Chapter 1 Overview
What Cisco Security Agent Does
Cisco Security Agents provide intrinsic, distributed security to your enterprise by deploying agents that defend against the proliferation of attacks across networks and systems. These agents enforce a set of policies that are provided by Management Center for Cisco Security Agents and selectively applied to system nodes by the network administrator. Operating under the direction of their assigned policies, Cisco Security Agents provide strong system resource protection, tying together the auditing and control of multiple system and network resources. This section contains the following topics:
The Lifecycle of an Attack, page 1-2
How Cisco Security Agents Protect Against Attacks, page 1-3
Deployment Overview, page 1-4
Network Architecture, page 1-5
Cisco Security Agent Architecture, page 1-6
Communicating Over Secure Channels, page 1-8
Distributing Policy Updates, page 1-9
Using Management Center for Cisco Security Agents 6.0 78-18652-01
1-1
The Lifecycle of an Attack
When your network is targeted for attack, an assault is typically launched in a series of steps. Each step of an attack often depends upon the previous step being successful. Table 1-1 displays the common evolution of an attack.
Table 1-1 Lifecycle of an Attack

Attack Action   Network Manifestation
Probe           ping server IP addresses; run traceroute on IP addresses; sniff passwords; impersonate mail users
Penetrate       email attachments; Java applets and ActiveX controls; buffer overflows; backdoors and trojans
Persist         weaken security settings; install new services
Propagate       email; Internet connections; IRC; FTP; infected file shares
Paralyze        reformat disks; destroy or corrupt data; drill security holes; crash computers; consume work cycles; steal confidential data
How Cisco Security Agents Protect Against Attacks
The Cisco Security Agent differs from anti-virus and network firewall software in that it doesn't prevent users from accessing the technologies they require. It assumes that users are going to put their systems at risk by making use of a wide range of Internet resources. With this in mind, Cisco Security Agents install and work at the kernel level, controlling network actions, local file systems, and other system components, and maintaining an inventory of what actions may be performed on the system itself. Malicious system actions are therefore detected and disabled immediately, while other actions are permitted. Both take place transparently, without any interruption to the user. If an encrypted piece of malicious code finds its way onto a system via email, for example, then as soon as it attempts to unexpectedly execute or alter Cisco Security Agent-protected system resources, it is neutralized and a notification is sent to the network administrator.
Cisco Security Agents use policies that network administrators configure and deploy to protect systems. These policies can allow or deny specific system actions. Cisco Security Agents must determine whether an action is allowed or denied before any system resources are accessed and acted upon. Specifically, rule policies enable administrators to control access to system resources based on the following parameters:
What resource is being accessed.
What operation is being invoked.
Which application is invoking the action.
The resources in question may be either system resources or network resources such as mail servers. When any system actions that are controlled by specific rules are attempted and allowed or denied accordingly, a system event is logged and sent to the administrator in the form of a configurable notification such as email, pager, or custom script.
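The rule model just described (resource, operation, invoking application, each rule allowing or denying and every rule hit producing an event) as a small added illustration written for this page; it is not CSA's own rule format or code, and the first-match ordering, the silent default allow, and the sample rules and paths are assumptions of the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Rule:
    resource: str     # glob over the resource: file path, registry key, host:port
    operation: str    # operation invoked: "read", "write", "execute", "connect"
    application: str  # glob over the application invoking the action
    action: str       # "allow" or "deny"

def _match(pattern, value):
    # Case-insensitive glob match; backslashes are ordinary characters here
    return fnmatchcase(value.lower(), pattern.lower())

@dataclass
class Policy:
    rules: list
    events: list = field(default_factory=list)

    def decide(self, resource, operation, application):
        # Decided before the resource is touched. Assumed for this example:
        # first matching rule wins (specific allows precede broad denies), an
        # action no rule covers is allowed silently, and every rule hit,
        # allow or deny, is logged as an event for the administrator.
        for n, rule in enumerate(self.rules):
            if (rule.operation == operation and _match(rule.resource, resource)
                    and _match(rule.application, application)):
                self.events.append({"rule": n, "action": rule.action,
                                    "resource": resource, "operation": operation,
                                    "application": application})
                return rule.action
        return "allow"

# Constructed sample: only the installer may write under System32, and the
# mail client may not execute anything saved under a user's Documents folder
SAMPLE_RULES = [
    Rule(r"C:\Windows\System32\*", "write", "msiexec.exe", "allow"),
    Rule(r"C:\Windows\System32\*", "write", "*", "deny"),
    Rule(r"C:\Users\*\Documents\*", "execute", "outlook.exe", "deny"),
]

def demo():
    p = Policy(rules=SAMPLE_RULES)
    return (p.decide(r"C:\Windows\System32\dropped.dll", "write", "outlook.exe"),
            p.decide(r"C:\Windows\System32\msvcrt.dll", "write", "msiexec.exe"),
            p.decide(r"C:\Users\alice\Documents\invoice.exe", "execute", "outlook.exe"),
            p.decide(r"C:\Users\alice\Documents\notes.txt", "read", "notepad.exe"),
            len(p.events))
```

The fourth call matches no rule, so it is allowed and generates no event; the other three each leave an event record that would be forwarded to the administrator.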
Deployment Overview
Management Center for Cisco Security Agents contains two components:
CSA MC: installs on designated Windows 2003 systems and includes a configuration database server and a web-based user interface.
Cisco Security Agent (the agent): installs on server and desktop systems across your enterprise network.
Using CSA MC, you assemble your network machines into specified groups and then attach security policies to those groups. All configuration is done through the web-based user interface and then deployed to the agents. The network example shown in Figure 1-1 illustrates a basic deployment scenario. CSA MC software is installed on a system which maintains all policy and host groups. The administration user interface is accessed securely using SSL (Secure Sockets Layer) from any machine on the network that can connect to the server and run a web browser. Use the web-based interface to deploy your policies from CSA MC to agents across your network.
Figure 1-1 Policy Deployment
Network Architecture
The CSA MC architecture model consists of a central management center, which maintains a database of policies and system nodes, and the desktops and servers of those nodes, all of which have Cisco Security Agent software installed. Agents register with CSA MC, which checks its configuration database for a record of the system. When the system is found and authenticated, CSA MC deploys the configured policy for that particular system or grouping of systems. The Cisco Security Agent software then continually monitors local system activity and polls CSA MC at configurable intervals for policy updates. It also sends triggered event alerts to the CSA MC's global event manager. The global event manager examines system event logs and, based on that examination, may trigger an alert notification to the administrator or cause the agent to take a particular action.
Note: See Appendix B, System Components, for detailed information on product architecture.
Figure 1-2 CSA MC Architecture (diagram; components shown: Report Generator, Database Server, GUI Page Generator, Web Server, Web Browser connecting over SSL, Configuration Manager Database, Global Event Manager, Cisco Security Agent connecting over SSL, Alerts)
Cisco Security Agent Architecture
The Cisco Security Agent software installs locally on each system node and intercepts operations of that system. A network application interceptor sits at the application level and intercepts all application operations. Other Cisco Security Agent mechanisms intercept network traffic, file actions, and system registry actions while the rule/event correlation engine controls all agent mechanisms watching for any events that trigger an agent policy. See Figure 1-3.
Figure 1-3 Cisco Security Agent Software Architecture (Windows) (diagram; components shown: Agent Policy Manager, Data Filter, IIS/Apache, Install, Local Event Manager, Buffer Overflow/COM Component Interceptor, Network Application Interceptor, TCP/IP Policies, Rule/Event Correlation Engine, Network Traffic Interceptor, File Interceptor, Registry Interceptor, NIC, Disk, System; policies arrive from CSA MC, log and event notifications go to CSA MC, and events and alerts are exchanged with the Internet/intranet)
Figure 1-4 Cisco Security Agent Software Architecture (UNIX) (diagram; components shown: Agent Policy Manager, Data Filter, iPlanet/Apache, pkadd, Local Event Manager, Buffer Overflow Interceptor, Network Application Interceptor, TCP/IP Policies, Rule/Event Correlation Engine, Network Traffic Interceptor, File Interceptor, System Call Interceptor, NIC, Disk, System; policies arrive from CSA MC, log and event notifications go to CSA MC, and events and alerts are exchanged with the Internet/intranet)
Communicating Over Secure Channels
All communications between the Management Center for Cisco Security Agents server system and the systems that access the browser-based user interface are protected using SSL (Secure Sockets Layer). Each management session also requires administrator authentication by username and password before it is initiated. Communications between the management server and the agents are likewise passed over SSL. See the Installation Guide for information on importing certificates and connecting securely over SSL.
Distributing Policy Updates
At configurable time intervals, Cisco Security Agents on the network poll CSA MC to check for updated rule sets. See Chapter 3, Configuring Groups and Managing Hosts, for details. When a rule is triggered on a system, the agent sends its event notifications to CSA MC. CSA MC identifies the agent, examines the event notifications it presents, and correlates this information.
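The registration, interval polling and event correlation flow described here and under Network Architecture, as an added simulation written for this page (not CSA's wire protocol or code); the version-number comparison, the 300 second interval, the host names and the "third deny for one application raises an alert" correlation rule are assumptions of the example.

```python
from collections import defaultdict

class ManagementCenter:
    def __init__(self, policies, alert_threshold=3):
        self.policies = policies          # host -> (rule set version, rules)
        self.events = defaultdict(list)   # host -> event notifications received
        self.alerts, self.alert_threshold = [], alert_threshold

    def register(self, host):
        # An agent is accepted only if the configuration database has its host
        return host in self.policies

    def poll(self, host, agent_version):
        # Hand out a rule set only when it is newer than the one the agent runs
        version, rules = self.policies[host]
        return (version, rules) if version > agent_version else None

    def report(self, host, event):
        # Global event manager correlation (assumed rule): the third deny for
        # one application on one host raises a single administrator alert
        self.events[host].append(event)
        denies = sum(1 for e in self.events[host] if e["action"] == "deny"
                     and e["application"] == event["application"])
        if event["action"] == "deny" and denies == self.alert_threshold:
            self.alerts.append((host, event["application"], denies))
        return len(self.alerts)

class Agent:
    def __init__(self, host, mc, poll_interval=300):
        self.host, self.mc, self.poll_interval = host, mc, poll_interval
        self.version, self.rules, self.next_poll = 0, [], 0

    def tick(self, now):
        # Poll CSA MC only once the configured interval has elapsed
        if now >= self.next_poll:
            update = self.mc.poll(self.host, self.version)
            if update:
                self.version, self.rules = update
            self.next_poll = now + self.poll_interval
        return self.version

def demo():
    mc = ManagementCenter({"ws01": (1, ["deny write System32"])})  # constructed
    agent = Agent("ws01", mc)
    v0 = agent.tick(0)                                 # first poll gets version 1
    mc.policies["ws01"] = (2, ["deny write System32", "deny exec Documents"])
    v1, v2 = agent.tick(100), agent.tick(300)          # 100 s too early, 300 s updates
    for _ in range(3):
        alerts = mc.report("ws01", {"action": "deny", "application": "outlook.exe"})
    return mc.register("unknown-host"), v0, v1, v2, alerts
```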