Firewall Wizards mailing list archives

Re: CSA Question

From: "Marcus Gavel \(mgavel\)" <mgavel () cisco com>
Date: Wed, 22 Aug 2007 12:21:50 -0400

 
There is no single checkbox to do what you describe. 

Look at CSA as being able to observe system behavior and set a trigger
based on that. 
Once the trigger is set, deny rules will be applied selectively to the
system. 
Take care with this, as you can apply deny rule that are persistent.
Timing them out is tricky. 

Kristian wrote an internal paper a couple years ago on how to implement
"Port Knocking" using CSA.
It has good methodology on how to implement triggers, apply alternate
rules and then time out those rules.

I'll see if I can get that posted up to the Cisco site.

In the mean time, look at User's guide for the system states of
High/Medium/Low as they apply to Rule Modules and the "Set" action
available in the majority of the rule types. 

One implementation might be:
      Rule Module 1 - (trigger)
          - Connection Rate limit rule
            - If greater than 500 connections in a minute, set system
state = high
      Rule Module 2 - (enforce)
          - If system state = high, apply rules in this module
          - All other states and these rules are ignored.
          - Rules:
               - NACL (Network Access Control) deny all new TCP/UDP
server connections
               - Netshield - drop all incoming ICMP traffic
      On the CSAMC, configure a alert to email the admin when the last
to rules fire. This will ID the quarantined box.
      

Marcus Gavel
Cisco Security Agent - QA / Escalation Support 

-----Original Message-----
From: Kristian Erik Hermansen [mailto:kristian.hermansen () gmail com] 
Sent: Tuesday, August 21, 2007 7:30 PM
To: firewall-wizards () listserv cybertrust com
Cc: Marcus Gavel (mgavel)
Subject: Re: CSA Question

On 8/21/07, Carric Dooley <carric () com2usa com> wrote:

I have been looking thru the Cisco site and I'm wondering if anyone 
knows if you can configure the CSA to disable network interfaces, for 
instance if it's attcked, or shut down.


I work on the Cisco Security Agent team, and I do know that there is a
"Network Lock" mode, which will disallow all new connections.  I believe
we also added some new features for disabling wireless devices in a
recent release.  I am unsure if there is a way to define a rule such as
"if rootkit is detected, disable all interfaces".  I am cc'ing Marcus
Gavel who who should be able to get you an answer...
--
Kristian Erik Hermansen
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: CSA Question bobw () avantsystems com (Aug 22)
- <Possible follow-ups>
- Re: CSA Question Kristian Erik Hermansen (Aug 22)
  - Re: CSA Question Marcus Gavel (mgavel) (Aug 22)