Cisco Security Agent
In addition to antivirus protection, you must protect the operating system against other threats from the network, such as DoS attacks. For this purpose, Cisco provides Cisco Security Agent (CSA) software to install on every Cisco CallManager system. CSA implements a host-based intrusion prevention system (HIPS), which provides an additional layer of protection against known and unknown attacks. At the same time, CSA provides security services not offered by the host operating system, such as personal firewall protection, software keylogger detection, and protection against abnormal application behavior.
Cisco Security Agent is designed to protect the endpoint from network-borne attacks, and it enforces its protection rules on several levels. One of them is the protection of the underlying operating system from potentially hostile applications. Cisco Security Agent provides three basic areas of operating system protection:
- Protection of operating system integrity: Cisco Security Agent policy rules always prohibit modification of sensitive system files and Registry settings. For example, applications cannot change files in the Windows system folder.
- Prevention or restriction of application misbehavior resulting from injection of hostile code or other network attacks: Several policy rules are dynamic and allow or disallow local resource access based on the behavior of the application and, hence, its potential "hostility." For example, if a client application accesses the network, it is automatically considered less trusted, and its access to local resources is further restricted.
- Endpoint, or "personal," firewalls: Cisco Security Agent can allow or deny network access to any local application and, hence, minimize access to and from the system, enforcing the least-privilege principle.
Cisco Security Agent (CSA) operates independently of native operating system functions, providing an independent layer of protection that prevents attacks even when the native operating system access control methods are breached. You should never deploy the CSA in place of strong host security, but as an additional protective layer to provide protection methods not available in the host operating system.
The rationale behind the behavioral approach is that although the number of methods and exploits for attacking a system is extremely large, the number of possible consequences of these attacks is relatively small. For example, an attacker may persuade a web server to execute a local file, or an executable e-mail attachment may attempt to modify the Windows Registry; whatever the delivery method, the resulting behavior belongs to the same small set of suspicious actions. CSA recognizes application behavior that leads to or follows an attack and prevents the malicious actions. This is also why CSA does not require constant signature updates; its policies need to be updated only if a completely different class of attack appears, which is relatively rare.
CSA for IP telephony servers is available in two versions:
- Headless agent: This version comes with a set of rules for a specific server platform, such as Cisco CallManager; no further configuration is necessary.
- Managed agent: This version has to be configured with rules for the appropriate IP telephony servers. Predefined rules can be downloaded from Cisco.com.
Caution
Do not use the headless agent when running Cisco CallManager with collocated applications, such as Cisco IPCC Express, Cisco IP IVR, or Cisco IP QM, because the fixed policy of the headless agent will not support these applications (and as a consequence they will not work properly).
Cisco Security Headless Agent
The free headless agent has a fixed security policy and no centralized reporting capabilities. For each type of IP telephony server, a different (predefined) agent kit is available; each kit is configured with the policies and exceptions appropriate for a typical supported configuration of that server. Use the headless agent in environments where centralized reporting is not required or practical, where the IP telephony servers follow Cisco specifications for installed software and for system and application configuration, and where they carry no add-ons that might conflict with the security rules of the headless agent.
Note
The headless agent is also commonly referred to as the standalone CSA agent on the Cisco website.
Cisco Security Managed Agent
The managed version of CSA uses CiscoWorks VPN/Security Management Solution (VMS) and CSA Management Center (MC) for centralized policy distribution and allows event correlation and reporting. As with the headless agent, which comes in different configurations for different types of IP telephony servers, CSA MC also allows the administrator to load predefined, application-specific policies for each IP telephony server type.
Note
Cisco offers a free, predefined policy for the CSA Managed Agent that deploys the same CallManager security standards as the standalone CSA.
The managed agent should be used in environments where centralized reporting is required; where servers do not use a typical configuration (for example, nondefault TCP or UDP ports) or have special application requirements (for example, custom systems management software); or where the default policies need to be augmented with site-specific protection requirements.
Deployment of the managed agent also allows the use of CSA Profiler, an expert add-on tool that can, to a large extent, automate the generation of custom application policies. This add-on allows an expert CSA administrator to further enhance the built-in policies and confine every IP telephony application to a sandbox, similar to the functions that the built-in Restrictive MS IIS Module and Restrictive MS SQL Server Module provide for those two applications.
The CSA Profiler must be purchased separately, but it does not require any other software to be installed on the profiled servers.
CSA Supported Applications
CSA is available for Cisco CallManager Release 3.2(3), 3.3, and later. To use CSA for another Cisco IP telephony application, check the CSA administration manual to determine whether Cisco supports CSA for that particular application.
This is a list of software add-ons that are supported with CSA on the same server:
- BMC PATROL
- Concord eHealth Monitor
- Diskeeper Server Standard Edition 8.0.478.0
- HP OpenView Operations Agent 7.1
- HP OpenView Performance Manager 3.3
- Integrated Research PROGNOSIS
- McAfee VirusScan 7.0
- Micromuse Netcool
- NAI ePolicy Agent
- NetIQ Vivinet Manager
- RealVNC VNC
- Symantec AntiVirus Corporate Edition 8.0
- Trend Micro AntiVirus
- Windows Terminal Services
Note
The Cisco Security Agent headless agent and the Cisco Security Agent policies for the Cisco Security Agent MC are both available at http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des (Cisco CCO account required).
CSA Protection
The CSA default operating system protection rules for IP telephony servers provide basic operating system hardening and integrity protection and contain rule exceptions for supported add-on applications. In regard to local resource access control, these policies can be summarized as follows:
- Allow specific actions required by basic operating system processes
- Protect the integrity of the system binaries and other sensitive files from local applications
- Protect the integrity of the system Registry from local applications
- Allow all other actions (including network access and access to local files as dictated by the native security of the local host, for example, file ACLs in Windows)
In addition to these basic rules, many other rule modules constitute the total CSA protection policy of a system.
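To make the rule classes concrete, the three protection areas listed earlier (integrity protection, dynamic trust downgrade after network access, and least-privilege network access), the behavioral rationale behind them, and the four-point policy summary just above are modeled below as a toy, stateful policy engine. This is an added illustration written for this page; it is not Cisco code and does not reproduce CSA's actual policy language. The process names, protected paths and Registry keys, the supported add-on exception, and the event trace are all constructed. The point it shows that the prose does not is the ordering and statefulness of the decisions: the same `exec` is allowed for a process that never touched the network and denied for one that did, and a supported add-on can write where every other application is blocked.

```python
from dataclasses import dataclass

# Constructed/assumed policy data. Real CSA policies are far more detailed;
# these values exist only to make the rule classes concrete.
OS_PROCESSES = {"services.exe", "winlogon.exe", "lsass.exe"}  # basic OS processes (rule 1)
SUPPORTED_ADDONS = {"mcshield.exe"}                          # exception for a supported AV engine
PROTECTED_DIRS = ("c:\\winnt\\system32\\",)                  # system binaries (rule 2)
PROTECTED_KEYS = ("hklm\\system\\",                          # sensitive Registry hives (rule 3)
                  "hklm\\software\\microsoft\\windows nt\\")
USER_AREA = "c:\\documents and settings\\"                   # where an untrusted process may still write


@dataclass(frozen=True)
class Event:
    process: str
    action: str   # net_connect | file_write | reg_write | exec
    target: str   # remote endpoint, file path, Registry key, or executable


@dataclass(frozen=True)
class Decision:
    event: Event
    verdict: str  # allow | deny
    rule: str     # which rule class decided


class HipsEngine:
    """Stateful evaluator: a process's trust drops once it touches the network."""

    def __init__(self):
        self.network_touched = set()

    def evaluate(self, ev):
        proc = ev.process.lower()
        target = ev.target.lower()

        # Rule 1: basic OS processes get the specific actions they need.
        if proc in OS_PROCESSES:
            return Decision(ev, "allow", "os-process")

        # Rules 2 and 3: integrity of system binaries and the Registry,
        # with an explicit exception for supported add-ons.
        if ev.action == "file_write" and target.startswith(PROTECTED_DIRS):
            if proc in SUPPORTED_ADDONS:
                return Decision(ev, "allow", "addon-exception")
            return Decision(ev, "deny", "system-file-integrity")
        if ev.action == "reg_write" and target.startswith(PROTECTED_KEYS):
            return Decision(ev, "deny", "registry-integrity")

        # Dynamic rule: network access is allowed, but it lowers trust for
        # the rest of the process lifetime.
        if ev.action == "net_connect":
            self.network_touched.add(proc)
            return Decision(ev, "allow", "default-allow")
        if proc in self.network_touched:
            if ev.action == "exec":
                return Decision(ev, "deny", "untrusted-exec")
            if ev.action == "file_write" and not target.startswith(USER_AREA):
                return Decision(ev, "deny", "untrusted-write")

        # Rule 4: everything else falls through to native OS security (file ACLs).
        return Decision(ev, "allow", "default-allow")


def run_trace(events):
    """Evaluate an ordered event trace with a fresh engine; returns the decisions."""
    engine = HipsEngine()
    return [engine.evaluate(ev) for ev in events]


# Constructed trace: a web server coaxed into launching a shell and dropping a
# file, an e-mail attachment trying to persist via the Registry, a supported
# AV engine updating itself, and ordinary user activity.
SAMPLE_TRACE = [
    Event("services.exe", "reg_write", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\csagent\\Start"),
    Event("inetinfo.exe", "net_connect", "10.1.1.5:80"),
    Event("inetinfo.exe", "exec", "C:\\WINNT\\system32\\cmd.exe"),
    Event("inetinfo.exe", "file_write", "C:\\Inetpub\\wwwroot\\shell.asp"),
    Event("explorer.exe", "exec", "C:\\Documents and Settings\\admin\\invoice.exe"),
    Event("invoice.exe", "reg_write", "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"),
    Event("mcshield.exe", "file_write", "C:\\WINNT\\system32\\drivers\\scan.sys"),
    Event("ccm.exe", "file_write", "C:\\WINNT\\system32\\injected.dll"),
    Event("notepad.exe", "file_write", "C:\\Documents and Settings\\admin\\notes.txt"),
]

if __name__ == "__main__":
    for d in run_trace(SAMPLE_TRACE):
        print(f"{d.verdict:5} {d.rule:22} {d.event.process:13} {d.event.action:11} {d.event.target}")
```

Running the trace denies the web server's shell launch and web-root write, the attachment's Winlogon persistence, and the unexplained DLL drop into system32, while the AV engine's write is admitted through its add-on exception and the user's file write falls through to native file ACLs. Removing the add-on from SUPPORTED_ADDONS is exactly the "false positive" situation discussed under the guidelines below: the same write is then reported as an integrity violation.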
CSA Guidelines
At a minimum, for each server, deploy the headless CSA, as shown in Figure 20-5. The built-in operating system protection policies are sound and generally do not require tuning for enhanced protection, except where dictated by the site policy.
Figure 20-5. Headless (or Standalone) CSA Interface
So-called "false positives," events that are erroneously classified as attacks, are very likely when you use unsupported server add-ons, such as system management software or unsupported antivirus software. To eliminate this behavior, deploy the managed agent and grant these applications the permissions they require so that CSA does not classify their actions as malicious.
CSA also provides personal firewall functions by restricting network connections to the server. The headless agent has a fixed policy that allows all inbound connections to the server, and this cannot be changed. If you want to use CSA to control network connectivity to the server, you have to use the managed agent. Alternatively, you could use native Windows IP security filtering or rely solely on packet filtering by network devices, such as routers or firewalls.
CSA by default allows the agent service to be stopped by the local administrator (using the net stop csagent command). When using the managed version of CSA, you can apply an agent policy that blocks the local administrator from stopping the agent.
Tip
Install CSA on the Cisco CallManager server only after you have applied the security template. Otherwise, CSA treats many of the template's modifications as attacks on the CallManager server.
Administrator Password Policy