Cisco Security Agent

by Chad Sullivan
  • ISBN13: 9781587052057
  • ISBN10: 1587052059
  • Edition: 1st
  • Format: Paperback
  • Copyright: 2005-06-01
  • Publisher: Cisco Press
List Price: $60.00

Summary

Prevent security breaches by protecting endpoint systems with Cisco Security Agent, the Cisco host Intrusion Prevention System.

  • Secure your endpoint systems with host IPS
  • Build and manipulate policies for the systems you wish to protect
  • Learn how to use groups and hosts in the Cisco Security Agent architecture and how the components are related
  • Install local agent components on various operating systems
  • Explore the event database on the management system to view and filter information
  • Examine Cisco Security Agent reporting mechanisms for monitoring system activity
  • Apply Application Deployment Investigation to report on installed applications, hotfixes, and service packs
  • Collect detailed information on processes and see how they use and are used by system resources
  • Create and tune policies to control your environment without impacting usability
  • Learn how to maintain the Cisco Security Agent architecture, including administrative access roles and backups

Cisco Security Agent presents a detailed explanation of Cisco Security Agent, illustrating the use of host Intrusion Prevention Systems (IPS) in modern self-defending network protection schemes. At the endpoint, the deployment of a host IPS provides protection against both worms and viruses. Rather than focusing exclusively on the reconnaissance phases of network attacks, a host IPS approaches the problem from the other direction, preventing malicious activity on the host by focusing on behavior. By changing the focus to behavior, damaging activity can be detected and blocked regardless of the attack. Cisco Security Agent is an innovative product in that it secures the portion of corporate networks that is in the greatest need of protection: the end systems. It also has the ability to prevent a day-zero attack, which is a worm that spreads from system to system, taking advantage of vulnerabilities in networks where either the latest patches have not been installed or for which patches are not yet available.

Cisco Security Agent utilizes a unique architecture that correlates behavior occurring on the end systems by monitoring clues such as file and memory access, process behavior, COM object access, and access to shared libraries, as well as other important indicators. Cisco Security Agent is the first book to explore the features and benefits of this powerful host IPS product. Divided into seven parts, the book provides a detailed overview of Cisco Security Agent features and deployment scenarios. Part I covers the importance of endpoint security. Part II examines the basic components of the Cisco Security Agent architecture. Part III addresses agent installation and local use. Part IV discusses the Cisco Security Agent management console's reporting and monitoring capabilities. Part V covers advanced Cisco Security Agent analysis features. Part VI covers Cisco Security Agent policy, implementation, and management. Part VII presents additional installation and management information. Whether you are evaluating host IPS in general or looking for a detailed deployment guide for Cisco Security Agent, this book will help you lock down your endpoint systems and prevent future attacks.

"While there are still a lot of ways that security can go wrong, Cisco Security Agent provides a defense even when something is wrong. I remember the email that came around from our system administrator that said, 'There's someth

Author Biography

Chad Sullivan, CCIE No. 6493, is a consulting systems engineer for Cisco Systems® based out of Atlanta who specializes in security on the Advanced Technologies team. Chad has focused predominantly on security as a specialty for a number of years and has been a member of the Cisco® Security and VPN Virtual team for the last 5 years.

Table of Contents

Foreword xviii
Introduction xx
Part I The Need for Endpoint Security 3(30)
Introducing Endpoint Security 5(16)
The Early Days: Viruses and Worms 5(3)
Virus Emergence and Early Propagation Methods 5(1)
LAN Propagation 6(1)
The WAN and Internet 7(1)
The Network Worm 7(1)
The Single Environment and Its Consequences 8(1)
The Present: Blended Threats 8(4)
Delivery and Propagation Mechanisms 9(1)
The Bundled Exploit 9(1)
Persistence 10(1)
Paralyzing or Destructive Behavior 11(1)
The Global Implications 11(1)
Spyware 12(1)
The Insider 12(1)
Understanding Point Security Weaknesses 13(2)
Using Point Security Products 13(1)
Candy Shell Security 14(1)
Backdoor Attack Vectors 14(1)
Using Attack-Detection Methods 15(2)
Signature-Based Attack Detection 15(1)
Log File Scraping 15(1)
Application Fingerprinting 15(1)
Behavior-Based Attack Detection 16(1)
Automation 16(1)
Establishing a Security Policy 17(2)
Understanding the Need for a Security Policy 17(1)
Compliance Versus Enforcement 18(1)
Summary 19(2)
Introducing the Cisco Security Agent 21(12)
Intrusion Prevention and Intrusion Detection Technologies 22(1)
The Life Cycle of an Attack 23(1)
CSA Capabilities 24(3)
Globally Automated Correlation and Reaction 25(1)
Distributed Firewall 25(1)
Application Control 25(1)
File and Directory Protection 26(1)
Network Admission Control 26(1)
CSA Analysis 27(1)
CSA Components Overview 27(2)
Management Console 27(1)
Agent 28(1)
CSA Communication 29(2)
Necessary Protocols and Ports 29(1)
Pull Model 30(1)
Push/Hint Capability 30(1)
CSA's Role Within SAFE 31(1)
Summary 31(2)
Part II Understanding the CSA Building Blocks 33(128)
Understanding CSA Groups and Hosts 35(26)
The Relationship Between Groups and Hosts 35(1)
Understanding CSA Groups 35(14)
Introducing the Group Types 35(1)
Mandatory Groups 36(1)
Predefined Groups 36(1)
Custom Groups 37(1)
Viewing Groups 38(2)
Creating a Custom Group 40(4)
Exploring Predefined Groups 44(1)
The Desktops - All Types Group 44(3)
Other Predefined Groups 47(1)
Viewing and Changing Group Membership 47(2)
Viewing Group-Associated Events 49(1)
Understanding CSA Hosts 49(9)
Viewing Host Configuration 50(1)
Polling Intervals 51(1)
Using Test Mode 52(1)
Working with Hosts 52(4)
Changing a Host's Group Membership 56(1)
Viewing Host-Associated Events 57(1)
Summary 58(3)
Understanding CSA Policies, Modules, and Rules 61(64)
The Relationship Between Policies, Modules, and Rules 61(1)
Establishing Acceptable Use Documents and Security Policies 62(1)
CSA Rules 63(48)
Understanding State Sets 63(1)
User State Sets 63(3)
System State Sets 66(4)
State Set Management 70(1)
Understanding Rule Actions 71(2)
Understanding Query Options 73(2)
Rule Precedence and Manipulation 75(1)
Other Common Rule Configuration Options 76(1)
CSA Rule Types 77(1)
Agent Service Control [W and U] 77(2)
Agent UI Control [W and U] 79(2)
Application Control [W and U] 81(1)
Clipboard Access Control [W] 82(1)
COM Component Access Control [W] 83(2)
Connection Rate Limit [W and U] 85(1)
Data Access Control [W and U] 86(2)
File Access Control [W and U] 88(2)
File Version Control [W] 90(1)
Kernel Protection [W] 91(2)
Network Access Control [W and U] 93(1)
Network Shield [W and U] 94(2)
NT Event Log [W] 96(2)
Registry Access Control [W] 98(1)
Service Restart [W] 99(2)
Sniffer and Protocol Detection [W] 101(1)
System API [W] 102(2)
Buffer Overflow [U] 104(2)
Network Interface Control [U] 106(1)
Resource Access Control [U] 107(1)
Rootkit/Kernel Protection [U] 108(1)
Syslog Control [U] 109(2)
CSA Rule Modules 111(8)
Working with Rule Modules 111(1)
Comparing Rule Modules 112(1)
Creating a Rule Module 113(3)
Using CSA Predefined Rule Modules 116(3)
CSA Policies 119(4)
Understanding Policy Settings 120(1)
Using CSA Predefined Policies 121(1)
Policy Relationship to Groups and Agents 122(1)
Mandatory Groups and Combined Rule Precedence 122(1)
Summary 123(2)
Understanding Application Classes and Variables 125(36)
Using Application Classes 125(16)
Purpose of CSA MC Built-In Application Classes 126(1)
Configuring Application Classes 127(4)
Built-In Application Classes 131(2)
Introducing Static and Dynamic Application Classes 133(1)
Creating a Static Application Class 133(2)
Configuring Dynamic Application Classes 135(5)
Managing Application Classes 140(1)
Controlling Shell Scripts 140(1)
System Processes 141(1)
Introducing Variables 141(18)
Network Address Sets 142(3)
Network Services Sets 145(2)
Data Sets 147(2)
File Sets 149(3)
Dynamically Quarantined Files and IP Addresses 152(1)
Query Settings 153(2)
COM Component Sets 155(3)
Registry Sets 158(1)
Summary 159(2)
Part III CSA Agent Installation and Local Agent Use 161(42)
Understanding CSA Components and Installation 163(22)
General CSA Agent Components Overview 163(1)
CSA Installation Requirements 164(4)
Software and Hardware Requirements 165(1)
Additional Installation Requirements 166(1)
CSA MC Server and Database 166(1)
Communication Security 167(1)
Agent Kits 168(15)
Creating an Agent Kit 168(2)
To Shim or Not to Shim? 170(1)
Installing Agent Kits 171(1)
Installing a Windows Agent Kit 171(6)
Installing a Solaris Agent Kit 177(1)
Installing a Linux Agent Kit 177(1)
Immediately Rebooting the System After Installation 178(1)
Scripted Installation 179(1)
Installing Software Updates 179(3)
Uninstalling an Agent Kit 182(1)
Summary 183(2)
Using the CSA User Interface 185(18)
Windows Agent Interface 185(15)
Windows Agent Tray Icon 186(1)
Windows System Tray Options Menu 186(1)
The CSA User GUI 187(1)
Windows Agent - Status 188(3)
Windows Agent - System Security 191(1)
Windows Agent - System Security > Untrusted Applications 192(1)
Local Firewall Settings 193(2)
CSA Audible Notifications 195(1)
Windows Programs Menu 196(2)
CSA Local Directories and Tools 198(1)
CSA User Interaction 198(1)
Stopping a CSA Agent 199(1)
Linux Agent Interface 200(1)
Solaris Agent Interface 200(1)
csactl Utility 201(1)
Stopping the Solaris Agent 201(1)
Summary 201(2)
Part IV Monitoring and Reporting 203(44)
Monitoring CSA Events 205(26)
Status Summary 206(4)
Network Status 207(1)
Event Counts per Day 208(2)
Refresh 210(1)
Event Log 210(9)
Filtering the Event Log 212(2)
Interpreting and Using the Event Log 214(2)
Understanding Event Field Information 216(1)
Details 216(1)
Rule Number 217(1)
Event Wizard 217(1)
Find Similar 218(1)
Event Monitor 219(4)
Event Log Management 223(2)
Event Insertion Tasks 223(1)
Auto-Pruning Tasks 224(1)
Event Sets 225(2)
Alerts 227(2)
Summary 229(2)
Using CSA MC Reports 231(16)
Audit Trail Reporting 232(3)
Event Reporting 235(4)
Events by Severity Reports 235(3)
Events by Group Reports 238(1)
Group Detail Reporting 239(1)
Host Detail Reporting 239(2)
Policy Detail Reporting 241(2)
Report Viewing 243(1)
Creating a Sample Report 243(2)
Summary 245(2)
Part V Analyzing CSA 247(62)
Application Deployment Investigation 249(26)
Using Application Deployment Investigation 250(12)
Group Settings 251(4)
Product Associations 255(4)
Unknown Applications 259(1)
Data Management 260(2)
Using Application Deployment Reports 262(11)
Antivirus Installations Report 262(1)
Installed Products Report 263(2)
Network Data Flows Report 265(2)
Network Server Applications Report 267(1)
Product Usage Report 268(2)
Unprotected Hosts Report 270(1)
Unprotected Products Report 271(2)
Summary 273(2)
Application Behavior Analysis 275(34)
Understanding Application Behavior Investigation Components 275(1)
Configuring Application Behavior Investigation 276(5)
Using Application Behavior Investigation on the Remote Agent 281(2)
Analyzing Log Data 283(2)
Viewing Behavior Reports 285(12)
File Events 286(1)
Directory Summary 286(1)
Individual File Summary 287(1)
All Events 288(1)
Registry Events 289(1)
Key Summary 289(1)
All Events 290(1)
COM Events 290(1)
Object Summary 291(1)
All Events 291(2)
Network Events 293(1)
Destination Port Summary 293(1)
All Events 294(1)
Summary Reports 295(1)
Behavior Summary 295(1)
Behavior Summary by Process 295(2)
Exporting the Behavior Analysis Report Data 297(2)
Analyzing UNIX Application Behavior 299(1)
Creating Behavior Analysis Rule Modules 300(6)
Importing the Behavior Policy 302(1)
Understanding Imported Rule Module Methodology 303(1)
Reviewing and Tuning the Imported Rule Module and Components 303(3)
Summary 306(3)
Part VI Creating Policy, Implementing CSA, and Maintaining the CSA MC 309(72)
Creating and Tuning Policy 311(26)
Creating Policy 311(14)
How Policy Relates to CSA 312(1)
The First Steps in Policy Creation 312(1)
Creating New Policies Versus Using Predefined CSA Policies 313(1)
Brief Review of Policy Component Hierarchy 313(2)
Where to Apply Policies 315(1)
Using Mandatory Groups 315(1)
Cloning CSA Components 315(2)
Creating a Simple CSA Policy 317(5)
Investigating Predefined Policies 322(1)
Base Operating System Protection - Windows Policy 323(1)
Microsoft Office Policy 323(1)
Instant Messenger Policy 324(1)
Tuning Policy 325(10)
Review of Key Features Impacting the Tuning Process 326(2)
Actively Tuning by Example 328(1)
Limiting the Event Log View 328(1)
Tuning from Event Log Entries 328(2)
Introducing the Event Management Wizard 330(1)
Using the Event Management Wizard 330(4)
Choosing Between the Event Log and Event Monitor 334(1)
Troubleshooting Tuning 335(1)
DMP and RTR Files 335(1)
Summary 335(2)
Developing a CSA Project Implementation Plan 337(18)
Planning for Success 337(1)
The Project Plan 338(1)
Outlining the Project Phases 338(15)
The Training Phase 339(1)
The Planning Phase 339(1)
The Testing Phase 339(2)
Gather Information 341(1)
Determine Test Bed Size and Components 342(1)
Install the Test CSA Management Architecture 343(1)
Create and Configure the Test CSA Hierarchy 343(3)
Configure CSA MC Administrative and Maintenance Settings 346(1)
Create the Base Test Policy 346(1)
Deploy the Test Policy 347(1)
Tune the Test Policy and Add Advanced Policies 348(1)
Place the Policy in Enforcement Mode 349(1)
Create Alerts 349(1)
Export, Report, and Document 349(1)
Train Staff and Users 349(1)
Verify Success Criteria 350(1)
The Pilot Phase 350(2)
The Implementation Phase 352(1)
Continued Evolution of the CSA Deployment 353(1)
Summary 353(2)
CSA MC Administration and Maintenance 355(26)
CSA Licensing 355(2)
CSA MC Registration Control 357(1)
CSA MC Component Sharing 358(4)
Exporting CSA MC Objects 358(3)
Importing CSA MC Objects 361(1)
CSA MC Role-Based Access Control 362(5)
Inherited VMS Administrative Rights 362(2)
CSA MC Administrative Control 364(1)
Administrative Preferences 365(2)
Other CSA MC Administrative Features 367(9)
CSA MC Search Menu 367(1)
Hosts 367(2)
Groups 369(1)
Policies 369(1)
Rule Modules 370(1)
Rules 371(1)
Variables 372(1)
Application Classes 372(2)
All Inclusive 374(1)
CSA MC Help Menu 374(2)
CSA MC Backup and Restore Procedures 376(3)
CSA MC Database Backup 376(2)
CSA MC Database Restoration 378(1)
Summary 379(2)
Part VII Appendixes 381(30)
Appendix A VMS and CSA MC 4.5 Installation 383(14)
Appendix B Security Monitor Integration 397(8)
Appendix C CSA MIB 405(6)
Index 411
