Security Enforcement
Security enforcement works only if you integrate Threat Mitigator with an enforcement device.
In security enforcement, Threat Mitigator issues a set of security assessment rules to Threat Management Agent, the endpoint-based program that assesses the endpoint's compliance against the rules and reports non-compliance to Threat Mitigator. When an endpoint is non-compliant, Threat Mitigator initiates one of two actions: Quarantine or Log Only.
If the action is Quarantine, Threat Mitigator notifies an enforcement device to quarantine the endpoint. A quarantined endpoint will have limited or no access to the Internet and network resources. The endpoint will automatically be released from quarantine when compliance is achieved.
If the action is Log Only, Threat Mitigator only records non-compliance in the logs.
Security enforcement also adds another level of protection during threat mitigation. If there are unresolved threats after post-assessment cleanup, Threat Mitigator notifies an enforcement device to quarantine the endpoint. For details about threat mitigation and post-assessment cleanup, see Threat Mitigation.
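The following model, written for this page as an illustration and not Threat Mitigator's own code or API, shows the decision flow described above: the agent side assesses an endpoint against a rule set and reports the failed rules, the server side applies the configured action (Quarantine notifies an enforcement device, Log Only only records the event), a quarantined endpoint is released once it reports compliance, and unresolved threats after cleanup also trigger quarantine. All rule names, endpoint states and class names are constructed for the example.

```python
"""Illustrative model of the Threat Mitigator enforcement flow (hypothetical,
not the product's code). Rule names and endpoint states are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Set


class Action(Enum):
    """The two enforcement actions the documentation describes."""
    QUARANTINE = "Quarantine"
    LOG_ONLY = "Log Only"


@dataclass
class Rule:
    """A security assessment rule: a name plus a predicate over endpoint state."""
    name: str
    check: Callable[[dict], bool]


@dataclass
class EnforcementDevice:
    """Stand-in for the enforcement device; records quarantine/release requests
    instead of talking to a switch."""
    quarantined: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def quarantine(self, endpoint_id: str) -> None:
        self.quarantined.add(endpoint_id)
        self.log.append(f"quarantine {endpoint_id}")

    def release(self, endpoint_id: str) -> None:
        self.quarantined.discard(endpoint_id)
        self.log.append(f"release {endpoint_id}")


def assess(rules: List[Rule], state: dict) -> List[str]:
    """Agent side: return the names of the rules the endpoint fails."""
    return [r.name for r in rules if not r.check(state)]


@dataclass
class ThreatMitigatorModel:
    """Server side: applies the configured action to compliance reports."""
    action: Action
    device: EnforcementDevice
    events: List[str] = field(default_factory=list)

    def handle_report(self, endpoint_id: str, violations: List[str]) -> str:
        if violations:
            # Non-compliance is always logged; quarantine only for Action.QUARANTINE.
            self.events.append(f"{endpoint_id} non-compliant: {', '.join(violations)}")
            if self.action is Action.QUARANTINE and endpoint_id not in self.device.quarantined:
                self.device.quarantine(endpoint_id)
            return "quarantined" if endpoint_id in self.device.quarantined else "logged"
        # Compliant again: release automatically if the endpoint was quarantined.
        if endpoint_id in self.device.quarantined:
            self.device.release(endpoint_id)
            return "released"
        return "compliant"

    def handle_unresolved_threats(self, endpoint_id: str) -> str:
        """Threats left after post-assessment cleanup trigger quarantine."""
        self.events.append(f"{endpoint_id} has unresolved threats after cleanup")
        if endpoint_id not in self.device.quarantined:
            self.device.quarantine(endpoint_id)
        return "quarantined"


# Constructed rule set: real-time scanning must be on and patterns must be recent.
RULES = [
    Rule("realtime_scan_enabled", lambda s: s.get("realtime_scan") is True),
    Rule("pattern_age_days<=7", lambda s: s.get("pattern_age_days", 999) <= 7),
]


def run_demo(action: Action):
    """Walk one endpoint through non-compliance and back to compliance."""
    device = EnforcementDevice()
    server = ThreatMitigatorModel(action, device)
    results = []
    # Report 1: stale pattern file (constructed state) -> non-compliant.
    results.append(server.handle_report(
        "host-a", assess(RULES, {"realtime_scan": True, "pattern_age_days": 30})))
    # Report 2: patterns updated -> compliant, quarantine (if any) is lifted.
    results.append(server.handle_report(
        "host-a", assess(RULES, {"realtime_scan": True, "pattern_age_days": 0})))
    return results, device


if __name__ == "__main__":
    for act in Action:
        outcomes, dev = run_demo(act)
        print(act.value, outcomes, dev.log)
```

Running the script prints the outcome sequence for each action; with Quarantine the device log shows a quarantine followed by an automatic release, with Log Only the device is never contacted.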
An enforcement device sits between Threat Mitigator and Threat Management Agents. Using a set of SNMP commands, the device controls the same network switch from which Threat Discovery Appliance mirrors network traffic.
An enforcement device hosts the following programs:
TMAgent Proxy: Because the enforcement device sits between Threat Mitigator and Threat Management Agent, there is no direct connection between the two. A program on the enforcement device, TMAgent Proxy, bridges that gap by relaying messages between Threat Mitigator and Threat Management Agent.
Enforcement agent: The enforcement agent points Threat Management Agent to the correct enforcement device. The enforcement agent, together with Threat Management Agent, is deployed by the enforcement device to each endpoint. Unlike the Threat Management Agent, the enforcement agent is not visible to endpoint users.