Cisco Security Agent (CSA) / Network Admission Control (NAC)
© 2004 Cisco Systems, Inc. All rights reserved. Security With CSA and NAC
Pascal Delprat, Security Consultant, Cisco France
Vincent Bieri, Marketing Manager, Security, EMEA Technology Marketing Organisation
Agenda
• CSA and NAC Presentation (30') – Vincent Bieri
• CSA Demo (20') – Pascal Delprat
• Q&A / Discussions (10') – all
Cisco Security Agent (CSA)

Agenda – CSA
• Overview of Cisco Security Agent
• Management Model
• CSA Implementation and Architecture
• Security Functions
• Performance Impact
• Integration with Other Security Technologies
• Roadmap CSA 4.5
What is Cisco Security Agent?
• Security software for desktop, laptop, and server computers that minimizes patch and security problems with behavior-based OS kernel wrappers
• Centrally administered, with distributed, autonomous policy enforcement
Scales well and also works with intermittently connected hosts
Can also adapt defenses based upon correlation of events from different hosts
• Effective against existing and previously unseen attacks
Stopped Nimda, Code Red, Slammer, Blaster with out-of-the-box policies
JPEG (GDI+) OVERFLOW
Cisco Security Agent (CSA) Components
Management Server—deploys security policies, receives and stores events in a SQL database, alerts administrators, deploys software; part of the Cisco VPN and Security Management System (VMS)
Cisco Security Agents—enforce the security policy received from the Management Server, send events immediately, interact with the user (if necessary), protect themselves, poll for policy updates; run on Windows and Solaris
CSA Management Console—web browser interface, policy configuration tool, event views
Management Architecture
Agent locations: Remote Users or Branch Offices, DMZ, Campus
Management Server
• Events are pushed to it
• Configuration is pulled from it
Hosts are attached to a Group that includes a set of Policies defined by Rules
GROUP: Web Servers
POLICIES: IIS Module, Windows Module
HOSTS: Web1.cisco.com, Web2.cisco.com
Groups
• Used to Organize Logical Collections of Hosts
e.g. “IIS Servers”, “Executive Desktops”, or “SQL Servers”
Policies
• Are attached to zero or more groups
• Are composed of logical collections of rules
Rules
• Are attached to policies
• Are where security functions are specified
• May enable specific heuristics
CSA Security Functions
• System hardening
Syn-flood protection
Malformed packet protection
Restart of failed services
• Resource protection
File access control
Network access control
Registry access control
COM component access control
• Control of executable content
Protection against email worms
Protection against automatic execution of downloaded files or ActiveX controls
• Application-related
Application run control
Executable file version control
Protection against code injection
Protection of process memory
Protection against buffer overflows
Protection against keystroke logging
• Detection
Packet sniffers and unauthorized protocols
Network scans
Monitoring of OS event logs
• Network firewalling
CSA Implementation Approaches
• Call interception
Intercept system calls between applications and the operating system
• Security policy
Pre-defined rules
Heuristics
Combination of methods
• System “state” monitoring
Application behavior—What are the running applications doing?
CSA Architecture Overview
Application → intercepted request → rules engine → allowed request or blocked request
Interceptors (in the kernel): File system interceptor, Network interceptor, Configuration interceptor, Execution space interceptor
Rules engine: evaluates each intercepted request against state and the rules & policies
Correlation engine
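To make the group → policy → rule model (the "Web Servers" group with its IIS and Windows modules) and the interceptor → rules engine flow concrete, here is an added Python sketch. It is illustration written for this transcript, not Cisco code: the `Request`, `Rule`, `Policy`, `Group` and `RulesEngine` names, the glob-based matching, the sample rules and requests, and the deny-over-allow precedence with a default-allow fallthrough are all assumptions of the example, not documented CSA semantics.

```python
"""Toy model of the CSA management hierarchy and host-side rules engine.
Added illustration for this transcript, not Cisco code: names, matching
semantics and rule precedence are constructed assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Request:
    """One operation seen by an interceptor before the kernel acts on it."""
    interceptor: str   # "file", "network", "registry" or "execution"
    application: str   # image path of the requesting process
    target: str        # file path, registry key, "proto:port" or image to run
    action: str        # e.g. "read", "write", "listen", "connect", "exec"


@dataclass(frozen=True)
class Rule:
    """Names an interceptor, globs over application and target, a set of
    actions, and the verdict returned when all of them match."""
    interceptor: str
    application: str
    target: str
    actions: FrozenSet[str]
    verdict: str       # "allow" or "deny"

    def matches(self, req: Request) -> bool:
        return (self.interceptor == req.interceptor
                and fnmatch(req.application.lower(), self.application.lower())
                and fnmatch(req.target.lower(), self.target.lower())
                and req.action in self.actions)


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple


@dataclass(frozen=True)
class Group:
    name: str
    policies: tuple
    hosts: tuple


class RulesEngine:
    """Evaluates requests against every rule of every policy attached to the
    host's group. Precedence is an assumption of this example, not documented
    CSA behaviour: an explicit deny beats an allow, and a request no rule
    covers falls through to the default action. Every block is recorded as
    an event, mirroring agents pushing events to the Management Server."""

    def __init__(self, host: str, group: Group, default: str = "allow"):
        self.host = host
        self.default = default
        self.rules = [r for p in group.policies for r in p.rules]
        self.events: List[Dict[str, str]] = []

    def evaluate(self, req: Request) -> str:
        verdicts = {r.verdict for r in self.rules if r.matches(req)}
        verdict = ("deny" if "deny" in verdicts
                   else "allow" if "allow" in verdicts
                   else self.default)
        if verdict == "deny":
            self.events.append({"host": self.host, "interceptor": req.interceptor,
                                "application": req.application,
                                "target": req.target, "action": req.action})
        return verdict


# Constructed sample configuration shaped like the deck's "Web Servers" group.
IIS_MODULE = Policy("IIS Module", (
    # the web server may read its content tree ...
    Rule("file", "*\\inetinfo.exe", "c:\\inetpub\\wwwroot\\*", frozenset({"read"}), "allow"),
    # ... but must never write executable content or spawn a command shell
    Rule("file", "*\\inetinfo.exe", "*.exe", frozenset({"write"}), "deny"),
    Rule("file", "*\\inetinfo.exe", "*.dll", frozenset({"write"}), "deny"),
    Rule("execution", "*\\inetinfo.exe", "*\\cmd.exe", frozenset({"exec"}), "deny"),
))
WINDOWS_MODULE = Policy("Windows Module", (
    # no process may register itself under the per-machine autostart key
    Rule("registry", "*", "hklm\\software\\microsoft\\windows\\currentversion\\run*",
         frozenset({"write"}), "deny"),
))
GROUPS = (Group("Web Servers", (IIS_MODULE, WINDOWS_MODULE),
                ("Web1.cisco.com", "Web2.cisco.com")),)

INETINFO = "c:\\winnt\\system32\\inetsrv\\inetinfo.exe"
# Constructed sample traffic: normal serving, then behaviour the policy blocks.
SAMPLE_REQUESTS = (
    Request("file", INETINFO, "c:\\inetpub\\wwwroot\\index.htm", "read"),
    Request("file", INETINFO, "c:\\inetpub\\wwwroot\\upload.exe", "write"),
    Request("execution", INETINFO, "c:\\winnt\\system32\\cmd.exe", "exec"),
    Request("registry", "c:\\temp\\setup.exe",
            "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x", "write"),
    Request("network", INETINFO, "tcp:80", "listen"),
)


def engine_for(host: str) -> RulesEngine:
    """Build the engine a host would run from the group it is attached to."""
    for group in GROUPS:
        if host in group.hosts:
            return RulesEngine(host, group)
    raise LookupError(f"{host} is not attached to any group")


def evaluate_all(host: str, requests) -> tuple:
    """Run a batch through one host's engine; return (verdicts, events)."""
    engine = engine_for(host)
    return [engine.evaluate(r) for r in requests], engine.events


if __name__ == "__main__":
    verdicts, events = evaluate_all("Web1.cisco.com", SAMPLE_REQUESTS)
    for req, verdict in zip(SAMPLE_REQUESTS, verdicts):
        print(f"{req.interceptor:9} {req.action:6} {req.target} -> {verdict}")
    print(len(events), "event(s) would be sent to the Management Server")
```

Only the three deny rules fire on the sample batch, so the engine reports three events; the read of web content and the listen on tcp:80 pass. Changing the `default` argument to "deny" turns the same engine into a whitelist, which is the trade-off an administrator makes when tuning how much a policy should interrupt unknown applications.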
Performance Impact
• Windows CPU usage: 1–5%
• Solaris CPU usage: 3–10%
• Memory usage: 7–10 MB, up to 20 MB
• Network impact:
Policy download: 35–70k
Event: ~3k
Poll: ~2.5k
Polling interval change: ~3k
Software update: varies
• Transactions per second is a very good way to measure latency
Performance: Transactions per Second
Note: Performed on W2K SP3 running IIS 5.0; single 2 GHz P4 CPU, 1 Gbps NIC, non-hyperthreaded, 533 MHz system bus
CSA Integration with Other Security Technologies
• VPN “Are You There”
Requires version 4.0 of Cisco VPN client and concentrator
Also supported in Checkpoint VPN-1
• Network Admission Control (NAC)
• Complement NIDS and AV
Combining signature detection and behavioral protection
Need AV to eradicate a virus, worm, or trojan
• Log Collectors and Correlators
• Windows Event Viewer and AV logs into CSA events
Cisco Security Agent Roadmap
New Agent Platforms – version 4.5
• Windows Clusters
• RedHat Enterprise Linux 3.0
Enterprise Server, Workstation
Advanced Server (stretch goal)
• Windows XP Home Edition
New Features – version 4.5
• MC scalable to 100,000 agents
• Antivirus DAT version checking
• Application/patch tracking
• Location-based policies
• User-based profiles
• Agent internationalization & localization
• Policies based on NAC status
• Security enhancements
RTM: 13 Dec 2004; CCO Download: 13 Dec 2004
Timeline shown on the slide: Apr–Dec 2004 release axis (new agent platforms, new features), with further markers at Q1CY05 and Q2CY05
New Agent Platforms – version 4.0.3
• Windows 2003 Server
• Windows XP SP2
RTM: 22 July 2004; CCO Download: 22 July 2004; FCS: 22 July 2004
Network Admission Control (NAC)
Agenda – NAC
• Overview of Network Admission Control
• NAC Phase 1 (Current) Model and Components
• NAC Credentials
• NAC Phase 2 (Future) Model and Components
Network Admission Control (NAC): preventing a non-compliant host
• Client (desktop running the Cisco Trust Agent) attempts connection
• Authentication and policy check of the client
• Outcome: Access Granted (Corporate Net), Access Denied, or Quarantine Remediation (Quarantine VLAN)
NAC Phase 1 Logical Components (June 2004)
Host: Cisco Trust Agent (NT, 2000, XP) with plug-ins for the security applications on the host
Security applications with CTA plug-ins: Cisco Security Agent, McAfee VirusScan, Symantec SAV & SCS (EDAP customers only), Trend Micro OfficeScan
Network Access Device: Routers (83x-72xx)
AAA Server: Cisco Secure ACS
Vendor Server: Trend Micro Control Manager
Monitoring & Reporting: CiscoWorks SIMS
Protocols: EAPoUDP between the host (CTA) and the Network Access Device; RADIUS between the Network Access Device and the AAA Server; HCAP between the AAA Server and the Vendor Server
Credentials Available
• NAC credentials characterize the state of an asset, and complement ID credentials for the asset and user
• Credentials form the basis for policy expressions for network admission control
• Below are most of the initial credentials available at NAC Phase 1 ship
• Vendors will add new credentials often and at any time
FROM CISCO AGENTS
• CTA 1.0
CTA version
Operating system name
Operating system version
• CSA 4.0.2
Installed service packs
Installed hotfixes
CSA version
CSA enabled or disabled
FQDN of CSA-MC (VMS)
CSA status
Last poll of CSA-MC (VMS)
FROM VENDORS
• Anti-Virus
AV software name or identifier
Software version
Scan engine version
DAT/pattern file version
AV enabled or not
On-access scan enabled
DAT/pattern file release date
• Other Software
Varies by vendor
E.g. SYMC SCS 2.0 includes FW and HIDS
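The credential list above is what an admission policy is written against. The following added Python example, which is not from the deck or from Cisco Secure ACS, evaluates constructed credential sets (operating system, installed hotfixes, CSA version and state, AV state and DAT release date) against a constructed policy and maps each to the three outcomes on the NAC slide: Access Granted, Access Denied, Quarantine Remediation. `Credentials`, `AdmissionPolicy`, `admission_decision`, the placeholder hotfix identifiers, the fixed check date and the deny-over-quarantine-over-grant ordering are all assumptions of this example.

```python
"""Posture-to-admission decision for the NAC flow on the earlier slide.
Added illustration for this transcript, not Cisco Secure ACS logic: field
names, the sample policy and the outcome precedence are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Credentials:
    """Credentials of the kinds listed above, as relayed by the Trust Agent."""
    os_name: str
    os_version: str
    installed_hotfixes: FrozenSet[str]
    csa_version: Optional[str]      # None when no CSA plug-in answered
    csa_enabled: bool
    av_name: Optional[str]          # None when no anti-virus plug-in answered
    av_enabled: bool
    on_access_scan_enabled: bool
    dat_release_date: Optional[date]


@dataclass(frozen=True)
class AdmissionPolicy:
    allowed_os: FrozenSet[str]
    required_hotfixes: FrozenSet[str]
    min_csa_version: Tuple[int, ...]
    max_dat_age_days: int


def version_tuple(version: str) -> Tuple[int, ...]:
    """'4.0.2' -> (4, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def admission_decision(creds: Optional[Credentials], policy: AdmissionPolicy,
                       today: date) -> Dict[str, object]:
    """Map one host's credentials onto Access Granted / Access Denied /
    Quarantine Remediation. The ordering (deny beats quarantine beats grant)
    is this example's choice, not a documented ACS rule."""
    if creds is None:
        # Non-responsive host: nothing answered the posture request.
        return {"decision": "denied", "network": None,
                "reasons": ["no Cisco Trust Agent response"]}

    deny: List[str] = []
    remediate: List[str] = []

    if creds.os_name not in policy.allowed_os:
        deny.append(f"operating system {creds.os_name!r} is not permitted")

    missing = sorted(policy.required_hotfixes - creds.installed_hotfixes)
    if missing:
        remediate.append("missing hotfixes: " + ", ".join(missing))

    if creds.csa_version is None or not creds.csa_enabled:
        remediate.append("Cisco Security Agent absent or disabled")
    elif version_tuple(creds.csa_version) < policy.min_csa_version:
        remediate.append(f"CSA {creds.csa_version} is below the required version")

    if creds.av_name is None or not creds.av_enabled or not creds.on_access_scan_enabled:
        remediate.append("anti-virus absent, disabled or not scanning on access")
    elif (creds.dat_release_date is None
          or (today - creds.dat_release_date).days > policy.max_dat_age_days):
        remediate.append("anti-virus DAT/pattern file is out of date")

    if deny:
        return {"decision": "denied", "network": None, "reasons": deny + remediate}
    if remediate:
        return {"decision": "quarantine", "network": "Quarantine VLAN",
                "reasons": remediate}
    return {"decision": "granted", "network": "Corporate Net", "reasons": []}


# Constructed policy; the hotfix identifiers are placeholders, not real KB numbers.
CORP_POLICY = AdmissionPolicy(
    allowed_os=frozenset({"Windows 2000", "Windows XP"}),
    required_hotfixes=frozenset({"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}),
    min_csa_version=(4, 0, 2),
    max_dat_age_days=7,
)
TODAY = date(2004, 10, 1)   # fixed so the example is reproducible

# Constructed sample hosts.
HEALTHY_HOST = Credentials("Windows XP", "5.1 SP2",
                           frozenset({"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}),
                           "4.0.3", True, "ExampleAV", True, True, date(2004, 9, 28))
STALE_HOST = Credentials("Windows XP", "5.1 SP1",
                         frozenset({"KB-PLACEHOLDER-1"}),
                         "4.0.2", True, "ExampleAV", True, True, date(2004, 8, 1))
LEGACY_HOST = Credentials("Windows 98", "4.10", frozenset(),
                          None, False, None, False, False, None)


if __name__ == "__main__":
    for label, host in (("healthy", HEALTHY_HOST), ("stale", STALE_HOST),
                        ("legacy", LEGACY_HOST), ("silent", None)):
        result = admission_decision(host, CORP_POLICY, TODAY)
        print(f"{label}: {result['decision']} -> {result['network']}; {result['reasons']}")
```

The stale host lands in the Quarantine VLAN with two remediation reasons (one missing hotfix, a DAT file 61 days old), which is exactly the information a remediation server needs to fix the host before re-admission; the host that never answers is denied outright, the case NAC Phase 2's non-responsive audit server is meant to handle differently.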
NAC Phase 2 Logical Components
Phase 1 (shipping) versus Phase 2 (future):
Host: Phase 1 – NT, XP, 2000; Phase 2 adds Linux, Solaris, 2003
Host-to-network protocol: Phase 1 – EAPoUDP; Phase 2 adds EAPo802.1x
Network Access Device: Phase 1 – Routers (83x-72xx); Phase 2 adds Switches (2900-6500), VPN 3000, IOS Switches
Network Access Device to AAA Server: RADIUS
AAA Server: Cisco Secure ACS
Vendor Server: Main AV Vendors, Broad API License (HCAP from the AAA Server)
Non-responsive Audit Server (Phase 2): Build NR System & API, Broad API License; NR means a non-responsive host, one that does not answer the posture query