Re: [fw-wiz] CSA Question
- From: "Marcus Gavel \(mgavel\)" <mgavel@xxxxxxxxx>
- Date: Wed, 22 Aug 2007 12:21:50 -0400
There is no single checkbox to do what you describe.
Look at CSA as being able to observe system behavior and set a trigger
based on that.
Once the trigger is set, deny rules will be applied selectively to the
system.
Take care with this, as you can apply deny rule that are persistent.
Timing them out is tricky.
Kristian wrote an internal paper a couple years ago on how to implement
"Port Knocking" using CSA.
It has good methodology on how to implement triggers, apply alternate
rules and then time out those rules.
I'll see if I can get that posted up to the Cisco site.
In the mean time, look at User's guide for the system states of
High/Medium/Low as they apply to Rule Modules and the "Set" action
available in the majority of the rule types.
One implementation might be:
Rule Module 1 - (trigger)
- Connection Rate limit rule
- If greater than 500 connections in a minute, set system
state = high
Rule Module 2 - (enforce)
- If system state = high, apply rules in this module
- All other states and these rules are ignored.
- Rules:
- NACL (Network Access Control) deny all new TCP/UDP
server connections
- Netshield - drop all incoming ICMP traffic
On the CSAMC, configure a alert to email the admin when the last
to rules fire. This will ID the quarantined box.
Marcus Gavel
Cisco Security Agent - QA / Escalation Support
-----Original Message-----
From: Kristian Erik Hermansen [mailto:kristian.hermansen@xxxxxxxxx]
Sent: Tuesday, August 21, 2007 7:30 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Cc: Marcus Gavel (mgavel)
Subject: Re: CSA Question
On 8/21/07, Carric Dooley <carric@xxxxxxxxxxx> wrote:
I have been looking thru the Cisco site and I'm wondering if anyone
knows if you can configure the CSA to disable network interfaces, for
instance if it's attcked, or shut down.
I work on the Cisco Security Agent team, and I do know that there is a
"Network Lock" mode, which will disallow all new connections. I believe
we also added some new features for disabling wireless devices in a
recent release. I am unsure if there is a way to define a rule such as
"if rootkit is detected, disable all interfaces". I am cc'ing Marcus
Gavel who who should be able to get you an answer...
--
Kristian Erik Hermansen
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- References:
- Re: [fw-wiz] CSA Question
- From: Kristian Erik Hermansen
- Re: [fw-wiz] CSA Question
- Prev by Date: Re: [fw-wiz] New to Cisco PIX/ ASA
- Next by Date: Re: [fw-wiz] Cisco ACS alternative
- Previous by thread: Re: [fw-wiz] CSA Question
- Index(es):
Relevant Pages
|
