How does agent protection work for Solaris zones?
The Deep Security Agent can be deployed only on a Solaris global zone. If your Solaris environment uses any non-global zones, the protection that the agent can provide for the global zone and non-global zones will differ with each protection module.
See Install a Solaris agent for more on installing the Deep Security Agent on Solaris.
For information on protecting Solaris domains, see How does agent protection work for Solaris Control Domains and Logical Domains?.
Intrusion Prevention (IPS), Firewall, and Web Reputation
If your Solaris environment uses any non-global zones, the Intrusion Prevention, Firewall, and Web Reputation modules can only provide protection to specific traffic flows between the global zone, non-global zones, and any external IP addresses. Which traffic flows the agent can protect depends on whether the non-global zones use a shared-IP network interface or an exclusive-IP network interface.
Kernel zones use an exclusive-IP network interface, so agent protection of their traffic flows is limited to what that network configuration allows.
Non-global zones use a shared-IP network interface
Agent protection of traffic flows in a shared-IP configuration is as follows:
Traffic Flow | Protected by agent |
---|---|
external address <-> non-global zone | Yes |
external address <-> global zone | Yes |
global zone <-> non-global zone | No |
non-global zone <-> non-global zone | No |
Non-global zones use an exclusive-IP network interface
Agent protection of traffic flows in an exclusive-IP configuration is as follows:
Traffic Flow | Protected by agent |
---|---|
external address <-> non-global zone | No |
external address <-> global zone | Yes |
global zone <-> non-global zone | Yes |
non-global zone <-> non-global zone | No |
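To turn the two tables above into a per-zone gap report, the following added example (not Trend Micro code) reads a zone inventory and prints the flows the global-zone agent leaves unprotected for each non-global zone. It assumes colon-separated `zoneadm list -cp` style records with the zone name in field 2 and the ip-type in field 7; the function names and the sample inventory are constructed for illustration.

```sh
#!/bin/sh
# Added example: list the traffic flows the global-zone agent does NOT
# protect for each non-global zone, per the two tables above.
# Assumption: input is colon-separated `zoneadm list -cp` style output with
# zonename in field 2 and ip-type ("shared" or "excl") in field 7.

# Constructed sample inventory (not taken from a real host).
sample_zones() {
cat <<'EOF'
0:global:running:/::solaris:shared
1:web01:running:/zones/web01:11111111-1111-1111-1111-111111111111:solaris:shared
2:db01:running:/zones/db01:22222222-2222-2222-2222-222222222222:solaris:excl
-:kz01:installed:-:33333333-3333-3333-3333-333333333333:solaris-kz:excl
EOF
}

# Reads zone records on stdin, prints "<zone> <ip-type> <unprotected flow>".
coverage_gaps() {
  awk -F: '
    { gsub(/\\:/, "%3A") }        # a zonepath may hold an escaped colon "\:"
    $2 == "global" { next }       # external<->global is protected either way
    $7 == "shared" {
      print $2, $7, "global<->zone"
      print $2, $7, "zone<->zone"
      next
    }
    $7 == "excl" {
      print $2, $7, "external<->zone"
      print $2, $7, "zone<->zone"
      next
    }
    { print $2, "unknown", "check-ip-type-manually" }
  '
}

# On a Solaris global zone: zoneadm list -cp | coverage_gaps
sample_zones | coverage_gaps
```

Each line of output names a flow that needs a compensating control outside the agent, since the tables mark it as not protected.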
Anti-Malware, Integrity Monitoring, and Log Inspection
The Anti-Malware, Integrity Monitoring, and Log Inspection modules provide protection to the global zone. For non-global zones, any files or directories that are also visible to the global zone are protected. Files specific to a non-global zone are not protected.