F-Secure Policy Manager 8.0 Administrator’s Guide

"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.
Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation.
This product may be covered by one or more F-Secure patents, including the following:
GB2353372 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233 GB2374260
Copyright © 2008 F-Secure Corporation. All rights reserved.
12000013-7A12
Contents
About This Guide
  Overview
  How This Guide is Organized
  Conventions Used in F-Secure Guides
    Symbols
Chapter 1 Introduction
  1.1 Overview
  1.2 Installation Order
  1.3 Features
  1.4 Policy-Based Management
    1.4.1 Management Information Base
Chapter 2 System Requirements
  2.1 F-Secure Policy Manager Server
  2.2 F-Secure Policy Manager Console
Chapter 3 Installing F-Secure Policy Manager Server
  3.1 Overview
  3.2 Security Issues
    3.2.1 Installing F-Secure Policy Manager in High Security Environments
  3.3 Installation Steps
  3.4 Configuring F-Secure Policy Manager Server
    3.4.1 Changing the Communication Directory Path
    3.4.2 Changing the Ports Where the Server Listens for Requests
    3.4.3 F-Secure Policy Manager Server Configuration Settings
  3.5 Uninstalling F-Secure Policy Manager Server
Chapter 4 Installing F-Secure Policy Manager Console
  4.1 Overview
  4.2 Installation Steps
  4.3 Uninstalling F-Secure Policy Manager Console
Chapter 5 Using F-Secure Policy Manager Console
  5.1 Overview
  5.2 F-Secure Policy Manager Console Basics
    5.2.1 Logging In
    5.2.2 F-Secure Client Security Management
    5.2.3 The Advanced Mode User Interface
    5.2.4 Policy Domain Pane
    5.2.5 Properties Pane
    5.2.6 Product View Pane
    5.2.7 Messages Pane
    5.2.8 The Toolbar
    5.2.9 Menu Commands
  5.3 Managing Domains and Hosts
    5.3.1 Adding Policy Domains
    5.3.2 Adding Hosts
    5.3.3 Host Properties
  5.4 Software Distribution
    5.4.1 F-Secure Push Installations
    5.4.2 Policy-Based Installation
    5.4.3 Local Installation and Updates with Pre-Configured Packages
    5.4.4 Information Delivery
  5.5 Managing Policies
    5.5.1 Settings
    5.5.2 Restrictions
    5.5.3 Saving the Current Policy Data
    5.5.4 Distributing Policy Files
    5.5.5 Policy Inheritance
  5.6 Managing Operations and Tasks
  5.7 Alerting
    5.7.1 Viewing Alerts and Reports
    5.7.2 Configuring Alert Forwarding
  5.8 Reporting Tool
    5.8.1 Policy Domain / Host Selector Pane
    5.8.2 Report Type Selector Pane
    5.8.3 Report Pane
    5.8.4 Bottom Pane
  5.9 Preferences
    5.9.1 Connection-Specific Preferences
    5.9.2 Shared Preferences
Chapter 6 Maintaining F-Secure Policy Manager Server
  6.1 Overview
  6.2 Backing Up & Restoring F-Secure Policy Manager Console Data
  6.3 Replicating Software Using Image Files
Chapter 7 Updating F-Secure Virus Definition Databases
  7.1 Automatic Updates with F-Secure Automatic Update Agent
  7.2 Using the Automatic Update Agent
    7.2.1 Configuration
    7.2.2 How to Read the Log File
  7.3 Forcing the Update Agent to Check for New Updates Immediately
  7.4 Updating the Databases Manually
  7.5 Troubleshooting
Chapter 8 F-Secure Policy Manager on Linux
  8.1 Overview
    8.1.1 Differences Between Windows and Linux
    8.1.2 Supported Distributions
  8.2 Installation
    8.2.1 Installing F-Secure Automatic Update Agent
    8.2.2 Installing F-Secure Policy Manager Server
    8.2.3 Installing F-Secure Policy Manager Console
    8.2.4 Installing F-Secure Policy Manager Web Reporting
  8.3 Configuration
  8.4 Uninstallation
    8.4.1 Uninstalling F-Secure Policy Manager Web Reporting
    8.4.2 Uninstalling F-Secure Policy Manager Console
    8.4.3 Uninstalling F-Secure Policy Manager Server
    8.4.4 Uninstalling F-Secure Automatic Update Agent
  8.5 Frequently Asked Questions
Chapter 9 Web Reporting
  9.1 Overview
  9.2 Introduction
  9.3 Web Reporting Client System Requirements
  9.4 Generating and Viewing Reports
    9.4.1 Required Browser Settings for Viewing Web Reports
    9.4.2 Generating a Report
    9.4.3 Creating a Printable Report
    9.4.4 Generating a Specific URL for Automated Report Generation
  9.5 Maintaining Web Reporting
    9.5.1 Disabling Web Reporting
    9.5.2 Enabling Web Reporting
    9.5.3 Restricting or Allowing Wider Access to Web Reports
    9.5.4 Changing the Web Reporting Port
    9.5.5 Creating a Backup Copy of the Web Reporting Database
    9.5.6 Restoring the Web Reporting Database from a Backup Copy
    9.5.7 Changing the Maximum Data Storage Time in the Web Reporting Database
  9.6 Web Reporting Error Messages and Troubleshooting
    9.6.1 Error Messages
    9.6.2 Troubleshooting
Chapter 10 F-Secure Policy Manager Proxy
  10.1 Overview
Chapter 11 Troubleshooting
  11.1 Overview
  11.2 F-Secure Policy Manager Server and Console
  11.3 F-Secure Policy Manager Web Reporting
  11.4 Policy Distribution
Appendix A SNMP Support
  A.1 Overview
    A.1.1 SNMP Support for F-Secure Management Agent
  A.2 Installing F-Secure Management Agent with SNMP Support
    A.2.1 F-Secure SNMP Management Extension Installation
  A.3 Configuring The SNMP Master Agent
  A.4 Management Information Base
Appendix B Ilaunchr Error Codes
  B.1 Overview
  B.2 Error Codes
Appendix C FSII Remote Installation Error Codes
  C.1 Overview
  C.2 Windows Error Codes
  C.3 Error Messages
Appendix D NSC Notation for Netmasks
  D.1 Overview
Technical Support
  Overview
  Web Club
    Virus Descriptions on the Web
  Advanced Technical Support
  F-Secure Technical Product Training
    Training Program
    Contact Information
Glossary
About F-Secure Corporation

ABOUT THIS GUIDE


Overview

F-Secure Policy Manager provides tools for administering the following F-Secure software products:
- F-Secure Client Security
- F-Secure Internet Gatekeeper for Windows
- F-Secure Anti-Virus for
  - Windows Workstations
  - Windows Servers
  - Citrix Servers
  - Microsoft Exchange
  - MIMEsweeper
- F-Secure Linux Security
- F-Secure Linux Client Security
- F-Secure Linux Server Security
- F-Secure Policy Manager Proxy.

How This Guide is Organized

The F-Secure Policy Manager Administrator’s Guide is divided into the following chapters.
Chapter 1. Introduction. Describes the architecture and components of the policy-based management.
Chapter 2. System Requirements. Defines the software and hardware requirements for F-Secure Policy Manager Console and F-Secure Policy Manager Server.
Chapter 3. Installing F-Secure Policy Manager Server. Covers the installation of F-Secure Policy Manager Server on the server machine.
Chapter 4. Installing F-Secure Policy Manager Console. Covers the installation of F-Secure Policy Manager Console applications on the administrator’s workstation.
Chapter 5. Using F-Secure Policy Manager Console. Includes an overview, setup procedures, the logon procedure, menu commands, and basic tasks.
Chapter 6. Maintaining F-Secure Policy Manager Server. Covers backup procedures and restoration routines.
Chapter 7. Updating F-Secure Virus Definition Databases. Describes the various ways you can update your virus definition databases.
Chapter 8. F-Secure Policy Manager on Linux. Describes how to install and manage F-Secure Policy Manager on Linux.
Chapter 9. Web Reporting. Describes how to use F-Secure Policy Manager Web Reporting, a new enterprise-wide graphical reporting system included in F-Secure Policy Manager Server.
Chapter 10. F-Secure Policy Manager Proxy. Contains a brief introduction to F-Secure Policy Manager Proxy.
Chapter 11. Troubleshooting. Contains troubleshooting information and frequently asked questions.
Appendix A. SNMP Support. Contains information about SNMP support.
Appendix B. Ilaunchr Error Codes. Contains a list of Ilaunchr error codes.
Appendix C. FSII Remote Installation Error Codes. Describes the most common error codes and messages that can occur during the Autodiscover Windows Hosts operation.
Appendix D. NSC Notation for Netmasks. Defines and offers information on NSC notation for Netmasks.
Glossary — Explanation of terms
Technical Support — Web Club and contact information for assistance.
About F-Secure Corporation — Company background and products.

Conventions Used in F-Secure Guides

This section describes the symbols, fonts, and terminology used in this manual.

Symbols

WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data.
IMPORTANT: An exclamation mark provides important information that you need to consider.
REFERENCE - A book refers you to related information on the topic available in another document.
NOTE - A note provides additional information that you should consider.
TIP - A tip provides information that can help you perform a task more quickly or easily.
An arrow indicates a one-step procedure.

Fonts

Arial bold (blue) is used to refer to menu names and commands, to buttons and other items in a dialog box.
Arial Italics (blue) is used to refer to other chapters in the manual, book titles, and titles of other manuals.
Arial Italics (black) is used for file and folder names, for figure and table captions, and for directory tree names.
Courier New is used for messages on your computer screen.
Courier New bold is used for information that you must type.
SMALL CAPS (BLACK) is used for a key or key combination on your keyboard.
Arial underlined (blue) is used for user interface links.
Arial italics is used for window and dialog box names.

PDF Document

This manual is provided in PDF (Portable Document Format). The PDF document can be used for online viewing and printing using Adobe® Acrobat® Reader. When printing the manual, please print the entire manual, including the copyright and disclaimer statements.

For More Information

Visit F-Secure at http://www.f-secure.com for documentation, training courses, downloads, and service and support contacts.
In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please contact us at documentation@f-secure.com.

1 INTRODUCTION


1.1 Overview

F-Secure Policy Manager provides a scalable way to manage the security of numerous applications on multiple operating systems, from one central location. It can be used to keep security software up-to-date, manage configurations, oversee enterprise compliance, and can be scaled to handle even the largest, most mobile workforce. F-Secure Policy Manager provides a tightly integrated infrastructure for defining security policies, distributing policies and installing application software to local as well as remote systems, and monitoring the activities of all systems in the enterprise to ensure compliance with corporate policies and centralized control.
The power of the F-Secure Policy Manager lies in the F-Secure management architecture, which provides high scalability for a widely distributed, mobile workforce. F-Secure Policy Manager is comprised of F-Secure Policy Manager Console and F-Secure Policy Manager Server. They are seamlessly integrated with the F-Secure Management Agent that handles all management functions on local hosts.

Main Components of F-Secure Policy Manager

F-Secure Policy Manager Console provides a centralized management console for the security of the managed hosts in the network. It enables the administrator to organize the network into logical units for sharing policies. These policies are defined in F-Secure Policy Manager Console and then distributed to the workstations through the F-Secure Policy Manager Server. F-Secure Policy Manager Console is a Java-based application that can be run on several different platforms. It can be used to remotely install the Management Agent on other workstations without the need for local login scripts, restarting, or any intervention by the end user.
F-Secure Policy Manager Server is the repository for policies and software packages distributed by the administrator, and status information and alerts sent by the managed hosts. It provides scalability by working as an extension to the Apache web server. Communication between F-Secure Policy Manager Server and the managed hosts is accomplished through the standard HTTP protocol, which ensures trouble-free performance on the LAN and WAN.
F-Secure Policy Manager Web Reporting is an enterprise-wide web-based graphical reporting system included in F-Secure Policy Manager Server. With F-Secure Policy Manager Web Reporting you can quickly create graphical reports based on historical trend data, and identify computers that are unprotected or vulnerable to virus outbreaks.
F-Secure Policy Manager Update Server & Agent are used for updating virus and spyware definitions on the managed hosts. F-Secure Automatic Update Agent allows users to receive automatic updates and informational content without interrupting their work to wait for files to download from the Web. F-Secure Automatic Update Agent downloads files automatically in the background using bandwidth not being used by other Internet applications, so the users can always be sure they will have the latest updates without having to search the Web. If F-Secure Automatic Update Agent is always connected to the Internet, it will automatically receive new virus definition updates within about two hours after they have been published by F-Secure.
F-Secure Management Agent enforces the security policies set by the administrator on the managed hosts, and provides the end user with a user interface and other services. It handles all management functions on the local workstations, provides a common interface for all F-Secure applications, and operates within the policy-based management infrastructure.

1.2 Installation Order

To install F-Secure Policy Manager, please follow this installation order (unless you are installing F-Secure Policy Manager Server and F-Secure Policy Manager Console on the same machine, in which case setup installs all components during the same installation process):
1. F-Secure Policy Manager Server and F-Secure Policy Manager Update Server & Agent,
2. F-Secure Policy Manager Console,
3. Managed point applications.

1.3 Features

Software Distribution
- First-time installation on Windows domains with F-Secure Push Installation.
- Updating of executable files and data files, including virus definition databases.
- Support for policy-based updates. Policies force the F-Secure Management Agent to perform updates on a host. Both policies and software packages are signed, making the entire update process strongly authenticated and secure.
- Updates can be provided in several ways:
  - From the F-Secure CD.
  - From the F-Secure Web site to the customer. These can be automatically ‘pushed’ by F-Secure Automatic Update Agent, or voluntarily ‘pulled’ from the F-Secure website.
- F-Secure Policy Manager Console can be used to export pre-configured installation packages, which can also be delivered using third-party software, such as SMS, and similar tools.

Configuration and Policy Management
- Centralized configuration of security policies. The policies are distributed from F-Secure Policy Manager Server by the administrator to the user’s workstation. Integrity of the policies is ensured through the use of digital signatures.

Event Management
- Reporting through the Management API to the Event Viewer (local and remote logs), SNMP agent, e-mail, report files, etc.
- Event redirection through policies.
- Event statistics.

Performance Management
- Statistics and performance data handling and reporting.

Task Management
- Management of virus scanning tasks and other operations.

1.4 Policy-Based Management

A security policy is a set of well-defined rules that regulate how sensitive information and other resources are managed, protected, and distributed. The management architecture of F-Secure software uses policies that are centrally configured by the administrator for optimum control of security in a corporate environment. Policy-based management implements many functions:
- Remotely controlling and monitoring the behavior of the products
- Monitoring statistics provided by the products and the Management Agent
- Remotely starting predefined operations
- Transmission of alerts and notifications from the products to the system administrator
The information flow between F-Secure Policy Manager Console and the hosts is accomplished by transferring policy files. There are three kinds of policy files:
- Default Policy files (.dpf)
- Base Policy files (.bpf)
- Incremental Policy files (.ipf)
The current settings of a product consist of all three policy file types:

Default Policy Files
The Default Policy file contains the default values (the factory settings) for a single product that are installed by the setup. Default policies are used only on the host. If neither the Base Policy file nor the Incremental Policy file contains an entry for a variable, then the value is taken from the Default Policy file. New product versions get new versions of the Default Policy file.

Base Policy Files
Base Policy files contain the administrative settings and restrictions for all the variables for all F-Secure products on a specific host (with domain-level policies, a group of hosts may share the same file). A Base Policy file is signed by F-Secure Policy Manager Console, protecting the file against changes while it is passing through the network and while it is stored in the host’s file system. These files are sent from F-Secure Policy Manager Console to the F-Secure Policy Manager Server. The host periodically polls for new policies created by F-Secure Policy Manager Console.

Incremental Policy Files
Incremental Policy files are used to store local changes to the Base Policy. Only changes that fall within the limits specified in the Base Policy are allowed. The Incremental Policy files are then periodically sent to F-Secure Policy Manager Console so that current settings and statistics can be viewed by the administrator.
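
The layering of the three policy file types can be modelled in a few lines. The following is an added example, not F-Secure code and not the .dpf/.bpf/.ipf file format: the OIDs, the variable names, and the representation of Base Policy limits as a set of allowed values are assumptions made for illustration, as is refusing a local change to a variable that has no Base Policy entry.

```python
from dataclasses import dataclass
from typing import Any, Container, Dict, List, Tuple

# Constructed OIDs under 1.3.6.1.4.1.32473, the enterprise number reserved
# for documentation use (RFC 5612). The variable names are hypothetical.
SCAN_ENABLED = "1.3.6.1.4.1.32473.1.1"
POLL_INTERVAL = "1.3.6.1.4.1.32473.1.2"
ALERT_LEVEL = "1.3.6.1.4.1.32473.1.3"


@dataclass(frozen=True)
class BaseEntry:
    """One variable in the administrator's Base Policy (model only)."""
    value: Any
    # Values a local change may take; empty means no local change is allowed.
    # Assumption: the guide only says the Base Policy specifies "limits".
    allowed: Container = ()


def local_change_allowed(oid: str, value: Any, base: Dict[str, BaseEntry]) -> bool:
    """A local change counts only if the Base Policy's limits permit it.

    Assumption of this model: a variable with no Base Policy entry has been
    granted no limits, so a local change to it is refused.
    """
    entry = base.get(oid)
    return entry is not None and value in entry.allowed


def resolve(oid, default, base, incremental) -> Tuple[Any, str]:
    """Return (effective value, layer it came from) for one variable."""
    if oid in incremental and local_change_allowed(oid, incremental[oid], base):
        return incremental[oid], "incremental"
    if oid in base:
        return base[oid].value, "base"
    if oid in default:
        # Neither Base nor Incremental has a usable entry: factory setting.
        return default[oid], "default"
    raise KeyError(f"{oid} is not defined in any policy layer")


def effective_policy(default, base, incremental) -> Dict[str, Tuple[Any, str]]:
    """Resolve every variable known to the Default or Base Policy."""
    oids = sorted(set(default) | set(base))
    return {oid: resolve(oid, default, base, incremental) for oid in oids}


def rejected_changes(base, incremental) -> List[Tuple[str, Any]]:
    """Local changes outside the Base Policy limits, for administrator review."""
    return sorted(
        ((oid, value) for oid, value in incremental.items()
         if not local_change_allowed(oid, value, base)),
        key=lambda item: item[0],
    )


# Constructed sample layers.
DEFAULT = {SCAN_ENABLED: 1, POLL_INTERVAL: 600, ALERT_LEVEL: 2}
BASE = {
    SCAN_ENABLED: BaseEntry(1),                              # locked by the administrator
    POLL_INTERVAL: BaseEntry(300, allowed=range(60, 3601)),  # user may tune within range
}
INCREMENTAL = {SCAN_ENABLED: 0, POLL_INTERVAL: 120}          # local changes on the host

if __name__ == "__main__":
    for oid, (value, layer) in effective_policy(DEFAULT, BASE, INCREMENTAL).items():
        print(f"{oid} = {value!r} (from {layer})")
    for oid, value in rejected_changes(BASE, INCREMENTAL):
        print(f"rejected local change: {oid} -> {value!r}")
```

The list returned by `rejected_changes` is the part worth alerting on: an attempt to switch off a locked setting shows up there instead of silently taking effect.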

1.4.1 Management Information Base

The Management Information Base (MIB) is a hierarchical management data structure used in the Simple Network Management Protocol (SNMP). In F-Secure Policy Manager, the MIB structure is used for defining the contents of the policy files. Each variable has an Object Identifier (OID) and a value that can be accessed using the Policy API. In addition to basic SNMP MIB definitions, the F-Secure MIB concept includes many extensions that are needed for complete policy-based management.
The following categories are defined in a product’s MIB:
Settings: Used to manage the workstation in the manner of an SNMP. The managed products must operate within the limits specified here.
Statistics: Delivers product statistics to F-Secure Policy Manager Console.
Operations: Operations are handled with two policy variables: (1) a variable for transferring the operation identifier to the host, and (2) a variable for informing F-Secure Policy Manager Console about the operations that were performed. The second variable is transferred using normal statistics; it acknowledges all previous operations at one time. A custom editor for editing operations is associated with the subtree; the editor hides the two variables.
Private: The management concept MIBs may also contain variables which the product stores for its internal use between sessions. This way, the product does not need to rely on external services such as Windows registry files.
Traps: Traps are the messages (including alerts and events) that are sent to the local console, log file, remote administration process, etc. The following types of traps are sent by most of the F-Secure products:
- Info. Normal operating information from a host.
- Warning. A warning from the host.
- Error. A recoverable error on the host.
- Fatal error. An unrecoverable error on the host.
- Security alert. A security hazard on the host.

2 SYSTEM REQUIREMENTS


2.1 F-Secure Policy Manager Server

In order to install F-Secure Policy Manager Server, your system must meet the following minimum requirements:
Operating system:
  Microsoft Windows:
  - Microsoft Windows 2000 Server (SP 4 or higher)
  - Windows 2003 Server (32- and 64-bit)
  - Windows 2008 Server (32- and 64-bit)
  Linux:
  - Red Hat Enterprise Linux 3, 4 and 5
  - openSUSE Linux 10.3
  - SUSE Linux Enterprise Server 9 and 10
  - SUSE Linux Enterprise Desktop 10
  - Debian GNU Linux Etch 4.0
  - Ubuntu 8.04 Hardy
Processor: Intel Pentium III 450 MHz processor or faster. Managing more than 5000 hosts or using Web Reporting requires Intel Pentium III 1 GHz level processor or faster.
Memory: 256 MB RAM. When Web Reporting is enabled, 512 MB RAM.
Disk space: 200 MB of free hard disk space; 500 MB or more is recommended. The disk space requirements depend on the size of the installation. In addition to this it is recommended to allocate about 1 MB per host for alerts and policies. The actual disk space consumption per host is hard to anticipate, since it depends on how the policies are used and how many installation packages are stored.
Network: 10 Mbit network. Managing more than 5000 hosts requires a 100 Mbit network.

2.2 F-Secure Policy Manager Console

In order to install F-Secure Policy Manager Console, your system must meet the following minimum requirements:
Operating system:
  Microsoft Windows:
    Microsoft Windows 2000 Professional (SP4 or higher)
    Windows XP Professional (SP2 or higher)
    Windows Vista (32- and 64-bit)
    Windows 2000 Server SP4
    Windows 2003 Server (32- and 64-bit)
    Windows 2008 Server (32- and 64-bit)
  Linux:
    Red Hat Enterprise Linux 3, 4 and 5
    openSUSE Linux 10.3
    SUSE Linux Enterprise Server 9 and 10
    SUSE Linux Enterprise Desktop 10
    Debian GNU Linux Etch 4.0
    Ubuntu 8.04 Hardy
Processor: Intel Pentium III 450 MHz processor or faster. Managing more than 5000 hosts requires Pentium III 750 MHz processor or faster.
Memory: 256 MB of RAM. Managing more than 5000 hosts requires 512 MB of memory.
Disk space: 100 MB of free hard disk space.
Display: Minimum 256-color display with resolution of 1024x768 (32-bit color with 1280x960 or higher resolution recommended).
Network: Ethernet network interface or equivalent. 10 Mbit network between console and server is recommended. Managing more than 5000 hosts requires 100 Mbit connection between console and server.
3 INSTALLING F-SECURE POLICY MANAGER SERVER

Overview
Security Issues
Installation Steps
Uninstalling F-Secure Policy Manager Server

3.1 Overview

The following are advanced instructions for installing F-Secure Policy Manager Server on a machine dedicated only to the Server. F-Secure Policy Manager Server can also be installed on the same machine as F-Secure Policy Manager Console.
F-Secure Policy Manager Server is the link between F-Secure Policy Manager Console and the managed hosts and acts as the repository for policies and software packages distributed by the administrator, as well as status information and alerts sent by the managed hosts.
Communication between F-Secure Policy Manager Server and other components can be achieved through the standard HTTP protocol, which ensures trouble-free performance on LAN and global networks.
The information stored by F-Secure Policy Manager Server includes the following files:
Policy Domain Structure.
Policy Data, which is the actual policy information attached to each policy domain or host.
Base Policy files generated from the policy data.
Status Information, including incremental policy files, alerts, and reports.
Autoregistration requests sent by the hosts.
Host certificates.
Security News received from F-Secure.
Product installation and virus definition database update packages.
The Web Reporting component stores statistics and historical trend data about the hosts.

3.2 Security Issues

F-Secure Policy Manager Server utilizes Apache Web Server technology, and even though we do the utmost to deliver a secure and up-to-date technology, we advise you to regularly consult the following sites for information on Apache technology and security.
The most up to date information on security issues related to Operating Systems and Apache web server can be found at the CERT web site:
http://www.cert.org.
A document containing advice on how to secure an installation of the Apache web server is available at http://www.apache.org/docs/misc/security_tips.html, and a list of vulnerabilities is available at http://www.apacheweek.com/features/security-13.
The release notes contain important information about installation and security. Read these notes carefully!
3.2.1 Installing F-Secure Policy Manager in High Security Environments
F-Secure Policy Manager is designed to be used in internal corporate networks mainly for managing F-Secure Anti-Virus products. F-Secure does not recommend using F-Secure Policy Manager over public networks such as the Internet.
IMPORTANT: When installing F-Secure Policy Manager in high security environments, you should make sure that the Administration port (by default port 8080) and the Host port (by default port 80) are not visible on the Internet.
F-Secure Policy Manager's Built-In Security Features
F-Secure Policy Manager has built-in security features that ensure detection of changes in the policy domain structure and policy data. More importantly, it is impossible to deploy unauthorized changes to managed hosts. Both these features rely on a management key pair that is available to administrators only. These features, based on strong digital signatures, provide the right balance between usability and security in most Anti-Virus installations, but the following features may require additional configuration in high security environments:
1. By default, all users can access the Policy Manager Server in read-only mode but are only able to view the management data. This is a convenient way of sharing information with users who are not allowed full administrative rights. Multiple users can keep a read-only session open simultaneously, monitoring the system status without affecting other administrators or managed hosts in any way.
2. To enable easy migration to new management keys, it is possible to re-sign the policy domain structure and policy data with a newly generated or previously existing key pair. If this is done accidentally, or intentionally by an unauthorized user, the authorized user will notice the change when he tries to log in to F-Secure Policy Manager the next time. In the worst case, the authorized user needs to recover backups in order to remove the possible changes made by the unauthorized user. In any case, the policy domain structure and policy data changes will be detected, and there is no way to distribute the changes to managed hosts without the correct original key pair.
Both of these features may be undesirable in a high security environment where even seeing the management data should be restricted. The following measures can be taken to increase the level of system security:
Possible installation scenarios for high security environments:
1. F-Secure Policy Manager Server and F-Secure Policy Manager Console will be installed on the same machine and access to the F-Secure Policy Manager Server will be limited only to the localhost. After this, only the person who has physical access to the localhost can use the F-Secure Policy Manager Console.
When access to the F-Secure Policy Manager Server is limited only to the localhost during the installation (see Step 8), F-Secure Setup modifies the #FSMSA listen directive in the httpd.conf file as follows:
#FSMSA listen
# Allow connections only from localhost to PMC port 8080
Listen 127.0.0.1:8080
2. Access to F-Secure Policy Manager Server will be limited only to the separately defined IP addresses by editing the httpd.conf file.
If the access to port 8080 was limited only to the localhost during the setup, you should now open the port and then define the list of allowed IP addresses (see the Listen 8080 directive in the example below).
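The following is an added example, not part of the F-Secure guide and not the httpd.conf example the guide refers to: a small audit script that reads the Listen directives discussed above and reports whether the Administration port is bound to localhost only. The sample httpd.conf fragments and the function names are constructed for illustration; port 8080 is the default given in this guide.

```python
import re

ADMIN_PORT = 8080  # Administration port default named in the guide
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"*", "0.0.0.0", "::"}

# Listen [address:]port [protocol]; IPv6 addresses are written in brackets.
LISTEN_RE = re.compile(
    r"^\s*Listen\s+(?:(\[[^\]]+\]|[^\s:]+):)?(\d+)(?:\s+\S+)?\s*$",
    re.IGNORECASE,
)

# Constructed httpd.conf fragments for illustration (not from a real server).
CONF_LOCAL = "#FSMSA listen\nListen 127.0.0.1:8080\nListen 80\n"
CONF_OPEN = "#FSMSA listen\n#Listen 127.0.0.1:8080\nListen 8080\nListen 80\n"


def listen_bindings(conf_text):
    """Return (address, port) for each active (uncommented) Listen directive."""
    bindings = []
    for line in conf_text.splitlines():
        match = LISTEN_RE.match(line)  # lines starting with '#' never match
        if match:
            address = (match.group(1) or "*").strip("[]")
            bindings.append((address, int(match.group(2))))
    return bindings


def admin_port_exposure(conf_text, port=ADMIN_PORT):
    """Classify the interfaces on which the administration port is bound."""
    addresses = [a for a, p in listen_bindings(conf_text) if p == port]
    if not addresses:
        return "not-listening"
    if any(a in WILDCARD for a in addresses):
        return "all-interfaces"
    if all(a in LOOPBACK for a in addresses):
        return "localhost-only"
    return "specific-addresses"


if __name__ == "__main__":
    for name, conf in (("local", CONF_LOCAL), ("open", CONF_OPEN)):
        print(name, listen_bindings(conf), admin_port_exposure(conf))
```

In the second scenario a result of "all-interfaces" for port 8080 is expected, because the port is opened on purpose; the list of allowed IP addresses then has to be verified separately, since the Listen directive only controls which interfaces accept connections.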