Monday, July 7, 2008

CSA Basic Building Blocks

CSA (Cisco Security Agent) is a powerful tool for enforcing a company's security policy. It takes a structured approach to building a security policy that is then enforced by the CSA agents running on each host. To get the most out of it, it is important to understand the fundamental building blocks that turn the written security policy into an actionable enforcement tool.

I view the building blocks as two separate parts. The first part is creating the actions that will be used to enforce the security policy. The second part is defining the different types of computers, such as desktops and servers, that share the same characteristics. Once both parts exist, they are linked together so that the correct actions apply to the appropriate types of computers.

The first part involves creating three objects that build upon each other: rules, rule modules, and policies. The first object is the rule. A rule is the basic if/then action that determines enforcement; for example, "if an application tries to open a cmd.exe shell, deny and log the access". Denying access is only one of several actions a rule can take. The diagram below shows the available actions. It is worth studying, because in many places within CSA only the icon for an action is shown, without its name.

[Diagram: the rule actions available in CSA, with the icon used for each]
The second object is the rule module. A rule module groups together rules that all pertain to the same operating system and provide the same type of functionality. Rule modules are in turn combined into a policy. A policy should cover every aspect of the security policy for a particular type of computer (i.e. desktops or servers). Unlike rule modules, policies are not restricted to a single operating system. That completes the first part.

The second part is defining the types of computers. CSA calls these groups. Groups divide the computers by operating system and by other logical criteria such as function and business group. Agent parameters such as the polling interval, alerts, and events are also defined per group rather than per host.

The last step is to attach the policies to the groups. The result is an enforceable security policy for each type of computer in the network.
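To make the four building blocks and their linkage concrete, here is a small Python model of the hierarchy: rules combine into rule modules (one operating system each), rule modules into policies (which may span operating systems), and policies attach to groups of hosts. An event is then resolved by walking group, policy, rule module, rule. This is an added illustration, not CSA's own code or data model: the class names, the reduced action set (allow/deny plus a log flag), first-match evaluation, the default-allow for unmatched events, and the sample hosts and events are all assumptions made for the example.

```python
"""Toy model of the CSA building blocks: rules -> rule modules -> policies -> groups.
Added illustration, not CSA's own code or data model; class names, the action set,
first-match evaluation, default-allow and the sample hosts/events are assumptions."""

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set


class Action(Enum):
    """Two of the enforcement actions a rule can take (CSA offers more)."""
    ALLOW = "allow"
    DENY = "deny"


@dataclass
class Event:
    host: str
    application: str
    target: str          # what the application tries to open or run


@dataclass
class Rule:
    """The basic if/then: if condition(event) then take action (and optionally log)."""
    name: str
    condition: Callable[[Event], bool]
    action: Action
    log: bool = False


@dataclass
class RuleModule:
    """Rules for one operating system that provide one kind of functionality."""
    name: str
    os: str
    rules: List[Rule]


@dataclass
class Policy:
    """Covers the security policy for one type of computer; unlike a rule module
    it may contain modules for several operating systems."""
    name: str
    modules: List[RuleModule]


@dataclass
class Group:
    """Hosts with the same OS and role; agent parameters live here, not per host."""
    name: str
    os: str
    hosts: Set[str]
    policies: List[Policy] = field(default_factory=list)
    polling_interval_s: int = 600   # assumed value, for illustration only


def attach(policy: Policy, group: Group) -> None:
    """The last step: tie a policy to a group."""
    group.policies.append(policy)


def evaluate(event: Event, groups: List[Group], log: List[str]) -> Action:
    """Resolve an event by walking group -> policy -> rule module -> rule.
    Modules whose OS differs from the group's OS are skipped; the first matching
    rule decides (a simplification of this toy, not CSA's real precedence).
    Events that no rule matches are allowed."""
    for group in groups:
        if event.host not in group.hosts:
            continue
        for policy in group.policies:
            for module in policy.modules:
                if module.os != group.os:
                    continue
                for rule in module.rules:
                    if rule.condition(event):
                        if rule.log:
                            log.append(f"{rule.name}: {rule.action.value} "
                                       f"{event.application} -> {event.target} on {event.host}")
                        return rule.action
    return Action.ALLOW


def build_demo() -> List[Group]:
    """Constructed sample: one desktop policy holding a Windows and a Linux module."""
    deny_cmd = Rule("deny-cmd-shell",
                    lambda e: e.target.lower().endswith("cmd.exe"), Action.DENY, log=True)
    deny_sh = Rule("deny-sh-shell",
                   lambda e: e.target in ("/bin/sh", "/bin/bash"), Action.DENY, log=True)
    win_mod = RuleModule("win-shell-control", "windows", [deny_cmd])
    lin_mod = RuleModule("linux-shell-control", "linux", [deny_sh])
    desktop_policy = Policy("desktop-policy", [win_mod, lin_mod])

    win_desktops = Group("windows-desktops", "windows", {"wkstn01"})
    lin_desktops = Group("linux-desktops", "linux", {"lx01"})
    attach(desktop_policy, win_desktops)
    attach(desktop_policy, lin_desktops)
    return [win_desktops, lin_desktops]


def run_demo() -> Dict[str, str]:
    """Evaluate constructed events and return {event label: outcome}."""
    groups = build_demo()
    log: List[str] = []
    events = {
        "word opens cmd.exe on wkstn01": Event("wkstn01", "winword.exe", r"C:\Windows\System32\cmd.exe"),
        "word opens a document on wkstn01": Event("wkstn01", "winword.exe", r"C:\Users\alice\report.docx"),
        "browser runs /bin/sh on lx01": Event("lx01", "firefox", "/bin/sh"),
        "/bin/sh path seen on wkstn01": Event("wkstn01", "winword.exe", "/bin/sh"),  # Linux module skipped
        "unknown host": Event("srv01", "sshd", "/bin/sh"),                          # no group, so no rule
    }
    results = {label: evaluate(ev, groups, log).value for label, ev in events.items()}
    results["log entries"] = str(len(log))
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The interesting cases are the last three: the same desktop policy is attached to both groups, but the Linux shell module only fires for the Linux group, so a `/bin/sh` path seen on a Windows desktop is not denied, and a host that belongs to no group receives no policy at all. Both are things to check when a rule "does not seem to work" in a deployment: is the host in the expected group, and is the module's operating system the group's?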
