Cisco Security Agent (CSA) is centrally administered, with a distributed, autonomous policy-enforcement reference monitor that runs on desktop, laptop, and server computers running operating systems such as Windows NT, Windows 2000, Windows XP, and Solaris 8. CSA MC (Management Center for Cisco Security Agents) is the management component: it configures the Agents and also retrieves events from them for display to administrators. CSA adapts its defenses by correlating events from different hosts, which makes it effective against both known and previously unseen attacks. A point worth noting is that CSA Agents stopped the Nimda and Code Red worms with out-of-the-box policies, without any prior knowledge of either. Figure 21-1 shows the major components of Cisco Security Agent.
Figure 21-1. CSAgents Architecture Components
Management Model for CSAgent
As shown in Figure 21-1, many components go into the architecture of the CSAgent. Figure 21-2 shows a more detailed view of the CSA components.
Figure 21-2. CSA Components
This section looks into the details of these different components:
CSA MC Directory Structure
The default installation directory for CSA MC is program files\CSCOpx\CSAMC. This section discusses all the directories and files that make the CSA MC and Agent function correctly:
As mentioned before, network machines are organized into groups, and security policies are then attached to those groups in CSA MC. All configuration is done through the Web-based user interface and then deployed to the agents. The CSA MC software is installed on one system, which maintains all policies and host groups. The administrative user interface is accessed over Secure Sockets Layer (SSL) from any machine on the network that can reach the server and run a Web browser; you use it to deploy policies from CSA MC to the agents across your network.
Agents register with CSA MC, which checks its configuration database for a record of the system. When the system is found and authenticated, CSA MC deploys the configured policy for that particular system or group of systems. From then on, the Cisco Security Agent software continually monitors local system activity and polls CSA MC at configurable intervals for policy updates. It also sends triggered event alerts to the CSA MC global event manager, which examines the system event logs and, based on that examination, may send an alert notification to the administrator or cause the agent to take a particular action.
The Cisco Security Agent software installs locally on each system node and intercepts the operations of that system. A network application interceptor sits at the application level and intercepts application operations. Other Cisco Security Agent mechanisms intercept network traffic, file actions, and system registry actions. At the same time, the rule/event correlation engine controls all agent mechanisms, watching for any event that triggers an agent policy.
All communications between the Management Center for Cisco Security Agents server and the systems accessing the browser-based user interface are protected with SSL. Administrators must also authenticate with a username and password to initiate each management session. Communications between the management server and the agents are likewise carried over SSL.
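The registration, polling, and event-reporting exchange described above, modeled as an added example. This is not Cisco's code and does not reproduce the CSA wire protocol, database schema, or rule format, none of which the page describes; host names, the per-host registration secret, group names, policy contents, and the hash-based bundle version are all constructed for illustration, and the SSL transport is assumed rather than shown.

```python
import hashlib
import hmac
import json


class ManagementCenter:
    """Toy server side (not Cisco's code): a configuration database of hosts,
    groups and policies, plus the global event manager's event store."""

    def __init__(self):
        self.hosts = {}    # hostname -> (group, registration secret); all constructed
        self.groups = {}   # group -> list of (policy name, [rule dict, ...])
        self.events = []   # (hostname, event) records reported by agents

    def add_host(self, hostname, group, secret):
        self.hosts[hostname] = (group, secret)

    def attach_policy(self, group, policy_name, rules):
        self.groups.setdefault(group, []).append((policy_name, rules))

    def _authenticate(self, hostname, secret):
        """Return the host's group, or None if it is unknown or the secret is wrong."""
        rec = self.hosts.get(hostname)
        if rec is None or not hmac.compare_digest(rec[1], secret):
            return None
        return rec[0]

    def _bundle(self, group):
        """Flatten every policy attached to a group and version the result by hash,
        so an agent can tell whether the copy it already holds is current."""
        rules = [r for _, policy_rules in self.groups.get(group, []) for r in policy_rules]
        digest = hashlib.sha256(json.dumps(rules, sort_keys=True).encode()).hexdigest()
        return digest[:16], rules

    def handle_register(self, hostname, secret):
        group = self._authenticate(hostname, secret)
        if group is None:
            return {"status": "rejected"}          # no record, or bad credentials
        version, rules = self._bundle(group)
        return {"status": "ok", "group": group, "version": version, "rules": rules}

    def handle_poll(self, hostname, secret, agent_version):
        group = self._authenticate(hostname, secret)
        if group is None:
            return {"status": "rejected"}
        version, rules = self._bundle(group)
        if version == agent_version:
            return {"status": "current", "version": version}
        return {"status": "update", "version": version, "rules": rules}

    def handle_event(self, hostname, secret, event):
        if self._authenticate(hostname, secret) is None:
            return {"status": "rejected"}
        self.events.append((hostname, event))
        return {"status": "logged"}


class Agent:
    """Toy agent side: registers once, then polls for updates and reports events."""

    def __init__(self, hostname, secret, mc):
        self.hostname, self.secret, self.mc = hostname, secret, mc
        self.version, self.rules = None, []

    def register(self):
        reply = self.mc.handle_register(self.hostname, self.secret)
        if reply["status"] == "ok":
            self.version, self.rules = reply["version"], reply["rules"]
        return reply["status"]

    def poll(self):
        """One polling-interval tick; True when a new policy bundle was installed."""
        reply = self.mc.handle_poll(self.hostname, self.secret, self.version)
        if reply["status"] == "update":
            self.version, self.rules = reply["version"], reply["rules"]
            return True
        return False

    def report(self, event):
        return self.mc.handle_event(self.hostname, self.secret, event)["status"]


RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"


def run_demo():
    """Walk through the exchange with constructed hosts, groups and rules."""
    mc = ManagementCenter()
    mc.add_host("web01", "WebServers", "reg-secret-web01")
    mc.attach_policy("WebServers", "Web Server Baseline",
                     [{"resource": "registry:" + RUN_KEY, "operation": "write", "action": "deny"}])
    agent = Agent("web01", "reg-secret-web01", mc)
    registered = agent.register()          # "ok": found, authenticated, policy deployed
    first_poll = agent.poll()              # False: bundle unchanged since registration
    mc.attach_policy("WebServers", "Web Content Lockdown",
                     [{"resource": "file:C:\\inetpub\\wwwroot\\*", "operation": "write", "action": "deny"}])
    second_poll = agent.poll()             # True: new bundle pulled down at the next poll
    reported = agent.report({"rule": "Web Content Lockdown", "verdict": "deny"})
    rogue = Agent("web01", "wrong-secret", mc).register()   # "rejected"
    return {"registered": registered, "first_poll": first_poll, "second_poll": second_poll,
            "rules_after": len(agent.rules), "reported": reported, "rogue": rogue,
            "events_at_mc": len(mc.events)}


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to the real product: the management center, not the agent, decides which policy a host receives (by group membership looked up in its own database), and an agent that cannot authenticate gets no policy at all, so a forged registration yields nothing useful to an attacker. The content hash stands in for whatever version marker the real CSA MC uses; the page does not say.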
How Cisco Security Agents Protect Against Attacks
Unlike anti-virus and network firewall software, Cisco Security Agent does not prevent you from using the applications you require. Rather, it assumes that you are going to put systems at risk by using a wide range of Internet resources. Based on this assumption, Cisco Security Agents install and work at the kernel level, controlling network actions, the local file system, and other system components, and maintaining an inventory of the actions that may be performed on the system. Malicious system actions are therefore detected and blocked immediately, while other actions are allowed; both happen transparently, without interrupting the user. If an encrypted piece of malicious code finds its way onto a system via e-mail, for example, then as soon as it attempts to execute unexpectedly or to alter Cisco Security Agent-protected system resources, it is neutralized and a notification is sent to the network administrator.
The Cisco Security Agents protect systems using policies that you, as the network administrator, configure and deploy. These policies allow or deny specific system actions. The agent must check whether an action is allowed or denied before any system resource is accessed or acted upon. Specifically, rule policies allow administrators to control access to system resources based on the following parameters:
The resources in question may be either system resources or network resources, such as mail servers. When a system action controlled by a specific rule is attempted and allowed or denied accordingly, a system event is logged and sent to the administrator in the form of a configurable notification type, such as e-mail, pager, or custom script.
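The allow/deny check described in the two paragraphs above, worked through as an added example. This is a simplified reference monitor written for this page, not Cisco's engine: the rule fields (application, resource type, resource, operation), the glob matching, the rule that a matching deny beats a matching allow, and the default of permitting actions no rule covers are assumptions chosen to illustrate the text, and every rule, program path, and intercepted action below is constructed. The notifier callback stands in for the e-mail, pager, or custom-script channel the page mentions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    """One policy rule. Pattern fields are shell-style globs (an assumption of this model)."""
    name: str
    application: str      # glob over the acting program's path, e.g. "*\\outlook.exe"
    resource_type: str    # "file", "registry" or "network"
    resource: str         # glob over the resource, e.g. "C:\\inetpub\\wwwroot\\*"
    operation: str        # "read", "write", "execute" or "connect"
    action: str           # "allow" or "deny"
    notify: bool = False  # also raise an administrator notification when this rule fires


@dataclass(frozen=True)
class Action:
    """An intercepted operation, as the file/registry/network interceptors would present it."""
    application: str
    resource_type: str
    resource: str
    operation: str


@dataclass(frozen=True)
class Event:
    rule: str
    verdict: str
    action: Action


class ReferenceMonitor:
    def __init__(self, rules, notifier=None):
        self.rules = list(rules)
        self.notifier = notifier   # stands in for the e-mail / pager / custom-script channel
        self.events = []           # every controlled action, allowed or denied, is logged

    @staticmethod
    def _matches(rule, act):
        return (rule.resource_type == act.resource_type
                and rule.operation == act.operation
                and fnmatch(act.application.lower(), rule.application.lower())
                and fnmatch(act.resource.lower(), rule.resource.lower()))

    def check(self, act):
        """Called before the resource is touched; returns 'allow' or 'deny'."""
        matched = [r for r in self.rules if self._matches(r, act)]
        if not matched:
            return "allow"   # not controlled by any rule: permitted and not logged
        # Assumption for this model only: any matching deny rule wins over an allow.
        rule = next((r for r in matched if r.action == "deny"), matched[0])
        event = Event(rule.name, rule.action, act)
        self.events.append(event)
        if rule.notify and self.notifier is not None:
            self.notifier(event)
        return rule.action


RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"


def run_demo():
    """Constructed rules and intercepted actions; returns (verdicts, events, notifications)."""
    notifications = []
    monitor = ReferenceMonitor([
        Rule("Mail client may not write executables", "*\\outlook.exe", "file",
             "*.exe", "write", "deny", notify=True),
        Rule("No program may add autorun entries", "*", "registry",
             RUN_KEY, "write", "deny", notify=True),
        Rule("Web server may update site content", "*\\inetinfo.exe", "file",
             "C:\\inetpub\\wwwroot\\*", "write", "allow"),
        Rule("Mail client may talk to the mail server", "*\\outlook.exe", "network",
             "mail.example.com:25", "connect", "allow"),
    ], notifier=notifications.append)

    outlook = "C:\\Program Files\\Outlook\\outlook.exe"
    verdicts = [monitor.check(a) for a in [
        Action(outlook, "file", "C:\\Docs\\letter.doc", "write"),            # uncontrolled: allow, no event
        Action(outlook, "file", "C:\\Temp\\invoice.exe", "write"),           # deny + notification
        Action("C:\\Temp\\invoice.exe", "registry", RUN_KEY[:-1] + "svc", "write"),  # deny + notification
        Action("C:\\WINNT\\system32\\inetsrv\\inetinfo.exe", "file",
               "C:\\inetpub\\wwwroot\\index.html", "write"),                 # allow, but logged
        Action(outlook, "network", "mail.example.com:25", "connect"),        # allow, but logged
    ]]
    return verdicts, len(monitor.events), len(notifications)


if __name__ == "__main__":
    print(run_demo())
```

The second and third actions show the e-mail scenario from the previous section: the dropped executable never runs or persists, and the administrator is told. The fourth and fifth show why the page says allowed actions are logged too; a rule that grants access is still a controlled action, and the event trail is what the global event manager correlates across hosts.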