Summary:
This article describes how TCP processing occurs within ControlMinder and suggests ways to minimise or eliminate the impact of the security policy on network performance.
Environment:
OS: Windows
PIM 12.5 and higher
Instructions:
When a TCP class rule is applied on such systems, ControlMinder can come under heavy load and system performance can deteriorate.
Before implementing a TCP rule the system should be profiled. The profile should cover:
1. The typical CPU usage
2. Review of the EVT logs to find existing errors and warnings
3. Resolution or explanation of existing errors and warnings
4. Use of a third-party monitoring tool (e.g. Wireshark) to measure network utilisation over a 24-hour period. The tool should capture not only bandwidth but also traffic timing within the network stack.
5. Documentation of the applications that are always running outside the OS, and a determination of how each can be disabled.
6. Use of a VMware image to test and profile the system, to avoid affecting the production system.
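The following PowerShell script is an added example of collecting the baseline data the profiling steps above ask for (CPU usage, existing errors and warnings, always-running applications, and the current interception setting); it is not part of the original article. It assumes that "EVT logs" refers to the Windows System and Application event logs, and the drveng registry path is a placeholder that must be replaced with the driver's actual hive on the system; the Wireshark capture (step 4) and the VMware test image (step 6) are outside what a script can do.

```powershell
# Added profiling snapshot (not from the CA article).
# Assumptions: "EVT logs" = Windows System/Application event logs;
# $DrvengParams is a PLACEHOLDER for the real drveng driver Parameters key.
param(
    [int]$CpuSamples    = 10,   # one-second samples for the CPU baseline
    [int]$LookbackHours = 24,   # window for the event log review
    [string]$DrvengParams = 'HKLM:\SYSTEM\<drveng-driver-hive>\Parameters'  # PLACEHOLDER
)

# 1. Typical CPU usage: average of the _Total processor counter over the sample window.
$cpu = (Get-Counter -Counter '\Processor(_Total)\% Processor Time' `
            -SampleInterval 1 -MaxSamples $CpuSamples).CounterSamples |
       Measure-Object -Property CookedValue -Average
Write-Output ("Average CPU over {0} samples: {1:N1}%" -f $CpuSamples, $cpu.Average)

# 2. Existing errors and warnings (levels 1-3 = Critical, Error, Warning),
#    grouped by provider so each can be resolved or explained (step 3).
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
              LogName = 'System','Application'; Level = 1,2,3; StartTime = $since
          } -ErrorAction SilentlyContinue
Write-Output ("Errors/warnings in the last {0}h: {1}" -f $LookbackHours, @($events).Count)
$events | Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 | Format-Table -AutoSize

# 5. Always-running applications: auto-start services that are currently running,
#    plus the top CPU consumers, as candidates for disabling during the test
#    or for a SPECIALPGM bypass. PathName/Path give the .exe a SPECIALPGM would name.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -eq 'Running' } |
    Select-Object Name, PathName | Format-Table -AutoSize
Get-Process | Sort-Object CPU -Descending |
    Select-Object -First 10 Name, Id, CPU, Path | Format-Table -AutoSize

# Current kernel-level interception setting: a value of 1 means interception is off.
$val = Get-ItemProperty -Path $DrvengParams -Name DisableNetworkInterception `
           -ErrorAction SilentlyContinue
if ($null -eq $val) {
    Write-Output 'DisableNetworkInterception not set (interception enabled)'
} else {
    Write-Output "DisableNetworkInterception = $($val.DisableNetworkInterception)"
}
```

Run it from an elevated PowerShell session so the service, process path and registry queries are not truncated by access-denied errors.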
Based upon the statistics from the profile, decide whether the recommendation is to disable the TCP class (i.e. it is not safe to use TCP on this system) or to use a SPECIALPGM with a PGMTYPE of PBN or FULLBYPASS.
The SPECIALPGM would point to the .exe of the network application (Windows) or the daemon binary (UNIX).
The options to resolve such a situation are:
1. Use a SPECIALPGM with bypass type of PBN or FULLBYPASS
2. Disable TCP class
3. Disable Interception at the Kernel level
SPECIALPGM policy
A SPECIALPGM can be implemented with different bypass types:
PBN:
er SPECIALPGM network_program.exe pgmtype(PBN)
FULLBYPASS:
er SPECIALPGM network_program.exe pgmtype(FULLBYPASS)
Disabling TCP class
The TCP class can be disabled by running the following command in selang:
so class-(TCP)
Disabling Network Interception at kernel level
Network interception can be disabled completely in the registry by setting the DisableNetworkInterception DWORD value to 1 (create it if it does not exist) under the Parameters section of the drveng driver registry hive.