Re: [fw-wiz] CSA Question

There is no single checkbox to do what you describe.

Look at CSA as being able to observe system behavior and set a trigger
based on that.
Once the trigger is set, deny rules will be applied selectively to the
Take care with this, as you can apply deny rules that are persistent.
Timing them out is tricky.

Kristian wrote an internal paper a couple years ago on how to implement
"Port Knocking" using CSA.
It has good methodology on how to implement triggers, apply alternate
rules and then time out those rules.

I'll see if I can get that posted up to the Cisco site.

In the meantime, look at the User's Guide for the system states of
High/Medium/Low as they apply to Rule Modules and the "Set" action
available in the majority of the rule types.

One implementation might be:
Rule Module 1 - (trigger)
  - Connection Rate limit rule
    - If greater than 500 connections in a minute, set system state = high
Rule Module 2 - (enforce)
  - If system state = high, apply rules in this module
  - In all other states these rules are ignored.
  - Rules:
    - NACL (Network Access Control) deny all new TCP/UDP server connections
    - Netshield - drop all incoming ICMP traffic
On the CSAMC, configure an alert to email the admin when the last
two rules fire. This will ID the quarantined box.

Marcus Gavel
Cisco Security Agent - QA / Escalation Support
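A constructed simulation of the trigger/enforce split described above, added here as an example; it is not CSA code or configuration, and the class, field and rule names are hypothetical. It shows the trigger module counting connections per minute, the enforce module applying its deny rules only while the state is high, and a timeout so the deny rules do not persist.

```python
from collections import deque

# Hypothetical model of the two Rule Modules in the reply: a trigger that
# sets system state = high when the connection rate exceeds a threshold,
# and an enforce module whose deny rules are live only in that state.
RATE_THRESHOLD = 500       # connections per minute that flip state to "high"
WINDOW_SECONDS = 60        # trigger measures connections over one minute
QUARANTINE_SECONDS = 600   # how long "high" persists before it times out


class PolicyEngine:
    def __init__(self):
        self.state = "low"
        self.state_set_at = None
        self.window = deque()   # timestamps of recent connection attempts
        self.alerts = []        # CSAMC-style alerts raised by enforce rules

    def _timeout_state(self, now):
        # Without an explicit expiry the deny rules would stay in force.
        if self.state == "high" and now - self.state_set_at >= QUARANTINE_SECONDS:
            self.state = "low"
            self.state_set_at = None

    def observe_connection(self, now):
        # Rule Module 1 (trigger): connection-rate limit -> set state = high.
        self._timeout_state(now)
        self.window.append(now)
        while self.window and now - self.window[0] >= WINDOW_SECONDS:
            self.window.popleft()
        if len(self.window) > RATE_THRESHOLD and self.state != "high":
            self.state = "high"
            self.state_set_at = now

    def evaluate(self, now, event):
        # Rule Module 2 (enforce): rules apply only while state == high.
        # event is a constructed dict: {"proto": "tcp"|"udp"|"icmp",
        # "direction": "in"|"out"}; inbound TCP/UDP = new server connection.
        self._timeout_state(now)
        if self.state != "high":
            return "allow"
        proto, direction = event["proto"], event["direction"]
        if proto in ("tcp", "udp") and direction == "in":
            self.alerts.append(f"NACL deny new {proto} server connection at t={now}")
            return "deny"
        if proto == "icmp" and direction == "in":
            self.alerts.append(f"Netshield drop incoming icmp at t={now}")
            return "deny"
        return "allow"
```

The alerts list stands in for the CSAMC e-mail alert that identifies the quarantined host; outbound traffic stays allowed, matching the rules listed above.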

-----Original Message-----
From: Kristian Erik Hermansen [mailto:kristian.hermansen@xxxxxxxxx]
Sent: Tuesday, August 21, 2007 7:30 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Cc: Marcus Gavel (mgavel)
Subject: Re: CSA Question

On 8/21/07, Carric Dooley <carric@xxxxxxxxxxx> wrote:
I have been looking thru the Cisco site and I'm wondering if anyone
knows if you can configure the CSA to disable network interfaces, for
instance if it's attacked, or shut down.

I work on the Cisco Security Agent team, and I do know that there is a
"Network Lock" mode, which will disallow all new connections. I believe
we also added some new features for disabling wireless devices in a
recent release. I am unsure if there is a way to define a rule such as
"if rootkit is detected, disable all interfaces". I am cc'ing Marcus
Gavel who should be able to get you an answer...
Kristian Erik Hermansen
firewall-wizards mailing list
