Cisco Network Admission Control, Volume II: NAC Framework Deployment and Troubleshooting
Customer Reviews: 1 Average Customer Rating:  Write a Review and tell the world about this title! People who purchase this book frequently purchase: - Cisco Network Admission Control, Volume I: NAC Architecture and Design; Denise Helfrich, et al, $42.50, 23% Off!
- Security Threat Mitigation and Response: Understanding Cisco Security MARS; Dale Tesch, et al, $42.50, 23% Off!
- Cisco Voice Gateways and Gatekeepers (CCVP 642-452 GWGK); David Mallory, et al, $54.50, 22% Off!
- Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance; Omar Santos, et al, $61.95, 23% Off!
Books on similar topics, in best-seller order:Books from the same publisher, in best-seller order:
When most information security professionals think
about threats to their networks, they think about the threat of attackers
from the outside. However, in recent years the number of computer security
incidents occurring from trusted users within a company has equaled those
occurring from external threats. The difference is, external threats are
fairly well understood and almost all companies utilize tools and technology
to protect against those threats. In contrast, the threats from internal
trusted employees or partners are often overlooked and much more difficult
to protect against.
Network Admission Control (NAC) is designed to prohibit
or restrict access to the secured internal network from devices with a diminished
security posture until they are patched or updated to meet the minimum corporate
security requirements. A fundamental component of the Cisco Self-Defending
Network Initiative, NAC enables you to enforce host patch policies and to
regulate network access permissions for noncompliant, vulnerable systems.
Cisco Network Admission Control, Volume II, helps
you understand how to deploy the NAC Framework solution and ultimately build
a self-defending network. The book focuses on the key components that make
up the NAC Framework, showing how you can successfully deploy and troubleshoot
each component and the overall solution. Emphasis is placed on real-world
deployment scenarios, and the book walks you step by step through individual
component configurations. Along the way, the authors call out best practices
and tell you which mistakes to avoid. Component-level and solution-level
troubleshooting techniques are also presented. Three full-deployment scenarios
walk you through application of NAC in a small business, medium-sized organization,
and large enterprise.
"To successfully deploy and troubleshoot the Cisco NAC solution requires
thoughtful builds and design of NAC in branch, campus, and enterprise topologies.
It requires a practical and methodical view towards building layered security
and management with troubleshooting, auditing, and monitoring capabilities."
-- Jayshree V. Ullal, Senior Vice President, Datacenter, Switching and Security
Technology Group, Cisco Systems
- Effectively deploy the Cisco Trust Agent
- Configure Layer 2 IP and Layer 2 802.1x NAC on network access devices
- Examine packet flow in a Cisco IOS NAD when NAC is enabled, and configure
Layer 3 NAC on the NAD
- Monitor remote access VPN tunnels
- Configure and troubleshoot NAC on the Cisco ASA and PIX security appliances
- Install and configure Cisco Secure Access Control Server (ACS) for NAC
- Install the Cisco Security Agent Manage-ment Center and create agent
kits
- Add antivirus policy servers to ACS for external antivirus posture validation
- Understand and apply audit servers to your NAC solution
- Use remediation servers to automatically patch end hosts to bring them
in compliance with your network policies
- Monitor the NAC solution using the Cisco Security Monitoring, Analysis,
and Response System (MARS)
This security book is part of the Cisco Press Networking
Technology Series. Security titles from Cisco Press help networking professionals
secure critical data and resources, prevent and mitigate network attacks,
and build end-to-end self-defending networks.
Table of Contents
Introduction
Part I NAC Overview
Chapter 1 NAC Solution and Technology Overview
Network Admission Control
NAC: Phase I
NAC: Phase II
NAC Program Participants
Components That Make Up the NAC Framework Solution
Cisco Trust Agent
Cisco Security Agent
Network-Access Devices
Cisco VPN 3000 Series Concentrator
Cisco Secure Access Control Server
Event Monitoring, Analysis, and
Reporting
Summary
Review Questions
Part II Configuration Guidelines
Chapter 2 Cisco Trust Agent
Preparing for Deployment of CTA
Supported Operating Systems
Deploying CTA in a Lab Environment
CTA Windows Installation
CTA Windows Installation with the
802.1X Wired Supplicant
CTA Mac Installation
CTA Linux Installation
Installing the CA Certificate
User Notifications
Customizing CTA with the Optional ctad.ini File
[main] Section
[EAPoUDP] Section
[UserNotifies] Section
[ServerCertDNVerification]
Distinguished Name-Matching Section
[Scripting_Interface] Section
Example ctad.ini
CTA Scripting Interface
Requirements for Using the Scripting
Interface
Executing the Scripting Interface
CTA Logging Service
Creating a ctalogd.ini File
Using the clogcli Utility
Deploying CTA in a Production Network
Deploying CTA on Windows
Deploying CTA on Mac OS X
Deploying CTA on Linux
Troubleshooting CTA
Installation Issues
Communication Issues
System Logs
CTA Client Fails to Receive a Posture
Token
CTA 802.1X Wired Client
Client Is Disconnected (Suspended)
Chapter Summary
References
Review Question
Chapter 3 Cisco Secure Services Client
Installing and Configuring the Cisco Secure Services
Client
Minimum System Requirements
Installing the Cisco Secure Services
Administrative Client
Configuring the Cisco Secure Services
Administrative Client
Deploying the Cisco Secure Services Client in a Production
Network
End-User Client Deployment Installation
Prerequisite
Creating End-User Client-Configuration
Files
Creating the License File
Deploying the End-User Client
Viewing the Current Status of the Cisco Secure Services
Client
Windows Wireless Zero Configuration
Troubleshooting the Cisco Secure Services Client
System Report Utility
Viewing the Client Logs and Connection
Status in Real Time
Client Icon Does Not Appear in
System Tray
Client GUI Does Not Start
Client Does Not Prompt for Password
Wireless Client Is Immediately
Dissociated after 802.1X Authentication
Client Is Disconnected (Suspended)
Summary
References
Review Question
Chapter 4 Configuring Layer 2 NAC on Network
Access Devices
NAC-L2-IP
Architecture of NAC-L2-IP
Configuring NAC-L2-IP
Troubleshooting NAC-L2-IP
NAC-L2-802.1X
Architecture of NAC-L2-802.1X
Configuring NAC-L2-802.1X
MAC Authentication Bypass
Troubleshooting NAC-L2-802.1X
Configuring NAC-L2-802.1X on Cisco
Wireless Access Points
Summary
Review Questions
Chapter 5 Configuring Layer 3 NAC on Network
Access Devices
Architectural Overview of NAC on Layer 3 Devices
Configuration Steps of NAC on Layer 3 Devices
Step 1: Configuring AAA Authentication
Step 2: Defining the RADIUS Server
Step 3: Specifying the Interface
Access Control List
Step 4: Configuring the NAC Parameters
Step 5: Defining the NAC Intercept
Access Control List (Optional)
Step 6: Setting Up the Exception
Policies (Optional)
Step 7: Configuring the Clientless
Host Parameters (Optional)
Step 8: Optimizing the NAC Parameters
(Optional)
Monitoring and Troubleshooting NAC on Layer 3 Devices
Useful Monitoring Commands
Troubleshooting NAC
Summary
Review Questions
Chapter 6 Configuring NAC on Cisco VPN 3000
Series Concentrators
Architectural Overview of NAC on Cisco VPN 3000 Concentrators
Cisco Software Clients
Microsoft L2TP over IPSec Clients
Configuration Steps of NAC on Cisco VPN 3000 Concentrators
VPN Configuration on the VPN 3000
Concentrator
VPN Configuration on the Cisco
VPN Client
NAC Configuration on the VPN 3000
Concentrator
Testing, Monitoring, and Troubleshooting NAC on Cisco
VPN 3000 Concentrators
Remote-Access IPSec Tunnel Without
NAC
Remote-Access IPSec Tunnel from
an Agentless Client
Remote-Access IPSec Tunnel from
a CTA Client
Summary
Review Questions
Chapter 7 Configuring NAC on Cisco ASA and
PIX Security Appliances
Architectural Overview of NAC on Cisco Security Appliances
Stateless Failover for NAC
Per-Group NAC Exception List
Configuration Steps of NAC on Cisco Security Appliances
VPN Configuration on the Security
Appliances
VPN Configuration on the Cisco
VPN Client
NAC Configuration on the Cisco
Security Appliances
Testing, Monitoring, and Troubleshooting NAC on Cisco
Security Appliances
Remote-Access IPSec Tunnel Without
NAC
Remote-Access IPSec Tunnel from
an Agentless Client
Remote-Access IPSec Tunnel from
a CTA Client
Monitoring of NAC Sessions
Summary
Review Questions
Chapter 8 Cisco Secure Access Control Server
Installing ACS
Installation Prerequisites
Installing ACS on a Windows Server
Upgrading from Previous Versions
of ACS Server
Post-Installation Tasks
Initial ACS Configuration
Configuring Network Device Groups
(Optional)
Adding Network Access Devices
Configuring RADIUS Attributes and
Advanced Options
Installing Certificates
Configuring Global Authentication
Protocols
Creating Network Access Profiles
Using NAC Templates
Posture Validation
Internal Posture-Validation Policies
External Posture Validation and
Audit Servers
Miscellaneous Posture-Validation
Options
Posture Enforcement
Downloadable IP ACLs
VLAN Assignment
Policy-Based ACLs
RADIUS Authorization Components
Network Access Profiles
Protocols Policy
Authentication Policy
Posture Validation Policy
Authorization Policy
Network Access Filtering
NAC Agentless Hosts
Centralized Agentless Host Policy
for NAC-L3-IP and NAC-L2-IP
Centralized Agentless Host Policy
for NAC-L2-802.1X (MAC Authentication Bypass)
Configuring the Agentless Host
Policy on ACS
User Databases
Importing Vendor Attribute-Value Pairs
Enabling Logging
Configuring Failed Attempts Logging
Configuring Passed Authentications
Logging
Configuring RADIUS Accounting Logging
Replication
Troubleshooting ACS
Enabling Service Debug Logging
Invalid Protocol Data
RADIUS Posture-Validation Requests
Are Not Mapped to the Correct NAP
RADIUS Dictionaries Missing from
the Interface Configuration Section
Certificate Issues—EAP-TLS or
PEAP Authentication Failed During SSL Handshake in Failed Attempts Log
Summary
Review Questions
Chapter 9 Cisco Security Agent
Cisco Security Agent Architecture
CSA MC Rule Definitions
Global Event Correlation
Installing Cisco Security Agents Management Center
Configuring CSA NAC-Related Features
Creating Groups
Creating Agent Kits
System State and NAC Posture Changes
Summary
Review Questions
Chapter 10 Antivirus Software Integration
Supported Antivirus Software Vendors
Antivirus Software Posture Plug-Ins
Antivirus Policy Servers and the Host Credential Authorization
Protocol (HCAP)
Adding External Antivirus Policy
Servers in Cisco Secure ACS
Summary
Review Questions
Chapter 11 Audit Servers
Options for Handling Agentless Hosts
MAC Authentication Bypass
Audit Servers
Architectural Overview of NAC for Agentless Hosts
Configuring Audit Servers
Installation of QualysGuard Scanner
Appliance
Configuration of QualysGuard Scanner
Appliance
Configuration of CS-ACS Server
Monitoring of Agentless Hosts
Monitoring Agentless Hosts on QualysGuard
Scanner
Monitoring CS-ACS Logs
Monitoring Agentless Hosts on a
Cisco NAD
Summary
Review Questions
Chapter 12 Remediation
Altiris
Altiris Network Discovery
Importing Attribute Files to Cisco
Secure ACS
Setting External Posture Validation
Audit Server on Cisco Secure ACS
Installing the Altiris Network
Access Agent and Posture Plug-In
Exception Policies
Creating Posture Policies on the
Altiris Notification Server
PatchLink
Summary
Review Questions
Part III Deployment Scenarios
Chapter 13 Deploying and Troubleshooting NAC
in Small Businesses
NAC Requirements for a Small Business
Small Business Network Topology
Configuring NAC in a Small Business
Cisco Secure ACS
End-User Clients
Switches
Web Server
Troubleshooting NAC Deployment in a Small Business
show Commands
EAP over UDP Logging
Cisco Secure ACS Logging
Certificate Issues: EAP-TLS or
PEAP Authentication Failed During SSL Handshake
Incorrect Time or Date
Summary
Review Questions
Chapter 14 Deploying and Troubleshooting NAC
in Medium-Size Enterprises
Deployment Overview of NAC in a Medium-Size Enterprise
The User Network
The Management Network
The Quarantine Network
Business Requirements for NAC in a Medium-Size Enterprise
Medium-Size Enterprise NAC Solution Highlights
Enforcement Actions
Steps for Configuring NAC in a Medium-Size Enterprise
Catalyst 6500 CatOS Configuration
VPN 3000 Concentrator Configuration
Audit Server Configuration
Altiris Quarantine Solution Configuration
Trend Micro Policy Server Configuration
Cisco Secure ACS Configuration
CSA-MC Server Configuration
End-User Clients
Monitoring and Troubleshooting NAC in a Medium-Size
Enterprise
Diagnosing NAC on Catalyst 6500
Switch
Diagnosing NAC on a VPN 3000 Concentrator
Cisco Secure ACS Logging
Summary
Review Questions
Chapter 15 Deploying and Troubleshooting NAC
in Large Enterprises
Business Requirements for Deploying NAC in a Large
Enterprise
Security Policies
Enforcement Actions
Design and Network Topology for NAC in a Large Enterprise
Branch Office
Regional Office
Headquarters
Configuring NAC in a Large Enterprise
ACS
End-User Clients
Switches
Troubleshooting NAC Deployment in a Large Enterprise
show Commands
debug Commands
ACS Logs and CS-MARS
Summary
Review Questions
Part IV Managing and Monitoring NAC
Chapter 16 NAC Deployment and Management Best
Practices
A Phased Approach to Deploying NAC Framework
Readiness Assessment
Stakeholders
Initial Lab Environment
Test Plans
Initial Tuning
Final Deployment Strategy
Provisioning of User Client Software
CSA Management
Maintaining NAC Policies
Keeping Operating System Policies
Up-to-Date
Keeping Your Antivirus Policies
Up-to-Date
Maintenance of Remediation Servers
and Third-Party Software
Technical Support
Education and Awareness
End-User Education and Awareness
Help-Desk Staff Training
Engineering and Networking Staff
Training
Summary
References
Review Questions
Chapter 17 Monitoring the NAC Solution Using
the Cisco Security Monitoring, Analysis, and Response System
CS-MARS Overview
Setting Up Cisco IOS Routers to Report to CS-MARS
Defining the Cisco IOS Router as
a Reporting Device within CS-MARS
Configuring the Cisco IOS Router
to Forward Events to CS-MARS
Setting Up Cisco Switches to Report to CS-MARS
Defining the Cisco Switch as a
Reporting Device within CS-MARS
Configuring the Cisco Switch to
Forward Events to CS-MARS
Configuring ACS to Send Events to CS-MARS
Defining ACS as a Reporting Device
within CS-MARS
Configuring Logging on ACS
Configuring 802.1X NADs in ACS
to Report to CS-MARS
Installing the pnlog Agent on ACS
Configuring CSA to Send Events to CS-MARS
Defining CSA-MC as a Reporting
Device within CS-MARS
Configuring CSA-MC to Forward Events
to CS-MARS
Configuring VPN 3000 Concentrators to Send Events
to CS-MARS
Defining the VPN 3000 Concentrator
as a Reporting Device within CS-MARS
Configuring the VPN 3000 Concentrator
to Forward Events to CS-MARS
Configuring the Adaptive Security Appliance and PIX
Security Appliance to Send Events to CS-MARS
Defining the ASA/PIX Appliance
as a Reporting Device within CS-MARS
Configuring the ASA/PIX Appliance
to Forward Events to CS-MARS
Configuring QualysGuard to Send Events to CS-MARS
Generating Reports in CS-MARS
NAC Report—Top Tokens
NAC Report—Infected/Quarantine—Top
Hosts
NAC Report—Agentless (Clientless)
Hosts
Creating Scheduled NAC Reports
Troubleshooting CS-MARS
Events from a Specific Device Are
Not Showing Up
Events Are Showing Up from an Unknown
Reporting Device
Trouble Discovering a Monitored
Device
Summary
Reference
Review Questions
Part V Appendix
Appendix A Answers to Review Questions
About the Authors
Jazib Frahim, CCIE No. 5459, is a senior network security engineer in
the Worldwide Security Services Practice of the Cisco Advanced Services for
Network Security team. He is responsible for guiding customers in the design
and implementation of their networks with a focus on network security.
Omar Santos is a senior network security engineer in the Worldwide Security
Services Practice of the Cisco Advanced Services for Network Security team.
He has more than 12 years of experience in secure data communications.
David White, Jr., CCIE No. 12,021, has more than 10 years of networking
experience with a focus on network security. He is currently an escalation engineer
in the Cisco TAC, where he has been for more than six years.
Customer Reviews
Customer Reviews: 1 Average Customer Rating: Mar 7, 2007 Martin from Los Angeles
Are you ready to NAC?
The first volume for Cisco Network Admission Control series explains the architecture, design and components for NAC Framework. The second volume explains the production deployment as well as troubleshooting NAC Framework to build a self-defending network.
I found the second volume more helpful and practical as it provides technical configuration and implementation guidelines. The book is basically divided into four parts: NAC Framework solution Overview, Configuration Guidelines, Deployment Scenarios and finally Managing and Monitoring NAC.
I think that the first chapter is the most important as it explains the NAC Framework solution overview and the components needed to support it. It shows which Cisco network access devices and which Cat or Cisco IOS version support this feature. It explains the difference among NAC-L3-IP, NAC-L2-IP and NAC-L2-802.1X. The chapter includes Cisco online reference so readers can research each device in details and get the most up-to-date list of all Cisco NAC-enabled devices.
The next 11 chapters cover installation, configuration and brief troubleshooting tips for each component: Cisco Trust Agent, VPN Concentrator, ASA and PIX firewall, Cisco Security Agents and even some brief introductions for third party vendor appliances such as QualysGuard Scanner for audit servers.
The following 3 chapters describe the deployment scenario for NAC in small, medium and large businesses. These chapters offer 3 interesting scenarios but all of them are just recaps of configuration mentioned in previous chapters.
The last 2 chapters explain the NAC deployment best practices and NAC monitoring using Cisco CsMARS. The best practices provide guidelines to roll this NAC deployment successfully by completing a readiness assessment of the current infrastructure, identifying responsible party, building lab and test plans as well as tuning and post deployment monitoring. Having experiences in deploying security projects, I believe that they should also add organization security policy which is approved by top management for NAC deployment best practices. This policy will help to remove any major obstacles encountered from end users.
I found this book very helpful in explaining Cisco NAC Framework. The book is definitely not for beginners as understanding of Cisco configuration and familiarity with Cisco products are needed to understand this.
NAC Framework is not for everyone. If you run a Cisco centric shop with the latest hardware and software, this NAC Framework is for you to build the self-defending network on top of your Cisco network and host based IPS, firewall, 802.1X enabled network access devices and others. If not, a much simpler Cisco Clean Access or other third party NAC appliance can probably do the job with less complicated configuration and upfront investment.
The book does not mention anything about Cisco NAC Framework integration or configuration with the new Microsoft NAP (Network Access Protection) although Cisco has officially provided the plan to do this in its web site.
In conclusion, the author has provided a very concise and understandable reading with the few number of pages provided. Each chapter goes straight to the topics, explains in an easy to follow manner, provides a lot of configuration examples and screenshots and closes with online references.
I liked this book a lot and certainly will recommend others to read this. I gave the book five out of five stars.
|
