Eastern Illinois University - Charleston, IL
 


 

Cisco Security Agent (CSA)
 

Cisco Security Agent (CSA) is a software application used by Information Technology Services to protect networked servers and desktop computers at Eastern Illinois University from viruses and harmful downloads. A product of Cisco Systems, the company whose network electronics power the university’s new campus intranet, CSA identifies and prevents malicious behavior before it can occur, mitigating both known and unknown security risks. CSA provides intrusion prevention, firewall capabilities and protection against harmful code, and assures operating system integrity for Windows users.

When PC users at Eastern log onto the network, their transmission signatures are analyzed by a package of components tailored specifically for EIU. Called Virus Watchdog, this package determines if their computer is infected by a virus. If a virus is detected, their machine will be isolated from the network for five minutes to prevent a spread of the infection, and they will be directed to a Web site where they can download CSA software, which, along with Norton AntiVirus, will clean their computer and make it virus resistant. If their PC is disinfected, they will be able to access the network again; if the infection remains, the disconnection process will be repeated. CSA can also be downloaded without this prompt and should be installed on every PC and server to prevent virus infections from happening in the first place. CSA can be independently downloaded at http://ddt.eiu.edu.

CSA was installed to protect the new network when the network went on line in August 2004. Some operational problems were encountered initially, but those have since been rectified as the product has been customized successfully for use at Eastern.

CSA acts as an alarm to protect operating system files and kernels by warning PC users when a security threat occurs. For example, in the case of viruses, if an infected file is about to be downloaded to a machine, CSA will warn the user that the download is about to take place, giving him or her the option of aborting the download and preventing the infection. On the other hand, if a legitimate download is about to occur, CSA’s warning can be overridden and the transaction completed.

This early warning is key to CSA’s function and gives users anti-corruption protection beyond that of ordinary anti-virus programs such as Norton AntiVirus. Traditional anti-virus programs protect only against known viruses whose definitions are established; the program must know what to look for. CSA, on the other hand, flags any unknown program, including new, unrecognized viruses, giving users the opportunity to prevent the infection from occurring in the first place.

 
CSA Installation

Computers and servers on which CSA is installed must be virus-free before the installation in order for the product to function properly. Before installation, you should scan your PC with the latest definitions of Norton AntiVirus and install all Windows Updates. Also, since the existence of other firewall products, even the proprietary firewall settings that come with operating systems such as Windows XP, can interfere with CSA, all other firewalls should be deactivated from your PC before CSA is installed.

To install CSA on a PC, go to http://ddt.eiu.edu and click the “CSA” button on the upper left side of the page. CSA is licensed for use on campus computers only; therefore, this download page is not available off campus. (To install CSA on a server, do not download from the DDT page but instead contact Julie Wilson, ITS network specialist coordinator, at 581-7808 or by e-mail at csjaw2@eiu.edu for support.)

A security alert window will appear on your screen. Click the “yes” buttons when prompted to continue the download.

CSA will begin installation.

A Cisco CSA screen will appear, prompting further responses. Continue the download as directed by the prompts.

Before CSA becomes operational, you must restart your PC.

 
CSA Attributes

(The following information comes from the Cisco Systems Web site and ITS.)

CSA:
  • Offers protection against entire classes of attacks, including port scans, buffer overflows, Trojan horses, malformed packets, malicious HTML requests and e-mail worms.
  • Provides protection from known and unknown attacks for Windows platforms.
  • Provides application-specific protection for Web servers and databases.
  • Offers an enterprise-scalable architecture.
  • Provides integrated management with Cisco IDS security devices.
 
CSA Questions and Answers

Q. What are the benefits of CSA?

A. CSA removes potential known and unknown “Day Zero” security risks that threaten enterprise networks and applications. Cisco Security Agent aggregates and extends multiple endpoint security functions by providing host intrusion prevention, distributed firewall capabilities, malicious code protection, operating system integrity assurance and audit log consolidation, all within a single product.

Q. How can CSA help at EIU?

A. By forestalling virus attacks. For example, a signature-based virus patch was not available before the Mydoom virus attack hit the campus network. Even if immediate access to a patch had been available, it would have taken many hours to deploy and by then the damage would have been done. If CSA had been installed on the university’s PCs and servers, Mydoom would not have been able to compromise Eastern’s PCs and overwhelm the network.

Q. Are anti-virus products still needed with CSA?

A. Anti-virus products are excellent for searching out and cleaning existing viruses from the network and are still necessary. Such tools and patches can help fix old problems that would continue to make PCs vulnerable. CSA eliminates the need to rush to test new patches and eases worries about new viruses appearing. With CSA, patching and updating will not end, but the application will provide peace of mind while patching takes place.

Q. CSA and IDS: What’s the difference?

A. Cisco Security Agent is just that – an agent installed on the client that provides what is referred to as HIP (Host Intrusion Protection). HIP means a host is protected from intrusion, whether by virus, worm or other form of malicious attack. When you install CSA on your machine, you are alerted anytime someone or something tries to open or execute your system files. It will also alert you anytime someone or something tries to attach to your machine via a network port. As you are alerted, you are also given the option of allowing this to happen or not. At that point, who or what accesses your machine is in your hands. CSA is just a mechanism that will alert you that suspicious or potentially malicious activity is taking place on your machine. CSA records all detected events in your event viewer so you can go back and reference them during troubleshooting, auditing, etc. These events also are recorded in the CSA management system, which allows network administrators to analyze events on all machines and determine whether the network is under attack, what type of attack it is and ultimately to come up with a solution before the attacker is allowed to bring down the network or your PC.

IDS is a detection system that scans and analyzes the packets flowing on the network and calls attention to those that are suspicious in nature. It then allows network administrators to send technicians to investigate the machine that is transmitting the suspicious traffic. It also allows network administrators to shut off the network port that the machine is connected to and force the user to clean viruses, etc., from the machine prior to letting it back on the network. IDS in no way protects a PC from becoming infected; it only detects the machine on the network after it has become infected.

Q. What is the Cisco Security Agent technology?

A. This technology is a distributed security software solution that helps prevent malicious behavior on servers and desktops ("endpoints"). The technology is composed of the following elements:
• Cisco Security Agents - Core software that resides on endpoints and autonomously enforces local policies that help prevent attacks.
• CiscoWorks Management Center for Cisco Security Agents - Core management software that provides a central means of defining and distributing policies, providing software updates, and maintaining communications to the agents.

Q. What is a Cisco Security Agent policy?

A. Cisco Security Agent policy is a collection of rules assigned to each server and desktop (or groups of servers and desktops). These application-centric access control rules provide safe access to required resources and help prevent malicious behavior. Cisco provides default policies that enterprises can implement or use as models for customized policy development. The agents poll the management console for policy updates.

  Eastern Illinois University :: 600 Lincoln Avenue :: Charleston, IL 61920-3099 :: 217-581-5000