Sophos NAC ADVANCED 3.0 AGENT PROFILE

Agent Profile
Copyright 2007 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in retrieval system, or transmitted, in any form or by any means electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
All other product and company names are trademarks or registered trademarks of their respective owners.
Document version 3.0 Published July 2007
Table of Contents
Agent Descriptions
Agent Architecture Overview
    Resource Utilization
    Network Bandwidth
    Secure Execution
Memory Consumption
Agent Required User Permissions

Agent Descriptions

Prior to installation, you must configure Sophos NAC Agent to use one of the following options:

Continuous Agent: The Continuous Agent configuration assesses and verifies compliance with corporate security policy prior to gaining access to network resources and on a periodic basis during the user’s session, requiring little or no user interaction. The Continuous Agent is used primarily for logging as well as network quarantine. If a Continuous Agent is deployed and the self-quarantine options are required at a later date, you must completely re-deploy with the Quarantine Agent; therefore, if advanced quarantine features are desired, the Quarantine Agent is recommended.

Quarantine Agent: The Quarantine Agent configuration assesses and verifies compliance with corporate security policy prior to gaining access to network resources and on a periodic basis during the user’s session, limiting the endpoint to quarantined areas of the corporate network if the user falls out of compliance with policy. The Quarantine Agent configuration provides all features of the Continuous Agent configuration with an additional self-quarantine feature, which provides quarantine configuration and enforcement of endpoints that are not compliant with the corporate security policy.

Agent Architecture Overview

The Sophos NAC Agent is designed to assess, communicate, and report compliance to the Sophos application server in an accurate and efficient manner. The Agent architecture enables this efficiency by optimizing across four main areas that are of concern to administrators:
▪ Minimal disk footprint
▪ Minimal resource utilization
▪ Minimal network bandwidth
▪ Secure execution

Resource Utilization

Both the Continuous and Quarantine Agent configurations are driven by a small background process on the endpoint. The Agent does not remain active while continually polling for compliance; instead, it is event-driven. The Agent only becomes active when instructed by its timer to retrieve policy, assess policy, or report compliance. The timer intervals are configurable and specified in policy so that assessments can run frequently enough to ensure compliance. The assessment action is what uses the most system resources.

Network Bandwidth

Data transfer between the Agent and the application server is sporadic, not continuous. There are three events under which this data transfer occurs:
▪ Policy Retrieval: The Agent requests the current policy. If the local policy is current, no policy is downloaded.
▪ Compliance Reporting: The Agent periodically sends assessment results to the application server based on the assessment timer. This information is also added to the report data store. This reporting interval is configurable and can be specified per policy.
▪ Reporting: The Agent sends global reports during Agent registration. There is a direct correlation between the size of the policy and the size of the report; therefore, if the policy is very large, the report will also become large.
Average Bandwidth Generated per Profile
▪ Patch: Each patch that is added to policy generates an average of .33KB.
▪ Anti-Virus: Each anti-virus profile that is added to policy generates an average of 3.4KB.
▪ Firewall: Each firewall profile that is added to policy generates an average of 1.43KB.
Agent bandwidth usage breakdown:
The following chart was based upon a policy with the following features: 25 Patches, 1 Sophos Assessment Application, 1 Sophos Anti-virus Profile.

Agent Functions               Size (KB)   Constant/Changing             Interval Used
Registration                  6.7         Constant                      None
Retrieve Policy: Same         7.0         Constant                      Policy Refresh
Retrieve Policy: New          17.3        Changing (based on policy)    Policy Refresh
Patch Definitions             488.9       Changing (based on policy)*   New Policy/Reboot
Set Compliance State          6.4         Constant                      Assess & Enforce
Batch Create Agent Session    6.6         Constant                      Reporting
Set Compliance State          6.7         Constant                      Assess & Enforce
Batch Create Global Report    7.5         Changing (based on policy)    Reporting
Batch Create Agent Session    6.6         Constant                      Reporting

* The patch definitions file is pulled onto the application server nightly. When a new policy is created or an existing policy is updated, the Agent is forced to download the new patch file from the application server.
(based on policy): The bandwidth usage decreases if a smaller policy is used and increases if a larger policy is used.

Initial registration of Agent should generate the following actions:
Registration                  6.7KB
Fetch Policy: New             17.3KB (based on policy size)
Patch Definitions             488.9KB
Set Compliance State          6.4KB
Batch Create Agent Session    6.5KB
Batch Create Global Report    7.5KB (based on policy size)
--------------
Total:                        532.3KB

Each new or updated policy should generate the following actions based on Policy Refresh Interval:
Fetch Policy: New             17.3KB (based on policy size)
Patch Definitions             488.9KB (if Windows patches are in the policy)
----------------
Total:                        506.2KB
Each login should generate the following actions:
Retrieve Policy: New or Same          17.3/7.0KB (depending if new policy exists)
Patch Definitions (if new policy)     488.9KB
Set Compliance State                  6.4KB
Batch Create Global Report            7.5KB (based on policy size)
Batch Create Agent Session            6.5KB
----------------
Total:                                525.6KB (new policy) 26.4KB (same policy)
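The per-call sizes and the "Interval Used" column above are enough to estimate what one endpoint, or a fleet, will send to the application server per day for a given policy and set of timer settings. The following is an added example for that capacity-planning calculation; it is not Sophos code. The constants are the page's figures; the rule that the per-profile averages scale the "Retrieve Policy: New" call from the 25-patch reference policy, the decision to keep the global report at its reference size, the function names and the sample policies are assumptions. Because the table lists Batch Create Agent Session as 6.6KB while the action lists use 6.5KB, totals computed here differ from the page's own rounded totals by about 1KB.

```python
"""Per-endpoint bandwidth estimate for the Sophos NAC Agent, built from the
per-call sizes tabulated above.  Added example, not Sophos code: the constants
come from the page; the scaling rule, the function names and the sample
policies are assumptions."""

from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60

# Per-call sizes in KB (Agent bandwidth usage breakdown table).
REGISTRATION_KB = 6.7
RETRIEVE_POLICY_SAME_KB = 7.0
RETRIEVE_POLICY_NEW_REF_KB = 17.3      # measured with the reference policy
PATCH_DEFINITIONS_KB = 488.9
SET_COMPLIANCE_STATE_KB = 6.4
BATCH_CREATE_AGENT_SESSION_KB = 6.6
BATCH_CREATE_GLOBAL_REPORT_KB = 7.5    # "based on policy"; kept at the reference figure (assumption)

# Average KB each profile type adds to the policy.
PER_PATCH_KB, PER_ANTIVIRUS_KB, PER_FIREWALL_KB = 0.33, 3.4, 1.43

# Reference policy the table was measured against:
# 25 patches, 1 Sophos assessment application, 1 Sophos anti-virus profile.
REF_PATCHES, REF_ANTIVIRUS, REF_FIREWALL = 25, 1, 0


@dataclass(frozen=True)
class Policy:
    patches: int
    antivirus: int = 0
    firewall: int = 0
    policy_refresh_min: int = 60   # Policy Refresh Interval
    assess_enforce_min: int = 60   # Assess & Enforce Interval
    report_min: int = 60           # Report Interval


def retrieve_policy_new_kb(p: Policy) -> float:
    """'Retrieve Policy: New', scaled from the reference policy by the
    per-profile averages (assumption: the averages apply to this call)."""
    delta = ((p.patches - REF_PATCHES) * PER_PATCH_KB
             + (p.antivirus - REF_ANTIVIRUS) * PER_ANTIVIRUS_KB
             + (p.firewall - REF_FIREWALL) * PER_FIREWALL_KB)
    return RETRIEVE_POLICY_NEW_REF_KB + delta


def new_policy_kb(p: Policy) -> float:
    """Cost of a new or updated policy: the policy fetch plus the patch
    definitions file, which is only pulled when the policy carries patches."""
    kb = retrieve_policy_new_kb(p)
    if p.patches:
        kb += PATCH_DEFINITIONS_KB
    return kb


def registration_kb(p: Policy) -> float:
    """Initial registration: register, fetch policy, assess, open a session, send the global report."""
    return (REGISTRATION_KB + new_policy_kb(p) + SET_COMPLIANCE_STATE_KB
            + BATCH_CREATE_AGENT_SESSION_KB + BATCH_CREATE_GLOBAL_REPORT_KB)


def login_kb(p: Policy, new_policy: bool = False) -> float:
    """Per-login traffic; the policy fetch is 'Same' unless a new policy exists."""
    fetch = new_policy_kb(p) if new_policy else RETRIEVE_POLICY_SAME_KB
    return (fetch + SET_COMPLIANCE_STATE_KB + BATCH_CREATE_GLOBAL_REPORT_KB
            + BATCH_CREATE_AGENT_SESSION_KB)


def steady_state_daily_kb(p: Policy, logins_per_day: int = 1,
                          policy_updates_per_day: int = 0) -> float:
    """Timer-driven traffic over 24 h with an unchanged policy, plus logins and
    any policy updates pushed that day.  Each timer maps to the call named in
    its 'Interval Used' column."""
    refreshes = MINUTES_PER_DAY // p.policy_refresh_min
    assessments = MINUTES_PER_DAY // p.assess_enforce_min
    reports = MINUTES_PER_DAY // p.report_min
    kb = (refreshes * RETRIEVE_POLICY_SAME_KB
          + assessments * SET_COMPLIANCE_STATE_KB
          + reports * BATCH_CREATE_AGENT_SESSION_KB)
    kb += logins_per_day * login_kb(p)
    kb += policy_updates_per_day * new_policy_kb(p)
    return kb


def fleet_daily_mb(p: Policy, endpoints: int, **kw) -> float:
    """Aggregate steady-state load on the application server, in MB/day."""
    return endpoints * steady_state_daily_kb(p, **kw) / 1024


if __name__ == "__main__":
    ref = Policy(patches=25, antivirus=1)                       # the page's reference policy
    big = Policy(patches=50, antivirus=1, firewall=1,           # constructed larger policy
                 policy_refresh_min=30, assess_enforce_min=15, report_min=30)
    print(f"registration, reference policy:     {registration_kb(ref):.1f} KB")
    print(f"steady state, 1 login/day, reference: {steady_state_daily_kb(ref):.1f} KB")
    print(f"2,000 endpoints, larger policy:      {fleet_daily_mb(big, 2000):.1f} MB/day")
```

The dominant term in any estimate is the 488.9KB patch definitions file, which is downloaded once per new or updated policy rather than on a timer; shortening the Policy Refresh Interval therefore costs only 7.0KB per refresh while the policy is unchanged, whereas pushing frequent policy edits to a large fleet is what loads the application server.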
Network Performance
The Quarantine Agent configuration inspects network packets coming from the endpoint to ensure the destination is valid according to the current assessment state and policy. To measure the effect on network performance, a series of FTP downloads was performed on 10MB and 75MB files from a local network address. Average download time for endpoints, both with and without the Quarantine Agent configuration installed, are noted in the following table:

Agent                        10MB file (seconds)   75MB file (seconds)
No Agent Installed           13.4                  84.3
Quarantine Agent Installed   16.7                  88.6
As the test indicates, overall network performance is only slightly affected due to the filter driver that is installed with the Agent.
Agent Disk Space Utilization
The Sophos NAC Agent 98 (for Windows 98) install file is 5.5MB and the Agent NT (for all other Windows versions) is 6.5MB. The base Sophos files that are installed with the Agent consume approximately 5.3MB of disk space in the Sophos install directory. The following example includes a Quarantine Agent retrieving a policy that includes an Agent application, a firewall application, an anti-virus application, a service pack, and 50 patches. The following files were placed on the endpoint during the initial policy retrieval and assessment.

File                       Size (KB)
Policy cache               103
Patch Assessment results   98
Other Policy results       34
Report                     42
The encrypted report file is stored on the endpoint until the report interval, which is specified in policy, is reached. When this report interval is reached, the report file is sent to the application server for reporting, and the file is deleted from the endpoint. This report file grows by only a minuscule amount as long as the state of the endpoint remains unchanged.
Also, the policy cache is stored in an encrypted format on the endpoint. This file size may increase or decrease after a policy refresh if the corresponding policy on the application server changes.

Secure Execution

The Agent does not require local administrator privileges to execute on the endpoint and operates normally in restricted user mode. This feature allows IT administrators to lock down endpoints to further secure vital corporate assets.

Memory Consumption

Separate tests using the Continuous, Quarantine, and Web Agent configurations on Windows® XP SP2 determined the Agent memory consumption. The following measurements for average private bytes and average working set are for a period of 30 minutes. Private bytes measure the current size, in bytes, of memory that a process has allocated that cannot be shared with other processes. Working set measures the current size, in bytes, of the set of memory pages recently touched by the threads in the process. These two measurements serve as an indication of the memory consumption of the two Agent services. For all policies in these tests, the Policy Refresh Interval and the Report Interval were specified as 3 minutes, and the Assess and Enforce Interval was specified as 1 minute. For the Web Agent, the IExplore.exe process was monitored before running the Agent, and the memory usage of Internet Explorer (15.70MB private bytes, 21.53MB working set) was subtracted from the total memory usage when the Agent was running to determine an approximate amount of memory the Web Agent uses. All results are in megabytes.
Small Policy: OS-Win XP, 35 Patches, 1 NAC Agent Assessment, 1 Firewall
Medium Policy: OS-Win XP, 55 Patches, 1 NAC Agent Assessment, 1 Firewall, 1 Anti-Virus
Large Policy: OS-Win XP, 75 Patches, 1 NAC Agent Assessment, 1 Firewall, 1 Anti-Virus, 1 Anti-Spyware

Test            Agent Configuration   Service    Avg. Private Bytes (MB)   Peak Private Bytes (MB)   Avg. Working Set (MB)   Peak Working Set (MB)
Small Policy    Continuous            AgentAPI   14.49                     14.54                     17.35                   17.50
Small Policy    Continuous            AgntTray   4.08                      4.11                      3.54                    3.60
Small Policy    Quarantine            AgentAPI   8.61                      8.72                      11.68                   11.81
Small Policy    Quarantine            AgntTray   1.96                      1.98                      3.64                    3.73
Small Policy    Web                   IExplore   1.08                      3.15                      7.10                    25.19
Medium Policy   Continuous            AgentAPI   17.53                     17.56                     17.74                   17.78
Medium Policy   Continuous            AgntTray   4.12                      4.14                      3.66                    3.68
Medium Policy   Quarantine            AgentAPI   10.81                     11.00                     14.54                   14.74
Medium Policy   Quarantine            AgntTray   3.51                      3.54                      6.25                    6.30
Medium Policy   Web                   IExplore   10.65                     36.19                     9.33                    33.80
Large Policy    Continuous            AgentAPI   17.52                     17.59                     18.06                   18.19
Large Policy    Continuous            AgntTray   4.26                      4.29                      5.33                    5.40
Large Policy    Quarantine            AgentAPI   12.29                     13.01                     15.27                   15.86
Large Policy    Quarantine            AgntTray   3.49                      3.60                      5.54                    5.73
Large Policy    Web                   IExplore   11.76                     38.19                     10.61                   35.86
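The measurement method described above (sample private bytes and working set of the Agent processes over a window, report average and peak in MB, and for the Web Agent subtract the browser's own usage measured before the Agent ran) can be reproduced with a short script when checking an endpoint build against these figures. The following is an added example, not Sophos code. The 15.70MB / 21.53MB Internet Explorer baseline is the page's; the `Sample` and `Summary` types, `summarise`, `sample_windows_process`, the use of psutil for the Windows sampler and the constructed sample set are assumptions.

```python
"""Summarise private-bytes / working-set samples for NAC Agent processes in
the way the memory test above reports them.  Added example, not Sophos code.
`summarise` is pure and is what the constructed data exercises;
`sample_windows_process` needs psutil on the monitored Windows host."""

from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Sequence
import time

MB = 1024 * 1024


@dataclass(frozen=True)
class Sample:
    private_bytes: int   # memory the process allocated that cannot be shared
    working_set: int     # pages recently touched by the process's threads


@dataclass(frozen=True)
class Summary:
    avg_private_mb: float
    peak_private_mb: float
    avg_working_set_mb: float
    peak_working_set_mb: float


def summarise(samples: Sequence[Sample], baseline: Optional[Sample] = None) -> Summary:
    """Average and peak over the sampling window, in MB.

    `baseline` is the host process's memory measured before the Agent ran
    (the page's IExplore.exe case); it is subtracted from every sample so the
    result approximates the Agent's own share."""
    if not samples:
        raise ValueError("need at least one sample")
    b_priv = baseline.private_bytes if baseline else 0
    b_ws = baseline.working_set if baseline else 0
    priv = [s.private_bytes - b_priv for s in samples]
    ws = [s.working_set - b_ws for s in samples]
    return Summary(
        avg_private_mb=round(mean(priv) / MB, 2),
        peak_private_mb=round(max(priv) / MB, 2),
        avg_working_set_mb=round(mean(ws) / MB, 2),
        peak_working_set_mb=round(max(ws) / MB, 2),
    )


def sample_windows_process(image_name: str, minutes: int = 30, every_s: int = 10) -> List[Sample]:
    """Poll every process with the given image name (e.g. "AgentAPI.exe") for
    `minutes`.  On Windows psutil's memory_info() exposes `private` and `wset`,
    which are the two counters the page measures (assumption: psutil present)."""
    import psutil  # imported here so the pure part of the module runs without it
    out: List[Sample] = []
    deadline = time.monotonic() + minutes * 60
    while time.monotonic() < deadline:
        for proc in psutil.process_iter(["name"]):
            if proc.info["name"] and proc.info["name"].lower() == image_name.lower():
                mi = proc.memory_info()
                out.append(Sample(mi.private, mi.wset))
        time.sleep(every_s)
    return out


# Internet Explorer baseline from the page (measured before the Web Agent ran).
IE_BASELINE = Sample(round(15.70 * MB), round(21.53 * MB))

# Constructed samples (not measured data): the baseline plus whole-MB increments,
# standing in for readings taken while the Web Agent was running inside IE.
CONSTRUCTED_IE_SAMPLES = [
    Sample(IE_BASELINE.private_bytes + dp * MB, IE_BASELINE.working_set + dw * MB)
    for dp, dw in [(1, 5), (1, 7), (3, 24), (2, 12)]
]


if __name__ == "__main__":
    print("Web Agent (IE baseline subtracted):", summarise(CONSTRUCTED_IE_SAMPLES, IE_BASELINE))
    print("IE process as a whole:            ", summarise(CONSTRUCTED_IE_SAMPLES))
```

Peak working set is the figure to watch on constrained endpoints: in the page's own table the Web Agent's peak working set is several times its average, so a check that compares only averages against a memory budget will pass a configuration that still causes paging under load.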

Agent Required User Permissions

The Sophos NAC Agent operates under any user mode. The Agent does not require local administrator privileges to execute and operates normally in restricted user mode.
Installing the Agent requires local administrative privileges, as do most MSI-based install programs. If the user cannot log on as a local administrator, the MSI can be executed with administrative rights using the “runas…” command. Additionally, since the Agent MSI is built using standard Windows Installer technology, it can be pushed to endpoints using common software distribution products.