We are still fine-tuning CSA prior to a rollout, and are having issues with CSA blocking all access to the registry on our servers. This is a learning curve for us, and we are still trying to determine why the machine account is modifying the registry on our servers (probably truly legit traffic, including auth to DCs). Has anyone seen this, and determined the majority of the requests to be legit? (This CSA purchase is the result of a nasty rootkit we had, and we cannot verify that all the reporting machines are 'clean'.) Any and all info regarding CSA would be appreciated.
Unfortunately, without seeing what the event is, it's hard to say if it's valid or not. For the most part, a majority of your events are going to be valid and should be allowed; you just have to research what it's accessing in the Registry.
I've been a part of training several groups on how to tune and create rules. It's mostly a matter of looking into the software you're running and how it works. One of the groups I work with has a ton of in-house developed applications and has actually found CSA very useful in forcing their programmers to clean up the interactions.
Suzanne, not sure if this will help or not. We had similar issues with almost all of our servers. CSA would detect different users accessing different registry keys. My guess is that you also don't have any "Wizard" options for creating allow rules. If you want to create an allow rule you will need to do it manually. I have found that in many cases having CSA deny certain registry access doesn't always break anything. It's a lot of trial and error. I placed some of my servers in Protect mode and performed tests with my users to determine which registry alarms were real and which were not causing any problems. I know that's probably not the easiest way to address the situation but maybe it will be helpful.
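The replies above boil down to one workflow: collect the registry events CSA reports, group them by process, account and key subtree, write manual allow rules for the recurring access you can explain, and leave the rare ones denied until someone has looked at them. The script below is an added example of that triage step; it is not code from the thread or from Cisco, and the pipe-delimited event lines it parses are constructed for illustration (the real CSA export format is not shown on this page, so the parser would need adapting). It also pulls out the machine-account traffic the original question asks about, so it can be reviewed as its own bucket.

```python
from collections import Counter

# Constructed sample events (process|user|registry key|action). This is a
# generic layout for illustration, not the real CSA event format, which the
# thread does not show; substitute your own export and adjust parse_events().
SAMPLE_EVENTS = """\
lsass.exe|NT AUTHORITY\\SYSTEM|HKLM\\SECURITY\\Policy\\Secrets|write
lsass.exe|NT AUTHORITY\\SYSTEM|HKLM\\SECURITY\\Policy\\Secrets|write
services.exe|NT AUTHORITY\\SYSTEM|HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler|write
services.exe|NT AUTHORITY\\SYSTEM|HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time|write
svchost.exe|CORP\\SERVER01$|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|read
inhouseapp.exe|CORP\\svc_app|HKLM\\SOFTWARE\\InhouseApp\\Config|write
inhouseapp.exe|CORP\\svc_app|HKLM\\SOFTWARE\\InhouseApp\\Config|write
inhouseapp.exe|CORP\\svc_app|HKLM\\SOFTWARE\\InhouseApp\\Config|write
unknown.exe|CORP\\jdoe|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|write
"""


def parse_events(text):
    """Parse pipe-delimited event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        process, user, key, action = line.split("|", 3)
        events.append({"process": process, "user": user, "key": key, "action": action})
    return events


def key_prefix(key, depth=3):
    """Collapse a key to its first `depth` path components so one rule covers a subtree."""
    return "\\".join(key.split("\\")[:depth])


def is_machine_account(user):
    """Computer accounts end in '$'; LocalSystem also reaches the domain as the computer account."""
    return user.endswith("$") or user.upper().endswith("SYSTEM")


def summarize(events, depth=3):
    """Count events per (process, user, key subtree, action) tuple."""
    return Counter(
        (e["process"], e["user"], key_prefix(e["key"], depth), e["action"]) for e in events
    )


def candidate_allow_rules(events, min_count=2, depth=3):
    """Tuples seen at least `min_count` times: recurring access worth an explicit allow rule."""
    return sorted(t for t, n in summarize(events, depth).items() if n >= min_count)


def review_queue(events, min_count=2, depth=3):
    """Rare tuples: keep these denied until the process and key have been looked at."""
    return sorted(t for t, n in summarize(events, depth).items() if n < min_count)


def machine_account_summary(events, depth=3):
    """The subset of the summary driven by machine accounts, which the question asks about."""
    return {t: n for t, n in summarize(events, depth).items() if is_machine_account(t[1])}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("Candidate allow rules (recurring, explain each before allowing):")
    for rule in candidate_allow_rules(evs):
        print("  ", rule)
    print("Needs review before any rule is written:")
    for rule in review_queue(evs):
        print("  ", rule)
    print("Machine-account registry access:")
    for rule, n in machine_account_summary(evs).items():
        print("  ", n, rule)
```

The threshold and the subtree depth are deliberately parameters: a higher `min_count` keeps more in the review queue, and a deeper prefix produces narrower rules. Treat the "candidate" list as a shortlist to explain, not as rules to apply blindly; the point of the exercise in the thread is that most events turn out to be legitimate once you know which program and key are involved.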