Cisco Security Agent and Host Based IDS

CSA provides threat protection for servers and desktop PCs. It identifies and blocks malicious behavior on the host, which lets it stop known attacks as well as new ones for which no signature yet exists. Antivirus software typically cannot detect the latest worm or exploit until a signature for it has been written and distributed. CSA fills this gap: the agent intercepts the calls an application makes to the operating system kernel (file, network, registry, and process operations), checks each one against policy, and raises an alert on the host or to the management server when a call violates that policy. CSA also blocks the offending call, so the attack is stopped rather than merely reported. CSA can be installed as a standalone agent or in a client/server model with central management.

CSA is best understood as an agent that enforces a set of predefined behavior rules (a policy) on a host such as a PC or server. CSA is a host-based intrusion prevention system (HIPS) that adds a third layer of depth to a network defense by ensuring that the applications on the host actually behave as the defined security policy permits. The following features enable CSA to stop attacks that were missed at other levels of security:

■ CSA proactively blocks intrusive attacks at the host instead of only reporting them.

■ CSA does not depend on signatures, so it needs no signature update to stop the latest virus or worm.

■ CSA effectively reduces the number of false positives within a network.

Figure 6-7 displays how CSA intercepts system calls to the operating system kernel, and the CSA architecture model around it. The Management Center for Cisco Security Agents (CSA MC) allows the administrator to divide network hosts into groups by function and security requirement and to assign policies to those groups. The agent software is installed on each client PC or server, where it continually monitors local system activity and enforces the policy on that end workstation. Communication between the management center and the agents is secured with the SSL protocol. CSA is supported on Windows- and UNIX-based platforms.

Figure 6-7 HIPS and CSA

(Figure: calls made to the system for an allocated resource pass through the CSA client, which sits between the application and the operating system kernel; each request is allowed or denied by the CSA client.)

As a HIPS application, CSA provides host intrusion prevention, distributed firewall capabilities, malicious mobile code protection, operating system integrity assurance, and audit log consolidation.

CSA relies on analyzing behavior (what a program actually tries to do) rather than on the signature matching that antivirus tools typically rely on. A program therefore does not have to be recognized to be stopped: any action the policy does not permit is denied outright, or, for rules configured to query, held until the user decides.

For example, the Code Red and SQL Slammer worms penetrated many systems, causing network outages that were widely reported in the press. Traditional signature-based defenses proved insufficient against these worms because they spread before signatures were available. CSA would have stopped them from doing damage by denying the exploited process access to resources on the host and terminating the program immediately.

A new worm typically carries out its attack in five stages:

1. Probe

2. Penetrate

3. Persist

4. Propagate

5. Paralyze

The types of attacks that CSA can stop are numerous. The following points show how CSA responds to each stage and which countermeasures it uses:

■ Probe—CSA blocks port scans and ping packets directed at the host.

■ Penetrate—CSA prevents unauthorized mail attachments from running, stops buffer overflows, blocks unwanted ActiveX controls, network installs, and backdoors, and defeats password guessing and the guessing of mail user names.

■ Persist—CSA prevents new file creation, modification of existing files, and registry trap doors (registry changes that make the worm run again after a reboot).

■ Propagate—CSA prevents mail clients from sending out e-mail to spread the attack and blocks outbound web connections, FTP, and the infection of file shares.

■ Paralyze—CSA does not permit deletion or modification of files and prevents the drilling of security holes (opening new doors that provide a way into your network or device).

Figure 6-8 displays a client PC running CSA. The agent runs in the background and cannot be suspended or terminated unless the CSA management station permits it.

Figure 6-8 CSA Agent in System Tray


When suspicious activity occurs and the management station has not already defined the response, a balloon message or pop-up window appears on the client and asks the user what to do. Figure 6-9 displays such a message for a suspicious activity.

Figure 6-9 CSA Preventative Action


Figure 6-10 CSA Balloon Message

Figure 6-10 displays CSA in action after the client host launches a suspicious application (the balloon message is displayed by right-clicking the CSA icon in the system tray). If the requested action is suspicious, the end user should deny the request; CSA then terminates the application, remembers the decision so that the same application is not permitted to run again, sends an alert to the management station for your security team to act on, and saves a log message locally.
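To make the behavior-first model concrete (the point of the paragraph on behavior versus signatures, the five-stage countermeasures list, and the query prompt shown in Figures 6-9 and 6-10), the following is a small Python model of a HIPS policy engine. It is an added example written for this section, not Cisco's code and not how CSA is implemented internally: every process name, path, registry key, rule, threshold, and event in it is constructed for the demonstration. Each intercepted call is checked against the behavior rules in order; the first match decides (deny, or query the user and remember the answer), and anything no rule objects to is allowed. The event stream walks a constructed worm through probe, penetrate, persist, propagate, and paralyze, with benign activity mixed in to show what is left alone.

```python
"""Toy behavior-based HIPS policy engine, written to illustrate the CSA model
(intercept a system call, check it against behavior rules, allow/deny/query).
Not Cisco code; every process name, path, rule, and event is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Event:
    tick: int      # time of the intercepted call
    process: str   # image name of the caller
    parent: str    # image name of the caller's parent
    op: str        # intercepted operation: connect, exec, exec_mem, write_file, ...
    target: str    # resource the call asks for (host:port, path, registry key, address)

@dataclass(frozen=True)
class Rule:
    name: str
    stage: str     # worm stage the rule counters: probe/penetrate/persist/propagate/paralyze
    verdict: str   # "deny", or "query" (ask the user once, remember the answer)
    match: Callable[[Event, "Engine"], bool]

MAIL_CLIENTS = {"outlook.exe"}            # assumed application class: trusted mail clients
INSTALLERS = {"msiexec.exe"}              # assumed application class: may touch system files
SYSDIR = "c:\\windows\\system32\\"
AUTORUN = "\\currentversion\\run"
SCAN_PORTS, SCAN_WINDOW = 5, 10           # >= 5 distinct ports on one host within 10 ticks

class Engine:
    def __init__(self, rules: List[Rule], ask_user: Callable[[Event, Rule], str]):
        self.rules, self.ask_user = rules, ask_user
        self.connects: Dict[Tuple[str, str], List[Tuple[int, str]]] = defaultdict(list)
        self.remembered: Dict[Tuple[str, str], str] = {}   # (process, rule) -> user's answer
        self.terminated: Set[str] = set()                   # images the user refused; stay blocked
        self.alerts: List[Tuple[str, str, str]] = []        # (stage, rule, process) sent to the MC
        self.prompts = 0                                    # how many times the user was asked

    def evaluate(self, ev: Event) -> Tuple[str, Optional[str]]:
        """Return (verdict, rule name). First matching rule wins; no match means allow."""
        if ev.process in self.terminated:
            return "deny", "terminated"
        for rule in self.rules:
            if not rule.match(ev, self):
                continue
            verdict = rule.verdict
            if verdict == "query":
                key = (ev.process, rule.name)
                if key not in self.remembered:           # prompt once, then reuse the answer
                    self.prompts += 1
                    self.remembered[key] = self.ask_user(ev, rule)
                verdict = self.remembered[key]
                if verdict == "deny":                    # user said no: offending program is killed
                    culprit = ev.target.rsplit("\\", 1)[-1].lower() if ev.op == "exec" else ev.process
                    self.terminated.add(culprit)
            if verdict == "deny":
                self.alerts.append((rule.stage, rule.name, ev.process))
            return verdict, rule.name
        return "allow", None

# Behavior rules, one or two per worm stage (all thresholds and patterns are illustrative).
def port_scan(ev: Event, eng: Engine) -> bool:
    if ev.op != "connect":
        return False
    host, port = ev.target.rsplit(":", 1)
    hist = eng.connects[(ev.process, host)]
    hist.append((ev.tick, port))
    return len({p for t, p in hist if ev.tick - t < SCAN_WINDOW}) >= SCAN_PORTS

def attachment_launch(ev, eng):   # mail client starting an executable attachment
    return ev.op == "exec" and ev.process in MAIL_CLIENTS and ev.target.lower().endswith((".exe", ".scr", ".vbs", ".pif"))

def stack_exec(ev, eng):          # buffer-overflow payload running from a data region
    return ev.op == "exec_mem" and ev.target in ("stack", "heap")

def registry_trapdoor(ev, eng):
    return ev.op == "write_registry" and AUTORUN in ev.target.lower() and ev.process not in INSTALLERS

def system_file_write(ev, eng):
    return ev.op == "write_file" and ev.target.lower().startswith(SYSDIR) and ev.process not in INSTALLERS

def rogue_mailer(ev, eng):
    return ev.op == "send_mail" and ev.process not in MAIL_CLIENTS

def share_drop(ev, eng):
    return ev.op == "write_file" and ev.target.startswith("\\\\") and ev.target.lower().endswith(".exe")

def system_file_delete(ev, eng):
    return ev.op == "delete_file" and ev.target.lower().startswith(SYSDIR) and ev.process not in INSTALLERS

RULES = [
    Rule("port scan", "probe", "deny", port_scan),
    Rule("mail attachment launched", "penetrate", "query", attachment_launch),
    Rule("code executed from stack/heap", "penetrate", "deny", stack_exec),
    Rule("autostart registry key written", "persist", "deny", registry_trapdoor),
    Rule("system file written", "persist", "deny", system_file_write),
    Rule("mail sent by non-mail client", "propagate", "deny", rogue_mailer),
    Rule("executable dropped on file share", "propagate", "deny", share_drop),
    Rule("system file deleted", "paralyze", "deny", system_file_delete),
]

# Constructed event stream: a worm walking the five stages, with benign activity mixed in.
RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\worm"
SAMPLE_EVENTS = [
    Event(0, "winword.exe", "explorer.exe", "write_file", "C:\\Users\\bob\\report.docx"),
    *[Event(t, "worm.exe", "cmd.exe", "connect", f"10.0.0.5:{p}") for t, p in enumerate((21, 23, 25, 80, 135, 139), 1)],
    Event(7, "outlook.exe", "explorer.exe", "exec", "C:\\Temp\\invoice.pdf.exe"),
    Event(8, "invoice.pdf.exe", "outlook.exe", "connect", "10.0.0.9:445"),
    Event(9, "svchost.exe", "services.exe", "exec_mem", "stack"),
    Event(10, "worm.exe", "cmd.exe", "write_registry", RUN_KEY),
    Event(11, "worm.exe", "cmd.exe", "write_file", "C:\\Windows\\System32\\worm.exe"),
    Event(12, "worm.exe", "cmd.exe", "send_mail", "alice@example.com"),
    Event(13, "outlook.exe", "explorer.exe", "send_mail", "alice@example.com"),
    Event(14, "worm.exe", "cmd.exe", "write_file", "\\\\fileserver\\public\\worm.exe"),
    Event(15, "worm.exe", "cmd.exe", "delete_file", "C:\\Windows\\System32\\ntoskrnl.exe"),
    Event(16, "outlook.exe", "explorer.exe", "exec", "C:\\Temp\\photo.jpg.scr"),
]

def run(events: List[Event], user_answer: str = "deny"):
    """Feed events through the engine; returns ([(event, verdict, rule)], engine)."""
    eng = Engine(RULES, ask_user=lambda ev, rule: user_answer)
    return [(ev, *eng.evaluate(ev)) for ev in events], eng

def blocked_by_stage(eng: Engine) -> Dict[str, int]:
    return dict(Counter(stage for stage, _, _ in eng.alerts))

if __name__ == "__main__":
    decisions, engine = run(SAMPLE_EVENTS)
    for ev, verdict, rule in decisions:
        print(f"t={ev.tick:>2} {ev.process:<16} {ev.op:<14} {ev.target:<44} -> {verdict:<5} {rule or ''}")
    print(blocked_by_stage(engine))
```

Running it prints one line per intercepted call with the verdict and the rule that fired; the first four connects are allowed and the fifth trips the port-scan rule, the mail client's own e-mail goes through while the worm's does not, and the second executable attachment is refused without a prompt because the user's first answer was remembered. blocked_by_stage() returns the alert count per stage that the management center would receive. Real CSA policies are organized by application class and host group rather than as a flat ordered list, so treat the rule ordering here as a simplification of that model.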

Cisco training has a very good course on HIPS named "Securing Hosts by Using CSA." Go to and search by the course name for more details. This is a good course for those interested in deploying this tool across a large or medium IP network.

Cisco has recently released Cisco Trust Agent (CTA) as part of its self-defending network strategy. CTA allows Network Admission Control (NAC) to determine if CSA or antivirus software is installed and current, and can determine current OS version and patch levels. For more details on CTA and Cisco self-defending solutions, go to
