Educause Security Discussion mailing list archives
Re: Cisco Security Agent and other HIPS
From: Dan Roberts <ddrobert () KENT EDU>
Date: Tue, 23 Jan 2007 12:59:17 -0500
We purchased CSA for use in our datacenter, and are currently running version 5.0. I'm impressed with its capabilities, but it's been a long, difficult implementation. Many of our problems stemmed from bugs in the software. There were a lot of them, but the latest patch release seems to have ironed most of those out.

Your deployment effort will be inversely proportional to the level of standardization in your environment, but I suspect that's the same for all available products.

When we were evaluating products, CSA stood out as the ultimate in flexibility. There are many knobs and switches you can adjust. To keep from becoming overwhelmed, you'll want a solid idea what you want to accomplish with the product before you get started. Download Cisco's 30-day trial. A small deployment runs well in VMware.

To the other schools who have had success with CSA: did you implement the Cisco delivered rules and tune them to your liking, or did you build custom rules from the ground up?

--
Dan Roberts
Office of Security and Compliance
Kent State University

On 1/20/07, John Turner <turner () brandeis edu> wrote:
We have been running CSA for about 3 years now and we have had some good and less than good experiences with it. We started at V4 (the first Cisco branded version) and are now on 5.2.

It works VERY well on servers. It saved us once already from a potentially disastrous situation.

We have been piloting it on workstations for about 2 years and have had mixed results. The product was built "correctly" in that it doesn't compromise on security, however it can become a user nuisance unless you work to build exceptions for applications you commonly run. If you tightly control the desktop then it would work as well as it does on servers.

A feature in the system allows you to create profiles and export them as specific packages. So if you make exceptions for a specific product like an IM client you can export that and anyone can take it and import it into their system. The format is XML so it could be tweaked even before putting it in. I was really hoping that there would be an exchange where people could trade, or Cisco could post, profiles for new exceptions. But that hasn't happened yet.

My guess is that to do it right you would need about 0.25 FTE devoted to this.

We are working with the CSA product managers, who happen to be based down the road, to make the product better for the higher education market.

John

---
John W. Turner
Director for Networks and Systems
Brandeis University

>>> flynngn () JMU EDU 01/11 3:30 PM >>>

Anyone be willing to comment on experiences with Cisco Security Agent or other Host Intrusion Prevention software?

I'd like to put it on things like domain controllers, authentication servers, management servers, and high value, internet facing servers. Of course, reliability is a significant concern with those applications.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security