Advanced Host Intrusion Prevention with CSA

Book Description

Protecting systems within an enterprise has proven as important to overall security as securing the enterprise perimeter. Over the past few years, the number of vulnerabilities stemming from weaknesses in applications and operating systems has grown dramatically. In direct correlation with the number of weaknesses discovered, the number of viruses, worms, and security attacks has also exploded across the Internet. To add to the typical virus issues that businesses have had to confront, there are also malicious programs infiltrating organizations today in the form of spyware and adware.

  • Prevent day-zero attacks

  • Enforce acceptable-use policies

  • Develop host-IPS project implementation plans

  • Evaluate management hierarchy installation options, including single-server, multiserver, and built-in database usage

  • Learn about CSA agents and manual and scripted installation options

  • Understand policy components and custom policy creation

  • Use and filter information from CSA event logs

  • Troubleshoot CSA deployments with agent and management server logs and built-in troubleshooting tools

Protecting systems where the private data and intellectual property reside is no longer considered a function of perimeter defense systems but has instead become the domain of endpoint protection software, such as host Intrusion Prevention Systems (IPS). Cisco® Security Agent (CSA) is the Cisco Systems® host-IPS solution. CSA provides the security controls that corporations need to deal with threats to host and desktop computing resources.

Advanced Host Intrusion Prevention with CSA is a practical guide to getting the most out of CSA deployments. Through methodical explanation of advanced CSA features and concepts, this book helps ease the fears of security administrators seeking to install and configure a host IPS. This book explains in detail such topics as installation of the management servers, installation of the agents for mass deployment, granular agent policy creation, advanced policy creation, real-world troubleshooting techniques, and best practices in implementation methodology. This guide also provides a practical installation framework taken from the actual installation and support experience of the authors.

This book helps you implement host IPS appropriately, giving your organization better protection from the various threats that are impacting your business while at the same time enabling you to comply with the legal requirements put forth in legislation such as HIPAA, SOX, SB1386, and VISA PCI.

Table of Contents

    1. Copyright
      1. Dedications
    2. About the Author
    3. About the Technical Reviewers
    4. Acknowledgments
    5. Command Syntax Conventions
    6. Introduction
      1. Who Should Read This Book?
      2. How This Book Is Organized
    7. I. CSA Overview
      1. 1. The Problems: Malicious Code, Hackers, and Legal Requirements
        1. Malicious Code
          1. Viruses
          2. Worms
          3. Trojans
          4. Bots
          5. Adware
          6. Spyware
        2. Hackers
          1. Script Kiddies
          2. Targeted Espionage
          3. Insiders
        3. Legislation
          1. HIPAA
          2. Sarbanes-Oxley
          3. SB-1386
          4. Visa PCI
        4. Summary
      2. 2. Cisco Security Agent: The Solution
        1. Capabilities
        2. CSA Component Architecture
          1. Security Agent Software
          2. Security Agent Management Console Software
            1. Agent Communication Components
            2. Configuration Management and Event Reporting GUI
            3. Configuration and Event Database
          3. Agent and CSA MC Communication
        3. CSA Hosts and Groups
          1. Mandatory Groups
          2. Creative Group Usage
        4. Policy Implementation
          1. Rules
          2. Rule Modules and Policy Hierarchy
            1. Rule Precedence
          3. Advanced Features
            1. Application Deployment Investigation
            2. Application Behavior Investigation
        5. Summary
    8. II. CSA Project Planning and Implementation
      1. 3. Information Gathering
        1. Defining Purpose
          1. Why Implement the Product?
          2. Phases
        2. Understanding the Environment
          1. Network
          2. Servers
          3. Desktops/Laptops
            1. Desktop/Laptop Operating System Support
            2. Applications
          4. Beyond Known Applications
        3. Important Individuals
          1. Project Team
          2. Executive Sponsor
          3. Project Manager
          4. Support Team
        4. Summary
      2. 4. Project Implementation Plan
        1. Timeline
          1. Example 1: The “Not in a Hurry” Deployment Timeline
          2. Example 2: The “How Fast Can We See This Work” Timeline
        2. Contributors
        3. Pre-Planning
          1. What Is Success?
          2. Who Defines Success?
          3. Defining Metrics
            1. Implementation Timeline
            2. Number of Hosts
            3. Helpdesk Tickets
            4. User Interaction and Queries
          4. ROI
          5. Phased Approach
          6. Training Requirements
            1. What Does Training Encompass?
        4. Pilot
          1. Defining Inclusion
          2. Support Model
          3. Common Mistakes
            1. Policies Not Matching a Well-Defined Security Policy or Plan
            2. Not Using the “Application Deployment Investigation” Features
            3. Not Using TESTMODE to Your Advantage
            4. Not Sizing Hardware Appropriately for the Pilot/Deployment
            5. Not Documenting Policies and Rules to Allow Good Management
            6. Not Setting Event-Log Thresholds Appropriately
            7. Not Backing Up the Pilot Server and Database
          4. Testing Methods
          5. Success Criteria
        5. Production Implementation
        6. Documentation
        7. Ongoing Support
          1. Backups
          2. Database Maintenance
          3. VMS and CSA MC Log Maintenance
          4. Policy Exports
          5. Event Logs
          6. Policy Updates
        8. Summary
      3. 5. Integration into Corporate Documentation
        1. Security Policy Document
        2. Change Control Documentation
          1. Auditing Changes to Cisco Security Agent Policies
        3. Quality Assurance
          1. Quality Assurance Debugging
            1. Hardware Platform Testing Documentation
        4. Contacts and Support Escalation
        5. Summary
    9. III. CSA Installation
      1. 6. CSA MC Server Installation
        1. Implementation Options
          1. Option 1: Single-Server CSA MC Deployment
          2. Option 2: Two-Server CSA MC Deployment
          3. Option 3: Three-Server CSA MC Deployment
        2. CSA MC Server Hardware Requirements
        3. CSA MC Server Installation
          1. Single-Server Installations
            1. Installation of a Single-Server CSA MC with MSDE
          2. Upgrading a CSA MC MSDE Installation to MS SQL 2000
            1. Installation of a Single CSA MC with MS SQL 2000
          3. Multiple Server Installations
            1. Single CSA MC and an Additional Server for MS SQL 2000
            2. Two CSA MC and an Additional Server for MS SQL 2000
        4. Summary
      2. 7. CSA Deployment
        1. Agent Installation Requirements
        2. Agent Installer
          1. Creating an Agent Kit
          2. Agent Kit Retrieval
          3. Agent Kit Dissection
        3. Installation Parameters and Examples for SETUP.EXE
          1. Command-Line Parameters
          2. Command-Line Installation Examples
          3. Allowing Scripted Uninterrupted Uninstall
        4. Summary
    10. IV. CSA Policy
      1. 8. Basic Policy
        1. Policy Requirements
        2. Purpose of Policy
          1. Audit Trail
          2. Acceptable Use Policy/Security and Best Practice Enforcement
          3. Protection from Local and Remote User
          4. Protecting Systems and Information from Application/System Vulnerability
          5. Protection of Application or System Vulnerability from Exploitation
        3. Policy Application and Association
        4. Builtin Policy Details
          1. Automatically Applied Builtin Applied Policies
          2. Builtin Desktop and Server Policies
            1. Windows
            2. Linux
            3. Solaris
        5. Application Policies
          1. Web Server—Microsoft IIS—Windows
          2. Web Server—iPlanet—Solaris
          3. Web Server—Apache
          4. Microsoft SQL Server 2000—Windows
        6. Other Builtin Policies
        7. Summary
      2. 9. Advanced Custom Policy
        1. Why Write Custom Policies?
          1. The Normal Tuning Process
          2. Custom Application Control Policies
          3. Forensic Data Gathering
        2. Preparing for the CSA Tuning Process
          1. Understanding Rule Capabilities
          2. Discovering State Sets
            1. User-State Sets Overview
            2. System State Sets Overview
          3. Discovering Dynamic Application Classes
        3. Best Practices for Tuning
          1. Understanding Importing and Upgrading
          2. Variable and Application Class Usage
        4. Sample Custom Policies
          1. State-Based Policies
            1. Install Technician Agent Control
            2. Remote Registry Access
          2. Securing the System When Away from Home
          3. NAC Policy
        5. Using Dynamic Application Classes
        6. Forensics
          1. Monitor Rules
          2. Application Behavior Investigation
        7. Summary
    11. V. Monitoring and Troubleshooting
      1. 10. Local Event Database and Event Correlation
        1. CSA MC Event Database
          1. The Event Log
            1. Filtering the Event Log Using Change Filter
            2. Filtering by Eventset
            3. Filtering the Event Log Using Find Similar
          2. The Event Monitor
        2. Automated Filtering from Directed Links
        3. Additional Event Correlation
        4. Summary
      2. 11. Troubleshooting Methodology
        1. Common Issues
          1. Licensing
          2. Name Resolution
          3. Network Shim
            1. Windows
            2. UNIX / Linux
        2. NOC Troubleshooting Tools
          1. Event Logs
            1. NT System and Application Logs
            2. UNIX and Linux Messages File
            3. SQL Server Logs
            4. CSAMC45-install.log
            5. CSAgent-install.log
          2. Remote Control
            1. Terminal Services
            2. Telnet/SSH
            3. VNC
          3. Remote Access, Reachability, and Network Tools
            1. Ping
            2. Traceroute
            3. Pathping (Windows 2000 and Later Only)
            4. Ethereal
            5. NetCat
            6. NMAP
        3. Agent Troubleshooting Tools
          1. CSA Installed Troubleshooting Tools
            1. ICCPING.EXE (Windows Only)
            2. RTRFORMAT.EXE
            3. CSACTL for Solaris/Linux
            4. CSA Diagnostics
            5. Log Files
            6. Service Control
        4. SQL Troubleshooting
          1. SQL Server Basics
            1. Basic Queries
            2. Processor Utilization
            3. Memory
            4. ODBC Connection to Remote Database Server
          2. Deleting Events and Shrinking Database Size
            1. Pruning Events from the Database
            2. DBCC Shrinkfile
        5. Cisco TAC
        6. licensing@cisco.com
        7. Summary
    12. A. Best Practices Deployment Guidelines
      1. Overview
      2. Gathering Information
        1. Security Policy
        2. Acceptable Use Policy
        3. Security Problems
          1. Past Incidents
          2. Calculate Single Loss Occurrence Costs
          3. Calculate ALE Costs
          4. Ongoing Issues
        4. Inventory
          1. Classify Critical Assets
          2. Applications Used
          3. Number and Type of Agents
        5. Determine Goals
          1. Applications/Systems/Processes Protected
          2. Organizational Impact
          3. Patch Cycle Extension
          4. System Stability
          5. Specific Vulnerabilities
      3. Pilot Phase
        1. Determine Scope
          1. Pilot Applications
          2. Pilot Systems
        2. Determine Conditions
          1. User Agent Interaction
          2. Allow User to Stop Agent
          3. Interval and Polling Hints
        3. Create the CSA Base Policy
        4. Deploy Agents in Test Mode
          1. Create a Communication Plan
          2. Build Groups
          3. Build Agent Kits
          4. Install Agents
        5. Test Applications and Review Logs
          1. Create Basic Exception Policies, Modules, and Rules
          2. Test Applications
          3. Review Logs
        6. Convert Agents to Protect Mode
          1. Test Applications
          2. Review Logs and Build Exceptions as Required
          3. Test Agent Protection Capabilities
        7. Documentation
          1. Document CSA Configuration
          2. Document Host Configurations
          3. Document Test Procedures
      4. General Deployment Phase: Test Mode
        1. Create a Deployment Schedule and Phased Installation Plan
        2. Deploy Agents and Monitor Progress Against System Inventory
          1. Create Application Investigation Jobs and Run Application Deployment Reports
          2. Place Machines in Proper Application Groups
        3. Test CSA MC Functionality and Response
      5. General Deployment Phase: Protect Mode
        1. Convert Selected Hosts to Protect Mode
        2. Monitor Logs and System Activity
        3. Review Security Policy and Acceptable Use Policies and Build Appropriate Exceptions
      6. Operational Maintenance
        1. Database Maintenance
        2. System Backups
        3. Test System Patches in Lab
        4. Test Non-CSA Application Upgrades in Lab
        5. Run Application Deployment Unprotected Hosts Report to Find Machines Without CSA
        6. CSA Upgrades
          1. Upgrading MC
        7. Upgrading Agents
    13. B. Cisco Security Agent 5.0
      1. Operating System Support
      2. System Warnings
      3. Status Summary Screen
        1. Network Status
        2. Most Active
      4. Event Log Changes
      5. Group Level Changes
      6. Hosts
        1. Recycle Bin
        2. Host Management Tasks
        3. Combined Policy State Set Notation
      7. Rule Modules
      8. Rules
        1. Actions
        2. New Set Action
      9. Searching
        1. Hosts Search
        2. Rules Search
      10. Agent Diagnostics
      11. Database Maintenance Information
      12. Resetting the Security Agent
      13. Summary