Configuring SRS rules. Nortel Networks Nortel Secure Network Access Switch 4050


318 Chapter 7 TunnelGuard SRS Builder

Configuring SRS rules

The building blocks used to construct the Software Requirement Set (SRS) are files (or combinations of files) and registry key settings that must either be present or be absent on the client host. You can create different SRS rules for different groups.

You must use the TunnelGuard SRS Builder in the SREM to create or modify SRS rules. You cannot create your own SRS rules using the CLI.

You can use the TunnelGuard quick setup wizard in either the CLI or the SREM to create a test rule (srs-rule-test), which you can subsequently modify using the TunnelGuard SRS Builder. To create the test rule, see “Using the quick TunnelGuard setup wizard in the CLI” on page 134 or “Using the TunnelGuard Quick Setup in the SREM” on page 172. The test rule tests for the presence of the following file on the client host:

C:\tunnelguard\tg.txt

To create an SRS rule, perform the following steps:

1 Create a software definition (see “Creating a software definition” on page 327).

2 Add entries to the software definition (see “Adding entries to a software definition” on page 328 and “Creating a registry entry” on page 341).

3 Create logical expressions (see “Creating logical expressions” on page 333).

Note: When creating an SRS rule, consider the user rights that clients in your network have on their machines. For example, do not configure an SRS rule to check for registry items that users may not be authorized to access.

The TunnelGuard user interface

To learn more about an item, select one of the following topics:

“Menu commands” on page 319

“SRS definition toolbar” on page 322

320818-A


“Software Definition — Available SRS list” on page 323

“Memory snapshot” on page 325

“TunnelGuard Rule Definition screen” on page 325

Menu commands

Most functions within the TunnelGuard SRS Builder tool are accessed through the following menus:

“File menu” on page 319

“Software Definition menu” on page 319

“Software Definition Entry menu” on page 320

“TunnelGuard Rule menu” on page 321

“Tool menu” on page 321

File menu

Table 56 describes important items from the File menu.

Table 56 File menu items

Item | Description
Save | Save the SRS definition in the Nortel SNAS 4050 LDAP database.

Software Definition menu

Table 57 describes important items from the Software Definition menu.

Table 57 Software Definition menu items

Item | Description
New Software Definition | Creates a new software definition.
Delete Software Definition | Deletes the selected software definition.
Clone Software Definition | Clones the selected software definition.
Import Software Definition | Imports a software definition from an XML-formatted file.
Export Software Definition | Exports a software definition to an XML-formatted file.
Edit Software Definition Comment | Edits the comment for the selected software definition.
Auto Generate TunnelGuard Rule | Select this item to automatically create a rule when a new SRS is created.

Software Definition Entry menu

Table 58 describes important items from the Software Definition Entry menu.

Table 58 Software Definition Entry menu items

Item | Description
Add OnDisk file as entry | Select a file from the local file system, a text configuration file, for example, and add it as one component of the SRS.
Add Selected memory module as entry | Add the selected memory module from the current memory snapshot as a required entry.
Add Registry Key entry | Add the registry key entry.
Delete | Delete the selected component.
Copy | Copy the selected component.
Paste | Paste a component (from one SRS definition to another).
Custom Path | Select this option to specify a customized path to a file.
Set Version Range | Specifies a version or version range for an SRS component.
Set Date/Time Range | Specifies a date and/or time range for an SRS component.
Add Vendor-Customized API call check | Implements a third-party API call to do additional checking on the software.
Modify Registry entry | Modifies the registry entry.
Ignore Hash Checking | Select this item to ignore the hash value checking for the selected SRS entry.
Default Hash Algorithm | Select the default hash algorithm, MD5 or SHA1.

TunnelGuard Rule menu

Table 59 describes important items from the TunnelGuard Rule menu.

Table 59 TunnelGuard Rule menu items

Item | Description
New TunnelGuard Rule | Creates a new TunnelGuard rule.
Delete TunnelGuard Rule | Deletes the selected TunnelGuard rule.
Clone TunnelGuard Rule | Clones the selected TunnelGuard rule.

Tool menu

Table 60 describes important items from the Tool menu.

Table 60 Tool menu item descriptions

Item | Description
Refresh memory snapshot | Refreshes the list of processes shown in the memory snapshot area of the main screen. You may want to refresh the view if you have launched other applications while running the SRS builder or if other processes started after the SRS builder was started.


SRS definition toolbar

The buttons on the SRS definition toolbar allow you to create, delete, and manage software requirement sets. Figure 82 on page 322 describes the toolbar icons. For a description of each item, see Table 61 on page 322.

Figure 82 SRS Definition toolbar (buttons: Create a new SRS definition; Delete an existing SRS definition; Clone an SRS; Import an SRS definition from an XML file; Export an SRS definition to an XML file; Edit Software comments)

Table 61 SRS Definition toolbar item descriptions

Item | Description
Create a new SRS definition | Creates a new SRS definition.
Delete an existing SRS definition | Deletes the currently selected SRS definition.
Clone an SRS | Creates a copy of the currently selected SRS definition.
Import an SRS definition from an XML file | Imports an XML-formatted SRS definition file.
Export an SRS definition to an XML file | Exports SRS definitions to an XML-formatted file.
Edit Software comments | Adds a comment. If the check fails, the specified comment is written to the log.


Software Definition — Available SRS list

The available SRS list shown in the Software Definition section of the TunnelGuard SRS Builder main screen is initially retrieved from the Nortel SNAS 4050. The list is updated when you make changes and click Save while running the SRS Builder.

SRS Components table

When an SRS is selected in the Software Definition section that lists available SRS definitions, the components of the SRS are shown on the right-hand side in the SRS Components table. Table 62 describes the SRS components.

Table 62 SRS Components table items

Item | Description
Path | Shows the full directory path to the file location.
Process | Shows the name of the process in which the component runs. For files that exist only on disk, this column does not apply.
Version | Shows version information on the component.
Date/Time | Shows the last modified time of the component.
Registry Key | Shows the registry key entry.
Registry Expression | Shows a regular expression used to match a registry key value.
DiskOnly | If checked, the file will not be loaded in memory. If this option is combined with the API option, the file will be loaded and the API called.
API | If checked, the component contains a third-party API for further checking.
HashAlg | Shows the hash algorithm used to generate the hash.
Hash | Shows the hash value of the file.


Customizing a component

When an SRS component is selected by clicking on it, you can customize it using the toolbar below the component table, as shown in Figure 83. To learn more about available customizations, see Table 63.

Figure 83 SRS Component table toolbar

Table 63 Component customization descriptions

Item | Description
Add OnDisk file as entry | Select a file from the local file system and add it as one component of the SRS, for example, a text configuration file or a DLL. This enables you to make an API call to a DLL that is not yet loaded by TunnelGuard or the application.
Add selected memory module as entry | Add the selected memory module from current memory snapshot.
Add registry key entry | Add the registry key entry.
Delete entry | Delete the selected component.
Copy entry | Copy the selected component.
Paste entry | Paste component (from one SRS definition to another).
Customize path | Replace part of the path with a string of system environment variables. For example: %WINNT%\xxx.dll
Set version range | Specify a particular version or a version range for the selected component.
Set date/time range | Specify a last modified date/time of the component, or a date/time range.
Add/Remove Vendor API call check | Indicate if third-party API calls will be made using this component to do further checking.
Modify registry entry | Modify the registry key entry.
Ignore hash checking | Ignore hash value checking for the selected SRS entry.


Memory snapshot

The memory snapshot section in the lower half of the TunnelGuard SRS Builder Software Definition screen displays all processes currently running on the administrator’s system.

You can select and add any process currently running and loaded into the memory snapshot to the SRS set by double-clicking on it or using the Add a selected memory module menu command. To view descriptions of the information displayed, see Table 64.

Table 64 Memory snapshot item descriptions

Item | Description
Process | Shows the name of the process or file currently in memory.
PID | Shows the unique system process ID for each running process.
Description | Shows a text description, if one is available, for each process.

TunnelGuard Rule Definition screen

Select the TunnelGuard Rule Definition tab to access the rule definition screen. You use this screen to create and manage rules. The SRS Rule toolbar appears at the top of the screen.

SRS Rule toolbar

The SRS rule toolbar icons allow you to:

• Define a new SRS rule

• Delete the selected SRS rule

• Clone the selected SRS rule


SRS Rule list

The SRS Rule list shows the existing SRS rules. These rules are retrieved from the Nortel SNAS 4050 at the TunnelGuard SRS Builder applet start-up time. For a description of the information provided, see Table 65.

Table 65 SRS Rule information

Item | Description
TunnelGuard Rule Name | Shows the name of the rule.
TunnelGuard Rule Expression | Provides the rule expression.
TunnelGuard Rule Comment | Shows any comments related to the rule.

SRS Rule Expression Constructor

You use this section of the screen to define SRS rule expressions. To learn more about managing TunnelGuard rules and expressions, see “Managing TunnelGuard rules and expressions” on page 327.

Available Expression list

The Available Expression list contains the elements you need to construct the Boolean expression. The expressions can be basic SRS definitions or expressions you construct.

Rule Expression Constructor

You can group multiple SRS Rule expressions into more compound expressions using the AND, OR, or NOT operators.

Form TunnelGuard rule expression

Select this option to put the expression you created into the Available SRS Rule Expression list.
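An added example, not taken from the Nortel guide or from TunnelGuard itself: a small Python model of how a compound rule built with AND, OR and NOT evaluates over software definitions, and how the Ignore hash checking option reduces a file entry to a presence test. The entry fields, the rule that every entry of a definition must match, and every path except C:\tunnelguard\tg.txt are assumptions; all file contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEntry:
    """One on-disk entry of a software definition (a model, not Nortel's schema)."""
    path: str
    digest: str = ""
    hash_alg: str = "sha1"       # the builder offers MD5 or SHA1
    ignore_hash: bool = False    # models the "Ignore hash checking" option

    def satisfied(self, host_files):
        data = host_files.get(self.path)
        if data is None:
            return False                      # file absent on the client host
        if self.ignore_hash:
            return True                       # presence-only check
        return hashlib.new(self.hash_alg, data).hexdigest() == self.digest

def definition_ok(entries, host_files):
    # Assumption: a definition holds only if every one of its entries is satisfied.
    return all(e.satisfied(host_files) for e in entries)

def evaluate(expr, definitions, host_files):
    """expr is a definition name or a tuple ("AND"|"OR"|"NOT", operand, ...)."""
    if isinstance(expr, str):
        return definition_ok(definitions[expr], host_files)
    op, *operands = expr
    values = [evaluate(o, definitions, host_files) for o in operands]
    if op == "AND":
        return all(values)
    if op == "OR":
        return any(values)
    if op == "NOT" and len(values) == 1:
        return not values[0]
    raise ValueError(f"bad expression: {expr!r}")

# Constructed sample data: file contents and all paths except tg.txt are invented.
GOOD = b"agent build 1.0"
DEFS = {
    "tg_test": [FileEntry(r"C:\tunnelguard\tg.txt", ignore_hash=True)],
    "agent": [FileEntry(r"C:\agent\agent.dll", hashlib.sha1(GOOD).hexdigest())],
    "agent_present": [FileEntry(r"C:\agent\agent.dll", ignore_hash=True)],
    "p2p": [FileEntry(r"C:\p2p\share.exe", ignore_hash=True)],
}
RULE = ("AND", "tg_test", "agent", ("NOT", "p2p"))
LOOSE_RULE = ("AND", "tg_test", "agent_present", ("NOT", "p2p"))

COMPLIANT = {r"C:\tunnelguard\tg.txt": b"", r"C:\agent\agent.dll": GOOD}
MODIFIED = {**COMPLIANT, r"C:\agent\agent.dll": b"different bytes"}
WITH_P2P = {**COMPLIANT, r"C:\p2p\share.exe": b"x"}
```

RULE rejects the host whose agent.dll content differs from the recorded hash, while LOOSE_RULE accepts it, which is the practical cost of ignoring hash checking on an entry.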
