Educause Security Discussion mailing list archives

Re: Cisco Security Agent and other HIPS


From: John Turner <turner () BRANDEIS EDU>
Date: Sat, 20 Jan 2007 10:19:07 -0500

We have been running CSA for about 3 years now and we have had some good and
less than good experiences with it. We started at V4 (the first Cisco
branded version) and are now on 5.2.

It works VERY well on servers. It saved us once already from a potentially
disastrous situation.

We have been piloting it on workstations for about 2 years and have had
mixed results. The product was built "correctly" in that it doesn't
compromise on security; however, it can become a user nuisance unless you
work to build exceptions for applications you commonly run. If you tightly
control the desktop then it would work as well as it does on servers.

A feature in the system allows you to create profiles and export them as
specific packages. So if you make exceptions for a specific product like an
IM client you can export that and anyone can take it and import it into
their system. The format is XML so it could be tweaked even before putting
it in. I was really hoping that there would be an exchange where people
could trade, or Cisco could post, profiles for new exceptions. But that
hasn't happened yet.

My guess is that to do it right you would need about 0.25 FTE devoted to
this.

We are working with the CSA product managers, who happen to be based down
the road, to make the product better for the higher education market.

John
---
John W. Turner
Director for Networks and Systems
Brandeis University

flynngn () JMU EDU 01/11 3:30 PM >>>
Anyone be willing to comment on experiences with Cisco Security
Agent or other Host Intrusion Prevention software?

I'd like to put it on things like domain controllers, authentication
servers, management servers, and high value, internet facing servers.

Of course, reliability is a significant concern with those
applications.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
