Cisco Security Agent
By Chad Sullivan
Publisher: Cisco Press
Pub Date: June 01, 2005
ISBN: 1-58705-205-9
Pages: 456
Table of Contents | Index
Prevent security breaches by protecting endpoint systems with Cisco Security Agent (CSA), the Cisco host Intrusion Prevention System
Learn the basics of endpoint security and why it is so important in today's security landscape
Protect endpoint systems from hackers, viruses, and worms with host intrusion prevention security
Prevent "Day-Zero" attacks with the first book on CSA deployment
Endpoint systems, being the point of execution for the malicious code, are where the most effective counter-intrusion mechanisms should be placed. Cisco Security Agent (CSA) is an important part of the network security puzzle that can help organizations secure their end systems. Its many capabilities include preventing "Day Zero" worm attacks, end system virus attacks, and Trojan horses; acting as a distributed firewall; performing an operating system lockdown; and performing application control. With the vast array of features, capabilities, and complexities associated with CSA, users need expert guidance to help them implement and maintain this important new security device and use it to maximum effect. This book presents a detailed explanation of CSA, illustrating the use of the product in a step-by-step fashion. Cisco Security Agent presents a complete view of host intrusion prevention with CSA, including basic concepts, installations, tuning, and monitoring and maintenance. Part I discusses the need for endpoint security. Part II helps readers understand CSA building blocks. Part III delves into the primary concern of new customers, that being installation. Part IV covers monitoring and reporting issues. Part V covers CSA analysis features. Part VI discusses creating policies and CSA project implementation plans. Maintenance is covered in Part VII.
Copyright
About the Author
About the Technical Reviewers
Acknowledgments
This Book Is Safari Enabled
Foreword
Command Syntax Conventions
Introduction
    Who Should Read This Book?
    How This Book Is Organized
Part I. The Need for Endpoint Security
    Chapter 1. Introducing Endpoint Security
        The Early Days: Viruses and Worms
        The Present: Blended Threats
        The Insider
        Understanding Point Security Weaknesses
        Using Attack-Detection Methods
        Establishing a Security Policy
        Summary
    Chapter 2. Introducing the Cisco Security Agent
        Intrusion Prevention and Intrusion Detection Technologies
        The Life Cycle of an Attack
        CSA Capabilities
        CSA Components Overview
        CSA Communication
        CSA's Role Within SAFE
        Summary
Part II. Understanding the CSA Building Blocks
    Chapter 3. Understanding CSA Groups and Hosts
        The Relationship Between Groups and Hosts
        Understanding CSA Groups
        Understanding CSA Hosts
        Summary
    Chapter 4. Understanding CSA Policies, Modules, and Rules
        The Relationship Between Policies, Modules, and Rules
        Establishing Acceptable Use Documents and Security Policies
        CSA Rules
        CSA Rule Modules
        CSA Policies
        Summary
    Chapter 5. Understanding Application Classes and Variables
        Using Application Classes
        Introducing Variables
        Summary
Part III. CSA Agent Installation and Local Agent Use
    Chapter 6. Understanding CSA Components and Installation
        General CSA Agent Components Overview
        CSA Installation Requirements
        Agent Kits
        Summary
    Chapter 7. Using the CSA User Interface
        Windows Agent Interface
        Linux Agent Interface
        Solaris Agent Interface
        Summary
Part IV. Monitoring and Reporting
    Chapter 8. Monitoring CSA Events
        Status Summary
        Event Log
        Event Monitor
        Event Log Management
        Event Sets
        Alerts
        Summary
    Chapter 9. Using CSA MC Reports
        Audit Trail Reporting
        Event Reporting
        Group Detail Reporting
        Host Detail Reporting
        Policy Detail Reporting
        Report Viewing
        Creating a Sample Report
        Summary
Part V. Analyzing CSA
    Chapter 10. Application Deployment Investigation
        Using Application Deployment Investigation
        Using Application Deployment Reports
        Summary
    Chapter 11. Application Behavior Analysis
        Understanding Application Behavior Investigation Components
        Configuring Application Behavior Investigation
        Using Application Behavior Investigation on the Remote Agent
        Analyzing Log Data
        Viewing Behavior Reports
        Exporting the Behavior Analysis Report Data
        Analyzing UNIX Application Behavior
        Creating Behavior Analysis Rule Modules
        Summary
Part VI. Creating Policy, Implementing CSA, and Maintaining the CSA MC
    Chapter 12. Creating and Tuning Policy
        Creating Policy
        Tuning Policy
        Summary
    Chapter 13. Developing a CSA Project Implementation Plan
        Planning for Success
        The Project Plan
        Outlining the Project Phases
        Summary
    Chapter 14. CSA MC Administration and Maintenance
        CSA Licensing
        CSA MC Registration Control
        CSA MC Component Sharing
        CSA MC Role-Based Access Control
        Other CSA MC Administrative Features
        CSA MC Backup and Restore Procedures
        Summary
Part VII. Appendixes
    Appendix A. VMS and CSA MC 4.5 Installation
        VMS v2.3 Components
        Installation
        Summary
    Appendix B. Security Monitor Integration
        Adding the CSA MC to the Security Monitor
        Configuring the Security Monitor
        Verifying Connectivity
        Viewing Events in the Security Monitor
        Summary
    Appendix C. CSA MIB
        CSA MC MIB Definitions
Index
Copyright
Copyright © 2005 Cisco Systems, Inc.
Published by
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing June 2005
Library of Congress Cataloging-in-Publication Number: 2004106254
Warning and Disclaimer
This book is designed to provide information about Cisco Security Agent. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.
For more information please contact: U.S. Corporate and Government Sales 1-800-382-3419
For sales outside the U.S. please contact: International Sales
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at
Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Credits
Publisher: John Wait
Editor-in-Chief: John Kane
Executive Editor: Brett Bartow
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Nannette M. Noble
Production Manager: Patrick Kanouse
Acquisitions Editor: Michelle Grandin
Development Editor: Dayna Isley
Copy Editor and Indexer: Keith Cline
Technical Editors: Jeff Asher and David Marsh
Team Coordinator: Tammi Barnett
Cover Designer: Louisa Adair
Composition: Interactive Composition Corporation
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883
Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)
Printed in the USA
Dedications
This book is dedicated...
To my wife Jennifer for her patience and encouragement.
To my three little angels Avery, Brielle, and Celine for their amazing ability to learn and their continuous challenge for me to do the same.
And to God, for providing me the ability to identify the many opportunities to succeed that have crossed my path.
About the Author
Chad Sullivan is a consulting systems engineer for Cisco Systems based out of Atlanta who specializes in security on the Advanced Technologies Team. He is highly certified and currently holds three CCIEs (Security, Routing & Switching, and SNA/IP), Cisco CCSP, and Cisco INFOSEC, as well as a CISSP and CHSP from ISC2. Chad has focused predominantly on security as a specialty for a number of years and has been a member of the Cisco Security and VPN Virtual Team for the past five years as well as a member of several security professional societies.
About the Technical Reviewers
Jeff Asher is a network systems engineer/security engineering practice manager at Internetwork Engineering in Charlotte, North Carolina, where he is currently deploying endpoint security systems to an enterprise network of more than 6000 workstations and 350 servers. Jeff has earned several certifications, including Microsoft Certified System Engineer and CCNP. He earned a bachelor of arts degree from Virginia Polytechnic Institute and State University.
David Marsh is a security consultant for the Cisco Systems World Wide Security Practice and lives in Atlanta. He has focused on security for a number of years and holds Cisco certifications such as CCNP, CCDP, and CCSP as well as industry certifications such as CISSP, MCNE, and MCSE. David has an MBA from Georgia State University and is looking at pursuing the GIAC GSE after he wraps up his CCIE (Security). He is currently engaged in security architecture consulting for some of the top Cisco customers and has no spare time.
Acknowledgments
I first want to thank Debra Malver, who constantly provided any and all information and assistance I required. I want to thank everyone at Cisco Press who was involved in the creation of this book, including Michelle Grandin, Brett Bartow, Dayna Isley, and Tammi Barnett. (I cannot say thank you enough to Dayna Isley, who has shaped this book more than anyone will ever know.)
Special thanks to David Marsh and Jeff Asher for reviewing the content of the manuscript and ensuring its accuracy. Also, to David Marsh, thanks for his friendship and for constantly challenging me to think differently. To the driving forces of the "Dream Team" for continuing to challenge me to drive harder, faster, and further than I believed possible, including Tyler Pomerhn, Mike Purcell, and Mason Harris. To Dave Swink for his practical CSA insight and implementation guidance. To Lamar Tulley and Seth Judd, who are more the same than they realize. To Tyler Durden for providing an escape when it was needed. To all of my Cisco coworkers, who have had to listen to my rants regarding the trials and tribulations during my writing cycle, including Joe Stinson, Steve Gyurindak, John Dodson, Jamey Heary, Paul Ostrowski, and anyone and everyone else who has crossed my path during the past year. To Jeff Wells, who played a great role in the early stages of this book's development and in shaping Chapter 1. To the Cisco CSA Team, including Ted Doty, Jeff Mitchell, Marcus Gavel, Johnathan Hogue, and Josh Huston for providing assistance when needed, both directly and indirectly. To a friend and former manager, Dan Zatyko, who helped shape my career in more ways than he may know. To my mother and father for believing in my potential and keeping me focused even when I pushed it away. To my sister, Ashley, who drives me to succeed in competition to her continued success. To my in-laws, Royce and Phyllis Lynn, for providing spiritual guidance. To Kevin Mahler for helping me to understand the writing process and for providing many needed contacts to further my career.
And finally, to the Academy... (The music plays, and I am ushered offstage.)
This Book Is Safari Enabled
The Safari® Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days.
Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.
To gain 45-day Safari Enabled access to this book:
Go to
Complete the brief registration form
Enter the coupon code 1111-1111-1111-1111-1111
If you have difficulty registering on Safari Bookshelf or accessing the online edition, please e-mail
Foreword
I encountered computer and network security very early in my career. My first job out of college in the early 1980s was with the National Security Agency, and two things immediately became clear. First, the government and especially the Defense Department were about the only people who were remotely interested in computer security. Second, there were a lot of ways that security could go wrong.
Some things have changed dramatically since then. Everyone is aware of computer security issues to some degree now, even if this awareness is only about viruses and spyware. It is both gratifying and concerning to now be able to explain my job to my mother in 10 seconds ("You know the hackers? We're trying to stop them").
However, some things have not changed much, if at all: there are still a lot of ways that security can go wrong. We've tried many approaches to stopping attacks, but most of these have struggled to keep up with the rate of change in technology. When we block ports, applications use port 80 (web). When we inspect the packets, the applications use SSL. The rate of change is accelerating, and since attacks can fit themselves into any of these nooks and crannies, it remains easy to miss something.
This was why the Okena Stormwatch agent (now the Cisco Security Agent [CSA]) is such a shock to people who have been involved in security for a long time. In many ways, it seems to violate everything that we've learned about how to protect your systems. No, you don't need to update it to get the latest protection. Yes, your applications very well may be vulnerable, but CSA will keep them from being exploited. Yes, it will indeed stop an attack that it's never seen before. In a sense, one of the hardest things about CSA is the mental shift from what we have been used to.
However, once that shift happens, the current hustle and bustle of our lives (getting the update, testing the update, looking at the new exploit) becomes much simpler. While there are still a lot of ways that security can go wrong, CSA provides a defense even when something is wrong. I remember the e-mail that came around from our system administrator that said, "There's something attacking our web server. We're not sure what it is, but Stormwatch is blocking it." That was the Nimda worm, the first of a long line of attacks stopped by CSA.
This book provides great detail on how to use CSA, but also provides background on how CSA works. Anyone interested in CSA, and especially anyone who uses it day to day, will find this book to be indispensable.
Ted Doty
Product Manager
Security Technology Group
Cisco Systems, Inc.
May 2005
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown.
Italics indicate arguments for which you supply actual values.
Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets [ ] indicate optional elements.
Braces { } indicate a required choice.
Braces within brackets [{ }] indicate a required choice within an optional element.
Introduction
Endpoint protection has quickly become a "must have" rather than a "nice to have" security mechanism in today's fast-paced world. Numerous worms, viruses, Trojan horses, bots, and other security malware circulate and grow on the Internet at an alarming rate, and you need to counter these effectively with appropriate technologies. The endpoint, being the point of execution for the malicious code, is where you should place the most effective counter mechanisms. This reality has prompted the industry to understand the need for such software to be developed. The Cisco Security Agent (CSA) software provides the protection necessary to combat these threats. Viruses and worms are no longer simply viewed as a nuisance, but rather as theft and vandalism. The threats are real, and the protective mechanisms required need to be more robust than those used previously.
Who Should Read This Book?
This book is designed to enable readers to discover the CSA product with or without having a running product in front of them. This book first introduces the architecture and components of the system and then examines the configuration of rules and policy. Anyone who is investigating the CSA product or endpoint protection in general will gain insight into the product from this book. Those involved in a production rollout will find the information contained herein a valuable ongoing reference.
How This Book Is Organized
This book is structured to allow the reader to proceed from cover to cover in a natural learning and discovery process. The book is organized into 7 major sections composed of 14 chapters and 3 appendixes.
Part I, "The Need for Endpoint Security," covers the basics of why endpoint security is so important to today's rapidly changing security landscape.
    Chapter 1, "Introducing Endpoint Security," discusses endpoint security and the need for this technology.
    Chapter 2, "Introducing the Cisco Security Agent," discusses CSA and the security mechanisms that can be deployed as protection for a computing environment.
Part II, "Understanding the CSA Building Blocks," covers the basic components you must thoroughly understand when attempting to deploy the CSA architecture.
    Chapter 3, "Understanding CSA Groups and Hosts," discusses using groups and hosts in the CSA architecture and how the two components are related.
    Chapter 4, "Understanding CSA Policies, Modules, and Rules," describes the components necessary to build and manipulate policy for the systems you want to protect. These building blocks are broken down into individual rules so that you can better understand what control mechanisms are available and how to use them.
    Chapter 5, "Understanding Application Classes and Variables," discusses some of the CSA objects that simplify ongoing maintenance and usability of the software through the use of reusable elements.
Part III, "CSA Agent Installation and Local Agent Use," covers the agents themselves, how you can implement them, and how the user can interact with the agent locally.
    Chapter 6, "Understanding CSA Components and Installation," discusses the local agent components and installation process on various operating system platforms.
    Chapter 7, "Using the CSA User Interface," discusses how users should use the local agent interface that may be available to them as defined by the central security policy.
Part IV, "Monitoring and Reporting," covers the CSA Management Console's reporting and monitoring capabilities.
    Chapter 8, "Monitoring CSA Events," explores the event database on the management server and how you can view and filter the information.
    Chapter 9, "Using CSA MC Reports," discusses the report mechanisms available to the CSA administrator. These reports provide detailed information for the CSA architecture components.
Part V, "Analyzing CSA," covers the advanced CSA analysis features added in the 4.5 version of the product.
    Chapter 10, "Application Deployment Investigation," explores the new Application Deployment Investigation feature capable of providing reports regarding all installed applications, hotfixes, service packs, and applications connecting to the network as a client or server.
    Chapter 11, "Application Behavior Analysis," discusses the new capability of the CSA agent to collect detailed information regarding a specific process and how it uses and is used by system resources.
Part VI, "Creating Policy, Implementing CSA, and Maintaining the CSA MC," covers policy as a whole comprised of the various building blocks and a methodology that the company should follow when attempting to implement CSA. You also learn about information required to keep a CSA deployment running efficiently and how to provide the necessary level of backup required in case of a system failure.
    Chapter 12, "Creating and Tuning Policy," examines the methods used to tune policy such that it controls your environment without impacting usability.
    Chapter 13, "Developing a CSA Project Implementation Plan," lays out a detailed implementation plan that takes you through the various stages and steps of a CSA deployment.
    Chapter 14, "CSA MC Administration and Maintenance," discusses administering and maintaining the CSA architecture, including administrative access roles and backups.
Part VII, "Appendixes," covers additional installation and management information.
    Appendix A, "VMS and CSA MC 4.5 Installation," discusses basic single-server installation of the CiscoWorks VMS product along with the CSA MC.
    Appendix B, "Security Monitor Integration," discusses integrating the CSA MC with the Security Monitor component of CiscoWorks VMS.
    Appendix C, "CSA MIB," introduces the CSA MIB that can be used with various SNMP management systems.
Part I: The Need for Endpoint Security
Chapter 1 Introducing Endpoint Security
Chapter 2 Introducing the Cisco Security Agent
Chapter 1. Introducing Endpoint Security
This chapter covers the following topics:
The early days: viruses and worms
The present: blended threats
The insider
Understanding point security weaknesses
Using attack-detection methods
Establishing a security policy
Computer viruses, worms, and spyware have changed the face of computing over its long history. In just the past few years, the world has witnessed an acceleration of the number of exploits released and the number of endpoints that can be compromised in a given time. These damaging trends have caused the networking community to renew their focus on security.
The new exploits and rapid propagation techniques seen today are not the only reasons security is pushing to the top of many organizations' list of concerns. Changes in the world's political landscape, the ever-growing concern of corporate espionage, cyber-attacks or cyber-warfare, and the dramatic increase in identity theft are all driving this new security awareness.
In this chapter, you explore the evolution and general effect of viruses, worms, and spyware along with a view to where they may be heading. In addition, you learn about other important security issues on the endpoint.