About the Technical Reviewers

Darrin Miller is an engineer in Cisco's security technology group. Darrin is responsible for system-level security architecture. He has worked primarily on policy-based admission and incident response programs within Cisco. Previous to that, Darrin conducted security research in the areas of IPv6, SCADA, incident response, and trust models. This work has included protocol security analysis and security architectures for next-generation networks. Darrin has authored and contributed to several books...

Adding External Antivirus Policy Servers in Cisco Secure ACS

Before you add any external antivirus policy server to Cisco Secure ACS, you must import a NAC attribute definition file (ADF) provided by the antivirus vendor. To import the ADF to ACS, complete the following steps:
Step 1 Copy the ADF file to a directory accessible by the Cisco Secure ACS utility CSUtil.exe.
Step 2 On the server running Cisco Secure ACS, open a command prompt and change directories to the directory containing CSUtil.exe.
Step 3 Import the ADF to ACS using the command...

Altiris Network Discovery

The Altiris Network Discovery is a free plug-in component to the Notification Server that is used to discover all end-user machines connected to the network. NOTE For the Altiris Notification Server installation guidelines and minimum system requirements, refer to the Altiris documentation at www.altiris.com. The Altiris Quarantine Solution does not require Network Discovery to function; however, it is recommended that you use Network Discovery to have an accurate database of end-user...

Antivirus Software Posture Plug Ins

Posture plug-ins enable Cisco Trust Agent (CTA) to retrieve posture credentials from third-party applications (such as antivirus software) installed on a client machine. NOTE Chapter 2, Cisco Trust Agent, covers the installation and configuration of CTA in detail. In most cases, two files make up a posture plug-in. For Windows-based systems, a posture plug-in consists minimally of the following:
A Dynamic Link Library (.dll) file
An Information File (.inf) file
On Linux-based systems, posture...

Architectural Overview of NAC for Agentless Hosts

The posture-validation process is crucial in determining the correct status of an end host. When CTA is not present on a host, the NAD can leverage an audit server when that machine requests access to the network. Figure 11-2 provides a complete flow of the posture-validation process on a Cisco NAD. A Cisco switch is set up for NAC-L2-IP to validate an end host's posture before allowing access to the corporate network. Figure 11-2 Posture-Validation Process for a Host...

Architectural Overview of NAC on Layer 3 Devices

The posture-validation process on a Layer 3 device starts when an end host requests access to the network. Figure 5-1 provides a complete flow of the posture-validation process on a Layer 3 NAD. A Cisco 3845 router is acting as the Layer 3 NAD to validate the end host's posture before allowing access to the corporate network. This assessment is checked against the policies defined on the Cisco Secure Access Control Server (Cisco Secure ACS). Figure 5-1 Layer 3 Posture-Validation Process for a...

Architecture of NAC-L2-IP

NAC-L2-IP uses EAP over UDP (EoU) as the transport mechanism to complete the posture assessment of a device attempting to connect to the corporate network. This is similar to NAC Layer 3; however, the posture assessment is performed on a Layer 2 switch port. The posture assessment is triggered when the Cisco Catalyst switch receives a Dynamic Host Configuration Protocol (DHCP) or an Address Resolution Protocol (ARP) request from the device attempting to connect to the network. When the switch detects the DHCP...

Audit Servers

The third option for supporting agentless hosts in a NAC Framework environment is to use an external audit server. An audit server collects information from the agentless machines and determines their compliance based on the security policies of an organization. Audit servers usually use well-known assessment methods, such as remote login, fingerprinting, scanning, and active probes. In some other implementations, user web sessions are redirected to an audit server for assessment....

Authorization Policy

The Authorization Policy in the NAP is where you apply authorization rules to limit an end host's access to the network, based on the system posture token returned from posture validation. Again, as with the posture validation rules you looked at in the last section, the authorization rules contain both a condition and an action. The condition consists of a user group and a system posture token. If the condition is met, the action can be to deny access or apply the selected shared RAC and...

Catalyst 6500 CatOS Configuration

To meet the requirements that SecureMe has listed for the NAC Framework solution, the following are the major configuration steps on the Catalyst 6500 switch running CatOS. The solution requires you to configure NAC-L2-IP because there is no requirement to authenticate the end users before granting them network access. This way you can rule out NAC-L2-802.1X and configure the switch for NAC-L2-IP.
Step 1 Configure the RADIUS server information on the switch. The RADIUS server in this...

Chapter

1. After adding any new monitored device into CS-MARS, what must be done before CS-MARS analyzes events sent from that device?
b. The Activate button must be clicked to synchronize the GUI to the back-end database.
c. You must select the Analyze Events button, next to the device on the Report tab.
d. Nothing needs to be done after adding the new device through the GUI.
Answer: B
2. What protocol/port do Cisco IOS routers (by default) use to send NetFlow data to CS-MARS?
3. What version(s) of NetFlow...

Cisco IOS Router

Cisco IOS routers first supported NAC in Cisco IOS Release 12.3(8)T, in the Advanced Security, Advanced IP Services, or Advanced Enterprise Services feature sets. Table 1-2 lists Cisco IOS routers by platform and current NAC capability. NOTE For the most up-to-date list of NAC-enabled routers, check online at http://www.cisco.com/go/nac. Table 1-2 NAC Support in IOS Routers (platforms listed include 1701, 1711, 1712, 1721, 1751, 1751-V, 1760). When NAC is implemented on a router, this...

Cisco Secure Access Control Server

The Cisco Secure Access Control Server, hereafter referred to as ACS, is the central core component in the NAC Framework. Whereas switches, routers, concentrators, and access points are the brawn of NAC (limiting access and enforcing policy), ACS is the brains. It is responsible for receiving the posture credentials from the end hosts and validating them against the policies defined by the administrator. It then sends the authorization policy to the enforcement device, where it is applied....

Cisco Security Agent

Cisco Security Agent (CSA) is the Cisco award-winning host-based intrusion-prevention system (HIPS) installed on a desktop or server PC that protects it from known and unknown threats. CSA adds a shim into the network layer and into the kernel layer (to watch both network traffic and API calls to the kernel). This allows CSA to act not only as a personal firewall, but also to protect against buffer-overflow attacks and spyware/adware. In addition, it provides file protection, malicious application...

Cisco Security Agent Architecture

In the CSA solution architecture, a central management center maintains a database of policies and information about the workstations and servers that have the Cisco Security Agent software installed. Agents register with CSA MC. Subsequently, CSA MC checks its configuration database and deploys a configured policy for that particular system. NOTE Starting with CSA Version 5.1, the CSA MC is a standalone system. Before Version 5.1, CSA MC was part of the CiscoWorks VPN and Security Management...

Cisco VPN 3000 Series Concentrator

NAC support for the VPN 3000 series concentrators was first added in Release 4.7. The concentrator is a Layer 3 NAD and postures remote-access IPSec (or Layer 2 Tunneling Protocol [L2TP] over IPSec) clients. The posturing process is almost identical to that of NAC-L3-IP, described previously in the section NAC Phase I (refer to Figure 1-1). The only difference is that the router is replaced with a VPN 3000 concentrator, and an IPSec tunnel is first established to the concentrator before the...

Cisco Wireless Devices

NAC Framework support for wireless devices is available on autonomous Access Points (AP), lightweight access points running the Lightweight Access Point Protocol (LWAPP), and the Wireless LAN Services Module (WLSM) for the Catalyst 6500. Table 1-4 lists the wireless devices and minimum supported software. Table 1-4 NAC Support in Wireless Devices: Aironet 1100, 1130AG, 1200, 1230AG, 1240AG, 1300 IOS-based access points, Cisco IOS Release 12.3(7)JA or...

Configure Authorization Rules for NAPs

Complete the following steps to configure authorization rules for NAPs:
Step 1 Configure the authorization rules for the NAC-L2-IP profile by selecting the Authorization link next to the profile and configuring the rules according to Table 14-12, L2-IP Authorization Rules. The last row of the table is the default rule, which applies if a condition is not defined or there is no matched condition.
Step 2...

Configure Shared Components Profile

Complete the following steps to configure shared components on the Cisco Secure ACS server:
Step 1 Create the downloadable IP ACLs shown in Table 14-10. Remember that downloadable IP ACLs are under Shared Profile Components. These downloadable ACLs are mapped to the VPN sessions on the VPN 3000 concentrator.
Table 14-10 Downloadable IP ACLs
remark If host is Quarantine restrict network access
remark Allow access to Quarantine network
Table...

Configuring 802.1X NADs in ACS to Report to CS-MARS

Chapter 8, Cisco Secure Access Control Server, covered how to add the NADs as AAA clients in ACS. For NADs that are performing 802.1X authentication, CS-MARS needs to receive the incremental 802.1X update messages. Enable this within ACS under Network Configuration > AAA Clients. Select the specific AAA client and configure it to authenticate using the RADIUS (Cisco IOS/PIX 6.0) or RADIUS (IETF) dictionary. In addition, make sure Log Update/Watchdog Packets from This AAA Client is checked....

Configuring CSA NAC-Related Features

CSA MC comes with numerous predefined agent kits, groups, policies, and configuration variables that are designed to offer high-level security measures for end-user systems and servers. You can use these default agent kits, groups, policies, rule modules, and configuration variables as a baseline and then monitor for possible tuning to your environment. Cisco Trust Agent (CTA) can be bundled with CSA agent installations. This section guides you on how to configure an agent kit that will also...

Configuring Global Authentication Protocols

Out of the box, ACS will not authenticate NAC-enabled clients because the authentication protocols they use (PEAP or EAP-FAST) are not enabled by default. ACS provides the option of globally enabling or disabling authentication protocols from the System Configuration > Global Authentication Setup page. Later, in the Protocols Policy section, you will see that these protocols can also be selectively enabled or disabled on a per-profile basis. In this section, we walk you through the steps of...

Configuring Layer 2 NAC on Network Access Devices

The Cisco Catalyst switches are capable of enforcing device security policy compliance when local-area network (LAN) users attempt to access the network. Switches that support NAC Framework features are capable of denying access to noncompliant devices and placing them in a quarantined area, allowing restricted access to network resources for remediation purposes. This posture validation is done at the Layer 2 network edge using two different technologies: NAC Layer 2 802.1X (NAC-L2-802.1X)...

Configuring NAC on Cisco VPN 3000 Series Concentrators

The Cisco VPN 3000 series concentrators provide a scalable, reliable, and flexible solution for the site-to-site as well as remote-access VPN tunnels. In the site-to-site IPSec tunnel, network professionals can reduce the high maintenance cost of point-to-point WAN links by connecting branch offices to the corporate network resources. The remote-access VPN tunnels provide a way to connect home and mobile users to the corporate network by leveraging dialup, wireless hotspots, digital subscriber...

Configuring NAC-L2-802.1X

This section guides you on how to configure NAC-L2-802.1X on Cisco Catalyst switches.
NAC-L2-802.1X Cisco IOS Configuration
The following steps are necessary to configure NAC-L2-802.1X on a Cisco Catalyst switch running Cisco IOS.
Step 1 VLAN assignment is the method used in NAC-L2-802.1X for policy enforcement. In this example, the following VLANs are used:
VLAN 10 Healthy Employees
Configure the appropriate VLANs as follows:
6503-A# configure terminal
Enter configuration commands, one per line....

Configuring Passed Authentications Logging

In this section, you will enable logging of passed authentications and add NAC-specific attributes to the Passed Authentications log. ACS logs all posture-validation credentials to this log unless access is strictly denied. In that case, ACS logs the result in the Failed Attempts log. Adding the posture attributes to this log enables you to see what posture credentials the end host is sending to ACS. This will help you further define your posture-validation rules. Complete these steps to...

Configuring QualysGuard to Send Events to CS-MARS

Qualys provides network security audits and vulnerability assessments of your network using the QualysGuard solution. When used with the NAC Framework, QualysGuard can receive messages from ACS to scan nonresponsive hosts to assist in determining their system posture token. If you have a subscription with QualysGuard, you can configure CS-MARS to connect to the QualysGuard API server and retrieve the vulnerability analysis reports. These reports are then parsed and inserted into the CS-MARS...

Configuring RADIUS Accounting Logging

Complete these steps to configure RADIUS accounting logging:
Step 1 From the navigation frame on the left, select System Configuration > Logging.
Step 2 The Logging Configuration page appears. Click the Configure link in the CSV column for the RADIUS Accounting report.
Step 3 Verify that the Log to CSV RADIUS Accounting Report check box is selected.
Step 4 In the Select Columns to Log section, verify that the following attributes appear in the right column (Logged Attributes). If any item is...

Contents

Chapter 1 NAC Solution and Technology Overview
Network Admission Control
NAC Phase I
NAC Phase II
Periodic Revalidation
NAC Agentless Hosts
NAC Program Participants
Components That Make Up the NAC Framework Solution
Cisco Trust Agent
Cisco Security Agent
Network-Access Devices
Cisco IOS Router
Cisco Catalyst Switch Running Cisco IOS or CatOS
Cisco VPN 3000 Series Concentrator
Cisco ASA 5500 Series Adaptive Security Appliance and PIX 500 Series Security...

Contents at a Glance

Chapter 1 NAC Solution and Technology Overview
Part II Configuration Guidelines
Chapter 3 Cisco Secure Services Client
Chapter 4 Configuring Layer 2 NAC on Network Access Devices
Chapter 5 Configuring Layer 3 NAC on Network Access Devices
Chapter 6 Configuring NAC on Cisco VPN 3000 Series Concentrators
Chapter 7 Configuring NAC on Cisco ASA and PIX Security Appliances
Chapter 8 Cisco Secure Access Control Server
Chapter 9 Cisco Security Agent
Chapter 10 Antivirus...

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the U.S., please contact International Sales, international@pearsoned.com. Cisco Representative, Cisco Press Program Manager, Executive Editor, Production Manager, Development Editor, Project Editor, Copy Editor, Technical Editors, Publishing Coordinator, Book...

Create Posture Validation Policies

Complete the following steps to create posture-validation policies:
Step 1 Navigate to Posture Validation > Internal Posture Validation Setup.
Step 2 Edit the existing posture-validation policy, NAC-SAMPLE-CTA-POLICY, to check whether the version of CTA is greater than or equal to 2.0.0.30. Also rename the policy to just CTA-Policy.
Step 3 Create a new internal posture-validation policy named Windows-SP-Policy that will check whether the latest service pack is installed for that OS. Add the...

Creating a ctalogd.ini File

The ctalogd.ini file defines the configuration of the logging service. It includes parameters for enabling/disabling logging, log retention policies, and the logging levels for each CTA component. A sample ctalogd.ini file (named ctalogd.tmp) is created when CTA is installed and can be found in the Logging directory. Edit this file to meet your logging needs, and then save it as ctalogd.ini in the same directory. Example 2-6 shows a sample ctalogd.ini file with all options listed and all...

Creating a Customized Deployment Package

Before deploying the CTA 802.1X wired client to your network, you will most likely want to customize the client's policies. The option to edit the client's default policies is available only through the creation of a custom deployment package. However, before a custom deployment package can be created, you must decide which of the following authentication methods the client should support:
User authentication only The network connection is established only after the user logs on to the machine...

Creating a Network Profile

With the Administrative Client installed, follow these steps to create a network profile:
Step 1 Right-click the Cisco Secure Services Client tray icon and choose Open from the pop-up menu, as shown in Figure 3-1.
Figure 3-1 Cisco Secure Services Client Tray Status Icon
Step 2 You will see a screen similar to the one in Figure 3-2. However, you might see more or fewer networks listed, depending on the number of interfaces on your device and the number of wireless networks detected.
Figure 3-2 Cisco Secure...

Creating a Policy to Check for a Specific Windows Hotfix

To reinforce what you have already learned, you will create one more policy to check for the presence of a specific Windows hotfix. Microsoft released hotfix KB912812 to protect against a critical remote code execution vulnerability in Internet Explorer. Your task is to create a Posture Validation policy to check for this specific hotfix. If the hotfix exists on the end host, return the Healthy posture token. Otherwise, return Quarantine. I encourage you to attempt this one on your own. When...

Creating Agent Kits

As previously mentioned, CSA MC comes with preconfigured agent kits that can be used to fulfill initial security needs. However, CSA MC enables you to create custom agent kits to fit your specific requirements. To create a new agent kit, complete the following steps:
Step 1 Choose Systems > Agent Kits from the CSA MC console.
Step 2 Click New at the bottom of the page displayed. A dialog box appears asking you which operating system this agent kit will be applied to, as shown in Figure 9-9....

Creating End User Client Configuration Files

When you are ready to create End-User Client configuration files, select the Create Deployment Package item from the Administration menu. This launches a wizard that walks you through the process. Along the way, you create client policies and network profiles, which you package into a distribution along with the End-User Client (supplicant). Follow these steps to create the client-configuration files Step 1 After selecting the Administration > Create Deployment Package option, the Enterprise...

Creating Groups

CSA MC comes with a list of predefined groups that you can use to meet initial needs. A group is the only element required to build an agent kit. Using groups eases the management of a large number of agents. When using groups, you can consistently apply the same policy to a number of hosts. Agent kits are the configuration and installation packages of the agent software to be deployed to end-user machines. Agent kits must be associated with configured groups. Agents installed on end-user hosts...

Creating Scheduled NAC Reports

Running these on-demand style reports is neat, but the real beauty is configuring CS-MARS to e-mail you the reports at the schedule you specify. For example, you might find it useful to receive a report every morning of the hosts that are Infected or in a Quarantine state. To create a scheduled report, follow these steps Step 1 Log in to the CS-MARS GUI and click the Query Reports tab at the top of the page. Step 2 In the Load Report as On-Demand Query with Filter section, choose System...

CSA Management

Chapter 9, Cisco Security Agent, discusses the installation and configuration of the Cisco Security Agent Management Center (CSA MC). This section provides a series of tips on how to plan, deploy, and maintain CSA MC and the agent software. CSA MC provides a central policy-management and distribution point for the CSA agent kits. It is recommended that you place the CSA MC server on your management network (management VLAN). When doing this, you need to understand how the agents communicate...

CSA MC Rule Definitions

CSA MC takes a structured, hierarchical approach to applying rules to the agents. Individual rules are created and applied to a rule module. One or more rule modules are then applied to a policy. Policies are then attached to a group, which contains one or more agents. Figure 9-3 illustrates the hierarchical nature of CSA MC. Figure 9-3 Relationship Between Rules and Agents. Any change to a rule is applied to any agent that is part of a group, to which a policy is attached, which...
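The hierarchy above is easiest to reason about as a small graph. The following is an added example written for this page, not code from the book or from CSA MC; all object names are constructed. It models rule > rule module > policy > group > agent and answers the two questions an administrator asks before editing a rule: which agents the change will reach, and which rules a given agent actually receives (including an agent that sits in more than one group).

```python
"""Added example, not from the book: a model of the CSA MC object
hierarchy (rule -> rule module -> policy -> group -> agent).  It answers
two questions an administrator asks before touching a rule: which agents
a change to the rule reaches, and which rules an agent actually receives.
All object names below are constructed for illustration."""

from collections import defaultdict


class CsaHierarchy:
    def __init__(self):
        self.module_rules = defaultdict(set)    # rule module -> rules
        self.policy_modules = defaultdict(set)  # policy -> rule modules
        self.group_policies = defaultdict(set)  # group -> policies
        self.agent_groups = defaultdict(set)    # agent -> groups

    def add_rule(self, rule, module):
        self.module_rules[module].add(rule)

    def attach_module(self, module, policy):
        self.policy_modules[policy].add(module)

    def attach_policy(self, policy, group):
        self.group_policies[group].add(policy)

    def register_agent(self, agent, *groups):
        # An agent registers with CSA MC and is placed in one or more groups
        self.agent_groups[agent].update(groups)

    def agents_for_rule(self, rule):
        """Walk the hierarchy upward: every agent in a group whose policy
        contains a module that contains the rule picks up the change."""
        modules = {m for m, rules in self.module_rules.items() if rule in rules}
        policies = {p for p, mods in self.policy_modules.items() if mods & modules}
        groups = {g for g, pols in self.group_policies.items() if pols & policies}
        return sorted(a for a, grps in self.agent_groups.items() if grps & groups)

    def effective_rules(self, agent):
        """Walk downward: the union of rules from every policy attached to
        every group the agent belongs to."""
        rules = set()
        for group in self.agent_groups.get(agent, ()):
            for policy in self.group_policies.get(group, ()):
                for module in self.policy_modules.get(policy, ()):
                    rules |= self.module_rules.get(module, set())
        return sorted(rules)


def build_sample():
    """Constructed hierarchy: two rule modules, two policies, two groups."""
    h = CsaHierarchy()
    h.add_rule("Block-Outbound-Telnet", "Network-Lockdown")
    h.add_rule("Protect-Hosts-File", "File-Protection")
    h.attach_module("Network-Lockdown", "Desktop-Policy")
    h.attach_module("File-Protection", "Desktop-Policy")
    h.attach_module("File-Protection", "Server-Policy")
    h.attach_policy("Desktop-Policy", "Desktops")
    h.attach_policy("Server-Policy", "Servers")
    h.register_agent("ws01", "Desktops")
    h.register_agent("ws02", "Desktops")
    h.register_agent("srv01", "Servers")
    h.register_agent("mgmt01", "Desktops", "Servers")   # member of both groups
    return h


if __name__ == "__main__":
    h = build_sample()
    print("Agents affected by Block-Outbound-Telnet:", h.agents_for_rule("Block-Outbound-Telnet"))
    print("Rules reaching srv01:", h.effective_rules("srv01"))
```

The upward walk (agents_for_rule) is the one to run before changing a rule in a shared module such as File-Protection here: it reaches the server group as well as the desktops, which is easy to miss when the rule was edited with only desktops in mind.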

CTA Scripting Interface

CTA provides an optional Scripting Interface as a way for non-NAC-aware applications to provide CTA with posture information about that application. Cisco Secure ACS can then combine this additional posture information with the posture information received from NAC-aware applications and use it in determining the overall posture of the host. Although this is not a commonly used feature, it might be useful for companies that have a requirement to validate a specific attribute before making a...

CTA Wired Client System Report Utility

Troubleshooting issues with 802.1X authentication can be complicated. However, the CTA 802.1X wired client comes with a useful tool called System Report, found in the Cisco Trust Agent 802.1X wired client program group. When executed, this tool gathers the following information from the client:
*-networks.xml and *-policy.xml Network- and policy-configuration files
The contents of the profiles directory Contains all the configuration files for the client
log_current.txt CTA 802.1X wired client's...

Debug Commands

In previous chapters, you learned about the EoU logging capabilities on the Cisco IOS routers running NAC-L3-IP and Cisco Catalyst switches running NAC-L2-IP. EoU logging still applies when troubleshooting NAC-L3-IP and NAC-L2-IP in large organizations. However, in the case of NAC-L2-802.1X, debug dot1x events is a very useful command when troubleshooting 802.1X-related problems. Example 15-2 shows the output of debug dot1x events for a quarantined host. Example 15-2 debug dot1x events...

Defining ACS as a Reporting Device within CS-MARS

Before CS-MARS will analyze the events received from ACS, you must define ACS as a monitored device within CS-MARS. Follow these steps to accomplish this task:
Step 1 Log in to the CS-MARS GUI interface and select the Admin tab.
Step 2 In the Device Configuration and Discovery Information section, click the Security and Monitor Devices link.
Step 3 Click the Add box on the far right of the screen.
Step 4 In the Device Type drop-down list, select Add SW Security Apps on New Host.
Step 5 Under the...

Defining CSA MC as a Reporting Device within CS-MARS

Before CS-MARS will analyze the events received from CSA MC, you must define CSA MC as a monitored device within CS-MARS. Follow these steps to accomplish this task:
Step 1 Log in to the CS-MARS GUI interface and select the Admin tab.
Step 2 In the Device Configuration and Discovery Information section, click the Security and Monitor Devices link.
Step 3 Click the Add box on the far right of the screen.
Step 4 In the Device Type drop-down list, select Add SW Security Apps on New Host.
Step 5 In...

Defining the ASA/PIX Appliance as a Reporting Device within CS-MARS

Before the ASA or PIX appliance can be imported as a reporting device within CS-MARS, you must bootstrap it. This is done by enabling SSH or Telnet access to the appliance for the IP address assigned to CS-MARS and defining an SNMP read-only community string. CS-MARS uses the SSH or Telnet access to import the appliance's configuration. The SNMP read-only community string is optional, but it allows CS-MARS to monitor the CPU, memory, and interface utilization of the appliance. Apply the...

Defining the Cisco IOS Router as a Reporting Device within CS-MARS

Before you can begin to add the Cisco IOS router into CS-MARS, you need to bootstrap the router so that CS-MARS can discover and import it. CS-MARS discovers Cisco IOS routers through SNMP, SSH, Telnet, or a saved configuration on an FTP server. If the router has ACLs defined or NAT configured, it is recommended that you discover the router through either SSH or Telnet. In addition, you need to supply the SNMP Read-Only (RO) community string. The SNMP community string allows CS-MARS to query...

Defining the Cisco Switch as a Reporting Device within CS-MARS

CS-MARS supports both Cisco IOS-based switches and CatOS-based Cisco switches. The procedure to add them into the CS-MARS GUI is exactly the same. The only difference is that for Cisco IOS-based switches, the Device Type is Cisco Switch-IOS 12.2; for CatOS-based switches, the Device Type is Cisco Switch-CatOS ANY. Before you can begin adding the switch into CS-MARS, you first need to bootstrap it so that CS-MARS can discover and import it. CS-MARS discovers switches through SNMP, SSH, Telnet, or...

Deploying and Troubleshooting NAC in Large Enterprises

In the previous two chapters, you learned the typical deployment scenarios in small and medium-size enterprises. This chapter demonstrates how to deploy NAC in a large enterprise, where most of the previous concepts still apply in a larger scheme. The typical large enterprise is an organization with more than 5,000 users, all located in different geographical locations. If your business resembles the one presented here, use this chapter, along with the previous two chapters, as your deployment...

Deploying and Troubleshooting NAC in Medium Size Enterprises

All companies, whether small, medium, or large, focus on securing their network infrastructure. This not only includes updating their security devices, but it also requires updating security policies to deal with new and emerging security threats. This chapter provides a detailed deployment scenario of the Cisco NAC solution for a medium-size enterprise. This chapter presents real-life examples of how the Cisco NAC solution can be deployed at a medium-size organization. It discusses the typical...

Deploying CTA in a Production Network

When you have thoroughly tested CTA in conjunction with the other components of NAC Framework in a lab environment and have decided on the configuration options for CTA, you can proceed with preparations for a production rollout. NOTE Before continuing, it is assumed that you have already read most of the remaining chapters in this book and have made a detailed, phased plan for a production rollout of CTA. You should have identified the ACS boxes you will be using for NAC and obtained the...

Deployment Scenarios

Chapter 13 Deploying and Troubleshooting NAC in Small Businesses
Chapter 14 Deploying and Troubleshooting NAC in Medium-Size Enterprises
Chapter 15 Deploying and Troubleshooting NAC in Large Enterprises
This chapter covers the following topics:
Defining the business requirements for deploying NAC in small businesses
Reviewing the small business network topology
Configuring NAC in a small business
Troubleshooting the small business NAC deployment

Diagnosing NAC on a VPN 3000 Concentrator

As described earlier in the chapter, SecureMe provides VPN services to its employees and wants the VPN client machines to go through the posture-validation process after the IPsec tunnels are established. After establishing the IPsec SAs, the concentrator initiates the EAPoUDP process. If a response is received from the VPN client, the concentrator knows that the VPN client has an active CTA agent, as illustrated in Example 14-5. You can view the output of these logs under Monitoring >...

Downloadable IP ACLs

Both NAC Layer 2 IP and Layer 3 IP use downloadable IP ACLs as the enforcement mechanism. After the posture-validation process, the resultant SPT is mapped to a downloadable IP ACL (in the Authorization policy of the network access profile), which is then pushed out to the NAD. The NAD then prepends this ACL to the top of the interface ACL to further restrict (or permit) access to the network. If the SPT returned for the end host is Healthy, the downloaded ACL is generally permit ip any any....
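The two halves of that mechanism, the authorization rule described in the Authorization Policy section (condition: user group plus system posture token; action: deny, or apply a RAC and downloadable ACL) and the NAD placing the downloaded ACL ahead of the interface ACL, are modelled together in the following added example. It is written for this page and is not code from the book or from ACS; the group names, addresses, RAC names and ACL entries are constructed, and the ACE parser handles only the any / host forms used in the sample.

```python
"""Added example, not from the book or from Cisco: how an authorization
rule maps (user group, system posture token) to a RAC and a downloadable
IP ACL, and how the NAD evaluates traffic with that ACL prepended to the
interface ACL.  Group names, addresses and ACL contents are constructed."""

import ipaddress

# Authorization rules: (group or None for "any group", token) -> (RAC, DACL).
# First match wins; no match means access is denied.
AUTHZ_RULES = [
    (("Employees", "Healthy"), ("Healthy-RAC", ["permit ip any any"])),
    ((None, "Quarantine"), ("Quarantine-RAC", [
        "permit ip any host 10.10.10.5",   # remediation server (constructed)
        "permit udp any any eq 53",        # name resolution
        "deny ip any any",
    ])),
]

# Static ACL on the NAC-enabled interface (constructed); the DACL goes in
# front of it, so the DACL entries are consulted first.
INTERFACE_ACL = [
    "permit udp any any eq 67",            # DHCP
    "permit udp any host 10.10.10.1 eq 53",
    "deny ip any any",
]


def authorize(group, token):
    """Return (rac, dacl) from the first matching rule, or None (deny)."""
    for (rule_group, rule_token), action in AUTHZ_RULES:
        if (rule_group is None or rule_group == group) and rule_token == token:
            return action
    return None


def effective_acl(group, token, interface_acl=INTERFACE_ACL):
    """The ACL the NAD actually enforces for this host, or None if denied."""
    result = authorize(group, token)
    if result is None:
        return None
    _rac, dacl = result
    return dacl + interface_acl


def _parse_addr(tokens):
    # 'any' or 'host A.B.C.D'; returns (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address form: %s" % tokens)


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, t = _parse_addr(t[2:])
    dst, t = _parse_addr(t)
    port = int(t[1]) if t[:1] == ["eq"] else None
    return action, proto, src, dst, port


def permitted(acl, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation with the implicit deny at the end."""
    if acl is None:
        return False
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, p, src, dst, port = parse_ace(line)
        if p != "ip" and p != proto:
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


if __name__ == "__main__":
    quarantined = effective_acl("Contractors", "Quarantine")
    print(quarantined)
    print(permitted(quarantined, "tcp", "10.1.1.50", "10.10.10.5", 80))
```

The point to take from running it: because the downloaded ACL is evaluated first, a DACL that ends in deny ip any any makes every entry in the interface ACL unreachable for that host, including the DHCP permit. Anything a quarantined host still needs (remediation server, DNS, and, if renewals matter, DHCP) has to be in the DACL itself.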

EAP over UDP Logging

You enabled EAP over UDP (or EOU, for short) logging on the switch during its configuration. Therefore, when a host is postured, the switch generates the EOU logs, which can be viewed by enabling logging on the switch at Level 6 or higher. The logs are standard syslogs and can be viewed in the local buffer, on the console monitor session, or on the syslog server. Example 13-4 illustrates an example from an agentless (clientless) host connecting to the switch. Example 13-4 Clientless Host EOU...
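When these syslogs arrive on a collector rather than being read in the switch buffer, it helps to fold the per-message events back into one record per host. The following added example does that; it is written for this page and is not code from the book or from Cisco. The log lines are constructed, and their field layout (IP=...| HOST=...| Interface=...) is an assumption modelled on the %EOU-6-* message style, so adjust the field names to what your switch actually emits.

```python
"""Added example, not from the book: parse EOU syslog messages from a
switch and rebuild each host's posture session.  The log lines below are
constructed; their field layout (IP=...| HOST=...| Interface=...) is an
assumption modelled on the %EOU-6-* messages a Cisco switch logs at
logging level 6, not copied from the book."""

import re
from collections import defaultdict

SAMPLE_LOG = """\
*Mar  1 00:10:12.345: %EOU-6-SESSION: IP=10.1.1.25| HOST=DETECTED| Interface=FastEthernet0/5
*Mar  1 00:10:15.001: %EOU-6-CTA: IP=10.1.1.25| CiscoTrustAgent=NOT DETECTED
*Mar  1 00:10:15.002: %EOU-6-AUTHTYPE: IP=10.1.1.25| AuthType=CLIENTLESS
*Mar  1 00:10:15.500: %EOU-6-POLICY: IP=10.1.1.25| TOKEN=Clientless
*Mar  1 00:10:15.501: %EOU-6-POLICY: IP=10.1.1.25| ACLNAME=#ACSACL#-IP-clientless-44a0b1c2
*Mar  1 00:10:15.502: %EOU-6-POSTURE: IP=10.1.1.25| HOST=AUTHORIZED| Interface=FastEthernet0/5
*Mar  1 00:11:02.100: %EOU-6-SESSION: IP=10.1.1.30| HOST=DETECTED| Interface=FastEthernet0/7
*Mar  1 00:11:02.900: %EOU-6-CTA: IP=10.1.1.30| CiscoTrustAgent=DETECTED
*Mar  1 00:11:04.200: %EOU-6-POLICY: IP=10.1.1.30| TOKEN=Healthy
*Mar  1 00:11:04.201: %EOU-6-POLICY: IP=10.1.1.30| ACLNAME=#ACSACL#-IP-healthy-44a0b1d0
*Mar  1 00:11:04.202: %EOU-6-POSTURE: IP=10.1.1.30| HOST=AUTHORIZED| Interface=FastEthernet0/7
*Mar  1 00:12:41.000: %EOU-6-SESSION: IP=10.1.1.40| HOST=DETECTED| Interface=FastEthernet0/9
*Mar  1 00:12:41.700: %EOU-6-CTA: IP=10.1.1.40| CiscoTrustAgent=DETECTED
*Mar  1 00:12:43.100: %EOU-6-POLICY: IP=10.1.1.40| TOKEN=Quarantine
*Mar  1 00:12:43.101: %EOU-6-POLICY: IP=10.1.1.40| ACLNAME=#ACSACL#-IP-quarantine-44a0b1e4
*Mar  1 00:12:43.102: %EOU-6-POSTURE: IP=10.1.1.40| HOST=AUTHORIZED| Interface=FastEthernet0/9
*Mar  1 00:12:50.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# facility-severity-mnemonic, then the pipe-separated key=value body
EOU_RE = re.compile(r"%EOU-(?P<sev>\d)-(?P<mnemonic>[A-Z]+): (?P<body>.*)$")


def parse_fields(body):
    """'IP=10.1.1.25| HOST=DETECTED| Interface=Fa0/5' -> dict."""
    fields = {}
    for chunk in body.split("|"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_eou_log(text):
    """Fold the per-message events into one session record per host IP."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = EOU_RE.search(line)
        if not m:
            continue                      # not an EOU message
        fields = parse_fields(m.group("body"))
        ip = fields.get("IP")
        if ip is None:
            continue
        s = sessions[ip]
        mnemonic = m.group("mnemonic")
        if mnemonic == "SESSION":
            s["interface"] = fields.get("Interface")
        elif mnemonic == "CTA":
            s["cta"] = fields.get("CiscoTrustAgent") == "DETECTED"
        elif mnemonic == "POLICY":
            if "TOKEN" in fields:
                s["token"] = fields["TOKEN"]
            if "ACLNAME" in fields:
                s["acl"] = fields["ACLNAME"]
        elif mnemonic == "POSTURE":
            s["authorized"] = fields.get("HOST") == "AUTHORIZED"
    return dict(sessions)


def hosts_needing_attention(sessions):
    """Agentless hosts (no CTA answered the EOU hello) plus hosts whose
    token landed them in Quarantine or Infected."""
    bad = {"quarantine", "infected"}
    return sorted(ip for ip, s in sessions.items()
                  if not s.get("cta", False) or s.get("token", "").lower() in bad)


if __name__ == "__main__":
    sessions = parse_eou_log(SAMPLE_LOG)
    for ip, s in sorted(sessions.items()):
        print(ip, s)
    print("attention:", hosts_needing_attention(sessions))
```

Note that every host in the sample ends with HOST=AUTHORIZED, including the clientless one: AUTHORIZED only means a policy was applied, and which access the host actually has is in the TOKEN and ACLNAME messages, which is why the parser keys its alerting on those rather than on the POSTURE line.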

Editing the Certificate Trust List

The certificate trust list (CTL) is a further security step that ACS uses to decide whether to trust the CA certificate that is already installed. ACS implicitly trusts the CA that created the ACS identity certificate. Therefore, in many cases, this step is optional; however, for simplification, I recommend completing this step. Follow these steps to add the CA server to the ACS certificate trust list:
Step 1 From the navigation frame on the left, select System Configuration.
Step 2 Select ACS...

Editing the NAC-SAMPLE-CTA-POLICY

Previously, we used ACS's built-in NAC templates to create network access profiles for NAC. In doing so, ACS automatically created a posture-validation policy titled NAC-SAMPLE-CTA-POLICY. You can take a look at this policy by clicking the Posture Validation button on the left and then selecting Internal Posture Validation Setup > NAC-SAMPLE-CTA-POLICY. Notice the two posture-validation rules. The first rule contains two condition elements within the condition set. The second is the default...
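The rule structure just described (a condition set whose elements must all match, first matching rule wins, a default rule last) is the same one the earlier CTA version, Windows service-pack and KB912812 hotfix policies rely on. The following added example models it; it is written for this page and is not code from the book or from ACS. The attribute names (PA-Version, OS-Name, ServicePack, HotFixes) and the sample credentials are constructed stand-ins, not the exact ACS attribute names, and the way application tokens are combined into the system posture token is shown as "take the least healthy".

```python
"""Added example, not from the book: a model of ACS internal posture-
validation policies.  A policy is an ordered list of rules; each rule's
condition set must match completely, the first matching rule returns the
token, and a default rule catches everything else (the structure of
NAC-SAMPLE-CTA-POLICY).  The policies below stand in for the CTA version,
service-pack and KB912812 hotfix checks; the attribute names and the
credential samples are constructed, not the exact ACS attribute names."""

from enum import IntEnum


class Token(IntEnum):
    # Least to most restrictive; max() of several tokens is the system token
    HEALTHY = 0
    CHECKUP = 1
    TRANSITION = 2
    QUARANTINE = 3
    INFECTED = 4
    UNKNOWN = 5


def version_key(v):
    """'2.0.0.30' -> (2, 0, 0, 30).  A string comparison would rank
    '2.0.0.4' above '2.0.0.30'; compare numeric components instead."""
    return tuple(int(part) for part in v.split("."))


def match(creds, attr, op, value):
    """One condition element; a missing attribute never matches."""
    actual = creds.get(attr)
    if actual is None:
        return False
    if op == "contains":
        return value in actual
    if op == "equals":
        return actual == value
    a, b = version_key(actual), version_key(value)
    return {">=": a >= b, "<": a < b, "==": a == b}[op]


def evaluate_policy(rules, creds, default=Token.QUARANTINE):
    """Rules are (condition_set, token) in order; default rule is last."""
    for conditions, token in rules:
        if all(match(creds, *c) for c in conditions):
            return token
    return default


# (attribute, operator, value) triples; attribute names are constructed
CTA_POLICY = [
    ([("PA-Version", ">=", "2.0.0.30")], Token.HEALTHY),
]
SP_POLICY = [
    ([("OS-Name", "equals", "Windows XP"), ("ServicePack", ">=", "2")], Token.HEALTHY),
    ([("OS-Name", "equals", "Windows 2000"), ("ServicePack", ">=", "4")], Token.HEALTHY),
]
HOTFIX_POLICY = [
    ([("HotFixes", "contains", "KB912812")], Token.HEALTHY),
]
POLICIES = [CTA_POLICY, SP_POLICY, HOTFIX_POLICY]


def system_posture_token(creds):
    """Combine the application tokens into the system posture token by
    taking the least healthy one."""
    return max(evaluate_policy(policy, creds) for policy in POLICIES)


if __name__ == "__main__":
    # Constructed credentials for a fully patched XP host and an old CTA
    host = {"PA-Version": "2.0.0.30", "OS-Name": "Windows XP",
            "ServicePack": "2", "HotFixes": ["KB912812", "KB913433"]}
    print(system_posture_token(host).name)
    print(system_posture_token(dict(host, **{"PA-Version": "2.0.0.4"})).name)
```

The version_key helper is the part worth copying: CTA reports its version as dotted numbers, and a rule written as a plain string comparison would pass 2.0.0.4 as newer than 2.0.0.30, silently admitting the host the policy was meant to quarantine.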

Event Monitoring Analysis and Reporting

Protecting the network from threats is the first step toward securing it. However, event monitoring, analysis, and reporting are also vital pieces in understanding the network's security posture: Event monitoring: The process of receiving events (or alerts) from the network and presenting them to the user in real time and in a meaningful way. This is usually provided with some sort of dashboard where new events are displayed as they come in. Analysis: The process of taking the events received and...

How This Book Is Organized

Part I includes Chapter 1, which provides an overview of the NAC Framework solution and the technology and components used to implement it. The remainder of the book is divided into three parts. Part II encompasses Chapters 2 through 12 and covers the installation, configuration, deployment, and troubleshooting of the individual components that make up the NAC solution. The chapters should be read in order, but if you are not using one of the components of the NAC solution in your network, you...

Importing Attribute Files to Cisco Secure ACS

For Cisco Secure ACS to communicate with the external Notification Server, you must import the Altiris attributes file. Complete the following steps to import the attributes file on Cisco Secure ACS: Step 1 On the Notification Server, locate the Altiris_ACS_Attrs.txt file under Program Files\Altiris\Notification Server\NSCap\Quarantine. Step 2 Copy the Altiris_ACS_Attrs.txt file to the Cisco Secure ACS Server. Step 3 From a command prompt, run the CSUtil.exe utility using the following...

Installation Packages and Files

Cisco has created several installation packages for CTA, based on the host's operating system. All the Admin packages include a bundled CTA executable that can be installed interactively or silently on end-user machines. The silent option is useful if you plan to push CTA out to users using a software-distribution tool. This method also allows the distribution of CTA with customized configuration files and certificates. The interactive installation options perform noisy installs. With noisy...

Installing ACS on a Windows Server

Installing ACS on Windows is simple and straightforward. Like most Windows applications, ACS uses the Microsoft InstallShield installer. Therefore, you should be familiar with the process. To install ACS, complete these steps. NOTE Installing ACS over Terminal Services (or Remote Desktop) is not supported. However, you can use VNC (Virtual Network Computing's remote desktop utility) to install ACS remotely. Step 1 Log in to the server using a local Administrator account. Step 2 Insert the ACS CD...

Installing Cisco Security Agents Management Center

This section includes an overview of the installation of CSA MC. CSA MC Version 5.1 and later are supported only on Windows 2003 R2 Standard and Enterprise operating systems. Refer to the CSA MC release notes at www.cisco.com/go/csa for the minimum system requirements for your CSA MC version. NOTE Before you install CSA throughout your network, it is important that you create a detailed deployment plan. Chapter 16, NAC Deployment and Management Best Practices, covers several best practices when...

Internal Posture Validation Policies

Creating posture-validation rules can be a little overwhelming in the beginning because many components link together to create a policy. In this section, we walk you through those components and how they are linked. A posture-validation policy contains one or more posture-validation rules and returns an application posture token (APT), which is combined with other application posture tokens in the network access profile to determine the system posture token (SPT). A posture-validation rule contains one...

Launching the ACS GUI on Windows 2003

After installing ACS Server on a Windows 2003 default installation, you will not be able to access the ACS GUI from your web browser. This is because of the enhanced security features Microsoft has added to Internet Explorer. To resolve this, follow these steps: Step 1 Double-click the ACS Admin icon on the desktop. This launches Internet Explorer to display the ACS GUI. Step 2 If you do not see the ACS GUI interface, select the Tools menu and choose Internet Options. Step 3 Select the Security...

Microsoft L2TP over IPSec Clients

When a Microsoft L2TP over IPSec client is used to establish the VPN tunnel, the VPN 3000 concentrator can start the PV process as soon as the VPN tunnel is established. In an L2TP over IPSec tunnel, an IPSec tunnel is negotiated first to provide data protection. When the IPSec SAs are established, the VPN devices negotiate the L2TP tunnel within the IPSec tunnel. When the L2TP over IPSec tunnel is successfully established, the VPN devices go through the posture-validation process,...

Monitoring Agentless Hosts on a Cisco NAD

The NAC Framework solution enables you to check the state of an agentless machine on the NADs. When a new host is detected on the network, the NAD sends out the EAPoUDP hello packet, as shown in Example 11-2. This output was taken from a Cisco 6500 switch running CatOS. The agentless host IP address is 172.18.10.200, and the current state is hello. The host is connected to port 1/48 on the switch. Example 11-2 Output of the show eou all Command for EAPoUDP Hello Packet...

Monitoring Agentless Hosts on QualysGuard Scanner

When the Qualys server scans an agentless machine, it generates the audit report. This audit report can be viewed from any machine on the network, as long as the URL string specifies either the NAC session ID or the IP address of the agentless machine. To view an audit report by the IP address of a host, the URL is https://X.X.X.X/viewreport.cgi?ip=Y.Y.Y.Y. Here, X.X.X.X is the IP address of the Qualys scanner and Y.Y.Y.Y is the IP address of the agentless host. To view an audit report based...

Monitoring of NAC Sessions

You can use several show commands to monitor and report the state of NAC sessions. The show vpn-sessiondb remote command is one of the most commonly used because it displays IPSec as well as NAC statistics of all the VPN clients. As shown in Example 7-41, the session type is remote for remote-access tunnel, and the VPN username is ciscouser. The assigned IP address is 10.10.200.1 and the public IP address is 209.165.202.159. The security appliance has transmitted 15,790 bytes and has received...

NAC Framework Deployment and Troubleshooting

Jazib Frahim, CCIE No. 5459, Omar Santos, David White, Jr., CCIE No. 12021 All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Library of Congress Catalog Card Number 2004114756 Printed in the United States of America 1 2 3 4 5 6...

NAC Program Participants

Cisco Systems leads the NAC program, but it is open to any vendor that wants to participate. To ensure interoperability, Cisco requires all vendors shipping NAC-enabled code to have it tested either by an independent third-party testing center or by Cisco Systems. At the time of publication, more than 75 vendors were enrolled in the NAC program. A current list of program participants is maintained by Cisco at http://www.cisco.com/web/partners/pr46/nac/partners.html.

NAC Report Agentless/Clientless Hosts

Another very useful piece of information to know during the rollout of NAC is the number of agentless (clientless) hosts in your network. These hosts represent users who have not installed the CTA agent. Before implementing any restrictive policy, you will want the number of agentless hosts to be less than 10 percent. You can keep a close eye on this number by running the agentless hosts report with a small customization, as follows: Step 1 Log in to the CS-MARS GUI and click the Query/Reports tab...

NAC Report Infected/Quarantine Top Hosts

Another report you might want to run is the Activity: Security Posture: NAC Infected/Quarantine Top Hosts (Total View) report. This report shows you the number of hosts that are in an Infected or Quarantine state, along with the user logged into each host. The steps to generate this report are similar to the previous steps: Step 1 Log in to the CS-MARS GUI and click the Query/Reports tab at the top of the page. Step 2 In the Load Report as On-Demand Query with Filter section, choose System: Security Posture...

NAC Report Top Tokens

One of the most important reports to run is the Activity: Security Posture: NAC Top Tokens (Total View) report, which shows you the overall security posture of your network. This report gives you a summary of the number of hosts at the various NAC posture states. Let us walk through an example to see how easy it is to generate this report. Step 1 Log in to the CS-MARS GUI and click the Query/Reports tab at the top of the page. Step 2 In the Load Report as On-Demand Query with Filter section, choose...

NAC Solution and Technology Overview

One of the biggest challenges corporations face today is securing the internal network. When the words network security are mentioned, most people immediately associate this phrase with protecting their network from external threats. Few people think of the internal threats that already exist. Unpatched end-host systems, out-of-date antivirus signatures, and disabled or nonexistent personal firewalls all weaken the internal security of corporate networks and make them vulnerable to data theft...

Network Access Filtering

Using network access filters (NAFs) is one method of filtering inbound RADIUS requests to the correct NAP. The other two methods are filtering on protocol type and filtering on specific RADIUS attributes. Both were covered previously in the Network Access Profiles section. Using NAFs, you can filter the inbound RADIUS request on the network access device's IP. When configuring NAC, you can use NAFs to separate NAC-L3-IP devices from NAC-L2-IP devices, thus enabling you to apply a different...

Network Access Profiles

Before we look at network access profiles (NAPs) in more detail, let us review what we have done so far. Earlier, we created some NAP templates, which triggered the creation of a default posture-validation policy, along with default downloadable IP ACLs and RADIUS authorization components. Then we edited the CTA posture-validation policy and created some new ones for Windows. Likewise, we edited the downloadable IP ACL policies along with the RADIUS authorization components, which make up the...

Network Admission Control

Reports of data and identity theft have become hot topics in the news recently. Unfortunately, they have also become fairly common, often resulting in millions of dollars' worth of damage to the companies affected. Traditionally, network security professionals have focused much of their time on securing the front door to their networked companies: their Internet presence. Stateful firewalls often sit at the gateways, and, in most cases, these are supplemented with inline intrusion-prevention...

Policy Based ACLs

Policy-based ACLs are used exclusively on Catalyst 6500 switches running CatOS. They provide policy enforcement for NAC-L2-IP and provide additional enforcement (beyond VLAN assignment) for NAC-L2-802.1X. Unlike downloadable IP ACLs, policy-based ACLs are defined on the switch. NOTE Chapter 4, Configuring Layer 2 NAC on Network Access Devices, covers the steps required to configure policy-based ACLs on the switch. During the posture-validation process, ACS maps the resulting SPT to a RAC. The...

Posture Validation Policy

On the Posture Validation Policy page, contained within the NAP, you create posture-validation rules. Each rule comprises a condition and actions. If the condition is met, the actions are applied. Therefore, the condition can also be seen as a filter applied to the posture-validation policy. The condition is defined as the set of required credential types. Said another way, the condition is met if the posture credentials received in the RADIUS request match all the selected credentials in the...

Posture Validation Rule Ordering

As seen earlier, an internal policy can contain one or more rules. When ACS receives posture credentials from an end host, they are evaluated against the rules in order from top to bottom. The APT of the first rule that matches is returned, and processing stops for that policy. This allows lower rules to encompass upper rules. Said another way, the lower rules can be less specific than the upper rules. However, if each rule in a policy is independent of the others, for best performance, place...

Preparing for Deployment of CTA

As a network administrator, you must make a few key decisions before starting the deployment of CTA. The first and most important is whether your NAC deployment will include IEEE 802.1X port-based authentication. 802.1X authentication is an optional component of NAC that provides end-user authentication. When deployed, it is typically done company-wide as part of an overall security architecture. Therefore, you first need to determine whether your security policy requires that all devices...

Regional Office

SecureMe's Chicago office has become a regional (medium-size) office, and the new office in New York is now the corporate headquarters. The topology at the Chicago office remains the same; however, it is now connected through a site-to-site IPsec VPN tunnel to the New York office. Figure 15-3 illustrates this. Figure 15-3 Chicago's Regional Office (components shown: CS-ACS, CSA Server, Trend Server, Notification Server). NAC Layer 3 is enabled at the VPN 3000 concentrator, and NAC-L2-IP...

Remote Access VPN

SecureMe's New York headquarters has a cluster of Cisco Adaptive Security Appliance (ASA) 5550s to terminate its remote access VPN connections. Four Cisco ASA 5550s have been configured for load balancing. They run WebVPN and IPsec VPN for remote users and telecommuters. However, NAC is applied only for IPsec VPN users. Figure 15-5 illustrates how the Cisco ASA appliances are configured within New York's headquarters offices. The outside (public) interfaces of all the Cisco ASA appliances are directly...

Remote Access IPSec Tunnel from a CTA Client

In the last test scenario, a CTA agent is installed on the VPN client machine. The idea is to have the VPN client go through the entire posture-validation process. After establishing the IPSec SAs, the concentrator initiates the EAPoUDP process. If a response is received from the VPN client, the concentrator knows that the VPN client has an active CTA agent, as illustrated in Example 6-13. Example 6-13 Log Output to Indicate VPN Client Sends an EAPoUDP Response 749 10/21/2005 02:07:39.630...

Remote Access IPSec Tunnel from an Agentless Client

If the test VPN tunnel establishes successfully, the next step is to configure NAC on the VPN 3000 concentrator and then connect from the same test VPN client without installing the CTA agent. This emulates an agentless VPN client scenario. As shown in Example 6-9, as soon as IKE Phase 2 negotiations are complete, the VPN 3000 concentrator initiates the NAC process. It applies a default ACL called Default-Filter in this setup. Example 6-9 Log Output to Display NAC Process Initiation 726 10/21...

Remote Access IPSec Tunnel Without NAC

If you are setting up a new group on the security appliance that will validate the posture on the VPN clients, follow the first two configuration stages, discussed earlier in the section Configuration Steps of NAC on Cisco Security Appliances. The next step is to make a VPN tunnel from a test VPN client machine to ensure that you do not run into any misconfigurations. If the IPSec tunnel is not working for some reason, make sure that you have the proper debug turned on. The following are the...

Review Questions

You can find the answers to the review questions in Appendix A, Answers to Review Questions.
1. True or false: The Altiris Agent can be bundled with CTA's installation.
2. True or false: Cisco recommends installing the Altiris Agent after installing CTA.
3. True or false: The Altiris Network Discovery is a free plug-in component to the Notification Server that is used to discover all end-user machines connected to the network.
4. Which one of the following is not a Cisco NAC program remediation...

Set Up QualysGuard Scanner

To add an audit server, navigate to Posture Validation > External Posture Validation Audit Setup. Click Add Server to add a new QualysGuard Scanner Appliance. Specify Qualys as the name and select Do Not Audit These Hosts. Specify the IP addresses of the printers and IP Phones that will not be audited. Select Qualys as the Audit Server Vendor under Use These Audit Servers and enable Primary Server Configuration. Specify the URL for the audit server to submit the audit request to. In our...

Show Commands

Show commands are useful in determining the current state and posture of an end host. However, they do not provide a historical reference of how (or why) the host ended up there. The two most useful show commands are show eou all and show eou ip ip-address. NOTE Cisco IOS uses eou commands to represent EAP over UDP, or what we generally refer to as EAPoUDP. All three terms (EAP over UDP, EAPoUDP, and EOU) are equivalent and can be used interchangeably. The show eou all command displays a table of...

Small Business Network Topology

The typical topology in a small business consists of one or more switches connected to a router, which, in turn, connects to the Internet. A dedicated firewall also might function between the Internet-facing router and the switches, or the router might have firewalling capabilities (one example is Cisco IOS Firewall running on a Cisco router). In this chapter, we use the topology shown in Figure 13-1 to represent the topology of a standard small business. The business is connected to the...

Step 1 Configuring AAA Authentication

The first step in configuring NAC on a Layer 3 Cisco IOS device is to enable AAA for posture validation. The NAC framework uses an external RADIUS server to validate the posture presented by the end hosts. Consequently, it is mandatory that the Cisco IOS NAD be set up to pass EAPoUDP sessions to the RADIUS server. A Cisco IOS NAD device can be set up for AAA by using the aaa new-model command, if it is not already configured to do so. This command enables the AAA process globally on a Cisco IOS...

Step 1 Create a Posture Data File

You can use any programming or scripting language you want to create a script that will generate a posture data file. The only requirements are that the posture data file must contain only ASCII text and that it must comply with the format shown in Example 2-2. Example 2-2 Sample Posture Data File Excerpt: attribute-value Script posture_file_01 ... Each posture data file contains one or more posture-validation attribute definitions. Each...

Step 1 Group Configuration

The first step in configuring a remote-access IPSec VPN tunnel is to set up a group that the Cisco VPN client can connect to. A group, also known as user-group, can be created by navigating to Configuration > User Management > Group and clicking Add. The GUI shows the Identity tab, where a group name and a group password can be entered, as shown in Figure 6-5. The administrator has added NAC-Group as the group name and cisco123, shown as asterisks, as the group password. You can define the...

Step 10 Configuring the Crypto Map

The dynamic map is associated with a crypto map entry, which is eventually applied to the interface terminating the IPSec tunnels. Example 7-14 shows the crypto map configuration on the CiscoASA security appliance. The crypto map name is IPSec_map, and the sequence number is 65535. Example 7-14 Crypto Map Configuration CiscoASA(config)# crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap The Cisco security appliance limits you to one crypto map per interface. If there is a need to configure...

Step 2 Configuring NAC Authentication

For NAC posture validation, a RADIUS server must be defined under the tunnel group. The RADIUS server is available only for the remote-access tunnel groups (IPSec and L2TP over IPSec). If you don't define at least one RADIUS server for the NAC posture-validation process, the sessions will not get authenticated. A RADIUS server is mapped to the tunnel group by using the nac-authentication-server-group command followed by the server tag name. In Example 7-22, a RADIUS server is mapped to a...