Step 1: Understand the Product


Before you implement the product, you should learn as much as possible about it. It's tempting to dive right in without taking the time for research, but during your deployment, you have to make important decisions about how to use the product. If you are well-informed, you are more likely to make good decisions. Product documentation, reviews in trade magazines, and reports from research organizations are good places to start. If those are not enough, you should consider instructor-led training.

Therefore, the first phase of ACME's CSA deployment is to learn about the product. ACME is already familiar with the fundamental components and capabilities of an Intrusion Prevention System (IPS). The goal for its research was to identify which of those components and capabilities CSA has.

Components

ACME wants to be sure it identifies all of CSA's functions, so it divides the product into parts and chooses to examine each part individually. As with most HIPS, CSA has endpoint agent and management components.

Cisco Security Agents

ACME starts with the endpoint agents. Chapter 6, "HIPS Components," illustrates the access control process that HIPS agents apply to the hosts on which they are installed. ACME is familiar with the phases in the process, so it chooses to list the phases and determine how CSA operates at each stage. ACME determines that CSA does the following:

  1. Identifies these types of resources that are accessed: network, memory, application execution, files, system configuration, operating system kernel, operating system events, the Windows clipboard, COM components, devices, and symbolic links.

  2. Gathers data about the operation: CSA uses system call interception and network traffic analysis.

  3. Determines these system states: location, user, and system.

  4. Consults these types of security policy: atomic rule-based and behavioral.

  5. Can take action by: permit, deny, log event, drop packet, query the user, and terminate the process.

For example, a web page can contain malicious code that causes the browser to infect the computer with a virus when the browser accesses the page. If a user opens such a web page, CSA intercepts the system calls that are initiated by the browser. In this case, the malicious code forces the browser (c:\windows\explorer.exe) to write to a file called c:\windows\system32\virus.dll. CSA then determines the state of the computer and compares the activity and state with the defined policy. The policy contains an atomic rule that denies all applications from writing executable files and .dlls to the Windows system folders, so CSA denies the operation.
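The five phases above, walked through in code as an added illustration (not Cisco's code or the book's): the policy, rule names, folder and extension lists, and sample operations are all constructed here, and "log event" is modelled as a non-terminal action so an audit rule can record a write before the deny rule decides it.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed model of the five phases: classify the resource, gather the
# operation, determine state, consult atomic rules in order, take an action.
SYSTEM_FOLDERS = ("c:\\windows\\",)                  # also covers system32 and other subfolders
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx")

@dataclass
class Operation:
    process: str                    # image path of the process that made the system call
    resource_type: str              # file, network, memory, system_configuration, ...
    action: str                     # write, read, execute, connect, ...
    target: str                     # file path, remote address, registry key, ...
    state: dict = field(default_factory=dict)   # location, user, system

@dataclass
class AtomicRule:
    name: str
    resource_type: str
    action: str
    decision: str                   # permit, deny, drop_packet, query_user, terminate_process, log_event
    condition: Callable[[Operation], bool]

def writes_executable_into_system_folder(op: Operation) -> bool:
    t = op.target.lower()
    return t.startswith(SYSTEM_FOLDERS) and t.endswith(EXECUTABLE_EXTENSIONS)

def evaluate(op: Operation, rules: list, events: list) -> tuple:
    """First matching terminal rule wins; log_event rules record and keep going."""
    for rule in rules:
        if rule.resource_type != op.resource_type or rule.action != op.action:
            continue
        if not rule.condition(op):
            continue
        if rule.decision == "log_event":
            events.append(f"{rule.name}: {op.process} {op.action} {op.target}")
            continue
        return rule.decision, rule.name
    return "permit", "default"      # nothing matched: default permit

# Constructed sample policy; the second rule is the one from the example above.
POLICY = [
    AtomicRule("audit_system_folder_writes", "file", "write", "log_event",
               lambda op: op.target.lower().startswith(SYSTEM_FOLDERS)),
    AtomicRule("no_exe_dll_in_system_folders", "file", "write", "deny",
               writes_executable_into_system_folder),
    AtomicRule("untrusted_location_outbound", "network", "connect", "query_user",
               lambda op: op.state.get("location") != "corporate"),   # state-dependent rule
]
```

Running evaluate() on the browser write from the example yields ("deny", "no_exe_dll_in_system_folders") with one audit event recorded, while the same process writing a .txt into a user folder is permitted without any event.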

CSA Management

After ACME feels that it has a sufficient grasp of the endpoint agent components, it moves on to the management. The CSA documentation shows that CSA is a centrally managed product. The management model shown in Figure 9-1 can be single-server or tiered, and the policies are distributed using a pull or push/pull communications mechanism. The management infrastructure is accessed using a web browser interface.

If any of the terms in this section are not familiar to you, please refer to Chapter 6.

Figure 9-1. CSA Management Architecture


Capabilities

ACME used the CSA documentation it had, what it gathered from its sales team, and what it learned about CSA's components to make a list of CSA's capabilities. It checked to ensure that CSA has all of the capabilities required of a HIPS product:

  • Block malicious code actions

  • Not disrupt normal operations

  • Distinguish between attacks and normal events

  • Stop new and unknown attacks

  • Protect flaws in permitted applications

Next, ACME made a high-level list of CSA's capabilities:

  • Stop new and unknown attacks

  • Patch relief

  • Internal attack propagation prevention

  • Policy enforcement

  • Regulatory requirements

For more information about IPS capabilities, please refer to Chapter 5, "Host Intrusion Prevention Overview."




Intrusion Prevention Fundamentals
ISBN: 1587052393