|
Cisco Security Agent
Prevent security breaches by protecting endpoint systems with Cisco Security Agent, the Cisco host Intrusion Prevention System
* Secure your endpoint systems with host IPS
* Build and manipulate policies for the systems you wish to protect
* Learn how to use groups and hosts in the Cisco Security Agent architecture and how the
components are related
* Install local agent components on various operating systems
* Explore the event database on the management system to view and filter information
* Examine Cisco Security Agent reporting mechanisms for monitoring system activity
* Apply Application Deployment Investigation to report on installed applications, hotfixes, and service packs
* Collect detailed information on processes and see how they use and are used by system resources
* Create and tune policies to control your environment without impacting usability
* Learn how to maintain the Cisco Security Agent architecture, including administrative access roles and backups
Cisco Security Agent presents a detailed explanation of Cisco Security Agent, illustrating the use of host Intrusion Prevention Systems (IPS) in modern self-defending network protection schemes. At the endpoint, the deployment of a host IPS provides protection against both worms and viruses. Rather than focusing exclusively on reconnaissance phases of network attacks a host IPS approaches the problem from the other direction, preventing malicious activity on the host by focusing on behavior. By changing the focus to behavior, damaging activity can be detected and blocked??regardless of the attack.
Cisco Security Agent is an innovative product in that it secures the portion of corporate networks that are in the greatest need of protection??the end systems. It also has the ability to prevent a day-zero attack, which is a worm that spreads from system to system, taking advantage of vulnerabilities in networks where either the latest patches have not been installed or for which patches are not yet available. Cisco Security Agent utilizes a unique architecture that correlates behavior occurring on the end systems by monitoring clues such as file and memory access, process behavior, COM object access, and access to shared libraries as well as other important indicators.
Cisco Security Agent is the first book to explore the features and benefits of this powerful host IPS product. Divided into seven parts, the book provides a detailed overview of Cisco Security Agent features and deployment scenarios. Part I covers the importance of endpoint security. Part II examines the basic components of the Cisco Security Agent architecture. Part III addresses agent installation and local use. Part IV discusses the Cisco Security Agent management console??s reporting and monitoring capabilities. Part V covers advanced Cisco Security Agent analysis features. Part VI covers Cisco Security Agent policy, implementation, and management. Part VII presents additional installation and management information.
Whether you are evaluating host IPS in general or looking for a detailed deployment guide for Cisco Security Agent, this book will help you lock down your endpoint systems and prevent future attacks.
??While there are still a lot of ways that security can go wrong, Cisco Security Agent provides a defense even when something is wrong. I remember the email that came around from our system administrator that said, ??There??s something attacking our web server. We??re not sure what it is, but Stormwatch is blocking it.?? That was the Nimda worm??the first of a long line of attacks stopped by Cisco Security Agent.?
??Ted Doty, Product Manager, Security Technology Group, Cisco Systems
This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
CONTENTS:
Foreword
Introduction
Part I The Need for Endpoint Security
Chapter 1 Introducing Endpoint Security
The Early Days: Viruses and Worms
Virus Emergence and Early Propagation Methods
LAN Propagation
The WAN and Internet
The Network Worm
The Single Environment and Its Consequences
The Present: Blended Threats
Delivery and Propagation Mechanisms
The Bundled Exploit
Persistence
Paralyzing or Destructive Behavior
The Global Implications
Spyware
The Insider
Understanding Point Security Weaknesses
Using Point Security Products
Candy Shell Security
Backdoor Attack Vectors
Using Attack-Detection Methods
Signature-Based Attack Detection
Log File Scraping
Application Fingerprinting
Behavior-Based Attack Detection
Automation
Establishing a Security Policy
Understanding the Need for a Security Policy
Compliance Versus Enforcement
Summary
Chapter 2 Introducing the Cisco Security Agent
Intrusion Prevention and Intrusion Detection Technologies
The Life Cycle of an Attack
CSA Capabilities
Globally Automated Correlation and Reaction
Distributed Firewall
Application Control
File and Directory Protection
Network Admission Control
CSA Analysis
CSA Components Overview
Management Console
Agent
CSA Communication
Necessary Protocols and Ports
Pull Model
Push/Hint Capability
CSA??s Role Within SAFE
Summary
Part II Understanding the CSA Building Blocks
Chapter 3 Understanding CSA Groups and Hosts
The Relationship Between Groups and Hosts
Understanding CSA Groups
Introducing the Group Types
Mandatory Groups
Predefined Groups
Custom Groups
Viewing Groups
Creating a Custom Group
Exploring Predefined Groups
The Desktops??All Types Group
Other Predefined Groups
Viewing and Changing Group Membership
Viewing Group-Associated Events
Understanding CSA Hosts
Viewing Host Configuration
Polling Intervals
Using Test Mode
Working with Hosts
Changing a Host??s Group Membership
Viewing Host-Associated Events
Summary
Chapter 4 Understanding CSA Policies, Modules, and Rules
The Relationship Between Policies, Modules, and Rules
Establishing Acceptable Use Documents and Security Policies
CSA Rules
Understanding State Sets
User State Sets
System State Sets
State Set Management
Understanding Rule Actions
Understanding Query Options
Rule Precedence and Manipulation
Other Common Rule Configuration Options
CSA Rule Types
Agent Service Control [W and U]
Agent UI Control [W and U]
Application Control [W and U]
Clipboard Access Control [W]
COM Component Access Control [W]
Connection Rate Limit [W and U]
Data Access Control [W and U]
File Access Control [W and U]
File Version Control [W]
Kernel Protection [W]
Network Access Control [W and U]
Network Shield [W and U]
NT Event Log [W]
Registry Access Control [W]
Service Restart [W]
Sniffer and Protocol Detection [W]
System API [W]
Buffer Overflow [U]
Network Interface Control [U]
Resource Access Control [U]
Rootkit/Kernel Protection [U]
Syslog Control [U]
CSA Rule Modules
Working with Rule Modules
Comparing Rule Modules
Creating a Rule Module
Using CSA Predefined Rule Modules
CSA Policies
Understanding Policy Settings
Using CSA Predefined Policies
Policy Relationship to Groups and Agents
Mandatory Groups and Combined Rule Precedence
Summary
Chapter 5 Understanding Application Classes and Variables
Using Application Classes
Purpose of CSA MC Built-In Application Classes
Configuring Application Classes
Built-In Application Classes
Introducing Static and Dynamic Application Classes
Creating a Static Application Class
Configuring Dynamic Application Classes
Managing Application Classes
Controlling Shell Scripts
System Processes
Introducing Variables
Network Address Sets
Network Services Sets
Data Sets
File Sets
Dynamically Quarantined Files and IP Addresses
Query Settings
COM Component Sets
Registry Sets
Summary
Part III CSA Agent Installation and Local Agent Use
Chapter 6 Understanding CSA Components and Installation
General CSA Agent Components Overview
CSA Installation Requirements
Software and Hardware Requirements
Additional Installation Requirements
CSA MC Server and Database
Communication Security
Agent Kits
Creating an Agent Kit
To Shim or Not to Shim?
Installing Agent Kits
Installing a Windows Agent Kit
Installing a Solaris Agent Kit
Installing a Linux Agent Kit
Immediately Rebooting the System After Installation
Scripted Installation
Installing Software Updates
Uninstalling an Agent Kit
Summary
Chapter 7 Using the CSA User Interface
Windows Agent Interface
Windows Agent Tray Icon
Windows System Tray Options Menu
The CSA User GUI
Windows Agent??Status
Windows Agent??System Security
Windows Agent??System Security > Untrusted Applications
Local Firewall Settings
CSA Audible Notifications
Windows Programs Menu
CSA Local Directories and Tools
CSA User Interaction
Stopping a CSA Agent
Linux Agent Interface
Solaris Agent Interface
csactl Utility
Stopping the Solaris Agent
Summary
Part IV Monitoring and Reporting
Chapter 8 Monitoring CSA Events
Status Summary
Network Status
Event Counts per Day
Refresh
Event Log
Filtering the Event Log
Interpreting and Using the Event Log
Understanding Event Field Information
Details
Rule Number
Event Wizard
Find Similar
Event Monitor
Event Log Management
Event Insertion Tasks
Auto-Pruning Tasks
Event Sets
Alerts
Summary
Chapter 9 Using CSA MC Reports
Audit Trail Reporting
Event Reporting
Events by Severity Reports
Events by Group Reports
Group Detail Reporting
Host Detail Reporting
Policy Detail Reporting
Report Viewing
Creating a Sample Report
Summary
Part V Analyzing CSA
Chapter 10 Application Deployment Investigation
Using Application Deployment Investigation
Group Settings
Product Associations
Unknown Applications
Data Management
Using Application Deployment Reports
Antivirus Installations Report
Installed Products Report
Network Data Flows Report
Network Server Applications Report
Product Usage Report
Unprotected Hosts Report
Unprotected Products Report
Summary
Chapter 11 Application Behavior Analysis
Understanding Application Behavior Investigation Components
Configuring Application Behavior Investigation
Using Application Behavior Investigation on the Remote Agent
Analyzing Log Data
Viewing Behavior Reports
File Events
Directory Summary
Individual File Summary
All Events
Registry Events
Key Summary
All Events
COM Events
Object Summary
All Events
Network Events
Destination Port Summary
All Events
Summary Reports
Behavior Summary
Behavior Summary by Process
Exporting the Behavior Analysis Report Data
Analyzing UNIX Application Behavior
Creating Behavior Analysis Rule Modules
Importing the Behavior Policy
Understanding Imported Rule Module Methodology
Reviewing and Tuning the Imported Rule Module and Components
Summary
Part VI Creating Policy, Implementing CSA, and Maintaining the CSA MC
Chapter 12 Creating and Tuning Policy
Creating Policy
How Policy Relates to CSA
The First Steps in Policy Creation
Creating New Policies Versus Using Predefined CSA Policies
Brief Review of Policy Component Hierarchy
Where to Apply Policies
Using Mandatory Groups
Cloning CSA Components
Creating a Simple CSA Policy
Investigating Predefined Policies
Base Operating System Protection??Windows Policy
Microsoft Office Policy
Instant Messenger Policy
Tuning Policy
Review of Key Features Impacting the Tuning Process
Actively Tuning by Example
Limiting the Event Log View
Tuning from Event Log Entries
Introducing the Event Management Wizard
Using the Event Management Wizard
Choosing Between the Event Log and Event Monitor
Troubleshooting Tuning
DMP and RTR Files
Summary
Chapter 13 Developing a CSA Project Implementation Plan
Planning for Success
The Project Plan
Outlining the Project Phases
The Training Phase
The Planning Phase
The Testing Phase
Gather Information
Determine Test Bed Size and Components
Install the Test CSA Management Architecture
Create and Configure the Test CSA Hierarchy
Configure CSA MC Administrative and Maintenance Settings
Create the Base Test Policy
Deploy the Test Policy
Tune the Test Policy and Add Advanced Policies
Place the Policy in Enforcement Mode
Create Alerts
Export, Report, and Document
Train Staff and Users
Verify Success Criteria
The Pilot Phase
The Implementation Phase
Continued Evolution of the CSA Deployment
Summary
Chapter 14 CSA MC Administration and Maintenance
CSA Licensing
CSA MC Registration Control
CSA MC Component Sharing
Exporting CSA MC Objects
Importing CSA MC Objects
CSA MC Role-Based Access Control
Inherited VMS Administrative Rights
CSA MC Administrative Control
Administrative Preferences
Other CSA MC Administrative Features
CSA MC Search Menu
Hosts
Groups
Policies
Rule Modules
Rules
Variables
Application Classes
All Inclusive
CSA MC Help Menu
CSA MC Backup and Restore Procedures
CSA MC Database Backup
CSA MC Database Restoration
Summary
Part VII Appendixes
Appendix A VMS and CSA MC 4.5 Installation
Appendix B Security Monitor Integration
Appendix C CSA MIB
Index
|
