As outlined in previous chapters, the PIX Firewall provides the first three layers of defense in depth:
These layers mitigate many known and unknown attacks. However, in today's security environment, where valid data and legitimate protocol behavior are used as the basis for an attack, behavior-based host intrusion prevention (Cisco Security Agent, or CSA) is the final step in providing a complete and secure network defense. The current attack paradigm comprises five phases:
CSA defends against this attack paradigm at every phase, providing defense in depth within the device it is protecting. It does this with three rules-based engines:
The CSA Management Console also has a function that helps mitigate worms, viruses, pings, and probes. The Management Console uses data reported by the agents to determine whether a host is exhibiting behavior similar to a worm or virus, or is pinging or probing devices on the network. If it finds a host behaving this way, it puts that device in a global quarantine list and creates a rule that the other hosts and servers download to restrict traffic from the infected host.

A step-by-step overview is provided so that you can understand the effort necessary to deploy CSA in your business or enterprise. It is suggested that you duplicate your production environment in a lab and run CSA on the lab devices in Test mode. With CSA in Test mode, the agents log alarms instead of blocking; you can review those alarms on the CSA Management Console and use a wizard to generate rules that allow your applications to run securely and error-free before switching the agents to enforcement.

Finally, it is recommended that CSA run alongside reputable antivirus software to ensure that you have additional defense in depth on the host. The antivirus software also cleans up any files that it recognizes as malware that might have been downloaded to the device via e-mail. The remaining steps to fully deploy defense in depth in your network are covered in Chapter 11, "Deploying VPNs," and Appendix A, "Deploying Effective Security Management."
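The following is an added illustration of the kind of agent-event correlation the Management Console performs when it decides that a host is pinging or probing the network and should be placed on the global quarantine list. It is not Cisco Security Agent code, and the event format, the sliding-window thresholds, and the rule syntax it emits are all assumptions made for this example; the sample agent events are constructed inline so the script runs offline.

```python
"""Toy console-side correlation: flag hosts whose agent-reported traffic looks
like a ping sweep or a port probe, then emit a per-host restriction rule.

Added example, not Cisco Security Agent code.  Assumptions: agents report one
'ts src dst proto dport' line per connection attempt, a 60-second sliding
window, the thresholds below, and a hypothetical 'deny ip from X to any' rule
syntax for what other hosts would download.
"""
from collections import Counter, deque
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed detection parameters (not CSA's real values).
WINDOW_S = 60.0           # sliding window length in seconds
ICMP_ECHO_MAX = 20        # echo requests from one host inside a window
DISTINCT_DST_MAX = 25     # distinct targets contacted inside a window
DISTINCT_PORT_MAX = 15    # distinct ports tried on a single target


@dataclass(frozen=True)
class AgentEvent:
    ts: float              # seconds
    src: str               # host the agent is reporting as the originator
    dst: str
    proto: str             # "icmp-echo", "tcp" or "udp"
    dport: Optional[int]   # None for ICMP


def parse_event(line: str) -> AgentEvent:
    """Parse one assumed 'ts src dst proto dport' line; dport is '-' for ICMP."""
    ts, src, dst, proto, dport = line.split()
    return AgentEvent(float(ts), src, dst, proto,
                      None if dport == "-" else int(dport))


def find_probing_hosts(events: List[AgentEvent]) -> Dict[str, str]:
    """Return {src: reason} for every host that, in some WINDOW_S-second
    sliding window, exceeds one of the ping/probe thresholds."""
    by_src: Dict[str, List[AgentEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_src.setdefault(ev.src, []).append(ev)

    flagged: Dict[str, str] = {}
    for src, evs in by_src.items():
        window: deque = deque()
        icmp = 0
        dsts: Counter = Counter()        # dst -> events in window
        ports: Counter = Counter()       # (dst, dport) -> events in window
        for ev in evs:
            window.append(ev)
            if ev.proto == "icmp-echo":
                icmp += 1
            dsts[ev.dst] += 1
            if ev.dport is not None:
                ports[(ev.dst, ev.dport)] += 1
            # Expire events that have fallen out of the window.
            while ev.ts - window[0].ts > WINDOW_S:
                old = window.popleft()
                if old.proto == "icmp-echo":
                    icmp -= 1
                dsts[old.dst] -= 1
                if dsts[old.dst] == 0:
                    del dsts[old.dst]
                if old.dport is not None:
                    ports[(old.dst, old.dport)] -= 1
                    if ports[(old.dst, old.dport)] == 0:
                        del ports[(old.dst, old.dport)]
            # Distinct ports tried per target, taken over the live window only.
            per_dst = Counter(d for d, _ in ports)
            busiest_dst, n_ports = max(per_dst.items(), key=lambda kv: kv[1],
                                       default=(None, 0))
            reason = None
            if icmp > ICMP_ECHO_MAX:
                reason = f"{icmp} ICMP echo requests in {WINDOW_S:.0f}s"
            elif len(dsts) > DISTINCT_DST_MAX:
                reason = f"{len(dsts)} distinct targets in {WINDOW_S:.0f}s"
            elif n_ports > DISTINCT_PORT_MAX:
                reason = f"{n_ports} distinct ports probed on {busiest_dst}"
            if reason:
                flagged[src] = reason
                break                     # one verdict per host is enough
    return flagged


def build_quarantine_rules(flagged: Dict[str, str]) -> List[str]:
    """Rule text (hypothetical syntax) that the other agents would download."""
    return [f"deny ip from {host} to any  # quarantined: {reason}"
            for host, reason in sorted(flagged.items())]


def constructed_events() -> List[AgentEvent]:
    """Constructed sample data: one normal host, one ping sweep, one port probe."""
    lines = [f"{100 + i * 10} 10.1.1.10 10.1.5.20 tcp 443" for i in range(5)]
    lines += [f"{200 + i * 0.5} 10.1.1.50 10.1.2.{i + 1} icmp-echo -"
              for i in range(40)]                       # 40 pings in 20 s
    lines += [f"{300 + (p - 20)} 10.1.1.51 10.1.3.10 tcp {p}"
              for p in range(20, 50)]                   # ports 20..49 in 30 s
    return [parse_event(l) for l in lines]


if __name__ == "__main__":
    verdicts = find_probing_hosts(constructed_events())
    for rule in build_quarantine_rules(verdicts):
        print(rule)
```

The sliding window is what makes this a behavioral judgement rather than a static signature: thirty pings spread across an hour never exceed the threshold, while the same thirty pings in twenty seconds do. The practical caveat is that the thresholds decide your false-positive rate, which is exactly why the text recommends running CSA in Test mode against a copy of production first, so that legitimate monitoring hosts and backup servers can be exempted before a quarantine rule is pushed to every agent.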