The majority of network security products rely on regular downloads of anti-virus signatures and attack databases to keep up with each new threat as it is identified. This reactive approach may be reasonably well automated, but the software will always be reliant on the reaction speed of each vendor, resulting in a small but potentially significant lag as defences are stiffened against the next attack. Another method that has been around for many years is behavioral analysis, which protects against known and unknown threats without the need for regular downloads.
Cisco Security Agent (CSA) is one such product that aims to provide a front-line defence against a range of threats including viruses, Trojans, worms, attacks such as SYN floods, and network intrusion attempts internally and externally. The agent component is loaded locally on each protected server and workstation and it installs itself beneath the API and system interface where it can validate all calls to the operating system’s kernel. This low-level mode of operation also allows it to offer some unique features such as preventing attacks that exploit buffer overflows. The agent relies entirely on policies which contain sets of rules that are used to determine what is permitted to run on each client.
Clearly, CSA has a wide range of uses and Cisco even suggests that laptops with the agent installed can do away with personal firewall software when connecting directly to the Internet. One notable point is that these types of security products are well established – CSA was originally launched as StormWatch by Okena Inc. way back in 1999 and the company was acquired by Cisco last year. Entercept is another example and the company was acquired by McAfee at around the same time.
CSA is managed from the CiscoWorks console, which smaller networks less reliant on Cisco for their networking infrastructure will find a cumbersome beast, designed as it is to look after all of Cisco’s Threat Defense System family of products. Even so, the CSA component is easy enough to use and the interface provides swift access to all features. A good range of agent kits are provided and each has a full set of default rules that will cover most eventualities. However, if you want to restrict access to specific applications you’ll need to customize them, and it’s here that CSA gets complicated due to the sheer range the rules cover.
General rules for spotting port scans and the like are easy enough to set up but creating rules for specific applications will probably require the bundled agent profiler to be downloaded to a system. This can monitor all the files used and calls made by the software and create a set of rules to handle access.
We found the default rules tough enough, as they spotted all attempts to install unauthorised software, although they did allow users to override the warning, so the default rules would probably need modifying. Port probes were spotted immediately and we were warned that an excessive number of port scans had been identified. We also tried to run a key logging utility, but CSA knew exactly what it was and blocked access immediately.
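To make the policy model described above concrete (rules deciding what each application may do, an agent profiler that derives rules from observed calls, and a probe detector that fires on an excessive number of port scans), here is an added illustrative example. It is not CSA's own rule format or code; the `Event`, `Rule`, `Policy`, `profile` and `ProbeDetector` names, the forward-slash paths and all sample events are constructed for the example. It also shows the hardening step the review hints at: turning the default "warn, user may override" verdict into an outright deny.

```python
"""Toy behavioural-policy engine, written to illustrate the review (hypothetical, not CSA's format)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One intercepted call, as an agent sitting beneath the API layer would see it."""
    process: str  # image name of the calling process
    action: str   # call class: exec, file_read, file_write, hook_keyboard, inbound_connect
    target: str   # object acted on: a path, or "source_ip:port" for network events


@dataclass(frozen=True)
class Rule:
    process: str        # "*" = any process
    action: str
    target_prefix: str  # "*" = any target, otherwise prefix match on the target
    verdict: str        # "allow", "warn" (user may override) or "deny"

    def matches(self, ev: Event) -> bool:
        return (self.process in ("*", ev.process)
                and self.action == ev.action
                and (self.target_prefix == "*" or ev.target.startswith(self.target_prefix)))


class Policy:
    """Ordered rule list: first match wins, anything unmatched falls to the default verdict."""
    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def evaluate(self, ev: Event) -> str:
        for rule in self.rules:
            if rule.matches(ev):
                return rule.verdict
        return self.default

    def hardened(self):
        """Same rules with every 'warn' turned into 'deny', removing the user override."""
        return Policy([Rule(r.process, r.action, r.target_prefix,
                            "deny" if r.verdict == "warn" else r.verdict) for r in self.rules],
                      self.default)


def profile(observed, process):
    """Derive allow rules for one application from calls recorded while exercising it
    (the profiler idea). Paths are generalised to their directory so sibling files match."""
    seen = set()
    for ev in observed:
        if ev.process != process:
            continue
        prefix = ev.target.rsplit("/", 1)[0] + "/" if "/" in ev.target else ev.target
        seen.add((ev.action, prefix))
    return [Rule(process, action, prefix, "allow") for action, prefix in sorted(seen)]


class ProbeDetector:
    """Raises one alert per source once it has touched `threshold` distinct local ports."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.ports_by_source = defaultdict(set)

    def observe(self, ev: Event) -> bool:
        if ev.action != "inbound_connect":
            return False
        source, port = ev.target.rsplit(":", 1)
        self.ports_by_source[source].add(port)
        return len(self.ports_by_source[source]) == self.threshold


# --- constructed sample data (hypothetical, not recorded from any real agent) ---
DEFAULT_POLICY = Policy([
    Rule("*", "exec", "C:/Program Files/", "allow"),
    Rule("*", "exec", "*", "warn"),            # unknown installer: warn, user may override
    Rule("*", "hook_keyboard", "*", "deny"),   # keystroke capture is denied outright
])

OBSERVED_WORD = [  # calls seen while a trusted word processor was exercised under the profiler
    Event("winword.exe", "file_read", "C:/Users/bob/Documents/report.doc"),
    Event("winword.exe", "file_write", "C:/Users/bob/Documents/report.doc"),
    Event("winword.exe", "file_write", "C:/Users/bob/AppData/Local/Temp/~wrd0001.tmp"),
    Event("explorer.exe", "file_read", "C:/Windows/System32/shell32.dll"),
]

SCAN = [Event("kernel", "inbound_connect", f"10.0.0.7:{p}") for p in (21, 22, 23, 25, 80, 443)]
SCAN.insert(2, Event("kernel", "inbound_connect", "10.0.0.9:80"))  # unrelated single connection


def run_scenarios():
    """Verdicts for representative events under the default, hardened and profiled rule sets."""
    installer = Event("setup.exe", "exec", "C:/Users/bob/Downloads/tool.exe")
    keylogger = Event("kl.exe", "hook_keyboard", "global")
    save = Event("winword.exe", "file_write", "C:/Users/bob/Documents/budget.doc")
    profiled = Policy(profile(OBSERVED_WORD, "winword.exe") + DEFAULT_POLICY.rules)
    return {
        "installer_default": DEFAULT_POLICY.evaluate(installer),
        "installer_hardened": DEFAULT_POLICY.hardened().evaluate(installer),
        "keylogger": DEFAULT_POLICY.evaluate(keylogger),
        "save_unprofiled": DEFAULT_POLICY.evaluate(save),
        "save_profiled": profiled.evaluate(save),
    }


def probe_alerts(events, threshold=5):
    """Indices of the events at which a source crossed the port-probe threshold."""
    detector = ProbeDetector(threshold)
    return [i for i, ev in enumerate(events) if detector.observe(ev)]


if __name__ == "__main__":
    print(run_scenarios())
    print(probe_alerts(SCAN))
```

The point of the default-deny fallback is the one the review makes about custom applications: until an application has been profiled, an unlisted call such as the word processor saving a document is refused, which is why the bundled profiler matters in practice. The `hardened()` step is the rule change the review says the defaults would probably need, since a warning the user can click through is not a control.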
When the agent kits are deployed you can specify that no user access is allowed and that they cannot be deactivated. Reporting tools are particularly good as the Monitor tab opens with a graph showing all alerts issued by the agents and each can be selected to find out which hosts sent them. The level of information provided is very detailed and you can easily see which rules were violated for any given alert. For more basic threats you can use a wizard which will either change the rules to accept the selected event or run the profiler to gather more information.
If you use the default policies CSA is generally very easy to set up and deploy. Although behavioral analysis security products are thin on the ground we’ve seen most of them at one time or another and CSA’s reporting and management facilities are amongst the best.
Products based on behavioral analysis have always had a much lower market profile than standard security products, as they are often viewed as being too complex. This may be true where extensive customization is required, but CSA does provide a wide range of default policies for most common scenarios, and its management and reporting facilities are some of the best we’ve seen for these types of products.