Policy Manager Server

BASIC FUNCTIONALITY
Agenda
Main topics
• Policy Manager Communication
• Understanding communication
• Information flow
• Communication modules
• F-Secure Policy Concept
• Policy file structure
• Data integrity
• Software distribution process
COMMUNICATION
Policy Manager Communication
Understanding how communication works in
Policy Manager is one of the key issues
• Software distributions
=> How does the installation reach the host?
• Connection troubleshooting
=> What component is causing the problem?
Most important components are
• Policy Manager Console
• Policy Manager Server
• Managed Hosts
Policy Manager Console
Policy Manager Console is used to
• Set up corporate, departmental or individual
policies
• Deploy and distribute policies, updates and
installation files to PMS
• Receive alarms and alerts when policies are
in danger and when security breaches were
attempted but thwarted
• Generate reports on configurations,
statistics, alerts, etc. for policy domains or
individual managed devices
• Policy Manager console needs access to
both Managed Hosts (Push Installations)
and Policy Manager Server
Policy Manager Server
Policy Manager Server hosts
• Data repository which includes all policy
related information (a.k.a. commdir)
• Automatic Update System (virus and
spyware updates)
• Apache Server which manages the
connection requests
• Policy Manager Web Reporting module
including SQL backend
Policy Manager Server has to be
accessible by Policy Manager Console
and Managed Hosts
Managed Host
Provides the platform for different centrally
managed applications
• Workstation, Server and Gateway
applications
All managed hosts need access to the
Policy Manager Server in order to be able to
fetch policies and software packages and
send back status information (e.g. alerts)
Information Flow
From the Policy Manager Console to the Policy Manager Server
• Settings (in the policy)
• Software distributions
From Management Agent to the Policy Manager Server
• Status information
• Alerts
Information Flow Example
Software Distribution
• Policy based installation
Host reports
• Alerts and status information
Introducing Communication Modules
Policy Manager Server
• Apache Server
• Handles all connections coming from managed hosts and Policy
Manager Console
Managed host
• F-Secure Management Agent (FSMA)
• Handles all policy related connections to the Policy Manager Server
• F-Secure Automatic Update Agent (AUA)
• Handles all database update related connections to the Policy
Manager Server
F-Secure Management Agent (FSMA)
Local communication module used by managed hosts
• Fetches policy data from the server’s data repository (commdir)
• Posts alerts and status information to the commdir
Interprets and enforces the base policy issued by PMC
• Instructs the installation of point applications
• Restricts/regulates point application settings
Each FSMA has a UID (Unique Identifier)
• Differentiates hosts from each other even if IP-address or WINS-name is
identical
Apache Server
F-Secure Policy Manager Server uses a stripped-down version of
Apache Server, which manages the communication requests coming
from the console and managed hosts
Apache Server modules
• F-Secure Management Server Host Module (FSMSH)
• F-Secure Management Server Admin Module (FSMSA)
• F-Secure Web Reporting Module
Apache Server Modules
Host Module (FSMSH)
• Handles FSMA connection requests
• E.g. policy file or software package download
• Listens on HTTP (by default port 80)
Admin Module (FSMSA)
• Handles PMC connection requests
• E.g. software distribution by administrators
• Listens on HTTP (by default port 8080)
Web Reporting Module
• Handles Web Reporting connection requests
• Listens on HTTP (by default port 8081)
Apache Communication
[Diagram: PMS containing the Communication Directory and the Apache Server with its Admin, Web Reporting and Host modules; connections labelled HTTP (Port 8080), HTTP (Port 8081) and HTTP (Port 80); clients shown: PMC and FSMA]
What are Virus Definitions?
Virus definitions are file signatures used for malware detection and
removal
Updates include
• Virus definitions
• Spyware definitions
• Virus news updates
F-Secure has an automated virus definitions update mechanism, so
administrators do not have to update databases manually
F-Secure Automatic Update System (AUSYS)
[Diagram: PMS containing the Communication Directory and FSAUSYS with Automatic Update Agent (AUA) and Automatic Update Server (AUS); a host AUA; Root Update Server; connection labelled HTTP (Port 80)]
Update channels (Primary, Secondary)
1. UDP (Port 370)
2. HTTP (Port 80)
Policy Manager Proxy Server (AUP)
[Diagram: Subsidiary PM Proxy containing FSAUSYS with Automatic Update Proxy (AUP); Headquarter PMS containing the Communication Directory and FSAUSYS with Automatic Update Agent (AUA) and Automatic Update Server (AUS); host AUAs; Root Update Server; connections labelled HTTP (Port 80)]
Update channels (Primary, Secondary)
1. UDP (Port 370)
2. HTTP (Port 80)
POLICY FILE CONCEPT
F-Secure Policy File Concept
F-Secure policies are a set of well defined rules that regulate how
sensitive information and other resources are managed, protected and
distributed
Policy files are centrally configured by the administrator and
distributed to the managed hosts via Policy Manager Server
• A Policy is a host oriented file, it is not a product oriented file
• It contains configurations/settings for all point applications installed on a
host
Policy Files
BPF (Base Policy File)
• Created on the PMC, holds administrator's settings for a host
DPF (Default Policy File)
• Used after installation by default until BPF arrives on host
• Signed with admin.prv
APF (Anonymous Policy File)
• Created on PMC, included in an installation package
IPF (Incremental Policy File)
• Created on host, includes local changes and status information, statistics
Policy Hierarchy
• IPF is the primary source of settings
• BPF is the secondary source of settings, unless a setting is marked "final", in which case it is primary
• DPF is used if IPF and BPF and APF are missing
[Diagram: AVCS, FSMA, IPF, BPF, DPF]
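The precedence rules above, worked through as an added example (not F-Secure code). The dict-based policy model, the setting names and the function names are assumptions, the per-setting fall-through to the DPF generalizes the slide's file-level rule, and the APF is left out because the slide does not place it in the order.

```python
# Added example. Assumed model: each policy file is a dict mapping a setting
# name to {"value": ..., "final": bool}; the real file format is not shown here.

def resolve(name, ipf, bpf, dpf):
    """Return (value, source) for one setting, following the slide's order."""
    base = bpf.get(name)
    if base is not None and base.get("final"):
        return base["value"], "BPF-final"      # final base setting wins
    if name in ipf:
        return ipf[name]["value"], "IPF"       # local change is primary
    if base is not None:
        return base["value"], "BPF"            # administrator's setting
    if name in dpf:
        return dpf[name]["value"], "DPF"       # defaults as last resort
    raise KeyError(name)


def effective_policy(ipf, bpf, dpf):
    """Resolve every setting that appears in any of the three files."""
    names = set(ipf) | set(bpf) | set(dpf)
    return {n: resolve(n, ipf, bpf, dpf) for n in sorted(names)}


def local_drift(ipf, bpf):
    """Settings where a local IPF value replaces a non-final BPF value."""
    return sorted(
        n for n, local in ipf.items()
        if n in bpf and not bpf[n].get("final")
        and local["value"] != bpf[n]["value"]
    )


# Constructed sample data (setting names are hypothetical).
DPF = {"realtime_scan": {"value": "on"}, "update_interval": {"value": 60}}
BPF = {"realtime_scan": {"value": "on", "final": True},
       "firewall_level": {"value": "strict", "final": False}}
IPF = {"realtime_scan": {"value": "off"},
       "firewall_level": {"value": "normal"}}

if __name__ == "__main__":
    for name, (value, source) in effective_policy(IPF, BPF, DPF).items():
        print(f"{name:16} {value!s:8} from {source}")
    print("local drift:", local_drift(IPF, BPF))
```

The drift list shows which centrally set values a host has changed locally because they were not marked final.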
Policy Manager Data Integrity
The integrity of the policy domain is secured by an asymmetric key
pair
Private key (admin.prv)
• Private part of the key system
• Used for digitally signing policy data (creating the encrypted hash)
• Only available to Policy Manager Administrators
Public key (admin.pub)
• Public part of the key system
• Distributed to all managed hosts (publicly available, not kept secure)
• Used for hash decryption and signature verification
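The sign-and-verify flow described above, as an added example that is not F-Secure's code. Textbook RSA over a SHA-256 hash with a constructed toy key stands in for whatever algorithm the product actually uses; ADMIN_PRV, ADMIN_PUB, sign_policy and verify_policy are assumed names.

```python
import hashlib

# Constructed toy key pair built from two Mersenne primes. Far too small for
# real use, and real schemes add padding; this only illustrates the flow.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)

ADMIN_PRV = (N, D)   # stands in for admin.prv, held only by administrators
ADMIN_PUB = (N, E)   # stands in for admin.pub, present on every managed host


def digest(policy: bytes, modulus: int) -> int:
    """SHA-256 of the policy data, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(policy).digest(), "big") % modulus


def sign_policy(policy: bytes, prv) -> int:
    """Console side: transform the hash with the private key."""
    n, d = prv
    return pow(digest(policy, n), d, n)


def verify_policy(policy: bytes, signature: int, pub) -> bool:
    """Host side: recover the hash with the public key and compare."""
    n, e = pub
    return pow(signature, e, n) == digest(policy, n)


# Constructed sample policy data (setting names are hypothetical).
SAMPLE_POLICY = b"firewall.enabled=1\nrealtime_scan.enabled=1\n"

if __name__ == "__main__":
    sig = sign_policy(SAMPLE_POLICY, ADMIN_PRV)
    tampered = SAMPLE_POLICY.replace(b"=1", b"=0")
    print("signed policy accepted: ", verify_policy(SAMPLE_POLICY, sig, ADMIN_PUB))
    print("tampered policy accepted:", verify_policy(tampered, sig, ADMIN_PUB))
```

A host holding only the public key can check a policy but cannot produce a signature that verifies, which is why admin.pub does not need to be kept secret while admin.prv does.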
SOFTWARE DISTRIBUTION
Installation Types
Remote installation
• Push Installation
• Auto discover Windows hosts
• Push install based on IP-address or WINS name
• Policy-based installation
Local installation
• From CD-ROM
• With pre-configured package
Installing Point Applications:
F-Secure Intelligent Installation
1. PMC creates a package
2. PMC pushes the package
3. FSMA and point application are installed
4. PMC issues a policy for the new host
5. FSMA fetches the policy
[Diagram: Policy Manager Console, Policy Manager Server (Apache Server, CommDir) and Managed Host (FSMA, Anti-Virus Client Security), with labels for the policy and the JAR installation package]
Installing Point Applications:
Remotely
Push install to Windows Hosts feature is used to push installation to
hosts based on their IP address or host name
• Works in the same manner as if host was autodiscovered
Installing Point Applications:
Locally
From CD, using a login script or through some EMS (SMS, Tivoli etc.),
followed by the autoregistration process
• Using a login script: ILaunchr utility and JAR package on a file server
Installing Point Applications:
ILaunchr Utility
PMC generates a package, xyz.jar
Copy iLaunchr.exe and the xyz.jar to a shared folder on a file server
Edit your login script with new command lines
Auto registration Process
1. PMC creates a package
2. PMC pushes the package
3. FSMA and point application are installed
4. PMC issues a policy for the new host
5. FSMA fetches the policy
[Diagram: Policy Manager Console, Policy Manager Server (Apache Server, CommDir) and Managed Host (FSMA, Anti-Virus Client Security), with labels for the policy, the JAR package and ARR]
Policy Distribution Process
1. PMC creates a package
2. PMC pushes the package
3. FSMA and point application are installed
4. PMC issues a policy for the new host
5. FSMA fetches the policy
[Diagram: Policy Manager Console, Policy Manager Server (Apache Server, CommDir) and Managed Host (FSMA, Anti-Virus Client Security), with labels New Policy and Old Policy]
Policy Based Installation
Once the Management Agent has been installed, it is possible to do
installations based on the policy
• Make an installation package and distribute a policy where a workstation is
instructed to install the product
Summary
Main topics
• Policy Manager Communication?
• Understanding communication
• Information flow
• Communication modules
• F-Secure Policy Concept
• Policy file structure
• Data integrity
• Software Distribution Process