Cisco Security Agent - Eric Vanderburg


Posted on 19-Oct-2014


Category: Technology



DESCRIPTION

An overview of the Cisco Security Agent (CSA)

TRANSCRIPT

Page 1: Cisco Security Agent - Eric Vanderburg

Eric Vanderburg – Cisco Security Agent

Cisco Security Agent

Eric Vanderburg, May 3, 2006

Page 2: Cisco Security Agent - Eric Vanderburg

Cisco Security Agent (CSA)
• Host-based intrusion prevention system (HIPS)
• Enforces policies on hosts based on specific rules
• Version 5.1 is the newest (as of May 2006)
• Started as Okena StormWatch in 1999; Okena was purchased by Cisco in 2003
• A license is required for the management console and for all agents
  – Purchased in bundles of 10 to 10,000, or individually
  – Licenses reside on the Management Console machine
• Spans a variety of platforms

Page 3: Cisco Security Agent - Eric Vanderburg

Supported Hosts

Server Agent
• Windows Server 2003
• Windows 2000 Server
• Windows NT 4 Server (SP6)
• Solaris 8, SPARC architecture (64-bit)
• Solaris 9, SPARC architecture (64-bit)
• Red Hat Enterprise Linux 3.0 ES and AS

Desktop Agent
• Windows NT 4 Workstation (SP6)
• Windows 2000 Pro
• Windows XP Pro
• Windows XP Tablet Edition
• Red Hat Enterprise Linux 3.0 WS

Page 4: Cisco Security Agent - Eric Vanderburg

System Requirements
• Windows
  – Pentium 200 MHz
  – 128 MB RAM
  – 25 MB free hard drive space
• Solaris
  – UltraSPARC 400 MHz
  – 256 MB RAM
  – 25 MB free hard drive space
• Linux
  – 500 MHz or faster x86 processor (32-bit only)
  – 256 MB RAM
  – 25 MB free hard drive space
• No support available yet for Macintosh

Page 5: Cisco Security Agent - Eric Vanderburg

Advantages
• Monitoring
• Central reaction
• Distributed firewall
• Application control
• File protection
• Restrict by posture

Page 6: Cisco Security Agent - Eric Vanderburg

Monitoring
• Monitors the following to decide whether or not an action should be allowed:
  – OS kernel usage
  – Resources
  – Registry entries (Windows)
  – COM object access
  – Inbound and outbound network connections

Page 7: Cisco Security Agent - Eric Vanderburg

Interceptors
• Track actions and compare them against the rules database to determine the appropriate response
  – Network Traffic interceptor: used for SYN flood and port scan protection
  – Network Application interceptor: limit or allow individual applications' access to the network by protocol and by network addressing parameters (addresses and ports)
  – File interceptor: limit an application's ability to read and write specific files and directories

Page 8: Cisco Security Agent - Eric Vanderburg

Central reaction
• Agents report to a single management console (MC)
• Events are logged to the management console so that new rules can be dynamically created from them
  – If the management console is unavailable, events are stored locally on the agent until the connection is restored
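The store-and-forward behaviour on this slide, as an added illustration that is not code from the deck or from CSA itself: events that cannot be delivered are spooled on the agent and replayed in order once the console is back. The class and method names, the bounded spool size and the sample events are assumptions made for the example.

```python
"""Store-and-forward event reporting from a host agent to a management console.
Added example (not CSA code); names, spool bound and sample events are assumed."""
from collections import deque
from typing import Callable, Deque, Dict, List


class EventReporter:
    """Sends agent events to a management console; spools them locally when the
    console is unreachable and replays them, oldest first, once it returns."""

    def __init__(self, send: Callable[[Dict], bool], max_spool: int = 1000):
        self._send = send            # returns True on delivery, False while the MC is down
        self._spool: Deque[Dict] = deque()
        self._max_spool = max_spool  # bound the local store so a long outage cannot fill the disk
        self._seq = 0                # monotonic sequence number, so gaps from drops are visible
        self.dropped = 0             # events discarded because the spool overflowed

    def report(self, action: str, decision: str) -> bool:
        """Record one event, then try to deliver it and anything already spooled."""
        self._seq += 1
        self._spool.append({"seq": self._seq, "action": action, "decision": decision})
        while len(self._spool) > self._max_spool:
            self._spool.popleft()    # oldest-first drop; the MC sees the gap via seq numbers
            self.dropped += 1
        return self.flush()

    def flush(self) -> bool:
        """Deliver spooled events oldest first; stop at the first failure so order is kept."""
        while self._spool:
            if not self._send(self._spool[0]):
                return False
            self._spool.popleft()
        return True

    def pending(self) -> int:
        return len(self._spool)


class FakeConsole:
    """Constructed stand-in for the management console; the caller toggles it up/down."""

    def __init__(self) -> None:
        self.up = True
        self.received: List[Dict] = []

    def send(self, event: Dict) -> bool:
        if not self.up:
            return False
        self.received.append(event)
        return True


def demo() -> Dict:
    """Constructed scenario: one event delivered, an outage, four events spooled
    into a three-slot spool, then replay after reconnection."""
    mc = FakeConsole()
    rep = EventReporter(mc.send, max_spool=3)
    rep.report("write C:\\Windows\\system32\\drivers\\etc\\hosts", "deny")
    mc.up = False                      # console outage begins
    for i in range(4):                 # four events arrive while it is down; only three fit
        rep.report(f"outbound tcp/445 from app{i}", "query")
    mc.up = True
    rep.flush()                        # replay once the connection is restored
    return {
        "delivered": [e["seq"] for e in mc.received],
        "dropped": rep.dropped,
        "pending": rep.pending(),
    }


if __name__ == "__main__":
    print(demo())
```

The sequence number is the detail worth copying: when the spool overflows during a long outage, the console can still tell that events 2 and onwards were lost rather than silently seeing a clean stream.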

Page 9: Cisco Security Agent - Eric Vanderburg

Distributed firewall
• Control which applications can act as a server to remote clients, and which can act as clients to remote servers
• Learning mode: builds a list of allowed applications based on observed usage
  – Only adds to the local policy; it does not override the central policy from the management console, so a centrally denied action stays denied even in learning mode
• Disables the Windows Firewall when installed, so the CSA rules become the only host firewall policy in effect
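The rule matching of the interceptors on slide 7 and the learning-mode behaviour on this slide, worked through in one added example (not code from the deck or from CSA): central rules are evaluated first and are final; learned entries are consulted only when no central rule matches, and learning mode can only add allow entries. The rule format, the "query" default for unmatched actions, and the sample policy and events are assumptions made for the example.

```python
"""Minimal host policy evaluator in the spirit of CSA's file and network
interceptors plus distributed-firewall learning mode. Added example; the rule
format, the default decision and the sample data are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    kind: str       # "file" or "network": which interceptor saw the action
    app: str        # path of the application making the request
    resource: str   # file path, or "proto/port" for network
    op: str         # file: read|write ; network: client|server


@dataclass(frozen=True)
class Rule:
    kind: str
    app: str        # fnmatch-style pattern, case-insensitive
    resource: str   # fnmatch-style pattern, case-insensitive
    op: str         # exact op, or "*" for any
    decision: str   # allow | deny | query

    def matches(self, e: Event) -> bool:
        return (self.kind == e.kind
                and fnmatchcase(e.app.lower(), self.app.lower())
                and fnmatchcase(e.resource.lower(), self.resource.lower())
                and self.op in ("*", e.op))


@dataclass
class HostPolicy:
    central: List[Rule]                                   # from the MC; ordered, first match wins
    learned: Set[Tuple[str, str, str, str]] = field(default_factory=set)
    learning: bool = False
    default: str = "query"                                # assumed: unknown action prompts the user

    def decide(self, e: Event) -> str:
        for r in self.central:
            if r.matches(e):
                return r.decision        # central decision is final; learned entries are not consulted
        key = (e.kind, e.app.lower(), e.resource.lower(), e.op)
        if key in self.learned:
            return "allow"
        if self.learning:
            self.learned.add(key)        # learning mode records what the host actually does ...
            return "allow"               # ... and allows it; it never adds deny rules
        return self.default


def demo() -> Dict[str, str]:
    """Constructed central policy and events; returns the decision for each."""
    central = [
        Rule("file", "*", "c:\\windows\\system32\\*", "write", "deny"),        # protect system files
        Rule("network", "*", "tcp/*", "server", "deny"),                          # no app may listen
        Rule("network", "c:\\program files\\outlook\\outlook.exe", "tcp/25", "client", "allow"),
    ]
    host = HostPolicy(central, learning=True)
    out: Dict[str, str] = {}
    out["outlook_smtp"] = host.decide(
        Event("network", "C:\\Program Files\\Outlook\\outlook.exe", "tcp/25", "client"))
    out["sys32_write"] = host.decide(
        Event("file", "C:\\Temp\\updater.exe", "C:\\Windows\\System32\\evil.dll", "write"))
    # learning mode is on, yet a centrally denied listener is still denied and not learned
    out["nc_listener"] = host.decide(Event("network", "C:\\Tools\\nc.exe", "tcp/4444", "server"))
    firefox = "C:\\Program Files\\Firefox\\firefox.exe"
    out["firefox_learned"] = host.decide(Event("network", firefox, "tcp/80", "client"))
    host.learning = False
    out["firefox_again"] = host.decide(Event("network", firefox, "tcp/80", "client"))   # from learned set
    out["firefox_8080"] = host.decide(Event("network", firefox, "tcp/8080", "client"))  # never seen
    out["learned_listener"] = ("yes" if ("network", "c:\\tools\\nc.exe", "tcp/4444", "server")
                               in host.learned else "no")
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {decision}")
```

The property to check in any learning-mode deployment is the one `nc_listener` exercises: a host left in learning mode on a hostile network must not be able to learn its way around a central deny.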

Page 10: Cisco Security Agent - Eric Vanderburg

Application control
• Restrict access to certain programs
  – Restrict by user or system account
• Restrict the actions applications can take

Page 11: Cisco Security Agent - Eric Vanderburg

File protection
• Files can be flagged as not available to any network connection
• Can stop files from being deleted, modified, or created

Page 12: Cisco Security Agent - Eric Vanderburg

Trust
• Hosts must be trusted before they are allowed network access
• A host is given a posture of quarantined until it is trusted
• Trusted hosts are:
  – Virus free and updated
  – Accessing from an appropriate medium
  – Adhering to policies
  – On an approved list of MAC and IP addresses
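The quarantine-until-trusted model on this slide as an added example (not code from the deck or from CSA): every condition must hold, any failure leaves the host quarantined with the reasons recorded, and the MAC/IP check is on the pair, not on either address alone. The attribute names, the signature-age threshold and the approved-host table are assumptions made for the example.

```python
"""Posture evaluation: a host is quarantined until every trust condition holds.
Added example (not CSA code); attributes, thresholds and sample hosts are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class HostState:
    mac: str
    ip: str
    av_clean: bool          # last antivirus scan found no infection
    av_signatures: date     # date of the installed signature set
    medium: str             # how the host connects: "lan", "vpn", "wireless-guest", ...
    policy_compliant: bool  # agent reports all mandatory rules enforced


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return one canonical form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def evaluate_posture(h: HostState, approved: Set[Tuple[str, str]], allowed_media: Set[str],
                     today: date, max_signature_age: timedelta = timedelta(days=7),
                     ) -> Tuple[str, List[str]]:
    """Return ("trusted", []) or ("quarantined", [reasons]). All checks run so the
    console can report every failure, not just the first one."""
    reasons: List[str] = []
    if not h.av_clean:
        reasons.append("antivirus reports infection")
    if today - h.av_signatures > max_signature_age:
        reasons.append(f"antivirus signatures older than {max_signature_age.days} days")
    if h.medium not in allowed_media:
        reasons.append(f"connecting over unapproved medium {h.medium!r}")
    if not h.policy_compliant:
        reasons.append("agent policy not enforced")
    try:
        pair = (normalize_mac(h.mac), h.ip)
    except ValueError as exc:
        reasons.append(str(exc))
    else:
        if pair not in approved:           # the pair must match; a known MAC on a new IP fails
            reasons.append(f"MAC/IP pair {pair} not on approved list")
    return ("trusted" if not reasons else "quarantined", reasons)


def demo() -> Dict[str, Tuple[str, int]]:
    """Constructed approved list and three hosts; returns posture and reason count for each."""
    approved = {(normalize_mac("00-1A-2B-3C-4D-5E"), "10.1.5.20"),
                (normalize_mac("001a.2b3c.4d5f"), "10.1.5.21")}
    media = {"lan", "vpn"}
    today = date(2006, 5, 3)
    good = HostState("00:1a:2b:3c:4d:5e", "10.1.5.20", True, date(2006, 5, 1), "lan", True)
    # approved MAC but a different IP: moved or spoofed host, the pair check fails
    moved = HostState("00:1a:2b:3c:4d:5e", "10.1.5.99", True, date(2006, 5, 1), "lan", True)
    # month-old signatures and a guest wireless medium: two reasons to quarantine
    stale = HostState("00:1a:2b:3c:4d:5f", "10.1.5.21", True, date(2006, 4, 1), "wireless-guest", True)
    result = {}
    for name, host in (("good", good), ("moved", moved), ("stale", stale)):
        posture, reasons = evaluate_posture(host, approved, media, today)
        result[name] = (posture, len(reasons))
    return result


if __name__ == "__main__":
    print(demo())
```

Normalising the MAC before comparison matters because switch CAM tables, DHCP leases and agent reports each write addresses differently; an approved list that mixes formats silently quarantines hosts that should pass.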

Page 13: Cisco Security Agent - Eric Vanderburg

Management Console
• Agent configuration
• Policy configuration
• Centralized reporting
• Similar interface to other Cisco management tools
• Alerts can be integrated with alerts from other Cisco security products via the Cisco Security Monitoring, Analysis, and Response System (CS-MARS)

Page 14: Cisco Security Agent - Eric Vanderburg

Management Console
• Access via web browser (IE and Firefox only) using 128-bit SSL on port 443
• URL: https://<management center system hostname>.<domain> (the console is served over SSL, so the scheme is https, not http)

Page 15: Cisco Security Agent - Eric Vanderburg

Database
• Local database: MSDE (Microsoft SQL Server Desktop Engine), packaged with the install, is used for deployments of fewer than 500 agents with a database under 2 GB (the MSDE size limit)
• Remote database: a full SQL Server is used for deployments with more than 500 agents

Page 16: Cisco Security Agent - Eric Vanderburg

Agent
• Installed per host
  – Requires admin rights
  – Can be deployed through a software deployment solution
• Messages: shows actions denied since the last reboot
• User Query Responses: stored answers to earlier prompts (Yes, No, Terminate)
• System Security: slider bar for off, low, medium and high settings, plus "resume from install mode"
• Untrusted apps: selected by the user after a prompt

Page 17: Cisco Security Agent - Eric Vanderburg

Agent
• Local Firewall Settings
  – Learning mode
  – Enable / disable
  – Firewall permissions
    • Email network permission
    • HTTP network permission
    • Network client permission
    • Network server permission
• File protection
• The Solaris agent is not a GUI application; the CLI utility csactl is used
• The Solaris agent does not present user queries either

Page 18: Cisco Security Agent - Eric Vanderburg

Communication
• PC to MC: SSL, TCP 1741 and 1742
• MC to PC: SSL, TCP 443 and 5401
  – Signed with the MC certificate
• Updates are retrieved by the agent through a pull model at a specified polling interval (default 10 minutes), so the agent initiates that connection
• Push method: hints, by which the MC tells an agent to poll now instead of waiting for its next interval

Page 19: Cisco Security Agent - Eric Vanderburg

Cisco Security Agent
• Locally enforced, centrally managed
• Multiple platforms and vendors supported (Windows, Solaris, Red Hat Linux)
• Settings can run in test mode before implementation
• Safeguards nodes, files and attack avenues, and stops virus propagation

Page 20: Cisco Security Agent - Eric Vanderburg


Questions?

• Contact info: [email protected]
• Blog: http://spaces.msn.com/professornova