Critical System Protection

  • 1.  CSP for Domain Controllers

    Posted Jun 28, 2010 09:38 AM

    Hi... we are already running SEP in our environment and are now adding CSP for some of our infrastructure servers. We'll start with our DCs. Any known gotchas or words of advice for someone new to the product? I am trying to create a very restrictive policy for the DCs.

    VERY new to the product, just looking for a step in the right direction... management wants this implemented ASAP without a training budget :)

    MK_SEP_Admin



  • 2.  RE: CSP for Domain Controllers

    Posted Jun 28, 2010 10:44 AM

    Check out "Best practices for Symantec Critical System Protection 5.0":

    http://service1.symantec.com/support/intrusiondetectkb.nsf/854fa02b4f5013678825731a007d06af/4329d292f31acbe5882570ad00698be3?OpenDocument

    I hope this was helpful.

    Thomas



  • 3.  RE: CSP for Domain Controllers

    Posted Jun 29, 2010 05:51 PM

    MK_Sep_Admin,

    CSP is a very involved product on the IPS side as well as on the IDS side. Please always remember to disable prevention whenever applying a prevention policy without tuning. IDS is great to start with as it's passive in nature (in most cases), so all that can happen is that one gets flooded with events.

    As you read into the product documentation you may want to start with IDS, get a feel for the product, its event tuning, its logging functions, asset grouping, policy application, various reporting, etc., while running IPS with a null policy (which tells IPS to do nothing). Then, once comfortable, move to the Core or Strict policy (again, more on that in the ips_ref.pdf document in the product /docs folder) with prevention disabled. Any events that come in as blue would be blocked once prevention is turned on; that is where you start tuning via the available wizards. Again, all this is in the product documentation as well, so read, read, read.

    I also highly recommend you receive training on the product if this is going on critical machines.
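The tuning step described in the reply above (run the prevention policy with prevention disabled, then work through the events that would have been blocked) is where most of the effort goes on a DC. The script below is an added example, not code from the original post and not Symantec's: it takes an event export, keeps only the events that would have been blocked, groups them by process and policy rule, and marks which groups are candidates for a narrow exception versus which need investigation. The CSV layout, column names, rule names and file paths are all constructed and hypothetical, not CSP's real export format; adapt the column names to whatever the console actually exports.

```python
"""Triage would-be-blocked IPS events from an audit-mode (prevention disabled) run.

Added example, not Symantec's code. The CSV layout below is a constructed,
hypothetical export format, NOT CSP's real one; adjust the column names to
match your console's export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export from a DC running a prevention policy with
# prevention disabled. 'disposition' records what the policy *would* have done.
SAMPLE_EXPORT = """\
timestamp,host,disposition,process,operation,resource,rule
2010-06-29T10:01:12,DC01,would_block,C:\\Windows\\System32\\lsass.exe,write,C:\\Windows\\NTDS\\ntds.dit,os_protect_ds
2010-06-29T10:01:13,DC01,would_block,C:\\Windows\\System32\\lsass.exe,write,C:\\Windows\\NTDS\\edb.log,os_protect_ds
2010-06-29T10:02:40,DC01,allowed,C:\\Windows\\System32\\svchost.exe,read,C:\\Windows\\System32\\config\\SYSTEM,os_read
2010-06-29T10:03:05,DC01,would_block,C:\\Program Files\\Backup\\agent.exe,read,C:\\Windows\\NTDS\\ntds.dit,os_protect_ds
2010-06-29T10:03:06,DC01,would_block,C:\\Program Files\\Backup\\agent.exe,read,C:\\Windows\\NTDS\\edb.log,os_protect_ds
2010-06-29T10:05:00,DC01,would_block,C:\\Users\\admin\\Downloads\\tool.exe,write,C:\\Windows\\System32\\drivers\\x.sys,os_protect_sys
"""


def parse_events(text):
    """Parse a CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def would_block(events):
    """Events the policy would have stopped had prevention been on
    (the 'blue' events in the console; in this constructed format they
    carry disposition=would_block)."""
    return [e for e in events if e["disposition"] == "would_block"]


def summarize(events):
    """Group would-block events by (process, rule) and collect the resources
    and operations involved, so each group maps to one candidate exception."""
    groups = defaultdict(lambda: {"count": 0, "resources": set(), "operations": set()})
    for e in would_block(events):
        g = groups[(e["process"], e["rule"])]
        g["count"] += 1
        g["resources"].add(e["resource"])
        g["operations"].add(e["operation"])
    return groups


def tuning_worklist(events, known_good_processes):
    """Return the groups as a list, busiest first.

    Processes on known_good_processes (services that legitimately need the
    access, e.g. the DC's own lsass.exe writing the directory database) become
    exception candidates: that process, that rule, those resources, nothing
    wider. Everything else is flagged for investigation; do not loosen the
    policy just to make unexplained events disappear.
    """
    rows = []
    for (process, rule), g in summarize(events).items():
        action = "exception_candidate" if process in known_good_processes else "investigate"
        rows.append({
            "process": process,
            "rule": rule,
            "count": g["count"],
            "operations": sorted(g["operations"]),
            "resources": sorted(g["resources"]),
            "action": action,
        })
    rows.sort(key=lambda r: (-r["count"], r["process"]))
    return rows


if __name__ == "__main__":
    # lsass.exe is the only process on this DC we already know needs NTDS writes.
    known_good = {r"C:\Windows\System32\lsass.exe"}
    for row in tuning_worklist(parse_events(SAMPLE_EXPORT), known_good):
        print(f'{row["action"]:20} {row["count"]:3}  {row["process"]}  [{row["rule"]}]')
        for res in row["resources"]:
            print(f'{"":26}{res}')
```

The point of grouping by process and rule rather than just counting events is that each group corresponds to one exception you would add in the policy; keeping the exception scoped to that process and those exact resources preserves most of the protection the Core or Strict policy gives you. The unknown binary writing into the drivers directory would stay flagged no matter how many events it generated.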