
Release Notes for Management Center for Cisco Security Agents 4.0

Note

Since the release of this document, Cisco Security Agent update 4.0.1 has been
made available. Although the information contained in this document remains
valid, additional information, some of which may supersede this document, is
provided in a readme file available with the 4.0.1 update. Please refer to the 4.0.1
readme file in addition to this document. You should also review the Cisco
Security Agent documentation on Cisco.com for any updates.
These release notes are for use with Management Center for Cisco Security
Agents (CSA MC) 4.0. The following information is provided:

File Integrity Check Instructions, page 2
New Features, page 3
Documentation Roadmap, page 6
Obtaining a License Key, page 6
IDS Host Sensor Incompatibility, page 7
System Requirements (CSA MC), page 8
System Requirements (Agent), page 10
Upgrade Support, page 12
Duplicate Configuration Naming Convention, page 12
Cisco Security Agent Policies, page 13
CSA MC Local Agent and Policies, page 13
RME Gatekeeper Remote Access Issue, page 15
Cisco VPN Client Support, page 16
Known Issues, page 16
Obtaining Documentation, page 26
Obtaining Technical Assistance, page 27
Obtaining Additional Publications and Information, page 30

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright 2003 Cisco Systems, Inc. All rights reserved.

File Integrity Check Instructions


If you have a CCO account on Cisco.com, you can perform integrity checks on the
files provided on the Startup Disk. Go to
http://www.cisco.com/kobayashi/sw-center/cw2000/vms-planner.shtml to
securely obtain the verify_digests.exe program, and use it to check the MD5
hashes of the files you received on your product CD.

Caution

When you download the digest file, make sure your browser has transitioned to
https mode for a secure download.

Step 1

Once you've downloaded the program verify_digests.exe, run it to display the
precomputed valid MD5 hashes for the Startup Disk files.

Step 2

The verify_digests.exe program then prompts you for the directory of the files.
Specify the Startup Disk location, press Enter and verify_digests.exe will
validate each file.

Note

Note that you can enter the CD drive letter and check the files on the CD itself or
you can copy the files to your system and check them from the directory to which
they were copied.

Release Notes for Management Center for Cisco Security Agents 4.0

78-15603-02

The following output is displayed:

The output displays "OK" if the hashes match and the files are valid.

If the hashes do not match, "Failure" is displayed. Contact Cisco if this
occurs.

If the digest program cannot locate a file, "File not found" is displayed. Check
the location of the files.
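The three outcomes above (OK, Failure, File not found) are what any digest verifier has to produce. The following Python script is an added example, not Cisco's verify_digests.exe and not code from the release notes: it reads a digest listing, computes the MD5 of each listed file in a directory, and reports one of the three results per file. The listing format ("<md5 hex>  <file name>", one per line) is an assumption, since the page does not show the real digest file layout; the sample files and the tampered file are constructed inline so the script runs offline.

```python
import hashlib
import os
import tempfile


def md5_of_file(path, chunk_size=64 * 1024):
    """Return the hex MD5 of a file, reading it in chunks so large files fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_digests(listing):
    """Map file name -> expected MD5 (lowercase hex) from the digest listing text.
    Assumed layout: "<md5 hex>  <file name>" per line; '#' lines are comments."""
    expected = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name] = digest.lower()
    return expected


def verify_directory(directory, expected):
    """Return {file name: "OK" | "Failure" | "File not found"}, the three
    outcomes the release notes describe for the digest check."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "File not found"
        elif md5_of_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "Failure"
    return results


def demo():
    """Build a throwaway stand-in for the Startup Disk and verify it.
    Constructed data: one intact file, one tampered file, one missing file."""
    files = {
        "setup.exe": b"constructed installer bytes",
        "readme.txt": b"constructed readme text",
    }
    listing = "\n".join(
        f"{hashlib.md5(data).hexdigest()}  {name}" for name, data in files.items()
    )
    listing += "\n" + "0" * 32 + "  missing.dat"  # listed, but never written to disk
    with tempfile.TemporaryDirectory() as disk:
        for name, data in files.items():
            with open(os.path.join(disk, name), "wb") as handle:
                handle.write(data)
        # Simulate a corrupted or altered file on the media.
        with open(os.path.join(disk, "readme.txt"), "ab") as handle:
            handle.write(b"!")
        return verify_directory(disk, parse_digests(listing))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:15} {name}")
```

The check is only as trustworthy as the digest listing itself, which is why the Caution above insists on fetching it over https: a listing obtained over an unauthenticated channel could have been altered to match altered files.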

New Features
This release contains the following new features:
Buffer Overflow Pattern Exclusion
Use the Wizard from the Event log message in question to exclude a
particular pattern when you are seeing buffer overflow events you believe are
harmless.
Bulk Transfer of Hosts
Use the Bulk Transfer feature to easily move or copy all hosts from a group
you select into the Group you are currently viewing. This is an efficient way
to move large numbers of hosts between groups.
Cisco VPN Client Support
The Cisco Security Agent is a supported configuration for the "Are You
There?" feature of the Cisco VPN Client Release 4.0. For configuration
details, please refer to the Cisco VPN Client documentation.
CSA Profiler Integrated with CSA MC
Cisco Security Agent Profiler capability is integrated and installed with CSA
MC. Cisco Security Agent Profiler software works with CSA MC and Cisco
Security Agent, serving as a data analysis and policy creation tool for
administrators who are deploying policies across systems and networks.
Configurable Downloaded Content Application Class
CSA MC ships with a pre-configured application class called <Processes
executing downloaded content>. This class includes any downloaded
executable or any process that is interpreting downloaded content. If
necessary, you can edit any of these downloaded content fields and make any
necessary exclusions to change the global definition of downloaded content.
You may want to do this if you are experiencing false positives due to an
application being seen as downloaded content.
Connection Rate Limiting Rule
Use the connection rate limit rule to control the number of network
connections that can be sent or received by systems within a specified time
frame. This is useful in preventing attacks aimed at bringing down system
services, for example, denial of service attacks (server connection rate
limiting). This is also useful in preventing the propagation of denial of service
attacks (client connection rate limiting).
Data Filtering: Data Access Control Rule
Use data access control rules on web servers to detect clients making
malformed web server requests where such requests could crash or hang the
server. A malformed request could also be an attempt by an outside client to
retrieve configuration information from the web server or to run exploited
code on the server.
Dynamic Application tagging in Application Control Rule
Creating dynamic application classes from the Application control rule is a
bit different than creating them from other rule types. Because this rule has
two application class fields, you can choose to add the current application to
the dynamic class or choose to add the new application that is invoked by the
first application to the dynamic class.
Expanded Wizard Functionality
Use the Event Management Wizard to change the action of a rule that
triggered a specific event. Through the wizard, you can automatically
generate an "exception" allow rule which takes the application class and
resource information in the event and creates an allow rule to counteract the
rule that caused the deny.
MSDE Service Pack 3 Update
The Management Center for Cisco Security Agents now installs Microsoft
SQL Server Desktop Engine with Service Pack 3. This is the latest version of
MSDE. Optionally, you can install your own version of SQL Server 2000 with
Service Pack 3.

Network Shield: System Startup Security Checks
Through this rule, you can prevent non-essential network connections during
system startup. This protects the system from network-based attacks at
boot-time before the agent service has started.
Rule Precedence Manipulation
In addition to ordering rules within a policy by action type, CSA MC uses the
selected logging type as a way to suborder similar rules within a policy.
Logging automatically takes precedence over disabled logging if the action
type is the same for multiple rules in a policy. Therefore, for rules of a given
priority, for example, Allow, a Log rule will be evaluated before a No Log
rule.
Security Monitor Event Integration
Security Monitor can receive events from CSA MC. Refer to your Security
Monitor documentation for details.
VMS Integration
CSA MC is a component of the CiscoWorks VPN/Security Management
Solution (VMS). You must have CiscoWorks and VMS 2.2 installed on the
system on which you are installing CSA MC.
Windows Kernel Protection
Use the Kernel protection rule to detect unauthorized access to the operating
system. In effect, this rule detects and logs drivers dynamically loading after
boot time. Through this rule page, you can also cause the system in question
to lose network connectivity when unauthorized modules are detected. This
essentially quarantines the system from the network until you investigate
whether the module is harmful.
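The Connection Rate Limiting Rule described in this list controls how many connections a system may send or receive within a time frame, with a server-side limit for the denial-of-service case and a client-side limit for the propagation case. The Python below is an added illustration of how such a limit decides, written for these release notes and not taken from Cisco's agent: a sliding-window counter per host and direction, applied to a constructed series of connection events. The rule values, host names, and events are all made up for the example; the product's own algorithm is not described on the page.

```python
from collections import deque


class ConnectionRateLimit:
    """Sliding-window counter: allow at most `max_connections` connection
    attempts within any `window_seconds` span, deny the rest."""

    def __init__(self, max_connections, window_seconds):
        self.max_connections = max_connections
        self.window_seconds = window_seconds
        self._recent = deque()  # timestamps of connections still inside the window

    def allow(self, timestamp):
        # Expire connections that fell out of the window.
        while self._recent and timestamp - self._recent[0] >= self.window_seconds:
            self._recent.popleft()
        if len(self._recent) >= self.max_connections:
            return False  # limit reached: deny, and do not count the denied attempt
        self._recent.append(timestamp)
        return True


# Constructed rule set: "server" limits connections a host receives (the
# denial-of-service case), "client" limits connections a host initiates
# (the propagation case). Values are illustrative, not product defaults.
RULES = {
    "server": (5, 10.0),  # at most 5 inbound connections per 10 seconds
    "client": (2, 5.0),   # at most 2 outbound connections per 5 seconds
}

# Constructed connection events: (timestamp in seconds, host, direction).
EVENTS = [
    (0.0, "web01", "server"), (0.2, "web01", "server"), (0.4, "web01", "server"),
    (0.6, "web01", "server"), (0.8, "web01", "server"), (1.0, "web01", "server"),
    (12.0, "web01", "server"),
    (0.0, "ws07", "client"), (0.5, "ws07", "client"), (0.9, "ws07", "client"),
    (6.0, "ws07", "client"),
]


def apply_policy(events, rules):
    """Evaluate events in time order with one limiter per (host, direction).
    Returns (timestamp, host, direction, "allow" | "deny") tuples."""
    limiters = {}
    verdicts = []
    for timestamp, host, direction in sorted(events):
        if direction not in rules:
            verdicts.append((timestamp, host, direction, "allow"))
            continue
        limiter = limiters.setdefault(
            (host, direction), ConnectionRateLimit(*rules[direction])
        )
        verdict = "allow" if limiter.allow(timestamp) else "deny"
        verdicts.append((timestamp, host, direction, verdict))
    return verdicts


def denied(verdicts):
    """(timestamp, host) of every denied connection, for a log line or a test."""
    return [(t, h) for t, h, _d, v in verdicts if v == "deny"]


if __name__ == "__main__":
    for t, h, d, v in apply_policy(EVENTS, RULES):
        print(f"t={t:5.1f} {h:6} {d:6} {v}")
```

With these values the sixth inbound connection to web01 inside one second is denied and the seventh, twelve seconds later, is allowed again because the earlier ones have aged out of the window; ws07's third outbound connection within a second is denied for the same reason. The denied attempt is deliberately not counted, so a host under a burst is not locked out longer than the window.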


Documentation Roadmap
Note

Although every effort has been made to validate the accuracy of the information
in the printed and electronic documentation, you should also review the Cisco
Security Agent documentation on Cisco.com for any updates.
The following documents are provided as PDF files on your Product CD:

Installing Management Center for Cisco Security Agents

Using Management Center for Cisco Security Agents

These files are available in the top level directory of the product CD in the
Documentation folder. After installation, they are also available in the
CSAMC\doc subdirectory.

Note

You must use Adobe Acrobat Reader (version 4.0 or later) to view these files. You
can download a free Acrobat reader from www.adobe.com.

Obtaining a License Key


Before installing Management Center for Cisco Security Agents, you should
obtain a license key from Cisco. To receive your license key, you must use the
Product Authorization Key (PAK) label affixed to the claim certificate for CSA
MC located in the separate licensing envelope.

Caution

Management Center for Cisco Security Agents does not run on the 90-day
evaluation license that other Common Services applications use. You must
register CSA MC and provide the PAK to obtain a valid CSA MC license.
To obtain a production license, register your software at one of the following web
sites.
If you are a registered user of Cisco.com, use this website:


http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl.
If you are not a registered user of Cisco.com, use this website:
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl.
After registration, the software license will be sent to the email address that you
provided during the registration process. Retain this document with your VMS
bundle product software records.

IDS Host Sensor Incompatibility


Any system on which you are installing CSA MC or the Cisco Security Agent
must not have the Cisco IDS Host Sensor Console or the Cisco IDS Host Sensor
installed on it. If CSA MC or the agent installer detects any Cisco IDS Host
Sensor software on the system, the installation will abort.
Because there may be incompatibilities between Cisco IDS Host Sensor software
and CSA MC or agent software, you must uninstall the Cisco IDS Host Sensor and
Cisco IDS Host Sensor Console software before installing CSA MC or agent
software. Documentation for uninstalling Cisco IDS Host Sensor software can be
found at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/host/host25/install/hidsch2.htm#1024883.


System Requirements (CSA MC)


CSA MC is a component of the VPN/Security Management Solution (VMS).
For information on all bundle features and their requirements, see
CiscoWorks2000 VPN/Security Management Solution Quick Start Guide.
Table 1 shows VMS bundle server requirements for Windows 2000 systems.
Table 1 Server Requirements

System Component    Requirement
Hardware            IBM PC-compatible computer; color monitor with video card
                    capable of 16-bit
Processor           1 GHz or faster Pentium processor
Operating System    Windows 2000 Server or Advanced Server (Service Pack 3).
                    Note: Terminal services are not supported on Server and
                    Advanced Server running CSA MC.
File System         NTFS
Memory              1 GB minimum memory
Virtual Memory      2 GB virtual memory
Hard Drive Space    9 GB minimum available disk drive space. Note: The actual
                    amount of hard drive space required depends upon the number
                    of CiscoWorks Common Services client applications you are
                    installing and the number of devices you are managing with
                    the client applications.

Pager alerts require a Hayes Compatible Modem.

For optimal viewing of the CSA MC UI, you should set your display to a
resolution of 1024 x 768 or higher.


Caution

On a system where CSA MC has never been installed, the CSA MC setup
program first installs MSDE with Service Pack 3. If the CSA MC installation
detects any other database type attached to an existing installation of MSDE,
the installation will abort. This database configuration is not supported.

SQL Server Desktop Engine Installation


As part of the installation process on a system where CSA MC has not previously
been installed, the setup program first installs MSDE. When the MSDE
installation completes, it may prompt you to reboot the system. In that case, you
must reboot the system before restarting the CSA MC setup program. If the
MSDE installation does not prompt you to reboot the system, you may restart the
setup program without rebooting the system.
If the CSA MC installation detects any other database type attached to an existing
installation of MSDE, the CSA MC installation will abort. This database
configuration is not supported by Cisco. (Installation process aborts if any
databases other than those listed here are found: master, tempdb, model, msdb,
pubs, Northwind, profiler and AnalyzerLog.)
For installations exceeding 500 agents, we recommend that you install Microsoft
SQL Server 2000 instead of installing the MSDE that is provided with the
product. MSDE has a 2 GB limit. Note that SQL Server 2000 must be licensed
separately and it must be installed on the system before you begin the CSA MC
installation.
We also recommend that you format the disk to which you are installing CSA MC
as NTFS. FAT32 limits all file sizes to 4 GB.


System Requirements (Agent)


To run Cisco Security Agent on your Windows XP, Windows 2000 or Windows
NT 4.0 servers and desktop systems, the requirements are as follows:
Table 2 Agent Requirements (Windows)

System Component    Requirement
Processor           Intel Pentium 200 MHz or higher. Note: Uni-processor, dual
                    processor, and quad processor systems are supported.
Operating Systems   Windows XP (Professional English, 128-bit) Service Pack 0
                    or 1; Windows 2000 (Professional, Server or Advanced Server)
                    with Service Pack 0, 1, 2, or 3; Windows NT (Workstation,
                    Server or Enterprise Server) with Service Pack 5 or later.
                    Note: Citrix Metaframe and Citrix XP are supported. Terminal
                    Services are supported on Windows XP and Windows 2000.
                    (Terminal Services are not supported on Windows NT.)
Memory              128 MB minimum, all supported Windows platforms
Hard Drive Space    15 MB or higher. Note: This includes program and data.
Network             Ethernet or Dial up. Note: Maximum of 64 IP addresses
                    supported on a system.


Note

Cisco Security Agent uses approximately 20 MB of memory. This applies to
agents running on all supported Microsoft and UNIX platforms.
To run Cisco Security Agent on your Solaris server systems, the requirements are
as follows:
Table 3 Agent Requirements (UNIX)

System Component    Requirement
Processor           UltraSPARC 500 MHz or higher. Note: Uni-processor, dual
                    processor, and quad processor systems are supported.
Operating Systems   Solaris 8, 64 bit. Note: If you have the minimal Sun
                    Solaris 8 installation (Core group) on the system to which
                    you are installing the agent, the Solaris machine will be
                    missing certain libraries and utilities the agent requires.
                    Before you install the agent, you must install the
                    "SUNWlibCx" library which can be found on the Solaris 8
                    Software disc (1 of 2) in the /Solaris_8/Product directory.
                    Install using the pkgadd -d . SUNWlibCx command.
Memory              256 MB minimum
Hard Drive Space    15 MB or higher. Note: This includes program and data.
Network             Ethernet. Note: Maximum of 64 IP addresses supported on a
                    system.


Caution

On UNIX systems running Cisco Security Agents, if you add a new type of
Ethernet interface to the system, you must reboot that system twice for the agent
to detect it and apply rules to it accordingly.

Upgrade Support
Upgrading StormWatch versions 3.0 and earlier to Cisco Security Agent V4.0 is
not supported.
See Installing Management Center for Cisco Security Agents provided as a PDF
file on the product CD for product upgrade and installation instructions.

Duplicate Configuration Naming Convention


When you upgrade CSA MC, existing configurations (policies, groups, etc.) are
preserved. Because CSA MC ships with preconfigured items, new items may be
added to the preserved ones. This occurs when the upgrade process checks the
existing database. If a matching item is found, the new configuration data is not
copied over the existing data; rather the existing item is left as is.
If the upgrade process finds an item with the same name as a new one, but with
different configuration components (for example, variables), the existing item is
renamed by appending the version number (V3.2, for example) to the name. The
new version is then copied into the database with no version number so that both
items can co-exist in the database. Therefore, for any partial configuration item
duplications that may exist after an upgrade, the item with no version number
appended to its name is always the most recent version.


Cisco Security Agent Policies


CSA MC default agent kits, groups, policies, and configuration variables provide
a high level of security coverage for desktops and servers. These default agent
kits, groups, policies, and configuration variables cannot anticipate all possible
local security policy requirements specified by your organization's management,
nor can they anticipate all local combinations of application usage patterns. We
recommend deploying agents using the default configurations and then
monitoring for possible tuning to your environment.

CSA MC Local Agent and Policies


When you install CSA MC, an agent containing the policies necessary to protect
CSA MC and other CiscoWorks daemons and operations is automatically
installed as well. The policies that are enforced by this agent protect CSA MC,
other VMS products, and general CiscoWorks operations.
If you are only running CSA MC and Security Monitor as part of your VMS
bundle on the CiscoWorks system, you can secure that system with a more
restrictive policy that is also shipped with CSA MC but not attached to the
CiscoWorks group by default. To do this, you should create a group and attach the
following policies to that new group: CiscoWorks Restrictive VMS Module,
CiscoWorks VMS Module, and the CiscoWorks Base Security Module. Then
make the CSA MC host a member of the new group (in addition to the default
group to which it already belongs). This restrictive policy puts tighter restrictions
on the system because it does not have to account for other VMS bundle products
that might be running on the system.

Caution

If you are using the default policy to protect your VMS system (not the more
restrictive policy described above) you should be aware of a specific vulnerability
present in Windows 2000 SP3 that the default policy does not protect against. That
vulnerability is described in Microsoft article Q326830. For interoperability
reasons, it is by design that the default policy protecting the VMS system does not
protect against this vulnerability. To protect your VMS system against a possible
denial of service or other attack using this known vulnerability, you can either
deploy the more restrictive VMS policy or install Microsoft hotfix Q326830.


Caution

If you are installing or uninstalling various VMS components, and you have a
Cisco Security Agent protecting the VMS bundle, you should disable the agent
service before you install or uninstall any other VMS component. (You do not
have to do this when installing or uninstalling CSA MC.) To disable the agent
service, from a command prompt type net stop "Cisco Security Agent" (the
quotation marks are required because the service name contains spaces). (You
may receive a prompt asking if you want to stop the agent service. You should
click Yes.) To enable the service, type net start "Cisco Security Agent".
If you do not disable the agent service and you attempt to alter a CiscoWorks
system configuration, the agent may disallow the action or it may display multiple
queries to which you must respond.


RME Gatekeeper Remote Access Issue


Remote access to the CiscoWorks RME Gatekeeper daemon is not required for
correct operation of any of the components in the VMS bundle. Therefore, remote
client access to this daemon is normally disabled through a deny rule in the
"CiscoWorks VMS module" policy.
If other products that require the RME Gatekeeper daemon to be accessed
remotely, such as Campus Manager or ACLM, are installed on the same system
as the VMS bundle, the CSAMC "CiscoWorks VMS module" policy protecting
the VMS system should be modified as follows:
Step 1

Log in to CSAMC and navigate to the "CiscoWorks VMS module" policy. The
policy is accessible from Configuration>Policies in the menu bar.

Step 2

Once you locate the policy, click the <#>rules link to access the policy rules list.

Step 3

Change the Allow rule "CiscoWorks RME Gatekeeper daemon, server for TCP
and UDP services" from Disabled to Enabled. (Select the checkbox beside the rule
and click the Enable button in the footer frame of CSAMC. Remember to save
your changes.)

Step 4

Generate rules.

Step 5

Optionally, force polling on the agent to download the rule change.


Cisco VPN Client Support


Cisco Security Agent is a supported configuration for the "Are You
There?" feature of the Cisco VPN Client, Release 4.0. For configuration
details, please refer to Chapter 1 of the Cisco VPN Client Administrator
Guide, in the section entitled "Configuring VPN Client Firewall
Policy (Windows Only)."

Known Issues
Table 4 provides information on known issues found in this release.

Table 4 Known Issues in Cisco Security Agent 4.0

Platform -- Summary
    Explanation

Windows and UNIX -- Allowed return UDP traffic
    Return traffic for permitted UDP connections will be permitted even when
    there is a deny rule present for UDP traffic in that direction. This is
    because return UDP traffic is associated with the original allowed request.

Windows XP -- Frozen agent flag
    Periodically, the agent flag may stop waving or may appear to be frozen in
    a tilted position until the next event is received. This is the result of
    a known Microsoft Windows XP issue. Refer to Microsoft Article Q323328.
    (This issue is purely cosmetic and the agent is continuing to function
    normally.)

Windows -- CMF Self Test Fails for ODBC Versions
    The CMF self test produces an error in the odbc.pl part of the test. This
    occurs because the test does not have knowledge of the MSDE SP3 ODBC
    drivers installed by CSA MC. MSDE SP3 drivers are dated later than those
    expected by the CMF self test.

Windows -- ActiveX Reports and CSA MC name resolution
    CSA MC ActiveX report types use the CSA MC server system name to access
    the ActiveX control. Therefore, ActiveX reports will not work if name
    resolution on the CSA MC server does not work.

Windows -- SYN flood protection and potential firewall conflict
    You should only apply SYN flood protection to servers that are external to
    your network and not protected by a firewall. Firewalls generally provide
    this protection. Additionally, if you apply SYN flood protection to a
    system that is behind a firewall, some firewalls may interfere with the
    CSA SYN flood connectivity algorithm. If the firewall interferes with the
    CSA MC algorithm, the agent will not permit the incoming connection to be
    established. In this case, we recommend that you disable this rule on the
    agent and ensure that it is enabled on your firewall.

Windows -- Automatic agent software updates for dial-up users
    You should not schedule automatic software updates for dial-up users.
    Because dial-up users have connections of varying speeds and due to
    download bandwidth needs, automatic software updates may fail or time out.
    It is better to schedule non-automatic updates and allow dial-up users to
    download when they are either in the office or when they can dedicate
    bandwidth to the download.

Windows -- Automatic Windows platform update triggers query rule
    Windows XP and Windows 2000 provide a mechanism for automatic and
    user-transparent software updates. These updates are prevented from
    installing by an agent Query User rule. The rule asks the user if software
    is being installed. Because the automatic update install occurs
    transparently, the user will likely believe that they are not installing
    software and will answer No. In this case, the automatic update will fail.
    This is not necessarily an undesired behavior and this agent rule is in
    place for a specific security reason.


Windows -- Upgrading operating systems with agent present
    When upgrading operating systems, uninstall the agent first. When the new
    operating system is in place, you can install a new agent kit. When
    applying a service pack, you can disable the agent, apply the service
    pack, and enable the agent.

Windows -- Do not support HPNA home phoneline network adapter
    Although Microsoft supports networking computers using a home phoneline
    network adapter (HPNA), we have not tested this configuration and
    therefore do not officially support it.

Windows -- Deploying file sharing rules
    If you are deploying rules controlling existing file share access, these
    rules will not apply until the machine offering the file share is
    rebooted. A file share, previously mapped by a user, is a persistent
    connection. The status of this access does not change for this
    persistent, pre-existing connection when an agent rule is applied. When
    the next reboot occurs, all rules pertaining to the file share are
    correctly applied.

Windows -- Connectivity issues
    If you encounter problems connecting to systems running the agent, you
    can put those agents into Test mode. Then check for connectivity again
    and refer to the Event log. (Also make sure the agents do not have the
    Cloak mode check box enabled in the Network shield rule. It is enabled in
    shipped default policies. Systems with Cloak mode enabled do not respond
    to pings.)


Windows -- Configuring Registry sets
    If you attempt to create your own Registry sets to include in a rule, you
    should note that the ability to restrict Registry access is a powerful
    tool. Critical applications may not function as a result of a
    misconfigured Registry restriction. Therefore, Registry values should be
    as specific as possible. All rules restricting Registry access should
    first be run in Test Mode to ensure that no unintended restrictions have
    been configured.

Windows -- Event level log limits
    There are limitations on the number of events for each event level that
    the database can contain. Those default limitations are located in the
    sysvars.cf file found in the CSAMC\cfg directory. An event is logged when
    these limitations are imminent. You are advised by CSA MC to purge events
    at that time.

UNIX -- Data filter installation
    On Solaris platforms, in order to use Data access control rules (on
    Apache or IPlanet servers) you must install the data filter manually
    after you install Cisco Security Agent. Unlike Windows, the Solaris
    installation does not detect web server software and does not install
    the data filter with the agent. You must always manually install it.


UNIX -- Required platform libraries and utilities
    If you have the minimal Sun Solaris 8 installation (Core group) on the
    system to which you are installing the agent, the Solaris machine will be
    missing certain libraries and utilities the agent requires. Before you
    install the agent, you must install the "SUNWlibCx" library, which can be
    found on the Solaris 8 Software disk (1 of 2) in the /Solaris_8/Product
    directory. Install using the pkgadd -d . SUNWlibCx command. If you are
    not sure whether you have the necessary libraries installed on your
    Solaris system, you can check the /usr/lib/sparcv9 directory for the
    following library "libCrun.so.1". If it is not there, you must install
    the SUNWlibCx library before installing the agent.

UNIX -- Network scans appear to reveal vulnerabilities
    A network port scan of a UNIX system running an agent may indicate that
    certain services offered by inetd are available on the system and are
    therefore vulnerable to various attacks. However, network access control
    rules which deny or reset the connection in question are applied when the
    incoming connection attempts to pass any data. Because the connection was
    technically accepted, the service may appear to be vulnerable to a scan,
    when, in fact, it is not: no data will pass, and the connection is
    dropped. Enabling Cloak mode in the Network Shield rule stops the system
    from responding to requests on ports where no service is listening or for
    ports 0-1023, where the request is always denied even when a service is
    listening. (Therefore, ports 0-1023 do not appear vulnerable with Cloak
    mode enabled.)


UNIX

Remote file sharing issue

Remote file sharing implementations, such as


NFS, may cache files on the client side and briefly
operate on them without contacting the server. The
agent correctly enforces access rules for the
Remote Clients application class (NFS accesses)
on the server; however, client-side operations
might briefly appear to succeed in violation of the
rules. Avoid such appearances by changing an
NFS server's Remote Clients app class-related
rules only when clients' access to remote file
systems is minimal.

UNIX

Script interpretation issue

The agent views all scripts that use the same


interpreter on UNIX systems as the same
application class. For example, for Application
control rules, a /bin/sh shell script is seen as a
/bin/sh command.

UNIX

Use resolved links rather than


symbolic links

We recommend that you write File access control


rules using resolved names rather than symbolic
link names.

UNIX

Systems files always accessible to Read access to /usr/lib/*, /usr/bin/*, and


root
usr/sbin/* is always allowed to root. Any rules you
may write to block this access will be ignored for
users with root access. The system requires access
to these files to operate.

Platform: UNIX
Summary: Agent installation path not changeable
Explanation: Changing the default installation directory path for the UNIX agent will not work. The agent must always be installed in the following directory: /opt/CSCOcsa

Platform: UNIX
Summary: Certain applications cannot kill the agent process
Explanation: The default policies restrict the ability to kill the agent process to specifically defined application classes. See the User Guide for details.

Platform: UNIX
Summary: Snooping data
Explanation: snoop (the Solaris packet-capture utility) sees all data sent to and from the network.


Platform: UNIX
Summary: Network rules and IPv6 addresses
Explanation: Network rules work only with IPv4 addresses. (Note the following exception: using @local or explicitly using the address range 0-255.255.255.255 will include IPv6 addresses.)

Platform: UNIX
Summary: Adding a new Ethernet interface
Explanation: If you add a new type of Ethernet interface to a UNIX system running an agent, you must reboot that system twice for the agent to detect it and apply current policies to it.

Platform: UNIX
Summary: Default mapping for remote superuser
Explanation: The default mapping for a remote superuser application accessing a machine via NFS is to an "unknown" user (and not the local superuser). Although NFS shares can be configured to override this default setting, we strongly recommend that the default setting not be overridden. Enabling such a mapping would potentially permit a remote application to impersonate the local operating system itself and bypass agent policies.
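The override warned about above is a per-share export option, so it is worth checking for on every NFS server that runs an agent. The following is an added example, not code from the release notes or from the CSA product: it scans the two export formats where that override lives, the Solaris share(1M) command line in /etc/dfs/dfstab (option root=), and, going beyond the page's Solaris-only scope, the Linux exports(5) syntax (option no_root_squash), and reports the shares that map remote root to local root. Both sample files are constructed for the demonstration.

```python
import re
import shlex

# Added example (not CSA code): find NFS shares that override the default
# remote-superuser mapping. Sample files are constructed, not real hosts.

LINUX_EXPORTS = """\
# /etc/exports (constructed sample)
/export/home   10.1.0.0/16(rw,sync)
/export/build  buildhost(rw,no_root_squash) 10.1.2.0/24(ro)
/export/pub    *(ro,root_squash)
"""

SOLARIS_DFSTAB = """\
# /etc/dfs/dfstab (constructed sample)
share -F nfs -o rw /export/home
share -F nfs -o rw,root=buildhost /export/build
share -F nfs -o ro,anon=60001 /export/pub
"""


def linux_root_overrides(exports_text):
    """(share, client) pairs exported with no_root_squash."""
    hits = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        share, *clients = line.split()
        for client in clients:
            m = re.match(r"([^(]*)\(([^)]*)\)", client)
            if m and "no_root_squash" in m.group(2).split(","):
                hits.append((share, m.group(1) or "*"))
    return hits


def solaris_root_overrides(dfstab_text):
    """(share, host list) pairs shared with a root= option, which grants
    remote root the local superuser's identity on that share."""
    hits = []
    for line in dfstab_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("share"):
            continue
        argv = shlex.split(line)
        share = argv[-1]
        for i, tok in enumerate(argv):
            if tok == "-o" and i + 1 < len(argv):
                for opt in argv[i + 1].split(","):
                    if opt.startswith("root="):
                        hits.append((share, opt[len("root="):]))
    return hits


if __name__ == "__main__":
    for label, hits in (("Linux /etc/exports", linux_root_overrides(LINUX_EXPORTS)),
                        ("Solaris /etc/dfs/dfstab", solaris_root_overrides(SOLARIS_DFSTAB))):
        print(label)
        for share, who in hits or [("(none)", "")]:
            print(f"   remote root mapped to local root: {share} {who}")
```

Any share the audit lists is one where a remote process running as root arrives on the agent-protected host as the local superuser, which is exactly the impersonation path the entry above says to leave closed.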

Platform: UNIX
Summary: Inadvertently blocking access to a device
Explanation: You can inadvertently block all access to a device, such as your keyboard, with a File access control rule. If this occurs, to recover, fix or delete the rule in question and generate rules. If the agent can download the new rules, your system may or may not recover immediately, depending on how gracefully the service for the device failed. If rules were downloaded and the service is still not fixed, a reboot should allow the system to recover. If the agent cannot download the new rules, boot the machine into single-user mode (boot -s) and enter system maintenance mode by typing in the superuser password. Then delete the current rule set with rm /opt/CSCOcsa/cfg/agent.rul and exit. The system will come up with the agent downloading the new "good" rule set that you have fixed.


Platform: UNIX
Summary: Encountering duplicate instance error during agent upgrade
Explanation: If you are upgrading the UNIX agent and you encounter the error "There is already an instance of the package and you cannot install due to administrator rules", edit the file /var/sadm/install/admin/default, change "instance=unique" to "instance=overwrite", and then proceed with the upgrade. Note that this file is the default admin file for every pkgadd run on the system, so consider restoring "instance=unique" once the upgrade is complete.

Platform: UNIX
Summary: Buffer overflow libraries' loading order may cause conflict with Binary Compatibility Package
Explanation: In order to protect applications, the buffer overflow libraries have been built in a way which causes them to be loaded before other libraries, including libc. Applications which depend upon BCP (Binary Compatibility Package) versions of libc may not work. Specifically, the three SunOS 4.* (not Solaris) a.out executables resident in /usr/sbin which provide multi-byte codepage support for Japanese, Chinese, Chinese-Taiwan, and Korean are known not to function. If support for SunOS multi-byte codepage applications is required, the behavior of the buffer overflow libraries can be relaxed. Additional information regarding this issue is available from the TAC.


Table 5  List of Known Bugs in Cisco Security Agent 4.0

Columns: Bug ID, Summary, Additional Information

Bug ID: CSCin47432
Summary: FQDN is required to connect to CiscoWorks
Additional Information: On a CiscoWorks installation, when CSA MC is installed, it updates the conf file to use a fully qualified domain name. None of the MCs, including CSA MC, will launch unless the fully qualified domain name is resolvable from the client and used to connect to CiscoWorks. CSA MC itself does not require an FQDN. It will work in an environment where the CSA MC hostname is resolvable via DNS or via Windows name resolution (WINS). Note that the environment must be consistently DNS or WINS; mixed DNS/WINS environments are problematic. An FQDN is recommended so that agents can reach the CSA MC from anywhere (internal or external networks).

Bug ID: CSCin47547
Summary: Uninstall issue when SQL server is not running
Additional Information: During the CSA MC uninstall, a number of SQL server queries are performed. If the SQL server is not running, these queries cause the uninstall to fail. To prevent this uninstall issue, do not remove or stop the SQL server before uninstalling CSA MC.


Bug ID: CSCin47564
Summary: Install issue when SQL server is not running
Additional Information: During the CSA MC install, a number of SQL server queries are performed. If the SQL server is not running, these queries cause the install to fail. To prevent this install issue, do not stop the SQL server before installing CSA MC.

Bug ID: CSCin45700 (also see Bug ID CSCeb18384)
Summary: In certain install configurations, the Event Viewer's session to the server times out.
Additional Information: This occurs when the Security Monitor is installed on the same server with certain other CiscoWorks applications (e.g. RME) that require the SSLInitializer plugin. The presence of the SSLInitializer plugin causes connections from Java applets to the server to be made outside of the context of the rest of the client's (browser's) connection space. This causes connection validation attempts to fail. When the server cannot validate the Event Viewer's connection, it will not proceed to allow that applet to update its activity flags. Thus, when the Event Viewer applet is open on the screen for longer than the timeout period (on the order of 2 hours), it cannot update its session activity flags, and it will time out.


Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and
other technical resources. These sections explain how to obtain technical
information from Cisco Systems.

Cisco.com
You can access the most current Cisco documentation on the World Wide Web at
this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco
Documentation CD-ROM package, which may have shipped with your product.
The Documentation CD-ROM is updated regularly and may be more current than
printed documentation. The CD-ROM package is available as a single unit or
through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product
number DOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html
All users can order monthly or quarterly subscriptions through the online
Subscription Store:
http://www.cisco.com/go/subscription


Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product
documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local
account representative by calling Cisco Systems Corporate Headquarters
(California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by
calling 800 553-NETS (6387).

Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco
Documentation home page, click Feedback at the top of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front
cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center
(TAC) website, as a starting point for all technical assistance. Customers and
partners can obtain online documentation, troubleshooting tips, and sample
configurations from the Cisco TAC website. Cisco.com registered users have
complete access to the technical support resources on the Cisco TAC website,
including TAC tools and utilities.

Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access
Cisco information, networking solutions, services, programs, and resources at any
time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these
tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com
at this URL:
http://tools.cisco.com/RPF/register/register.do

Technical Assistance Center


The Cisco TAC is available to all customers who need technical assistance with a
Cisco product, technology, or solution. Two types of support are available: the
Cisco TAC website and the Cisco TAC Escalation Center. The type of support that
you choose depends on the priority of the problem and the conditions stated in
service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:

Priority level 4 (P4): You need information or assistance concerning Cisco
product capabilities, product installation, or basic product configuration.
There is little or no impact to your business operations.

Priority level 3 (P3): Operational performance of the network is impaired,
but most business operations remain functional. You and Cisco are willing to
commit resources during normal business hours to restore service to
satisfactory levels.

Priority level 2 (P2): Operation of an existing network is severely degraded,
or significant aspects of your business operations are negatively impacted by
inadequate performance of Cisco products. You and Cisco will commit
full-time resources during normal business hours to resolve the situation.

Priority level 1 (P1): An existing network is down, or there is a critical
impact to your business operations. You and Cisco will commit all necessary
resources around the clock to resolve the situation.

Cisco TAC Website


The Cisco TAC website provides online documents and tools to help troubleshoot
and resolve technical issues with Cisco products and technologies. To access the
Cisco TAC website, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have
complete access to the technical support resources on the Cisco TAC website.
Some services on the Cisco TAC website require a Cisco.com login ID and
password. If you have a valid service contract but do not have a login ID or
password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical
issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases online
so that you can fully describe the situation and attach any necessary files.

Cisco TAC Escalation Center


The Cisco TAC Escalation Center addresses priority level 1 or priority level 2
issues. These classifications are assigned when severe network degradation
significantly impacts business operations. When you contact the TAC Escalation
Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country,
go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the
Cisco support services to which your company is entitled: for example,
SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When
you call the center, please have available your service agreement number and your
product serial number.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is
available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by
Cisco Systems, as well as ordering and customer support services. Access the
Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of networking publications. Cisco
suggests these titles for new and experienced users: Internetworking Terms
and Acronyms Dictionary, Internetworking Technology Handbook,
Internetworking Troubleshooting Guide, and the Internetworking Design
Guide. For current Cisco Press titles and other information, go to Cisco Press
online at this URL:
http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest
networking trends, technology breakthroughs, and Cisco products and
solutions to help industry professionals get the most from their networking
investment. Included are networking deployment and troubleshooting tips,
configuration examples, customer case studies, tutorials and training,
certification information, and links to numerous in-depth online resources.
You can access Packet magazine at this URL:
http://www.cisco.com/go/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest
information about Internet business strategies for executives. You can access
iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems
for engineering professionals involved in designing, developing, and
operating public and private internets and intranets. You can access the
Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training: Cisco offers world-class networking training. Current offerings in
network training are listed at this URL:
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html

This document is to be used in conjunction with the documents listed in the Documentation Roadmap section.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing,
FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and
Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA,
CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo,
Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the
iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy,
Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast,
SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient,
TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other
countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)
Copyright 2003, Cisco Systems, Inc.
All rights reserved.
