Burton Group names Symantec, RSA, and Websense as best DLP vendors
I recently came across an article in my Google News feed about a recent study of DLP products.
A great point from the article is that DLP is no longer concerned only with monitoring the network and what happens there; there is an even bigger need to monitor data on the endpoint and on file shares. Data at Rest (DAR) is only a click away from becoming Data in Motion (DIM) and needs to be protected just as well.
Another interesting point is the convergence via acquisition that is occurring: the big companies are snapping up the smaller DLP players and integrating them into their existing product suites.
9 out of 10 firms??? – Really???
I saw this linked by Kevin Rowney of Symantec, head of the DLP product, and wanted to respond.
The article, “Nine out of 10 firms use data leakage prevention tools,” made me want to respond “Oh really?” What exactly is their definition of data leakage tools? A lot of the companies I work with and talk to have no data loss prevention tools, and in fact most of them don’t have anything budgeted for these types of tools.
A DLP purchase is often not a budgeted purchase but one driven by a business need rather than an IT need.
Interested in DLP? Drop me a note.
Deployment Server 7.1 Roadmap
At the Cleveland user group meeting, Hugo Parra, the PM for Deployment Solution, presented the roadmap for DS.
DS 6.x will continue to get changes and support; DS 6.9 SP4 will be released in Q2 2010, including hardware updates, OS updates, and fixes for priority defects.
DS 7.X Roadmap
- 7.0 is currently out there
  - Limited functionality
  - Not a point solution
- 7.1 (code named Avalon)
  - December release
  - Will help with the following needs:
    - DS servers need to share data and stay in sync
    - Make it easier to manage images and software packages and get them to the locations where they are needed
    - Better security roles, more granular, global scoping
    - Provide job status and reports: which machines have pending jobs, how long they have been waiting for a job, which jobs failed/succeeded/etc.
    - Smarter jobs with better branch logic, more reusability
    - Dynamic groups and filters
    - Make P2V and V2P transformations more fluid, provide advanced deployment capabilities for virtual machines
  - Based on the NS 7 (Symantec Management Platform) console, complete integration
  - PXE support
    - Will be brought back into DS
    - A site server will have the option to have the PXE Server service installed on it
    - PXE updates will occur through the Altiris NS agent
  - Server support will be back in DS
    - Able to do a bare metal build of a server
  - Single database, the Symantec_CMDB
  - No longer uses the AClient or DAgent
    - Everything will run through the NS Agent and the DS Plug-in
  - DS Portal page
    - “Home” page for working within DS 7.1
    - Built on Silverlight
    - Drag and drop ability within the console
    - Can drag jobs to computers, computers to jobs
- 7.2 (code named Everest)
  - July 2010 release
  - Mac support
  - Thin client support (completely on par with DS 6.9)
I saw a demo of DS 7.1 and it looked really cool; the DS Portal built on Silverlight was very fast and responsive, and I liked the drag and drop capability.
I would love to hear your thoughts.
Shame on Symantec – No Upgrade path for Recovery Server 7
This past week I have been upgrading a client from Client Management Suite (CMS) 6 and Recovery Solution (RS) 6 to CMS 7 and RS 7.
According to the documentation found on the Altiris Knowledge Base, there is a method to upgrade from Recovery Solution 7.0 as part of an off-box upgrade. This article can currently be found here.
After getting my migration plan approved, which included the steps outlined in the document, we started the migration. The CMS 6 to CMS 7 migration went great: we migrated 1200 nodes without issue and everything was rocking, until we got to the RS upgrade. There were several references in the article I couldn’t find or figure out, so I made a quick call to Symantec Tech Support, hoping that would resolve it.
The support person I was working with looked up the KB number and told me it was no longer valid and shouldn’t even be visible to clients. I was then told there was another article to help me out, but he couldn’t find that other article either.
The recommended upgrade path from the support person? Uninstall completely and Install from scratch.
So we lost all the backups from version 6 and have to start creating our backups all over again. That also means that until we have backups done, we can’t recover anything.
This week’s FAIL whale goes to Symantec
When you write a blog post about a security vulnerability, address the actual product
Through one of my Google Alerts, I stumbled across an article titled "Isn’t your Symantec Altiris Deployment Solution in Troube?" found here.
The article addresses some security vulnerabilities that have been found recently in Symantec’s Deployment Solution. The problem is not the vulnerabilities but the fact that the author obviously has no clue what she is talking about.
The article clearly states that those who are not users of the Deployment Solution might not understand it. The author then explains what it is:
“Alltiris service-oriented management solutions offer a modular and future-proof approach to manage highly diverse and widely distributed IT infrastructures. They are open solutions that allow lifecycle integration of client, handheld, server, network and other IT assets with audit-ready security and automated operation. The Symantec Altiirs Deployment Solutoion can run on Windows 2003/XP/Vista.”
I am amazed at how wrong this quote is when addressing Symantec Altiris Deployment Solution. First off, the author is talking more about the Symantec Management Platform, or the Notification Server. Secondly, is the author referring to the agents that install on client machines? Those run on Windows 2003/Vista/XP; however, the server installs only on a Windows 2003 server.
Then we get to the included screenshot of the application, and I almost fell off my chair laughing. The screenshot in the “article” shows the Symantec Installation Manager, not the application with the vulnerabilities.
So let’s start over a bit. The Deployment Solution is a separate part of Altiris. It aids with computer imaging and computer migration, and it can integrate with the rest of Altiris.
Just to correct the record
Could DLP have saved Goldman Sachs from a big headache?
In an article on Channel Insider, the author raises the question: could a solid Data Loss Prevention product have stopped the transfer of data from Goldman Sachs to a third-party web host?
For those who don’t remember the whole story, a quick Google News search will be a quick refresher, or see this New York Times article:
“Mr. Aleynikov, who is free on $750,000 bond, is suspected of having taken pieces of Goldman software that enables the buying and selling of shares in milliseconds. Banks and hedge funds use such programs to profit from tiny price discrepancies among markets and in some instances leap in front of bigger orders.”
One key point of the article states:
“DLP is often seen as the panacea for stopping the accidental or unauthorized release of data… Even the market-leading products by companies such as Websense, Symantec, McAfee, RSA, CA and Trend Micro are limited to detecting mostly static data strings and content, such as Social Security numbers and credit card numbers.”
However, this is not true of the Symantec DLP product. Symantec acquired the market leader Vontu and rebranded it as Symantec DLP (for more information, drop me a note or visit their website).
Symantec DLP can detect both structured and unstructured data; based on the indexing technology it uses, it can track data such as source code, drawings or other intellectual property.
Let me give you an example of Symantec DLP protecting this type of data. A client I was working with receives a PDF from subcontractors with payroll information on it. This document needs to be either faxed in or brought in person, not emailed. Using the indexing technology of Symantec DLP, we indexed the PDF and created a policy saying that if we saw X% of the PDF, flag it as an incident. We were able to see several examples of this happening.
So it is possible to track unstructured data with Symantec DLP.
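As an added illustration of the indexed-document matching described above (this is not Symantec’s code; the word-shingle fingerprinting, the 5-word window and the sample payroll text are my own assumptions), the following script indexes a constructed document and flags an outbound message once at least X% of the document’s fingerprints reappear in it:

```python
"""Indexed-document matching for unstructured data (added example, not Symantec DLP code).

Assumption: the sensitive document is fingerprinted as hashed windows of
SHINGLE_WORDS consecutive words; an outbound message is an incident when at
least `threshold` of those fingerprints reappear in it. All sample data is constructed.
"""
import hashlib
import re

SHINGLE_WORDS = 5  # assumed window size; smaller windows match more aggressively


def normalize(text: str) -> list[str]:
    """Lower-case and keep only alphanumeric tokens, so punctuation, currency
    symbols and capitalisation changes in a re-typed copy do not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprints(text: str) -> set[str]:
    """SHA-256 of every SHINGLE_WORDS-word window. The index stores only these
    hashes, never the document text itself."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


def match_fraction(index: set[str], message: str) -> float:
    """Fraction (0.0-1.0) of the indexed document's fingerprints found in the message."""
    if not index:
        return 0.0
    return len(index & fingerprints(message)) / len(index)


def is_incident(index: set[str], message: str, threshold: float) -> bool:
    """The policy rule: flag when the matched fraction reaches the configured X%."""
    return match_fraction(index, message) >= threshold


# Constructed stand-in for the text layer of the subcontractor payroll PDF
PAYROLL_DOC = """Subcontractor payroll summary for period ending October 2009
Employee ID 1001 Alice Example gross pay 4200 net pay 3150
Employee ID 1002 Bob Sample gross pay 3900 net pay 2980
Total gross 8100 total net 6130 approved by payroll manager"""

# Constructed outbound e-mail bodies
FULL_LEAK = "FYI attaching the file contents below\n" + PAYROLL_DOC
# a single row, re-typed with different case and punctuation
PARTIAL_LEAK = "EMPLOYEE ID: 1001, Alice Example; gross pay $4200, net pay $3150"
UNRELATED = "Lunch is at noon in the conference room, bring your laptop"

if __name__ == "__main__":
    index = fingerprints(PAYROLL_DOC)
    for name, body in [("full", FULL_LEAK), ("partial", PARTIAL_LEAK), ("unrelated", UNRELATED)]:
        frac = match_fraction(index, body)
        print(f"{name:9s} {frac:5.0%}  incident at 50%: {is_incident(index, body, 0.5)}")
```

The threshold is the tuning knob: a single re-typed payroll row only matches about 19% of this document, so a 50% policy misses it while a 15% policy catches it.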
A response to FAI vs Altiris
I tried to post this on Stephen’s blog, where he talks about using FAI to perform an automated install of Ubuntu 64-bit Server edition vs. a Windows 2003 64-bit install via Altiris Deployment Solution, but I had issues with his CAPTCHA.
As an Altiris consultant I felt bound to respond. A scripted OS install run through Altiris Deployment Solution is a very slow process, as an image with an empty partition first needs to be laid down, followed by a reboot into the scripted OS install.
An image deployment of Server 2003 64-bit would beat the 1 hour time frame that Stephen mentions.
So why a scripted OS install?
Also, I wish Symantec supported Ubuntu, but alas it doesn’t, and I doubt it will.
Managing the DLP Endpoint Agent with the Integrated Component
Summary:
In an earlier article I talked about installing the DLP Integrated Component within the Symantec Management Console. This article covers how to manage the endpoint agent with this component.
What can the DLP Agent Do?
The DLP Endpoint Agent enforces Data Loss Prevention policies on endpoints and manages the data on those machines. It is made up of two agents, the endpoint agent and the watchdog agent. These two agents watch each other to make sure both are still running, and each will restart the other service if it is stopped.
With the endpoint agent, the policies applied to Data at Rest targets and to the network via Data in Motion can also be applied to laptops and desktops. All scans on endpoints are controlled through the agent, and the results are reported to the Enforce server.
Another important feature of the Endpoint Agent is that it can control removable media and can also monitor the copy & paste buffer along with fax and print activity. This controls information that is flowing on the endpoint.
For more information, see
Installing the DLP Agent
In order to install the DLP Agent from the Symantec Management Console, we first need to discover the computers, and then push the Altiris Agent followed by the DLP Endpoint Agent.
All work in deploying and configuring the Endpoint Agent is done through the Symantec Management Console and the Data Loss Prevention Portal. The portal looks like the following:

Discovering Computers
Before we deploy the Altiris Agent and the DLP Endpoint Agent, we need to discover the computers to add them to the database. There are two types of discovery that can be done through the DLP Portal: a Domain Browse or an AD Import.
The Active Directory Import is the best way to discover and import your machines into the Symantec Management Console. An important note: this is just a read of Active Directory; we do not modify AD or need an AD schema modification.
To begin an Active Directory discovery, click on the link “AD Import” which will bring up the following page:

A couple of notes about this screenshot: I have already selected the correct domain, subnet and sites to import, and I have filled out a schedule under “Specified schedules” to automatically import and update the Management Console.
The second type of discovery is a Domain Browse import. It can be run by clicking on the link in the Data Loss Prevention Portal and looks like the following:

Provide the domain information to browse and discover computers.
Installing the Altiris Agent
Once we have discovered the computers, we can install the Altiris Agent; after it is installed we will push out the DLP Endpoint Agent. From the DLP Portal page, under “2. Deploy Endpoint Data Loss Prevention,” select “Install Altiris Agent.” This opens the following screen:
As you can see from the screenshot, the computers we have discovered show up in the list of computers. To install the Altiris Agent, highlight a computer and select “Install Altiris Agent.” Multiple machines can be selected by using either the shift key or control key.
Installing the DLP Endpoint Agent
Once the Altiris Agent is installed on the managed device we will install the DLP Endpoint Agent. From the Data Loss Prevention Portal in the Symantec Management Console, select “Install Symantec DLP Agent,” which will open up the following screen.

What is unique about this install is that it is part of an ongoing policy on the Symantec Notification Server. By default, any computer in the filter “Computers managed without DLP Agent” will receive the DLP Endpoint Agent the next time it checks in.
A brief note of explanation for those not familiar with the Notification Server: policies are applied to groups of computers called “Filters.” A computer is added to this filter when it has the Altiris Agent installed (managed) and does not have the DLP agent. Once the DLP agent is installed, the computer automatically moves out of the filter.
This policy is not enabled by default. To do so, click on the Red button next to “Off” and select “On.” This will turn it to green. A client with the Altiris Agent will check in, receive this policy and install the DLP Agent.
Upgrading the DLP Agent
The first policy we talked about was the DLP Agent Install policy; the upgrade policy is the second policy on the DLP Portal page. To enable it, click on the “Upgrade Symantec DLP” link within the Symantec Management Platform. This opens a window that looks like the following:

This policy is not enabled by default. To do so, click on the red button next to “Off” and select “On.” The policy will then become active and will automatically upgrade any endpoint whose agent is older than the version in the current policy.
Endpoint Agent Tasks
Within the DLP Portal home page there are 8 default tasks. The Symantec Management Console allows us to create and manage tasks that control the Altiris Agent and a managed computer (a computer with the Altiris Agent on it).
Start Agents/Stop Agents/Kill Agents/Restart
The first three tasks are all about agent control and look and act the same way. They allow us to control the status of the Endpoint Agent through the Altiris Agent. In case someone stops the Watchdog Agent or the Endpoint Agent, these tasks can reset the agent. The screenshot shows the Start Agent task:

There are two ways to execute this task: via a quick run or via a schedule. A quick run task executes immediately, and through the drop-down you select the computer to run it on. If you want to schedule one of these tasks for a later time, you can do so through the scheduler.
Pull Agents Logs
The Pull Agent Logs task will copy the DLP Agent Logs from the managed computer to the Symantec Management Console server allowing you to review what is happening on the endpoints.
This task functions like the other tasks: you can schedule it or run it immediately.
Set Log Level to Info/Set Log Level to Finest
This task allows you to change the logging level of the Endpoint Agent without having to interact with the agent locally or change things manually.

Get Agents Configuration
The final pre-built task allows you to get the configuration of the Endpoint Agent without visiting the machine.

Installing the Dell Management Console
Summary:
This article will cover the steps to install and configure the Dell Management Console, including the steps to build a server, requirements for the server and steps for installing the DMC.
Overview
The Dell Management Console (DMC) is built on the Symantec Management Console and the Symantec Management Platform. DMC allows you to centrally manage your Dell servers and clients, along with the OpenManage Server Administrator agent (OMSA). DMC lets you manage things like BIOS levels and Dell-specific patches, and lets you create monitoring policies to monitor the health of your servers. For more information visit http://dell.symantec.com
Requirements for installing the Dell Management Console
The following tables come from the Symantec Planning and Configuration Guide for Altiris Notification Server 7. This document can be found on the Altiris knowledge base, http://kb.altiris.com. The tables are broken up by whether you are installing the DMC with SQL on the same box or off box, and the requirements are for managing under 3000 nodes. Following the server requirements are the requirements for installing the Altiris Agent (the Altiris Agent is then used for managing, pushing out the OMSA agent, and creating monitoring policies).
Notification Server managing under 3000 Endpoints with SQL on Box
| Hardware | Recommendation |
| --- | --- |
| CPU | 8 cores |
| CPU Speed | 2.4 GHz |
| Memory | 8 GB |
| Network | Gigabit |
| Disk | 10 GB free |
| Operating System | Windows 2003 Server Enterprise (32-bit) |

| Software | Recommendation |
| --- | --- |
| .NET | Microsoft .NET 3.5 |
| Web Browser | IE 7 |
| Web Server | IIS 6.0 |
Notification Server managing under 3000 Endpoints with SQL off box
| Notification Server Hardware | Recommendation |
| --- | --- |
| CPU | 4 cores |
| CPU Speed | 2.4 GHz |
| Memory | 4 GB |
| Network | Gigabit |
| Disk | 10 GB free |
| Operating System | Windows 2003 Server (32-bit) |
| SQL | SQL Server 2005 off box |

| Software | Recommendation |
| --- | --- |
| Web Browser | Internet Explorer 7 |
| .NET | Microsoft .NET 3.5 |
| IIS | IIS 7.0 |

| SQL Hardware | Recommendation |
| --- | --- |
| CPU | 4 cores |
| CPU Speed | 2.4 GHz |
| Memory | 8 GB |
| Network | Gigabit |
| Disk | 10,000 RPM SCSI or better with RAID 1+0 |
| Operating System | Windows 2003 Server Enterprise (64-bit) |
| SQL | SQL Server 2005 |

See the Microsoft KB for the optimal SQL configuration.
Altiris Agent Requirements
| Item | Specification |
| --- | --- |
| Operating System | Windows 2000 SP4, Windows 2003 (32-bit, 64-bit), Windows XP SP2/SP3, Windows Vista (32-bit, 64-bit), Windows 2008 (32-bit, 64-bit, not Core) |
| Hard Disk Space | 60 MB |
| RAM | 64 MB minimum (128 MB recommended) |
| Internet Explorer | IE 5.0 or later |
| Access Rights | Account used to install the agent must have local admin rights |
| Windows XP Items | Turn off simple file sharing; open ports 80/445 to the Notification Server IP |
Steps for Installing the DMC
Installing the Server
Follow your standard build documents for installing and building a new server. There are a couple of pieces of software you need to make sure you have: IIS and ASP.NET need to be installed and enabled. The easiest way to do this is through the “Configure Your Server” wizard, turning the server into an Application Server. .NET 3.5 needs to be installed; an important note is to NOT install .NET 3.5 Service Pack 1. IE 7 needs to be installed as well.
If you are going to be using SSL (HTTPS), please install and configure IIS to use SSL before installing DMC. If you try to make this change after the install, there will be problems within the system.
If you are running SQL Server on the same box, please install this and configure it correctly before proceeding to the next steps.
The Symantec Management Console is installed under the Default Web Site, which will cause problems if you have other web servers running on the DMC system.
Installing SIM
The Symantec Management Console uses the Symantec Installation Manager (SIM) to install all parts of the Management Console. SIM can be downloaded from the Symantec website (http://www.symantec.com/business/products/trialware.jsp?pcid=pcat_infrastruct_op&pvid=cm_suite_1). Once it is downloaded, launch the executable and you will be greeted with this screen:

Select Next and you will be presented with the directory to install SMC into. A quick word of warning: the directory you select here is the directory all of the Console will be installed to.

Once the installation is finished, the Symantec Installation Manager will start allowing you to install other portions of the console.
Installing the Symantec Management Console
When the Symantec Installation Manager is launched it will by default open to Install New Solutions. While you can install both the DLP component and the Management Console at the same time, I recommend installing just the Console first and then the component.
From the Installation Manager, scroll down until you find the Symantec Management Console:

After selecting “Review selected products” and then Next, accept the license agreement and continue. Fill out the required information; it is required to verify export controls.

After the information is filled out, select Next for the system requirements check:

The Symantec Management Console requires ASP.NET, IIS, IE 7.0, at least 2.0 GB of RAM, and Windows 2003 Server along with MS SQL 2005. As you can see in the screenshot, I do not meet the requirements. If you do not, close the Installation Manager and resolve any problems.
If you meet the requirements select Next to begin installation of the Symantec Management Console. While it is not necessary to restart after the installation is complete, I have had the best luck rebooting before moving on to other installations.
Installing DMC
After the Symantec Management Console has been installed, reboot the system. While this is not a requirement, after much testing this provides the best option.
Launch the Symantec Installation Manager from Start -> All Programs -> Altiris -> Symantec Installation Manager.

Select Install new products and find the Dell Management Console in the list:

After selecting the DMC, all of its dependencies will be installed as well:

Click on Ok to proceed and move on. Once the install is complete we begin installing the Altiris Agent and the OMSA Agent.
Deploying the Altiris and OMSA Agent
Discovering Dell Servers
There are 3 ways to discover computers within the DMC: import from Active Directory, domain discovery and network discovery.
An Active Directory import is the most reliable of all the discovery methods. An important item to remember is that this is just an import; nothing is modified in Active Directory, no schema modification, nothing. To perform the Active Directory import, within the DMC navigate to Actions -> Discover -> Import Active Directory. The console will look like the following:

Fill out the correct information and run the import. More information on running the AD import can be found in the DMC Manual.
The second way to discover computers is through domain membership or a domain browse. This type of discovery queries the Master Browse list for computers. To perform this discovery, navigate in the DMC to Actions -> Discover -> Import Domain Membership/WINS. The screen will look like the following:

Fill out the correct information and run the discovery. More information can be found in the DMC Manual.
The third way of discovering computers is through a network discovery. This can take the longest, depending on how large a discovery you are running. To perform a network discovery, navigate in the DMC to Actions -> Discover -> Network Devices. The console will look like the following:

Fill out the correct information and run the discovery. More information can be found in the DMC Manual.
Pushing out Agents
Once we have discovered Dell Servers we can roll out our agents. The first agent we need to push is the Altiris Agent, and then the OMSA Agent.
To deliver the Altiris Agent, navigate in the DMC to Actions -> Agents/Plug-ins -> Push Altiris Agent:

Select the server from the list of computers and select Install Altiris Agent. For more help on pushing the Altiris Agent, see the DMC Manual.
To install the OpenManage Administrator Agent, navigate to the DMC Home Portal and select Deploy OpenManage Administrator.

From this part of the console, select Launch Dell OpenManage Server Administrator Deployment Wizard. Select the computers from the drop-down and then hit Next. By default the installation of the OMSA agent is scheduled for now. A task at the bottom of the Dell OpenManage Server Portal page will turn green when the installation is complete.
Symantec Government Symposium Part II
Earlier I wrote about the Symantec Government Symposium, and was just notified that content and presentations are now available online.
For more information, including PowerPoint presentations, look here.