As many of you are already aware, Cisco Systems recently announced that their main endpoint Host Intrusion Protection System (HIPS) product – Cisco Security Agent (CSA) – is being discontinued. This post covers some product background along with some (purely speculative) reasons behind the decision.
Historically, Cisco positioned the CSA product as a complement to its main Network Intrusion Detection System (NIDS), now more commonly known as an IPS (Intrusion Prevention System). Where the NIDS has been signature-based, CSA provided behavior-based detection and protection through a “kernel intercept” approach: the agent hooks file, registry, and network resource access in the kernel so that policies can monitor and restrict what each process is allowed to do.
The marketable advantage of this “behavior based” approach was that zero-day attacks (ones for which no recognizable signature pattern has yet been captured and published) could be stopped, whereas signature-based NIDS systems have largely been defenseless against them. The drawback, however, was that with the advent of additional software such as Network Admission Control (Clean Access) and SSL VPNs (Cisco Secure Desktop), the CSA policy had to be modified before endpoint assessment by those products would succeed.
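To make the signature-versus-behavior distinction concrete, here is a small added model (not Cisco code, and not CSA's actual policy language) of the two detection styles. It feeds the same constructed access events through a signature matcher, which only recognizes a catalogued byte pattern, and through a first-match-wins resource-access policy of the kind the paragraph above describes (process, resource type, target, action). The policy rules, the placeholder signature, and the sample events are all constructed for this illustration.

```python
"""Toy comparison of signature-based and behavior-based (policy) detection.

Added illustration only: the event format, the placeholder signature, the
policy table and the sample events are constructed and are not CSA's own.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    process: str          # image name of the acting process
    resource: str         # "file", "registry" or "network"
    target: str           # path, registry key, or "proto:port"
    action: str           # "read", "write", "listen" or "connect"
    payload: bytes = b""  # bytes written / sent, if any


# A signature engine can only recognize what has already been catalogued.
KNOWN_SIGNATURES = {
    b"CONSTRUCTED-SAMPLE-SIGNATURE-1",  # placeholder, not a real signature
}


def signature_match(event: AccessEvent) -> bool:
    """True if the event's payload contains a known signature."""
    return any(sig in event.payload for sig in KNOWN_SIGNATURES)


# Behavior policy, evaluated top to bottom; the first matching rule wins.
# Columns: process glob, resource ("*" = any), target prefix, action ("*" = any), verdict
POLICY = [
    ("*",           "file",     "C:\\Windows\\System32\\",                                 "write",   "deny"),
    ("*",           "registry", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "write",   "deny"),
    ("svchost.exe", "network",  "tcp:",                                                    "listen",  "allow"),
    ("*",           "network",  "tcp:",                                                    "listen",  "deny"),
    ("*",           "network",  "tcp:443",                                                 "connect", "allow"),
    ("*",           "*",        "",                                                        "*",       "monitor"),
]


def evaluate(event: AccessEvent) -> str:
    """Return the verdict of the first policy rule that matches the event."""
    for proc_glob, resource, prefix, action, verdict in POLICY:
        if (fnmatch.fnmatchcase(event.process.lower(), proc_glob.lower())
                and resource in ("*", event.resource)
                and event.target.startswith(prefix)
                and action in ("*", event.action)):
            return verdict
    return "monitor"  # unreachable with the catch-all rule above, kept for safety


def triage(events):
    """Run both engines over the events; returns (process, target, sig_hit, verdict) tuples."""
    return [(e.process, e.target, signature_match(e), evaluate(e)) for e in events]


def zero_days_blocked(events):
    """Events the signature engine missed but the behavior policy denied."""
    return [e for e in events if not signature_match(e) and evaluate(e) == "deny"]


# Constructed sample events: one known sample, one novel payload, and routine traffic.
SAMPLE_EVENTS = [
    AccessEvent("updater.exe", "file", "C:\\Users\\Public\\tmp.bin", "write",
                b"...CONSTRUCTED-SAMPLE-SIGNATURE-1..."),
    AccessEvent("unknown.exe", "file", "C:\\Windows\\System32\\drv.sys", "write",
                b"never-seen-before bytes"),
    AccessEvent("unknown.exe", "network", "tcp:4444", "listen"),
    AccessEvent("svchost.exe", "network", "tcp:135", "listen"),
    AccessEvent("browser.exe", "network", "tcp:443", "connect"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The point the two engines make together: the first event is caught only because its payload is already catalogued, while the second and third carry no known pattern and are stopped purely because an unknown process is doing something the policy forbids. The fifth rule also shows why the paragraph's drawback arises: any legitimate agent whose behavior is not described by an allow rule will hit a deny or monitor rule and need a policy change.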
There have been two significant vulnerabilities documented for the CSA in the past three years. Both relate to improper input handling of TCP packets, leading to denial of service. Customers needed to upgrade to a newer version not only to mitigate these, but also to support the agent on newer Microsoft OS platforms such as Vista and Windows 7.
Despite some negative reviews in the “blog-o-sphere”, CSA developed a rather faithful following, and there is an often-cited, extensive case-history write-up on the SANS website of an implementation of the product for incident handling. Cisco also recently introduced the concept of an External Product Interface for the IPS sensor, whereby hosts identified as attackers by the Management Center (now Cisco Security Manager) could be added to the sensor's watch list as an indication of a greater threat.
As for my personal speculation as to why Cisco is end-of-lifing this product, two factors immediately come to mind. First, the market for host-based IPS is more competitive than it was when Cisco first acquired the product from Okena; McAfee is a vendor frequently mentioned as a likely eventual migration target. Second, Cisco has been gradually migrating away from Windows-based software solutions toward Linux-based ones (witness the Unified Communications and Access Control Server product areas). It remains to be seen whether Cisco will eventually acquire a similar product to fill its HIPS void.
Author: Doug McKillip