Symantec Critical System User Manual

Symantec™ Critical System Protection Installation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version 5.1.3
Legal Notice
All rights reserved.
Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.
Symantec, the Symantec Logo, Norton, Norton AntiVirus, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA
http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functions, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s maintenance offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web-based support that provides rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
Advanced features, including Technical Account Management
For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you use.
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support information at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your region or language under Global Support. Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
    Available memory, disk space, NIC information
Operating system
    Version and patch level
Network topology
    Router, gateway, and IP address information
Problem description
    Error messages and log files
    Troubleshooting that was performed before contacting Symantec
    Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your region or language under Global Support, and then select the Licensing and Registration page.
Customer service
Customer service information is available at the following URL: www.symantec.com/techsupp/ent/enterprise.html. Select your country or language under Global Support.
Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade insurance and maintenance contracts
Information about Symantec Value License Program
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
Asia-Pacific and Japan: contractsadmin@symantec.com
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com
Additional enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.
Additional services that are available include the following:
Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
Consulting services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
Educational Services: These services provide a full array of technical training, security education, security certification, and awareness communication programs.
To access more information about Enterprise Services, please visit our Web site at the following URL:
www.symantec.com Select your country or language from the site index.

Contents

Technical Support
Chapter 1 Introducing Symantec™ Critical System Protection
About Symantec Critical System Protection ................................................... 11
Components of Symantec Critical System Protection ................................... 12
How Symantec Critical System Protection works .......................................... 13
About the policy library ...................................................................................... 13
Where to get more information .........................................................................14
Chapter 2 Planning the installation
About planning the installation ........................................................................15
About network architecture and policy distribution ..................................... 15
System requirements ..........................................................................................16
Operating system requirements ................................................................ 17
Solaris packages ...................................................................................18
Linux kernel driver support ...............................................................19
Hardware requirements ..............................................................................20
Disabling Windows XP firewalls ........................................................................21
Disabling Internet Connection Firewall ................................................... 21
Disabling Windows Firewall ......................................................................22
About using firewalls with Symantec Critical System Protection ............... 22
About name resolution ....................................................................................... 23
About IP routing ..................................................................................................24
About intrusion prevention ............................................................................... 24
About simple failover ..........................................................................................25
How simple failover works .........................................................................25
About the fail back interval ........................................................................26
Specifying the management server list for an agent .............................27
About the Windows NT agent installation ......................................................27
About log files ......................................................................................................28
What to do after installation ..............................................................................29
Chapter 3 Installing Symantec Critical System Protection on Windows
About installing Symantec Critical System Protection on Windows ..........32
About port number mapping ..................................................................... 32
Bypassing prerequisite checks ..................................................................33
About installing a database to a SQL Server instance ...................................34
About SQL Server installation requirements .......................................... 34
About installing on computers that run Windows 2000 .......................35
Configuring the temp environment variable ..................................................36
Installing the management server .................................................................... 36
About installation types and settings ....................................................... 36
Installing the management server into a database instance previously used for Symantec Critical System Protection .... 37
Management server installation settings and options ..................38
Installing evaluation installation that runs MSDE on the local system ....................................................................................................42
Installing evaluation installation using existing MS SQL instance ..... 44
Installing production installation with Tomcat and database schema 45
Installing Tomcat component only ........................................................... 47
Installing and configuring the management console .................................... 48
Installing the management console ..........................................................48
Configuring the management console .....................................................49
Installing a Windows agent ................................................................................51
About the SSL certificate file ..................................................................... 51
About the installation settings and options ............................................ 51
Installing the Windows agent software ................................................... 55
Unattended agent installation ...........................................................................59
Displaying InstallShield commands ......................................................... 59
Microsoft Windows Installer commands ................................................. 60
Installation properties ................................................................................ 61
Installing the Windows NT policy .....................................................................64
Uninstalling Symantec Critical System Protection .......................................65
Uninstalling an agent using Add or Remove Programs ........................66
Unattended uninstallation of an agent .................................................... 66
Uninstalling the management console ....................................................67
Uninstalling the management server and database ..............................67
Temporarily disabling Windows agents ..........................................................68
Temporarily disabling Windows 2000, Windows Server 2003, or Windows XP Professional agents .................................................68
Resetting the prevention policy to the built-in Null policy .......... 68
Temporarily disabling Windows NT agents ............................................ 69
Reinstalling Windows agents ............................................................................ 71
Chapter 4 Installing UNIX agents
About installing UNIX agents ............................................................................73
Bypassing prerequisite checks ..................................................................77
Installing an agent in verbose mode .................................................................78
Installing an agent in silent mode .....................................................................79
Uninstalling agents using package commands ...............................................84
Uninstalling agents manually ...........................................................................85
Uninstalling Solaris agents manually ......................................................85
Uninstalling Linux agents manually ........................................................87
Uninstalling HP-UX agents manually ...................................................... 88
Uninstalling AIX agents manually ............................................................ 89
Uninstalling Tru64 agents manually ........................................................90
Disabling and enabling UNIX agents ................................................................91
Disabling and enabling Solaris agents .....................................................91
Temporarily disabling the IPS driver ............................................... 91
Permanently disabling Solaris agents .............................................. 92
Enabling a disabled Solaris agent ...................................................... 93
Disabling and enabling Linux agents ........................................................93
Temporarily disabling the IPS driver ............................................... 93
Permanently disabling Linux agents ................................................ 93
Enabling a disabled Linux agent ........................................................ 94
Disabling and enabling HP-UX agents .....................................................94
Temporarily disabling HP-UX agents ...............................................94
Permanently disabling HP-UX agents .............................................. 95
Enabling a disabled HP-UX agent ...................................................... 95
Disabling and enabling AIX agents ........................................................... 95
Temporarily disabling AIX agents ....................................................96
Permanently disabling AIX agents .................................................... 96
Enabling a disabled AIX agent ........................................................... 96
Disabling and enabling Tru64 agents .......................................................97
Temporarily disabling Tru64 agents ................................................ 97
Permanently disabling Tru64 agents ...............................................97
Enabling a disabled Tru64 agent ....................................................... 98
Monitoring and restarting UNIX agents .......................................................... 98
Troubleshooting agent issues ............................................................................99
Chapter 5 Migrating to the latest version
Migrating legacy installations of Symantec Critical System Protection ..101
Providing scspdba password during management server upgrade ...102
Unattended Windows agent migration ..................................................103
Specifying the management server list for an agent ...........................103
Migrating other legacy agent installations ...................................................105
Checklist for migrating from Symantec Intruder Alert ..............................106
Checklist for migrating from Symantec Host IDS ........................................108
Migrating legacy agent software .....................................................................109
Preparing for detection policy migration ......................................................109
Installing the authoring environment and policy conversion utility 110
Copying files required for the policy conversion utility ......................110
Migrating legacy detection policy files ..........................................................111
Converting legacy detection policy files ................................................111
Importing the zip file ................................................................................113
Creating a new policy ................................................................................113
Validating your rules ................................................................................114
Validating rule types and criteria ...........................................................115
Configuring an option group ...................................................................116
Compiling a policy .....................................................................................116
Applying policies created and compiled in the authoring environment .........................................117
Index
Chapter 1
Introducing Symantec™ Critical System Protection

This chapter includes the following topics:
About Symantec Critical System Protection
Components of Symantec Critical System Protection
How Symantec Critical System Protection works
About the policy library
Where to get more information

About Symantec Critical System Protection

Symantec™ Critical System Protection provides policy-based behavior control and detection for desktop and server computers. Symantec Critical System Protection provides a flexible computer security solution that is designed to control application behavior, block port traffic, and provide host-based intrusion protection and detection. Symantec Critical System Protection provides this security by controlling and monitoring how processes and users access resources.
Symantec Critical System Protection agents control behavior by allowing and preventing specific actions that an application or user might take. For example, a Symantec Critical System Protection prevention policy can specify that an email application may not spawn other processes, including dangerous processes like viruses, worms, and Trojan horses. However, the email application can still read and write to the directories that it needs to access.
Symantec Critical System Protection agents detect behavior by auditing and monitoring processes, files, log data, and Windows® registry settings. For example, a Symantec Critical System Protection detection policy can specify to monitor the Windows registry keys that the Welchia worm changes during infection and send an alert. As a result, Windows registry security-related events can be put into context and appropriate measures taken.
Components of Symantec Critical System Protection
Symantec Critical System Protection includes management console and server components, and agent components that enforce policies on computers. The management server and management console run on the Windows® operating system. The agents run on Windows and UNIX operating systems.
The major components of Symantec Critical System Protection are as follows:
Management console (coordinate, distribute, and manage policies and agents): The management console lets you manage Symantec Critical System Protection policies and agents, and perform administrative tasks such as creating user accounts, restricting the functions that they can access, modifying policies, configuring alerts, and running reports.
Management server (store and correlate agent events and the policy library): The management server stores policies in a central location and provides an integrated, scalable, flexible, agent and policy management infrastructure. The management server coordinates policy distribution, and manages agent event logging and reporting.
Agent (enforce policy on the endpoints): Each Symantec Critical System Protection agent enforces rules that are expressed in policies, thereby controlling and monitoring application (process) and user behavior.
Authoring environment (edit the policy library): The authoring environment lets users author prevention and detection policies.

How Symantec Critical System Protection works
Symantec Critical System Protection controls and monitors what programs and users can do to computers. Agent software at the endpoints controls and monitors behavior based on policy. There are two types of policies: prevention and detection. An agent enforces one prevention policy at a time. An agent can enforce one or more detection policies simultaneously.
For example, prevention policies can contain a list of files and registry keys that no program or user can access. Prevention policies can contain a list of UDP and TCP ports that permit and deny traffic. Prevention policies can deny access to startup folders. Prevention policies also define the actions to take when unacceptable behavior occurs.
Detection policies can contain a list of files and registry keys that when deleted, generate an event in the management console. Detection policies can also be configured to generate events when known, vulnerable CGI scripts are run on Microsoft Internet Information Server (IIS), when USB devices are inserted and removed from computers, and when network shares are created and deleted.
Communication between the management server and the management console is secured with Secure Sockets Layer X.509 certificate-based channel encryption.

About the policy library

Symantec Critical System Protection provides a policy library that contains preconfigured prevention and detection policies, which you can use and customize to protect your network. A prevention policy is a collection of rules that governs how processes and users access resources. A detection policy is a collection of rules that are configured to detect specific events and take actions.
Where to get more information
Product manuals for Symantec Critical System Protection are available on the Symantec Critical System Protection installation CD. Updates to the documentation are available from the Symantec Technical Support and Platinum Support Web sites.
The Symantec Critical System Protection product manuals are as follows:
Installation Guide: Install the Symantec Critical System Protection components.
Administration Guide: Manage policies and agents, and perform basic administrative tasks such as creating user accounts for accessing the management console and authoring environment.
Policy Override Guide: Use the policy override tool to override prevention policy enforcement on Windows, Solaris, or Linux agent computers.
Prevention Policy Reference Guide: Description of Symantec Critical System Protection prevention policies.
Detection Policy Reference Guide: Description of Symantec Critical System Protection detection policies.
Policy Authoring Guide: Author prevention and detection policies.
Agent Event Viewer Guide: Use the agent event viewer to display recent events that were reported by a Symantec Critical System Protection agent.
Release Notes: Description of new features and enhancements for the latest version of Symantec Critical System Protection.
You can obtain additional information from the following Symantec Web sites:
Public Knowledge Base, releases and updates, manuals and other documentation, and contact options: http://www.symantec.com/techsupp/enterprise/
Virus and other threat information and updates: http://securityresponse.symantec.com
Product news and updates: http://enterprisesecurity.symantec.com
Platinum Support Web access: https://www-secure.symantec.com/platinum/
Chapter 2
Planning the installation

This chapter includes the following topics:
About planning the installation
About network architecture and policy distribution
System requirements
Disabling Windows XP firewalls
About using firewalls with Symantec Critical System Protection
About name resolution
About IP routing
About intrusion prevention
About simple failover
About the Windows NT agent installation
About log files

About planning the installation

You can install the management console and management server on the same computer or on separate computers. You can install agents on any computer. All computers must run a supported operating system.

About network architecture and policy distribution

When you install Symantec Critical System Protection for the first time for testing purposes, you do not need to consider network architecture and policy distribution. You can install a management server and management console,
along with a few agents, and become familiar with Symantec Critical System Protection operations. When you are ready to roll out policies to your production environment, you can roll out different policies that are based on computing needs, and prevention and detection levels.
Areas where computing needs and prevention and detection levels might differ include the following:
Local workstations
Remote annex workstations
Computers that run production databases
Computers that are located in demilitarized zones (DMZ) such as Web servers, mail proxy servers, public DNS servers
Prevention policies pushed to local and remote workstations would most likely be less restrictive than prevention policies pushed to production databases and DMZ servers.
Detection policies pushed to local workstations, production databases, and DMZ servers would also differ. Detection policies pushed to production databases and DMZ servers are more likely to offer more signatures than policies pushed to workstations.
You can distribute different policies to different computers by creating agent groups with the management console and then associating the agents with one or more groups during agent installation. You first create the groups using the management console, set the different policies for the groups, and then associate the agents with the groups during installation. It is not necessary, however, to associate an agent with a group during installation. You can perform this operation after installation.
See the Symantec Critical System Protection Administration Guide for details on how to create agent groups.
System requirements
System requirements fall into the following categories:
Operating system requirements
Hardware requirements

Operating system requirements

Table 2-1 lists Symantec Critical System Protection component operating system requirements:
Table 2-1 Operating system requirements (columns: Component, Operating system, Service pack, Kernel version)
Management console
    Windows 2000 Professional/Server/Advanced Server (service pack: SP4)
    Windows XP Professional (service pack: SP1 or later)
    Windows Server™ 2003 Standard/Enterprise 32-bit (service pack: SP1, R2)
    Windows Server 2003 Standard/Enterprise 64-bit (service pack: SP1, R2)
Management server
    Windows Server 2003 Standard/Enterprise 32-bit (service pack: SP1, R2)
    Windows Server 2003 Standard/Enterprise x64 (service pack: SP1, R2)
Agent
    Windows 2000 Professional/Server/Advanced Server (service pack: SP4 or later)
    Windows XP Professional (service pack: SP1 or later)
    Windows Server 2003 Standard/Enterprise x64 (service pack: SP1, R2)
    Windows Server 2003 Standard/Enterprise 32-bit (service pack: SP1, R2)
    Windows NT® Server 4, patch 6a
    Sun™ Solaris™ 8.0/9.0/10.0 (kernel: 32-bit and 64-bit kernel). See “Solaris packages” on page 18.
    Red Hat® Enterprise Linux ES 3.0 (kernel: 2.4.21-20 (update 3, released 2004-09), 2.4.21-27 (update 4, released 2004-12), 2.4.21-32 (update 5, released 2005-05), 2.4.21-37 (update 6, released 2005-09)). See “Linux kernel driver support” on page 19.
    Red Hat Enterprise Linux ES 4.0 (kernel: 2.6.9-5.EL, 2.6.9-11.EL (update 1, released 2005-06), 2.6.9-22.EL (update 2, released 2005-10), 2.6.9-34.EL (update 3, released 2006-03))
    SUSE® Enterprise Linux 8 (kernel: 2.4.21-304 (SP4, released 2005-03), 2.4.21-306 (kernel update, released 2006-02)). See “Linux kernel driver support” on page 19.
    SUSE Enterprise Linux 9 (kernel: 2.6.5-7.97, 2.6.5-7.139 (SP1, released 2005-01), 2.6.5-7.191 (SP2, released 2005-07), 2.6.5-7.244 (SP3, released 2006-04), 2.6.5-7.252 (kernel update))
    Hewlett-Packard® HP-UX® 11.11 (11i v1)/11.23 (11i v2) PA-RISC (IDS only)
    Hewlett-Packard HP-UX 11.23 (v2)/11.31 (v3) on Itanium 2® Processor (IDS only) (kernel: 64-bit kernel)
    Hewlett-Packard Tru64 UNIX® 5.1B-3 (IDS only)
    IBM® AIX® 5.1/5.2/5.3 PowerPC® (IDS only) (kernel: 32-bit and 64-bit kernel)
Solaris packages
The agent installation checks for the presence of Solaris system packages.
The following core system packages are required for computers running Solaris 8.0, Solaris 9.0, and Solaris 10.0 operating systems:
SUNWcar Core Architecture, (Root)
SUNWkvm Core Architecture, (Kvm)
SUNWcsr Core Solaris, (Root)
SUNWcsu Core Solaris, (Usr)
SUNWcsd Core Solaris Devices
SUNWcsl Core Solaris Libraries
SUNWloc System Localization
The following extended system packages are required for computers running Solaris 8.0, Solaris 9.0, and Solaris 10.0 operating systems:
SUNWxcu4 XCU4 Utilities (utilities conforming to XCU4 specifications, XPG4 utilities)
SUNWesu Extended System Utilities
SUNWuiu8 Iconv modules for UTF-8 Locale
Linux kernel driver support
The Symantec Critical System Protection agent supports the Linux kernel for Red Hat Enterprise Linux ES 3.0 and ES 4.0 and SUSE Enterprise Linux 8 and Linux 9 SP4. The agent comes packaged with precompiled drivers that support the latest stock kernel versions.
The Linux stock kernel versions are as follows:
Red Hat Enterprise Linux ES 3.0: 2.4.21-4.EL, 2.4.21-9.EL, 2.4.21-15.EL, 2.4.21-20.EL, 2.4.21-27.EL, 2.4.21-32.EL, 2.4.21-37.EL
Red Hat Enterprise Linux ES 4.0: 2.6.9-5.EL, 2.6.9-11.EL, 2.6.9-22.EL, 2.6.9-34.EL
SUSE Enterprise Linux 8: 2.4.21-304, 2.4.21-306
SUSE Enterprise Linux 9: 2.6.5-7.97, 2.6.5-7.139, 2.6.5-7.191, 2.6.5-7.244, 2.6.5-7.252
If a system is configured with a different kernel, the agent attempts to load the latest driver version available for the system during boot.
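The two preceding checks (required Solaris packages and a kernel with a precompiled driver) are worth scripting before an agent rollout, so that a host that would fall back to a mismatched driver or fail the package check is found before the installer runs. The following POSIX shell script is an added example, not part of the Symantec installer. It assumes that `pkginfo` prints the package instance name in its second field, that on Red Hat kernels `uname -r` may carry an smp or hugemem suffix that the driver match should ignore, and it embeds a constructed `pkginfo` sample for a host that lacks SUNWuiu8.

```shell
#!/bin/sh
# Pre-installation prerequisite check (added example, not Symantec's installer).
# Package names come from the "Solaris packages" list and kernel versions from
# the "Linux kernel driver support" list in this guide.

# Required Solaris packages (core and extended).
SOLARIS_REQUIRED="SUNWcar SUNWkvm SUNWcsr SUNWcsu SUNWcsd SUNWcsl SUNWloc SUNWxcu4 SUNWesu SUNWuiu8"

# Stock kernels for which the agent ships precompiled drivers.
RHEL3_KERNELS="2.4.21-4.EL 2.4.21-9.EL 2.4.21-15.EL 2.4.21-20.EL 2.4.21-27.EL 2.4.21-32.EL 2.4.21-37.EL"
RHEL4_KERNELS="2.6.9-5.EL 2.6.9-11.EL 2.6.9-22.EL 2.6.9-34.EL"
SLES8_KERNELS="2.4.21-304 2.4.21-306"
SLES9_KERNELS="2.6.5-7.97 2.6.5-7.139 2.6.5-7.191 2.6.5-7.244 2.6.5-7.252"

# missing_packages PKGINFO_OUTPUT
#   PKGINFO_OUTPUT is the text printed by `pkginfo` (one line per package:
#   category, package instance, description). Prints each required package whose
#   instance name is absent, one per line; prints nothing when all are present.
missing_packages() {
    pkginfo_out=$1
    for pkg in $SOLARIS_REQUIRED; do
        # Compare the second field exactly so SUNWcsr does not satisfy SUNWcsru.
        if ! printf '%s\n' "$pkginfo_out" | awk -v p="$pkg" '$2 == p { found = 1 } END { exit !found }'; then
            printf '%s\n' "$pkg"
        fi
    done
}

# kernel_base RELEASE
#   Strips a Red Hat flavour suffix (smp, hugemem) from a `uname -r` string so
#   that 2.6.9-34.ELsmp is compared as 2.6.9-34.EL. Assumption: the precompiled
#   drivers are keyed by the base release, as the guide lists them.
kernel_base() {
    printf '%s\n' "$1" | sed -e 's/smp$//' -e 's/hugemem$//'
}

# kernel_supported RELEASE KERNEL_LIST
#   Returns 0 when the base of RELEASE is one of the stock kernels in KERNEL_LIST,
#   1 otherwise (the agent would then fall back to the latest driver it carries).
kernel_supported() {
    base=$(kernel_base "$1")
    for k in $2; do
        [ "$k" = "$base" ] && return 0
    done
    return 1
}

# Constructed sample `pkginfo` output for a host that lacks SUNWuiu8.
SAMPLE_PKGINFO='system      SUNWcar        Core Architecture, (Root)
system      SUNWkvm        Core Architecture, (Kvm)
system      SUNWcsr        Core Solaris, (Root)
system      SUNWcsu        Core Solaris, (Usr)
system      SUNWcsd        Core Solaris Devices
system      SUNWcsl        Core Solaris Libraries
system      SUNWloc        System Localization
system      SUNWxcu4       XCU4 Utilities
system      SUNWesu        Extended System Utilities'

# Usage on a live host (uncomment to run):
#   missing_packages "$(pkginfo)"
#   rel=$(uname -r); kernel_supported "$rel" "$RHEL4_KERNELS" || echo "no precompiled driver for $rel"
```

Run `missing_packages` against the real `pkginfo` output on a Solaris host and `kernel_supported` against `uname -r` with the list for the distribution in question; an empty package list and a zero exit status mean the host matches what the guide documents, and anything else is worth resolving before installing the agent rather than relying on the boot-time driver fallback.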

Hardware requirements

Table 2-2 lists the recommended hardware for Symantec Critical System Protection components.
Table 2-2 Recommended hardware
Component           Hardware                                           Specific OS (if applicable)
Management console  150 MB free disk space
                    256 MB RAM
                    Pentium III 1.2 GHz
Management server   1 GB free disk space (all platforms and databases)
                    1 GB RAM
                    Pentium III 1.2 GHz
                    EM64T                                              Windows Server 2003 Standard/Enterprise x64
                    AMD™64                                             Windows Server 2003 Standard/Enterprise x64
Agent               100 MB free disk space (all platforms)
                    256 MB RAM
                    Pentium III 1.2 GHz
                    Sun SPARC™ 450 MHz                                 Sun Solaris 8, 9, 10
                    Sun SPARC32, SPARC64                               Sun Solaris 10
                    Hewlett-Packard PA-RISC 450 MHz                    HP-UX on PA-RISC
                    IBM PowerPC® (CHRP) 450 MHz                        AIX
                    x86                                                Windows NT Server; Windows Server 2003 32-bit; Windows XP Professional; Red Hat Enterprise Linux ES 3.0, 4.0; SUSE Linux Enterprise 8, 9; Sun Solaris 10 (IDS only in non-global zone)
                    EM64T                                              Windows Server 2003 Standard/Enterprise x64; Red Hat Enterprise Linux ES 3.0, 4.0; SUSE Linux Enterprise 9; Sun Solaris 10 (IDS only in non-global zone)
                    AMD™64                                             Windows Server 2003 Standard/Enterprise x64; Red Hat Enterprise Linux ES 3.0, 4.0; SUSE Linux Enterprise 8, 9; Sun Solaris 10 (IDS only in non-global zone)
                    IA32                                               SUSE Linux Enterprise 8
                    IA64                                               HP-UX on Itanium 2
                    Alpha                                              Tru64 5.1B-3

Disabling Windows XP firewalls
Windows XP and Windows 2003 Server contain firewalls that are enabled by default. If these firewalls are enabled, you might not be able to establish network communications between the management console, management server, and agents.

Disabling Internet Connection Firewall

Windows XP with Service Pack 1 includes a firewall called Internet Connection Firewall that can interfere with network communications. If any of your computers run Windows XP, you can disable the Windows XP firewall before or after you install Symantec Critical System Protection components.
To disable Internet Connection Firewall
1 On the Windows XP taskbar, click Start > Control Panel.
2 In the Control Panel window, double-click Network Connections.
3 In the Network Connections window, right-click the active connection, and then click Properties.
4 On the Advanced tab, under Internet Connection Firewall, uncheck Protect my computer and network by limiting or preventing access to this computer from the Internet.
5 Click OK.

Disabling Windows Firewall

Windows XP with Service Pack 2 and Windows 2003 Server include a firewall called Windows Firewall that can interfere with network communications. If any of your computers run Windows XP with Service Pack 2 or Windows Server 2003, you can disable Windows Firewall before or after you install Symantec Critical System Protection components.
To disable Windows Firewall
1 On the Windows XP taskbar, click Start > Control Panel.
2 In Control Panel, double-click Network Connections.
3 In the Network Connections window, right-click the active connection, and then click Properties.
4 On the Advanced tab, under Internet Connection Firewall, click Settings.
5 In the Windows Firewall window, on the General tab, uncheck On (recommended).
6 Click OK.
About using firewalls with Symantec Critical System Protection
To use Symantec Critical System Protection with a firewall, you need to configure the firewall to support communications by opening ports, or by specifying trusted services.
Note: All ports are default settings that you can change during installation.
You should note the following about using firewalls with Symantec Critical System Protection:
The management server uses UDP port 1434 to query the MS SQL Server system and find the port used by the Symantec Critical System Protection instance. Once the MS SQL Server system returns the port for the Symantec Critical System Protection instance, the management server then connects to the instance using that port. Thus, your firewall must allow traffic from the management server to the MS SQL Server system on UDP port 1434 and on the TCP port used by the Symantec Critical System Protection instance. You can get more information about MS SQL Server's use of ports at http://support.microsoft.com/default.aspx?scid=kb;EN-US;823938.
The bulk log transfer feature of the Symantec Critical System Protection agent is implemented by bulklogger.exe. If you have a host-based firewall that allows specific programs to access the Internet, you must allow bulklogger.exe as well as SISIPSService.exe to access the Internet. The bulklogger.exe program uses the same ports as SISIPSService.exe. If you do not use the bulk log transfer feature, bulklogger.exe will not run.
Table 2-3 lists the services that you can permit to send and receive traffic through your firewalls.
Table 2-3 Components, services, and traffic
Component           Service            Traffic
Management console  Console.exe        Communicates with the management server using remote TCP ports 4443, 8006, and 8081.
Management server   SISManager.exe     Communicates with the management console using local TCP ports 4443, 8006, and 8081.
                                       Communicates with the agents using local TCP port 443.
                                       Communicates with remote production SQL servers using the remote TCP port that the SQL server uses for the server instance.
Agent               SISIPSService.exe  Communicates with the management server using local TCP port 2222, and remote TCP port 443.
                    sisipsdaemon
                    bulklogger.exe
About name resolution
To verify proper name resolution for the management server, use a utility, such as nslookup, to look up the host name for the management server. If you cannot resolve the host name of the management server, you will need to modify the DNS database or the host file that the client uses to look up host names.
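A connectivity pre-check that combines the name resolution step with the remote TCP ports from Table 2-3, added here as an example and not part of the product or this guide. The component names, the result dictionary and the injectable resolver and connector are assumptions made for the example.

```python
"""Connectivity pre-check for Symantec Critical System Protection components.

Added example, not product code: it encodes the remote TCP ports from
Table 2-3 and checks that the management server name resolves (the
nslookup step under "About name resolution") and that those ports answer
through any firewall in the path. The resolver and connector are
injectable so the logic can be exercised offline with constructed results.
"""
import socket

# Remote TCP ports each component opens toward the management server.
REMOTE_PORTS = {
    "console": (4443, 8006, 8081),  # Console.exe -> SISManager.exe
    "agent": (443,),                # SISIPSService.exe / sisipsdaemon -> server
}


def tcp_reachable(ip, port, timeout=3.0):
    """True when a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_server_access(component, server, resolve=socket.gethostbyname,
                        connect=tcp_reachable):
    """Resolve `server` and probe the ports `component` needs.

    Returns {"ip": resolved address or None, "error": lookup error or None,
    "blocked": ports that did not answer}. A lookup failure is reported
    before any port is probed: fix DNS or the hosts file first. In a DMZ the
    name must resolve to the forwarded DMZ address, not the internal one.
    """
    ports = list(REMOTE_PORTS[component])
    try:
        ip = resolve(server)
    except OSError as exc:
        return {"ip": None, "error": str(exc), "blocked": ports}
    return {"ip": ip, "error": None,
            "blocked": [p for p in ports if not connect(ip, p)]}


if __name__ == "__main__":
    import sys
    component, server = sys.argv[1], sys.argv[2]  # e.g. agent scsp-server
    result = check_server_access(component, server)
    if result["error"]:
        print("cannot resolve %s: %s" % (server, result["error"]))
    elif result["blocked"]:
        print("%s resolved to %s; blocked TCP ports: %s"
              % (server, result["ip"], result["blocked"]))
    else:
        print("%s (%s): all %s ports reachable" % (server, result["ip"], component))
```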

About IP routing
As bastion hosts, firewalls traditionally incorporate some form of network address translation (NAT) between the two networks that the firewall bridges. For example, the management server may be on an internal network while the Agents are in a DMZ network, with a firewall between the two networks. Typically, the internal network IP addresses are hidden from the DMZ network, and are not routable from the DMZ network.
To allow the agents in the DMZ network to communicate with the management server on the internal network, use a DMZ IP address to represent the management server. Then, configure the firewall or router to forward requests for this IP address and port to the real, internal IP address of the management server. Open the agent port only if the agents are in a DMZ. Finally, configure the name database on the DMZ network to return the DMZ IP address for the management server instead of the internal IP address.

About intrusion prevention

The Symantec Critical System Protection agent installation kit includes an enable intrusion prevention option. When the enable intrusion prevention option is selected, the prevention features of Symantec Critical System Protection are enabled for the agent. The IPS drivers are loaded on the agent computer, and the agent accepts prevention policies from the management console.
When the enable intrusion prevention option is not selected, the prevention features of Symantec Critical System Protection are completely disabled for the agent. The IPS drivers are not loaded on the agent computer, and the agent does not accept prevention policies from the management console.
Symantec strongly recommends that you enable the intrusion prevention option when installing agents. Changing this option after installation (to disable or re-enable it) requires logging on to the agent computer, running the Agent Config Tool, and rebooting the agent computer.
If you are only interested in the detection features of Symantec Critical System Protection, Symantec recommends that you select the enable intrusion prevention option during agent installation, and use the Null prevention policy to avoid any blocking. If you later decide to use the prevention features of Symantec Critical System Protection, you simply apply one of the prevention policies that are included with the product. Applying a policy requires no logging on to the agent computer, no running of the Agent Config Tool, and no rebooting of the agent computer.
By default, the enable intrusion prevention option is selected during Symantec Critical System Protection agent installation.
Symantec Critical System Protection supports intrusion prevention on computers that run Windows, Solaris, and Linux operating systems.

About simple failover

Symantec Critical System Protection includes simple failover. Should the primary management server fail, simple failover lets agents automatically switch to the next management server in an ordered list of alternate servers.
Simple failover enables you to deploy a set of front-end Tomcat servers without reconfiguring your IT infrastructure. The ordered list of management server host names or IP addresses is maintained by the Symantec Critical System Protection agent configuration.
Another use for simple failover is static load balancing. With static load balancing, you manually assign a set of agents to each Tomcat server. Each agent can fail to a different Tomcat server if its primary server becomes inaccessible.

How simple failover works

Simple failover works as follows:
When the IPS Service starts up, it uses the first server in the ordered list of management servers. The first server in the ordered list is considered the primary management server; the remaining servers are alternate servers. The IPS Service uses server #1 as long as communication with the server is successful.
At startup, the IPS Service always uses the first server in the ordered list of management servers, regardless of which server was in use when the IPS Service was shut down.
When the ordered list of management servers changes, the IPS Service immediately attempts to connect to the first server in the new list.
When communication with a server fails, the IPS Service uses the next server in the ordered list of management servers. When communication with the last server fails, the IPS Service uses the first server in the list. The IPS Service loops through the ordered list of management servers indefinitely.
When the IPS Service switches to a new management server, it logs the action.
Once the IPS Service fails away from the first server in the ordered list, it periodically checks if server #1 is back, based on the fail back interval. See “About the fail back interval” on page 26.
When the fail back interval expires, the IPS Service checks if server #1 is available. If server #1 is available, the IPS Service starts using it immediately. If server #1 is not available, the IPS Service continues to use the current alternate server; the IPS Service does not traverse the entire ordered list of management servers.
Simple failover with static load balancing works as described in the following example:
Suppose you have two Tomcat servers pointing to a single database, and two agents.
You initially configure Agent1 with a management server list of Tomcat1, Tomcat2. You initially configure Agent2 with a management server list of Tomcat2, Tomcat1.
After installation completes, Agent1 should be talking to Tomcat1, and Agent2 should be talking to Tomcat2.
Take Tomcat1 off the network.
Agent1 should fail talking to Tomcat1 and switch to Tomcat2. Now both agents are talking to Tomcat2.
Put Tomcat1 back on the network.
Wait longer than the fail back interval.
Agent1 should fail back to Tomcat1. Agent2 continues to use Tomcat2.
Everything is back to the initial state; both agents should be communicating successfully with their original Tomcat servers.

About the fail back interval

Once an agent fails away from the first server in an ordered list, the agent periodically checks if the first server is back. The agent uses a fail back interval to determine when to perform this server check. By default, the agent performs the server check every 60 minutes.
For example, suppose you configured three management servers. The primary server #1 and alternate server #2 have failed; alternate server #3 is working. When the fail back interval expires, the agent checks if server #1 is available. If server #1 is available, the agent immediately starts using server #1. If server #1 is not available, the agent continues to use server #3; it does not recheck the ordered list of servers. The agent resets the fail back interval, so it can perform future server checks.
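A simulation of the failover rules in “How simple failover works” and the fail back interval described above, including the two-agent static load balancing example, added here as an example and not part of the product or this guide. The Agent class, the set of reachable server names and the simulated clock in minutes are assumptions made for the model.

```python
"""Simple failover and fail back ("How simple failover works" and "About the
fail back interval"). Added example, not product code: reachable servers are
passed as a set of names and time as a simulated clock in minutes, both
assumptions made for the model.
"""

class Agent:
    def __init__(self, name, servers, fail_back_interval=60):
        self.name = name
        self.servers = list(servers)  # ordered list; servers[0] is the primary
        self.fail_back_interval = fail_back_interval
        self.index = 0                # startup always uses the first server
        self.next_check = None        # minute of the next primary-server check
        self.log = []                 # the service logs every switch

    @property
    def current(self):
        return self.servers[self.index]

    def set_server_list(self, servers):
        """A changed list makes the service try the new first entry at once."""
        self.servers, self.index, self.next_check = list(servers), 0, None

    def communicate(self, reachable, now):
        """One contact attempt at minute `now`; returns the server that answered.
        Failure moves to the next entry, wrapping round (a full round with no
        answer raises here; the real service loops indefinitely). After failing
        away from the primary, only the primary is rechecked when the interval expires."""
        if self.index != 0 and self.next_check is not None and now >= self.next_check:
            if self.servers[0] in reachable:
                self.log.append((now, self.name, "fail back to", self.servers[0]))
                self.index, self.next_check = 0, None
            else:  # primary still down: stay on the current alternate, rearm timer
                self.next_check = now + self.fail_back_interval
        for _ in range(len(self.servers)):
            if self.current in reachable:
                break
            failed = self.current
            self.index = (self.index + 1) % len(self.servers)
            self.log.append((now, self.name, "switch", failed, self.current))
        else:
            raise ConnectionError("%s: no management server reachable" % self.name)
        if self.index == 0:
            self.next_check = None
        elif self.next_check is None:
            self.next_check = now + self.fail_back_interval
        return self.current

def static_load_balancing_scenario():
    """Walk through the two-agent example from the text; returns the servers
    (Agent1, Agent2) are using after each step."""
    agent1 = Agent("Agent1", ["Tomcat1", "Tomcat2"])
    agent2 = Agent("Agent2", ["Tomcat2", "Tomcat1"])
    timeline = [
        (0, {"Tomcat1", "Tomcat2"}),   # after installation
        (10, {"Tomcat2"}),             # take Tomcat1 off the network
        (30, {"Tomcat1", "Tomcat2"}),  # Tomcat1 back, interval not yet expired
        (80, {"Tomcat1", "Tomcat2"}),  # waited longer than the 60 minute interval
    ]
    return [(agent1.communicate(up, t), agent2.communicate(up, t)) for t, up in timeline]
```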

Specifying the management server list for an agent

To use simple failover for an agent, you must provide the list of primary and alternate management servers using one of the following methods:
If you are installing Symantec Critical System Protection for the first time, you provide the list of primary and alternate management servers during agent installation.
If you are upgrading to Symantec Critical System Protection 5.1.1 or higher, you provide the list of primary and alternate management servers using the agent config tool.
To use simple failover, you must upgrade the management server, management console, and agent to version 5.1.1 or higher.
See “Migrating legacy installations of Symantec Critical System Protection” on page 101.
The primary and alternate management server host names or IP addresses configured for a single agent must be Tomcat servers that talk to a single Symantec Critical System Protection database. Using multiple databases can result in unexpected agent behavior.
The primary and alternate management servers must use the same server certificate and agent port.

About the Windows NT agent installation
You can install the Symantec Critical System Protection agent on computers that run Windows NT Server.
The Windows NT agent differs from the other Windows agents in the following ways:
The Windows NT agent has a separate installation kit (agent-windows-nt.exe).
All Windows NT agents must use the Windows NT prevention policy. The Windows NT prevention policy has significantly fewer PSETs and options than the other Windows prevention policies. The Windows NT prevention policy only works with Windows NT agents.
The Windows NT policy is not part of the Symantec Critical System Protection installation. You must install the Windows NT policy separately.
See “Installing the Windows NT policy” on page 64.
Windows NT Server does not provide a safe mode startup to allow booting a Windows NT agent without the Symantec Critical System Protection drivers. To temporarily disable agents that run on Windows NT Server, you create an alternate hardware profile with the drivers disabled.
See “Temporarily disabling Windows NT agents” on page 69.
Symantec Critical System Protection services (IPS Service, IDS Service, Util Service) do not automatically restart after aborting.

About log files

Symantec Critical System Protection uses log files to record events and messages related to agent and management server activity.
Multiple versions of a log file may exist, as old versions are closed and new versions are opened. The versions are denoted by a number (for example, SISIDSEvents23.csv, sis-console.3.log).
See the Symantec Critical System Protection Administration Guide for more information on log files.
Table 2-4 lists the Symantec Critical System Protection agent log files.
Table 2-4 Agent log files
File name          Description                                      Default location
SISIPSService.log  This log file contains events that are related   Windows: Program Files\Symantec\Critical System Protection\Agent\scsplog\
                   to the following:                                UNIX: /var/log/scsplog/
                   Agent service operation
                   Applying policies and configuration settings
                   Communication with the management server
SISIDSEvents*.csv  This log file contains all events recorded by    Windows: Program Files\Symantec\Critical System Protection\Agent\scsplog\
                   the Symantec Critical System Protection agent.   UNIX: /var/log/scsplog/
                   The asterisk in the file name represents a
                   version number.

Table 2-5 lists the management server log files.
Table 2-5 Management server log files
File name          Description                                                  Default location
sis-agent.*.log    This log file is used for agent activity. The asterisk in    Windows: Program Files\Symantec\Critical System Protection\Server\Tomcat\logs
                   the file name represents a version number.
sis-alert.*.log    This log file is used for alert activity. The asterisk in    Windows: Program Files\Symantec\Critical System Protection\Server\Tomcat\logs
                   the file name represents a version number.
sis-console.*.log  This log file is used for console activity. The asterisk in  Windows: Program Files\Symantec\Critical System Protection\Server\Tomcat\logs
                   the file name represents a version number.
sis-server.*.log   This log file is used for general server messages. The       Windows: Program Files\Symantec\Critical System Protection\Server\Tomcat\logs
                   asterisk in the file name represents a version number.
What to do after installation
You can begin enforcing the Symantec Critical System Protection policies on agents immediately after agent installation and registration with the management server.
Symantec recommends that you first apply a policy to a few agents, and then verify that the agent computers are functioning properly with the applied policy.
See the Symantec Critical System Protection Administration Guide for information about applying policies to agents.