Critical System Protection

  • 1.  Critical Systems Protection 5.2.9 - IPS Component: High Utilization Servers

    Posted Oct 02, 2013 08:30 AM

    Hi,

    Does anyone know if high utilization servers, such as Domain Controllers, running SCSP with the Intrusion Prevention System (IPS) component enabled have the same issue as IPS in SEP on high utilization servers? Here is an article about SEP on high utilization servers for reference:

    http://www.symantec.com/business/support/index?page=content&id=TECH162135&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D1380715261479fPuU5u533CZ4B29m420523FbQyuaj8W0n4zln

    If you have a link that mentions either the same problem with SCSP-IPS or that states it does not have this issue, that would be great. I have searched unsuccessfully.

    Thanks in advance for any help with this.



  • 2.  RE: Critical Systems Protection 5.2.9 - IPS Component: High Utilization Servers

    Broadcom Employee
    Posted Oct 02, 2013 08:39 AM

    Use the latest version of SCSP, which addresses one of the domain controller issues, if that's what you are seeing.



  • 3.  RE: Critical Systems Protection 5.2.9 - IPS Component: High Utilization Servers

    Posted Oct 03, 2013 01:53 PM

    MyCo,

    SCSP is specifically designed for high-utilization servers.  The IPS is not network based like in SEP, instead it uses sandboxing techniques to control the behavior of executables, and a properly tuned CSP policy will place any unknown executables into a sandbox (we call them Process Sets, or PSETs) that has limited access to the system resources or a PSET that has no access to system resources.

    I have seen SEP cause network slowdown on servers when the IPS module is enabled, because it does stateful packet inspection of every packet that comes into the system, and that takes resources.

    SCSP has a firewall component, but it is an application layer firewall, where we control what processes can access network connections by blocking them at the kernel level. In essence, SCSP is a gatekeeper to the kernel, and a properly tuned policy will block anything from accessing the network stack unless given permission. Because we block processes from accessing the network stack by intercepting calls to the kernel, we have an extremely low impact on network speed.

    CSP also uses only between 1-5% (on the average server) of the CPU, has a very small footprint, and does not use a lot of memory.

    I have seen this installed on many extremely busy domain controllers without any noticeable impact on the system.



  • 4.  RE: Critical Systems Protection 5.2.9 - IPS Component: High Utilization Servers

    Posted Oct 03, 2013 01:59 PM

    Please do note that you will want to use at least 5.2.9 MP3 on 2008 and 2012 domain controllers (or other really busy 2k8/2k12 servers), due to a change in the way that Windows notifies drivers about the teardown of network connections. Earlier builds of CSP ended up using a lot of memory on extremely busy 2k8 and newer machines.



  • 5.  RE: Critical Systems Protection 5.2.9 - IPS Component: High Utilization Servers

    Posted Oct 30, 2013 04:06 PM

    MyCo,

    Was the information provided adequate?

    If not, please let us know.

    If so, please mark the solution so others can easily find it.

    Thanks!