Cisco Threat Defense IDS 4215/Cisco Security Agent Bundle

Cisco Threat Defense IDS 4215/Cisco Security Agent Bundle ... a self-contained worm such as SQL Slammer or Blaster, has increased dramatically with each attack. The difficulty in providing a complete network security solution with traditional tools such as firewalls and routers is that applications are becoming more decentralized. Today's total network security solution requires the ability to detect and prevent both known and unknown attacks. Network defense must change from a traditional reactive stance to a proactive stance, where the response to an attack can be initiated in a minimal amount of time.

The Code Red, Nimda, SQL Slammer, and Blaster worms had a dramatic impact on the Internet and on corporate LANs. Each found their way into the network and resulted in significant time lost while IT staff cleaned up and tried to mitigate the effects of these worms. And the next worm is just around the corner.

While enterprise networks dramatically felt the impact of these worms, small and medium-sized networks were hit equally hard and the time lost cleaning up was felt even more dramatically. Today, the technology to effectively mitigate these threats is mature and readily available to small and medium-sized businesses (SMBs) through the Cisco Systems Threat Defense Bundle of network intrusion detection system (NIDS) and host intrusion protection system (HIPS) software.

The IDS4215-CSA-BUN-K9 Cisco Threat Defense IDS 4215/Cisco Security Agent Bundle includes: one Cisco IDS 4215 appliance sensor, one Cisco Security Agent server, 10 Cisco Security Agent desktop agents, Cisco Threat Response software, and Cisco VMS-Basic.

The Cisco IDS 4215 can monitor up to 80 Mbps of traffic and is suitable for T1/E1 and T3 environments. Additionally, multiple sniffing interfaces are supported on the IDS-4215 which allows the ability to simultaneously protect multiple subnets, thereby delivering five sensors in a single unit.

At the endpoint, the deployment of a host intrusion prevention system can provide protection against both worms and viruses. The HIPS monitors processes on the host using a database of system policies. Rather than focusing exclusively on the attacks that are seen in the reconnaissance phases of network attacks, the Cisco Security Agent approaches the problem from the other direction. Cisco Security Agent prevents malicious activity on the host by focusing on behavior. By changing the focus to behavior, damaging activity can be detected and blocked - regardless of the attack.

Cisco Security Agent uses predefined and user-defined security policies to determine whether a particular action or behavior is permitted. These policies are stored on a central management console that is tightly integrated with the Cisco VPN/Security Management Solution (VMS), part of the CiscoWorks software suite. The Cisco Security Agent Management Console provides a central location where policies can be defined and downloaded by Cisco Security Agent when the manager is polled. By default, Cisco Security Agent ships with predefined policies that prevent most types of malicious activity from occurring. Malicious activity, always undesired, requires little or no environmental tuning of the Cisco Security Agent. For applications requiring access to system resources, the system calls are intercepted by Cisco Security Agent, which then compares them against a cached policy. The agent correlates this particular OS call with others made by that application or process, and correlates these events to detect malicious activity. If the request does not violate policy, it is passed to the kernel for execution. If the request does violate policy, it is blocked, an appropriate error message is passed back to the application, and an alert is generated and sent from the agent to the Cisco Security Agent Management Console.