
Securing Hosts Using Cisco Security Agent. Volume 2. Student Guide PDF

294 Pages·4.488 MB·English

Preview Securing Hosts Using Cisco Security Agent. Volume 2. Student Guide

HIPS
Securing Hosts Using Cisco Security Agent
Volume 2
Version 3.0
Student Guide
Text Part Number: 97-2341-01

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Cyprus • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0501R) DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above. 
Table of Contents, Volume 2

Module 4: Configuring Rules 4-1
  Overview 4-1
  Module Objectives 4-1
  Rule Basics 4-3
    Overview 4-3
    Objectives 4-3
    Types of Rules 4-4
    Example: Enforcement Rules 4-5
    Example: Detection Rules 4-6
    Rule Action List 4-7
    Example: Automatic Rule Ordering 4-9
    The Set Action 4-10
    Example: Differentiated Service Code Point and Per-Hop-Behavior 4-13
    Variables Used with Different Rule Types 4-15
    Summary 4-16
    References 4-16
  Configuring Rules Common to Windows and UNIX 4-17
    Overview 4-17
    Objectives 4-17
    Rules Common to Windows and UNIX Hosts 4-18
    How to Configure the Agent Service Control Rule 4-19
    Configuring the Agent Service Control Rule 4-20
    How to Configure the Agent UI Control Rule 4-23
    Configuring the Agent UI Control Rule 4-24
    Hiding the Agent UI 4-26
    How to Configure the Application Control Rule 4-27
    Configuring the Application Control Rule 4-28
    How to Configure the Connection Rate Limit Rule 4-31
    Configuring the Connection Rate Limit Rule 4-32
    How to Configure the Data Access Control Rule 4-35
    Configuring the Data Access Control Rule 4-36
    How to Configure the File Access Control Rule 4-39
    Configuring the File Access Control Rule 4-40
    Practice: Configuring the File Access Control Rule Using the Set Action 4-43
    Activity Objective 4-43
    How to Configure the Network Access Control Rule 4-45
    Configuring the Network Access Control Rule 4-46
    Example: Building a Dynamic Application Class Using a Rule 4-50
    Practice: Configuring an Application-Builder Rule 4-52
    Activity Objective 4-52
    Summary 4-54
  Configuring Windows-Only Rules 4-55
    Overview 4-55
    Objectives 4-55
    Windows-Only Rules 4-56
    How to Configure the Clipboard Access Control Rule 4-58
    Configuring the Clipboard Access Control Rule 4-59
    How to Configure the COM Component Access Control Rule 4-61
    Configuring the COM Component Access Control Rule 4-62
    Practice: Configuring the COM Component Access Control Rule 4-65
    Activity Objective 4-65
    How to Configure the File Version Control Rule 4-67
    Configuring the File Version Control Rule 4-69
    Practice: Configuring the File Version Control Rule 4-71
    Activity Objective 4-71
    How to Configure the Kernel Protection Rule 4-73
    Configuring the Kernel Protection Rule 4-74
    How to Configure the NT Event Log Rule 4-77
    Configuring the NT Event Log Rule 4-78
    How to Configure the Registry Access Control Rule 4-81
    Configuring the Registry Access Control Rule 4-82
    How to Configure the Service Restart Rule 4-85
    Configuring the Service Restart Rule 4-86
    How to Configure the Sniffer and Protocol Detection Rule 4-88
    Configuring the Sniffer and Protocol Detection Rule 4-90
    Summary 4-92
  Configuring UNIX-Only Rules 4-93
    Overview 4-93
    Objectives 4-93
    UNIX-Only Rules 4-94
    How to Configure the Network Interface Control Rule 4-95
    Configuring the Network Interface Control Rule 4-96
    How to Configure the Resource Access Control Rule 4-98
    Configuring the Resource Access Control Rule 4-99
    How to Configure the Rootkit/Kernel Protection Rule 4-101
    Configuring the Rootkit/Kernel Protection Rule 4-102
    How to Configure the Syslog Control Rule 4-105
    Configuring the Syslog Control Rule 4-106
    Summary 4-108
  Configuring System Correlation Rules 4-109
    Overview 4-109
    Objectives 4-109
    System Correlation Rules 4-111
    How to Configure the System API Control Rule 4-113
    Practice: Configuring the System API Control Rule 4-118
    Activity Objective 4-118
    How to Configure the Network Shield Rule 4-120
    How to Configure the Buffer Overflow Rule 4-125
    The E-mail Worm Protection Module 4-129
    E-mail Worm Event Correlation 4-131
    The Installation Applications Policy 4-132
    How to Configure Global Event Correlation 4-134
    Configuring Global Event Correlation 4-135
    Summary 4-138
  Module Summary 4-139
  References 4-139
  Module Self-Check 4-140
  Module Self-Check Answer Key 4-142

Module 5: Administering Events and Generating Reports 5-1
  Overview 5-1
  Objectives 5-1
  Managing Events 5-3
    Overview 5-3
    Objectives 5-3
    What Is Logging? 5-4
    Using the Verbose Logging Mode 5-5
    Logging Deny Actions 5-6
    How to View Events Using the Event Log 5-7
    How to View Events Using the Event Monitor 5-12
    Event Log Management 5-16
    Configuring Global Event Insertion Threshold Parameters 5-17
    Configuring an Event Auto-Pruning Task 5-18
    The Event Management Wizard 5-20
    Configuring an Exception Rule 5-22
    Configuring a Logging Exception Rule 5-29
    Performing an Application Behavior Analysis 5-35
    Configuring Event Suppression 5-39
    How to Configure an Event Set 5-41
    How to Configure an Alert 5-44
    How to View System Summary Information 5-46
    Summary 5-47
  Generating Reports 5-49
    Overview 5-49
    Objectives 5-49
    Types of Reports 5-50
    Types of Report Viewers 5-50
    How to Generate an Events by Severity Report 5-53
    Generating an Events by Severity Report 5-54
    Example: Events by Severity Report 5-56
    How to Generate an Events by Group Report 5-57
    Generating an Events by Group Report 5-58
    Example: Events by Group Report 5-59
    How to Generate a Group Detail Report 5-60
    Generating a Group Detail Report 5-61
    Example: Group Detail Report 5-62
    How to Generate a Host Detail Report 5-63
    Generating a Host Detail Report 5-64
    Example: Host Detail Report 5-65
    How to Generate a Policy Detail Report 5-66
    Generating a Policy Detail Report 5-67
    Example: Policy Detail Report 5-68
    How to View the Audit Trail 5-69
    Summary 5-71
  Module Summary 5-72
  Module Self-Check 5-73
  Module Self-Check Answer Key 5-74

Module 6: Using CSA Analysis 6-1
  Overview 6-1
  Module Objectives 6-1
  Configuring Application Deployment Investigation 6-3
    Overview 6-3
    Objectives 6-3
    Application Deployment Investigation 6-4
    How to Configure Group Settings 6-5
    Configuring Group Settings 6-6
    How to Configure Product Associations 6-8
    Configuring Product Associations 6-9
    How to Configure Unknown Applications 6-11
    Configuring Unknown Applications 6-12
    How to Configure Data Management 6-14
    Configuring Data Management 6-15
    Summary 6-17
  Generating Application Deployment Reports 6-19
    Overview 6-19
    Objectives 6-19
    Application Deployment Reports 6-20
    How to Generate an Antivirus Installations Report 6-21
    Example: Antivirus Installations Report 6-24
    How to Generate an Installed Products Report 6-25
    Example: Installed Products Report 6-27
    How to Generate an Unprotected Hosts Report 6-28
    Example: Unprotected Hosts Report 6-30
    How to Generate an Unprotected Products Report 6-31
    Example: Unprotected Products Report 6-33
    How to Generate a Product Usage Report 6-34
    Example: Product Usage Report 6-36
    How to Generate a Network Data Flows Report 6-37
    Example: Network Data Flows Report 6-41
    How to Generate a Network Server Applications Report 6-42
    Example: Network Server Applications Report 6-44
    Summary 6-45
  Configuring Application Behavior Investigation 6-47
    Overview 6-47
    Objectives 6-47
    Application Behavior Investigation 6-48
    Behavior Analysis 6-50
    How to Configure Behavior Analysis 6-51
    Monitoring the Behavior Analysis 6-56
    Analyzing Behavior Analysis Data 6-57
    Importing the Rule Module 6-58
    Behavior Analysis Rule Modules 6-58
    Reviewing the Rule Module 6-59
    Summary 6-60
  Generating Behavior Analysis Reports 6-61
    Overview 6-61
    Objectives 6-61
    Behavior Analysis Reports 6-62
    How to View Behavior Analysis Reports 6-63
    File Event Reports 6-64
    Registry Event Reports 6-65
    COM Event Reports 6-66
    Network Event Reports 6-67
    Summary Reports 6-68
    Summary 6-69
  Module Summary 6-70
  References 6-70
  Module Self-Check 6-71
  Module Self-Check Answer Key 6-72
Module 4: Configuring Rules

Overview

Network security is the most crucial part of network management. The enterprise network is accessible to all employees from all over the globe. Voice and video consume a lot of bandwidth, which adds to the administrator's burden, especially when the streamed data requires strong security. Rules make your job easier: you can control network resources by creating rules that deny access to unauthorized applications.

Module Objectives

Upon completing this module, you will be able to configure rules in CSA MC. This ability includes being able to meet these objectives:
- Describe the basics of rule construction and functionality in CSA MC
- Configure rules common to Windows and UNIX hosts
- Configure Windows-only rules
- Configure UNIX-only rules
- Configure system correlation rules

Lesson 1: Rule Basics

Overview

Rules determine the nature and functionality of various applications. Rules form the basis for all types of actions, such as managing files, registry keys, COM components, network access, and protocols. The rules configured in the Management Center for Cisco Security Agents (CSA MC) prioritize every action, such as Priority Terminate, Set, and Monitor, and define a particular order in which the rules must be processed. This priority controls the way in which rules take precedence over one another.

Objectives

Upon completing this lesson, you will be able to describe the types of rules and their functions. This ability includes being able to meet these objectives:
- Identify the various types of CSA MC rules and their functions
- Identify the order in which rules are processed

Types of Rules

This topic describes the various types of CSA MC rules and their functions.

[Slide: Types of CSA MC Rules. Rules are divided into Enforcement Rules and Detection Rules. (HIPS v3.0, slide 4-3)]

CSA MC includes rules for file management, network access, registry control, and application management. Rules can be broadly categorized into these two types:
- Enforcement rules: Enforcement rules are used to prevent attacks before they happen. You can customize your network policy to prevent denial-of-service (DoS) attacks or attacks by worms. You can set up your network to check for the Agent user interface and for older versions of files being accessed by employees.
- Detection rules: Detection rules are used to detect network security breaches. Detection rules also correlate similar events, which lets you create a combined policy to avoid future breaches in network security.
