Cisco Security Agent
Eric Vanderburg
May 3, 2006

An overview of the Cisco Security Agent (CSA)

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
163
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Cisco Security Agent - Eric Vanderburg

  1. 1. Cisco Security Agent Eric Vanderburg May 3, 2006 Eric Vanderburg – Cisco Security Agent
Cisco Security Agent (CSA)
• Host-based intrusion prevention system (HIPS)
• Enforces policies on hosts based on specific rules
• Version 5.1 is the newest
• Began as Okena's StormWatch in 1999; Cisco acquired Okena in 2003
• A license is required for the management console and for every agent
– Purchased in bundles of 10 to 10,000, or individually
– Licenses reside on the Management Console machine
• Spans a variety of platforms
Supported Hosts
Server Agent
• Windows Server 2003
• Windows 2000 Server
• Windows NT 4 Server (SP6)
• Solaris 8, SPARC architecture (64-bit)
• Solaris 9, SPARC architecture (64-bit)
• Red Hat Enterprise Linux 3.0 ES and AS
Desktop Agent
• Windows NT 4 Workstation (SP6)
• Windows 2000 Pro
• Windows XP Pro
• Windows XP Tablet Edition
• Red Hat Enterprise Linux 3.0 WS
System Requirements
• Windows
– Pentium 200 MHz
– 128 MB RAM
– 25 MB free hard drive space
• Solaris
– UltraSPARC 400 MHz
– 256 MB RAM
– 25 MB free hard drive space
• Linux
– 500 MHz or faster x86 processor (32-bit only)
– 256 MB RAM
– 25 MB free hard drive space
• No Macintosh support yet
Advantages
• Monitoring
• Central reaction
• Distributed firewall
• Application control
• File protection
• Restrict by posture
Monitoring
• Monitors the following to decide whether an action should be allowed:
– OS kernel usage
– Resources
– Registry entries (Windows)
– COM object access
– Inbound and outbound network connections
Interceptors
• Track actions and compare them against the rules database to choose the response
– Network traffic interceptor: SYN flood and port scan protection
– Network applications interceptor: limit or allow individual applications' access to the network by protocol and by network addressing parameters
– File interceptor: limit an application's ability to read and write specific files and directories
Central reaction
• Agents report to a single management console (MC)
• Events are logged to the management console so that new rules can be created from what is observed
– If the management console is unavailable, events are stored on the agent until the connection is restored
Distributed firewall
• Controls which applications may act as a server to remote clients, and which may act as clients of remote servers
• Learning mode: builds a list of allowed applications from observed usage
– Only adds to the policy; it does not override the central policy from the management console
• Disables the Windows Firewall when installed
Application control
• Restrict access to certain programs
– Restrict by user or system account
• Restrict the actions applications can take
File protection
• Files can be flagged as unavailable to any network connection
• Can stop files from being deleted, modified, or created
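The Interceptors, Distributed firewall, Application control and File protection slides above describe one mechanism: an intercepted action is matched against a rules database and the verdict is enforced on the host. The Python model below is an added example written for this page, not code from Cisco or from the author; it shows that flow, including the point that a locally learned allow never overrides central policy, the stored Yes/No/Terminate answers to user queries described on the Agent slide, and the test mode mentioned on the closing slide. The event fields, the rule shape, the precedence order (central deny, central allow, query, learned allow, then default deny) and the sample policy are assumptions made for illustration, not CSA's actual rule semantics.

```python
"""Added example, not Cisco's code: a minimal model of a CSA-style host policy
engine. An interceptor hands each intercepted action to evaluate(), which checks
it against the rules database. Event shape, rule fields, precedence order and
the sample policy are assumptions made for illustration."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    interceptor: str   # "file" or "network_app"
    process: str       # image path of the process performing the action
    action: str        # file: read/write/delete/create; network: connect/listen
    target: str        # file path, or "proto:address:port" for network events

@dataclass(frozen=True)
class Rule:
    interceptor: str
    process_glob: str
    action: str        # one action, or "*" for any
    target_glob: str
    verdict: str       # "allow", "deny" or "query" (ask the user, remember the answer)
    origin: str = "central"   # "central" = pushed from the MC, "learned" = added locally

    def matches(self, ev: Event) -> bool:
        return (self.interceptor == ev.interceptor
                and fnmatch(ev.process, self.process_glob)
                and self.action in ("*", ev.action)
                and fnmatch(ev.target, self.target_glob))

@dataclass
class Agent:
    central: List[Rule]                                   # policy from the MC
    learned: List[Rule] = field(default_factory=list)     # built in learning mode
    answers: Dict[Tuple[str, str, str], str] = field(default_factory=dict)  # Yes/No/Terminate
    learning_mode: bool = False
    test_mode: bool = False        # report what would be enforced, enforce nothing
    log: List[str] = field(default_factory=list)

    def evaluate(self, ev: Event) -> str:
        """Return "allow", "deny", "terminate" or "query" for one intercepted action."""
        # Precedence used here: central deny, central allow, query, learned allow.
        # A learned rule can add an allow but never override a central deny or query.
        for want in ("deny", "allow", "query"):
            rule = next((r for r in self.central if r.verdict == want and r.matches(ev)), None)
            if rule is None:
                continue
            if want == "query":
                stored = self.answers.get((ev.process, ev.action, ev.target))
                if stored is None:
                    return "query"          # the real agent would prompt the user here
                want = {"Yes": "allow", "No": "deny", "Terminate": "terminate"}[stored]
            return self._decide(want, ev, rule)
        if any(r.matches(ev) for r in self.learned):
            return "allow"
        if self.learning_mode:
            # Nothing matched: record what the host actually does as a local allow rule.
            self.learned.append(Rule(ev.interceptor, ev.process, ev.action, ev.target, "allow", "learned"))
            self.log.append(f"LEARN: {ev.process} {ev.action} {ev.target}")
            return "allow"
        return self._decide("deny", ev, None)    # this sample policy denies by default

    def _decide(self, verdict: str, ev: Event, rule: Optional[Rule]) -> str:
        why = f"{rule.origin} {rule.verdict} rule" if rule else "default deny"
        if self.test_mode:
            self.log.append(f"TEST would {verdict}: {ev.process} {ev.action} {ev.target} ({why})")
            return "allow"
        self.log.append(f"{verdict.upper()}: {ev.process} {ev.action} {ev.target} ({why})")
        return verdict

# Constructed sample policy: protect /etc/app, let only httpd listen on tcp/80,
# and ask the user before any other program listens on a TCP port.
SAMPLE_POLICY = [
    Rule("file", "*", "write", "/etc/app/*", "deny"),
    Rule("file", "*", "delete", "/etc/app/*", "deny"),
    Rule("file", "*", "read", "/etc/app/*", "allow"),
    Rule("network_app", "/usr/sbin/httpd", "listen", "tcp:*:80", "allow"),
    Rule("network_app", "*", "listen", "tcp:*:*", "query"),
]

def demo(test_mode: bool = False) -> Dict[str, str]:
    """Run constructed events through an agent in learning mode; returns the verdicts."""
    a = Agent(central=list(SAMPLE_POLICY), learning_mode=True, test_mode=test_mode)
    nc = ("/tmp/nc", "listen", "tcp:0.0.0.0:4444")
    out = {
        "httpd listens 80": a.evaluate(Event("network_app", "/usr/sbin/httpd", "listen", "tcp:0.0.0.0:80")),
        "rm deletes config": a.evaluate(Event("file", "/bin/rm", "delete", "/etc/app/app.conf")),
        "nc listens 4444": a.evaluate(Event("network_app", *nc)),
    }
    a.answers[nc] = "Terminate"                  # the user answered once; the answer is remembered
    out["nc listens 4444 again"] = a.evaluate(Event("network_app", *nc))
    out["ftp connects out"] = a.evaluate(Event("network_app", "/usr/bin/ftp", "connect", "tcp:10.0.0.5:21"))
    a.learning_mode = False
    out["ftp connects out, learning off"] = a.evaluate(Event("network_app", "/usr/bin/ftp", "connect", "tcp:10.0.0.5:21"))
    out["vi writes config"] = a.evaluate(Event("file", "/usr/bin/vi", "write", "/etc/app/app.conf"))
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} -> {verdict}")
```

demo() returns one verdict per constructed event; calling it with test_mode=True turns every deny into a "TEST would deny" log line while returning allow, which is how a new policy is trialled before it is enforced. The ftp case shows learning mode adding an allow that survives after learning is switched off, and the vi case shows that a central deny still wins while learning is on.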
Trust
• Hosts must be trusted before they are allowed network access
• Hosts are given a posture of quarantined until trusted
• Trusted hosts are:
– Virus free and updated
– Accessing from an appropriate medium
– Adhering to policies
– On the approved list of MAC and IP addresses (both are easily spoofed, so this check only supplements the others)
Management Console
• Agent configuration
• Policy configuration
• Centralized reporting
• Similar interface to other Cisco management tools
• Alerts can be correlated with alerts from other Cisco security products via the Cisco Security Monitoring, Analysis, and Response System (CS-MARS)
Management Console
• Accessed via web browser (IE and Firefox only) over 128-bit SSL on port 443
• URL: https://<management center system hostname>.<domain>
Database
• Local database: MSDE (Microsoft SQL Server Desktop Engine), packaged with the install, is used for deployments of fewer than 500 agents with a database under 2 GB (MSDE's size limit)
• Remote database: SQL Server is used for deployments with more than 500 agents
Agent
• Installed per host
– Requires admin rights
– Deployable through a software deployment solution
• Messages: shows denied actions since the last reboot
• User Query Responses: stored answers (Yes, No, Terminate)
• System Security: slider for off, low, medium, and high settings, plus resume from install mode
• Untrusted apps: selected by the user after a prompt
Agent
• Local firewall settings
– Learning mode
– Enable / disable
– Firewall permissions
  • Email network permission
  • HTTP network permission
  • Network client permission
  • Network server permission
• File protection
• The Solaris agent is not a GUI application; it is managed with the csactl command-line utility
• The Solaris agent cannot present user queries either
Communication
• PC to MC: SSL, TCP 1741 and 1742
• MC to PC: SSL, TCP 443 and 5401
– Policy sent to agents is signed with the MC certificate
• Updates are retrieved by a pull model at a specified interval (default 10 minutes)
• Push method: hints, which tell agents to poll for updates immediately instead of waiting for the interval
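The Central reaction and Communication slides describe the agent side of the protocol: events are held when the MC is unreachable, policy is pulled at an interval (10 minutes by default), a hint from the MC triggers an immediate pull, and policy is signed with the MC certificate. The simulation below is an added example, not Cisco's or the author's code. The MC is an in-memory stub, the event lines, policy versions and keys are constructed, and an HMAC over a shared secret stands in for the certificate signature, which is a deliberate simplification of the real check; the ports on the slide are not modelled.

```python
"""Added example, not Cisco's code: an offline simulation of the agent/MC
exchange on the Central reaction and Communication slides. The stub MC, the
event lines, policy versions and keys are constructed; the product signs policy
with the MC certificate, and an HMAC over a shared secret stands in for that."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Reply = Tuple[int, str, bytes]    # (policy version, policy text, signature)

@dataclass
class ManagementConsole:
    key: bytes
    policy_version: int = 1
    policy_text: str = "deny write /etc/app/*"
    reachable: bool = True
    received: List[str] = field(default_factory=list)

    def sign(self, version: int, text: str) -> bytes:
        return hmac.new(self.key, f"{version}\n{text}".encode(), hashlib.sha256).digest()

    def policy(self) -> Optional[Reply]:
        """Answer an agent poll with the current signed policy; None models a failed connection."""
        if not self.reachable:
            return None
        return self.policy_version, self.policy_text, self.sign(self.policy_version, self.policy_text)

    def accept(self, events: List[str]) -> None:
        self.received.extend(events)      # events the agent had buffered

@dataclass
class Agent:
    mc: ManagementConsole
    verify_key: bytes
    interval: int = 600            # seconds; the slide quotes 10 minutes as the default
    policy_version: int = 0
    policy_text: str = ""
    queue: List[str] = field(default_factory=list)   # events held until the MC accepts them
    next_poll: int = 0
    hint_pending: bool = False
    log: List[str] = field(default_factory=list)

    def record(self, event: str) -> None:
        self.queue.append(event)     # e.g. a denied action reported by an interceptor

    def hint(self) -> None:
        """A hint from the MC: poll now rather than waiting for the interval."""
        self.hint_pending = True

    def tick(self, now: int) -> None:
        if now < self.next_poll and not self.hint_pending:
            return
        self.hint_pending = False
        self.next_poll = now + self.interval
        reply = self.mc.policy()
        if reply is None:
            self.log.append(f"{now}: MC unreachable, holding {len(self.queue)} events")
            return
        version, text, sig = reply
        expected = hmac.new(self.verify_key, f"{version}\n{text}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            # Not signed by our MC: apply nothing and send nothing to this peer.
            self.log.append(f"{now}: rejected policy {version}: bad signature")
            return
        self.mc.accept(list(self.queue))  # peer authenticated, so the backlog can go up
        self.log.append(f"{now}: delivered {len(self.queue)} events")
        self.queue.clear()
        if version != self.policy_version:
            self.log.append(f"{now}: policy {self.policy_version} -> {version}")
            self.policy_version, self.policy_text = version, text

def simulate() -> Dict[str, object]:
    """Walk one agent through a poll, an MC outage, a hint, and an impostor MC."""
    key = b"mc-shared-secret"                         # constructed
    mc = ManagementConsole(key=key)
    agent = Agent(mc=mc, verify_key=key)
    agent.record("denied: /tmp/nc listen tcp:0.0.0.0:4444")
    agent.tick(0)                # first poll: event delivered, policy 1 pulled
    mc.reachable = False
    agent.record("denied: /bin/rm delete /etc/app/app.conf")
    agent.tick(600)              # scheduled poll fails; the event stays queued
    mc.reachable = True
    mc.policy_version, mc.policy_text = 2, "deny write /etc/app/*\ndeny listen tcp:*:*"
    agent.tick(900)              # not due until 1200: nothing happens
    agent.hint()                 # MC hints that new policy is waiting
    agent.tick(901)
    agent.record("denied: /usr/bin/vi write /etc/app/app.conf")
    rogue = ManagementConsole(key=b"attacker", policy_version=3, policy_text="allow *")
    agent.mc = rogue             # an impostor on the path offers a permissive policy
    agent.hint()
    agent.tick(902)
    agent.mc = mc
    agent.hint()
    agent.tick(903)
    return {"received": mc.received, "log": agent.log, "queued": len(agent.queue),
            "leaked": len(rogue.received), "version": agent.policy_version,
            "policy": agent.policy_text}

if __name__ == "__main__":
    for line in simulate()["log"]:
        print(line)
```

simulate() returns the MC's received events, the agent log, what is still queued, and the policy the agent ended up with. Two details carry the security point: the queue is cleared only after the MC has accepted the events, so an outage loses nothing, and the signature is checked before the agent either applies a policy or uploads anything, so the impostor gets neither a permissive policy onto the host nor the buffered events off it.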
Cisco Security Agent
• Locally enforced, centrally managed
• Multiple OS vendors supported (Windows, Solaris, Red Hat Linux)
• Settings can run in test mode before they are enforced
• Safeguards nodes, files, and attack avenues, and stops virus propagation
Questions?
• Contact info: evanderburg@gmail.com
• Blog: http://spaces.msn.com/professornova