Before you implement the product, you should learn as much as possible about it. It's tempting to dive right in without taking the time for research, but during your deployment, you have to make important decisions about how to use the product. If you are well-informed, you are more likely to make good decisions. Product documentation, reviews in trade magazines, and reports from research organizations are good places to start. If those are not enough, you should consider instructor-led training. Therefore, the first phase of ACME's CSA deployment is to learn about the product. ACME is already familiar with the fundamental components and capabilities of an Intrusion Prevention System (IPS). The goal of its research was to identify which of those components and capabilities CSA has.

Components

ACME wants to be sure it identifies all of CSA's functions, so it divides the product into parts and chooses to examine each part individually. As with most HIPS, CSA has endpoint agent and management components.

Cisco Security Agents

ACME starts with the endpoint agents. Chapter 6, "HIPS Components," illustrates the access control process that HIPS agents apply to the hosts on which they are installed. ACME is familiar with the phases in the process, so it chooses to list the phases and determine how CSA operates at each stage. ACME determines that CSA does the following:
For example, a web page can contain malicious code that causes the browser to infect the computer with a virus when the browser accesses the page. If a user opens such a web page, CSA intercepts the system calls that are initiated by the browser. In this case, the malicious code forces the browser (c:\windows\explorer.exe) to write to a file called c:\windows\system32\virus.dll. CSA then determines the state of the computer and compares the activity and state with the defined policy. The policy contains an atomic rule that denies all applications from writing executable files and .dlls to the Windows system folders, so CSA denies the operation.

CSA Management

After ACME feels that it has a sufficient grasp of the endpoint agent components, it moves on to the management. The CSA documentation shows that CSA is a centrally managed product. The management model shown in Figure 9-1 can be single-server or tiered, and the policies are distributed using a pull or push/pull communications mechanism. The management infrastructure is accessed using a web browser interface. If any of the terms in this section are not familiar to you, please refer to Chapter 6.

Figure 9-1. CSA Management Architecture

Capabilities

ACME used the CSA documentation it had, what it gathered from its sales team, and what it learned about CSA's components to make a list of CSA's capabilities. It checked to ensure that CSA has all of the capabilities required of a HIPS product:
Next, ACME made a high-level list of the CSA's capabilities:
For more information about IPS capabilities, please refer to Chapter 5, "Host Intrusion Prevention Overview."
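The access-control decision described in the Cisco Security Agents section (intercept the call, compare it with the policy, apply the atomic rule) can be modelled in a few dozen lines. The code below is an added illustration and is not CSA's policy language or the book's own material; the rule name, folder list and extension list are constructed for the example, and the default-allow behaviour is a simplifying assumption.

```python
"""Toy model of a HIPS atomic-rule check; not CSA's own policy format."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
import ntpath

# Constructed values: the folders and extensions the sample rule protects.
SYSTEM_FOLDERS = (r"c:\windows",)
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx")

@dataclass(frozen=True)
class SystemCall:
    """An intercepted call: which process asked to do what to which resource."""
    process: str
    operation: str  # "read", "write" or "execute"
    resource: str

@dataclass(frozen=True)
class AtomicRule:
    name: str
    action: str  # "deny" or "allow"
    operation: str
    matches_resource: Callable[[str], bool]

def canonical(path: str) -> str:
    # Lower-case and collapse ".." so a path like c:\users\..\windows is
    # still recognised as a system-folder path (Windows paths are case-insensitive).
    return ntpath.normpath(path).lower()

def is_executable_in_system_folder(path: str) -> bool:
    p = canonical(path)
    in_system = any(p.startswith(canonical(f) + "\\") for f in SYSTEM_FOLDERS)
    return in_system and p.endswith(EXECUTABLE_EXTENSIONS)

# The rule from the text: no application may write .exe/.dll files into the
# Windows system folders. It applies to every process, so no app filter is needed.
POLICY = (AtomicRule("deny-exe-dll-to-system-folders", "deny", "write",
                     is_executable_in_system_folder),)

def evaluate(call: SystemCall, policy=POLICY) -> Tuple[str, Optional[str]]:
    """Return (action, rule_name). Deny rules are checked before allow rules;
    with no matching rule the call is allowed (a simplifying assumption here)."""
    for rule in sorted(policy, key=lambda r: r.action != "deny"):
        if rule.operation == call.operation and rule.matches_resource(call.resource):
            return rule.action, rule.name
    return "allow", None

# The book's scenario: the browser is forced to drop a DLL into system32.
VERDICT = evaluate(SystemCall(r"c:\windows\explorer.exe", "write",
                              r"c:\windows\system32\virus.dll"))
```

Reading the same file, or writing a non-executable such as a document to a user folder, falls outside the rule and is allowed, which is the distinction the atomic rule is meant to draw.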