CSA & NMAP

badih_abifadel
Level 1

I'm using NMAP to discover ports and OS from my laptop to another PC protected by CSA.

CSA is not preventing the discovery process, even though it is logging "Possible Portscan" on the CSA MC.

I'm using the default settings on the CSA MC (default installation).

NB: I followed a document from Cisco, "Cisco Security Agent V4.0 Evaluation Guide".

Any advice?

2 Replies

pcomeaux
Cisco Employee

The advice we can offer depends on what you are looking for. It sounds like CSA is doing its job.

If you do not want the protected PC to accept any connections from any other PC on any port, then add a Network Access Control Rule as a High Priority Deny to block All Applications from Acting as a Server for All Protocols and Ports. This is relatively easy to do. Once you add this rule, NO application will accept any connections on the PC.

What impact, though, will this have on the PC? That depends on your environment. You have to make the decision if you want the PC locked down this far.

As you can see, the default policies remain quite open for PCs to accept inbound connections. This is normal and necessary in most corporate environments. If you try to take advantage of one of the ports that NMAP reports, you will see that CSA blocks the Suspicious Behaviour.

So tell us more about your goals and we can go into more detail about what you are seeing. From what you provided in your initial questions, yes - CSA is reporting the portscan and would most likely block any attempt to hack an open port.

Let us know,

peter

I added a Network Access Control Rule as a High Priority Deny and it worked.

Thanks