In addition to antivirus protection, you must protect the operating system against other threats from the network, such as DoS attacks. For these issues, Cisco provides Cisco Security Agent software to install on every Cisco CallManager system. The Cisco Security Agent implements the host-based intrusion prevention system (HIPS), which provides an additional layer of protection against known and unknown attacks. At the same time, CSA provides security services not offered by the host operating system. Examples of these services are personal firewall protection, software keylogger detection, and abnormal application behavior protection.
Cisco Security Agent is designed to protect the endpoint from network-borne attacks, and it enforces its protection rules on several levels. One of them is the protection of the underlying operating system from potentially hostile applications. Cisco Security Agent provides three basic areas of operating system protection:
Cisco Security Agent (CSA) operates independently of native operating system functions, providing an independent layer of protection that prevents attacks even when the native operating system access control methods are breached. You should never deploy the CSA in place of strong host security, but as an additional protective layer to provide protection methods not available in the host operating system.
The rationale behind the behavioral approach is that although the number of methods and exploits to attack a system is extremely large, the number of possible consequences of these attacks is relatively small. For example, a web server can be persuaded by the attacker to execute a local file or an executable attachment in an e-mail attempting to access the Windows Registry. CSA can recognize application behavior leading to or following an attack and prevent the malicious actions. This ability is also why CSA does not require constant updates; its policies need to be updated only if a completely different class of attacks is created, which is relatively rare.
CSA for IP telephony servers is available in two versions:
Caution
Do not use the headless agent when running Cisco CallManager with collocated applications, such as Cisco IPCC Express, Cisco IP IVR, or Cisco IP QM, because the fixed policy of the headless agent will not support these applications (and as a consequence they will not work properly).
Cisco Security Headless Agent
The free headless agent has a fixed security policy and no centralized reporting capabilities. For each type of IP telephony server, a different (predefined) agent kit is available for the headless agent. The headless agent is configured with appropriate policies and exceptions for a typical supported configuration of that server. The headless agent should be used in environments where centralized reporting is not required or practical and the IP telephony servers are aligned with Cisco specifications for installed software and system and application configuration and where they feature no add-ons that might conflict with the security rules of the headless agent.
Note
The headless agent is also commonly referred to as the standalone CSA agent on the Cisco website.
Cisco Security Managed Agent
The managed version of CSA uses CiscoWorks VPN/Security Management Solution (VMS) and CSA Management Center (MC) for centralized policy distribution and allows event correlation and reporting. As with the headless agent, which comes in different configurations for different types of IP telephony servers, CSA MC also allows the administrator to load predefined, application-specific policies for each IP telephony server type.
Note
Cisco offers a free, predefined policy for the CSA Managed Agent that deploys the same CallManager security standards as the standalone CSA.
The managed agent should be used in environments where centralized reporting is required, where servers do not use a typical configuration (for example, with nondefault TCP or UDP ports) or have special application requirements (for example, custom systems management software), or where the default policies need to be augmented with site-specific protection requirements.
Deployment of the managed agent also allows the use of CSA Profiler, an expert add-on tool that can, to a large extent, automate generation of custom application policies. This add-on would allow an expert CSA administrator to further enhance the built-in policies and confine every IP telephony application to a sandbox, similar to the functions that the built-in Restrictive MS IIS Module and Restrictive MS SQL Server Module provide for those two applications.
The CSA Profiler must be purchased separately, but it does not require any other software to be installed on the profiled servers.
CSA Supported Applications
CSA is available for Cisco CallManager Release 3.2(3), 3.3, and later. To use CSA for another Cisco IP telephony application, check the CSA administration manual to determine whether Cisco supports CSA for that particular application.
This is a list of software add-ons that are supported with CSA on the same server:
Note
The Cisco Security Agent headless agent and the Cisco Security Agent policies for the Cisco Security Agent MC are both available at http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des (Cisco CCO account required).
CSA Protection
The CSA default operating system protection rules for IP telephony servers provide basic operating system hardening and integrity protection and contain rule exceptions for supported add-on applications. In regard to local resource access control, these policies can be summarized as follows:
In addition to these basic rules, many other rule modules constitute the total CSA protection policy of a system.
CSA Guidelines
At the minimum, for each server, deploy the headless CSA, as shown in Figure 20-5. The built-in operating system protection policies are sound and generally do not require tuning for enhanced protection, except where dictated by the site policy.
Figure 20-5. Headless (or Standalone) CSA Interface
So-called "false positives," events that are erroneously classified as attacks, are very likely when using unsupported server add-ons, such as system management and unsupported antivirus software. To eliminate this erroneous behavior, deploy the managed agent and add the requested permissions for these applications so that CSA will not consider them to be malicious.
CSA also provides personal firewall functions by restricting network connections to the server. The headless agent has a fixed policy that allows all inbound connections to the server, and this cannot be changed. If you want to use CSA to control network connectivity to the server, you have to use the managed agent. Alternatively, you could use native Windows IP security filtering or rely solely on packet filtering by network devices, such as routers or firewalls.
CSA by default allows the agent service to be stopped by the local administrator (using the net stop csagent command). When using the managed version of CSA, you can apply an agent policy that blocks the local administrator from stopping the agent.
Tip
The CSA should be installed on the Cisco CallManager server after you have applied the security template. Otherwise, the CSA will think many security template modifications are attacks on the CallManager server.
Administrator Password Policy |
Part I: Cisco CallManager Fundamentals
Introduction to Cisco Unified Communications and Cisco Unified CallManager
Cisco Unified CallManager Clustering and Deployment Options
Cisco Unified CallManager Installation and Upgrades
Part II: IPT Devices and Users
Cisco IP Phones and Other User Devices
Configuring Cisco Unified CallManager to Support IP Phones
Cisco IP Telephony Users
Cisco Bulk Administration Tool
Part III: IPT Network Integration and Route Plan
Cisco Catalyst Switches
Configuring Cisco Gateways and Trunks
Cisco Unified CallManager Route Plan Basics
Cisco Unified CallManager Advanced Route Plans
Configuring Hunt Groups and Call Coverage
Implementing Telephony Call Restrictions and Control
Implementing Multiple-Site Deployments
Part IV: VoIP Features
Media Resources
Configuring User Features, Part 1
Configuring User Features, Part 2
Configuring Cisco Unified CallManager Attendant Console
Configuring Cisco IP Manager Assistant
Part V: IPT Security
Securing the Windows Operating System
Securing Cisco Unified CallManager Administration
Preventing Toll Fraud
Hardening the IP Phone
Understanding Cryptographic Fundamentals
Understanding the Public Key Infrastructure
Understanding Cisco IP Telephony Authentication and Encryption Fundamentals
Configuring Cisco IP Telephony Authentication and Encryption
Part VI: IP Video
Introducing IP Video Telephony
Configuring Cisco VT Advantage
Part VII: IPT Management
Introducing Database Tools and Cisco Unified CallManager Serviceability
Monitoring Performance
Configuring Alarms and Traces
Configuring CAR
Using Additional Management and Monitoring Tools
Part VIII: Appendix
Appendix A. Answers to Review Questions
Index