Table Of Contents
Introducing Cisco Incident Control Server
Cisco Incident Control Server Overview
Understanding Network-based Threats
Cisco ICS Services, Ports, and Protocols
Introducing Cisco Incident Control Server
This chapter introduces Cisco Incident Control Server (Cisco ICS). It contains the following sections:
• Cisco Incident Control Server Overview
• Cisco ICS Services, Ports, and Protocols
Cisco Incident Control Server Overview
Cisco Incident Control Server (Cisco ICS) is a server-based software application that helps you manage your incident control initiatives. Built on incident-control technology from Trend Micro, Cisco ICS gives you the means to protect your organization from newly discovered network-based threats.
Use the Cisco ICS web console to manage the Cisco ICS server and perform the following tasks:
•Deploy policies to Cisco network devices to block the traffic and ports network-based threats use to propagate.
•Create reports about the tasks you create to address threats on your network.
•Use logs to analyze your protection.
•Configure notifications to alert you about threat-related events and Cisco ICS threat-protection updates.
•Clean up infected hosts to remove viruses and other threats.
Cisco ICS Technology
Cisco ICS helps protect your network by combining Cisco networking and security expertise with Trend Micro antivirus and incident-control technology.
This section describes the technology behind Cisco ICS and contains the following topics:
• Understanding Network-based Threats
Incident Control System
Cisco provides an incident control system—a means to control the outbreak of network-based threats on your network. The incident control system is managed by a central server, the Cisco ICS server, and uses threat-specific access control lists (ACLs) and signature files to help identify network threats and mitigate the effects of outbreaks. With these components, your Cisco network devices can become defense nodes against new outbreaks.
You can deploy Outbreak Prevention ACLs (OPACLs) and Outbreak Prevention Signatures (OPSigs) from the web console when you create items called outbreak management tasks or when you enable Cisco ICS to automate the creation of tasks. For an explanation of OPACLs and OPSigs, see About Cisco ICS Components. To understand how outbreak management tasks can help protect your network, see About Outbreak Management Tasks, page 6-1.
This section describes the elements of ICS and the ICS in action and contains the following topics:
• Elements of the Incident Control System
• The Incident Control System in Action
Elements of the Incident Control System
The following elements comprise the Cisco implementation of the incident control system:
•TrendLabs—The Trend Micro worldwide, real-time monitoring and signature-development infrastructure.
•Cisco Incident Control Server (Cisco ICS)—A product that delivers protection from viruses, worms, spyware, and other potential threats.
•Mitigation devices—Switches, routers, IPS appliances, and Cisco IOS IPS devices.
The Incident Control System in Action
Soon after TrendLabs discovers a new threat, the following sequence of events takes place:
1. TrendLabs releases an outbreak management task file that contains an OPACL to address the new threat.
2. As the Cisco ICS server polls the update source for new components, it discovers that the new outbreak management task is available.
3. Cisco ICS downloads the new outbreak management task file.
4. If Cisco ICS is enabled to deploy outbreak management tasks automatically, it activates a new task and deploys the OPACL to network devices.
5. Your Cisco network devices block the ports and the types of traffic specified in the OPACL until the OPACL expires.
6. Approximately 2 hours after TrendLabs releases the OPACL, it releases an OPSig, which enables IPS devices to detect the new threat as well as other threats TrendLabs discovered.
7. Cisco ICS downloads and deploys the OPSig to IPS devices. The OPACL for the threat expires on all devices when Cisco ICS deploys the OPSig.
8. While they scan network traffic, IPS devices use the OPSig to identify any threats that might attack the network.
9. If an IPS device detects a threat in network traffic from a certain host, Cisco ICS considers the host to be potentially infected and puts it on a watch list. You can view the watch list to see which hosts on your network need attention.
10. If you installed Damage Cleanup Services, you can run a Damage Cleanup scan on the potentially infected host to attempt to remove the threat.
Figure 1-1 provides a graphical overview.
Figure 1-1 Incident Control System Overview
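The ten-step sequence above is a small state machine: components are fetched only when the update source has a newer version, an OPACL is pushed to every managed device as soon as a task is activated, and that OPACL is retired either when its own lifetime runs out or, earlier, the moment the OPSig is deployed. The following Python model walks through that lifecycle on constructed devices. It is an added illustration written for this page, not Cisco ICS code: the task-file fields, the IOS-style ACL text, the device names, the threat name WORM_SAMPLE and the ports it "uses" are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample types: the real Cisco ICS task-file format is not documented on this page.
@dataclass(frozen=True)
class OutbreakTask:
    threat: str                           # threat name as released by the update source
    version: int                          # OPACL component version
    blocks: Tuple[Tuple[str, int], ...]   # (protocol, port) pairs the threat uses to propagate
    ttl_hours: int                        # OPACL lifetime if no OPSig arrives

@dataclass
class Device:
    name: str
    kind: str                             # "switch", "router" or "ips"
    acl: List[str] = field(default_factory=list)   # active OPACL lines
    acl_expires: Optional[datetime] = None
    opsig_version: int = 0                # only meaningful for IPS devices

def render_opacl(task: OutbreakTask) -> List[str]:  # IOS-style extended ACL (assumed syntax)
    lines = [f"ip access-list extended OPACL-{task.threat}"]
    lines += [f" deny {proto} any any eq {port}" for proto, port in task.blocks]
    lines.append(" permit ip any any")    # block only the propagation ports, pass the rest
    return lines

class IncidentControlServer:
    def __init__(self, devices: List[Device], auto_deploy: bool = True):
        self.devices = devices
        self.auto_deploy = auto_deploy    # step 4: automatic task activation on or off
        self.versions = {"opacl": 0, "opsig": 0}   # component versions already on the server
        self.watch_list: Dict[str, List[Tuple[str, str]]] = {}

    def poll(self, update_source: dict, now: datetime) -> List[str]:
        """Steps 2-4 and 7: fetch only components newer than what the server holds."""
        actions = []
        task = update_source.get("opacl")
        if task and task.version > self.versions["opacl"]:
            self.versions["opacl"] = task.version
            actions.append(f"downloaded OPACL task {task.threat} v{task.version}")
            if self.auto_deploy:
                actions += self.deploy_opacl(task, now)
        sig = update_source.get("opsig", 0)
        if sig > self.versions["opsig"]:
            self.versions["opsig"] = sig
            actions.append(f"downloaded OPSig v{sig}")
            actions += self.deploy_opsig(sig)
        return actions

    def deploy_opacl(self, task: OutbreakTask, now: datetime) -> List[str]:
        for d in self.devices:            # step 4: switches, routers and IPS devices all get it
            d.acl = render_opacl(task)
            d.acl_expires = now + timedelta(hours=task.ttl_hours)
        return [f"deployed OPACL {task.threat} to {len(self.devices)} devices"]

    def deploy_opsig(self, version: int) -> List[str]:
        actions = []
        for d in self.devices:
            if d.kind == "ips":           # step 7: the OPSig only goes to IPS devices ...
                d.opsig_version = version
                actions.append(f"deployed OPSig v{version} to {d.name}")
            d.acl, d.acl_expires = [], None   # ... but the OPACL is retired everywhere
        return actions

    def expire(self, now: datetime) -> None:
        for d in self.devices:            # step 5: otherwise the OPACL lapses on its own lifetime
            if d.acl_expires is not None and now >= d.acl_expires:
                d.acl, d.acl_expires = [], None

    def ingest_ips_alert(self, device: Device, src_host: str, threat: str) -> bool:
        if device.kind != "ips" or device.opsig_version == 0:
            return False                  # no OPSig on that device yet, so nothing could match
        self.watch_list.setdefault(src_host, []).append((device.name, threat))  # step 9
        return True

def demo() -> dict:
    """Run the sequence on constructed devices and return the observable state at each step."""
    devices = [Device("sw1", "switch"), Device("rtr1", "router"), Device("ips1", "ips")]
    ics = IncidentControlServer(devices)
    t0 = datetime(2006, 4, 7, 9, 0)
    task = OutbreakTask("WORM_SAMPLE", 1, (("tcp", 445), ("udp", 1434)), 24)  # constructed
    out = {"first": ics.poll({"opacl": task, "opsig": 0}, t0)}
    out["second"] = ics.poll({"opacl": task, "opsig": 0}, t0 + timedelta(minutes=30))
    out["acl"] = list(devices[0].acl)
    out["alert_before_opsig"] = ics.ingest_ips_alert(devices[2], "10.0.0.7", task.threat)
    out["third"] = ics.poll({"opacl": task, "opsig": 1}, t0 + timedelta(hours=2))
    out["acl_after_opsig"] = list(devices[0].acl)
    out["opsig_on_ips"] = devices[2].opsig_version
    out["alert_after_opsig"] = ics.ingest_ips_alert(devices[2], "10.0.0.7", task.threat)
    out["watch_list"] = dict(ics.watch_list)
    lone = [Device("sw2", "switch")]      # a server that never receives an OPSig
    ics2 = IncidentControlServer(lone)
    ics2.poll({"opacl": task}, t0)
    ics2.expire(t0 + timedelta(hours=24))
    out["acl_after_ttl"] = list(lone[0].acl)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the model makes visible that the prose only implies: a second poll against an unchanged update source downloads nothing (the version check is what keeps the server from redeploying the same OPACL every cycle), and an IPS device cannot contribute to the watch list until the OPSig has actually reached it, so during the window between steps 4 and 7 the only protection is the coarse port block, and hosts infected in that window only surface once scanning starts.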
About Cisco ICS Components
Cisco ICS downloads the following components from Trend Micro and uses them to block network traffic, scan for network-based threats, and clean infected hosts:
Outbreak-threat Components
The outbreak-threat components consist of the following:
•Outbreak Prevention ACL (OPACL)—An ACL that network devices use to block the ports and the types of traffic that threats use to propagate. The OPACL is associated with a task you create to block a specific threat for a limited period of time. The devices use the OPACL to block traffic, not scan traffic. For more information, see About Outbreak Management Tasks, page 6-1.
•Outbreak Prevention Signature (OPSig)—A file that helps IPS devices identify unique patterns of bits and bytes that signal the presence of a network-based threat. IPS devices can continually scan traffic and, when using an OPSig, can block a threat that is attacking your network or any host on your network.
Damage Cleanup Components
The Damage Cleanup components consist of the following:
•Damage Cleanup engine—The engine that Damage Cleanup Services (DCS) uses to scan for and remove Trojans and Trojan processes and to clean up hosts.
•Damage Cleanup template—The file that the Damage Cleanup engine uses to help identify Trojan files and processes to be eliminated.
•Spyware cleanup pattern—The file that the Damage Cleanup engine uses to eliminate spyware and other intrusive code, known as grayware.
This section describes component download and deployment and contains the following topics:
• Component Download
• Component Deployment
Component Download
Cisco ICS offers two methods for downloading components from the update source to the Cisco ICS server:
•Scheduled—Download all components according to a configurable schedule to automate the task of keeping your threat protection up-to-date.
•Manual—Download selected components on demand when a new threat appears and you do not want to wait for the next scheduled download.
Note The Cisco ICS server polls the update source and downloads a component only if a newer version is available. If the components on the Cisco ICS server are already up to date, no download occurs.
For more information, see Downloading Components, page 5-2.
Component Deployment
The Cisco ICS server deploys the following components to different network devices at different times:
•OPACLs—Cisco ICS deploys the OPACL to Cisco switches, routers, and IPS devices. Automatic deployment takes place after outbreak management task creation.
•OPSigs and DCS components—Cisco ICS deploys the OPSig to IPS devices and the Damage Cleanup components to Damage Cleanup servers. Automatic deployment takes place after an updated component is downloaded, a new device is added, or the status of any device changes to online.
You can manually download and deploy components on demand at any time if you want to update your threat protection immediately without waiting for the next automatic update.
For more information, see Downloading Components, page 5-2, and Deploying Components, page 5-7.
Understanding Network-based Threats
Tens of thousands of threats exist, with more being created each day. Although threats were once confined mostly to DOS and Windows hosts, threats today can cause a great amount of damage by exploiting vulnerabilities in corporate networks, email systems, and websites.
Most threats fall into the following categories:
•ActiveX malicious code—Resides in web pages that run ActiveX controls.
•Boot sector viruses—Infect the boot sector of a partition or a disk.
•COM and EXE file infectors—Viruses within executable programs that typically have a .com or .exe extension.
•Joke programs—Virus-like programs that often manipulate the appearance of things on a computer monitor.
•Java malicious code—Operating system-independent virus code written or embedded in Java.
•Macro viruses—Viruses encoded as application macros and often included in a document.
•Trojans—Executable programs that do not replicate but instead reside on systems to perform malicious acts, such as opening network ports that give an attacker remote access to the host.
•VBScript, JavaScript or HTML viruses—Viruses that reside in web pages and are downloaded through a browser.
•Worms—A self-contained program (or set of programs) that can spread functional copies of itself or its segments to other computer systems, often via email.
Network-based Threats
A virus spreading throughout a network is not, strictly speaking, a network-based threat. Only some of the threats mentioned previously, such as worms, qualify as network-based threats. Specifically, network-based threats use network protocols, such as TCP, UDP, FTP, HTTP, and email protocols, to replicate. They often do not alter system files or modify the boot sectors of hard disks. Instead, they infect the memory of client machines, forcing them to flood the network with traffic, which can cause slowdowns and even complete network failures. Because network-based threats often remain only in memory, conventional file I/O based scanning frequently cannot detect them; this is why Cisco ICS blocks their propagation traffic at network devices rather than relying on host file scanning alone.
About Risk Ratings
Each threat is associated with a risk rating. TrendLabs, the global network of antivirus research and product support for Trend Micro, provides rapid response to any virus outbreak or urgent customer support issue. When it receives a case, TrendLabs immediately evaluates the threat and assigns a risk rating of low, medium, or high.
The TrendLabs Risk Rating Evaluation is also an early warning system backed by professional antivirus and security researchers. Information gathered from its various service centers and business units (BUs) is pooled, analyzed, and redistributed with solutions to help network administrators and managers assess the vulnerability of their systems and to advise them on securing their networks during an outbreak.
Overall Risk Rating Levels
TrendLabs determines risk rating levels using specific criteria and takes corresponding action. Table 1-1 provides an explanation of each risk rating.
Minimum System Requirements
This section describes the minimum requirements for Cisco ICS. It contains the following topics:
• Cisco ICS Server
• Supported Cisco Devices
• Syslog Servers
Cisco ICS Server
The Cisco ICS server has the following minimum requirements:
•Operating system (one of the following)
–Windows 2000 Server or Advanced Server with SP3
–Windows 2003 Server Standard Edition or Enterprise Edition (English)
•Web server (one of the following)
–IIS: Windows 2000 IIS 5.0 or Windows 2003 IIS 6.0
–Apache: 2.0
•Web browser (for web console access)
–Internet Explorer version 5.5 SP2
•Hardware
–866 MHz Intel Pentium III processor or equivalent
–512 MB of RAM
–350 MB of disk space
Supported Cisco Devices
Table 1-2 lists the devices that Cisco ICS can manage. For more information, see About Device Types, page 4-1, and About Device Licenses, page 9-9.
Syslog Servers
The following Syslog server is recommended:
•Cisco Monitoring, Analysis, and Response System (Cisco MARS)
Cisco ICS Services, Ports, and Protocols
The following ICS services, ports, and protocols are required:
•Services
–Cisco ICS Flexlm License Manager
–Cisco ICS Master Service
•Communication Ports and Protocols
–Telnet (port 23) and SSH (port 22) to communicate with switches and routers
–HTTP (port 80) and HTTPS (port 443) to communicate with the update source and IPS devices
Note Telnet carries device credentials and OPACL deployment commands in cleartext. Where the managed switches and routers support SSH, configure Cisco ICS to use SSH and allow only port 22 from the Cisco ICS server to those devices; the same applies to preferring HTTPS over HTTP for the update source and IPS devices.
User Documentation
Cisco ICS documentation set contains the following:
•Cisco Incident Control Server Administrator Guide—Helps you plan for and install the Cisco ICS server program and configure all features. The latest version of the administrator guide is available in electronic form at the following location:
http://www.cisco.com
•Online help—Helps you configure all features and is accessible from the web console.
•Readme—Contains late-breaking product information that might not be found in the other documentation. Topics include a description of features, installation tips, known issues, and product release history.
For information about what kind of technical knowledge you should have before reading the documentation, see Audience, page xvii.
Posted: Fri Apr 7 09:32:01 PDT 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.