|
Cisco Network Admission Control: v. 2: NAC Deployment and Troubleshooting
Network Admission Control (NAC), a set of technologies and solutions built on an industry initiative led by Cisco, uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can allow network access only
to compliant and trusted end-point devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices. The purpose of Cisco Network Admission Control Volume II is to provide a comprehensive guide on how to deploy and troubleshoot phase 2 of NAC to protect networks from attacks and threats and to ultimately create a self-defending network. By highlighting what protection NAC provides when a virus outbreak occurs, this book is a guide for any network professional who manages network security and monitors organizational infrastructure for day-zero threats.
Contents:
Introduction Part I NAC Overview Chapter 1 NAC Solution and Technology Overview Network Admission Control NAC: Phase I NAC: Phase II NAC Program Participants Components That Make Up the NAC Framework Solution Cisco Trust Agent Cisco Security Agent Network-Access Devices Cisco VPN 3000 Series Concentrator Cisco Secure Access Control Server Event Monitoring, Analysis, and Reporting Summary Review Questions Part II Configuration Guidelines Chapter 2 Cisco Trust Agent Preparing for Deployment of CTA Supported Operating Systems Deploying CTA in a Lab Environment CTA Windows Installation CTA Windows Installation with the 802.1X Wired Supplicant CTA Mac Installation CTA Linux Installation Installing the CA Certificate User Notifications Customizing CTA with the Optional ctad.ini File [main] Section [EAPoUDP] Section [UserNotifies] Section [ServerCertDNVerification] Distinguished Name-Matching Section [Scripting_Interface] Section Example ctad.ini CTA Scripting Interface Requirements for Using the Scripting Interface Executing the Scripting Interface CTA Logging Service Creating a ctalogd.ini File Using the clogcli Utility Deploying CTA in a Production Network Deploying CTA on Windows Deploying CTA on Mac OS X Deploying CTA on Linux Troubleshooting CTA Installation Issues Communication Issues System Logs CTA Client Fails to Receive a Posture Token CTA 802.1X Wired Client Client Is Disconnected (Suspended) Chapter Summary References Review Question Chapter 3 Cisco Secure Services Client Installing and Configuring the Cisco Secure Services Client Minimum System Requirements Installing the Cisco Secure Services Administrative Client Configuring the Cisco Secure Services Administrative Client Deploying the Cisco Secure Services Client in a Production Network End-User Client Deployment Installation Prerequisite Creating End-User Client-Configuration Files Creating the License File Deploying the End-User Client Viewing the Current Status of the Cisco Secure Services Client Windows Wireless Zero Configuration Troubleshooting the Cisco Secure Services Client System Report Utility Viewing the Client Logs and Connection Status in Real Time Client Icon Does Not Appear in System Tray Client GUI Does Not Start Client Does Not Prompt for Password Wireless Client Is Immediately Dissociated after 802.1X Authentication Client Is Disconnected (Suspended) Summary References Review Question Chapter 4 Configuring Layer 2 NAC on Network Access Devices NAC-L2-IP Architecture of NAC-L2-IP Configuring NAC-L2-IP Troubleshooting NAC-L2-IP NAC-L2-802.1X Architecture of NAC-L2-802.1X Configuring NAC-L2-802.1X MAC Authentication Bypass Troubleshooting NAC-L2-802.1X Configuring NAC-L2-802.1X on Cisco Wireless Access Points Summary Review Questions Chapter 5 Configuring Layer 3 NAC on Network Access Devices Architectural Overview of NAC on Layer 3 Devices Configuration Steps of NAC on Layer 3 Devices Step 1: Configuring AAA Authentication Step 2: Defining the RADIUS Server Step 3: Specifying the Interface Access Control List Step 4: Configuring the NAC Parameters Step 5: Defining the NAC Intercept Access Control List (Optional) Step 6: Setting Up the Exception Policies (Optional) Step 7: Configuring the Clientless Host Parameters (Optional) Step 8: Optimizing the NAC Parameters (Optional) Monitoring and Troubleshooting NAC on Layer 3 Devices Useful Monitoring Commands Troubleshooting NAC Summary Review Questions Chapter 6 Configuring NAC on Cisco VPN 3000 Series Concentrators Architectural Overview of NAC on Cisco VPN 3000 Concentrators Cisco Software Clients Microsoft L2TP over IPSec Clients Configuration Steps of NAC on Cisco VPN 3000 Concentrators VPN Configuration on the VPN 3000 Concentrator VPN Configuration on the Cisco VPN Client NAC Configuration on the VPN 3000 Concentrator Testing, Monitoring, and Troubleshooting NAC on Cisco VPN 3000 Concentrators Remote-Access IPSec Tunnel Without NAC Remote-Access IPSec Tunnel from an Agentless Client Remote-Access IPSec Tunnel from a CTA Client Summary Review Questions Chapter 7 Configuring NAC on Cisco ASA and PIX Security Appliances Architectural Overview of NAC on Cisco Security Appliances Stateless Failover for NAC Per-Group NAC Exception List Configuration Steps of NAC on Cisco Security Appliances VPN Configuration on the Security Appliances VPN Configuration on the Cisco VPN Client NAC Configuration on the Cisco Security Appliances Testing, Monitoring, and Troubleshooting NAC on Cisco Security Appliances Remote-Access IPSec Tunnel Without NAC Remote-Access IPSec Tunnel from an Agentless Client Remote-Access IPSec Tunnel from a CTA Client Monitoring of NAC Sessions Summary Review Questions Chapter 8 Cisco Secure Access Control Server Installing ACS Installation Prerequisites Installing ACS on a Windows Server Upgrading from Previous Versions of ACS Server Post-Installation Tasks Initial ACS Configuration Configuring Network Device Groups (Optional) Adding Network Access Devices Configuring RADIUS Attributes and Advanced Options Installing Certificates Configuring Global Authentication Protocols Creating Network Access Profiles Using NAC Templates Posture Validation Internal Posture-Validation Policies External Posture Validation and Audit Servers Miscellaneous Posture-Validation Options Posture Enforcement Downloadable IP ACLs VLAN Assignment Policy-Based ACLs RADIUS Authorization Components Network Access Profiles Protocols Policy Authentication Policy Posture Validation Policy Authorization Policy Network Access Filtering NAC Agentless Hosts Centralized Agentless Host Policy for NAC-L3-IP and NAC-L2-IP Centralized Agentless Host Policy for NAC-L2-802.1X (MAC Authentication Bypass) Configuring the Agentless Host Policy on ACS User Databases Importing Vendor Attribute-Value Pairs Enabling Logging Configuring Failed Attempts Logging Configuring Passed Authentications Logging Configuring RADIUS Accounting Logging Replication Troubleshooting ACS Enabling Service Debug Logging Invalid Protocol Data RADIUS Posture-Validation Requests Are Not Mapped to the Correct NAP RADIUS Dictionaries Missing from the Interface Configuration Section Certificate Issues-EAP-TLS or PEAP Authentication Failed During SSL Handshake in Failed Attempts Log Summary Review Questions Chapter 9 Cisco Security Agent Cisco Security Agent Architecture CSA MC Rule Definitions Global Event Correlation Installing Cisco Security Agents Management Center Configuring CSA NAC-Related Features Creating Groups Creating Agent Kits System State and NAC Posture Changes Summary Review Questions Chapter 10 Antivirus Software Integration Supported Antivirus Software Vendors Antivirus Software Posture Plug-Ins Antivirus Policy Servers and the Host Credential Authorization Protocol (HCAP) Adding External Antivirus Policy Servers in Cisco Secure ACS Summary Review Questions Chapter 11 Audit Servers Options for Handling Agentless Hosts MAC Authentication Bypass Audit Servers Architectural Overview of NAC for Agentless Hosts Configuring Audit Servers Installation of QualysGuard Scanner Appliance Configuration of QualysGuard Scanner Appliance Configuration of CS-ACS Server Monitoring of Agentless Hosts Monitoring Agentless Hosts on QualysGuard Scanner Monitoring CS-ACS Logs Monitoring Agentless Hosts on a Cisco NAD Summary Review Questions Chapter 12 Remediation Altiris Altiris Network Discovery Importing Attribute Files to Cisco Secure ACS Setting External Posture Validation Audit Server on Cisco Secure ACS Installing the Altiris Network Access Agent and Posture Plug-In Exception Policies Creating Posture Policies on the Altiris Notification Server PatchLink Summary Review Questions Part III Deployment Scenarios Chapter 13 Deploying and Troubleshooting NAC in Small Businesses NAC Requirements for a Small Business Small Business Network Topology Configuring NAC in a Small Business Cisco Secure ACS End-User Clients Switches Web Server Troubleshooting NAC Deployment in a Small Business show Commands EAP over UDP Logging Cisco Secure ACS Logging Certificate Issues: EAP-TLS or PEAP Authentication Failed During SSL Handshake Incorrect Time or Date Summary Review Questions Chapter 14 Deploying and Troubleshooting NAC in Medium-Size Enterprises Deployment Overview of NAC in a Medium-Size Enterprise The User Network The Management Network The Quarantine Network Business Requirements for NAC in a Medium-Size Enterprise Medium-Size Enterprise NAC Solution Highlights Enforcement Actions Steps for Configuring NAC in a Medium-Size Enterprise Catalyst 6500 CatOS Configuration VPN 3000 Concentrator Configuration Audit Server Configuration Altiris Quarantine Solution Configuration Trend Micro Policy Server Configuration Cisco Secure ACS Configuration CSA-MC Server Configuration End-User Clients Monitoring and Troubleshooting NAC in a Medium-Size Enterprise Diagnosing NAC on Catalyst 6500 Switch Diagnosing NAC on a VPN 3000 Concentrator Cisco Secure ACS Logging Summary Review Questions Chapter 15 Deploying and Troubleshooting NAC in Large Enterprises Business Requirements for Deploying NAC in a Large Enterprise Security Policies Enforcement Actions Design and Network Topology for NAC in a Large Enterprise Branch Office Regional Office Headquarters Configuring NAC in a Large Enterprise ACS End-User Clients Switches Troubleshooting NAC Deployment in a Large Enterprise show Commands debug Commands ACS Logs and CS-MARS Summary Review Questions Part IV Managing and Monitoring NAC Chapter 16 NAC Deployment and Management Best Practices A Phased Approach to Deploying NAC Framework Readiness Assessment Stakeholders Initial Lab Environment Test Plans Initial Tuning Final Deployment Strategy Provisioning of User Client Software CSA Management Maintaining NAC Policies Keeping Operating System Policies Up-to-Date Keeping Your Antivirus Policies Up-to-Date Maintenance of Remediation Servers and Third-Party Software Technical Support Education and Awareness End-User Education and Awareness Help-Desk Staff Training Engineering and Networking Staff Training Summary References Review Questions Chapter 17 Monitoring the NAC Solution Using the Cisco Security Monitoring, Analysis, and Response System CS-MARS Overview Setting Up Cisco IOS Routers to Report to CS-MARS Defining the Cisco IOS Router as a Reporting Device within CS-MARS Configuring the Cisco IOS Router to Forward Events to CS-MARS Setting Up Cisco Switches to Report to CS-MARS Defining the Cisco Switch as a Reporting Device within CS-MARS Configuring the Cisco Switch to Forward Events to CS-MARS Configuring ACS to Send Events to CS-MARS Defining ACS as a Reporting Device within CS-MARS Configuring Logging on ACS Configuring 802.1X NADs in ACS to Report to CS-MARS Installing the pnlog Agent on ACS Configuring CSA to Send Events to CS-MARS Defining CSA-MC as a Reporting Device within CS-MARS Configuring CSA-MC to Forward Events to CS-MARS Configuring VPN 3000 Concentrators to Send Events to CS-MARS Defining the VPN 3000 Concentrator as a Reporting Device within CS-MARS Configuring the VPN 3000 Concentrator to Forward Events to CS-MARS Configuring the Adaptive Security Appliance and PIX Security Appliance to Send Events to CS-MARS Defining the ASA/PIX Appliance as a Reporting Device within CS-MARS Configuring the ASA/PIX Appliance to Forward Events to CS-MARS Configuring QualysGuard to Send Events to CS-MARS Generating Reports in CS-MARS NAC Report-Top Tokens NAC Report-Infected/Quarantine-Top Hosts NAC Report-Agentless (Clientless) Hosts Creating Scheduled NAC Reports Troubleshooting CS-MARS Events from a Specific Device Are Not Showing Up Events Are Showing Up from an Unknown Reporting Device Trouble Discovering a Monitored Device Summary Reference Review Questions Part V Appendix Appendix A Answers to Review Questions 1587052253 TOC 11/2/2006
Brief Description:
Network Admission Control (NAC) is designed to prohibit or restrict access to the secured internal network from devices with a diminished security posture until they are patched or updated to meet the minimum corporate security requirements. This work helps you understand how to deploy the NAC Framework solution and build a self-defending network.
|
