Cisco Security Agent - Eric Vanderburg
Post on 19-Oct-2014
Description: An overview of the Cisco Security Agent (CSA)
Transcript
Eric Vanderburg – Cisco Security Agent
Cisco Security Agent
Eric Vanderburg
May 3, 2006

Cisco Security Agent (CSA)
• Host-based Intrusion Prevention System
• Enforces policies on hosts based on specific rules
• Version 5.1 is the newest
• Called StormWatch in 1999. Purchased by Cisco in 2003.
• A license is required for the management console and for all agents
  – Purchased in bundles from 10-10,000 or individually
  – Licenses reside on the Management Console machine
• Spans a variety of platforms

Supported Hosts
Server Agent
• Windows Server 2003
• Windows 2000 Server
• Windows NT 4 Server (SP6)
• Solaris 8 SPARC architecture (64-bit)
• Solaris 9 SPARC architecture (64-bit)
• Red Hat Enterprise Linux 3.0 ES and AS
Desktop Agent
• Windows NT 4 Workstation (SP6)
• Windows 2000 Pro
• Windows XP Pro
• Windows XP Tablet Edition
• Red Hat Enterprise Linux 3.0 WS

System Requirements
• Windows
  – Pentium 200MHz
  – 128MB RAM
  – 25MB free hard drive space
• Solaris
  – UltraSPARC 400 MHz
  – 256MB RAM
  – 25MB free hard drive space
• Linux
  – 500 MHz or faster x86 processor (32-bit only)
  – 256MB RAM
  – 25MB free hard drive space
• No support available yet for Macintosh

Advantages
• Monitoring
• Central reaction
• Distributed Firewall
• Application Control
• File Protection
• Restrict by Posture

Monitoring
• Monitors the following to see whether or not actions should be allowed:
  – OS kernel usage
  – Resources
  – Registry entries (Windows)
  – COM object access
  – Inbound and outbound network connections

Interceptors
• Track actions and compare them against the rules database for the appropriate response
  – Network Traffic interceptor - Used for SYN flood and port scan protection.
  – Network Applications interceptor - Limit or allow individual applications to access the network via specific protocols and network addressing parameters.
  – File interceptor - Limit an application's ability to read and write to specific files and directories.

Central reaction
• Agents report to a single management console
• Events are logged to the management console so that new rules can be dynamically created.
  – If the management console is unavailable, events are stored until the connection is restored

Distributed firewall
• Control which applications can act as a server to remote clients and vice versa
• Learning mode: builds a list of allowed applications based on usage
  – Only adds to the policy. Does not override the central policy from the management console
• Disables the Windows firewall when installed

Application control
• Restrict access to certain programs
  – Restrict by user or system account
• Restrict the actions applications can take

File protection
• Files can be flagged as not available to any network connection
• Can stop files from being deleted, modified, or created
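The interceptor, distributed-firewall, application-control and file-protection slides above all describe the same mechanism: an intercepted action is matched against a rules database, the central policy from the management console always wins over entries added by learning mode, "query" rules prompt the user and remember the stored answer (Yes, No, Terminate), and test mode logs what would have been blocked without enforcing it. The following is an added example written for this page, not Cisco's or the author's code; it is a toy model of that evaluation order. The rule fields, the sample policy, the process and file names, and the default-deny fallback are all constructed assumptions.

```python
"""Added example (not Cisco's or the author's code): a toy model of how a
host-based agent evaluates an intercepted action against its rules database.
Rule fields, the sample policy and the process/file names are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    interceptor: str          # "file" or "net_app", the two interceptors modelled here
    app: str                  # glob over the process image path
    resource: str             # glob over a file path, or a "proto:port" network target
    operation: str            # file: read/write/create/delete; network: client/server
    action: str               # "allow", "deny" or "query" (ask the user)
    source: str = "central"   # "central" = pushed by the MC, "learned" = learning mode


@dataclass
class Agent:
    rules: List[Rule]
    test_mode: bool = False                      # evaluate and log, but enforce nothing
    answers: Dict[Tuple[str, str, str], str] = field(default_factory=dict)  # stored query replies
    messages: List[str] = field(default_factory=list)                       # denied actions

    def learn(self, interceptor: str, app: str, resource: str, operation: str) -> None:
        """Learning mode: observed usage becomes a 'learned' allow entry."""
        self.rules.append(Rule(interceptor, app, resource, operation, "allow", "learned"))

    def _match(self, interceptor, app, resource, operation) -> Optional[Rule]:
        # Central rules are consulted first, in policy order. Learned entries are only
        # reached when no central rule matched, so they can never override the MC policy.
        for source in ("central", "learned"):
            for r in self.rules:
                if (r.source == source and r.interceptor == interceptor
                        and r.operation == operation
                        and fnmatchcase(app.lower(), r.app.lower())
                        and fnmatchcase(resource.lower(), r.resource.lower())):
                    return r
        return None

    def evaluate(self, interceptor, app, resource, operation, user_answer=None) -> str:
        """Return 'allow', 'deny', 'terminate', or 'query' while a user reply is still needed."""
        rule = self._match(interceptor, app, resource, operation)
        decision = rule.action if rule else "deny"   # assumption: default deny when nothing matches
        if decision == "query":
            key = (app.lower(), resource.lower(), operation)
            answer = self.answers.get(key) or user_answer
            if answer is None:
                return "query"                       # prompt shown, no stored answer yet
            self.answers[key] = answer               # remembered for next time
            decision = "allow" if answer == "Yes" else "terminate" if answer == "Terminate" else "deny"
        if decision != "allow":
            self.messages.append(f"{decision}: {app} {operation} {resource} [{interceptor}]")
            if self.test_mode:
                return "allow"                       # test mode: logged, not enforced
        return decision


# Constructed central policy (first match wins within the central set)
CENTRAL_POLICY = [
    Rule("file", r"*\winword.exe", r"c:\users\*\documents\*", "write", "allow"),
    Rule("file", "*", r"c:\windows\system32\*", "write", "deny"),
    Rule("net_app", r"*\outlook.exe", "tcp:25", "client", "allow"),
    Rule("net_app", r"*\winword.exe", "tcp:*", "client", "deny"),
    Rule("net_app", "*", "tcp:*", "server", "query"),
]


def demo() -> Dict[str, object]:
    word, outlook = r"c:\office\winword.exe", r"c:\office\outlook.exe"
    agent = Agent(list(CENTRAL_POLICY))
    r = {}
    r["word_writes_doc"] = agent.evaluate("file", word, r"c:\users\bob\documents\a.doc", "write")
    r["word_writes_system32"] = agent.evaluate("file", word, r"c:\windows\system32\x.dll", "write")
    r["word_net"] = agent.evaluate("net_app", word, "tcp:80", "client")
    agent.learn("net_app", word, "tcp:80", "client")           # learning mode sees the usage...
    r["word_net_after_learning"] = agent.evaluate("net_app", word, "tcp:80", "client")  # ...MC deny still wins
    r["updater_before"] = agent.evaluate("net_app", r"c:\apps\updater.exe", "tcp:443", "client")
    agent.learn("net_app", r"c:\apps\updater.exe", "tcp:443", "client")
    r["updater_after"] = agent.evaluate("net_app", r"c:\apps\updater.exe", "tcp:443", "client")
    r["outlook_smtp"] = agent.evaluate("net_app", outlook, "tcp:25", "client")
    srv = r"c:\apps\srv.exe"
    r["server_pending"] = agent.evaluate("net_app", srv, "tcp:8080", "server")
    r["server_answered"] = agent.evaluate("net_app", srv, "tcp:8080", "server", user_answer="No")
    r["server_remembered"] = agent.evaluate("net_app", srv, "tcp:8080", "server")
    test_agent = Agent(list(CENTRAL_POLICY), test_mode=True)
    r["test_mode"] = test_agent.evaluate("file", word, r"c:\windows\system32\x.dll", "write")
    r["test_mode_logged"] = len(test_agent.messages)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point worth taking from the model is the ordering in `_match`: learned entries are appended but searched only after the whole central set, which is what makes learning mode "only add to the policy". The `messages` list plays the role of the agent's Messages view (denied actions) and is what test mode writes to instead of blocking.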

Trust
• Hosts must be trusted before they will be allowed network access.
• Given a posture of quarantined until trusted
• Trusted hosts
  – Virus free & updated
  – Accessing from an appropriate medium
  – Adhering to policies
  – MAC and IP address are on an approved list
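The posture check above is an all-or-nothing gate: a host stays quarantined until every condition holds. As an added example (not Cisco's or the author's code), the block below evaluates the four conditions from the slide and returns the reasons a host is still quarantined. The approved-list file format, the host attributes, the accepted media and the signature-age threshold are constructed assumptions; the MAC normalisation is there because approved lists from different sources rarely agree on colon, hyphen or dotted notation, and an unnormalised comparison silently quarantines valid hosts.

```python
"""Added example (not Cisco's or the author's code): posture evaluation for the
'quarantined until trusted' model. Approved list, host data and thresholds are constructed."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Set, Tuple

# Constructed approved-list file: "MAC,IP", with MACs in whatever form the source used
APPROVED_LIST = """# mac,ip
00-1A-2B-3C-4D-5E,10.10.5.21
001a.2b3c.4d5f,10.10.5.22
00:1A:2B:3C:4D:60,10.10.5.23
"""

ALLOWED_MEDIA = {"lan", "vpn"}          # assumption: what counts as an appropriate medium
MAX_SIGNATURE_AGE = timedelta(days=3)   # assumption: older definitions are not "updated"


def normalize_mac(mac: str) -> str:
    """Accept colon, hyphen and dotted forms; return lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_approved(text: str) -> Set[Tuple[str, str]]:
    """Parse the approved list into a set of (normalised MAC, IP) pairs."""
    approved = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip = (part.strip() for part in line.split(","))
        approved.add((normalize_mac(mac), ip))
    return approved


@dataclass
class Host:
    mac: str
    ip: str
    medium: str
    av_clean: bool
    av_signature_date: date
    policy_compliant: bool


def assess_posture(host: Host, approved: Set[Tuple[str, str]], today: date) -> Tuple[str, List[str]]:
    """Return ('trusted', []) or ('quarantined', [reasons]); every check must pass."""
    reasons = []
    if not host.av_clean:
        reasons.append("virus detected")
    if today - host.av_signature_date > MAX_SIGNATURE_AGE:
        reasons.append("antivirus signatures out of date")
    if host.medium not in ALLOWED_MEDIA:
        reasons.append(f"medium {host.medium!r} not appropriate")
    if not host.policy_compliant:
        reasons.append("not adhering to policy")
    # The pair must match: a known MAC on an unexpected IP is not on the list
    if (normalize_mac(host.mac), host.ip) not in approved:
        reasons.append("MAC/IP pair not on approved list")
    return ("trusted" if not reasons else "quarantined", reasons)


def demo():
    approved = load_approved(APPROVED_LIST)
    today = date(2006, 5, 3)   # the date on the title slide, used as "now"
    hosts = {   # constructed hosts
        "ok": Host("00:1a:2b:3c:4d:5e", "10.10.5.21", "lan", True, date(2006, 5, 2), True),
        "stale_av": Host("001A.2B3C.4D5F", "10.10.5.22", "vpn", True, date(2006, 4, 20), True),
        "wrong_ip": Host("00-1A-2B-3C-4D-60", "10.10.5.99", "lan", True, date(2006, 5, 3), True),
        "dialup": Host("00:1a:2b:3c:4d:60", "10.10.5.23", "dialup", False, date(2006, 5, 3), False),
    }
    return {name: assess_posture(h, approved, today) for name, h in hosts.items()}


if __name__ == "__main__":
    for name, (posture, reasons) in demo().items():
        print(f"{name}: {posture} {reasons}")
```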

Management Console
• Agent Configuration
• Policy Configuration
• Centralized reporting
• Similar interface to other Cisco management tools
• Alerts can be integrated with alerts from other Cisco security products via the Cisco Security Monitoring, Analysis, and Response System

Management Console
• Access via web browser (IE and Firefox only) using 128-bit SSL, port 443
• URL: http://<management center system hostname>.<domain>

Database
• Local Database - MSDE (Microsoft Database Engine) is used for setups with fewer than 500 agents and under 2GB (packaged with install)
• Remote Database - SQL Server is used for setups with more than 500 agents

Agent
• Installed per host
  – Admin rights
  – Through software deployment solution
• Messages - shows denied actions since last reboot
• User Query Responses - stored answers (Yes, No, Terminate)
• System Security - Slide bar for off, low, med, high settings & resume from install mode
• Untrusted apps - selected by user after prompt

Agent
• Local Firewall Settings
  – Learning Mode
  – Enable / Disable
  – Firewall permissions
    • Email network permission
    • HTTP network permission
    • Network client permission
    • Network server permission
• File Protection
• Solaris agent is not a GUI app. The CLI utility csactl is used.
• No queries either

Communication
• PC to MC: SSL TCP 1741 & 1742
• MC to PC: SSL TCP 443 & 5401
  – Signed with MC Certificate
• Updates retrieved through pull model at specified interval (default 10 minutes)
• Push method: Hints
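Two things follow for whoever monitors this deployment: agents pull on a fixed interval, so an agent that has not contacted the MC for a couple of intervals is either offline or cut off (and, per the central-reaction slide, is queuing its events locally); and the MC only ever talks on the four ports listed, so MC traffic on any other port is worth a look. The block below is an added example written for this page, not Cisco's or the author's code: it reads constructed connection records, tracks each agent's last pull, reports agents that missed two intervals or never checked in, and flags MC traffic on unexpected ports. The MC address, the record format, the log lines and the agent inventory are constructed; the ports and the 10-minute interval are the slide's.

```python
"""Added example (not Cisco's or the author's code): a defender-side check over
agent/MC connection records. The MC address, the log format, the log lines and
the agent inventory are constructed; ports and pull interval are from the slide."""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

MC_IP = "10.10.1.5"                     # constructed Management Console address
AGENT_TO_MC_PORTS = {1741, 1742}        # PC to MC (slide)
MC_TO_AGENT_PORTS = {443, 5401}         # MC to PC (slide), e.g. hint pushes
POLL_INTERVAL = timedelta(minutes=10)   # default pull interval (slide)

# Constructed connection records: "<timestamp> <src>:<sport> -> <dst>:<dport>"
LOG = """
2006-05-03T09:00:05 10.10.5.21:3344 -> 10.10.1.5:1741
2006-05-03T09:00:07 10.10.5.22:3201 -> 10.10.1.5:1742
2006-05-03T09:10:06 10.10.5.21:3350 -> 10.10.1.5:1741
2006-05-03T09:10:09 10.10.1.5:40100 -> 10.10.5.23:5401
2006-05-03T09:10:11 10.10.5.23:3390 -> 10.10.1.5:1741
2006-05-03T09:12:40 10.10.5.22:3399 -> 10.10.1.5:8080
2006-05-03T09:20:04 10.10.5.21:3360 -> 10.10.1.5:1741
2006-05-03T09:20:30 10.10.1.5:40200 -> 10.10.5.21:443
2006-05-03T09:21:15 10.10.5.23:3402 -> 10.10.1.5:1742
2006-05-03T09:30:02 10.10.5.21:3371 -> 10.10.1.5:1741
"""


def parse_line(line: str) -> Tuple[datetime, str, str, int]:
    """Split one constructed record into (timestamp, src ip, dst ip, dst port)."""
    ts, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src_ip, dst_ip, int(dport)


def classify(lines: Iterable[str]) -> Tuple[Dict[str, datetime], List[str]]:
    """Track each agent's most recent pull and collect MC traffic on unexpected ports."""
    last_poll: Dict[str, datetime] = {}
    unexpected: List[str] = []
    for line in lines:
        ts, src_ip, dst_ip, dport = parse_line(line)
        if dst_ip == MC_IP and dport in AGENT_TO_MC_PORTS:
            last_poll[src_ip] = max(ts, last_poll.get(src_ip, ts))   # agent pull
        elif src_ip == MC_IP and dport in MC_TO_AGENT_PORTS:
            continue                                                 # MC push (hint): expected
        elif MC_IP in (src_ip, dst_ip):
            unexpected.append(line)              # MC involved on a port the design does not use
    return last_poll, unexpected


def stale_agents(last_poll: Dict[str, datetime], now: datetime,
                 known_agents: Set[str], missed_polls: int = 2) -> List[str]:
    """Known agents that have not pulled within `missed_polls` intervals, or never at all."""
    limit = now - missed_polls * POLL_INTERVAL
    return sorted(ip for ip in known_agents if ip not in last_poll or last_poll[ip] < limit)


def demo() -> Dict[str, List[str]]:
    lines = [line for line in LOG.splitlines() if line.strip()]
    last_poll, unexpected = classify(lines)
    now = datetime(2006, 5, 3, 9, 31)
    known = {"10.10.5.21", "10.10.5.22", "10.10.5.23", "10.10.5.24"}   # constructed inventory
    return {"stale": stale_agents(last_poll, now, known), "unexpected": unexpected}


if __name__ == "__main__":
    print(demo())
```

The inventory is passed in explicitly so that an agent that never appears in the records (here `10.10.5.24`) is still reported; a monitor built only from observed traffic would miss exactly the hosts that matter most. The two-interval allowance is a constructed tolerance for jitter in the pull schedule, not a value from the slide.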

Cisco Security Agent
• Locally enforced, centrally managed
• Multiple vendors supported
• Settings can run in test mode before implementation
• Safeguard nodes, files, attack avenues, and stop virus propagation.

Questions?
• Contact info: [email protected]
• Blog: http://spaces.msn.com/professornova