Cisco NAC Appliance: Enforcing Host Security with Clean Access
- By Jamey Heary, Jerry Lin, Chad Sullivan, Alok Agrawal
- Published Aug 6, 2007 by Cisco Press.
Book
- Sorry, this book is no longer in print.
- Copyright 2008
- Dimensions: 7-3/8" x 9-1/8"
- Pages: 576
- Edition: 1st
- ISBN-10: 1-58705-306-3
- ISBN-13: 978-1-58705-306-1
Cisco NAC Appliance
Enforcing Host Security with Clean Access
Authenticate, inspect, remediate, and authorize end-point devices using Cisco NAC Appliance
Jamey Heary, CCIE® No. 7680
Contributing authors: Jerry Lin, CCIE No. 6469,
Chad Sullivan, CCIE No. 6493, and Alok Agrawal
With today's security challenges and threats growing more sophisticated, perimeter defense alone is no longer sufficient. Few organizations are closed entities with well-defined security perimeters, which has led to the creation of perimeterless networks with ubiquitous access. Organizations need to have internal security systems that are more comprehensive, pervasive, and tightly integrated than in the past.
Cisco® Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access, provides a powerful host security policy inspection, enforcement, and remediation solution that is designed to meet these new challenges. Cisco NAC Appliance allows you to enforce host security policies on all hosts (managed and unmanaged) as they enter the interior of the network, regardless of their access method, ownership, device type, application set, or operating system. Cisco NAC Appliance provides proactive protection at the network entry point.
Cisco NAC Appliance provides you with all the information needed to understand, design, configure, deploy, and troubleshoot the Cisco NAC Appliance solution. You will learn about all aspects of the NAC Appliance solution including configuration and best practices for design, implementation, troubleshooting, and creating a host security policy.
Jamey Heary, CCIE® No. 7680, is a security consulting systems engineer at Cisco, where he works with its largest customers in the northwest United States. Jamey joined Cisco in 2000 and currently leads its Western Security Asset team and is a field advisor for its U.S. Security Virtual team. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP®, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. He has been working in the IT field for 13 years and in IT security for 9 years.
- Understand why network attacks and intellectual property losses can originate from internal network hosts
- Examine different NAC Appliance design options
- Build host security policies and assign the appropriate network access privileges for various user roles
- Streamline the enforcement of existing security policies with the concrete measures NAC Appliance can provide
- Set up and configure the NAC Appliance solution
- Learn best practices for the deployment of NAC Appliance
- Monitor, maintain, and troubleshoot the Cisco NAC Appliance solution
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Cisco Press–Security
Covers: End-Point Security
Online Sample Chapter
The Building Blocks in a Cisco NAC Appliance Design
Downloadable Sample Chapter
Download Chapter 3: The Building Blocks in a Cisco NAC Appliance Design
Table of Contents
Introduction xxii
Part I The Host Security Landscape 3
Chapter 1 The Weakest Link: Internal Network Security 5
Security Is a Weakest-Link Problem 6
Hard Outer Shell with a Chewy Inside: Dealing with Internal Security Risks 7
The Software Update Race: Staying Ahead of Viruses, Worms, and Spyware 9
Summary 10
Chapter 2 Introducing Cisco Network Admission Control Appliance 13
Cisco NAC Approaches 13
NAC as an Appliance 13
NAC as an Embedded Solution 15
Cisco NAC Integrated Implementation 16
Cisco NAC Appliance Overview 16
Cisco NAC Return on Investment 17
Summary 18
Part II The Blueprint: Designing a Cisco NAC Appliance Solution 21
Chapter 3 The Building Blocks in a Cisco NAC Appliance Design 23
Cisco NAC Appliance Solution Components 23
Cisco NAC Appliance Manager 24
Cisco NAC Appliance Server 25
Cisco Clean Access Agent 28
Cisco NAC Appliance Network Scanner 29
Cisco NAC Appliance Minimum Requirements 30
Cisco NAC Appliance Manager and Server Requirements 31
Cisco Clean Access Agent Requirements 32
Scalability and Performance of Cisco NAC Appliance 33
Summary 33
Chapter 4 Making Sense of All the Cisco NAC Appliance Design Options 35
NAC Design Considerations 35
Single-Sign-On Capabilities 36
In-Band Versus Out-of-Band Overview 36
Layer 2 Versus Layer 3 Client Adjacency Overview 37
Virtual Gateway Versus Real IP Gateway Overview 37
Deployment Options 38
How to Choose a Client/Server Adjacency Mode 39
Layer 2 Mode 40
Layer 3 Mode 40
Layer 2 Strict Mode for Clean Access Agent 41
How to Choose a Network Mode 42
Virtual Gateway Mode 42
Real IP Gateway Mode 43
In-Band Mode 43
The Certification Process in In-Band Mode 44
Certification Steps for Host with Clean Access Agent 44
Steps for Client to Acquire an IP Address 44
Clean Access Agent Authentication Steps 45
Clean Access Agent Host Security Posture Assessment Steps 45
Clean Access Agent Network Scanner Steps 46
Agent Post-Certification Steps 47
Login Steps for Host Using Web Login (No Clean Access Agent) 47
Web Login Authentication Steps 48
Web Login Network Scanning Steps 48
Post-Web Login Steps 50
Advantages of Using In-Band Mode 50
Disadvantages of Using In-Band Mode 51
Where You Can Use In-Band Mode 51
Out-of-Band Mode 52
How the Adjacency Mode Affects Out-of-Band Operation 56
Layer 3 Out-of-Band Traffic Control Methods 58
How the Network Mode Affects Out-of-Band Operation 65
Login Steps with OOB in L2 Adjacency, Virtual Gateway Mode 68
Initial Steps for OOB Clients 69
Clean Access Agent Authentication Steps in OOB 71
Agent Host Security Posture Assessment Steps for OOB 71
Agent Post-Certification Steps for OOB 72
Login Steps for OOB in L3 Adjacency, Real IP Mode 73
Initial Client Steps for L3 OOB 74
Steps to Obtain an IP Address in L3 OOB 74
Client Authentication and PBR Steps in L3 OOB 75
Client Certification and Post-Certification Steps in L3 OOB 76
Advantages of Using Out-of-Band Mode 77
Disadvantage of Using Out-of-Band Mode 78
Where You Can Use Out-of-Band Mode and Where You Cannot 78
Switches Supported by NAC Appliance Out-of-Band 78
Clean Access Agent and Web Login with Network Scanner 81
Summary 85
Chapter 5 Advanced Cisco NAC Appliance Design Topics 87
External Authentication Servers 87
Mapping Users to Roles Using Attributes or VLAN IDs 89
MAC Address Authentication Filters 92
Single Sign-On 93
Active Directory SSO 93
Active Directory SSO Prerequisites 94
How Active Directory SSO Works 94
VPN SSO 96
VPN SSO Prerequisites 96
How VPN SSO Works 96
Cisco Wireless SSO 99
Cisco Wireless SSO Prerequisites 99
How Cisco Wireless SSO Works 99
NAC Appliance and IP Telephony Integration 101
IP Telephony Best Practices for In-Band Mode 101
IP Telephony Best Practices for Out-of-Band Mode 102
High Availability and Load Balancing 104
High Availability 106
Stateful Failover of NAC Appliance Manager 107
Stateful Failover of NAC Appliance Server 108
Fallback Feature on NAC Appliance Server 109
Spanning Tree N+1 110
Load Balancing 112
Cisco Content Switching Module or Standalone Content Services Switch 113
NAC Appliance Server Load Balancing Using Policy-Based Routing 116
Summary 118
Part III The Foundation: Building a Host Security Policy 121
Chapter 6 Building a Cisco NAC Appliance Host Security Policy 123
What Makes Up a Cisco NAC Appliance Host Security Policy? 123
Host Security Policy Checklist 124
Involving the Right People in the Creation of the Host Security Policy 124
Determining the High-Level Goals for Host Security 126
Common High-Level Host Security Goals 127
Defining the Security Domains 129
Understanding and Defining NAC Appliance User Roles 132
Built-In User Roles 133
Unauthenticated Role 134
Normal Login Role 134
Temporary Role 134
Quarantine Role 135
Commonly Used Roles and Their Purpose 136
Establishing Acceptable Use Policies 138
Checks, Rules, and Requirements to Consider 143
Sample HSP Format for Documenting NAC Appliance Requirements 148
Common Checks, Rules, and Requirements 149
Method for Adding Checks, Rules, and Requirements 150
Research and Information 150
Establishing Criteria to Determine the Validity of a Security Check, Rule, or Requirement in Your Organization 152
Method for Determining Which User Roles a Particular Security Requirement Should Be Applied To 153
Method for Deploying and Enforcing Security Requirements 153
Defining Network Access Privileges 154
Enforcement Methods Available with NAC Appliance 155
Commonly Used Network Access Policies 156
Summary 160
Part IV Cisco NAC Appliance Configuration 163
Chapter 7 The Basics: Principal Configuration Tasks for the NAM and NAS 165
Understanding the Basic Cisco NAC Appliance Concepts 165
NAM Overview 166
NAM Hardware Installation Requirements 166
NAM Software Installation Requirements 166
How to Connect NAM 166
Performing Initial NAM Configurations 167
NAC Licensing 172
NAM GUI Description 173
NAS Overview 175
NAS Hardware Installation Requirements 175
NAS Software Installation Requirements 176
NAS Software License Requirement 176
How to Connect NAS 176
Performing Initial NAS Configurations 176
NAS GUI Description 179
Configuring NAS Deployment Mode 182
In-Band Deployment Options 182
Out-of-Band Deployment Options 186
Understanding NAS Management Within the NAM GUI 186
Global Versus Local Settings 187
Global Settings 187
Local NAS Settings 193
Adding Additional NAS Appliances 201
Summary 201
Chapter 8 The Building Blocks: Roles, Authentication, Traffic Policies, and User Pages 203
Configuring User Roles 203
Creating Custom Roles 203
Editing or Deleting a Custom Role 206
Configuring Role Assignment 207
Creating a Local User and Assigning a Role 207
Assigning a Role by VLAN 209
Assigning a Role by MAC and IP Address 213
Assigning a Role by Subnet 217
Assigning a Role by External Authentication Source Attributes 219
Role Mapping Summary 219
Configuring Authentication 220
Creating Admin Users and Groups 220
Creating an Admin Group 220
Creating an Admin User 222
Adding External Authentication Sources 222
Adding a RADIUS External Authentication Source 223
Adding an LDAP/AD External Authentication Source 224
Configuring and Creating Traffic Policies 226
IP-Based Traffic Control Policy 227
Host-Based Traffic Control Policy 229
Bandwidth Policies 230
Customizing User Pages and Guest Access 232
Login Pages 232
Guest Access 236
API for Guest Access 236
Summary 237
Chapter 9 Host Posture Validation and Remediation: Cisco Clean Access Agent and Network Scanner 239
Understanding Cisco NAC Appliance Setup 239
Cisco NAC Appliance Updates 240
General Setup 242
Web Login 242
Agent Login 243
Certified Devices 245
Certified List 245
Add Exempt Device 246
Add Floating Device 246
Timer 249
Cisco Clean Access Agent 250
Agent Installation Process 250
Sample Agent Installation 251
Agent Distribution 255
Alternative Agent Installation Methods 257
Agent Policy Enforcement 258
Requirements, Rules, and Checks 258
Creating and Enforcing a Requirement 258
Creating Checks 264
Creating a Custom Rule 266
Network Scanning 266
Nessus Plug-Ins 266
Scanning Setup 267
Vulnerability Handling 269
User Agreement Configuration 271
Testing the Scanning Setup 271
Summary 273
Chapter 10 Configuring Out-of-Band 275
Out-of-Band Overview and Design 275
User Access Method 275
Switch Support 275
Central Deployment Mode or Edge Deployment Mode 276
Layer 2 or Layer 3 276
Gateway Mode for NAC Appliance Server 276
Simple Network Management Protocol Trap to Trigger the NAC Process 277
Port-Based VLAN Assignment or User Role-Based VLAN Assignment 278
Sample Design and Configuration for Layer 2 Out-of-Band Deployment 278
Step 1: Configuring the Switch 279
Configuring VLAN Trunking Protocol and VLANs 279
Configuring SVIs 280
Configuring the Switch as a DHCP Server 281
Configuring Fa1/0/1: The Interface Connecting the NAC Appliance Manager eth0 Port 282
Configuring Fa1/0/3: The Interface Connecting the Trusted Port (eth0) of NAC Appliance Server 282
Configuring Fa1/0/4: The Interface Connecting the Untrusted Port (eth1) of NAC Appliance Server 283
Configuring Fa1/0/5: The Interface Connecting the Host 283
Configuring Simple Network Management Protocol 283
Step 2: Configuring NAC Appliance Manager 284
Step 3: Configuring NAC Appliance Server 286
Step 4: Logging In to NAC Appliance Manager 288
Step 5: Adding NAC Appliance Server to NAC Appliance Manager 289
Step 6: Editing Network Settings on NAC Appliance Server 290
Step 7: Configuring VLAN Mapping 291
Step 8: Configuring Managed Subnets 292
Step 9: Configuring a Switch Group 293
Step 10: Configuring a Switch Profile 294
Step 11: Configuring a Port Profile 295
Step 12: Configuring the SNMP Receiver 296
Step 13: Adding a Switch to NAC Appliance Manager 297
Step 14: Configuring Ports to Be Managed by NAC 298
Step 15: Configuring User Roles 299
Step 16: Configuring User Authentication on the Local Database 303
Step 17: Testing Whether OOB and User Role-Based VLAN Assignment Works 304
Sample Design and Configuration for Layer 3 Out-of-Band Deployment 310
Step 1: Configuring the Switches 311
Configuring the Central Switch 311
Configuring the Edge Switch 313
Step 2: Configuring NAC Appliance Manager 318
Step 3: Configuring NAC Appliance Server 319
Step 4: Logging In to NAC Appliance Manager 322
Step 5: Adding NAC Appliance Server to NAC Appliance Manager 322
Step 6: Editing Network Settings on NAC Appliance Server 323
Step 7: Configuring Static Routes 324
Step 8: Configuring a Switch Group 325
Step 9: Configuring a Switch Profile 326
Step 10: Configuring a Port Profile 326
Step 11: Configuring the SNMP Receiver 328
Step 12: Adding the Switch to NAC Appliance Manager 328
Step 13: Configuring Ports to Be Managed by NAC Appliance 330
Step 14: Configuring User Roles 331
Step 15: Configuring User Authentication on the Local Database 334
Step 16: Changing the Discovery Host 335
Step 17: Configuring the Web Login Page 336
Step 18: Testing Whether OOB and User Role-Based VLAN Assignment Works 337
Additional Out-of-Band Considerations 342
Summary 343
Chapter 11 Configuring Single Sign-On 345
Active Directory Single Sign-On Overview 345
Supported Devices for AD SSO 345
Basic AD SSO Configuration Steps 346
Configuring Single Sign-On for Windows AD 347
NAM Configuration 348
NAS Configuration 349
Layer 3 3550 Core Switch Configuration 352
3500XL Edge Layer 2 Switch Configuration 354
Active Directory or Domain Controller Configuration 355
Beginning Overall Setup 356
Adding an AD Server as an AD SSO Auth Server 357
Configuring Traffic Policies and Ports in the Unauthenticated Role for AD Authentication 358
Configuring AD SSO Settings in NAS 359
Configuring the AD Server and Running the ktpass Command 360
Enabling Agent-Based Windows AD SSO 364
Enabling GPO Updates 364
(Optional) Adding LDAP Lookup Server to Map Users to Multiple Roles 366
LDAP Browser (Not Required but Very Helpful) 366
Configuring LDAP Lookup Server in NAM 368
User Attributes in Active Directory 370
Enabling DHCP in NAS 379
Enabling User Login Pages in NAM 382
NAC Agent Download and Login 382
Configuring Single Sign-On for VPN 386
ACS Setup 388
ASA-5510 VPN Setup 388
Configuring NAS to Support VPN SSO 393
Configuring Single Sign-On for Cisco Wireless LAN Controller 398
ACS Server Setup 399
WLC Setup 399
NAM/NAS Setup 402
Summary 403
Chapter 12 Configuring High Availability 405
High Availability on NAC Appliance Manager 405
High Availability on NAC Appliance Server 408
Example of a High Availability Configuration for NAC Appliance Manager and Server 411
Adding NAC Appliance Managers in High Availability Mode 412
Adding a CA-Signed Certificate to the Primary NAC Appliance Manager 413
Generating a Self-Signed Temporary Certificate on the Primary NAC Appliance Manager 414
Adding a Certificate to the Secondary NAC Appliance Manager 415
Configuring High Availability for NAC Appliance Managers 416
Adding NAC Appliance Servers in High Availability Mode 418
Configuring the eth2 Interfaces 419
Configuring the Primary Server for High Availability 420
Configuring the Secondary Server for High Availability 429
Setting Up DHCP Failover on NAC Appliance Servers 438
Troubleshooting HA 440
Summary 440
Part V Cisco NAC Appliance Deployment Best Practices 443
Chapter 13 Deploying Cisco NAC Appliance 445
Pre-Deployment Phase 446
Executive Summary 447
Scope 447
Vision 448
NAC Appliance Overview (Diagram) 448
Host Security Policy 448
Business Drivers for Deployment 448
Deployment Schedule 449
Resources 449
New Equipment 451
Support Plan 451
Communication Plan 451
Cisco NAC Appliance Training 451
Deployment Plan Overview 452
Proof of Concept Phase 454
Pilot Phase 455
Production Deployment Phases 456
Production Deployment Phase 1: Initial Introduction to User Community 456
Production Deployment Phase 2: Implementing Host Security Policy Checks Without Enforcement 457
Production Deployment Phase 3: Host Security Policy Enforcement 458
Summary 459
Part VI Cisco NAC Appliance Monitoring and Troubleshooting 461
Chapter 14 Understanding Cisco NAC Appliance Monitoring 463
Understanding the Various Monitoring Pages and Event Logs 463
Summary Page 463
Discovered Clients and Online Users Pages 465
Discovered Clients Page 466
Online Users Page 467
Event Logs 470
Understanding and Changing Logging Levels of NAC Appliance 474
SNMP 477
Understanding Monitoring of Web Login and Clean Access Agents 480
Clean Access Agent Reports 480
Certified List 484
Manually and Automatically Clearing the Certified List 486
Requiring Certification for Every Login 488
Summary of the Behavior of the Certified List 490
Monitoring the Status of NAC Appliance Manager and NAC Appliance Servers 490
Manager and Server Monitoring Using the Linux CLI 491
Manager and Server Monitoring Using the Web GUI 492
Summary 493
Chapter 15 Troubleshooting Cisco NAC Appliance 495
Licensing Issues 495
Adding NAS to NAM 496
Policy Issues 498
Agent Issues 500
Out-of-Band Issues 504
Single Sign-On Issues 509
AD SSO 509
VPN and Wireless SSO 512
High Availability Issues 513
Useful Logs 516
NAM Logs 516
NAS Logs 516
Additional Logs 517
Common Issues Encountered by the Help Desk in the First 30 Days 517
Users Not Being Able to Get a Web Login Page, or the NAC Appliance Agent Not Popping 518
Users Not Being Able to Authenticate 518
Users Getting Stuck in the Quarantine or Temporary Role 519
Users Not Being Put in the Correct VLAN or Not Getting Access to Certain Resources 520
Summary 521
Appendix Sample User Community Deployment Messaging Material 523
Sample NAC Appliance Requirement Change Notification E-Mail 523
Sample NAC Appliance Notice for Bulletin Board or Poster 524
Sample NAC Appliance Letter to Students 526
Index 528