[. . . ]
Network Bandwidth
Secure Execution
Memory Consumption
Agent Required User Permissions
Agent Profile
Agent Descriptions
Prior to installation, you must configure Sophos NAC Agent to use one of the following options:

Continuous Agent: The Continuous Agent configuration assesses and verifies compliance with corporate security policy prior to gaining access to network resources and on a periodic basis during the user's session, requiring little or no user interaction. [. . . ] This reporting interval is configurable and can be specified per policy. There is a direct correlation between the size of the policy and the size of the report; therefore, if the policy is very large, the report will also become large.
Average Bandwidth Generated per Profile
Patch: Each patch that is added to policy generates an average of 0.33KB.
Anti-Virus: Each anti-virus profile that is added to policy generates an average of 3.4KB.
Firewall: Each firewall profile that is added to policy generates an average of 1.43KB.
Agent bandwidth usage breakdown: The following chart was based upon a policy with the following features: 25 Patches, 1 Sophos Assessment Application, 1 Sophos Anti-virus Profile.

Agent Functions               Size (KB)   Constant/Changing              Interval Used
Registration                  6.7         Constant                       None
Retrieve Policy: Same         7.0         Constant                       Policy Refresh
Retrieve Policy: New          17.3        Changing (based on policy)     Policy Refresh
Patch Definitions             488.9       Changing (based on policy)*    New Policy/Reboot
Set Compliance State          6.4         Constant                       Assess & Enforce
Batch Create Agent Session    6.6         Constant                       Reporting
Set Compliance State          6.7         Constant                       Assess & Enforce
Batch Create Global Report    7.5         Changing (based on policy)     Reporting
Batch Create Agent Session    6.6         Constant                       Reporting
* The patch definitions file is pulled onto the application server nightly. When a new policy is created or an existing policy is updated, the Agent is forced to download the new patch file from the application server.

(based on policy): The bandwidth usage decreases if a smaller policy is used and increases if a larger policy is used.

Initial registration of Agent should generate the following actions:

Registration                  6.7KB
Fetch Policy: New             17.3KB (based on policy size)
Patch Definitions             488.9KB
Set Compliance State          6.4KB
Batch Create Agent Session    6.5KB
Batch Create Global Report    7.5KB (based on policy size)
Total:                        532.3KB

Each new or updated policy should generate the following actions based on Policy Refresh Interval:

Fetch Policy: New             17.3KB (based on policy size)
Patch Definitions             488.9KB (if Windows patches are in the policy)
Total:                        506.2KB
Each login should generate the following actions:

Retrieve Policy: New or Same         17.3/7.0KB (depending if new policy exists)
Patch Definitions (if new policy)    488.9KB
Set Compliance State                 6.4KB
Batch Create Global Report           7.5KB (based on policy size)
Batch Create Agent Session           6.5KB
Total:                               525.6KB (new policy)
                                     26.4KB (same policy)
Network Performance
The Quarantine Agent configuration inspects network packets coming from the endpoint to ensure the destination is valid according to the current assessment state and policy. To measure the effect on network performance, a series of FTP downloads was performed on 10MB and 75MB files from a local network address. Average download times for endpoints, both with and without the Quarantine Agent configuration installed, are noted in the following table:

Agent                         10MB file (seconds)   75MB file (seconds)
No Agent Installed            13.4                  84.3
Quarantine Agent Installed    16.7                  88.6
As the test indicates, overall network performance is only slightly affected due to the filter driver that is installed with the Agent.
Agent Disk Space Utilization
The Sophos NAC Agent 98 (for Windows 98) install file is 5.5MB and the Agent NT (for all other Windows versions) is 6.5MB. The base Sophos files that are installed with the Agent consume approximately 5.3MB of disk space in the Sophos install directory. The following example includes a Quarantine Agent retrieving a policy that includes an Agent application, a firewall application, an anti-virus application, a service pack, and 50 patches. The following files were placed on the endpoint during the initial policy retrieval and assessment.

File                        Size (KB)
Policy cache                103
Patch Assessment results    98
Other Policy results        34
Report                      42
The encrypted report file is stored on the endpoint until the report interval, which is specified in policy, is reached. When this report interval is reached, the report file is sent to the application server for reporting, and the file is deleted from the endpoint. This report file grows by only a minuscule amount as long as the state of the endpoint remains unchanged. Also, the policy cache is stored in an encrypted format on the endpoint.

[. . . ] Working Peak Working Bytes (MB) Set (MB) Set (MB)

14.54    4.11    8.72     1.98    3.15
17.56    4.14    11.00    3.54    36.19
17.59    4.29    13.01    3.60    38.19
17.35    3.54    11.68    3.64    7.10
17.74    3.66    14.54    6.25    9.33
18.06    5.33    15.27    5.54    10.61
17.50    3.60    11.81    3.73    25.19
17.78    3.68    14.74    6.30    33.80
18.19    5.40    15.86    5.73    35.86
Agent Required User Permissions
The Sophos NAC Agent operates under any user mode. The Agent does not require local administrator privileges to execute and operates normally in restricted user mode. Installing the Agent requires local administrative privileges, as do most MSI-based install programs. [. . . ]