
Cisco NAC Appliance: Enforcing Host Security with Clean Access PDF

571 Pages·2007·9.29 MB·English

Preview Cisco NAC Appliance: Enforcing Host Security with Clean Access

Chapter 9: Host Posture Validation and Remediation

Cisco Clean Access Agent

Figure 9-18 Installation Options for the Agent Installer as Well as the Agent Download Options

— Reduced UI: The user can see the installation, but it requires no user input or selections.
— Full UI: The user is required to interact with the installer to complete the installation.
• Run Agent After Installation: Choose Yes or No.
• Stub Installation Options: When the installer is executed via a stub installer as downloaded for installation by a third-party software distribution system, you can configure how much interaction is required by the end user. The same options that were available to the direct installer are also configurable for the stub installer.

Using the stub Clean Access Agent allows a domain administrator to install Clean Access Agent such that on connection to the network, the necessary permissions are granted to the full Clean Access Agent.

Alternative Agent Installation Methods

Another alternative to installing Clean Access Agent via the web authentication page is to distribute it through your typical software delivery mechanism, such as login scripts, BigFix, or Microsoft SMS. To retrieve the installer files from NAM, you must navigate to the Installation option under the Clean Access Agent tab. At the bottom of this configuration page, you can download either the CCAA MSI Stub or the CCAA EXE Stub file as necessary for your software distribution mechanism. After it is downloaded, your software distribution system administrator has to appropriately script and test the automated installation process as with any other package currently distributed via this mechanism. The download options can be seen in Figure 9-18.

Agent Policy Enforcement

After Clean Access Agent authenticates to NAC Appliance, it is interrogated using mechanisms available to the current Clean Access Agent. The system will either have to meet the requirements or be brought into compliance in order to access the network. If the system does not meet requirements, access will be prevented or degraded if the administrator has configured the system for such access. The following sections cover the configuration of requirements, rules, and checks that will interrogate and remediate the end-user’s system.

Requirements, Rules, and Checks

You must map requirements, rules, and checks to implement the necessary remediation actions that you will define for your network-attached systems. Requirements implement decisions (remediation actions) as a result of what you determine systems must have to be considered compliant. Rules are mapped to a requirement in order to define the necessary guidelines that must be met to in turn meet the requirement. Checks are single parameters that must exist for custom rules to be met, such as the existence of a registry key or process.

Creating and Enforcing a Requirement

The following seven types of definable requirements are available:

• File Distribution
• Link Distribution
• Local Check
• AV Definition Update
• AS Definition Update
• Windows Update
• Launch Program

The seven options define what outcome will occur when a requirement is not met. After the necessary configuration between rules and requirements is defined, the administrator can assign the requirement to a specific normal login user role. At this point, on authentication, users are placed into the Temporary role until they meet the requirements tied to their specific normal login role.

A common requirement configured in a customer environment is an antivirus update. The following list steps through the necessary process to create that requirement:

Step 1 Before proceeding, you must ensure that your current antivirus product is supported by navigating to the Clean Access Agent > Rules > AV/AS Support Info page. You can select your specific antivirus vendor from the drop-down list and verify that your currently deployed antivirus is supported, as illustrated in Figure 9-19. After you verify that it is supported, you can continue with your configuration steps.

Figure 9-19 Antivirus and Antispyware Support Verification

Step 2 Prior to creating the requirement, you have to create the necessary rules that are the building blocks of the requirement. Remaining on the Rules page, select the New AV Rule option. All the substeps listed here are displayed in Figure 9-20 for configuring this specific antivirus rule.
  (a) Enter a rule name, such as Trend_Micro_AV_Definition.
  (b) Select Trend Micro, Inc. from the Antivirus Vendor drop-down list.
  (c) Select Virus Definition from the Type drop-down list.
  (d) Select the appropriate OS.
  (e) Enter a description.
  (f) Select the appropriate check boxes for the virus definitions you want to verify.

Figure 9-20 New Antivirus Rule Configuration

Step 3 After adding the rule, you are returned to the rule list page that contains all configured rules. It should be noted that you can edit, copy, and delete individual rules from this listing page.

Step 4 Now that you have a rule, you can create a requirement by navigating to the Requirements option under the Clean Access Agent tab. Select New Requirement. The substeps configured here for the new requirement are displayed in Figure 9-21.
  (a) Select AV Definition Update from the Requirement Type drop-down list.
  (b) Select the appropriate enforcement type:
      • Mandatory: The client absolutely must comply with this requirement to proceed on the network.
      • Optional: The user can bypass this requirement or comply as desired.
      • Audit: The requirement is checked, but the user is not notified of either a pass or fail outcome. The system reports the results back for administrative review.
  (c) Select the priority. The priority is where in the order of requirement enforcement the requirement is placed. Failure at any point causes the system to fail the requirements check.
  (d) Select the appropriate antivirus vendor name from the list.
  (e) Provide a requirement name.
  (f) Provide a description.
  (g) Select the operating systems on which the requirement should be evaluated.
  (h) Click the Add Requirement button.

Figure 9-21 New Antivirus Requirement Configuration

Step 5 After completion of that page, you are returned to the requirement list page where you can reorder, edit, and delete individual requirements.

Step 6 You can now associate the rules with your new requirement. Navigate to Requirement-Rules under the Requirements option. All substeps here are displayed in Figure 9-22.
  (a) Select the requirement name from the drop-down list.
  (b) Select the appropriate operating system.
  (c) Select the appropriate option for Requirement Met If:
      • All Selected Rules Succeed: All rules must be met.
      • Any Selected Rule Succeeds: At least one rule must be met.
      • No Selected Rule Succeeds: No rules must be met.
  (d) Set the number of days the client antivirus definition can be older than what NAM lists as current.
  (e) Select the rule you created earlier regarding the Trend_Micro_AV_Definition or select the appropriate pr_ rule provided by Cisco.
  (f) Click the Update button to commit the mapping.

Figure 9-22 Requirement-Rules Mapping

Step 7 Now that you have configured the requirement that relies on the mapped rules, you must choose to enforce the requirement on the chosen role. Navigate to Role-Requirements to configure this requirement assignment. The configuration of the following substeps is displayed in Figure 9-23.
  (a) Select the type of role you want to apply to the requirements as either Normal Login Role or Quarantine Role.
  (b) Select the User role to map the requirement.
  (c) Check the boxes in front of the requirement or requirements you want to map to this role.
  (d) Click the Update button to commit the change.

Figure 9-23 Role-Requirement Mapping

NOTE You might notice many of the rules and checks are prefaced with pr_ and pc_. pr_ indicates a Cisco-deployed preconfigured rule, and pc_ indicates a Cisco-deployed preconfigured check.

Many requirement types, rules, and checks are preconfigured and automatically updated by Cisco in addition to the unlimited number of configurations you can make yourself. Becoming familiar with the configuration of custom rules will provide you with extremely granular control over the policy you want to enforce.

Creating Checks

Checks are logic that allows the Cisco Clean Access Agent to verify that a registry key, file, service, or application exists and, if pertinent, whether it is running or not running. To create a new check, you simply navigate to the New Check option under the Rules menu option. You will now configure a simple application check to verify that ftpserv.exe is running on the system you are interrogating. The following steps are illustrated in Figure 9-24.

Step 1 Select Application Check from the Check Category drop-down list.
Step 2 Leave the default and only option of Application Status for this check type.
Step 3 Name the check.
Step 4 Provide the application name.
Step 5 Select Running in the Operator drop-down list.
Step 6 Provide a check description.
Step 7 Select the appropriate operating systems for this particular check.
Step 8 Select Automatically Create Rule Based on This Check.
Step 9 Click the Add Check button.
Step 10 Navigate to the Check List menu option and scroll to the bottom to see your check.
Step 11 Navigate to the Rule List menu option and scroll to the bottom to locate the created rule.
Step 12 Select Edit Rule to better understand the creation of the new rule. This rule is displayed in Figure 9-25.

Figure 9-24 Creating an Application Check for ftpserv.exe

Figure 9-25 Dynamically Created Rule for ftpserv.exe Running
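The way checks, rules, requirements and roles combine in the steps above can be modelled in a few lines. This is an added example, not code from the book or from Cisco NAC Appliance; it also goes one step past the text by pairing the ftpserv.exe Running check with "No Selected Rule Succeeds" so that the requirement is met only when the program is absent. The class, function names, priority ordering (lowest first), role name "Employee" and sample hosts are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Illustrative model only; not Cisco code. All names here are assumptions.
@dataclass
class Requirement:
    name: str
    enforcement: str   # "mandatory", "optional" or "audit"
    priority: int      # assumed: lower value is evaluated first
    met_if: str        # "all", "any" or "none" (Requirement Met If)
    rules: list        # callables: host dict -> bool

def app_running(exe):
    # Application check with the Running operator (case-insensitive match)
    return lambda host: exe.lower() in {p.lower() for p in host["processes"]}

def av_definition_current(current, max_days_older):
    # AV rule: client definitions may lag `current` by at most max_days_older
    return lambda host: (current - host["av_definitions"]).days <= max_days_older

def requirement_met(req, host):
    results = [rule(host) for rule in req.rules]
    if not results:  # an empty mapping would pass "all" and "none" vacuously
        raise ValueError(f"{req.name}: no rules mapped")
    return {"all": all(results), "any": any(results),
            "none": not any(results)}[req.met_if]

def evaluate(requirements, host, normal_role):
    """Return (role, blocking_requirement, bypassable_failures, audit_results)."""
    optional, audit = [], {}
    for req in sorted(requirements, key=lambda r: r.priority):
        ok = requirement_met(req, host)
        if req.enforcement == "audit":
            audit[req.name] = ok       # reported to the administrator only
        elif not ok and req.enforcement == "mandatory":
            return "Temporary", req.name, optional, audit  # first failure stops
        elif not ok:
            optional.append(req.name)  # optional: the user may bypass
    return normal_role, None, optional, audit

# Constructed sample data (dates and hosts are made up for the example)
NAM_CURRENT = date(2007, 6, 15)
REQS = [
    Requirement("AV_Update", "mandatory", 1, "all",
                [av_definition_current(NAM_CURRENT, 3)]),
    Requirement("No_FTP_Server", "audit", 2, "none",
                [app_running("ftpserv.exe")]),
]
STALE = {"processes": ["FTPSERV.EXE"], "av_definitions": date(2007, 6, 1)}
FRESH = {"processes": ["explorer.exe"], "av_definitions": date(2007, 6, 14)}
```

In this model a host that fails a mandatory requirement stays in the Temporary role and later requirements are not evaluated, so an audit-only result can be missing for hosts that never get past an earlier mandatory failure.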

Description:
Cisco® Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access, provides a powerful host security policy inspection, enforcement, and remediation solution that is designed to meet these new challenges. Cisco NAC Appliance allows you to enforce host security policies on all ho