Table Of Contents
Cisco Partner and Third Party Product Integration
Overview
Cisco IPS Integration Support
Cisco VPN Client Support
Cisco MARS Integration Support
netForensics Integration Support
Cisco Partner and Third Party Product Integration
Overview
The Management Center for Cisco Security Agents provides integration with other third party products. This section provides information on supported third party integration applications.
In most cases, you are referred to the third party documentation for configuration information.
This section contains the following topics.
• Cisco IPS Integration Support
• Cisco MARS Integration Support
• netForensics Integration Support
Cisco IPS Integration Support
You can configure Management Center for Cisco Security Agents to send host posture events and quarantined IP address events to Cisco Intrusion Prevention System 6.0. Refer to the Cisco Intrusion Prevention System 6.0 documentation on Cisco.com (http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html) for configuration details for the IPS side of this integration.
To configure CSA MC to send information to IPS, do the following:
Step 1
Navigate to the CSA MC Events>Status Summary page. Click the No link beside Host history collection enabled in the Network Status section. A new pop-up window appears. Click the Enable button in this window.
Note that this enables host history collection globally for the system. This feature is disabled by default as the MC log file tends to fill quickly when it's turned on.
Step 2
Navigate to Systems>Groups and create a new group (with no hosts) to use in conjunction with the administrator account you will create next.
Step 3
Create a new CSA MC Administrator account to provide IPS access to the MC system. Navigate to Maintenance>Administrators>Account Management. Create a new account with the role of Monitor. This maintains the security of the MC by not allowing this new account to have Configure privileges.
Note the username and password given to this administrator account as you will need them when you configure IPS.
Step 4
Navigate to Maintenance>Administrators>Access Control to further limit this administrator account. In the Access Control window, select the administrator you created previously and select the group you created previously. When you save this configuration, you have further limited the MC access of this new administrator account. Again, the purpose is to maintain security on CSA MC.
That is all the configuration needed for the CSA MC side of this integration.
Cisco VPN Client Support
The Cisco Security Agent is a supported configuration for the "Are You There?" feature of the Cisco VPN Client, Release 4.0. For configuration details, please refer to Chapter 1 of the Cisco VPN Client Administrator Guide, in the section entitled "Configuring VPN Client Firewall Policy -- Windows Only."
Cisco MARS Integration Support
MARS is a Security Information Management (SIM) appliance. It delivers a range of information about your networks' health as seen through the "eyes" and "ears" of the reporting devices, sessionizes them across different devices, fires default rules for incidents, determines false positives, and delivers consolidated information through diagrams, charts, queries, reports and rules.
To integrate events generated by the Cisco Security Agent with the MARS appliance, refer to Chapter 3 of your MARS User Guide documentation.
netForensics Integration Support
netForensics is a Security Information Management application that can receive security events from multiple devices. This gives the administrator the convenience of having a single point from which to manage events from heterogeneous sources. netForensics presents the information in a real-time, web-based console so that these events can be managed across the network.
To integrate events generated by the Cisco Security Agent with the netForensics application, refer to your netForensics documentation.