Verdict:
It will take a while to customise, but CSA is a comprehensive network security tool with excellent management and monitoring features that doesn't rely on regular updates to combat the latest threats.
The majority of network security products on the market today take a reactive approach to prevention, making them potentially vulnerable in the early stages of an attack. Anti-virus systems require regular signature updates, anti-spam tools want fingerprints, while intrusion prevention software often needs attack lists to tell it what to look for. CSA (Cisco Security Agent) takes a more proactive approach to intrusion prevention. It uses behavioural analysis to decide whether an attack is taking place, and doesn't require regular downloads to keep it ahead of the latest threats.
CSA started life in 1999 as StormWatch from Okena Inc, prior to the company's acquisition by Cisco last year. The basic concept of the software hasn't changed much, nor does it need to as it's designed to sit between the OS kernel and applications. From here, it controls access to system and network resources plus calls to files, the Registry, COM objects and so on. CSA uses access policies comprising sets of rules that determine what's acceptable application behaviour, allowing it to grant or deny access to specific resources. The software comprises two main components - the Manager and Agent, with the former designed to provide centralised management and easy deployment of agents and policies. Agents comprise a collection of interceptors that watch for key activities on the host system including network traffic, network applications, Registry activity and file access. They then deny or allow access depending on the policies assigned to them.
Installation starts at the designated management server, which must be running Windows 2000 Server since Server 2003 isn't yet supported. However, at the time of writing Cisco had just released an agent for the latter OS that we included in the testing. Agent deployment is simple enough, as you email users with a URL pointing to the relevant page on the management server where they just select the appropriate package. All access to CSA is from the Java-based CiscoWorks interface, which provides a central repository for managing just about every type of Cisco product. The CSA interface is easy to use and provides plenty of information about Agent activity.
The Monitor tab shows a simple graph with warnings and alerts, or you can delve deeper and see the hosts that generated the alerts, the reasons, which rule triggered each alert and the responses from the user. Before deploying the Agent it would be advisable to take time out and decide what policies you want to apply. The default policies cover most areas, but CSA offers a huge range of rules that can be configured for virtually any scenario. Hosts that have registered with the CSA Manager can be placed into groups to streamline deployment, and new policies and updates will then be sent to them automatically.
For testing we used a variety of attacks including NMAP, IP port scans using Ipswitch's WhatsUp Gold and the SilentLog key-logging tool. Suffice it to say that CSA spotted them all and logged plenty of details about each one. For the port scans it noted that, as an unusual number of port probes had been detected in a relatively short space of time, it was possible that some nefarious activity was taking place. SilentLog didn't stand a chance: when we tried to run it the CSA Agent warned us that it had detected an attempt to capture all keystrokes and offered options for allowing the process to continue or terminating it. Even our screen-capture utility fell foul of CSA, as the capture activation process was also considered to be a keystroke-logging activity.
Any program installations also received short shrift and were blocked every time by the Agent. The key-logger utility activated the CSA trojan rule and from the monitor screen we could drill down and see how many times this had triggered alerts on the network. You can then decide from drop-down lists which types of application classes are to be made exempt. CSA gets even smarter as an event-management wizard is provided for each alert. This allows you to create an exception that will permit the action, or you can leave the agent profiler to analyse the event and suggest a course of action. This is a handy tool as you can deploy it to specific hosts where it monitors selected applications and creates custom policies for allowing or denying access to certain programs.
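To make the behaviour-based model described above concrete, here is a small policy engine written as an added illustration for this review; it is not Cisco's code and does not reproduce CSA's actual rule format. It models what the article describes: interceptor events (file, Registry, network, keyboard) are matched against a set of rules that allow or deny access to a resource, application classes can be exempted from a rule to create an exception, a rate heuristic flags an unusual number of port probes from one source in a short window, and denied events feed a monitor-style alert list. All event data, rule names, application-class labels, paths and addresses are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One observation from a host interceptor (all values constructed for the demo)."""
    host: str
    subject: str      # local process name, or the remote address for network events
    app_class: str    # hypothetical class label assigned by the administrator
    kind: str         # which interceptor saw it: "file", "registry", "network", "keyboard"
    resource: str     # path, registry key, "tcp/<port>" or "hook/keystroke"
    ts: float         # time in seconds


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str
    resource_prefix: str
    action: str                                 # "allow" or "deny"
    exempt_classes: frozenset = frozenset()     # application classes excused from this rule


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str


class PolicyEngine:
    """Evaluates interceptor events against ordered rules plus a port-probe rate heuristic."""

    def __init__(self, rules: List[Rule], probe_threshold: int = 10, window: float = 5.0):
        self.rules = rules
        self.probe_threshold = probe_threshold      # distinct ports within the window that count as a scan
        self.window = window                        # seconds
        self._probes: Dict[Tuple[str, str], Deque[Tuple[float, str]]] = defaultdict(deque)
        self.alerts: List[str] = []                 # what a monitor view would display

    def _port_scan_check(self, ev: Event) -> Optional[Decision]:
        """Sliding-window count of distinct ports probed by one remote source on one host."""
        q = self._probes[(ev.host, ev.subject)]
        q.append((ev.ts, ev.resource))
        while q and ev.ts - q[0][0] > self.window:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= self.probe_threshold:
            msg = f"{ev.host}: {len(distinct)} distinct ports probed by {ev.subject} within {self.window}s"
            self.alerts.append(msg)
            return Decision("deny", "probable port scan: " + msg)
        return None

    def evaluate(self, ev: Event) -> Decision:
        if ev.kind == "network":
            hit = self._port_scan_check(ev)
            if hit:
                return hit
        for rule in self.rules:     # first matching rule wins
            if rule.kind == ev.kind and ev.resource.startswith(rule.resource_prefix):
                if ev.app_class in rule.exempt_classes:
                    return Decision("allow", f"exception: class {ev.app_class} exempt from {rule.name}")
                if rule.action == "deny":
                    self.alerts.append(f"{ev.host}: {rule.name} blocked {ev.subject} -> {ev.resource}")
                return Decision(rule.action, rule.name)
        return Decision("allow", "no matching rule (default allow)")


# Constructed rule set: names and prefixes are illustrative, not CSA's own.
RULES = [
    Rule("keystroke-capture", "keyboard", "hook/", "deny"),
    Rule("program-install", "file", "C:\\Program Files\\", "deny", frozenset({"software-distribution"})),
    Rule("system-registry-write", "registry", "HKLM\\SOFTWARE\\", "deny"),
]


def demo() -> dict:
    """Run constructed events through the engine and return the decisions for inspection."""
    eng = PolicyEngine(RULES, probe_threshold=10, window=5.0)
    out = {}
    out["keylogger"] = eng.evaluate(Event("ws1", "silentlog.exe", "unclassified", "keyboard", "hook/keystroke", 1.0)).action
    out["install"] = eng.evaluate(Event("ws1", "setup.exe", "unclassified", "file", "C:\\Program Files\\Foo\\foo.exe", 2.0)).action
    out["install_exempt"] = eng.evaluate(Event("ws1", "dist.exe", "software-distribution", "file", "C:\\Program Files\\Foo\\foo.exe", 3.0)).action
    out["doc_read"] = eng.evaluate(Event("ws1", "winword.exe", "office", "file", "C:\\Users\\bob\\report.doc", 4.0)).action
    # twelve probes to distinct ports from one address within about a second
    scan = [eng.evaluate(Event("ws1", "10.0.0.5", "remote", "network", f"tcp/{p}", 10.0 + p * 0.1)).action
            for p in range(1, 13)]
    out["scan_first_allowed"] = scan[0]
    out["scan_denied_at"] = scan.index("deny") + 1
    out["alerts"] = len(eng.alerts)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exemption list on the program-install rule is the equivalent of the drop-down exception described above: the same file write is denied for an unclassified process and allowed for a process in the exempt class, without editing the rule's resource match. The rate heuristic deliberately keys on distinct ports rather than raw packet count, so a single busy connection does not trip it.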
The proactive approach to network security is clearly becoming more desirable - the MailGate from Tumbleweed (see p200) is another good example that uses intent analysis rather than signature files. The Cisco Security Agent will require a lot more initial configuration work, as the policies and rules will probably need customising. The management interface is also geared up for Cisco-centric networks. However, it does offer tough security measures plus extremely good reporting. The fact that it doesn't require updates to be regularly downloaded and deployed network-wide will reduce the administrative burden significantly, too.
By Dave Mitchell
SPECIFICATIONS:
Manager: 500MHz Pentium II; 384MB RAM; 2GB hard disk space; Windows 2000 Server. Desktop/Server Agents: 200MHz Pentium; 128MB RAM; 15MB hard disk space; Windows NT 4, 2000, XP, 2003.