BASIC FUNCTIONALITY

  • Upload
    amato

Agenda

Main topics

• Policy Manager Communication

• Understanding communication

• Information flow

• Communication modules

• F-Secure Policy Concept

• Policy file structure

• Data integrity

• Software distribution process

COMMUNICATION

Policy Manager Communication

Understanding how communication works in Policy Manager is one of the key issues

• Software distributions => How does the installation reach the host?

• Connection troubleshooting => What component is causing the problem?

Most important components are

• Policy Manager Console

• Policy Manager Server

• Managed Hosts

[Diagram: PMC, PMS and Host]

Policy Manager Console

Policy Manager Console is used to

• Set up corporate, departmental or individual policies

• Deploy and distribute policies, updates and installation files to PMS

• Receive alarms and alerts when policies are in danger and when security breaches were attempted but thwarted

• Generate reports on configurations, statistics, alerts, etc. for policy domains or individual managed devices

• Policy Manager Console needs access to both Managed Hosts (Push Installations) and Policy Manager Server

Policy Manager Server

Policy Manager Server hosts

• Data repository which includes all policy related information (a.k.a. commdir)

• Automatic Update System (virus and spyware updates)

• Apache Server which manages the connection requests

• Policy Manager Web Reporting module including SQL backend

Policy Manager Server has to be accessible by Policy Manager Console and Managed Hosts

Managed Host

Provides the platform for different centrally managed applications

• Workstation, Server and Gateway applications

All managed hosts need access to the Policy Manager Server in order to be able to fetch policies and software packages and send back status information (e.g. alerts)

Information Flow

From the Policy Manager Console to the Policy Manager Server

• Settings (in the policy)

• Software distributions

From Management Agent to the Policy Manager Server

• Status information

• Alerts

Information Flow Example

[Diagram: PMC, PMS and Host]

Software Distribution

• Policy based installation

Host reports

• Alerts and status information

Introducing Communication Modules

Policy Manager Server

• Apache Server

    • Handles all connections coming from managed hosts and Policy Manager Console

Managed host

• F-Secure Management Agent (FSMA)

    • Handles all policy related connections to the Policy Manager Server

• F-Secure Automatic Update Agent (AUA)

    • Handles all database update related connections to the Policy Manager Server

F-Secure Management Agent (FSMA)

Local communication module used by managed hosts

• Fetches policy data from the server’s data repository (commdir)

• Posts alerts and status information to the commdir

Interprets and enforces the base policy issued by PMC

• Instructs the installation of point applications

• Restricts/regulates point application settings

Each FSMA has a UID (Unique Identifier)

• Differentiates hosts from each other even if IP-address or WINS-name is identical

Apache Server

F-Secure Policy Manager Server uses a stripped-down version of Apache Server which manages the communication requests coming from the console and managed hosts

Apache Server modules

• F-Secure Management Server Host Module (FSMSH)

• F-Secure Management Server Admin Module (FSMSA)

• F-Secure Web Reporting Module

Apache Server Modules

Host Module (FSMSH)

• Handles FSMA connection requests

• E.g. policy file or software package download

• Listens on HTTP (by default port 80)

Admin Module (FSMSA)

• Handles PMC connection requests

• E.g. software distribution by administrators

• Listens on HTTP (by default port 8080)

Web Reporting Module

• Handles Web Reporting connection requests

• Listens on HTTP (by default port 8081)

Apache Communication

[Diagram: on the PMS, the Apache Server (Admin Module, Host Module, Web Reporting Module) in front of the Communication Directory. Connection labels for PMC and FSMA: HTTP (Port 8080), HTTP (Port 8081), HTTP (Port 80)]
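
A connection-troubleshooting check built on the default module ports above, added here as an example and not F-Secure code. The host name is a placeholder, and the rule that a module a vantage point does not use should not be reachable from it is this example's assumption.

```python
import socket

# Default listener ports as given on the Apache Server Modules slide.
MODULE_PORTS = {"host": 80, "admin": 8080, "web_reporting": 8081}

# Per the slides, FSMA talks to the Host Module and PMC to the Admin Module.
# Treating every other module as "not needed" is this example's assumption.
NEEDED = {"managed_host": {"host"}, "console": {"admin"}}


def port_open(server, port, timeout=2.0):
    """Return True if a TCP connection to server:port succeeds."""
    try:
        with socket.create_connection((server, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_pms(server, vantage, ports=MODULE_PORTS, probe=port_open):
    """Probe each module port from this machine and classify the result."""
    report = {"ok": [], "blocked": [], "unexpected": [], "closed": []}
    for module, port in ports.items():
        reachable = probe(server, port)
        needed = module in NEEDED[vantage]
        if needed and reachable:
            report["ok"].append(module)
        elif needed:
            report["blocked"].append(module)     # explains a failing client
        elif reachable:
            report["unexpected"].append(module)  # review the firewall rule
        else:
            report["closed"].append(module)
    return report


if __name__ == "__main__":
    # "pms.example.internal" is a placeholder, not a real server name.
    result = check_pms("pms.example.internal", "managed_host")
    for kind, modules in result.items():
        print(f"{kind:10} {', '.join(modules) or '-'}")
```

Run it once from a managed host and once from the console machine: a module under `blocked` points at the path to fix, and one under `unexpected` at a port that is exposed more widely than that role requires.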

What are Virus Definitions?

Virus definitions are file signatures used for malware detection and removal

Updates include

• Virus definitions

• Spyware definitions

• Virus news updates

F-Secure has an automated virus definitions update mechanism, so administrators do not have to update databases manually

F-Secure Automatic Update System (AUSYS)

[Diagram: PMS with FSAUSYS (Automatic Update Agent (AUA), Automatic Update Server (AUS)) and the Communication Directory; an AUA on the host; the Root Update Server. Connection labels: HTTP (Port 80); 1. UDP (Port 370), 2. HTTP (Port 80). Update channels: Primary, Secondary]

Policy Manager Proxy Server (AUP)

[Diagram: Headquarter PMS with FSAUSYS (Automatic Update Agent (AUA), Automatic Update Server (AUS)) and the Communication Directory; Subsidiary PM Proxy with FSAUSYS (Automatic Update Proxy (AUP)); AUAs on the hosts; the Root Update Server. Connection labels: HTTP (Port 80); 1. UDP (Port 370), 2. HTTP (Port 80). Update channels: Primary, Secondary]

POLICY FILE CONCEPT

F-Secure Policy File Concept

F-Secure policies are a set of well-defined rules that regulate how sensitive information and other resources are managed, protected and distributed

Policy files are centrally configured by the administrator and distributed to the managed hosts via Policy Manager Server

• A Policy is a host oriented file, it is not a product oriented file

• It contains configurations/settings for all point applications installed on a host

Policy Files

BPF (Base Policy File)

• Created on the PMC, holds administrator's settings for a host

• Signed with admin.prv

IPF (Incremental Policy File)

• Created on host, includes local changes and status information, statistics

DPF (Default Policy File)

• Used after installation by default until BPF arrives on host

APF (Anonymous Policy File)

• Created on PMC, included in an installation package

Policy Hierarchy

IPF is the primary source of settings

• BPF is secondary source of settings, unless a setting is marked "final", in which case it is primary

• DPF is used if IPF and BPF and APF are missing

[Diagram: FSMA and AVCS with their IPF, BPF and DPF files]
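
The precedence rules above written as a resolver, added here as an illustration and not taken from F-Secure's implementation. The setting names, the dictionary layout and the choice to let the APF stand in for a missing BPF are assumptions of this example.

```python
# Constructed sample data: setting names and values are hypothetical,
# not real F-Secure policy variables or policy file syntax.
DPF = {"realtime_scan": "on", "update_interval_h": 24}
BPF = {
    "realtime_scan": {"value": "on", "final": True},
    "update_interval_h": {"value": 4, "final": False},
}
IPF = {"realtime_scan": "off", "update_interval_h": 12}


def effective_settings(ipf=None, bpf=None, apf=None, dpf=None):
    """Resolve settings using the precedence from the Policy Hierarchy slide.

    ipf/dpf map name -> value; bpf/apf map name -> {"value", "final"}.
    Returns name -> (value, source).
    """
    if not ipf and not bpf and not apf:
        # DPF applies only while no other policy file exists.
        return {k: (v, "DPF") for k, v in (dpf or {}).items()}

    # Assumption: the APF stands in for the BPF until a BPF arrives.
    base, base_name = (bpf, "BPF") if bpf else (apf or {}, "APF")
    ipf = ipf or {}
    result = {}
    for name in sorted(set(base) | set(ipf)):
        entry = base.get(name)
        if entry and entry["final"]:
            # A final setting from the administrator beats local changes.
            result[name] = (entry["value"], base_name + " (final)")
        elif name in ipf:
            result[name] = (ipf[name], "IPF")
        else:
            result[name] = (entry["value"], base_name)
    return result


def overridden_finals(ipf, bpf):
    """Local IPF values that a final BPF setting suppresses."""
    return {n: v for n, v in ipf.items()
            if n in bpf and bpf[n]["final"] and bpf[n]["value"] != v}
```

`overridden_finals` is useful for monitoring: a host whose local policy disagrees with a final setting has had a change attempted that the administrator's policy is suppressing.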

Policy Manager Data Integrity

The integrity of the policy domain is secured by an asymmetric key pair

Private key (admin.prv)

• Private part of the key system

• Used for digitally signing policy data (creating the encrypted hash)

• Only available to Policy Manager Administrators

Public key (admin.pub)

• Public part of the key system

• Distributed to all managed hosts (publicly available, not kept secure)

• Used for hash decryption and signature verification
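
The sign-then-verify flow described above, as an added example using textbook RSA over a SHA-256 hash. The slides do not name the algorithm or key format, so the scheme, the toy key sizes and the policy text are assumptions and none of this is F-Secure code.

```python
import hashlib

E = 65537  # common RSA public exponent


def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes: (private, public)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (pow(E, -1, phi), n), (E, n)


def _digest(policy: bytes, n: int) -> int:
    """SHA-256 of the policy, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(policy).digest(), "big") % n


def sign_policy(policy: bytes, prv) -> int:
    """PMC side: 'encrypt' the policy hash with the private key."""
    d, n = prv
    return pow(_digest(policy, n), d, n)


def verify_policy(policy: bytes, signature: int, pub) -> bool:
    """Host side: 'decrypt' the signature with the public key, compare hashes."""
    e, n = pub
    return pow(signature, e, n) == _digest(policy, n)


# Toy keys built from known Mersenne primes; far too small for real use,
# and textbook RSA has no padding. They stand in for admin.prv / admin.pub.
ADMIN_PRV, ADMIN_PUB = make_keypair(2**61 - 1, 2**89 - 1)
OTHER_PRV, _ = make_keypair(2**107 - 1, 2**127 - 1)  # a key that is not the admin's

# Constructed policy content, not real BPF syntax.
POLICY = b"realtime_scan=on;final\nupdate_interval_h=4\n"
SIG = sign_policy(POLICY, ADMIN_PRV)

if __name__ == "__main__":
    print("genuine policy:", verify_policy(POLICY, SIG, ADMIN_PUB))
    print("edited policy: ", verify_policy(POLICY.replace(b"on", b"off"), SIG, ADMIN_PUB))
    print("foreign signer:", verify_policy(POLICY, sign_policy(POLICY, OTHER_PRV), ADMIN_PUB))
```

The host accepts only policy data whose signature checks out against its copy of admin.pub, which is why that copy does not need to be secret but does need to be the right one.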

SOFTWARE DISTRIBUTION

Installation Types

Remote installation

• Push Installation

• Auto discover Windows hosts

• Push install based on IP-address or WINS name

• Policy-based installation

Local installation

• From CD-ROM

• With pre-configured package

Installing Point Applications: F-Secure Intelligent Installation

1. PMC creates a package

2. PMC pushes the package

3. FSMA and point application are installed

4. PMC issues a policy for the new host

5. FSMA fetches the policy

[Diagram: Policy Manager Console, Policy Manager Server (Apache Server, CommDir) and Managed Host, with the JAR installation package (Anti-Virus Client Security, FSMA) and the policy]

Installing Point Applications: Remotely

The Push install to Windows Hosts feature is used to push installation to hosts based on their IP address or host name

• Works in the same manner as if host was autodiscovered

Installing Point Applications: Locally

From CD, using a login script or through some EMS (SMS, Tivoli, etc.), followed by the autoregistration process

• Using a login script: ILaunchr utility and JAR package on a fileserver

Installing Point Applications: ILaunchr Utility

PMC generates a package, xyz.jar

Copy iLaunchr.exe and the xyz.jar to a shared folder on a file server

Edit your login script with new command lines

Auto registration Process

1. PMC creates a package

2. PMC pushes the package

3. FSMA and point application are installed

4. PMC issues a policy for the new host

5. FSMA fetches the policy

[Diagram: Policy Manager Console, Policy Manager Server (Apache Server, CommDir) and Managed Host, with the JAR package (Anti-Virus Client Security, FSMA), the policy and the ARR]

Policy Distribution Process

1. PMC creates a package

2. PMC pushes the package

3. FSMA and point application are installed

4. PMC issues a policy for the new host

5. FSMA fetches the policy

[Diagram: Policy Manager Console, Policy Manager Server (Apache Server, CommDir) and Managed Host (Anti-Virus Client Security, FSMA), with the old policy and the new policy]

Policy Based Installation

Once the Management Agent has been installed, it is possible to do installations based on the policy

• Make an installation package and distribute a policy where a workstation is instructed to install the product

Summary

Main topics

• Policy Manager Communication?

• Understanding communication

• Information flow

• Communication modules

• F-Secure Policy Concept

• Policy file structure

• Data integrity

• Software Distribution Process