Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Cisco Security Agent and Mydoom Worm with Matt McConnon. Matt is a Cisco Security Agent Specialist. Matt works in the VSEC BU and assists the field with the Cisco Security Agent. Matt is a CISSP and is currently working towards a CCNA. Remember to use the rating system to let Matt know if you've received an adequate response.
Matt might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 27. Visit this forum often to view responses to your questions and the questions of other community members.
The standard PIX study guide does not go in depth regarding creation of complex ACLs that would relate to specific packet types, like worms and viruses, meaning detailed signatures of the packet.
Is it possible to do such things with PIX? How would I go about doing it? Literature, white papers, etc?
Weber State University
This is not my area of expertise. Please post this question again on the PIX Firewalls discussion forum.
I would say you could only set the Pix to block the various ports on which the virus or worm operates. The firewall does not monitor to the extent of an IDS or content filtering device. Also bearing in mind that you sometimes need some of those ports for daily operation. In that case you should use a router to rate-limit and NBAR to classify packets. If you have the luxury of Intrusion detection you can have it reset or alarm if certain signatures appear on your network, then take the necessary action. Host IDS on your key servers is also very healthy!
James R. Yeo
Is it possible for my CSA to be monitored by 2 VMS servers, e.g. one in the main Network Operation Center and another one in my Disaster Recovery Center (DRC)?
This is to provide redundancy in case the primary VMS server is down.
It is not possible to have CS Agents monitored by 2 VMS servers at the same time due to certificate requirements. You can back up your CSA MC using the 'Backup Configuration' feature under the 'Maintenance' drop-down menu. This allows you to back up the database, certificates and licenses onto a machine of your choice. If you would like to see detailed instructions please email me at: firstname.lastname@example.org.
What is the recommended solution to block the MyDoom virus using the PIX 525 Firewall. Currently, an access list entry blocking TCP port 3127 has been applied, but is this sufficient?
Links to recommended white papers and reading material relating to this issue and the general blocking of viruses would be appreciated.
Your question about the PIX 525 should be posted to the PIX Firewalls discussion forum.
The following link has a nice analysis of the Mydoom B variant which you may find helpful:
I recommend researching the Cisco Security Agent for the general blocking of viruses from:
How did Cisco Security Agent provide protection against Mydoom without having to update default security policies?
Cisco Security Agent does NOT rely on signature files to stop attacks. Instead, CSA ships with security policies that stop behavior exhibited by Trojan Horses, Worms, and other malicious programs. With this approach, Cisco Security Agent is able to prevent damage from new and unknown attacks on DAY ZERO.
Cisco Security Agent provided protection against Mydoom and the Mydoom-B variant at various levels. Specifically, CSA was able to do the following for the original Mydoom Worm:
1. Prevented Mydoom from creating a startup registry key
2. Detected and stopped Mydoom from reading downloaded content and establishing an SMTP connection
3. Detected and stopped Mydoom from editing/creating the shigmapi.dll and taskmon.exe in the system32 directory
The Cisco Security Agent default security policies provide protection at multiple layers and effectively prevented damage and propagation. As with many other high profile Worms and Trojan Horses, including Blaster, Slammer, Nimda, & Sobig (to name a few), CSA provided protection when Mydoom was first released into the wild.
Just a real world ditto here. CSA stopped Mydoom dead in its tracks. I had 2 users out in the field with laptops. They were working off-line and did not receive the anti-virus definition updates when they came out. Mydoom tried to attack their systems once they came on-line but CSA stopped it cold. I was/am using the default settings for the agent and have not had any problems. I am tuning the policies for tighter access control but this thing works pretty darn good out of the box.
P.S. I am not an employee of Cisco or any of its affiliates nor have I been paid to make this statement. I'm not a doctor...but I play one on TV. Offer void where prohibited. Kids please get your parents' permission before calling.
I'm just a simple end user trying to share some experiences.
How does CSA provide protection without signatures? You mention behavioral policies- how does CSA provide behavioral protection?
Cisco Security Agent intercepts a variety of system calls with interceptors that are built into our agent's architecture. CS Agents are intercepting file system calls, registry system calls, COM Object system calls, network system calls, and a variety of other calls as well. Our default security policies are made up of many behavioral rules that utilize this architecture. Our default security policies provide protection for all of your applications and your operating system by eliminating avenues of attack. For example, we will detect and stop applications from trapping keystrokes. We therefore eliminate the possibility of a known (or, more importantly, a new or unknown) Trojan Horse using an application to trap keystrokes and steal passwords or other sensitive information. This is just one of many rules that make up our default security policies. For more information on CSA's behavioral approach please visit:
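As an added illustration of the signature-less, behaviour-based approach described in this answer and in the Mydoom list earlier in the thread (this is example code, not CSA's code and not from any participant): a toy rule engine that evaluates a trace of intercepted calls against behavioural rules for the three behaviours listed (startup key creation, reading downloaded content followed by an SMTP connection, writing an executable into system32). The registry path, Downloads folder, TCP port 25, the `Run` value name and all process names are assumptions or constructed sample data, not taken from the page.

```python
import re
from collections import defaultdict

# Assumed locations (the thread only names the behaviours): Run key, system32, SMTP on TCP 25.
STARTUP_KEY_RE = re.compile(r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SYSTEM32_RE = re.compile(r"^C:\\Windows\\system32\\[^\\]+\.(dll|exe)$", re.I)
DOWNLOAD_RE = re.compile(r"^C:\\Users\\[^\\]+\\Downloads\\", re.I)

def rule_startup_key(ev, hist):
    """Behaviour 1: a process creates a startup (Run) registry key."""
    return ev["call"] == "registry_write" and bool(STARTUP_KEY_RE.match(ev["target"]))

def rule_system32_write(ev, hist):
    """Behaviour 3: a process writes a .dll/.exe into system32."""
    return ev["call"] == "file_write" and bool(SYSTEM32_RE.match(ev["target"]))

def rule_read_then_smtp(ev, hist):
    """Behaviour 2 (sequence rule): the same process read downloaded content, then opens SMTP."""
    port = ev["target"].rsplit(":", 1)[-1]
    return ev["call"] == "net_connect" and port == "25" and "read_download" in hist

RULES = [("startup key creation", rule_startup_key),
         ("executable written to system32", rule_system32_write),
         ("downloaded content then SMTP connection", rule_read_then_smtp)]

def evaluate(events):
    """Walk a trace of intercepted calls; return (process, rule, target) for each denied call."""
    history = defaultdict(set)   # per-process state used by sequence rules; no hashes consulted
    denies = []
    for ev in events:
        hist = history[ev["process"]]
        if ev["call"] == "file_read" and DOWNLOAD_RE.match(ev["target"]):
            hist.add("read_download")
        for name, pred in RULES:
            if pred(ev, hist):
                denies.append((ev["process"], name, ev["target"]))
                break   # first matching rule blocks the call
    return denies

# Constructed trace: an unknown binary showing the three behaviours, interleaved with benign activity.
SAMPLE_EVENTS = [
    {"process": "outlook.exe", "call": "net_connect", "target": "mail.example.com:25"},
    {"process": "unknown.exe", "call": "file_write", "target": r"C:\Windows\system32\taskmon.exe"},
    {"process": "unknown.exe", "call": "registry_write", "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon"},
    {"process": "unknown.exe", "call": "file_read", "target": r"C:\Users\alice\Downloads\attachment.zip"},
    {"process": "unknown.exe", "call": "net_connect", "target": "mail.example.com:25"},
    {"process": "notepad.exe", "call": "file_write", "target": r"C:\Users\alice\Documents\notes.txt"},
]
```

Running `evaluate(SAMPLE_EVENTS)` denies only the three calls from `unknown.exe`; the mail client's own SMTP connection and the editor's write are allowed because neither matches a rule.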
What are the chances of getting a new category under the Security forums called "Intrusion Prevention Systems" for products like CSA? It would be nice to have one stop shopping for Q&A.
Cisco Security Agent is complementary to your antivirus solution. Cisco recommends defense in depth for your networks and combining AV signatures with Cisco's best-of-breed behavioral solution (CSA) is the best practice.