Manuals / IBM / Computer Equipment / Network Card

IBM Tivoli and Cisco manual Policy enforcement points, Branch office compliance

Models: Tivoli and Cisco

1 516

Download 516 pages 58.69 Kb

Page 85

3.4.2 Policy enforcement points

The IBM Integrated Security Solution for Cisco Networks employs the Cisco NAC solution to restrict access to users depending on the compliance level of the client. The NAC solution requires network access devices (NAD) to be deployed at various network points to enforce the policy. Some of the widely used network topologies and possible policy enforcement points are discussed here.

Branch office compliance

Most medium and large networks have regional and branch offices. Routers are usually deployed at both ends (for example, at the headquarters and the branch office). Hence there are two locations at which policy enforcement can be achieved at the branch router or at the headquarter router. In addition, if the branch office has a NAC-capable switch, the NAC policy enforcement can be implemented on the switch.

Branch egress enforcement

Regional and branch offices can have the policy enforcement point deployed at their location before they connect to the central data center at the branch routers itself (Figure 3-10).

		Remote Office
		Branch Office Compliance
		(Branch egress Enforcement)
		Remote
		Offices
Remote	Regional
Offices	Offices		Corporate
		Private	Corporate
		Private	Headquarters
		WAN	Headquarters
		WAN	Data Center
			Data Center
	AAA	Internet
		Internet
			AAA
		Remote
		Offices
		AAA	AAA
		AAA	Server
			Posture Enforcement
			Points
			Router

Figure 3-10 Branch egress enforcement

Chapter 3. Component structure 67

Image 85

IBM Tivoli and Cisco manual Policy enforcement points, Branch office compliance, Branch egress enforcement

Contents

Building a Network Access Control Solution Page International Technical Support Organization Second Edition January Contents Part 2. Customer environment Part 3. Appendixes Index Copyright License ViiIBM TrademarksAIX Preface Team that wrote this redbook Preface IBM US Become a published authorComments welcome Page New information January 2007, Second EditionChanged information Page Part 1 Architecture and design Page Business context Security compliance and remediation concept Why we need this Http//banking.senate.gov/conf Does this concept help our mobile users Business driver for corporate security compliance Corporate security policy definedAchievable benefits for being compliant Policy Development and Assurance ConclusionBusiness context Page Architecting the solution Architecture overview Solution architectures, design, and methodologiesWAN Network Admission ControlPage Security Compliance Manager Page Architectural terminology Tivoli Configuration ManagerSecurity policy Compliance queryRemediation handler Compliance User InterfaceNetwork Admission Control process TCM ACS Cisco NAC and IeeeAuthenticator Using Cisco terminologySupplicant Network identity provisioning Posture agentRemediation process Definition of a Network Admission Control project Phased rollout approachInternet Security compliance management business process Design processArchitecting the solution Security policy life cycle management Implementation CreationReview and update Solution objectivesEnforcement Network design discussion Default networkTrusted network Quarantine accessPerformance controls Scalability and high availability Implementation flowPage Conclusion Page Component structure Logical components Solution logical block diagramNetwork Admission Control Framework Network Admission ControlPosture validation server CSMon CSlogAdmission control client Policy enforcement devicePosture plug-in Logging serviceClean Access Server CAS Clean Access Manager CAMClean Access Agent CAA Network Admission Control ApplianceCompliance Clean Access Policy UpdatesCompliance server Compliance reporting AdministrationCompliance client Compliance client logical component Posture collectorPolicy collector Remediation Default remediation handlerRemediation server Posture cacheNetwork client Physical componentsRemediation handler component Security Compliance Manager client Cisco Trust AgentSecurity Compliance Manager policy IBM Integrated Security Solution for Cisco Networks servers Network access infrastructureNetwork access device Cisco Secure Access Control ServerTivoli Configuration Manager servers Solution data and communication flowPolicy Policy creation and deployment flowComponent structure Posture collection process flow Posture validation and policy enforcement flow Page Remediation flow Secure communication between components Secure communicationSecurity zones Component placementNAC communication Security Compliance Manager communicationLess Secure Network Uncontrolled zone Internet, external networksControlled zone intranet Controlled zone external network-facing DMZRestricted zone production network Restricted zone management networkBranch office compliance Policy enforcement pointsBranch egress enforcement Campus internal enforcement Branch Office Compliance Campus Ingress Enforcement Small Office Home Office compliance Soho Compliance PAT access protectionExtranet Compliance Extranet complianceLAB Compliance Lab complianceData Center Protection Data Center protectionRemote Access Protection Remote access protectionPart 2 Customer environment Page Armando Banking Brothers Corporation Company profile Network infrastructure Current IT architectureIBM Integrated Security Solution for Cisco Networks lab Armando Banking Brothers Corporation NAC Appliance Armando Banking Brothers Corporation Page Application security infrastructure DMZ Middleware and application infrastructureCorporate business vision and objectives Project layout and implementation phasesAction Reference Part I Security compliance server Project overviewNAC L3 IP NAC L2 IPPart III Remediation server CCA OOB VGConclusion Page Solution design Page Business requirements Functional requirements Network access control requirementsSecurity compliance requirements Remediation requirements Solution functional requirementsCaused by worms and other hostile software NAC solution conceptual functional requirements Security compliance criteria Remediation servicesAttempt Implementation architectureLogical components Component subsystems total solutionEstablishing compliance criteria Configuring the compliance serverTivoli Security Compliance Manager client components Establishing the policy collector parametersSolution design Setting the policy version Maxdataagesecs conceptual flow Setting the remediation handler URL attribute Enforcing compliance criteria 11 Setting the remediation handler JAR classpathACS Posture token13 Posture validation policies Page 14 Shared Radius Authorization Components Assigning the System Posture Token Performing remediation Remediation handler Html pages Physical componentsIBM Security Compliance Manager server Compliance subsystemNetwork Admission Control subsystem Access Control ServerIBM Tivoli Security Compliance Manager client Solution design Layer 2 devices NAC-enabled network deviceLayer 3 devices LRECisco Trust Agent Remediation subsystem IBM Tivoli Configuration Manager serverSoftware Package Web Server Conclusion Page 125 Compliance subsystem implementationInstallation of DB2 database server Tivoli Security Compliance Manager setup127 DB2 installation welcome windowDB2 version selection is presented similar to the one shown 129 Setup wizard welcome windowLicense agreement window 131 Installation type selection windowInstallation action selection window 133 Installation folder selection windowUser information dialog 135 Administration contact list dialog10 DB2 Instance configuration window 11 DB2 Tools selection dialog 13712 Administrator contact selection window 139 13 Installation options summary14 Installation completion window Installation of Tivoli Security Compliance Manager server15 Language selection dialog 141Database Configuration Administration UtilitiesServer 143 18 Setup type selection window19 E-mail server configuration dialog 145 20 Server Communication Configuration windowServer Security Configuration window is displayed, as shown 22 Database Location selection window 14723 Database configuration information 24 Database creation choice window 14925 Administrator User ID Configuration window 151 26 Installation options summary window27 Installation result window Configuration of the compliance policiesPosture items and posture elements Posture collectors153 Posture collector parameters Policy collectorOperational Workflow155 Installation of posture collectors28 Tivoli Security Compliance Manager GUI login 157 30 Tivoli Security Compliance Manager Administration Console32 Import file selection dialog 34 Collectors signature validation 15935 Policy installation summary 161 Customization of compliance policies37 Policies view 163 38 Collectors configuration viewWarnversions PassversionVersionwf FaillastscanoverWarndefsolderthan 165Defswf Failminlenunder WarnminlenunderMinlenwf Warnmaxageover41 Editing collector parameters 167Warnwindowsnt PasswindowsntPASSWINDOWS2000 169 Failhotfixes WarnhotfixesHotfixwf KEY 171Value NokeyruleNovaluerule Pass173 Rule operators RulesRule results Checking for ZoneAlarm installation directoryRule format 175Checking for Windows XP firewall forced off 177 ReqserviceReqdisabled ServicerunningwfServicedisabledwf Reqrunning46 Copying an existing compliance query 17947 Destination policy selection dialog 48 Renaming compliance query 18149 Compliance query description modification 50 Violation message modification 18351 Disabling collector sharing 53 Saving changes made to the policy collectors 18554 Save policy collectors warning Assigning the policy to the clients55 Create group action selection 18757 Add policy menu selection Tcmcli utility policy Deploying the client software189 Prerequisites Cisco Trust Agent61 Certs directory with CTA 19162 Cisco Trust Agent installation wizard Installation of Cisco Trust Agent on Windows63 License agreement for Cisco Trust Agent 193Accept the defaults -64and click Next 195 65 Cisco Trust Agent installation typeClick Next Figure 67 Confirmation of the certificate import 197Click Finish to close the installation, as shown in Figure 199 IBM Tivoli Security Compliance Manager client70 Language selection Installation of the Security Compliance Manager client71 The welcome window 20172 Client Installation Utility window 203 74 Directory selection window 205 75 Setup type windowPull Accept the defaults and click Next77 Client connection window 20778 Server communication configuration window 209 79 Client Dhcp configuration windowNext 81 Successful completion window 21182 Security Compliance Manager posture plug-in files 213 Network enforcement subsystem implementationConfiguring the Cisco Secure ACS for NAC L2 Configuring NAC Framework components215 Installing Cisco Secure ACSConfiguring the administrative interface to Cisco Secure ACS 217 Interface configuration advanced optionsAdministration control Allowing administrator access via Http optional219 Cisco Secure ACS certificate setupUsing an ACS self-signed certificate Generating self-signed certificate 221Restart the Cisco Secure ACS Figure 223 Importing IBM Security Compliance Manager attributesExample 7-1 Security Compliance Manager attributes Example 7-2 Import Security Compliance Manager attribute 225Click CSV Passed Authentications Figure Configuring logging227 Select CSV Failed Authentications Figure11 Failed attempts logging 229 Configuring a network device group in Cisco Secure ACS13 Interface Configuration screen for the creation of NDGs 14 Network Device Group check box 23115 Network Configuration 16 AAA clients 23317 AAA client setup 18 AAA Clients 23519 Global Ietf Radius attributes Configuring Radius attributes237 Configuring groups21 Group Setup 239 Configuring users23 User-to-Group mappings Click Submit + Restart Global authentication setup241 EAP-FAST configuration Condition EAP-GTC 243EAP-TLS 26 Posture Validation Configuring posture validation27 Posture Validation Policies 24528 CTA Posture Validation Policy 29 Posture Validation for CTA 247Click Add Condition Set Figure 31 Adding a condition set 24932 Posture validation rule creation for CTA check 33 CTA rule defined 25134 Quarantine condition applied as default action 35 Completed posture validation for CTA 253Click Apply and Restart, as shown in Figure 37 Repeating the process for Security Compliance Manager 25538 IBM Tscm policy creation 39 IBM Tscm policy creation 257Click Add Rule to get to the screen shown in Figure 41 Tscm policy components 259Page 261 Click Done Figure 45 Completed posture validation rules 263Click Radius Authorization Components Configuring Radius Authorization ComponentsIetf 26547 IOS RAC attribute 48 Ietf drop-down menu 26749 Healthy Sales RAC 269 Tunnel-Medium-Type 802 Click Add Profile Configuring Network Access Profiles271 51 Newly created NAP 273 52 Authentication configuration for RACFrom the screen shown in -53,click Add Rule 275 54 Partial configuration of posture validation55 Selecting CTA and Tscm policies 277 An example of the CTA Healthy pop-up is shown in Figure58 CTA pop-up configuration 59 Completed posture validation for Naciisscn 27960 Authorization rule creation User group System posture token Shared RAC 281RAC 62 Completed Authorization RAC configurationExternal User Database Configuring the Cisco Secure ACS for NAC L2/L3 IPUnknown user policy Clientless user63 Downloadable ACL creation Downloadable Access Control Lists64 Naming of ACL 285Enter the name of the ACL and the ACL definition Figure 287 Select Radius Authorization ComponentsVendor Attribute Value 289 Click Add Rule68 L2IP Healthy Authorization rule Click Apply and Restart Deployment of the network infrastructure291 Configuring Cisco 3750 switch for NAC L2 293 Page 295 Configuring Cisco 3750 switch for NAC L2 IPPage 297 Has been applied to the switchportNo URL Redirect Configuring Cisco IOS Router for NAC L3 IP299 Page 301 Verifying Network Admission Control Example 7-3 Output of show eou and show eou all command303 Configuring NAC Appliance components71 Installation wizard Installing CCA Agent305 72 Default install directoryCCA version Required ports Configuring a CCA OOB VG server307 75 CAM loginClean Access Summary window will be displayed Figure 77 Device Management 30978 Adding a new CAS Click Add Clean Access Server79 Successful CAS addition 31180 CAS Status screen 81 Network IP screen 31382 Managed subnets Select Advanced → Vlan MappingClick Administration → User Pages → Login Configure default login315 Select Switch Management → Profiles → Group → New Configuring a Switch Group317 85 Switch Group creationVerify your new switch group Figure 319 Configuring a switch profile88 Switch profile Configuring Port Profile321 Select Switch Management → Profiles → Port → New Figure90 Managed profile creation Click Switch Management → Profiles → Snmp Receiver Configuring Snmp receiver323 Select Switch Management → Devices → Switches → New Adding a managed switch325 93 Manually adding a switch to be managedAs seen in -94,click the Ports icon Click User Management → User Roles → New Roles Defining user roles327 Click Save Role when completed Click User Management → User Roles → Traffic Control → IP Creating traffic policies329 98 Rules for trusted to untrusted Click Add Policy ActionAllow StateEnabled CategoryIP ProtocolTCP331 Click User Management → Local Users → New Local User Creating local users333 Click Create User102 List of local users Configure Clean Access Agent335 Click Add Check104 CCA version compliance check 105 Rules check list check 337Rule Description Rule NameOperating System Rule Expression107 CCA Compliance rule definition 339Newly defined rules will be displayed Figure Click Add Requirement Click Requirements → New Requirements Figure341 110 CCA Agent update 343 Click Requirement Rules112 CCA Compliance Requirement rule Click Role-Requirements113 Role requirements 345114 Viewing online users Discovered clients347 Logging on as a client117 Web page pop-up informing user about non-compliance Click Continue349 118 Temporary access notification120 Security Compliance Manager Compliance Report window 351 123 Successful login Configuring Cisco 3750 switch for NAC Appliance353 Example of interface configuration for CAM interfaceExample of Snmp configuration 355 Remediation subsystem implementationPage 357 Automated remediation enablementPrerequisites Remediation server software setupTivoli Configuration Manager Web Gateway setup Tivoli Configuration Manager359 Installation of the DB2 database Preparing for the installationInstallation of Web infrastructure WebSphere Application Server launchpad 361WebSphere Installation Wizard window Software License Agreement window 363Installation type selection Component selection dialog 365Destination folder selection window Node name selection window 367Run as a service selection window 369 Installation options summary10 Online registration dialog 371 Patching WebSphere Application Server installation12 WebSphere product location 373 13 Installation option selection14 Fix packs directory location Creating the necessary user account375 Installation of Tivoli Configuration Manager Web GatewayWelcome window is presented -16. Click Next 17 License agreement window 37718 Component selection 379 19 Installation directory selection window20 Database configuration window 381 21 Web infrastructure configuration window22 Endpoint configuration window 383 23 Secure access configuration24 Summary of installation options 385 Configuration of the remediation serverInstallation of Software Package Web Server 387 26 WebSphere administrative console login27 Install new application 389 28 Preparing for the application installation29 Installation option summary dialog 391 30 Installation status window31 Saving the configuration changes 393 Configuration of the Software Package Web ServerInstallation of the Software Package Utilities 395 Cd %BINDIR% Cd tcmremed\cfg Sputilinitialsetup.bat 397 Creating remediation instructions for the usersLocating Html 33 Directory structure for Html pages 399Base Html DefaultlangPosture item Html 401 Html pages examplePosture element Html Variables and variable tagsField Tag Wfattribute tag403 Fail Remattribute tag\PROGRA~1\IBM\SC 405Logging available attributes Debug attributes407 Logging posture itemsLogging the Html search path 409 Creating Html pages for Abbc policyExample 8-4shows the Html source code for this 411 Example 8-5 Content of style definition filePage 413 Example 8-6 Html source for password length policy detailsWfattributecurrentvalues.brbWARNING fieldmsg/bbr 415 Example 8-7shows the Html source forPage 417 Building the remediation workflowsTCRNavScan workflow 419 Example 8-8 Content of NavScanMessageen.wsfExample 8-9 Content of Sample.properties file for TCRNavScan 421 38 Remediation handler interface with the warning 423 TCRNavVirusDefUpdatePage 425 TCRNavSoftwareInstalledTCRMSPatchesInstallWinXP 427 HotfixId=KB896423 TmfWebUIEndpoint=tcmweb 429 TCRMSServicePackInstallWinXpSp2Page AddRegistryValueBeforeExecData.arrayLength=2 431TCRZLSoftwareInstalled 433 NorebootTCRZLSoftwareRunning 435 TCRMessengerDisabledModification of the remediation packages 437 Page 439 Part 3 AppendixesPage 441 Appendix A. Hints and tipsDeployment overview Appendix A. Hints and tips 443Top-level sequence of events Figure A-2 Isscn top-level sequence diagram Cisco Trust Agent Security Compliance Manager and NAC compliance subsystemCisco NAC sequence of events Figure A-4 Cisco NAC sequence diagramFault isolation Appendix A. Hints and tips Tivoli Security Compliance Manager Server Security Compliance Manager server and clientTools and tricks Summary of default port usageCommunication port usage Cisco NACCisco IOS Software router Cisco IOS Software switchCisco Secure ACS server Tools and tricks for the client40500 Cisco NAC Appliance components NAC Appliance detailsIn-band versus out-of-band NAC Appliance integration Integration design NAC Appliance Agent Integration componentsNACApplianceCompliance.entry TSCMAgent.batKickrich.html SchedulerInstalling and configuring prototype integration components Scheduler.bat System pathNAC Appliance Manager Considerations for designing a production solutionState mapping and scenarios Page Appendix A. Hints and tips Page 43 Sequence of Events for Scenarios #5 and #6 Conclusion 471 Appendix B. Network Admission ControlBenefit of NAC Executive summary473 Dramatically improve network securityNAC implementation options 475 NAC ApplianceInvestment protection NAC Framework solution477 Planning, designing, and deploying an effective NAC solutionNAC technology Next stepsNAC Appliance components 479 NAC Framework componentsPage 481 Locating the Web materialHow to use the Web material Using the Web materialOther publications IBM Redbooks483 Online resources How to get IBM RedbooksHelp from IBM IBM Support and downloads IBM Global ServicesPage 487 NumericsSCM client communication Html GlbaNAD NACCreation Deployment PPP Sarbanes-Oxley Act URL UDPVlan Page Page Page Building a Network Access Control Solution