can enable later on in the product, but it will help control the project and maintain implementation timelines.

What applications are in use in your organization? Compiling a list of authorized applications will assist in the policy creation process as well as team understanding of the baselines that will be created. Tuning the product is much easier when you know what should be seen running on the systems so that other processes can be flagged as suspect and investigated. If your environment seems to have too many authorized or acceptable applications to fully document, focus on the critical business applications in this step.

Is point-to-point file sharing allowed? Establish whether your users are allowed to share files directly or over the Internet. This information should be outlined in your written security policy.

Can everyone access the Internet and e-mail? Although many mechanisms can be deployed on the egress of your network to control Internet access and usage, placing strict policy on the endpoints themselves can prevent Internet use from protected systems even when they are not connected to your corporate network.

Who is allowed to install applications? In many environments, users are not permitted to install applications. Unfortunately, the attempted enforcement mechanism is usually in the form of a signed acceptable use policy. Using the CSA control mechanisms to prevent unauthorized installations can prevent unintended applications from compromising your entire computing infrastructure.

Are any other software agents deployed? Within any corporate environment, there are often agents deployed that can interrogate the system hardware, perform installation of applications, provide VPN access, act as a personal firewall, or provide virus protection. Many of these locally installed agents could be seen as suspect by the CSA product because of their deep interrogation of the system. You should be aware of any similar product prior to installation so that you can make appropriate decisions regarding installation of the CSA network shim and creation of the necessary exception policies.

Are any multimedia applications in use? Multimedia applications that access the network often use complex protocols and streams to exchange information between entities. Note these dynamic connections because you might need to create exceptions.

How do you patch systems and install updates or software? Centralized software updates and installation over the network often trigger various CSA protective mechanisms because downloading and installing remote software is a trait of worm and Trojan horse behavior. You need to understand the installation techniques and connections used during software installation to create policies that allow the installations to continue to occur within defined security parameters.

What networking control mechanisms are in place? The CSA MC and agents must communicate over the network to provide policy updates and log events as they occur. The successful communication might require the networking and firewall teams to enable the translations, routing, and ports necessary.

How large should the test bed be? You must determine which systems, applications, and user environments need to be re-created in the test bed.

Many important pieces of information must be gathered to set appropriate tasks. Many of the answers to the preceding questions should be information that is well defined in your written security policy, and so you can glean much information from there.

Determine Test Bed Size and Components

You must determine which systems, applications, and user environments need to be re-created in the test bed. Systems in the test bed should be of the same hardware type and operating system/patch level that is true to production. This task is not limited to the application servers and user workstations that should be replicated, but also applies to networking components. You should acquire basic switching, routing, and firewall systems representative of your production environment to ensure communication rules and flows are adequately tested. This environment will not only be used for initial tests, but can also be used for training new administrators and the untrained staff members. Another use for this environment is the ongoing testing of new policy and rule modules as they are developed as well as testing new applications against current policy enforcement rules.

NOTE

Every IT organization should already have solid change control and quality assurance mechanisms in place. The test bed you create should be used in the testing phases associated with any future change that might be impacted by policy rules and enforcement. The CSA product, because of its nature, needs to be incorporated into these practices.



Install the Test CSA Management Architecture

After installing your test environment, you can begin installing the CSA MC system. This step and several others in this section could be completed in parallel because they do not initially impact each other. The later steps need to be completed in a specific order to ensure success. The first item to complete for this task is the installation of the CiscoWorks VPN/Security Management System (VMS) server application on hardware that meets, or preferably exceeds, the minimum requirements. You need to verify the installation is successful. You also need to understand the configuration parameters associated with this application. At this point, the only component within the application suite you need to install is CiscoWorks Common Services. After successfully installing the VMS product, you can install the CSA MC.

Installing the CSA MC requires the team to decide on the type of installation. In version 4.5, you have the option to install all components on a single server or you can break out portions of the installation to other servers. The components required are as follows:

The CSA MC configuration front end

The CSA MC database

The CSA MC logging server

You should choose the appropriate installation type for your desired level of high availability as well as the number of agents you must service. In addition, if you are implementing more than 500 agents, you need to purchase and install Microsoft SQL Server as the database because the included Microsoft Database Engine (MSDE) database cannot grow beyond 2 GB. After installing the CSA MC components, you must ensure the servers are reachable via Domain Name Server (DNS) resolution so that the necessary communication and Secure Sockets Layer (SSL) certificates can function.
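Before the MC components and the agents can establish their SSL sessions, the names the agents will use must resolve and must match the certificates the servers present. The following is an added example, not code from the book or from Cisco, of a pre-deployment check in Python: for each MC host it confirms forward resolution, that the reverse record points back at the same name, and that the presented certificate is issued for that name. The host names, addresses and certificate contents are constructed sample data, and the resolver and certificate-fetcher parameters are assumptions of this example so that it runs offline; a fetcher for use against a live server is included.

```python
"""Pre-deployment DNS and certificate consistency check for CSA MC hosts.

Added example (not from the book or Cisco). The forward, reverse and
fetch_cert parameters are assumptions of this example so the logic can be
exercised offline; for a live check pass socket.gethostbyname,
socket.gethostbyaddr and fetch_cert_live.
"""
import socket
import ssl
from dataclasses import dataclass, field


@dataclass
class CheckResult:
    host: str
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _names_in_cert(cert: dict) -> set:
    """DNS names a certificate is valid for: SAN dNSName entries plus the
    subject CN (older management-server certificates rely on the CN)."""
    names = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def _cert_matches(cert_names: set, host: str) -> bool:
    host = host.lower()
    for name in cert_names:
        if name == host:
            return True
        # A leading wildcard covers exactly one label (*.corp.example).
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def check_mc_host(host, forward, reverse, fetch_cert, port=443) -> CheckResult:
    """Forward lookup, reverse lookup, then TLS name check for one host."""
    result = CheckResult(host)
    try:
        addr = forward(host)
    except OSError as exc:
        result.problems.append(f"forward lookup failed: {exc}")
        return result  # nothing else can be checked without an address
    try:
        rname = reverse(addr)[0]  # gethostbyaddr-style (name, aliases, addrs)
    except OSError:
        result.problems.append(f"no reverse record for {addr}")
    else:
        if rname.lower() != host.lower():
            result.problems.append(f"reverse record {rname} does not match {host}")
    try:
        cert = fetch_cert(host, port)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        result.problems.append(f"TLS connect to {host}:{port} failed: {exc}")
        return result
    if not _cert_matches(_names_in_cert(cert), host):
        result.problems.append("certificate not issued for this name")
    return result


def check_all(hosts, forward, reverse, fetch_cert) -> dict:
    return {h: check_mc_host(h, forward, reverse, fetch_cert) for h in hosts}


def fetch_cert_live(host, port, cafile=None):
    """Live fetcher: a verifying TLS handshake; returns the decoded peer cert.
    A chain or name failure raises ssl.SSLError, which the caller reports."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data: a split install with one stale PTR record and one
# certificate issued for the wrong name.
SAMPLE_FORWARD = {"csamc.corp.example": "10.0.5.10",
                  "csadb.corp.example": "10.0.5.11",
                  "csalog.corp.example": "10.0.5.12"}
SAMPLE_REVERSE = {"10.0.5.10": "csamc.corp.example",
                  "10.0.5.11": "oldname.corp.example",   # stale PTR
                  "10.0.5.12": "csalog.corp.example"}
SAMPLE_CERTS = {
    "csamc.corp.example": {"subject": ((("commonName", "csamc.corp.example"),),),
                           "subjectAltName": (("DNS", "csamc.corp.example"),)},
    "csadb.corp.example": {"subject": ((("commonName", "csadb.corp.example"),),)},
    "csalog.corp.example": {"subject": ((("commonName", "logserver"),),)},  # wrong name
}


def sample_forward(host):
    if host not in SAMPLE_FORWARD:
        raise socket.gaierror(f"unknown host {host}")
    return SAMPLE_FORWARD[host]


def sample_reverse(addr):
    if addr not in SAMPLE_REVERSE:
        raise socket.herror(f"no PTR for {addr}")
    return (SAMPLE_REVERSE[addr], [], [addr])


def sample_fetch(host, port):
    return SAMPLE_CERTS[host]


def run_sample() -> dict:
    return check_all(SAMPLE_FORWARD, sample_forward, sample_reverse, sample_fetch)


if __name__ == "__main__":
    for host, res in run_sample().items():
        print(host, "OK" if res.ok else "; ".join(res.problems))
```

Run it as-is to see the two constructed failures reported; against a live test bed, call check_all with socket.gethostbyname, socket.gethostbyaddr and fetch_cert_live, adding a cafile argument if the MC certificate is issued by an internal CA. Resolve every finding before moving to the hierarchy configuration step, since an agent that cannot resolve or trust the MC name never registers.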

Create and Configure the Test CSA Hierarchy

After installing the necessary products, you can begin to configure the CSA MC building blocks and customize the CSA MC to suit your needs. During this task, you might decide to archive unnecessary built-in components that clutter your view to simplify your further configuration. Some administrators export every component before configuring a single CSA component. Doing so allows them to revert or re-import the objects if they are ever changed or manipulated accidentally or in a way that would warrant bringing something back to the default. After exporting the components, you can remove/delete the ones you will not be using within your deployment. When the base components are viewable to your liking, you can continue by creating variables that might prove useful to your organization, such as groups, file sets, network sets, and user and system state sets. You do not need to configure all or any of these components at this point because you can create them as your policy evolves.

NOTE

It is important that you understand what component you are removing and the impact it might have. Upon installation of the CSA MC, the local VMS server has a security agent installed to protect the system. Removing any of the attached policy and subcomponents could cause problems to arise.



When configuring the hierarchy of the CSA MC architecture, you must determine the types of systems you will have within your deployment and the granularity of the policy control mechanisms as it relates to the hierarchy. Many novice administrators initially begin creating several groups that correspond to several occupational- or security-related functions. It is, however, typically a better strategy to start with very few groups and only add groups where absolutely necessary.

When creating groups for users (not servers at this point), the initial question to ask is "What operating systems are deployed that will be protected by the CSA agents?" These operating system determinations will be grouped into Windows, Solaris, and Linux. The next question to ask is "What security practices are common to all systems in my architecture and what security practices are common per operating system?" Both of these questions help you decide how to best use the built-in mandatory groups.

The CSA mandatory groups should include all security controls that are required across the architecture and per operating system group. Examples of these rules include "Individuals may only use an approved web browser when using the Internet within acceptable use guidelines" or "No system may run TFTP, web, or FTP servers without prior approval." Rules such as this are considered global and should not pertain to a specific subset of users, but rather to all users. The mandatory groups could also include system application programming interface (API) protective rules that limit worm and Trojan behavior, root values for system polling, and so on.


