Setting Up Server Groups
The concept of server groups is fundamental to Halo. Halo uses group-based policy management, meaning that an individual security policy is designed to apply to any number of individual servers of a given kind. There is no need to create an individual policy for each individual server. By applying policies in this manner, you can efficiently scale your protection to fleets of thousands of servers. And in the dynamic environment of the cloud, Halo can instantly apply the proper group policy to any newly cloned or auto-scaled server.
Design Groups That Match Server Purpose
A server group is a set of similar servers—such as all of the web servers, or all of the load-balancers—that can share a single Halo security policy. For example, all servers in a given group will use the same firewall policy and the same configuration policy. In the Halo portal, you will assign a policy to a server group, not to an individual server. So you'll need to create server groups before any of your Halo policies can take effect.
To come up with the best set of groups for your organization, examine all of the servers you currently use, and categorize them in terms of platform, applications, and purpose, while trying to end up with the smallest possible number of groups.
The basic idea is that all the servers in a group need to be very similar (same O.S. and version, same applications, same firewall needs, same local user accounts) because a single set of policies covers all of them. However, this is not always strictly true; how similar the servers must be depends on which Halo features you use:
- You can mix Linux and Windows servers in the same server group for those features (such as workload firewalls, configuration security monitoring, and file integrity monitoring) that allow assigning both a Windows and a Linux policy to a group.
You can do this because Halo automatically applies only Windows policies to Windows servers, and only Linux policies to Linux servers.
- Servers (of a given platform) within a group must have identical firewall needs if you are implementing Halo workload firewalls.
- Servers (of a given platform) within a group must have identical or very similar system-file and directory structures if you are implementing system configuration scanning or file integrity monitoring at the system level.
- Servers (of a given platform) within a group must have the same general application security needs if you are extending configuration security monitoring or file integrity monitoring to the application level.
- You probably will not want to mix strongly dissimilar distributions of the Linux platform (Ubuntu with CentOS, for example) within a server group, as this will make it harder to define configuration-policy rules that apply across all servers.
- You can share a single policy among several groups when that makes sense. For example, a web-server group might need a different firewall policy from a database-server group, but if the two groups' operating systems are identical, they might be able to share the same system-level configuration policy.
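The design rules above can be checked against a server inventory before any groups are created in the portal. The following is an added example, not part of the Halo guide and not using any Halo API: it proposes one candidate group per server purpose, flags groups that break the per-platform similarity rules, and lists groups that could share a system-level configuration policy. The inventory, host names, roles and firewall profile names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory; hosts, roles and firewall profile names are hypothetical.
INVENTORY = [
    ("web-01", "linux",   "ubuntu-12.04",   "web", "http-https"),
    ("web-02", "linux",   "centos-6",       "web", "http-https"),
    ("iis-01", "windows", "windows-2008r2", "web", "http-https"),
    ("db-01",  "linux",   "ubuntu-12.04",   "db",  "mysql-internal"),
    ("db-02",  "linux",   "ubuntu-12.04",   "db",  "mysql-replica"),
    ("lb-01",  "linux",   "ubuntu-12.04",   "lb",  "http-https"),
]

def propose_groups(inventory):
    """Start with one candidate group per server purpose (fewest groups)."""
    groups = defaultdict(list)
    for host, platform, os_name, role, fw in inventory:
        groups[role].append({"host": host, "platform": platform, "os": os_name, "fw": fw})
    return dict(groups)

def review_group(servers):
    """Check one candidate group against the per-platform similarity rules."""
    findings = []
    by_platform = defaultdict(list)
    for s in servers:
        by_platform[s["platform"]].append(s)
    # Windows and Linux may share a group; each platform is checked on its own.
    for platform, members in sorted(by_platform.items()):
        fw_profiles = sorted({s["fw"] for s in members})
        if len(fw_profiles) > 1:  # matters if workload firewalls are used
            findings.append(f"split: {platform} firewall needs differ {fw_profiles}")
        distros = sorted({s["os"].split("-")[0] for s in members})
        if platform == "linux" and len(distros) > 1:
            findings.append(f"warn: mixed Linux distributions {distros}")
    return findings

def shared_config_candidates(groups):
    """Groups that all run one identical OS can share a system-level config policy."""
    by_os = defaultdict(list)
    for name, servers in groups.items():
        os_names = {s["os"] for s in servers}
        if len(os_names) == 1:
            by_os[os_names.pop()].append(name)
    return {os_name: sorted(names) for os_name, names in by_os.items() if len(names) > 1}

if __name__ == "__main__":
    groups = propose_groups(INVENTORY)
    for name, servers in groups.items():
        print(name, [s["host"] for s in servers], review_group(servers) or "ok")
    print("share system-level config policy:", shared_config_candidates(groups))
```

A "split" finding means the candidate group needs to be divided before a single firewall policy can cover it; a "warn" finding means configuration-policy rules will be harder to write for that group.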
Implement Your Groups
Once you have designed your groups, create them in the Halo portal. Go to the Dashboard page by clicking the CloudPassage icon on the toolbar (or by selecting a security module from the Servers menu).
Note that the list of server groups shows each group's name followed by the number of servers in the group. The numbers of critical and non-critical issues that Halo has detected for the group appear below the group name.
Click the Add a New Group link at the bottom of the list of server groups. For now, just give each group a name; you'll assign servers and policies to the groups later. The group now appears in the list of server groups on the Dashboard.
About Halo built-in server groups
Halo includes a few built-in groups that you can use in special situations.
- Root group. The name of this group is by default the name of your organization, as it appears in your Halo account. The root group consists of all servers that have not been assigned to a server group. As soon as you install an agent on a server, it appears in this group, from which you can move it to the server group of your choice.
All other server groups can be considered children of the root group.
- Retired. This group consists of all servers that explicitly have been retired (see Maintain and Manage Your Servers). Move servers to this group when they are no longer used and you expect never to use them again.
- Unretired. This group consists of servers that were retired, but are now deemed useful again. Note that when a server is retired, it loses its server-group membership; therefore, unretiring it puts it into the "Unretired" group, not into its previous server group. However, you can assign servers from this group to any actual server group for re-use.
Maintain and Manage Your Groups
Use the Halo portal on an ongoing basis to manage your server groups. You can edit a group's name, add or remove any of its servers, and add or remove security policies as noted in Assign Policies to Server Groups.
When you no longer need a given server group, you can delete it. Select the server group on the Halo Dashboard, and click Delete below the group's name. If the group contains servers, Halo moves those servers to the root group and then permanently deletes the group.