
ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Cisco Security Agent and Mydoom Worm with Matt McConnon. Matt is a Cisco Security Agent Specialist. Matt works in the VSEC BU and assists the field with the Cisco Security Agent. Matt is a CISSP and is currently working towards a CCNA. Remember to use the rating system to let Matt know if you’ve received an adequate response.

Matt might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 27. Visit this forum often to view responses to your questions and the questions of other community members.

19 REPLIES
New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

The standard PIX study guide does not go in depth regarding creation of complex ACLs that would relate to specific packet types, like worms and viruses, meaning detailed signatures of the packet.

Is it possible to do such things with PIX? How would I go about doing it? Literature, white papers, etc?

Thanks,

Senad P.

Network Specialist

Weber State University

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Hi Senad,

This is not my area of expertise. Please post this question again on the PIX Firewalls discussion forum.

Thanks,

Matt

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

I would say you could only set the Pix to block the various ports on which the virus or worm operates. The firewall does not monitor to the extent of an IDS or content filtering device. Also bear in mind that you sometimes need some of those ports for daily operation. In that case you should use a router to rate-limit and NBAR to classify packets. If you have the luxury of Intrusion detection you can have it reset or alarm if certain signatures appear on your network, then take the necessary action. Host IDS on your key servers is also very healthy!

Kind regards

James R. Yeo

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Hi Matt,

Is it possible for my CSA to be monitored by 2 VMS servers, e.g. one in the main Network Operation Center and another one in my Disaster Recovery Center (DRC)?

This is to provide redundancy in case the primary VMS server is down.

Thanks.

Regards,

AK

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Mr. Kiprawih,

It is not possible to have CS Agents monitored by 2 VMS servers at the same time due to certificate requirements. You can back up your CSA MC using the 'Backup Configuration' feature under the 'Maintenance' drop-down menu. This allows you to back up the database, certificates and licenses onto a machine of your choice. If you would like to see detailed instructions please email me at: mmcconno@cisco.com.

Matt

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

What is the recommended solution to block the MyDoom virus using the PIX 525 Firewall? Currently, an access list entry blocking TCP port 3127 has been applied, but is this sufficient?

Links to recommended white papers and reading material relating to this issue and the general blocking of viruses would be appreciated.

Thanks

Ian-Keith

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Hi Ian,

Your question about the PIX 525 should be posted to the PIX Firewalls discussion forum.

The following link has a nice analysis of the Mydoom B variant which you may find helpful:

http://isc.sans.org/presentations/MyDoom_B_Analysis.pdf

I recommend researching the Cisco Security Agent for the general blocking of viruses from:

http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html

Thanks,

Matt

Silver

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Matt,

How did Cisco Security Agent provide protection against Mydoom without having to update default security policies?

Thanks

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Thomas,

Cisco Security Agent does NOT rely on signature files to stop attacks. Instead, CSA ships with security policies that stop behavior exhibited by Trojan Horses, Worms, and other malicious programs. With this approach, Cisco Security Agent is able to prevent damage from new and unknown attacks on ‘DAY ZERO.’

Cisco Security Agent provided protection against Mydoom and the Mydoom-B variant at various levels. Specifically, CSA was able to do the following for the original Mydoom Worm:

1. Prevented Mydoom from creating a startup registry key

2. Detected and stopped Mydoom from reading downloaded content and establishing an SMTP connection

3. Detected and stopped Mydoom from editing/creating the shigmapi.dll and taskmon.exe in the system32 directory

The Cisco Security Agent default security policies provide protection at multiple layers and effectively prevented damage and propagation. As with many other high profile Worms and Trojan Horses, including Blaster, Slammer, Nimda, & Sobig (to name a few), CSA provided protection when Mydoom was first released into the wild.

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Just a real world ditto here. CSA stopped Mydoom dead in its tracks. I had 2 users out in the field with laptops. They were working off-line and did not receive the anti-virus definition updates when they came out. Mydoom tried to attack their systems once they came on-line but CSA stopped it cold. I was/am using the default settings for the agent and have not had any problems. I am tuning the policies for tighter access control but this thing works pretty darn good out of the box.

P.S. I am not an employee of Cisco or any of its affiliates nor have I been paid to make this statement. I'm not a doctor...but I play one on TV. Offer void where prohibited. Kids please get your parents' permission before calling.

I'm just a simple end user trying to share some experiences.

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

How does CSA provide protection without signatures? You mention behavioral policies- how does CSA provide behavioral protection?

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Cisco Security Agent intercepts a variety of system calls with interceptors that are built into our agent’s architecture. CS Agents are intercepting file system calls, registry system calls, COM Object system calls, network system calls, and a variety of other calls as well. Our default security policies are made up of many behavioral rules that utilize this architecture. Our default security policies provide protection for all of your applications and your operating system by eliminating avenues of attack. For example, we will detect and stop applications from ‘trapping’ keystrokes. We therefore eliminate the possibility of a known (or more importantly a new or unknown) Trojan Horse using an application to trap keystrokes and steal passwords or other sensitive information. This is just one of many rules that make up our default security policies. For more information on CSA’s behavioral approach please visit:

http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html
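To illustrate the behavioral, signature-free approach described in the two replies above (the three Mydoom behaviors CSA blocked, and the keystroke-trapping rule), here is a toy policy engine written for this thread; it is not Cisco code, and the paths, registry key, process names and call trace are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed Windows paths and keys used by the rules (lower-case for comparison).
SYSTEM32 = "c:\\windows\\system32\\"
RUN_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run"
DOWNLOAD_DIRS = ("c:\\users\\me\\downloads\\", "c:\\temp\\")
MAIL_CLIENTS = {"outlook.exe"}  # assumed: the only process allowed to speak SMTP
Event = Dict[str, object]  # one intercepted call: proc, op, target, optional port

@dataclass
class PolicyEngine:
    """Behavioral rules over intercepted calls; no signatures involved."""
    read_downloads: Set[str] = field(default_factory=set)  # state for rule 2

    def evaluate(self, e: Event) -> Tuple[str, Optional[str]]:
        proc, op = str(e["proc"]), str(e["op"])
        target = str(e.get("target", "")).lower()
        if op == "file_read" and target.startswith(DOWNLOAD_DIRS):
            self.read_downloads.add(proc)  # remembered, but allowed on its own
        # 1. creating a startup (Run) registry key
        if op == "registry_set" and target.startswith(RUN_KEY):
            return "deny", "startup-registry-key"
        # 2. reading downloaded content, then opening an SMTP connection
        if (op == "net_connect" and e.get("port") == 25
                and proc in self.read_downloads and proc not in MAIL_CLIENTS):
            return "deny", "smtp-after-reading-download"
        # 3. creating or editing executables/DLLs under system32
        if (op == "file_write" and target.startswith(SYSTEM32)
                and target.endswith((".exe", ".dll"))):
            return "deny", "write-system32-binary"
        # keystroke trapping, the example rule from the reply on interceptors
        if op == "set_windows_hook" and target == "wh_keyboard_ll":
            return "deny", "keystroke-trap"
        return "allow", None

# Constructed call trace shaped like the three Mydoom behaviors listed above.
EVENTS: List[Event] = [
    {"proc": "unknown.exe", "op": "file_read", "target": DOWNLOAD_DIRS[0] + "message.zip"},
    {"proc": "unknown.exe", "op": "registry_set", "target": RUN_KEY + "\\taskmon"},
    {"proc": "unknown.exe", "op": "file_write", "target": SYSTEM32 + "taskmon.exe"},
    {"proc": "unknown.exe", "op": "net_connect", "target": "mx.example.net", "port": 25},
    {"proc": "outlook.exe", "op": "net_connect", "target": "mx.example.net", "port": 25},
    {"proc": "notepad.exe", "op": "file_write", "target": "c:\\users\\me\\notes.txt"},
]

def audit(events: List[Event]) -> List[Tuple[str, str, str, Optional[str]]]:
    engine = PolicyEngine()  # fresh state; returns (proc, op, verdict, rule) per call
    return [(str(e["proc"]), str(e["op"]), *engine.evaluate(e)) for e in events]
```

Running `audit(EVENTS)` denies the three worm-like calls and lets the mail client and the text editor through, which is the point of the replies: the verdict comes from what the process does, not from recognizing the file.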

Bronze

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Hi Matt,

How many Cisco Security Agents can be managed from a single CSA Management Console?

Frank

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Frank,

A single CSA Management Center can be configured to support up to 10,000 CS Agents.

Matt

Blue

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

What are the chances of getting a new category under the Security forums called "Intrusion Prevention Systems" for products like CSA? It would be nice to have one stop shopping for Q&A.

Thanks!

Tom S

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

A bit off topic but I agree. A forum dedicated to CSA and Intrusion Prevention would be nice.

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Tom,

I think this is a great idea. Hopefully this will happen!

Matt

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Hi Matt,

Can Cisco Security Agent be used as a replacement for my Antivirus solution?

Thanks

New Member

Re: ASK THE EXPERT- CISCO SECURITY AGENT AND MYDOOM WORM

Cisco Security Agent is complementary to your antivirus solution. Cisco recommends defense in depth for your networks and combining AV signatures with Cisco's best-of-breed behavioral solution (CSA) is the best practice.
