Terms Flashcards
Plugins
software packages that can easily be integrated and expand the functionality of CounterACT
What is information from plugins used for?
– Creating polices which enable Actions and Reports
– Displaying Information Panel data
– Triggering Threat Protection events
Plugin updates
CounterACT automatically checks whether new updates are available for your plugins.
What are default plugins?
- User Directory
- Switch
- Macintosh/Linux
- Host Property Scanner (HPS)
- NBT Scanner
- Syslog
- DNS Client
- Reports
Default plugin: User Directory
Resolves user details via a User Directory server such as Microsoft Active Directory or any other LDAP-based directory server such as SUN or Novell, using the LDAP protocol.
Default plugin: Switch
Allows CounterACT to display information about hosts connected to specific switch ports, including information about the switch and ports. Required for blocking network access via ACL/VLAN or port assignment.
Default plugin: Macintosh/Linux
Enables deep inspection of Macintosh/Linux endpoints via SSH or SecureConnector access.
Default plugin: Host Property Scanner (HPS)
Enables all Windows endpoint operations, including vulnerability scanning, remediation actions and Windows host polling. Responsible for operating system classification across the organization using built-in components. Also contains the SecureConnector code and operations.
Default plugin: NBT Scanner
Attempts to obtain the username, MAC, hostname and domain name of the user logged onto a given host.
Default plugin: Syslog
Lets you forward, receive and format event messages to/from an external Syslog server.
Default plugin: DNS Client
Allows CounterACT to perform DNS lookups to resolve host names.
Default plugin: Reports
Gathers information from CounterACT and populates the reports, assets and dashboard portals.
CounterAct Channels
A channel defines a pair of interfaces used by CounterACT to monitor and protect your network
** It is critical that the channel connections and definitions are configured correctly **
There are three interfaces:
- Monitor interface
- Response interface
- Management Interface
Monitor interface
Lets the Appliance monitor and track network traffic. Traffic is mirrored to a port on the switch or via a network tap and monitored by the Appliance.
Response interface
– The Appliance responds to traffic using this interface. Response traffic protects against malicious activity and performs policy actions.
– In a Layer 3 deployment, the response interface is set to “IP Layer”. In this case, the management interface is used for response.
Management Interface
Manages CounterACT and performs queries and deep inspection of endpoints. The interface must be connected to a switch port with access to all network endpoints.
What are policies composed of?
- a unique name
- policy scope
- policy conditions
- policy actions
What is a group?
A collection of hosts with something in common, such as hosts that run Windows systems, or guest hosts. Groups help you:
– View and manage CounterACT detections
– Logically track policy implementation
What are segments?
• Segments are used to organize your network endpoints into logical categories.
• Helpful for filtering hosts
– Specific to a network range or ranges
– Quantify how many hosts exist in a specific segment
• Can create a segment for a single IP or a range of IP addresses
What is an organizational unit?
- It reflects one or more CounterACT segments that have something in common.
- It is used for reporting: in the executive dashboard, the Compliance Trends are sorted by organizational unit
Where does CounterAct sit?
– At the connection point between a protected network area and the rest of the network.
– Behind a VPN concentrator, where encrypted VPN channels are decrypted and malicious traffic enters your network
– Behind remote access servers, where remote access users are entering your network
What is CounterAct Appliance Packet Engine?
How does it work?
• To provide intra-VLAN threat protection, the Appliance setup must have:
– A Layer 2 channel within broadcast domains (tagged packets in the mirroring ports)
• To work with the Virtual Firewall, the Appliance must:
– Have channel visibility into traffic that will be controlled using the Virtual Firewall action
• To use HTTP notification and redirection, the Appliance must:
– See bi-directional traffic on the channel; asymmetric traffic will not work
– Be allowed to inject packets into the network; network-layer anti-spoofing controls may need to be adjusted
What is SecureConnector?
SecureConnector is a lightweight, small-footprint executable that runs on the endpoint so that CounterACT can inspect it.
– SecureConnector opens an encrypted tunnel to CounterACT, allowing it to remotely inspect the endpoint.
Via TCP/10003 for Windows
Via TCP/2200 for Mac/Linux
Ports can be modified
– Used for endpoint inspection of unmanageable hosts
Useful for rapidly enhancing the versatility of CounterACT endpoint actions
How does CounterAct maintain fault tolerance?
• Uses clustering to integrate two or more Appliances (nodes) into a logical unit
– Active node: controls the cluster and provides communication with the external world
– Standby node: constantly ready to take over in case of failure of the Active node
• Cluster Connectivity
– Each cluster has a VIP address used for communication with the network
– Appliances within a cluster are inter-connected by synchronization cables
• Switch Connectivity
– Connections are for dual management, SPAN (monitoring) and response
– Dual SPAN
Connection to a single switch using dual SPAN sessions
– Single SPAN
Connection to a single switch using a single SPAN session; requires a TAP