06-30-2004 10:40 PM - edited 03-09-2019 07:54 AM
We are installing Cisco Security Agent (CSA) v4.x on Windows machines in order to provide end-user protection and security. We would like to have the following functionality: if the antivirus program installed on the user's PC, or the Windows OS, is not updated with its latest patches, etc., then CSA should take an action (either alarm or prevent the user from accessing the network). Has anyone implemented similar functionality? Is there something similar we can implement using CSA?
I would appreciate any feedback on this issue.
Thanks
07-01-2004 04:25 AM
Well...all things being equal, my experience with CSA has shown that it has the ability to stop every last major worm/trojan/virus out there thus far by using the default policies. Now, that being said, and with my being a huge fan of CSA (as opposed to being PO'ed at Cisco for some actions they have taken on the voice side.....but I digress), I would never ever run a box w/o A/V software running in conjunction with CSA. I tend to use a layered approach to security, with layer 1 overlapping layer 2 functionality and layer 2 overlapping layer 3 functionality. Perhaps "layered" is not the right term, as it may cause people to think about packet flow instead, but I am on no sleep so that's the best I got.
CSA is a perfect complement to any good A/V policy, and in the scenario you mentioned, should a user's A/V definitions be out of date, then CSA will pick up the slack.
The best use of CSA for viruses is at the critical time when a virus first appears in the wild and there are no definitions available yet. "Zero Day" or "Day Zero", depending on who you talk to, is where CSA shines. For example, if you have mobile users and they are out on the road connected and "Super Worm" pops up and is trying to erase hard drives, CSA should, and the key word is should, catch it.
I have yet to see a CERT advisory that I think CSA would not be able to stop, but you have to take into account potential items such as misconfiguration, glitches, end-user interference, etc. If you lock down your end users tight enough they won't be able to do too much harm, but then there is Murphy's law.
It is an amazing product, but like IDS it requires tuning and monitoring to work at its best. Huge tip: once you have your baseline on what should be allowed, take away end users' ability to click "Yes" to allow whatever action when CSA picks something up. It is for their own good. End users need to be protected......from themselves. If I have to compose one more e-mail about not opening attachments that you are not sure of the source of AND that you are not expecting, I am gonna SCREAM!!!!
Hope that helps.
Please remember to rate all replies.
07-01-2004 05:05 AM
Dear Travis,
Thanks a lot for the reply. Which A/V do you prefer, by the way? (always in co-operation with CSA)
07-01-2004 05:53 AM
Personally, I like Symantec Anti-Virus Corporate Edition. Very flexible and easy to install/use. Cisco has recently announced a partnership with Trend Micro, though. You may want to look at them. I feel like Network Admission Control is going to be huge. I have heard rumors that they are going to do the same with other A/V vendors but chose Trend first because they do not offer many/any competing products. Symantec and others offer security products that compete with some Cisco offerings, and who wants to help bolster the competition, right? :)