Cisco® Security Agent security software provides threat protection for server and desktop computing systems, also known as endpoints. The Cisco Security Agent goes beyond conventional endpoint security solutions by identifying and preventing malicious behavior before it can occur, thereby removing potential known and unknown security risks that threaten enterprise networks and applications. Cisco Security Agent mitigates new and evolving threats without requiring reconfigurations or updates on endpoints, providing robust protection with reduced operational costs.
Network Integrated Features Table
Table 1 lists the network integration features of Cisco Security Agent.
Table 1. Network Integration Features
Intrusion Prevention System Integration
Cisco Security Agent integrates with Cisco network IPS devices to increase the effectiveness of identifying attacks within the network. Cisco Security Agent provides crucial endpoint security information to Cisco IPS 4200 Series appliances and the IPS modules for the Cisco ASA 5500 and the Cisco Catalyst 6500/7600 Series to provide a complete end-to-end security solution.
Trusted Quality of Service (QoS)
Cisco Security Agent provides the capability at the endpoint to apply QoS markings to application network traffic as specified by Cisco Security Agent policy rules. These markings can be used by Cisco IOS devices upstream in the enterprise network to classify the packets and apply QoS service policies such as policing and queuing. Cisco NAC Framework and Cisco Clean Access, NAC Appliance deployments are used to ensure the validity of the QoS markings from hosts that are running Cisco Security Agent. Trusted QoS can improve the delivery of mission-critical traffic when the network is under heavy load.
Network Admission Control (NAC) integration
In a NAC Framework deployment, the integration of Cisco Security Agent with NAC performs a bidirectional information exchange to affect the posture of the endpoint. Cisco Security Agent can perform dynamic policy updates on the endpoint to change the NAC posture. Hosts that are running Cisco Security Agent can be identified and trusted to have full network access. Nonconforming hosts can be quarantined until remediation is performed and they are brought into compliance. This enhances the self-defending nature of the enterprise network by providing mitigation against denial of service (DoS) and malware attacks.
Cisco Security MARS event integration
Cisco Security Agent provides important endpoint information to the Cisco Security Monitoring, Analysis, and Response System (MARS), which enhances the MARS capabilities of threat identification and investigation across the network.
• The ability to aggregate and extend multiple endpoint security functions (intrusion prevention, distributed firewall, malicious mobile code protection, operating system integrity assurance, and audit log consolidation), all within a single agent
• Preventive protection against entire classes of attacks, including port scans, buffer overflows, Trojan horses, malformed packets, malicious HTML requests, and e-mail worms
• Zero update prevention for known and unknown attacks; no emergency patching required
• Industry-leading protection for servers and desktops
• Application-specific protection for Web servers and databases
• An open and extensible architecture that can define and enforce security according to corporate policy
• An enterprise-scalable architecture; up to 100,000 agents per manager
• Integrated solution architecture with Cisco NAC Framework and Cisco Clean Access, NAC Appliance
• Integration with Cisco VPN devices to provide endpoint security for IP security (IPSec) and Secure Sockets Layer (SSL) VPN deployments
Combating New and Unknown Attacks
Figure 1 shows the lifecycle of a network attack.
Figure 1. Network Attack Lifecycle
The Cisco Security Agent Solution
Cisco Security Agent consists of host-based agents, deployed on mission-critical desktops and servers, that report to the Cisco Management Center for Cisco Security Agents. The Management Center runs as a standalone application performing configuration of Cisco Security Agent deployments. The agents use HTTP and 128-bit SSL for the management interface and for communication between agents and the Management Center. Alerts can be integrated with alerts from other Cisco security products via Cisco Security MARS.
Cisco Security Agent resides between the applications and the kernel, enabling maximum application visibility with minimal impact to the stability and performance of the underlying operating system. The software's unique architecture intercepts all operating system calls to file, network, and registry sources, as well as to dynamic run-time resources such as memory pages, shared library modules, and COM objects. The agent applies unique intelligence to correlate the behaviors of these system calls, based on rules that define inappropriate or unacceptable behavior for a specific application or for all applications. This correlation and subsequent understanding of an application's behavior is what allows the software, as directed by the security staff, to prevent new intrusions.
When an application attempts an operation, the Cisco Security Agent checks the operation against the application's security policy, making a real-time allow or deny decision on its continuation and determining if logging the request is appropriate. Security policies are collections of rules that IT and/or security administrators assign to protected servers and desktops individually or across an enterprise. These rules provide safe application access to required resources. By combining security policies implementing distributed firewall, operating system lockdown and integrity assurance, malicious mobile code protection, and audit event collection capabilities in default policies for servers and desktops, Cisco Security Agent provides defense-in-depth protection for exposed corporate systems.
Because protection is based on blocking malicious behavior, the default policies stop both known and unknown attacks without needing updates. Correlation is performed both on the agent and the Management Center console. Agent-based correlation results in dramatically increased accuracy, identifying actual attacks or misuse without blocking legitimate activity; correlation on the Management Center identifies global attacks such as network worms or distributed scans.
The Management Center for Cisco Security Agents provides all management functions for all agents in a centralized manner. Its role-based, Web browser access makes it easy for administrators to create agent software distribution packages, create or modify security policies, monitor alerts, or generate reports. The Management Center ships with more than 20 fully configured default policies, making it easy for administrators to deploy thousands of agents across the enterprise. It also allows customers to deploy agents in "IDS mode", where activity is alerted but not blocked.
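The allow/deny decision, agent-side correlation and "IDS mode" described above can be sketched as follows. This is an added illustration, not Cisco Security Agent code or its rule syntax; the Rule fields, operation names, default-allow and first-match behaviour, and the policy and event stream are all constructed assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Rule:
    app: str            # glob on the application name
    op: str             # intercepted operation type (hypothetical names)
    resource: str       # glob on the target resource
    action: str         # "allow" or "deny"
    requires: str = ""  # op the same app must have performed earlier (correlation)

@dataclass
class Agent:
    rules: list
    ids_mode: bool = False                       # alert on violations but never block
    seen: dict = field(default_factory=dict)     # app -> operations observed so far
    alerts: list = field(default_factory=list)   # cached for upload to the manager

    def check(self, app, op, resource):
        history = self.seen.setdefault(app, set())
        decision = "allow"                       # assumption: no matching rule means allow
        for r in self.rules:                     # assumption: first matching rule wins
            if (fnmatchcase(app, r.app) and op == r.op
                    and fnmatchcase(resource, r.resource)
                    and (not r.requires or r.requires in history)):
                decision = r.action
                break
        history.add(op)                          # remember behaviour for later correlation
        if decision == "deny":
            self.alerts.append((app, op, resource))
            if self.ids_mode:
                return "allow"                   # IDS mode: activity is alerted, not blocked
        return decision

# Constructed policy: an application that has accepted a network connection
# may not afterwards write into the system binary directory.
POLICY = [Rule("*", "file_write", "/usr/bin/*", "deny", requires="net_accept")]

# Constructed event stream (application, operation, resource).
EVENTS = [
    ("rpm", "file_write", "/usr/bin/ls"),                 # no prior network activity
    ("httpd", "file_write", "/var/log/httpd/access_log"),
    ("httpd", "net_accept", "tcp/80"),
    ("httpd", "file_write", "/usr/bin/ls"),               # correlated: denied
]

def replay(ids_mode=False):
    agent = Agent(POLICY, ids_mode=ids_mode)
    return [agent.check(*e) for e in EVENTS], agent.alerts

if __name__ == "__main__":
    print(replay())
    print(replay(ids_mode=True))
```

The same write to `/usr/bin/ls` is allowed for the package manager and denied for the web server only because of what the web server did earlier, which is the point of correlating calls rather than judging each one in isolation.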
The Management Center offers simple but powerful customization capabilities that allow administrators to quickly fit default policies to their environments. Administrators can easily modify rules or create entirely new rules to meet custom needs and requirements. To aid audit compliance requirements, the Explain Rules feature allows the administrator to print out a human-language description of the function of specified rules or policies.
Agents are deployed to servers and desktops directly from the Management Center, and are controlled and updated from this manager. Each agent operates autonomously: if communication with the manager is not possible (for example, if a remote laptop user has not yet connected via the VPN), the agent continues to enforce the security policy. All security alerts are cached by the agent and uploaded to the manager when communication is restored.
Cisco® also offers a suite of analysis reporting tools from the Management Center. The Deployment Analysis feature provides details on the applications that are installed across all agents, as well as information about usage of those applications. The Behavior Analysis feature is a comprehensive data analysis tool for custom or unknown applications and environments. It provides detailed reports of application behavior, allowing customers to understand any application, even extremely complex ones that have been highly customized to an individual customer's environment.
Cisco Security Agent is a core component of a Cisco Self-Defending Network solution. By investing in endpoint and network components that collaborate with each other, customers can enable new critical security services that are not possible with disparate systems.
Trusted QoS is a new security service that allows customers to protect the data flows of mission-critical applications when the network is under heavy load. With Trusted QoS, Cisco Security Agent can identify and classify critical application flows at the endpoint. In collaboration with the network infrastructure, the mission-critical data is given a higher service level as it crosses through the network. This end-to-end application awareness and protection is only possible with an adaptive, collaborative, and integrated solution that incorporates the network and its endpoints.
Table 2 lists product specifications for Cisco Security Agent Version 5.1.
Table 2. Product Specifications
Software compatibility for Cisco Security Server Agents
• Windows 2003 (Standard, Enterprise, Web, or Small Business Editions)
• Windows 2000 Server and Advanced Server
• Windows NT 4.0 Server and Enterprise Server (SP 6a)
• Solaris 8 SPARC architecture (64-bit kernel)
• Solaris 9 SPARC architecture (64-bit kernel)
• Red Hat Enterprise Linux 3.0 ES and AS
Software compatibility for Cisco Security Desktop Agents
• Windows XP Professional
• Windows XP Tablet Edition
• Windows 2000 Professional
• Windows NT 4.0 Workstation (SP 6a)
• Red Hat Enterprise Linux 3.0 WS
Hardware compatibility for Cisco Security Agents (Windows OS minimum requirements)
• 200-MHz x86 processor
• 25 MB hard drive space
• 128 MB RAM
• Ethernet or dialup network connection
Hardware compatibility for Cisco Security Agents (Solaris OS minimum requirements)
• UltraSPARC 400-MHz processor
• 25 MB hard drive space
• 256 MB RAM
• Ethernet network connection
Hardware compatibility for Cisco Security Agents (Linux OS minimum requirements)
• 500-MHz x86 processor
• 25 MB hard drive space
• 256 MB RAM
• Ethernet network connection
Software compatibility for Management Center for Cisco Security Agents
• Windows 2003 R2 Server
Hardware compatibility for Management Center for Cisco Security Agents (minimum requirements)
• 1-GHz x86 processor
• 1 GB RAM
• 2 GB virtual memory
• Support for English (United States) and international (except Arabic and Hebrew) Windows operating systems
• Localized user interface for Windows operating systems running English (United States), Chinese (Simplified), French, German, Italian, Japanese, Korean, and Spanish
• Support for English (United States) Linux and Solaris operating systems only
The Cisco Security Agent solution consists of two main components: Cisco Security Agents (desktop and server agents) and the Management Center. A management center is required to run agents, and agents cannot be licensed to an unlicensed console. The Management Center for Cisco Security Agents is provided in the Cisco Security Agent starter bundle.
Tables 3 and 4 provide Cisco Security Agent product and maintenance part numbers, respectively.
Table 3. Ordering Information for Cisco Security Agents
Cisco Security Agent starter bundle for Version 5.1 (Includes Management Center for Cisco Security Agents, 1 server agent, and 10 desktop agents)
Cisco Security Server Agent (Windows, Linux, and Solaris), 1 agent
Cisco Security Server Agent (Windows, Linux, and Solaris), 10-agent bundle
Cisco Security Server Agent (Windows, Linux, and Solaris), 25-agent bundle
Cisco Security Server Agent (Windows, Linux, and Solaris), 50-agent bundle
Cisco Security Server Agent (Windows, Linux, and Solaris), 100-agent bundle
Cisco Security Server Agent (Windows, Linux, and Solaris), 500-agent bundle
Cisco Security Server Agent (Windows, Linux, and Solaris), 1000-agent bundle
Cisco Security Server Agent (Windows, Linux, and Solaris), 2500-agent bundle
Cisco Security Server Agent (Windows, Linux, and Solaris), 5000-agent bundle
Cisco Security Server Agent (Windows, Linux, and Solaris), 10,000-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 25-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 100-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 250-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 500-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 1000-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 2500-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 5000-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 10,000-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 25,000-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 50,000-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 75,000-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 100,000-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 200,000-agent bundle
Cisco Security Desktop Agent (Windows and Linux), 300,000-agent bundle
Service and Support
Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, see Cisco Technical Support Services or Cisco Advanced Services.
Table 4. Ordering Information for Cisco Security Agent Maintenance
Software Application Support plus Upgrades (SASU) for the Cisco Security Agent starter bundle
SASU for 1 server agent (Windows, Linux, and Solaris)
SASU for 10 server agents (Windows, Linux, and Solaris)
SASU for 25 server agents (Windows, Linux, and Solaris)
SASU for 50 server agents (Windows, Linux, and Solaris)
SASU for 100 server agents (Windows, Linux, and Solaris)
SASU for 250 server agents (Windows, Linux, and Solaris)
SASU for 500 server agents (Windows, Linux, and Solaris)
SASU for 1000 server agents (Windows, Linux, and Solaris)
SASU for 2500 server agents (Windows, Linux, and Solaris)
SASU for 5000 server agents (Windows, Linux, and Solaris)
SASU for 10,000 server agents (Windows, Linux, and Solaris)
SASU for 25-desktop agent bundle (Windows and Linux)
SASU for 100-desktop agent bundle (Windows and Linux)
SASU for 250-desktop agent bundle (Windows and Linux)
SASU for 500-desktop agent bundle (Windows and Linux)
SASU for 1000-desktop agent bundle (Windows and Linux)
SASU for 2500-desktop agent bundle (Windows and Linux)
SASU for 5000-desktop agent bundle (Windows and Linux)
SASU for 10,000-desktop agent bundle (Windows and Linux)
SASU for 25,000-desktop agent bundle (Windows and Linux)
SASU for 50,000-desktop agent bundle (Windows and Linux)
SASU for 75,000-desktop agent bundle (Windows and Linux)
SASU for 100,000-desktop agent bundle (Windows and Linux)
SASU for 200,000-desktop agent bundle (Windows and Linux)
SASU for 300,000-desktop agent bundle (Windows and Linux)