Cisco’s Self Defending Network

I went over to Cisco in Herndon this morning to see a presentation on Cisco’s self-defending network. The goal of this product seems to differ from what I had been thinking of. My goal had been endpoint compliance, and their product doesn’t do that today at all. It may do it tomorrow or in a few months. I translate that into the 12th of never, or whenever we feel like it. I know they have the Cisco Trust Agent coming out in the July-August timeframe, so at least they are working on it.
Infoexpress has a product called CyberGatekeeper LAN and CyberGatekeeper Remote. It allows the administrator to require that everyone on the network has passed an audit. It can check for the presence of antivirus software (by looking at processes, file versions and config files), and that the AV software is up-to-date and configured correctly. If they don’t have a template for the AV software you use, you can create one yourself. The same is true for requiring patches or any other software. You can also prohibit machines with specific executables; you might do this to keep a specific virus off the network.
The problem with the Infoexpress approach at present is that it is extremely manual. When Sasser came out on a Saturday, I needed to write a rule to look for systems with that EXE.
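To make the template idea above concrete, here is a small audit engine that works the way the text describes: each template lists required processes, minimum file versions, required config settings and forbidden executables, and an endpoint passes only if every template is satisfied. This is an added illustration, not Infoexpress code; the template contents, process names, file paths and both host inventories are constructed for the example.

```python
"""Toy template-driven endpoint compliance audit.

All templates and inventories below are constructed for illustration; the
process names, paths and versions are hypothetical and not tied to any product.
"""
from dataclasses import dataclass, field


def parse_version(s: str) -> tuple:
    """Turn '2004.5.1' into (2004, 5, 1) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


@dataclass
class Template:
    """One audit template: what a compliant endpoint must (and must not) show."""
    name: str
    required_processes: set = field(default_factory=set)
    min_file_versions: dict = field(default_factory=dict)    # path -> minimum version
    required_config: dict = field(default_factory=dict)      # key -> expected value
    forbidden_executables: set = field(default_factory=set)  # fail the audit outright


def audit(endpoint: dict, templates: list) -> list:
    """Return (template name, finding) pairs; an empty list means compliant."""
    findings = []
    procs = set(endpoint.get("processes", []))
    files = endpoint.get("file_versions", {})
    config = endpoint.get("config", {})
    for t in templates:
        for p in sorted(t.required_processes - procs):
            findings.append((t.name, f"required process not running: {p}"))
        for path, minimum in t.min_file_versions.items():
            have = files.get(path)
            if have is None:
                findings.append((t.name, f"missing file: {path}"))
            elif parse_version(have) < parse_version(minimum):
                findings.append((t.name, f"{path} is {have}, need >= {minimum}"))
        for key, want in t.required_config.items():
            if config.get(key) != want:
                findings.append((t.name, f"config {key}={config.get(key)!r}, expected {want!r}"))
        for exe in sorted(t.forbidden_executables & procs):
            findings.append((t.name, f"forbidden executable present: {exe}"))
    return findings


def is_compliant(endpoint: dict, templates: list) -> bool:
    return not audit(endpoint, templates)


# Hypothetical templates: one for an AV product, one "keep this worm off the LAN" rule
# of the kind the text describes writing by hand when a new worm appears.
AV_TEMPLATE = Template(
    name="antivirus",
    required_processes={"av_rtscan.exe"},
    min_file_versions={"C:/AV/defs.dat": "2004.5.1"},
    required_config={"scan_all_files": True, "realtime": True},
)
WORM_BLOCK = Template(name="worm-block", forbidden_executables={"worm_example.exe"})
POLICY = [AV_TEMPLATE, WORM_BLOCK]

# Constructed inventories, as an agent on each host might report them.
GOOD_HOST = {
    "processes": ["explorer.exe", "av_rtscan.exe"],
    "file_versions": {"C:/AV/defs.dat": "2004.5.3"},
    "config": {"scan_all_files": True, "realtime": True},
}
BAD_HOST = {
    "processes": ["explorer.exe", "worm_example.exe"],   # AV not running, worm present
    "file_versions": {"C:/AV/defs.dat": "2004.4.20"},    # stale definitions
    "config": {"scan_all_files": False, "realtime": True},
}

if __name__ == "__main__":
    for label, host in (("good", GOOD_HOST), ("bad", BAD_HOST)):
        print(label, "compliant" if is_compliant(host, POLICY) else audit(host, POLICY))
```

The point of keeping each check inside a template object is that a new rule (a forbidden executable for the worm of the day, a new minimum definitions version) is a data change appended to the policy list, not a code change, which is the part of the manual workflow described above that most benefits from being scripted.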
Cisco does not currently match up at all with the Infoexpress product. They are working on a product called the Cisco Trust Agent. They are partnering with the four leading antivirus companies to create an agent built into the AV product that will report the status of the antivirus to the Cisco management device, so the machine can be isolated if it is not up to snuff. Very little is available on this product as it is not released yet. However, I have been told that it does not do enforcement of other things like personal firewalls or patches. In fact we do not yet know what level of enforcement will be possible for the antivirus product. For example, I like to require that all files be scanned.
Where Cisco gets interesting is in the IDS product. Generally IDSes have been something that you hang outside your firewall or just before your DMZ. This IDS goes on the core routers of the company, so it can do enforcement on all internal traffic. So you may get infected because I can’t force you to patch, but I can shut you down once you do get infected. Perhaps a reasonable accommodation to people who don’t want me to have any control over their system.
Another part of this IDS is the Cisco Security Agent. This is a host-based intrusion prevention system. It is behavior-based in that it looks for activity it wouldn’t expect for the role you have assigned to the computer. If I say that a server is running IIS, the agent recognizes the correct behavior of IIS and will take action if IIS starts spinning out of control or contacting a bunch of other servers on port 80.
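The role-based behavior check above can be shown with a few lines of detection logic: a role profile declares which processes are expected to open outbound connections and to which ports, plus a ceiling on distinct peers, and any connection outside that profile (such as the web server process reaching out to many hosts on port 80) raises an alert and an isolate decision. This is an added example of the idea, not Cisco Security Agent code; the role profile, process name and connection events are all constructed.

```python
"""Toy role-based behavioural monitor for a host.

The profile and the connection events are constructed for illustration; the
process name and addresses are hypothetical.
"""
from collections import defaultdict

# Per-role profile: which processes may make outbound connections, to which
# destination ports, and how many distinct peers per process are tolerable.
ROLE_PROFILES = {
    "iis-web-server": {
        # hypothetical: the web application only ever talks to its database on 1433
        "outbound_allowed": {"inetinfo.exe": {1433}},
        "max_distinct_peers": 3,
    },
}


def analyse(role: str, events: list) -> list:
    """Compare outbound connection events against the role profile.

    events: dicts with keys process, dst, port. Returns de-duplicated alerts,
    one per (process, deviation) rather than one per packet.
    """
    profile = ROLE_PROFILES[role]
    allowed = profile["outbound_allowed"]
    alerts, seen = [], set()
    peers = defaultdict(set)

    def add(msg: str) -> None:
        if msg not in seen:
            seen.add(msg)
            alerts.append(msg)

    for ev in events:
        proc, dst, port = ev["process"], ev["dst"], ev["port"]
        peers[proc].add(dst)
        if proc not in allowed:
            add(f"{proc}: outbound connections not expected for role {role}")
        elif port not in allowed[proc]:
            add(f"{proc}: unexpected destination port {port}")
    for proc, dsts in peers.items():
        if len(dsts) > profile["max_distinct_peers"]:
            add(f"{proc}: contacted {len(dsts)} distinct hosts, "
                f"threshold {profile['max_distinct_peers']}")
    return alerts


def should_isolate(role: str, events: list) -> bool:
    """Enforcement decision: any deviation from the role profile isolates the host."""
    return bool(analyse(role, events))


# Constructed events: normal database traffic, then a burst of port-80
# connections to a range of peers, the pattern the text describes.
NORMAL = [
    {"process": "inetinfo.exe", "dst": "10.0.0.5", "port": 1433},
    {"process": "inetinfo.exe", "dst": "10.0.0.5", "port": 1433},
]
SUSPICIOUS = NORMAL + [
    {"process": "inetinfo.exe", "dst": f"10.0.1.{i}", "port": 80} for i in range(1, 6)
]

if __name__ == "__main__":
    for label, evs in (("normal", NORMAL), ("suspicious", SUSPICIOUS)):
        print(label, "isolate" if should_isolate("iis-web-server", evs) else "ok",
              analyse("iis-web-server", evs))
```

The profile is deliberately a whitelist: the monitor does not need a signature for the worm, only a description of what the role is supposed to do, which is why this style of agent can react to a new outbreak before a rule for it exists.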
Another interesting security feature is 802.1x. If a user is authenticated, they are placed on the corporate LAN. If they are not, they drop into a restricted VLAN that may have access to the Internet only (still restricted by Websense and behind the corporate firewall).
A lot of products in a short period of time, but it is exciting to see what can be done to keep the network safe. Speaking of safe, time to see if we can crack open the safe to get some money to pay for this.