Understanding Cisco Security Agent Interceptors

To help you understand how Cisco Security Agent interceptors work, we must first explore how applications access system resources. Each time an application needs access to system resources, it has to make an operating system call to the kernel. When this occurs, the Cisco Security Agent intercepts these operating system calls and compares them to the cached security policy. Figure 7-5 shows this process.

Key Topic

File System



Execution Space





->- Blocked Request

As long as the request does not violate the policy, it is passed to the kernel for execution. However, should the request violate the security policy, the Cisco Security Agent blocks the request and takes one of the following actions:

■ An appropriate error message is passed back to the application.

■ An alert is generated and sent to the Management Center for Cisco Security Agent.

To detect malicious activity, the Cisco Security Agent correlates the particular operating system call with the other calls made by that application or process. By correlating these events, it can see irregularities that denote malicious activity. This "behavior-based" manner of detection adds flexibility and removes the need to rely on signatures and signature updates.

Figure 7-5 Cisco Security Agent Interceptors


Endpoint protection is provided by the Cisco Security Agent through the deployment of four interceptors, as described in Table 7-9.

Table 7-9 Cisco Security Agent Interceptors



File System Interceptor

Responsible for intercepting all file read or write requests and either allowing or denying them based on the security policy.

Network Interceptor

Responsible for controlling Network Driver Interface Specification (NDIS) changes and for clearing network connections through the security policy. This also limits how many network connections are allowed within a specified time period to help prevent DoS attacks. Central to its role is providing hardening features such as SYN flood protection and port scan detection.

Configuration Interceptor

Responsible for intercepting read/write requests to the registry in Windows or to rc files on UNIX. Interception occurs because modifying the operating system configuration can have serious consequences. All read/write requests to the registry are tightly controlled for security by the Cisco Security Agent.




It is the responsibility of this interceptor to deal with maintaining the integrity of the dynamic runtime environment of each application. It does this by detecting and blocking requests to write to memory not owned by the requesting application.

In terms of practical application, when this form of attack occurs, the targeted service, such as SMTP, FTP, or TFTP, crashes. More importantly, the attacker's shell code is not launched successfully.

This also blocks attempts by an application to inject code (such as a shared library or dynamic link library [DLL]) into another. Buffer overflows attacks are also detected, helping maintain the integrity of dynamic resources such as the file system and configuration of web services. This also helps preserve the integrity of highly dynamic resources such as memory and network I/O.

The Cisco Security Agent, by intercepting communication between applications and the underlying system, combines the functionality of a number of traditional security approaches:

■ Distributed firewall: Through the network interceptor, the CSA performs the

^ / Key functions of a host firewall. \ Topic

■ HIPS: The network interceptor and the execution space interceptor combine to provide the alerting capability of a HIPS with the proactive enforcement of a security policy.

■ Application sandbox: The file system, configuration, and execution space interceptors act together to provide an application sandbox. Here you can run suspect programs with less than normal access to system resources for security purposes.

■ Network worm prevention: Worm protection is provided by the network and execution space interceptors without a need for updates.

■ File integrity monitor: The file system and the configuration interceptors work together to act as a file integrity monitor.

The Cisco Security agent is designed with a series of preconfigured policies that implement all these levels of protection without additional configuration. With the Cisco Security Agent, organizations have the flexibility to create or change policies if they like, to tailor them to their specific needs.

0 0

Post a comment