Phased Approach to Deploying NAC Framework

Every organization faces its own challenges and pitfalls when deploying new technologies, products, and tools. The NAC Framework introduces new technologies that leverage existing network infrastructure. It is important that you create a clear and detailed test and implementation plan to overcome these challenges. Network and security best-practice procedures strongly recommend that any new technology or product be tested first in a lab environment. Subsequently, a pilot within a limited...

About the Technical Reviewers

Darrin Miller is an engineer in Cisco's security technology group. Darrin is responsible for system-level security architecture. He has worked primarily on policy-based admission and incident response programs within Cisco. Previous to that, Darrin conducted security research in the areas of IPv6, SCADA, incident response, and trust models. This work has included protocol security analysis and security architectures for next-generation networks. Darrin has authored and contributed to several books...

Acknowledgments

We would like to thank the technical editors, John Stuppi and Darrin Miller, for their time and technical expertise. They verified our work and provided recommendations on how to improve the quality of this manuscript. Special thanks go to Jay Biersbach for reviewing this book before final editing. We would like to thank the Cisco Press team, especially Brett Bartow and Andrew Cupp, for their patience, guidance, and consideration. Their efforts are greatly appreciated. Additionally, special...

Adding External Antivirus Policy Servers in Cisco Secure ACS

Before you add any external antivirus policy server to Cisco Secure ACS, you must import a NAC attribute definition file (ADF) provided by the antivirus vendor. To import the ADF to ACS, complete the following steps:

Step 1 Copy the ADF file to a directory accessible by the Cisco Secure ACS utility CSUtil.exe.

Step 2 On the server running Cisco Secure ACS, open a command prompt and change directories to the directory containing CSUtil.exe.

Step 3 Import the ADF to ACS using the command...

Altiris Network Discovery

The Altiris Network Discovery is a free plug-in component to the Notification Server that is used to discover all end-user machines connected to the network.

NOTE For the Altiris Notification Server installation guidelines and minimum system requirements, refer to the Altiris documentation at www.altiris.com.

The Altiris Quarantine Solution does not require the use of Network Discovery to function; however, it is recommended that you use Network Discovery to have an accurate database of end-user...

Altiris Quarantine Solution Configuration

SecureMe wants to ensure that it has a database of all the end-host machines that exist in its network. Even though the Altiris Quarantine solution is already deployed, SecureMe wants to take advantage of its Network Discovery feature. To enable this feature, consult Chapter 12, Remediation, and follow the steps described in the Altiris Network Discovery section. The Altiris Notification Server determines whether end-user machines are running a specific version of software before being granted...

Antivirus Software Posture Plug Ins

Posture plug-ins enable Cisco Trust Agent (CTA) to retrieve posture credentials from third-party applications (such as antivirus software) installed on a client machine.

NOTE Chapter 2, Cisco Trust Agent, covers the installation and configuration of CTA in detail.

In most cases, two files make up a posture plug-in. For Windows-based systems, a posture plug-in consists minimally of the following:

- A Dynamic Link Library (.dll) file
- An Information File (.inf) file

On Linux-based systems, posture...

Architectural Overview of NAC for Agentless Hosts

The posture-validation process is crucial in determining the correct status of a network device. When CTA is not present on a device, the NAD can leverage an audit server when an end machine requests access to the network. Figure 11-2 provides a complete flow of the posture-validation process on a Cisco NAD. A Cisco switch is set up for NAC-L2-IP to validate an end host's posture before allowing access to the corporate network.

Figure 11-2 Posture-Validation Process for a Host ...

Architectural Overview of NAC on Layer 3 Devices

The posture-validation process on a Layer 3 device starts when an end host requests access to the network. Figure 5-1 provides a complete flow of the posture-validation process on a Layer 3 NAD. A Cisco 3845 router is acting as the Layer 3 NAD to validate the end host's posture before allowing access to the corporate network. This assessment is checked against the policies defined on the Cisco Secure Access Control Server (Cisco Secure ACS).

Figure 5-1 Layer 3 Posture-Validation Process for a...

Architecture of NAC-L2-802.1X

The NAC-L2-802.1X feature enables you to perform a security posture assessment of a host using 802.1X proven technologies on a Layer 2 switch port. NAC-L2-802.1X uses EAP-FAST as the transport mechanism to carry identity and security posture information within a Transport Layer Security (TLS) tunnel. Consequently, an 802.1X supplicant that supports EAP-FAST is needed for NAC-L2-802.1X.

NOTE The embedded supplicant included with CTA supports EAP-FAST. It also supports EAP-GTC, EAP-MSCHAPv2, and...

Architecture of NAC-L2-IP

NAC-L2-IP uses EAP over UDP (EoU) as the transport mechanism to complete the posture assessment of a device attempting to connect to the corporate network. This is similar to NAC Layer 3; however, the posture is done on a Layer 2 switch port. The posture assessment is triggered when the Cisco Catalyst switch receives a Dynamic Host Configuration Protocol (DHCP) or an Address Resolution Protocol (ARP) request from the device attempting to connect to the network. When the switch detects the DHCP...

Audit Servers

The third option to support agentless hosts in the NAC Framework environment is to use an external audit server. An audit server collects information from the agentless machines and determines their compliance based on the security policies of an organization. Audit servers usually use well-known assessment methods, such as remote login, fingerprinting, scanning, and active probes. In some other implementations, user web sessions are redirected to an audit server for assessment....

Authorization Policy

The Authorization Policy in the NAP is where you apply authorization rules to limit an end host's access to the network, based on the system posture token returned from posture validation. Again, as with the posture validation rules you looked at in the last section, the authorization rules contain both a condition and an action. The condition consists of a user group and a system posture token. If the condition is met, the action can be to deny access or apply the selected shared RAC and...

Branch Office

The branch office topology is the same as that described in Chapter 13 for the small business. It consists of one or more switches connected to a router, which, in turn, connects to the New York corporate headquarters through a site-to-site IPsec VPN tunnel. Figure 15-2 shows the topology. The branch office is connected to the Internet through the GW_Router and to SecureMe's New York headquarters through the site-to-site IPsec VPN tunnel. This is done to avoid the use of expensive leased lines and to...

Catalyst 6500 CatOS Configuration

To meet the requirements that SecureMe has listed for the NAC Framework solution, the following are the major configuration steps on the Catalyst 6500 switch running CatOS. The solution requires you to configure NAC-L2-IP because you do not have a requirement to authenticate the end users before granting them network access. This way you can rule out NAC-L2-802.1X and configure the switch for NAC-L2-IP.

Step 1 Configure the RADIUS server information on the switch. The RADIUS server in this...

Chapter

1. After adding any new monitored device into CS-MARS, what must be done before CS-MARS analyzes events sent from that device?
b. The Activate button must be clicked to synchronize the GUI to the back-end database.
c. You must select the Analyze Events button, next to the device on the Report tab.
d. Nothing needs to be done after adding the new device through the GUI.
Answer: B

2. What protocol/port do Cisco IOS routers (by default) use to send NetFlow data to CS-MARS?

3. What version(s) of NetFlow...

Cisco ASA 5500 Series Adaptive Security Appliance and PIX 500 Series Security Appliance

The NAC implementation on the Cisco 5500 series Adaptive Security Appliances (ASA) and PIX 500 series security appliances is identical to the implementation on the VPN 3000 concentrators. NAC-L3-IP is supported starting with Version 7.2(1) on all IPSec and L2TP over IPSec remote-access tunnels. Posture enforcement is provided by way of a downloadable ACL from Cisco Secure ACS. Additionally, just as with the VPN 3000, remote-access clients can be exempted from NAC posture validation based on OS...

Cisco IOS Router

Cisco IOS routers first supported NAC in Cisco IOS Release 12.3(8)T, in the Advanced Security, Advanced IP Services, or Advanced Enterprise Services feature sets. Table 1-2 lists Cisco IOS routers by platform and current NAC capability.

NOTE For the most up-to-date list of NAC-enabled routers, check online at http://www.cisco.com/go/nac.

Table 1-2 NAC Support in IOS Routers
1701, 1711, 1712, 1721, 1751, 1751-V, 1760

When NAC is implemented on a router, this...

Cisco Secure Access Control Server

The Cisco Secure Access Control Server (ACS) for Windows is another core required component of NAC. Cisco Secure ACS first supported NAC in Version 3.3, which was launched concurrently with Phase I in the summer of 2004. Cisco Secure ACS 4.0, released in the fall of 2005, added support for NAC Phase II, including all the NADs listed in the previous section. Cisco Secure ACS is the central controller for all NAC policy decisions. It receives posture credentials from all agents and either...

Cisco Secure Services Client

In Chapter 2, Cisco Trust Agent, we covered CTA and its included 802.1X wired supplicant. In this chapter, we look at the Cisco Secure Services Client. This is a full-featured 802.1X supplicant for wired and wireless interfaces that integrates natively with NAC. This is important because the integration allows the posture validation to take place in the 802.1X exchange itself, within the authentication phase. Thus, posture information can be used along with authentication credentials for VLAN...

Cisco Security Agent

Cisco Security Agent (CSA) is Cisco's award-winning host-based intrusion-prevention system (HIPS) installed on a desktop or server PC that protects it from known and unknown threats. CSA adds a shim into the network layer and into the kernel layer (to watch both network traffic and API calls to the kernel). This allows CSA to not only be a personal firewall, but also to protect against buffer-overflow attacks and spyware/adware. In addition, it provides file protection, malicious application...

Cisco Security Agent Architecture

In the CSA solution architecture, a central management center maintains a database of policies and information about the workstations and servers that have the Cisco Security Agent software installed. Agents register with CSA MC. Subsequently, CSA MC checks its configuration database and deploys a configured policy for that particular system.

NOTE Starting with CSA Version 5.1, the CSA MC is a standalone system. Before Version 5.1, CSA MC was part of the CiscoWorks VPN and Security Management...

Cisco VPN 3000 Series Concentrator

NAC support for the VPN 3000 series concentrators was first added in Release 4.7. The concentrator is a Layer 3 NAD and postures remote-access IPSec (or Layer 2 Tunneling Protocol [L2TP] over IPSec) clients. The posturing process is almost identical to that of NAC-L3-IP, described previously in the section NAC Phase I (refer to Figure 1-1). The only difference is that the router is replaced with a VPN 3000 concentrator, and an IPSec tunnel is first established to the concentrator before the...

Cisco Wireless Devices

NAC Framework support for wireless devices is available on autonomous Access Points (AP), lightweight access points running the Lightweight Access Point Protocol (LWAPP), and the Wireless LAN Services Module (WLSM) for the Catalyst 6500. Table 1-4 lists the wireless devices and minimum supported software.

Table 1-4 NAC Support in Wireless Devices
Aironet 1100, 1130AG, 1200, 1230AG, 1240AG, 1300 IOS-based access points: Cisco IOS Release 12.3(7)JA or...

Client Does Not Prompt for Password

One common reason the user is never presented with a password dialog box is that the ACS server is not in the Trusted Server list or none of the rules can validate the ACS certificate. When this happens, if the user clicks the Connect button in the client GUI, the connection fails and the icon changes to red. In addition, the message at the bottom of the client window reads "Connection failed: The server is not trusted." If you see this message, follow the instructions in the Defining Trusted...

Client GUI Does Not Start

If you receive an error when attempting to start the client GUI, run the System Report utility. In the .zip archive that it creates, open the clientDebug_current.txt file and scroll down to the bottom to read the most current events. Most errors are printed in plain English (not encoded hex strings) and are therefore straightforward to understand and diagnose. Note that installation of the client over Remote Desktop (RDC) is not supported. If attempted, upon reboot and logon via RDC, the client...

Configuration Steps of NAC on Cisco Security Appliances

Figure 7-1 illustrates a network topology in which a Cisco ASA 5500 appliance is terminating VPN client sessions from Cisco VPN clients. The public IP address of the appliance is 209.165.202.130; the private IP address is 10.10.0.2. The security appliance leverages a Cisco Secure ACS server for user authentication. The Cisco Secure ACS also participates in the client's posture validation and applies appropriate policies. The appliance is set up with a pool of addresses from the 10.10.200.0/24...

Configuration Steps of NAC on Cisco VPN 3000 Concentrators

Figure 6-4 illustrates a network topology in which a Cisco VPN 3000 concentrator is terminating VPN sessions from Cisco VPN clients. The public IP address of the concentrator is 209.165.201.2, and the private IP address is 172.18.0.2. The concentrator leverages a Cisco Secure Access Control Server (CS-ACS) for user authentication. The CS-ACS also participates in the client's posture validation and applies appropriate policies. The concentrator is set up with a pool of addresses from the...

Configuration Steps of NAC on Layer 3 Devices

Figure 5-2 illustrates a network topology in which a Cisco IOS 3845 router is acting as a NAD. Two Cisco Secure ACS servers are connected to the GigabitEthernet0/0 interface. These servers are used for EAPoUDP sessions and posture validation. On the GigabitEthernet0/1 interface, two end machines are connected. One is running the Cisco Trust Agent (CTA); the other acts as an agentless machine.

Figure 5-2 Network Topology for Layer 3 NAC

The...

Configure Authorization Rules for NAPs

Complete the following steps to configure authorization rules for NAPs:

Step 1 Configure the authorization rules for the NAC-L2-IP profile by selecting the Authorization link next to the profile and configuring the rules according to Table 14-12.

Table 14-12 L2-IP Authorization Rules (condition row recovered from the table: If a condition is not defined or there is no matched condition)

Step 2...

Configure Posture Validation Rules for NAPs

Complete the following steps to configure posture-validation rules for NAPs:

Step 1 Configure the posture-validation rules for the NAC-L2-IP profile by selecting the appropriate link under Network Access Profiles.

Step 2 No modifications are needed for the required credential types. In the Action section, select the following internal posture-validation policies: CTA-Policy, Windows-SP-Policy, and Windows-Hotfix-Policy.

Step 3 Under Select External Posture Validation Server, select Altiris. As a...

Configure Shared Components Profile

Complete the following steps to configure shared components on the Cisco Secure ACS server:

Step 1 Create the downloadable IP ACLs shown in Table 14-10. Remember that downloadable IP ACLs are under Shared Profile Components. These downloadable ACLs are mapped to the VPN sessions on the VPN 3000 concentrator.

Table 14-10 Downloadable IP ACLs (remark lines recovered from the table: "remark If host is Quarantine restrict network access"; "remark Allow access to Quarantine network") ...

Configuring 802.1X NADs in ACS to Report to CS-MARS

Chapter 8, Cisco Secure Access Control Server, covered how to add the NADs as AAA clients in ACS. For NADs that are performing 802.1X authentication, CS-MARS needs to receive the incremental 802.1X update messages. Enable this within ACS under Network Configuration > AAA Clients. Select the specific AAA client and configure it to authenticate using the RADIUS (Cisco IOS PIX 6.0) or RADIUS (IETF) dictionary. In addition, make sure Log Update Watchdog Packets from This AAA Client is checked....

Configuring Audit Servers

The NAC Framework solution supports a number of audit servers:

- QualysGuard Scanner Appliance
- Altiris SecurityExpressions

This chapter focuses on the configuration of QualysGuard Scanner Appliance because it is the most commonly used audit server in NAC Framework environments. The integration of QualysGuard Scanner Appliance into the CS-ACS server can be divided into three stages:

Step 1 Installation of QualysGuard Scanner Appliance
Step 2 Configuration of QualysGuard Scanner Appliance
Step 3...

Configuring CSA NAC-Related Features

CSA MC comes with numerous predefined agent kits, groups, policies, and configuration variables that are designed to offer high-level security measures for end-user systems and servers. You can use these default agent kits, groups, policies, rule modules, and configuration variables as a baseline and then monitor for possible tuning to your environment. Cisco Trust Agent (CTA) can be bundled with CSA agent installations. This section guides you on how to configure an agent kit that will also...

Configuring Global Authentication Protocols

Out of the box, ACS will not authenticate NAC-enabled clients because the authentication protocols they use (PEAP or EAP-FAST) are not enabled by default. ACS provides the option of globally enabling or disabling authentication protocols from the System Configuration > Global Authentication Setup page. Later, in the Protocols Policy section, you will see that these protocols can also be selectively enabled or disabled on a per-profile basis. In this section, we walk you through the steps of...

Configuring Layer 2 NAC on Network Access Devices

The Cisco Catalyst switches are capable of enforcing device security policy compliance when local-area network (LAN) users attempt to access the network. Switches that support NAC Framework features are capable of denying access to noncompliant devices and placing them in a quarantined area and allowing restricted access to network resources for remediation purposes. This posture validation is done at the Layer 2 network edge using two different technologies: NAC Layer 2 802.1X (NAC-L2-802.1X)...

Configuring Logging on ACS

In this section, we walk through the steps needed to configure the logging attributes on ACS that CS-MARS needs to monitor the NAC implementation. Keep in mind that you will most likely want to log additional attributes (other than those mentioned here) to the log files to assist in troubleshooting client connectivity issues. CS-MARS can receive these additional attributes without any issues.

NOTE If you are using an ACS appliance, the following steps apply to the Remote Agent logging...

Configuring NAC in a Small Business

In this section, we cover the configuration needed to meet the requirements listed in the section NAC Requirements for a Small Business. However, before you can start configuring the individual components, you must decide on the type of NAC to deploy: NAC-L3-IP, NAC-L2-IP, or NAC-L2-802.1X. Because you do not have a requirement to authenticate the end users before granting them network access, you can rule out NAC-L2-802.1X. Now the choice remains between NAC-L3-IP and NAC-L2-IP. This is actually...

Configuring NAC on Cisco VPN 3000 Series Concentrators

The Cisco VPN 3000 series concentrators provide a scalable, reliable, and flexible solution for site-to-site as well as remote-access VPN tunnels. With site-to-site IPSec tunnels, network professionals can reduce the high maintenance cost of point-to-point WAN links by connecting branch offices to the corporate network resources. Remote-access VPN tunnels provide a way to connect home and mobile users to the corporate network by leveraging dialup, wireless hotspots, digital subscriber...

Configuring NAC-L2-802.1X

This section guides you on how to configure NAC-L2-802.1X on Cisco Catalyst switches.

NAC-L2-802.1X Cisco IOS Configuration

The following steps are necessary to configure NAC-L2-802.1X on a Cisco Catalyst switch running Cisco IOS.

Step 1 VLAN assignment is the method used in NAC-L2-802.1X for policy enforcement. In this example, the following VLANs are used:

VLAN 10 Healthy Employees

Configure the appropriate VLANs as follows:

6503-A# configure terminal
Enter configuration commands, one per line....

Configuring Passed Authentications Logging

In this section, you will enable logging of passed authentications and add NAC-specific attributes to the Passed Authentications log. ACS logs all posture-validation credentials to this log unless access is strictly denied. In that case, ACS logs the result in the Failed Attempts log. Adding the posture attributes to this log enables you to see what posture credentials the end host is sending to ACS. This will help you further define your posture-validation rules. Complete these steps to...

Configuring QualysGuard to Send Events to CS-MARS

Qualys provides network security audits and vulnerability assessments of your network using the QualysGuard solution. When used with the NAC Framework, QualysGuard can receive messages from ACS to scan nonresponsive hosts to assist in determining their system posture token. If you have a subscription with QualysGuard, you can configure CS-MARS to connect to the QualysGuard API server and retrieve the vulnerability analysis reports. These reports are then parsed and inserted into the CS-MARS...

Configuring Radius Accounting Logging

Complete these steps to configure RADIUS accounting logging:

Step 1 From the navigation frame on the left, select System Configuration > Logging.

Step 2 The Logging Configuration page appears. Click the Configure link in the CSV column for the RADIUS Accounting report.

Step 3 Verify that the Log to CSV RADIUS Accounting Report check box is selected.

Step 4 In the Select Columns to Log section, verify that the following attributes appear in the right column (Logged Attributes). If any item is...

Configuring the Cisco Switch to Forward Events to CS-MARS

With the switch added to CS-MARS, the next step is to configure the switch to forward events to CS-MARS. First, configure the switch to send syslogs to CS-MARS by adding the following commands:

logging source-interface interface
set logging server severity level

NOTE To be most effective, CS-MARS needs to receive a high level of logging. This corresponds to a logging level of 6 (Informational) on the switch.

The last step is to enable the generation of NAC L2-IP and L3-IP specific events. They...

Configuring the VPN 3000 Concentrator to Forward Events to CS-MARS

With the VPN 3000 concentrator added in CS-MARS, the next task is to configure it to send syslog events to CS-MARS. Follow these steps to accomplish this:

Step 1 Log in to the VPN 3000 GUI interface and navigate to Configuration > System > Events > General.

Step 2 Set the Save Log Format to Multiline.

Step 3 Set Syslog Format to Original.

Step 4 Under Events to Log, select Severities 1-5.

Step 5 Under Events to Syslog, select Severities 1-5.

Step 6 Under Events to Trap, select Severities...

Contents

Chapter 1 NAC Solution and Technology Overview
Network Admission Control
NAC Phase I
NAC Phase II
Periodic Revalidation
NAC Agentless Hosts
NAC Program Participants
Components That Make Up the NAC Framework Solution
Cisco Trust Agent
Cisco Security Agent
Network-Access Devices
Cisco IOS Router
Cisco Catalyst Switch Running Cisco IOS or CAT OS
Cisco VPN 3000 Series Concentrator
Cisco ASA 5500 Series Adaptive Security Appliance and PIX 500 Series Security...

Contents at a Glance

Chapter 1 NAC Solution and Technology Overview
Part II Configuration Guidelines
Chapter 3 Cisco Secure Services Client
Chapter 4 Configuring Layer 2 NAC on Network Access Devices
Chapter 5 Configuring Layer 3 NAC on Network Access Devices
Chapter 6 Configuring NAC on Cisco VPN 3000 Series Concentrators
Chapter 7 Configuring NAC on Cisco ASA and PIX Security Appliances
Chapter 8 Cisco Secure Access Control Server
Chapter 9 Cisco Security Agent
Chapter 10 Antivirus...

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales at 1-800-382-3419 or corpsales@pearsontechgroup.com. For sales outside the U.S., please contact International Sales at international@pearsoned.com.

Create Posture Validation Policies

Complete the following steps to create posture-validation policies:

Step 1 Navigate to Posture Validation > Internal Posture Validation Setup.

Step 2 Edit the existing posture-validation policy, NAC-SAMPLE-CTA-POLICY, to check whether the version of CTA is greater than or equal to 2.0.0.30. Also rename the policy to just CTA-Policy.

Step 3 Create a new internal posture-validation policy named Windows-SP-Policy that will check whether the latest service pack is installed for that OS. Add the...

Creating a ctalogd.ini File

The ctalogd.ini file defines the configuration of the logging service. It includes parameters for enabling/disabling logging, log retention policies, and the logging levels for each CTA component. A sample ctalogd.ini file (named ctalogd.tmp) is created when CTA is installed and can be found in the Logging directory. Edit this file to meet your logging needs, and then save it as ctalogd.ini in the same directory. Example 2-6 shows a sample ctalogd.ini file with all options listed and all...

Creating a Customized Deployment Package

Before deploying the CTA 802.1X wired client to your network, you will most likely want to customize the client's policies. The option to edit the client's default policies is available only through the creation of a custom deployment package. However, before a custom deployment package can be created, you must decide which of the following authentication methods the client should support:

User authentication only: The network connection is established only after the user logs on to the machine...

Creating a Network Profile

With the Administrative Client installed, follow these steps to create a network profile:

Step 1 Right-click the Cisco Secure Services Client tray icon and choose Open from the pop-up menu, as shown in Figure 3-1.

Figure 3-1 Cisco Secure Services Client Tray Status Icon

Step 2 You will see a screen similar to the one in Figure 3-2. However, you might see more or fewer networks listed, depending on the number of interfaces on your device and the number of wireless networks detected.

Figure 3-2 Cisco Secure...

Creating a Policy to Check for a Specific Windows Hotfix

To reinforce what you have already learned, you will create one more policy to check for the presence of a specific Windows hotfix. Microsoft released hotfix KB912812 to protect against a critical remote code execution vulnerability in Internet Explorer. Your task is to create a Posture Validation policy to check for this specific hotfix. If the hotfix exists on the end host, return the Healthy posture token. Otherwise, return Quarantine. I encourage you to attempt this one on your own. When...

Creating a Policy to Validate the Windows Service Pack

Now that you have modified an existing policy, you go one step further by creating a new policy to check to make sure the hosts running Windows have the latest service packs installed. Complete this task by following these steps:

Step 1 From the navigation frame on the left, select Posture Validation.

Step 2 The Posture Validation Components Setup page appears. Click the Internal Posture Validation Setup button and then Add Policy.

Step 3 In the Name field, type Windows-SP-Policy. Optionally,...

Creating Agent Kits

As previously mentioned, CSA MC comes with preconfigured agent kits that can be used to fulfill initial security needs. However, CSA MC enables you to create custom agent kits to fit your specific requirements. To create a new agent kit, complete the following steps:

Step 1 Choose Systems > Agent Kits from the CSA MC console.

Step 2 Click New at the bottom of the page displayed. A dialog box appears asking you which operating system this agent kit will be applied to, as shown in Figure 9-9....

Creating End User Client Configuration Files

When you are ready to create End-User Client configuration files, select the Create Deployment Package item from the Administration menu. This launches a wizard that walks you through the process. Along the way, you create client policies and network profiles, which you package into a distribution along with the End-User Client (supplicant). Follow these steps to create the client-configuration files:

Step 1 After selecting the Administration > Create Deployment Package option, the Enterprise...

Creating Groups

CSA MC comes with a list of predefined groups that you can use to meet initial needs. A group is the only element required to build an agent kit. Using groups eases the management of a large number of agents. When using groups, you can consistently apply the same policy to a number of hosts. Agent kits are the configuration and installation packages of the agent software to be deployed to end-user machines. Agent kits must be associated with configured groups. Agents installed on end-user hosts...

Creating Scheduled NAC Reports

Running these on-demand style reports is neat, but the real beauty is configuring CS-MARS to e-mail you the reports at the schedule you specify. For example, you might find it useful to receive a report every morning of the hosts that are Infected or in a Quarantine state. To create a scheduled report, follow these steps:

Step 1 Log in to the CS-MARS GUI and click the Query Reports tab at the top of the page.

Step 2 In the Load Report as On-Demand Query with Filter section, choose System...

CSA Management

Chapter 9, Cisco Security Agent, discusses the installation and configuration of the Cisco Security Agent Management Center (CSA MC). This section provides a series of tips on how to plan, deploy, and maintain CSA MC and the agent software. CSA MC provides a central policy-management and distribution point for the CSA agent kits. It is recommended that you place the CSA MC server on your management network (management VLAN). When doing this, you need to understand how the agents communicate...

CSA MC Rule Definitions

CSA MC takes a structured, hierarchical approach to applying rules to the agents. Individual rules are created and applied to a rule module. One or more rule modules are then applied to a policy. Policies are then attached to a group, which contains one or more agents. Figure 9-3 illustrates the hierarchical nature of CSA MC. Figure 9-3: Relationship Between Rules and Agents. Any change to a rule is applied to any agent that is part of a group, to which a policy is attached, which...

CTA Logging Service

CTA includes its own logging service, ctalogd, for recording events and troubleshooting issues with CTA and posture plug-ins. Because CTA is designed to be a silent application on the end host, logging is disabled by default. However, logging can be enabled through one of two methods, the first being the creation of a ctalogd.ini file. With logging enabled, CTA saves the log files in the following directories by default: Windows: C:\Program Files\Cisco Systems\CiscoTrustAgent\Logging\Logs; Mac and Linux: /var/log...

CTA Scripting Interface

CTA provides an optional Scripting Interface as a way for non-NAC-aware applications to provide CTA with posture information about that application. Cisco Secure ACS can then combine this additional posture information with the posture information received from NAC-aware applications and use it in determining the overall posture of the host. Although this is not a commonly used feature, it might be useful for companies that have a requirement to validate a specific attribute before making a...

CTA Wired Client System Report Utility

Troubleshooting issues with 802.1X authentication can be complicated. However, the CTA 802.1X wired client comes with a nice tool called System Report, found in the Cisco Trust Agent 802.1X wired client program group. When executed, this tool gathers the following information from the client: *-networks.xml and *-policy.xml (the network- and policy-configuration files); the contents of the profiles directory (all the configuration files for the client); log_current.txt (the CTA 802.1X wired client's...

Debug Commands

In previous chapters, you learned about the EoU logging capabilities on the Cisco IOS routers running NAC-L3-IP and Cisco Catalyst switches running NAC-L2-IP. EoU logging still applies when troubleshooting NAC-L3-IP and NAC-L2-IP in large organizations. However, in the case of NAC-L2-802.1X, debug dot1x events is a very useful command when troubleshooting 802.1X-related problems. Example 15-2 shows the output of debug dot1x events for a quarantined host. Example 15-2 debug dot1x events...

Defining ACS as a Reporting Device within CS-MARS

Before CS-MARS will analyze the events received from ACS, you must define ACS as a monitored device within CS-MARS. Follow these steps to accomplish this task: Step 1 Log in to the CS-MARS GUI interface and select the Admin tab. Step 2 In the Device Configuration and Discovery Information section, click the Security and Monitor Devices link. Step 3 Click the Add box on the far right of the screen. Step 4 In the Device Type drop-down list, select Add SW Security Apps on New Host. Step 5 Under the...

Defining CSA MC as a Reporting Device within CS-MARS

Before CS-MARS will analyze the events received from CSA MC, you must define CSA MC as a monitored device within CS-MARS. Follow these steps to accomplish this task: Step 1 Log in to the CS-MARS GUI interface and select the Admin tab. Step 2 In the Device Configuration and Discovery Information section, click the Security and Monitor Devices link. Step 3 Click the Add box on the far right of the screen. Step 4 In the Device Type drop-down list, select Add SW Security Apps on New Host. Step 5 In...

Defining the ASA/PIX Appliance as a Reporting Device within CS-MARS

Before the ASA or PIX appliance can be imported as a reporting device within CS-MARS, you must bootstrap it. This is done by enabling SSH or Telnet access to the appliance for the IP address assigned to CS-MARS and defining an SNMP read-only community string. CS-MARS uses the SSH or Telnet access to import the appliance's configuration. The SNMP read-only community string is optional, but it allows CS-MARS to monitor the CPU, memory, and interface utilization of the appliance. Apply the...

Defining the Cisco IOS Router as a Reporting Device within CS-MARS

Before you can begin to add the Cisco IOS router into CS-MARS, you need to bootstrap the router so that CS-MARS can discover and import it. CS-MARS discovers Cisco IOS routers through SNMP, SSH, Telnet, or a saved configuration on an FTP server. If the router has ACLs defined or NAT configured, it is recommended that you discover the router through either SSH or Telnet. In addition, you need to supply the SNMP Read-Only (RO) community string. The SNMP community string allows CS-MARS to query...

Defining the Cisco Switch as a Reporting Device within CS-MARS

CS-MARS supports both Cisco IOS-based switches and CatOS-based Cisco switches. The procedure to add them into the CS-MARS GUI is exactly the same. The only difference is the Device Type: for Cisco IOS-based switches, the Device Type is Cisco Switch-IOS 12.2; for CatOS-based switches, the Device Type is Cisco Switch-CatOS ANY. Before you can begin adding the switch into CS-MARS, you first need to bootstrap it so that CS-MARS can discover and import it. CS-MARS discovers switches through SNMP, SSH, Telnet, or...

Defining the VPN 3000 Concentrator as a Reporting Device within CS-MARS

Before the VPN 3000 concentrator can be imported as a reporting device within CS-MARS, you must bootstrap it. This is done by enabling SNMP and setting a read-only community string. Follow these steps to accomplish this task: Step 1 Enable SNMP by navigating to Configuration > System > Management Protocols > SNMP. Check the Enable box and click. Step 2 Next, set the SNMP community string by navigating to Configuration > System > Management Protocols > SNMP Communities. Click the Add...

Deploying and Troubleshooting NAC in Large Enterprises

In the previous two chapters, you learned the typical deployment scenarios in small and medium-size enterprises. This chapter demonstrates how to deploy NAC in a large enterprise, where most of the previous concepts still apply in a larger scheme. The typical large enterprise is an organization with more than 5,000 users, all located in different geographical locations. If your business resembles the one presented here, use this chapter, along with the previous two chapters, as your deployment...

Deploying and Troubleshooting NAC in Medium-Size Enterprises

All companies, whether small, medium, or large, focus on securing their network infrastructure. This not only includes updating their security devices, but it also requires updating security policies to deal with new and emerging security threats. This chapter provides a detailed deployment scenario of the Cisco NAC solution for a medium-size enterprise. This chapter presents real-life examples of how the Cisco NAC solution can be deployed at a medium-size organization. It discusses the typical...

Deploying and Troubleshooting NAC in Small Businesses

This is the first of three chapters devoted to helping you deploy NAC in your business. In the previous chapters, we covered all the individual pieces that make up the NAC Framework. Now we bring together all those components to demonstrate how to deploy NAC in a small business. In this chapter, we examine the typical small business with fewer than 100 employees, all located in the same building. If your business resembles the one presented here, use this chapter as your deployment template....

Deploying CTA in a Production Network

When you have thoroughly tested CTA in conjunction with the other components of NAC Framework in a lab environment and have decided on the configuration options for CTA, you can proceed with preparations for a production rollout. NOTE: Before continuing, it is assumed that you have already read most of the remaining chapters in this book and have made a detailed, phased plan for a production rollout of CTA. You should have identified the ACS boxes you will be using for NAC and obtained the...

Deploying CTA on Linux

As indicated earlier in this section, you need to create a custom distribution package that contains the cta-linux-version.i386.rpm file, along with the root CA certificate (located in the certs subdirectory) and, optionally, ctad.ini and ctalogd.ini, plus any third-party plugins (in the plugins subdirectory) you plan to use. With the custom distribution package created, follow the steps below to install CTA on Linux client machines. Step 1 Deploy the custom distribution package to your end...

Deploying CTA on Mac OS X

Earlier in this chapter, we extracted the cta-darwin-version.dmg disk image from the CTA admin installation file. The disk image includes the CiscoTrustAgent.mpkg package, which is used to install CTA. The disk image can also be customized by adding configuration .ini files, as well as the root CA certificate. Follow these steps to customize the disk image and install CTA on end clients: Step 1 Locate the cta-darwin-version.dmg disk image file in Finder and rename it to indicate that it has been...

Deployment Overview of NAC in a Medium-Size Enterprise

In this chapter, we discuss the deployment scenario of NAC in a fictitious company called SecureMe, Inc. This company, based in Chicago, has around a thousand employees and is looking to provide admission control for the users logging in to the network. Figure 14-1 shows the network topology of SecureMe, Inc. NOTE: Preparing your end users for NAC is the best way to avoid problems after deployment. Besides the typical messaging (e-mails, announcements, and so on), you can deploy NAC with a...

Deployment Scenarios

Chapter 13 Deploying and Troubleshooting NAC in Small Businesses
Chapter 14 Deploying and Troubleshooting NAC in Medium-Size Enterprises
Chapter 15 Deploying and Troubleshooting NAC in Large Enterprises

This chapter covers the following topics:
Defining the business requirements for deploying NAC in small businesses
Reviewing the small business's network topology
Configuring NAC in a small business
Troubleshooting the small business's NAC deployment

Diagnosing NAC on a VPN 3000 Concentrator

As described earlier in the chapter, SecureMe provides VPN services to its employees and wants the VPN client machines to go through the posture-validation process after the IPsec tunnels are established. After establishing the IPsec SAs, the concentrator initiates the EAPoUDP process. If a response is received from the VPN client, the concentrator knows that the VPN client has an active CTA agent, as illustrated in Example 14-5. You can view the output of these logs under Monitoring >...

Disabling Automatic Local Logins

With an administrator account created, it is time to secure access to ACS from the local machine by disabling automatic local logins. First, verify the new administrator account by logging in to ACS from a remote machine. Open a browser to http://ACS_Server_IP:2002 and log in with the administrator account. (The :2002 after the ACS server's IP address tells the browser to connect to TCP port 2002, which is where the ACS web server is listening.) When you have successfully logged in, disable...

Downloadable IP ACLs

Both NAC Layer 2 IP and Layer 3 IP use downloadable IP ACLs as the enforcement mechanism. After the posture-validation process, the resultant SPT is mapped to a downloadable IP ACL (in the Authorization policy of the network access profile), which is then pushed out to the NAD. The NAD then prepends this ACL to the top of the interface ACL to further restrict (or permit) access to the network. If the SPT returned for the end host is Healthy, the downloaded ACL is generally permit ip any any....

EAP over UDP Logging

You enabled EAP over UDP (or EOU, for short) logging on the switch during its configuration. Therefore, when a host is postured, the switch generates the EOU logs, which can be viewed by enabling logging on the switch at Level 6 or higher. The logs are standard syslogs and can be viewed in the local buffer, on the console monitor session, or on the syslog server. Example 13-4 illustrates an example from an agentless (clientless) host connecting to the switch. Example 13-4 Clientless Host EOU...

Editing the Certificate Trust List

The certificate trust list (CTL) is a further security step that ACS uses to decide whether to trust the CA certificate that is already installed. ACS implicitly trusts the CA that created the ACS identity certificate. Therefore, in many cases, this step is optional; however, for simplification, I recommend completing this step. Follow these steps to add the CA server to the ACS certificate trust list: Step 1 From the navigation frame on the left, select System Configuration. Step 2 Select ACS...

Editing the NAC-SAMPLE-CTA-POLICY

Previously, we used ACS's built-in NAC templates to create network access profiles for NAC. In doing so, ACS automatically created a posture-validation policy titled NAC-SAMPLE-CTA-POLICY. You can take a look at this policy by clicking the Posture Validation button on the left and then selecting Internal Posture Validation Setup > NAC-SAMPLE-CTA-POLICY. Notice the two posture-validation rules. The first rule contains two condition elements within the condition set. The second is the default...

End-User Education and Awareness

Some organizations already have extensive security-awareness programs that can be leveraged to provide much of the end-user education. Other organizations do not have these types of activities. It is highly recommended that you at least make your end users aware of what the impact might be when you start the deployment of NAC within your organization. This avoids confusion and might reduce the number of calls to your help-desk groups. Some of the awareness activities that can be leveraged...

Event Monitoring, Analysis, and Reporting

Protecting the network from threats is the first step toward securing it. However, event monitoring, analysis, and reporting are also vital pieces in understanding the network's security posture. Event monitoring: The process of receiving events (or alerts) from the network and presenting them to the user in real time and in a meaningful way. This is usually provided with some sort of dashboard where new events are displayed as they come in. Analysis: The process of taking the events received and...

Events Are Showing Up from an Unknown Reporting Device

If you run a Raw Event Query and see events arriving from an Unknown Reporting Device, but the IP matches one that you have defined on a monitored device, pat yourself on the back. You have just made the number one mistake that every CS-MARS owner hits about ten times in the first week. You forgot to click the Activate button in the upper-right corner of the page. The GUI front end is aware of the monitored device you configured. However, the database back end has not been made aware of it....

Events from a Specific Device Are Not Showing Up

You can determine whether CS-MARS is receiving events from a given device in two ways: submit an inline query for all raw messages, or use tcpdump to display packets from that device.

Submitting an Inline Query for All Raw Messages

The easiest way to determine whether events are arriving at CS-MARS from a specified device is to submit an inline query for all raw messages that CS-MARS is receiving. To do this, click the Query Reports tab. In the middle of the page, the query type Event Types ranked by...

Example ctad.ini

This section closes with a sample ctad.ini file. Example 2-1 shows a sample ctad.ini file that can be used as a template for Windows, Mac, or Linux systems. All attributes listed are shown at their default values, with the exception of the distinguished name matching section. Lines preceded by a semicolon are commented out.

The following apply to Windows and Mac only
The following apply to Windows, Mac, and Linux
The following apply to Mac and Linux only
(default) BrowserPath=/usr/bin/firefox...

Exception Policies

Exception policies specify which devices should be exempt from posture validation. When you configure exception policies in the Altiris Notification Server, the status of the device running the policy is set to Healthy, granting it access to the network. You can alternatively create exception lists on the network access devices or Cisco Secure ACS. Complete the following steps to configure exception policies in the Altiris Notification Server: Step 1 Access the Altiris Notification Server Console...

Executing the Scripting Interface

When all these steps are complete, the only remaining task is to have your script run the ctasi executable file to import the policy data file into the policy database. On a Windows box, the ctasi.exe file is located in the following directory: C:\Program Files\Common Files\PostureAgent. On Mac and Linux, it is located here. ctasi accepts two arguments passed in. The first is required. It must be the full path to the posture data file. The second is optional and represents whether the script...

External Posture Validation and Audit Servers

In the Posture Validation section, you can optionally configure both external posture-validation servers (antivirus servers) and external audit servers. When these servers are configured, ACS waits for the APT results from the external posture validation before combining it with the APTs from the internal posture validation to derive the SPT. Chapters 10, Antivirus Software Integration, and 11, Audit Servers, cover the required steps to configure ACS for external posture validation.

Generating Reports in CS-MARS

Up until now in this chapter, we have talked about how to configure CS-MARS to receive events from your NADs. However, what you really want to know about is how CS-MARS can help you monitor your network for NAC-specific events and map those to your company's overall security policies. This is where CS-MARS really shines. It takes in all the events generated by the various devices in your network and correlates, consolidates, rules out false positives, and alerts you to what is important to you....

Help Desk Staff Training

The help desk is the organization that will receive the first phone call when a user cannot connect or has limited access to the network. Part of the training that needs to be supplied to the help-desk staff is how to determine whether the issue is related to NAC. This training includes guidance on how to get the posture status of the end host, what the policy applied is, and what the remediation steps are. The help desk should also understand where the remediation systems are located and how...

How This Book Is Organized

Part I includes Chapter 1, which provides an overview of the NAC Framework solution and the technology and components used to implement it. The remainder of the book is divided into three parts. Part II encompasses Chapters 2 through 12 and covers the installation, configuration, deployment, and troubleshooting of the individual components that make up the NAC solution. The chapters should be read in order, but if you are not using one of the components of the NAC solution in your network, you...

Human Resources, Finance, and Sales Departments

Most of SecureMe's sales representatives are now at branch offices. However, several sales representatives reside at the fourth floor in the New York office. The human resources and finance departments are also on the same floor. Role-based authentication is important for these areas because each group should not have access to the others' data. NAC-L2-802.1X is configured to authenticate all users at these segments. SecureMe uses Microsoft Windows Active Directory for the user database. Cisco...

Importing Attribute Files to Cisco Secure ACS

For Cisco Secure ACS to communicate with the external Notification Server, you must import the Altiris attributes file. Complete the following steps to import the attributes file on Cisco Secure ACS: Step 1 On the Notification Server, locate the Altiris_ACS_Attrs.txt file under Program Files\Altiris\Notification Server\NSCap\Quarantine. Step 2 Copy the Altiris_ACS_Attrs.txt file to the Cisco Secure ACS Server. Step 3 From a command prompt, run the CSUtil.exe utility using the following...

Importing Vendor Attribute Value Pairs

By default, ACS includes only Cisco-specific vendor attributes for NAC, which are used in the posture-validation process. If you have a partner application installed on the end hosts and you want to validate the state of that application (as in the current virus definition file), the vendor's Attribute Definition File (ADF) must be imported into ACS. The ADF contains multiple attribute value pairs (AVPs) that define the attributes that ACS can query for posture compliance. When this process is...