Summary


As outlined in previous chapters, the PIX Firewall provides the first three layers of defense in depth:

  • Chapter 7, "Deploying Authentication"

  • Chapter 8, "Deploying Perimeter Protection"

  • Chapter 9, "Deploying Network Intrusion Prevention"

These layers take several steps and mitigate many known and unknown attacks. However, in today's security environment, where valid data and protocol are used as the basis for an attack, behavior-based host intrusion prevention (CSA) is the final step in providing a complete and secure network defense.

The current attack paradigm comprises five phases:

  • Probe phase: Finds out the components and applications in the network

  • Penetrate: Compromises the system

  • Persist: Installs the malware so that it can be re-executed on the devices, or configures the device so that the hacker can regain access at will

  • Propagate: Looks for other hosts to infect

  • Paralyze: Crashes the device, steals secrets, or takes down the network

CSA defends against this attack paradigm at all levels, providing defense in depth within the device it is protecting. It does this with three rules-based engines:

  • Behavior engine: Stops bad behavior such as code executing off of the stack, writes to the system directory, or writes to the system registry.

  • Application engine: Stops applications from misbehaving. For example, in general, a browser needs to access web pages, execute some scripts, and write history files and cookies to the hard drive. If an application attempts to do things that it shouldn't, the application engine stops the behavior.

  • Firewall engine: Filters traffic, rate limits during DoS attacks, and can mitigate some probe-phase behaviors.

The CSA Management Console also has a function that helps mitigate worms, viruses, pings, and probes. The Management Console uses data provided by the agents to determine whether a host is exhibiting behavior similar to a worm or virus, or is pinging or probing devices on the network. If it finds a host behaving this way, it puts that device in a global quarantine list and creates a rule that is downloaded by hosts and servers to restrict traffic from the infected host.
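To make the correlation step concrete, the following is an added example (not code from the book or from CSA) of a management-console-style heuristic: agents report connection attempts, the console flags any host that touches many distinct destinations on one port within a short window, and it emits a deny rule for the quarantine list. The event format, the thresholds, and the rule shape are assumptions invented for this illustration; the CSA Management Console's real data structures and detection logic are not documented here.

```python
"""Toy agent-event correlation producing a global quarantine list.

Everything below (event fields, thresholds, rule layout) is constructed for
illustration; it is not the CSA Management Console's actual implementation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentEvent:
    host: str      # agent that reported the outbound attempt (the source host)
    ts: int        # timestamp in seconds (constructed values)
    dst: str       # destination IP the host tried to reach
    dport: int     # destination port
    outcome: str   # "refused", "open" or "timeout" as seen by the agent


# Assumed tuning knobs: 5 distinct destinations on one port within 60 s
FANOUT_THRESHOLD = 5
WINDOW_SECONDS = 60


def find_probing_hosts(events, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {host: {"dport": p, "distinct_destinations": n}} for hosts whose
    fan-out to distinct destinations on a single port reaches `threshold`
    within any `window`-second span. A high fan-out on one port is the
    classic worm-scan / probe signature the text describes."""
    by_host_port = defaultdict(list)
    for e in events:
        by_host_port[(e.host, e.dport)].append(e)

    flagged = {}
    for (host, dport), evs in by_host_port.items():
        evs = sorted(evs, key=lambda e: e.ts)
        best = 0
        start = 0
        # Sliding window over the time-ordered events for this host/port
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.dst for e in evs[start:end + 1]}
            best = max(best, len(distinct))
        if best >= threshold:
            prior = flagged.get(host)
            if prior is None or best > prior["distinct_destinations"]:
                flagged[host] = {"dport": dport, "distinct_destinations": best}
    return flagged


def build_quarantine_rules(flagged):
    """Turn flagged hosts into deny rules that other agents would download.
    The rule dictionary shape is an assumption for this example."""
    rules = []
    for host, info in sorted(flagged.items()):
        rules.append({
            "action": "deny",
            "direction": "inbound",
            "src": host,
            "reason": f"probe-like fan-out: {info['distinct_destinations']} "
                      f"destinations on tcp/{info['dport']}",
        })
    return rules


# Constructed sample: 10.0.0.5 sweeps eight hosts on port 445 in 14 seconds;
# 10.0.0.7 behaves normally (a couple of web requests).
SAMPLE_EVENTS = [
    AgentEvent("10.0.0.5", 1000 + 2 * i, f"10.0.1.{i + 1}", 445, "refused")
    for i in range(8)
] + [
    AgentEvent("10.0.0.7", 1003, "10.0.2.10", 80, "open"),
    AgentEvent("10.0.0.7", 1009, "10.0.2.10", 80, "open"),
    AgentEvent("10.0.0.7", 1020, "10.0.2.11", 443, "open"),
]


def demo():
    """Run the correlation over the constructed events and return the rules."""
    flagged = find_probing_hosts(SAMPLE_EVENTS)
    return build_quarantine_rules(flagged)


if __name__ == "__main__":
    for rule in demo():
        print(rule)
```

Running it flags only 10.0.0.5 and produces a single inbound deny rule for that address; the well-behaved host never reaches the fan-out threshold. In practice a console would also age entries out of the quarantine list and record why a host was quarantined so an operator can clear false positives.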

A step-by-step overview is provided so that you can understand the effort necessary to deploy CSA in your business or enterprise. It's suggested that you duplicate your production environment in a lab and run CSA on the lab devices in Test mode. With CSA in Test mode, you can look at the alarms on the CSA Management Console and use a wizard to generate rules that will allow your applications to run securely and error-free.

Finally, it is recommended that CSA run with reputable antivirus software to ensure that you have additional defense in depth on the host. The antivirus software also cleans up any files that it recognizes as malware that might have been downloaded on the device via e-mail.

The remaining steps to fully deploy defense in depth in your network are covered in Chapter 11, "Deploying VPNs," and Appendix A, "Deploying Effective Security Management."



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar