Management Center for Cisco Security Agents


Cisco Security Agents are configured and deployed from the Management Center to the end-station desktop. The Cisco Security Agent Management Center can manage up to 100,000 Cisco Security Agents. The Management Center for Cisco Security Agents is a standalone management product and, like Cisco Incident Control Server (Cisco ICS), is not included in the Cisco Security Manager.

A web browser is used as the GUI to the Management Center. Configuration between the Management Center and the Cisco Security Agent is secured with HTTPS/SSL. The homepage for the Management Center for Cisco Security Agents is displayed in Figure 8-1.

Figure 8-1. Management Center for Cisco Security Agent Homepage


The Management Center allows the configuration of security policy rules for device groups. The Management Center provides default device groups, such as Linux servers. Hosts or end stations that contain a Cisco Security Agent are included in at least one device group. Security policies are composed of individual rules and are applied to hosts in a device group. Managing the security policies on the Cisco Security Agents can involve the following processes, which are discussed in the following sections:

  • Deploying the Cisco Security Agent kit to the end station

  • Displaying the end-station hostname in the device group

  • Reviewing the security policy for a device group

  • Attaching rules to the security policy

  • Generating rules and deploying to device groups

  • Using event monitor and viewing the event log

  • Running application analysis

Deploying Cisco Security Agent Kits

The Management Center can create a Cisco Security Agent Kit for a device or device group. These agent kits are deployed onto end stations and install the Cisco Security Agent directly on the desktop. Each agent kit has a deployment URL, and a user at the end station can type this URL into a web browser to install the Cisco Security Agent on the end-station desktop. You can create an agent kit by selecting Systems > Agent Kits from the Management Center homepage, as shown in Figure 8-2. Agent kits can also be installed on an end station from the agent kit zip file on a USB key or CD-ROM, or bundled and distributed by patch management and application distribution products such as SMS or Altiris.

Figure 8-2. Cisco Security Agent Kits


Displaying the End-Station Hostname in the Device Groups

The hostname of the end station must be associated with a device group. A hostname is automatically associated with a device group as indicated in the Cisco Security Agent kit. A hostname can also be added to additional device groups. The ability to associate a hostname, such as a Windows workstation name, with a device group enables common security policies to be deployed to different end stations, including Solaris Web Server, SAP Servers, teleworkers, and so on. For example, a Linux web server in New York City for business-to-business (B2B) can be part of the Linux device group, Web Server device group, New York City data center device group, and the B2B server device group.

Because a host can belong to a device group and a security policy is applied to the device group, a common configuration can be deployed to multiple end stations under a common security policy. A device group can have multiple security policies applied to it, and the same security policy can be applied to multiple device groups. Figure 8-3 displays an example of several device groups, including the auto-enrollment group for Linux and the default group for systems that install the Desktop agent kit.

Figure 8-3. Device Groups


Reviewing Policies

Policies contain the set of security rules that will be attached to a device group. Several default policies are provided to help get users started. These default policies contain a baseline that protects end stations against many day-zero attacks. You can copy and modify the default policies or create your own. Examples of these default policies include the Common Security Module and the Cisco VPN Client Module. The Management Center for Cisco Security Agents also includes support for the following default policy groups:

  • Generic Server

  • Generic Desktop

  • Microsoft IIS v4.0 and v5.0

  • Apache v1.3

  • Microsoft SQL Server

  • Microsoft Exchange

  • Sendmail

  • Domain Name Server (DNS) servers

  • DHCP servers

  • Network Time Protocol (NTP) servers

  • Domain Controllers

  • Distributed Firewall

  • Browser protection

  • Instant Messenger control

  • Microsoft Office protection

  • Data theft prevention

Figure 8-4 displays the Management Center with a sample of default policies.

Figure 8-4. Policies


Attaching Rules to a Policy

A policy is composed of individual rules. A collection of rules is called a rule module. Rule modules are generally specific to a particular OS. Rules define each component of the specific security posture in the rule module, which can be attached to a security policy. Rules can also refer to an application class to indicate which applications or processes are policed by the rule. Rules can also be composed with variables, so common information shared between rules can be defined once and referenced multiple times. Examples of variables in rules include event sets, query settings, file sets, network address sets, network services, registry sets, COM component sets, and data sets. Figure 8-5 displays some of the rules that compose the Common Web Server Security Module default policy.

Figure 8-5. Rules of the Common Web Server Security Module Policy


Generating and Deploying Rules

Updating the security policy on an end station requires that the new rules be generated and distributed to the end station. The Management Center for Cisco Security Agents GUI displays the option to Generate Rules at the bottom of the screen and informs the user of the number of new rules that have been configured, but have not yet been generated into a deployable security policy. The Generate Rules process also informs the user of any policies that have been configured but are not associated or attached to any device group.

The Cisco Security Agent on the end station will automatically receive the new security policy from the Generate Rules process during the next automated or manual update cycle. An example of how to initiate the Generate Rules process is provided in Figure 8-6. The end station can elect to poll the Management Center to manually receive the new security policy by selecting the update option directly from the Cisco Security Agent icon on the end-station desktop.

Figure 8-6. Generate Rules


The Management Center for Cisco Security Agents also features the ability to force connected workstations to poll in and get the latest policy using the "send polling hint" capability. If the user configures the send polling hint on the Management Center for Cisco Security Agents, a User Datagram Protocol (UDP) message can be sent from the Management Center to the host when there is a change in the policy for the host. This UDP message instructs the Cisco Security Agent on the host to download the new security policy prior to the next scheduled polling period.

Using Event Monitor

The Management Center provides an event monitor and event log to view and record significant events that occur at the end-station Cisco Security Agents. It is often advantageous to filter some of these events out of the view to reduce false positives and to provide a quick way to locate a specific event of interest. Figure 8-7 displays the event monitor in the Management Center, and Figure 8-8 displays the window used to configure an event filter that restricts which events are shown in the Event Monitor and Event Log.

Figure 8-7. Event Monitor


Figure 8-8. Event Filter


Running Cisco Security Agent Analysis

Cisco Security Agent contains support for an optional application profiler known as Cisco Security Agent Analysis. This application profiler is enabled with a separate license for the Cisco Security Agent Management Center. This feature enables the Management Center and the Cisco Security Agent to determine what applications are deployed on a PC, laptop, or server with the Cisco Security Agent installed on that end station. This feature also enables the Management Center to determine the use pattern of these detected applications on the end stations.

Application analysis is enabled on a per-device group basis and will analyze all hosts in that device group. Application analysis is initiated by selecting the Application Deployment Investigation option under Analysis in the Management Center. Application Deployment Investigation includes a list of reports to display information gained from the application profiling process. The information in the reports that are generated by the Profiler contains statistics about how often an application is used. The reports generated from the analysis also contain network data statistics, including network source, destination, and service traffic patterns. Information in the reports about how applications are used on an end system can provide valuable input into the construction of effective rules and security policies for device groups. Reports that are generated by the application analysis include the following:

  • Anti-Virus Installations Report (Norton and McAfee)

  • Installed Products Report

  • Unprotected Hosts Report (No associated Policy Groups)

  • Unprotected Products Report (No Policy to protect that Product)

  • Product Usage Report

  • Network Data Flows Report, which includes the following information:

    - Number of unique source/destination combinations

    - Number of client hosts

    - Number of server hosts

    - Filter report by source, destination, protocol

  • Network Server Application Report, which includes the following information:

    - Associates the application with open service ports

    - Identifies which service ports are not used or are lightly used
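As an added illustration (not the product's own code or report output), the following Python computes the figures listed above for the Network Data Flows Report and the Network Server Application Report from a constructed set of flow records; the host names, ports, applications and the "lightly used" threshold are assumptions.

```python
from collections import Counter

# Constructed sample flow records (hypothetical, not collected by the agent).
# Each record: (source host, destination host, destination port, protocol, server application)
FLOWS = [
    ("ws-nyc-01", "web-nyc-01", 443, "tcp", "apache"),
    ("ws-nyc-02", "web-nyc-01", 443, "tcp", "apache"),
    ("ws-nyc-01", "web-nyc-01", 443, "tcp", "apache"),
    ("ws-nyc-03", "sql-nyc-01", 1433, "tcp", "sqlservr"),
    ("web-nyc-01", "sql-nyc-01", 1433, "tcp", "sqlservr"),
    ("ws-nyc-02", "dns-nyc-01", 53, "udp", "named"),
    ("ws-nyc-01", "web-nyc-01", 8080, "tcp", "apache"),
]


def filter_flows(flows, source=None, destination=None, protocol=None):
    """Mirror the report's filter by source, destination and protocol;
    a criterion left as None does not restrict the result."""
    return [f for f in flows
            if (source is None or f[0] == source)
            and (destination is None or f[1] == destination)
            and (protocol is None or f[3] == protocol)]


def data_flow_summary(flows):
    """The three counts the Network Data Flows Report lists."""
    pairs = {(f[0], f[1]) for f in flows}      # unique source/destination combinations
    clients = {f[0] for f in flows}            # hosts that initiated flows
    servers = {f[1] for f in flows}            # hosts that accepted flows
    return {"unique_pairs": len(pairs),
            "client_hosts": len(clients),
            "server_hosts": len(servers)}


def server_application_report(flows, light_threshold=2):
    """Associate each open service port with its application and flag
    ports seen fewer than light_threshold times as lightly used
    (the threshold is an assumed value, not a product setting)."""
    usage = Counter((f[1], f[2], f[3]) for f in flows)
    apps = {(f[1], f[2], f[3]): f[4] for f in flows}
    return [{"host": h, "port": p, "proto": pr, "application": apps[(h, p, pr)],
             "flows": n, "lightly_used": n < light_threshold}
            for (h, p, pr), n in sorted(usage.items())]
```

Ports that the report flags as lightly used are candidates for tighter network service rules in the device group's policy.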

Application Deployment Investigation is an optional feature of the Management Center for Cisco Security Agents. The Management Center also contains a feature called Learn Mode. Learn Mode is used as a mechanism to eliminate query-responses for common application and service use on the desktop with the Cisco Security Agent. The Cisco Security Agent will often query the user when a new application is running and ask the user if this is the expected behavior. Learn Mode enables the Cisco Security Agent to learn the normal application and service use on a desktop without having a query-response pop up to the user for each application or service. The Cisco Security Agent is placed in Learn Mode during the first 72 hours of deployment of the Cisco Security Agent on the desktop.

In addition to Learn Mode, there is also an optional Test Mode for a security policy. A policy in Test Mode logs any activity the policy would have acted on, but does not query the user or deny the activity. Test Mode is designed to show what the effect of a new security policy would be on a host before the policy is actually enforced on the end station.

The Analysis module also contains an Application Behavior Investigation feature in addition to Application Deployment Investigation. To investigate the behavior of an application, the user must select the specific application, the specific host, and the time at which the analysis ends in the Management Center. The Management Center will allow the selection of an application class for analysis on a particular host. However, it is recommended that analysis only occur for one specific application at a time on a particular host. The Application Behavior Investigation feature can create a recommended rule module to increase security, based upon the analyzed application behavior on the end station. This rule module generation feature of Application Behavior Investigation will create a new application class in the created rule module for the analyzed application.



Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539