
ibm.com/redbooks

Building a Network
Access Control Solution

 

with IBM Tivoli and Cisco Systems

Axel Buecker

Richard Abdullah

Markus Belkin

Mike Dougherty

Wlodzimierz Dymaczewski

Vahid Mehr

Frank Yeh

Covering Cisco Network Admission 
Control Framework and Appliance

Automated remediation of 
noncompliant workstations

Advanced security 
compliance notification

Front cover

Contents: Tivoli and Cisco

Page 1: ...o Systems Axel Buecker Richard Abdullah Markus Belkin Mike Dougherty Wlodzimierz Dymaczewski Vahid Mehr Frank Yeh Covering Cisco Network Admission Control Framework and Appliance Automated remediation...


Page 3: ...Building a Network Access Control Solution with IBM Tivoli and Cisco Systems January 2007 International Technical Support Organization SG24 6678 01...

Page 4: ...plication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp Second Edition January 2007 This edition applies to Tivoli Security Compliance Manager V5 1 Tivoli Configuration Manager V...

Page 5: ...for corporate security compliance 8 1 6 Achievable benefits for being compliant 9 1 7 Conclusion 10 Chapter 2 Architecting the solution 13 2 1 Solution architectures design and methodologies 14 2 1 1...

Page 6: ...ecurity Solution for Cisco Networks lab 80 4 2 3 Application security infrastructure 85 4 2 4 Middleware and application infrastructure 86 4 3 Corporate business vision and objectives 87 4 3 1 Project...

Page 7: ...uring a CCA OOB VG server 306 7 2 3 Deployment of the network infrastructure 352 7 3 Conclusion 354 Chapter 8 Remediation subsystem implementation 355 8 1 Automated remediation enablement 357 8 2 Reme...

Page 8: ...nefit of NAC 472 Dramatically improve network security 473 NAC implementation options 474 The NAC Appliance 475 NAC Framework solution 476 Investment protection 476 Planning designing and deploying an...

Page 9: ...bed in this publication at any time without notice Any references in this information to non IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those W...

Page 10: ...all Java based trademarks are trademarks of Sun Microsystems Inc in the United States other countries or both Active Directory Expression Internet Explorer Microsoft Visual Basic Windows NT Windows Se...

Page 11: ...ad the first edition It is important to realize what the compliance and remediation solution is It is not a one size fits all product that will work out of the box for customers It is an integrated so...

Page 12: ...and Rich Axel Buecker is a Certified Consulting Software IT Specialist at the International Technical Support Organization Austin Center He writes extensively and teaches IBM classes worldwide in Sof...

Page 13: ...Software Group in Poland Before joining the Tivoli Technical Sales team in 2002 he worked for four years in IBM Global Services where he was a technical leader for several Tivoli deployment projects H...

Page 14: ...fery Paul John Giammanco Harish Rajagopal Hideki Katagiri Additional support Tom Ballard Sam Yang Mike Garrison Max Rodriguez Don Cronin Michael Steiner Jeanette Fetzer Sean Brain Sean McDonald IBM US...

Page 15: ...Redbooks to be as helpful as possible Send us your comments about this or other Redbooks in one of the following ways Use the online Contact us review redbook form found at ibm com redbooks Send your...


Page 17: ...Cisco Systems as created or updated on January 16 2007 January 2007 Second Edition This revision reflects the addition deletion or modification of new and changed information described below New infor...


Page 19: ...rt we discuss the overall business context of the IBM Integrated Security Solution for Cisco Networks We then describe how to technically architect the overall solution into an existing environment an...


Page 21: ...everyone relies on the Internet it is not difficult for an intruder to find the tools on the Web to assist in breaking into an enterprise network To overcome this immense threat faced by many organiza...

Page 22: ...concerns by validating users against a centrally predefined policy before granting them access to the network It also provides a path for an automated remediation process to fix noncompliant workstat...

Page 23: ...rate CIOs who must regard proactive protection against viruses as constant The IBM Integrated Security Solution for Cisco Networks solution provides in depth defense by ensuring that authorized users...

Page 24: ...enacted to protect individual investors and corporations are required by law to provide truthful financial statements All public financial statements released by corporations are subjected to intense...

Page 25: ...to the corporate LAN Corporations must allow external partners and contractors to have access to limited IT resources as well Most businesses are looking for ways to remotely connect to their corpora...

Page 26: ...is fundamental to maintain a trusted relationship between organizations and customers Many businesses have outsourced their IT management to third party companies now it is the responsibility of that...

Page 27: ...rules Enforcing and maintaining strong passwords for example can make it more difficult for malicious users to access protected data Corporate auditors check for consistency in compliance with corporate...

Page 28: ...ity Compliance Manager SG24 6450 1 7 Conclusion Organizations are constantly looking to maintain compliance status with their corporate security policy for both inter company and intra company interac...

Page 29: ...y compliance problems This approach enables corporations to implement a simplified compliance based full life cycle Network Admission Control and remediation solution that can result in greater produc...


Page 31: ...he solution architecture of the IBM Integrated Security Solution for Cisco Networks with its compliance based Network Admission Control system We provide an overview of the key modules and their relat...

Page 32: ...ration of resulting IT solutions More information about MASS may be found in the IBM Redbook Enterprise Security Architecture Using IBM Tivoli Security Solutions SG24 6014 2 1 1 Architecture overview...

Page 33: ...etwork representation It shows the involved stationary and portable clients the different network segregations the server components and the required networking equipment Figure 2 2 IBM and Cisco arch...

Page 34: ...campus switching wireless access router WAN links IP Security IPSec remote access and dialup Extension of existing technologies and standards NAC extends the use of existing communications protocols...

Page 35: ...ontrol subsystem can be delivered by NAC Framework or NAC Appliance While the interfaces between these two offerings vary the Tivoli Security Compliance Manager and Tivoli Configuration Manager subsys...

Page 36: ...ormation about its environment required to assess compliance with the security policy at a predefined schedule Using different collectors this data is sent back to the Security Compliance Manager serv...

Page 37: ...condition on a client More information about Tivoli Configuration Manager can be found in the Deployment Guide Series IBM Tivoli Configuration Manager SG24 6454 More details of each subsystem and its...

Page 38: ...ace includes a functional Web browser that supports customized HTML content that can assist the user in remediating In addition if an automated remediation handler is installed a button to start autom...

Page 39: ...sions are based on who is attempting access Posture decisions are integrity based and depend on the integrity of the device being used for access Posture based NAC is designed to protect the network f...

Page 40: ...d on their identity and assigned groups with posture based checking providing an additional way to control a user s traffic Figure 2 4 Layer 3 and Layer 2 NAC overview Cisco NAC and IEEE 802 1x An int...

Page 41: ...p or LAN connection It defines the way an EAP message is packaged in an Ethernet frame so there is no need for PPP over LAN overhead On the other hand Cisco NAC is a posture based Network Admission Co...

Page 42: ...e of the posture agent is performed by Cisco Trust Agent Third party applications including the IBM Tivoli Security Compliance Manager client register with the posture agent using a plug in More infor...

Page 43: ...t receives the list of noncompliant settings from the compliance client then asks the remediation server to provide the new software or the correct settings as required by the security policy In the p...

Page 44: ...nce It is essential to follow these steps in the implementation of the IBM Tivoli Security Compliance Manager and Cisco Network Admission Control Creation of the policies to meet the business requirem...

Page 45: ...ethods of enforcing compliance are limited In the next step all branch office networks 4 can be protected with NAC Finally the solution can be extended to cover all wireless networks 5 and the station...

Page 46: ...Tivoli Security Compliance Manager SG24 6450 Figure 2 6 Generic security compliance management business process The security compliance management business process consists of these general steps 1 A...

Page 47: ...port compliance status The audit team creates security compliance status reports for management and external audit purposes on a regular basis 7 Request compliance exceptions System administrators who...

Page 48: ...ulated by a separate policy there is no need to test the changes on every client All requested changes should be applied as soon as possible either through the manual process according to designated i...

Page 49: ...the automated audit most of the policies have to be operationalized For example a policy statement such as Each workstation connected to the corporate network should have all of the latest recommended...

Page 50: ...ng to connect to the network can be denied access to corporate resources or quarantined that is they are allowed to connect to only one designated network for remediation until the workstation regains...

Page 51: ...In general access to trusted networks is not allowed while in quarantine except in cases where the remediation or compliance servers are deployed within trusted networks Trusted network These are the...

Page 52: ...y connected In this book we consider as trusted any network segment that is excluded from the NAC Of course other security means such as firewalls may still apply but this is outside the scope of this bo...

Page 53: ...t would assist in a smooth transition to the new environment Initiation Definition Design Build Maintenance In the initiation phase high level project requirements are gathered and verified to be incl...

Page 54: ...ide adequate redundancies for individual components are put in place For example a NAC enabled Cisco router Network Access Device utilizes a secondary router that is configured in a redundant pair usi...

Page 55: ...this chapter was to introduce a description of functionality provided by the IBM Integrated Security Solution for Cisco Networks and how the IBM Tivoli products and Cisco NAC are integrated We also di...


Page 57: ...hapter introduces the logical and physical components of the IBM Integrated Security Solution for Cisco Networks The final section of this chapter talks about the logical data flow among the various c...

Page 58: ...ch as operating system levels hotfixes and security and policy settings These policies and workflows can be configured to address new instances of these conditions The IBM Integrated Security Solution...

Page 59: ...ssion Control Framework consists of the following subcomponents Posture validation server Policy enforcement device Admission control client Posture validation server The posture validation server val...

Page 60: ...ACS CSAuth Provides authentication services CSDBSync Provides synchronization of the internal ACS user database with third party external RDBMS applications CSlog Provides logging services both for ac...

Page 61: ...ts denies or restricts the network access of the network client The NAD also checks for a change in posture of the client by polling the client at specified intervals Admission control client The Cisc...

Page 62: ...les Posture plug in Provides the capability to collect information such as operating system type and version EXT Posture plug in Represents an external or third party posture plug in This is a communi...

Page 63: ...he policies you have defined in the CAM Web admin console including network access privileges authentication requirements bandwidth restrictions and NAC Appliance system requirements It can be deploye...

Page 64: ...collectors are written to evaluate system data and state information Collectors can be written to evaluate virtually any system parameter Compliance server The server is the central component of a Se...

Page 65: ...urity relevant configuration data from connected systems such as operating systems middleware components applications firewalls routers and so on Compliance reporting Deliver different kinds of config...

Page 66: ...duces a new posture plug in that communicates with the Cisco Trust Agent required by Cisco to report posture data during the NAC process The Security Compliance Manager client is Java based software t...

Page 67: ...examples Reading the content of one or more files on the client system Running an operating system command or utility and examining the output Running an executable program packaged as part of the co...

Page 68: ...posture collector also contains appropriate information to be used in order to remediate any compliance violations A posture collector can be called by the Security Compliance Manager server or by the...

Page 69: ...of software and configuration management capabilities that an enterprise can leverage to centrally manage and automate the remediation process for noncompliant endpoints The remediation subsystem cons...

Page 70: ...ager client for NAC and the Tivoli Configuration Manager server These components are shown in Figure 3 6 on page 56 and explained in the next sections This component is not actually installed on the c...

Page 71: ...to the remediation handler when collected values do not match required values A special policy collector gathers data from the various collectors and summarizes the collector data to provide version...

Page 72: ...gral part of the solution In our solution Cisco switches routers VPN Concentrators Adaptive Security Appliances and access points can be used as policy enforcement devices 3 2 3 IBM Integrated Securit...

Page 73: ...create remediation objects and publish them to the Tivoli Configuration Manager Web Gateway Server where they are made available to clients requesting remediation 3 3 Solution data and communication f...

Page 74: ...ep in the data flow is the creation and deployment of a policy If a Tivoli Configuration Manager server is used for remediation a corresponding Network Rem Attributes Rem URL SCM Server AAA Policy Ser...

Page 75: ...checked against when making compliance decisions Information specific to the remediation object that will remediate violations when detected as noted in step 1a Other attributes that are used to suppo...

Page 76: ...olicy must be updated with the new Policy_Version as noted at the Security Compliance Manager server in 1b NAD configuration deployment 1e The NAD should be a NAC compliant hardware device with specif...

Page 77: ...g on the network client receives the security posture credential request and in turn requests security posture credentials from the NAC compliant applications in this case Security Compliance Manager...

Page 78: ...play meaningful messages to the client that correspond to the posture token assigned to the network client The access policy depends on the policy defined by the organization s network policy d When t...

Page 79: ...diation is initiated by the user of the network client machine by clicking a remediation button from the Security Compliance Manager client pop up window The policy collector then passes a remediation...

Page 80: ...ow the various components securely communicate and Figure 3 7 shows an overview of the secure communications Figure 3 7 Secure communication between components Cisco Trust Agent Client EAPoUDP EAPonLA...

Page 81: ...all traffic within the Tivoli Security Compliance Manager environment Remediation communication The communication between the remediation client and Tivoli Configuration Manager Web Gateway is based o...

Page 82: ...d Security Solution for Cisco Networks addresses network clients compliance to policies that are centrally defined by the enterprise The solution can enforce client compliance and help remediate compl...

Page 83: ...co Networks in their organization Figure 3 9 Client access to enterprise with zone details Uncontrolled zone Internet external networks The Internet has become a major business driver for many organiz...

Page 84: ...ogies to connect to various enterprise resources are participants of this zone Restricted zone production network One or more network zones may be designated as restricted zones in systems to which ac...

Page 85: ...ple at the headquarters and the branch office Hence there are two locations at which policy enforcement can be achieved at the branch router or at the headquarters router In addition if the branch offi...

Page 86: ...ber associated with the posture state of the user which would be healthy or quarantine EAP UDP passes only posture information in a UDP datagram ACS responds with a port based ACL PACL that provides...

Page 87: ...re 69 Figure 3 11 Campus ingress enforcement Site to Site VPN Users Internet AAA AAA Branch Office Compliance Campus Ingress Enforcement Corporate Headquarters Data Center Posture Enforcement Points R...

Page 88: ...ially infected small office and home office SOHO users as shown in Figure 3 12 This will also be the practical deployment option for clients who are using Port Address Translation to access corporate...

Page 89: ...ization to comply with the policies laid down by the parent organization The policy enforcement device can be deployed appropriately to ensure that these partner systems comply with the parent organizat...

Page 90: ...lab setup do not disrupt the production systems and networks A policy enforcement at the connection between the production systems and lab setup can ensure that only systems that comply with the enterp...

Page 91: ...ire maximum protection Compliance can be checked for client systems before they are provided connections to the resources at the Data Center Figure 3 15 Figure 3 15 Data Center protection A A A A A A...

Page 92: ...The IBM Integrated Security Solution for Cisco Networks is an integration of products from IBM and Cisco New components have been added to each of the individual product sets so they can work in uniso...

Page 93: ...Banking Brothers Corp In our last encounter in the IBM Redbook Deployment Guide Series IBM Tivoli Security Compliance Manager SG24 6450 they successfully deployed the Tivoli Security Compliance Manage...


Page 95: ...f the Armando Banking Brothers Corporation ABBC This introduction includes a description of ABBC s business profile their current IT architecture and their medium term business vision and objectives 4...

Page 96: ...uthorization policies Like many companies ABBC has found that traditional hacker attempts to gain unauthorized access are only part of the security threat factor In today s environment network worms t...

Page 97: ...infrastructure in line with the IBM MASS security model The network has the following major security zones Uncontrolled zone Internet external networks Controlled zone demilitarized zone DMZ Controll...

Page 98: ...is done before any system is deployed in a production environment The IBM Integrated Security Solution for Cisco Networks has been tested by ABBC The test simulation is discussed briefly in 4 2 2 IBM...

Page 99: ...yII VLAN 13 Quarantine Sales VLAN in the Core network This VLAN hosts those users that have been authenticated by IEEE 802 1x as members of the Sales Group but are not compliant VLAN 14 Quarantine Eng...

Page 100: ...to the network is based on access control lists ACLs bound to the Layer 3 Switched Virtual Interfaces SVIs on the switch which in this example is also the access switch NAC Appliance NAC Appliance is...

Page 101: ...M sending the relevant configuration commands to the switch using SNMP Once the user is compliant the CAM will again change the user s switchport VLAN membership this time from 120 back to 20 VLAN 9 T...

Page 102: ...er will be granted access to the network on their Access VLAN which in this case is VLAN 20 If the MAC address is not present or the credentials supplied are incorrect the CAM will send an SNMP write...

Page 103: ...previous project deployment provided a centralized solid and easy to manage security architecture to help control access to ABBC s Web based assets and protect them from attacks Consistent with the A...

Page 104: ...applications We also see the Security Compliance Manager server in the core network 4 2 4 Middleware and application infrastructure In addition to illustrating the existing security infrastructure Fig...

Page 105: ...lution to all of its server systems this deployment provided monitoring and management of security compliance postures Next ABBC plans to extend the IBM Security Compliance Manager down to the worksta...

Page 106: ...ing the compliance to the security policy for the workstations connected to the ABBC s corporate network This team is also responsible for network design allowing the noncompliant workstation to acces...

Page 107: ...cure ACS server for a NAC Framework NAC L2 802 1x deployment 7 1 1 Configuring the Cisco Secure ACS for NAC L2 802 1x on page 214 Configuring the Cisco Secure ACS for NAC L2 L3 IP Highlights the confi...

Page 108: ...iled steps required were not described in this book For the installation and configuration instructions refer to the product documentation IBM Tivoli Configuration Manager Version 4 2 3 Planning and I...

Page 109: ...Manager client to the ABBC workstations through integration with Cisco Systems componentry enables ABBC to deploy a Network Admission Control system based on posture compliance status ABBC intends to...


Page 111: ...ronment This document assumes that all such test lab practices are transparently in place so we discuss only the fictional production environment There are essentially three parts of this deployment s...

Page 112: ...in Chapter 7 Network enforcement subsystem implementation on page 213 Part 3 Appendixes on page 439 builds on this infrastructure and adds automatic remediation functionality The detailed technical im...

Page 113: ...fy who can access what information in the network ABBC requires a method to ensure that basic safeguards are employed at the workstation level such as Password quality standards Detection of unauthori...

Page 114: ...y less secure The operational level security policy is changing frequently especially with the high number of security updates and hotfixes being released by the operating system vendor 5 2 2 Network...

Page 115: ...r while incorporating the emergency change procedure maintaining employee productivity must also be considered as ABBC must continue to do business and serve its customer base In addition the solution...

Page 116: ...tions This limits or prevents the interruption of network operations caused by worms and other hostile software The third functional requirement is to provide a means of facilitating automated remedia...

Page 117: ...ture status from the client then queries the Cisco NAC server may be Cisco Secure Access Control Server or Clean Access Manager policy to make an access decision If the system meets the posture policy...

Page 118: ...k Admission Control checking 1 Local workstation password quality must meet the following criteria a Password age must not be older than 90 days b Password minimum length must be eight characters 2 Th...

Page 119: ...nclude calling the remote remediation server in order to download appropriate software and execute the actions to get the workstation back to the compliant state Figure 5 2 Remediation process 5 3 Imp...

Page 120: ...premise that ABBC has the software distribution server subsystem based on the Tivoli Configuration Manager installed and configured For detailed information about basic implementation of IBM Tivoli Co...

Page 121: ...scribes the detailed flow of the overall installation and configuration including the assignment of the policy to the client groups Additionally administrative Security Compliance Manager information...

Page 122: ...5 4 Tivoli Security Compliance Manager client components The policy collector gathers data from the posture collectors and passes it to the posture plug in after which it is forwarded to the Cisco co...

Page 123: ...lationship as shown in Figure 5 4 on page 104 Figure 5 5 Security Compliance Manager policy collector edit collector parameters The Tivoli Security Compliance Manager policy collector parameters are s...

Page 124: ...t the client has an acceptable version of the compliance policy More on this in the next section Figure 5 6 Setting the policy version The MAX_DATA_AGE_SECS parameter Figure 5 7 establishes the maximu...

Page 125: ...nceptual control flow for this parameter Figure 5 8 MAX_DATA_AGE_SECS conceptual flow Client challenge issued by network access device Posture Cache Is the cache data more recent than MAX...

Page 126: ...as to have a form of attribute_name value string as presented below remediation url http tcmweb SoftwarePackageServerWeb SPServlet Figure 5 9 Setting the remediation handler URL attribute The REMEDIAT...

Page 127: ...ure 5 11 Setting the remediation handler JAR classpath The value of the POLICY_VERSION parameter must then be handed over to the networking team Enforcing compliance criteria Now we must configure the...

Page 128: ...posture client to the network The version of the posture policy the client is running This parameter is a string value and is established at the time of policy collection We set this value in Establis...

Page 129: ...Figure 5 13 Posture validation policies For detailed information about the creation and configuration of the Cisco Secure Access Control Server reference see 7 1 1 Configuring the Cisco Secure ACS fo...

Page 130: ...LAN by using Cisco switches There are two methods of NAC enablement NAC L2 IP which uses EAPoUDP and NAC L2 802 1x which uses an IEEE 802 1X supplicant embedded in the Cisco Trust Agent to provide mac...

Page 131: ...S Authorization Components In our scenario we list the Cisco Trust Agent Cisco PA and the Security Compliance Manager agent IBM Corporation SCM as our posture validation policies Thus in all three pie...

Page 132: ...s are not yet available Infected The endpoint device is an active threat to other hosts Network access should be severely restricted and placed into remediation or totally denied all network access Un...

Page 133: ...tcp any any eq domain access list 130 deny ip any any log Note that the Healthy Engineering VLAN ACL has three deny entries before the permit statement This is to stop any member of this VLAN trying t...

Page 134: ...emediation subsystem implementation on page 355 3 Distributing the HTML pages to the client systems At the time of writing this book there is no Security Compliance Manager in band mechanism for distr...

Page 135: ...ertified for support For the latest list check the IBM Support Web site at http www ibm com software sysmgmt products support Tivoli_Supported_Platforms html Lists of the hardware requirements for all...

Page 136: ...y Windows and Linux systems at this time The system used by ABBC for the Security Compliance Manager client is Windows XP professional with SP2 installed Pentium IV 3 0Ghz CPU 512 MB of system memory...

Page 137: ...llation Guide for Cisco Secure ACS for Windows Server Version 4 0 the Access Control Server must comply with these minimum hardware specifications Pentium IV CPU at 1 8 Ghz or faster 1 GB of system memo...

Page 138: ...es The following list shows the supported Layer 3 devices if they use Cisco IOS Software Release 12 3 8 T or later with Advanced Security feature set or greater Cisco 83x Series Router Cisco 850 Serie...

Page 139: ...oft Windows 2000 Advanced Server Service Pack 4 or later Microsoft Windows XP Professional Service Pack 1 or 2 Microsoft Windows 2003 Server Standard Edition Service Packs 0 and 1 Microsoft Windows 20...

Page 140: ...it is used by the Operations department for Software Distribution and Inventory In 8 2 2 Tivoli Configuration Manager on page 359 the installation of the additionally required Web Gateway component is...

Page 141: ...hnology that brings with it a huge paradigm shift in network security management There are three main parts outlined in this chapter In part one the security compliance infrastructure is established a...


Page 143: ...Security Compliance Manager server. Installation of the policy collector and the Tivoli Configuration Manager based remediation handler collectors onto the Tivoli Security Compliance Manager server. Co...

Page 144: ...ion bundle, and it is a prerequisite that it be installed first. Follow the steps below to install the DB2 database. 1. To start the installation, move to the directory where you have copied the binaries a...

Page 145: ...2. After a little while you are presented with the Welcome window, as shown in Figure 6-1. Click the Install Product selection on the left. Figure 6-1 DB2 installation...

Page 146: ...3. The DB2 version selection is presented, similar to the one shown in Figure 6-2. Depending on the installation media you use, there may be more than one option presented. Select DB2 UDB Enterpri...

Page 147: ...4. Next the welcome window is displayed, as presented in Figure 6-3. Click Next. Figure 6-3 Setup wizard welcome window...

Page 148: ...5. On the next dialog you are presented with the standard license agreement (Figure 6-4). Accept the license and click Next. Figure 6-4 Licens...

Page 149: ...6. In the Installation type selection window (Figure 6-5), leave all of the default values, which is Typical installation, and click Next. Figure 6-5 Installation type sel...

Page 150: ...action selection, where there are two options: Install the product, which is selected by default, and Save your settings, which will save your selections to a response file that can then be used for silent i...

Page 151: ...8. In the next window, shown in Figure 6-7, you must select the installation destination folder. Make sure that there is enough space on the selected drive and click Next. Figure 6-7 Inst...

Page 152: ...provide user information. We strongly recommend leaving the default user name db2admin. In the next two fields provide the password for this user. Make sure that you have written this down, as you will n...

Page 153: ...tion options, where you may specify the names of the users who should be notified by the database if something goes wrong. If you leave the defaults and click Next, you will be presented with the additional...

Page 154: ...uration options. You can explore the protocol settings and change the startup options. The default instance name on Windows is DB2, the communication protocol used is TCP/IP, and the database instance is...

Page 155: ...12. As we do not need to use any DB2 tools, on the next dialog, shown in Figure 6-11, click Next. Figure 6-11 DB2 Tools selection dialog...

Page 156: ...13. In the next window, presented in Figure 6-12, you can provide the contact information for a user to receive the database health notifications. Select the option to Defer this task until after installat...

Page 157: ...14. In the next window, shown in Figure 6-13, you are given a last chance to review your selected options. If everything is as you want, click Install. Figure 6-13 Installati...

Page 158: ...om left corner. Figure 6-14 Installation completion window. This completes the installation of the DB2 database. You may proceed with installing the next components for the solution. 6.1.2 Installation of...

Page 159: ...e 6-15. Accept English and click Next. Figure 6-15 Language selection dialog. 3. Click Next on the Tivoli Security Compliance Manager Welcome window, which is presented next. There will be a license agreeme...

Page 160: ...cted, the graphical user interface will be installed, as well as the command line utilities for managing the server. This option is displayed during the installation on all supported operating systems. Ho...

Page 161: ...ance Manager server installation. This is a recommended option in large scale deployments. For this installation we must have all three components installed, so select the second option, Server, as present...

Page 162: ...he administrators of the violations found, as well as for distributing the reports. Specify the SMTP server name as well as the account the Tivoli Security Compliance Manager server will use to send the...

Page 163: ...In the next window, shown in Figure 6-20, the installation wizard asks for the communication ports the server uses to communicate with the clients. We strongly recommend leaving the defaults. Click Next. F...

Page 164: ...e System name certificate field you must provide the system name that will be used to generate the self-signed certificate for the Tivoli Security Compliance Manager server. In the next four fields pro...

Page 165: ...ow presented in Figure 6-22, select the location for your database. If you installed DB2 as described in 6.1.1, Installation of DB2 database server on page 126, select The database is on the local system...

Page 166: ...next dialog provide the database configuration information, as shown in Figure 6-23. Enter the user name and password for the DB2 administrator you provided in step 9 on page 134. Leave the other fi...

Page 167: ...11. In the next dialog, shown in Figure 6-24, you are asked whether the database should be created during this installation. Make sure that the check box is marked and click Next. Figure 6...

Page 168: ...user ID and password for the Tivoli Security Compliance Manager server, as shown in Figure 6-25. Use the name admin and enter a password of your choice. This user ID is created in the Tivoli Security Complia...

Page 169: ...13. Finally you are presented with the installation selection summary, as shown in Figure 6-26. Click Next to start the actual installation. Figure 6-26 Installation optio...

Page 170: ...his concludes the Tivoli Security Compliance Manager server installation. You may proceed with the next components. 6.2 Configuration of the compliance policies. Since we have a Security Compliance Manag...

Page 171: ...and return the collected data back to the Tivoli Security Compliance Manager server. Queries, reports and policies can be defined and run to verify compliance using the data collected. However, posture co...

Page 172: ...f one of two types. Operational: operational parameters are used to make a determination regarding a client system's security posture. For example, an operational parameter might indicate the required sof...

Page 173: ...are defined. There are several ways to do this, for example installing them from the jar files posted on the Tivoli Security Compliance Manager support page, or importing the already defined policy which b...

Page 174: ...tallation, as described in step 12 on page 150 in the Installation of Tivoli Security Compliance Manager server procedure. Figure 6-28 Tivoli Security Compliance Manager GUI login. 4. If it is the first t...

Page 175: ...the Tivoli Security Compliance Manager version. Click OK. On the main Administrative Console window, as shown in Figure 6-30, switch to the Policies tab. Figure 6-30 Tivoli Security Compliance Manager Adm...

Page 176: ...tep 1 and select the TCMCLI.pol file, as shown in Figure 6-32. Click Import. Figure 6-32 Import file selection dialog. 8. In the next dialog, presented in Figure 6-33, you can change the default policy name...

Page 177: ...9. In the next step the import wizard performs a validation of the signatures of the collectors included with the policy. When it is completed, as shown in Figure 6-34, click Next. Figure 6...

Page 178: ...installed in your environment, you may be asked whether the existing collectors should be overwritten with the new ones included with the policy. If you are just following this book there will be no warning...

Page 179: ...ust be assigned to every client that is supposed to use the auto-remediation feature. This policy does not check anything on the client. The only task of this policy is to distribute the correct level...

Page 180: ...values must be supplied as parameters for the NAC collectors rather than in the SQL query in the compliance object definition. 1. To start the customization, open the Tivoli Security Compliance Manager Ad...

Page 181: ...The collector responsible for the Symantec Antivirus policy check is named nac.win.any.nav.PostureNavV2, and it is capable of checking three conditions, regulated by the parameters specified on the Para...

Page 182: ...ymantec Norton Antivirus product versions that should be upgraded. This list may consist of one or more entries. VERSION_WF: Workflow. Name of the workflow used for remediation if the software is not inst...

Page 183: ...nd right-click the User Password Settings collector. Then click Edit collector parameters. The parameters for the collector nac.win.any.netaccounts.PostureNetAccountsV2 are displayed, as shown in Figure...

Page 184: ...ARN_MIN_LEN_UNDER: Operational. An integer value used to indicate the minimum allowable password length to avoid a warning. FAIL_MIN_LEN_UNDER: Operational. An integer value used to indicate the minimum al...

Page 185: ...customize is the one that checks for the appropriate operating system service pack level installed on the client workstation. Back at the list of the collectors, right-click the Windows Service Pack col...

Page 186: ...s we only need to edit the two relevant parameters, WARN_WINDOWS_XP and PASS_WINDOWS_XP. The full list of parameters is described in Table 6-3. Table 6-3 Parameter information for nac.win.any.oslevel.Posture...

Page 187: ...licy we customize is the one that checks for appropriate hotfixes installed on the client workstation. WARN_WINDOWS_2000: Operational. List of service packs that generate warnings for the Microsoft Windo...

Page 188: ...parameters by selecting the proper tabs and adding all of the hotfixes that you require to be installed in your environment. To add additional values to the parameter, click the plus sign. To remove the...

Page 189: ...d with parameters for the generic nac.win.any.regkey.PostureRegKeyV2 collector, as shown in Figure 6-44. This is one of the most universal collectors, as it allows you to check the existence and value of...

Page 190: ...heck run is the registry key existence check for the key specified in the KEY parameter. If more than one parameter value is provided, only the first parameter value will be used. NO_VALUE_RULE: Operation...

Page 191: ...determine the status of various checks if a specific rule does not apply. No more than one parameter value should be provided. If more than one parameter value is provided, only the first parameter value...

Page 192: ...or the last rule is reached. If a matching rule is found, the status of the value data check is set to the rule's result and no more rules are evaluated. If all the rules are evaluated without finding a...

Page 193: ...ith the check. If a value was detected, the current_values attribute of the workflow will be set to the detected value. The workflow will also have the attribute key set to the parameter value of the KEY...

Page 194: ...emediation with different parameters depending on which part of the check was missing. Checking for Windows XP firewall forced off. In order to check whether the Windows XP Firewall is not forced off, th...
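The rule evaluation that pages 189 to 194 describe for the registry collector (existence check on the first KEY value, NO_VALUE_RULE when the key carries no value data, ordered rules where the first match wins, and the key and current_values attributes handed to the remediation workflow) is easier to reason about as code. The following is an added example written for this page; it is not the Redbook's text and not the code of the nac.win.any.regkey.PostureRegKeyV2 collector. The registry snapshot is constructed, and the rule tuple layout (operator, expected, status), the parameter names VALUE_NAME, RULES and DEFAULT_RULE, and the Group Policy firewall path used for the "firewall forced off" case are assumptions made for illustration.

```python
"""Rule evaluation for a registry-key posture check (added example).

Not the Redbook's code and not the PostureRegKeyV2 collector's code.  The
registry snapshot is constructed; the rule tuple layout (operator,
expected, status) and the parameter names VALUE_NAME, RULES and
DEFAULT_RULE are assumptions for illustration.
"""
import operator
from dataclasses import dataclass, field
from typing import Optional

PASS, WARN, FAIL = "PASS", "WARN", "FAIL"

# Constructed registry snapshot: key path -> {value name: data}.
CONSTRUCTED_REGISTRY = {
    # Assumed policy location; 0 means the firewall is forced off by policy.
    r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile": {
        "EnableFirewall": 0,
    },
    r"HKLM\SOFTWARE\Example\Present": {},   # key exists but carries no values
}

OPERATORS = {
    "eq": operator.eq, "ne": operator.ne,
    "lt": operator.lt, "le": operator.le,
    "gt": operator.gt, "ge": operator.ge,
}


@dataclass
class RegKeyResult:
    key_exists: str                  # status of the existence check
    value_status: Optional[str]      # status of the value data check, None if not run
    workflow: dict = field(default_factory=dict)   # attributes passed to remediation


def evaluate_regkey(registry: dict, params: dict) -> RegKeyResult:
    # Only the first KEY value is honoured, as the collector documents.
    key = params["KEY"][0]
    value_name = params.get("VALUE_NAME", [None])[0]
    no_value_rule = params.get("NO_VALUE_RULE", [FAIL])[0]
    default_rule = params.get("DEFAULT_RULE", [PASS])[0]

    workflow = {"key": key}          # the workflow always learns which key was checked
    if key not in registry:
        # Existence check fails; the value data check is not run at all.
        return RegKeyResult(FAIL, None, workflow)

    values = registry[key]
    if value_name is None or value_name not in values:
        # Key present but no value data: NO_VALUE_RULE decides the status.
        return RegKeyResult(PASS, no_value_rule, workflow)

    detected = values[value_name]
    workflow["current_values"] = detected
    # Rules are tried in order; the first match sets the status and stops evaluation.
    for op_name, expected, status in params.get("RULES", []):
        if OPERATORS[op_name](detected, expected):
            return RegKeyResult(PASS, status, workflow)
    # No rule matched: fall back to the default rule.
    return RegKeyResult(PASS, default_rule, workflow)


# Parameters for the "Windows XP firewall forced off" case (assumed key path).
FIREWALL_PARAMS = {
    "KEY": [r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"],
    "VALUE_NAME": ["EnableFirewall"],
    "RULES": [("eq", 0, FAIL)],      # forced off -> FAIL and trigger remediation
    "NO_VALUE_RULE": [PASS],         # no policy value at all -> not forced off
    "DEFAULT_RULE": [PASS],
}

if __name__ == "__main__":
    print(evaluate_regkey(CONSTRUCTED_REGISTRY, FIREWALL_PARAMS))
```

Running it with the constructed snapshot reports the existence check as PASS and the value check as FAIL, with current_values set to 0, which is exactly the information a remediation workflow needs to decide which part of the check was missing.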

Page 195: ...ollector parameters from the pop-up menu. Figure 6-45 Parameters for Service collector. The nac.win.any.service.ServicePostureV2 collector is able to check two conditions: whether the service specified is runn...

Page 196: ...so we will not specify any values for the REQ_DISABLED and SERVICE_DISABLED_WF fields. The summary of the settings for this policy is presented below. SERVICE_REQ equal to TrueVector Internet Monitor. R...

Page 197: ...urity policy requires this service to be disabled. For that purpose we reuse the same collector type as for checking the ZoneAlarm service. However, this time we must specify the SERVICE_REQ, REQ_DISABLED...

Page 198: ...The new dialog is presented as shown in Figure 6-47. Select the destination policy for the copy process of the compliance query. Select IISSCN_TCM_v2.00_winXP, which is also the source for this com...

Page 199: ...in one policy, so the copy of the compliance query is automatically renamed; it received an added _0 suffix. We must rename our new compliance query. Right-click the new ZoneAlarm Firewall Active_0 compli...

Page 200: ...In the following dialog modify the name value to Messenger Service Disabled and click OK. Then in the right pane modify the description of the compliance query, as shown in Figure 6-49, and click the...

Page 201: ...fy the collector parameters for the Messenger Service Disabled compliance query. Select the IISSCN_TCM_v2.00_winXP policy in the left pane and then click the Collectors tab for this policy in the left...

Page 202: ...ssenger Service Disabled and click Stop sharing collector item from the pop-up menu, as shown in Figure 6-51. Figure 6-51 Disabling collector sharing. A small dialog window is displayed asking you for th...

Page 203: ...wing parameter values: SERVICE_REQ equal to Messenger; REQ_RUNNING not set; SERVICE_RUNNING_WF not set; REQ_DISABLED equal to 1; SERVICE_DISABLED_WF equal to TCRMessengerDisabled. When you are done editing...

Page 204: ...s of clients in your environment with different operating systems or different requirements, you may need to add more policies, repeating the steps described above for each policy and setting the correc...

Page 205: ...with administrative privileges, select the Clients tab and click the Actions → Group → Create Group menu item, as shown in Figure 6-55. Figure 6-55 Create group action selection. 2. On the Create group dialog...

Page 206: ...tree in the left pane and click Actions → Policy → Add policy, as shown in Figure 6-57. Figure 6-57 Add policy menu selection. 4. The Select a policy window is displayed, as shown in Figure 6-58. Select the IIS...

Page 207: ...to the group. TCMCLI utility policy. The TCMCLI is the utility policy that associates the Tivoli Configuration Manager CLI back end for use by the Tivoli Security Compliance Manager remediator. The quer...

Page 208: ...and is available in two different options. There is the Cisco Trust Agent for Windows with a dot1x supplicant and the Cisco Trust Agent for Windows without a dot1x supplicant. This section focuses on t...

Page 209: ...ificate, you have to extract and use this certificate. The procedure for extracting the Cisco Secure ACS certificate is described in 7.1.1, Configuring the Cisco Secure ACS for NAC L2 802.1x on page 214. N...

Page 210: ...installation uses the Microsoft Windows Installer (MSI) and requires administrator privileges. 1. Start the installation process by double-clicking the setup file or typing the command ctasetup supplicant...

Page 211: ...3. The license agreement is presented, as shown in Figure 6-63. Select I accept the license agreement and click Next. Figure 6-63 License agreement for Cisco Trus...

Page 212: ...4. Accept the defaults (Figure 6-64) and click Next. Figure 6-64 Cisco Trust Agent destination folder selection...

Page 213: ...5. Accept the default depicted in Figure 6-65 and click Next. Figure 6-65 Cisco Trust Agent installation type...

Page 214: ...6. Click Next (Figure 6-66). Figure 6-66 Ready to install the Cisco Trust Agent application...

Page 215: ...s copied into the Certs directory, the window in Figure 6-67 is presented during the installation. Click OK. Remember, this step is optional and will only be presented if you have copied the certificate f...

Page 216: ...igure 6-67 on page 197 during the installation, install the certificates manually using the ctaCert.exe utility. This utility is located in the CiscoTrustAgent subdirectory of the installation directory...

Page 217: ...er client setup. 6.3.2 IBM Tivoli Security Compliance Manager client. In this section we describe the installation of the Tivoli Security Compliance Manager client. It is a requirement to have the Cisco Trus...

Page 218: ...sing the same type of Java installer; however, this version of the client runs a different version of the JVM, and the installation files were separated. To perform the installation follow the ste...

Page 219: ...2. The Security Compliance Manager welcome screen appears momentarily (Figure 6-71). Figure 6-71 The welcome window...

Page 220: ...3. The Client Installation Utility window appears, as depicted in Figure 6-72. After carefully reading all of the required information, click Next. Figure 6-72...

Page 221: ...4. The license agreement window is displayed (Figure 6-73). Select I accept the terms in the license agreement and click Next. Figure 6-73 License agreement for IBM Tivoli Secur...

Page 222: ...5. Accept the default destination folder shown in Figure 6-74 and click Next. Figure 6-74 Directory selection window...

Page 223: ...6. Accept the default client installation (Figure 6-75) and click Next. Figure 6-75 Setup type window...

Page 224: ...ns for requests. The default port is 1950. The client can operate in one of these communication modes. Push: this is the mode in which communication can be initiated from both sides, client and server. This...

Page 225: ...Figure 6-77 Client connection window...

Page 226: ...umber during the server installation, accept the default. Figure 6-78 Server communication configuration window. If you selected the push mode in the previous step, you will be given an option to indicate...

Page 227: ...ias name for the client. This name will be shown on the Security Compliance Manager server during client registration, and the client will be referenced by this name in the Security Compliance Manager G...

Page 228: ...11. Finally the installation summary window is displayed (Figure 6-80). Click Next. Figure 6-80 Security Compliance Manager client installati...

Page 229: ...12. The Security Compliance Manager client is successfully installed. Click Finish to close the window shown in Figure 6-81 to complete this step of the process. Figure 6-81 Succ...

Page 230: ...igure 6-82 Security Compliance Manager posture plug-in files. 6.4 Conclusion. This concludes the installation and configuration of the basic compliance subsystem. At this point you have established and a...

Page 231: ...ment of the network infrastructure. Configuring NAC Appliance components. Installing the CCA Agent. Configuring Out-Of-Band Virtual Gateway Server. Deployment of the network infrastructure. 7. Note: Although...

Page 232: ...uired, and configuration of the individual components that comprise the NAC feature: 1. Installing Cisco Secure ACS. 2. Configuring the administrative interface to Cisco Secure ACS. 3. Allowing administrator...

Page 233: ...ave and reuse your existing configuration. For details about the install process, refer to the Installation Guide for Cisco Secure ACS for Windows 4.0, located at http://www.cisco.com/en/US/products/sw/sec...

Page 234: ...t actions to the NAD. To enable the appearance of the enforcement action interface in the Cisco Secure ACS administrator interface, perform the following steps. 1. Click Interface Configuration on the Cis...

Page 235: ...r its software update. 4. Click Submit (Figure 7-3) to add these configuration options to the Shared Profile Components interface. These options are necessary for the configuration of the enforcement actio...

Page 236: ...P (optional). If you want to configure ACS from a remote client using the Web interface, you must configure at least one administrator user name and password. 1. Click Administration Control on the Cisco Se...

Page 237: ...es. Cisco Secure ACS certificate setup. ACS should be configured with a digital certificate for establishing client trust when challenging the client for its credentials. Cisco Secure ACS uses the X.509...

Page 238: ...nstalled on each client taking part in the network admission control process. For the purpose of the book we used a self-signed certificate. Using an ACS self-signed certificate. With Cisco Secure ACS Ve...

Page 239: ...window (Figure 7-6). Figure 7-6 Generating self-signed certificate. 2. Fill in the blanks with the appropriate information according to your own installation. Be sure to enable Install generated certificate...

Page 240: ...4. Restart the Cisco Secure ACS (Figure 7-7). Figure 7-7 Restart Cisco Secure ACS...

Page 241: ...nerating and installing the self-signed certificate on the Cisco Secure ACS, include the certificate file as part of the install process for each client when installing the Cisco Trust Agent, or install...

Page 242: ...attribute-id=00020 attribute-name=Policy Version attribute-profile=in out attribute-type=string [attr#1] vendor-id=2 vendor-name=IBM Corporation application-id=50 application-name=SCM attribute-id=0002...

Page 243: ...sion added to registry. [attr#2] Attribute 2 (50:21) Violation number added to registry. AVP Summary: 3 AVPs were added to the registry. In addition, 2 AVPs were automatically added to the registry. IMPORTANT: N...

Page 244: ...set up logging. 1. Click System Configuration on the Cisco Secure ACS main menu. 2. Click Logging. 3. Click CSV Passed Authentications (Figure 7-9). Figure 7-9 Logging configuration. 4. Enable the Log to CSV Pa...

Page 245: ...y access. This makes writing policy rules and troubleshooting much easier. The NAS-IP-Address and User-Name fields also provide valuable information during troubleshooting. All client instances successfu...

Page 246: ...the Log to CSV Failed Attempts report under Enable Logging. Repeat step 4 on page 226, selecting the items you wish to log. A selection is shown in Figure 7-11. Figure 7-11 Failed attempts logging. 7. Clic...

Page 247: ...sary. Click Restart to apply the new configuration. Figure 7-12 Log file management. Configuring a network device group in Cisco Secure ACS. To make Cisco Secure ACS interact with a Network Access Device...

Page 248: ...is possible to group the NADs into Network Device Groups (NDGs) for location- or service-based filtering. To do this, the use of NDGs must first be enabled. 1. Click Interface Configuration from the main me...

Page 249: ...2. Select Advanced Options (Figure 7-13 on page 230). Ensure that Network Device Groups is checked (Figure 7-14). Figure 7-14 Network Device Group check...

Page 250: ...you wish to use, for example switches, and the RADIUS key used by the AAA clients that make up this NDG, for example cisco123. Note: Figure 7-15 changes depending on your interface configuration. If you a...

Page 251: ...e Network Configuration screen, select the hyperlink under Network Device Groups. If you did not assign a name in step 5, you will see Not Assigned as the name (Figure 7-15 on page 232). By clicking this li...

Page 252: ...a NAD. Click Submit and then Apply. Figure 7-17 AAA client setup. Note: The use of wild cards is designed to help with scalability issues. For example, if your network has over 100 switches, defining each o...

Page 253: ...8. You should now see the newly defined AAA clients (Figure 7-18). Figure 7-18 AAA Clients...

Page 254: ...he main menu (Figure 7-13 on page 230), then select RADIUS (IETF) (Figure 7-19). Figure 7-19 Global IETF RADIUS attributes. For L2Dot1x NAC you must select the following: [027] Session-Timeout, [029] Termination-Act...

Page 255: ...isco Secure ACS requires careful thought and planning. In the NAC L2 802.1x scenario we are using here, we have two locally defined groups, sales and engineering. One of the nice features about NAC L2 802...

Page 256: ...ach group as applicable. In the example here we have renamed Group 2 as Sales and Group 3 as Engineering. Figure 7-21 Group Setup. 3. Click Submit + Restart after completing the group configuration. Note: Onl...

Page 257: ...sers. Now that the groups have been defined, we can create our users and then add them to their relevant group. 1. From the main menu select User Setup, as shown in Figure 7-22. Figure 7-22 User setup. 2. In...

Page 258: ...Info, followed by the user setup details, as shown in Figure 7-23. The password authentication in this example is set to ACS Internal Database, the password has been entered and confirmed, and the user has be...

Page 259: ...t Global Authentication Setup (Figure 7-24). Figure 7-24 Global Authentication Setup. 2. Make sure that each check box is selected, that Enable Fast Reconnect is selected, that the PEAP and EAP-TLS time-outs are...

Page 260: ...wn in Figure 7-25 requires you to enter a lot of fields. Table 7-1 lists all fields and their respective values. Table 7-1 EAP-FAST configuration values. EAP-FAST configuration | Condition. Allow EAP-FAST | C...

Page 261: ...ume | Checked. Authorization PAC TTL | One hour. Allow inner methods: EAP-GTC | Checked; EAP-MSCHAPv2 | Checked; EAP-TLS | Checked. Select one or more of the following EAP-TLS comparison methods: Certificate SAN compa...

Page 262: ...Configuring posture validation. To do this: 1. Select Posture Validation from the Main Menu (Figure 7-26). Figure 7-26 Posture Vali...

Page 263: ...2. Select Internal Posture Validation. The screen shown in Figure 7-27 will be displayed. 3. Click Add Policy (Figure 7-27). Figure 7-27 Posture Validation P...

Page 264: ...4. In this example we have entered the name of the first policy as CTA, with the description Cisco Trust Agent. Then click Submit (Figure 7-28). Figure 7-28...

Page 265: ...5. Click Add Rule (Figure 7-29). Figure 7-29 Posture Validation for CTA...

Page 266: ...6. Click Add Condition Set (Figure 7-30). Figure 7-30 Condition sets for CTA policy...

Page 267: ...PA:PA-Version. The operator value should be set to >= and the value set to 2.0.0.0. This simply means that we are setting up a check for the Cisco Trust Agent to be present on the endpoint and that it mus...

Page 268: ...8. Figure 7-32 shows that, if this condition is satisfied, an Application Posture Token (APT) of Healthy is returned. Clicking Submit here takes us to Figure 7-33 on page 251. Fi...

Page 269: ...need to modify the default action, which is the action to be taken if the condition we just created is not met. You will notice that there is a default condition, which we will modify for this purpose. Cl...

Page 270: ...Quarantine, as shown in Figure 7-34. In the notification string add the line http://tcmweb/SoftwarePackageServerWeb/SPServlet. Figure 7-34 Quarantine condition applied as default action. Note: http://tcmweb/So...

Page 271: ...11. Click Submit and you will find yourself back in the dialog shown in Figure 7-35. Figure 7-35 Completed posture validation for CTA. 12. Click Do...

Page 272: ...13. Click Apply and Restart, as shown in Figure 7-36. Figure 7-36 CTA posture validation policy. 14. Next we must repeat the process to create a post...

Page 273: ...15. Click Add Policy (Figure 7-37). Figure 7-37 Repeating the process for Security Compliance Manager...

Page 274: ...16. In this example we use TSCM in the Name field and IBM Security Compliance in the Description field, as shown in Figure 7-38. Figure 7-38 IBM...

Page 275: ...17. After entering the name and description, click Submit and you will see the dialog shown in Figure 7-39. Figure 7-39 IBM TSCM policy creation...

Page 276: ...ing used on the Security Compliance Manager server. In this example the policy version is IISSCN_EBU_v2.20_winXP. Click Enter. Note: This is to enforce the version of the TSCM policy being used. There is o...

Page 277: ...20. From the Attribute drop-down menu select IBMCorporation:SCM:PolicyViolation. From the Operator menu select = and for the Value enter 0. Then click Enter (Figure 7-41). Figure 7-41 TS...

Page 278: ...that the posture token is set to IBMCorporation:SCM and the value should be set to Healthy (Figure 7-42). Figure 7-42 Completed posture validation check for Security Compliance Manager. 23. Click Submit. 2...

Page 279: ...orporation:SCM (Figure 7-43), and the value should be set to Quarantine. The notification string should be the same as we discussed in step 10 on page 252 of this section: http://tcmweb/SoftwarePackageServer...

Page 280: ...27. Click Done (Figure 7-44). Figure 7-44 Completed Security Compliance Manager posture validation...

Page 281: ...28. Click Apply and Restart (Figure 7-45). Figure 7-45 Completed posture validation rules...

Page 282: ...d with Cisco Secure ACS 4.0. 1. Click Shared Profile Components from the main menu. This brings you to the dialog shown in Figure 7-46. Figure 7-46 Shared Profile Components. 2. Click RADIUS Authorization C...

Page 283: ...ion. When a user authenticates via IEEE 802.1x, the posture is checked and a RAC is applied. In this way we can have individual Quarantine VLANs for the different groups, which also allows for different a...

Page 284: ...to Cisco IOS/PIX 6.0, which brings you to Figure 7-47. Figure 7-47 IOS RAC attribute. 7. In the value field enter status-query-timeout=30. 8. Click Submit. 9. Repeat this procedure, clicking Add next to Cisco I...

Page 285: ...10. Repeat the same procedure for the IETF attributes, first selecting the relevant field from the drop-down menu, then clicking Add (Figure 7-48). Use the values in Table 7-2 on page...

Page 286: ...lthy Engineering RAC, the Quarantine Sales RAC, the Quarantine Engineering RAC and the Default Quarantine RAC to be configured. The values for each can be found in the following tables. Table 7-3 Healthy...

Page 287: ...RADIUS-Request (1) | IETF Tunnel-Type (64) | T1: VLAN (13) | IETF Tunnel-Medium-Type (65) | T1: 802 (6) | IETF Tunnel-Private-Group-ID (81) | T1: 13 | Vendor | Attribute | Value | Cisco IOS/PIX 6.0 | cisco-av-pair (1) | status-query-timeout=30...

Page 288: ...entication timer is controlled by the value assigned to the IETF Session-Timeout (27) attribute. If set to 60, for example, the CTA pop-up screen will appear on the client workstation every 60 seconds. Ther...
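The RAC tables on pages 286 to 288 list attributes by name and number; what the switch actually receives is a run of RADIUS attribute TLVs, with the three tunnel attributes tied together by their tag (T1) so that the switch knows they describe one VLAN assignment. The following is an added example written for this page, not the Redbook's code and not Cisco Secure ACS code: it packs a VLAN-assigning RAC (Session-Timeout, Termination-Action, the tagged tunnel attributes per RFC 2868, and the cisco-av-pair vendor-specific attribute) and parses the bytes back, then derives the VLAN the switch would apply. VLAN 13, the 3600 second timeout and the status-query-timeout=30 pair are the page's values; the packing follows RFC 2865/2868 and is not ACS-specific.

```python
"""RADIUS attributes carried by a VLAN-assigning RAC (added example).

Not the Redbook's code and not Cisco Secure ACS code.  Builds the
attributes the RAC tables list and parses them back; VLAN 13 and the
3600 s Session-Timeout are the page's values, the packing is RFC 2865/2868.
"""
import struct

SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26

TUNNEL_TYPE_VLAN = 13            # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6            # Tunnel-Medium-Type "802"
TERMINATION_RADIUS_REQUEST = 1   # Termination-Action "RADIUS-Request"
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1                # vendor attribute type of cisco-av-pair


def _tlv(attr_type: int, payload: bytes) -> bytes:
    # RADIUS attribute: type, total length including the 2 header bytes, value.
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def integer_attr(attr_type: int, value: int) -> bytes:
    return _tlv(attr_type, struct.pack("!I", value))


def tagged_integer_attr(attr_type: int, tag: int, value: int) -> bytes:
    # RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value.
    return _tlv(attr_type, struct.pack("!B", tag) + value.to_bytes(3, "big"))


def tagged_string_attr(attr_type: int, tag: int, value: str) -> bytes:
    # RFC 2868 tagged string: 1-byte tag followed by the text (the VLAN number).
    return _tlv(attr_type, struct.pack("!B", tag) + value.encode("ascii"))


def cisco_av_pair(value: str) -> bytes:
    # Vendor-Specific (26): 4-byte vendor id, then vendor type, length, value.
    inner = value.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AV_PAIR, len(inner) + 2) + inner
    return _tlv(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_rac(vlan: int, tag: int = 1, session_timeout: int = 3600,
              av_pairs=("status-query-timeout=30",)) -> bytes:
    """Attributes of a VLAN-assigning RAC, in the order ACS lists them."""
    out = integer_attr(SESSION_TIMEOUT, session_timeout)
    out += integer_attr(TERMINATION_ACTION, TERMINATION_RADIUS_REQUEST)
    out += tagged_integer_attr(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
    out += tagged_integer_attr(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
    out += tagged_string_attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan))
    for pair in av_pairs:
        out += cisco_av_pair(pair)
    return out


def parse_attributes(data: bytes) -> list:
    """Decode a run of attributes into (type, tag-or-vendor-or-None, value) tuples."""
    attrs, pos = [], 0
    while pos < len(data):
        attr_type, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            attrs.append((attr_type, value[0], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            attrs.append((attr_type, value[0], value[1:].decode("ascii")))
        elif attr_type == VENDOR_SPECIFIC:
            vendor_id = struct.unpack_from("!I", value)[0]
            vtype, vlen = struct.unpack_from("!BB", value, 4)
            attrs.append((attr_type, vendor_id, (vtype, value[6:4 + vlen].decode("ascii"))))
        else:
            # Session-Timeout and Termination-Action are 4-byte integers.
            attrs.append((attr_type, None,
                          struct.unpack("!I", value)[0] if len(value) == 4 else value))
        pos += length
    return attrs


def assigned_vlan(attrs: list):
    """VLAN the switch applies: tunnel attrs sharing one tag, type VLAN, medium 802."""
    by_tag = {}
    for attr_type, tag, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            by_tag.setdefault(tag, {})[attr_type] = value
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return int(group[TUNNEL_PRIVATE_GROUP_ID])
    return None
```

Dropping any one of the three tunnel attributes, or giving them different tags, makes assigned_vlan return None, which is the on-the-wire reason a RAC that is missing one row of the table leaves the port in its default VLAN.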

Страница 289: ...ake based on the results of those checks Again we have deleted all of the pre configured sample configs to create our own from scratch 1 Select Network Access Profiles from the main menu which brings...

Страница 290: ...comprise the NAP authentication posture validation and authorization Each of these will have to be configured in turn after clicking Apply and Restart Figure 7 51 Newly created NAP Note Be careful in...

Страница 291: ...Validation Required is set Selected Databases should contain ACS Internal Database Figure 7 52 Figure 7 52 Authentication configuration for RAC 6 Click Submit This will take you back to the screen in...

Страница 292: ...Control Solution with IBM Tivoli and Cisco Systems 8 From the screen shown in Figure 7 53 click Add Rule Figure 7 53 Posture validation rule creation 9 Add a name in the Name field In our example we u...

Страница 293: ...dential Types there is a list of available credentials Select IBMCorporation SCM then click the arrow to move this to the column for selected credentials as shown in Figure 7 54 Repeat this process fo...

Страница 294: ...nal Posture Validation Policies CTA and TSCM should already be present The only action required here is to check them both under Select Figure 7 55 Figure 7 55 Selecting CTA and TSCM policies 12 Optio...

Страница 295: ...ample of CTA Healthy pop up 13 Optional Under System Posture Token Configuration add the following syntax in the Quarantine PA message this process is depicted in Figure 7 58 on page 278 img border 0...

Страница 296: ...imply embedding some color in the CTA pop ups on the end user s workstation You can tailor this so that you can have as simple or as colorful a pop up as you like Leaving these fields blank will resul...

Страница 297: ...twork enforcement subsystem implementation 279 Figure 7 59 Completed posture validation for NAC_IISSCN 15 Click Done This will take you back to the screen shown in Figure 7 50 on page 271 Click Apply...

Страница 298: ...click Authorization This takes you to the dialog depicted in Figure 7 60 Figure 7 60 Authorization rule creation 17 Click Add Rule 18 For this example from the drop down list under User Group select...

Page 299: ...1x As mentioned previously NAC L2 802 1x does not yet support downloadable ACLs Therefore the Downloadable ACL field has been deliberately left blank If you were configuring NAC L2 L3 IP this field w...

Page 300: ...ure 7 62 Completed Authorization RAC configuration 24 Click Submit 25 This will take you back to the screen in Figure 7 51 on page 272 Click Apply and Restart Engineering Quarantine Quarantine_Enginee...

Page 301: ...is that the user would have to log a call with the Helpdesk to have her account created or recreated Clientless user If a client tries to connect who does not have the CTA installed in a NAC L2 802 1...

Page 302: ...750 switch The ACLs are downloaded on a per user basis and are applied to the individual switch ports on a per session basis The section describes how to configure these downloadable ACLs 1 From the m...

Page 303: ...er 7 Network enforcement subsystem implementation 285 5 Add a name and description in the Name and Description fields as appropriate Figure 7 64 After this has been done click Add Figure 7 64 Naming o...

Page 304: ...286 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems 6 Enter the name of the ACL and the ACL definition Figure 7 65 Figure 7 65 Quarantine ACL definitions 7 Click Submit...

Page 305: ...nt items We are not using network filtering so we leave the default All AAA Clients Figure 7 66 Binding the ACL 9 Click Submit 10 Repeat steps 4 9 for the various ACLs to be created In our example we...

Page 306: ...sec pg healthy_hosts Cisco IOS PIX 6 0 cisco av pair 1 url redirect acl healthy_acl IETF Session Timeout 27 3600 IETF Termination Action 29 RADIUS Request 1 Vendor Attribute Value Cisco IOS PIX 6 0 ci...

Page 307: ...and what action to take based on the results of those checks Again we have deleted all the pre configured sample configs to create our own from scratch 1 Repeat step 1 on page 271 through to step 18...

Page 308: ...Downloadable ACL drop down list select Healthy_ACL Figure 7 68 Figure 7 68 L2IP Healthy Authorization rule 7 Click Add Rule 8 From User Group select Any 9 From System Posture Token select Quarantine 1...

Page 309: ...9 Completed L2IP Authorization rules 13 Click Submit 14 Click Apply and Restart This concludes the changes that needed to be made to the previous section to configure the ACS for a NAC deployment usin...

Page 310: ...ort for EoU Another example is that a Cisco 6500 running 12 2 18 SXF does not support NAC L2 802 1x authentication and validation on edge switches The current switch compatibility matrix can be found...

Page 311: ...0 deny ip any 192 168 15 0 0 0 0 255 access list 120 permit ip any any access list 130 remark Quarantine Sales VLAN ACLs access list 130 permit icmp any host 192 168 9 220 access list 130 permit icmp...

Page 312: ...rest of the network Quarantine a If you are in either the sales or engineering Quarantine VLAN you will need access to a DHCP server to get an IP address b You should be able to ping the Security Com...

Page 313: ...ReAuthPeriod From Authentication Server ReAuthMax 2 MaxReq 2 TxPeriod 30 RateLimitPeriod 0 Guest Vlan 15 Dot1x Authenticator Client List Supplicant 0011 25ce f56c Auth SM State AUTHENTICATED Auth BEND...

Page 314: ...st Port switchport access vlan 11 switchport mode access ip access group initial acl in spanning tree portfast ip admission l2 lpip output omitted ip access list extended Healthy_ACL remark Healthy AC...

Page 315: ...ure Token Age min 192 168 11 51 FastEthernet1 0 11 EAP Quarantine 0 show ip access list interface fa1 0 11 to check that the downloadable ACL has been applied to the switchport nac3750sa sho ip access...

Page 316: ...een from the ACS Configuring Cisco IOS Router for NAC L3 IP Currently NAC requires a Cisco IOS Software router running Cisco IOS Software Release 12 3 8 T or later that includes the Cisco IOS Advanced...

Page 317: ...aaa session id common Router config radius server host 10 1 1 1 key secret Replace the word secret with the shared key you configured for the Cisco Secure ACS Also configure the source IP address int...

Page 318: ...router configuration Router config identity profile eapoudp Router config device authorize ip address 172 30 40 32 policy NACless Router config identity policy NACless Router config access group clie...

Page 319: ...erface facing the hosts to be posture validated Router config access list 101 permit udp any host 172 30 40 1 eq 21862 Router config access list 101 deny ip any any Router config interface FastEtherne...

Page 320: ...d EAPoUDP messages or sessions enter the show eou or show eou all command Example 7 3 shows sample output Example 7 3 Output of show eou and show eou all command Router show eou Global EAPoUDP Configu...

Page 321: ...ted network The CAS enforces the policies you have defined in the CAM Web admin console including network access privileges authentication requirements bandwidth restrictions and Clean Access system r...

Page 322: ...lable from Cisco was 4 0 2 0 The version that we used for this book is a special Version 4 0 1 1 1 Click CCAAgent_Setup exe Click Next in the screen shown in Figure 7 71 Figure 7 71 Installation wizar...

Page 323: ...stem implementation 305 2 Accept the default installation folder and click Next as shown in Figure 7 72 Figure 7 72 Default install directory 3 Click Install to begin the installation Figure 7 73 Figu...

Page 324: ...s of its communication with the CAS which means it uses dynamically allocated ports for this purpose For deployments that have a firewall between the CAS and the CAM we recommend setting up rules in t...

Page 325: ...bsystem implementation 307 The steps are 1 Open a Web browser and enter the IP address of the CAM There is no specific port required 2 Enter the administrator name and password then click Login Figure...

Page 326: ...308 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems 3 The Clean Access Summary window will be displayed Figure 7 76 Figure 7 76 CAM summary window...

Page 327: ...Chapter 7 Network enforcement subsystem implementation 309 4 From the Main Menu select Device Management CCA Servers Figure 7 77 Figure 7 77 Device Management...

Page 328: ...ution with IBM Tivoli and Cisco Systems 5 Select New Server Add the server IP address and server location and from the drop down list select Out Of Band Virtual Gateway Figure 7 78 Figure 7 78 Adding...

Page 329: ...e CAS in Virtual Gateway Mode in band or out of band you must leave the untrusted interface eth1 disconnected until after you have added the CAS to the CAM and completed the VLAN mappings Keeping eth1...

Page 330: ...Building a Network Access Control Solution with IBM Tivoli and Cisco Systems 8 Click the Manage icon for the CAS just added This takes you to the dialog shown in Figure 7 80 Figure 7 80 CAS Status scr...

Page 331: ...from the trusted and non trusted networks access and authentication VLANs in the IP Address field These IP addresses should be static outside of the DHCP scope and be neither the network number nor b...

Page 332: ...clude the IP Address and subnet mask VLAN ID as shown in Figure 7 82 Click Add Managed Subnet Figure 7 82 Managed subnets 12 Select Advanced VLAN Mapping 13 Check the Enable VLAN Mapping box Click Upd...

Page 333: ...client s port is initially set to VLAN 20 By using VLAN mapping the client will receive a VLAN 20 access VLAN IP address from DHCP Should the client not be compliant the CAM will change the port s VLA...

Page 334: ...n asterisk the subnet information should be and the operating system should be set to ALL This will allow Web login and Clean Access Agent users to authenticate Figure 7 84 Figure 7 84 Login page Conf...

Page 335: ...Chapter 7 Network enforcement subsystem implementation 317 2 Enter the group name and description Figure 7 85 Figure 7 85 Switch Group creation 3 Click Add...

Page 336: ...318 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems 4 Verify your new switch group Figure 7 86 Figure 7 86 Switch Group verification...

Page 337: ...menu select Profiles Switch New Figure 7 87 Figure 7 87 New switch profile 2 Fill in the fields as appropriate In our scenario we used Profile Name 3750 Switch Model Cisco Catalyst 3750 series SNMP P...

Page 338: ...profile will appear as shown in Figure 7 88 Figure 7 88 Switch profile Configuring Port Profile There are three types of port profiles for switch ports uncontrolled controlled and controlled using ro...

Page 339: ...ort is assigned to the Access VLAN specified in the port profile or the role settings 1 Select Switch Management Profiles Port New Figure 7 89 Figure 7 89 New port profile 2 Enter a profile name We us...

Page 340: ...rk Access Control Solution with IBM Tivoli and Cisco Systems 4 Under Options Device Disconnect check the box Remove out of band online user when SNMP link down is received Figure 7 90 Figure 7 90 Mana...

Page 341: ...91 Configured switch profiles Configuring SNMP receiver SNMP receiver setup provides settings for the SNMP receiver running on the CAM which receives the mac notification link down SNMP trap notificat...

Page 342: ...ess of the switch if already known or by searching a specific subnet In our example we are specifying the exact IP address of the switch 1 Select Switch Management Devices Switches New 2 3750 should b...

Page 343: ...IP address of the switch should be entered in the IP Address box and a description entered in the Description field Figure 7 93 Figure 7 93 Manually adding a switch to be managed 3 Click Add 4 The sw...

Page 344: ...326 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems 5 As seen in Figure 7 94 click the Ports icon Figure 7 94 Managed switch...

Page 345: ...efined to classify the user for the duration of their session This classification of the user controls traffic policies bandwidth restrictions session duration and VLAN assignment 1 Click User Managem...

Page 346: ...tion as appropriate Our example uses the name AllowAll Select the options as appropriate The fields of main importance here are Role Type and Out Of Band User Role VLAN For our example we used Normal...

Page 347: ...he trusted network Two types of traffic policies are available IP based policies and host based policies IP based policies Allow you to specify IP protocol numbers as well as source and destination po...

Page 348: ...you have created In our example that is AllowAll In the second drop down menu select Trusted Untrusted Click Select Figure 7 98 Figure 7 98 Rules for trusted to untrusted 3 The action should be Allow...

Page 349: ...ill be to allow access from the Auth VLAN to the Security Compliance Manager Set the following parameters Action Allow State Enabled Category IP Protocol TCP Untrusted 192 168 20 0 255 255 255 0 Trust...

Page 350: ...tine role is used for users not passing a network scan which is out of the scope of this guide Creating local users CAM has the ability to perform user authentication using a variety of methods such a...

Page 351: ...ubsystem implementation 333 2 Add the user name password and description as appropriate From the Role drop down menu select which role this user should be mapped to Figure 7 101 Figure 7 101 Creating...

Page 352: ...ce especially designed to interoperate with the Tivoli Security Compliance Manager client for the purpose of this book NAC Appliance 4 1 scheduled for release before the end of 2006 will contain a fea...

Page 353: ...be set to running Check Description should be set to SCM_Service Operating System should have Windows XP checked Figure 7 103 Security Compliance Manager Service check 3 Click Add Check 4 Repeat step...

Page 354: ...be set to Version Value Data Type should be set to String Operator should be set to equals Value Data should be set to 4 0 1 1 Check Description should be set to CCA_Compliance Operating System shoul...

Page 355: ...Chapter 7 Network enforcement subsystem implementation 337 6 These two checks should now be displayed Figure 7 105 Figure 7 105 Rules check list check...

Page 356: ...BM Tivoli and Cisco Systems 7 Click New Rule Figure 7 106 Figure 7 106 New rule 8 Enter the following information Rule Name SCM_Service Rule Description Tivoli SCM Service Operating System Windows XP...

Page 357: ...epeat steps 7 and 8 entering the following information Figure 7 107 Rule Name CCA_Compliance Rule Description Cisco Clean Access Agent version Operating System Windows XP Rule Expression CCA_Complianc...

Page 358: ...g a Network Access Control Solution with IBM Tivoli and Cisco Systems 12 The newly defined rules will be displayed Figure 7 108 Figure 7 108 New rules 13 Note that both the rules have a blue tick unde...

Page 359: ...er the following information From the Requirement Type drop down menu select IBM Tivoli SCM Set the Priority to 1 For Requirement Name enter IBM Tivoli SCM For Description enter Click Update to activa...

Page 360: ...ng the following information Figure 7 110 From the Requirement Type drop down menu select IBM Tivoli SCM Set the Priority to 2 For Requirement Name enter CCA_Compliance For Description enter CCA Versi...

Page 361: ...hould appear similar to Figure 7 111 Figure 7 111 Requirements list 20 Click Requirement Rules 21 Enter the following information From Requirement Name select SCM_Service From Operating System select...

Page 362: ...ation Figure 7 112 From Requirement Name select CCA_Compliance From Operating System select Windows XP From Rules for Selected Operating System check the box CCA_Compliance Click Update Figure 7 112 C...

Page 363: ...7 Network enforcement subsystem implementation 345 25 From Select requirements to associate with the role select both SCM_Service and CCA_Compliance Figure 7 113 Figure 7 113 Role requirements 26 Clic...

Page 364: ...Access Control Solution with IBM Tivoli and Cisco Systems Discovered clients To check that the Clean Access Solution is working properly select View Online Users Out of Band Figure 7 114 Figure 7 114...

Page 365: ...hese steps 1 Once the CCA Agent software has been installed on the client machine the user will be prompted for their user name and password Figure 7 115 Figure 7 115 Client log in screen 2 Click Logi...

Page 366: ...b page will pop up notifying the user that he is noncompliant Figure 7 117 Figure 7 117 Web page pop up informing user about non compliance 6 Click Continue 7 The user is disconnected from the network...

Page 367: ...ystem implementation 349 8 The user is advised of their temporary access Figure 7 118 and clicks Continue Figure 7 118 Temporary access notification 9 User clicks Update Figure 7 119 Figure 7 119 Requ...

Page 368: ...Figure 7 120 In this example we can see that there is a policy violation with the user password settings Figure 7 120 Security Compliance Manager Compliance Report window 11 User clicks Fix Now 12 A r...

Page 369: ...on the Security Compliance Manager Compliance Report window which shows all items in a state of green tick compliance Figure 7 122 Figure 7 122 Security Compliance Manager Compliance Report window all...

Page 370: ...t Configuring Cisco 3750 switch for NAC Appliance NAC Appliance OOB only works with Cisco switches If you are using hardware other than Cisco this solution can still be deployed but as in band which i...

Page 371: ...trunk allowed vlan 120 998 switchport mode trunk spanning tree portfast Example of interface configuration for Trusted CAS interface interface FastEthernet1 0 16 description Trusted Interface CCA Ser...

Page 372: ...public mac notification snmp 7 3 Conclusion In this chapter we presented the essential steps to build and configure a Network Admission Control solution for both NAC Framework and NAC Appliance appro...

Page 373: ...enance issues with the solution components and provide a detailed walkthrough for remediation workflow creation to match the security policy change process Creating the automated remediation component...

Page 374: ...rol Solution with IBM Tivoli and Cisco Systems Installation of the software package utilities Creating remediation workflows that match Security Compliance Manager policies with the suitable remedia...

Page 375: ...lanation of the current security policy as well as remediation instructions to the user The Tivoli Configuration Manager remediation handler is an additional Java class that is called when the user cl...

Page 376: ...re downloaded and maintained automatically from the Security Compliance Manager server when the policy is assigned to the client The steps required to properly set up the client workstation are descri...

Page 377: ...mponents In the next section we describe the detailed walkthrough to prepare the Tivoli Configuration Manager machine for automated remediation Tivoli Configuration Manager Web Gateway setup In our la...

Page 378: ...ents of Tivoli Configuration Manager Installation of Web infrastructure Installation of WebSphere Application Server is a simple process Below we describe the installation of WebSphere Application Ser...

Page 379: ...our installation media for WebSphere Application Server 5 1 to the win subdirectory and run the file LaunchPad bat 2 The installation Launchpad window is displayed as shown on Figure 8 1 Using the lau...

Page 380: ...Network Access Control Solution with IBM Tivoli and Cisco Systems 3 The WebSphere Application Server Installation wizard is displayed as shown in Figure 8 2 Click Next Figure 8 2 WebSphere Installatio...

Page 381: ...Remediation subsystem implementation 363 4 In the next window the standard license agreement is presented as shown in Figure 8 3 Accept the license and click Next Figure 8 3 Software License Agreemen...

Page 382: ...mory usage you can follow the full installation path However some of the next windows presented in the book may slightly differ If you want to follow the book select Custom and click Next Figure 8 4 I...

Page 383: ...nt selection dialog Important If you have the Internet Information Server installed on the machine where you are performing WebSphere installation there may be a port conflict on port 80 To prevent th...

Page 384: ...on with IBM Tivoli and Cisco Systems 7 In the next window shown in Figure 8 6 you may specify the directories where the software components will be installed Leave the default values and click Next Fi...

Page 385: ...dow you must specify the node name and host name for the Application Server to use Both fields will be filled in with your server host name by default as shown in Figure 8 7 We recommend that you leav...

Page 386: ...accept the default selection which is yes for both components enter a user name and password for the user account you want to use for the service to run Check the WebSphere installation guide for the...

Page 387: ...s summary as shown in Figure 8 9 To proceed with the installation click Next Figure 8 9 Installation options summary 11 The installation progress is shown in another dialog The process has several pha...

Page 388: ...BM Tivoli and Cisco Systems It may take a few minutes to complete the installation Then you are presented with the online registration window as shown in Figure 8 10 Uncheck Register this product now...

Page 389: ...tallation media set contains a CD with the base version of the WebSphere Application Server 5 1 Before installing further components you must install the latest recommended cumulative fix which is 11...

Page 390: ...IBM HTTP Server 1 3 28 4 Set up the proper environment variables using the following command cd C Program Files WebSphere AppServer bin SetupCmdLine bat 5 Go to the temporary directory you have create...

Page 391: ...Chapter 8 Remediation subsystem implementation 373 b The Install fix packs option is selected as shown in Figure 8 13 Figure 8 13 Installation option selection...

Page 392: ...rst one is installed You must run the procedure twice installing first Fix Pack 1 and then Cumulative Fix 11 Creating the necessary user account The Web Gateway component requires that a DB2 user exis...

Page 393: ...tion Manager Web Gateway To install this component you need the Tivoli Configuration Manager Web Gateway CD which is included with your Tivoli Configuration Manager installation bundle 1 Go to the dir...

Page 394: ...376 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems 3 The welcome window is presented Figure 8 16 Click Next Figure 8 16 Welcome window...

Page 395: ...Chapter 8 Remediation subsystem implementation 377 4 In the next window Figure 8 17 the standard license agreement is shown Accept the license and click Next Figure 8 17 License agreement window...

Page 396: ...work Access Control Solution with IBM Tivoli and Cisco Systems 5 The component selection is displayed as shown in Figure 8 18 Make sure that all three options are selected and click Next Figure 8 18 C...

Page 397: ...entation 379 6 The installation directory selection window is displayed Figure 8 19 Accept the default path but make sure that the drive has at least 510 MB of free space and click Next Figure 8 19 In...

Page 398: ...ialog Figure 8 20 most of the fields are already filled in Provide the passwords for the DB2 administration user and the dmsadmin user you have created according to the procedure described in Creating...

Page 399: ...usually these are the defaults for the selected platform and click Next Figure 8 21 Web infrastructure configuration window 9 If there was no Tivoli Endpoint installed on the server you are presented...

Page 400: ...Control Solution with IBM Tivoli and Cisco Systems If your Tivoli Configuration Manager is a single node installation this would be localhost as shown in the Figure 8 22 Then click Next Figure 8 22 E...

Page 401: ...383 10 The Secure access configuration window is presented as shown in Figure 8 23 Since we are not using Tivoli Access Manager in our environment accept the default Enable security is False and clic...

Page 402: ...Control Solution with IBM Tivoli and Cisco Systems 11 The summary of the selected installation options is presented as shown in Figure 8 24 Click Next to proceed with the installation Figure 8 24 Sum...

Page 403: ...e prerequisites are installed and configured you can proceed with the remediation server configuration After the Tivoli Configuration Manager Web Gateway installation there are two additional instance...

Page 404: ...Guide TCM package 1 Create a temporary directory on the Tivoli Configuration Manager Web Gateway server and extract the files from the IISSCN Extension Pack2 for Tivoli Configuration Manager file iiss...

Page 405: ...ollowed the installation of WebSphere Application Server as described in this book you should have no security turned on and you will see the standard login screen as shown in Figure 8 26 Enter any na...

Page 406: ...item in the left pane and click the Install New Application option The new content should be displayed in the right pane as shown in Figure 8 27 Figure 8 27 Install new application 5 In the Local pat...

Page 407: ...emediation subsystem implementation 389 6 The Preparing for the application installation window is displayed Figure 8 28 Accept the defaults and click Next Figure 8 28 Preparing for the application in...

Page 408: ...several next windows until you reach the one shown in the Figure 8 29 Click Finish to start the actual installation The button may be hidden in the lower part of the window depending on the resolutio...

Page 409: ...391 8 The installation may take a few seconds or few minutes depending on your server configuration In the window that displays the installation results find and click the Save to Master Configuratio...

Page 410: ...Access Control Solution with IBM Tivoli and Cisco Systems 9 In the next window shown in Figure 8 31 select Save to save the configuration changes to the master configuration file Figure 8 31 Saving th...

Page 411: ...ir C Program Files WebSphere AppServer installedApps your_server_name SoftwarePackageServer ear SoftwarePackageServerWeb war WEB INF lib Copy the file twguserpull jar located in WebSphere home directo...

Page 412: ...he installation and configuration of the remediation workflows used to automatically remediate noncompliant workstations 8 2 4 Installation of the Software Package Utilities The IISSCN extension pack2...

Page 413: ...TCRNavScan nac win any nav PostureNavV2 SCAN_WF TCRNavVirusDefUpdate nac win any nav PostureNavV2 DEFS_WF TCRNavSoftwareInstalled nac win any nav PostureNavV2 VERSION_WF TCRMSPatchesInstallWinXP nac...

Page 414: ...ion name_of_the_collector _ workflow_type DefaultConfig properties For example nac win any hotfix PostureHotfixV2_HOTFIX_WF DefaultConfig properties By default there are nine files nac win any nav Pos...

Page 415: ...Postur eCollectorParameterName latest Example 8 3 nac win any services PostureServices_SERVICE_DISABLED_WF Def aultConfig properties file content SPUtil default config file for nac win any services P...

Page 416: ...nted to the user if there are any policy violations The intention of these instructions is to guide the user to remediate the situation As a part of the IBM Integrated Security Solution for Cisco Netw...

Page 417: ...ust be named after the collector for example nac win any service PostureServices The next level below has to contain a separate directory for each language setting For this book we use US English so t...

Page 418: ...nac win any posture PostureCollector DEFAULT_LANG default html If no match is found a blank page will be displayed Posture item HTML Each instance of posture collector generates exactly one posture it...

Page 419: ...ureServicesV2 en_US ZoneAlarm Firewall default html scripts nac win any services PostureServicesV2 en_US Remote Desktop Service default html scripts nac win any services PostureServicesV2 pl_PL ZoneAl...

Page 420: ...ector DEFAULT_LANG status html scripts collector DEFAULT_LANG default html If no pages are found at the instance level the user interface will fall back to searching for the HTML of the element s pare...

Page 421: ...r a required list of users might have the following attribute lists current_values jdoe ssmith admin required_values jdoe ssmith admin secureadmin files etc users Table 8 4 shows possible HTML and the...

Page 422: ...ompliance Manager client and the others come from either the local handlers properties file or from the HANDLERS_ATTRIBUTES parameter of the policy collector Tag Description Example field instancename...

Page 423: ...s This may be null if the client is not a DHCP client client dhcp false Indicates whether the client is a DHCP client client fingerprint a3 55 e5 62 2a db 52 93 3b c2 22 38 44 53 bf 02 The client s gl...

Page 424: ...Path true in handlers properties results in the attribute being set to false Additionally providing multiple entries with the same key name in the same location will result in one value being used onl...

Page 425: ...ibute client id 2 Attribute client alias scmxp Logging posture items To enable logging of posture items and their posture elements the following attribute should be set remediationdialog logItems true...

Page 426: ...hen this attribute is set the paths searched are logged to the client log file For example File scripts nac win any oslevel PostureOSLevelV2 en_US Windows Service Pack Windows Service Pack Level PASS...

Page 427: ...following three steps build meaningful HTML examples for the policies described in Security compliance criteria on page 100 1 Our example policy specifies the following requirements Local workstation...

Page 428: ...e user in the remediation user interface Figure 8 35 Sample ABBC Corp security policy description page Example 8 4 shows the HTML source code for this page Example 8 4 HTML source for password policy...

Page 429: ...equirements For violation details click the items marked with image src file c Program Files IBM SCM client scripts com ibm scm nac posture PolicyCollector images icon fail gif icon br br For further...

Page 430: ...px background color eee font 13pt arial font weight 500 font variant small caps MajorTitle padding 5px 4px 0px 0px font 14 pt arial font weight 700 text align right DetailText padding 20px 0px 0px 40p...

Page 431: ...for changing the minimum password length setting This page mostly consists of static HTML shown in Example 8 6 It also introduces some of the tags described in 8 3 2 Variables and variable tags on pag...

Page 432: ...ust be at least 8 characters long br Your minimal password length is set to wfattribute current_values br b WARNING field msg b br To change the minimum password length setting on Windows XP br br ul...

Page 433: ...the resulting page Figure 8 37 Maximum password age HTML page Example 8 7 shows the HTML source for the page Example 8 7 HTML source for password age policy details page DOCTYPE html PUBLIC W3C DTD H...

Page 434: ...e current_values b br br To change the maximum password age setting on Windows XP br br ul li Start gt Control Panel gt Administrative Tools gt Local Security Policy br li li Double click Maximum pass...

Page 435: ...ver in this book we use the terms remediation workflow and remediation package interchangeably Software package block SPB is a native format of the Tivoli software distribution products used with Tivo...

Page 436: ...ter in the Symantec Antivirus policy to be used when the compliance check generated a FAIL or WARNING status The purpose of the workflow is to initiate the Symantec Antivirus scan In this case for sim...

Page 437: ...nMessage_en wsf xml version 1 0 job script language JScript CDATA var WshShell WScript CreateObject WScript Shell var strTitle Tivoli Security Compliance Manager var nSecondsToWait 0 var nButtonType_O...

Page 438: ...llation instruction from this book it will be the host name of that server Leave the other values as is They are used by the utility during the package creation Example 8 9 Content of Sample propertie...

Page 439: ...the Tivoli Configuration Manager Web Gateway TCRNavScanConfig properties Final properties file as a result of combining the Sample properties file specified as a parameter to the sputil sh command and...

Page 440: ...published on the Web page and is downloaded to the client workstation during the remediation process 6 Now you are ready to test the remediation process On a client workstation which indicates to have...

Page 441: ...Message_en wsf When you click OK the final remediation handler window should look Figure 8 40 Figure 8 40 Remediation handler status window TCRNavVirusDefUpdate The TCRNavVirusDefUpdate workflow was d...

Page 442: ...VirusDefUpdate 2 Then create a configuration file for sputil sh utility containing the instructions about how to build the package Copy the Sample properties file from the sample_TCRNavDefUpdate direc...

Page 443: ...ned in the VERSION_WF parameter in the Symantec Antivirus policy to be used when the compliance check generated a FAIL or WARNING status The purpose of the workflow is to install the required version...

Page 444: ...on the Web Gateway To achieve this run the following commands cd BINDIR tcmremed download cd TCRNavSoftwareInstalled BINDIR tcmremed bin sputil sh p Sample properties 5 Verify the result of running t...

Page 445: ...ownload the appropriate hotfix from the Microsoft Web site KB896423 can be found at the following location http www microsoft com downloads details aspx familyid EF402946 1C3B 47E9 9D51 77D890DF8725 d...

Page 446: ...can install multiple hotfixes one after another without a reboot You must add this qchain exe utility to your remediation package This utility is a part of the Microsoft Windows 2000 Resource Kit and is...

Page 447: ...Figure 8 41 Figure 8 41 Remediation handler interface for hotfix installation Repeat this procedure for any other hotfix that you have defined as required in your security policy TCRMSServicePackInst...

Page 448: ...download the appropriate Service Pack 2 installation file from the Microsoft Web site The Windows XP Service Pack 2 Network Installation Package for IT Professionals and Developers can be found at th...

Page 449: ...ive ExeArg 0 1 norestart RunQchainFlag false TmfWebUIEndpoint tcmweb 4 Run the sputil sh command to create the software package block and publish it on the Web Gateway To achieve this run the followin...

Page 450: ...edia from the vendor to build that package and you have to obtain the proper license Follow the steps described below 1 Open a command prompt import the environment variables for the Tivoli Framework...

Page 451: ...CRZLSoftwareInstalled BINDIR tcmremed bin sputil sh p Sample properties 5 Verify the result of running the tool with the following command wlookup ar SoftwarePackage grep TCRZLSoftwareInstalled If the...

Page 452: ...sue the following commands cmd k SystemRoot system32 drivers etc Tivoli setup_env cmd bash cd BINDIR tcmremed download mkdir TCRZLSoftwareRunning cd TCRZLSoftwareRunning 2 Create the very simple Windo...

Page 453: ...s This is the second type of the two workflows called by the nac win any services PostureService collector It is called during the remediation of a violation when the service that should be disabled i...

Страница 454: ...e properties 5 Verify the result of running the tool with the following command wlookup ar SoftwarePackage grep TCRMessengerDisabled If the package was created the result will look like below the numb...

Страница 455: ...ll option The final content should look like Example 8 17 Example 8 17 Content of TCRMessengerDisabled_unpublish sh script wweb unpublish p TCRMessengerDisabled nac win any services PostureServices SE...


Page 457: ...s In the following two appendixes we take a closer look at these topics General hints and tips for everything around the IBM Integrated Security Solution for Cisco Networks A generic introduction to t...


Page 459: ...integration with the NAC Appliance offering Information provided in this section may also be used for problem determination and detailed analysis of the key components and associated sequence diagrams...

Page 460: ...f interest Note that when a new policy is installed a new set of collector objects will be placed in the SCM_HOME client collectors directory These collectors determine what data the client will colle...

Page 461: ...licy Version Action Policy Version Violation Count Token Action Policy Version Violation Count Token Action User Group ACL or RAC Network Access Profiles Client Cisco Trust Agent Posture Cache Policy...

Page 462: ...he notification also includes an action which is the URL to be used to request automated remediation In either case the Cisco Trust Agent pops up a window on the client that displays the current postu...

Page 463: ...stureQuery SCM Policy Collector QuarantinePostureNotification Posture Remediation Commands TCM Web Gateway Remediation Handler Remediation Request Cisco NAC SCM Posture PlugIn Endpoint RemediationInfo...

Page 464: ...the modules Figure A 3 The compliance subsystem Cisco Trust Agent Process Posture Request Process Posture Notification Query Posture Status Change SCM PlugIn dll Called by Cisco Trust Agent Socket com...

Page 465: ...nt Figure A 4 Cisco NAC sequence diagram The PostureQuery asks the client for the full set of attribute data that the client has registered with the ACS The client responds to the PostureQuery by send...

Page 466: ...s on the client it will be reflected as a status change and the network will then reset both polling cycles and issue a PostureQuery to the client starting the whole process over to evaluate the new s...

Page 467: ...reachable message then the NAD is quarantining the host and the Cisco Trust Agent is probably not running If a message appears then the NAD and the Cisco Trust Agent are communicating correctly If a c...

Page 468: ...curity Compliance Manager client server communication and the interaction between the server and client and associated TCP port numbers Figure A 5 Communication port usage in Security Compliance Manag...

Page 469: ...the server is performed using an internal protocol Communications between the administration utilities and the server are handled using the Java Remote Method Invocation RMI technology Summary of defa...

Page 470: ...sco IOS Software switch For Cisco switches configured for IP based NAC the commands listed in the preceding section apply to both a router and a switch For 802 1x based NAC a useful command is the fol...

Page 471: ...e the values that are passed from the Security Compliance Manager Posture Plug in for each host in this report Cisco Trust Agent On the client the Cisco Trust Agent handles all communications with the...

Page 472: ...he following commands you can see what is being passed back to the network look at the complete posture cache and test calls to the remediation handler The commands pquery and pstatuschange have no ar...

Page 473: ...the NAC Appliance components Clean Access Manager CAM This is the administration server for Clean Access deployment The secure Web console of the Clean Access Manager is the single point of managemen...

Page 474: ...co Clean Access Manager is designed to support both in band and out of band Cisco Clean Access servers as well as the switches associated with the out of band portion of the network With the Cisco Cle...

Page 475: ...been deployed by a larger set of customers than NAC Framework simply due to its lower cost factor and deployment footprint In order to provide Cisco NAC Appliance customers access to the compliance an...

Page 476: ...lient is running and check that a special compliance semaphore file indicating the compliance state of the endpoint exists in order to admit the endpoint A special NAC Appliance Agent is installed on...

Page 477: ...met on the client When the production version of this file is delivered it will not run a bat file but will require a signed executable NAC Appliance Client Start Authentication TSCM Client Running C...

Page 478: ...lient s statuscheck exe which forces the TSecurity Compliance Manager Client to run a rescan and recompute the compliance posture NACApplianceCompliance entry This file is an identical copy of the com...

Page 479: ...tor In addition this version of the collector was written quickly in lab conditions and several issues should be corrected in a production version Users of this protype version of the policy collector...

Page 480: ...AC Appliance Agent The prototype version of this agent installs on the client in the same manner as the production version It is basically a wizard install and there are no configuration parameters re...

Page 481: ...Access Manager to place the endpoint in quarantine If an html form other than the one performed in the example is to be used this parameter must be changed to use the other form This collector include...

Page 482: ...e not protected and could be manipulated by users We recommend that these files be set to hidden with administrative privileges required to access them Timing With the current version of the prototype...

Page 483: ...n The following list is the expected behavior for each of these states Scenario 1 Pre admission Security Compliance Manager not running noncompliant client NAC Appliance detects that the Security Comp...

Page 484: ...and there is no way to address this state This state can be reached if the user halts the Security Compliance Manager Client after the client has already been admitted to the network and then creates...

Page 485: ...Cron job to check whether the Security Compliance Manager Client is running and start it if it is not running This would then bring the client to state 8 Scenario 5 pre admission Security Compliance M...

Page 486: ...Security Compliance Manager running noncompliant client In this case the semaphore starts as 1 since we have been admitted Windows Scheduler or cron job runs statuscheck exe Statuscheck exe Requests...

Page 487: ...ost admission Security Compliance Manager running compliant client In this case the semaphore should start as 1 since we have been admitted Windows Scheduler or cron job runs statuscheck exe NAC Appli...

Page 488: ...clusion Having read this appendix you should now have a better understanding of the IBM Integrated Security Solution for Cisco Networks and be familiar with the NAC Appliance offering The prototype fo...

Page 489: ...ntrol In this appendix we discuss the Network Admission Control initiative from Cisco Systems This appendix contains a Cisco white paper that is publicly available at the following address http www ci...

Page 490: ...at NAC can play as part of a policy based security strategy and describes and defines the available NAC approaches The benefit of NAC Despite years of security technology development and millions of d...

Page 491: ...verification strategy be implemented in the network instead of somewhere else Virtually every bit of data that an organization is interested in or is concerned about touches the network Virtually any...

Page 492: ...security of any network regardless of size or complexity by helping to ensure that all user network devices conform to security policy By proactively protecting against worms viruses spyware and malw...

Page 493: ...functions Recognizes users their devices and their roles in the network at the point of authentication authorization Evaluates the security posture of endpoints using either scanning and analysis tech...

Page 494: ...entication authorization and remediation of endpoints A combination of central policy management intelligent network devices and network services with solutions from dozens of leading antivirus securi...

Page 495: ...s NAC Readiness Assessment Analyzes deployment requirements and assesses the readiness of your network devices operations and architecture to support NAC NAC Limited Deployment Provides installation a...

Page 496: ...on 4 Take advantage of your Cisco Clean Access investment Cisco Clean Access components can be fully integrated into a NAC Framework solution NAC technology Let us take a look at the components needed...

Page 497: ...ters 2600XM 2691 3640 and 3660 ENT multiservice access routers 72xx Series routers Cisco switches Cisco Catalyst 6500 Series Supervisor Engine 2 32 and 720 with Cisco Catalyst OS Cisco IOS Software or...

Page 498: ...th IBM Tivoli and Cisco Systems Recommended components Cisco Security Agent Cisco Security Monitoring Analysis and Response System MARS CiscoWorks Security and Information Management Solution SIMS For...

Page 499: ...ng the Web material The Web material associated with this redbook is available in softcopy on the Internet from the IBM Redbooks Web server Point your Web browser to ftp www redbooks ibm com redbooks...

Page 500: ...scription IBM Tivoli CCA Agent zip Contains the Cisco Clean Access Agent Version 4 0 1 1 used for our example NACAppliancePrototype zip Contains the necessary files policy collector remediation html f...

Page 501: ...g IBM Tivoli Security Solutions SG24 6014 Other publications These publications are also relevant as further information sources IBM Tivoli Security Compliance Manager Version 5 1 Administration Guide...

Page 502: ...uct vpn ciscosec cta cta1_0 index htm IBM Tivoli Security Compliance Manager Installation Guide http publib boulder ibm com infocenter tiv2help index jsp topic com ibm itscm doc_5 1 scm51_install html...

Page 503: ...Related publications 485 Help from IBM IBM Support and downloads ibm com support IBM Global Services ibm com services...


Page 505: ...iolation count 442 Access Manager for e business 85 access policy 58 60 action parameter 58 administrators involvement 26 admission control client 43 antivirus collector configuration 163 application...

Page 506: ...or workstations 100 data 18 decisions 103 exception 29 management business process 28 policy 57 395 assigning to clients 186 configuration 152 customization 161 versioning 103 posture collector 153 qu...

Page 507: ...6 emergency change procedure 95 97 encapsulated authentication protocol 45 endpoint posture credentials 43 enduser challenges 97 error handling 448 Extensible Authentication Protocol 16 23 session ini...

Page 508: ...26 N NAC see network admission control NAC Appliance 17 45 82 475 Clean Access Agent configuration 334 comparing with NAC Framework 17 components 455 configuration 303 default login page 315 port prof...

Page 509: ...uration 165 PEAP 59 client session 60 PEAP session 191 performance controls 34 personal firewall 53 collector configuration 171 physical components 52 pnotify 454 Point to Point Protocol 23 policy 8 c...

Page 510: ...configuration 357 concept 4 configuration for manual 116 handler 20 25 50 52 61 100 101 357 454 request URL 108 HTML example 409 HTML information 398 instructions for the users 397 JAVA classes 108 l...

Page 511: ...osture collector 18 50 153 posture credentials 50 posture policy 89 posture status 20 push pull mode 206 remediation handler 50 rule 174 secure communication 63 security certificate 146 security compl...

Page 512: ...6 Software Package Web server 357 TCMCLI policy 189 Web Gateway configuration 359 Web Gateway installation 375 Web Gateway user account 375 Tivoli Framework 51 totel cost of ownership 27 traffic polic...


Page 516: ...e corrupted in some way can infect other parts of the enterprise and cause significant IT infrastructure damage and loss of productivity Additionally organizations must address security compliance as...
