Cisco Security Agent
Provisional Chinese title: Cisco 安全代理

Chad Sullivan

  • Publisher: Cisco Press
  • Publication date: 2005-06-11
  • List price: $2,390
  • VIP price (95% of list): $2,271
  • Language: English
  • Pages: 456
  • Binding: Paperback
  • ISBN: 1587052059
  • ISBN-13: 9781587052057
  • Related categories: Cisco, Information security
  • Out of print


Product description

Description:

Prevent security breaches by protecting endpoint systems with Cisco Security Agent, the Cisco host Intrusion Prevention System

  • Secure your endpoint systems with host IPS
  • Build and manipulate policies for the systems you wish to protect
  • Learn how to use groups and hosts in the Cisco Security Agent architecture and how the components are related
  • Install local agent components on various operating systems
  • Explore the event database on the management system to view and filter information
  • Examine Cisco Security Agent reporting mechanisms for monitoring system activity
  • Apply Application Deployment Investigation to report on installed applications, hotfixes, and service packs
  • Collect detailed information on processes and see how they use and are used by system resources
  • Create and tune policies to control your environment without impacting usability
  • Learn how to maintain the Cisco Security Agent architecture, including administrative access roles and backups

Cisco Security Agent presents a detailed explanation of Cisco Security Agent, illustrating the use of host Intrusion Prevention Systems (IPS) in modern self-defending network protection schemes. At the endpoint, the deployment of a host IPS provides protection against both worms and viruses. Rather than focusing exclusively on the reconnaissance phases of network attacks, a host IPS approaches the problem from the other direction, preventing malicious activity on the host by focusing on behavior. By changing the focus to behavior, damaging activity can be detected and blocked, regardless of the attack.


Cisco Security Agent is an innovative product in that it secures the portion of corporate networks that is in the greatest need of protection: the end systems. It also has the ability to prevent a day-zero attack, which is a worm that spreads from system to system, taking advantage of vulnerabilities in networks where either the latest patches have not been installed or patches are not yet available. Cisco Security Agent utilizes a unique architecture that correlates behavior occurring on the end systems by monitoring clues such as file and memory access, process behavior, COM object access, and access to shared libraries, as well as other important indicators.


Cisco Security Agent is the first book to explore the features and benefits of this powerful host IPS product. Divided into seven parts, the book provides a detailed overview of Cisco Security Agent features and deployment scenarios. Part I covers the importance of endpoint security. Part II examines the basic components of the Cisco Security Agent architecture. Part III addresses agent installation and local use. Part IV discusses the Cisco Security Agent management console’s reporting and monitoring capabilities. Part V covers advanced Cisco Security Agent analysis features. Part VI covers Cisco Security Agent policy, implementation, and management. Part VII presents additional installation and management information.


Whether you are evaluating host IPS in general or looking for a detailed deployment guide for Cisco Security Agent, this book will help you lock down your endpoint systems and prevent future attacks.


“While there are still a lot of ways that security can go wrong, Cisco Security Agent provides a defense even when something is wrong. I remember the email that came around from our system administrator that said, ‘There’s something attacking our web server. We’re not sure what it is, but Stormwatch is blocking it.’ That was the Nimda worm, the first of a long line of attacks stopped by Cisco Security Agent.”

–Ted Doty, Product Manager, Security Technology Group, Cisco Systems®


This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Table of Contents:

Foreword

Introduction

Part I   The Need for Endpoint Security

Chapter 1   Introducing Endpoint Security

The Early Days: Viruses and Worms

Virus Emergence and Early Propagation Methods

LAN Propagation

The WAN and Internet

The Network Worm

The Single Environment and Its Consequences

The Present: Blended Threats

Delivery and Propagation Mechanisms

The Bundled Exploit

Persistence

Paralyzing or Destructive Behavior

The Global Implications

Spyware

The Insider

Understanding Point Security Weaknesses

Using Point Security Products

Candy Shell Security

Backdoor Attack Vectors

Using Attack-Detection Methods

Signature-Based Attack Detection

Log File Scraping

Application Fingerprinting

Behavior-Based Attack Detection

Automation

Establishing a Security Policy

Understanding the Need for a Security Policy

Compliance Versus Enforcement

Summary

Chapter 2   Introducing the Cisco Security Agent

Intrusion Prevention and Intrusion Detection Technologies

The Life Cycle of an Attack

CSA Capabilities

Globally Automated Correlation and Reaction

Distributed Firewall

Application Control

File and Directory Protection

Network Admission Control

CSA Analysis

CSA Components Overview

Management Console

Agent

CSA Communication

Necessary Protocols and Ports

Pull Model

Push/Hint Capability

CSA’s Role Within SAFE

Summary

Part II   Understanding the CSA Building Blocks

Chapter 3   Understanding CSA Groups and Hosts

The Relationship Between Groups and Hosts

Understanding CSA Groups

Introducing the Group Types

Mandatory Groups

Predefined Groups

Custom Groups

Viewing Groups

Creating a Custom Group

Exploring Predefined Groups

The Desktops—All Types Group

Other Predefined Groups

Viewing and Changing Group Membership

Viewing Group-Associated Events

Understanding CSA Hosts

Viewing Host Configuration

Polling Intervals

Using Test Mode

Working with Hosts

Changing a Host’s Group Membership

Viewing Host-Associated Events

Summary


Chapter 4   Understanding CSA Policies, Modules, and Rules

The Relationship Between Policies, Modules, and Rules

Establishing Acceptable Use Documents and Security Policies

CSA Rules

Understanding State Sets

User State Sets

System State Sets

State Set Management

Understanding Rule Actions

Understanding Query Options

Rule Precedence and Manipulation

Other Common Rule Configuration Options

CSA Rule Types

Agent Service Control [W and U]

Agent UI Control [W and U]

Application Control [W and U]

Clipboard Access Control [W]

COM Component Access Control [W]

Connection Rate Limit [W and U]

Data Access Control [W and U]

File Access Control [W and U]

File Version Control [W]

Kernel Protection [W]

Network Access Control [W and U]

Network Shield [W and U]

NT Event Log [W]

Registry Access Control [W]

Service Restart [W]

Sniffer and Protocol Detection [W]

System API [W]

Buffer Overflow [U]

Network Interface Control [U]

Resource Access Control [U]

Rootkit/Kernel Protection [U]

Syslog Control [U]

CSA Rule Modules

Working with Rule Modules

Comparing Rule Modules

Creating a Rule Module

Using CSA Predefined Rule Modules

CSA Policies

Understanding Policy Settings

Using CSA Predefined Policies

Policy Relationship to Groups and Agents

Mandatory Groups and Combined Rule Precedence

Summary

Chapter 5   Understanding Application Classes and Variables

Using Application Classes

Purpose of CSA MC Built-In Application Classes

Configuring Application Classes

Built-In Application Classes

Introducing Static and Dynamic Application Classes

Creating a Static Application Class

Configuring Dynamic Application Classes

Managing Application Classes

Controlling Shell Scripts

System Processes

Introducing Variables

Network Address Sets

Network Services Sets

Data Sets

File Sets

Dynamically Quarantined Files and IP Addresses

Query Settings

COM Component Sets

Registry Sets

Summary

Part III   CSA Agent Installation and Local Agent Use

Chapter 6   Understanding CSA Components and Installation

General CSA Agent Components Overview

CSA Installation Requirements

Software and Hardware Requirements

Additional Installation Requirements

CSA MC Server and Database

Communication Security

Agent Kits

Creating an Agent Kit

To Shim or Not to Shim?

Installing Agent Kits

Installing a Windows Agent Kit

Installing a Solaris Agent Kit

Installing a Linux Agent Kit

Immediately Rebooting the System After Installation

Scripted Installation

Installing Software Updates

Uninstalling an Agent Kit

Summary

Chapter 7   Using the CSA User Interface

Windows Agent Interface

Windows Agent Tray Icon

Windows System Tray Options Menu

The CSA User GUI

Windows Agent—Status

Windows Agent—System Security

Windows Agent—System Security > Untrusted Applications

Local Firewall Settings

CSA Audible Notifications

Windows Programs Menu

CSA Local Directories and Tools

CSA User Interaction

Stopping a CSA Agent

Linux Agent Interface

Solaris Agent Interface

csactl Utility

Stopping the Solaris Agent

Summary

Part IV   Monitoring and Reporting

Chapter 8   Monitoring CSA Events

Status Summary

Network Status

Event Counts per Day

Refresh

Event Log

Filtering the Event Log

Interpreting and Using the Event Log

Understanding Event Field Information

Details

Rule Number

Event Wizard

Find Similar

Event Monitor

Event Log Management

Event Insertion Tasks

Auto-Pruning Tasks

Event Sets

Alerts

Summary

Chapter 9   Using CSA MC Reports

Audit Trail Reporting

Event Reporting

Events by Severity Reports

Events by Group Reports

Group Detail Reporting

Host Detail Reporting

Policy Detail Reporting

Report Viewing

Creating a Sample Report

Summary

Part V   Analyzing CSA

Chapter 10    Application Deployment Investigation

Using Application Deployment Investigation

Group Settings

Product Associations

Unknown Applications

Data Management

Using Application Deployment Reports

Antivirus Installations Report

Installed Products Report

Network Data Flows Report

Network Server Applications Report

Product Usage Report

Unprotected Hosts Report

Unprotected Products Report

Summary

Chapter 11    Application Behavior Analysis

Understanding Application Behavior Investigation Components

Configuring Application Behavior Investigation

Using Application Behavior Investigation on the Remote Agent

Analyzing Log Data

Viewing Behavior Reports

File Events

Directory Summary

Individual File Summary

All Events

Registry Events

Key Summary

All Events

COM Events

Object Summary

All Events

Network Events
