Firewall Wizards mailing list archives
Re: CSA Question
From: "Marcus Gavel (mgavel)" <mgavel () cisco com>
Date: Wed, 22 Aug 2007 12:21:50 -0400
There is no single checkbox to do what you describe. Look at CSA as being able to observe system behavior and set a trigger based on that. Once the trigger is set, deny rules will be applied selectively to the system. Take care with this, as you can apply deny rules that are persistent. Timing them out is tricky. Kristian wrote an internal paper a couple of years ago on how to implement "Port Knocking" using CSA. It has good methodology on how to implement triggers, apply alternate rules and then time out those rules. I'll see if I can get that posted up to the Cisco site. In the meantime, look at the User's Guide for the system states of High/Medium/Low as they apply to Rule Modules and the "Set" action available in the majority of the rule types.

One implementation might be:

Rule Module 1 - (trigger)
- Connection Rate Limit rule - If greater than 500 connections in a minute, set system state = high

Rule Module 2 - (enforce)
- If system state = high, apply rules in this module - All other states and these rules are ignored.
- Rules:
  - NACL (Network Access Control) deny all new TCP/UDP server connections
  - Netshield - drop all incoming ICMP traffic

On the CSAMC, configure an alert to email the admin when the last two rules fire. This will ID the quarantined box.

Marcus Gavel
Cisco Security Agent - QA / Escalation Support

-----Original Message-----
From: Kristian Erik Hermansen [mailto:kristian.hermansen () gmail com]
Sent: Tuesday, August 21, 2007 7:30 PM
To: firewall-wizards () listserv cybertrust com
Cc: Marcus Gavel (mgavel)
Subject: Re: CSA Question

On 8/21/07, Carric Dooley <carric () com2usa com> wrote:
I have been looking thru the Cisco site and I'm wondering if anyone knows if you can configure the CSA to disable network interfaces, for instance if it's attacked, or shut down.
I work on the Cisco Security Agent team, and I do know that there is a "Network Lock" mode, which will disallow all new connections. I believe we also added some new features for disabling wireless devices in a recent release. I am unsure if there is a way to define a rule such as "if rootkit is detected, disable all interfaces". I am cc'ing Marcus Gavel who should be able to get you an answer...

--
Kristian Erik Hermansen

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
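The trigger/enforce/time-out pattern Marcus sketches above (a connection-rate trigger raises the system state, an enforce module applies deny rules only while the state is high, and the state must expire so the denies do not become persistent) is easy to get wrong on the expiry side. The following is an added illustration written for this archive page, not CSA code and not anything from the thread's authors: CSA exposes no Python API, the `Agent`, `Event` and `handle` names are hypothetical, the 500-connections-per-minute threshold is taken from the message, and the 300-second hold time and the event log are constructed for the example.

```python
"""Toy model of a CSA-style trigger/enforce state machine (illustration only).

Rule Module 1 (trigger): more than THRESHOLD new connections inside a sliding
one-minute window sets the system state to "high".
Rule Module 2 (enforce): while the state is "high", new TCP/UDP server
connections are denied and inbound ICMP is dropped; in any other state the
module is ignored.
The state times out HOLD seconds after the trigger last fired, which is the
part Marcus warns is tricky: without it the deny rules stay on for good.
"""
from collections import deque
from dataclasses import dataclass, field

HIGH, LOW = "high", "low"
CONNECTION_KINDS = ("tcp_server", "udp_server", "tcp_client", "udp_client")
SERVER_KINDS = ("tcp_server", "udp_server")


@dataclass
class Event:
    t: float                 # seconds since start (constructed timestamps)
    kind: str                # e.g. "tcp_server", "tcp_client", "icmp_in"
    new_conn: bool = True    # False for traffic that is not a new connection


@dataclass
class Agent:
    threshold: int = 500     # connections per window, from the message
    window: float = 60.0     # one minute
    hold: float = 300.0      # assumed: how long "high" lasts after the last trigger
    state: str = LOW
    high_until: float = float("-inf")
    conn_times: deque = field(default_factory=deque)
    alerts: list = field(default_factory=list)   # what the CSAMC would email

    def _expire(self, ev: Event) -> None:
        # Time the state out; otherwise the denies below are persistent.
        if self.state == HIGH and ev.t >= self.high_until:
            self.state = LOW
            self.alerts.append((ev.t, "system state -> low (timed out)"))

    def _trigger(self, ev: Event) -> None:
        # Rule Module 1: sliding-window connection rate limit.
        if not (ev.new_conn and ev.kind in CONNECTION_KINDS):
            return
        self.conn_times.append(ev.t)
        while self.conn_times and self.conn_times[0] <= ev.t - self.window:
            self.conn_times.popleft()
        if len(self.conn_times) > self.threshold:
            if self.state != HIGH:
                self.alerts.append((ev.t, "system state -> high"))
            self.state = HIGH
            # Every re-trigger refreshes the hold, so a sustained flood
            # keeps the box quarantined; a short burst eventually releases.
            self.high_until = ev.t + self.hold

    def _enforce(self, ev: Event) -> str:
        # Rule Module 2: consulted only while the state is high.
        if self.state != HIGH:
            return "allow"
        if ev.new_conn and ev.kind in SERVER_KINDS:
            self.alerts.append((ev.t, "NACL: deny new server connection"))
            return "deny"
        if ev.kind == "icmp_in":
            self.alerts.append((ev.t, "Netshield: drop inbound ICMP"))
            return "deny"
        return "allow"

    def handle(self, ev: Event) -> str:
        """Process one event and return the "allow"/"deny" decision."""
        self._expire(ev)
        self._trigger(ev)
        return self._enforce(ev)


def demo() -> tuple:
    """Constructed scenario: 600 inbound connections in six seconds, then quiet."""
    agent = Agent()
    burst = [Event(i * 0.01, "tcp_server") for i in range(600)]
    decisions = [agent.handle(e) for e in burst]
    later = [
        agent.handle(Event(100.0, "icmp_in", new_conn=False)),  # still quarantined
        agent.handle(Event(200.0, "tcp_client")),                # clients not denied
        agent.handle(Event(400.0, "tcp_server")),                # hold expired
    ]
    return decisions, later, agent.state, agent.alerts


if __name__ == "__main__":
    decisions, later, state, alerts = demo()
    print(f"burst: {decisions.count('allow')} allowed, {decisions.count('deny')} denied")
    print("later:", later, "final state:", state)
    for t, msg in alerts[:3] + alerts[-2:]:
        print(f"t={t:7.2f}  {msg}")
```

The point the model makes is that the expiry lives on the trigger, not on the deny rules: each rule in the enforce module is stateless and simply asks "is the state still high?", so releasing the quarantine is a single state change rather than a matter of walking back every deny that was applied.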
Current thread:
- Re: CSA Question bobw () avantsystems com (Aug 22)
- Re: CSA Question Kristian Erik Hermansen (Aug 22)
- Re: CSA Question Marcus Gavel (mgavel) (Aug 22)