Describes how TCP processing occurs within ControlMinder and suggests ways to minimize or eliminate the impact of security policy on network performance.

Article ID: 41737


Products

CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)

Issue/Introduction

Summary:

Describes how TCP processing occurs within ControlMinder and suggests ways to minimize or eliminate the impact of security policy on network performance.


Environment: 
 

OS: Windows

PIM 12.5 and higher

Instructions: 

When a TCP class rule is applied to a system that handles heavy network traffic, every intercepted connection has to be evaluated against policy. This can put a heavy load on ControlMinder and degrade overall system performance.

Before implementing a TCP rule, profile the system:

1. Measure the typical CPU usage.

2. Review the event logs (EVT) for existing errors and warnings.

3. Resolve, or at least explain, every existing error and warning.

4. Capture network traffic with a third-party tool (Wireshark) for a 24-hour period to establish utilisation: not only bandwidth, but when traffic occurs and how it moves through the network stack.

5. Document the applications that are always running outside the OS and determine how they can be disabled.

6. Use a VMware image to test and profile the system so that the production system is not affected.
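The following script is an added example, not part of the original article, that collects the baseline the list above calls for (steps 1, 2 and 5) from an elevated PowerShell session. Step 4, the 24-hour capture, is still done with Wireshark; the script only takes a short throughput sample to compare against. It assumes PowerShell 5 or later and the standard Windows counter and event log names; the sample window, look-back period and report path are arbitrary choices for this example.

```powershell
# Added example (not from the original article): baseline profile of a Windows endpoint
# before a ControlMinder TCP class rule is deployed. Run from an elevated session.
# Assumptions: PowerShell 5+, standard Windows counter/event log names; the sample
# window, look-back period and report path are arbitrary choices.
param(
    [int]$Samples = 60,              # 60 samples x 5 s = 5 minute window
    [int]$IntervalSeconds = 5,
    [int]$EventLookbackHours = 24,
    [string]$ReportPath = "$env:TEMP\cm_tcp_baseline.txt"
)

$report = New-Object System.Collections.Generic.List[string]
$report.Add("ControlMinder TCP baseline for $env:COMPUTERNAME at $(Get-Date -Format s)")

# Step 1: CPU usage and total NIC throughput, sampled together so they line up in time.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Network Interface(*)\Bytes Total/sec'
)
$sets = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
$cpu = foreach ($s in $sets) {
    ($s.CounterSamples | Where-Object Path -like '*% processor time').CookedValue
}
$net = foreach ($s in $sets) {
    # Sum over every adapter instance in this sample set.
    ($s.CounterSamples | Where-Object Path -like '*bytes total/sec' |
        Measure-Object CookedValue -Sum).Sum
}
$report.Add(("CPU      avg {0,6:N1}%   peak {1,6:N1}%" -f
    ($cpu | Measure-Object -Average).Average, ($cpu | Measure-Object -Maximum).Maximum))
$report.Add(("Network  avg {0,8:N0} B/s peak {1,8:N0} B/s" -f
    ($net | Measure-Object -Average).Average, ($net | Measure-Object -Maximum).Maximum))

# Step 2: errors (level 2) and warnings (level 3) in the System and Application logs,
# grouped by provider and event ID so each one can be resolved or explained (step 3).
$since = (Get-Date).AddHours(-$EventLookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System', 'Application'; Level = 2, 3; StartTime = $since
} -ErrorAction SilentlyContinue
$report.Add("")
$report.Add("Errors/warnings in the last $EventLookbackHours h: $(@($events).Count)")
$events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
    ForEach-Object { $report.Add(("{0,6} x {1}" -f $_.Count, $_.Name)) }

# Step 5: what is always running. Automatic services that are up now, and the image path
# of every process holding an established TCP connection: these are the candidates for a
# SPECIALPGM exemption if the profile shows the TCP class cannot be enforced globally.
$report.Add("")
$report.Add("Automatic services currently running:")
Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -eq 'Running' } |
    ForEach-Object { $report.Add("  $($_.Name)") }

$report.Add("")
$report.Add("Processes with established TCP connections (SPECIALPGM candidates):")
Get-NetTCPConnection -State Established |
    Select-Object -ExpandProperty OwningProcess -Unique |
    ForEach-Object { Get-Process -Id $_ -ErrorAction SilentlyContinue } |
    Where-Object Path |
    Sort-Object Path -Unique |
    ForEach-Object { $report.Add("  $($_.Path)") }

$report | Set-Content -Path $ReportPath
Write-Host "Baseline written to $ReportPath"
```

Run it on the VMware test image first (step 6), then on the production host during a representative period; the process paths in the last section are exactly what a SPECIALPGM record has to point at, so keep the report alongside the Wireshark capture when deciding between exempting one program and disabling the class.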

Based on the statistics from the profile, decide whether the TCP class must be disabled (that is, it is not safe to enforce TCP rules on this system) or whether the offending network application can instead be exempted with a SPECIALPGM record whose PGMTYPE is PBN or FULLBYPASS.

The SPECIALPGM record points to the .exe of the network application (Windows) or the daemon binary (UNIX).

The options to resolve such a situation are:

1. Use a SPECIALPGM with a bypass type of PBN or FULLBYPASS.

2. Disable the TCP class.

3. Disable interception at the kernel level.

SPECIALPGM policy

A SPECIALPGM can be defined with different bypass types. PBN exempts only the program's network activity from interception, so it is the narrower choice; FULLBYPASS exempts the program from all ControlMinder checks and should be used only when PBN is not sufficient.

PBN:

er SPECIALPGM network_program.exe pgmtype(PBN)

or FULLBYPASS:

er SPECIALPGM network_program.exe pgmtype(FULLBYPASS)

 

Disabling the TCP class

The TCP class can be disabled for the whole endpoint by running the following command in selang (TCP rules remain defined but are no longer enforced):

so class-(TCP)

Disabling network interception at the kernel level

Network interception can be disabled completely via the registry by setting the DisableNetworkInterception DWORD value (create it if it does not exist) to 1 under the Parameters key of the drveng driver's registry hive. This is the broadest of the three options: the driver then intercepts no network events at all, so no network-related rule is enforced on the endpoint, not only TCP class rules.
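The following functions are an added example, not part of the original article, that apply each of the three options from an elevated PowerShell session and record the previous state so the change can be reversed. They assume that the drveng Parameters key is HKLM:\SYSTEM\CurrentControlSet\Services\drveng\Parameters (the article names only the value and the driver, not the full path), that selang.exe is on PATH and accepts a command string via -c, and that a driver restart is needed before the registry value takes effect; the program path is a placeholder.

```powershell
# Added example (not from the original article). Assumptions: the drveng Parameters key
# path below, selang.exe on PATH with a -c command option, and a driver restart (reboot)
# before DisableNetworkInterception is re-read. Program paths are placeholders.
$DrvengParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\drveng\Parameters'

function Get-NetworkInterceptionState {
    # Returns the current DisableNetworkInterception value, or $null when it is not set
    # (interception on).
    $v = Get-ItemProperty -Path $DrvengParams -Name DisableNetworkInterception `
                          -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [int]$v.DisableNetworkInterception
}

function Set-NetworkInterception {
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    # Option 3: DWORD 1 stops drveng intercepting any network event; 0 (or absent)
    # leaves interception on. Broadest of the three options, so log the old value.
    $previous = Get-NetworkInterceptionState
    if (-not (Test-Path $DrvengParams)) { New-Item -Path $DrvengParams -Force | Out-Null }
    $value = if ($State -eq 'Disabled') { 1 } else { 0 }
    New-ItemProperty -Path $DrvengParams -Name DisableNetworkInterception `
                     -PropertyType DWord -Value $value -Force | Out-Null
    Write-Host "DisableNetworkInterception: $previous -> $(Get-NetworkInterceptionState)"
    Write-Host "Assumed to take effect after the driver is restarted (reboot)."
}

function Add-SpecialPgmBypass {
    param(
        [Parameter(Mandatory)][string]$ProgramPath,
        [ValidateSet('PBN', 'FULLBYPASS')][string]$PgmType = 'PBN'
    )
    # Option 1: PBN exempts only the program's network activity from the TCP class;
    # FULLBYPASS exempts it from every ControlMinder check, so default to PBN.
    if (-not (Test-Path $ProgramPath)) { throw "Program not found: $ProgramPath" }
    $cmd = "er SPECIALPGM $ProgramPath pgmtype($PgmType)"
    Write-Host "selang> $cmd"
    & selang -c $cmd
}

function Disable-TcpClass {
    # Option 2: deactivate the TCP class for the whole endpoint. Rules stay defined but
    # are not enforced; re-enable with: so class+(TCP)
    & selang -c 'so class-(TCP)'
}

# Usage, least privilege first: exempt the one heavy network service (path is a
# placeholder, no spaces so selang needs no quoting) before reaching for the wider options.
# Add-SpecialPgmBypass -ProgramPath 'C:\ExampleApp\netsvc.exe' -PgmType PBN
# Disable-TcpClass
# Set-NetworkInterception -State Disabled
```

Try the options in the order listed: a PBN SPECIALPGM for the program the profile identified keeps TCP rules in force for everything else, disabling the class removes TCP enforcement from the whole host, and the registry switch removes all network interception. Record which one was applied, because the last two leave no trace in the policy database that would explain why TCP rules are silently not being enforced.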

Environment

Release: ACP1M005900-12.6-Privileged Identity Manager