Cisco Network Admission

Cisco Network Admission Control http://www.dropshippers.co.za/

Volume II: NAC Framework Deployment and Troubleshooting http://www.dropshippers.co.za/

The self-defending network in action http://www.dropshippers.co.za/

Jazib Frahim, CCIE® No. 5459 http://www.dropshippers.co.za/

Omar Santos http://www.dropshippers.co.za/

David White, Jr., CCIE No. 12,021 http://www.dropshippers.co.za/

When most information security professionals think about threats to their networks, they think about the threat of attackers from the outside. However, in recent years the number of computer security incidents occurring from trusted users within a company has equaled those occurring from external threats. The difference is, external threats are fairly well understood and almost all companies utilize tools and technology to protect against those threats. In contrast, the threats from internal trusted employees or partners are often overlooked and much more difficult to protect against. http://www.dropshippers.co.za/

Network Admission Control (NAC) is designed to prohibit or restrict access to the secured internal network from devices with a diminished security posture until they are patched or updated to meet the minimum corporate security requirements. A fundamental component of the Cisco® Self-Defending Network Initiative, NAC enables you to enforce host patch policies and to regulate network access permissions for noncompliant, vulnerable systems. http://www.dropshippers.co.za/

Cisco Network Admission Control, Volume II, helps you understand how to deploy the NAC Framework solution and ultimately build a self-defending network. The book focuses on the key components that make up the NAC Framework, showing how you can successfully deploy and troubleshoot each component and the overall solution. Emphasis is placed on real-world deployment scenarios, and the book walks you step by step through individual component configurations. Along the way, the authors call out best practices and tell you which mistakes to avoid. Component-level and solution-level troubleshooting techniques are also presented. Three full-deployment scenarios walk you through application of NAC in a small business, medium-sized organization, and large enterprise. http://www.dropshippers.co.za/

“To successfully deploy and troubleshoot the Cisco NAC solution requires thoughtful builds and design of NAC in branch, campus, and enterprise topologies. It requires a practical and methodical view towards building layered security and management with troubleshooting, auditing, and monitoring capabilities.” http://www.dropshippers.co.za/

—Jayshree V. Ullal, Senior Vice President, Datacenter, Switching and Security Technology Group, Cisco Systems® http://www.dropshippers.co.za/

Jazib Frahim, CCIE® No. 5459, is a senior network security engineer in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security team. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. http://www.dropshippers.co.za/

Omar Santos is a senior network security engineer in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security team. He has more than 12 years of experience in secure data communications. http://www.dropshippers.co.za/

David White, Jr., CCIE No. 12,021, has more than 10 years of networking experience with a focus on network security. He is currently an escalation engineer in the Cisco TAC, where he has been for more than six years. http://www.dropshippers.co.za/

• Effectively deploy the Cisco Trust Agent
• Configure Layer 2 IP and Layer 2 802.1x NAC on network access devices
• Examine packet flow in a Cisco IOS NAD when NAC is enabled, and configure Layer 3 NAC on the NAD
• Monitor remote access VPN tunnels
• Configure and troubleshoot NAC on the Cisco ASA and PIX security appliances
• Install and configure Cisco Secure Access Control Server (ACS) for NAC
• Install the Cisco Security Agent Manage-ment Center and create agent kits
• Add antivirus policy servers to ACS for external antivirus posture validation
• Understand and apply audit servers to your NAC solution
• Use remediation servers to automatically patch end hosts to bring them in compliance with your network policies
• Monitor the NAC solution using the Cisco Security Monitoring, Analysis, and Response System (MARS)
http://www.dropshippers.co.za/

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks. http://www.dropshippers.co.za/

Category: Cisco Press—Security http://www.dropshippers.co.za/

Covers: Network Admission Control http://www.dropshippers.co.za/

$60.00 USA / $75.00 CAN http://www.dropshippers.co.za/

Table of Contents

• Introduction
http://www.dropshippers.co.za/

Part I NAC Overview

Chapter 1

NAC Solution and Technology Overview http://www.dropshippers.co.za/

• Network Admission Control
• NAC: Phase I
• NAC: Phase II
• NAC Program Participants
• Components That Make Up the NAC Framework Solution
• Cisco Trust Agent
• Cisco Security Agent
• Network-Access Devices
• Cisco VPN 3000 Series Concentrator
• Cisco Secure Access Control Server
• Event Monitoring, Analysis, and Reporting
• Summary
• Review Questions
• Part II Configuration Guidelines
http://www.dropshippers.co.za/

Chapter 2

Cisco Trust Agent http://www.dropshippers.co.za/

• Preparing for Deployment of CTA
• Supported Operating Systems
• Deploying CTA in a Lab Environment
• CTA Windows Installation
• CTA Windows Installation with the 802.1X Wired Supplicant
• CTA Mac Installation
• CTA Linux Installation
• Installing the CA Certificate
• User Notifications
• Customizing CTA with the Optional ctad.ini File
• [main] Section
• [EAPoUDP] Section
• [UserNotifies] Section
• [ServerCertDNVerification] Distinguished Name-Matching Section
• [Scripting_Interface] Section
• Example ctad.ini
• CTA Scripting Interface
• Requirements for Using the Scripting Interface
• Executing the Scripting Interface
• CTA Logging Service
• Creating a ctalogd.ini File
• Using the clogcli Utility
• Deploying CTA in a Production Network
• Deploying CTA on Windows
• Deploying CTA on Mac OS X
• Deploying CTA on Linux
• Troubleshooting CTA
• Installation Issues
• Communication Issues
• System Logs
• CTA Client Fails to Receive a Posture Token
• CTA 802.1X Wired Client
• Client Is Disconnected (Suspended)
• Chapter Summary
• References
• Review Question
http://www.dropshippers.co.za/

Chapter 3

Cisco Secure Services Client http://www.dropshippers.co.za/

• Installing and Configuring the Cisco Secure Services Client
• Minimum System Requirements
• Installing the Cisco Secure Services Administrative Client
• Configuring the Cisco Secure Services Administrative Client
• Deploying the Cisco Secure Services Client in a Production Network
• End-User Client Deployment Installation Prerequisite
• Creating End-User Client-Configuration Files
• Creating the License File
• Deploying the End-User Client
• Viewing the Current Status of the Cisco Secure Services Client
• Windows Wireless Zero Configuration
• Troubleshooting the Cisco Secure Services Client
• System Report Utility
• Viewing the Client Logs and Connection Status in Real Time
• Client Icon Does Not Appear in System Tray
• Client GUI Does Not Start
• Client Does Not Prompt for Password
• Wireless Client Is Immediately Dissociated after 802.1X Authentication
• Client Is Disconnected (Suspended)
• Summary
• References
• Review Question
http://www.dropshippers.co.za/

Chapter 4

Configuring Layer 2 NAC on Network Access Devices http://www.dropshippers.co.za/

• NAC-L2-IP
• Architecture of NAC-L2-IP
• Configuring NAC-L2-IP
• Troubleshooting NAC-L2-IP
• NAC-L2-802.1X
• Architecture of NAC-L2-802.1X
• Configuring NAC-L2-802.1X
• MAC Authentication Bypass
• Troubleshooting NAC-L2-802.1X
• Configuring NAC-L2-802.1X on Cisco Wireless Access Points
• Summary
• Review Questions
http://www.dropshippers.co.za/

Chapter 5

Configuring Layer 3 NAC on Network Access Devices http://www.dropshippers.co.za/

• Architectural Overview of NAC on Layer 3 Devices
• Configuration Steps of NAC on Layer 3 Devices
• Step 1: Configuring AAA Authentication
• Step 2: Defining the RADIUS Server
• Step 3: Specifying the Interface Access Control List
• Step 4: Configuring the NAC Parameters
• Step 5: Defining the NAC Intercept Access Control List (Optional)
• Step 6: Setting Up the Exception Policies (Optional)
• Step 7: Configuring the Clientless Host Parameters (Optional)
• Step 8: Optimizing the NAC Parameters (Optional)
• Monitoring and Troubleshooting NAC on Layer 3 Devices
• Useful Monitoring Commands
• Troubleshooting NAC
• Summary
• Review Questions
http://www.dropshippers.co.za/

Chapter 6

Configuring NAC on Cisco VPN 3000 Series Concentrators http://www.dropshippers.co.za/

• Architectural Overview of NAC on Cisco VPN 3000 Concentrators
• Cisco Software Clients
• Microsoft L2TP over IPSec Clients
• Configuration Steps of NAC on Cisco VPN 3000 Concentrators
• VPN Configuration on the VPN 3000 Concentrator
• VPN Configuration on the Cisco VPN Client
• NAC Configuration on the VPN 3000 Concentrator
• Testing, Monitoring, and Troubleshooting NAC on Cisco VPN 3000 Concentrators
• Remote-Access IPSec Tunnel Without NAC
• Remote-Access IPSec Tunnel from an Agentless Client
• Remote-Access IPSec Tunnel from a CTA Client
• Summary
• Review Questions
http://www.dropshippers.co.za/

Chapter 7

Configuring NAC on Cisco ASA and PIX Security Appliances http://www.dropshippers.co.za/

• Architectural Overview of NAC on Cisco Security Appliances
• Stateless Failover for NAC
• Per-Group NAC Exception List
• Configuration Steps of NAC on Cisco Security Appliances
• VPN Configuration on the Security Appliances
• VPN Configuration on the Cisco VPN Client
• NAC Configuration on the Cisco Security Appliances
• Testing, Monitoring, and Troubleshooting NAC on Cisco Security Appliances
• Remote-Access IPSec Tunnel Without NAC
• Remote-Access IPSec Tunnel from an Agentless Client
• Remote-Access IPSec Tunnel from a CTA Client
• Monitoring of NAC Sessions
• Summary
• Review Questions
http://www.dropshippers.co.za/

Chapter 8

Cisco Secure Access Control Server http://www.dropshippers.co.za/

• Installing ACS
• Installation Prerequisites
• Installing ACS on a Windows Server
• Upgrading from Previous Versions of ACS Server
• Post-Installation Tasks
• Initial ACS Configuration
• Configuring Network Device Groups (Optional)
• Adding Network Access Devices
• Configuring RADIUS Attributes and Advanced Options
• Installing Certificates
• Configuring Global Authentication Protocols
• Creating Network Access Profiles Using NAC Templates
• Posture Validation
• Internal Posture-Validation Policies
• External Posture Validation and Audit Servers
• Miscellaneous Posture-Validation Options
• Posture Enforcement
• Downloadable IP ACLs
• VLAN Assignment
• Policy-Based ACLs
• RADIUS Authorization Components
• Network Access Profiles
• Protocols Policy
• Authentication Policy
• Posture Validation Policy
• Authorization Policy
• Network Access Filtering
• NAC Agentless Hosts
• Centralized Agentless Host Policy for NAC-L3-IP and NAC-L2-IP
• Centralized Agentless Host Policy for NAC-L2-802.1X (MAC Authentication Bypass)
• Configuring the Agentless Host Policy on ACS
• User Databases
• Importing Vendor Attribute-Value Pairs
• Enabling Logging
• Configuring Failed Attempts Logging
• Configuring Passed Authentications Logging
• Configuring RADIUS Accounting Logging
• Replication
• Troubleshooting ACS
• Enabling Service Debug Logging
• Invalid Protocol Data
• RADIUS Posture-Validation Requests Are Not Mapped to the Correct NAP
• RADIUS Dictionaries Missing from the Interface Configuration Section
• Certificate Issues—EAP-TLS or PEAP Authentication Failed During SSL Handshake in Failed Attempts Log
• Summary
• Review Questions
http://www.dropshippers.co.za/

Chapter 9

Cisco Security Agent http://www.dropshippers.co.za/

• Cisco Security Agent Architecture
• CSA MC Rule Definitions
• Global Event Correlation
• Installing Cisco Security Agents Management Center
• Configuring CSA NAC-Related Features
• Creating Groups
• Creating Agent Kits
• System State and NAC Posture Changes
• Summary
• Review Questions
http://www.dropshippers.co.za/

Chapter 10

Antivirus Software Integration http://www.dropshippers.co.za/

• Supported Antivirus Software Vendors
• Antivirus Software Posture Plug-Ins
• Antivirus Policy Servers and the Host Credential Authorization Protocol (HCAP)
• Adding External Antivirus Policy Servers in Cisco Secure ACS
• Summary
• Review Questions
http://www.dropshippers.co.za/

Chapter 11

Audit Servers http://www.dropshippers.co.za/

• Options for Handling Agentless Hosts
• MAC Authentication Bypass
• Audit Servers
• Architectural Overview of NAC for Agentless Hosts
• Configuring Audit Servers
• Installation of QualysGuard Scanner Appliance
• Configuration of QualysGuard Scanner Appliance
• Configuration of CS-ACS Server
• Monitoring of Agentless Hosts
• Monitoring Agentless Hosts on QualysGuard Scanner
• Monitoring CS-ACS Logs
• Monitoring Agentless Hosts on a Cisco NAD
• Summary
• Review Questions
http://www.dropshippers.co.za/

Chapter 12

Remediation http://www.dropshippers.co.za/

• Altiris
• Altiris Network Discovery
• Importing Attribute Files to Cisco Secure ACS
• Setting External Posture Validation Audit Server on Cisco Secure ACS
• Installing the Altiris Network Access Agent and Posture Plug-In
• Exception Policies
• Creating Posture Policies on the Altiris Notification Server
• PatchLink
• Summary
• Review Questions
http://www.dropshippers.co.za/

Part III Deployment Scenarios

Chapter 13

Deploying and Troubleshooting NAC in Small Businesses http://www.dropshippers.co.za/

• NAC Requirements for a Small Business
• Small Business Network Topology
• Configuring NAC in a Small Business
• Cisco Secure ACS
• End-User Clients
• Switches
• Web Server
• Troubleshooting NAC Deployment in a Small Business
http://www.dropshippers.co.za/

show

Commands http://www.dropshippers.co.za/

• EAP over UDP Logging
• Cisco Secure ACS Logging
• Certificate Issues: EAP-TLS or PEAP Authentication Failed During SSL Handshake
• Incorrect Time or Date
• Summary
• Review Questions
http://www.dropshippers.co.za/

Chapter 14

Deploying and Troubleshooting NAC in Medium-Size Enterprises http://www.dropshippers.co.za/

• Deployment Overview of NAC in a Medium-Size Enterprise
• The User Network
• The Management Network
• The Quarantine Network
• Business Requirements for NAC in a Medium-Size Enterprise
• Medium-Size Enterprise NAC Solution Highlights
• Enforcement Actions
• Steps for Configuring NAC in a Medium-Size Enterprise
• Catalyst 6500 CatOS Configuration
• VPN 3000 Concentrator Configuration
• Audit Server Configuration
• Altiris Quarantine Solution Configuration
• Trend Micro Policy Server Configuration
• Cisco Secure ACS Configuration
• CSA-MC Server Configuration
• End-User Clients
• Monitoring and Troubleshooting NAC in a Medium-Size Enterprise
• Diagnosing NAC on Catalyst 6500 Switch
• Diagnosing NAC on a VPN 3000 Concentrator
• Cisco Secure ACS Logging
• Summary
• Review Questions
http://www.dropshippers.co.za/

Chapter 15

Deploying and Troubleshooting NAC in Large Enterprises http://www.dropshippers.co.za/

• Business Requirements for Deploying NAC in a Large Enterprise
• Security Policies
• Enforcement Actions
• Design and Network Topology for NAC in a Large Enterprise
• Branch Office
• Regional Office
• Headquarters
• Configuring NAC in a Large Enterprise
• ACS
• End-User Clients
• Switches
• Troubleshooting NAC Deployment in a Large Enterprise
http://www.dropshippers.co.za/

show

Commands http://www.dropshippers.co.za/

debug

Commands http://www.dropshippers.co.za/

• ACS Logs and CS-MARS
• Summary
• Review Questions
http://www.dropshippers.co.za/

Part IV Managing and Monitoring NAC

Chapter 16

NAC Deployment and Management Best Practices http://www.dropshippers.co.za/

• A Phased Approach to Deploying NAC Framework
• Readiness Assessment
• Stakeholders
• Initial Lab Environment
• Test Plans
• Initial Tuning
• Final Deployment Strategy
• Provisioning of User Client Software
• CSA Management
• Maintaining NAC Policies
• Keeping Operating System Policies Up-to-Date
• Keeping Your Antivirus Policies Up-to-Date
• Maintenance of Remediation Servers and Third-Party Software
• Technical Support
• Education and Awareness
• End-User Education and Awareness
• Help-Desk Staff Training
• Engineering and Networking Staff Training
• Summary
• References
• Review Questions
http://www.dropshippers.co.za/

Chapter 17

Monitoring the NAC Solution Using the Cisco Security Monitoring, Analysis, and Response System http://www.dropshippers.co.za/

• CS-MARS Overview
• Setting Up Cisco IOS Routers to Report to CS-MARS
• Defining the Cisco IOS Router as a Reporting Device within CS-MARS
• Configuring the Cisco IOS Router to Forward Events to CS-MARS
• Setting Up Cisco Switches to Report to CS-MARS
• Defining the Cisco Switch as a Reporting Device within CS-MARS
• Configuring the Cisco Switch to Forward Events to CS-MARS
• Configuring ACS to Send Events to CS-MARS
• Defining ACS as a Reporting Device within CS-MARS
• Configuring Logging on ACS
• Configuring 802.1X NADs in ACS to Report to CS-MARS
• Installing the pnlog Agent on ACS
• Configuring CSA to Send Events to CS-MARS
• Defining CSA-MC as a Reporting Device within CS-MARS
• Configuring CSA-MC to Forward Events to CS-MARS
• Configuring VPN 3000 Concentrators to Send Events to CS-MARS
• Defining the VPN 3000 Concentrator as a Reporting Device within CS-MARS
• Configuring the VPN 3000 Concentrator to Forward Events to CS-MARS
• Configuring the Adaptive Security Appliance and PIX Security Appliance to Send Events to CS-MARS
• Defining the ASA/PIX Appliance as a Reporting Device within CS-MARS
• Configuring the ASA/PIX Appliance to Forward Events to CS-MARS
• Configuring QualysGuard to Send Events to CS-MARS
• Generating Reports in CS-MARS
• NAC Report—Top Tokens
• NAC Report—Infected/Quarantine—Top Hosts
• NAC Report—Agentless (Clientless) Hosts
• Creating Scheduled NAC Reports
• Troubleshooting CS-MARS
• Events from a Specific Device Are Not Showing Up
• Events Are Showing Up from an Unknown Reporting Device
• Trouble Discovering a Monitored Device
• Summary
• Reference
• Review Questions
http://www.dropshippers.co.za/

Part V Appendix

Appendix A

Answers to Review Questions http://www.dropshippers.co.za/

• 1587052253 TOC 11/2/2006
http://www.dropshippers.co.za/