Csa Rns

Release Notes for Management
Center for Cisco Security Agents 4.0
Note
Since the release of this document, Cisco Security Agent update 4.0.1 has been
made available. Although the information contained in this document remains
valid, additional information, some which may supersede this document, is
provided in a readme file available with the 4.0.1 update. Please refer to the 4.0.1
readme file in addition to this document. You should also review the Cisco
Security Agent documentation on Cisco.com for any updates.
These release notes are for use with Management Center for Cisco Security
Agents (CSA MC) 4.0. The following information is provided:
File Integrity Check Instructions, page 2
New Features, page 3
Documentation Roadmap, page 6
Obtaining a License Key, page 6
IDS Host Sensor Incompatibility, page 7
System Requirements (CSA MC), page 8
System Requirements (Agent), page 10
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright 2003 Cisco Systems, Inc. All rights reserved.
File Integrity Check Instructions
Upgrade Support, page 12
Duplicate Configuration Naming Convention, page 12
Cisco Security Agent Policies, page 13
CSA MC Local Agent and Policies, page 13
RME Gatekeeper Remote Access Issue, page 15
Cisco VPN Client Support, page 16
Known Issues, page 16
Obtaining Documentation, page 26
Obtaining Technical Assistance, page 27
Obtaining Additional Publications and Information, page 30
File Integrity Check Instructions

For users who have a CCO account on Cisco.com, you can perform integrity
checks on the files provided on the Startup Disk. Go to
http://www.cisco.com/kobayashi/sw-center/cw2000/vms-planner.shtml to
securely obtain a verify_digests.exe file. Use verify_digests.exe to check the MD5
hashes of the files you received on your product CD.
Caution
When you download the digest file, make sure your browser has transitioned to
https mode for a secure download.
Step 1
Once you've downloaded the program verify_digests.exe, run it to display the

precomputed valid MD5 hashes for the Startup Disk files.
Step 2
The verify_digests.exe program then prompts you for the directory of the files.
Specify the Startup Disk location, press Enter and verify_digests.exe will
validate each file.
Note
Note that you can enter the CD drive letter and check the files on the CD itself or
you can copy the files to your system and check them from the directory to which
they were copied.
Release Notes for Management Center for Cisco Security Agents 4.0
78-15603-02
New Features
The following output is displayed:
The output displays "OK" if the hashes match and the files are valid.
If the hashes do not match, "Failure" is displayed. Contact Cisco if this

occurs.
If the digest program cannot locate a file, "File not found" is displayed. Check
the location of the files.
New Features
This release contains the following new features:
Buffer Overflow Pattern Exclusion
Use the Wizard from the Event log message in question to exclude a
particular pattern when you are seeing buffer overflow events you believe are
harmless.
Bulk Transfer of Hosts
Use the Bulk Transfer feature to easily move or copy all hosts from a group
you select into the Group you are currently viewing. This is an efficient way
to move large numbers of hosts between groups.
Cisco VPN Client Support
The Cisco Security Agent is a supported configuration for the "Are You
There?" feature of the Cisco VPN Client Release 4.0. For configuration
details, please refer to the Cisco VPN Client documentation.
CSA Profiler Integrated with CSA MC
Cisco Security Agent Profiler capability is integrated and installed with CSA
MC. Cisco Security Agent Profiler software works with CSA MC and Cisco
Security Agent, serving as a data analysis and policy creation tool for
administrators who are deploying policies across systems and networks.
Configurable Downloaded Content Application Class
CSA MC ships with a pre-configured application class called <Processes
executing downloaded content>. This class includes any downloaded
executable or any process that is interpreting downloaded content. If
necessary, you can edit any of these downloaded content fields and make any
78-15603-02
New Features
necessary exclusions to change the global definition of downloaded content.

You may want to do this if you are experiencing false positives due to an
application being seen as downloaded content
Connection Rate Limiting Rule
Use the connection rate limit rule to control the number of network
connections that can be sent or received by systems within a specified time
frame. This is useful in preventing attacks aimed at bringing down system
services, for example, denial of service attacks (server connection rate
limiting). This is also useful in preventing the propagation of denial of service
attacks (client connection rate limiting).
Data FilteringData Access Control Rule
Use data access control rules on web servers to detect clients making
malformed web server requests where such requests could crash or hang the
server. A malformed request could also be an attempt by an outside client to
retrieve configuration information from the web server or to run exploited
code on the server.
Dynamic Application tagging in Application Control Rule
Creating dynamic application classes from the Application control rule is a
bit different than creating them from other rule types. Because this rule has
two application class fields, you can choose to add the current application to
the dynamic class or choose to add the new application that is invoked by the
first application to the dynamic class.
Expanded Wizard Functionality
Use the Event Management Wizard to change the action of a rule that
triggered a specific event. Through the wizard, you can automatically
generate an "exception" allow rule which takes the application class and
resource information in the event and creates an allow rule to counteract the
rule that caused the deny.
MSDE Service Pack 3 Update
The Management Center for Cisco Security Agents now installs Microsoft
SQL Server Desktop Engine with Service Pack 3. This is the latest version of
MSDE. Optionally, you can install your own version of SQL Server 2000 with
Service Pack 3.
78-15603-02
New Features
Network Shield System Startup Security Checks

Through this rule, you can prevent non-essential network connections during
system startup. This protects the system from network-based attacks at
boot-time before the agent service has started.
Rule Precedence Manipulation
In addition to ordering rules within a policy by action type, CSA MC uses the
selected logging type as a way to suborder similar rules within a policy.
Logging automatically takes precedence over disabled logging if the action
type is the same for multiple rules in a policy. Therefore, for rules of a given
priority, for example, Allow, a Log rule will be evaluated before a No Log
rule.
Security Monitor Event Integration
Security Monitor can receive events from CSA MC. Refer to your Security
Monitor documentation for details.
VMS Integration
CSA MC is a component of the CiscoWorks VPN/Security Management
Solution (VMS). You must have CiscoWorks and VMS 2.2 installed on the
system on which you are installing CSA MC.
Windows Kernel Protection
Use the Kernel protection rule to detect unauthorized access to the operating
system. In effect, this rule detects and logs drivers dynamically loading after
boot time. Through this rule page, you can also cause the system in question
to lose network connectivity when unauthorized modules are detected. This
essentially quarantines the system from the network until you investigate
whether the module is harmful.
78-15603-02
Documentation Roadmap
Documentation Roadmap
Note
Although every effort has been made to validate the accuracy of the information
in the printed and electronic documentation, you should also review the Cisco
Security Agent documentation on Cisco.com for any updates.
The following documents are provided as PDF files on your Product CD:
Installing Management Center for Cisco Security Agents
Using Management Center for Cisco Security Agents
These files are available in the top level directory of the product CD in the
Documentation folder. After installation, they are also available in the
CSAMC\doc subdirectory.
Note
You must use Adobe Acrobat Reader (version 4.0 or later) to view these files. You
can download a free Acrobat reader from www.adobe.com.
Obtaining a License Key

Before installing Management Center for Cisco Security Agents, you should
obtain a license key from Cisco. To receive your license key, you must use the
Product Authorization Key (PAK) label affixed to the claim certificate for CSA
MC located in the separate licensing envelope.
Caution
Management Center for Cisco Security Agents does not run on the 90-day
evaluation license that other Common Services applications use. You must
register CSA MC and provide the PAK to obtain a valid CSA MC license.
To obtain a production license, register your software at one of the following web
sites.
If you are a registered user of Cisco.com, use this website:
78-15603-02
IDS Host Sensor Incompatibility
http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl.
If you are not a registered user of Cisco.com, use this website:
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl.
After registration, the software license will be sent to the email address that you
provided during the registration process. Retain this document with your VMS
bundle product software records.
IDS Host Sensor Incompatibility

Any system on which you are installing CSA MC or the Cisco Security Agent
must not have the Cisco IDS Host Sensor Console or the Cisco IDS Host Sensor
installed on it. If CSA MC or the agent installer detects any Cisco IDS Host
Sensor software on the system, the installation will abort.
Because there may be incompatibilities between Cisco IDS Host Sensor software
and CSA MC or agent software, you must uninstall the Cisco IDS Host Sensor and
Cisco IDS Host Sensor Console software before installing CSA MC or agent
software. Documentation for uninstalling Cisco IDS Host Sensor software can be
found at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/host/host25/install
/hidsch2.htm#1024883.
78-15603-02
System Requirements (CSA MC)

CSA MC is a component of the VPN/Security Management Solution (VMS).
For information on all bundle features and their requirements, see
CiscoWorks2000 VPN/Security Management Solution Quick Start Guide.
Table 1 shows VMS bundle server requirements for Windows 2000 systems.
Table 1
Server Requirements
System Component
Hardware
Requirement
IBM PC-compatible computer
Color monitor with video card capable of

16-bit
Processor
1 GHz or faster Pentium processor
Operating System
Windows 2000 Server or Advanced Server

(Service Pack 3)
Note
Terminal services are not supported on

Server and Advanced Server running
CSA MC.
File System
NTFS
Memory
1 GB minimum memory
Virtual Memory
2 GB virtual memory
Hard Drive Space
9 GB minimum available disk drive space

Note
The actual amount of hard drive space

required depends upon the number of
CiscoWorks Common Services client
applications you are installing and the
number of devices you are managing
with the client applications.
Pager alerts require a Hayes Compatible Modem.
For optimal viewing of the CSA MC UI, you should set your display to a
resolution of 1024 x 768 or higher.
78-15603-02
Caution
On a system where CSA MC has never been installed, the CSA MC setup
program first installs MSDE with Service Pack 3. If the CSA MC installation
detects any other database type attached to an existing installation of MSDE,
the installation will abort. This database configuration is not supported.
SQL Server Desktop Engine Installation

As part of the installation process on a system where CSA MC has not previously
been installed, the setup program first installs MSDE. When the MSDE
installation completes, it may prompt you to reboot the system. In that case, you
must reboot the system before restarting the CSA MC setup program. If the
MSDE installation does not prompt you to reboot the system, you may restart the
setup program without rebooting the system.
If the CSA MC installation detects any other database type attached to an existing
installation of MSDE, the CSA MC installation will abort. This database
configuration is not supported by Cisco. (Installation process aborts if any
databases other than those listed here are found: master, tempdb, model, msdb,
pubs, Northwind, profiler and AnalyzerLog.)
For installations exceeding 500 agents, we recommend that you install Microsoft
SQL Server 2000 instead of installing the MSDE that is provided with the
product. MSDE has a 2 GB limit. Note that SQL Server 2000 must be licensed
separately and it must be installed on the system before you begin the CSA MC
installation.
We also recommend that you format the disk to which you are installing CSA MC
as NTFS. FAT32 limits all file sizes to 4 GB.
78-15603-02
System Requirements (Agent)

To run Cisco Security Agent on your Windows XP, Windows 2000 or Windows
NT 4.0 servers and desktop systems, the requirements are as follows:
Table 2
Agent Requirements (Windows)
System Component
Requirement
Processor
Intel Pentium 200 MHz or higher

Note
Operating Systems
Uni-processor, dual processor, and quad

processor systems are supported.
Windows XP (Professional English128 bit)

Service Pack 0 or 1
Windows 2000 (Professional, Server or

Advanced Server) with Service Pack 0, 1, 2,
or 3
Windows NT (Workstation, Server or

Enterprise Server) with Service Pack 5 or
later
Note
Citrix Metaframe and Citrix XP are

supported. Terminal Services are
supported on Windows XP and Windows
2000. (Terminal Services are not
supported on Windows NT.)
Memory
128 MB minimumall supported Windows

platforms
Hard Drive Space
15 MB or higher
Note
Network
This includes program and data.
Ethernet or Dial up
Note
Maximum of 64 IP addresses supported

on a system.
10
78-15603-02
Note
Cisco Security Agent uses approximately 20 MB of memory. This applies to

agents running on all supported Microsoft and UNIX platforms.
To run Cisco Security Agent on your Solaris server systems, the requirements are
as follows:
Table 3
Agent Requirements (UNIX)
System Component
Requirement
Processor
UltraSPARC 500 MHz or higher

Note
Operating Systems
Uni-processor, dual processor, and quad

processor systems are supported.
Solaris 8, 64 bit
Note
If you have the minimal Sun Solaris 8

installation (Core group) on the system
to which you are installing the agent, the
Solaris machine will be missing certain
libraries and utilities the agent requires.
Before you install the agent, you must
install the "SUNWlibCx" library which
can be found on the Solaris 8 Software
disc (1 of 2) in the /Solaris_8/Product
directory. Install using the pkgadd -d .
SUNWlibCx command.
Memory
256 MB minimum
Hard Drive Space
15 MB or higher
Note
Network
This includes program and data.
Ethernet
Note
Maximum of 64 IP addresses supported

on a system.
78-15603-02
11
Upgrade Support
Caution
On UNIX systems running Cisco Security Agents, if you add a new type of
Ethernet interface to the system, you must reboot that system twice for the agent
to detect it and apply rules to it accordingly.
Upgrade Support
Upgrading StormWatch versions 3.0 and earlier to Cisco Security Agent V4.0 is
not supported.
See Installing Management Center for Cisco Security Agents provided as a PDF
file on the product CD for product upgrade and installation instructions.
Duplicate Configuration Naming Convention

When you upgrade CSA MC, existing configurations (policies, groups, etc.) are
preserved. Because CSA MC ships with preconfigured items, new items may be
added to the preserved ones. This occurs when the upgrade process checks the
existing database. If a matching item is found, the new configuration data is not
copied over the existing data; rather the existing item is left as is.
If the upgrade process finds an item with the same name as a new one, but with
different configuration components (for example, variables), the existing item is
renamed by appending the version number (V3.2, for example) to the name. The
new version is then copied into the database with no version number so that both
items can co-exist in the database. Therefore, for any partial configuration item
duplications that may exist after an upgrade, the item with no version number
appended to its name is always the most recent version.
12
78-15603-02
Cisco Security Agent Policies
Cisco Security Agent Policies

CSA MC default agent kits, groups, policies, and configuration variables provide
a high level of security coverage for desktops and servers. These default agent
kits, groups, policies, and configuration variables cannot anticipate all possible
local security policy requirements specified by your organization's management,
nor can they anticipate all local combinations of application usage patterns. We
recommend deploying agents using the default configurations and then
monitoring for possible tuning to your environment.
CSA MC Local Agent and Policies

When you install CSA MC, an agent containing the policies necessary to protect
CSA MC and other CiscoWorks daemons and operations is automatically
installed as well. The policies that are enforced by this agent protect CSA MC,
other VMS products, and general CiscoWorks operations.
If you are only running CSA MC and Security Monitor as part of your VMS
bundle on the CiscoWorks system, you can secure that system with a more
restrictive policy that is also shipped with CSA MC but not attached to the
CiscoWorks group by default. To do this, you should create a group and attach the
following policies to that new group: CiscoWorks Restrictive VMS Module,
CiscoWorks VMS Module, and the CiscoWorks Base Security Module. Then
make the CSA MC host a member of the new group (in addition to the default
group to which it already belongs). This restrictive policy puts tighter restrictions
on the system because it does not have to account for other VMS bundle products
that might be running on the system.
Caution
If you are using the default policy to protect your VMS system (not the more
restrictive policy described above) you should be aware of a specific vulnerability
present in Windows 2000 SP3 that the default policy does not protect against. That
vulnerability is described in Microsoft article Q326830. For interoperability
reasons, it is by design that the default policy protecting the VMS system does not
protect against this vulnerability. To protect your VMS system against a possible
denial of service or other attack using this known vulnerability, you can either
deploy the more restrictive VMS policy or install Microsoft hotfix Q326830.
78-15603-02
13
CSA MC Local Agent and Policies
Caution
If you are installing or uninstalling various VMS components, and you have a
Cisco Security Agent protecting the VMS bundle, you should disable the agent
service before you install or uninstall of any other VMS component. (You do not
have to do this when installing or uninstalling CSA MC.) To disable the agent
service, from a command prompt type net stop Cisco Security
Agent. (You may receive a prompt asking if you want to stop the agent service.
You should clickYes.) To enable the service, type, net start Cisco
Security Agent.
If you do not disable the agent service and you attempt to alter a CiscoWorks
system configuration, the agent may disallow the action or it may display multiple
queries to which you must respond.
14
78-15603-02
RME Gatekeeper Remote Access Issue
RME Gatekeeper Remote Access Issue

Remote access to the CiscoWorks RME Gatekeeper daemon is not required for
correct operation of any of the components in the VMS bundle. Therefore, remote
client access to this daemon is normally disabled through a deny rule in the
"CiscoWorks VMS module" policy.
If other products that require the RME Gatekeeper daemon to be accessed
remotely, such as Campus Manager or ACLM, are installed on the same system
as the VMS bundle, the CSAMC "CiscoWorks VMS module" policy protecting
the VMS system should be modified as follows:
Step 1
Login to CSAMC and navigate to the "CiscoWorks VMS module" policy. The
policy is accessible from Configuration>Policies in the menu bar.
Step 2
Once you locate the policy, click the <#>rules link to access the policy rules list.
Step 3
Change the Allow rule "CiscoWorks RME Gatekeeper daemon, server for TCP
and UDP services" from Disabled to Enabled. (Select the checkbox beside the rule
and click the Enable button in the footer frame of CSAMC. Remember to save
your changes.)
Step 4
Generate rules.
Step 5
Optionally, force polling on the agent to download the rule change.
78-15603-02
15

Cisco Security Agent is a supported configuration for the "Are You
There?" feature of the Cisco VPN Client, Release 4.0. For configuration
details, please refer to Chapter 1 of the Cisco VPN Client Administrator
Guide, in the section entitled "Configuring VPN Client Firewall
PolicyWindows Only."
Known Issues
Table 4 provides information on known issues found in this release.
Table 4
Known Issues in Cisco Security Agent 4.0
Platform
Summary
Explanation
Windows and
UNIX
Allowed return UDP traffic
Return traffic for permitted UDP connections will

be permitted even when there is a deny rule
present for UDP traffic in that direction. This is
because return UDP traffic is associated with the
original allowed request.
Windows XP
Frozen agent flag
Periodically, the agent flag may stop waving or

may appear to be frozen in a tilted position until
the next event is received. This is the result of a
known Microsoft Windows XP issue. Refer to
Microsoft Article Q323328. (This issue is purely
cosmetic and the agent is continuing to function
normally.)
Windows
CMF Self Test Fails for ODBC

Versions
The CMF self test produces an error in the odbc.pl

part of the test. This occurs because the test does
not have knowledge of the MSDE SP3 ODBC
drivers installed by CSA MC. MSDE SP3 drivers
are dated later than those expected by the CMF
self test.
Windows
ActiveX Reports and CSA MC

name resolution
CSA MC ActiveX report types use the CSA MC

server system name to access the ActiveX control.
Therfore, ActiveX reports will not work if name
resolution on the CSA MC server does not work.
16
78-15603-02
Known Issues
Table 4
Known Issues in Cisco Security Agent 4.0 (continued)
Platform
Summary
Explanation
Windows
SYN flood protection and

potential firewall conflict
You should only apply SYN flood protection to

servers that are external to your network and not
protected by a firewall. Firewalls generally
provide this protection. Additionally, if you apply
SYN flood protection to a system that is behind a
firewall, some firewalls may interfere with the
CSA SYN flood connectivity algorithm. If the
firewall interferes with the CSA MC algorithm,
the agent will not permit the incoming connection
to be established. In this case, we recommend that
you disable this rule on the agent and ensure that
it is enabled on your firewall.
Windows
Automatic agent software updates You should not schedule Automatic software
for dial-up users
updates for dial-up users. Because dial-up users
have connections of varying speeds and due to
download bandwidth needs, automatic software
updates may fail or time out. Better to schedule
non-automatic updates and allow dial-up users to
download when they are either in the office or
when they can dedicate bandwidth to the
download.
Windows
Automatic Windows platform

update triggers query rule
Windows XP and Windows 2000 provide a

mechanism for automatic and user transparent
software updates. These updates are prevented
from installing by an agent Query User rule. The
rule asks the user if software is being installed.
Because the automatic update install occurs
transparently, the user will likely believe that they
are not installing software and will answer No. In
this case, the automatic update will fail. This is not
necessarily an undesired behavior and this agent
rule is in place for a specific security reason.
78-15603-02
17
Known Issues
Table 4
Platform
Summary
Explanation
Windows
Upgrading operating systems with When upgrading operating systems, uninstall the
agent present
agent first. When the new operating system is in
place, you can install a new agent kit. When
applying a service pack, you can disable the agent,
apply the service pack, and enable the agent.
Windows
Do not support HPNA home

phoneline network adapter
Although Microsoft supports networking

computers using a home phoneline network
adapter (HPNA), we have not tested this
configuration and therefore do not officially
support it.
Windows
Deploying file sharing rules
If you are deploying rules controlling existing file

share access, these rules will not apply until the
machine offering the file share is rebooted. A file
share, previously mapped by a user, is a persistent
connection. The status of this access does not
change for this persistent, pre-existing connection
when a agent rule is applied. When the next reboot
occurs, all rules pertaining to the file share are
correctly applied.
Windows
Connectivity issues
If you encounter problems connecting to systems

running the agent, you can put those agents into
Test mode. Then check for connectivity again and
refer to the Event log. (Also make sure the agents
do not have the Cloak mode check box enabled in
the Network shield rule. It is enabled in shipped
default policies. Systems with Cloak mode
enabled do not respond to pings.)
18
78-15603-02
Known Issues
Table 4
Platform
Summary
Explanation
Windows
Configuring Registry sets
If you attempt to create your own Registry sets to

include in a rule, you should note that the ability
to restrict Registry access is a powerful tool.
Critical applications may not function as a result
of a misconfigured Registry restriction. Therefore,
Registry values should be as specific as possible.
All rules restricting Registry access should first be
run in Test Mode to ensure that no unintended
restrictions have been configured.
Windows
Event level log limits
There are limitations on the number of events for

each event level that the database can contain.
Those default limitations are located in the
sysvars.cf file found in the CSAMC\cfg directory.
An event is logged when these limitations are
imminent. You are advised by CSA MC to purge
events at that time.
UNIX
Data filter installation
On Solaris platforms, in order to use Data access

control rules (on Apache or IPlanet servers) you
must install the data filter manually after you
install Cisco Security Agent. Unlike Windows, the
Solaris installation does not detect web server
software and does not install the data filter with
the agent. You must always manually install it.
78-15603-02
19
Known Issues
Table 4
Platform
Summary
Explanation
UNIX
Required platform libraries and

utilities
If you have the minimal Sun Solaris 8 installation

(Core group) on the system to which you are
installing the agent, the Solaris machine will be
missing certain libraries and utilities the agent
requires. Before you install the agent, you must
install the "SUNWlibCx" library, which can be
found on the Solaris 8 Software disk (1 of 2) in the
/Solaris_8/Product directory. Install using the
pkgadd -d . SUNWlibCx command. If you are not
sure whether you have the necessary libraries
installed on your Solaris system, you can check
the /usr/lib/sparcv9 directory for the following
library "libCrun.so.1". If it is not there, you must
install the SUNWlibCx library before installing
the agent.
UNIX
Network scans appear to reveal

vulnerabilities
A network port scan of a UNIX system running an

agent may indicate that certain services offered by
inetd are available on the system and are therefore
vulnerable to various attacks. However, network
access control rules which deny or reset the
connection in question are applied when the
incoming connection attempts to pass any data.
Because the connection was technically accepted,
the service may appear to be vulnerable to a scan,
when, in fact, it is not: no data will pass, and the
connection is dropped. Enabling Cloak mode in
the Network Shield rule stops the system from
responding to requests on ports where no service
is listening or for ports 0-1023, where the request
is always denied even when a service is listening.
(Therefore, ports 0-1023 do not appear vulnerable
with Cloak mode enabled.)
20
78-15603-02
Known Issues
Table 4
Platform
Summary
Explanation
UNIX
Remote file sharing issue
Remote file sharing implementations, such as

NFS, may cache files on the client side and briefly
operate on them without contacting the server. The
agent correctly enforces access rules for the
Remote Clients application class (NFS accesses)
on the server; however, client-side operations
might briefly appear to succeed in violation of the
rules. Avoid such appearances by changing an
NFS server's Remote Clients app class-related
rules only when clients' access to remote file
systems is minimal.
UNIX
Script interpretation issue
The agent views all scripts that use the same

interpreter on UNIX systems as the same
application class. For example, for Application
control rules, a /bin/sh shell script is seen as a
/bin/sh command.
UNIX
Use resolved links rather than

symbolic links
We recommend that you write File access control

rules using resolved names rather than symbolic
link names.
UNIX
Systems files always accessible to Read access to /usr/lib/*, /usr/bin/*, and

root
usr/sbin/* is always allowed to root. Any rules you
may write to block this access will be ignored for
users with root access. The system requires access
to these files to operate.
UNIX
Agent installation path not

changeable
Changing the default installation directory path

for the UNIX agent will not work. The agent must
always be installed in the following directory:
/opt/CSCOcsa
UNIX
Certain applications cannot kill

the agent process
The default policies restrict the ability to kill the

agent process to specifically defined application
classes. See the User Guide for details.
UNIX
Snooping data
Snoop sees all data sent to and from the network.
78-15603-02
21
Known Issues
Table 4
Platform
Summary
Explanation
UNIX
Network rules and IPV6 addresses Network rules work only with IPV4 addresses.
(Note the following exception:Using @local or
explicitly using the address range 0 255.255.255.255 will include IPV6 addresses.)
UNIX
Adding a new Ethernet interface
If you add a new type of Ethernet interface to a

UNIX system running an agent, you must reboot
that system twice for the agent to detect it and
apply current policies to it.
UNIX
Default mapping for remote

superuser
The default mapping for a remote superuser

application accessing a machine via NFS is to an
"unknown" user (and not the local superuser).
Although NFS shares can be configured to
override this default setting, we strongly
recommend that the default setting not be
overridden. Enabling such a mapping would
potentially permit a remote application to
impersonate the local operating system itself and
bypass agent policies.
UNIX
Inadvertently blocking access to a You can inadvertently block all access to a device,
device
such as your keyboard, with a File access control
rule. If this occurs, to recover, fix or delete the rule
in question and generate rules. If the agent can
download the new rules, your system may or may
not recover immediately depending on how
gracefully the service for the device failed. If rules
were downloaded and the service is still not fixed,
a reboot should allow the system to recover. If the
agent cannot download the new rules, boot the
machine into single user mode [boot -s] and enter
system maintenance mode by typing in the
superuser password. Then delete the current rule
set by typing [rm/opt/CSCOcsa/cfg/agent.rul].
Then exit. The system will come up with the agent
downloading the new "good" rule set that you have
fixed.
22
78-15603-02
Known Issues
Table 4
Platform
Summary
Explanation
UNIX
Encountering duplicate instance

error during agent upgrade
If you are upgrading the UNIX agent and you

encounter the following error, "There is already an
instance of the package and you cannot install due
to administrator rules", you must edit the file
/var/sadm/install/admin/default. Change
"instance=unique" to "instance=overwrite" and
then proceed with the upgrade.
UNIX
Buffer overflow libraries loading

order may cause conflict with
Binary Compatibility Package
In order to protect applications, the buffer

overflow libraries have been built in a way which
causes them to be loaded before other libraries,
including libc. Applications which depend upon
BCP (Binary Compatibility Package) versions of
libc may not work. Specifically, the three SunOS
4.* (not Solaris) a.out executables resident in
/usr/sbin which provide multi-byte codepage
support for Japanese, Chinese, Chinese-Taiwan,
and Korean are known not to function. If support
for SunOS multi-byte codepage applications is
required, the behavior of the buffer overflow
libraries can be relaxed. Additional information
regarding this issue is available from the TAC.
78-15603-02
23
Known Issues
Table 5
List of Known Bugs in Cisco Security Agent 4.0
Bug ID
Summary
Additional Information
CSCin47432
FQDN is required to connect to

CiscoWorks
On a CiscoWorks installation, when CSAMC is

installed, it updates the conf file to use a fully
qualified domain name. None of the MC's,
including CSA MC, will launch unless the fully
qualified domain name is resolvable from the
client and used to connect to CiscoWorks.
CSA MC does not require a FQDNs. It will work
in an environment where the CSA MC hostname is
resolvable via DNS or windows computing
environment (WINS). Note, the environment must
be consistently DNS or WINS. Mixed DNS/WINS
environments are problematic. The reason FQDNs
is recommended is so that agents can reach the
CSA MC from anywhere (internal or external
networks).
CSCin47547
Uninstall issue when SQL server is During the CSA MC uninstall, a number of SQL
not running
server queries are performed. If the SQL server is
not running, then these queries cause the uninstall
to fail.
To prevent this uninstall issue, you should not
remove or stop the SQL server before uninstalling
CSA MC.
24
78-15603-02
Known Issues
Table 5
List of Known Bugs in Cisco Security Agent 4.0
Bug ID
Summary
Additional Information
CSCin47564
Install issue when SQL server is

not running
During the CSA MC install, a number of SQL

server queries are performed. If the SQL server is
not running, then these queries cause the install to
fail.
To prevent this install issue, you should not stop
the SQL server before installing CSA MC.
CSCin45700
also see
Bug ID
CSCeb18384
In certain install configurations,

the Event Viewer's session to the
server times out.
This occurs when the Security Monitor is installed

on the same server with certain other CiscoWorks
applications (e.g. RME) that require the
SSLInitializer plugin. The presence of the
SSLInitializer plugin causes connections from
Java applets to the server to be made outside of the
context of the rest of the client's (browser's)
connection space. This causes connection
validation attempts to fail. When the server cannot
validate the Event Viewer's connection, it will not
proceed to allow that applet to update its activity
flags. Thus, when the Event Viewer applet is open
on the screen for longer than the timeout period
(on the order of 2 hours), it cannot update its
session activity flags, and it will time out.
78-15603-02
25
Obtaining Documentation
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and
other technical resources. These sections explain how to obtain technical
information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at
this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco
Documentation CD-ROM package, which may have shipped with your product.
The Documentation CD-ROM is updated regularly and may be more current than
printed documentation. The CD-ROM package is available as a single unit or
through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product
number DOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_t
ool_launch.html
All users can order monthly or quarterly subscriptions through the online
Subscription Store:
http://www.cisco.com/go/subscription
26
78-15603-02
Obtaining Technical Assistance
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product
documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
Nonregistered Cisco.com users can order documentation through a local

account representative by calling Cisco Systems Corporate Headquarters
(California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by
calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco
Documentation home page, click Feedback at the top of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front
cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center
(TAC) website, as a starting point for all technical assistance. Customers and
partners can obtain online documentation, troubleshooting tips, and sample
78-15603-02
27
configurations from the Cisco TAC website. Cisco.com registered users have
complete access to the technical support resources on the Cisco TAC website,
including TAC tools and utilities.
Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access
Cisco information, networking solutions, services, programs, and resources at any
time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these
tasks:
Streamline business processes and improve productivity
Resolve technical issues with online support
Download and test software packages
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com

at this URL:
http://tools.cisco.com/RPF/register/register.do
Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a
Cisco product, technology, or solution. Two types of support are available: the
Cisco TAC website and the Cisco TAC Escalation Center. The type of support that
you choose depends on the priority of the problem and the conditions stated in
service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:
Priority level 4 (P4)You need information or assistance concerning Cisco

product capabilities, product installation, or basic product configuration.
There is little or no impact to your business operations.
28
78-15603-02
Priority level 3 (P3)Operational performance of the network is impaired,

but most business operations remain functional. You and Cisco are willing to
commit resources during normal business hours to restore service to
satisfactory levels.
Priority level 2 (P2)Operation of an existing network is severely degraded,

or significant aspects of your business operations are negatively impacted by
inadequate performance of Cisco products. You and Cisco will commit
full-time resources during normal business hours to resolve the situation.
Priority level 1 (P1)An existing network is down, or there is a critical

impact to your business operations. You and Cisco will commit all necessary
resources around the clock to resolve the situation.
Cisco TAC Website

The Cisco TAC website provides online documents and tools to help troubleshoot
and resolve technical issues with Cisco products and technologies. To access the
Cisco TAC website, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have
complete access to the technical support resources on the Cisco TAC website.
Some services on the Cisco TAC website require a Cisco.com login ID and
password. If you have a valid service contract but do not have a login ID or
password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical
issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases online
so that you can fully describe the situation and attach any necessary files.
Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2
issues. These classifications are assigned when severe network degradation
significantly impacts business operations. When you contact the TAC Escalation
Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
78-15603-02
29
Obtaining Additional Publications and Information
To obtain a directory of toll-free Cisco TAC telephone numbers for your country,
go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the
Cisco support services to which your company is entitled: for example,
SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When
you call the center, please have available your service agreement number and your
product serial number.

Information about Cisco products, technologies, and network solutions is
available from various online and printed sources.
The Cisco Product Catalog describes the networking products offered by

Cisco Systems, as well as ordering and customer support services. Access the
Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
Cisco Press publishes a wide range of networking publications. Cisco

suggests these titles for new and experienced users: Internetworking Terms
and Acronyms Dictionary, Internetworking Technology Handbook,
Internetworking Troubleshooting Guide, and the Internetworking Design
Guide. For current Cisco Press titles and other information, go to Cisco Press
online at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco quarterly publication that provides the latest
networking trends, technology breakthroughs, and Cisco products and
solutions to help industry professionals get the most from their networking
investment. Included are networking deployment and troubleshooting tips,
configuration examples, customer case studies, tutorials and training,
certification information, and links to numerous in-depth online resources.
You can access Packet magazine at this URL:
http://www.cisco.com/go/packet
iQ Magazine is the Cisco bimonthly publication that delivers the latest

information about Internet business strategies for executives. You can access
iQ Magazine at this URL:
30
78-15603-02
http://www.cisco.com/go/iqmagazine
Internet Protocol Journal is a quarterly journal published by Cisco Systems

for engineering professionals involved in designing, developing, and
operating public and private internets and intranets. You can access the
Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_
protocol_journal.html
TrainingCisco offers world-class networking training. Current offerings in

network training are listed at this URL:
http://www.cisco.com/en/US/learning/le31/learning_recommended_training
_list.html
This document is to be used in connjunction with the documents listed in the Documentation Roadmap section.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing,
FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and
Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA,
CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo,
Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the
iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy,
Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast,
SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient,
TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other
countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)
Copyright 2003, Cisco Systems, Inc.
All rights reserved.
78-15603-02
31
32
78-15603-02

Csa Rns

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Csa Rns

Загружено:

Авторское право:

Доступные форматы

Release Notes for Management

Center for Cisco Security Agents 4.0

File Integrity Check Instructions, page 2

New Features, page 3

Documentation Roadmap, page 6

Obtaining a License Key, page 6

IDS Host Sensor Incompatibility, page 7

System Requirements (CSA MC), page 8

System Requirements (Agent), page 10

File Integrity Check Instructions

Upgrade Support, page 12

Duplicate Configuration Naming Convention, page 12

Cisco Security Agent Policies, page 13

CSA MC Local Agent and Policies, page 13

RME Gatekeeper Remote Access Issue, page 15

Cisco VPN Client Support, page 16

Known Issues, page 16

Obtaining Documentation, page 26

Obtaining Technical Assistance, page 27

Obtaining Additional Publications and Information, page 30

File Integrity Check Instructions

Once you've downloaded the program verify_digests.exe, run it to display the

The following output is displayed:

If the hashes do not match, "Failure" is displayed. Contact Cisco if this

necessary exclusions to change the global definition of downloaded content.

Network Shield System Startup Security Checks

Installing Management Center for Cisco Security Agents

Using Management Center for Cisco Security Agents

Obtaining a License Key

IDS Host Sensor Incompatibility

IDS Host Sensor Incompatibility

System Requirements (CSA MC)

System Requirements (CSA MC)

IBM PC-compatible computer

Color monitor with video card capable of

1 GHz or faster Pentium processor

Windows 2000 Server or Advanced Server

Terminal services are not supported on

Hard Drive Space

9 GB minimum available disk drive space

The actual amount of hard drive space

Pager alerts require a Hayes Compatible Modem.

System Requirements (CSA MC)

SQL Server Desktop Engine Installation

System Requirements (Agent)

System Requirements (Agent)

Agent Requirements (Windows)

Intel Pentium 200 MHz or higher

Uni-processor, dual processor, and quad

Windows XP (Professional English128 bit)

Windows 2000 (Professional, Server or

Windows NT (Workstation, Server or

Citrix Metaframe and Citrix XP are

128 MB minimumall supported Windows

Hard Drive Space

This includes program and data.

Maximum of 64 IP addresses supported

System Requirements (Agent)

Cisco Security Agent uses approximately 20 MB of memory. This applies to

Agent Requirements (UNIX)

UltraSPARC 500 MHz or higher

Uni-processor, dual processor, and quad

If you have the minimal Sun Solaris 8

Systems files always accessible to Read access to /usr/lib/, /usr/bin/, and