•
DeploymentDeployment success depends on everything you do up to this point. Push the big red button! How will it affect your environment? If you carefully performed all the steps outlined in previous phases, you should be able to answer that question.
•
Postdeployment Analysis and Ongoing WorkThe deployment successfully completed. Now what? If you are not careful about your planning and preparation throughout your information gathering and pilot phases, you might miss a piece critical to the success of your project. How do you correct those gaps and ensure they do not happen the next time you upgrade CSA? What ongoing training do you need to ensure that support staff, administrators, and users all have the tools they need to do their jobs with CSA in their environment?
It might seem like a huge amount of work, but depending on the size of your environment, many of these phases can be resolved in a few short meetings. However, to carry out an effective pilot and deployment, you must thoroughly understand your environment. The next section looks at what information you need to gather and how to proceed.
Understanding the Environment
CSA might be a host (desktop, laptop, server) security software package, but you need to understand all the aspects of your environment to:
•
Maximize your ROI.•
Apply security policies in CSA effectively so they match your expectations for a secure environment.•
Minimize the effects on your environment (network, system, enduser).You want to accomplish the three tasks listed previously because you do not want to do all the work outlined in the first half of this chapter only to have users select CSA as the first package they try to remove from their workstations after you install it. You would not get much return for your investment (or protection).
Is it possible to use a security package that does not impact users or applications—a package users will not hate? Well, nothing is without impact, especially security packages.
However, it is possible to establish a livable balance between security and usability. After all, we all hate reimaging or remediating (for example, cleaning up) machines that have been infected.
Network
First, take a look at your network. You should gather information on several things—none unusual to any large deployment of a software package.
You need to answer some key questions first:
•
Are all your users in one location or spread geographically?•
How are the sites interconnected? Fast lines? ISDN? DSL? Dialup connections?•
What is the bandwidth between your sites? If most have pretty good bandwidth available, are there any stragglers (slow sites)?•
How do you distribute software applications to your users/systems?The following examines these questions and discusses their implications.
Having all your users in one location should typically eliminate all the other main issues.
Local bandwidth is easy to come by (100 M Ethernet or Gigabit-Ethernet are fairly common).
If your users are spread geographically, what might the CSA issues be? The CSA issues would be typical of any other software package and could be categorized as follows: regular bandwidth usage (in the case of CSA, sending events to the server and receiving
notifications from the server) and other bandwidth usage (full policy updates, deployment of the initial agent software package, and software updates to the agent itself).
There are ways to work within whatever network bandwidth level you have available to your environment, but CSA typically uses the following bandwidth in version 4.5 and later:
•
Agent sending the management console an event: 3 KB-10 KB for an average event upload.•
Agent receiving a “hint” message to poll the management console for a new policy: 1 UDP packet per deployed agent, however only if NAT has not occurred for the host on which the agent is running. If NAT has occurred, the management console detects this and does not send hint messages.•
Agent polling: 2 KB–3 KB if there are no changes. 50 KB–100 KB depending on the size of the ruleset picked up by the agent.•
Agent receiving a software update from the management console: currently 8 MB–9 MB (the size of an agent kit).As you can see, the largest network bandwidth load is the software update (or “Scheduled Software Update” in the management console software). If you have 100 people
downloading that update at the same time across a T1 link, it keeps that link fairly loaded until those updates complete.
Understanding the Environment 37
So take a look at how your users are distributed, and start thinking about how you would like to distribute both the initial copy of the CSA and updates. Ask yourself some questions about your environment:
•
Do you have any prepositioning spots available? For example, do you have the Cisco Application and Content Network System (ACNS) or other web cache engine devices in your environment where you can use them to cache the CSA software update content to save time and bandwidth for local users?•
Do you already have software distribution points deployed to most of your sites where you could preposition the software or cache it in some way to save networkbandwidth?
Servers
When deploying CSA into a server environment, you need to gather several pieces of data for use in the later phases of your project and pilot planning. Start with the operating systems in your environment and what operating systems CSA currently supports.
Reading the CSA 4.5.1 documentation, you see that CSA currently supports the following server operating systems for the end agents:
•
Sun Solaris 8 (2.8) 64-bit 12/02 edition or later (corresponds to kernelGeneric_108528-18 or higher), with SUNWlibCx libraries, and UltraSPARC single, dual, and quad processor systems
•
Microsoft Windows NT 4.0 (Service Pack 6a only—earlier service pack versions no longer have support)•
Microsoft Windows 2000 (Server, Advanced Server) with Service Pack 0, 1, 2, 3, or 4•
Microsoft Windows 2003 Server Standard, Enterprise, Web, or Small Business Edition including Service Pack 1•
RedHat Enterprise Linux (RHEL) 3.0 Advanced or Enterprise ServerFor the latest on what operating systems Cisco supports for CSA, see the release notes for the version of CSA you are getting ready to test or install.
Make a list of the operating systems you need to cover in your pilots and ensure you are supported. You might also decide to break up your pilot and rollout into phases that include the systems you can cover now and keep working with Cisco in the interim to develop support for the other operating systems you need.
All the operating systems listed previously are supported at approximately the same level.
However, you should note that there is no graphical user interface to CSA on Solaris 8. All the others have the same look and feel to the user interface as their desktop equivalents.
In a server environment, you probably do not have as many applications as you do in a typical desktop environment, but those applications are no less critical (sometimes more critical) to the operation of your business.
To be prepared, ask yourself the following questions:
•
What are the issues you currently encounter in this server environment that you can correct with CSA? For example, are viruses your biggest issue? Are unauthorized access problems causing you headaches? What about users installing applications not properly reviewed for security vulnerabilities? Is patching in a timely fashion an issue?•
Do you have a central build or default build for the servers or do server administrators build their servers however they like?•
What are your standard applications in your server environment?•
What do you want to include in your server policies to ensure appropriate protection?For example, do you want to protect web or database content from unauthorized modification? Do you want to stop application owners from modifying system software or stop application owners from installing new, unauthorized, or unreviewed applications?
The answers to those questions vary, but it is important that you have the answers for two reasons. You need to make sure you have a clear understanding of how to use the policies and capabilities of CSA, and you need to think about issues to examine.