Manuals / IBM / Computer Equipment / Network Card

IBM Tivoli and Cisco manual Implementation flow, Scalability and high availability

Models: Tivoli and Cisco

1 516

Download 516 pages 58.69 Kb

Page 53

revalidation process takes place too often, this pop-up window may become annoying and significantly lower the user’s productivity. The recommended value is 14400 seconds (4 hours) or more.

The router or the network access device (NAD) periodically queries the client for the current policy compliance status changes. This activity introduces additional network traffic, which becomes larger as the defined time intervals shorten.

However, frequent polling enables quick disconnection from a client that becomes noncompliant from the network. Depending on the network architecture (number of clients connected to one NAD, network bandwidth, current network load, and so on) the status query period should not be shorter than 30 seconds.

2.4 Implementation flow

IBM best practice in implementation of this concept in an enterprise-wide deployment has been identified by the following project phases that would assist in a smooth transition to the new environment:

Initiation

Definition

Design

Build

Maintenance

In the initiation phase, high-level project requirements are gathered and verified to be included in the Statement of Work (SoW) document.

During the definition phase, those requirements are refined and documented in detail, and as a result several of the documents are created, including Project Definition Report (PDR), functional specification, and existing system analysis.

In the design phase, the detailed design of the solution is created, typically in the

form of architecture and design documents covering macro and micro design studies. Then the solution is actually implemented in the build phase.

The final stage is maintaining and updating the solution as the surrounding environment or business requirements change. This typically is a cyclic process as described in 2.3.2, “Security policy life cycle management” on page 30.

2.5 Scalability and high availability

Any architecture must be easily scalable and available at all times for secure and reliable business transactions and the future growth of the business. This

Chapter 2. Architecting the solution

35

Image 53

IBM Tivoli and Cisco manual Implementation flow, Scalability and high availability

Contents

Building a Network Access Control Solution Page International Technical Support Organization Second Edition January Contents Part 2. Customer environment Part 3. Appendixes Index Copyright License ViiAIX TrademarksIBM Preface Team that wrote this redbook Preface IBM US Become a published authorComments welcome Page Changed information January 2007, Second EditionNew information Page Part 1 Architecture and design Page Business context Security compliance and remediation concept Why we need this Http//banking.senate.gov/conf Does this concept help our mobile users Business driver for corporate security compliance Corporate security policy definedAchievable benefits for being compliant Policy Development and Assurance ConclusionBusiness context Page Architecting the solution Architecture overview Solution architectures, design, and methodologiesWAN Network Admission ControlPage Security Compliance Manager Page Architectural terminology Tivoli Configuration ManagerSecurity policy Compliance queryNetwork Admission Control process Compliance User InterfaceRemediation handler TCM ACS Cisco NAC and IeeeSupplicant Using Cisco terminologyAuthenticator Network identity provisioning Posture agentRemediation process Definition of a Network Admission Control project Phased rollout approachInternet Security compliance management business process Design processArchitecting the solution Security policy life cycle management Implementation CreationEnforcement Solution objectivesReview and update Network design discussion Default networkPerformance controls Quarantine accessTrusted network Scalability and high availability Implementation flowPage Conclusion Page Component structure Logical components Solution logical block diagramPosture validation server Network Admission ControlNetwork Admission Control Framework CSMon CSlogAdmission control client Policy enforcement devicePosture plug-in Logging serviceClean Access Server CAS Clean Access Manager CAMClean Access Agent CAA Network Admission Control ApplianceCompliance server Clean Access Policy UpdatesCompliance Compliance reporting AdministrationCompliance client Compliance client logical component Posture collectorPolicy collector Remediation Default remediation handlerRemediation server Posture cacheRemediation handler component Physical componentsNetwork client Security Compliance Manager policy Cisco Trust AgentSecurity Compliance Manager client IBM Integrated Security Solution for Cisco Networks servers Network access infrastructureNetwork access device Cisco Secure Access Control ServerTivoli Configuration Manager servers Solution data and communication flowPolicy Policy creation and deployment flowComponent structure Posture collection process flow Posture validation and policy enforcement flow Page Remediation flow Secure communication between components Secure communicationSecurity zones Component placementNAC communication Security Compliance Manager communicationLess Secure Network Uncontrolled zone Internet, external networksControlled zone intranet Controlled zone external network-facing DMZRestricted zone production network Restricted zone management networkBranch egress enforcement Policy enforcement pointsBranch office compliance Campus internal enforcement Branch Office Compliance Campus Ingress Enforcement Small Office Home Office compliance Soho Compliance PAT access protectionExtranet Compliance Extranet complianceLAB Compliance Lab complianceData Center Protection Data Center protectionRemote Access Protection Remote access protectionPart 2 Customer environment Page Armando Banking Brothers Corporation Company profile Network infrastructure Current IT architectureIBM Integrated Security Solution for Cisco Networks lab Armando Banking Brothers Corporation NAC Appliance Armando Banking Brothers Corporation Page Application security infrastructure DMZ Middleware and application infrastructureCorporate business vision and objectives Project layout and implementation phasesAction Reference Part I Security compliance server Project overviewNAC L3 IP NAC L2 IPPart III Remediation server CCA OOB VGConclusion Page Solution design Page Business requirements Security compliance requirements Network access control requirementsFunctional requirements Remediation requirements Solution functional requirementsCaused by worms and other hostile software NAC solution conceptual functional requirements Security compliance criteria Remediation servicesAttempt Implementation architectureLogical components Component subsystems total solutionEstablishing compliance criteria Configuring the compliance serverTivoli Security Compliance Manager client components Establishing the policy collector parametersSolution design Setting the policy version Maxdataagesecs conceptual flow Setting the remediation handler URL attribute Enforcing compliance criteria 11 Setting the remediation handler JAR classpathACS Posture token13 Posture validation policies Page 14 Shared Radius Authorization Components Assigning the System Posture Token Performing remediation Remediation handler Html pages Physical componentsIBM Security Compliance Manager server Compliance subsystemIBM Tivoli Security Compliance Manager client Access Control ServerNetwork Admission Control subsystem Solution design Layer 2 devices NAC-enabled network deviceLayer 3 devices LRECisco Trust Agent Software Package Web Server IBM Tivoli Configuration Manager serverRemediation subsystem Conclusion Page 125 Compliance subsystem implementationInstallation of DB2 database server Tivoli Security Compliance Manager setup127 DB2 installation welcome windowDB2 version selection is presented similar to the one shown 129 Setup wizard welcome windowLicense agreement window 131 Installation type selection windowInstallation action selection window 133 Installation folder selection windowUser information dialog 135 Administration contact list dialog10 DB2 Instance configuration window 11 DB2 Tools selection dialog 13712 Administrator contact selection window 139 13 Installation options summary14 Installation completion window Installation of Tivoli Security Compliance Manager server15 Language selection dialog 141Server Administration UtilitiesDatabase Configuration 143 18 Setup type selection window19 E-mail server configuration dialog 145 20 Server Communication Configuration windowServer Security Configuration window is displayed, as shown 22 Database Location selection window 14723 Database configuration information 24 Database creation choice window 14925 Administrator User ID Configuration window 151 26 Installation options summary window27 Installation result window Configuration of the compliance policies153 Posture collectorsPosture items and posture elements Posture collector parameters Policy collectorOperational Workflow155 Installation of posture collectors28 Tivoli Security Compliance Manager GUI login 157 30 Tivoli Security Compliance Manager Administration Console32 Import file selection dialog 34 Collectors signature validation 15935 Policy installation summary 161 Customization of compliance policies37 Policies view 163 38 Collectors configuration viewWarnversions PassversionVersionwf FaillastscanoverDefswf 165Warndefsolderthan Failminlenunder WarnminlenunderMinlenwf Warnmaxageover41 Editing collector parameters 167PASSWINDOWS2000 PasswindowsntWarnwindowsnt 169 Hotfixwf WarnhotfixesFailhotfixes KEY 171Value NokeyruleNovaluerule Pass173 Rule operators RulesRule results Checking for ZoneAlarm installation directoryRule format 175Checking for Windows XP firewall forced off 177 ReqserviceReqdisabled ServicerunningwfServicedisabledwf Reqrunning46 Copying an existing compliance query 17947 Destination policy selection dialog 48 Renaming compliance query 18149 Compliance query description modification 50 Violation message modification 18351 Disabling collector sharing 53 Saving changes made to the policy collectors 18554 Save policy collectors warning Assigning the policy to the clients55 Create group action selection 18757 Add policy menu selection 189 Deploying the client softwareTcmcli utility policy Prerequisites Cisco Trust Agent61 Certs directory with CTA 19162 Cisco Trust Agent installation wizard Installation of Cisco Trust Agent on Windows63 License agreement for Cisco Trust Agent 193Accept the defaults -64and click Next 195 65 Cisco Trust Agent installation typeClick Next Figure 67 Confirmation of the certificate import 197Click Finish to close the installation, as shown in Figure 199 IBM Tivoli Security Compliance Manager client70 Language selection Installation of the Security Compliance Manager client71 The welcome window 20172 Client Installation Utility window 203 74 Directory selection window 205 75 Setup type windowPull Accept the defaults and click Next77 Client connection window 20778 Server communication configuration window 209 79 Client Dhcp configuration windowNext 81 Successful completion window 21182 Security Compliance Manager posture plug-in files 213 Network enforcement subsystem implementationConfiguring the Cisco Secure ACS for NAC L2 Configuring NAC Framework components215 Installing Cisco Secure ACSConfiguring the administrative interface to Cisco Secure ACS 217 Interface configuration advanced optionsAdministration control Allowing administrator access via Http optional219 Cisco Secure ACS certificate setupUsing an ACS self-signed certificate Generating self-signed certificate 221Restart the Cisco Secure ACS Figure 223 Importing IBM Security Compliance Manager attributesExample 7-1 Security Compliance Manager attributes Example 7-2 Import Security Compliance Manager attribute 225Click CSV Passed Authentications Figure Configuring logging227 Select CSV Failed Authentications Figure11 Failed attempts logging 229 Configuring a network device group in Cisco Secure ACS13 Interface Configuration screen for the creation of NDGs 14 Network Device Group check box 23115 Network Configuration 16 AAA clients 23317 AAA client setup 18 AAA Clients 23519 Global Ietf Radius attributes Configuring Radius attributes237 Configuring groups21 Group Setup 239 Configuring users23 User-to-Group mappings 241 Global authentication setupClick Submit + Restart EAP-FAST configuration Condition EAP-TLS 243EAP-GTC 26 Posture Validation Configuring posture validation27 Posture Validation Policies 24528 CTA Posture Validation Policy 29 Posture Validation for CTA 247Click Add Condition Set Figure 31 Adding a condition set 24932 Posture validation rule creation for CTA check 33 CTA rule defined 25134 Quarantine condition applied as default action 35 Completed posture validation for CTA 253Click Apply and Restart, as shown in Figure 37 Repeating the process for Security Compliance Manager 25538 IBM Tscm policy creation 39 IBM Tscm policy creation 257Click Add Rule to get to the screen shown in Figure 41 Tscm policy components 259Page 261 Click Done Figure 45 Completed posture validation rules 263Click Radius Authorization Components Configuring Radius Authorization ComponentsIetf 26547 IOS RAC attribute 48 Ietf drop-down menu 26749 Healthy Sales RAC 269 Tunnel-Medium-Type 802 271 Configuring Network Access ProfilesClick Add Profile 51 Newly created NAP 273 52 Authentication configuration for RACFrom the screen shown in -53,click Add Rule 275 54 Partial configuration of posture validation55 Selecting CTA and Tscm policies 277 An example of the CTA Healthy pop-up is shown in Figure58 CTA pop-up configuration 59 Completed posture validation for Naciisscn 27960 Authorization rule creation User group System posture token Shared RAC 281RAC 62 Completed Authorization RAC configurationExternal User Database Configuring the Cisco Secure ACS for NAC L2/L3 IPUnknown user policy Clientless user63 Downloadable ACL creation Downloadable Access Control Lists64 Naming of ACL 285Enter the name of the ACL and the ACL definition Figure 287 Select Radius Authorization ComponentsVendor Attribute Value 289 Click Add Rule68 L2IP Healthy Authorization rule 291 Deployment of the network infrastructureClick Apply and Restart Configuring Cisco 3750 switch for NAC L2 293 Page 295 Configuring Cisco 3750 switch for NAC L2 IPPage 297 Has been applied to the switchportNo URL Redirect Configuring Cisco IOS Router for NAC L3 IP299 Page 301 Verifying Network Admission Control Example 7-3 Output of show eou and show eou all command303 Configuring NAC Appliance components71 Installation wizard Installing CCA Agent305 72 Default install directoryCCA version Required ports Configuring a CCA OOB VG server307 75 CAM loginClean Access Summary window will be displayed Figure 77 Device Management 30978 Adding a new CAS Click Add Clean Access Server79 Successful CAS addition 31180 CAS Status screen 81 Network IP screen 31382 Managed subnets Select Advanced → Vlan Mapping315 Configure default loginClick Administration → User Pages → Login Select Switch Management → Profiles → Group → New Configuring a Switch Group317 85 Switch Group creationVerify your new switch group Figure 319 Configuring a switch profile88 Switch profile Configuring Port Profile321 Select Switch Management → Profiles → Port → New Figure90 Managed profile creation 323 Configuring Snmp receiverClick Switch Management → Profiles → Snmp Receiver Select Switch Management → Devices → Switches → New Adding a managed switch325 93 Manually adding a switch to be managedAs seen in -94,click the Ports icon 327 Defining user rolesClick User Management → User Roles → New Roles Click Save Role when completed 329 Creating traffic policiesClick User Management → User Roles → Traffic Control → IP 98 Rules for trusted to untrusted 331 ActionAllow StateEnabled CategoryIP ProtocolTCPClick Add Policy Click User Management → Local Users → New Local User Creating local users333 Click Create User102 List of local users Configure Clean Access Agent335 Click Add Check104 CCA version compliance check 105 Rules check list check 337Rule Description Rule NameOperating System Rule Expression107 CCA Compliance rule definition 339Newly defined rules will be displayed Figure 341 Click Requirements → New Requirements FigureClick Add Requirement 110 CCA Agent update 343 Click Requirement Rules112 CCA Compliance Requirement rule Click Role-Requirements113 Role requirements 345114 Viewing online users Discovered clients347 Logging on as a client117 Web page pop-up informing user about non-compliance Click Continue349 118 Temporary access notification120 Security Compliance Manager Compliance Report window 351 123 Successful login Configuring Cisco 3750 switch for NAC Appliance353 Example of interface configuration for CAM interfaceExample of Snmp configuration 355 Remediation subsystem implementationPage 357 Automated remediation enablementPrerequisites Remediation server software setup359 Tivoli Configuration ManagerTivoli Configuration Manager Web Gateway setup Installation of Web infrastructure Preparing for the installationInstallation of the DB2 database WebSphere Application Server launchpad 361WebSphere Installation Wizard window Software License Agreement window 363Installation type selection Component selection dialog 365Destination folder selection window Node name selection window 367Run as a service selection window 369 Installation options summary10 Online registration dialog 371 Patching WebSphere Application Server installation12 WebSphere product location 373 13 Installation option selection14 Fix packs directory location Creating the necessary user account375 Installation of Tivoli Configuration Manager Web GatewayWelcome window is presented -16. Click Next 17 License agreement window 37718 Component selection 379 19 Installation directory selection window20 Database configuration window 381 21 Web infrastructure configuration window22 Endpoint configuration window 383 23 Secure access configuration24 Summary of installation options 385 Configuration of the remediation serverInstallation of Software Package Web Server 387 26 WebSphere administrative console login27 Install new application 389 28 Preparing for the application installation29 Installation option summary dialog 391 30 Installation status window31 Saving the configuration changes 393 Configuration of the Software Package Web ServerInstallation of the Software Package Utilities 395 Cd %BINDIR% Cd tcmremed\cfg Sputilinitialsetup.bat 397 Creating remediation instructions for the usersLocating Html 33 Directory structure for Html pages 399Posture item Html DefaultlangBase Html 401 Html pages examplePosture element Html Variables and variable tags403 Wfattribute tagField Tag Fail Remattribute tag\PROGRA~1\IBM\SC 405Logging available attributes Debug attributes407 Logging posture itemsLogging the Html search path 409 Creating Html pages for Abbc policyExample 8-4shows the Html source code for this 411 Example 8-5 Content of style definition filePage 413 Example 8-6 Html source for password length policy detailsWfattributecurrentvalues.brbWARNING fieldmsg/bbr 415 Example 8-7shows the Html source forPage 417 Building the remediation workflowsTCRNavScan workflow 419 Example 8-8 Content of NavScanMessageen.wsfExample 8-9 Content of Sample.properties file for TCRNavScan 421 38 Remediation handler interface with the warning 423 TCRNavVirusDefUpdatePage 425 TCRNavSoftwareInstalledTCRMSPatchesInstallWinXP 427 HotfixId=KB896423 TmfWebUIEndpoint=tcmweb 429 TCRMSServicePackInstallWinXpSp2Page AddRegistryValueBeforeExecData.arrayLength=2 431TCRZLSoftwareInstalled 433 NorebootTCRZLSoftwareRunning 435 TCRMessengerDisabledModification of the remediation packages 437 Page 439 Part 3 AppendixesPage 441 Appendix A. Hints and tipsDeployment overview Appendix A. Hints and tips 443Top-level sequence of events Figure A-2 Isscn top-level sequence diagram Cisco Trust Agent Security Compliance Manager and NAC compliance subsystemCisco NAC sequence of events Figure A-4 Cisco NAC sequence diagramFault isolation Appendix A. Hints and tips Tivoli Security Compliance Manager Server Security Compliance Manager server and clientTools and tricks Summary of default port usageCommunication port usage Cisco NACCisco IOS Software router Cisco IOS Software switchCisco Secure ACS server Tools and tricks for the client40500 Cisco NAC Appliance components NAC Appliance detailsIn-band versus out-of-band NAC Appliance integration Integration design NAC Appliance Agent Integration componentsNACApplianceCompliance.entry TSCMAgent.batKickrich.html SchedulerInstalling and configuring prototype integration components Scheduler.bat System pathNAC Appliance Manager Considerations for designing a production solutionState mapping and scenarios Page Appendix A. Hints and tips Page 43 Sequence of Events for Scenarios #5 and #6 Conclusion 471 Appendix B. Network Admission ControlBenefit of NAC Executive summary473 Dramatically improve network securityNAC implementation options 475 NAC ApplianceInvestment protection NAC Framework solution477 Planning, designing, and deploying an effective NAC solutionNAC Appliance components Next stepsNAC technology 479 NAC Framework componentsPage 481 Locating the Web materialHow to use the Web material Using the Web material483 IBM RedbooksOther publications Online resources How to get IBM RedbooksHelp from IBM IBM Support and downloads IBM Global ServicesPage 487 NumericsSCM client communication Html GlbaNAD NACCreation Deployment PPP Sarbanes-Oxley Act Vlan UDPURL Page Page Page Building a Network Access Control Solution