Advanced host intrusion prevention with CSA
Publication Information: Indianapolis, IN : Cisco Press, 2006


Item Barcode: 30000010104980
Call Number: TK5105.59 S94 2006
Material Type: Open Access Book
Item Category 1: Book




Maximize end-point security with Cisco Security Agent. This book eases the complexity of CSA installation and management, helps users maximize their CSA investment and the security of their end-point systems, provides a structured approach to host IPS planning and installation, includes hard-to-find information on advanced CSA feature deployment, and presents real-world expertise gathered from field installations.

Advanced Host Intrusion Prevention with CSA is a practical guide to getting the most out of CSA deployments. It helps ease the fears of security administrators seeking to install and configure a host IPS through methodical explanation of the advanced CSA features and concepts. Real-world best practices taken from the authors' actual installation and support experience provide an installation framework. The book helps administrators and security engineers implement CSA appropriately, giving their organizations better protection from the threats affecting their business and enabling them to comply with legal requirements put forth by legislation and standards such as HIPAA, SOX, SB1386, and Visa PCI. support teams have and build upon that foundation solid CSA implementation knowledge to guarantee success.

The book consists of five major sections covering several advanced concepts in detail and requires basic product knowledge. Part I presents an overview of host IPS and CSA. Part II discusses project planning and implementation. Part III covers CSA installation, including CSA MC server installation and agent deployment. Part IV addresses CSA policy. Part V covers monitoring and troubleshooting methodologies.

Chad Sullivan is a Senior Security Engineer and Owner of Priveon, Inc., which provides leading security solutions to customers across the United States. Prior to starting Priveon, Chad wrote the previous Cisco Security Agent title from Cisco Press and worked as a Security Consulting Systems Engineer at Cisco Systems, Inc. Chad is recognized within the industry as one of the leading implementers of the Cisco Security Agent product. Jeff Asher has worked as a Network Systems Consultant for the last four years with information security as his primary focus. at Cisco Systems based out of San Jose, CA.

Author Notes

Chad Sullivan, CCIE No. 6493, is a founder and senior security consultant with Priveon, Inc.
Jeff Asher is a network systems consultant with Internetwork Engineering (IE) in Charlotte, North Carolina.
Paul S. Mauvais currently holds the position of senior security architect in the Cisco Corporate Security Programs Organization.

Table of Contents

Introduction, p. xix
Part I: CSA Overview, p. 2
  Chapter 1: The Problems: Malicious Code, Hackers, and Legal Requirements, p. 4
    Malicious Code, p. 5
    Hackers, p. 9
    Legislation, p. 10
    Summary, p. 13
  Chapter 2: Cisco Security Agent: The Solution, p. 14
    Capabilities, p. 15
    CSA Component Architecture, p. 16
    CSA Hosts and Groups, p. 19
    Policy Implementation, p. 21
    Summary, p. 25
Part II: CSA Project Planning and Implementation, p. 26
  Chapter 3: Information Gathering, p. 28
    Defining Purpose, p. 29
    Understanding the Environment, p. 35
    Important Individuals, p. 42
    Summary, p. 45
    References in This Chapter, p. 45
  Chapter 4: Project Implementation Plan, p. 46
    Timeline, p. 47
    Contributors, p. 50
    Pre-Planning, p. 50
    Pilot, p. 65
    Production Implementation, p. 73
    Documentation, p. 75
    Ongoing Support, p. 75
    Summary, p. 78
  Chapter 5: Integration into Corporate Documentation, p. 80
    Security Policy Document, p. 81
    Change Control Documentation, p. 89
    Quality Assurance, p. 93
    Contacts and Support Escalation, p. 100
    Summary, p. 101
Part III: CSA Installation, p. 104
  Chapter 6: CSA MC Server Installation, p. 106
    Implementation Options, p. 107
    CSA MC Server Hardware Requirements, p. 109
    CSA MC Server Installation, p. 110
    Summary, p. 128
  Chapter 7: CSA Deployment, p. 130
    Agent Installation Requirements, p. 131
    Agent Installer, p. 133
    Installation Parameters and Examples for SETUP.EXE, p. 142
    Summary, p. 148
Part IV: CSA Policy, p. 150
  Chapter 8: Basic Policy, p. 153
    Policy Requirements, p. 153
    Purpose of Policy, p. 154
    Policy Application and Association, p. 157
    Builtin Policy Details, p. 159
    Summary, p. 170
  Chapter 9: Advanced Custom Policy, p. 172
    Why Write Custom Policies?, p. 173
    Preparing for the CSA Tuning Process, p. 175
    Best Practices for Tuning, p. 180
    Sample Custom Policies, p. 182
    Using Dynamic Application Classes, p. 191
    Forensics, p. 196
    Summary, p. 197
Part V: Monitoring and Troubleshooting, p. 198
  Chapter 10: Local Event Database and Event Correlation, p. 200
    CSA MC Event Database, p. 201
    Automated Filtering from Directed Links, p. 212
    Additional Event Correlation, p. 214
    Summary, p. 215
  Chapter 11: Troubleshooting Methodology, p. 216
    Common Issues, p. 217
    NOC Troubleshooting Tools, p. 221
    Agent Troubleshooting Tools, p. 228
    SQL Troubleshooting, p. 233
    Cisco TAC, p. 240
    licensing@cisco.com, p. 242
    Summary, p. 242
Appendix A: Best Practices Deployment Scenario, p. 244
  Overview, p. 245
  Gathering Information, p. 246
  Security Policy, p. 247
  Acceptable Use Policy, p. 247
  Security Problems, p. 248
  Inventory, p. 249
  Determine Goals, p. 250
  Pilot Phase, p. 252
  Determine Scope, p. 252
  Determine Conditions, p. 253
  Create the CSA Base Policy, p. 254
  Deploy Agents in Test Mode, p. 255
  Test Applications and Review Logs, p. 256
  Convert Agents to Protect Mode, p. 258
  Documentation, p. 259
  General Deployment Phase: Test Mode, p. 260
  Create a Deployment Schedule and Phased Installation Plan, p. 261
  Deploy Agents and Monitor Progress Against System Inventory, p. 261
  Test CSA MC Functionality and Response, p. 262
  General Deployment Phase: Protect Mode, p. 262
  Convert Selected Hosts to Protect Mode, p. 262
  Monitor Logs and System Activity, p. 262
  Review Security Policy and Acceptable Use Policies and Build Appropriate Exceptions, p. 262
  Operational Maintenance, p. 263
  Database Maintenance, p. 263
  System Backups, p. 263
  Test System Patches in Lab, p. 263
  Test Non-CSA Application Upgrades in Lab, p. 264
  Run Application Deployment Unprotected Hosts Report to Find Machines Without CSA, p. 264
  CSA Upgrades, p. 264
  Upgrading MC, p. 264
  Upgrading Agents, p. 265
Appendix B: Cisco Security Agent 5.0, p. 266
  Operating System Support, p. 267
  System Warnings, p. 267
  Status Summary Screen, p. 268
  Network Status, p. 268
  Most Active, p. 269
  Event Log Changes, p. 271
  Group Level Changes, p. 272
  Hosts, p. 273
  Recycle Bin, p. 275
  Host Management Tasks, p. 275
  Combined Policy State Set Notation, p. 276
  Rule Modules, p. 276
  Rules, p. 277
  Actions, p. 277
  New Set Action, p. 278
  Searching, p. 281
  Hosts Search, p. 281
  Rules Search, p. 282
  Agent Diagnostics, p. 283
  Database Maintenance Information, p. 284
  Resetting the Security Agent, p. 285
  Summary, p. 286
Index, p. 288