White Paper for the Cisco IPS 4255 Sensor
Technical Overview
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 19
Integrating Cisco Security Agent with Cisco Intrusion Prevention System
Cisco® Security Agent and Cisco Intrusion Prevention System (IPS) are two key components of Cisco's Threat Control and Containment strategy, a fundamental piece of the Cisco Self-Defending Network solution. Cisco Security Agent provides unequaled protection to mission-critical servers and desktops by identifying threats and preventing malicious endpoint behavior. Cisco IPS, implemented on a variety of platforms, protects the network by detecting, classifying, and stopping threats in real time. Combined, Cisco Security Agent and Cisco IPS build a true end-to-end threat control and containment solution, providing protection that spans from the core of the network infrastructure all the way to the endpoints.
Residing on servers and desktops, Cisco Security Agents have full visibility into the endpoints, which allows them to gather information that no other security component in the network can see. The Cisco Security Agent software and Cisco IPS have been enhanced so that the sensor can use this valuable endpoint information. This collaboration increases the visibility of Cisco IPS into endpoints and global threats, and as a result extends the overall threat control and containment.
The collaboration between Cisco Security Agent and Cisco IPS has a series of benefits:
● Ability to use Cisco Security Agent endpoint information to influence IPS actions: Using the endpoint contextual information, Cisco IPS determines the appropriate severity of a network threat and selects the corresponding response action.
● Reduction of false positives and false negatives: Cisco Security Agent provides OS type and other endpoint posture information that helps Cisco IPS determine the relevance of a threat, reducing the chances of false positives and false negatives.
● Enhanced attack mitigation: Cisco IPS can use the Watch List maintained by Cisco Security Agent. The Watch List helps Cisco IPS keep an eye on systems identified by Cisco Security Agent as suspicious or malicious, and helps highlight any events associated with these systems.
● Dynamic host quarantine: Cisco IPS can dynamically block hosts that have been identified by Cisco Security Agent as malicious. This extends the quarantine capabilities from Cisco Security Agent to the IPS.
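The four benefits above all come down to one decision step: an IPS event is re-scored using what the host agent knows about the attacker and the target before an action is chosen. The following Python model is an added illustration written for this page; it is not Cisco code and does not reproduce the actual Cisco IPS risk-rating algorithm. The endpoint inventory, Watch List flags, quarantine set, signature IDs and addresses are all constructed sample data, and the one-step severity adjustments are an assumption chosen to keep the logic readable.

```python
"""Illustrative model of endpoint context influencing IPS decisions.

Added example for this white paper, NOT Cisco's implementation. All data
below is constructed: the OS inventory and watch-list flags stand in for
what a host agent would report, and the quarantine set stands in for hosts
the agent has already flagged as malicious.
"""
from dataclasses import dataclass

SEVERITY_ORDER = ["informational", "low", "medium", "high"]


@dataclass
class Endpoint:
    """What the host agent knows about one endpoint (constructed data)."""
    ip: str
    os: str
    watch_listed: bool = False  # agent flagged this host as suspicious


@dataclass
class IpsEvent:
    """A network event as the sensor would see it (constructed data)."""
    sig_id: int
    name: str
    attacker: str
    target: str
    base_severity: str        # severity before endpoint context is applied
    vulnerable_os: tuple      # OS families the signature actually affects


def adjust_severity(base, steps):
    """Move severity up or down by `steps`, clamped to the known scale."""
    idx = SEVERITY_ORDER.index(base) + steps
    idx = max(0, min(len(SEVERITY_ORDER) - 1, idx))
    return SEVERITY_ORDER[idx]


def evaluate(event, inventory, quarantined):
    """Re-score one event with endpoint context and pick a response action."""
    severity = event.base_severity
    reasons = []

    # OS relevancy (reduces false positives/negatives): an exploit aimed at
    # an OS the target does not run is less relevant; a matching OS is more so.
    target = inventory.get(event.target)
    if target is None:
        reasons.append("target OS unknown")
    elif target.os in event.vulnerable_os:
        severity = adjust_severity(severity, +1)
        reasons.append("target OS relevant")
    else:
        severity = adjust_severity(severity, -1)
        reasons.append("target OS not relevant")

    # Watch List: events from hosts the agent already distrusts are raised.
    attacker = inventory.get(event.attacker)
    if attacker is not None and attacker.watch_listed:
        severity = adjust_severity(severity, +1)
        reasons.append("attacker on watch list")

    # Dynamic quarantine: a host the agent has flagged as malicious is blocked
    # regardless of how this particular event scores.
    if event.attacker in quarantined:
        action = "deny-attacker"
    elif severity == "high":
        action = "deny-packet"
    elif severity == "medium":
        action = "alert"
    else:
        action = "log"
    return {"sig_id": event.sig_id, "severity": severity,
            "action": action, "reasons": reasons}


# Constructed sample inventory, quarantine list and events.
INVENTORY = {
    "10.1.1.10": Endpoint("10.1.1.10", "windows"),
    "10.1.1.20": Endpoint("10.1.1.20", "linux"),
    "10.1.1.99": Endpoint("10.1.1.99", "windows", watch_listed=True),
}
QUARANTINED = {"192.0.2.55"}
EVENTS = [
    # Windows SMB exploit fired at a Linux host: relevance drops.
    IpsEvent(3001, "SMB exploit attempt", "192.0.2.7", "10.1.1.20", "high", ("windows",)),
    # Same exploit at a Windows host from a watch-listed internal source.
    IpsEvent(3001, "SMB exploit attempt", "10.1.1.99", "10.1.1.10", "medium", ("windows",)),
    # Low-severity sweep from a host the agent already quarantined.
    IpsEvent(2004, "ICMP sweep", "192.0.2.55", "10.1.1.10", "low", ("windows", "linux")),
]


def run_demo():
    """Score every sample event; returns the list of decisions."""
    return [evaluate(e, INVENTORY, QUARANTINED) for e in EVENTS]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The same signature fires twice in the sample set and produces two different actions: against the Linux host it is downgraded to an alert, while against a Windows host from a watch-listed source it is raised to a drop. The third event shows quarantine overriding severity entirely.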
This document is a technical overview of the integration between Cisco Security Agent and Cisco
IPS. It describes how the collaborative architecture works, explains its benefits, and provides the
necessary guidelines for a successful deployment.