Remediation - ADTRAN BlueSecure Controller Setup And Administration Manual

Software release version: 6.5

Appendix C: Endpoint Scanning

Remediation

When an endpoint fails the security policy scan, the administrator can block the endpoint
until it is in compliance. The endpoint has two means to address this:
- Auto-remediation
- Manual remediation

Auto-Remediation

If auto-remediation is enabled and the endpoint fails the scan, a FixAll button will appear on the Java Applet. When this is clicked, the Applet will attempt to fix the scan failures. This could include auto-updating Anti-Virus definitions or enabling a Firewall.

Manual Remediation

If auto-remediation is disabled, then the endpoint is forced to manually address the scan failures. This could involve enabling a Firewall by hand or installing an Anti-Spyware program.

Zero Config Remediation

A Walled Garden is a hole in the Unregistered role that allows clients to reach certain web sites without having to authenticate. Because an endpoint is not authenticated until it passes a scan, the client has the same policy as the Unregistered role. When scanning is enabled, the BlueSecure controller will intelligently open the minimum number of destination IPs in the Unregistered role to allow endpoints to reach remediation sites. For example, if the administrator requires McAfee antivirus, then www.mcafee.com is allowed in the Unregistered role, but other sites, like www.avira.com, are not. If you're using a local site for anti-virus updates and other definitions, the holes in the Unregistered role can be removed by de-selecting the GUI checkbox Enable Zero Config Remediation.

BlueProtectRemediation Role Support

As of 6.5, the BSC now supports an optional Remediation Role for client scanning. The following guidelines pertain to this role:

1. To enable the role, create a role called "BlueProtectRemediation" - it must match that name and case.
2. (Optionally) Inherit the role from the "Unregistered" Role (or replicate the policies you wish to allow).
3. (Though it is harmless), do not enable BlueProtect scanning for the "BlueProtectRemediation" role itself. Continue to Enable scanning on the client's target role.
4. By default, all the normal remediation sites will be allowed in this role and not the Unregistered role.
5. There are two possible firewall policies/approaches to this role:
   - Only allow specific intranet and internet sites that are deemed necessary for remediation
   - Allow the internet but block intranet sites
6. A client in the remediation role will be allowed to browse to any site allowed in the role. If the site is blocked or not allowed, the client will be redirected to the Java Agent and rescanned.
7. If you allow all Web Traffic in the Remediation Role, then a client can fail a scan, but browse the web forever. So be sure to restrict the role down to just the sites you want a non-compliant client to reach.
8. In 6.5, proxy servers (either hardcoded in the client, or as a part of the Remediation role) aren't supported. This is because the firewall must know the real destination of HTTP requests to filter them appropriately.

The Remediation Role is useful to allow administrators an extra level of security, while restricting the Unregistered Role to only authentication. Once users are authenticated, the sites they can reach are now governed by the Remediation Role. This prevents a user
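
The numbered guidelines above can be checked before a role is put into service. The Python sketch below is an added example, not ADTRAN code: the dictionary layout, field names and addresses are constructed for illustration and do not represent any BSC configuration or export format.

```python
import ipaddress

REQUIRED_NAME = "BlueProtectRemediation"  # guideline 1: exact name and case

def audit_role(role):
    """Return findings for a role description (hypothetical dict layout)."""
    findings = []
    if role["name"] != REQUIRED_NAME:
        findings.append("name: must be exactly %r, case included" % REQUIRED_NAME)
    if role.get("scan_enabled"):
        # guideline 3: scanning belongs on the client's target role
        findings.append("scan: enable scanning on the target role, not this role")
    if role.get("proxy"):
        # guideline 8: behind a proxy the firewall never sees the real destination
        findings.append("proxy: not supported in 6.5")
    for dest in role["web_allow"]:
        if ipaddress.ip_network(dest, strict=False).prefixlen == 0:
            # guideline 7: allow-all lets a failed client browse indefinitely
            findings.append("web: %s allows all web traffic" % dest)
    return findings

def decide(role, dest_ip):
    """Guideline 6: an allowed destination passes, anything else is rescanned."""
    ip = ipaddress.ip_address(dest_ip)
    for dest in role["web_allow"]:
        if ip in ipaddress.ip_network(dest, strict=False):
            return "allow"
    return "redirect-to-agent-and-rescan"

# Constructed sample roles using documentation address ranges.
STRICT = {"name": "BlueProtectRemediation",
          "web_allow": ["192.0.2.10/32", "198.51.100.0/24"]}
LOOSE = {"name": "blueprotectremediation", "scan_enabled": True,
         "proxy": "203.0.113.8:3128", "web_allow": ["0.0.0.0/0"]}

if __name__ == "__main__":
    for role in (STRICT, LOOSE):
        print(role["name"], audit_role(role) or "no findings")
        print("  203.0.113.5 ->", decide(role, "203.0.113.5"))
```

The second sample role trips all four checks, and its allow-all rule means a client that failed the scan is never sent back to the agent.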
