A few months ago I was contacted by several different people, all asking me to evaluate Cisco Security Agent (CSA). In my conversations with them, I became interested enough in CSA to put down "evaluate CSA" on my to-do list.
Soon thereafter my company was attacked by an Internet worm. This worm came in through e-mail and spread quickly, eventually deleting over 12,000 files from a shared file server. The worm was not caught by our antivirus software because we were not as up to date as we should have been with our virus definition file (called a DAT file with McAfee). The McAfee scheduler that retrieved our DAT file was broken, for some reason, and as a result we had to retrieve DAT files manually.
This new worm came out one day after we had just checked for a new file. By the morning after our latest update, we were already getting hit by the new worm. By noon, we were able to update all of our DAT files using McAfee ePolicy Orchestrater and remove all running instances of the worm. By the next morning, we were able to restore all lost files from backup tape. Nonetheless, this Internet worm had inconvenienced a great many users and processing had been slowed on many servers. Plus, there was the loss of productivity that my four-person IT staff suffered while working furiously to cure us of the virus.
Suddenly, "evaluate CSA" rose to the top of my to-do list, and I agreed to meet with a reseller/consulting firm to take a look at it.
Since our original worm attack, we have fixed our McAfee ePolicy Orchestrater scheduler and configured it to download new virus definitions each hour, began blocking files with .zip extensions (that is how the virus came in), and have installed Windows Software Update Services (SUS).)
Background info on CSA
Before the consultant came out, I did some of my own research on CSA. I found that Cisco agreed to purchase Okena, Inc. in January 2003. Okena originally created StormFront, the product that later became the Cisco Security Agent.
CSA is considered to be a host-based intrusion prevention system (HIPS)—not an intrusion detection system. Detection systems just identify intrusions and let you know when it is usually too late to do anything about them. Prevention systems prevent the intrusions from happening and let you know what they prevented. CSA works by using a behavior analysis of operating system calls to detect and stop malicious activities (based on its definitions of those activities).
This is quite unique when you compare it to other firewalls or host-based IDS systems that rely on blocking ports, keeping track of registered applications, or having a database of "attack signatures."
CSA is supposed to protect you from "zero-day" viruses/worms, malicious code, or unauthorized operating system modifications. As you may know, when a new virus or worm is circulated, the antivirus companies must first get a hold of it, create a signature that uniquely identifies that virus, and distribute that signature out to all of their customers. This process usually takes some time and, certainly, some systems will be infected before they can be protected. A product that protects you from "zero-day" infections claims to protect your network without the traditional process mentioned above. It sounds almost too good to be true, doesn’t it? That is what I thought when I first heard about it as well. I was skeptical and wanted to see it work for myself.
I want to take a second to mention that this is not an ad for CSA devices. I am simply providing my research and experience with CSA. I have not compared CSA to all other choices on the market, so I cannot make any claim that CSA is better or worse than the other options. This is simply one network analyst’s review of CSA.)
The reseller/consulting firm I had been working with came out for a demo. We discussed how many PCs and servers I had so that we could see how much CSA would cost. The reseller pointed out that there is no virus or worm ever invented, so far, that CSA has not been able to stop. Then, I watched the demo.
This demo consisted of a laptop running two VMware virtual machines—a server and a client. The server is called the CSA MC (management console) and it is now part of Ciscoworks VMS (VPN/Security Management Solution). The client runs the CSA agent, a tiny software program that is quickly installed. There is no "virus definition" file to be distributed. The agent is in contact with the server only to report events and to obtain the CSA policy. The policy tells the agent, basically, how strict to be.
The engineer doing the demo then executed a virus on the client PC. As soon as the virus was executed, it was stopped and a box popped up that there was a security compromise. This happened even without any antivirus software installed on the client. I was definitely impressed. After asking a few questions, I found that, yes, the client machine is "pingable" and, no, the end user is not asked "do you want to allow this program to access the Internet" whenever a new program attempts Internet access (like with ZoneAlarm).
The sales presentation stressed that, with CSA, machines on my network would be protected even if I didn’t install any more Microsoft security patches or antivirus updates. After saying that, the engineer also stressed that the more protection the better, and that most customers who purchase CSA do not stop updating machines with security patches nor do they throw out their antivirus software.
Another thing that I learned was that, unlike most antivirus software, Cisco Security Agent does not provide the ability to remove any worms or viruses. Once a machine has a worm or virus, you must either remove it manually or use an antivirus program to remove it. CSA will only stop the spread of the virus/worm from that machine and "contain it."
Since I use Citrix Metaframe and Microsoft Terminal Services for 350+ thin-client devices, I asked if I could just install a CSA server license on each of the servers or would I, somehow, have to buy a license for each of the PCs. The answer was, yes, I could just put a server license on each of the six servers and provide CSA for 350+ Windows thin-client devices. This was yet another great benefit to using thin-client devices rather than standard PCs.
CSA does come with "Sample Policies" for devices that have common functions, such as a Web server or an e-mail server. This makes the configuration of the CSA policy for those types of devices a little easier.
As for pricing, I received the proposal from the reseller for the implantation and software costs. They were offering a "special" of one server, 10 desktops, and full implementation services of the product for $5995. On top of that, they offered another 19 server agents and 75 desktop agents for $13,000. This got me to a total of 20 server agents and 85 desktops (as I said, I have 350+ thin-client devices as well but they are covered under the server licenses). Additionally, there were yearly software upgrades and support of about $5000. Cisco does offer a CSA Starter Kit. This includes one server and 10 desktops. I found it on the Web for as low as $2000. It is available through all the standard networking retailers on the Internet like CDW. Also, you can compare prices by putting in the part number "CSA-STARTER-K9=" in a shopping search engine like Froogle.
Cisco has an interesting ROI calculator on its Web site for CSA. You enter the number of employees, servers, and desktops in your company. It has prepopulated values (that you can change) for things like time spent evaluating and applying hot fixes, how many desktops need to be updated regularly, number of times your network has been infected with a virus/worm in the last 12 months, time lost due to the virus infection, etc. Based on my calculations (even telling it that I had never been infected with a virus), CSA would pay for itself in less than 24 months by eliminating the need to patch servers and desktops.
I have decided I will propose Cisco CSA with the caveat that this is a form of insurance to protect us against the unknown. Even if the proposal is turned down, just by proposing it, I am protecting my job should another Internet worm infect the company network. If that happened, at least I could say, "Well, I proposed CSA and that would have protected us, but it was not approved."
I feel that one of the negatives of CSA is the price. At close to $20,000 for only 85 Desktops and 20 servers, this is very expensive security insurance. I am fortunate that I wouldn’t have to purchase the desktop agent for each of my 350+ thin clients. If I did, I estimate it would cost me another $14,000. While I would like all the protection that I can get for my network, I must also take the business side into consideration and think, "If this were my business, would I spend $20,000 on this product?" If I had to answer, being the frugal person that I am, I would have to say no. However, if the product cost less, or if I worked at a company where I felt that security was imperative, I would have to reconsider. In terms of the product itself, I do think CSA is a unique solution that really does seem to work.
TechRepublic originally published this article on 21 May 2004.