Educause Security Discussion mailing list archives

Re: Cisco Security Agent and other HIPS


From: Dan Roberts <ddrobert () KENT EDU>
Date: Tue, 23 Jan 2007 12:59:17 -0500

We purchased CSA for use in our datacenter, and are currently running
version 5.0.  I'm impressed with its capabilities, but it's been a long,
difficult implementation.  Many of our problems stemmed from bugs in the
software; there were a lot of them, but the latest patch release seems to
have ironed most of those out.  Your deployment effort will be inversely
proportional to the level of standardization in your environment, but I
suspect that's the same for all available products.  When we were evaluating
products, CSA stood out as the ultimate in flexibility; there are many
knobs and switches you can adjust.  To keep from becoming overwhelmed,
you'll want a solid idea of what you want to accomplish with the product before
you get started.  Download Cisco's 30-day trial; a small deployment runs
well in VMware.

To the other schools who have had success with CSA: did you implement the
Cisco delivered rules and tune them to your liking, or did you build custom
rules from the ground up?

--
Dan Roberts
Office of Security and Compliance
Kent State University


On 1/20/07, John Turner <turner () brandeis edu> wrote:

We have been running CSA for about 3 years now and we have had some good
and less than good experiences with it. We started at V4 (the first
Cisco-branded version) and are now on 5.2.

It works VERY well on servers. It saved us once already from a potentially
disastrous situation.

We have been piloting it on workstations for about 2 years and have had
mixed results. The product was built "correctly" in that it doesn't
compromise on security, however it can become a user nuisance unless you
work to build exceptions for applications you commonly run. If you tightly
control the desktop then it would work as well as it does on servers.

A feature in the system allows you to create profiles and export them as
specific packages. So if you make exceptions for a specific product like
an IM client, you can export that and anyone can take it and import it into
their system. The format is XML, so it could be tweaked even before putting
it in. I was really hoping that there would be an exchange where people
could trade, or Cisco could post, profiles for new exceptions.  But that
hasn't happened yet.

My guess is that to do it right you would need about 0.25 FTE devoted to
this.

We are working with the CSA product managers, who happen to be based down
the road, to make the product better for the higher education market.

John
---
John W. Turner
Director for Networks and Systems
Brandeis University

>>> flynngn () JMU EDU 01/11 3:30 PM >>>
Anyone willing to comment on experiences with Cisco Security
Agent or other Host Intrusion Prevention software?

I'd like to put it on things like domain controllers, authentication
servers, management servers, and high value, internet facing servers.

Of course, reliability is a significant concern with those
applications.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
