Using Management Center for Cisco Security Agents 5.2
Available Rule Types
Download this chapter
Available Rule TypesAvailable Rule Types
Download the complete book
Using Management Center for Cisco Security Agents 5.2Using Management Center for Cisco Security Agents 5.2 (PDF - 11 MB)
give_us_feedback

Table Of Contents

Available Rule Types

Overview

Rules Common to Windows and UNIX

Agent Service Control

Agent UI Control

Hiding the agent UI

Application Control

Connection Rate Limit

Data Access Control

File Access Control

Network Access Control

Network Shield Rule

Windows Only Rules

Clipboard Access Control

COM Component Access Control

File Version Control

Kernel Protection

NT Event Log

Registry Access Control

Service Restart

Sniffer and Protocol Detection

System API Control Rule

Replicate Feature

UNIX Only Rules

Buffer Overflow Rule

Network Interface Control

Resource Access Control

Rootkit / kernel Protection

Syslog Control

General Syslog rule configuration examples


Available Rule Types

Overview

Rule modules contain various types of rules. Each rule type is intended to control a different set of system resources. For example, there is a rule type that controls access to files and directories and another rule type that controls network accesses. It is through the combining of the many available rule types that a rule module provides overall security to the entire system. This chapter provides information on each rule type.

This section contains the following topics.

Rules Common to Windows and UNIX

Agent Service Control

Agent UI Control

Application Control

Connection Rate Limit

Data Access Control

File Access Control

Network Access Control

Network Shield Rule

Windows Only Rules

Clipboard Access Control

COM Component Access Control

File Version Control

Kernel Protection

NT Event Log

Registry Access Control

Service Restart

Sniffer and Protocol Detection

System API Control Rule

UNIX Only Rules

Network Interface Control

Resource Access Control

Rootkit / kernel Protection

Syslog Control

Rules Common to Windows and UNIX

The following rule types are available for both Windows and UNIX policies.

Agent Service Control

Use the Agent service control rule to control whether administrators are allowed to stop agent security (This is via a net stop command on Windows or via /etc/init.d/ciscosec stop on UNIX. See Chapter 12, "Using Management Center for Cisco Security Agents Utilities," for details) and whether end users can disable security via the agent UI security slide bar. Stopping agent security disables all rules until security is manually resumed or the system is rebooted.

If you use this rule to deny agent service stops, the agent service cannot be stopped on the system in question and therefore agents cannot be uninstalled.

Note Although agents cannot be uninstalled by administrative users if this rule denies the stopping of the agent service, this rule does not prevent agent software updates from occurring.

You can also use this rule to monitor, terminate, or tag a process that attempts to modify the agent configuration.

These instructions are a continuation of Configuring Rule Modules, page 5-5.

Step 1 To add rules to your module, click the Add rule link at the bottom of the rule list. A pop-up list of the available rule types appears.

Step 2 Select the Agent service control rule. This takes you to the configuration view for this rule type (see Figure 6-1).

Step 3 In the Agent service control rule configuration view, enter the following information:

Description—Enter a description of this rule. This description appears in the list view for the module. Optionally, expand the +Detailed field to enter a longer description.

Enabled—Use this checkbox to enable this rule within the module. (It is enabled by default.) By not selecting this checkbox, you can save this rule, but it will not be active in the module and it will not be distributed to groups.

Step 4 Take the following action—(Note that not all action types are available for this rule on Windows platforms.) Select an action type from the pulldown list. For further details on rule action types, see Rules: Action Options and Precedence, page 5-38.

Step 5 and

Log—Enable this checkbox to turn logging on for this rule. Generally, you will want to turn logging on for all deny rules. This means that the denied system action in question is logged and sent to the server at regular time intervals.

Take precedence over other <action type> rules—Enable this checkbox to manipulate rule precedence so that this rule is evaluated before other similar rules. You should generally NOT require this checkbox. Do not use it without understanding how it works. See Rules: Manipulating Precedence, page 5-42 for details.

Step 6 when

Applications in any of the following selected classes

Select one or more preconfigured application classes.
Note that the entry, <All Applications>, is selected by default. You can use this default or you can unselect it and create your own application classes. For application class configuration details, see Chapter 8, "Using Application Classes".

Note On UNIX systems, anyone with root access can stop the agent service. To prevent this, while still allowing administrators to stop the agent service, you would configure an Agent service control rule to Deny <All Applications> from stopping the service. Then configure another Agent service control rule which Allows only a UNIX Secured Management application class to stop the service.

But not in the following class—Optionally, select application classes here to exclude from the application class(es) you've selected in the included applications field. Note that the entry <None> is selected by default.

attempt to disable agent security

This checkbox controls whether users with administrator privileges can stop the agent service from the Service Control Manager or by running net stop "Cisco Security Agent" from a command prompt on Windows or via /etc/init.d/ciscosec stop on UNIX.

Note This also controls whether the "Off" setting on the agent security level slidebar allows the end user to turn agent security off. If you do not allow the stopping of the agent service, the Off level, if available, is ineffective. See Agent UI Control for more information.

attempt to modify local agent configuration

The Cisco Security Agent has built-in global security policies which protect agent binaries and data. (Note that this protection is only offered when the agent service is running and is not stopped or in Test Mode.) While you cannot turn these non-logged, built-in rules off while the agent is active, you can use this rule to monitor, terminate, or tag a process that attempts to modify the agent configuration.

Step 7 Click the Save button.

Figure 6-1 Agent Service Control Rule (Windows)

Agent UI Control

Note This rule only applies to Windows and Linux platforms. The agent UI is not supported on Solaris systems.
Also note that Test Mode does not apply to this rule type.

Use the Agent UI rule to control how the agent user interface is displayed to end users. See Figure 6-2. In the absence of this rule, end users have no visible agent UI. If this rule is present in a module, you can select to display the agent UI and one or more controls to the end user. These controls give the user the ability to change certain aspects of their agent security. Optional controls are as follows:

Allow user to reset agent UI default settings—On Windows, this is available from the Start>Programs>Cisco Systems menu. On Linux, this is available from System Menu>Cisco Security Agent. By selecting this option, users can reset agent UI functionality to the original factory default settings All user set controls are lost and all persistent query responses are removed. This is useful on Windows platforms where different users with varying user agent permission settings may log into the same machine.

Allow user interaction—Selecting this checkbox causes the end user to have a visible and accessible agent UI, including a red flag in the system tray. With no other subsequent checkboxes selected, the agent UI contains a status view, a messages page to view agent events, and the ability to clear persistent and temporary query user responses. (If this rule is present in a module, but this checkbox is not selected, the end user will have no visible agent UI. In the presence of two or more Agent UI control rules, these rules are combined and selected checkboxes take precedence over unselected checkboxes.)

Add one or more additional controls as follows:

Allow user access to agent configuration and contact information: Selecting this checkbox allows the end user to enter Contact information into the agent UI. They also have access to a Poll button which allows them to force a manual polling of the MC.

Allow user to modify agent security settings: Selecting this checkbox provides the end user with the ability to alter their security level by moving a slidebar between Off, Low, Medium, and High (in accordance with policies) and to manage the classification of untrusted content.

This checkbox provides an Off control on the agent UI. This Off control works in combination with the Agent service control rule (see Agent Service Control). You must both provide this slidebar to the end user and have an Agent service control rule in place which allows the agent security to be disabled in order for the Off setting to actually turn security off.

Allowing this action (moving the slidebar to Off) permits all users (including non-administrative users) to disable all rules on the agent until they are re-enabled by the user. (Note that if there is no agent UI present, agent security cannot be turned off.)

Allow user to modify agent personal firewall settings—Selecting this checkbox provides the end user with the ability to dictate which applications are allowed network access. They also gain a file protection capability by which they can enter the names of local files that network applications are not allowed to access on their system. Note that if a user is allowed to configure personal firewall settings, resource access attempts on the system must pass both policy rules and firewall settings. (If you select this checkbox, you are providing the end user with controls that you have limited access to. Firewall queries and other information will not log to the CSA MC event log.)

Hiding the agent UI

Not enabling the Allow user interaction checkbox in this rule has the following effects.

Software updates

There are no effects. Hiding the agent UI and Software updates are independent features. You can provide a software update prompt when an agent UI is not present.

Queries

When there is no agent UI present, there are no query user pop-up boxes displayed. The default is immediately taken on all query user rules and heuristics that are present in the assigned polices. (Note that this does not apply to cases where the end user manually exits the agent UI. Only the administrator controlled agent UI rule can affect query pop-up displays on the end user system.)

Unavailable end user features

No messages to inform user that actions have been denied and why.

No ability to clear cache or re-enable logging.

No fast polling ability.

No end user contact information can be sent to CSA MC.

Hidden agent UI feature notes

If a host belongs to multiple groups with multiple policies, having a visible agent UI setting, if present in any group for which the host is a member, takes precedence over a no user interaction agent UI setting.

Whether or not an end user system is going to have a visible agent UI or a hidden one, the end user (or administrator) must download and install the agent kit on the system. The initial installation of an agent kit cannot be done automatically (unless you have written your own script to do so, see Scripted Agent Installs and Uninstalls, page 3-23).

When there is no agent UI present, there are no query user pop-up boxes displayed. The default is immediately taken on all query user rules and heuristics that are present in the assigned polices.

If an end user system already has an agent UI installed, when you unselect the Allow user interaction checkbox and generate rules, the agent UI disappears when the new rules are downloaded.

Figure 6-2 Agent UI Control Rule

Application Control

Use Application control rules to control what applications can run on designated agent systems. This rule type does not control what application can access what resources as do other access control rules. This rule type can stop selected applications from running on systems. If you deny an application class (in total) in this rule, users cannot use any application in that class.

With this rule, you can also prevent an application from running only if that application was invoked by another application you specify. This way, you could prevent a command prompt from running on a system if it is invoked by an application that has downloaded content from the network.

Note These instructions are a continuation of Configuring Rule Modules, page 5-5.

Step 1 To add rules to your module, click the Add rule link at the bottom of the rule list. A pop-up list of the available rule types appears.

Step 2 Select the Application Control rule. This takes you to the configuration view for this rule type (see Figure 6-3).

Step 3 In the Application control rule configuration view, enter the following information:

Description—Enter a description of this rule. This description appears in the list view for the module. Optionally, expand the +Detailed field to enter a longer description.

Enabled—Use this checkbox to enable this rule within the module. (It is enabled by default.) By not selecting this checkbox, you can save this rule, but it will not be active in the policy and it will not be distributed to groups.

Step 4 Take the following action—Select an action type from the pulldown list. For further details on rule action types, see Rules: Action Options and Precedence, page 5-38.

Note Creating dynamic application classes from the Application control rule is a bit different than creating them from other rule types. Because this rule has two application class fields, you can choose to add the current application to the dynamic class or choose to add the new application that is invoked by the first application to the dynamic class.

Step 5 and

Log—Enable this checkbox to turn logging on for this rule. Generally, you will want to turn logging on for all deny rules. This means that the denied system action in question is logged and sent to the server at regular time intervals.

Take precedence over other <action type> rules—Enable this checkbox to manipulate rule precedence so that this rule is evaluated before other similar rules. You should generally NOT require this checkbox. Do not use it without understanding how it works. See Rules: Manipulating Precedence, page 5-42 for details.

Step 6 when

Current applications in any of the following selected classes—If you want to control an application (allow or deny) running on a system no matter how it is in invoked, allow "All Applications" to remain selected by default. (Then you will select the application you want to control from the second Application class list.)

If you want to control which application(s) can invoke other applications, select one or more preconfigured application classes here to indicate the application that is doing the invoking (such as Network Applications).

(When your rule is configured, currently selected application classes appear at the top of the list. See Configuring Static Application Classes, page 8-8 for configuration details.)

But not in the following class—Optionally, select application classes here to exclude from the application class(es) you've selected in the included applications field. Note that the entry <None> is selected by default.

attempt to run

New applications in any of the following selected classes—If you are controlling which applications can invoke other applications, this second field indicates the application class that you do not want to run when invoked by the application you chose in the top field.

If you selected "All Applications" in the top application field, you cannot select All Applications in this second field. If you did so, all applications would be completely prevented from running on systems if this is a deny rule.

But not in the following class—Optionally, select application classes here to exclude from the application class(es) you've selected in the included applications field. Note that the entry <None> is selected by default.

Note Most dynamic application classes are not available in this second application class inclusion field.

Step 7 When you are finished configuring your Application control rule, click the Save button.

Figure 6-3 Application Control Rule

Connection Rate Limit

Use the connection rate limit rule to control the number of network connections that can be sent or received by applications within a specified time frame. This is useful in preventing attacks aimed at bringing down system services, e.g. denial of service attacks (server connection rating limiting). This is also useful in preventing the propagation of denial of service attacks (client connection rate limiting).

Note Multiple instances of the same application are counted together with respect to this rule. E.g. If a machine has several instances of Apache web server running, all Apache connections are counted together when applying this rule.

Note These instructions are a continuation of Configuring Rule Modules, page 5-5.

Click the Modify rules link at the top of the Rule Module page to go to the Rules page.

Step 1 To add rules to your module, click the Add rule link at the bottom of the rule list. A pop-up list of the available rule types appears.

Step 2 Select the Connection rate limit rule. This takes you to the configuration view for this rule type.

Step 3 Enter the following information for the rule:

Description—Enter a description of this rule.
This description appears in the list view for the module. Optionally, expand the +Detailed field to enter a longer description.

Enabled—Use this checkbox to enable this rule within the module. (It is enabled by default.)
By not selecting this checkbox, you can save this rule, but it will not be active in the module and it will not be distributed to groups.

Log—Use this checkbox to enable logging within the module.

Step 4 Take the following action—Select an action type from the pulldown list. For further details on rule action types, see Rules: Action Options and Precedence, page 5-38. (Note that you cannot configure Query User Connection rate limit rules. Also note that if you select the Set action for marking a host as untrusted, you can only configure the rule for servers and for specific hosts.)

Step 5 When Applications in any of the following selected classes

Select one or more preconfigured application classes here to indicate the application(s) whose connection rate access you want to exercise control over.
Note that the entry, <All Applications>, is selected by default. You can use this default or you can unselect it and create your own application classes. For application class configuration details, see Chapter 8, "Using Application Classes".

But not in the following class—Optionally, selection application classes here to exclude from the application class(es) you've selected in the included applications field. Note that the entry <None> is selected by default.

Note When your rule is configured, currently selected application classes appear at the top of the list.

Step 6 Attempt to act as a—Select server, client, or "client or server"

From the pulldown menu, select server, client, or client or server depending on the direction of the connection you are controlling.
If you are limiting a server's connection limit, select server here. If you are limiting a client connection, select client here.

Step 7 Communicating with—Select specific hosts, different hosts, or all hosts

When the rate limit set here is reached, you can determine whether all subsequent service requests are dropped or only those received or sent by a specific host. If you select a "specific" host, this indicates that the host in question exceeded the rate limit. If you select all hosts, this indicates that the sum total of to and from all hosts exceeds the limit and all hosts are blocked. Selecting the "different" hosts option would be beneficial for controlling outgoing connections. For example, if a system on your network has been infected by a network worm, you could control the worm replication by tracking how many different hosts the infected system is trying to connect to and setting a limit to those connections. If you only tracked all host connections in this case, you may cut the system off from legitimate server access, for example.

Step 8 Using these local interfaces - The default entry here is <all>, indicating all addresses. Generally, you should not have to change this. Note that you cannot enter a "literal" in this field. You must select a preconfigured variable from the Insert Network Interfaces Set link if you want to change the default here.

In this field, you could select the network address(es) for the local system addresses you want to control (i.e. control clients making connections from or control servers making connections to). The addresses or address ranges you enter here can be used to control the host initiating the network connection. For example, you could write a Network access control rule which would only allow laptop users to connect to an internal network database if their connection is coming through a VPN (i.e. machine using an allowed/disallowed address to make a connection, incoming or outgoing). If the connection attempt comes in through an ISP-assigned address that is not part of this rule, it would not be allowed.

Step 9 Over/Under a limit <100> network connections

in <5> minutes

Reasonable values are entered into these fields by default. They define the number of connections that can normally be expected during a time frame from either specific hosts or all hosts.

If you select an action type of "deny" or "terminate", and the limit is exceeded (Over) in this time frame (abnormal amount of connections that could represent an attack of the system), subsequent connection requests are dropped. (The dropped connections can be those received to/from individual "specific" hosts or to/from all hosts. This setting is configured at the bottom of the page.)

If you configure this as an "allow" rule, you are setting a limit Under which the number of connections must remain for the subsequent connections to be explicitly allowed.

Step 10 When you are finished configuring your connection rate limit rule, click the Save button.

Figure 6-4 Connection Rate Limit Rule

Data Access Control

Use data access control rules on Web servers to detect clients making malformed web server requests where such requests could crash or hang the server. A malformed request could also be an attempt by an outside client to retrieve configuration information from the web server or to run exploited code on the server. This rule detects and stops such web server attacks by examining the URI portion of the HTTP request.

An HTTP request consists of:

the request method (a "get" or a "post")

the request URI (Uniform Resource Identifier—This includes the URL and related request parameters and arguments)

the HTTP version (for example, HTTP/1.0)

the HTTP header

The Data access control rule examines patterns in the URI portion of the HTTP request. The pre-configured Data sets (see Data Sets, page 9-7) group patterns to match based upon

functional associations of meta-characters (e.g. "(" and ")")

examples of known classes of attacks

Web server specific exploits

Use the data access control rule to allow or deny specified underlying network data requests for the following web servers and platforms:

Microsoft IIS (Windows platforms, version 4.0 or higher)

Apache (Windows and UNIX platforms, versions 1.3, 2.0)

Caution On Windows platforms, if you install Web server software (IIS or Apache) after you install the Cisco Security Agent on the server system, or if you have installed the Web server in a directory other than the default, you must manually install the Cisco Security Agent data filter in order to use Data access control rules on the system in question.
If your Web server software is already installed (in its default directory) when you install the agent on Windows, the server software is detected by the agent and the data filter capability is automatically installed with the agent.

On Solaris (Apache servers) and Linux (Apache servers), in order to use Data access control rules you must install the data filter manually after you install the Cisco Security Agent. Unlike Windows, the Solaris and Linux installations do not detect Web server software and do not install the data filter with the agent. You must always manually install it.
See Manual Agent Data Filter Installation, page 12-12 for instructions.

Note These instructions are a continuation of Configuring Rule Modules, page 5-5.

Click the Modify rules link at the top of the Rule Module page to go to the Rules page.

Step 1 To add rules to your module, click the Add rule link at the bottom of the rule list. A pop-up list of the available rule types appears.

Step 2 Select the Data access control rule. This takes you to the configuration view for this rule type.

Step 3 Enter the following information for the rule:

Description—Enter a description of this rule.
This description appears in the list view for the module. Optionally, expand the +Detailed field to enter a longer description.

Enabled—Use this checkbox to enable this rule within the module. (It is enabled by default.)
By not selecting this checkbox, you can save this rule, but it will not be active in the module and it will not be distributed to groups.

Step 4 Take the following action—Select an action type from the pulldown list.
For further details on rule action types, see Rules: Action Options and Precedence, page 5-38.

Step 5 and

Log—Enable this checkbox to turn logging on for this rule. Generally, you will want to turn logging on for all deny rules. This means that the denied system action in question is logged and sent to the server at regular time intervals.

Take precedence over other <action type> rules—Enable this checkbox to manipulate policy rule precedence so that this rule is evaluated before other similar rules. You should generally NOT require this checkbox. Do not use it without understanding how it works. See Rules: Manipulating Precedence, page 5-42 for details.

Step 6 When—Applications in any of the following selected classes

Select one or more preconfigured application classes here to indicate the application(s) whose access to the listed data sets you want to exercise control over.
Note that the entry, <All Applications>, is selected by default. You can use this default or you can unselect it and create your own application classes. For application class configuration details, see Chapter 8, "Using Application Classes".

But not in the following class—Optionally, select application classes here to exclude from the application class(es) you've selected in the included applications field. Note that the entry <None> is selected by default.

Note When your rule is configured, currently selected application classes appear at the top of the list.

Step 7 Attempt to access these data sets

Click the Insert Data Set link to enter a pre-configured data set here. When you click this link, a list of the Data Sets you've configured appears here, allowing you to select one or more. Instead of data sets, you can list the literal data strings you want to protect. You can use a wildcard designation.

For information on configuring Data Sets, see page 9-7.

Step 8 When you are finished configuring your Data access control rule, click the Save button.

Note If you specify an application here other than IIS, Apache, or iPlanet, this rule is ignored.

Figure 6-5 Data Access Control Rule

File Access Control

Use file access control rules to allow or deny what operations (read, write) selected applications can perform on files. You should understand that file protection encompasses read/write access. Directory protection encompasses directory deletes, renames, and new directory creation.

Note These instructions are a continuation of Configuring Rule Modules, page 5-5.

Click the Modify rules link at the top of the Policy page to go to the Rules page.

Step 1 To add rules to your module, click the Add rule link at the bottom of the rule list. A pop-up list of the available rule types appears.

Step 2 Select the File access control rule. This takes you to the configuration view for this rule type.

Step 3 Enter the following information for the rule:

Description—Enter a description of this rule.
This description appears in the list view for the module. Optionally, expand the +Detailed field to enter a longer description.

Enabled—Use this checkbox to enable this rule within the module. (It is enabled by default.)
By not selecting this checkbox, you can save this rule, but it will not be active in the module and it will not be distributed to groups.

Step 4 Take the following action—Select an action type from the pulldown list.
For further details on rule action types, see Rules: Action Options and Precedence, page 5-38.

Step 5 and

Log—Enable this checkbox to turn logging on for this rule. Generally, you will want to turn logging on for all deny rules. This means that the denied system action in question is logged and sent to the server at regular time intervals.

Take precedence over other <action type> rules—Enable this checkbox to manipulate rule precedence so that this rule is evaluated before other similar rules. You should generally NOT require this checkbox. Do not use it without understanding how it works. See Rules: Manipulating Precedence, page 5-42 for details.

Step 6 When—Applications in any of the following selected classes

Select one or more preconfigured application classes here to indicate the application(s) whose access to the listed files you want to exercise control over.
Note that the entry, <All Applications>, is selected by default. You can use this default or you can unselect it and create your own application classes. For application class configuration details, see Chapter 8, "Using Application Classes".

But not in the following class—Optionally, select application classes here to exclude from the application class(es) you've selected in the included applications field. Note that the entry <None> is selected by default.

Note When your rule is configured, currently selected application classes appear at the top of the list.

Step 7 Attempt the following operations

Select the operations Read and/or Write you are allowing/denying on the files named in the Files field. For directory protection, the actions you are allowing/denying are Create, Delete, and Rename. Refer to File and Directory protection in Using the Correct Syntax, page 2-35.

Caution Directory protection ignores the file portion of the specified path and only matches the directory portion of the path. If the directory portion is not well specified, the protection will be overly broad. For example, if you select to protect a directory in a deny rule and enter the directory path as follows: **\Program Files\**Outlook.exe, then no directories can be modified under Program Files. That is an overly broad protection to specify and would likely result in system instability. If you choose to protect directories, be sure to get very specific in your path string and understand the resulting behavior.

Step 8 On any of these files

Click the Insert File Set link to enter a pre-configured file set here. When you click this link, a list of the File Sets you've configured appears here, allowing you to select one or more. Instead of file sets, you can list the literal files you want to protect, using the file paths (including wildcards).

For information on entering file path literals here rather than using pre-configured File Sets, see Using the Correct Syntax, page 2-35.

For local system paths, you must specify the disk drive. You can use a wildcard designation. When protecting directory creates, in particular, you should note that directory creation applies to an exact directory path match, but directory write and rename protection applies to all directories explicitly named in a path. If a directory name is completely wildcarded \**\, no protections exist for that particular component of the directory. For example:

Windows: 

*:\Program Files\winnt\* 
or @system\** (this indicates all files below the system directory)

UNIX: 

/etc/passwd


For network machines (Windows only), enter 

\\<machine name>\<share>\<path>\<filename>

For example: *:\Program Files\winnt\* You can enter more than one file path, but each entry must appear on its own line. For File Set configuration details, see page 9-10.

Caution Symbolic Links and Hard Links: For UNIX, if you create a File access control rule to protect a symbolic link, ONLY that symbolic link is protected. The underlying resource, unless also specified, is NOT protected. For example, a File access control rule written for /etc/hosts does not protect /etc/inet/hosts. Similarly, a File access control rule written for /etc/inet/hosts does not protect
/etc/hosts. If you want to protect a symbolic link and its underlying resource, both must be specified in the rule.

Also note that on UNIX systems, if you attempt to create a hard link to an agent-protected file, that action is seen as a write attempt on the file.

Note Use @dynamic in the File set text field to indicate all files that have been quarantined by CSA MC as a result of correlated email worm events, correlated virus scanner log messages, or files that were added manually by the administrator. This list updates automatically (dynamically) as logged quarantined files are received.

To view the files that are added to the dynamically quarantined files list and to manually add files to be quarantined, click the Manage dynamically quarantined files link on the Global Event Correlation page. See Manage Dynamically Quarantined Files and IP Addresses, page 7-8 for more information.

Step 9 When you are finished configuring your File access control rule, click the Save button.

This rule is now part of your new policy. It takes effect when the policy is attached to a group and then downloaded by an agent on the network.

Caution In order to distribute rules to the correct hosts, you must associate policies with groups and then Generate rules. See page 5-35 for instructions.

Figure 6-6 File Access Control Rule

Network Access Control

Use network access control rules to control access to specified network services and network addresses. You can also use this rule type to listen for applications attempting to offer unknown or not sanctioned services.

Note The following instructions are a continuation of Configuring Rule Modules, page 5-5.

Step 1 To add rules to your module, click the Add rule link at the bottom of the rule list. A pop-up list of the available rule types appears.

Step 2 Select the Network Access Control rule. This takes you to the configuration view for this rule type.

Step 3 Enter the following information:

Description—Enter a description of this rule. This description appears in the list view for the module. Optionally, expand the +Detailed field to enter a longer description.

Enabled—Use this checkbox to enable this rule within the module. (It is enabled by default.) By not selecting this checkbox, you can save this rule, but it will not be active in the policy and it will not be distributed to groups.

Step 4 Take the following action—Select an action type from the pulldown list.
For further details on rule action types, see Rules: Action Options and Precedence, page 5-38.

Step 5 and

Log—Enable this checkbox to turn logging on for this rule. Generally, you will want to turn logging on for all deny rules. This means that the denied system action in question is logged and sent to the server at regular time intervals.

Take precedence over other <action type> rules—Enable this checkbox to manipulate rule precedence so that this rule is evaluated before other similar rules. You should generally NOT require this checkbox. Do not use it without understanding how it works. See Rules: Manipulating Precedence, page 5-42 for details.

Step 6 When—Applications in any of the following selected classes

Select one or more preconfigured application classes here to indicate the application(s) whose access to the listed services and addresses you want to exercise control over.
Note that the entry, <All Applications>, is selected by default. You can use this default or you can unselect it and create your own application classes. For application class configuration details, see Chapter 8, "Using Application Classes".

But not in the following class—Optionally, select application classes here to exclude from the application class(es) you've selected in the included applications field. Note that the entry <None> is selected by default.

Step 7 Attempt to act as a—Select server or client or both, or select listener

From the pulldown menu, select server, client, client or server, or listener (see page 31 for more information on the listener option) depending on the direction or type of connection you are controlling or listening for.
If you are limiting a server's contact with clients, select server here and enter the client(s) address in the host addresses field. If you are limiting a client's contact with a server, select client here and enter the server(s) address in the host addresses field.

Step 8 for network services

Enter the literal protocol/port number combination for the service you want to control access to or click the Insert Network Service link to enter a pre-configured network service variable here. When you click this link, a list of the Network Service Variables you've configured appears here, allowing you to select one or more.
This field refers to either a server providing this service or a client accessing this service. For Network Service configuration details, see page 9-18.

Step 9 Communicating with host addresses

Enter the literal network address(es) for the client/servers you want to control access to or click the Insert Network Address Set link to enter a pre-configured network address set variable here.
If you select server in the previous pulldown list, you enter client addresses here. If you select client in the previous pulldown list, you enter server addresses here. Note that you can use Network Address Set variables.

You also can use the following "short hand" entry in Network Address Sets and in Network Access Control rules to indicate all local addresses on the agent system in question. The @symbol must appear at the start of the short hand name.

Use @local to indicate all local addresses on the agent system. You would want to use this if you are allowing different applications on a single system to talk to each other without opening these applications up to network access.

Refer to Using the Correct Syntax, page 2-35 for more valid @ entries that can be used in this rule type.

Step 10 Using these local interfaces

Step 11 The default entry here is <all>, indicating all addresses. Generally, you should not have to change this. Note that you cannot enter a "literal" in this field. You must select a preconfigured variable from the Insert Network Interfaces Set link if you want to change the default here.

In this field, you could select the network address(es) for the local system addresses you want to control (i.e. control clients making connections from or control servers making connections to). The addresses or address ranges you enter here can be used to control the host initiating the network connection. For example, you could write a Network access control rule which would only allow laptop users to connect to an internal network database if their connection is coming through a VPN (i.e. machine using an allowed/disallowed address to make a connection, incoming or outgoing). If the connection attempt comes in through an ISP-assigned address that is not part of this rule, it would not be allowed.

You could also use this field to impose a restriction that only trusted addresses can read an internal server. If the connection is received from an internal system or via a VPN from a fixed, trusted address, it is allowed.

Use @dynamic in the Addresses set field to indicate untrusted hosts that have been quarantined by CSA MC. Addresses are added to this list when they are seen as an untrusted host. (The built-in "Processes Communicating with Untrusted Hosts" is triggered in a rule.) This list updates automatically (dynamically) as logged quarantined addresses are received.

Step 12 When you are finished configuring your Network access control rule, click the Save button.

This rule is now part of your rule module. It takes effect when the policy is attached to a group and then downloaded by an agent on the network. You should note that new rules only apply to new connections. See Preserving Application Process Classes, page 8-8 for details.

Caution In order to distribute rules to the correct hosts, you must associate policies with groups and then Generate rules. See page 5-35 for instructions.

Note No network access control rule denial events are logged for any UDP port resulting from multicast packet signals. (If a collection of hosts have the same network access control rule and a broadcast such as UDP/138 were denied, then event messages would inundate CSA MC.)

Note When the system accepts a network connection on behalf on an application, the system requires an immediate answer to allow or deny the connection. Therefore, resource requests which trigger network access control server queries will immediately choose the query default. The user is still queried and the response will be cached for future connections.

What is the "listener" option for?

You can use the listener option in a Network access control rule to indicate what applications have the ability to be a server before they are allowed to accept a server connection. This is in contrast to the "server" option which offers real-time per connection control. The listener option can be used in a monitoring capacity to reveal any applications that are attempting to offer a network service. For example, if a system is already infected with a Trojan, that Trojan may be listening on a high numbered port for a network server connection. A NACL listener rule would detect this occurring before a server connection is achieved. You could then craft a subsequent NACL rule to deny the server connection.

Figure 6-7 Network Access Control Rule

Network Shield Rule

The Network shield rule provides network protocol stack hardening capabilities.

Note The information provided in this manual, in this section especially, assumes a basic knowledge of TCP/IP. A good source for further reading on the topic is the book Internetworking with TCP/IP, Douglas R. Comer and David L. Stevens, Prentice Hall, Inc.

Step 1 In the Network shield rule configuration view, enter the following information:

Description—Enter a description of this rule. This description appears in the list view for the module. Optionally, expand the +Detailed field to enter a longer description.

Enabled—Use this checkbox to enable this rule within the module. (It is enabled by default.) By not selecting this checkbox, you can save this rule, but it will not be active in the module and it will not be distributed to groups.

Step 2 Take the following action—(Note that only Priority Deny, Allow, Deny, Monitor, and Add process action types are available for this rule. You can choose to add the system process to the Processes communicating with Untrusted Hosts application class which causes the remote host IP address to be sent to the MC for global correlation. This may result in the address being added to the @dynamic address list for quarantining. Also see Correlation, page 7-6 for details on quarantining IP addresses.) Select an action type from the pulldown list. For further details on rule action types, see Rules: Action Options and Precedence, page 5-38.

Note Because IP addresses can be spoofed, we don't recommend using this capability for this rule type. It is more applicable for NACL-based rules where you are sure you are communicating with the address. (i.e. an established TCP connection.)

Step 3 and

Log—Enable this checkbox to turn logging on for this rule. Generally, you will want to turn logging on for all deny rules. This means that the denied system action in question is logged and sent to the server at regular time intervals.

Take precedence over other <action type> rules—Enable this checkbox to manipulate rule precedence so that this rule is evaluated before other similar rules. You should generally NOT require this checkbox. Do not use it without understanding how it works. See Rules: Manipulating Precedence, page 5-42 for details.

Step 4 when detecting (Select one or more of the checkboxes described here. Please note any address and/or state condition restrictions that are called out beside each check.)

Caution You cannot use network shield rules in rule modules that have user state conditions set. If you attempt to attach a user state to a rule module that contains a network shield rule, you will be notified of a configuration error.

IP Security checks

Invalid IP header

Enabling this feature causes the Cisco Security Agent to perform an integrity check on the IP packet header. This includes performing a consistency check on the IP header, on the length of the IP header, and on the number of bytes in the packet. If you configure this as a Deny rule, the following occurs: if any of these checks fail, the packet is dropped, if an IP checksum fails, the packet is dropped, IP options and IP fragments are validated as well and dropped if they are found to be invalid. (This defeats attacks such as Teardrop, Boink, and Ping of Death.)

Invalid IP address

IP addresses are determined to be invalid for several reasons: if the source address is a multicast address, if the TCP connection is to a broadcast address. You can select this checkbox as part of a Deny rule to protect against these types of attacks.

Source routed packet

This detects IP options which control explicit routing instructions for packets. With IP source routing (an IP header option) the originator of a packet can try to partially or completely control the path through the network to the destination.

Trace route

This detects the mapping of network topology via trace route.

Transport Security checks

Invalid TCP/UDP/ICMP header

This check ensures that transport headers are the proper length and that they are consistent (have enough data in the packet for them to fit). This includes verifying that certain fields have valid values and that certain combinations of TCP flags are legal. This defeats attacks such as a Christmas Tree scan.

TCP SYN floods

SYN flooding is a type of denial of service attack. It occurs when a TCP/IP connection request is received from a return address that is not in use (i.e. a non-existent host for a spoofed address) resulting in a half open connection. An abundance of half open states on a server can prevent legitimate connections from being established. Detecting and preventing SYN floods stops this attack from succeeding.

Servers that are external to your network and not protected by a firewall should be protected against SYN floods. Firewalls generally provide this protection.

Note If you enable the "TCP SYN floods" and the "TCP blind session spoofing attempts" checkboxes, you cannot enter address restrictions into the address field for this rule. You must use all addresses.

TCP blind session spoofing attempts

If you configure this as a Deny rule, this check causes agents to make TCP sequence numbers unpredictable.

A server accepting connections using predictable TCP sequence numbers may be tricked into accepting a connection from a malicious source that is spoofing a trusted host. This prevents that vulnerability.

(This rule type is not available for UNIX policies as the UNIX OS already provides this protection.)

Note If you make any changes to the "TCP blind session spoofing attempts" feature, these changes are not enforced until after the agent system(s) is rebooted.

TCP/UDP port scan

Port scanning is a common method for finding weaknesses at a site by determining what network services are being run. An attacker attempts to connect to port after port on a target system, mapping ports to identify network services and machine type vulnerabilities. Configure this rule to log an event when an attempt is made to scan the system for an open port. Information is also gathered on the number of different source IP addresses perpetrating the scan and it reveals the source. In most cases, you should apply port scan detection to servers and end-user systems in your enterprise.

Configure this rule as a Deny rule to prevent unauthorized port scans, effectively cloaking a system on the network. Denying port scans causes a system to not respond to connectivity tests and to not respond to service requests with connectivity error messages.

A system generally sends out error messages when a remote machine sends a request for a service which is not running on the system. Often, this is how remote machines locate other systems and obtain network information about the system in an attempt to target it for an attack. By not responding, this prevents both UDP and TCP-based port scans of the system and basically hides it on the network.

If you are running an allowed service on a system and you are denying port scans, connection requests to this service are honored and your machine is viewable for the service you're offering.

Note If you select the network scans correlation checkbox in the Global Event Correlation page (see Correlation, page 7-6), when scans are detected and denied across several machines, CSA MC correlates these events and generates an additional event to warn of this correlation. Note that this correlation only occurs when Deny rules are triggered.

ICMP ping message

This check works similar to the TCP/UDP port scan feature, but for ping scans. See the port scan description for information.

ICMP configuration message

If you configure this rule as a Deny, this feature restricts messages which can change the configuration of a machine. For example, a redirect can be used to cause routing tables to be updated.

ICMP information message

Some ICMP messages may be used to gather information about a machine in an attempt to attack it. This data, when obtained, can be used to gather system information which can be used to exploit the system. If you configure this rule as a Deny, this feature restricts messages which report back on system or network configuration.

ICMP covert channel

Configuring this rule as a Deny, causes agents to drop unsolicited echo responses.

The Cisco Security Agent validates that the echo response data matches the echo request data. This way, ping cannot be used as a transport for communications.

Malicious packet

Configuring this rule as a Deny causes agents to block packets which are technically legal but are known exploits against protocol stacks (e.g. UDP packet storm or RF poison).

System Startup Security checks

Unrestricted network connectivity during boot

Configuring this feature as a Deny, prevents non-essential network connections during system startup. This check is automatically disabled when the agent service starts and policies (including those which govern allowed network connections) are enforced. This protects the system from network-based attacks at boot-time before the agent service has started.

(This rule type is not available for UNIX policies.)

Note If you enable the Unrestricted network connectivity during boot checkbox, you cannot enter address restrictions into the address field for this rule. You must use all addresses.

Note You cannot use a rule that has the Unrestricted network connectivity during boot checkbox selected in policies with rule modules that have system and/or user state conditions set.

Step 5 and Communicating with host addresses

Optionally, you can enter specific addresses here for those checkbox features in this rule that support addressing parameters.

Step 6 Using these local interfaces

Step 7 By default, this field indicates all local addresses on the agent system. You would want to use this to identify specific network interfaces, if necessary. Note that you cannot enter a "literal" in this field. You must select a preconfigured variable from the Insert Network Interfaces Set link if you want to change the default here.

Step 8 Click Save when finished.

Figure 6-8 Network Shield Rule

Note Refer to Replicate Feature for details on easily propagating the changes you make to one Network shield rule to other Network shield rules in other policies.

Windows Only Rules

The following rules are only available for Windows Rule Modules.

Clipboard Access Control

Use the clipboard access control rule to dictate which applications can access information that is written to the clipboard. When writing security policies, you may want to protect information from being accessed by other applications or network processes. To fully protect this information, you must consider preventing other applications from accessing protected information that may have been written to the clipboard.

This rule works in the following manner. When a process belonging to an application class specified in a clipboard rule writes to the clipboard, the data is marked as protected. Only processes which also match the specified application classes are allowed to read the data from the clipboard. When a process that does not belong to the application class specified writes to the clipboard, the data is marked as unprotected. Any process is allowed to read from the clipboard then.

For example, if Microsoft Excel (which is part of the Microsoft Office application class) saves data to the clipboard, other Microsoft Office applications will be able to read the clipboard data to allow cut and paste functionality between Office applications. Non-Office applications would be prevented from reading this clipboard data.

These instructions are a continuation of Configuring Rule Modules, page 5-5.

Step 1 To add rules to your module, click the Add rule link at the bottom of the rule list. A pop-up list of the available rule types appears.

Step 2 Select the Clipboard access control rule. This takes you to the configuration view for this rule type. See Figure 6-9.

Step 3 Enter the following information for the rule:

Description—Enter a description of this rule. This description appears in the list view for the module.

Enabled—Use this checkbox to enable this rule within the module. (It is enabled by default.) By not selecting this checkbox, you can save this rule, but it will not be active in the module and it will not be distributed to groups

Step 4 Take the following action: Prevent all other applications from reading clipboard data written by:

Applications in any of the following selected classes—Select one or more preconfigured application classes here to indicate the application(s) whose data you want to exercise control over. Note that the entry <All Applications> is selected by default. You can use this default or you can unselect it and create your own application classes.

When your rule is configured, currently selected application classes appear at the top of the list.

But not in the following class—Optionally, select application classes here to exclude from the application class(es) you've selected in the included applications field. For example, if you only want a subset of applications in the selected application class to apply to this rule (i.e. dynamic or behavioral based tags that may get widely applied via a dynamic application class builder rules) you would use the But not field to select those application exclusions. Note that the entry <None> is selected by default.

Step 5 When you are finished configuring your Clipboard access control rule, click the Save button.

Note If you are using the Clipboard rule to restrict applications from accessing data on the clipboard, the system Print Screen functionality is also automatically disabled.

Figure 6-9 Clipboard Access Control Rule

COM Component Access Control

Use COM component access control rules to allow or deny applications from accessing specified COM components. COM is the Microsoft Component Object Model, the technology that allows objects to interact across process and machine boundaries as easily as within a single process. Each of the Microsoft Office applications (Word, Excel, Powerpoint, etc.)
exposes an "Application" COM component which can be used to create macros or utility scripts. While this is useful functionality, it can be used
maliciously by an inadvertently downloaded Visual Basic script.

An example would be the Mydoom virus, which propagated by using the "Outlook.Application" COM component to send itself to each entry in the local address book. Using the COM component access control rule, you can protect specific COM components. For example, you could create a rule which limits access to Office components (Word.*, Outlook.*, Excel.*, etc.)only to the Office applications themselves. Non-Office applications (such as the Visual Basic scripting engine) would therefore be denied access to these components.

Note CSA MC provides a COM component import utility which installs with each Cisco Security Agent. Running this utility extracts all COM component PROGID's and CLSID's for software running on the system in question. See Using the COM Extract Utility, page 12-11 for information.

These instructions are a continuation of Configuring Rule Modules, page 5-5.

Step 1 To add rules to your module, click the Add rule link at the bottom of the rule list. A pop-up list of the available rule types appears.

Step 2 Select the COM component access control rule. This takes you to the configuration view for this rule type (see Figure 6-14).

Step 3 Enter the following information

Description—Enter a description of this rule.
This description appears in the list view for the module. Optionally, expand the +Detailed field to enter a longer description.

Enabled—Use this checkbox to enable this rule within the module. (It is enabled by default.)
By not selecting this checkbox, you can save this rule, but it will not be active in the policy and it will not be distributed to groups.

Step 4 Take the following action—Select an action type from the pulldown list.
For further details on rule action types, see Rules: Action Options and Precedence, page 5-38.

Step 5 and

Log—Enable this checkbox to turn logging on for this rule. Generally, you will want to turn logging on for all deny rules. This means that the denied system action in question is logged and sent to the server at regular time intervals.

Take precedence over other <action type> rules—Enable this checkbox to manipulate rule precedence so that this rule is evaluated before other similar rules. You should generally NOT require this checkbox. Do not use it without understanding how it works. See Rules: Manipulating Precedence, page 5-42 for details.

Step 6 When—Applications in any of the following selected classes