
Planning the installation
About IP routing
As bastion hosts, firewalls traditionally incorporate some form of network address translation (NAT) between the two networks that the firewall bridges. For example, the management server may be on an internal network while the Agents are in a DMZ network, with a firewall between the two networks. Typically, the internal network IP addresses are hidden from the DMZ network, and are not routable from the DMZ network.
To allow the agents in the DMZ network to communicate with the management server on the internal network, use a DMZ IP address to represent the management server. Then, configure the firewall or router to forward requests for this IP address and port to the real, internal IP address of the management server. Open the agent port only if the agents are in a DMZ. Finally, configure the name database on the DMZ network to return the DMZ IP address for the management server instead of the internal IP address.
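As an added illustration (not from the Symantec documentation), the following Python check models the plan above: the DMZ name database, the firewall's forwarding rules and the list of inbound ports opened on the firewall are compared against the real internal address of the management server. The hostname, the address ranges and the agent port number (443 here) are constructed sample values, not product defaults.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: management server on the internal network,
# agents in the DMZ, firewall publishing a DMZ address for the server.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # hidden from the DMZ (constructed)
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")           # DMZ range (constructed)
MGMT_INTERNAL = "10.10.5.20"                             # real management server address (constructed)
MGMT_NAME = "csp-manager.example.com"                    # hypothetical management server hostname


@dataclass(frozen=True)
class Dnat:
    """One firewall forwarding rule: public_ip:port -> target_ip:target_port."""
    public_ip: str
    port: int
    target_ip: str
    target_port: int


def check_dmz_publication(dmz_dns, dnat_rules, agent_port, agents_in_dmz, open_inbound_ports):
    """Return a list of findings; an empty list means the layout matches the plan."""
    findings = []
    published = dmz_dns.get(MGMT_NAME)
    if published is None:
        return [f"DMZ name database has no entry for {MGMT_NAME}"]
    pub_addr = ipaddress.ip_address(published)
    # The DMZ view must hand out the DMZ address, never the internal one.
    if any(pub_addr in net for net in INTERNAL_NETS):
        findings.append(f"{MGMT_NAME} resolves to internal address {published} in the DMZ view")
    elif pub_addr not in DMZ_NET:
        findings.append(f"{MGMT_NAME} resolves to {published}, which is not a DMZ address")
    # The published address and agent port must be forwarded to the real server.
    rule = next((r for r in dnat_rules if r.public_ip == published and r.port == agent_port), None)
    if rule is None:
        findings.append(f"no forwarding rule for {published}:{agent_port}")
    elif rule.target_ip != MGMT_INTERNAL:
        findings.append(f"{published}:{agent_port} forwards to {rule.target_ip}, not the management server")
    # The agent port is opened on the firewall only when agents sit in the DMZ.
    if agents_in_dmz and agent_port not in open_inbound_ports:
        findings.append(f"agent port {agent_port} is not open although agents are in the DMZ")
    if not agents_in_dmz and agent_port in open_inbound_ports:
        findings.append(f"agent port {agent_port} is open but no agents are in the DMZ")
    return findings
```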
About intrusion prevention
The Symantec Critical System Protection agent installation kit includes an enable intrusion prevention option. When the enable intrusion prevention option is selected, the prevention features of Symantec Critical System Protection are enabled for the agent. The IPS drivers are loaded on the agent computer, and the agent accepts prevention policies from the management console.
When the enable intrusion prevention option is not selected, the prevention features of Symantec Critical System Protection are completely disabled for the agent. The IPS drivers are not loaded on the agent computer, and the agent does not accept prevention policies from the management console.
Symantec strongly recommends that you enable the intrusion prevention option when installing agents. Changing this option after installation (to disable or re-enable it) requires logging on to the agent computer, running the Agent Config Tool, and rebooting the agent computer.
If you are only interested in the detection features of Symantec Critical System Protection, Symantec recommends that you select the enable intrusion prevention option during agent installation, and use the Null prevention policy to avoid any blocking. If you later decide to use the prevention features of Symantec Critical System Protection, then you simply apply one of the prevention policies that are included with the product. Applying a policy requires no logging on to the agent computer, no running of the Agent Config Tool, and no rebooting of the agent computer.