CSA Capabilities


Because CSA resides on the endpoint and observes all system interaction, it can be very effective in securing the endpoint, controlling how the endpoint interacts with surrounding systems, and controlling how users can interact with the local system. Upon installation, CSA begins monitoring local system resources and maintains state tables of what is happening on the system so that the locally enforced security policy is not violated. The agent monitors file and application access and usage, network transactions, registry access, operating system kernel usage, COM object access, and other system components to ensure the strict enforcement of the defined security policy.

Because of its intimate knowledge of what is happening in real time on the local host, the CSA can control what requested actions are allowed or denied. This occurs whether the actions are user requested or malicious code attempting to auto-execute. When the system detects a request that should not be allowed according to the local security policy, it stops the action from occurring and sends an alert regarding the inappropriate behavior.

Residing on the endpoint and closely monitoring the system for any behavior that is inconsistent with the locally enforced security policy, CSA can fill many security roles in a single agent beyond just preventing known and unknown (or day-zero) attacks, including the following:

  • Globally automated correlation and reaction

  • Distributed firewall

  • Application control

  • File and directory protection

  • Network admission control

  • Application deployment and behavior investigation

This section describes each of these roles in detail.

Globally Automated Correlation and Reaction

With security agents throughout your architecture reporting to a single management console, you can leverage the information consolidated in this centralized repository. The CSA Management Console (MC) can correlate events such as e-mail worm propagation events and virus scanner log events to dynamically create new rules. These new rules are distributed to all systems in the architecture that may or may not have seen the correlated event. These dynamically created rules can then provide a first-level defense against the malicious code by preventing the malicious file from executing or the correlated IP address from communicating with any agent-protected system.

Distributed Firewall

CSA actively watches inbound and outbound connections to and from the local host. The agent can control how the network connection is utilized based on the current local security policy that you defined. You can apply a great number of networking controls. The agent can control which applications on the local system can act as a server to remote clients. If an application is acting as a server, you can decide whether it should service connections from all remote systems or just specific remote systems, and on specific TCP ports. The security agent can also control which local applications can act as a network client on your network. This control proves very useful, especially when trying to limit which applications are allowed on workstations within your security policy parameters. For example, you might require that Telnet be used only through the telnet.exe located in a specific folder on the endpoint and prohibit any other application from using the Telnet protocol (TCP/23). By controlling which processes are allowed network access, you can help stop worms from propagating across your network. Through an optionally installed network shim, CSA can also constantly monitor the IP network stack for other inconsistencies, such as invalid protocol headers, SYN floods, port scans, and other malicious packets.

Another addition in CSA 4.5 is the ability for the enterprise security administrator to distribute some of the personal firewall control to the end users. You can enable end users to control which applications are allowed network access through appropriately answering query messages spawned by the centrally defined network access rules. The user can also place the local agent personal firewall in a learning mode to build the list of allowed network applications. The personal firewall rules do not override any centrally defined policies but rather further lock down the system and limit the number of future query messages a user may receive regarding network usage.

Application Control

Many current corporate security policies list specifically named acceptable applications. Unfortunately, in most cases, the enforcement mechanisms are nothing more than signed documents, and the local administrative team typically has very little control over what users actually do use from an application standpoint. CSA can help solve that problem.

Application control rules enable you to enforce portions of your security policy by explicitly stating which applications can run on end systems. Application control can also be more specific: you can name certain applications that can normally be invoked but in specific instances will not be allowed to execute. An example of this is to normally allow a local command shell, such as cmd.exe or command.com, to be launched; however, when downloaded content attempts to initiate a local shell, the application control rule should prevent this.

Another type of application control comes in the form of multiple rules and policies. Cisco provides preconfigured policies that help you control applications such as instant messengers and peer-to-peer music- and file-sharing utilities. These policies help granularly control the specified applications and their usage and require multiple rules to accomplish the task.
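To make the rule semantics of the preceding Distributed Firewall and Application Control sections concrete, the following small policy evaluator is added here as an illustration; it is not Cisco's rule language or agent code. It models the Telnet example (only the telnet.exe in one specific folder may act as a TCP/23 client), the shell example (cmd.exe and command.com run normally but are blocked when spawned by downloaded content), and the stated precedence that user-made personal firewall rules can further lock down the system but never override a centrally defined deny. Every field name, the tainted_parent marker, the default verdict for uncovered events, and all sample paths and events are constructed assumptions.

```python
"""Toy host-policy evaluator (added illustration; not Cisco code or rule syntax)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple


@dataclass(frozen=True)
class Event:
    kind: str                        # "net" (connection) or "exec" (process start)
    app: str                         # full path of the requesting process
    direction: Optional[str] = None  # "client" or "server" for net events
    proto: Optional[str] = None      # "tcp" or "udp" for net events
    port: Optional[int] = None       # remote port (client) or listening port (server)
    tainted_parent: bool = False     # assumed marker: parent handles downloaded content


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow", "deny" or "query" (ask the user)
    kind: str
    app: str = "*"                         # case-insensitive glob over the process path
    except_apps: Tuple[str, ...] = ()      # globs excluded from this rule ("any other application")
    direction: Optional[str] = None
    proto: Optional[str] = None
    ports: frozenset = frozenset()         # empty means any port
    tainted_parent: Optional[bool] = None  # None means don't care

    def matches(self, ev: Event) -> bool:
        path = ev.app.lower()
        if self.kind != ev.kind or not fnmatchcase(path, self.app.lower()):
            return False
        if any(fnmatchcase(path, x.lower()) for x in self.except_apps):
            return False
        if self.direction is not None and self.direction != ev.direction:
            return False
        if self.proto is not None and self.proto != ev.proto:
            return False
        if self.ports and ev.port not in self.ports:
            return False
        return self.tainted_parent is None or self.tainted_parent == ev.tainted_parent


def decide(ev: Event, central: Tuple[Rule, ...], user: Tuple[Rule, ...]) -> Tuple[str, str]:
    """Return (verdict, source). A central deny always wins; user rules may only
    add denies or answer a central "query"; they never unlock a central deny.
    Events no rule covers are allowed (a choice for this toy, not a CSA default)."""
    hits = [r for r in central if r.matches(ev)]
    if any(r.action == "deny" for r in hits):
        return "deny", "central"
    user_hits = [r for r in user if r.matches(ev)]
    if any(r.action == "deny" for r in user_hits):
        return "deny", "user"            # user further locked down the system
    if any(r.action == "allow" for r in hits):
        return "allow", "central"
    if any(r.action == "query" for r in hits):
        if any(r.action == "allow" for r in user_hits):
            return "allow", "user"       # user answered an earlier query with "allow"
        return "query", "central"        # prompt the user now
    return "allow", "default"


TELNET = r"c:\windows\system32\telnet.exe"   # constructed sanctioned path

CENTRAL = (
    # Distributed firewall: only the sanctioned telnet.exe may be a TCP/23 client
    Rule("allow", "net", app=TELNET, direction="client", proto="tcp", ports=frozenset({23})),
    Rule("deny", "net", except_apps=(TELNET,), direction="client", proto="tcp", ports=frozenset({23})),
    Rule("query", "net", direction="client"),   # every other outbound connection asks the user
    # Application control: shells run normally, except when spawned by downloaded content
    Rule("allow", "exec", app="*\\cmd.exe"),
    Rule("allow", "exec", app="*\\command.com"),
    Rule("deny", "exec", app="*\\cmd.exe", tainted_parent=True),
    Rule("deny", "exec", app="*\\command.com", tainted_parent=True),
)

# Constructed personal-firewall answers recorded for one user
USER = (
    Rule("allow", "net", app="*\\updater.exe", direction="client"),
    Rule("deny", "net", app="*\\chat.exe", direction="client"),
)


def demo() -> dict:
    """Evaluate constructed sample events against the policy above."""
    cases = {
        "telnet_ok": Event("net", r"C:\Windows\System32\telnet.exe", "client", "tcp", 23),
        "other_telnet": Event("net", r"C:\Tools\putty.exe", "client", "tcp", 23),
        "updater": Event("net", r"C:\Apps\updater.exe", "client", "tcp", 443),
        "chat": Event("net", r"C:\Apps\chat.exe", "client", "tcp", 443),
        "unknown": Event("net", r"C:\Apps\new.exe", "client", "tcp", 443),
        "shell_ok": Event("exec", r"C:\Windows\System32\cmd.exe"),
        "shell_from_download": Event("exec", r"C:\Windows\System32\cmd.exe", tainted_parent=True),
    }
    return {name: decide(ev, CENTRAL, USER) for name, ev in cases.items()}


if __name__ == "__main__":
    for name, (verdict, source) in demo().items():
        print(f"{name:20s} -> {verdict} ({source})")
```

The ordering inside decide is the point: a user-supplied allow is consulted only where the central policy says "query", so a user cannot reopen TCP/23 for a non-sanctioned client, while a user deny is honoured even for centrally allowed traffic.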

File and Directory Protection

CSA provides a way to protect specified directories and files from being deleted, modified, or created. The local agent monitors file usage so that your protected entries are not adversely affected. The protected files and directories can be on the local hard drive, CD, floppy, removable media (such as zip and USB), or even on network shares.

With version 4.5, you can also allow users to create a local list of files and directories that should not be accessible over any network connection. This functionality enables users to protect their own information outside of what may already be protected via global enterprise file and directory control policies. Just as with the locally administered personal firewall, any access rules set by the local user do not override the centrally defined policies, but instead further lock down the system.

Network Admission Control

CSA plays an important role in the Cisco Self-Defending Network Initiative (SDNI). The first portion of SDNI to become commercially available is Network Admission Control (NAC). Within NAC, there is a requirement that end systems run a component known as the Cisco Trust Agent (CTA). CTA, which is built into version 4.5 of the Cisco Security Agent, provides the network a mechanism by which you can control access at Layer 2 or Layer 3 based on information CTA conveys. In simple terms, the network must learn about the security posture of the endpoint before it is granted access. The information reported as part of this posture assessment process could include the version of the current virus definition file and other posture-related information.

CSA Analysis

Agent analysis is an exciting addition, new in version 4.5, that enables CSA to analyze the endpoint, determine which applications are installed, and report what a specific application is doing when it executes. The ability to inspect your endpoints to provide detailed information on which applications are locally installed is called application deployment investigation. Within this feature, you can also see which applications run and how often they run. Another crucial component of this particular analysis feature is the ability to see which applications are using network resources. This functionality provides detailed reporting of processes running as clients or servers on end systems so that the administrative team can create a global report of network applications. These reports enable you to understand exactly which applications are on your network so that you can block or remove the ones that violate the current written security policy or create security agent policies for currently unprotected applications. It is very important that you understand what is installed and executing on your systems when attempting to protect them. After all, it is not necessarily what you know you have installed that is your biggest concern, but rather what you do not know is installed that poses the real security threat to your organization.

Application behavior investigation is another analysis function that has been added in version 4.5. This feature should prove extremely useful for any organization. After you have located the unprotected or unknown application on a host, you can create a behavior analysis job for that application and deploy the job to the CSA on the endpoint on which the application resides. The agent will compile information on the associated application, such as file, COM, and network usage. After all the information has been compiled, you can view it on the CSA MC and, if desired, create a policy based on the observed behavior of the application that could then be deployed to all other necessary agents.

Cisco Security Agent
ISBN: 1587052059
Year: 2005
Pages: 145
Authors: Chad Sullivan