Implementing Outbreak Management with Cisco ICS


Cisco ICS (Incident Control System) is a centralized management product from Cisco that works with Trend Micro's automated IPS signature update service to respond to new security incidents. Cisco ICS can deploy broad access control lists (ACLs) to stop the spread of a newly identified infection through the network. These ACLs are known as OPACLs.

After analysis of the new network incident by Trend Micro, Cisco ICS can also deploy a specific signature to mitigate a new network infection outbreak such as a worm. These signatures are known as OPSigs. OPSigs can be deployed to IOS routers with IPS signatures and other Cisco IPS systems.

The first step in the ICS system is the identification of a new network threat. After a network threat is identified, Trend Micro will post on its website the information required to mitigate or reduce the impact of the network attack. The typical list of events that transpires to control the network incident includes the following items:

1. Trend Micro's TrendLabs identifies a new network threat or attack.

2. Trend Micro's TrendLabs creates an outbreak management task file. This outbreak management task file contains a broad OPACL that will prevent the outbreak from spreading throughout the network.

3. Cisco ICS can automatically download this outbreak management task file for the new network threat.

4. The OPACL in the task file can be either automatically deployed or manually deployed after human intervention. There is also an exception list that will prevent Cisco ICS from applying an ACL for a specific port for common network traffic, such as HTTP (TCP Port 80).

5. TrendLabs releases an OPSig to enable IPS devices to detect the new network threat. Typically the OPSig is released within a few hours of the release of the outbreak management task file with the OPACL.

6. Cisco ICS downloads the OPSig, either automatically or manually.

7. The original OPACL expires after the download of the OPSig.

8. Cisco ICS uses IPS events to determine if a host is sending network traffic that is considered to be a network threat and could possibly be infected. If a host is determined to be infected, the infected host is added to the watch list in Cisco ICS.

Cisco ICS is a Windows server application, and the client GUI is a web browser. Internet Explorer is required as the web browser since ActiveX is used as part of the client GUI. The logon screen for the Cisco ICS is displayed in Figure 4-1.

Figure 4-1. Cisco ICS Logon


Outbreak Management Summary

The Cisco ICS summary page shown in Figure 4-2 provides a summary of the tasks to manage a network outbreak. The Outbreak Management Summary page is divided into the following areas:

  • Active Outbreak Management Tasks

  • Automatic Outbreak Management Tasks

  • OPACL

  • OPSigs

Figure 4-2. Cisco ICS Summary Page


Any new outbreak management tasks are highlighted at the top of the Active Outbreak Management Tasks area. The location to select a new outbreak management task is displayed in Figure 4-3.

Figure 4-3. Selecting a New Outbreak Management Task


Selecting a new outbreak management task results in the display of network threats with the new threat or corresponding outbreak management task selected, as shown in Figure 4-4.

Figure 4-4. Selecting Name of Threat


Information and Statistics on Network Threats from Trend Micro

Each threat name contains a link to information about that threat from Trend Micro. Figure 4-5 provides an overview of the network threat from Trend Micro. The network threat information is displayed by selecting the name of the threat or incident.

Figure 4-5. Overview of Threat


The overview can also contain a behavior diagram of the network threat. A behavior diagram can contain actions, implications, and countermeasures for the network threat. Figure 4-6 provides an example of a behavior diagram from Trend Micro.

Figure 4-6. Behavior Diagram of Threat


The security information about the threat from Trend Micro can also contain technical details of the network threat. Figure 4-7 shows a technical details sample.

Figure 4-7. Technical Details of Threat


Statistics of the threat are also provided in the security information from Trend Micro. Information like the number of computers infected by the network threat and a one-day trend of how many computers are infected by the threat can be provided in the Statistics option. These statistics tend to be global and based upon aggregate information from Trend Micro. Figure 4-8 displays an example of statistics on a network threat.

Figure 4-8. Statistics of Threat


New Outbreak Management Task

Selecting Next from the New Outbreak Management Task list in Figure 4-4 displays information about the recommended OPACL deployment to stop the network attack. OPACL information includes the time or end date at which the OPACL should expire, the ability to configure a custom OPACL, and the ability to view the OPACL configuration. An example of a display of this OPACL information for a new outbreak management task is provided in Figure 4-9.

Figure 4-9. OPACL Information for Threat


The next step in setting up a new outbreak management task is defining the target devices that will receive the OPACL. The wizard, by default, will select a default set of devices with an option to change the set of target devices. An example of the target device configuration for the OPACL is provided in Figure 4-10.

Figure 4-10. Select Target Device for OPACL


Selecting the target devices and then clicking Finish will result in the running of a new outbreak management task. Figure 4-11 displays an example of a summary that indicates that a New Outbreak Management Task is now running.

Figure 4-11. New Outbreak Management Task Running


The network threat that was identified in the New Outbreak Management Task list should now be listed in the Outbreak Management Task List. Information for each network threat in the Outbreak Management Task List includes the following:

  • Task name

  • Hosts in watch list

  • Initiated date/time

  • OPACL end date/time

  • Action to stop task

You can stop an outbreak management task by clicking the Stop button in the Action column, as shown in Figure 4-12.

Figure 4-12. Stop Management Task


Cisco ICS features the ability to recommend an OPACL or to automatically deploy an OPACL in the event of a detected network threat. Cisco ICS enables the automatic deployment option to be configured by type of alert. These alerts can be divided into two classes: red and yellow. Red alerts are more mission-critical, whereas yellow alerts are less impactful.

Figure 4-13 displays how the task automation default status per red and yellow alert class is shown to the user.

Figure 4-13. Automated Outbreak Management Alert Level


Outbreak Settings

Specific parameters for outbreak settings include the following:

  • Automatically stop OPACL when OPSig has been deployed

  • Automatically overwrite OPACL settings for new OPACL

  • Enable automated outbreak management task for red and yellow alerts

  • End OPACL after a specific number of days

  • Default target devices for OPACL deployment

Figure 4-14 provides an example of the configurable outbreak settings for automated task deployment.

Figure 4-14. Automatic Outbreak Management Tasks Outbreak Settings
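The OPACL lifecycle from steps 1 through 8 and the outbreak settings listed above, modelled as an added Python example (this is not Cisco ICS code; the exception list contents, the task name, the ISO-8601 start time and the IOS extended-ACL rendering are assumptions for illustration):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed exception list: traffic ICS must never block with an OPACL,
# such as HTTP on TCP port 80 (the example the text gives).
EXCEPTION_LIST = {("tcp", 80), ("tcp", 443), ("udp", 53)}


@dataclass
class OutbreakTask:
    """One outbreak management task: OPACL first, OPSig later, watch list from IPS events."""
    name: str
    opacl_ports: list                 # (protocol, port) pairs from the task file
    initiated: datetime
    end_after_days: int = 7           # "End OPACL after a specific number of days"
    auto_stop_on_opsig: bool = True   # "Automatically stop OPACL when OPSig has been deployed"
    opsig_deployed: bool = False
    watch_list: set = field(default_factory=set)

    def opacl_end(self) -> datetime:
        return self.initiated + timedelta(days=self.end_after_days)

    def effective_opacl(self) -> list:
        """Apply the exception list so common services stay reachable."""
        return [p for p in self.opacl_ports if p not in EXCEPTION_LIST]

    def render_ios_acl(self, acl_num: int = 199) -> list:
        """Render the effective OPACL as IOS extended ACL lines (assumed layout)."""
        lines = [f"access-list {acl_num} deny {proto} any any eq {port}"
                 for proto, port in self.effective_opacl()]
        lines.append(f"access-list {acl_num} permit ip any any")
        return lines

    def opacl_active(self, now: datetime) -> bool:
        """The OPACL expires on OPSig deployment (if configured) or at its end date."""
        if self.auto_stop_on_opsig and self.opsig_deployed:
            return False
        return now < self.opacl_end()

    def process_ips_event(self, event: dict) -> bool:
        """An IPS event matching this task's OPSig adds the source host to the watch list."""
        if self.opsig_deployed and event.get("sig") == self.name:
            self.watch_list.add(event["src"])
            return True
        return False


def new_task(name: str, ports: list, initiated_iso: str, **settings) -> OutbreakTask:
    """Build a task from the ISO-8601 initiated time shown in the task list."""
    return OutbreakTask(name, ports, datetime.fromisoformat(initiated_iso), **settings)
```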




Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539