Building a Network Access Control Solution with IBM Tivoli and Cisco Systems. Covering Cisco Network Admission Control Framework and Appliance; automated remediation of noncompliant workstations; advanced security compliance notification. Axel Buecker, Richard Abdullah, Markus Belkin, Mike Dougherty, Wlodzimierz Dymaczewski...
International Technical Support Organization. Building a Network Access Control Solution with IBM Tivoli and Cisco Systems. January 2007. SG24-6678-01...
IBM representative for information about the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others. DB2 Universal Database™ DB2®...
In February of 2004, IBM® announced that it would be joining Cisco’s Admission Control offering for the Cisco NAC program in the form of the IBM Tivoli® compliance and remediation solution. In June of 2005 the first edition of this IBM Redbook was published.
Workstation and Systems Management, Network Computing, and e-business Solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a Senior IT Specialist in Software Security Architecture.
Software Group in Poland. Before joining the Tivoli Technical Sales team in 2002 he worked for four years in IBM Global Services where he was a technical leader for several Tivoli deployment projects. He has almost 13 years of experience in systems management, recently specializing in security.
Cisco Systems, Inc. Become a published author Join us for a two- to six-week residency program! Help write an IBM Redbook dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You’ll team with IBM technical professionals, IBM Business Partners, and/or customers.
Use the online Contact us review redbook form found at: ibm.com/redbooks. Send your comments in an e-mail to: redbook@us.ibm.com. Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. HYTD Mail Station P099, 2455 South Road, Poughkeepsie, NY 12601-5400.
This edition may also include minor corrections and editorial changes that are not identified. Summary of Changes for SG24-6678-01 for Building a Network Access Control Solution with IBM Tivoli and Cisco Systems as created or updated on January 16, 2007. January 2007, Second Edition This revision reflects the addition, deletion, or modification of new and changed information described below.
Part and design In this part we discuss the overall business context of the IBM Integrated Security Solution for Cisco Networks. We then describe how to technically architect the overall solution into an existing environment, and introduce the logical and physical components on both the IBM Tivoli and Cisco side.
1.1 The security compliance and remediation concept. IBM and Cisco are working together on this new concept, which offers companies a solution for defending their networks. This solution is called the...
This IBM and Cisco integration, depicted in an overview in Figure 1-1, is a true enabler for the on demand self-defending and security compliance strategy. Figure 1-1 IBM and Cisco integration strategy (elements shown: Endpoint, Protected client, Trusted identity)...
Customers should consult their relevant government regulatory bodies to learn more about the applicable laws in their respective countries. Sarbanes-Oxley Act (SOX). More guidelines may emerge over...
IBM does not provide legal, accounting, or auditing advice, or represent or warrant that its products or services ensure that the customer is in compliance with any law.
Best practices include: Protect the corporate network from malicious attackers. Keep authorized users compliant with corporate security policy.
Enable an automated remediation process that eases the process of regaining compliance for all authorized users on the corporate network. Provide partners and visitors access to the Internet but not the corporate intranet. 1.6 Achievable benefits for being compliant. How do organizations benefit from compliance with corporate security policies? Corporate security policies and controls are established to enforce consistent rules that centrally secure access to IT resources across the organization.
Production losses and inefficiencies, and therefore substantial financial losses, have resulted from noncompliance. Laws and government regulations such as ... Policy Development and Assurance. Asset protection, privacy and reputation protection,...
The IBM Integrated Security Solution for Cisco Networks delivers corporate compliance at a reduced cost. The IBM Integrated Security Solution for Cisco Networks enables organizations to identify users, monitor their compliance, offer them an easy and centralized remediation capability in case of noncompliance, and easily route them into appropriate network zones based on their credentials.
Chapter 2. Architecting the solution. In this chapter we discuss the solution architecture of the IBM Integrated Security Solution for Cisco Networks with its compliance-based Network Admission Control system. We provide an overview of the key modules and their relationship, and describe an approach for introducing this additional security layer into the enterprise IT environment.
Figure 2-1 IBM Integrated Security Solution for Cisco Networks components overview (components shown: Validation Server, Policy Enforcement Device, Admission Control Client, Compliance Server, Compliance Client (Posture plug-in), Remediation...)
In general, the IBM Integrated Security Solution for Cisco Networks consists of three subsystems or logical components, as shown in Figure 2-1 on page 14: Network Admission Control (NAC) subsystem based on Cisco technology Compliance subsystem based on IBM Tivoli Security Compliance Manager...
Layer 2 NAC or EOU. In ... transported on 802.1x frames and is called EAP over LAN or EAPOL. Cisco Self-Defending Network – All of the access methods that hosts use to...
Compliance Manager server has a built-in reporting engine that can be used to produce standard reports as required by security officers. It can also utilize external report generators such as IBM DB2® Alphablox or Crystal Reports for ad hoc reporting.
More information about Tivoli Security Compliance Manager can be found in the IBM Redbook Deployment Guide Series: IBM Tivoli Security Compliance Manager, SG24-6450. ... when the security compliance data is collected and which clients...
Security policies can be applied to one or more client groups. The security policy uses a version attribute, which is required for the IBM Integrated Security Solution for Cisco Networks. Read more about these attributes in “Establishing the policy collector parameters” on page 104.
... performs the functions of communicating with the ... validates the client’s health (posture) based on predefined...
If the client is not Security Compliance Manager policy–enabled, it is denied access to the corporate network and may be allowed access only to the Internet, or may be quarantined. When a client is quarantined, the user is given a choice to either remediate manually using the provided instructions or to use an automated remediation process by clicking a button on the pop-up window (if the Tivoli Configuration Manager infrastructure exists).
IEEE 802.1x is an identity-based network authentication protocol used at Layer 2 to allow or disallow a specific user to connect to the network based on user or machine credentials. NAC-enabled...
The IEEE 802.1x standard addresses the need to authenticate the user or client trying to connect to the particular network. Point-to-Point Protocol (PPP) can be used in a basic dial-up scenario, but it limits the authentication process to checking only user and password matching. The Extensible Authentication Protocol (EAP) was designed to provide transport for other authentication methods.
NAC solution makes no differentiation between who the clients belong to or who is actually trying to connect to the network. ... authentication is a software agent residing on the client capable of...
Remediation, either HTML-assisted or automated, is an integral part of the IBM Integrated Security Solution for Cisco Networks. The role of this process is to provide the noncompliant client with a means to become compliant again and thus regain access to the network.
Network administrators responsible for configuration of network devices. Administrators responsible for everyday PC configuration and maintenance. It is essential to follow these steps in the implementation of the IBM Tivoli Security Compliance Manager and Cisco Network Admission Control: Creation of the policies to meet the business requirements and needs...
Figure 2-5 illustrates a possible NAC deployment scenario. Figure 2-5 NAC deployment scenario (elements shown: Branch Office, Branch Router, Edge Router, Internet, Mobile Users; EAP/UDP links). Typical candidates for NAC protection are networks (both wireless and wired) used by mobile users to connect to the intranet while visiting the office [1], as well as the dial-up and VPN networks used to connect remotely [2,3].
4. Document conceptual security architecture. We now walk through these steps. 2.3.1 Security compliance management business process. Figure 2-6 illustrates the security compliance management business process, which is described in detail in the redbook Deployment Guide Series: IBM Tivoli Security Compliance Manager, SG24-6450.
2. Check control settings and compare to security policy. The audit team periodically checks the systems to be sure their settings are in compliance with the policy. The audit team creates a report listing all controlled systems and the violated controls. Periodically the list also has to contain the complete security control settings and the systems that are controlled.
Security policy creation is an ongoing process; all policies require constant review and amendment as necessary to suit the organization’s business model. If for some...
This process is described in detail in the IBM Redbook Deployment Guide Series: IBM Tivoli Security Compliance Manager, SG24-6450. Implementation Establishing and implementing the policy in the environment typically are two separate processes involving different business units.
The solution objectives will eventually drive most of the architectural decisions in the design process. ... policy version is the first...
2.3.4 Network design discussion In this section we discuss the following network design factors for the IBM Integrated Security Solution for Cisco Networks: Network segmentation via VLANs and downloadable IP ACLs Performance Adding new components that may not have been required previously...
(Healthy, Quarantined, Checkup, Infected, or Unknown). If the ... Defines how often the whole NAC procedure will be repeated for clients that are already connected.
30 seconds. 2.4 Implementation flow. IBM best practice for implementing this concept in an enterprise-wide deployment has been identified in the following project phases, which would assist...
3.1, “Logical components” on page 40. If an organization has already deployed a Cisco Secure ACS v3.3 server for TACACS+ use, the same server can be utilized for the IBM Integrated Security Solution for Cisco Networks concept, thus safeguarding the existing investment.
Part 2, “Customer environment” on page 75, details a comprehensive deployment scenario. 2.6 Conclusion. In this chapter, we discussed the architecture and design principles for the IBM Integrated Security Solution for Cisco Networks. The overall architecture encompasses several components from IBM and Cisco, with integrated systems that complement each other by providing the industry’s first compliance-based Network Admission Control system with automated remediation capabilities.
Chapter 3. Component structure. This chapter introduces the logical and physical components of the IBM Integrated Security Solution for Cisco Networks. The final section of this chapter talks about the logical data flow among the various components to better understand dependencies and component placement within the network.
This solution is an integration of products from IBM and Cisco. The IBM products focus on the aspects of compliance and remediation, and the Cisco products provide the Network Admission Control (NAC) and policy validation components.
The logical components are: Network Admission Control Compliance Remediation The following sections provide function and architecture details for each component. 3.1.1 Network Admission Control Network Admission Control (NAC) is the Cisco component of the solution that provides enforcement by restricting traffic based on the client's posture. Cisco NAC can be implemented via NAC Framework or NAC Appliance.
Figure 3-2 ACS architecture. Here are brief explanations for the ACS services (CSAdmin, CSAuth, CSDBSync, CSLog, CSTacacs, CSRadius, CSMon): CSAdmin provides an HTML interface for administration of ACS...
NAC-compliant applications that are installed on network clients and reports the posture information to a posture validation server, which is the Cisco Secure ACS. For the IBM Integrated Security Solution for Cisco Networks, the posture information is provided by the Tivoli Security Compliance Manager client.
Figure 3-3 Cisco Trust Agent architecture (elements shown: Cisco Trust Agent service, which responds to network requests for client system ...; Logging service; Posture plug-in; EXT-Posture plug-in; Client Application (EXT-Service); Application supplied Posture Credential...)
EAP methods: Provide a mechanism to authenticate the application or device requesting the host credentials, and encrypt or decrypt that information. Network Admission Control Appliance. The Network Admission Control Appliance consists of the following subcomponents: Clean Access Manager (CAM), Clean Access Server (CAS), Clean Access Agent (CAA), Clean Access Policy Updates. Clean Access Manager (CAM)
Storing the security compliance data received from the clients and providing the available data to users through the administration console and administration commands. Providing security violation details as a basis for the compliance report components.
Figure 3-4 IBM Tivoli Security Compliance Manager logical component architecture (elements shown: Collectors for Windows Registry, Configuration File, and Executable). Figure 3-4 shows: Administration components, which consist of a graphical user interface and a ... Data collection component. Compliance reporting (Compliance Report Components). Operational...
Compliance evaluation Note: You can find more details about these components in the IBM Redbook Deployment Guide Series: IBM Tivoli Security Compliance Manager, SG24-6450. Compliance client The client consists of modules that run on the endpoint to collect compliance information and report it to the Security Compliance Manager server. In the IBM...
The compliance client component (Figure 3-5) consists of the following modules: Policy collector, Posture collector, Posture cache, Posture plug-in, Default remediation handler. Figure 3-5 Compliance client logical component (elements shown: SCM Client, Posture Collector, Posture Cache, Policy Collector, Posture Plug-in, Remediation Handler). Posture collector: A collector is a Java language-based software module, packaged as a Java Archive (JAR) file, that collects specific information from a client system.
In the IBM Integrated Security Solution for Cisco Networks, the collector is called a posture collector and performs both posture data collection and posture status determination. The posture data collection part of a posture collector is the same as in a regular Security Compliance Manager collector, but the posture status determination part of a posture collector is an extension to the standard model.
In the IBM Integrated Security Solution for Cisco Networks, requests for the required corrections are initiated by the client,...
3.2 Physical components The discussion so far has been focused on the various logical components that make up the IBM Integrated Security Solution for Cisco Networks. In this section we map the logical components into physical components that make up the IBM Integrated Security Solution for Cisco Networks.
Cisco Trust Agent The Cisco Trust Agent is Cisco client software that is required to pass posture credentials and validation results between the Cisco NAC solution and the IBM Security Compliance Manager client. Security Compliance Manager client The Security Compliance Manager client is a software component that is physically installed on the network client.
The Security Compliance Manager server is an IBM-developed solution for the complex problem of deploying and checking enterprise policies. The server provides a platform for the creation of various client compliance policies that can be deployed to the clients. The server is also used for administration and for providing reports about client compliance to deployed policies. Tivoli Configuration Manager servers. There are two Tivoli Configuration Manager servers used for remediation. Tivoli Configuration Manager Software Distribution Server is used to create remediation objects and publish them to the Tivoli Configuration Manager Web Gateway Server, where they are made available to clients requesting remediation.
The first step in the data flow is the creation and deployment of a policy. If a Tivoli Configuration Manager server is used for remediation, a corresponding remediation object should also be provided. Details of the policy creation and deployment process are discussed here: Remediation object creation and publishing (1a). A remediation object that can remediate violations must be provided. The naming and creation of these objects is dependent on the corresponding Security Compliance Manager posture collectors and certain naming conventions.
Cisco Trust Agent when it queries the Security Compliance Manager client. The policy collector passes the posture credentials to the Cisco Trust Agent using a posture plug-in. ... Network Access Profiles posture criteria...
NAC-compliant applications (in this case, Security Compliance Manager client). The security posture credentials are requested and received through posture plug-ins provided by IBM. When the Cisco Trust Agent queries for posture credentials, the Security Compliance Manager client component responds with the posture credentials that were collected in 2b.
RADIUS Access Control set or a downloadable IP ACL filter. ... pointing to the Configuration Manager server.
Remediation (flow 4). Two cases should be considered for the remediation process: one where the organization has a Tivoli Configuration Manager server with an automatic remediation implementation, and the other where the organization will use manual methods for remediation using a Web server or alternative methods. Manual remediation could be provided with a Web server from which a user can download the required software to meet the software compliance requirements and manually comply with the configuration requirements.
Figure 3-7 Secure communication between components (elements shown: Client with Cisco Trust Agent; Policy Enforcement Device (NAD); EAPoUDP/EAP on LAN; EAP over RADIUS; CA Server; Server Certificate; Compliance Server (SCM); Root Certificate...)
IBM Integrated Security Solution for Cisco Networks can fit into an enterprise network. 3.4.1 Security zones. As per IBM MASS (Method for Architecting Secure Solutions), networks can be divided into five major security zones. Uncontrolled zone/Internet, external networks...
Network client machines represent the users of corporate resources. Clients access these resources using various access methods such as LAN, wireless, WAN, and Internet access. Clients using these access methods mostly enter the ... Business Partner Connections...
Figure 3-9. This discussion can help customers visualize the practical deployment scenarios of the IBM Integrated Security Solution for Cisco Networks in their organization. Dialup...
However, in general, the principles discussed here may be translated easily into appropriate architectures for such environments. ... The semi-trusted network zone is called the DMZ. It provides a buffer ... controlled zone.
3.4.2 Policy enforcement points The IBM Integrated Security Solution for Cisco Networks employs the Cisco NAC solution to restrict access to users depending on the compliance level of the client. The NAC solution requires network access devices (NAD) to be deployed at various network points to enforce the policy.
The NAC Framework can work in IP Communications environments. For 802.1x environments, Cisco IP Phones must be used. For EAP/UDP environments, both Cisco and non-Cisco IP Phones may be used.
Figure 3-11 Campus ingress enforcement (Branch Office Compliance, Campus Ingress Enforcement; elements shown: Corporate Headquarters, Data Center, AAA Server, Internet, Posture Enforcement Points, Router, Site-to-Site VPN Users)
Figure 3-12. This will also be the practical deployment option for clients who are using Port Address Translation to access corporate resources. Figure 3-12 SOHO compliance (SOHO Compliance, PAT access protection; elements shown: Corporate Headquarters, Data Center, Internet...)
Extranet compliance. Organizations could have WAN connections to share information with partners. This would require partner systems connecting to the parent organization to comply with the policies laid down by the parent organization. The policy enforcement device can be deployed appropriately to ensure that these partner systems comply with the parent organization’s policies (Figure 3-13).
Figure 3-14 shows a lab policy enforcement scenario. Figure 3-14 Lab compliance (LAB Compliance; AAA...)
Data Center protection. The Data Center is the site where organizations host business-critical systems that require maximum protection. Compliance can be checked for client systems before they are provided connections to the resources at the Data Center (Figure 3-15). Figure 3-15 Data Center Protection (AAA...)
3.5 Conclusion The IBM Integrated Security Solution for Cisco Networks is an integration of products from IBM and Cisco. New components have been added to each of the individual product sets so they can work in unison. The components in this chapter have been described with integration being the prime objective.
Part 2. Customer environment. Part 2 discusses how the IBM Integrated Security Solution for Cisco Networks might be used in customer situations. We use a well-known customer scenario, the Armando Banking Brothers Corp. In our last encounter in the IBM Redbook Deployment Guide Series: IBM Tivoli Security Compliance Manager, SG24-6450, they successfully deployed the Tivoli Security Compliance Manager solution for their distributed server environment.
Currently ABBC is leveraging the existing IBM product solutions of the IBM Tivoli Identity Manager and the IBM Tivoli Access Manager to manage and enforce its authentication and authorization policies. Like many companies, ABBC has found that traditional hacker attempts to gain unauthorized access are only part of the security threat factor.
Next we describe the logical network components that make up the ABBC network (Figure 4-1). ABBC has developed the network and application security infrastructure in line with the IBM MASS security model. The network has the following major security zones:...
NAC L2 802.1x, or NAC L3 IP. It utilizes Cisco routers, switches, VPN Concentrators, and Adaptive Security Appliances. Cisco Secure ACS is an integral component of NAC Framework.
Figure 4-2 is representative of the ITSO Lab Environment used for L2Dot1x NAC deployment. VLAN-11 Healthy Sales VLAN in the Core network. This VLAN hosts those users that have been authenticated by IEEE 802.1x as members of the Sales Group and have been posture validated as Healthy. VLAN-12 Healthy Engineering VLAN in the Core network.
NAC functionality on non-Cisco based networks. NAC Appliance can be deployed in a variety of ways. In this example, it has been deployed as an out-of-band gateway.
Figure 4-3 on page 84 is representative of the ITSO Lab environment used for NAC Appliance deployment. VLAN 20 This is the Access VLAN for a Healthy user. All DHCP addresses are provided from VLAN 20, regardless of whether a user is compliant or noncompliant.
SNMP-write to the user’s switch, changing the switch membership from VLAN 120 back to VLAN 20. The user, now compliant, has access to the core network, bypassing the CAS.
General management and the IT department are aware of the need for a solid basis to implement their future goals. The current environment with multiple systems is complex; the introduction of IBM Tivoli Access Manager for e-business in a previous project deployment provided a centralized, solid, and easy-to-manage security architecture to help control access to ABBC’s...
The diagram in Figure 4-4 provides a high-level graphical overview of the existing ABBC security infrastructure. We see that ABBC is using the IBM Tivoli Access Manager best-practice deployment methodology by incorporating dual multiple firewalls to secure the core network from external and internal users.
Manager solution to all of its server systems; this deployment provided monitoring and management of security compliance postures. Next, ABBC plans to extend the IBM Security Compliance Manager down to the workstation level, followed by the enforcement of security compliance postures through integration with Network Admission Control–enabled network hardware.
Table 4-1 High-level project overview (columns: Action, Notes, Reference). Action: Part I - Security compliance server, Tivoli Security Compliance Manager setup. Notes: Detailed steps for a ... Reference: 6.1, “Tivoli Security ... Security Compliance...
In a true deployment, the proper forethought, establishment of process, and policy are major keys to success. Install compliance client. This includes both the IBM software client components and the Cisco Trust Agent software. Part II - Networking infrastructure, NAC Framework...
Configuration Manager. Install Tivoli Configuration Manager Web Gateway. Install and configure remediation package Web server. Notes: Highlights the steps for installing the Clean Access Agent. Reference: 7.2.1, “Installing CCA”...
IT infrastructure. More recently, in the face of growing concerns over threats, compliance-related risk, and government regulations, ABBC installed the IBM Security Compliance Manager product and uses it to proactively monitor compliance of their servers. As the next major undertaking, ABBC is extending the Security Compliance Manager coverage to include the workstation systems of their internal and mobile workforce.
Part 3, “Appendixes” on page 439, builds on this infrastructure and adds automatic remediation functionality. The detailed technical implementation of Part 3, “Appendixes” on page 439, is described in Chapter 8, “Remediation subsystem implementation” on page 355.
As described in Chapter 4, “Armando Banking Brothers Corporation” on page 77, Armando Banking Brothers Corporation (ABBC) is well vested in the IBM Tivoli Identity, Access, and Compliance management solutions. With the emergence of the Network Admission Control program, as sponsored by Cisco Systems, it is ABBC’s direction to introduce a Network Admission Control...
Uniform security policies, no matter where a user tries to connect from. The traditional perimeter defense is no longer sufficient because the perimeter is very porous in today’s business environment. Locating and isolating noncompliant systems consumes time and resources.
5.2.4 Solution functional requirements ABBC has well-defined security policies for their servers, as well as the existing infrastructure to measure and track compliance via the IBM Tivoli Security Compliance Manager product. However, ABBC lacks a technical method to check security compliance of the users’ workstations, which are known to contain a lot of the company’s sensitive data.
Utilizing the existing Tivoli Security Compliance Manager and Tivoli Configuration Manager software minimizes training and maintenance costs, thereby addressing the fiscal business requirement. Note that the Network Admission Control methodology is being extended only to workstations.
ABBC will institute posture-based network admission. Systems deemed in noncompliance will be quarantined and allowed to access only the remediation network. Figure 5-1 shows a conceptualized view of the functional requirements.
Figure 5-1 NAC solution conceptual functional requirements (figure components: Workstation with Tivoli SCM Client and Cisco NAC Agent; Remediation; Tivoli Configuration Manager)
It must be noted that the Network Admission Control (NAC) system is not intended to be a replacement for traditional workstation life cycle management. As documented in 2.3.2, “Security policy life cycle management” on page 30, we...
The deployment of the NAC, along with the IBM Integrated Solution for Cisco Networks, enables ABBC to noncompliant systems after the expiration of this grace period.
IBM Tivoli Configuration Manager refer to the product documentation IBM Tivoli Configuration Manager Version 4.2.3 Planning and Installation Guide, GC23-4702-03. Here we focus on extending the infrastructure...
The IISSCN_TCM_v2.00_WinXP.pol policy bundle, which is available from the IBM Tivoli Security Compliance Manager 5.1 Utilities Web page (see “Online resources” on page 484), is used as our initial reference policy. This policy bundle contains the posture collectors that are used to make client-side compliance decisions.
See “Compliance client” on page 48 for more about these client components.
Tip: Other terms used to describe the unique nature of the policy collector management collector include...
(Figure labels: SCM Client, Posture Collector, Posture...)
Although the policy collector appears to be at a peer level with the posture collectors in Figure 5-5, it is actually a hierarchical relationship, as shown in Figure 5-4 on page 104.
Figure 5-5 Security Compliance Manager policy collector - edit collector parameters
The Tivoli Security Compliance Manager policy collector parameters are set exactly the same way the posture policies are set.
Figure 5-7 Setting the posture cache maximum data age
... parameter (Figure 5-6) establishes the version level...
For ABBC we set the parameter to 60 seconds. Effectively this forces the posture status to refresh itself at every challenge. Figure 5-8 shows the conceptual control flow for this parameter.
Figure 5-8 MAX_DATA_AGE_SECS conceptual flow (figure labels: Posture Cache, Refresh Cached Data, Network Access Device...)
Java class to call to handle the remediation process. This field is a simple string and should have the value of:
com.ibm.scm.nac.tcmremed.client.TCMRemediator
Figure 5-10 Setting the remediation handler class name
JAR file is located for the remediation Java class specified in the REMEDIATION_CLASS attribute. This field is a simple string and should have the value of: collectors/com.ibm.scm.nac.tcmremed.client.TCMRemed.jar Figure 5-11 Setting the remediation handler JAR classpath The value of the POLICY_VERSION parameter must then be handed over to the networking team.
Enhancements may be seen in future releases, including finer-grained posture data transmission.
(Figure labels: Policy Client, Sends posture status, Network Access...)
In the posture validation policies, we check that a client has the correct minimum supported version of CTA installed and is running the correct version of the Security Compliance Manager policy (Figure 5-13).
Figure 5-13 Posture validation policies
For detailed information about the creation and configuration of the Cisco Secure Access Control Server, see 7.1.1, “Configuring the Cisco Secure ACS for NAC L2 802.1x”...
When Jim logs on, he successfully authenticates to IEEE 802.1x. His posture assessment is Healthy, so Jim is mapped to the Healthy_Engineering_RAC (VLAN 12). Should Jim pass his IEEE 802.1x authentication, but receive a ...
... what is connecting to our networks.
Figure 5-14 Shared RADIUS Authorization Components In our scenario, we list the Cisco Trust Agent (Cisco:PA) and the Security Compliance Manager agent (IBM Corporation:SCM) as our posture validation policies. Thus in all, three pieces of information are used to make the access decision: IEEE 802.1x authentication (User Group Mapping)
NAD, in our case a Layer-3 capable Cisco 3750 switch. Switched Virtual Interfaces (SVIs) were defined, and the access lists were bound to these SVIs. Each Shared RADIUS Authorization Component had a corresponding ACL defined on the NAD. The example below shows the configuration used for the Healthy Engineering VLAN and the Quarantine Sales VLAN.
access-list 120 remark **Healthy Engineering VLAN ACLs**
access-list 120 deny ip any 192.168.13.0 0.0.0.255
access-list 120 deny ip any 192.168.14.0 0.0.0.255
access-list 120 deny ip any 192.168.15.0 0.0.0.255
access-list 120 permit ip any any
...
The endpoint device complies with the currently required credentials so you do not have to restrict this device.
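As an added example (not code from the book or from Cisco), a small Python evaluator for the Healthy Engineering ACL above: it parses the access-list lines, applies Cisco wildcard-mask matching, and honours the implicit deny at the end of every IOS ACL, so a defender can confirm which destinations a Healthy endpoint can reach. The ACL text is the one printed in this section; the source and destination addresses used in the check are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# ACL text exactly as shown on this page for the Healthy Engineering VLAN.
ACL_120 = """
access-list 120 remark **Healthy Engineering VLAN ACLs**
access-list 120 deny ip any 192.168.13.0 0.0.0.255
access-list 120 deny ip any 192.168.14.0 0.0.0.255
access-list 120 deny ip any 192.168.15.0 0.0.0.255
access-list 120 permit ip any any
"""


@dataclass(frozen=True)
class Ace:
    """One access control entry: action plus source/destination network and
    Cisco wildcard mask (a 1 bit in the wildcard means 'don't care')."""
    action: str
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i].
    Returns (network, wildcard, index of the next unread token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text: str) -> List[Ace]:
    """Parse extended 'access-list N {permit|deny} ip SRC DST' lines.
    Remark lines and blank lines are skipped; other protocols are rejected."""
    aces: List[Ace] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        if tok[2] not in ("permit", "deny") or tok[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src_net, src_wild, nxt = _parse_addr(tok, 4)
        dst_net, dst_wild, _ = _parse_addr(tok, nxt)
        aces.append(Ace(tok[2], src_net, src_wild, dst_net, dst_wild))
    return aces


def _wildcard_match(addr: int, net: int, wild: int) -> bool:
    """Compare only the address bits that are 0 in the wildcard mask."""
    care = (~wild) & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_decision(aces: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if (_wildcard_match(s, ace.src_net, ace.src_wild)
                and _wildcard_match(d, ace.dst_net, ace.dst_wild)):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows from a host on the Healthy Engineering VLAN.
    aces = parse_acl(ACL_120)
    for dst in ("192.168.13.5", "192.168.15.250", "10.1.1.1"):
        print(f"192.168.12.10 -> {dst}: {acl_decision(aces, '192.168.12.10', dst)}")
```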
See 8.4, “Building the remediation workflows” on page 417, for information about the creation of the workflows for the IBM Integrated Security Solution for Cisco Networks.
Remediation handler HTML pages
The remediation process does not link back to a central compliance posture and the Access Control Server posture token and access control list.
IA32 platform Red Hat AS/ES 4.0 for IA32 This list may change as new platforms and versions are being certified for support. For the latest list check the IBM Support Web site at:
http://www.ibm.com/software/sysmgmt/products/support/Tivoli_Supported_Platforms.html
Lists of the hardware requirements for all of the different hardware architecture types are also available on the support Web page at:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.
Access Control Server
The IBM Integrated Security Solution for Cisco Networks requires Version 4.0 of the Cisco Secure ACS. Detailed specifications follow.
Operating system requirements for ACS V4.0 are:
Windows 2000 Server
Windows 2000 Advanced Server with the following conditions:
– Service Pack 4 installed
– Without any feature specific to Windows 2000 Advanced Server enabled or without Microsoft clustering service enabled
Windows Server®...
Cisco 850 Series Router
Cisco 870 Series Router
Cisco 1700 Series Router
Cisco 1800 Series Router
(Table columns: NAC Layer 2 IEEE 802.1x authentication and validation; NAC Layer 2 IP validation...)
Cisco 2600XM Series Router
Cisco 2691 Multiservice Platform
Cisco 2800 Series Router
Cisco 3640 Multiservice Platform
Cisco 3660-ENT Series Router
Cisco 3725 and 3745 Multiservice Access Routers
Cisco 3800 Series Router
Cisco 7200 Series Router
For the most up-to-date information refer to:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bc84.pdf
Cisco Trust Agent...
The resulting multitude of combinations is well beyond the scope of this book. While we wrote this book, the current version of the remediation server was 4.2.3. For the list of supported operating system types consult the IBM Support Web site at:
http://www.ibm.com/software/sysmgmt/products/support/Tivoli_Supported_Platforms...
EAR file. This application must be installed on the same WebSphere Application Server as the Web Gateway component.
Remediation handler
In the current release of the solution, the remediation handler is delivered in the form of the Security Compliance Manager collector JAR file and is automatically downloaded to the client workstation together with the compliance policy.
Chapter 6. Compliance subsystem implementation
This chapter describes the IBM Tivoli Security Compliance Manager part of the Network Admission Control (NAC) solution, where the main concern is the establishment of security policy. We describe the process of setting up the compliance components, which...
Copy the installation files to the local drive instead.
1. To start the installation move to the directory where you have copied the binaries and run the setup file db2setup.exe.
2. After a little while you are presented with the Welcome window, as shown in Figure 6-1. Click the Install Product selection on the left.
Figure 6-1 DB2 installation welcome window
Figure 6-2. Depending on the installation media you use there may be more than one option presented. Select DB2 UDB Enterprise Server Edition and click Next.
Figure 6-2 DB2 version selection window
4. Next the welcome window is displayed, as presented in Figure 6-3. Click Next.
Figure 6-3 Setup wizard welcome window
5. On the next dialog you are presented with the standard license agreement (Figure 6-4). Accept the license and click Next.
Figure 6-4 License agreement window
6. In the Installation type selection window (Figure 6-5) leave all of the default values (which is the Typical installation) and click Next.
Figure 6-5 Installation type selection window
If you plan to perform multiple installations you may mark the second check box. Otherwise, click Next.
Figure 6-6 Installation action selection window
(Check box descriptions recovered from this page: ... which is selected by default; ... which will save your selections to a response file, ...)
8. In the next window, shown in Figure 6-7, you must select the installation destination folder. Make sure that there is enough space on the selected drive and click Next.
Figure 6-7 Installation folder selection window
Make sure that you have written this down, as you will need this password several times during the installation of the other components. Then click Next.
Figure 6-8 User information dialog
10. In the next dialog, depicted in Figure 6-9, you are presented with the administration contact configuration options, where you may specify names of the users who should be notified by the database if something goes wrong. If you leave the defaults and click Next you will be presented with the additional warning that Notification SMTP server information has not been specified, which you can ignore by clicking OK.
TCP/IP, and the database instance is instructed to start automatically when you boot the system. We recommend that you leave the defaults and click Next.
Figure 6-10 DB2 Instance configuration window
12. As we do not need to use any DB2 tools on the next dialog, shown in Figure 6-11, click Next.
Figure 6-11 DB2 Tools selection dialog
Select the option to Defer this task until after installation is complete and click Next.
Figure 6-12 Administrator contact selection window
14. In the next window, shown in Figure 6-13, you are given a last chance to review your selected options. If everything is as you want, click Install.
Figure 6-13 Installation options summary
1. To start the installation move to the folder where you have copied the installation files and run the scmserver_win32.exe file.
..., which you may safely close by clicking Exit First Steps in...
2. The usual language selection box is presented, as shown in Figure 6-15. Accept English and click Next.
Figure 6-15 Language selection dialog
3. Click Next on the Tivoli Security Compliance Manager Welcome window, which is presented next. There will be a license agreement window displayed, as shown in Figure 6-16.
Administration Utilities
Server
Database Configuration
When this option is selected the graphical user interface will be installed as well as the command line utilities for managing the server.
For this installation we must have all three components installed, so select the second option Server, as presented in Figure 6-18, and click Next.
Figure 6-18 Setup type selection window
Tivoli Security Compliance Manager server installation.
If you do not have the SMTP server name available put any name there. You can easily change these values later in the server.ini configuration file. Then click Next.
Figure 6-19 E-mail server configuration dialog
7. In the next window, shown in Figure 6-20, the installation wizard asks for the communication ports the server uses to communicate with the clients. We strongly recommend leaving the defaults. Click Next.
Figure 6-20 Server Communication Configuration window
Security Compliance Manager server. In the next four fields provide the passwords (and password confirmations) to access the keystore files generated during the installation. Then click Next.
Figure 6-21 Server Security Configuration
9. In the next window, presented in Figure 6-22, select the location for your database. If you installed DB2 as described in 6.1.1, “Installation of DB2 database server” on page 126, select The database is on the local system option and click Next.
Figure 6-22 Database Location selection window
Figure 6-23. Enter the username and password for the DB2 administrator you have provided in step 9 on page 134. Leave the other fields with the default values and click Next.
Figure 6-23 Database configuration information
11. In the next dialog, shown in Figure 6-24, you are asked whether the database should be created during this installation. Make sure that the check box is marked and click Next.
Figure 6-24 Database creation choice window
This user ID is created in the Tivoli Security Compliance Manager database and does not need to be a system account. Click Next to continue.
Figure 6-25 Administrator User ID Configuration window
13. Finally you are presented with the installation selection summary, as shown in Figure 6-26. Click Next to start the actual installation.
Figure 6-26 Installation options summary window
As an example we are using Symantec Antivirus software, but the solution can include rules for different antivirus software as well.
Do not close this window. When the...
The information that is collected by the posture collectors is cached on the client system and can be used by the com.ibm.scm.nac.posture.PolicyCollector collector (or policy collector, for short) running on the client to make a security posture policy decision without contacting the Tivoli Security Compliance Manager server.
The data collection was successful, and the security posture of the selected item matches the required value.
remediation subsystem, such as a Tivoli Configuration Manager. After the remediation has been performed, the remediation subsystem communicates to the policy collector to obtain updated status and, if necessary, perform additional remediation.
6.2.3 Installation of posture collectors
The compliance policies are defined on the Tivoli Security Compliance Manager server and are sets of rules verifying whether the data collected on the client meets the security policy criteria.
4. If it is the first time you start the Administration Console you may be prompted to accept the new server identity, as shown in Figure 6-29. Just click Accept Forever.
Figure 6-29 New Server Identity warning
5. You are presented with the default Message of the day window, which by default contains only the information about the Tivoli Security Compliance Manager version. Click OK. On the main Administrative Console window, as shown in Figure 6-30, switch to the Policies tab.
Figure 6-30 Tivoli Security Compliance Manager Administration Console
6. ...
8. In the next dialog, presented in Figure 6-33, you can change the default policy name. We recommend that you leave the default name unless you have already imported this policy, and click Next.
Figure 6-33 Policy name dialog
9. In the next step the import wizard performs a validation of the signatures of the collectors included with the policy. When it is completed, as shown in Figure 6-34, click Next.
Figure 6-34 Collectors signature validation
If you are just following this book, there will be no warnings and you will be presented with the Policy Installation Summary, as shown in Figure 6-35. Click Finish to close the Import policy wizard.
Figure 6-35 Policy installation summary
11. After the wizard is closed you will see the imported policy in the Administrative Console, as shown in Figure 6-36.
Figure 6-36 Compliance Policy view
To import the additional two sample policies named IISSCN_TCM_v2.00_winXP.pol and IISSCN_TCM_v2.00_win2000.pol, repeat steps 6 to 10, selecting the correct files accordingly.
6.2.4 Customization of compliance policies
To begin the process of building customized policies for your environment we first need to explain the role of the policies imported in the previous section.
1. To start the customization open the Tivoli Security Compliance Manager Administration Console and log in as admin. Then move to the Policies tab and select the IISSCN_TCM_v2.00_winXP policy, as shown in Figure 6-37.
Figure 6-37 Policies view
2. In the right pane click the Collectors tab and select the Symantec Antivirus collector, as shown in Figure 6-38.
Figure 6-38 Collectors configuration view
3. The collector responsible for the Symantec Antivirus policy check is named nac.win.any.nav.PostureNavV2, and it is capable of checking three conditions regulated by the parameters specified on the Parameters dialog, shown in Figure 6-39.
Parameter names listed in the table: PASS_VERSION, WARN_VERSIONS, VERSION_WF, FAIL_LAST_SCAN_OVER, WARN_LAST_SCAN_OVER, SCAN_WF, FAIL_DEFS_OLDER_THAN
Table columns: Parameter name, Parameter type, Description
Operational: A list of acceptable Symantec/Norton Antivirus product versions. This list may consist of one or more entries.
Parameter names (continued): WARN_DEFS_OLDER_THAN, DEFS_WF
To adjust the parameters to your need modify the operational parameters, selecting the appropriate tabs. To add additional values to the parameter click the plus (+) sign. To remove a value click the minus (-) sign. Do not change the default names of the remediation workflows.
These parameters accept only one integer value, so do not add multiple values and also do not change the default names of the remediation workflows.
Table columns: Parameter type, Description...
When you are done editing click Save. 5. The next policy we customize is the one that checks for the appropriate operating system service pack level installed on the client workstation. Back at the list of the collectors right-click the Windows Service Pack collector.
The full list of parameters is described in Table 6-3.
Table 6-3 Parameter information for nac.win.any.oslevel.PostureOSLevelV2
Parameter name / Parameter type / Description
PASS_WINDOWS_NT / Operational / List of accepted service packs for the Microsoft Windows NT operating...
WARN_WINDOWS_NT
PASS_WINDOWS_2000
Parameter name / Parameter type
WARN_WINDOWS_2000 / Operational
PASS_WINDOWS_2003 / Operational
WARN_WINDOWS_2003 / Operational
PASS_WINDOWS_XP / Operational
WARN_WINDOWS_XP / Operational
SERVICE_PACK_WF / Workflow
The operational parameters listed above accept multiple values, so edit the appropriate parameters by selecting the proper tabs and adding all the versions accepted in your environment. To add additional values to the parameter click the plus (+) sign.
To remove the value click the minus sign. Do not change the name of the workflow. When you are done editing click Save.
Parameter type / Description
Operational / Parameter used to specify which Microsoft hotfixes are suggested.
8. The next policy we configure checks whether the personal firewall is installed and running. Since we are using the generic posture collectors, this policy was implemented as two separate policies: one that checks the registry to determine whether the firewall is installed, and a second that checks the services to determine whether it is running. As an example we have chosen to check for the ZoneLabs firewall, but you can easily adjust these policies for any other personal firewall.
VALUE / Operational
NO_VALUE_RULE / Operational
Description: Used to determine the status of the registry key existence check if the registry key specified in KEY is not found. No more than one parameter value should be provided. If more than one parameter value is provided, only the first parameter value will be used.
Parameter name / Parameter type
VALUE_DATA_RULES / Operational
DEFAULT_RULE / Operational
KEY_WF / Workflow
VALUE_WF / Workflow
VALUE_DATA_WF / Workflow
The way this collector works depends on the data you have provided as parameters. It first checks for the key existence if one is specified. Then it checks if the value is specified.
Table 6-6 Valid rule operators
Operator: <, <=, >, >=, <>, ...
(Fragments recovered from the table and surrounding text: “... true is called a ..., or cannot be evaluated, is called a ...”; String context; Equal; Not equal...)
There are some limitations on numeric context evaluations. The collector initially receives all values from the underlying utilities as strings. For example, even though the registry type might be REG_DWORD and the value is set to 0x00000630, the collector will receive this value as the string 1584. Numeric checks are only run if both the value in the registry and the value in the rule can be converted to a 32-bit integer.
Since you need the remediation only in case the value exists and is set to 0 you must specify only one workflow parameter VALUE_DATA_WF to, for example, TCRFirewallForcedOff.
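An added example (not the collector’s own code, which is delivered as a Java JAR) that models the rule evaluation described above for the nac.win.any.regkey.PostureRegKeyV2 collector: every registry value arrives as a string, a rule runs in numeric context only when both sides convert to a 32-bit integer and otherwise in string context, and a failing VALUE_DATA_RULES check maps to the single VALUE_DATA_WF workflow. The “=” operator symbol, lexicographic string ordering, the treatment of conditions without a configured workflow, and the registry snapshot are assumptions or constructed sample data.

```python
import operator
from typing import Optional, Tuple

# Operators from Table 6-6 on this page. "=" (the Equal row) is assumed, since
# the page names the Equal description but its symbol was lost in extraction.
_OPS = {
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
    "<>": operator.ne, "=": operator.eq,
}
INT32_MIN, INT32_MAX = -(2 ** 31), 2 ** 31 - 1


def registry_data_as_string(data) -> str:
    """The collector receives every registry value as a string: a REG_DWORD
    of 0x00000630 arrives as the decimal string '1584'."""
    return str(data)


def as_int32(text: str) -> Optional[int]:
    """Return the value as an int only if it is a decimal 32-bit integer."""
    try:
        n = int(text.strip(), 10)
    except ValueError:
        return None
    return n if INT32_MIN <= n <= INT32_MAX else None


def parse_rule(rule: str) -> Tuple[str, str]:
    """Split '<> 0' into ('<>', '0'). Longer operators are tried first so
    '<=' is not read as '<' followed by an operand starting with '='."""
    rule = rule.strip()
    for op in sorted(_OPS, key=len, reverse=True):
        if rule.startswith(op):
            return op, rule[len(op):].strip()
    raise ValueError(f"no valid operator in rule {rule!r}")


def evaluate_rule(data, rule: str) -> Tuple[bool, str]:
    """Evaluate one rule and return (result, context), context being
    'numeric' or 'string'. Numeric context is used only when both the
    registry data and the rule operand convert to a 32-bit integer; the
    string-context ordering used here (Python lexicographic) is an assumption."""
    op, operand = parse_rule(rule)
    left = registry_data_as_string(data)
    l_num, r_num = as_int32(left), as_int32(operand)
    if l_num is not None and r_num is not None:
        return _OPS[op](l_num, r_num), "numeric"
    return _OPS[op](left, operand), "string"


def posture_regkey_check(snapshot: dict, key: str, value: str,
                         value_data_rules, key_wf: Optional[str] = None,
                         value_wf: Optional[str] = None,
                         value_data_wf: Optional[str] = None
                         ) -> Tuple[str, Optional[str]]:
    """Model of the collector's order of checks: key existence, then value
    existence, then VALUE_DATA_RULES. A condition with no configured workflow
    is treated as not requiring remediation (assumption), which is why the
    firewall policy on this page sets only VALUE_DATA_WF."""
    if key not in snapshot:
        return ("FAIL", key_wf) if key_wf else ("PASS", None)
    if value not in snapshot[key]:
        return ("FAIL", value_wf) if value_wf else ("PASS", None)
    data = snapshot[key][value]
    for rule in value_data_rules:
        ok, _context = evaluate_rule(data, rule)
        if not ok:
            return "FAIL", value_data_wf
    return "PASS", None


# Constructed sample registry snapshot: placeholder key and value names,
# not the real ZoneAlarm registry locations. Enabled == 0 models a forced-off
# firewall, the one case the page says needs remediation.
SAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\ExampleVendor\Firewall": {"Enabled": 0},
}

if __name__ == "__main__":
    print(evaluate_rule(0x00000630, ">= 1584"))   # numeric context
    print(evaluate_rule("0x630", "= 1584"))       # string context
    print(posture_regkey_check(SAMPLE_SNAPSHOT,
                               r"HKLM\SOFTWARE\ExampleVendor\Firewall",
                               "Enabled", ["<> 0"],
                               value_data_wf="TCRFirewallForcedOff"))
```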
When you are done with editing the parameters for the nac.win.any.regkey.PostureRegKeyV2 collector click Save.
1. The second part of the firewall policy is meant to check whether the firewall service is running. This policy is checked using the generic nac.win.service.PostureServiceV2 collector. To open the parameter editing dialog shown in Figure 6-45, right-click the ZoneAlarm Firewall Active collector in the policy collector view and click Edit collector parameters from the pop-up menu.
REQ_DISABLED and SERVICE_DISABLED_WF fields. The summary of the settings for this policy is presented below:
– SERVICE_REQ equal to TrueVector Internet Monitor
– REQ_RUNNING equal to 1
(Table columns: Parameter type, Description; Operational...)
– SERVICE_RUNNING_WF equal to TCRZLSoftwareRunning
– REQ_DISABLED not set
– SERVICE_DISABLED_WF not set
When you are done editing click Save.
2. According to our security policy outlined in “Security compliance criteria” on page 100 we must add one more policy checking for the status of the Messenger service, which must be disabled.
Select IISSCN_TCM_v2.00_winXP, which is also the source for this compliance query, and click OK.
Figure 6-47 Destination policy selection dialog
There cannot be two compliance queries with the same name in one policy, so the copy of the compliance query is automatically renamed. It received an added _0 suffix. We must rename our new compliance query. Right-click the new ZoneAlarm Firewall Active_0 compliance query and select Rename compliance query, as shown in Figure 6-48.
OK. Then, in the right pane, modify the description of the compliance query, as shown in Figure 6-49, and click the Save button on the right.
Figure 6-49 Compliance query description modification
Next select the Compliance SQL tab on the right pane and modify the violation message generated by the compliance check, as shown in Figure 6-50. There is no need to change the SQL compliance query itself, as it does not refer to any values other than the number of violations, which is generic for all services.
A small dialog window is displayed asking you for the new name of the collector instance. Enter Messenger Service Disabled, as shown in Figure 6-52, and click OK.
Figure 6-52 New collector instance name dialog
Now we must change the parameters for the new collector instance. Right-click the Messenger Service Disabled collector instance and click Edit collector parameters from the pop-up menu. The parameters were described in Table 6-7 on page 177. Provide the following parameter values: –...
Then when any new client is added to the group it will be automatically assigned with the latest policy version.
The steps are:
1. When logged into the Tivoli Security Compliance Manager Administration Console with administrative privileges select the Clients tab and click the Actions → Group → Create Group menu item, as shown in Figure 6-55.
Figure 6-55 Create group action selection
2. ...
4. The Select a policy window is displayed, as shown in Figure 6-58. Select the IISSCN_TCM_v2.00_winXP policy (the one we changed in 6.2, “Configuration of the compliance policies” on page 152) and click OK.
Figure 6-58 Policy selection window
5. An informational dialog is displayed, as shown in Figure 6-59, showing the successful completion. To close it click OK. Figure 6-59 Operation complete dialog 6. Repeat steps 3 to 5 to select the TCMCLI policy this time. When you have your group selected in the left pane and you click the Policies tab in the right pane you should see a window similar to the one presented in Figure 6-60.
Cisco Trust Agent communication on port 21862/udp if using L2/L3 IP NAC. ... for NAC L2Dot1X.
... with a dot1x supplicant, and the Cisco Trust Agent for Windows...
Note: The following section is an excerpt from the Administrator Guide for Cisco Trust Agent 2.0, which is available at (requires CCO login):
http://www.cisco.com/en/US/partner/products/ps5923/products_maintenance_guide_book09186a008059a40e.html
For Cisco Secure ACS to establish a secure PEAP session with Cisco Trust Agent, you must install the root certificate for the Cisco Secure ACS certificate on the network client.
1. Start the installation process by double-clicking the setup file or typing the command:
ctasetup-supplicant-win-2.0.0.30.exe
2. After starting the setup file, the welcome window opens (Figure 6-62). Click Next.
Figure 6-62 Cisco Trust Agent installation wizard
3. The license agreement is presented, as shown in Figure 6-63. Select I accept the license agreement and click Next.
Figure 6-63 License agreement for Cisco Trust Agent
4. Accept the defaults (Figure 6-64) and click Next.
Figure 6-64 Cisco Trust Agent destination folder selection
5. Accept the default depicted in Figure 6-65 and click Next.
Figure 6-65 Cisco Trust Agent installation type
6. Click Next (Figure 6-66).
Figure 6-66 Ready to install the Cisco Trust Agent application
7. If the certificate file was copied into the Certs directory, the window in Figure 6-67 is presented during the installation. Click OK. Remember, this step is optional and will only be presented if you have copied the certificate file to the Certs directory.
Figure 6-67 Confirmation of the certificate import
/add "<path to the certificate file>" /store "Root"
For more information about the utility refer to the Administrator Guide for Cisco Trust Agent 2.0, which is available at (requires CCO login):
http://www.cisco.com/en/US/partner/products/ps5923/products_maintenance_guide_book09186a008059a40e.html
In our scenario this element is installed automatically during the Security Compliance Manager client setup.
6.3.2 IBM Tivoli Security Compliance Manager client
In this section we describe the installation of the Tivoli Security Compliance Manager client. It is a requirement to have the Cisco Trust Agent already installed before starting the Tivoli Security Compliance Manager client installation.
Page 218
Java virtual machine, the language selection box opens (Figure 6-70). Select your preferred language for the installation wizard and click OK.
Figure 6-70 Language selection
3. The Client Installation Utility window appears, as depicted in Figure 6-72. After carefully reading all of the required information, click Next.
Figure 6-72 Client Installation Utility window
4. The license agreement window is displayed (Figure 6-73). Select I accept the terms in the license agreement and click Next.
Figure 6-73 License agreement for IBM Tivoli Security Compliance Manager
5. Accept the default destination folder, shown in Figure 6-74, and click Next.
Figure 6-74 Directory selection window
6. Accept the default client installation (Figure 6-75) and click Next.
Figure 6-75 Setup type window
7. In the IBM Security Solution for Cisco Networks window (Figure 6-76), ensure that the box Select the checkbox to install IBM Integrated Security Solution for Cisco Networks is checked, then click Next.
Figure 6-76 The IBM Integrated Security Solution for Cisco Networks window
8.
IP address, as this results in the generation of a 16-byte unique identifier (fingerprint) for the client. This is mandatory for clients using... When you are done, click Next.
10. If you selected the DHCP option in the previous step, you see the client DHCP configuration dialog, as in Figure 6-79. In the DHCP client alias field, provide the alias name for the client. This name is shown on the Security Compliance Manager server during client registration, and the client is referenced by this name in the Security Compliance Manager GUI.
11. Finally, the installation summary window is displayed (Figure 6-80). Click Next.
Figure 6-80 Security Compliance Manager client installation summary window
12. The Security Compliance Manager client is successfully installed. Click Finish to close the window shown in Figure 6-81 and complete this step of the process.
Figure 6-81 Successful completion window
The remediation team must know the policy name to set up the policy on the... In the next chapters we describe the processes for these two teams.
16. Configuring external user databases
17. Unknown user policy
18. Clientless user
The User Guide for Cisco Secure ACS for Windows 4.0 documentation can be found at (requires CCO login):
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_book09186a0080533dd8.html
Installing Cisco Secure ACS
To install Cisco Secure ACS Version 4.0 software on a machine running a supported operating system, run the setup.exe program provided with the Cisco Secure ACS installation software. When you install Cisco Secure ACS, the setup program uninstalls any previous version of Cisco Secure ACS before it installs the new version, so back up the existing ACS configuration before you run setup.
Shared Profile Components and Group Setup interfaces. These are used to cause Cisco Secure ACS to send dynamic access control lists to the NAD to be applied on a client undergoing NAC.
Note: Group-level downloadable ACLs are not yet supported for L2Dot1x. They are only supported for NAC L2/L3 IP. It is Cisco’s stated intention that future releases of IOS for switches will support downloadable ACLs for NAC L2 802.1x. Access restriction for NAC L2 802.1x should be configured as an access-list bound to the SVI on the L3 device closest to the end user.
1. Click Administration Control on the Cisco Secure ACS main menu. This opens the window shown in Figure 7-4. Click Add Administrator.
Figure 7-4 Administration control
2. Fill in the user name and password fields, and click Grant All to give all configuration rights to the administrator. If desired, an administrator’s privileges can be limited to individual groups and components in order to have separate administrators for different parts of the network and network policies.
Using an ACS self-signed certificate
With Cisco Secure ACS Version 4.0 you can generate a self-signed certificate, which is useful when no CA or other trust authority is required. Because no CA vouches for it, the self-signed certificate itself must then be distributed to every Cisco Trust Agent client so that the clients can validate the ACS.
To use a self-signed certificate, perform the following steps:
1. Click Generate Self-Signed Certificate in the Cisco Secure ACS Certificate Setup window (Figure 7-6).
Figure 7-6 Generating a self-signed certificate
2. Fill in the blanks with the appropriate information according to your own installation.
4. Restart the Cisco Secure ACS (Figure 7-7).
Figure 7-7 Restart Cisco Secure ACS
Cisco Trust Agent, or install the certificate file manually using ctaCert.exe on each client.

Importing IBM Security Compliance Manager attributes
New Security Compliance Manager attributes must be imported into Cisco Secure ACS. This enables the new attributes to be used in ACS policy rule checking as well as in the ACS logging subsystem.
If you install Cisco Secure ACS in the default location, CSUtil.exe is located in the C:\Program Files\CiscoSecure ACS v4.0\Utils directory.
3. Add the Security Compliance Manager attributes to ACS by running:
   csutil.exe -addavp filename
filename is the name of the file that contains the attribute definitions you want CSUtil.exe to add (with -addavp the file is read, not written). Example 7-2 shows the execution of this command.
Example 7-2 Import Security Compliance Manager attributes
   C:\Program Files\CiscoSecure ACS v4.0\Utils>CSUtil -addavp c:\Temp\avplist.txt
   Attribute 2:50:1 (Application-Posture-Token) automatically added to registry
   Attribute 2:50:2 (System-Posture-Token) automatically added to registry
   [attr#0]: Attribute 2:50:10 (Action) added to registry
   ...
Figure 7-9 Logging configuration
4. Enable the Log to CSV Passed Authentications report (Figure 7-10 on page 227) and, in the Select Columns To Log list, select the attributes (fields) that you wish to include in the log file. Scroll down and change the file management settings if desired. We recommend that you include the following fields in Logged Attributes:
   – Network Access Profile Name
   – Shared RAC
   – Application Posture Token
   – ...
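As an added example (not code from this redbook or from Cisco Secure ACS), the following Python script reads a Passed Authentications CSV that carries the fields recommended above and pulls out what a NAC operator looks for first: endpoints whose latest System Posture Token is still Quarantine, how often each endpoint has been quarantined, and rows where the Shared RAC name does not agree with the token (a sign of a misconfigured authorization rule). The log rows are constructed sample data; the column headers follow the ACS attribute names, and the rule that a RAC name begins with the token it was built for (Healthy_Sales_RAC, Quarantine_Engineering_RAC) is an assumption taken from the naming used in this chapter.

```python
"""Triage of a Cisco Secure ACS "Passed Authentications" CSV export.

Added example; not code from the redbook or from IBM/Cisco. The sample rows
below are constructed, and the column headers are assumed to match the
attributes selected in the ACS logging configuration.
"""
import csv
import io
from collections import Counter

# Constructed sample: one header row plus five authentication records.
SAMPLE_LOG = """\
Date,Time,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Shared RAC,Application-Posture-Token,System-Posture-Token
03/13/2006,09:01:12,jsmith,sales,00-11-22-33-44-55,NAC_L2_802.1x,Healthy_Sales_RAC,Healthy,Healthy
03/13/2006,09:04:40,ahall,engineering,00-11-22-33-44-66,NAC_L2_802.1x,Quarantine_Engineering_RAC,Quarantine,Quarantine
03/13/2006,09:05:03,jsmith,sales,00-11-22-33-44-55,NAC_L2_802.1x,Quarantine_Sales_RAC,Quarantine,Quarantine
03/13/2006,09:20:31,jsmith,sales,00-11-22-33-44-55,NAC_L2_802.1x,Healthy_Sales_RAC,Healthy,Healthy
03/13/2006,09:22:10,bkim,sales,00-11-22-33-44-77,NAC_L2_802.1x,Healthy_Sales_RAC,Healthy,Quarantine
"""


def parse_passed_auth(text):
    """Parse the CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def rac_matches_token(shared_rac, system_posture_token):
    """Assumed naming convention: a RAC named <Token>_<Group>_RAC carries that token."""
    return shared_rac.lower().startswith(system_posture_token.lower())


def triage(records):
    """Summarise the records by endpoint (Caller-ID is the client MAC for 802.1x).

    Returns a dict with:
      still_quarantined: endpoints whose most recent SPT is not Healthy
      quarantine_count:  number of non-Healthy authentications per endpoint
      rac_mismatch:      rows whose Shared RAC does not match the SPT
    """
    latest_token = {}
    quarantine_count = Counter()
    mismatches = []
    for rec in records:  # the export is in chronological order
        mac = rec["Caller-ID"]
        spt = rec["System-Posture-Token"]
        latest_token[mac] = spt
        if spt != "Healthy":
            quarantine_count[mac] += 1
        if not rac_matches_token(rec["Shared RAC"], spt):
            mismatches.append((mac, rec["Shared RAC"], spt))
    still_quarantined = sorted(m for m, t in latest_token.items() if t != "Healthy")
    return {
        "still_quarantined": still_quarantined,
        "quarantine_count": dict(quarantine_count),
        "rac_mismatch": mismatches,
    }


if __name__ == "__main__":
    summary = triage(parse_passed_auth(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The RAC mismatch check is the useful one: in the sample the last row was given a Healthy RAC although the System Posture Token is Quarantine, which is exactly what a wrongly ordered or wrongly populated authorization rule in the Network Access Profile produces.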
4 on page 226, selecting the items you wish to log. A selection is shown in Figure 7-11.
Figure 7-11 Failed attempts logging
7. Click System Configuration again on the Cisco Secure ACS main menu, and click Service Control.
8. In the window, under Services Log File Configuration (Figure 7-12), change Level of Detail to Full and increase the file size from 2048 KB as necessary. Click Restart to apply the new configuration.
Figure 7-12 Log file management

Configuring a network device group in Cisco Secure ACS
To make Cisco Secure ACS interact with a Network Access Device (router, switch, VPN concentrator, and so on), you must configure Cisco Secure ACS to...
To do this, the use of NDGs must first be enabled:
1. Click Interface Configuration from the main menu (Figure 7-13).
Figure 7-13 Interface Configuration screen for the creation of NDGs
2. Select Advanced Options (Figure 7-13 on page 230). Ensure that Network Device Groups is checked (Figure 7-14).
Figure 7-14 Network Device Group check box
5. (Optional) Add the name of the NDG you wish to use (for example, switches) and the RADIUS key used by the AAA clients that make up this NDG (for example, cisco123). The key shown here is a sample value only; in production use a long, random key and do not share one key across unrelated device groups, because every device in the group can then issue RADIUS requests on behalf of any other.
6. From the Network Configuration screen, select the hyperlink under Network Device Groups. If you did not assign a name in step 5, you see Not Assigned as the name (Figure 7-15 on page 232). By clicking this link, you see the AAA Clients (Figure 7-16).
Server IP address and RADIUS key. A better option may be to define NDGs based on subnet information, such as 192.168.10.*, which retains some scalability and security. Be aware that a wildcard AAA client entry means every host in that range shares the same RADIUS key, so a compromised host on the subnet could pose as a NAD; use per-device entries where the number of devices allows it.
8. You should now see the newly defined AAA clients (Figure 7-18).
Figure 7-18 AAA Clients
After selecting just these items, click Submit. This takes you back to the screen shown in Figure 7-13 on page 230.
Note: IETF attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type), and 81 (Tunnel-Private-Group-ID) are required for VLAN assignment.
2. From the Interface Configuration menu, select RADIUS (Cisco IOS/PIX 6.0) (Figure 7-20).
Figure 7-20 Cisco IOS/PIX 6.0 RADIUS attributes
For L2Dot1x NAC, you must select [026/009/001] cisco-av-pair.
3. After selecting this item, click Submit.

Configuring groups
The group setup and configuration portion of Cisco Secure ACS requires careful thought and planning.
This is where the VLAN assignments and RADIUS attributes for the groups are defined.
3. Click Submit + Restart after completing the group configuration.
Configuring users
Now that the groups have been defined, we can create our users and then add them to their relevant group.
1. From the main menu select User Setup, as shown in Figure 7-22.
Figure 7-22 User setup
2. In the User field, type the name of the user to be added, then click Add/Edit.
The list of groups available is a direct result of those you configured in Figure 7-21 on page 238.
Figure 7-23 User-to-Group mappings
Global authentication setup
Cisco Secure ACS supports many protocols for securely transferring credentials from the host to Cisco Secure ACS for authentication and authorization.
Note: We highly recommend that you enable all protocols globally. You will have the opportunity to limit the actual protocol options later when you create the Network Access Profiles for NAC. Do restrict them in every profile: a protocol that is enabled globally and not limited by a matching profile remains usable, in particular for requests that fall back to the global configuration because no profile matches.
EAP-FAST setting                                        Condition
(label not captured)                                    Checked
(label not captured)                                    One month
Retired Master Key TTL                                  Three months
Tunnel PAC TTL                                          One week
Client Initial Message                                  <nil>
Authority ID Info                                       ...
Allow anonymous in-band PAC provisioning                ...
Accept client on authenticated provisioning             ...

EAP-FAST configuration (continued)
Require client certificate for provisioning             ...
Allow Machine Authentication                            ...
Machine PAC TTL                                         ...
Allow Stateless Session Resume                          ...
Authorization PAC TTL                                   ...
Allow inner methods: EAP-GTC, EAP-MSCHAPv2, EAP-TLS
Select one or more of the following EAP-TLS comparison methods: Certificate SAN comparison, Certificate CN comparison, Certificate Binary comparison
EAP-TLS Session timeout (minutes)                       ...
EAP-FAST Master Server                                  ...
Configuring posture validation
To do this:
1. Select Posture Validation from the Main Menu (Figure 7-26).
Figure 7-26 Posture Validation
2. Select Internal Posture Validation. The screen shown in Figure 7-27 is displayed.
3. Click Add Policy (Figure 7-27).
Figure 7-27 Posture Validation Policies
4. In this example, we entered the name of the first policy as CTA with the description Cisco Trust Agent. Then click Submit (Figure 7-28).
Figure 7-28 CTA Posture Validation Policy
6. Click Add Condition Set (Figure 7-30).
Figure 7-30 Condition sets for CTA policy
7. From the Attribute drop-down list (Figure 7-31), select Cisco:PA:PA-Version. Set the operator to >= and the value to 2.0.0.0. This sets up a check that the Cisco Trust Agent is present on the endpoint and that it is running version 2.0.0.0 or later.
8. Figure 7-32 shows that if this condition is satisfied, an Application Posture Token (APT) of Healthy is returned. Clicking Submit here takes us to Figure 7-33 on page 251.
Figure 7-32 Posture validation rule creation for CTA check
9. Next we need to modify the default action, which is the action taken if the condition we just created is not met. You will notice that there is a default condition, which we modify for this purpose. Click Default under Condition (Figure 7-33).
Quarantine, as shown in Figure 7-34. In the notification string, ... The URL can be changed depending on where the remediation software packages are stored.
11. Click Submit and you will find yourself back in the dialog shown in Figure 7-35.
Figure 7-35 Completed posture validation for CTA
12. Click Done.
13. Click Apply and Restart, as shown in Figure 7-36.
Figure 7-36 CTA posture validation policy
14. Next we must repeat the process to create a posture check for the IBM:SCM.
15. Click Add Policy (Figure 7-37).
Figure 7-37 Repeating the process for Security Compliance Manager
16. In this example, we use TSCM in the Name field and IBM Security Compliance in the Description field, as shown in Figure 7-38.
Figure 7-38 IBM TSCM policy creation
17. After entering the name and description, click Submit and you see the dialog shown in Figure 7-39.
Figure 7-39 IBM TSCM policy creation
We also discovered that if you set the operator value to an equals sign (=), the check fails even though the end user is running the correct version of the policy.
20. From the Attribute drop-down menu, select IBMCorporation:SCM:PolicyViolation. From the Operator menu select ... and for the Value enter 0. Then click Enter (Figure 7-41).
Figure 7-41 TSCM policy components
21. Click Submit.
Figure 7-42 Completed posture validation check for Security Compliance Manager
23. Click Submit.
24. Next we must modify the default condition. Click Default, as shown in Figure 7-39 on page 257.
25. The posture token should be set to IBMCorporation:SCM Quarantine, and the value should be set to the same URL as we discussed in step 10 on page 252 of this section:
   http://tcmweb/SoftwarePackageServerWeb/SPServlet
Figure 7-43 Security Compliance Manager Default condition modification
26. Click Submit.
27. Click Done (Figure 7-44).
Figure 7-44 Completed Security Compliance Manager posture validation
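To make the evaluation order of the two policies just configured explicit, here is an added example in Python that models the internal posture validation rules above; it is not code from this redbook or from Cisco Secure ACS. The attribute names, operators, values, tokens and the remediation URL are the ones used in the steps; the operator for IBMCorporation:SCM:PolicyViolation is assumed to be = (the page does not show it), the ordering used to derive the System Posture Token from the Application Posture Tokens is the ACS token ordering (Healthy, Checkup, Transition, Quarantine, Infected, Unknown), and a credential the endpoint does not report is treated as a failed condition so that the Default action applies.

```python
"""Model of ACS internal posture validation: condition sets, default action,
and the System Posture Token derived from the per-policy tokens.

Added example, not ACS code. The "=" operator for PolicyViolation is an
assumption; everything else is taken from the configuration steps.
"""
from dataclasses import dataclass

# ACS token ordering from best to worst; the SPT is the worst APT.
TOKEN_ORDER = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]


def _version(value):
    """Split a dotted value such as 2.0.0.30 into a comparable tuple."""
    return tuple(int(part) for part in str(value).split("."))


def compare(attr_value, op, rule_value):
    """Apply an ACS-style operator. Dotted values compare part by part,
    so PA-Version 2.0.0.30 satisfies ">= 2.0.0.0" but not "= 2.0.0.0"."""
    if "." in str(rule_value) or "." in str(attr_value):
        a, b = _version(attr_value), _version(rule_value)
    else:
        a, b = int(attr_value), int(rule_value)
    return {"=": a == b, "!=": a != b, ">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b}[op]


@dataclass
class Rule:
    conditions: list      # (attribute, operator, value) triples; all must hold
    token: str            # Application Posture Token returned on a match
    notification: str = ""


@dataclass
class Policy:
    name: str
    rules: list
    default_token: str
    default_notification: str = ""

    def evaluate(self, creds):
        """Return (APT, notification): the first matching condition set wins,
        otherwise the Default action configured for the policy."""
        for rule in self.rules:
            try:
                matched = all(compare(creds[attr], op, val) for attr, op, val in rule.conditions)
            except KeyError:          # attribute not reported by the endpoint
                matched = False
            if matched:
                return rule.token, rule.notification
        return self.default_token, self.default_notification


REMEDIATION_URL = "http://tcmweb/SoftwarePackageServerWeb/SPServlet"

CTA_POLICY = Policy(
    "CTA",
    [Rule([("Cisco:PA:PA-Version", ">=", "2.0.0.0")], "Healthy")],
    "Quarantine", REMEDIATION_URL,
)
TSCM_POLICY = Policy(
    "TSCM",
    [Rule([("IBMCorporation:SCM:PolicyViolation", "=", "0")], "Healthy")],  # "=" assumed
    "Quarantine", REMEDIATION_URL,
)


def system_posture_token(creds, policies=(CTA_POLICY, TSCM_POLICY)):
    """Evaluate every policy and return (SPT, {policy name: (APT, notification)})."""
    results = {p.name: p.evaluate(creds) for p in policies}
    spt = max((apt for apt, _ in results.values()), key=TOKEN_ORDER.index)
    return spt, results


if __name__ == "__main__":
    endpoint = {"Cisco:PA:PA-Version": "2.0.0.30", "IBMCorporation:SCM:PolicyViolation": "3"}
    print(system_posture_token(endpoint))
```

Running it with a current Cisco Trust Agent and three outstanding policy violations gives a Healthy CTA token, a Quarantine TSCM token carrying the remediation URL, and therefore a Quarantine System Posture Token; an endpoint that reports no IBMCorporation:SCM credential at all also ends in Quarantine, which is the behaviour you want from the Default action.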
1. Click Shared Profile Components from the main menu. This brings you to the dialog shown in Figure 7-46.
Figure 7-46 Shared Profile Components
2. Click RADIUS Authorization Components.
Note: In the scenario detailed in this book, we have two groups defined: sales and engineering. When creating the RACs, we define a Healthy Sales RAC, a Quarantine Sales RAC, a Healthy Engineering RAC, and a Quarantine Engineering RAC. We also define a Default Quarantine RAC to address the situation where a condition may not be defined or there is no matched condition.
9. Repeat this procedure, clicking Add next to Cisco IOS/PIX 6.0, and add the values in Table 7-2 on page 265 for the Cisco IOS/PIX 6.0 requirements.
10. Repeat the same procedure for the IETF attributes, first selecting the relevant field from the drop-down menu, then clicking Add (Figure 7-48). Use the values in Table 7-2 on page 265.
Figure 7-48 IETF drop-down menu
Table 7-3 Healthy Engineering RAC attributes
Vendor               Attribute               Value
Cisco IOS/PIX 6.0    cisco-av-pair (1)       status-query-timeout=30
Cisco IOS/PIX 6.0    cisco-av-pair (1)       sec:pg=healthy_hosts
IETF                 Session-Timeout (27)    3600
IETF                 ...                     ...
IETF                 ...                     ...
IETF                 ...                     ...
IETF                 Termination-Action (29) ...
Entering the command show dot1x interface fa1/0/x detail shows that the reauthentication timers are taken from the ACS (the switch port is configured with dot1x timeout reauth-period server, so the RADIUS Session-Timeout value drives reauthentication).
Configuring Network Access Profiles
We have now configured all of the individual components and are in a position to bring them together and create the Network Access Profiles, which determine what to check and what action to take based on the results of those checks. Again, we have deleted all of the pre-configured sample configs to create our own from scratch.
Note: Be careful in the selection of Grant access using global authentication when no profile matches: a request that matches no profile is then admitted on the global authentication settings alone, without posture validation. In our example, we use Deny access when no profile matches.
5. Click Authentication. Click the tab Populate from Global and ensure that Posture Validation - Required and Internal Database are selected (Figure 7-52).
Figure 7-52 Authentication configuration for RAC
6. Click Submit. This takes you back to the screen in Figure 7-51 on page 272, where you need to click Apply and Restart.
8. From the screen shown in Figure 7-53, click Add Rule.
Figure 7-53 Posture validation rule creation
9. Add a name in the Name field. In our example we used NAC_IISSCN_Posture_Profile.
10. Under Condition → Required Credential Types, there is a list of available credentials. Select IBMCorporation:SCM, then click the arrow (→) to move it to the column of selected credentials, as shown in Figure 7-54. Repeat this process for Cisco:PA (Figure 7-53 on page 274).
Figure 7-54 Partial configuration of posture validation
Select ... (Figure 7-55).
Figure 7-55 Selecting CTA and TSCM policies
12. (Optional) Under System Posture Token Configuration, in the Healthy PA message, add the following syntax:
   <img border="0" src="c:\healthy.jpg"></html>
An example of the CTA Healthy pop-up is shown in Figure 7-56.
Figure 7-56 Example of CTA Healthy pop-up
13. (Optional) Under System Posture Token Configuration, in the Quarantine PA message, add the following syntax (... on page 278):
   <img border="0" src="c:\quarantine.jpg"></html>
An example of the CTA Quarantine pop-up is shown in Figure 7-57.
Figure 7-57 Example of CTA Quarantine pop-up
Note that the .jpg files referenced here must be installed in the root of the C: drive of the end user's machine. This is also customizable.
14. Click Submit.
Figure 7-59 Completed posture validation for NAC_IISSCN
15. Click Done. This takes you back to the screen shown in Figure 7-50 on page 271. Click Apply and Restart.
18. For this example, from the drop-down list under User Group, select Sales.
19. From the System Posture Token drop-down list, select Healthy.
20. From the Shared RAC drop-down list, select Healthy_Sales_RAC.
21. Click Submit (Figure 7-61).
Figure 7-61 Healthy Sales SPT creation
Note: Remember that this scenario is for NAC L2 802.1x. As mentioned previously, NAC L2 802.1x does not yet support downloadable ACLs. Therefore, the Downloadable ACL field is not used here; if you were configuring NAC L2/L3 IP, this field would be used. At the time that this book was written, support for NAC L2 802.1x downloadable ACLs was planned for future releases of Cisco IOS.
System posture token ... Shared RAC ... Quarantine ...
Figure 7-62 Completed Authorization RAC configuration
24. Click Submit.
25. This takes you back to the screen in Figure 7-51 on page 272. Click Apply and Restart.
External User Database One of the most common methods of deploying an ACS is to use an external user database, such as Active Directory, or using a token server, for user and machine authentication. We did not use this method in the writing of this book. However, should you require information about how to do this, please refer to the following URL: http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_...
3. We have deleted all the sample ACLs to go through the process of creating them from scratch (Figure 7-63).
Figure 7-63 Downloadable ACL creation
4. Click Add.
5. Add a name and description in the Name and Description fields as appropriate (Figure 7-64). After this has been done, click Add.
Figure 7-64 Naming of ACL
6. Enter the name of the ACL and the ACL definition (Figure 7-65).
Figure 7-65 Quarantine ACL definitions
7. Click Submit.
8. Note that there is an option to bind the ACL just created to a network access filter (Figure 7-66). This allows different ACLs to be applied to different sets of AAA clients. We are not using network filtering, so we leave the default (All-AAA-Clients).
... instead of the values listed previously, as opposed ... The syntax of the ACL must also be identical. We suggest using extended access lists.
Configuring Network Access Profiles
We have now configured all the individual components and are in a position to bring them together and create the Network Access Profiles, which determine what to check and what action to take based on the results of those checks. Again, we have deleted all the pre-configured sample configs to create our own from scratch.
Figure 7-68 L2IP Healthy Authorization rule
7. Click Add Rule.
8. From User Group, select Any.
9. From System Posture Token, select Quarantine.
10. From Shared RAC, select Quarantine_L2IP_RAC.
11. From Downloadable ACL, select Quarantine_ACL.
12. For this scenario, we selected Quarantine_L2IP_RAC and Quarantine_ACL as the Shared RAC and Downloadable ACL to be applied in case a condition is not defined or there is no matched condition (Figure 7-69).
Figure 7-69 Completed L2IP Authorization rules
13. Click Submit.
   192.168.9.22 auth-port 1645 acct-port 1646
   radius-server source-ports 1645-1646
   radius-server key cisco123
   radius-server vsa send authentication
SW Version 12.2(25)SEE2 ... NAC L2/L3 IP (no support for EoU). Another example is support for NAC L2 802.1x...
   <output omitted>
   interface FastEthernet1/0/5
    description **Connected to CARE-SYSTEM Workstation**
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x reauthentication
    dot1x guest-vlan 15
    spanning-tree portfast
   <output omitted>
Note that dot1x guest-vlan 15 places a host that never answers the 802.1x identity request (no supplicant) into VLAN 15 without any posture check, so that VLAN must be treated as untrusted and filtered accordingly. The Access Control Lists (ACLs) that we used in our scenario are listed below:
   access-list 110 remark **Healthy Sales VLAN ACLs**
   access-list 110 deny ip any 192.168.13.0 0.0.0.255
   access-list 110 deny ip any 192.168.14.0 0.0.0.255
   ...
... locked out of the console when you exit.
VLAN that you are in, other than the Security Compliance Manager and Tivoli Configuration Manager. We did, however, allow Web access and DNS access in case of manual remediation requirements or access to the intranet Web pages for help. On the 3750 switch, enter the following verification command:
   show dot1x interface fa1/0/5 detail
   nac3750sa#sho dot1x interface fa1/0/5 detail
   Dot1x Info for FastEthernet1/0/5
   -----------------------------------
   ... = AUTHENTICATOR
   ...
    ... 192.168.9.22 eq 21862
    permit icmp any host 192.168.9.220
    permit icmp any host 192.168.104.10
    permit ip any host 192.168.9.220
    permit ip any host 192.168.104.10
    permit tcp any any eq www
    permit tcp any any eq domain
    deny ip any any
   ip access-list extended initial-acl
    permit udp any any eq domain
    permit udp any any eq bootpc
    permit udp any any eq bootps
    permit icmp any any
    permit udp any any eq 21862
   radius-server attribute 6 on-for-login-auth
   radius-server attribute 8 include-in-access-req
   radius-server host 192.168.9.22 auth-port 1645 acct-port 1646
   ...
UDP port 21862 is the EAP over UDP (EoU) port; the initial ACL must let it through, because the NAD uses it to posture the host before any other access is granted.
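The quarantine and initial ACLs above decide what a quarantined host can still reach, so it pays to test them before binding them to a VLAN or sending them as a downloadable ACL. The following Python script is an added example, not from this redbook or from Cisco IOS: a small evaluator for the subset of IOS extended ACL syntax used in this chapter (permit/deny, ip/tcp/udp/icmp, any, host, address with wildcard mask, eq port by name or number), with the ACL text reassembled from the lines listed above. The ACL names, the packets tested and the closing permit ip any any on the healthy ACL (which the listing truncates) are assumptions.

```python
"""Offline evaluator for IOS-style extended ACLs.

Added example; the ACL text is reassembled from the lines in this chapter,
the ACL names and the closing permit on access-list 110 are assumed.
"""
import ipaddress

# Port keywords that IOS accepts in place of numbers (subset).
PORT_NAMES = {"domain": 53, "www": 80, "bootpc": 68, "bootps": 67, "ftp": 21, "telnet": 23}

# Constructed from the quarantine ACL lines listed above; the name is assumed.
QUARANTINE_ACL = """\
ip access-list extended quarantine-acl
 permit udp any any eq domain
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit icmp any any
 permit udp any any eq 21862
 permit ip any host 192.168.9.220
 permit ip any host 192.168.104.10
 permit tcp any any eq www
 permit tcp any any eq domain
 deny ip any any
"""

# Numbered ACL 110 from the listing; the final permit is an assumption.
HEALTHY_SALES_ACL = """\
access-list 110 remark **Healthy Sales VLAN ACLs**
access-list 110 deny ip any 192.168.13.0 0.0.0.255
access-list 110 deny ip any 192.168.14.0 0.0.0.255
access-list 110 permit ip any any
"""


def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def _port(tokens, i):
    """Parse an optional 'eq PORT' (keyword or number) -> (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Turn named or numbered extended ACL text into an ordered list of rule dicts."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "ip":          # 'ip access-list extended NAME' header
            continue
        if t[0] == "access-list":          # numbered form: drop 'access-list 110'
            t = t[2:]
        if t[0] == "remark":
            continue
        action, proto = t[0], t[1]
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "text": " ".join(t)})
    return rules


def _in(addr, spec):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF == 0


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching rule wins; IOS appends an implicit 'deny ip any any'."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if not (_in(src, r["src"]) and _in(dst, r["dst"])):
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"


if __name__ == "__main__":
    q = parse_acl(QUARANTINE_ACL)
    for pkt in [("udp", "192.168.20.5", "192.168.9.10", None, 53),
                ("tcp", "192.168.20.5", "192.168.13.7", None, 445),
                ("tcp", "192.168.20.5", "192.168.9.220", None, 445)]:
        print(pkt, "->", evaluate(q, *pkt))
```

Two of the test packets are worth noting: SMB from a quarantined host to another user subnet is dropped by the explicit deny, while any traffic to the Security Compliance Manager and Tivoli Configuration Manager hosts (192.168.9.220 and 192.168.104.10) is permitted by the permit ip any host lines, which is what lets remediation proceed from quarantine.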
   ... : 000000005222BFF40000001BC0A80B33
   ... : Quarantine
NAD, which includes these steps:
1. Configuring AAA EOU Authentication Protocols and Authentication Proxy Authorization Protocols, AAA Setup, RADIUS Server Host and Key
2. Configuring Admission Control EOU
3. Configuring an Exception List Configuration for Clientless Hosts
4. Configuring Clientless User Policy
5. Configuring EAP over UDP Timers
6. Configuring the Interfaces and Intercept ACL
7. Configuring the HTTP Server
8. Enabling EOU Logging
For more information, see the Cisco IOS Software Release 12.3(8)T new features documentation specific to NAC at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/1...
NAD attempts to posture without receiving a valid EOU response.
   Router(config)# eou clientless username clientless
   Router(config)# eou clientless password password
   Router(config)# eou allow clientless
The Cisco Secure ACS then issues a token according to the group in which a user with the clientless user name is placed. This configuration is useful for PCs and workstations that receive their IP addresses through DHCP and do not have the posture agents installed. Because the clientless credentials are a single static user name and password shared by every agentless host, place that user in a group whose RAC grants only the access an unchecked host should have, typically the same as the quarantine group.
   -----------------------------------------
   Interface FastEthernet0/0
   No interface specific configuration

   Router# show eou all
   ------------------------------------------------------------------
   Address ...
   ------------------------------------------------------------------
   ... = 0x5566
   ... = Enabled
   ... = Disabled
   ... = Enabled
   ... = 3 Seconds
   ... = 180 Seconds
   ...
The value 0x5566 is UDP port 21862, the EAP over UDP port that the ACLs earlier in this chapter permit.
   10.3.3.30
   10.3.3.31
   Router#

7.2 Configuring NAC Appliance components
There are various components that make up the NAC Appliance solution. They are:
Clean Access Manager (CAM) - The administrative server for a Clean Access deployment. The secure Web console of the Clean Access Manager is the single point of management for up to 20 Clean Access Servers in a deployment.
See Appendix C, "Additional material" on page 481, for more details on how to obtain this file.
1. Click CCAAgent_Setup.exe. Click Next in the screen shown in Figure 7-71.
Figure 7-71 Installation wizard
2. Accept the default installation folder and click Next, as shown in Figure 7-72.
Figure 7-72 Default install directory
3. Click Install to begin the installation (Figure 7-73).
Figure 7-73 Beginning the installation
CAS and the CAM (bi-directional) on the ports shown in Table 7-10.
Table 7-10 TCP port requirements for firewalls
CCA version    Required ports
3.6(x)         TCP ports 80, 443, 1099, 8995, 8996
3.5(x)         TCP ports 80, 443, 1099, 32768–61000
The steps are:
1. Open a Web browser and enter the IP address of the CAM. There is no specific port required.
2. Enter the administrator name and password, then click Login (Figure 7-75).
Figure 7-75 CAM login page
3. The Clean Access Summary window is displayed (Figure 7-76).
Figure 7-76 CAM summary window
4. From the Main Menu, select Device Management → CCA Servers (Figure 7-77).
Figure 7-77 Device Management
5. Select New Server. Add the server IP address and server location, and from the drop-down list, select Out-Of-Band Virtual Gateway (Figure 7-78).
Figure 7-78 Adding a new CAS
6. Click Add Clean Access Server.
7. The CAS should now be visible under List of Servers, shown in Figure 7-79.
Figure 7-79 Successful CAS addition
Note: If you intend to configure the CAS in Virtual Gateway Mode (in-band or out-of-band), you must leave the untrusted interface (eth1) disconnected until after you have added the CAS to the CAM and completed the VLAN mappings.
8. Click the Manage icon for the CAS just added. This takes you to the dialog shown in Figure 7-80.
Figure 7-80 CAS Status screen
9. Select Device Management → CCA Servers → Network. Check that your screen resembles Figure 7-81.
Figure 7-81 Network IP screen
10. Select Device Management → CCA Servers → Advanced → Managed Subnet.
11. Enter IP addresses (from the authentication VLANs) in the IP Address field. These IP addresses should be static, outside the DHCP scope, and be neither the network number nor the broadcast address of the managed VLAN (for example, not 192.168.120.0 or 192.168.120.255).
... main subnet is added by default.
Enter the VLAN ID for the untrusted network VLAN and the VLAN ID for the trusted network VLAN. Add a description if desired.
14.Click Add Mapping. Confirmation of the successful mapping will appear (Figure 7-83). Figure 7-83 VLAN mapping example Note: In our example, the client’s port is initially set to VLAN 20. By using VLAN mapping, the client will receive a VLAN 20 (access VLAN) IP address from DHCP.
Page 334
Figure 7-84 Login page Configuring a Switch Group To configure a switch group follow these steps. 1. Select Switch Management → Profiles → Group → New. Building a Network Access Control Solution with IBM Tivoli and Cisco Systems . This will...
Page 335
2. Enter the group name and description (Figure 7-85). Figure 7-85 Switch Group creation 3. Click Add. Chapter 7. Network enforcement subsystem implementation...
Page 336
4. Verify your new switch group (Figure 7-86). Figure 7-86 Switch Group verification Building a Network Access Control Solution with IBM Tivoli and Cisco Systems...
Page 337
Configuring a switch profile
To configure a switch profile, follow these steps:
1. From Switch Management, select New (Figure 7-87).
Figure 7-87 New switch profile
2. Fill in the fields as appropriate. In our scenario we used:
   Profile Name
   Switch Model
   SNMP Port
   Description
   SNMP Read Settings...
There are three types of port profiles for switch ports: uncontrolled, controlled, and controlled using role settings. Switch ports should use uncontrolled port profiles. Client connections should use controlled...
When a client connects to a controlled port, the port is assigned to the authentication VLAN. After the client has been successfully authenticated, the port is assigned to the Access VLAN specified in the port profile or in the role settings.
4. Under Options: Device Disconnect, check the box Remove out-of-band online user when SNMP link-down is received (Figure 7-90).
Figure 7-90 Managed profile creation
5. Click Add. The configured switch profiles are displayed (Figure 7-91).
Figure 7-91 Configured switch profiles
Configuring SNMP receiver
SNMP receiver setup provides the settings for the SNMP receiver running on the CAM. The receiver accepts the mac-notification and link-down SNMP trap notifications sent by the controlled switches and sets the VLAN value on the corresponding switch ports.
Page 342
1. Select Switch Management → Devices → Switches → New.
2. Select 3750 from the Switch Profile drop-down list, leave Switch Group at its default, leave Default Port Profile as uncontrolled, enter the IP address of the switch, and enter a description in the Description field (Figure 7-93).
Figure 7-93 Manually adding a switch to be managed
3. Click Add.
4. The switch can be seen by selecting Switch Management → Devices → List.
5. As shown in Figure 7-94, click the Ports icon.
Figure 7-94 Managed switch
6. Under Profile, use the drop-down list to configure the ports as appropriate. Our client was installed on port fa1/0/12 (Figure 7-95), so the profile was set to Control_20.
Figure 7-95 Applying profiles to ports. Note port fa1/0/12
Note: An audit of what is attached to each switch port should be conducted before setting the profile.
Page 346
Select the options as appropriate (Figure 7-96). The fields of main ... Normal Login Role, VLAN ID 20...
Figure 7-96 Defining a user role
3. Click Save Role when completed.
4. The new role should be visible under List of Roles (Figure 7-97).
Figure 7-97 List of Roles
Creating traffic policies
For new installations of Cisco NAC Appliance, the default is to allow all traffic from the trusted network to the untrusted network, and to block all traffic from the untrusted network to the trusted network.
... In the second drop-down menu, select Trusted → AllowAll...
3. The action should be ...
4. Repeat step 2, this time selecting Untrusted → Trusted from the second drop-down menu. Click Submit.
5. The action should be Allow (Figure 7-99).
Figure 7-99 Rules for untrusted to trusted
6. Select the group you created (...). Select Untrusted → Trusted from the second drop-down menu. Click Add Policy.
7. This rule allows access from the Auth VLAN to the Security Compliance Manager.
... → Trusted rule creation...
... RADIUS, LDAP, Active Directory SSO, and so on. For the purposes of this book, we use local database authentication.
1. Click User Management → Local Users → New Local User.
2. Add the user name, password, and description as appropriate. From the Role drop-down menu, select the role this user should be mapped to (Figure 7-101).
Figure 7-101 Creating a new user
3. Click Create User.
Page 352
... Launch that can be configured to trigger the Tivoli Security...
... Clean Access Agent, follow these steps:
1. Click Device Management → Clean Access → Clean Access Agent → Rules → New Check.
2. Select the following options (Figure 7-103):
   – From the Check Category drop-down menu, select Service Check. The screen refreshes and the Check Type should be set to Service Status.
   – Check Name should be set to SCM_Service.
   – Service Name should be set to jacservice.
   – ...
   – Check Description should be set to CCA_Compliance.
   – Operating System should have Windows XP checked (Figure 7-104).
Figure 7-104 CCA version compliance check
5. Click Add Check.
6. These two checks should now be displayed (Figure 7-105).
Figure 7-105 Rules check list
Figure 7-106 New rule
8. Enter the following information:
   Rule Name: SCM_Service
   Rule Description: Tivoli SCM Service
   Operating System: Windows XP checked
   Rule Expression: SCM_Service
9. Click Save Rule.
10. Repeat steps 7 and 8, entering the following information (Figure 7-107):
   Rule Name: CCA_Compliance
   Rule Description: Cisco Clean Access Agent version
   Operating System: Windows XP
   Rule Expression: CCA_Compliance
Figure 7-107 CCA Compliance rule definition
11. Click Add Rule.
12. The newly defined rules are displayed (Figure 7-108).
Figure 7-108 New rules
13. Note that both rules have a blue tick under Validity.
14. Click Requirements → New Requirements (Figure 7-109).
Figure 7-109 Requirements
15. Enter the following information:
   – From the Requirement Type drop-down menu, select IBM Tivoli SCM.
   – Set the Priority to 1.
   – For Requirement Name, enter IBM Tivoli SCM.
   – For Description, enter Click [Update] to activate Tivoli SCM remediation and click [Next] after remediation has completed.
   – For Requirement Name, enter CCA_Compliance.
   – For Description, enter CCA Version compliance.
   – Operating System should be set to Windows XP.
Figure 7-110 CCA Agent update
18. Click Add Requirement.
19. The Requirement List window should appear similar to Figure 7-111.
Figure 7-111 Requirements list
20. Click Requirement Rules.
21. Enter the following information:
   – From Requirement Name, select SCM_Service.
   – From Operating System, select Windows XP.
   – From Rules for Selected Operating System, check the box SCM_Service.
   – ...
   – From Rules for Selected Operating System, check the box CCA_Compliance.
   – Click Update.
Figure 7-112 CCA Compliance Requirement rule
23. Click Role-Requirements.
24. From Role-Type, select Normal Login Role, and from User-Role select AllowAll.
25. From "Select requirements to associate with the role," select both SCM_Service and CCA_Compliance (Figure 7-113).
Figure 7-113 Role requirements
26. Click Update.
Page 364
Discovered clients
To check that the Clean Access solution is working properly, select View Online Users → Out-of-Band (Figure 7-114).
Figure 7-114 Viewing online users
Logging on as a client
To log on as a client, follow these steps.
1. Once the CCA Agent software has been installed on the client machine, the user is prompted for a user name and password (Figure 7-115).
Figure 7-115 Client log-in screen
7. The user is disconnected from the network and then reconnected, which forces a new login to CCA. The user enters the credentials as in Figure 7-115 on page 347 and clicks Login.
8. The user is advised of the temporary access (Figure 7-118) and clicks Continue.
Figure 7-118 Temporary access notification
9. The user clicks Update (Figure 7-119).
Figure 7-119 Required software notification screen
Figure 7-120 Security Compliance Manager Compliance Report window
11. The user clicks Fix Now.
12. A remediation pop-up window informs the user that the remediation has finished, and the user clicks OK (Figure 7-121).
Figure 7-121 Remediation notification
13. The user clicks Close on the Security Compliance Manager Compliance Report window, which now shows all items as compliant (Figure 7-122).
Figure 7-122 Security Compliance Manager Compliance Report window - all compliant
14. The user clicks Next on the screen shown in Figure 7-119 on page 349.
Example interface configuration for a NAC Appliance client port:
   interface FastEthernet1/0/12
    description **Test CCA Client port**
    switchport access vlan 20
    switchport mode access
    snmp trap mac-notification added
    spanning-tree portfast
Example interface configuration for the CAM interface:
   interface FastEthernet1/0/18
    description **CAM Interface**
    switchport access vlan 9
    switchport mode access
    spanning-tree portfast
Example interface configuration for the untrusted CAS interface:
   interface FastEthernet1/0/4
    description **Untrusted Interface CCA Server**
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 998
    switchport trunk allowed vlan 120,998
    switchport mode trunk
    ...
At this point we have finished the setup of the basic compliance and network enforcement subsystem. The configuration of the remediation subsystem is covered in Chapter 8, "Remediation subsystem implementation" on page 355.
Chapter 8. Remediation subsystem implementation
This chapter describes the IBM Tivoli Configuration Manager part of the Network Admission Control (NAC) solution, where the main concern is the remediation of noncompliant clients. The remediation process can be either manual, in which the user follows the provided instructions, or automated, in which the user only clicks the Fix Now button in the provided user interface.
– Installation of the software package utilities
– Creating remediation workflows that match Security Compliance Manager policies with the suitable remediation workflow names and parameters
... SSH protocol was used, this release of the IBM Integrated Security Solution for Cisco Networks relies on the HTTP protocol to download remediation packages from the remediation server.
For the Tivoli Configuration Manager Web Gateway installation:
– WebSphere Application Server 5.1 or later
– Tivoli Configuration Manager Web Gateway 4.2.3
... package at the IBM Tivoli Security ... has to be configured with the...
... Version 4.2.3: Planning and Installation Guide, GC23-4702-03, handy.
Important: We emphasize one general note about obtaining the latest fix packs and upgrades: always check the latest Deployment Guide for the IBM Integrated Security Solution for Cisco Networks to verify the correct software status.
Installation of the Web infrastructure, which is WebSphere Application Server and IBM HTTP Server. In our lab we used the versions provided with the Tivoli Configuration Manager software and updated them with the latest fix packs.
Creation of a user account for database access.
The steps to install the minimal required version of the Web infrastructure are:
1. To start the installation, go to the \win subdirectory of the directory that holds your WebSphere Application Server 5.1 installation media and run the file LaunchPad.bat.
Page 380
3. The WebSphere Application Server Installation wizard is displayed, as shown in Figure 8-2. Click Next.
Figure 8-2 WebSphere Installation Wizard window
4. In the next window, the standard license agreement is presented, as shown in Figure 8-3. Accept the license and click Next.
Figure 8-3 Software License Agreement window
– Application Server
– Administration
  • Scripted Administration
  • Administration Console
– IBM HTTP Server Version 1.3.28
– Web server plug-ins
  • Plug-in for IBM HTTP Server v1.3
This is shown in Figure 8-5. Click Next.
Figure 8-5 Component selection dialog
Important: If Internet Information Server is installed on the machine where you are performing the WebSphere installation, there may be a conflict on port 80. To prevent this, configure the World Wide Web Publishing Service not to start automatically, or set it to the disabled state.
7. In the next window, shown in Figure 8-6, you can specify the directories where the software components will be installed. Leave the default values and click Next.
Figure 8-6 Destination folder selection window
8. In the next window you must specify the node name and host name for the Application Server to use. Both fields are filled in with your server host name by default, as shown in Figure 8-7. We recommend that you leave the defaults and click Next.
For our lab we decided to run the service using the administrator account. When you are done, click Next.
Figure 8-8 Run as a service selection window
Figure 8-9 Installation options summary
11. The installation progress is shown in another dialog. The process has several phases:
– Installation of WebSphere Application Server
– Installation of IBM HTTP Server
– Installation of three Web applications
It may take a few minutes to complete the installation. Then you are presented with the online registration window, as shown in Figure 8-10. Uncheck "Register this product now" and click Next.
Figure 8-10 Online registration dialog
12. Finally, two windows remain open. One is the First Steps dialog, which you can simply exit. The second, shown in Figure 8-11, presents the Installation status summary. To close the wizard, click Finish.
Figure 8-11 Installation status summary window
Now you are ready to update your environment with the latest fixes.
Page 390
3. Make sure that the IBM HTTP Server is not running (look for the Apache.exe or httpd processes). If it is running, it can be stopped using the Services panel or with the following commands:
   net stop "IBM HTTP Administration 1.3.28"
   ...
b. The Install fix packs option is selected, as shown in Figure 8-13.
Figure 8-13 Installation option selection
... DB2ADMNS on Windows. To create this user account, issue the following commands as an administrative user:
   net user dmsadmin <password> /add
   net localgroup DB2ADMNS dmsadmin /add
Now you can continue with the Tivoli Configuration Manager Web Gateway installation.
Installation of Tivoli Configuration Manager Web Gateway
In this section we detail the steps for installing Tivoli Configuration Manager Web Gateway. To install this component you need the Tivoli Configuration Manager Web Gateway CD, which is included with your Tivoli Configuration Manager installation bundle.
3. The welcome window is presented (Figure 8-16). Click Next.
Figure 8-16 Welcome window
4. In the next window (Figure 8-17), the standard license agreement is shown. Accept the license and click Next.
Figure 8-17 License agreement window
5. The component selection is displayed, as shown in Figure 8-18. Make sure that all three options are selected and click Next.
Figure 8-18 Component selection
6. The installation directory selection window is displayed (Figure 8-19). Accept the default path, but make sure that the drive has at least 510 MB of free space, and click Next.
Figure 8-19 Installation directory selection window
... DB2 administration user and the dmsadmin user you created according to the procedure described in "Creating the necessary user account" on page 374, and click Next.
Figure 8-20 Database configuration window
8. The Web infrastructure configuration window is displayed (Figure 8-21). Check whether the right paths are entered (usually these are the defaults for the selected platform) and click Next.
Figure 8-21 Web infrastructure configuration window
9. If no Tivoli Endpoint was installed on the server, you are presented with the Endpoint configuration dialog.
If your Tivoli Configuration Manager is a single-node installation, this is localhost, as shown in Figure 8-22. Then click Next.
Figure 8-22 Endpoint configuration window
10. The Secure access configuration window is presented, as shown in Figure 8-23. Since we are not using Tivoli Access Manager in our environment, accept the default (Enable security: False) and click Next.
Figure 8-23 Secure access configuration
11. The summary of the selected installation options is presented, as shown in Figure 8-24. Click Next to proceed with the installation.
Figure 8-24 Summary of installation options
12. The installation can take a while depending on the configuration of your system. You can follow the progress of the installation in the dialog window. Figure 8-25 shows the final status. To finish the Web Gateway installation, click Finish.
Figure 8-25 Installation status window
Now that all of the prerequisites are installed and configured, you can proceed with the remediation server configuration.
Page 404
... Tivoli Configuration Manager Web Gateway. The Software Package Web Server code is located in the file posted on the IBM Web page, as described in "Preparing for the installation" on page 360, and must be deployed into the WebSphere Application Server.
3. If you have followed the installation of WebSphere Application Server as described in this book, you have no security turned on and you will see the standard login screen, as shown in Figure 8-26. Enter any name and click ...
Figure 8-26 WebSphere administrative console login
Figure 8-27 Install new application
5. In the Local path field, enter the path to the SoftwarePackageServer.ear file located in the temporary directory created in step 1 and click Next.
6. The Preparing for the application installation window is displayed (Figure 8-28). Accept the defaults and click Next.
Figure 8-28 Preparing for the application installation
The button may be hidden in the lower part of the window, depending on the resolution of your display. In this case, scroll down using the scroll bar on the right.
Figure 8-29 Installation option summary dialog
8. The installation may take a few seconds or a few minutes depending on your server configuration. In the window that displays the installation results, find and click the Save to Master Configuration link.
Figure 8-30 Installation status window
9. In the next window, shown in Figure 8-31, select Save to save the configuration changes to the master configuration file.
Figure 8-31 Saving the configuration changes
10. When you click the Enterprise Applications link under Applications in the left pane, you should see a window similar to the one presented in Figure 8-32.
Figure 8-32 Enterprise Applications window
Configuration of the Software Package Web Server
The steps necessary to properly configure the Software Package Web Server are:
3. Configure the WorkflowPostureCollectorMapping.properties file. You can copy and use the sample properties file provided by entering the following commands:
   cd %BINDIR%
   cd tcmremed\cfg
   copy WorkflowPostureCollectorMapping.properties.sample WorkflowPostureCollectorMapping.properties
... contains some...
Page 413
This file contains the mapping between the remediation workflows and the posture collector parameters used in the compliance policies defined on the Tivoli Security Compliance Manager server.
4. Edit the WorkflowPostureCollectorMapping.properties file and provide the content relevant to the policies you defined in 6.2.4, "Customization of compliance policies"...
Most of them can be used as is, but a few must be edited. There is also a file missing for SERVICE_DISABLED_WF, so we have to create one named nac.win.any.services.PostureServices_SERVICE_DISABLED_WF.DefaultConfig.properties.
In Example 8-2 and Example 8-3 we present the final content required for the files that must be changed or added.
Example 8-2 nac.win.any.services.PostureServices_SERVICE_RUNNING_WF.DefaultConfig.properties file content
   # SPUtil default config file for nac.win.any.services.PostureServices_SERVICE_RUNNING_WF
   #PostureCollectorName=nac.win.any.services.PostureServices
   #PostureCollectorParameterName=SERVICE_RUNNING_WF
   PackageName.input=NULLABLE
   PackageName.format=${WorkflowName}
   #EnableLogging=true
   TmfWebUIPublicName.input=NULL
   TmfWebUIPublicName.format=/${WorkflowName}/${PostureCollectorName}/${PostureCollectorParameterName}/latest
Example 8-3 nac.win.any.services.PostureServices_SERVICE_DISABLED_WF.Def...
The intention of these instructions is to guide the user in remediating the situation. As part of the IBM Integrated Security Solution for Cisco Networks deployment guide, several example HTML pages are included in the acme3.zip file. The guide is located at:
http://www.ibm.com/support/docview.wss?uid=swg24007082
Page 417
The checks defined by the particular compliance objects within the policy relate to the data gathered by one posture collector. This means that the individual violations are collector-related, and this determines how the HTML pages are organized. Figure 8-33 shows the directory structure that is required for the pages to be displayed properly.
... HTML in the following order of preference:
   scripts/{collector}/{lang}/{instance}/default.html
   scripts/{collector}/{lang}/default.html
   scripts/{collector}/{DEFAULT_LANG}/{instance}/default.html
   scripts/{collector}/{DEFAULT_LANG}/default.html
Variable        Definition
{DEFAULT_LANG}  The default language and locale. Hard-coded to en_US.
{lang}          Preferred ISO language/locale code as detected by Java, for example, pl_PL or en_AU.
If none of these locations contains a valid page, the user interface falls back to the method used to locate the base HTML page.
HTML pages example
Assume that a policy wants to ensure that the ZoneAlarm and Remote Desktop services are running, and that several other services are not running.
... Displayed page, relative to scripts/nac.win.any.services.PostureServicesV2/en_US/default.html...
The type of tag is followed by a colon (:) and an identifier. The entire tag is enclosed in angle brackets. A closing tag or slash (/) is not required or supported.
The wfattribute tag
The simplest variables are workflow attributes. When a posture collector performs a check that fails, it will often associate a ... element. The workflow object may contain one or more named lists of ... These attributes may be accessible using the wfattribute tag. When a workflow tag refers to a list with more than one item, the items are listed separated by commas.
Some attributes are generated by the Tivoli Security Compliance Manager client, and the others come from either the local handlers.properties file or the HANDLERS_ATTRIBUTES parameter of the policy collector.
... Table 8-7, cannot be overridden by user settings.
Table 8-7 Innate remattribute tag usage
Attribute           Example
client.alias        scmclient
client.dhcp         false
client.fingerprint  a3:55:e5:62:2a:db:52:93:3b:c2:22:38:44:53:bf:02
client.id
client.root         C:\PROGRA~1\IBM\SCM\client
os.arch
os.name             Windows 2000
os.version
win.build           2195
win.product         Microsoft Windows 2000
win.sp              Service Pack 4
win.version
All other attributes come from either the HANDLER_ATTRIBUTES parameter of the policy collector or the local handlers.properties file.
... HANDLER_ATTRIBUTES parameter of the policy collector.
Logging available attributes
To enable logging of the attributes available for use with remattribute tags, set the following attribute:
   remediationdialog.logAttributes=true
   Attribute: win.build -> 2600
   Attribute: win.product -> Microsoft Windows XP
   Attribute: os.name -> Windows XP
   Attribute: os.version -> 5.1
   Attribute: client.root -> C:\PROGRA~1\IBM\SCM\client
   Attribute: win.sp -> Service Pack 2
   Attribute: win.version -> 5.1
   Attribute: client.id -> 2
   Attribute: client.alias -> scmxp
   ...
   `--PostureElement
      |-name : Last Scan...
   ...Pack\PASS.html ==> found
This concludes the general HTML authoring principles section. In the next sections we describe the actual content created for the ABBC environment.
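The page lookup order and the wfattribute/remattribute expansion described above, as an added example (not code from the Redbook or the Tivoli client): a resolver that walks the four candidate locations in the documented order, and a renderer that expands the tags, joins list values with commas, and lets the innate attributes of Table 8-7 override any user-supplied value of the same name. The collector name, file set and attribute values are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Union

DEFAULT_LANG = "en_US"  # {DEFAULT_LANG} is hard-coded to en_US in the client

# Innate attributes listed in Table 8-7; user settings never override these.
INNATE_ATTRIBUTES = frozenset({
    "client.alias", "client.dhcp", "client.fingerprint", "client.id",
    "client.root", "os.arch", "os.name", "os.version",
    "win.build", "win.product", "win.sp", "win.version",
})

# <type:identifier> with no closing tag, exactly as the text describes.
TAG_RE = re.compile(r"<(wfattribute|remattribute):([A-Za-z0-9_.\-]+)>")


def candidate_pages(collector: str, lang: str, instance: Optional[str]) -> List[str]:
    """Relative paths to try, most specific first, in the documented order."""
    paths: List[str] = []
    for loc in dict.fromkeys((lang, DEFAULT_LANG)):  # dedupes when lang is en_US
        if instance:
            paths.append(f"scripts/{collector}/{loc}/{instance}/default.html")
        paths.append(f"scripts/{collector}/{loc}/default.html")
    return paths


def resolve_page(existing: Set[str], collector: str, lang: str,
                 instance: Optional[str] = None) -> Optional[str]:
    """First candidate present in `existing`; None means fall back to the base page."""
    for path in candidate_pages(collector, lang, instance):
        if path in existing:
            return path
    return None


def build_remattributes(innate: Dict[str, str], user: Dict[str, str]) -> Dict[str, str]:
    """Merge user attributes (HANDLER_ATTRIBUTES or handlers.properties) with the
    innate client attributes. An innate name supplied by the user is discarded."""
    merged = {k: v for k, v in user.items() if k not in INNATE_ATTRIBUTES}
    merged.update(innate)
    return merged


def render(template: str,
           wfattributes: Dict[str, Union[str, Iterable[str]]],
           remattributes: Dict[str, str]) -> str:
    """Expand the tags in an HTML page. List-valued workflow attributes are
    joined with commas; unknown names are left as-is so the author can spot them
    (that last choice is ours, the text does not say what the client does)."""
    def substitute(match: "re.Match[str]") -> str:
        kind, name = match.group(1), match.group(2)
        source = wfattributes if kind == "wfattribute" else remattributes
        if name not in source:
            return match.group(0)
        value = source[name]
        return value if isinstance(value, str) else ",".join(value)
    return TAG_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample: a pl_PL client with only one translated instance page.
    collector = "nac.win.any.services.PostureServicesV2"
    existing = {
        f"scripts/{collector}/en_US/default.html",
        f"scripts/{collector}/pl_PL/ZoneAlarm/default.html",
    }
    print(resolve_page(existing, collector, "pl_PL", "RemoteDesktop"))  # en_US fallback
    rem = build_remattributes({"os.name": "Windows XP", "client.alias": "scmxp"},
                              {"client.alias": "forged", "helpdesk": "444-444-4444"})
    print(render("Not running: <wfattribute:services> on <remattribute:os.name> "
                 "(<remattribute:client.alias>), call <remattribute:helpdesk>",
                 {"services": ["ZoneAlarm", "Remote Desktop"]}, rem))
```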
8.3.4 Creating HTML pages for ABBC policy
Figure 8-34 summarizes the directory structure for the HTML remediation pages used in our example.
Figure 8-34 Sample directory structure for ABBC
The following three steps build meaningful HTML examples for the policies described in "Security compliance criteria"...
Example 8-4 HTML source for password policy settings page
   <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
   <head>
   <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
   <script type="text/javascript"></script>
   <style type="text/css" media="all">
   @import "file:/c:/Progra~1/IBM/SCM/client/scripts/com.ibm.scm.nac.posture.PolicyCollector/sentry.css";
   </style>
   <title> </title>
   </head>
   <body>
   ...
This page uses a style defined in the separate sentry.css file, which was copied to the directory c:\Program Files\IBM\SCM\client\scripts\com.ibm.scm.nac.posture.PolicyCollector along with any custom graphic files used on all the HTML pages, such as the company's logo. Example 8-5 shows the content of the CSS file.
The collector we use as an example supports two checks:
– Minimum password length
– Maximum password age
... "Variables and variable tags" on page 402.
Example 8-6 HTML source for password length policy details page
   <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
   <head>
   <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
   <script type="text/javascript"></script>
   <style type="text/css" media="all">
   @import "file:/c:/Program Files/IBM/SCM/client/scripts/com.ibm.scm.nac.posture.PolicyCollector/sentry.css";
   </style>
   <title>
   ...
   You may also click the <b>Fix Now</b> button to correct the settings automatically<br>
   For further support or assistance call the Helpdesk 444-444-4444<br>
   <!-- END ITEM DETAIL TEXT -->
   </div>
   </body>
   </html>
Example 8-7 HTML source for password age policy details page
   <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
   <head>
   <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
   <script type="text/javascript"></script>
   <style type="text/css" media="all">
   @import "file:/c:/Program Files/IBM/SCM/client/scripts/com.ibm.scm.nac.posture.PolicyCollector/sentry.css";
   </style>
   <title> </title>
   </head>
   <body>
   ...
... OS version-dependent user instructions on a separate Web server, and to provide the user with a direct link to the patch file required for particular operating system levels.
You can build similar pages for all of the compliance checks described in your policy. In the next section we provide the detailed steps to build the remediation workflows that are called when the user clicks the Fix Now button on the remediation user interface.
Page 436
Framework, and start bash. Then create a directory for the workflow files. To do this issue the following commands: cmd /k %SystemRoot%\system32\drivers\etc\Tivoli\setup_env.cmd bash cd $BINDIR/tcmremed/download mkdir TCRNavScan cd TCRNavScan Building a Network Access Control Solution with IBM Tivoli and Cisco Systems workflow was defined in the SCAN_WF parameter in the...
Page 437
2. In the next step we create the Windows script that will perform the actual job. We can reuse the one provided with the samples in the sample_TCRNavScan directory named NavScanMessage_en.wsf (Windows Script File format) or create a new one using the source code provided in Example 8-8. Copy the file to the new directory that you created in the previous step.
Equals the name of the workflow that matches the value of the SCAN_WF parameter in the policy.
As a result you should see the output presented below:
Region Disp Flags Port
1406765930
5. Run the sputil.sh command to create the software package block and publish it on the Web Gateway. To achieve this run the following commands:
cd $BINDIR/tcmremed/download
cd TCRNavScan
$BINDIR/tcmremed/bin/sputil.sh -p Sample.properties...
Figure 8-38, click the Fix Now button.
Figure 8-38 Remediation handler interface with the warning
Software package definition file. This is a text meta file containing all of the package configuration information.
The remediation process window is displayed and the proper software package block is downloaded and executed. You are presented with the instructions shown in Figure 8-39.
Figure 8-39 Result of running NavScanMessage_en.wsf
When you click OK the final remediation handler window should look like Figure 8-40.
Example 8-10 Sample.properties file for TCRNavVirusDefUpdate workflow
WorkflowName=TCRNavVirusDefUpdate
RegistryKeyForExePathName.arrayLength=2
ExeName.arrayLength=2
ExeArg.arrayLength=2
RegistryKeyForExePathName[0]=HKEY_LOCAL_MACHINE\\Software\\Symantec\\InstalledApps\\SAV Install Directory
ExeName[0]=vpdn_lu.exe
ExeArg[0].arrayLength=1
ExeArg[0][0]=/s
RegistryKeyForExePathName[1]=HKEY_LOCAL_MACHINE\\Software\\Symantec\\InstalledApps\\SAV Install Directory
ExeName[1]=vpdn_lu.exe
ExeArg[1].arrayLength=1
ExeArg[1][0]=/s
#RebootNowFlag=false
#RebootLaterFlag=false
#RebootRetryNumber=1
TmfWebUIEndpoint=tcmweb
3. Run the sputil.sh command to create the software package block and publish it on the Web Gateway. To achieve this run the following commands:
cd $BINDIR/tcmremed/download
cd TCRNavVirusDefUpdate
$BINDIR/tcmremed/bin/sputil.sh -p Sample.properties
4. Verify the result of running the tool with the following command:
wlookup -ar SoftwarePackage | grep TCRNavVirusDefUpdate
If the package was created the result will look like below (the number in the middle of the resulting string will be different in your environment as it is...
1406765930.1.848#SoftwarePackage::Spo#...
Windows Hotfixes policy to be used when the compliance check generated a FAIL or WARNING status. The purpose of the workflow is to install the missing hotfixes. As this policy checks for multiple hotfixes in parallel, the missing ones must be passed back to the remediation workflow as a parameter. You must build the remediation package separately for each hotfix you have specified in the policy. As an example we used hotfix KB896423. Follow the steps described below, modifying the hotfix name according to the name you are using:
1.
6. Verify the result of running the tool with the following command:
wlookup -ar SoftwarePackage | grep TCRMSPatchesInstallWinXP_KB896423
If the package was created the result will look like below (the number in the middle of the resulting string will be different in your environment as it is meant to be unique and is associated with the Tivoli Management Region number):
TCRMSPatchesInstallWinXP_KB896423^1.0
1406765930.1.849#SoftwarePackage::Spo#...
must match the name of the hotfix. To notice the...
TCRMSServicePackInstallWinXpSp2 directory and edit it with the text editor to match the content specified in Example 8-13.
Example 8-13 Sample.properties file for TCRMSServicePackInstallWinXpSp2 workflow
WorkflowName=TCRMSServicePackInstallWinXpSp2
AddRegistryValuesBeforeExecFlag=true
AddRegistryValueBeforeExecParentKey.arrayLength=2
AddRegistryValueBeforeExecKey.arrayLength=2
AddRegistryValueBeforeExecName.arrayLength=2
AddRegistryValueBeforeExecType.arrayLength=2
AddRegistryValueBeforeExecData.arrayLength=2
AddRegistryValueBeforeExecParentKey[0]=HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall
AddRegistryValueBeforeExecKey[0]=DomainProfile
AddRegistryValueBeforeExecName[0]=EnableFirewall
AddRegistryValueBeforeExecType[0]=dword
AddRegistryValueBeforeExecData[0]=0
AddRegistryValueBeforeExecParentKey[1]=HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall
AddRegistryValueBeforeExecKey[1]=StandardProfile
AddRegistryValueBeforeExecName[1]=EnableFirewall
AddRegistryValueBeforeExecType[1]=dword
AddRegistryValueBeforeExecData[1]=0
SourceFilename.arrayLength=1
ExeArg.arrayLength=1
SourceFilename[0]=WindowsXP-KB835935-SP2-ENU.exe
ExeArg[0].arrayLength=2
ExeArg[0][0]=/passive
ExeArg[0][1]=/norestart
RunQchainFlag=false
TmfWebUIEndpoint=tcmweb
Note that the AddRegistryValueBeforeExec entries in this file set EnableFirewall to 0 for both the DomainProfile and the StandardProfile under the WindowsFirewall policy key before the service pack installer runs, and nothing in the listing re-enables it afterwards; check what the deployed workflow does with these values once the installation has completed.
4. Run the sputil.sh command to create the software package block and publish it on the Web Gateway. To achieve this run the following commands:
cd $BINDIR/tcmremed/download
cd TCRMSServicePackInstallWinXpSp2
$BINDIR/tcmremed/bin/sputil.sh -p Sample.properties...
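The array syntax that sputil.sh reads from Sample.properties (Key.arrayLength=N, Key[i]=v, Key[i].arrayLength=M, Key[i][j]=v) is easy to get wrong when a sample is copied and edited by hand, and the listings in this chapter give no indication of how a mismatch shows up. The following Python checker is an added example, not code from this redbook or from the Tivoli Configuration Manager tooling: it parses a properties file with that syntax, verifies that every declared arrayLength matches the indices actually present, and confirms that the parallel AddRegistryValueBeforeExec* arrays agree in length. Example 8-13 is embedded as the valid input; the second file is a constructed broken one. The key grammar is inferred from the examples on this page and is an assumption about what sputil.sh itself accepts.

```python
"""Consistency checker for the Sample.properties array syntax used by sputil.sh.

Added example, not code from the redbook or from the Tivoli tooling. The key
grammar (Key=value, Key.arrayLength=N, Key[i]=v, Key[i].arrayLength=M,
Key[i][j]=v, '#' comments) is inferred from the examples on this page and is
an assumption about what sputil.sh itself accepts.
"""
import re
from collections import defaultdict

KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)((?:\[\d+\])*)(\.arrayLength)?$")

# Example 8-13 from the page (a valid file).
EXAMPLE_8_13 = r"""
WorkflowName=TCRMSServicePackInstallWinXpSp2
AddRegistryValuesBeforeExecFlag=true
AddRegistryValueBeforeExecParentKey.arrayLength=2
AddRegistryValueBeforeExecKey.arrayLength=2
AddRegistryValueBeforeExecName.arrayLength=2
AddRegistryValueBeforeExecType.arrayLength=2
AddRegistryValueBeforeExecData.arrayLength=2
AddRegistryValueBeforeExecParentKey[0]=HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall
AddRegistryValueBeforeExecKey[0]=DomainProfile
AddRegistryValueBeforeExecName[0]=EnableFirewall
AddRegistryValueBeforeExecType[0]=dword
AddRegistryValueBeforeExecData[0]=0
AddRegistryValueBeforeExecParentKey[1]=HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall
AddRegistryValueBeforeExecKey[1]=StandardProfile
AddRegistryValueBeforeExecName[1]=EnableFirewall
AddRegistryValueBeforeExecType[1]=dword
AddRegistryValueBeforeExecData[1]=0
SourceFilename.arrayLength=1
ExeArg.arrayLength=1
SourceFilename[0]=WindowsXP-KB835935-SP2-ENU.exe
ExeArg[0].arrayLength=2
ExeArg[0][0]=/passive
ExeArg[0][1]=/norestart
RunQchainFlag=false
TmfWebUIEndpoint=tcmweb
"""

# Constructed broken file: ExeArg[0] declares 3 arguments but lists 2, and
# SourceFilename has an indexed entry without any arrayLength declaration.
BROKEN = r"""
WorkflowName=TCRDemoBroken
ExeArg.arrayLength=1
ExeArg[0].arrayLength=3
ExeArg[0][0]=/passive
ExeArg[0][1]=/norestart
SourceFilename[0]=setup.exe
"""


def parse_properties(text):
    """Return (scalars, declared, observed).

    scalars:  {"WorkflowName": "..."}                     plain Key=value
    declared: {("ExeArg", ()): 1, ("ExeArg", (0,)): 2}    arrayLength declarations,
              keyed by name and the index prefix they apply to
    observed: {("ExeArg", (0,)): {0, 1}}                  indices actually used under
              each prefix, including those implied by nested declarations
    """
    scalars, declared, observed = {}, {}, defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected Key=value: {raw!r}")
        key, value = line.split("=", 1)
        m = KEY_RE.match(key.strip())
        if not m:
            raise ValueError(f"line {lineno}: malformed key {key!r}")
        name, idx_text, is_len = m.groups()
        indices = tuple(int(i) for i in re.findall(r"\[(\d+)\]", idx_text))
        for depth, idx in enumerate(indices):        # every prefix level is "used"
            observed[(name, indices[:depth])].add(idx)
        if is_len:
            declared[(name, indices)] = int(value)
        elif not indices:
            scalars[name] = value
    return scalars, declared, dict(observed)


def _label(name, prefix):
    return name + "".join(f"[{i}]" for i in prefix)


def check_arrays(declared, observed):
    """List every array whose declared length disagrees with the indices present,
    and every indexed key that has no arrayLength at all. Empty list = consistent."""
    problems = []
    for (name, prefix), n in declared.items():
        present = observed.get((name, prefix), set())
        if present != set(range(n)):
            problems.append(f"{_label(name, prefix)}.arrayLength={n} "
                            f"but indices present: {sorted(present)}")
    for key, present in observed.items():
        if key not in declared:
            problems.append(f"{_label(*key)} has entries {sorted(present)} "
                            f"but no arrayLength")
    return problems


def parallel_lengths(declared, stem):
    """Distinct lengths declared for the top-level arrays whose name starts with
    `stem`. The AddRegistryValueBeforeExec* keys are parallel arrays (entry i of
    each describes one registry value), so a consistent file yields one length."""
    return {n for (name, prefix), n in declared.items()
            if not prefix and name.startswith(stem)}


if __name__ == "__main__":
    for label, text in (("Example 8-13", EXAMPLE_8_13), ("constructed", BROKEN)):
        _, declared, observed = parse_properties(text)
        print(label, check_arrays(declared, observed) or "OK")
```

Run the checker over a Sample.properties file before calling sputil.sh; an empty problem list and a single value from parallel_lengths(declared, "AddRegistryValueBeforeExec") mean the array structure is at least self-consistent, which is cheaper to find out here than after the package has been published to the Web Gateway and has to be removed and rebuilt.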
Pro trial or you are in possession of a fully licensed installation image, copy the installation package to the TCRZLSoftwareInstalled directory.
workflow is also very similar to the ones described...
3. Create the configuration file for the sputil.sh utility containing the instructions on how to build the package. Copy the Sample.properties file from the sample_TCRZLSoftwareInstalled directory to the TCRZLSoftwareInstalled directory and edit it with the text editor to match the content specified in Example 8-14.
Example 8-15.
Example 8-15 Sample.properties file for TCRZLSoftwareRunning workflow
WorkflowName=TCRZLSoftwareRunning
CorequisiteFilesFlag=true
SourceFilename.arrayLength=1
ExeArg.arrayLength=1
SourceFilename[0]=startupTrueVectorService.bat
ExeArg[0].arrayLength=0
TmfWebUIEndpoint=tcmweb
workflow was defined in the...
4. Run the sputil.sh command to create the software package block and publish it on the Web Gateway. To achieve this run the following commands:
cd $BINDIR/tcmremed/download
cd TCRZLSoftwareRunning
$BINDIR/tcmremed/bin/sputil.sh -p Sample.properties
5. Verify the result of running the tool with the following command:
wlookup -ar SoftwarePackage | grep TCRZLSoftwareRunning
If the package was created the result will look like below (the number in the middle of the resulting string will be different in your environment as it is...
1406765930.1.855#SoftwarePackage::Spo#...
In order to modify the package you must remove it and then create and publish a new one.
In order to remove the package for the TCRMessengerDisabled remediation workflow:
1. Open a command prompt, import the environment variables for the Tivoli Framework, and start bash. Then go to the directory for the TCRMessengerDisabled workflow. To do this issue the following commands:
cmd /k %SystemRoot%\system32\drivers\etc\Tivoli\setup_env.cmd
bash
cd $BINDIR/tcmremed/download...
Appendix A. This appendix contains hints, tips, and other useful information that can help the implementer to have a better understanding of the IBM Integrated Security Solution for Cisco Networks. It also describes the NAC Appliance offering and presents a working prototype for integration with the NAC Appliance offering.
In Figure A-1 on page 443, the shadowed boxes represent files or content that is imported or modified to change the behavior of the deployment. The heavily lined boxes represent software that is installed as part of the deployment.
ViolationCount policy on the client that is of interest.
Figure A-1 TRC-specific objects and relationship Appendix A. Hints and tips...
The Fix Now button initiates the automated remediation process. The sequence diagram shown in Figure A-2 on page 445 shows the sequence of events for the automated remediation process at the highest level.
Figure A-2 ISSCN top-level sequence diagram
Figure A-3 The compliance subsystem (the figure shows the SCM Agent, the Collector Scheduler, Posture Collectors A through D, and the query and posture exchange with the Cisco Trust Agent)
Cisco NAC sequence of events The NAC process is initiated by the network. Whenever access to a protected network is detected, the Network Access Device queries the endpoint for its posture. In addition, there are two polling cycles that control what requests are sent to the client by the network and when.
PostureQuery to the client.
Fault isolation
Now that the overall sequence of events is understood, it should be straightforward to isolate any fault to one of the subsystems or interfaces and then to determine the actual problem based on the expected behavior of the solution. Assuming that all of the software has been installed and is running, when the client first tries to connect to a protected network, it should receive a pop-up message from the Cisco Trust Agent stating either that the client is healthy or that the client has been quarantined.
1950. Similarly, communication from a push client to the server is initiated by the client on port 1951.
Communication port usage Tivoli Security Compliance Manager server and client communicate only with temporary connections. A persistent connection is not required because the Security Compliance Manager/NAC concept can function without the Security Compliance Manager server after the client policies are deployed. Communications among Tivoli Security Compliance Manager components are secured using 128-bit Secure Sockets Layer (SSL) encryption.
Auth BEND SM Stat = IDLE
Port Status ReAuthPeriod ReAuthAction
Shows eou (EAPoverUDP) settings including polling cycle timeouts.
Shows current eou cache data.
Turns on eou logging output.
Manager plug-in displayed in the list. Select the IBM plug-in and click the Posture Button. The attributes and values that are passed to the network by the IBM plug-in are displayed in the lower window. Make sure that these values are the expected values.
The pnotify <REM_URL> command starts the remediation handler, with <REM_URL> being the URL of the remediation listener that can be called to handle the remediation request.
Client logging can be turned on by setting the debug property to true in the %SCM_HOME%\client\client.pref file. When turned on, a file called client.log is created and updated in the %SCM_HOME%\client directory. This file records any notification received from the network.
Remediation handler
When the Security Compliance Manager client is started, it automatically starts the remediation handler.
Once the user's device has successfully logged on, its traffic then bypasses the Clean Access Server and traverses the switch port directly. In the meantime, the Clean Access Manager provides port-level or role-level control by assigning ports to specific VLANs, assigning users to specific roles that map to specific VLANs, and providing a time-based session time out per role. Cisco Clean Access out-of-band is most appropriate for high-throughput, highly routed environments such as campuses, branch offices, and extranets.
HTTPS request to the NAC Appliance Manager that terminates the client's admission session and forces the client to restart the admission process.
that will eliminate the need for the...
A high-level overview of this design is depicted in Figure 8-42.
Figure 8-42 High-level overview (NAC Appliance: start authentication; if (TSCM Client Running) && (Compliance Semaphore File Exists), allow the host into the production network)
Integration components
The following components are to be considered prototypes for use in labs, demos, training classes, and similar purposes.
This specially built policy collector has been modified to update the state of the compliance semaphore file and to terminate the client's session if the client is admitted to the network and compliance violations are found.
Security Compliance Manager Client's handler.properties file. All of the components assume that the Security Compliance Manager Client is installed in the c:\Program Files\IBM\SCM\Client directory, which is the default location.
Scheduler
A platform-specific task scheduler (for example, Windows Task Scheduler or cron on UNIX) is configured to run the Security Compliance Manager Client's...
Whenever a system with this prototype collector is updated with a production version, the installer will be warned that the new version is lower than
This collector includes a "Network_Enforcement" parameter, which should have the value "cca" added to enable the NAC Appliance integration.
TSCMAgent.bat
This script should be placed in the c:\Program Files\IBM\SCM\Client directory.
NACApplianceCompliance.entry
This file should be placed in the c:\Program Files\IBM\SCM\Client directory.
HTML form.
State mapping and scenarios One way for the solution to approach a design is to consider all of the possible states that can occur with regards to the client, its compliance state, and its network admission state. Table 8-8 presents the possible states that should be considered.
Starts TSCMAgent.bat
– TSCMAgent.bat:
  i. Sets semaphore to -1
  ii. Starts Security Compliance Manager Client
  iii. Runs statuscheck.exe
– Statuscheck.exe:
  • Requests posture from Security Compliance Manager Client
– Security Compliance Manager Client:
  • Runs compliance validation. In this case, no violations are found, so set semaphore to 1.
  • No violations are found, so return.
– User clicks Next button.
– NAC Appliance now finds Security Compliance Manager Client running and semaphore=1, so admit client.
  • Since semaphore is 0, call NAC Appliance Kick User API.
  • Exit.
– NAC Appliance restarts the admission process.
– Client is now in same state as state #5.
Since scenarios 5 and 6 are the most complex, the sequence of events for these scenarios is depicted in Figure 8-43.
Figure 8-43 Sequence of events for scenarios 5 and 6 (participants shown: Remediation UI, statuscheck.exe; messages: pquery, Violations>0, pnotify, Semaphore=0, pquery, Violations>0...)
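The prototype's admission logic is spread over Figure 8-42, the component descriptions and the scenario steps above, and the interesting cases are the ones the steps do not spell out: what the appliance should do when the semaphore is still -1 because statuscheck.exe never finished, or when the file is missing or corrupt. The following Python model is an added example, not code from this redbook or from the prototype it describes. It replays TSCMAgent.bat (semaphore to -1, start the client, run statuscheck), statuscheck.exe (pquery, then semaphore 1 or 0 plus pnotify, and the Kick User API when an already admitted host turns out to be noncompliant), and the appliance decision, which it reads conservatively as "admit only a running client with semaphore 1", so every other state fails closed. The class, function and file names, and the stand-in compliance client, are assumptions for the demonstration.

```python
"""Model of the NAC Appliance / Security Compliance Manager semaphore prototype.

Added example; not code from the redbook or from the prototype it describes.
It replays the page's admission logic: TSCMAgent.bat sets the semaphore to -1,
starts the client and runs statuscheck.exe; statuscheck queries the posture and
sets the semaphore to 1 (compliant) or 0 (violations, remediation notified),
calling the Kick User API when an already admitted host is found noncompliant;
the appliance admits only a running client whose semaphore reads 1. Class,
function and file names are my own assumptions.
"""
import os
import tempfile

IN_PROGRESS, NONCOMPLIANT, COMPLIANT = -1, 0, 1


class SemaphoreFile:
    """The compliance semaphore as a one-integer file, replaced atomically so
    the appliance never reads a half-written value."""

    def __init__(self, path):
        self.path = path

    def write(self, state):
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            f.write(str(int(state)))
        os.replace(tmp, self.path)

    def read(self):
        """Return -1, 0 or 1, or None when the file is missing or unparsable."""
        try:
            with open(self.path) as f:
                value = int(f.read().strip())
        except (OSError, ValueError):
            return None
        return value if value in (IN_PROGRESS, NONCOMPLIANT, COMPLIANT) else None


def admission_decision(client_running, semaphore_state):
    """Figure 8-42 read conservatively (fail closed): admit only when the client
    is running AND the semaphore says compliant. -1 (check still running or
    crashed), 0, a missing file and garbage all deny."""
    return bool(client_running) and semaphore_state == COMPLIANT


class FakeComplianceClient:
    """Stand-in for the Security Compliance Manager client's pquery/pnotify;
    a real deployment talks to the client's remediation handler instead."""

    def __init__(self, violations):
        self.violations = violations
        self.notified = 0

    def pquery(self):
        return self.violations          # violation count as seen by statuscheck

    def pnotify(self):
        self.notified += 1              # opens the remediation UI for the user


def statuscheck(client, semaphore, admitted, kick_user):
    """Replay of statuscheck.exe. Returns the new semaphore state."""
    if client.pquery() > 0:
        client.pnotify()
        semaphore.write(NONCOMPLIANT)
        if admitted:
            kick_user()                 # Kick User API: appliance restarts admission
        return NONCOMPLIANT
    semaphore.write(COMPLIANT)
    return COMPLIANT


def run_agent(client, semaphore, admitted=False, kick_user=lambda: None):
    """Replay of TSCMAgent.bat: mark the check in progress first, run the check,
    then report (semaphore state, admission decision for a running client)."""
    semaphore.write(IN_PROGRESS)
    state = statuscheck(client, semaphore, admitted, kick_user)
    return state, admission_decision(True, semaphore.read())


def demo():
    """Run the page's scenarios plus two failure modes; returns the outcomes."""
    kicks = []
    with tempfile.TemporaryDirectory() as d:
        sem = SemaphoreFile(os.path.join(d, "compliance.semaphore"))  # hypothetical name
        compliant = run_agent(FakeComplianceClient(0), sem)           # first connect, clean
        denied = run_agent(FakeComplianceClient(2), sem)              # violations before admission
        kicked = run_agent(FakeComplianceClient(1), sem, admitted=True,
                           kick_user=lambda: kicks.append("kick"))    # admitted, then noncompliant
        os.remove(sem.path)
        missing = admission_decision(True, sem.read())                # no semaphore file
        sem.write(IN_PROGRESS)
        stale = admission_decision(True, sem.read())                  # check never finished
    return {"compliant": compliant, "denied": denied, "kicked": kicked,
            "kick_calls": len(kicks), "missing": missing, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The design point worth carrying into a real deployment is the fail-closed reading of the semaphore: the figure's condition is "semaphore file exists", but TSCMAgent.bat creates that file with -1 before the check has run, so an appliance that admits on mere existence would admit a host whose statuscheck.exe crashed or hung. Testing the value rather than the presence of the file closes that gap.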
Conclusion Having read this appendix, you should now have a better understanding of the IBM Integrated Security Solution for Cisco Networks and be familiar with the NAC Appliance offering. The prototype for integration with the NAC Appliance offering should have prepared you to implement this version of the solution in a laboratory...
(that they are running the latest and most relevant security protections, for example), organizations can significantly reduce or eliminate endpoint devices as a common source of infection or network compromise.
Dramatically improve network security While most organizations use identity management and authentication, authorization, and accounting (AAA) to authenticate users and authorize network privileges, there has been virtually no way to authenticate the security profile of a user’s endpoint device. Without an accurate way to assess the health of a device, even the most trustworthy user can inadvertently expose everyone else in the network to significant risks posed by either an infected device or by one that is not properly protected against infection.
Cisco offers both appliance-based and architecture-based framework approaches to NAC that meet the functional and operational needs of any organization, whether they have a simple security policy requirement or require support for a complex security implementation involving a number of security vendors, combined with a corporate desktop management solution. The NAC Appliance, available as Cisco Clean Access, provides rapid deployment with self-contained endpoint assessment, policy management, and remediation services. In addition, the NAC Framework integrates an intelligent network infrastructure with solutions from more than 50 manufacturers of leading antivirus and other security and management software solutions.
802.1X implementations or planned implementations
Investment protection
Cisco offers the most comprehensive set of admission control products and solutions to meet the functional needs of any organization. And because many organizations have evolving needs, Cisco Clean Access product components that are installed now can be used to support a later NAC Framework implementation. Regardless of which approach you decide is appropriate for your environment, Cisco NAC technologies are designed to preserve your investments in corresponding network technology.
Cisco Clean Access is supported for wireless access via the following technologies:
All 802.11 Wi-Fi access points, including Cisco Aironet access points
Any Wi-Fi client devices with an IEEE 802.1X supplicant that supports NAC
NAC Framework components
The NAC Framework provides the following technology support:
Broad network device support for campus LANs, WANs, VPNs, and wireless access points
Ties to third-party host assessment tools for unmanned, nonresponsive devices, and is able to apply a different policy to each device
Broad platform support for the Cisco Trust Agent
Extends multivendor integration, with application and operating system status checks that go far beyond antivirus and basic operating system patches...
Recommended components:
– Cisco Security Agent
– Cisco Security Monitoring, Analysis, and Response System (MARS)
– CiscoWorks Security and Information Management Solution (SIMS)
For more information visit: http://www.cisco.com/go/nac
Locating the Web material The Web material associated with this redbook is available in softcopy on the Internet from the IBM Redbooks Web server. Point your Web browser to: ftp://www.redbooks.ibm.com/redbooks/SG246678 Alternatively, you can go to the IBM Redbooks Web site at: ibm.com/redbooks...
Create a subdirectory (folder) on your workstation, and unzip the contents of the Web material zip file into this folder.
Description: Contains the Cisco Clean Access Agent Version 4.0.1.1 used for our example...
IBM Redbooks For information about ordering these publications, see “How to get IBM Redbooks” on page 484. Note that some of the documents referenced here may be available in softcopy only.
You can search for, view, or download Redbooks, Redpapers, Hints and Tips, draft publications, and Additional materials, as well as order hardcopy Redbooks or CD-ROMs, at this Web site: http://www.redbooks.ibm.com
This IBM Redbook discusses the IBM Integrated Security Solution for Cisco Networks, which offers a security-rich, policy-based security compliance and remediation solution for small, medium, and large businesses.