© 2006 Cisco Systems, Inc. All rights reserved. HIPS v3.0. Configuring CSA: Introducing CSA

Transcript:


Objectives

At the end of this lesson, you will be able to meet these objectives:
- Describe the Cisco SDN strategy
- Describe the role of CSA in the Cisco SDN strategy
- Describe the CSA architecture
- Describe how CSA handles system resource calls to the kernel
- Describe the progression of a network attack and the CSA response
- List the features of CSA
- Identify the various components of CSA MC

What Is the Cisco SDN Strategy?

The Cisco SDN (Self-Defending Network) strategy includes these security components:
- Cisco Virtual Private Network (VPN)
- Network Security Perimeter Appliances
- Cisco Intrusion Prevention System (IPS)
- Cisco Security Agent (CSA)
- Cisco Security Monitoring, Analysis, and Response System (CS-MARS)
- Network Admission Control (NAC)
- Distributed Denial of Service (DDoS) Protection Services
- Cisco IOS Authentication, Authorization, and Accounting (AAA)

CSA in the Multilayered Cisco SDN Strategy

(Diagram of the SDN layers; the surviving labels are VPN and CSA.)

Host Intrusion Protection System

(Diagram: Application Software, CSA, Operating System.) An application calls for system resources. CSA sits between the application software and the operating system, compares each call for system resources with the security policy, and passes only the requests allowed by policy on to the operating system.

The CSA Architecture

(Diagram.) An administrator workstation manages CSA MC, which is backed by an internal or external database. Servers protected by CSA communicate with CSA MC over SSL: the Agents send events to CSA MC, and CSA MC distributes the security policy to the Agents. CSA MC raises alerts, for example to a pager.

CSA Interceptors

(Diagram.) An application request is caught by the interceptor for the kind of resource it touches: the File System Interceptor, the Network Interceptor, the Configuration Interceptor, or the Execution Space Interceptor. The interceptor passes the request to the Rules Engine, which holds the cached Rules and Policies, the current State, and a Correlation Engine. The outcome is either Request Allowed or Request Blocked.

CSA Interceptors (Cont.)

Security Application     | Network Interceptor | File System Interceptor | Configuration Interceptor | Execution Space Interceptor
-------------------------|---------------------|-------------------------|---------------------------|----------------------------
Distributed firewall     | X                   |                         |                           |
Host intrusion detection | X                   |                         |                           | X
Application sandbox      |                     | X                       | X                         | X
Network worm prevention  | X                   |                         |                           | X
File integrity monitor   |                     | X                       | X                         |
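The request path on the last three slides (application call, interceptor, rules engine with state and correlation, request allowed or blocked), as an added Python model. This is illustration written for this page, not Cisco code and not part of the course material. It assumes a simplified rule precedence (rules are tried in list order, the first matching enforce rule wins, and the default action is allow), one dynamic application class fed by correlation state, and constructed rule names, image paths and registry keys; the real CSA rule ordering and application-class catalog are not shown on the page.

```python
"""Toy model of the CSA request path (added example, not Cisco code): an interceptor
classifies each system-resource request, the rules engine matches it against the cached
policy plus correlation state, and the request is allowed or denied. Rule names, class
names, image paths and registry keys below are constructed for the example."""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase


class Interceptor(Enum):
    FILE_SYSTEM = "file system"
    NETWORK = "network"
    CONFIGURATION = "configuration"      # registry keys, configuration files
    EXECUTION_SPACE = "execution space"  # process start, code injection, overflow

@dataclass(frozen=True)
class Request:
    pid: int
    image: str               # path of the calling executable
    interceptor: Interceptor
    resource: str            # file path, registry key, or "tcp/<port>"
    operation: str           # read | write | accept | connect | exec | inject

@dataclass(frozen=True)
class Rule:
    name: str
    interceptor: Interceptor
    app_class: str           # application class the rule applies to
    resource: str            # lower-case glob over the resource
    operations: frozenset
    action: str              # "allow" | "deny" | "detect" (log only, keep allowing)

# Static application classes: membership by image path (constructed patterns).
STATIC_CLASSES = {"<All Applications>": ("*",),
                  "Installers": ("c:\\windows\\system32\\msiexec.exe",)}
# Dynamic class: a process joins when the network interceptor sees it accept a
# connection. This correlation state is what the worm-prevention rules key on.
NET_RECEIVERS = "Processes that received network data"
RUN_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run*"

POLICY = [  # list order is rule priority; the first matching enforce rule wins
    Rule("Worm prevention: network receivers may not write executables",
         Interceptor.FILE_SYSTEM, NET_RECEIVERS, "c:\\windows\\*.exe",
         frozenset({"write"}), "deny"),
    Rule("Buffer overflow: network receivers may not inject or exec code",
         Interceptor.EXECUTION_SPACE, NET_RECEIVERS, "*",
         frozenset({"inject", "exec"}), "deny"),
    Rule("Installers may edit autostart keys", Interceptor.CONFIGURATION,
         "Installers", RUN_KEY, frozenset({"write"}), "allow"),
    Rule("Protect autostart keys", Interceptor.CONFIGURATION,
         "<All Applications>", RUN_KEY, frozenset({"write"}), "deny"),
    Rule("Log outbound SMTP", Interceptor.NETWORK, "<All Applications>",
         "tcp/25", frozenset({"connect"}), "detect"),
]

class RulesEngine:
    def __init__(self, rules):
        self.rules = rules
        self.received_net = set()  # pids currently in NET_RECEIVERS
        self.events = []           # (kind, rule, request) the Agent would send to CSA MC

    def in_class(self, req, app_class):
        if app_class == NET_RECEIVERS:
            return req.pid in self.received_net
        return any(fnmatchcase(req.image.lower(), p) for p in STATIC_CLASSES[app_class])

    def evaluate(self, req):
        # Returns (decision, matched rule name or None); default action is allow.
        decision, hit = "allow", None
        for rule in self.rules:
            if (rule.interceptor is not req.interceptor or req.operation not in rule.operations
                    or not self.in_class(req, rule.app_class)
                    or not fnmatchcase(req.resource.lower(), rule.resource)):
                continue
            hit = rule.name
            if rule.action == "detect":  # detect rules only log, then fall through
                self.events.append(("detect", rule.name, req))
                continue
            decision = rule.action
            break
        if decision == "deny":
            self.events.append(("deny", hit, req))
        elif req.interceptor is Interceptor.NETWORK and req.operation == "accept":
            self.received_net.add(req.pid)  # correlation: remember who took network input
        return decision, hit

def run_scenario():
    """Constructed request sequence that follows the attack phases on the slides."""
    engine = RulesEngine(POLICY)
    w3wp = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    ie = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
    run = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
    requests = [
        Request(4242, w3wp, Interceptor.NETWORK, "tcp/80", "accept"),         # server takes input
        Request(4242, w3wp, Interceptor.EXECUTION_SPACE, "stack", "inject"),  # penetrate: overflow
        Request(4242, w3wp, Interceptor.FILE_SYSTEM, "C:\\Windows\\System32\\svch0st.exe", "write"),
        Request(4242, w3wp, Interceptor.CONFIGURATION, run + "svc", "write"), # persist: autostart
        Request(900, "C:\\Windows\\System32\\msiexec.exe", Interceptor.CONFIGURATION, run + "app", "write"),
        Request(1200, ie, Interceptor.NETWORK, "tcp/25", "connect"),          # detect rule only
    ]
    return [engine.evaluate(r)[0] for r in requests], engine.events
```

run_scenario() returns the decisions allow, deny, deny, deny, allow, allow. The web server process is allowed to accept its connection, and from then on the same process is denied the overflow, the dropped executable and the autostart key, because the network interceptor's observation moved it into a stricter application class; the installer's identical registry write is allowed by the earlier, more specific rule; the browser's SMTP connection only produces a detect event, which is the enforce-versus-detect distinction the feature list refers to.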

Anatomy of an Attack

(Diagram labels: Network, Server.)
- Probe phase: vulnerable targets identified
  - Ping scans
  - Port scans
- Penetrate phase: exploit code transferred to the target
  - Buffer overflow
  - E-mail attachment
- Persist phase: code becomes resident on the target
  - Install new code
  - Modify configuration
- Propagate phase: attack extended to neighbors
  - Attack other targets
- Paralyze phase: damage done to the system
  - Erase files
  - Crash system
  - Steal data

CSA Features

- Real-time protection decisions
- Defense-in-depth approach
  - Intercepts communication between applications and the kernel
  - Protects the system from attacks at all phases
- Ease of deployment
  - Deploys with default policies in 30 minutes
  - Custom policies are easily configured
- Broad platform support
  - Windows or UNIX (Solaris and Linux)
  - Servers and desktops

CSA Features (Cont.)

- Real-time correlation, both at the Agent and enterprise-wide
- Ease of administration
  - No need for constant review of logs
  - No signature updates: behavior-based, so day-zero ready
  - Manage from any web browser
- Centralized event management
  - E-mail, pager, and SNMP alerts controlled at CSA MC
  - Logging and report-generating capability
- Enforce and Detect rule organization
- Internationalization and localization for Windows Agents
- Integrated with Cisco Trust Agent

CSA MC Building Blocks

CSA MC configuration is built from these objects, from the top down:
- Agent Kit: the Agent installer, which places the host into one or more Groups
- Group: hosts that share the same Policies
- Policy: a set of Rule Modules
- Rule Module: a set of Rules
- Rule: built from Variables, Application Classes, and Actions

Summary

- The Cisco SDN strategy offers a logical, in-depth defense by deploying security in layers to enhance network security.
- CSA MC lets the administrator divide network hosts into groups and then configure the security policy for each group.
- CSA is installed on the host systems to continuously monitor local system activity and analyze the operations of that system.
- CSA intercepts operating system calls, compares them with the cached security policy, and detects malicious activity.
- An attack on the network progresses logically through the Probe, Penetrate, Persist, Propagate, and Paralyze phases.
- CSA protects hosts against such attacks with real-time protection decisions, a defense-in-depth approach, ease of deployment, and centralized event management.
