Summary

The Cisco Security Agent is often the last line of defense in a self-defending network. The Cisco Security Agent sits on the user's desktop and monitors OS kernel activity for suspicious behavior. The Cisco Security Agent can be self-defending, as the Cisco Security Agent can ask user permission or block suspicious activity on the desktop and defend against a network attack. The Cisco Security Agent can prevent "day-zero" attacks because it looks for symptoms of an attack rather than a unique signature of the attack. Cisco Security Agents are a good complement to other signature-based defenses, such as IPS, in a layered self-defending network. The Cisco Security Agent is considered to be a Host IPS (HIPS) product that complements Network IPS and other self-defending components within the network fabric.

The Management Center for Cisco Security Agents is the centralized management product to manage the agents. A Management Center can manage up to 100,000 agents. A host that contains a Cisco Security Agent is placed into a device group in the Management Center. A host can belong to more than one device group. Security policies are attached to device groups and contain a definition of the security policy that is monitored or enforced on the end station. Multiple security policies can be attached to a single device group, and a single security policy can be attached to multiple device groups. Security policies or policy groups are composed of rule modules. A rule module can be applied to multiple security policies. A rule module is fundamentally a named collection or container of individual rules.