PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Cisco Security Agent 4

Verdict

It will take a while to customise, but CSA is a comprehensive network security tool with excellent management and monitoring features that doesn't rely on regular updates to combat the latest threats.

Review Date: 21 Sep 2004

Price when reviewed: Single server, £974; 100 servers, £799 each; 1,000 workstation agents, £27 each; CSA Starter Pack, £1,646 (all prices exc VAT)

Overall Rating
5 stars out of 6

PCPRO Recommended

The majority of network security products on the market today take a reactive approach to prevention, making them potentially vulnerable in the early stages of an attack. Anti-virus systems require regular signature updates, anti-spam tools want fingerprints, while intrusion prevention software often needs attack lists to tell it what to look for. CSA (Cisco Security Agent) takes a more proactive approach to intrusion prevention. It uses behavioural analysis to decide whether an attack is taking place, and doesn't require regular downloads to keep it ahead of the latest threats.

CSA started life in 1999 as StormWatch from Okena Inc, prior to the company's acquisition by Cisco last year. The basic concept of the software hasn't changed much, nor does it need to as it's designed to sit between the OS kernel and applications. From here, it controls access to system and network resources plus calls to files, the Registry, COM objects and so on. CSA uses access policies comprising sets of rules that determine what's acceptable application behaviour, allowing it to grant or deny access to specific resources. The software comprises two main components - the Manager and Agent, with the former designed to provide centralised management and easy deployment of agents and policies. Agents comprise a collection of interceptors that watch for key activities on the host system including network traffic, network applications, Registry activity and file access. They then deny or allow access depending on the policies assigned to them.

Installation starts at the designated management server, which must be running Windows 2000 Server since Server 2003 isn't yet supported. However, at the time of writing Cisco had just released an agent for the latter OS that we included in the testing. Agent deployment is simple enough, as you email users with a URL pointing to the relevant page on the management server where they just select the appropriate package. All access to CSA is from the Java-based CiscoWorks interface, which provides a central repository for managing just about every type of Cisco product. The CSA interface is easy to use and provides plenty of information about Agent activity. The Monitor tab shows a simple graph with warnings and alerts or you can delve deeper and see the hosts that generated the alerts, the reasons, which rule triggered the alert and the responses from the user. Before deploying the Agent it would be advisable to take time out and decide what policies you want to apply. The default policies cover most areas but CSA offers a huge range of rules that can be configured for virtually any scenario. Hosts that have registered with the CSA Manager can be placed into groups to streamline deployment, and new policies and updates will be automatically sent to them.

For testing we used a variety of attacks including NMAP, IP port scans using Ipswitch's WhatsUp Gold and the SilentLog key-logging tool. Suffice to say that CSA spotted them all and logged plenty of details about each one. For the port scans it noted that, as an unusual number of port probes had been detected in a relatively short space of time, it was possible that some nefarious activity was taking place. SilentLog didn't stand a chance, as when we tried to run it the CSA Agent warned us that it had detected an attempt to capture all keystrokes and offered options for allowing the process to continue or terminate it. Even our screen-capture utility fell foul of CSA, as the capture activation process was also considered to be a keystroke logging activity.
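
The port-scan alert described above boils down to counting distinct ports probed by one source within a short time window. The sketch below is an added illustration of that heuristic, not Cisco's code or CSA's actual algorithm; the event format, function name, thresholds and sample addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample events: (time in seconds, source IP, destination port).
# Addresses come from the RFC 5737 documentation ranges.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 139, 443]
EVENTS = (
    # Fast sweep: eight different ports in under four seconds.
    [(i * 0.5, "198.51.100.7", p) for i, p in enumerate(SCAN_PORTS)]
    # Ordinary client: repeated connections to two well-known ports.
    + [(1.0, "192.0.2.10", 80), (1.2, "192.0.2.10", 80),
       (4.0, "192.0.2.10", 443), (8.0, "192.0.2.10", 80)]
    # Slow sweep: many ports, but 30 seconds apart.
    + [(i * 30.0, "203.0.113.5", p) for i, p in enumerate(SCAN_PORTS[:7])]
)


def detect_port_probes(events, window=10.0, max_ports=5):
    """Flag sources that touch more than max_ports distinct ports
    within any span of `window` seconds.

    Returns {source: time of the event that first crossed the threshold}.
    """
    recent = defaultdict(deque)   # per-source (time, port) pairs still in window
    alerts = {}
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        # Drop probes that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) > max_ports and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, ts in detect_port_probes(EVENTS).items():
        print(f"{src}: unusual number of port probes by t={ts}s")
```

With the default 10-second window only the fast sweep is flagged; widening the window catches the slow sweep too, at the cost of keeping more history per source.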
