Last week we looked at the way in which Traps detects and prevents exploits and other malicious activity. Continuing on from that, we’re going to take a brief look at the technical architecture behind Traps, followed by an overview of the Traps Endpoint Agent.

Technical Architecture

Optimised for maximum availability, flexibility and scalability, the technical architecture of Traps consists of any number of Traps endpoint agents, managed through a central ESM (Endpoint Security Manager). The ESM implements a three tier architecture consisting of an ESM Console, Central Policy Database and any number of ESM Communication Servers.

Organisations can deploy multiple ESM Consoles, each of them can reside on either physical or virtual systems. The ESM Console runs on IIS (Internet Information Services) for Windows. As the administrative interface for Traps, the ESM Console provides access to the Central Policy Database of Traps.

The Policy Database is the central repository of all the information that’s necessary to configure, maintain and operate Traps. Some examples of the information contained within include; activity and forensic logs, ESM and agent configurations, prevention policies and settings and WildFire interface configurations.

The role of the ESM Communication Servers is to act as proxies between Traps agents and the ESM Policy Database. The Communication Servers do not store data and as a result, can be easily added and removed from the environment as required, ensuring the required needs for graphical coverage and redundancy can be easily met. ESM Servers can be installed on Windows Servers deployed on both physical and virtual machines.

The Traps Endpoint Agent

The Traps Endpoint Agent is an impressively lightweight agent consisting of various drivers and services.Just to give you an idea of what I mean by impressively lightweight, the Traps Endpoint Agent uses just 0.1% CPU, 50MB RAM and 250MB Disk Space. Once deployed to the endpoints, system administrators have complete control over all Traps agents within the environment via the ESM Console.

The Traps Endpoint Agent is designed to be streamlined with a focus on avoiding information overload. Traps can be configured to notify a user of security events as they occur, to display custom notification messages or to hide the notifications altogether. Traps regularly communicates the status of the endpoint and transmits any data related to any security events to the Endpoint Security Manager.

The Traps Console is a simple user interface that provides visibility into processes, event history and current security policy rules. It is typically accessible from the notification area on an endpoint, although it can be hidden or disabled by an admin if required. Most of the time a user won’t need to look at the Traps Console but the information it provides may be useful when investigating a security event.

On the main console screen, you will see a list of active or inactive services. Each service is accompanied by either a tick or a cross to indicate their activity status. Other information is displayed such as which server Traps is connected to and the last time it checked in. By default, Traps will check in on an hourly basis or when a security event occurs.

Additional tabs are available which will display more information on past Security Events that have occurred on the device, processes that are currently running on the device which Traps is protecting, information on security policy changes and access to a settings menu. Although some configuration is available within the Traps Console, the bulk of the management takes place within the ESM Console which we’ll look into in the near future.

Next week we’re going to delve into the ESM Console, how Traps is managed and also take a further look at System Requirements and Platform Support.

If you missed Part One of our Palo Alto Networks Traps series then head over here to check it out.

Part Three is also now available here.

If this article has sparked your interest on Traps and you’d like to give it a try, please get in touch with us to arrange an interactive demonstration where you can get hands-on with Traps and the rest of the Palo Alto Networks range.

Tesrex also offers a range of Assessment Services where we will give you an in-depth analysis and report on your Network Environment, your Security or your Unified Collaboration eligibility/solution. Contact us to arrange a consultation and to find out more about how our Assessments can help you understand where you are and how to get to where you want to be.