CSA provides several more robust security features than a traditional antivirus or a personal firewall solution. The rich security features of CSA include:
• Host intrusion prevention
• Protection against spyware
• Protection against buffer overflow attacks
• Distributed host firewall features
• Malicious mobile code protection
• Operating system integrity assurance
• Application inventory
• Extensive audit and logging capabilities
• Protection against file modification or deletion
The CSA solution has two major components:
• Cisco Security Agent Management Center (CSA-MC): The management console where all groups, policies, and agent kits are configured
• Cisco Security Agent: The agent installed on end-user machines
The CSA-MC is the central management system that allows you to define and distribute policies, provide software updates, and maintain communications with the CSAs installed on end-user machines and servers. CSA-MC comes with a list of predefined groups you can use to meet initial needs. A group is the only element required to build an agent kit. The use of groups eases the management of large numbers of agents. When using groups, you can consistently apply the same policy to numerous hosts.
Agent kits are the configuration and installation packages of the agent software to be deployed to end-user machines. You must associate agent kits with configured groups. Agents installed on end-user hosts are automatically placed into their assigned group or groups when they register with CSA-MC. The agents enforce the associated policies of each group.
NOTE Chapter 12, “Case Studies,” includes a case study showing the deployment of CSA. You can get more information and documentation at http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html.
It is recommended that you place the CSAMC server on your management network (management VLAN). When doing this, you need to understand how the agents communicate with CSAMC and vice versa. The agents communicate with CSAMC over TCP port 5401, with a fallback to TCP port 443 (if TCP port 5401 communication is not possible). By default, CSA Profiler uses TCP port 5402 to communicate with CSAMC; however, this is configurable. Make sure that any firewalls or filtering devices allow this communication. CSAMC must be reachable from all systems that are running the agent. Another important factor is that the hardware running CSAMC must be sized appropriately. The current version of CSAMC is capable of managing up to 100,000 agents. However, it is recommended that you install and strategically deploy additional CSAMC servers depending on your network topology and geographical needs.
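The following Python check is an added example, not from the book or from Cisco: run from a host on each agent subnet, it mirrors the agent's port order described above (TCP 5401 first, then TCP 443) and separately probes the CSA Profiler port, so you can confirm that the firewalls and ACLs between the agent subnets and the management VLAN allow the traffic before agent kits are rolled out. The CSA-MC hostname is a placeholder you supply on the command line.

```python
"""Reachability check for CSA-MC from an agent subnet (added example)."""
import socket
import sys
from typing import Callable, Dict, Optional

AGENT_PORTS = (5401, 443)   # primary port, then the fallback the agent uses
PROFILER_PORT = 5402        # default CSA Profiler port; configurable on CSA-MC

Probe = Callable[[str, int], bool]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def agent_path(host: str, probe: Probe = tcp_open) -> Optional[int]:
    """Return the first port an agent could use (5401, then 443), or None."""
    for port in AGENT_PORTS:
        if probe(host, port):
            return port
    return None


def check_csamc(host: str, profiler_port: int = PROFILER_PORT,
                probe: Probe = tcp_open) -> Dict[str, object]:
    """Summarise agent and Profiler reachability to a CSA-MC host.

    using_fallback=True means 5401 is blocked somewhere on the path even
    though the agent would still register over 443; that is worth fixing
    rather than relying on the fallback.
    """
    port = agent_path(host, probe)
    return {
        "agent_port": port,
        "using_fallback": port == 443,
        "profiler_ok": probe(host, profiler_port),
    }


if __name__ == "__main__":
    # Hostname below is a placeholder; pass your CSA-MC address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "csamc.example.internal"
    for key, value in check_csamc(target).items():
        print(f"{key}: {value}")
```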
NOTE For a list of hardware requirements, refer to the release notes on the Cisco website at http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html.
During the lab test and pilot phases, it is recommended that you start by using the default CSA policies (depending on the type of system where the agent is installed). The default CSA policies provide a good level of protection to the end hosts. Tuning these policies is recommended; however, even untuned, the default policies are known for stopping new and unknown threats.
Always select at least one host for each distinct application environment during the initial testing phase. During the pilot, the test hosts should be a mirror sample of the production systems. In addition, you may want to use a test machine for each server type to ensure that the CSA agent software installation has no negative impact. It is also recommended that you create a group for each type of application environment that needs to be protected. Building and tuning CSA policies is a continuous task; therefore, you must have the proper staff and procedures to minimize the administrative burden. The security staff is responsible not only for maintaining the CSAMC policies, but also for creating and organizing exception rules appropriately, and for monitoring user activity. You can organize the exception rules as follows:
• Create a global exception policy to allow legitimate traffic and application behavior that is required on all the systems within the organization. Subsequently, add these global exception rules to this exception policy.
• Create one exception policy for each group.
• Apply these policies to their respective groups, and collect all necessary data to complete any additional tuning.
When you start the deployment of the agent kits throughout the organization, always start by deploying the agents in test mode throughout your organization. It is a best practice to collect and analyze results and start policy tuning (as needed). After the initial tuning is done, enable protection mode.
NOTE Make sure that your security, operations, and engineering staff members are trained to support your deployment.
Network Admission Control
In Chapter 1, “Overview of Network Security Technologies,” you learned the concepts of Network Admission Control (NAC) and the differences between the appliance-based approach and the architecture-based framework solution. The architecture-based framework solution is intended to use a collection of both Cisco networking and security technologies, as well as existing deployments of security and management solutions from other vendors. This section includes several best practices when implementing NAC within your environment. These best practices can be followed when preparing, designing, or implementing any of the NAC solutions (Framework or Appliance).
NOTE Chapter 12 includes a case study where NAC is deployed. The configuration of NAC Appliance and NAC Framework components is also in that chapter.