Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Cisco Security Agent and other HIPS
From: Dan Roberts <ddrobert () KENT EDU>
Date: Tue, 23 Jan 2007 12:59:17 -0500

We purchased CSA for use in our datacenter, and are currently running
version 5.0.  I'm impressed with its capabilities, but its been a long
difficult implementation.  Many of our problems stemmed from bugs in the
software.. there were a lot of them, but the latest patch release seems to
have ironed most of those out.  Your deployment effort will be inversely
proportional to the level of standardization in your environment, but I
suspect that's the same for all available products.  When we were evaluating
products, CSA stood out as the ultimate in flexibility.. there are many
knobs and switches you can adjust.  To keep from becoming overwhelmed,
you'll want a solid idea what you want to accomplish with the product before
you get started.  Download Cisco's 30-day trial.. a small deployment runs
well in VMware.

To the other schools who have had success with CSA: did you implement the
Cisco delivered rules and tune them to your liking, or did you build custom
rules from the ground up?

--
Dan Roberts
Office of Security and Compliance
Kent State University


On 1/20/07, John Turner <turner () brandeis edu> wrote:

We have been running CSA for about 3 years now and we have had some good
and
less than good experiences with it. We started at V4 (the first Cisco
branded version) and are now on 5.2.

It works VERY well on servers. It saved us once already from a potentially
disastrous situation.

We have been piloting it on workstations for about 2 years and have had
mixed results. The product was built "correctly" in that it doesn't
compromise on security, however it can become a user nuisance unless you
work to build exceptions for applications you commonly run. If you tightly
control the desktop then it would work as well as it does on servers.

A feature in the system allows you to create profiles and export them as
specific packages. So if you make exceptions for a specific product like
an
IM client you can export that and anyone can take it and import it into
their system. The format is XML so it could be tweaked even before putting
it in. I was really hoping that there would be an exchange where people
could trade, or Cisco could post, profiles for new exceptions.  But that
hasn't happened yet.

My guess is that to do it right you would need about 0.25 FTE devoted to
this.

We are working with the CSA product managers, who happen to be based down
the road, to make the product better for the higher education market.

John
---
John W. Turner
Director for Networks and Systems
Brandeis University
>>> flynngn () JMU EDU 01/11 3:30 PM >>>
Anyone be willing to comment on experiences with Cisco Security
Agent or other Host Intrusion Prevention software?

I'd like to put it on things like domain controllers, authentication
servers, management servers, and high value, internet facing servers.

Of course, reliability is a significant concern with those
applications.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]