Chapter 2 Deployment Planning

Policy Tuning and Troubleshooting

understand the behavior of the application, craft a policy, place it in test mode on the pilot machines, and examine the event log. Use the techniques in the rest of this section to tune/troubleshoot that application’s policy, re-examine the event log, and if you are satisfied with the result, place the application’s policy in live mode on the pilot machines. You repeat these steps with each application on your prioritized list.

Creating a completely custom set of policies. In this scenario, you have a team of network security experts who have assembled a detailed list of security features and studied the many supplied rule modules. The experts use the Analysis -> Application Behavior Investigation tool to thoroughly study the applications for which they will write rules. Then, the experts will craft custom policies by selecting the desired rule modules and rules. With this custom approach, consider conducting a small pilot of a few systems in a test lab and then expanding to a larger and more thorough pilot.

Using Test Mode

CSA policies can execute in live mode, where they enforce rules by denying or allowing events, or in test mode, where they only record in the event log what the action would have been for the given event. All event log entries for rules in test mode begin with the label TESTMODE: so that events relating to rules under test are easy to scan for. In general, you start a pilot in test mode and gradually change over to live mode as you examine the performance of each policy. You can use test mode in two different ways:

Place all policies for a group in test mode.

From the Systems->Groups menu, you use the supplied Systems - test mode group, which is available for Windows, Linux, and Solaris. You attach hosts (both desktops and servers) to the appropriate test mode group. You can make one or more agent kits available for download with the test mode groups. Be sure to include “test mode” in the name of the agent kit.

When the “test mode” phase of the pilot is completed, you detach the hosts from the test mode groups to place them in live mode.

Place a specific rule module in test mode.
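The event-log review step described above (scan for TESTMODE: entries, judge the would-be denies per rule module, then decide whether to move that module to live mode) as an added example, not code from the Cisco manual. The line layout of the constructed sample log is an assumption for this example; real CSA event exports differ, so adapt the regular expression to your own export.

```python
import re
from collections import defaultdict

# Constructed sample of event-log lines. The layout (timestamp, host, label, rule module,
# action, process) is an assumption for this example, not the real CSA export format.
SAMPLE_LOG = """\
2024-01-10 09:01:12 host=pilot-ws01 TESTMODE: module="Payroll App" action=DENY process=C:\\payroll\\pay.exe
2024-01-10 09:01:15 host=pilot-ws01 TESTMODE: module="Payroll App" action=ALLOW process=C:\\payroll\\pay.exe
2024-01-10 09:02:40 host=pilot-ws02 TESTMODE: module="Payroll App" action=DENY process=C:\\payroll\\pay.exe
2024-01-10 09:03:01 host=pilot-ws02 module="Base Desktop" action=DENY process=C:\\tmp\\drop.exe
2024-01-10 09:04:22 host=pilot-srv01 TESTMODE: module="Web Server" action=DENY process=/usr/sbin/httpd
"""

TESTMODE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) TESTMODE: module="(?P<module>[^"]+)" '
    r'action=(?P<action>\w+) process=(?P<process>\S+)$'
)

def parse_testmode_events(log_text):
    """Return only the events logged by rules that are still in test mode."""
    events = []
    for line in log_text.splitlines():
        m = TESTMODE_RE.match(line)
        if m:  # lines without the TESTMODE: label come from live rules; skip them
            events.append(m.groupdict())
    return events

def summarize_by_module(events):
    """Per rule module: would-be denies, would-be allows, and the hosts/processes affected."""
    summary = defaultdict(lambda: {"deny": 0, "allow": 0, "hosts": set(), "processes": set()})
    for ev in events:
        entry = summary[ev["module"]]
        entry["deny" if ev["action"] == "DENY" else "allow"] += 1
        entry["hosts"].add(ev["host"])
        entry["processes"].add(ev["process"])
    return dict(summary)

def ready_for_live_mode(summary, module, max_denies=0):
    """A module is a candidate for live mode when its would-be denies are at or below the
    number you are prepared to accept (a judgement made while tuning the policy)."""
    return summary.get(module, {"deny": 0})["deny"] <= max_denies

if __name__ == "__main__":
    s = summarize_by_module(parse_testmode_events(SAMPLE_LOG))
    for module, entry in sorted(s.items()):
        print(f'{module}: {entry["deny"]} would-be denies, {entry["allow"]} allows, '
              f'hosts={sorted(entry["hosts"])}')
```

A module whose would-be denies all trace back to expected application behaviour is the one to tune before going live; a module with none is the one to switch first.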

 

Installing Management Center for Cisco Security Agents 5.2

2-10

78-17916-01
