Security Basics mailing list archives

RE: Cisco CSA


From: "Dante Mercurio" <Dante () webcti com>
Date: Fri, 28 May 2004 16:41:04 -0400

Cherian,

We're a Cisco reseller, and after a few demos of CSA decided to embrace
it as our point IDS/IPS solution. We had in the past sold Symantec and
variations of Snort. For our customer base, the traditional IDS was a
hard sell as they don't have resources to dedicate to reviewing and
adjusting logs. They want something that helps adjust policy.

CSA sets up very easily. The longest part is getting the management system
CiscoWorks:VMS up and running. It states it needs a minimum of 1 gig of
memory, and they aren't kidding. We ran it on a test bed system with 256
megs, and you could nap while it loaded. Once up and running, however, it
functions very smoothly.

Our experience has been the best methodology is to roll it out in a test
bed mode with the desktop, laptop, or server defaults, and monitor the
results over the next few days. You'll see a number of applications
doing some weird stuff that you will need to allow. Adjusting the
triggered rule is as easy as looking in the log and running a wizard
link on it.

Rolling out the client isn't as automated as I would like. I'd love to
see a .msi package or a push out like anti-virus. Right now, the client
is distributed via a web link to the management station. You can set it
up to run transparently if you like.

Per Cisco: The default CSA 4.0 server and desktop policies stop
successful execution of Sasser attack on devices with CSA installed.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns441/c664/cdccont_0900aecd800f613b.pdf

Beware the wording above. If you are not running the default
configuration because you adjusted it in some way, then you may be
vulnerable.

Hope this info helps,

M. Dante Mercurio
dante () webcti com
Consulting Group Manager
Continental Technologies, Inc
www.webcti.com

-----Original Message-----
From: Cherian Palayoor [mailto:securinet2004 () yahoo ca] 
Sent: Tuesday, May 25, 2004 7:35 PM
To: security-basics () securityfocus com
Subject: Cisco CSA


Hi,
 
Can anyone give me some feedback on the Cisco Security
Agent? This product claims to stop malicious behaviour
on machines infected by any malware.
 
We were recently hit pretty hard by Sasser. Cisco has
since been trying to sell us this product as a
heuristic solution to malicious activity on the
network. The product does not depend on any signature
updates and is entirely behavioural.
 
Cisco purports to have successfully stopped Sasser from
doing any damage.
 
Can anyone confirm this to be a fact? The product does
not come cheap.
 
Thanks in advance.
 
Regards
 
Cherian

