Cisco Network Admission Control, Volume II: NAC Framework Deployment and Troubleshooting

Author: Jazib Frahim, Omar Santos, David C. White
Publisher: Pearson Education (US)
ISBN: 9781587052255
Pages: 624
Publication Date: 30 November 2006
Format: Paperback
Availability: Out of stock


Overview

Cisco Network Admission Control, Volume II: NAC Framework Deployment and Troubleshooting

The self-defending network in action

Jazib Frahim, CCIE® No. 5459
Omar Santos
David White, Jr., CCIE No. 12,021

When most information security professionals think about threats to their networks, they think about the threat of attackers from the outside. However, in recent years the number of computer security incidents caused by trusted users within a company has equaled the number caused by external threats. The difference is that external threats are fairly well understood, and almost all companies use tools and technology to protect against them. In contrast, the threats from internal trusted employees or partners are often overlooked and are much more difficult to protect against.

Network Admission Control (NAC) is designed to prohibit or restrict access to the secured internal network from devices with a diminished security posture until they are patched or updated to meet the minimum corporate security requirements. A fundamental component of the Cisco® Self-Defending Network Initiative, NAC enables you to enforce host patch policies and to regulate network access permissions for noncompliant, vulnerable systems.

Cisco Network Admission Control, Volume II, helps you understand how to deploy the NAC Framework solution and ultimately build a self-defending network. The book focuses on the key components that make up the NAC Framework, showing how you can successfully deploy and troubleshoot each component and the overall solution. Emphasis is placed on real-world deployment scenarios, and the book walks you step by step through individual component configurations. Along the way, the authors call out best practices and tell you which mistakes to avoid. Component-level and solution-level troubleshooting techniques are also presented. Three full-deployment scenarios walk you through the application of NAC in a small business, a medium-sized organization, and a large enterprise.

“To successfully deploy and troubleshoot the Cisco NAC solution requires thoughtful builds and design of NAC in branch, campus, and enterprise topologies. It requires a practical and methodical view towards building layered security and management with troubleshooting, auditing, and monitoring capabilities.” –Jayshree V. Ullal, Senior Vice President, Datacenter, Switching and Security Technology Group, Cisco Systems®

Jazib Frahim, CCIE® No. 5459, is a senior network security engineer in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security team. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security.

Omar Santos is a senior network security engineer in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security team. He has more than 12 years of experience in secure data communications.

David White, Jr., CCIE No. 12,021, has more than 10 years of networking experience with a focus on network security. He is currently an escalation engineer in the Cisco TAC, where he has been for more than six years.

This book shows you how to:

- Effectively deploy the Cisco Trust Agent
- Configure Layer 2 IP and Layer 2 802.1x NAC on network access devices
- Examine packet flow in a Cisco IOS NAD when NAC is enabled, and configure Layer 3 NAC on the NAD
- Monitor remote access VPN tunnels
- Configure and troubleshoot NAC on the Cisco ASA and PIX security appliances
- Install and configure Cisco Secure Access Control Server (ACS) for NAC
- Install the Cisco Security Agent Management Center and create agent kits
- Add antivirus policy servers to ACS for external antivirus posture validation
- Understand and apply audit servers to your NAC solution
- Use remediation servers to automatically patch end hosts to bring them into compliance with your network policies
- Monitor the NAC solution using the Cisco Security Monitoring, Analysis, and Response System (MARS)

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Cisco Press–Security
Covers: Network Admission Control

Full Product Details

Author: Jazib Frahim, Omar Santos, David C. White
Publisher: Pearson Education (US)
Imprint: Cisco Press
Dimensions: Width: 18.60cm, Height: 3.30cm, Length: 23.10cm
Weight: 1.002kg
ISBN 13: 9781587052255
ISBN 10: 1587052253
Pages: 624
Publication Date: 30 November 2006
Audience: College/higher education, Tertiary & Higher Education
Format: Paperback
Publisher's Status: Out of Print
Availability: Out of stock

Table of Contents

Introduction

Part I NAC Overview

Chapter 1 NAC Solution and Technology Overview
  Network Admission Control
    NAC: Phase I
    NAC: Phase II
    NAC Program Participants
  Components That Make Up the NAC Framework Solution
    Cisco Trust Agent
    Cisco Security Agent
    Network-Access Devices
    Cisco VPN 3000 Series Concentrator
    Cisco Secure Access Control Server
    Event Monitoring, Analysis, and Reporting
  Summary
  Review Questions

Part II Configuration Guidelines

Chapter 2 Cisco Trust Agent
  Preparing for Deployment of CTA
    Supported Operating Systems
  Deploying CTA in a Lab Environment
    CTA Windows Installation
    CTA Windows Installation with the 802.1X Wired Supplicant
    CTA Mac Installation
    CTA Linux Installation
    Installing the CA Certificate
  User Notifications
  Customizing CTA with the Optional ctad.ini File
    [main] Section
    [EAPoUDP] Section
    [UserNotifies] Section
    [ServerCertDNVerification] Distinguished Name-Matching Section
    [Scripting_Interface] Section
    Example ctad.ini
  CTA Scripting Interface
    Requirements for Using the Scripting Interface
    Executing the Scripting Interface
  CTA Logging Service
    Creating a ctalogd.ini File
    Using the clogcli Utility
  Deploying CTA in a Production Network
    Deploying CTA on Windows
    Deploying CTA on Mac OS X
    Deploying CTA on Linux
  Troubleshooting CTA
    Installation Issues
    Communication Issues
    System Logs
    CTA Client Fails to Receive a Posture Token
    CTA 802.1X Wired Client
    Client Is Disconnected (Suspended)
  Chapter Summary
  References
  Review Question

Chapter 3 Cisco Secure Services Client
  Installing and Configuring the Cisco Secure Services Client
    Minimum System Requirements
    Installing the Cisco Secure Services Administrative Client
    Configuring the Cisco Secure Services Administrative Client
  Deploying the Cisco Secure Services Client in a Production Network
    End-User Client Deployment Installation Prerequisite
    Creating End-User Client-Configuration Files
    Creating the License File
    Deploying the End-User Client
  Viewing the Current Status of the Cisco Secure Services Client
  Windows Wireless Zero Configuration
  Troubleshooting the Cisco Secure Services Client
    System Report Utility
    Viewing the Client Logs and Connection Status in Real Time
    Client Icon Does Not Appear in System Tray
    Client GUI Does Not Start
    Client Does Not Prompt for Password
    Wireless Client Is Immediately Dissociated after 802.1X Authentication
    Client Is Disconnected (Suspended)
  Summary
  References
  Review Question

Chapter 4 Configuring Layer 2 NAC on Network Access Devices
  NAC-L2-IP
    Architecture of NAC-L2-IP
    Configuring NAC-L2-IP
    Troubleshooting NAC-L2-IP
  NAC-L2-802.1X
    Architecture of NAC-L2-802.1X
    Configuring NAC-L2-802.1X
    MAC Authentication Bypass
    Troubleshooting NAC-L2-802.1X
    Configuring NAC-L2-802.1X on Cisco Wireless Access Points
  Summary
  Review Questions

Chapter 5 Configuring Layer 3 NAC on Network Access Devices
  Architectural Overview of NAC on Layer 3 Devices
  Configuration Steps of NAC on Layer 3 Devices
    Step 1: Configuring AAA Authentication
    Step 2: Defining the RADIUS Server
    Step 3: Specifying the Interface Access Control List
    Step 4: Configuring the NAC Parameters
    Step 5: Defining the NAC Intercept Access Control List (Optional)
    Step 6: Setting Up the Exception Policies (Optional)
    Step 7: Configuring the Clientless Host Parameters (Optional)
    Step 8: Optimizing the NAC Parameters (Optional)
  Monitoring and Troubleshooting NAC on Layer 3 Devices
    Useful Monitoring Commands
    Troubleshooting NAC
  Summary
  Review Questions

Chapter 6 Configuring NAC on Cisco VPN 3000 Series Concentrators
  Architectural Overview of NAC on Cisco VPN 3000 Concentrators
    Cisco Software Clients
    Microsoft L2TP over IPSec Clients
  Configuration Steps of NAC on Cisco VPN 3000 Concentrators
    VPN Configuration on the VPN 3000 Concentrator
    VPN Configuration on the Cisco VPN Client
    NAC Configuration on the VPN 3000 Concentrator
  Testing, Monitoring, and Troubleshooting NAC on Cisco VPN 3000 Concentrators
    Remote-Access IPSec Tunnel Without NAC
    Remote-Access IPSec Tunnel from an Agentless Client
    Remote-Access IPSec Tunnel from a CTA Client
  Summary
  Review Questions

Chapter 7 Configuring NAC on Cisco ASA and PIX Security Appliances
  Architectural Overview of NAC on Cisco Security Appliances
    Stateless Failover for NAC
    Per-Group NAC Exception List
  Configuration Steps of NAC on Cisco Security Appliances
    VPN Configuration on the Security Appliances
    VPN Configuration on the Cisco VPN Client
    NAC Configuration on the Cisco Security Appliances
  Testing, Monitoring, and Troubleshooting NAC on Cisco Security Appliances
    Remote-Access IPSec Tunnel Without NAC
    Remote-Access IPSec Tunnel from an Agentless Client
    Remote-Access IPSec Tunnel from a CTA Client
    Monitoring of NAC Sessions
  Summary
  Review Questions

Chapter 8 Cisco Secure Access Control Server
  Installing ACS
    Installation Prerequisites
    Installing ACS on a Windows Server
    Upgrading from Previous Versions of ACS Server
    Post-Installation Tasks
  Initial ACS Configuration
    Configuring Network Device Groups (Optional)
    Adding Network Access Devices
    Configuring RADIUS Attributes and Advanced Options
    Installing Certificates
    Configuring Global Authentication Protocols
    Creating Network Access Profiles Using NAC Templates
  Posture Validation
    Internal Posture-Validation Policies
    External Posture Validation and Audit Servers
    Miscellaneous Posture-Validation Options
  Posture Enforcement
    Downloadable IP ACLs
    VLAN Assignment
    Policy-Based ACLs
    RADIUS Authorization Components
  Network Access Profiles
    Protocols Policy
    Authentication Policy
    Posture Validation Policy
    Authorization Policy
  Network Access Filtering
  NAC Agentless Hosts
    Centralized Agentless Host Policy for NAC-L3-IP and NAC-L2-IP
    Centralized Agentless Host Policy for NAC-L2-802.1X (MAC Authentication Bypass)
    Configuring the Agentless Host Policy on ACS
  User Databases
  Importing Vendor Attribute-Value Pairs
  Enabling Logging
    Configuring Failed Attempts Logging
    Configuring Passed Authentications Logging
    Configuring RADIUS Accounting Logging
  Replication
  Troubleshooting ACS
    Enabling Service Debug Logging
    Invalid Protocol Data
    RADIUS Posture-Validation Requests Are Not Mapped to the Correct NAP
    RADIUS Dictionaries Missing from the Interface Configuration Section
    Certificate Issues—EAP-TLS or PEAP Authentication Failed During SSL Handshake in Failed Attempts Log
  Summary
  Review Questions

Chapter 9 Cisco Security Agent
  Cisco Security Agent Architecture
    CSA MC Rule Definitions
    Global Event Correlation
  Installing Cisco Security Agents Management Center
  Configuring CSA NAC-Related Features
    Creating Groups
    Creating Agent Kits
    System State and NAC Posture Changes
  Summary
  Review Questions

Chapter 10 Antivirus Software Integration
  Supported Antivirus Software Vendors
  Antivirus Software Posture Plug-Ins
  Antivirus Policy Servers and the Host Credential Authorization Protocol (HCAP)
    Adding External Antivirus Policy Servers in Cisco Secure ACS
  Summary
  Review Questions

Chapter 11 Audit Servers
  Options for Handling Agentless Hosts
    MAC Authentication Bypass
    Audit Servers
  Architectural Overview of NAC for Agentless Hosts
  Configuring Audit Servers
    Installation of QualysGuard Scanner Appliance
    Configuration of QualysGuard Scanner Appliance
    Configuration of CS-ACS Server
  Monitoring of Agentless Hosts
    Monitoring Agentless Hosts on QualysGuard Scanner
    Monitoring CS-ACS Logs
    Monitoring Agentless Hosts on a Cisco NAD
  Summary
  Review Questions

Chapter 12 Remediation
  Altiris
    Altiris Network Discovery
    Importing Attribute Files to Cisco Secure ACS
    Setting External Posture Validation Audit Server on Cisco Secure ACS
    Installing the Altiris Network Access Agent and Posture Plug-In
    Exception Policies
    Creating Posture Policies on the Altiris Notification Server
  PatchLink
  Summary
  Review Questions

Part III Deployment Scenarios

Chapter 13 Deploying and Troubleshooting NAC in Small Businesses
  NAC Requirements for a Small Business
  Small Business Network Topology
  Configuring NAC in a Small Business
    Cisco Secure ACS
    End-User Clients
    Switches
    Web Server
  Troubleshooting NAC Deployment in a Small Business
    show Commands
    EAP over UDP Logging
    Cisco Secure ACS Logging
    Certificate Issues: EAP-TLS or PEAP Authentication Failed During SSL Handshake
    Incorrect Time or Date
  Summary
  Review Questions

Chapter 14 Deploying and Troubleshooting NAC in Medium-Size Enterprises
  Deployment Overview of NAC in a Medium-Size Enterprise
    The User Network
    The Management Network
    The Quarantine Network
  Business Requirements for NAC in a Medium-Size Enterprise
  Medium-Size Enterprise NAC Solution Highlights
    Enforcement Actions
  Steps for Configuring NAC in a Medium-Size Enterprise
    Catalyst 6500 CatOS Configuration
    VPN 3000 Concentrator Configuration
    Audit Server Configuration
    Altiris Quarantine Solution Configuration
    Trend Micro Policy Server Configuration
    Cisco Secure ACS Configuration
    CSA-MC Server Configuration
    End-User Clients
  Monitoring and Troubleshooting NAC in a Medium-Size Enterprise
    Diagnosing NAC on Catalyst 6500 Switch
    Diagnosing NAC on a VPN 3000 Concentrator
    Cisco Secure ACS Logging
  Summary
  Review Questions

Chapter 15 Deploying and Troubleshooting NAC in Large Enterprises
  Business Requirements for Deploying NAC in a Large Enterprise
    Security Policies
    Enforcement Actions
  Design and Network Topology for NAC in a Large Enterprise
    Branch Office
    Regional Office
    Headquarters
  Configuring NAC in a Large Enterprise
    ACS
    End-User Clients
    Switches
  Troubleshooting NAC Deployment in a Large Enterprise
    show Commands
    debug Commands
    ACS Logs and CS-MARS
  Summary
  Review Questions

Part IV Managing and Monitoring NAC

Chapter 16 NAC Deployment and Management Best Practices
  A Phased Approach to Deploying NAC Framework
    Readiness Assessment
    Stakeholders
    Initial Lab Environment
    Test Plans
    Initial Tuning
    Final Deployment Strategy
  Provisioning of User Client Software
  CSA Management
  Maintaining NAC Policies
    Keeping Operating System Policies Up-to-Date
    Keeping Your Antivirus Policies Up-to-Date
    Maintenance of Remediation Servers and Third-Party Software
  Technical Support
  Education and Awareness
    End-User Education and Awareness
    Help-Desk Staff Training
    Engineering and Networking Staff Training
  Summary
  References
  Review Questions

Chapter 17 Monitoring the NAC Solution Using the Cisco Security Monitoring, Analysis, and Response System
  CS-MARS Overview
  Setting Up Cisco IOS Routers to Report to CS-MARS
    Defining the Cisco IOS Router as a Reporting Device within CS-MARS
    Configuring the Cisco IOS Router to Forward Events to CS-MARS
  Setting Up Cisco Switches to Report to CS-MARS
    Defining the Cisco Switch as a Reporting Device within CS-MARS
    Configuring the Cisco Switch to Forward Events to CS-MARS
  Configuring ACS to Send Events to CS-MARS
    Defining ACS as a Reporting Device within CS-MARS
    Configuring Logging on ACS
    Configuring 802.1X NADs in ACS to Report to CS-MARS
    Installing the pnlog Agent on ACS
  Configuring CSA to Send Events to CS-MARS
    Defining CSA-MC as a Reporting Device within CS-MARS
    Configuring CSA-MC to Forward Events to CS-MARS
  Configuring VPN 3000 Concentrators to Send Events to CS-MARS
    Defining the VPN 3000 Concentrator as a Reporting Device within CS-MARS
    Configuring the VPN 3000 Concentrator to Forward Events to CS-MARS
  Configuring the Adaptive Security Appliance and PIX Security Appliance to Send Events to CS-MARS
    Defining the ASA/PIX Appliance as a Reporting Device within CS-MARS
    Configuring the ASA/PIX Appliance to Forward Events to CS-MARS
  Configuring QualysGuard to Send Events to CS-MARS
  Generating Reports in CS-MARS
    NAC Report—Top Tokens
    NAC Report—Infected/Quarantine—Top Hosts
    NAC Report—Agentless (Clientless) Hosts
    Creating Scheduled NAC Reports
  Troubleshooting CS-MARS
    Events from a Specific Device Are Not Showing Up
    Events Are Showing Up from an Unknown Reporting Device
    Trouble Discovering a Monitored Device
  Summary
  Reference
  Review Questions

Part V Appendix

Appendix A Answers to Review Questions

Author Information

Jazib Frahim, CCIE No. 5459, has been with Cisco Systems for more than seven years. With a Bachelor’s degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer with the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers as a team leader in resolving complicated security and VPN technologies. Jazib is currently working as a Senior Network Security Engineer in the Worldwide Security Services Practice of Cisco’s Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus in network security. He holds two CCIEs, one in Routing and Switching and the other in Security. He also authored the Cisco Press book Cisco ASA: All-in-one Firewall, IPS, and VPN Adaptive Security Appliance (ISBN: 1-58705-209-1). Additionally, Jazib has written numerous Cisco online technical documents and has been an active member on Cisco’s online forum, NetPro. He has presented at Networkers on multiple occasions and has taught many onsite and online courses to Cisco customers, partners, and employees. Jazib is currently pursuing a Master of Business Administration (MBA) degree from North Carolina State University.

Omar Santos is a Senior Network Security Consulting Engineer in the Worldwide Security Services Practice of Cisco’s Advanced Services for Network Security. He has more than 12 years of experience in secure data communications. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and Department of Defense (DoD). He is also the author of the Cisco Press book Cisco ASA: All-in-one Firewall, IPS, and VPN Adaptive Security Appliance (ISBN: 1-58705-209-1) and many Cisco online technical documents and configuration guidelines. Prior to his current role, he was a technical leader of Cisco’s Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within the organization. He is an active member of the InfraGard organization, a cooperative undertaking between the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law-enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructures of the United States of America. Omar has also delivered numerous technical presentations to Cisco customers, partners, and other organizations.

David White, Jr., CCIE No. 12021, has more than ten years of networking experience with a focus on network security. He is currently an Escalation Engineer in the Cisco TAC, where he has been for more than six years. In his role at Cisco, he is involved in new product design and implementation and is an active participant in Cisco documentation, both online and in print. David holds a CCIE in Security and is also NSA IAM certified. Before joining Cisco, David worked for the U.S. government, where he helped secure its worldwide communications network. He was born and raised in St. Petersburg, Florida, and received his Bachelor’s degree in computer engineering from the Georgia Institute of Technology.
