Cisco Security Agent By Chad Sullivan Publisher: Cisco Press Pub Date: June 01, 2005 ISBN: 1-58705-205-9 Pages: 456 Table of Contents | Index Prevent security breaches by protecting endpoint systems with Cisco Security Agent (CSA), the Cisco host Intrusion Prevention System Learn the basics of endpoint security and why it is so important in today's security landscape Protect endpoint systems from hackers, viruses, and worms with host intrusion prevention security Prevent "Day-Zero" attacks with the first book on CSA deploymentEndpoint systems, being the point of execution for the malicious code, is where the most effective counter-intrusion mechanisms should be placed Cisco Security Agent (CSA) is an important part of the network security puzzle that can help organizations secure their end systems Its many capabilities include preventing "Day Zero" worm attacks, end system virus attacks, and Trojan horses; acting as a distributed firewall; performing an operating system lockdown; and performing application control With the vast array of features, capabilities, and complexities associated with CSA, users need expert guidance to help them implement and maintain this important new security device and use it to maximum effect This book presents a detailed explanation of CSA, illustrating the use of the product in a step-by-step fashion.Cisco Security Agent presents a complete view of host intrusion prevention with CSA, including basic concepts, installations, tuning, and monitoring and maintenance Part I discusses the need for end point security Part II helps readers understand CSA building blocks Part III delves into the primary concern of new customers, that being installation Part IV covers monitoring and reporting issues Part V covers CSA analysis features Part VI discusses creating policies and CSA project implementation plans Maintenance is covered in Part VII Cisco Security Agent By Chad Sullivan Publisher: Cisco Press Pub Date: June 01, 2005 ISBN: 1-58705-205-9 Pages: 456 Table of Contents | Index Copyright About the Author About the Technical Reviewers Acknowledgments This Book Is Safari Enabled Foreword Command Syntax Conventions Introduction Who Should Read This Book? How This Book Is Organized Part I The Need for Endpoint Security Chapter 1 Introducing Endpoint Security The Early Days: Viruses and Worms The Present: Blended Threats The Insider Understanding Point Security Weaknesses Using Attack-Detection Methods Establishing a Security Policy Summary Chapter 2 Introducing the Cisco Security Agent Intrusion Prevention and Intrusion Detection Technologies The Life Cycle of an Attack CSA Capabilities CSA Components Overview CSA Communication CSA's Role Within SAFE Summary Part II Understanding the CSA Building Blocks Chapter 3 Understanding CSA Groups and Hosts The Relationship Between Groups and Hosts Understanding CSA Groups Understanding CSA Hosts Summary Chapter 4 Understanding CSA Policies, Modules, and Rules The Relationship Between Policies, Modules, and Rules Establishing Acceptable Use Documents and Security Policies CSA Rules CSA Rule Modules CSA Policies Summary Chapter 5 Understanding Application Classes and Variables Using Application Classes Introducing Variables Summary Part III CSA Agent Installation and Local Agent Use Chapter 6 Understanding CSA Components and Installation General CSA Agent Components Overview CSA Installation Requirements Agent Kits Summary Chapter 7 Using the CSA User Interface Windows Agent Interface Linux Agent Interface Solaris Agent Interface Summary Part IV Monitoring and Reporting Chapter 8 Monitoring CSA Events Status Summary Event Log Event Monitor Event Log Management Event Sets Alerts Summary Chapter 9 Using CSA MC Reports Audit Trail Reporting Event Reporting Group Detail Reporting Host Detail Reporting Policy Detail Reporting Report Viewing Creating a Sample Report Summary Part V Analyzing CSA Chapter 10 Application Deployment Investigation Using Application Deployment Investigation Using Application Deployment Reports Summary Chapter 11 Application Behavior Analysis Understanding Application Behavior Investigation Components Configuring Application Behavior Investigation Using Application Behavior Investigation on the Remote Agent Analyzing Log Data Viewing Behavior Reports Exporting the Behavior Analysis Report Data Analyzing UNIX Application Behavior Creating Behavior Analysis Rule Modules Summary Part VI Creating Policy, Implementing CSA, and Maintaining the CSA MC Chapter 12 Creating and Tuning Policy Creating Policy Tuning Policy Summary Chapter 13 Developing a CSA Project Implementation Plan Planning for Success The Project Plan Outlining the Project Phases Summary Chapter 14 CSA MC Administration and Maintenance CSA Licensing CSA MC Registration Control CSA MC Component Sharing CSA MC Role-Based Access Control Other CSA MC Administrative Features CSA MC Backup and Restore Procedures Summary Part VII Appendixes Appendix A VMS and CSA MC 4.5 Installation VMS v2.3 Components Installation Summary Appendix B Security Monitor Integration Adding the CSA MC to the Security Monitor Configuring the Security Monitor Verifying Connectivity Viewing Events in the Security Monitor Summary Appendix C CSA MIB CSA MC MIB Definitions Index Copyright Copyright © 2005 Cisco Systems, Inc Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 First Printing June 2005 Library of Congress Cataloging-in-Publication Number: 2004106254 Warning and Disclaimer This book is designed to provide information about Cisco Security Agent Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied The information is provided on an "as is" basis The author, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc Trademark Acknowledgments All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark Corporate and Government Sales Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales For more information please contact: U.S Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com For sales outside the U.S please contact: International Sales international@pearsoned.com Feedback Information At Cisco Press, our goal is to create in-depth technical books of the highest quality and value Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community Readers feedback is a natural continuation of this process If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com Please make sure to include the book title and ISBN in your message We greatly appreciate your assistance Credits Publisher John Wait Editor-in-Chief John Kane Executive Editor Brett Bartow Cisco Representative Anthony Wolfenden Cisco Press Program Manager Nannette M Noble Production Manager Patrick Kanouse Acquisitions Editor Michelle Grandin Development Editor Dayna Isley Copy Editor and Indexer Keith Cline Technical Editors Jeff Asher and David Marsh Team Coordinator Tammi Barnett Cover Designer Louisa Adair Composition Interactive Composition Corporation Corporate Headquarters Cisco Systems, Inc 170 West Tasman Drive San Jose, CA 95134-1706 USA www.Cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 European Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100 Americas Headquarters Cisco Systems, Inc 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883 Asia Pacific Headquarters Cisco Systems, Inc Capital Tower 168 Robinson Road #22-01 to #29-01 Singapore 068912 www.cisco.com Tel: +65 6317 7777 Fax: +65 6317 7799 Cisco Systems has more than 200 offices in the following countries and regions Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico Romania Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe Copyright â 2003 Cisco Systems, Inc All rights reserved CCffi, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCffi, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, Strata View Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc and/or its affiliates in the U.S and certain other countries All other trademarks mentioned in this document or Web site are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company (0303R) Printed in the USA Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] ODBC DSN OLE_LINK1 Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] Partners (Cisco) payloads damaging payloads permissions persistence 2nd blended threats 2nd pilot phase 2nd 3rd planning planning phase 2nd success criteria policies agent policy manager availability confidentiality fine-tuning DMP/RTR files integrity Policy Detail reports 2nd predefined policies test beds testing tuning tuning updating Policy Detail reports 2nd policy documents policy rules polling intervals (hosts) 2nd pop-up messages port scans ports ephemeral ports precedence (rules) predefined event sets predefined groups project implementation [See implementation] Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] quiet install Windows quiet installs Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] RBAC (role-based access control) reactive detection Red Hat refresh rates 2nd registry pop-up messages Remote Procedure Call [See RPC] reports ActiveX Frame 2nd Reports ActiveX Frame reports Audit Trail reports audit trails 2nd filtering 2nd 3rd configuring creating 2nd event sets events 2nd by group reports 2nd by severity 2nd 3rd 4th Group Detail reports 2nd Host Detail reports 2nd HTML Frame 2nd 3rd Policy Detail reports 2nd Reports menu sorting options viewing Reports menu Event by Severity option Group Details reports Host Detail reports Policy Detail reports request traces files [See RTR files] role-based access control [See RBAC] RPC RTR (request trace) files RTR files rule modules test beds rule sets rule/event correlation engine rules access control data sets 2nd network address sets 2nd network services sets 2nd conflicts detect rules Event Monitor Event Wizard exception rules 2nd locks precedence rule modules cloning test beds rule sets rule/event correlation engine user interfaces Run key RunOnce key Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] scope creep Secure Shell [See worms;SSH] Secure Sockets Layer [See SSL] security communication security 2nd IDSs point security 2nd security policies 2nd 3rd compliance vs enforcement 2nd security levels security policies compliance vs enforcement servers using groups workstations (versus sets Short Polling groups signature-based attack detection signatures Slammer worm 2nd sneakernet 2nd software updating Software Update groups Solaris agent components agent interface csactl utility 2nd stopping arguments 2nd mandatory groups spyware 2nd SQL server SSL () state sets user static application classes creating 2nd status summary 2nd event counts per day 2nd 3rd network 2nd refresh 2nd success criteria 2nd planning phase summaries event counts per day 2nd 3rd refresh 2nd status 2nd network 2nd system tray options 2nd Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] tasks auto-pruning 2nd event insertion 2nd test beds Test Mode 2nd events logging verbose logging Test Mode groups testing phase 2nd adding advanced policies 2nd creating alerts 2nd creating base test policy 2nd creating/configuring administrative/maintenance settings 2nd creating/configuring test hierarchy 2nd 3rd deploying test policy 2nd determining test bed size and components 2nd exporting/reporting/documenting gathering information 2nd installing management architecture installing test management architecture placing policy in Enforcement Mode 2nd training staff/users 2nd tuning test policy 2nd verifying success timeframes rules training 2nd training phase Transmission Control Protocol TCP tray icon 2nd troubleshooting event logs 2nd isolated breaches using Short Polling groups Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] UDP blended threats UDP () ephemeral ports UNIX shell scripts controlling 2nd updates 2nd hosts policies software Software Update groups User Datagram Protocol [See UDP] user interaction user state sets users implementation plan Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] verbose logging 2nd viruses e-mail encryption floppy disks 2nd global implications payload testing system protection 2nd WANS zip files VMS server 2nd Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] warning events websites Cisco.com 2nd wide-area networks [See viruses;WANs] wildcards directories files Windows Agent Control Panel Contact Information Messages Status 2nd System Security 2nd Untrusted Applications User Query Responses 2nd agent interface Agent Control Panel 2nd 3rd 4th 5th audible notifications 2nd directories 2nd firewalls 2nd GUI 2nd 3rd 4th 5th Programs menu 2nd 3rd stopping 2nd system tray options 2nd tools 2nd tray icon 2nd user interaction 2nd agent kits installing 2nd 3rd auto-start mechanisms directories default installation mandatory groups workstations defense in depth servers (versus) worms e-mail encryption global implications 2nd history 2nd 3rd 4th 5th Morris worm payloads persistence single environment SSH ... Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCffi, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver,.. .Cisco Security Agent By Chad Sullivan Publisher: Cisco Press Pub Date: June 01, 2005 ISBN: 1-58705-205-9 Pages: 456 Table of Contents | Index... Part I: The Need for Endpoint Security Chapter 1 Introducing Endpoint Security Chapter 2 Introducing the Cisco Security Agent Chapter 1 Introducing Endpoint Security This chapter covers the following topics: