Chapter 2. Introducing the Cisco Security Agent


entries, COM object access, and inbound and outbound network connections.

When the original CSA developers set out to create a solution for securing endpoints, they wanted to create a new prevention-based system that would rely on a proactive behavioral method rather than try to improve old signature-based Intrusion Detection Systems that rely on more traditional reactive technology. In the past, securing end systems meant employing operating system policies, deploying antivirus solutions, utilizing personal firewalls, and hoping that your user base would adhere to the written acceptable use policies when using enterprise computing resources. Hope should never be part of your strategy when providing secure computing environments.

Although you should continue to develop successful security awareness programs and acceptable use policies, you do not need to trust those policies as your sole method for protecting end systems, nor should it take a small army of security personnel to maintain, monitor, and manage multiple endpoint security products. CSA enables you to enforce your security policies based on explicit rule definitions while reserving "hope" for other parts of your organization. This chapter provides an overview of the concepts and technologies integral to CSA, including the following:

The difference between intrusion prevention and intrusion detection
The life cycle of an attack
CSA capabilities
CSA architecture components
CSA component communication
CSA's role within the Cisco SAFE architecture



Intrusion Prevention and Intrusion Detection Technologies

CSA is a Host Intrusion Prevention System (HIPS). The older technology, which previously attempted to prevent intrusions on network endpoints, is known as a Host Intrusion Detection System (HIDS). This discussion starts by exploring the basics of each type of system.

HIDSs evolved out of Network Intrusion Detection Systems (NIDSs). A NIDS is a security technology deployed on network infrastructures that detects and alerts based on passively identifying active attacks. NIDS is an invaluable technology credited with saving enterprises from having to endure drastic outages due to active hacking attempts or distributed denial-of-service (DDoS) attacks.

The major issue associated with running an effective NIDS is to ensure that this technology is continuously updated with the latest signature definitions such that all currently known attacks are identified and the appropriate alerts are sent. This technology is only as effective as its latest update and the ability to limit the number of false positive alerts being sent.

Combine the large number of false positives with the large number of possible real positive events logged in an ever-growing database, and many security teams find themselves buried in log data they cannot interpret in a timely fashion. Therefore, a more active endpoint technology such as HIDS can complement the NIDS in an enterprise environment to ensure real-time security as well as comprehensive forensics within the logs. HIDSs also function by utilizing signatures to identify and prevent attacks, although they perform this action to secure individual end systems based on their local signature base of known attacks.

A Host Intrusion Prevention System (HIPS) differs significantly in its approach to securing hosts. It actively monitors the behavior of applications, locally executing code, and local network connections on the end system to determine whether the actions should be allowed. An obvious benefit to a behavior-based system is that it does not require signature updates to prove successful. To better understand how a behavior-based system such as CSA can be effective in preventing both known and unknown attacks from compromising end systems, it is important to understand what you, as a security expert, are trying to protect.



The Life Cycle of an Attack

Viruses and worms have been around for many years and over time have taken advantage of numerous vulnerabilities in both operating system and application code. Initially, new worms and viruses would show up every few weeks. Over time, this became every few days. Today, new viruses, worms, and variants of existing ones appear every few hours.

Today's programming languages have made it increasingly easy to make minor modifications to existing virus code so that the variant is at least as destructive as the original. Most importantly, the code is modified such that existing virus definitions or signatures no longer match. Because the signature no longer matches the malicious code, the security mechanism utilizing the signature definition is not an effective defense without an update that includes the new signature to match the altered pattern within the malicious code. To take this concept one step further, virus developers today write destructive code that is distributed across the Internet bundled with a developer's kit of sorts, so any individual with malicious intent and the capability to run a command-line executable (complete with built-in help files) can create his own undefined variant in just a few seconds. Armed with this knowledge, you may ask yourself, "How do I efficiently and effectively defend against constantly mutating code in time to protect my environment?"

To address this concern, CSA differs from older technologies. CSA does not care what the virus or worm looks like or how the binary 1s and 0s line themselves up to create a damaging payload. CSA is more focused on the behavior of an application and defining whether the behavior is "good" or "bad" to decide whether the action attempting to occur should be allowed or denied. CSA's internal mechanisms and implementation of the centrally defined rule set decide what is considered good and bad behavior. An example of a behavioral decision could be that a command shell such as cmd.exe is a normal "good" behavior that is allowed on an agent-protected system as long as the command shell is started by a user and not by a process launched by downloaded content.

Looking back over the history of malicious code, a pattern begins to form: All malicious code performs the same root actions. Not all viruses follow the same steps in exactly the same order, but they do attempt to use the following processes to be defined as successful penetrations:

Probe: Locate other systems via any method such as ping, traceroute, email, port scans, and so on.
Penetrate: Gain access to the previously located or randomly selected systems through mechanisms such as e-mail attachments, downloaded content from web pages, buffer overflows, or even backdoors such as the Windows hidden shares (ADMIN$, C$, and so on).
Persist: Methods by which the virus/worm will continue to be present on the infected system after deletion or reboot, such as insertion into registry Run keys, initialization files, or service installation.
Propagate: Move from system to system using transports such as e-mail, Trojan horse-infected files, and other vulnerable network services.
Paralyze: Destroy files or entire file systems using various corruption, deletion, or formatting procedures. Other possibilities include simply crashing the system continuously so that it is unusable or tying up CPU cycles to make the system unresponsive to user-desired functions.

You can see that because all viruses and worms behave the same, it can be a more successful strategy to monitor and analyze the behavior of an attack rather than attempting to match it to a signature, which may not yet exist. CSA identifies the code as malicious by its inappropriate interaction with the host system and therefore can prevent previously unknown day-zero attacks.



CSA Capabilities

Because CSA resides on the endpoint and observes all system interaction, it can be very effective in securing the endpoint, controlling how the endpoint interacts with surrounding systems, and controlling how users can interact with the local system. Upon installation, CSA begins monitoring local system resources and maintains state tables of what is happening on the system so that the locally enforced security policy is not violated. The agent monitors file and application access and usage, network transactions, registry access, operating system kernel usage, COM object access, and other system components to ensure the strict enforcement of the defined security policy.

Because of its intimate knowledge of what is happening in real time on the local host, the CSA can control what requested actions are allowed or denied. This occurs whether the actions are user requested or malicious code attempting to auto-execute. When the system detects a request that should not be allowed according to the local security policy, it stops the action from occurring and sends an alert regarding the inappropriate behavior.

Residing on the endpoint and closely monitoring the system for any behavior that is inconsistent with the locally enforced security policy, CSA can fill many security roles in a single agent beyond just preventing known and unknown (or day-zero) attacks, including the following:

Globally automated correlation and reaction
Distributed firewall
Application control
File and directory protection
Network admission control
Application deployment and behavior investigation



This section describes each of these roles in detail.



Globally Automated Correlation and Reaction

With security agents throughout your architecture reporting to a single management console, you can leverage the information consolidated in this centralized repository. The CSA Management Console (MC) can correlate events such as e-mail worm propagation events and virus scanner log events to dynamically create new rules. These new rules are distributed to all systems in the architecture that may or may not have seen the correlated event. These dynamically created rules can then provide a first-level defense against the malicious code by preventing the malicious file from executing or the correlated IP address from communicating with any agent-protected system.
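As an added illustration of the correlation-and-reaction flow just described (not Cisco's code, event format, or rule syntax), the following Python models an MC that counts how many distinct agents reported the same file or IP indicator, turns indicators reported by at least two agents into deny rules, and pushes those rules to every agent, including agents that never saw the event. The agent IDs, event kinds, and indicator values are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events reported by agents to the MC: (agent_id, event_kind, indicator).
# Indicators are prefixed "file:" or "ip:" so the MC knows which kind of deny rule to build.
SAMPLE_EVENTS = [
    ("ws01", "email_worm_propagation", "file:mailer_x.exe"),
    ("ws02", "virus_scanner_log",      "file:mailer_x.exe"),
    ("ws03", "email_worm_propagation", "file:mailer_x.exe"),
    ("ws01", "network_scan",           "ip:192.0.2.77"),
    ("ws04", "network_scan",           "ip:192.0.2.77"),
    ("ws02", "virus_scanner_log",      "file:one_off.tmp"),  # reported once: below threshold
]

def correlate(events, min_agents=2):
    """Build dynamic deny rules for indicators reported by at least min_agents distinct agents."""
    seen = defaultdict(set)
    for agent, _kind, indicator in events:
        seen[indicator].add(agent)
    rules = []
    for indicator, agents in sorted(seen.items()):
        if len(agents) < min_agents:
            continue  # a single report is not enough evidence for a global rule
        kind, value = indicator.split(":", 1)
        action = "deny_execute" if kind == "file" else "deny_network"
        rules.append({"action": action, "match": value, "sources": sorted(agents)})
    return rules

def distribute(rules, all_agents):
    """Every agent receives the full rule set, whether or not it saw the correlated event."""
    return {agent: list(rules) for agent in all_agents}

def enforce(rules, kind, value):
    """Agent-side check: 'deny' if a distributed rule matches the requested action, else 'allow'."""
    for rule in rules:
        if rule["action"] == "deny_execute" and kind == "execute" and rule["match"] == value:
            return "deny"
        if rule["action"] == "deny_network" and kind == "connect" and rule["match"] == value:
            return "deny"
    return "allow"
```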



Distributed Firewall

CSA actively watches inbound and outbound connections to and from the local host. The agent can control how the network connection is utilized based on the current local security policy that you defined. You can apply a great number of networking controls. The agent can control which applications on the local system can act as a server to remote clients. If the agent is acting as a server, you can decide whether the application should service connections from all remote systems or just specific remote systems and on specific TCP ports. The security agent can also control which local applications can act as a network client on your network. This control proves very useful, especially when trying to limit which applications are allowed on workstations within your security policy parameters. For example, perhaps you want to require users wanting to use Telnet to use only telnet.exe located in a specific folder on the endpoint and prohibit the Telnet protocol (TCP/23) using any other application. By controlling which processes are allowed network access, you can help stop worms from propagating across your network. CSA can also constantly monitor the IP network stack for other inconsistencies, such as invalid protocol headers, SYN floods, port scans, and other malicious packets through the use of an optionally installed network shim.

Another addition in CSA 4.5 is the ability for the enterprise security administrator to distribute some of the personal firewall control to the end users. You can enable end users to control which applications are allowed network access through appropriately answering query messages spawned by the centrally defined network access rules. The user can also place the local agent personal firewall in a learning mode to build the list of allowed network applications. The personal firewall rules do not override any centrally defined policies but rather further lock down the system and limit the number of future query messages a user may receive regarding network usage.



Application Control

Many current corporate security policies list specifically named acceptable applications. Unfortunately, in most cases, the enforcement mechanisms are nothing more than signed documents, and the local administrative team typically has very little control over what users actually do use from an application standpoint. CSA can help solve that problem.

Application control rules enable you to enforce portions of your security policy by explicitly stating which applications can run on end systems. It can also be more specific in that you can name certain applications that can normally be invoked but in specific instances will not be allowed to execute. An example of this is to normally allow a local command shell, such as cmd.exe or command.com, to be launched; however, when downloaded content attempts to initiate a local shell, the application control rule should prevent this.
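As an added example (not Cisco's rule syntax or agent code), the following Python models the two behavioral decisions this chapter uses: the command-shell rule above, where cmd.exe or command.com is allowed unless the launching process came from downloaded content, and the Telnet rule from the Distributed Firewall section, where only one approved telnet.exe may use TCP/23. The approved Telnet path, the event fields, and the sample process paths are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Event:
    """One requested action observed by the agent (constructed model, not CSA's event format)."""
    kind: str                          # "process_launch" or "net_connect"
    app: str                           # full path of the process performing the action
    parent_from_download: bool = False # True if the launching process came from downloaded content
    target: str = ""                   # executable being launched (for process_launch)
    port: int = 0                      # destination TCP port (for net_connect)

SHELLS = {"cmd.exe", "command.com"}
# Assumed placeholder folder for the single approved Telnet client.
ALLOWED_TELNET = r"c:\tools\approved\telnet.exe"
ALERTS = []  # denied actions are recorded here, modelling the alert the agent sends

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def shell_rule(ev):
    """Command shells are normal, unless the launcher was itself started by downloaded content."""
    if ev.kind == "process_launch" and basename(ev.target) in SHELLS:
        return "deny" if ev.parent_from_download else "allow"
    return None  # rule does not apply to this event

def telnet_rule(ev):
    """TCP/23 is permitted only for the approved telnet.exe; any other application is denied."""
    if ev.kind == "net_connect" and ev.port == 23:
        return "allow" if ev.app.lower() == ALLOWED_TELNET else "deny"
    return None

RULES = [shell_rule, telnet_rule]  # evaluated in order; first applicable rule wins

def evaluate(ev):
    """Return (verdict, rule_name); anything no rule covers falls through to the default allow."""
    for rule in RULES:
        verdict = rule(ev)
        if verdict is not None:
            if verdict == "deny":
                ALERTS.append((rule.__name__, ev.kind, ev.app, ev.target or ev.port))
            return verdict, rule.__name__
    return "allow", "default"
```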

Another type of application control comes in the form of multiple rules and policies. Cisco provides preconfigured policies that help you control applications such as instant messengers and peer-to-peer music- and file-sharing utilities. These policies help granularly control the specified applications and their usage and require multiple rules to accomplish the task.



File and Directory Protection

CSA provides a way to protect specified directories and files from being deleted, modified, or created. The local agent monitors file usage so that your protected entries are not adversely affected. The protected files and directories can be on the local hard drive, CD, floppy, removable media (such as zip and USB), or even on network shares.

With version 4.5, you can also allow users to create a local list of files and directories that should not be accessible over any network connection. This functionality enables users to protect their own information outside of what may already be protected via global enterprise file and directory control policies. Just as with the locally administered personal firewall, any access rules set by the local user do not override the centrally defined policies, but instead further lock down the system.



Network Admission Control

CSA plays an important role in the Cisco Self-Defending Network Initiative (SDNI). The first portion of SDNI to become commercially available is Network Admission Control (NAC). Within NAC, there is a requirement that end systems run a component known as the Cisco Trust Agent (CTA). CTA, which is built in to version 4.5 of the Cisco Security Agent, provides the network a mechanism by which you can control access at Layer 2 or Layer 3 based on information CTA conveys. In simple terms, the network must learn about the security posture of the endpoint before it is granted access. The information reported as part of this posture assessment process could be regarding the version of the current virus definition file and other posture-related information.



CSA Analysis

Agent analysis is an exciting addition, new in version 4.5, that enables CSA to analyze the endpoint, determine which applications are installed, and report what a specific application is doing when it executes. The ability to inspect your endpoints to provide detailed information on which applications are locally installed is called application deployment investigation. Within this feature, you can also see applications that run and how often they run. Another crucial component of this particular analysis feature is the ability to see which applications are using network resources. This functionality provides detailed reporting of processes running as clients or servers on end systems so that the administrative team can create a global report of network applications. These reports enable you to understand exactly which applications are on your network so that you can block or remove the ones that violate the current written security policy or create security agent policies for currently unprotected applications. It is very important that you understand what is installed and executing on your systems when attempting to protect them. After all, it is not necessarily what you know you have installed that is your biggest concern, but rather what you do not know is installed that poses the real security threat to your organization.

Application behavior investigation is another analysis function that has been added in version 4.5. This feature should prove extremely useful for any organization. After you have located the unprotected or unknown application on a host, you can create a behavior analysis job for that application and deploy the job to the CSA on the endpoint where the application resides. The agent will compile information on the associated application, such as file, COM, and network usage. After all the information has been compiled, you can view it on the CSA MC and, if desired, create a policy to protect the observed behavior of the application that could then be deployed to all other necessary agents.



CSA Components Overview

CSA uses a distributed architecture consisting of two major components:

Management Console (MC): The MC performs many important tasks such as agent configuration, policy configuration, and centralized reporting.
Agents: Agents, which enforce local security policies, reside on hosts throughout the network.

The next sections provide an overview of both components.



Management Console

The CSA MC runs on top of the Microsoft Windows 2000 Server operating system using either a Microsoft Database Engine (MSDE) by default, which is included in the product installation, or Microsoft SQL 2000 when you need to scale beyond 500 agents. The CSA MC is where all management functions are performed. As part of the CiscoWorks VPN Management Solutions (VMS) network management family of products, the CSA MC has the same look and feel as the other management tools from Cisco, and its configuration interface is accessible via a web browser over a secure encrypted Secure Sockets Layer (SSL) connection. Figure 2-1 provides a typical CSA MC screen you will see upon successfully logging into the CSA MC application with your web browser.

Figure 2-1. Cisco Security Agent Management Console



