WHITE PAPER: ENDPOINT SECURITY. Symantec Endpoint Protection Managed Services Implementation Guide


Michael Plavin, Field Enablement Manager
Security Product Group

Table of Contents

Introduction
Managed Service Provider Deployment Overview
Technical Considerations
Hardware and Database Sizing Recommendations
Design Questions to Consider When Planning a Managed Service Deployment
Architecture Examples
Network Map
Communication
Pull/Push Mode Comparison
Pull Mode Overview
When to Use Push Mode
Setting the Heartbeat Interval
Calculating Content Distribution Time
Communication Summary
Management Scenarios
Adding Administrators for Managed Customers
Creating and deploying client installation packages
Updating Content on the Endpoint Protection Clients
Alerting
Logging and Reporting
Sample Service Provider New Customer Questionnaire
References

Introduction

As the economic climate continues to change, many businesses are looking to outsource their endpoint security management needs to trusted service providers. Organizations are looking to Managed Service Providers to manage their endpoint security software, including securely delivering content updates, creating custom reports, and in some cases, providing console access to individuals at the customer's site, without needing to install a management server on-premise. Additionally, service providers can make policy changes in real time to address emerging threats to their customers' environments.

With this in mind, Symantec built Symantec Endpoint Protection's management console (called the SEPM or "Symantec Endpoint Protection Manager") to be highly scalable, customizable, and easy to administer. This document offers technical guidance for using Symantec Endpoint Protection in a Managed Service Provider environment and lays out the deployment procedure in detail. After reading this document, Managed Service Providers (MSPs) will be able to install and configure the Symantec Endpoint Protection Manager in a central location, deploy Symantec Endpoint Protection clients to multiple customers, and manage them all from a single console.

Please note that Symantec Endpoint Protection Small Business Edition is not supported in the configuration outlined in this document due to technical limitations.

Managed Service Provider Deployment Overview

The following steps are required to set up Symantec Endpoint Protection in a Managed Service Provider environment:

1. Harden the operating system on the computer in the DMZ on which Symantec Endpoint Protection Manager will be installed. One way to accomplish this is to install Symantec Critical System Protection on the Endpoint Protection Manager server. For more information about Critical System Protection, please see
2. Install Symantec Endpoint Protection Manager. See Chapter 4 of the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control: w=manuals&pid=54619 for instructions on how to install the Symantec Endpoint Protection Manager. Optional: configure Internet Information Services and the Symantec Endpoint Protection Manager to allow HTTPS communication between the Manager and the endpoints. See

for instructions on how to enable HTTPS communication. All content exchanged between the server and the client is digitally signed, which reduces the need for a secure communication path.
3. Configure customer domains on the Symantec Endpoint Protection Manager
4. Configure administrators and/or limited administrators for each customer domain
5. Deploy Symantec Endpoint Protection clients at the customer's site
6. Configure Group Update Providers (recommended but optional)

Technical Considerations

Hardware and Database Sizing Recommendations

Symantec recommends the following hardware specifications for organizations hosting fewer than 10,000 Endpoint Protection clients:
- 2 GB RAM minimum
- Single processor

For organizations hosting more than 10,000 Endpoint Protection clients, the following hardware specifications are recommended:
- 4GB RAM
- Dual processor or better

For organizations hosting more than 50,000 Endpoint Protection clients, Symantec recommends the following hardware specifications:
- 64GB RAM
- Quad quad-core processors

For complete system and installation requirements, please refer to Chapter 2 of the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control: als&pid=54619

Symantec recommends using an off-box Microsoft SQL database running on a physical host (as opposed to a virtual machine) for managing remote Endpoint Protection clients. This will improve performance by reducing the chance of disk I/O and other resource bottlenecks. Additionally, Symantec recommends no more than five Symantec Endpoint Protection Managers per SQL database.

Tech Note: The embedded database can be used for small Service Provider deployments (fewer than 5,000 total managed clients), although Symantec recommends using a Microsoft SQL database for its enhanced backup and high-availability functionality.

Design Questions to Consider When Planning a Managed Service Deployment

1. How many Endpoint Protection Managers will be required at the Service Provider?
2. How will high availability and load balancing be addressed for both the Endpoint Protection Manager and the SQL server at the Service Provider?
3. How many geographic locations are your customers in?
4. How will security policies change when users move to different locations?
5. What protection technologies will be deployed? Will they vary by customer?
6. How often does the customer want content updates?
7. How will Endpoint Protection patches be deployed?
8. Which method of distribution does the customer want to use?
9. Is there a need to tie in to an existing third-party tool or authentication scheme?
10. How long does the customer need to retain logs?
11. What metrics need to be frequently gathered for your customers?
12. What is the frequency of customer requests for data older than one week, one month, and one year?
13. Who needs access to the data outside of the service provider's location?
14. Does the customer want remote administration access? If so, what do they want to be able to manage?

Architecture Examples

Centralized Service Provider Site

This is the preferred architecture for fewer than 25,000 individual Endpoint Protection clients. Symantec recommends the single-site design for Service Providers that have only one datacenter. In this single-site scenario, it is recommended that two Symantec Endpoint Protection Managers be used for redundancy. Service Providers can cluster the SQL database to address high-availability concerns.

Tech Note: This is also the recommended deployment when an on-site Endpoint Protection Manager is required. The Managed Service Provider can use a remote control tool (such as pcAnywhere or Remote Desktop) to remotely manage the Endpoint Protection Manager.

Distributed (Multi-Site)

This is the preferred architecture for Service Providers that have more than one datacenter or multiple large physical locations. In this scenario, each site is performing bi-directional replication of Groups and Policies, but logs and content are not replicated by default. In this model, Service Provider administrators must connect to a Symantec Endpoint Protection Manager to view customer reporting information for that site. For example, to view reports for Customer A (who is managed by Service Provider Site 1), the administrator must connect to a Symantec Endpoint Protection Manager at Site 1. This option is preferred when access to remote site data is not critical.

Fault-Tolerance and Disaster Recovery

Customers may require a Service Level Agreement (SLA) that necessitates a fault-tolerant environment. Thus, Symantec recommends configuring at least two Symantec Endpoint Protection Managers in high-availability mode.

If one Manager fails, communication will automatically move to the secondary systems. Please see Chapter 4 in the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for details on how to install multiple Symantec Endpoint Protection Managers: als&pid=54619

When running a virtual environment, do not install the redundant Symantec Endpoint Protection Managers on the same physical host. Additionally, Symantec does not recommend running virtualized SQL servers due to potential performance issues with disk input/output.

Symantec recommends following the instructions in the knowledge base article for backing up the Microsoft SQL server, Backing up a Microsoft SQL database with the Database Maintenance Plan wizard.

Network Map

Symantec recommends installing the Symantec Endpoint Protection Manager(s) behind the Managed Service Provider's firewall in a DMZ. This will allow direct communication between the Symantec Endpoint Protection Manager and the Endpoint Protection clients without the need for

additional security, such as a point-to-point VPN to each remote site. This is also why Symantec recommends hardening of the Symantec Endpoint Protection Manager operating system.

Communication

Symantec Endpoint Protection clients communicate with the Symantec Endpoint Protection Manager over TCP 8014 by default, although this can be changed to TCP 443 (HTTPS) if required. Please see the knowledge base article Configuring the management server to support HTTPS communication for more information.
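The port requirements of this Communication section (clients reach the manager on TCP 8014 or 443; TCP 9090 and TCP 8443 are allowed only from trusted addresses) can be checked against an exported firewall rule list. The following is an added example, not code from Symantec or from this guide; the rule format, rule names and addresses are constructed for illustration.

```python
import ipaddress

# Port roles as stated in this guide's Communication section.
CLIENT_PORTS = {8014, 443}        # client-to-manager traffic (default or HTTPS)
RESTRICTED_PORTS = {9090, 8443}   # remote console access; trusted sources only

# Constructed sample data: documentation address ranges, hypothetical rule names.
SEPM_IP = "192.0.2.10"
TRUSTED_SOURCES = ["198.51.100.0/24"]
SAMPLE_RULES = [
    {"name": "clients-in", "action": "allow", "src": "0.0.0.0/0",
     "dst": "192.0.2.10/32", "port": 8014},
    {"name": "console-admins", "action": "allow", "src": "198.51.100.16/28",
     "dst": "192.0.2.10/32", "port": 9090},
    {"name": "console-backend-any", "action": "allow", "src": "0.0.0.0/0",
     "dst": "192.0.2.0/24", "port": 8443},
    {"name": "rdp-any", "action": "allow", "src": "0.0.0.0/0",
     "dst": "192.0.2.10/32", "port": 3389},
    {"name": "deny-console", "action": "deny", "src": "0.0.0.0/0",
     "dst": "192.0.2.0/24", "port": 9090},
]


def _covered(src, trusted):
    """True if the source network lies entirely inside one trusted network."""
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def audit_rules(rules, sepm_ip, trusted_sources):
    """Return (rule name, finding) pairs for allow rules that reach the SEPM.

    Each rule is judged on its own; rule ordering and shadowing by earlier
    deny rules are not modelled here.
    """
    sepm = ipaddress.ip_address(sepm_ip)
    trusted = [ipaddress.ip_network(c) for c in trusted_sources]
    findings = []
    client_port_open = False
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if sepm not in ipaddress.ip_network(rule["dst"]):
            continue  # rule does not reach the manager
        src = ipaddress.ip_network(rule["src"])
        port = rule["port"]
        if port in RESTRICTED_PORTS:
            if not _covered(src, trusted):
                findings.append(
                    (rule["name"], f"TCP {port} allowed from untrusted source {src}"))
        elif port in CLIENT_PORTS:
            client_port_open = True
        else:
            findings.append(
                (rule["name"], f"TCP {port} is not listed in the guide; confirm it is needed"))
    if not client_port_open:
        findings.append(("(none)", "no rule lets clients reach TCP 8014 or 443"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES, SEPM_IP, TRUSTED_SOURCES):
        print(f"{name}: {finding}")
```
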

TCP 8014 or 443 will need to be opened on the firewall to allow communication between the Endpoint Protection clients and the management server. Additionally, TCP 9090 will need to be open to allow remote console access, and TCP 8443 is required to allow the remote console to communicate with the Symantec Endpoint Protection Manager. Symantec recommends creating explicit firewall rules that allow TCP 9090 and TCP 8443 traffic through the firewall to the Symantec Endpoint Protection Manager in the DMZ only from trusted endpoint IP addresses. For more information about using the remote console, please see the knowledge base article How to log on to the Symantec Endpoint Protection Manager Console remotely.

Tech Note: The Endpoint Protection Manager will work behind a NAT device (such as a firewall or router). If multiple Endpoint Protection Managers are behind NAT devices at different locations (London and New York, for example), make sure that the ports needed to replicate data are configured on the edge devices (TCP 8443 by default).

Endpoint Protection clients can download updated content (antivirus/antispyware definitions, IPS signatures, etc.) via Symantec LiveUpdate on the Internet or directly from the Symantec

Endpoint Protection Manager (recommended). The average traffic per endpoint to manager would typically be less than 500k per day. For more information about distributing content updates, please see the section Updating Content on the Endpoint Protection Clients.

The frequency of client-to-Symantec Endpoint Protection Manager communication depends on the heartbeat and communication configuration.

Tech Note: The heartbeat is the frequency at which client computers upload data such as log entries and download policies. A heartbeat is a protocol that each client uses to communicate with the Symantec Endpoint Protection Manager. The heartbeat size is generally between KB with an average daily total of ~200KB when there are no new policies or updates to download.

Symantec Endpoint Protection clients can be configured to communicate with the Symantec Endpoint Protection Manager using Push Mode or Pull Mode. For best performance, ensure the connectivity between the Symantec Endpoint Protection Manager database and the Symantec Endpoint Protection Manager server is fast, and use Pull Mode to communicate with the Endpoint Protection clients.

Pull/Push Mode Comparison

Pull Mode
- Clients process updates at a set interval, dependent on the heartbeat frequency
- Requires fewer resources because the clients do not maintain a persistent TCP connection
- No maximum number for clients connecting to the Manager

Push Mode
- Clients process updates from the Manager immediately
- Additional memory is required due to the persistent TCP connection
- Symantec does not recommend more than 5,000 clients per Manager

Pull Mode Overview

In pull mode, the endpoint connects to the manager periodically, depending on the frequency of the heartbeat setting. This procedure repeats indefinitely. In pull mode, the number of agents that can be supported on a single server is dependent on the server performance, network

bandwidth used for agents, server communication, and heartbeat frequency. In general, the less frequent the heartbeat, the more agents the server can support.

Tech Note: While there is no maximum number of clients that can connect to a Manager in Pull Mode, it is common for deployments to use a ratio of 20,000-25,000 clients to one Symantec Endpoint Protection Manager.

When to Use Push Mode

Push mode can be used when updates must be processed by the clients immediately. In push mode, the Endpoint Protection agent establishes a persistent TCP connection to the Symantec Endpoint Protection Manager. If the client cannot connect to the management server, it retries periodically depending on the frequency of the heartbeat setting. When there is a change in the server status, the server notifies the agent. Additionally, logs are sent from the client to the Symantec Endpoint Protection Manager based upon the heartbeat interval set. Push mode is ideal for customers that require the fastest response possible from the service provider when action needs to be taken.

Setting the Heartbeat Interval

The following performance numbers are based on testing done in a controlled environment and server(s) with the following specifications configured in a single site. All times listed below are in minutes.

Symantec Endpoint Protection Manager Server
- CPU: Intel Core2 CPU 6600 @ 2.40GHz 2.39GHz
- Memory (RAM): 4GB
- Operating System: Microsoft Windows 2008 Server 64-bit

SQL Database Server
- CPU: Intel Xeon CPU E5420 @ 2.50GHz (Please consult charts below for processor core requirements)
- Memory (RAM): 64GB
- Operating System: Microsoft Windows 2008 Server 64-bit
- Database Software: Microsoft SQL Server

Tech Note: The heartbeat times listed in the charts are taken from a lab environment with the hardware specifications listed above, and do not include the performance overhead introduced by additional factors, including site-to-site database replication, reporting configuration, lower hardware specifications, available network bandwidth, and network congestion. These can adversely affect performance numbers and will require increasing the heartbeat numbers to achieve the desired performance in your environment.

5,000 Clients

SQL Specs             1 SEPM   2 SEPM
Single Core (1 CPU)   50m      30m
Dual Core             20m      15m
Quad Core             15m      10m
2 x Quad Core         10m      10m

15,000 Clients

SQL Specs             1 SEPM   2 SEPM   3 SEPM
Dual Core             50m      35m      25m
Quad Core             20m      15m      10m
2 x Quad Core         20m      10m      10m

25,000 Clients

SQL Specs             1 SEPM   2 SEPM   3 SEPM   4 SEPM   5 SEPM
Dual Core             85m      55m      45m      35m      30m
Quad Core             30m      20m      20m      15m      10m
2 x Quad Core         30m      20m      15m      10m      10m

50,000 Clients

SQL Specs             2 SEPM   3 SEPM   4 SEPM   5 SEPM
Dual Core             80m      65m      50m      40m
Quad Core             30m      25m      20m      15m
2 x Quad Core         25m      20m      15m      10m

100,000 Clients

SQL Specs             2 SEPM   3 SEPM   4 SEPM   5 SEPM
Quad Core             50m      40m      35m      30m
2 x Quad Core         40m      35m      30m      20m

Heartbeat Sizing Example

Example 1
- Number of Total Clients: 50,000
- Number of Symantec Endpoint Protection Managers: 2 (25,000 clients per SEPM)
- SQL Server Specification: Dual Core (2 CPU)

If the hardware specifications for the Symantec Endpoint Protection Manager servers are consistent with those listed above, the heartbeat interval should not be set lower than 80 minutes.

Example 2
- Number of Total Clients: 50,000
- Number of Symantec Endpoint Protection Managers: 2 (25,000 clients per SEPM)
- SQL Server Specification: Quad Core (4 CPU)

If the hardware specifications for the Symantec Endpoint Protection Manager servers are consistent with those listed above, the heartbeat interval should not be set lower than 30 minutes.

Calculating Content Distribution Time

Another factor to consider is the time it takes to update protection content on managed customer endpoints. Content updates can consist of antivirus/antispyware definitions, Intrusion Prevention signatures, and engine updates, and can vary in size and frequency. Use the following formula to determine the time needed to perform a typical content distribution update:

(Concurrent Connections x Content Size*) / Available Bandwidth = Content Distribution Time

*Average Content Size = 70KB

Sample Content Distribution Time Using 70KB Update

Bandwidth        Number of Endpoints   Time
T1 (1.54 Mbps)   5,000                 ... minutes
T1 (1.54 Mbps)   15,000                2 hours
10 Mbps          5,000                 4 minutes
10 Mbps          15,000                14 minutes
100 Mbps         5,000                 30 seconds
100 Mbps         15,000                2 minutes
1 Gbps           5,000                 3 seconds
1 Gbps           15,000                9 seconds

The example assumes the use of the entire bandwidth, and it is worth noting that latency can also be affected by network utilization and protocol overhead.

To decrease the amount of time it takes to perform content distribution updates, Symantec recommends deploying Group Update Providers at the customers' sites or using alternative methods for deploying content updates (like Symantec's LiveUpdate servers). For information about using Group Update Providers, please see Distributing content using Group Update Providers.

Communication Summary

- All communication between the console, endpoints and manager can be secured using HTTPS/SSL
- Endpoint Protection clients receive updated policies and upload logging directly to the Manager(s) in the DMZ. Average network traffic per endpoint to manager would typically be below 1mb per day

- Endpoints can receive updated content (antivirus/antispyware definitions, IPS signatures, etc.) via Symantec LiveUpdate on the Internet or from the Symantec Endpoint Protection Manager
- For best performance, use Push Mode to communicate between the Manager and the endpoints

Management Scenarios

Centralized Management, Single Client Domain

Configuration: Customers are part of the same client domain, but separated into different client groups.

Details: This is ideal for smaller Managed Service Providers who do not want to provide remote administrative access to their customers.

Tech Note: A domain is a structural container in the Symantec Endpoint Protection Manager Console used to organize a hierarchy of groups, clients, computers, and policies. Domains can be created for each discrete customer a Service Provider wishes to manage. Please note that the domains in Symantec Endpoint Protection Manager do not relate to Microsoft domains.

How to Manage Customers Using Groups

Managed customers can be separated into Customer Groups, with multiple subgroups that can be sorted logically for configuration, settings and reporting as appropriate. Subgroup structure can be based on function, role, geography, or a combination of criteria.

In the above example, three customers are being managed by the service provider. Customer A asked the service provider to create subgroups for their New York, Los Angeles, and Portland offices, in addition to their remote employees and their Windows servers.

Symantec Endpoint Protection Manager contains the following default groups:
- The My Company group is the top-level group. It contains a flat tree of child groups
- The Default Group is a subgroup to My Company. Clients are assigned to the Default Group when they first register with Symantec Endpoint Protection Manager, unless they belong to a predefined customer group. You cannot create subgroups under the Default Group.
- You cannot rename or delete the default groups

For complete details about Groups, please see Chapter 3 of the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control: als&pid=54619

Considerations

While remote management is available using Role-Based Administration capabilities within the product, this configuration does not provide the flexibility of the multi-domain setup.

Centralized Management, Separate Customer Domains

Configuration: Customers are separated into their own domains.

Details: This is the recommended deployment scenario when you want to provide some level of remote control to an administrator at the customers' locations via the remote console.

Each customer has their own separate domain, meaning their data is separate from all other customers in the database. Given the inherent security of having separate domains, remote administration accounts can be created so customers can remotely manage their Endpoint Protection installation.

When the Symantec Endpoint Protection Manager is first installed, the console includes one domain. For every new customer a service provider wants to manage, a new domain will need to

be created. Each domain that is added shares the same management server and database, but provides an additional instance of the console. All data in each domain is completely separate to prevent administrators in one domain from viewing data in other domains. An administrator account can be added so that each domain has its own administrator. These administrators can view and manage the contents of their own domain, but they cannot view and manage the content of other domains.

Once the domain has been created for the customer, groups can be added based on function, role, geography, or a combination of criteria.

In the above example, Customer A wants different security policies for their locations in New York, Los Angeles, Portland, and their remote employees. Additionally, there need to be different policies for the servers, contractors, and corporate machines at each site.

For detailed information on using domains, including how to create and configure them, please see Chapter 13 of the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control: als&pid=

Considerations

The Managed Service Provider will need to log in to each customer's domain in order to make changes. For example, if the Service Provider's administrator needs to make a change to all of their customers' configurations, they must log into each customer domain individually and make the change to each domain.

For additional details on domains, including how to add them to the Symantec Endpoint Protection Manager Console, please see Chapter 13 of the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control: als&pid=

Adding Administrators for Managed Customers

About administrators

Symantec Endpoint Protection Manager Console provides the following types of administrator roles: system administrator, administrator, and limited administrator. The various administrator roles allow service providers to give different levels of access to their customers, depending on how much or how little control they want them to have over their Symantec Endpoint Protection administration.

The system administrator is the super administrator of a network. System administrators can view and modify the entire organization and are recommended for providing administrative access to the service provider. When Symantec Endpoint Protection Manager is installed, a default system administrator called admin is created.

An administrator can view and manage all the tasks within one domain only. A limited administrator can only manage certain tasks within the domain. For example, a limited administrator can only manage a limited number of groups within a domain. Administrator and limited administrator roles are recommended for providing console access to remote users at customers' sites.

It is likely that each type of administrator role will be used in a managed services environment. For example, a Managed Service Provider may use the following types of administrators:
- A system administrator who controls all customer domains managed by the service provider, maintains the servers and databases, and installs patches
- An administrator, who creates and maintains the Antivirus and Antispyware Policies and LiveUpdate Policies on the endpoints for Company A and is in charge of security and creates and maintains the Firewall Policies and Intrusion Prevention Policies for their endpoints
- A limited administrator, who creates reports and has read-only access to the policies for Company B

To add an administrator

1. In the console, click Admin.

2. For multi-domain implementations, ensure the domain you want to create administrators for is selected as the (Current Domain).
3. On the Admin page, click Administrators.
4. Under Tasks, click Add Administrator.
5. In the Add Administrator dialog box, enter the administrator name.
6. This name is the name with which the administrator logs on and by which the administrator is known within the application.
7. Optionally enter the full name of the administrator in the second text box.
8. Type and retype the password.
9. The password must be six or more characters. All characters are permitted.
10. To configure the authentication method, click Change.
11. The default value is Symantec Management Server Authentication. You can configure when the password expires for the default method, or change the authentication method.
12. Click OK.
13. Select one of the following administrator types:
14. System Administrator
15. Administrator
16. Limited Administrator. By default, limited administrators do not have any access rights, but they can be explicitly configured.
17. Click OK.

Creating and deploying client installation packages

Two types of packages are available:
- The default installation package that is created when Symantec Endpoint Protection Manager is installed
- A customized client package that is created especially for a particular group or set of groups. This type of installation package may contain customized group policies and settings

Either type of package can be created as a 32-bit or 64-bit package. When the default package is installed, clients appear in the Temporary group and receive the default policies. A customized package is not typically assigned to the Temporary group. For managed environments, the default package will be sufficient in many cases.

To create a client installation package

1. In the Symantec Endpoint Protection Manager console, click Admin.
2. In the Tasks pane, click Install Packages.
3. In the right pane, under Package Name, select the package to export.
4. In the lower-left pane, under Tasks, click Export Client Install Package.
5. In the Export Package dialog box, click Browse.
6. In the Select Export Folder dialog box, browse to and select the directory to contain the exported package, and then click OK.
7. In the Export Package dialog box, ensure Create a single .exe for this package is selected. Set the other options according to the installation goals. For details about the other options in this dialog box, click Help.
8. Click OK.

Deploying the client installation package

Once the package (called setup.exe by default) has been exported, it can be deployed in a variety of ways. For example, it can be taken to the customer's site and installed on each system locally, or the file can be loaded onto a share at the customer's location and the end users can be directed to it via an e-mailed link. Similarly, it can also be uploaded to a publicly-facing web server at the service provider's location and the link to the executable can be e-mailed to the end users.

Please see Chapter 5 in the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for details on the various methods available for installing the Symantec Endpoint Protection client: als&pid=

Updating Content on the Endpoint Protection Clients

Symantec recommends using Group Update Providers at the customers' sites to update Endpoint Protection client content, but other content distribution methods are also available. Below are the most common ways to update content.

Method: Group Update Provider to clients
Description: A Group Update Provider is a client that acts as a proxy between a Symantec Endpoint Protection Manager and the clients in the group. The Group Update Provider receives updates from a management server and then forwards the updates to the other clients in the group. A Group Update Provider can update multiple groups.
When to use it: This is the recommended method for updating content at hosted Endpoint Protection installations. Note that a Group Update Provider distributes all types of LiveUpdate content except client software updates.

Method: Symantec Endpoint Protection Manager to clients
Description: The default management server can update the clients it manages. You might have multiple management servers in your Symantec Endpoint Protection Manager network. The site that includes the management servers receives LiveUpdate content.
When to use it: This method is configured by default after management server installation. You can also combine this method with a Group Update Provider. Not recommended for hosted Endpoint Protection deployments.

Method: Symantec LiveUpdate to clients
Description: Clients can receive updates directly from Symantec LiveUpdate.
When to use it: Use an external Symantec LiveUpdate server for the self-managed client computers that are not always connected to the corporate network. Note: Do not configure large numbers of managed, networked clients to pull updates from an external Symantec LiveUpdate server. This configuration consumes unnecessary amounts of Internet bandwidth.

Tech Note: If communication to the Symantec Endpoint Protection Manager(s) is unavailable (due to an outage at the Service Provider, for example), clients can be configured to automatically download content updates from Symantec's LiveUpdate servers.

For complete details on all the ways to distribute content to Endpoint Protection clients, please see Chapter 7 of the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control: als&pid=54619

Distributing content using Group Update Providers

A Group Update Provider is a client computer at the customer's location that is designated to download content updates from the management server and distribute content updates to other systems running the Endpoint Protection client. This helps conserve bandwidth by ensuring that only one customer machine is connecting to the Endpoint Protection Manager at the Service Provider's site.

In Symantec Endpoint Protection and later, administrators can limit the amount of bandwidth that Group Update Providers use when downloading content from the Symantec Endpoint Protection Manager. Additionally, Group Update Providers can be tagged by using rules and conditions, such as an IP address or host name, registry key or registry key value. For more information, please see New features and functionality in Symantec Endpoint Protection Release Update 5 (SEP RU 5) Group Update Provider (GUP).

Assuming best practices are followed, a single Group Update Provider officially supports updating content for up to 10,000 connected Endpoint Protection clients. That said, if a GUP is running on a machine that also performs other functions, such as a Domain Controller, Web Server or File Share, the impact on shared resource utilisation should be considered.

Ensure the Group Update Provider is running Symantec Endpoint Protection or later, so all available optimisations and fixes are leveraged.

If a Group Update Provider has 5,000 or more Endpoint Protection clients connected and is running on a non-dedicated machine, Symantec recommends not enabling Network Threat Protection on the Update Provider's local Endpoint Protection client, so that resource utilisation is not saturated.

For mobile systems (e.g. laptops), configure at least two locations to retrieve content updates from: one for when they are connected to the corporate network (e.g. the Group Update Provider) and one for when they are not (e.g. Symantec's public LiveUpdate servers). This will help ensure the content remains current when the client reconnects to the corporate network. This will reduce the size of the content update from the Group Update Provider when the mobile system is reconnected with the corporate network.

Configure the Endpoint Protection Manager to retain at least 42 content revisions. This will ensure the Group Update Provider can provide an incremental content update for connecting Endpoint Protection clients, even if they are out of date on content by up to two weeks. Additionally, this will help minimise impact on local network bandwidth.

Tech Note: Each content revision retained by the Endpoint Protection Manager will require approximately 300MB additional disk space on the Endpoint Protection Manager and SQL database machines.

By default, when Endpoint Protection clients are first installed, they will initially attempt to download a full content update. Keep this in mind when enabling a Group Update Provider at a customer's site. If a large number of Endpoint Protection clients (5000+) are being installed within the same short time window and are configured to connect to the same local Group Update Provider, the GUP may experience unusually high and sustained resource utilisation until the connected Endpoint Protection clients are updated to a relatively recent content update version.

Tech Note: If the Group Update Provider runs a non-Symantec firewall, it may need to be modified to permit the TCP port to receive server communications (the default port is TCP 2967). By default, the Symantec Firewall Policy is configured correctly.

For more information on Group Update Providers, including how to configure and administer them, please see Chapter 7 of the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control: als&pid=54619

Alerting

An important component of a hosted security solution is the ability to send real-time alerts when events occur. Symantec Endpoint Protection offers the ability to send alerts based on events that have taken place in your customers' networks, including but not limited to management server issues, client changes, and outbreaks. Additionally, alerts can be created by customer domain/group.

Tech Note: To configure a mail server in order to receive alerts by email, click the Admin > Servers page, select a server, click Edit Server Properties, and then click the Mail Server tab.

For complete details about Alerting, please see Chapter 12 of the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control: als&pid=

For example, an alert can be set up to email Mike, one of the administrators at the service provider, when more than 10 Category 3 or higher threats are detected in one minute's time at Customer A's New York office.

A second alert can be set up to email Scott, another administrator at the service provider, when virus definitions on at least 10 machines are more than seven days old.

To create an alert

1. In the console, click Monitors.
2. On the Notifications tab, click Notification Conditions.
3. Click Add, and then select the type of alert to be configured.
4. In the new window that appears, in the Notification name text box, type a descriptive name.
5. Specify the customer's domain and/or group for the alert in the filter options.
6. Specify the notification settings and the actions that will occur when this alert is triggered.
7. Click OK.

Logging and Reporting

The reporting functions give up-to-date information that allows you to make informed decisions about the security posture of your customers' networks. The Symantec Endpoint Protection Manager console Home page displays automatically generated charts that contain information about the important events that have recently happened. Additionally, using Filters on the Reports page will generate predefined or custom reports for managed customers. The Reports page can also be used to view graphical representations and statistics about the events that occurred. Filters can also be used on the Monitors page to view more detailed, real-time information about customers' security posture from the logs.

Additionally, there are several choices for exporting the data in the Symantec Endpoint Protection logs, including a comma-delimited text file, a tab-delimited text file (also called a dump file), or to a Syslog server. Log data export is especially useful for accumulating the logs from all customers in a centralized location and for correlating with a security incident manager.

Considerations

Logging activity can be controlled in two ways: the number of entries and the length of time they will be stored in the log (in days). As entries get added to the log, there is a disk space cost that should be considered. The following charts outline approximate disk costs per log entry type:

Log data sizes

Log                              Size per 10,000 Entries
System Admin                     10 MB
System Client Server Activity    9 MB
System Enforcer                  6 MB
Audit Log                        6 MB
System Server Activity           66 MB
Client Activity                  45 MB
Security Log                     45 MB
Traffic Log                      45 MB
Packet                           45 MB
Control                          45 MB

Approximate detected/quarantined virus event sizes

Number of threats in database / Approximate Disk Space: 1, MB 5, MB 15, MB 25, MB 50, MB

For details about logging and reporting, please see Chapters 10 and 11 of the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control: als&pid=
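The two alert conditions used as examples in the Alerting section (more than 10 Category 3 or higher threats in one minute, and definitions more than seven days old on at least 10 machines) can also be evaluated over comma-delimited log exports collected centrally from all customers. The following Python code is an added example, not Symantec code; the column names, customer names and sample records are constructed and do not reflect the product's actual export schema.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"
HEADER = "time,domain,group,computer,category"  # hypothetical column names


def build_sample_export():
    """Return a constructed risk-log export as CSV text (not real product output)."""
    start = datetime(2009, 10, 5, 9, 0, 0)
    lines = [HEADER]

    def add(offset_s, domain, group, host, category):
        stamp = (start + timedelta(seconds=offset_s)).strftime(TIME_FMT)
        lines.append(f"{stamp},{domain},{group},{host},{category}")

    for i in range(12):   # Customer A, New York: 12 category 3+ hits in 55 seconds
        add(5 * i, "CustomerA", "New York", f"NY-PC{i:02d}", 3 + i % 3)
    for i in range(20):   # same office: category 1 noise that must not count
        add(2 * i, "CustomerA", "New York", f"NY-PC{i:02d}", 1)
    for i in range(11):   # Customer B: 11 category 4 hits, but 30 seconds apart
        add(30 * i, "CustomerB", "HQ", f"B-PC{i:02d}", 4)
    return "\n".join(lines) + "\n"


def parse_export(text):
    """Parse the CSV export into time-ordered records, skipping malformed rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
            rec["category"] = int(rec["category"])
        except (KeyError, TypeError, ValueError):
            continue  # a bad row should not abort processing of the whole export
        rows.append(rec)
    return sorted(rows, key=lambda r: r["time"])


def threat_burst_alerts(rows, min_category=3, threshold=10,
                        window=timedelta(minutes=1)):
    """Alert when MORE than `threshold` qualifying detections fall within `window`,
    tracked separately per customer domain and group."""
    recent = defaultdict(deque)  # (domain, group) -> timestamps inside the window
    alerts = []
    for r in rows:
        if r["category"] < min_category:
            continue
        key = (r["domain"], r["group"])
        q = recent[key]
        q.append(r["time"])
        while r["time"] - q[0] >= window:  # drop detections older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append({"domain": key[0], "group": key[1],
                           "time": r["time"], "count": len(q)})
            q.clear()  # damper: report one alert per burst, not one per event
    return alerts


def build_sample_clients(now):
    """Constructed client status records: domain, computer, definitions date."""
    clients = []
    for i in range(10):      # Customer A: 10 machines with 9-day-old definitions
        clients.append({"domain": "CustomerA", "computer": f"NY-PC{i:02d}",
                        "defs_date": now - timedelta(days=9)})
    for i in range(10, 13):  # Customer A: 3 machines that are current
        clients.append({"domain": "CustomerA", "computer": f"NY-PC{i:02d}",
                        "defs_date": now - timedelta(days=1)})
    for i in range(9):       # Customer B: 9 stale machines, below the minimum
        clients.append({"domain": "CustomerB", "computer": f"B-PC{i:02d}",
                        "defs_date": now - timedelta(days=8)})
    return clients


def stale_definition_alerts(clients, now, max_age_days=7, min_machines=10):
    """Return {domain: [computers]} where at least `min_machines` machines have
    definitions more than `max_age_days` old."""
    stale = defaultdict(list)
    for c in clients:
        if now - c["defs_date"] > timedelta(days=max_age_days):
            stale[c["domain"]].append(c["computer"])
    return {d: sorted(m) for d, m in stale.items() if len(m) >= min_machines}


if __name__ == "__main__":
    for a in threat_burst_alerts(parse_export(build_sample_export())):
        print(f"{a['time']} {a['domain']}/{a['group']}: "
              f"{a['count']} category 3+ detections within one minute")
    now = datetime(2009, 10, 14)
    for domain, hosts in stale_definition_alerts(build_sample_clients(now), now).items():
        print(f"{domain}: {len(hosts)} machines with definitions over 7 days old")
```

Keeping the window state per domain and group is what keeps one customer's outbreak from raising or masking an alert for another customer in the pooled export.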

Sample Service Provider New Customer Questionnaire

1. How many endpoints will be managed?
2. How many different locations will the endpoints be in?
3. Will different security policies be required for the various locations and computer types (e.g. servers versus desktops/laptops, on-site employees versus remote)? If so, please describe the different groups you would like to create policies for.
4. What protection technologies do you want to be deployed and managed for each group?
   Antivirus and Antispyware Protection
   Network Threat Protection (HIGHLY recommended). Includes firewall and intrusion prevention
   POP/SMTP Scanning
   Outlook Scanning
   Lotus Notes Scanning
   Proactive Threat Scanning
   Application and Device Control
   For example:
   Servers: Antivirus/Antispyware, Network Threat Protection
   Workstations: Antivirus/Antispyware, Outlook Scanning, Network Threat Protection, Application and Device Control
   Remote Users: Antivirus/Antispyware, Outlook Scanning, POP/SMTP Scanning, Network Threat Protection, Application and Device Control
5. Do you want to be able to administer your Symantec Endpoint Protection deployment or would you prefer to leave that up to the administrators at the Service Provider?
6. Do you want to be able to run your own reports?

References

Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control: als&pid=54619
Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control: als&pid=54619
Backing up a Microsoft SQL database with the Database Maintenance Plan wizard
Configuring the management server to support HTTPS communication
How to log on to the Symantec Endpoint Protection Manager Console remotely
New features and functionality in Symantec Endpoint Protection Release Update 5 (SEP RU 5) Group Update Provider (GUP)
Configuring the Group Update Provider (GUP) in Symantec Endpoint Protection 11.0 RU5

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800)

Symantec Corporation World Headquarters, 350 Ellis Street, Mountain View, CA USA +1 (650) (800)

Copyright 2009 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 10/09


Symantec Multi-tier Protection Trusted protection from malware and email-borne threats for multiplatform environments Overview safeguards enterprise assets and lowers risk by providing unmatched protection against threats for laptops,

More information

Symantec Ghost Solution Suite Web Console - Getting Started Guide

Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console- Getting Started Guide Documentation version: 3.3 RU1 Legal Notice Copyright 2019 Symantec Corporation.

More information

T E C H N I C A L S A L E S S E R V I C E S

T E C H N I C A L S A L E S S E R V I C E S T E C H N I C A L S A L E S S E R V I C E S Trend Micro OfficeScan 7.0 and Cisco Security Agent 4.5 Configuration For Cisco Security Agent 4.5 August 2005 Trend Micro, Inc. 10101 N. De Anza Blvd. Cupertino,

More information

Getting Started Guide. This document provides step-by-step instructions for installing Max Secure Anti-Virus and its prerequisite software.

Getting Started Guide. This document provides step-by-step instructions for installing Max Secure Anti-Virus and its prerequisite software. Getting Started Guide This document provides step-by-step instructions for installing Max Secure Anti-Virus and its prerequisite software. Contents 2 Contents Introduction... 3 System Requirements... 4

More information

VMware AirWatch Cloud Connector Guide ACC Installation and Integration

VMware AirWatch Cloud Connector Guide ACC Installation and Integration VMware AirWatch Cloud Connector Guide ACC Installation and Integration Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

SymantecTM Desktop and Laptop Option. Symantec DLO s Storage in Cloud (Amazon Web Services)

SymantecTM Desktop and Laptop Option. Symantec DLO s Storage in Cloud (Amazon Web Services) SymantecTM Desktop and Laptop Option Symantec DLO s Storage in Cloud (Amazon Web Services) Disclaimer The information contained in this publication is subject to change without notice. Symantec Corporation

More information

Key Features. DATA SHEET

Key Features.  DATA SHEET DATA SHEET Total Defense THREAT MANAGER r12 Overview: Total Defense Threat Manager r12 integrates anti-malware, groupware protection and network access control in one easy-touse solution, providing comprehensive

More information

Lasso Continuous Data Protection Lasso CDP Client Guide August 2005, Version Lasso CDP Client Guide Page 1 of All Rights Reserved.

Lasso Continuous Data Protection Lasso CDP Client Guide August 2005, Version Lasso CDP Client Guide Page 1 of All Rights Reserved. Lasso CDP Client Guide August 2005, Version 1.6.8 Lasso CDP Client Guide Page 1 of 32 Copyright Copyright 2005 Lasso Logic, LLC. All Rights Reserved. No part of this publication may be reproduced, stored

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix Version 1.1 Table of Contents About BigFix Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 About Support for Dual Stack Environments... 5 Concepts, Components,

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.8 April 2017 Last modified: July 17, 2017 2017 Nasuni Corporation All Rights Reserved Document Information Testing Disaster

More information

Netwrix Auditor for Active Directory

Netwrix Auditor for Active Directory Netwrix Auditor for Active Directory Quick-Start Guide Version: 8.0 4/22/2016 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

BCPro Installation Instructions Code No. LIT Software Release 3.0 Issued September 2017

BCPro Installation Instructions Code No. LIT Software Release 3.0 Issued September 2017 Code No. LIT-12011910 Software Release 3.0 Issued September 2017 Welcome...2 Summary of Changes...2 Related Documentation...2 Installation Overview...2 Prerequisite Software Checklist for Installation

More information

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2 Forescout Version 1.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.3.0 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 5 New features on page 5

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix ForeScout Extended Module for IBM BigFix Version 1.0.0 Table of Contents About this Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 Concepts, Components, Considerations...

More information

ForeScout Extended Module for Tenable Vulnerability Management

ForeScout Extended Module for Tenable Vulnerability Management ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support

More information

How To Manually Update Definitions For A. Unmanaged Symantec Endpoint Protection Client

How To Manually Update Definitions For A. Unmanaged Symantec Endpoint Protection Client How To Manually Update Definitions For A Unmanaged Symantec Endpoint Protection Client Is there a way to manually update symantec endpoint protection using the update definitions for a managed Symantec

More information

Securing Your Environment with Dell Client Manager and Symantec Endpoint Protection

Securing Your Environment with Dell Client Manager and Symantec Endpoint Protection Securing Your Environment with Dell Client Manager and Symantec Endpoint Protection Altiris, Now Part of Symantec Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo,

More information

SymantecTM Desktop and Laptop Option. Symantec DLO s Storage in Cloud (Amazon Web Services)

SymantecTM Desktop and Laptop Option. Symantec DLO s Storage in Cloud (Amazon Web Services) SymantecTM Desktop and Laptop Option Symantec DLO s Storage in Cloud (Amazon Web Services) Disclaimer The information contained in this publication is subject to change without notice. Symantec Corporation

More information

Symantec Security Monitoring Services

Symantec Security Monitoring Services 24x7 real-time security monitoring and protection Protect corporate assets from malicious global threat activity before it impacts your network. Partnering with Symantec skilled and experienced analysts

More information

Secondary operation windows in SLPs

Secondary operation windows in SLPs NETBACKUP 7.6 FEATURE BRIEFING SECONDARY OPERATION WINDOWS IN SLPS NetBackup 7.6 Feature Briefing Secondary operation windows in SLPs Version number: 1.0 Issue date: 2 nd August 2013 This document describes

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.3.7 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 5 New features on page 5

More information

Administering Cloud Pod Architecture in Horizon 7. Modified on 4 JAN 2018 VMware Horizon 7 7.4

Administering Cloud Pod Architecture in Horizon 7. Modified on 4 JAN 2018 VMware Horizon 7 7.4 Administering Cloud Pod Architecture in Horizon 7 Modified on 4 JAN 2018 VMware Horizon 7 7.4 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information