11-01-2012 09:50 AM - edited 03-10-2019 05:48 AM
I have several servers touching the internet, and one basic ASA-5510.
Aside from purchasing the AIP-SSM and upgrading the 5510 license, what else is required to have a host-based IPS?
Do I need to purchase MARS or other software?
How are the security-agents spec'ed?
Thanks.
11-03-2012 01:44 AM
Some time ago Cisco had a really great host-based IPS, the Cisco Security Agent (CSA). This is end of life and you should look for a different vendor. Same for the central monitoring system MARS, which is also EOL.
Are you looking for Server-protection?
Using the AIP-SSM is one good solution. For protecting an HTTPS server, you should think about a reverse proxy in the DMZ that terminates the SSL and sends pure HTTP to the original server. That can be inspected with a web firewall on the proxy and also by the IPS in the ASA.
11-05-2012 06:00 AM
That explains why the CSA textbooks were only $1.47.
I am very, very glad you responded, as I was about to present this as a solution.
Does Cisco recommend a Host-Based solution by a third party, like Trend Micro?
Or are we at the point where anti-virus software alone covers the hosts?
Thanks.
jc
11-05-2012 10:01 AM
This is what Cisco is saying on that topic (from the EOL page):
Cisco's network security product portfolio has complementary security technologies, such as Cisco Intrusion Prevention Systems, Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco IronPort Email and Web gateways. Please contact your Cisco account team for more information on these products. While there is no direct Cisco Security Agent replacement product from Cisco, many endpoint security products are available from a wide variety of third-party vendors. We expect that customers will want to do their own due diligence in choosing a replacement product that best meets their needs.
For clients I would go for the typical security packages every anti-virus vendor has to offer. Together with a web filter, the protection should be quite good. For servers, network-based IPS together with filtering reverse proxies and application gateways do the work for me. But I really miss the CSA in some cases.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-05-2012 10:21 AM
Karsten, you are a good person. Appreciate the extra effort. jc
11-05-2012 10:46 AM
No problem, that's what communities like these are for ...