Manuals / IBM / Computer Equipment / Network Card

IBM Tivoli and Cisco manual Tcm

Models: Tivoli and Cisco

1 516

Download 516 pages 58.69 Kb

Page 39

If the client is not Security Compliance Manager policy–enabled, it is denied access to the corporate network and may be allowed only restricted access to the Internet or may be denied access to all networks.

When a client is quarantined, the user is given a choice to either remediate manually using the provided instructions or to use an automated remediation process by clicking a button on the pop-up window (if the Tivoli Configuration Manager infrastructure exists).

Untrusted LAN		Trusted LAN
	Healthy
Compliant	Remediation LAN
	Remediation LAN
	Quarantined
Non-compliant	Remediation	Corporate
Non-compliant		Resources
	TCM	Resources
	TCM
	Server
	Denied
Clientless

Figure 2-3 Basic overview of NAC functionality

In general, any admission control solution can base the admission decision on a number of factors. Authentication decisions are identity-based and the admission decisions are based on who is attempting access. Posture decisions are integrity-based and depend on the integrity of the device being used for access.

Posture-basedNAC is designed to protect the network from threats introduced by noncompliant workstations. Workstation-related information is presented to the authorization server. It describes the current state of the hardware, operating system, and installed applications (for example, the list of patches installed, version of installed antivirus or personal firewall software, version of virus definition file, the date of the last full scan). With Layer 3 NAC, it is not straightforward to tie the identity-based and posture-based admission decisions together. Since they operate in two different time frames with regard to network

Chapter 2. Architecting the solution

21

Image 39

IBM Tivoli and Cisco manual Tcm

Contents

Building a Network Access Control Solution Page International Technical Support Organization Second Edition January Contents Part 2. Customer environment Part 3. Appendixes Index Copyright License ViiTrademarks IBMAIX Preface Team that wrote this redbook Preface IBM US Become a published authorComments welcome Page January 2007, Second Edition New informationChanged information Page Part 1 Architecture and design Page Business context Security compliance and remediation concept Why we need this Http//banking.senate.gov/conf Does this concept help our mobile users Business driver for corporate security compliance Corporate security policy definedAchievable benefits for being compliant Policy Development and Assurance ConclusionBusiness context Page Architecting the solution Architecture overview Solution architectures, design, and methodologiesWAN Network Admission ControlPage Security Compliance Manager Page Compliance query Tivoli Configuration ManagerArchitectural terminology Security policyCompliance User Interface Remediation handlerNetwork Admission Control process TCM ACS Cisco NAC and IeeeUsing Cisco terminology AuthenticatorSupplicant Network identity provisioning Posture agentRemediation process Definition of a Network Admission Control project Phased rollout approachInternet Security compliance management business process Design processArchitecting the solution Security policy life cycle management Implementation CreationSolution objectives Review and updateEnforcement Network design discussion Default networkQuarantine access Trusted networkPerformance controls Scalability and high availability Implementation flowPage Conclusion Page Component structure Logical components Solution logical block diagramNetwork Admission Control Network Admission Control FrameworkPosture validation server CSMon CSlogAdmission control client Policy enforcement devicePosture plug-in Logging serviceNetwork Admission Control Appliance Clean Access Manager CAMClean Access Server CAS Clean Access Agent CAAClean Access Policy Updates ComplianceCompliance server Compliance reporting AdministrationCompliance client Compliance client logical component Posture collectorPolicy collector Posture cache Default remediation handlerRemediation Remediation serverPhysical components Network clientRemediation handler component Cisco Trust Agent Security Compliance Manager clientSecurity Compliance Manager policy Cisco Secure Access Control Server Network access infrastructureIBM Integrated Security Solution for Cisco Networks servers Network access deviceTivoli Configuration Manager servers Solution data and communication flowPolicy Policy creation and deployment flowComponent structure Posture collection process flow Posture validation and policy enforcement flow Page Remediation flow Secure communication between components Secure communicationSecurity Compliance Manager communication Component placementSecurity zones NAC communicationLess Secure Network Uncontrolled zone Internet, external networksRestricted zone management network Controlled zone external network-facing DMZControlled zone intranet Restricted zone production networkPolicy enforcement points Branch office complianceBranch egress enforcement Campus internal enforcement Branch Office Compliance Campus Ingress Enforcement Small Office Home Office compliance Soho Compliance PAT access protectionExtranet Compliance Extranet complianceLAB Compliance Lab complianceData Center Protection Data Center protectionRemote Access Protection Remote access protectionPart 2 Customer environment Page Armando Banking Brothers Corporation Company profile Network infrastructure Current IT architectureIBM Integrated Security Solution for Cisco Networks lab Armando Banking Brothers Corporation NAC Appliance Armando Banking Brothers Corporation Page Application security infrastructure DMZ Middleware and application infrastructureCorporate business vision and objectives Project layout and implementation phasesAction Reference Part I Security compliance server Project overviewNAC L3 IP NAC L2 IPPart III Remediation server CCA OOB VGConclusion Page Solution design Page Business requirements Network access control requirements Functional requirementsSecurity compliance requirements Remediation requirements Solution functional requirementsCaused by worms and other hostile software NAC solution conceptual functional requirements Security compliance criteria Remediation servicesAttempt Implementation architectureLogical components Component subsystems total solutionEstablishing compliance criteria Configuring the compliance serverTivoli Security Compliance Manager client components Establishing the policy collector parametersSolution design Setting the policy version Maxdataagesecs conceptual flow Setting the remediation handler URL attribute Enforcing compliance criteria 11 Setting the remediation handler JAR classpathACS Posture token13 Posture validation policies Page 14 Shared Radius Authorization Components Assigning the System Posture Token Performing remediation Remediation handler Html pages Physical componentsIBM Security Compliance Manager server Compliance subsystemAccess Control Server Network Admission Control subsystemIBM Tivoli Security Compliance Manager client Solution design LRE NAC-enabled network deviceLayer 2 devices Layer 3 devicesCisco Trust Agent IBM Tivoli Configuration Manager server Remediation subsystemSoftware Package Web Server Conclusion Page 125 Compliance subsystem implementationInstallation of DB2 database server Tivoli Security Compliance Manager setup127 DB2 installation welcome windowDB2 version selection is presented similar to the one shown 129 Setup wizard welcome windowLicense agreement window 131 Installation type selection windowInstallation action selection window 133 Installation folder selection windowUser information dialog 135 Administration contact list dialog10 DB2 Instance configuration window 11 DB2 Tools selection dialog 13712 Administrator contact selection window 139 13 Installation options summary14 Installation completion window Installation of Tivoli Security Compliance Manager server15 Language selection dialog 141Administration Utilities Database ConfigurationServer 143 18 Setup type selection window19 E-mail server configuration dialog 145 20 Server Communication Configuration windowServer Security Configuration window is displayed, as shown 22 Database Location selection window 14723 Database configuration information 24 Database creation choice window 14925 Administrator User ID Configuration window 151 26 Installation options summary window27 Installation result window Configuration of the compliance policiesPosture collectors Posture items and posture elements153 Workflow Policy collectorPosture collector parameters Operational155 Installation of posture collectors28 Tivoli Security Compliance Manager GUI login 157 30 Tivoli Security Compliance Manager Administration Console32 Import file selection dialog 34 Collectors signature validation 15935 Policy installation summary 161 Customization of compliance policies37 Policies view 163 38 Collectors configuration viewFaillastscanover PassversionWarnversions Versionwf165 WarndefsolderthanDefswf Warnmaxageover WarnminlenunderFailminlenunder Minlenwf41 Editing collector parameters 167Passwindowsnt WarnwindowsntPASSWINDOWS2000 169 Warnhotfixes FailhotfixesHotfixwf KEY 171Pass NokeyruleValue Novaluerule173 Rule operators Rules175 Checking for ZoneAlarm installation directoryRule results Rule formatChecking for Windows XP firewall forced off 177 ReqserviceReqrunning ServicerunningwfReqdisabled Servicedisabledwf46 Copying an existing compliance query 17947 Destination policy selection dialog 48 Renaming compliance query 18149 Compliance query description modification 50 Violation message modification 18351 Disabling collector sharing 53 Saving changes made to the policy collectors 18554 Save policy collectors warning Assigning the policy to the clients55 Create group action selection 18757 Add policy menu selection Deploying the client software Tcmcli utility policy189 Prerequisites Cisco Trust Agent61 Certs directory with CTA 19162 Cisco Trust Agent installation wizard Installation of Cisco Trust Agent on Windows63 License agreement for Cisco Trust Agent 193Accept the defaults -64and click Next 195 65 Cisco Trust Agent installation typeClick Next Figure 67 Confirmation of the certificate import 197Click Finish to close the installation, as shown in Figure 199 IBM Tivoli Security Compliance Manager client70 Language selection Installation of the Security Compliance Manager client71 The welcome window 20172 Client Installation Utility window 203 74 Directory selection window 205 75 Setup type windowPull Accept the defaults and click Next77 Client connection window 20778 Server communication configuration window 209 79 Client Dhcp configuration windowNext 81 Successful completion window 21182 Security Compliance Manager posture plug-in files 213 Network enforcement subsystem implementationConfiguring the Cisco Secure ACS for NAC L2 Configuring NAC Framework components215 Installing Cisco Secure ACSConfiguring the administrative interface to Cisco Secure ACS 217 Interface configuration advanced optionsAdministration control Allowing administrator access via Http optional219 Cisco Secure ACS certificate setupUsing an ACS self-signed certificate Generating self-signed certificate 221Restart the Cisco Secure ACS Figure 223 Importing IBM Security Compliance Manager attributesExample 7-1 Security Compliance Manager attributes Example 7-2 Import Security Compliance Manager attribute 225Click CSV Passed Authentications Figure Configuring logging227 Select CSV Failed Authentications Figure11 Failed attempts logging 229 Configuring a network device group in Cisco Secure ACS13 Interface Configuration screen for the creation of NDGs 14 Network Device Group check box 23115 Network Configuration 16 AAA clients 23317 AAA client setup 18 AAA Clients 23519 Global Ietf Radius attributes Configuring Radius attributes237 Configuring groups21 Group Setup 239 Configuring users23 User-to-Group mappings Global authentication setup Click Submit + Restart241 EAP-FAST configuration Condition 243 EAP-GTCEAP-TLS 26 Posture Validation Configuring posture validation27 Posture Validation Policies 24528 CTA Posture Validation Policy 29 Posture Validation for CTA 247Click Add Condition Set Figure 31 Adding a condition set 24932 Posture validation rule creation for CTA check 33 CTA rule defined 25134 Quarantine condition applied as default action 35 Completed posture validation for CTA 253Click Apply and Restart, as shown in Figure 37 Repeating the process for Security Compliance Manager 25538 IBM Tscm policy creation 39 IBM Tscm policy creation 257Click Add Rule to get to the screen shown in Figure 41 Tscm policy components 259Page 261 Click Done Figure 45 Completed posture validation rules 263Click Radius Authorization Components Configuring Radius Authorization ComponentsIetf 26547 IOS RAC attribute 48 Ietf drop-down menu 26749 Healthy Sales RAC 269 Tunnel-Medium-Type 802 Configuring Network Access Profiles Click Add Profile271 51 Newly created NAP 273 52 Authentication configuration for RACFrom the screen shown in -53,click Add Rule 275 54 Partial configuration of posture validation55 Selecting CTA and Tscm policies 277 An example of the CTA Healthy pop-up is shown in Figure58 CTA pop-up configuration 59 Completed posture validation for Naciisscn 27960 Authorization rule creation User group System posture token Shared RAC 281RAC 62 Completed Authorization RAC configurationClientless user Configuring the Cisco Secure ACS for NAC L2/L3 IPExternal User Database Unknown user policy63 Downloadable ACL creation Downloadable Access Control Lists64 Naming of ACL 285Enter the name of the ACL and the ACL definition Figure 287 Select Radius Authorization ComponentsVendor Attribute Value 289 Click Add Rule68 L2IP Healthy Authorization rule Deployment of the network infrastructure Click Apply and Restart291 Configuring Cisco 3750 switch for NAC L2 293 Page 295 Configuring Cisco 3750 switch for NAC L2 IPPage 297 Has been applied to the switchportNo URL Redirect Configuring Cisco IOS Router for NAC L3 IP299 Page 301 Verifying Network Admission Control Example 7-3 Output of show eou and show eou all command303 Configuring NAC Appliance components71 Installation wizard Installing CCA Agent305 72 Default install directoryCCA version Required ports Configuring a CCA OOB VG server307 75 CAM loginClean Access Summary window will be displayed Figure 77 Device Management 30978 Adding a new CAS Click Add Clean Access Server79 Successful CAS addition 31180 CAS Status screen 81 Network IP screen 31382 Managed subnets Select Advanced → Vlan MappingConfigure default login Click Administration → User Pages → Login315 Select Switch Management → Profiles → Group → New Configuring a Switch Group317 85 Switch Group creationVerify your new switch group Figure 319 Configuring a switch profile88 Switch profile Configuring Port Profile321 Select Switch Management → Profiles → Port → New Figure90 Managed profile creation Configuring Snmp receiver Click Switch Management → Profiles → Snmp Receiver323 Select Switch Management → Devices → Switches → New Adding a managed switch325 93 Manually adding a switch to be managedAs seen in -94,click the Ports icon Defining user roles Click User Management → User Roles → New Roles327 Click Save Role when completed Creating traffic policies Click User Management → User Roles → Traffic Control → IP329 98 Rules for trusted to untrusted ActionAllow StateEnabled CategoryIP ProtocolTCP Click Add Policy331 Click User Management → Local Users → New Local User Creating local users333 Click Create User102 List of local users Configure Clean Access Agent335 Click Add Check104 CCA version compliance check 105 Rules check list check 337Rule Expression Rule NameRule Description Operating System107 CCA Compliance rule definition 339Newly defined rules will be displayed Figure Click Requirements → New Requirements Figure Click Add Requirement341 110 CCA Agent update 343 Click Requirement Rules112 CCA Compliance Requirement rule Click Role-Requirements113 Role requirements 345114 Viewing online users Discovered clients347 Logging on as a client117 Web page pop-up informing user about non-compliance Click Continue349 118 Temporary access notification120 Security Compliance Manager Compliance Report window 351 123 Successful login Configuring Cisco 3750 switch for NAC Appliance353 Example of interface configuration for CAM interfaceExample of Snmp configuration 355 Remediation subsystem implementationPage 357 Automated remediation enablementPrerequisites Remediation server software setupTivoli Configuration Manager Tivoli Configuration Manager Web Gateway setup359 Preparing for the installation Installation of the DB2 databaseInstallation of Web infrastructure WebSphere Application Server launchpad 361WebSphere Installation Wizard window Software License Agreement window 363Installation type selection Component selection dialog 365Destination folder selection window Node name selection window 367Run as a service selection window 369 Installation options summary10 Online registration dialog 371 Patching WebSphere Application Server installation12 WebSphere product location 373 13 Installation option selection14 Fix packs directory location Creating the necessary user account375 Installation of Tivoli Configuration Manager Web GatewayWelcome window is presented -16. Click Next 17 License agreement window 37718 Component selection 379 19 Installation directory selection window20 Database configuration window 381 21 Web infrastructure configuration window22 Endpoint configuration window 383 23 Secure access configuration24 Summary of installation options 385 Configuration of the remediation serverInstallation of Software Package Web Server 387 26 WebSphere administrative console login27 Install new application 389 28 Preparing for the application installation29 Installation option summary dialog 391 30 Installation status window31 Saving the configuration changes 393 Configuration of the Software Package Web ServerInstallation of the Software Package Utilities 395 Cd %BINDIR% Cd tcmremed\cfg Sputilinitialsetup.bat 397 Creating remediation instructions for the usersLocating Html 33 Directory structure for Html pages 399Defaultlang Base HtmlPosture item Html 401 Html pages examplePosture element Html Variables and variable tagsWfattribute tag Field Tag403 Fail Remattribute tag\PROGRA~1\IBM\SC 405Logging available attributes Debug attributes407 Logging posture itemsLogging the Html search path 409 Creating Html pages for Abbc policyExample 8-4shows the Html source code for this 411 Example 8-5 Content of style definition filePage 413 Example 8-6 Html source for password length policy detailsWfattributecurrentvalues.brbWARNING fieldmsg/bbr 415 Example 8-7shows the Html source forPage 417 Building the remediation workflowsTCRNavScan workflow 419 Example 8-8 Content of NavScanMessageen.wsfExample 8-9 Content of Sample.properties file for TCRNavScan 421 38 Remediation handler interface with the warning 423 TCRNavVirusDefUpdatePage 425 TCRNavSoftwareInstalledTCRMSPatchesInstallWinXP 427 HotfixId=KB896423 TmfWebUIEndpoint=tcmweb 429 TCRMSServicePackInstallWinXpSp2Page AddRegistryValueBeforeExecData.arrayLength=2 431TCRZLSoftwareInstalled 433 NorebootTCRZLSoftwareRunning 435 TCRMessengerDisabledModification of the remediation packages 437 Page 439 Part 3 AppendixesPage 441 Appendix A. Hints and tipsDeployment overview Appendix A. Hints and tips 443Top-level sequence of events Figure A-2 Isscn top-level sequence diagram Cisco Trust Agent Security Compliance Manager and NAC compliance subsystemCisco NAC sequence of events Figure A-4 Cisco NAC sequence diagramFault isolation Appendix A. Hints and tips Tivoli Security Compliance Manager Server Security Compliance Manager server and clientCisco NAC Summary of default port usageTools and tricks Communication port usageCisco IOS Software router Cisco IOS Software switchCisco Secure ACS server Tools and tricks for the client40500 Cisco NAC Appliance components NAC Appliance detailsIn-band versus out-of-band NAC Appliance integration Integration design NAC Appliance Agent Integration componentsNACApplianceCompliance.entry TSCMAgent.batKickrich.html SchedulerInstalling and configuring prototype integration components Scheduler.bat System pathNAC Appliance Manager Considerations for designing a production solutionState mapping and scenarios Page Appendix A. Hints and tips Page 43 Sequence of Events for Scenarios #5 and #6 Conclusion 471 Appendix B. Network Admission ControlBenefit of NAC Executive summary473 Dramatically improve network securityNAC implementation options 475 NAC ApplianceInvestment protection NAC Framework solution477 Planning, designing, and deploying an effective NAC solutionNext steps NAC technologyNAC Appliance components 479 NAC Framework componentsPage 481 Locating the Web materialHow to use the Web material Using the Web materialIBM Redbooks Other publications483 Online resources How to get IBM RedbooksHelp from IBM IBM Support and downloads IBM Global ServicesPage 487 NumericsSCM client communication Html GlbaNAD NACCreation Deployment PPP Sarbanes-Oxley Act UDP URLVlan Page Page Page Building a Network Access Control Solution