Community Member

CSA Poison Pill

I have to create a Poison Pill where CSA can essentially disable a system to the point that it is unusable and not recoverable.

I know there are several rules that can possibly do this by themselves, but I was wondering what would be the most effective where the system would have to be re-imaged in order to make it usable again.

I am running V5.0.0.229 agent on XP images.

I was thinking of not allowing services.exe to run anything.

What would you recommend?

Thank you,

4 REPLIES
Blue

Re: CSA Poison Pill

There may be a way to do this with less drastic measures but first, a couple of questions:

How would CSA enforce security if CSA was unable to run?

Do you prevent booting into safe mode?

Tom

Community Member

Re: CSA Poison Pill

Well... that is a good question...

I was about to try that on a laptop just to see what happens... But as you pointed out, if the service can't start CSA... then CSA couldn't apply the rules...

But then again... would the system start CSA but stop everything else from starting after CSA started once the rules are applied?

Anyway, the answer to your second question: Booting into safe mode has not been disabled.

Which brings me back to my question: What would be the most effective method to disable a system?

Or does booting into safe mode allow bypassing all of the CSA rules?

Blue

Re: CSA Poison Pill

I guess you should determine why you are doing this before you choose a what and how.

If you simply want to disable a system to protect other systems, the network quarantine feature should work.

If you want to make it so a system that triggers certain rules should be disabled so that no changes can be made to it, there are ways to do that too.

You would still be able to return the system to a functioning state from the MC without reimaging it.

CSA needs the system functioning in order to be effective at enforcing rules.

Booting into safe mode will bypass CSA but there are ways to disable that as well.

Tom

Community Member

Re: CSA Poison Pill

Hi Dk,

Create a group that doesn't allow any communication. CSA has a firewall built in.

Have the group priority deny any connection. Also play with the priority terminate.

What is the reason for this group?
