How Does the Gateway Use the Host Information to Enforce Policy?
The gateway uses the host information to enforce policy based on HIP object and HIP
profile matches.
The app learns what information to collect from the client configuration
it downloads from the portal; you, in turn, define which host attributes
you want to monitor and/or use for policy enforcement by creating HIP
objects and HIP profiles on the gateway(s):
HIP Objects—The matching criteria used to select, from the raw data
reported by the app, the host information you want to use to enforce
policy. For example, the raw host data may list several antivirus
packages installed on the endpoint, but you may only care about the one
application your organization requires. In that case, you would create
a HIP object that matches that specific application.
The best way to determine what HIP objects you need is to decide how you
will use the host information you collect to enforce policy. Keep in
mind that the HIP objects themselves are merely building blocks for the
HIP profiles that are used in your security policies. Therefore, keep
your objects simple, each matching on one thing, such as the presence
of a particular type of required software, membership in a specific
domain, or a specific endpoint OS. By doing this, you retain the
flexibility to create very granular (and very powerful) HIP-augmented
policy, because any combination can be expressed at the profile level
rather than by creating a new object for every combination.
HIP Profiles—A collection of HIP objects that are
evaluated together, either for monitoring or for security policy
enforcement. When you create your HIP profiles, you can combine
the HIP objects you previously created (as well as other HIP profiles)
using Boolean logic, such that when a traffic flow is evaluated
against the resulting HIP profile, it either matches or does not
match. If there is a match, the corresponding policy rule is enforced.
If there is no match, the flow is evaluated against the next rule,
as with any other policy matching criteria.
Unlike a traffic log—which only creates a log entry if there
is a policy match—the HIP Match log generates an entry whenever
the raw data submitted by an app matches a HIP object and/or a HIP
profile you have defined. This makes the HIP Match log a good resource
for monitoring the state of the endpoints in your network over time—before
attaching your HIP profiles to security policies—in order to help
you determine exactly what policies you believe need enforcement.
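The following is an illustrative model of the object-to-profile-to-policy flow described above, added here as an example; it is not PAN-OS code and does not use the real GlobalProtect report format. The report shape, the object names (required-av, corp-domain, windows-os), the profile names, the rule list and the vendor strings are all constructed assumptions. It shows each HIP object matching a single thing, a profile combining objects with Boolean logic, a HIP Match log entry produced for every matching object or profile whether or not any rule uses it, and rule evaluation falling through to the next rule when a profile does not match.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

# Raw host data as reported by the app. The shape is a constructed
# assumption for this example, not the real GlobalProtect report format.
HipReport = Dict[str, object]


@dataclass(frozen=True)
class HipObject:
    """A HIP object: one simple criterion selected from the raw report."""
    name: str
    match: Callable[[HipReport], bool]

    def evaluate(self, report: HipReport) -> bool:
        return bool(self.match(report))


@dataclass(frozen=True)
class HipProfile:
    """A HIP profile: objects and/or other profiles combined with Boolean logic."""
    name: str
    op: str                                   # "and", "or" or "not"
    members: Tuple[Union["HipObject", "HipProfile"], ...]

    def evaluate(self, report: HipReport) -> bool:
        results = [m.evaluate(report) for m in self.members]
        if self.op == "and":
            return all(results)
        if self.op == "or":
            return any(results)
        if self.op == "not":
            assert len(results) == 1, "not takes exactly one member"
            return not results[0]
        raise ValueError(f"unknown operator {self.op!r}")


# --- HIP objects: keep each one matching a single thing -------------------
def _has_required_av(report: HipReport) -> bool:
    # Of all AV packages reported, only the required one counts, and only
    # if its real-time protection is on. Vendor name is a constructed value.
    return any(av.get("vendor") == "Example AV" and av.get("realtime")
               for av in report.get("antivirus", []))

REQUIRED_AV = HipObject("required-av", _has_required_av)
CORP_DOMAIN = HipObject("corp-domain", lambda r: r.get("domain") == "corp.example.com")
WINDOWS_OS = HipObject("windows-os", lambda r: str(r.get("os", "")).startswith("Windows"))

# --- HIP profiles: Boolean combinations of the building blocks -------------
MANAGED_WINDOWS = HipProfile("managed-windows", "and", (REQUIRED_AV, CORP_DOMAIN, WINDOWS_OS))
AV_MISSING = HipProfile("av-missing", "not", (REQUIRED_AV,))   # monitoring-only profile

ALL_OBJECTS = (REQUIRED_AV, CORP_DOMAIN, WINDOWS_OS)
ALL_PROFILES = (MANAGED_WINDOWS, AV_MISSING)


def hip_match_log(report: HipReport) -> List[str]:
    """Names that would appear in the HIP Match log for this report.

    Unlike the traffic log, an entry is produced for every object or
    profile the raw data matches, whether or not any policy rule uses it.
    """
    return [x.name for x in (*ALL_OBJECTS, *ALL_PROFILES) if x.evaluate(report)]


# Security rules: (rule name, required HIP profile or None, action).
# Evaluated top-down; a rule whose profile does not match is skipped.
RULES: List[Tuple[str, Optional[HipProfile], str]] = [
    ("allow-internal-from-managed", MANAGED_WINDOWS, "allow"),
    ("deny-all", None, "deny"),
]


def evaluate_policy(report: HipReport) -> Tuple[str, str]:
    """Return (rule name, action) of the first rule the flow matches."""
    for name, profile, action in RULES:
        if profile is None or profile.evaluate(report):
            return name, action
    raise RuntimeError("no rule matched")   # unreachable with a final catch-all


# Constructed sample reports (not real GlobalProtect output).
COMPLIANT = {
    "os": "Windows 11",
    "domain": "corp.example.com",
    "antivirus": [{"vendor": "Example AV", "realtime": True},
                  {"vendor": "OtherGuard", "realtime": False}],
}
NONCOMPLIANT = {
    "os": "Windows 10",
    "domain": "corp.example.com",
    "antivirus": [{"vendor": "OtherGuard", "realtime": True}],
}

if __name__ == "__main__":
    for label, report in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, "HIP Match log:", hip_match_log(report), "policy:", evaluate_policy(report))
```

Running the block shows the monitoring use case from the text: the noncompliant host never reaches the allow rule, but its HIP Match log entries (corp-domain, windows-os, av-missing) tell you exactly why, and you can collect those entries across the fleet before the av-missing profile is ever attached to a security rule.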
See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them as policy match criteria.