General CSA Agent Components Overview


You have access to several "under-the-hood" components that are built into CSA. To fully understand how CSA works, it is best to have at least a high-level understanding of a few of the key components and how they interact on the local agent system.

When rules that pertain to the policies running on your agent are changed, edited, added, or removed on the CSA MC, your local policies must be updated with the necessary changes. To do this, the local security agent software communicates with the CSA MC via HTTPS (443) to retrieve the new information. If you recall from an earlier discussion in Chapter 2, "Introducing the Cisco Security Agent," the CSA architecture uses a pull model whereby the agent requests information regarding possible policy changes at a set interval, which by default is 10 minutes. CSA version 4.5 includes a signed UDP hint message that can "nudge" the remote agents into polling earlier than the predetermined time so that they receive the update ahead of schedule. This feature is very convenient, especially in environments where you have raised the default polling interval to a longer value and you need the ability to push (that is, request a pull) a change more quickly than the normal poll cycle allows.

The agent policy manager is the agent component that receives the policies from the CSA MC server and forwards them to another agent component known as the rule/event correlation engine. This engine reviews the old and new rules and replaces or updates whatever is necessary to form the new local rule set.

Another component in the CSA is known as interceptors. Interceptors proxy actions that are attempted and verify how to proceed against the rules in the rule/event correlation engine. Some of the interceptors are as follows:

  • Network Traffic interceptor: Used for SYN flood and port scan protection.

  • Network Applications interceptor: Limits or allows individual applications to access the network via specific protocols and network addressing parameters.

  • File interceptor: Limits an application's ability to read and write to specific files and directories.

A final noteworthy component is the local event manager. The local event manager locally stores events that are generated by triggered rules whose action is set to log. Once stored and cached locally, the events that are to be logged are sent to the CSA MC for administrative review and global event correlation. If the CSA MC is not available, the agent stores the events and transmits them, with their original time stamps attached, the next time it can communicate with the CSA MC server.
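The interaction between the three components described above (the policy manager's timed pull and the signed hint that shortens it, the rule/event correlation engine's merge of old and new rules, and the local event manager's store-and-forward of logged events) can be modelled in a few dozen lines. The following is an added illustrative model, not Cisco's agent code: the class names, the HMAC-based hint signature, the rule fields and the scenario values are all assumptions chosen to mirror the chapter's description.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_POLL_INTERVAL = 600  # seconds: the 10-minute default the chapter cites


@dataclass
class Rule:
    rule_id: int
    action: str   # "allow" / "deny": a hypothetical simplification of a CSA rule
    version: int


class RuleCorrelationEngine:
    """Stand-in for the rule/event correlation engine: compares the pulled
    rule set with the local one and replaces or updates only what changed."""

    def __init__(self) -> None:
        self.rules: Dict[int, Rule] = {}

    def apply(self, new_rules: List[Rule]) -> Dict[str, List[int]]:
        changes: Dict[str, List[int]] = {"added": [], "updated": [], "removed": []}
        new_ids = {r.rule_id for r in new_rules}
        for r in new_rules:
            old = self.rules.get(r.rule_id)
            if old is None:
                changes["added"].append(r.rule_id)
            elif old.version != r.version:
                changes["updated"].append(r.rule_id)
            self.rules[r.rule_id] = r
        for rid in [rid for rid in self.rules if rid not in new_ids]:
            del self.rules[rid]
            changes["removed"].append(rid)
        return changes


def sign_hint(payload: bytes, key: bytes) -> bytes:
    """Assumed construction for the signature on the version 4.5 UDP hint."""
    return hmac.new(key, payload, hashlib.sha256).digest()


class AgentPolicyManager:
    """Stand-in for the agent policy manager: pulls from the MC on a fixed
    interval, or at the next tick when a correctly signed hint arrives."""

    def __init__(self, engine: RuleCorrelationEngine, hint_key: bytes,
                 interval: int = DEFAULT_POLL_INTERVAL) -> None:
        self.engine = engine
        self.hint_key = hint_key
        self.interval = interval
        self.next_poll = interval
        self.polls = 0

    def receive_hint(self, payload: bytes, signature: bytes, now: int) -> bool:
        # A hint with a bad signature is dropped, so a spoofed datagram cannot
        # put agents on someone else's polling schedule.
        if not hmac.compare_digest(sign_hint(payload, self.hint_key), signature):
            return False
        self.next_poll = now
        return True

    def tick(self, now: int, fetch: Callable[[], List[Rule]]) -> Optional[Dict[str, List[int]]]:
        if now < self.next_poll:
            return None
        self.polls += 1
        self.next_poll = now + self.interval
        return self.engine.apply(fetch())


class LocalEventManager:
    """Stand-in for the local event manager: caches logged events and forwards
    them, original time stamps intact, once the MC is reachable again."""

    def __init__(self) -> None:
        self.cache: List[Tuple[int, str]] = []
        self.delivered: List[Tuple[int, str]] = []

    def log(self, timestamp: int, message: str) -> None:
        self.cache.append((timestamp, message))

    def flush(self, mc_reachable: bool) -> int:
        if not mc_reachable:
            return 0            # keep caching; nothing is lost
        sent = len(self.cache)
        self.delivered.extend(self.cache)
        self.cache.clear()
        return sent


def simulate() -> dict:
    """Constructed scenario: an initial pull, a forged and a genuine hint that
    cause an early pull, then a logging gap while the MC is unreachable."""
    key = b"constructed-shared-secret"
    engine = RuleCorrelationEngine()
    pm = AgentPolicyManager(engine, key, interval=1800)  # admin raised it to 30 min
    v1 = [Rule(1, "deny", 1), Rule(2, "allow", 1)]
    v2 = [Rule(1, "deny", 2), Rule(3, "deny", 1)]        # 1 updated, 2 removed, 3 added
    first = pm.tick(1800, lambda: v1)
    forged = pm.receive_hint(b"poll-now", b"\x00" * 32, now=1900)
    genuine = pm.receive_hint(b"poll-now", sign_hint(b"poll-now", key), now=1900)
    nudged = pm.tick(1900, lambda: v2)                   # well before the 3600 s regular poll
    events = LocalEventManager()
    events.log(1901, "deny: file write blocked")
    queued = events.flush(mc_reachable=False)
    events.log(1950, "deny: port scan detected")
    sent = events.flush(mc_reachable=True)
    return {"first": first, "forged": forged, "genuine": genuine, "nudged": nudged,
            "polls": pm.polls, "queued": queued, "sent": sent,
            "delivered": events.delivered, "next_poll": pm.next_poll}
```

Running `simulate()` shows the forged hint being ignored while the genuine one causes a second pull at 1900 seconds instead of 3600, the engine reporting exactly one updated, one added and one removed rule, and both cached events reaching the MC with their original time stamps once it is reachable again.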

All of the previously mentioned agent components also reside in the UNIX agents, although they are implemented through different programming methods available to those operating system architectures.



    Cisco Security Agent
    ISBN: 1587052059
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan