ServerView Resource Orchestrator Cloud Edition V3.3.0 Automatic Quarantining Function User's Guide
FUJITSU Software

3.1.1 Operation When Security Risks Have Been Detected [Trend Micro VB] [Symantec] [McAfee]

Procedure

  1. The infrastructure administrator learns that security risks have been detected through email notifications or by checking the system log of the server on which the Resource Orchestrator manager operates.

    Note

    If Resource Orchestrator is coordinating with the following antivirus software, information regarding detected security risks is not output to the system log of the Resource Orchestrator manager server:

    • Symantec Endpoint Protection

  2. The Resource Orchestrator manager responds to a notification from one of the following servers and automatically switches the network of L-Servers on which security risks have occurred, transferring them to the quarantine network in accordance with the settings for quarantining.

    [Trend Micro OfficeScan]
    • OfficeScan 11.0 server

    • OfficeScan XG server

    [Symantec]
    • Symantec Endpoint Protection Manager

    [McAfee]
    • McAfee ePolicy Orchestrator server

  3. The infrastructure administrator confirms that all of the following conditions are satisfied:

    • The GUI (ROR console) shows that the network of the L-Servers has been switched to the quarantine network, and shows the IP addresses of the quarantined L-Servers

    • No error messages are displayed on the GUI (ROR console)

    • The Resource Orchestrator manager has not been stopped

    If any of the above conditions are not satisfied, perform the following operations:

    1. Switch the connected network

      • For virtual PCs

        Use the virtualization management software to switch the virtual NICs of the virtual PCs from the network they are currently connected to over to the quarantine network.

      • For SBC servers

        Change the VLAN on the switches adjacent to the physical servers to switch the physical servers from the network they are currently connected to over to the quarantine network.

    2. Switch over to the quarantine network

      Execute the rcxadm avmgr quarantine command on the corresponding L-Servers to perform switchover to the quarantine network.

    Note

    • If "3.2.1 Operation When Security Risks Have Been Removed [Trend Micro VB] [Symantec] [McAfee]" is performed before the above operation, discrepancies may occur in network information between the following:

      • Management information of virtual PCs and Resource Orchestrator

      • Management information of SBC servers and Resource Orchestrator

    • When switching SBC servers over to the quarantine network, the statuses of those servers on the GUI (ROR console) will become "unknown".

    Information

    If an error occurs during the network switchover operation of this function, the behavior will differ depending on the status of the corresponding virtual PCs or SBC servers.

    • For virtual PCs

      • When the virtual NICs of the virtual PCs have been switched to the quarantine network

        To prevent the spread of infection, the virtual NICs of virtual PCs remain connected to the quarantine network. The network of the NICs of the virtual L-Servers is switched back to the operation network.

      • When the virtual NICs of the virtual PCs have not been switched to the quarantine network

        The network of the NICs of the virtual L-Servers is switched back to the operation network.

    • For SBC servers

      • When the NICs of the SBC servers have been switched to the quarantine network

        To prevent the spread of infection, the NICs of the SBC servers remain connected to the quarantine network. The network of the NICs of the physical L-Servers is switched back to the operation network.

      • When the NICs of the SBC servers have not been switched to the quarantine network

        The network of the NICs of the physical L-Servers is switched back to the operation network.

  4. Environments on which security risks have been detected can no longer be used.

    In virtual PC environments, users of quarantined virtual PCs can access other virtual PCs by making requests to the infrastructure administrator.

  5. The infrastructure administrator opens the consoles of the virtual PCs and SBC servers on which security risks have been detected, and performs the following quarantine processing:

    1. Modify the network settings of the OS based on the L-Server IP addresses and the network information confirmed in step 3.

    2. Perform corrective actions according to the manual for the antivirus software and then perform a virus scan. Confirm that no viruses are detected.