Overview of CSA MC and Agent

CSA Agent is centrally administered, with a distributed, autonomous policy enforcement reference monitor for desktop, laptop, and server computers running operating systems such as Windows NT, Windows 2000, Windows XP, and Solaris 8. CSA MC is the management segment of the CSA Agent that configures Agents and also retrieves events from the Agents to display for the users. CSA Agent adapts defenses based upon the correlation of events from different hosts. It is very effective against existing and previously unseen attacks. An important point to note is that CSA Agents stopped Nimda and Code Red viruses unseen with out-of-the-box policies. Figure 21-1 shows the major components of Cisco Security Agent.

Figure 21-1. CSAgents Architecture Components

Management Model for CSAgent

As shown in Figure 21-1, many components go into the architecture of the CSAgent. Figure 21-2 shows a more detailed view of the CSA components.

Figure 21-2. CSA Components

This section looks into the details of these different components:

  • Security administrators Security administrators are responsible for configuring the system via a browser connected to the Management Console. The jobs of the security administrators include reviewing security events, reports, and alerts, and modifying security policies. They can configure, deploy, and monitor roles.

  • Management Center Management Center is a server that runs the CSA MC (integrated with Common Services). As CSA MC is the data repository for the Agents, it is important to physically secure this server. Following are the some of the functions of the CSA MC server:

    - Holds the configuration and event databases (SQL server)

    - Distributes agent software to hosts

    - Deploys security policies to hosts

    - Receives events from agents and performs correlations

    - Sends alerts to administrators

  • Hosts Agents are deployed on hosts that have the following characteristics:

    - Are protected by Cisco Security Agents

    - Are members of one or more group

    - Obtain their security policies from the Management Center

    - Send security events to the Management Console

  • Groups Groups are used to organize logical collections of hosts. Examples of groups are IIS Servers, Executive Desktops, or SQL Servers.

  • Policies Policies are composed of logical collections of rules. They are attached to zero or more groups. Examples of policies are Common Security Module, or Microsoft Office Module.

  • Rules In Rules, security functions are specified and attached to policies. You may enable specific heuristics.

CSA MC Directory Structure

The default installation directory for CSA MC is program files\CSCOpx\CSAMC. This section discusses all the directories and files that make the CSA MC and Agent function correctly:

  • BIN This directory has a list of following files:

    - The Web Server (Apache) components

    - Physical location of the Agent Kits (deploy_kits)

    - Physical location of the agent upgrade executable (software_kits)

    - Physical location of import/export files

    - Physical location of the help guides

  • CFG This directory has the list of following files:

    - Configuration files for the CSA MC

    - SSL Certificates, license file (*.lic), kleidia, *.sql files, sysvars.cf

  • LOG This directory has a list of following files:

    - csalog.txt Records Management Console transactions

    - AgentInstallInfo.txt Record of the Management Console installation

  • DB This directory contains all the database-related files which are listed as follows:

    - CSA MC.mdf CSA MC database

    - CSA MC_log.ldf CSA MC database

    - CSA MC_volatile_data.ndf Database for Stormtracker/tracker

  • Other directories Following is the list of other CSA MC directories:

    - Cr Runtime version of Crystal Reports

    - Doc User guide and install guide in PDF format And location of the SNMPv2.MIB

    - Perl perl files

    - Policies Profiler policies are stored here

    - Samples Not used

    - Tmp Not used

Communication Architecture

As mentioned before, network machines are assembled into specified groups and then security policies are attached to those groups in the CSA MC. All configuration is done through the Web-based user interface and then deployed to the agents. CSA MC Software is installed on a system, which maintains all policy and host groups. The administration user interface is accessed securely using Secure Sockets Layer (SSL) from any machine on the network that can connect to the server and run a Web browser. Use the Web-based interface to deploy your policies from CSA MC to the agents across your network.

Agents register with CSA MC. CSA MC checks its configuration database for a record of the system. When the system is found and authenticated, CSA MC deploys a configured policy for that particular system or grouping of systems. From then on, the Cisco Security Agent software continually monitors local system activity and polls to the CSA MC at configurable intervals for policy updates. It also sends triggered event alerts to the CSA MC's global event manager. The global event manager examines system event logs and, based on that examination, may trigger an alert notification to the administrator or cause the agent to take a particular action.

The Cisco Security Agent software installs locally on each system node and intercepts the operations of that system. A network application interceptor sits at the application level and intercepts all application operations. Other Cisco Security Agent mechanisms intercept network traffic, file actions, and system registry actions. At the same time, the rule/event correlation engine controls all agent mechanisms watching for any events that trigger an agent policy.

All communications between the Management Center for Cisco Security Agents server system and systems accessing the browser-based user interface are protected using SSL. Administrator authentication is also provided via the required entry of a username and password to authenticate and initiate each management session. Additionally, communications between the management server and the agents are passed over SSL.

How Cisco Security Agents Protect Against Attacks

Unlike anti-virus and network firewall software, Cisco Security Agent does not prevent you from accessing applications that you may require. Rather, it assumes that you are going to put the systems at risk by making use of a wide range of Internet resources. Based on this assumption, Cisco Security Agents install and work at the kernel level, controlling network actions, local file systems, and other system components, maintaining an inventory of actions that may be performed on the system itself. This way, malicious system actions are immediately detected and disabled, while other actions are allowed. Both actions take place transparently, without any interruption to the user. If an encrypted piece of malicious code finds its way onto a system via e-mail, for example, as it attempts to unexpectedly execute or alter Cisco Security Agent-protected system resources, it is immediately neutralized and a notification is sent to the network administrator.

The Cisco Security Agents protect systems using policies, which you as network administrators configure and deploy. These policies can allow or deny specific system actions. The Cisco Security Agents must check whether an action is allowed or denied before any system resources are accessed and acted upon. Specifically, rule policies allow administrators to control access to system resources based on the following parameters:

  • What resource is being accessed?

  • What operation is being invoked?

  • Which application is invoking the action?

The resources in question here may be either system resources or network resources, such as mail servers. When any system actions that are controlled by specific rules are attempted and allowed or denied accordingly, a system event is logged and sent to the administrator in the form of a configurable notification type such as e-mail, pager or custom script.

Cisco Network Security Troubleshooting Handbook
Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
EAN: 2147483647
Year: 2006
Pages: 190
Authors: Mynul Hoda

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net