If you're a member of the "better safe than sorry" camp, you'll probably want to disable the agent and disconnect the server from the network, install the patch or software, and then re-enable the agent (and the network connection). Our upgrade didn't require modifying the policies for IIS to continue working (except for Sana's, which had to re-adapt to the patched server), but a patch can certainly require policy changes. If a patch changes the naming convention of log files, for example, a policy that names those files exactly will start blocking writes and will need tweaking.
What We Still Want
As we said in "Last Line of Defense," implementing HIP is a pain in the rear. That's largely intentional--enacting fine control over your system, down to which registry keys and directories a process can read or write, rightfully requires hands-on attention. The Platform Logic and Cisco products both include profiling capabilities that let us specify a process or processes to watch on a server and generate a profile of the application. The resulting profile lists the directories and files the process touched, the registry entries it read or wrote, and other access-control options. We could then edit the profile by hand and import it into our rule set.
Sana's product automatically profiled our servers to determine their normal behavior, but we couldn't easily modify or even see the profile. CA doesn't offer an application profiler; rather, it simply plopped us in front of a blank screen to have fun for a few hours.
Profiling applications was a bit tricky. To illustrate the point, we profiled Notepad, a simple application by any standard, and it still generated several dozen registry reads and file-read requests. We then created a text file and saved it to the desktop. The Cisco, Sana and Platform Logic profilers interpreted this action as, "Give Notepad.exe read and write access to any .txt file on the desktop," and nowhere else. All three products attempt some wildcarding in their profilers, and the breadth of that wildcard is the trade-off to watch: a rule that is too narrow breaks the application the first time it saves somewhere new, while one that is too broad widens what a compromised process is allowed to write. In the Notepad example, Cisco's CSA gave access to any text file on the desktop for any user. Sana's product could infer when a program should have write access to an entire directory and grant it.
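To make the profiling and wildcarding behavior described above concrete, here is a small model of an application profiler written for this article's discussion; it is an added example, not code from any of the products reviewed. It records a process's file and registry accesses from a constructed trace, collapses them into wildcard rules (per-directory, per-extension for files; per-key for registry values), optionally generalizes the user name under the profile directory the way CSA's "any user's desktop" rule did, and then enforces the rules default-deny. The process names, paths, registry keys and the "any user" heuristic are all assumptions for illustration; the log-file case at the end shows why an exact-path rule breaks when a patch (or a daily rollover) changes the file name, as the earlier section warned.

```python
"""Toy model of a HIP application profiler: watch one process's file and
registry accesses, collapse them into wildcard rules, and enforce them
default-deny. Constructed example for illustration, not any vendor's code."""
import re
import ntpath
from collections import defaultdict

# Assumed Windows 2003-era per-user profile root (an assumption, not from the article).
PROFILE_ROOT = r"C:\Documents and Settings"
REGISTRY_HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")

# Constructed access trace: (process, operation, resource), as a profiler
# might record while Notepad starts, opens test.txt from the desktop and saves it.
NOTEPAD_TRACE = [
    ("notepad.exe", "read",  r"C:\WINDOWS\system32\notepad.exe"),
    ("notepad.exe", "read",  r"HKCU\Software\Microsoft\Notepad\lfFaceName"),
    ("notepad.exe", "read",  r"HKCU\Software\Microsoft\Notepad\iWindowPosX"),
    ("notepad.exe", "read",  r"C:\Documents and Settings\alice\Desktop\test.txt"),
    ("notepad.exe", "write", r"C:\Documents and Settings\alice\Desktop\test.txt"),
]

# Constructed trace for a hypothetical logging service whose log names carry a date.
LOG_TRACE = [
    ("logsvc.exe", "write", r"C:\Logs\app\ex040101.log"),
]


def _wildcard_user(path):
    """Replace the user-name component under PROFILE_ROOT with '*', the way a
    profiler generalizing to 'any user's desktop' would."""
    prefix = PROFILE_ROOT + "\\"
    if not path.upper().startswith(prefix.upper()):
        return path
    parts = path[len(prefix):].split("\\", 1)
    return ntpath.join(PROFILE_ROOT, "*", *parts[1:])


def profile(trace, process, wildcard=True, any_user=False):
    """Build {pattern: set(ops)} from one process's accesses.
    wildcard=True collapses files to '<dir>\\*<ext>' and registry values to
    '<key>\\*'; wildcard=False keeps the exact resource (brittle, see below)."""
    rules = defaultdict(set)
    for proc, op, res in trace:
        if proc.lower() != process.lower():
            continue
        pattern = res
        if wildcard:
            parent, leaf = ntpath.split(res)
            if res.upper().startswith(REGISTRY_HIVES):
                pattern = ntpath.join(parent, "*")
            else:
                pattern = ntpath.join(parent, "*" + ntpath.splitext(leaf)[1])
        if any_user:
            pattern = _wildcard_user(pattern)
        rules[pattern].add(op)
    return dict(rules)


def _compile(pattern):
    # '*' matches within a single path component only; it must not cross '\'.
    return re.compile("".join("[^\\\\]*" if c == "*" else re.escape(c)
                              for c in pattern), re.IGNORECASE)


def allowed(rules, op, resource):
    """Default-deny enforcement: allow only if some rule covers op and resource."""
    return any(op in ops and _compile(pat).fullmatch(resource)
               for pat, ops in rules.items())


if __name__ == "__main__":
    for pat, ops in sorted(profile(NOTEPAD_TRACE, "notepad.exe").items()):
        print(f"{','.join(sorted(ops)):10} {pat}")
    exact = profile(LOG_TRACE, "logsvc.exe", wildcard=False)
    loose = profile(LOG_TRACE, "logsvc.exe")
    renamed = r"C:\Logs\app\u_ex040102.log"
    print("exact rule allows renamed log:", bool(allowed(exact, "write", renamed)))
    print("wildcard rule allows renamed log:", bool(allowed(loose, "write", renamed)))
```

Note how the generated rules already show the trade-off: a read rule for `*.exe` in `system32` is broader than Notepad needs, the `.txt` rule is confined to one user's desktop until `any_user=True` widens it to everyone's, and a registry rule on the `Notepad` key grants reads of values the trace never saw. Hand-editing the profile before importing it, as the Platform Logic and Cisco products allow, is where those choices get made.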