
Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

2.2  Definition of a Network Admission Control project

Objectives of a Network Admission Control solution must be carefully planned 
because the result of having a large number of workstations quarantined may be 
more disruptive to the business than a particular virus attack.

Planning Network Admission Control is an organizational challenge for most 
enterprises because it requires close cooperation among groups of people in 
different roles that are typically not closely related:

• Security officers responsible for the formal audit and compliance process
• Network administrators responsible for configuration of network devices
• Administrators responsible for everyday PC configuration and maintenance

It is essential to follow these steps in the implementation of the IBM Tivoli 
Security Compliance Manager and Cisco Network Admission Control:

• Creation of the policies to meet the business requirements and needs
• Building the policies on the compliance server
• Deploying the clients with the required software and initial policy
• Defining and implementing the remediation process
• Preparing the network infrastructure
• Turning on the security compliance enforcement

2.2.1  Phased rollout approach

Enforced Network Admission Control solutions are new to the industry and are 
not yet widely adopted, so a phased approach to rollout is highly recommended.

In the first phase the most vulnerable network segments should be selected. 
These networks can be selected based on network topology knowledge or on the 
statistics from threat monitoring software. 

NAC planning and deployment may be combined with the process of deploying 
wireless networks, along with IEEE 802.1x authentication.

Summary of Contents for Tivoli and Cisco

Page 1: ...o Systems Axel Buecker Richard Abdullah Markus Belkin Mike Dougherty Wlodzimierz Dymaczewski Vahid Mehr Frank Yeh Covering Cisco Network Admission Control Framework and Appliance Automated remediation...

Page 3: ...Building a Network Access Control Solution with IBM Tivoli and Cisco Systems January 2007 International Technical Support Organization SG24 6678 01...

Page 4: ...plication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp Second Edition January 2007 This edition applies to Tivoli Security Compliance Manager V5 1 Tivoli Configuration Manager V...

Page 5: ...for corporate security compliance 8 1 6 Achievable benefits for being compliant 9 1 7 Conclusion 10 Chapter 2 Architecting the solution 13 2 1 Solution architectures design and methodologies 14 2 1 1...

Page 6: ...ecurity Solution for Cisco Networks lab 80 4 2 3 Application security infrastructure 85 4 2 4 Middleware and application infrastructure 86 4 3 Corporate business vision and objectives 87 4 3 1 Project...

Page 7: ...uring a CCA OOB VG server 306 7 2 3 Deployment of the network infrastructure 352 7 3 Conclusion 354 Chapter 8 Remediation subsystem implementation 355 8 1 Automated remediation enablement 357 8 2 Reme...

Page 8: ...nefit of NAC 472 Dramatically improve network security 473 NAC implementation options 474 The NAC Appliance 475 NAC Framework solution 476 Investment protection 476 Planning designing and deploying an...

Page 9: ...bed in this publication at any time without notice Any references in this information to non IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those W...

Page 10: ...all Java based trademarks are trademarks of Sun Microsystems Inc in the United States other countries or both Active Directory Expression Internet Explorer Microsoft Visual Basic Windows NT Windows Se...

Page 11: ...ad the first edition It is important to realize what is the compliance and remediation solution It is not a one size fits all product that will work out of the box for customers It is an integrated so...

Page 12: ...and Rich Axel Buecker is a Certified Consulting Software IT Specialist at the International Technical Support Organization Austin Center He writes extensively and teaches IBM classes worldwide in Sof...

Page 13: ...Software Group in Poland Before joining the Tivoli Technical Sales team in 2002 he worked for four years in IBM Global Services where he was a technical leader for several Tivoli deployment projects H...

Page 14: ...fery Paul John Giammanco Harish Rajagopal Hideki Katagiri Additional support Tom Ballard Sam Yang Mike Garrison Max Rodriguez Don Cronin Michael Steiner Jeanette Fetzer Sean Brain Sean McDonald IBM US...

Page 15: ...Redbooks to be as helpful as possible Send us your comments about this or other Redbooks in one of the following ways Use the online Contact us review redbook form found at ibm com redbooks Send your...

Page 16: ...xiv Building a Network Access Control Solution with IBM Tivoli and Cisco Systems...

Page 17: ...Cisco Systems as created or updated on January 16 2007 January 2007 Second Edition This revision reflects the addition deletion or modification of new and changed information described below New infor...

Page 18: ...xvi Building a Network Access Control Solution with IBM Tivoli and Cisco Systems...

Page 19: ...rt we discuss the overall business context of the IBM Integrated Security Solution for Cisco Networks We then describe how to technically architect the overall solution into an existing environment an...

Page 20: ...2 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems...

Page 21: ...everyone relies on the Internet it is not difficult for an intruder to find the tools on the Web to assist in breaking into an enterprise network To overcome this immense threat faced by many organiza...

Page 22: ...concerns by validating users against a centrally predefined policy before granting them access to the network It also provides a path for an automated remediation process to fix noncompliant workstat...

Page 23: ...rate CIOs who must regard proactive protection against viruses as constant The IBM Integrated Security Solution for Cisco Networks solution provides in depth defense by ensuring that authorized users...

Page 24: ...enacted to protect individual investors and corporations are required by law to provide truthful financial statements All public financial statements released by corporations are subjected to intense...

Page 25: ...to the corporate LAN Corporations must allow external partners and contractors to have access to limited IT resources as well Most businesses are looking for ways to remotely connect to their corpora...

Page 26: ...is fundamental to maintain a trusted relationship between organizations and customers Many businesses have outsourced their IT management to third party companies now it is the responsibility of that...

Page 27: ...rules Enforcing and maintaining strong passwords for example can make it more difficult for malicious users to access protected data Corporate auditors check for consistency in compliancy to corporate...

Page 28: ...ity Compliance Manager SG24 6450 1 7 Conclusion Organizations are constantly looking to maintain compliance status with their corporate security policy for both inter company and intra company interac...

Page 29: ...y compliance problems This approach enables corporations to implement a simplified compliance based full life cycle Network Admission Control and remediation solution that can result in greater produc...

Page 30: ...12 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems...

Page 31: ...he solution architecture of the IBM Integrated Security Solution for Cisco Networks with its compliance based Network Admission Control system We provide an overview of the key modules and their relat...

Page 32: ...ration of resulting IT solutions More information about MASS may be found in the IBM Redbook Enterprise Security Architecture Using IBM Tivoli Security Solutions SG24 6014 2 1 1 Architecture overview...

Page 33: ...etwork representation It shows the involved stationary and portable clients the different network segregations the server components and the required networking equipment Figure 2 2 IBM and Cisco arch...

Page 34: ...campus switching wireless access router WAN links IP Security IPSec remote access and dialup Extension of existing technologies and standards NAC extends the use of existing communications protocols...

Page 35: ...ontrol subsystem can be delivered by NAC Framework or NAC Appliance While the interfaces between these two offerings vary the Tivoli Security Compliance Manager and Tivoli Configuration Manager subsys...

Page 36: ...ormation about its environment required to assess compliance with the security policy at a predefined schedule Using different collectors this data is sent back to the Security Compliance Manager serv...

Page 37: ...condition on a client More information about Tivoli Configuration Manager can be found in the Deployment Guide Series IBM Tivoli Configuration Manager SG24 6454 More details of each subsystem and its...

Page 38: ...ace includes a functional Web browser that supports customized HTML content that can assist the user in remediating In addition if an automated remediation handler is installed a button to start autom...

Page 39: ...sions are based on who is attempting access Posture decisions are integrity based and depend on the integrity of the device being used for access Posture based NAC is designed to protect the network f...

Page 40: ...d on their identity and assigned groups with posture based checking providing an additional way to control a user s traffic Figure 2 4 Layer 3 and Layer 2 NAC overview Cisco NAC and IEEE 802 1x An int...

Page 41: ...p or LAN connection It defines the way an EAP message is packaged in an Ethernet frame so there is no need for PPP over LAN overhead On the other hand Cisco NAC is a posture based Network Admission Co...

Page 42: ...e of the posture agent is performed by Cisco Trust Agent Third party applications including the IBM Tivoli Security Compliance Manager client register with the posture agent using a plug in More infor...

Page 43: ...t receives the list of noncompliant settings from the compliance client then asks the remediation server to provide the new software or the correct settings as required by the security policy In the p...

Page 44: ...nce It is essential to follow these steps in the implementation of the IBM Tivoli Security Compliance Manager and Cisco Network Admission Control Creation of the policies to meet the business requirem...

Page 45: ...ethods of enforcing compliance are limited In the next step all branch office networks 4 can be protected with NAC Finally the solution can be extended to cover all wireless networks 5 and the station...

Page 46: ...Tivoli Security Compliance Manager SG24 6450 Figure 2 6 Generic security compliance management business process The security compliance management business process consists of these general steps 1 A...

Page 47: ...port compliance status The audit team creates security compliance status reports for management and external audit purposes on a regular basis 7 Request compliance exceptions System administrators who...

Page 48: ...ulated by a separate policy there is no need to test the changes on every client All requested changes should be applied as soon as possible either through the manual process according to designated i...

Page 49: ...the automated audit most of the policies have be operationalized For example the policy statement such as Each workstation connected to the corporate network should have all of the latest recommended...

Page 50: ...ng to connect to the network can be denied access to corporate resources or quarantined that is they are allowed to connect to only one designated network for remediation until the workstation regains...

Page 51: ...In general access to trusted networks is not allowed while in quarantine except in cases where the remediation or compliance servers are deployed within trusted networks Trusted network These are the...

Page 52: ...y connected In this book we consider as trusted any network segment that is excluded from the NAC Of course other security means such as firewalls may still apply but this outside the scope of this bo...

Page 53: ...t would assist in a smooth transition to the new environment Initiation Definition Design Build Maintenance In the initiation phase high level project requirements are gathered and verified to be incl...

Page 54: ...ide adequate redundancies for individual components are put in place For example a NAC enabled Cisco router Network Access Device utilizes a secondary router that is configured in a redundant pair usi...

Page 55: ...this chapter was to introduce a description of functionality provided by the IBM Integrated Security Solution for Cisco Networks and how the IBM Tivoli products and Cisco NAC are integrated We also di...

Page 56: ...38 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems...

Page 57: ...hapter introduces the logical and physical components of the IBM Integrated Security Solution for Cisco Networks The final section of this chapter talks about the logical data flow among the various c...

Page 58: ...ch as operating system levels hotfixes and security and policy settings These policies and workflows can be configured to address new instances of these conditions The IBM Integrated Security Solution...

Page 59: ...ssion Control Framework consists of the following subcomponents Posture validation server Policy enforcement device Admission control client Posture validation server The posture validation server val...

Page 60: ...ACS CSAuth Provides authentication services CSDBSync Provides synchronization of the internal ACS user database with third party external RDBMS applications CSlog Provides logging services both for ac...

Page 61: ...ts denies or restricts the network access of the network client The NAD also checks for a change in posture of the client by polling the client at specified intervals Admission control client The Cisc...

Page 62: ...les Posture plug in Provides the capability to collect information such as operating system type and version EXT Posture plug in Represents an external or third party posture plug in This is a communi...

Page 63: ...he policies you have defined in the CAM Web admin console including network access privileges authentication requirements bandwidth restrictions and NAC Appliance system requirements It can be deploye...

Page 64: ...collectors are written to evaluate system data and state information Collectors can be written to evaluate virtually any system parameter Compliance server The server is the central component of a Se...

Page 65: ...urity relevant configuration data from connected systems such as operating systems middleware components applications firewalls routers and so on Compliance reporting Deliver different kinds of config...

Page 66: ...duces a new posture plug in that communicates with the Cisco Trust Agent required by Cisco to report posture data during the NAC process The Security Compliance Manager client is Java based software t...

Page 67: ...examples Reading the content of one or more files on the client system Running an operating system command or utility and examining the output Running an executable program packaged as part of the co...

Page 68: ...posture collector also contains appropriate information to be used in order to remediate any compliance violations A posture collector can be called by the Security Compliance Manager server or by the...

Page 69: ...of software and configuration management capabilities that an enterprise can leverage to centrally manage and automate the remediation process for noncompliant endpoints The remediation subsystem cons...

Page 70: ...ager client for NAC and the Tivoli Configuration Manager server These components are shown in Figure 3 6 on page 56 and explained in the next sections This component is not actually installed on the c...

Page 71: ...to the remediation handler when collected values do not match required values A special policy collector gathers data from the various collectors and summarizes the collector data to provide version...

Page 72: ...gral part of the solution In our solution Cisco switches routers VPN Concentrators Adaptive Security Appliances and access points can be used as policy enforcement devices 3 2 3 IBM Integrated Securit...

Page 73: ...create remediation objects and publish them to the Tivoli Configuration Manager Web Gateway Server where they are made available to clients requesting remediation 3 3 Solution data and communication f...

Page 74: ...ep in the data flow is the creation and deployment of a policy If a Tivoli Configuration Manager server is used for remediation a corresponding Network Rem Attributes Rem URL SCM Server AAA Policy Ser...

Page 75: ...checked against when making compliance decisions Information specific to the remediation object that will remediate violations when detected as noted in step 1a Other attributes that are used to suppo...

Page 76: ...olicy must be updated with the new Policy_Version as noted at the Security Compliance Manager server in 1b NAD configuration deployment 1e The NAD should be a NAC compliant hardware device with specif...

Page 77: ...g on the network client receives the security posture credential request and in turn requests security posture credentials from the NAC compliant applications in this case Security Compliance Manager...

Page 78: ...play meaningful messages to the client that correspond to the posture token assigned to the network client The access policy depends on the policy defined by the organization s network policy d When t...

Page 79: ...diation is initiated by the user of the network client machine by clicking a remediation button from the Security Compliance Manager client pop up window The policy collector then passes a remediation...

Page 80: ...ow the various components securely communicate and Figure 3 7 shows an overview of the secure communications Figure 3 7 Secure communication between components Cisco Trust Agent Client EAPoUDP EAPonLA...

Page 81: ...all traffic within the Tivoli Security Compliance Manager environment Remediation communication The communication between the remediation client and Tivoli Configuration Manager Web Gateway is based o...

Page 82: ...d Security Solution for Cisco Networks addresses network clients compliance to policies that are centrally defined by the enterprise The solution can enforce client compliance and help remediate compl...

Page 83: ...co Networks in their organization Figure 3 9 Client access to enterprise with zone details Uncontrolled zone Internet external networks The Internet has become a major business driver for many organiz...

Page 84: ...ogies to connect to various enterprise resources are participants of this zone Restricted zone production network One or more network zones may be designated as restricted zones in systems to which ac...

Page 85: ...ple at the headquarters and the branch office Hence there are two locations at which policy enforcement can be achieved at the branch router or at the headquarter router In addition if the branch offi...

Page 86: ...ber associated with the posture state of the user which would be healthy or quarantine EAP UDP passes only posture information in an UDP datagram ACS responds with a port based ACL PACL that provides...

Page 87: ...re 69 Figure 3 11 Campus ingress enforcement Site to Site VPN Users Internet AAA AAA Branch Office Compliance Campus Ingress Enforcement Corporate Headquarters Data Center Posture Enforcement Points R...

Page 88: ...ially infected small office and home office SOHO users as shown in Figure 3 12 This will also be the practical deployment option for clients who are using Port Address Translation to access corporate...

Page 89: ...ization to comply with the policies laid down by the parent organization The policy enforcement device can be deployed appropriately to ensure that these partner systems comply to the parent organizat...

Page 90: ...lab setup do not disrupt the production systems and networks A policy enforcement at the connection between the production systems and lab setup can ensure that only systems that comply to the enterp...

Page 91: ...ire maximum protection Compliance can be checked for client systems before they are provided connections to the resources at the Data Center Figure 3 15 Figure 3 15 Data Center protection A A A A A A...

Page 92: ...The IBM Integrated Security Solution for Cisco Networks is an integration of products from IBM and Cisco New components have been added to each of the individual product sets so they can work in uniso...

Page 93: ...Banking Brothers Corp In our last encounter in the IBM Redbook Deployment Guide Series IBM Tivoli Security Compliance Manager SG24 6450 they successfully deployed the Tivoli Security Compliance Manage...

Page 94: ...76 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems...

Page 95: ...f the Armando Banking Brothers Corporation ABBC This introduction includes a description of ABBC s business profile their current IT architecture and their medium term business vision and objectives 4...

Page 96: ...uthorization policies Like many companies ABBC has found that traditional hacker attempts to gain unauthorized access are only part of the security threat factor In today s environment network worms t...

Page 97: ...infrastructure in line with the IBM MASS security model The network has the following major security zones Uncontrolled zone Internet external networks Controlled zone demilitarized zone DMZ Controll...

Page 98: ...is done before any system is deployed in a production environment The IBM Integrated Security Solution for Cisco Networks has been tested by ABBC The test simulation is discussed briefly in 4 2 2 IBM...

Page 99: ...yII VLAN 13 Quarantine Sales VLAN in the Core network This VLAN hosts those users that have been authenticated by IEEE 802 1x as members of the Sales Group but are not compliant VLAN 14 Quarantine Eng...

Page 100: ...to the network is based on access control lists ACLs bound to the Layer 3 Switched Virtual Interfaces SVIs on the switch which in this example is also the access switch NAC Appliance NAC Appliance is...

Page 101: ...M sending the relevant configuration commands to the switch using SNMP Once the user is compliant the CAM will again change the user s switchport VLAN membership this time from 120 back to 20 VLAN 9 T...

Page 102: ...er will be granted access to the network on their Access VLAN which in this case is VLAN 20 If the MAC address is not present or the credentials supplied are incorrect the CAM will send an SNMP write...

Page 103: ...previous project deployment provided a centralized solid and easy to manage security architecture to help control access to ABBC s Web based assets and protect them from attacks Consistent with the A...

Page 104: ...applications We also see the Security Compliance Manager server in the core network 4 2 4 Middleware and application infrastructure In addition to illustrating the existing security infrastructure Fig...

Page 105: ...lution to all of its server systems this deployment provided monitoring and management of security compliance postures Next ABBC plans to extend the IBM Security Compliance Manager down to the worksta...

Page 106: ...ing the compliance to the security policy for the workstations connected to the ABBC s corporate network This team is also responsible for network design allowing the noncompliant workstation to acces...

Page 107: ...cure ACS server for a NAC Framework NAC L2 802 1x deployment 7 1 1 Configuring the Cisco Secure ACS for NAC L2 802 1x on page 214 Configuring the Cisco Secure ACS for NAC L2 L3 IP Highlights the confi...

Page 108: ...iled steps required were not described in this book For the installation and configuration instructions refer to the product documentation IBM Tivoli Configuration Manager Version 4 2 3 Planning and I...

Page 109: ...Manager client to the ABBC workstations through integration with Cisco Systems componentry enables ABBC to deploy a Network Admission Control system based on posture compliance status ABBC intends to...

Page 110: ...92 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems...

Page 111: ...ronment This document assumes that all such test lab practices are transparently in place so we discuss only the fictional production environment There are essentially three parts of this deployment s...

Page 112: ...in Chapter 7 Network enforcement subsystem implementation on page 213 Part 3 Appendixes on page 439 builds on this infrastructure and adds automatic remediation functionality The detailed technical im...

Page 113: ...fy who can access what information in the network ABBC requires a method to ensure that basic safeguards are employed at the workstation level such as Password quality standards Detection of unauthori...

Page 114: ...y less secure The operational level security policy is changing frequently especially with the high number of security updates and hotfixes being released by the operating system vendor 5 2 2 Network...

Page 115: ...r while incorporating the emergency change procedure maintaining employee productivity must also be considered as ABBC must continue to do business and serve its customer base In addition the solution...

Page 116: ...tions This limits or prevents the interruption of network operations caused by worms and other hostile software The third functional requirement is to provide a means of facilitating automated remedia...

Page 117: ...ture status from the client then queries the Cisco NAC server may be Cisco Secure Access Control Server or Clean Access Manager policy to make an access decision If the system meets the posture policy...

Page 118: ...k Admission Control checking 1 Local workstation password quality must meet the following criteria a Password age must not be older than 90 days b Password minimum length must be eight characters 2 Th...

Page 119: ...nclude calling the remote remediation server in order to download appropriate software and execute the actions to get the workstation back to the compliant state Figure 5 2 Remediation process 5 3 Imp...

Page 120: ...premise that ABBC has the software distribution server subsystem based on the Tivoli Configuration Manager installed and configured For detailed information about basic implementation of IBM Tivoli Co...

Page 121: ...scribes the detailed flow of the overall installation and configuration including the assignment of the policy to the client groups Additionally administrative Security Compliance Manager information...

Page 122: ...5 4 Tivoli Security Compliance Manager client components The policy collector gathers data from the posture collectors and passes it to the posture plug in after which it is forwarded to the Cisco co...

Page 123: ...lationship as shown in Figure 5 4 on page 104 Figure 5 5 Security Compliance Manager policy collector edit collector parameters The Tivoli Security Compliance Manager policy collector parameters are s...

Page 124: ...t the client has an acceptable version of the compliance policy More on this in the next section Figure 5 6 Setting the policy version The MAX_DATA_AGE_SECS parameter Figure 5 7 establishes the maximu...

Page 125: ...nceptual control flow for this parameter Figure 5 8 MAX_DATA_AGE_SECS conceptual flow C lient challeng e issued by ne tw ork access d evice P osture C ach e Is the cache d ata m ore rece nt than M A X...

Page 126: ...as to have a form of attribute_name value string as presented below remediation url http tcmweb SoftwarePackageServerWeb SPServlet Figure 5 9 Setting the remediation handler URL attribute The REMEDIAT...

Page 127: ...ure 5 11 Setting the remediation handler JAR classpath The value of the POLICY_VERSION parameter must then be handed over to the networking team Enforcing compliance criteria Now we must configure the...

Page 128: ...posture client to the network The version of the posture policy the client is running This parameter is a string value and is established at the time of policy collection We set this value in Establis...

Page 129: ...Figure 5 13 Posture validation policies For detailed information about the creation and configuration of the Cisco Secure Access Control Server reference see 7 1 1 Configuring the Cisco Secure ACS fo...

Page 130: ...LAN by using Cisco switches There are two methods of NAC enablement NAC L2 IP which uses EAPoUDP and NAC L2 802 1x which uses an IEEE 802 1X supplicant embedded in the Cisco Trust Agent to provide mac...

Page 131: ...S Authorization Components In our scenario we list the Cisco Trust Agent Cisco PA and the Security Compliance Manager agent IBM Corporation SCM as our posture validation policies Thus in all three pie...

Page 132: ...s are not yet available Infected The endpoint device is an active threat to other hosts Network access should be severely restricted and placed into remediation or totally denied all network access Un...

Page 133: ...tcp any any eq domain access list 130 deny ip any any log Note that the Healthy Engineering VLAN ACL has three deny entries before the permit statement This is to stop any member of this VLAN trying t...

Page 134: ...emediation subsystem implementation on page 355 3 Distributing the HTML pages to the client systems At the time of writing this book there is no Security Compliance Manager in band mechanism for distr...

Page 135: ...ertified for support For the latest list check the IBM Support Web site at http www ibm com software sysmgmt products support Tivoli_Supported_Platforms html Lists of the hardware requirements for all...

Page 136: ...y Windows and Linux systems at this time The system used by ABBC for the Security Compliance Manager client is Windows XP professional with SP2 installed Pentium IV 3 0Ghz CPU 512 MB of system memory...

Page 137: ...llation Guide for Cisco Secure ACS for Windows Server Version 4 0 the Access Control Server must comply to these minimum hardware specifications Pentium IV CPU at 1 8 Ghz or faster 1 GB of system memo...

Page 138: ...es The following list shows the supported Layer 3 devices if they use Cisco IOS Software Release 12 3 8 T or later with Advanced Security feature set or greater Cisco 83x Series Router Cisco 850 Serie...

Page 139: ...oft Windows 2000 Advanced Server Service Pack 4 or later Microsoft Windows XP Professional Service Pack 1 or 2 Microsoft Windows 2003 Server Standard Edition Service Packs 0 and 1 Microsoft Windows 20...

Page 140: ...it is used by the Operations department for Software Distribution and Inventory In 8 2 2 Tivoli Configuration Manager on page 359 the installation of the additionally required Web Gateway component is...

Page 141: ...hnology that brings with it a huge paradigm shift in network security management There are three main parts outlined in this chapter In part one the security compliance infrastructure is established a...

Page 142: ...124 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems...

Page 143: ...Security Compliance Manager server Installation of the policy collector and the Tivoli Configuration Manager based remediation handler collectors onto the Tivoli Security Compliance Manager server Co...

Page 144: ...ion bundle and it is a prerequisite that it be installed first Follow the below steps to install the DB2 database 1 To start the installation move to the directory where you have copied the binaries a...

Page 145: ...liance subsystem implementation 127 2 After a little while you are presented with the Welcome window as shown in Figure 6 1 Click the Install Product selection on the left Figure 6 1 DB2 installation...

Page 146: ...3 The DB2 version selection is presented similar to the one shown in Figure 6 2 Depending on the media installation you use there may be more than one option presented Select DB2 UDB Enterpri...

Page 147: ...4 Next the welcome window is displayed as presented in Figure 6 3 Click Next Figure 6 3 Setup wizard welcome window...

Page 148: ...5 On the next dialog you are presented with the standard license agreement Figure 6 4 Accept the license and click Next Figure 6 4 Licens...

Page 149: ...6 In the Installation type selection window Figure 6 5 leave all of the default values which is Typical installation and click Next Figure 6 5 Installation type sel...

Page 150: ...action selection where there are two options Install the product Which is selected by default Save your settings Which will save your selections to a response file which can then be used for silent i...

Page 151: ...8 In the next window shown in Figure 6 7 you must select the installation destination folder Make sure that there is enough space on the selected drive and click Next Figure 6 7 Inst...

Page 152: ...provide user information We strongly recommend leaving the default user name db2admin In the next two fields provide the password for this user Make sure that you have written this down as you will n...

Page 153: ...tion options where you may specify names of the users who should be notified by the database if something goes wrong If you leave the defaults and click Next you will be presented with the additional...

Page 154: ...uration options You can explore the protocols settings and change the startup options The default instance name on Windows is DB2 the communication protocol used is TCP IP and the database instance is...

Page 155: ...12 As we do not need to use any DB2 tools on the next dialog shown in Figure 6 11 click Next Figure 6 11 DB2 Tools selection dialog...

Page 156: ...3 In the next window presented in Figure 6 12 you can provide the contact information for a user to receive the database health notifications Select the option to Defer this task until after installat...

Page 157: ...14 In the next window shown in Figure 6 13 you are given a last chance to review your selected options If everything is as you want click Install Figure 6 13 Installati...

Page 158: ...om left corner Figure 6 14 Installation completion window This completes the installation of the DB2 database You may proceed with installing the next components for the solution 6 1 2 Installation of...

Page 159: ...e 6 15 Accept English and click Next Figure 6 15 Language selection dialog 3 Click Next on the Tivoli Security Compliance Manager Welcome window which is presented next There will be a license agreeme...

Page 160: ...cted the graphical user interface will be installed as well as the command line utilities for managing the server This option is displayed during the installation on all supported operating systems Ho...

Page 161: ...ance Manager server installation This is a recommended option in large scale deployments For this installation we must have all three components installed so select the second option Server as present...

Page 162: ...he administrators of the violations found as well as for distributing the reports Specify the SMTP server name as well as the account the Tivoli Security Compliance Manager server will use to send the...

Page 163: ...In the next window shown on Figure 6 20 the installation wizard asks for the communication ports the server uses to communicate with the clients We strongly recommend leaving the defaults Click Next F...

Page 164: ...e System name certificate field you must provide the system name that will be used to generate the self signed certificate for the Tivoli Security Compliance Manager server In the next four fields pro...

Page 165: ...ow presented in Figure 6 22 select the location for your database If you installed DB2 as described in 6 1 1 Installation of DB2 database server on page 126 select The database is on the local system...

Page 166: ...next dialog provide the database configuration information as shown in Figure 6 23 Enter the username and password for the DB2 administrator you have provided in step 9 on page 134 Leave the other fi...

Page 167: ...11 In the next dialog shown in Figure 6 24 you are asked whether the database should be created during this installation Make sure that the check box is marked and click Next Figure 6...

Page 168: ...user ID and password for Tivoli Security Compliance Manager server as shown in Figure 6 25 Use the name admin and enter a password of your choice This user ID is created in the Tivoli Security Complia...

Page 169: ...13 Finally you are presented with the installation selection summary as shown in Figure 6 26 Click Next to start the actual installation Figure 6 26 Installation optio...

Page 170: ...his concludes the Tivoli Security Compliance Manager server installation You may proceed with the next components 6 2 Configuration of the compliance policies Since we have a Security Compliance Manag...

Page 171: ...and return the collected data back to the Tivoli Security Compliance Manager server Queries reports and policies can be defined and run to verify compliance using the data collected However posture co...

Page 172: ...f one of two types Operational Operational parameters are used to make a determination regarding a client system s security posture For example an operational parameter might indicate the required sof...

Page 173: ...are defined There are several ways to do this for example installing them from the jar files posted on the Tivoli Security Compliance Manager support page or importing the already defined policy which b...

Page 174: ...tallation as described in step 12 on page 150 in the Installation of Tivoli Security Compliance Manager server procedure Figure 6 28 Tivoli Security Compliance Manager GUI login 4 If it is the first t...

Page 175: ...the Tivoli Security Compliance Manager version Click OK On the main Administrative Console window as shown on Figure 6 30 switch to the Policies tab Figure 6 30 Tivoli Security Compliance Manager Adm...

Page 176: ...tep 1 and select the TCMCLI pol file as shown in Figure 6 32 Click Import Figure 6 32 Import file selection dialog 8 In the next dialog presented in Figure 6 33 you can change the default policy name...

Page 177: ...9 In the next step the import wizard performs a validation of the signatures of the collectors included with the policy When it is completed as shown in Figure 6 34 click Next Figure 6...

Page 178: ...installed in your environment you may be asked if the existing collectors should be overwritten with the new ones included with the policy If you are just following this book there will be no warning...

Page 179: ...ust be assigned to every client that is supposed to use the auto remediation feature This policy is not checking anything on the client The only task of this policy is to distribute the correct level...

Page 180: ...alues must be supplied as parameters for the NAC collectors rather than in the SQL query in the compliance object definition 1 To start the customization open the Tivoli Security Compliance Manager Ad...

Page 181: ...The collector responsible for the Symantec Antivirus policy check is named nac win any nav PostureNavV2 and it is capable of checking three conditions regulated by the parameters specified on the Para...

Page 182: ...ymantec Norton Antivirus product versions that should be upgraded This list may consist of one or more entries VERSION_WF Workflow Name of the workflow used for remediation if the software is not inst...

Page 183: ...nd right click the User Password Settings collector Then click Edit collector parameters The parameters for the collector nac win any netaccounts PostureNetAccountsV2 are displayed as shown in Figure...

Page 184: ...ARN_MIN_LEN_UNDER Operational An integer value used to indicate the minimum allowable password length to avoid a warning FAIL_MIN_LEN_UNDER Operational An integer value used to indicate the minimum al...

Page 185: ...customize is the one that checks for the appropriate operating system service pack level installed on the client workstation Back at the list of the collectors right click the Windows Service Pack col...

Page 186: ...s we only need to edit the two relevant parameters WARN_WINDOWS_XP PASS_WINDOWS_XP The full list of parameters is described in Table 6 3 Table 6 3 Parameter information for nac win any oslevel Posture...

Page 187: ...licy we customize is the one that checks for appropriate hotfixes installed on the client workstation WARN_WINDOWS_2000 Operational List of service packs that generate warnings for the Microsoft Windo...

Page 188: ...parameters by selecting the proper tabs and adding all of the hotfixes that you require to be installed in your environment To add additional values to the parameter click the plus sign To remove the...

Page 189: ...d with parameters for the generic nac win any regkey PostureRegKeyV2 collector as shown in Figure 6 44 This is one of the most universal collectors as it allows you to check the existence and value of...

Page 190: ...heck run is the registry key existence check for the key specified in the KEY parameter If more than one parameter value is provided only the first parameter value will be used NO_VALUE_RULE Operation...

Page 191: ...determine the status of various checks if a specific rule does not apply No more than one parameter value should be provided If more than one parameter value is provided only the first parameter value...

Page 192: ...or the last rule is reached If a matching rule is found the status of the value data check is set to the rule s result and no more rules are evaluated If all the rules are evaluated without finding a...

Page 193: ...ith the check If a value was detected the current_values attribute of the workflow will be set to the detected value The workflow will also have the attribute key set to the parameter value of the KEY...

Page 194: ...emediation with different parameters depending on which part of the check was missing Checking for Windows XP firewall forced off In order to check whether the Windows XP Firewall is not forced off th...

Page 195: ...ollector parameters from the pop up menu Figure 6 45 Parameters for Service collector The nac win any serice ServicePostureV2 collector is able to check two conditions If the service specified is runn...

Page 196: ...so we will not specify any values for the REQ_DISABLED and SERVICE_DISABLED_WF fields The summary of the settings for this policy is presented below SERVICE_REQ equal to TrueVector Internet Monitor R...

Page 197: ...urity policy requires this service to be disabled For that purpose we reuse the same collector type as for checking the ZoneAlarm service However this time we must specify the SERVICE_REQ REQ_DISABLED...

Page 198: ...The new dialog is presented as shown in Figure 6 47 Select the destination policy for the copy process of the compliance query Select IISSCN_TCM_v2 00_winXP which is also the source for this com...

Page 199: ...in one policy so the copy of the compliance query is automatically renamed It received an added _0 suffix We must rename our new compliance query Right click the new ZoneAlarm Firewall Active_0 compli...

Page 200: ...In the following dialog modify the name value to Messenger Service Disabled and click OK Then in the right pane modify the description of the compliance query as shown on Figure 6 49 and click the...

Page 201: ...fy the collector parameters for the Messenger Service Disabled compliance query Select the IISSCN_TCM_v2 00_winXP policy in the left pane and then click the Collectors tab for this policy in the left...

Page 202: ...ssenger Service Disabled and click Stop sharing collector item from the pop up menu as shown in Figure 6 51 Figure 6 51 Disabling collector sharing A small dialog window is displayed asking you for th...

Page 203: ...wing parameter values SERVICE_REQ equal to Messenger REQ_RUNNING not set SERVICE_RUNNING_WF not set REQ_DISABLED equal to 1 SERVICE_DISABLED_WF equal to TCRMessengerDisabled When you are done editing...

Page 204: ...s of clients in your environment with different operating systems or different requirements you may need to add more policies repeating the steps described above for each policy and setting the correc...

Page 205: ...with administrative privileges select the Clients tab and click the Actions Group Create Group menu item as shown in Figure 6 55 Figure 6 55 Create group action selection 2 On the Create group dialog...

Page 206: ...tree in the left pane and click Actions Policy Add policy as shown in Figure 6 57 Figure 6 57 Add policy menu selection 4 The Select a policy window is displayed as shown in Figure 6 58 Select the IIS...

Page 207: ...to the group TCMCLI utility policy The TCMCLI is the utility policy that associates the Tivoli Configuration Manager CLI back end for use by the Tivoli Security Compliance Manager remediator The quer...

Page 208: ...and is available in two different options There is the Cisco Trust Agent for Windows with a dot1x supplicant and the Cisco Trust Agent for Windows without a dot1x supplicant This section focuses on t...

Page 209: ...ificate you have to extract and use this certificate The procedure of extracting the Cisco Secure ACS certificate is described in 7 1 1 Configuring the Cisco Secure ACS for NAC L2 802 1x on page 214 N...

Page 210: ...installation uses the Microsoft Windows Installer MSI and requires administrator privileges 1 Start the installation process by double clicking the setup file or typing the command ctasetup supplicant...

Page 211: ...3 The license agreement is presented as shown in Figure 6 63 Select I accept the license agreement and click Next Figure 6 63 License agreement for Cisco Trus...

Page 212: ...4 Accept the defaults Figure 6 64 and click Next Figure 6 64 Cisco Trust Agent destination folder selection...

Page 213: ...5 Accept the default depicted in Figure 6 65 and click Next Figure 6 65 Cisco Trust Agent installation type...

Page 214: ...6 Click Next Figure 6 66 Figure 6 66 Ready to install the Cisco Trust Agent application...

Page 215: ...s copied into the Certs directory the window in Figure 6 67 is presented during the installation Click OK Remember this step is optional and will only be presented if you have copied the certificate f...

Page 216: ...igure 6 67 on page 197 during the installation install the certificates manually using the ctaCert exe utility This utility is located in the CiscoTrustAgent subdirectory of the installation directory...

Page 217: ...er client setup 6 3 2 IBM Tivoli Security Compliance Manager client In this section we describe the installation of Tivoli Security Compliance Manager client It is a requirement to have the Cisco Trus...

Page 218: ...sing the same type of Java installer however since this version of the client is running a different version of JVM and the installation files were separated To perform the installation follow the ste...

Page 219: ...2 The Security Compliance Manager welcome screen appears momentarily Figure 6 71 Figure 6 71 The welcome window...

Page 220: ...3 The Client Installation Utility window appears as depicted in Figure 6 72 After carefully reading all of the required information click Next Figure 6 72...

Page 221: ...4 The license agreement window is displayed Figure 6 73 Select I accept the terms in the license agreement and click Next Figure 6 73 License agreement for IBM Tivoli Secur...

Page 222: ...5 Accept the default destination folder shown in Figure 6 74 and click Next Figure 6 74 Directory selection window...

Page 223: ...6 Accept the default client installation Figure 6 75 and click Next Figure 6 75 Setup type window...

Page 224: ...ns for requests The default port is 1950 The client can operate in one of these communication modes Push This is the mode in which communication can be initiated from both sides client and server This...

Page 225: ...Figure 6 77 Client connection window...

Page 226: ...umber during the server installation accept the default Figure 6 78 Server communication configuration window If you selected the push mode in the previous step you will be given an option to indicate...

Page 227: ...ias name for the client This name will be shown on the Security Compliance Manager server during client registration and the client will be referenced by this name in the Security Compliance Manager G...

Page 228: ...11 Finally the installation summary window is displayed Figure 6 80 Click Next Figure 6 80 Security Compliance Manager client installati...

Page 229: ...12 The Security Compliance Manager client is successfully installed Click Finish to close the window shown in Figure 6 81 to complete this step of the process Figure 6 81 Succ...

Page 230: ...igure 6 82 Security Compliance Manager posture plug in files 6 4 Conclusion This concludes the installation and configuration of the basic compliance subsystem At this point you have established and a...

Page 231: ...ment of the network infrastructure Configuring NAC Appliance components Installing the CCA Agent Configuring Out Of Band Virtual Gateway Server Deployment of the network infrastructure 7 Note Although...

Page 232: ...uired and configuration of the individual components that comprise the NAC feature 1 Installing Cisco Secure ACS 2 Configuring the administrative interface to Cisco Secure ACS 3 Allowing administrator...

Page 233: ...ave and reuse your existing configuration For details about the install process refer to the Installation Guide for Cisco Secure ACS for Windows 4 0 located at http www cisco com en US products sw sec...

Page 234: ...t actions to the NAD To enable the appearance of the enforcement action interface in the Cisco Secure ACS administrator interface perform the following steps 1 Click Interface Configuration on the Cis...

Page 235: ...r its software update 4 Click Submit Figure 7 3 to add these configuration options to the Shared Profile Components interface These options are necessary for the configuration of the enforcement actio...

Page 236: ...P optional If you want to configure ACS from a remote client using the Web interface you must configure at least one administrator user name and password 1 Click Administration Control on the Cisco Se...

Page 237: ...es Cisco Secure ACS certificate setup ACS should be configured with a digital certificate for establishing client trust when challenging the client for its credentials Cisco Secure ACS uses the X 509...

Page 238: ...nstalled on each client taking part in the network admission control process For the purpose of the book we used a self signed certificate Using an ACS self signed certificate With Cisco Secure ACS Ve...

Page 239: ...window Figure 7 6 Figure 7 6 Generating self signed certificate 2 Fill in the blanks with the appropriate information according to your own installation Be sure to enable Install generated certificate...

Page 240: ...4 Restart the Cisco Secure ACS Figure 7 7 Figure 7 7 Restart Cisco Secure ACS...

Page 241: ...nerating and installing the self signed certificate on the Cisco Secure ACS include the certificate file as part of the install process for each client when installing the Cisco Trust Agent or install...

Page 242: ...attribute id 00020 attribute name Policy Version attribute profile in out attribute type string attr 1 vendor id 2 vendor name IBM Corporation application id 50 application name SCM attribute id 0002...

Page 243: ...sion added to registry attr 2 Attribute 2 50 21 Violation number added to registry AVP Summary 3 AVPs were added to the registry In addition 2 AVPs were automatically added to the registry IMPORTANT N...

Page 244: ...set up logging 1 Click System Configuration on the Cisco Secure ACS main menu 2 Click Logging 3 Click CSV Passed Authentications Figure 7 9 Figure 7 9 Logging configuration 4 Enable the Log to CSV Pa...

Page 245: ...y access This makes writing policy rules and troubleshooting much easier The NAS IP Address and User Name fields also provide valuable information during troubleshooting All client instances successfu...

Page 246: ...the Log to CSV Failed Attempts report under Enable Logging Repeat step 4 on page 226 selecting the items you wish to log A selection is shown in Figure 7 11 Figure 7 11 Failed attempts logging 7 Clic...

Page 247: ...sary Click Restart to apply the new configuration Figure 7 12 Log file management Configuring a network device group in Cisco Secure ACS To make Cisco Secure ACS interact with a Network Access Device...

Page 248: ...is possible to group the NADs into Network Device Groups NDGs for location or service based filtering To do this the use of NDGs must first be enabled 1 Click Interface Configuration from the main me...

Page 249: ...2 Select Advanced Options Figure 7 13 on page 230 Ensure that Network Device Groups is checked Figure 7 14 Figure 7 14 Network Device Group check...

Page 250: ...you wish to use for example switches and the RADIUS key used by the AAA clients that makes up this NDG for example cisco123 Note Figure 7 15 changes depending on your interface configuration If you a...

Page 251: ...e Network Configuration screen select the hyperlink under Network Device Groups If you did not assign a name in step 5 you will see Not Assigned as the name Figure 7 15 on page 232 By clicking this li...

Page 252: ...a NAD Click Submit and then Apply Figure 7 17 AAA client setup Note The use of wild cards is designed to help with scalability issues For example if your network has over 100 switches defining each o...

Page 253: ...8 You should now see the newly defined AAA clients Figure 7 18 Figure 7 18 AAA Clients...

Page 254: ...he main menu Figure 7 13 on page 230 then select RADIUS IETF Figure 7 19 Figure 7 19 Global IETF RADIUS attributes For L2Dot1x NAC you must select the following 027 Session Timeout 029 Termination Act...

Page 255: ...isco Secure ACS requires careful thought and planning In the NAC L2 802 1x scenario we are using here we have two locally defined groups sales and engineering One of the nice features about NAC L2 802...

Page 256: ...ach group as applicable In the example here we have renamed Group 2 as Sales and Group 3 as Engineering Figure 7 21 Group Setup 3 Click Submit Restart after completing the group configuration Note Onl...

Page 257: ...sers Now that the groups have been defined we can create our users and then add them to their relevant group 1 From the main menu select User Setup as shown in Figure 7 22 Figure 7 22 User setup 2 In...

Page 258: ...Info followed by user setup details as shown in Figure 7 23 The password authentication in this example is set to ACS Internal Database the password has been entered and confirmed and the user has be...

Page 259: ...t Global Authentication Setup Figure 7 24 Figure 7 24 Global Authentication Setup 2 Make sure that each check box is selected that Enable Fast Reconnect is selected that PEAP and EAP TLS time outs are...

Page 260: ...wn in Figure 7 25 requires you to enter a lot of fields Table 7 1 lists all fields and their respective values Table 7 1 EAP FAST Configuration values EAP FAST configuration Condition Allow EAP FAST C...

Page 261: ...ume Checked Authorization PAC TTL One hour Allow inner methods EAP GTC Checked EAP MSCHAPv2 Checked EAP TLS Checked Select one or more of the following EAP TLS comparison methods Certificate SAN compa...

Page 262: ...Configuring posture validation To do this 1 Select Posture Validation from the Main Menu Figure 7 26 Figure 7 26 Posture Vali...

Page 263: ...2 Select Internal Posture Validation The screen shown in Figure 7 27 will be displayed 3 Click Add Policy Figure 7 27 Figure 7 27 Posture Validation P...

Page 264: ...4 In this example we have entered the name of the first policy as CTA with the description Cisco Trust Agent Then click Submit Figure 7 28 Figure 7 28...

Page 265: ...5 Click Add Rule Figure 7 29 Figure 7 29 Posture Validation for CTA...

Page 266: ...6 Click Add Condition Set Figure 7 30 Figure 7 30 Condition sets for CTA policy...

Page 267: ...PA PA Version The operator value should be set to and the value set to 2 0 0 0 This simply means that we are setting up a check for the Cisco Trust Agent to be present on the endpoint and that it mus...

Page 268: ...8 Figure 7 32 shows that if this condition is satisfied that an Application Posture Token APT of Healthy is returned Clicking Submit here takes us to Figure 7 33 on page 251 Fi...

Page 269: ...need to modify the default action which is the action to be taken if the condition we just created is not met You will notice that there is a default condition which we will modify for this purpose Cl...

Page 270: ...Quarantine as shown in Figure 7 34 In the notification string add the line http tcmweb SoftwarePackageServerWeb SPServlet Figure 7 34 Quarantine condition applied as default action Note http tcmweb So...

Page 271: ...11 Click Submit and you will find yourself back in the dialog shown in Figure 7 35 Figure 7 35 Completed posture validation for CTA 12 Click Do...

Page 272: ...13 Click Apply and Restart as shown in Figure 7 36 Figure 7 36 CTA posture validation policy 14 Next we must repeat the process to create a post...

Page 273: ...15 Click Add Policy Figure 7 37 Figure 7 37 Repeating the process for Security Compliance Manager...

Page 274: ...16 In this example we use TSCM in the Name field and IBM Security Compliance in the Description field as shown in Figure 7 38 Figure 7 38 IBM...

Page 275: ...17 After entering the name and description click Submit and you will see the dialog shown in Figure 7 39 Figure 7 39 IBM TSCM policy creation...

Page 276: ...ing used on the Security Compliance Manager server In this example the policy version is IISSCN_EBU_v2 20_winXP Click Enter Note This is to enforce the version of the TSCM policy being used There is o...

Page 277: ...20 From the Attribute drop down menu select IBMCorporation SCM PolicyViolation From the Operator menu select and for the Value enter 0 Then click Enter Figure 7 41 Figure 7 41 TS...

Page 278: ...that the posture token is set to IBMCorporation SCM and the value should be set to Healthy Figure 7 42 Figure 7 42 Completed posture validation check for Security Compliance Manager 23 Click Submit 2...

Page 279: ...orporation SCM Figure 7 43 and the value should be set to Quarantine The notification string should be the same as we discussed in step 10 on page 252 of this section http tcmweb SoftwarePackageServer...

Page 280: ...27 Click Done Figure 7 44 Figure 7 44 Completed Security Compliance Manager posture validation...

Page 281: ...28 Click Apply and Restart Figure 7 45 Figure 7 45 Completed posture validation rules...

Page 282: ...d with Cisco Secure ACS 4 0 1 Click Shared Profile Components from the main menu This brings you to the dialog shown in Figure 7 46 Figure 7 46 Shared Profile Components 2 Click RADIUS Authorization C...

Page 283: ...ion When a user authenticates via IEEE 802 1x the posture is checked and a RAC is applied In this way we can have individual Quarantine VLANs for the different groups which also allows for different a...

Page 284: ...to Cisco IOS PIX6 0 which brings you to Figure 7 47 Figure 7 47 IOS RAC attribute 7 In the value field enter status query timeout 30 8 Click Submit 9 Repeat this procedure clicking Add next to Cisco I...

Page 285: ...10 Repeat the same procedure for the IETF attributes first selecting the relevant field from the drop down menu then clicking Add Figure 7 48 Use the values in Table 7 2 on page...

Page 286: ...lthy Engineering RAC the Quarantine Sales RAC the Quarantine Engineering RAC and the Default Quarantine RAC to be configured The values for each can be found in the following tables Table 7 3 Healthy...

Page 287: ...DIUS Request 1 IETF Tunnel Type 64 T1 VLAN 13 IETF Tunnel Medium Type 65 T1 802 6 IETF Tunnel Private Group ID 81 T1 13 Vendor Attribute Value Cisco IOS PIX 6 0 cisco av pair 1 status query timeout 30...

Page 288: ...entication timer is controlled by the value assigned to the IETF Session Timeout 27 attribute If set to 60 for example the CTA pop up screen will appear on the client workstation every 60 seconds Ther...

Page 289: ...ake based on the results of those checks Again we have deleted all of the pre configured sample configs to create our own from scratch 1 Select Network Access Profiles from the main menu which brings...

Page 290: ...comprise the NAP authentication posture validation and authorization Each of these will have to be configured in turn after clicking Apply and Restart Figure 7 51 Newly created NAP Note Be careful in...

Page 291: ...Validation Required is set Selected Databases should contain ACS Internal Database Figure 7 52 Figure 7 52 Authentication configuration for RAC 6 Click Submit This will take you back to the screen in...

Page 292: ...8 From the screen shown in Figure 7 53 click Add Rule Figure 7 53 Posture validation rule creation 9 Add a name in the Name field In our example we u...

Page 293: ...dential Types there is a list of available credentials Select IBMCorporation SCM then click the arrow to move this to the column for selected credentials as shown in Figure 7 54 Repeat this process fo...

Page 294: ...nal Posture Validation Policies CTA and TSCM should already be present The only action required here is to check them both under Select Figure 7 55 Figure 7 55 Selecting CTA and TSCM policies 12 Optio...

Page 295: ...ample of CTA Healthy pop up 13 Optional Under System Posture Token Configuration add the following syntax in the Quarantine PA message this process is depicted in Figure 7 58 on page 278 img border 0...

Page 296: ...imply embedding some color in the CTA pop ups on the end user s workstation You can tailor this so that you can have as simple or as colorful a pop up as you like Leaving these fields blank will resul...

Page 297: ...twork enforcement subsystem implementation 279 Figure 7 59 Completed posture validation for NAC_IISSCN 15 Click Done This will take you back to the screen shown in Figure 7 50 on page 271 Click Apply...

Page 298: ...click Authorization This takes you to the dialog depicted in Figure 7 60 Figure 7 60 Authorization rule creation 17 Click Add Rule 18 For this example from the drop down list under User Group select...

Page 299: ...1x As mentioned previously NAC L2 802 1x does not yet support downloadable ACLs Therefore the Downloadable ACL field has been deliberately left blank If you were configuring NAC L2 L3 IP this field w...

Page 300: ...ure 7 62 Completed Authorization RAC configuration 24 Click Submit 25 This will take you back to the screen in Figure 7 51 on page 272 Click Apply and Restart Engineering Quarantine Quarantine_Enginee...

Page 301: ...is that the user would have to log a call with the Helpdesk to have her account created or recreated Clientless user If a client tries to connect who does not have the CTA installed in a NAC L2 802 1...

Page 302: ...750 switch The ACLs are downloaded on a per user basis and are applied to the individual switch ports on a per session basis The section describes how to configure these downloadable ACLs 1 From the m...

Page 303: ...er 7 Network enforcement subsystem implementation 285 5 Add a name and description in the Name and Description fields as appropriate Figure 7 64 After this has been done click Add Figure 7 64 Naming o...

Page 304: ...6 Enter the name of the ACL and the ACL definition Figure 7 65 Figure 7 65 Quarantine ACL definitions 7 Click Submit...

Page 305: ...nt items We are not using network filtering so we leave the default All AAA Clients Figure 7 66 Binding the ACL 9 Click Submit 10 Repeat steps 4 9 for the various ACLs to be created In our example we...

Page 306: ...sec pg healthy_hosts Cisco IOS PIX 6 0 cisco av pair 1 url redirect acl healthy_acl IETF Session Timeout 27 3600 IETF Termination Action 29 RADIUS Request 1 Vendor Attribute Value Cisco IOS PIX 6 0 ci...

Page 307: ...and what action to take based on the results of those checks Again we have deleted all the pre configured sample configs to create our own from scratch 1 Repeat step 1 on page 271 through to step 18...

Page 308: ...Downloadable ACL drop down list select Healthy_ACL Figure 7 68 Figure 7 68 L2IP Healthy Authorization rule 7 Click Add Rule 8 From User Group select Any 9 From System Posture Token select Quarantine 1...

Page 309: ...9 Completed L2IP Authorization rules 13 Click Submit 14 Click Apply and Restart This concludes the changes that needed to be made to the previous section to configure the ACS for a NAC deployment usin...

Page 310: ...ort for EoU Another example is that a Cisco 6500 running 12 2 18 SXF does not support NAC L2 802 1x authentication and validation on edge switches The current switch compatibility matrix can be found...

Page 311: ...0 deny ip any 192 168 15 0 0 0 0 255 access list 120 permit ip any any access list 130 remark Quarantine Sales VLAN ACLs access list 130 permit icmp any host 192 168 9 220 access list 130 permit icmp...

Page 312: ...rest of the network Quarantine a If you are in either the sales or engineering Quarantine VLAN you will need access to a DHCP server to get an IP address b You should be able to ping the Security Com...

Page 313: ...ReAuthPeriod From Authentication Server ReAuthMax 2 MaxReq 2 TxPeriod 30 RateLimitPeriod 0 Guest Vlan 15 Dot1x Authenticator Client List Supplicant 0011 25ce f56c Auth SM State AUTHENTICATED Auth BEND...

Page 314: ...st Port switchport access vlan 11 switchport mode access ip access group initial acl in spanning tree portfast ip admission l2 lpip output omitted ip access list extended Healthy_ACL remark Healthy AC...

Page 315: ...ure Token Age min 192 168 11 51 FastEthernet1 0 11 EAP Quarantine 0 show ip access list interface fa1 0 11 to check that the downloadable ACL has been applied to the switchport nac3750sa sho ip access...

Page 316: ...een from the ACS Configuring Cisco IOS Router for NAC L3 IP Currently NAC requires a Cisco IOS Software router running Cisco IOS Software Release 12 3 8 T or later that includes the Cisco IOS Advanced...

Page 317: ...aaa session id common Router config radius server host 10 1 1 1 key secret Replace the word secret with the shared key you configured for the Cisco Secure ACS Also configure the source IP address int...

Page 318: ...router configuration Router config identity profile eapoudp Router config device authorize ip address 172 30 40 32 policy NACless Router config identity policy NACless Router config access group clie...

Page 319: ...erface facing the hosts to be posture validated Router config access list 101 permit udp any host 172 30 40 1 eq 21862 Router config access list 101 deny ip any any Router config interface FastEtherne...

Page 320: ...d EAPoUDP messages or sessions enter the show eou or show eou all command Example 7 3 shows sample output Example 7 3 Output of show eou and show eou all command Router show eou Global EAPoUDP Configu...

Page 321: ...ted network The CAS enforces the policies you have defined in the CAM Web admin console including network access privileges authentication requirements bandwidth restrictions and Clean Access system r...

Page 322: ...lable from Cisco was 4 0 2 0 The version that we used for this book is a special Version 4 0 1 1 1 Click CCAAgent_Setup exe Click Next in the screen shown in Figure 7 71 Figure 7 71 Installation wizar...

Page 323: ...stem implementation 305 2 Accept the default installation folder and click Next as shown in Figure 7 72 Figure 7 72 Default install directory 3 Click Install to begin the installation Figure 7 73 Figu...

Page 324: ...s of its communication with the CAS which means it uses dynamically allocated ports for this purpose For deployments that have a firewall between the CAS and the CAM we recommend setting up rules in t...

Page 325: ...bsystem implementation 307 The steps are 1 Open a Web browser and enter the IP address of the CAM There is no specific port required 2 Enter the administrator name and password then click Login Figure...

Page 326: ...3 The Clean Access Summary window will be displayed Figure 7 76 Figure 7 76 CAM summary window...

Page 327: ...Chapter 7 Network enforcement subsystem implementation 309 4 From the Main Menu select Device Management CCA Servers Figure 7 77 Figure 7 77 Device Management...

Page 328: ...ution with IBM Tivoli and Cisco Systems 5 Select New Server Add the server IP address and server location and from the drop down list select Out Of Band Virtual Gateway Figure 7 78 Figure 7 78 Adding...

Page 329: ...e CAS in Virtual Gateway Mode in band or out of band you must leave the untrusted interface eth1 disconnected until after you have added the CAS to the CAM and completed the VLAN mappings Keeping eth1...

Page 330: ...Building a Network Access Control Solution with IBM Tivoli and Cisco Systems 8 Click the Manage icon for the CAS just added This takes you to the dialog shown in Figure 7 80 Figure 7 80 CAS Status scr...

Page 331: ...from the trusted and non trusted networks access and authentication VLANs in the IP Address field These IP addresses should be static outside of the DHCP scope and be neither the network number nor b...

Page 332: ...clude the IP Address and subnet mask VLAN ID as shown in Figure 7 82 Click Add Managed Subnet Figure 7 82 Managed subnets 12 Select Advanced VLAN Mapping 13 Check the Enable VLAN Mapping box Click Upd...

Page 333: ...client s port is initially set to VLAN 20 By using VLAN mapping the client will receive a VLAN 20 access VLAN IP address from DHCP Should the client not be compliant the CAM will change the port s VLA...

Page 334: ...n asterisk the subnet information should be and the operating system should be set to ALL This will allow Web login and Clean Access Agent users to authenticate Figure 7 84 Figure 7 84 Login page Conf...

Page 335: ...2 Enter the group name and description Figure 7 85 Figure 7 85 Switch Group creation 3 Click Add...

Page 336: ...4 Verify your new switch group Figure 7 86 Figure 7 86 Switch Group verification...

Page 337: ...menu select Profiles Switch New Figure 7 87 Figure 7 87 New switch profile 2 Fill in the fields as appropriate In our scenario we used Profile Name 3750 Switch Model Cisco Catalyst 3750 series SNMP P...

Page 338: ...profile will appear as shown in Figure 7 88 Figure 7 88 Switch profile Configuring Port Profile There are three types of port profiles for switch ports uncontrolled controlled and controlled using ro...

Page 339: ...ort is assigned to the Access VLAN specified in the port profile or the role settings 1 Select Switch Management Profiles Port New Figure 7 89 Figure 7 89 New port profile 2 Enter a profile name We us...

Page 340: ...rk Access Control Solution with IBM Tivoli and Cisco Systems 4 Under Options Device Disconnect check the box Remove out of band online user when SNMP link down is received Figure 7 90 Figure 7 90 Mana...

Page 341: ...91 Configured switch profiles Configuring SNMP receiver SNMP receiver setup provides settings for the SNMP receiver running on the CAM which receives the mac notification link down SNMP trap notificat...

Page 342: ...ess of the switch if already known or by searching a specific subnet In our example we are specifying the exact IP address of the switch 1 Select Switch Management Devices Switches New 2 3750 should b...

Page 343: ...IP address of the switch should be entered in the IP Address box and a description entered in the Description field Figure 7 93 Figure 7 93 Manually adding a switch to be managed 3 Click Add 4 The sw...

Page 344: ...5 As seen in Figure 7 94 click the Ports icon Figure 7 94 Managed switch...

Page 345: ...efined to classify the user for the duration of their session This classification of the user controls traffic policies bandwidth restrictions session duration and VLAN assignment 1 Click User Managem...

Page 346: ...tion as appropriate Our example uses the name AllowAll Select the options as appropriate The fields of main importance here are Role Type and Out Of Band User Role VLAN For our example we used Normal...

Page 347: ...he trusted network Two types of traffic policies are available IP based policies and host based policies IP based policies Allow you to specify IP protocol numbers as well as source and destination po...

Page 348: ...you have created In our example that is AllowAll In the second drop down menu select Trusted Untrusted Click Select Figure 7 98 Figure 7 98 Rules for trusted to untrusted 3 The action should be Allow...

Page 349: ...ill be to allow access from the Auth VLAN to the Security Compliance Manager Set the following parameters Action Allow State Enabled Category IP Protocol TCP Untrusted 192 168 20 0 255 255 255 0 Trust...

Page 350: ...tine role is used for users not passing a network scan which is out of the scope of this guide Creating local users CAM has the ability to perform user authentication using a variety of methods such a...

Page 351: ...ubsystem implementation 333 2 Add the user name password and description as appropriate From the Role drop down menu select which role this user should be mapped to Figure 7 101 Figure 7 101 Creating...

Page 352: ...ce especially designed to interoperate with the Tivoli Security Compliance Manager client for the purpose of this book NAC Appliance 4 1 scheduled for release before the end of 2006 will contain a fea...

Page 353: ...be set to running Check Description should be set to SCM_Service Operating System should have Windows XP checked Figure 7 103 Security Compliance Manager Service check 3 Click Add Check 4 Repeat step...

Page 354: ...be set to Version Value Data Type should be set to String Operator should be set to equals Value Data should be set to 4 0 1 1 Check Description should be set to CCA_Compliance Operating System shoul...

Page 355: ...6 These two checks should now be displayed Figure 7 105 Figure 7 105 Rules check list check...

Page 356: ...BM Tivoli and Cisco Systems 7 Click New Rule Figure 7 106 Figure 7 106 New rule 8 Enter the following information Rule Name SCM_Service Rule Description Tivoli SCM Service Operating System Windows XP...

Page 357: ...epeat steps 7 and 8 entering the following information Figure 7 107 Rule Name CCA_Compliance Rule Description Cisco Clean Access Agent version Operating System Windows XP Rule Expression CCA_Complianc...

Page 358: ...g a Network Access Control Solution with IBM Tivoli and Cisco Systems 12 The newly defined rules will be displayed Figure 7 108 Figure 7 108 New rules 13 Note that both the rules have a blue tick unde...

Page 359: ...er the following information From the Requirement Type drop down menu select IBM Tivoli SCM Set the Priority to 1 For Requirement Name enter IBM Tivoli SCM For Description enter Click Update to activa...

Page 360: ...ng the following information Figure 7 110 From the Requirement Type drop down menu select IBM Tivoli SCM Set the Priority to 2 For Requirement Name enter CCA_Compliance For Description enter CCA Versi...

Page 361: ...hould appear similar to Figure 7 111 Figure 7 111 Requirements list 20 Click Requirement Rules 21 Enter the following information From Requirement Name select SCM_Service From Operating System select...

Page 362: ...ation Figure 7 112 From Requirement Name select CCA_Compliance From Operating System select Windows XP From Rules for Selected Operating System check the box CCA_Compliance Click Update Figure 7 112 C...

Page 363: ...7 Network enforcement subsystem implementation 345 25 From Select requirements to associate with the role select both SCM_Service and CCA_Compliance Figure 7 113 Figure 7 113 Role requirements 26 Clic...

Page 364: ...Access Control Solution with IBM Tivoli and Cisco Systems Discovered clients To check that the Clean Access Solution is working properly select View Online Users Out of Band Figure 7 114 Figure 7 114...

Page 365: ...hese steps 1 Once the CCA Agent software has been installed on the client machine the user will be prompted for their user name and password Figure 7 115 Figure 7 115 Client log in screen 2 Click Logi...

Page 366: ...b page will pop up notifying the user that he is noncompliant Figure 7 117 Figure 7 117 Web page pop up informing user about non compliance 6 Click Continue 7 The user is disconnected from the network...

Page 367: ...ystem implementation 349 8 The user is advised of their temporary access Figure 7 118 and clicks Continue Figure 7 118 Temporary access notification 9 User clicks Update Figure 7 119 Figure 7 119 Requ...

Page 368: ...Figure 7 120 In this example we can see that there is a policy violation with the user password settings Figure 7 120 Security Compliance Manager Compliance Report window 11 User clicks Fix Now 12 A r...

Page 369: ...on the Security Compliance Manager Compliance Report window which shows all items in a state of green tick compliance Figure 7 122 Figure 7 122 Security Compliance Manager Compliance Report window all...

Page 370: ...t Configuring Cisco 3750 switch for NAC Appliance NAC Appliance OOB only works with Cisco switches If you are using hardware other than Cisco this solution can still be deployed but as in band which i...

Page 371: ...trunk allowed vlan 120 998 switchport mode trunk spanning tree portfast Example of interface configuration for Trusted CAS interface interface FastEthernet1 0 16 description Trusted Interface CCA Ser...

Page 372: ...public mac notification snmp 7 3 Conclusion In this chapter we presented the essential steps to build and configure a Network Admission Control solution for both NAC Framework and NAC Appliance appro...

Page 373: ...enance issues with the solution components and provide a detailed walkthrough for remediation workflow creation to match the security policy change process Creating the automated remediation component...

Page 374: ...rol Solution with IBM Tivoli and Cisco Systems Installation of the software package utilities Creating remediation workflows that match Security Compliance Manager policies with the suitable remedia...

Page 375: ...lanation of the current security policy as well as remediation instructions to the user The Tivoli Configuration Manager remediation handler is an additional Java class that is called when the user cl...

Page 376: ...re downloaded and maintained automatically from the Security Compliance Manager server when the policy is assigned to the client The steps required to properly set up the client workstation are descri...

Page 377: ...mponents In the next section we describe the detailed walkthrough to prepare the Tivoli Configuration Manager machine for automated remediation Tivoli Configuration Manager Web Gateway setup In our la...

Page 378: ...ents of Tivoli Configuration Manager Installation of Web infrastructure Installation of WebSphere Application Server is a simple process Below we describe the installation of WebSphere Application Ser...

Page 379: ...our installation media for WebSphere Application Server 5 1 to the win subdirectory and run the file LaunchPad bat 2 The installation Launchpad window is displayed as shown on Figure 8 1 Using the lau...

Page 380: ...Network Access Control Solution with IBM Tivoli and Cisco Systems 3 The WebSphere Application Server Installation wizard is displayed as shown in Figure 8 2 Click Next Figure 8 2 WebSphere Installatio...

Page 381: ...Remediation subsystem implementation 363 4 In the next window the standard license agreement is presented as shown in Figure 8 3 Accept the license and click Next Figure 8 3 Software License Agreemen...

Page 382: ...mory usage you can follow the full installation path However some of the next windows presented in the book may slightly differ If you want to follow the book select Custom and click Next Figure 8 4 I...

Page 383: ...nt selection dialog Important If you have the Internet Information Server installed on the machine where you are performing WebSphere installation there may be a port conflict on port 80 To prevent th...

Page 384: ...on with IBM Tivoli and Cisco Systems 7 In the next window shown in Figure 8 6 you may specify the directories where the software components will be installed Leave the default values and click Next Fi...

Page 385: ...dow you must specify the node name and host name for the Application Server to use Both fields will be filled in with your server host name by default as shown in Figure 8 7 We recommend that you leav...

Page 386: ...accept the default selection which is yes for both components enter a user name and password for the user account you want to use for the service to run Check the WebSphere installation guide for the...

Page 387: ...s summary as shown in Figure 8 9 To proceed with the installation click Next Figure 8 9 Installation options summary 11 The installation progress is shown in another dialog The process has several pha...

Page 388: ...BM Tivoli and Cisco Systems It may take a few minutes to complete the installation Then you are presented with the online registration window as shown in Figure 8 10 Uncheck Register this product now...

Page 389: ...tallation media set contains a CD with the base version of the WebSphere Application Server 5 1 Before installing further components you must install the latest recommended cumulative fix which is 11...

Page 390: ...IBM HTTP Server 1 3 28 4 Set up the proper environment variables using the following command cd C Program Files WebSphere AppServer bin SetupCmdLine bat 5 Go to the temporary directory you have create...

Page 391: ...Chapter 8 Remediation subsystem implementation 373 b The Install fix packs option is selected as shown in Figure 8 13 Figure 8 13 Installation option selection...

Page 392: ...rst one is installed You must run the procedure twice installing first Fix Pack 1 and then Cumulative Fix 11 Creating the necessary user account The Web Gateway component requires that a DB2 user exis...

Page 393: ...tion Manager Web Gateway To install this component you need the Tivoli Configuration Manager Web Gateway CD which is included with your Tivoli Configuration Manager installation bundle 1 Go to the dir...

Page 394: ...3 The welcome window is presented Figure 8 16 Click Next Figure 8 16 Welcome window...

Page 395: ...4 In the next window Figure 8 17 the standard license agreement is shown Accept the license and click Next Figure 8 17 License agreement window...

Page 396: ...work Access Control Solution with IBM Tivoli and Cisco Systems 5 The component selection is displayed as shown in Figure 8 18 Make sure that all three options are selected and click Next Figure 8 18 C...

Page 397: ...entation 379 6 The installation directory selection window is displayed Figure 8 19 Accept the default path but make sure that the drive has at least 510 MB of free space and click Next Figure 8 19 In...

Page 398: ...ialog Figure 8 20 most of the fields are already filled in Provide the passwords for the DB2 administration user and the dmsadmin user you have created according to the procedure described in Creating...

Page 399: ...usually these are the defaults for the selected platform and click Next Figure 8 21 Web infrastructure configuration window 9 If there was no Tivoli Endpoint installed on the server you are presented...

Page 400: ...Control Solution with IBM Tivoli and Cisco Systems If your Tivoli Configuration Manager is a single node installation this would be localhost as shown in the Figure 8 22 Then click Next Figure 8 22 E...

Page 401: ...383 10 The Secure access configuration window is presented as shown in Figure 8 23 Since we are not using Tivoli Access Manager in our environment accept the default Enable security is False and clic...

Page 402: ...Control Solution with IBM Tivoli and Cisco Systems 11 The summary of the selected installation options is presented as shown in Figure 8 24 Click Next to proceed with the installation Figure 8 24 Sum...

Page 403: ...e prerequisites are installed and configured you can proceed with the remediation server configuration After the Tivoli Configuration Manager Web Gateway installation there are two additional instance...

Page 404: ...Guide TCM package 1 Create a temporary directory on the Tivoli Configuration Manager Web Gateway server and extract the files from the IISSCN Extension Pack2 for Tivoli Configuration Manager file iiss...

Page 405: ...ollowed the installation of WebSphere Application Server as described in this book you should have no security turned on and you will see the standard login screen as shown in Figure 8 26 Enter any na...

Page 406: ...item in the left pane and click the Install New Application option The new content should be displayed in the right pane as shown in Figure 8 27 Figure 8 27 Install new application 5 In the Local pat...

Page 407: ...emediation subsystem implementation 389 6 The Preparing for the application installation window is displayed Figure 8 28 Accept the defaults and click Next Figure 8 28 Preparing for the application in...

Page 408: ...several next windows until you reach the one shown in the Figure 8 29 Click Finish to start the actual installation The button may be hidden in the lower part of the window depending on the resolutio...

Page 409: ...391 8 The installation may take a few seconds or a few minutes depending on your server configuration In the window that displays the installation results find and click the Save to Master Configuratio...

Page 410: ...Access Control Solution with IBM Tivoli and Cisco Systems 9 In the next window shown in Figure 8 31 select Save to save the configuration changes to the master configuration file Figure 8 31 Saving th...

Page 411: ...ir C Program Files WebSphere AppServer installedApps your_server_name SoftwarePackageServer ear SoftwarePackageServerWeb war WEB INF lib Copy the file twguserpull jar located in WebSphere home directo...

Page 412: ...he installation and configuration of the remediation workflows used to automatically remediate noncompliant workstations 8 2 4 Installation of the Software Package Utilities The IISSCN extension pack2...

Page 413: ...TCRNavScan nac win any nav PostureNavV2 SCAN_WF TCRNavVirusDefUpdate nac win any nav PostureNavV2 DEFS_WF TCRNavSoftwareInstalled nac win any nav PostureNavV2 VERSION_WF TCRMSPatchesInstallWinXP nac...

Page 414: ...ion name_of_the_collector _ workflow_type DefaultConfig properties For example nac win any hotfix PostureHotfixV2_HOTFIX_WF DefaultConfig properties By default there are nine files nac win any nav Pos...

Page 415: ...Postur eCollectorParameterName latest Example 8 3 nac win any services PostureServices_SERVICE_DISABLED_WF Def aultConfig properties file content SPUtil default config file for nac win any services P...

Page 416: ...nted to the user if there are any policy violations The intention of these instructions is to guide the user to remediate the situation As a part of the IBM Integrated Security Solution for Cisco Netw...

Page 417: ...ust be named after the collector for example nac win any service PostureServices The next level below has to contain a separate directory for each language setting For this book we use US English so t...

Page 418: ...nac win any posture PostureCollector DEFAULT_LANG default html If no match is found a blank page will be displayed Posture item HTML Each instance of posture collector generates exactly one posture it...

Page 419: ...ureServicesV2 en_US ZoneAlarm Firewall default html scripts nac win any services PostureServicesV2 en_US Remote Desktop Service default html scripts nac win any services PostureServicesV2 pl_PL ZoneAl...

Page 420: ...ector DEFAULT_LANG status html scripts collector DEFAULT_LANG default html If no pages are found at the instance level the user interface will fall back to searching for the HTML of the element s pare...

Page 421: ...r a required list of users might have the following attribute lists current_values jdoe ssmith admin required_values jdoe ssmith admin secureadmin files etc users Table 8 4 shows possible HTML and the...

Page 422: ...ompliance Manager client and the others come from either the local handlers properties file or from the HANDLERS_ATTRIBUTES parameter of the policy collector Tag Description Example field instancename...

Page 423: ...s This may be null if the client is not a DHCP client client dhcp false Indicates whether the client is a DHCP client client fingerprint a3 55 e5 62 2a db 52 93 3b c2 22 38 44 53 bf 02 The client s gl...

Page 424: ...Path true in handlers properties results in the attribute being set to false Additionally providing multiple entries with the same key name in the same location will result in one value being used onl...

Page 425: ...ibute client id 2 Attribute client alias scmxp Logging posture items To enable logging of posture items and their posture elements the following attribute should be set remediationdialog logItems true...

Page 426: ...hen this attribute is set the paths searched are logged to the client log file For example File scripts nac win any oslevel PostureOSLevelV2 en_US Windows Service Pack Windows Service Pack Level PASS...

Page 427: ...following three steps build meaningful HTML examples for the policies described in Security compliance criteria on page 100 1 Our example policy specifies the following requirements Local workstation...

Page 428: ...e user in the remediation user interface Figure 8 35 Sample ABBC Corp security policy description page Example 8 4 shows the HTML source code for this page Example 8 4 HTML source for password policy...

Page 429: ...equirements For violation details click the items marked with image src file c Program Files IBM SCM client scripts com ibm scm nac posture PolicyCollector images icon fail gif icon br br For further...

Page 430: ...px background color eee font 13pt arial font weight 500 font variant small caps MajorTitle padding 5px 4px 0px 0px font 14 pt arial font weight 700 text align right DetailText padding 20px 0px 0px 40p...

Page 431: ...for changing the minimum password length setting This page mostly consists of static HTML shown in Example 8 6 It also introduces some of the tags described in 8 3 2 Variables and variable tags on pag...

Page 432: ...ust be at least 8 characters long br Your minimal password lenght is set to wfattribute current_values br b WARNING field msg b br To change the minimum password length setting on Windows XP br br ul...

Page 433: ...the resulting page Figure 8 37 Maximum password age HTML page Example 8 7 shows the HTML source for the page Example 8 7 HTML source for password age policy details page DOCTYPE html PUBLIC W3C DTD H...

Page 434: ...e current_values b br br To change the maximum password age setting on Windows XP br br ul li Start gt Control Panel gt Administrative Tools gt Local Security Policy br li li Double click Maximum pass...

Page 435: ...ver in this book we use the terms remediation workflow and remediation package interchangeably Software package block SPB is a native format of the Tivoli software distribution products used with Tivo...

Page 436: ...ter in the Symantec Antivirus policy to be used when the compliance check generated a FAIL or WARNING status The purpose of the workflow is to initiate the Symantec Antivirus scan In this case for sim...

Page 437: ...nMessage_en wsf xml version 1 0 job script language JScript CDATA var WshShell WScript CreateObject WScript Shell var strTitle Tivoli Security Compliance Manager var nSecondsToWait 0 var nButtonType_O...

Page 438: ...llation instruction from this book it will be the host name of that server Leave the other values as is They are used by the utility during the package creation Example 8 9 Content of Sample propertie...

Page 439: ...the Tivoli Configuration Manager Web Gateway TCRNavScanConfig properties Final properties file as a result of combining the Sample properties file specified as a parameter to the sputil sh command and...

Page 440: ...published on the Web page and is downloaded to the client workstation during the remediation process 6 Now you are ready to test the remediation process On a client workstation which indicates to have...

Page 441: ...Message_en wsf When you click OK the final remediation handler window should look like Figure 8 40 Figure 8 40 Remediation handler status window TCRNavVirusDefUpdate The TCRNavVirusDefUpdate workflow was d...

Page 442: ...VirusDefUpdate 2 Then create a configuration file for sputil sh utility containing the instructions about how to build the package Copy the Sample properties file from the sample_TCRNavDefUpdate direc...

Page 443: ...ned in the VERSION_WF parameter in the Symantec Antivirus policy to be used when the compliance check generated a FAIL or WARNING status The purpose of the workflow is to install the required version...

Page 444: ...on the Web Gateway To achieve this run the following commands cd BINDIR tcmremed download cd TCRNavSoftwareInstalled BINDIR tcmremed bin sputil sh p Sample properties 5 Verify the result of running t...

Page 445: ...ownload the appropriate hotfix from the Microsoft Web site KB896423 can be found at the following location http www microsoft com downloads details aspx familyid EF402946 1C3B 47E9 9D51 77D890DF8725 d...

Page 446: ...can install multiple hotfixes one by another without a reboot You must add this qchain exe utility to your remediation package This utility is a part of the Microsoft Windows 2000 Resource Kit and is...

Page 447: ...Figure 8 41 Figure 8 41 Remediation handler interface for hotfix installation Repeat this procedure for any other hotfix that you have defined as required in your security policy TCRMSServicePackInst...

Page 448: ...download the appropriate Service Pack 2 installation file from the Microsoft Web site The Windows XP Service Pack 2 Network Installation Package for IT Professionals and Developers can be found at th...

Page 449: ...ive ExeArg 0 1 norestart RunQchainFlag false TmfWebUIEndpoint tcmweb 4 Run the sputil sh command to create the software package block and publish it on the Web Gateway To achieve this run the followin...

Page 450: ...edia from the vendor to build that package and you have to obtain the proper license Follow the steps described below 1 Open a command prompt import the environment variables for the Tivoli Framework...

Page 451: ...CRZLSoftwareInstalled BINDIR tcmremed bin sputil sh p Sample properties 5 Verify the result of running the tool with the following command wlookup ar SoftwarePackage grep TCRZLSoftwareInstalled If the...

Page 452: ...sue the following commands cmd k SystemRoot system32 drivers etc Tivoli setup_env cmd bash cd BINDIR tcmremed download mkdir TCRZLSoftwareRunning cd TCRZLSoftwareRunning 2 Create the very simple Windo...

Page 453: ...s This is the second type of the two workflows called by the nac win any services PostureService collector It is called during the remediation of a violation when the service that should be disabled i...

Page 454: ...e properties 5 Verify the result of running the tool with the following command wlookup ar SoftwarePackage grep TCRMessengerDisabled If the package was created the result will look like below the numb...

Page 455: ...ll option The final content should look like Example 8 17 Example 8 17 Content of TCRMessengerDisabled_unpublish sh script wweb unpublish p TCRMessengerDisabled nac win any services PostureServices SE...

Page 457: ...s In the following two appendixes we take a closer look at these topics General hints and tips for everything around the IBM Integrated Security Solution for Cisco Networks A generic introduction to t...

Page 459: ...integration with the NAC Appliance offering Information provided in this section may also be used for problem determination and detailed analysis of the key components and associated sequence diagrams...

Page 460: ...f interest Note that when a new policy is installed a new set of collector objects will be placed in the SCM_HOME client collectors directory These collectors determine what data the client will colle...

Page 461: ...licy Version Action Policy Version Violation Count Token Action Policy Version Violation Count Token Action User Group ACL or RAC Network Access Profiles Client Cisco Trust Agent Posture Cache Policy...

Page 462: ...he notification also includes an action which is the URL to be used to request automated remediation In either case the Cisco Trust Agent pops up a window on the client that displays the current postu...

Page 463: ...stureQuery SCM Policy Collector QuarantinePostureNotification Posture Remediation Commands TCM Web Gateway Remediation Handler Remediation Request Cisco NAC SCM Posture PlugIn Endpoint RemediationInfo...

Page 464: ...the modules Figure A 3 The compliance subsystem Cisco Trust Agent Process Posture Request Process Posture Notification Query Posture Status Change SCM PlugIn dll Called by Cisco Trust Agent Socket com...

Page 465: ...nt Figure A 4 Cisco NAC sequence diagram The PostureQuery asks the client for the full set of attribute data that the client has registered with the ACS The client responds to the PostureQuery by send...

Page 466: ...s on the client it will be reflected as a status change and the network will then reset both polling cycles and issue a PostureQuery to the client starting the whole process over to evaluate the new s...

Page 467: ...reachable message, then the NAD is quarantining the host and the Cisco Trust Agent is probably not running. If a message appears, then the NAD and the Cisco Trust Agent are communicating correctly. If a c...

Page 468: ...curity Compliance Manager client server communication and the interaction between the server and client and associated TCP port numbers Figure A 5 Communication port usage in Security Compliance Manag...

Page 469: ...the server is performed using an internal protocol Communications between the administration utilities and the server are handled using the Java Remote Method Invocation RMI technology Summary of defa...

Page 470: ...sco IOS Software switch For Cisco switches configured for IP based NAC the commands listed in the preceding section apply to both a router and a switch For 802 1x based NAC a useful command is the fol...

Page 471: ...e the values that are passed from the Security Compliance Manager Posture Plug in for each host in this report Cisco Trust Agent On the client the Cisco Trust Agent handles all communications with the...

Page 472: ...he following commands you can see what is being passed back to the network look at the complete posture cache and test calls to the remediation handler The commands pquery and pstatuschange have no ar...

Page 473: ...the NAC Appliance components Clean Access Manager CAM This is the administration server for Clean Access deployment The secure Web console of the Clean Access Manager is the single point of managemen...

Page 474: ...co Clean Access Manager is designed to support both in band and out of band Cisco Clean Access servers as well as the switches associated with the out of band portion of the network With the Cisco Cle...

Page 475: ...been deployed by a larger set of customers than NAC Framework simply due to its lower cost factor and deployment footprint In order to provide Cisco NAC Appliance customers access to the compliance an...

Page 476: ...lient is running and check that a special compliance semaphore file indicating the compliance state of the endpoint exists in order to admit the endpoint A special NAC Appliance Agent is installed on...

Page 477: ...met on the client. When the production version of this file is delivered, it will not run a .bat file but will require a signed executable. NAC Appliance Client Start Authentication TSCM Client Running C...

Page 478: ...lient's statuscheck.exe, which forces the Security Compliance Manager Client to run a rescan and recompute the compliance posture. NACApplianceCompliance entry This file is an identical copy of the com...

Page 479: ...tor. In addition, this version of the collector was written quickly in lab conditions, and several issues should be corrected in a production version. Users of this prototype version of the policy collector...

Page 480: ...AC Appliance Agent The prototype version of this agent installs on the client in the same manner as the production version It is basically a wizard install and there are no configuration parameters re...

Page 481: ...Access Manager to place the endpoint in quarantine If an html form other than the one performed in the example is to be used this parameter must be changed to use the other form This collector include...

Page 482: ...e not protected and could be manipulated by users. We recommend that these files be set to hidden, with administrative privileges required to access them. Timing: With the current version of the prototype...

Page 483: ...n The following list is the expected behavior for each of these states Scenario 1 Pre admission Security Compliance Manager not running noncompliant client NAC Appliance detects that the Security Comp...

Page 484: ...and there is no way to address this state This state can be reached if the user halts the Security Compliance Manager Client after the client has already been admitted to the network and then creates...

Page 485: ...Cron job to check whether the Security Compliance Manager Client is running and start it if it is not running This would then bring the client to state 8 Scenario 5 pre admission Security Compliance M...

Page 486: ...Security Compliance Manager running noncompliant client In this case the semaphore starts as 1 since we have been admitted Windows Scheduler or cron job runs statuscheck exe Statuscheck exe Requests...

Page 487: ...ost admission Security Compliance Manager running compliant client In this case the semaphore should start as 1 since we have been admitted Windows Scheduler or cron job runs statuscheck exe NAC Appli...

Page 488: ...clusion Having read this appendix you should now have a better understanding of the IBM Integrated Security Solution for Cisco Networks and be familiar with the NAC Appliance offering The prototype fo...

Page 489: ...ntrol In this appendix we discuss the Network Admission Control initiative from Cisco Systems This appendix contains a Cisco white paper that is publicly available at the following address http www ci...

Page 490: ...at NAC can play as part of a policy based security strategy and describes and defines the available NAC approaches The benefit of NAC Despite years of security technology development and millions of d...

Page 491: ...verification strategy be implemented in the network instead of somewhere else Virtually every bit of data that an organization is interested in or is concerned about touches the network Virtually any...

Page 492: ...security of any network regardless of size or complexity by helping to ensure that all user network devices conform to security policy By proactively protecting against worms viruses spyware and malw...

Page 493: ...functions Recognizes users their devices and their roles in the network at the point of authentication authorization Evaluates the security posture of endpoints using either scanning and analysis tech...

Page 494: ...entication authorization and remediation of endpoints A combination of central policy management intelligent network devices and network services with solutions from dozens of leading antivirus securi...

Page 495: ...s NAC Readiness Assessment Analyzes deployment requirements and assesses the readiness of your network devices operations and architecture to support NAC NAC Limited Deployment Provides installation a...

Page 496: ...on 4 Take advantage of your Cisco Clean Access investment Cisco Clean Access components can be fully integrated into a NAC Framework solution NAC technology Let us take a look at the components needed...

Page 497: ...ters 2600XM 2691 3640 and 3660 ENT multiservice access routers 72xx Series routers Cisco switches Cisco Catalyst 6500 Series Supervisor Engine 2 32 and 720 with Cisco Catalyst OS Cisco IOS Software or...

Page 498: ...th IBM Tivoli and Cisco Systems Recommended components Cisco Security Agent Cisco Security Monitoring Analysis and Response System MARS CiscoWorks Security and Information Management Solution SIMS For...

Page 499: ...ng the Web material The Web material associated with this redbook is available in softcopy on the Internet from the IBM Redbooks Web server Point your Web browser to ftp www redbooks ibm com redbooks...

Page 500: ...scription IBM Tivoli CCA Agent zip Contains the Cisco Clean Access Agent Version 4 0 1 1 used for our example NACAppliancePrototype zip Contains the necessary files policy collector remediation html f...

Page 501: ...g IBM Tivoli Security Solutions SG24 6014 Other publications These publications are also relevant as further information sources IBM Tivoli Security Compliance Manager Version 5 1 Administration Guide...

Page 502: ...uct vpn ciscosec cta cta1_0 index htm IBM Tivoli Security Compliance Manager Installation Guide http publib boulder ibm com infocenter tiv2help index jsp topic com ibm itscm doc_5 1 scm51_install html...

Page 503: ...Related publications 485 Help from IBM IBM Support and downloads ibm com support IBM Global Services ibm com services...

Page 505: ...iolation count 442 Access Manager for e business 85 access policy 58 60 action parameter 58 administrators involvement 26 admission control client 43 antivirus collector configuration 163 application...

Page 506: ...or workstations 100 data 18 decisions 103 exception 29 management business process 28 policy 57 395 assigning to clients 186 configuration 152 customization 161 versioning 103 posture collector 153 qu...

Page 507: ...6 emergency change procedure 95 97 encapsulated authentication protocol 45 endpoint posture credentials 43 enduser challenges 97 error handling 448 Extensible Authentication Protocol 16 23 session ini...

Page 508: ...26 N NAC see network admission control NAC Appliance 17 45 82 475 Clean Access Agent configuration 334 comparing with NAC Framework 17 components 455 configuration 303 default login page 315 port prof...

Page 509: ...uration 165 PEAP 59 client session 60 PEAP session 191 performance controls 34 personal firewall 53 collector configuration 171 physical components 52 pnotify 454 Point to Point Protocol 23 policy 8 c...

Page 510: ...configuration 357 concept 4 configuration for manual 116 handler 20 25 50 52 61 100 101 357 454 request URL 108 HTML example 409 HTML information 398 instructions for the users 397 JAVA classes 108 l...

Page 511: ...osture collector 18 50 153 posture credentials 50 posture policy 89 posture status 20 push pull mode 206 remediation handler 50 rule 174 secure communication 63 security certificate 146 security compl...

Page 512: ...6 Software Package Web server 357 TCMCLI policy 189 Web Gateway configuration 359 Web Gateway installation 375 Web Gateway user account 375 Tivoli Framework 51 total cost of ownership 27 traffic polic...

Page 516: ...e corrupted in some way can infect other parts of the enterprise and cause significant IT infrastructure damage and loss of productivity Additionally organizations must address security compliance as...
