Thursday, August 23, 2007

NAC Network Modules

I just wanted to give everyone the update on the new NME-NAC-K9 module. It is supported as of Cisco NAC Appliance release 4.1(2). The Cisco NAC Network Module (NME-NAC-K9) implements the Clean Access Server functionality on the next-generation service module for the Cisco 2811/2821/2851 and 3825/3845 access routers. The NAC network module ships with Cisco NAC Appliance software release 4.1(2) (or later) pre-installed, with the Clean Access Server software running as the application code. The Clean Access Server operating system is based on an optimized version of Linux. The NAC network module is an ideal NAC solution for small groups of users in remote locations where an integrated services router is already deployed. It can be equipped with either a 50-user or 100-user license to support branch offices.

The following are some documents to get you started with the new NAC Network Module:

Getting Started with Cisco NAC Network Modules in Cisco Access Routers
-- New guide describing initial configuration and deployment examples

Installing Cisco Network Modules in Cisco Access Routers
-- New Chapter in the Cisco Network Modules Hardware Installation Guide

Tuesday, August 21, 2007

Book Review - Cisco NAC Appliance Book

Title: Cisco NAC Appliance: Enforcing Host Security with Clean Access
Author: Jamey Heary, CCIE #7680

Contributing Authors: Jerry Lin, CCIE #6469, Chad Sullivan, CCIE #6493, and Alok Agrawal
Publisher: Cisco Press

I want to start out by saying that this book completely exceeded my expectations for the first NAC Appliance book. I wish it had been published three years ago. The author clearly articulates the business benefits of NAC, including how NAC provides return on investment (ROI), which gives any reader the know-how to purchase Cisco NAC Appliance wisely. He also shows his technical expertise by diving extremely deep into the inner workings of Cisco NAC Appliance, which gives engineers, consultants, and operations staff the information they need to successfully deploy or maintain the product.

This book goes into great detail on the process flows for In-Band and Out-of-Band users, Clean Access Agent (CAA) users, and network-scanning users. The information on the different deployment options and how to use them in diverse environments is a great starting point for your NAC design. This book makes the confusing topics seem easy and manageable.

Some of the highlights that caught my eye and I thought everyone would like were:

  • Chapter on Host Security Policy – A wealth of information on how to design and create a Host Security Policy as it relates to NAC Appliance; invaluable for deployments
  • Exploration of High Availability and Load Balancing – Information on how to load balance Clean Access Servers using the CSM, CSS, ACE and PBR that cannot be found anywhere else. This includes saving money on Failover Bundles by using N+1 failover
  • Layer 3 OOB Deployment options – Walk-through of the benefits of the different methods of deploying L3 OOB, e.g. PBR, ACLs, VPNs, etc.
  • Deployment Best Practices – An entire chapter on how to plan, schedule, and keep all parties happy during your NAC Appliance deployment
  • Monitoring & Troubleshooting information – Detailed list of all logs located on the CAM and CAS, as well as information on how to troubleshoot and monitor online users

All in all this is a great book and I would recommend it to anyone interested in buying, deploying, operating, or troubleshooting Cisco NAC Appliance. This is definitely a great reference manual to have at your desk!

Buy it at Amazon or Cisco Press

Friday, August 17, 2007

NAC WSUS Requirement Type


New to 4.1(1), WSUS Requirements give NAC Appliance administrators the ability to seamlessly integrate with local WSUS servers, or to use Microsoft's own update servers, to ensure users are up to date on their Microsoft service packs and patches.

Configuring WSUS Requirements:

The following are the options available when configuring a WSUS Requirement:

  • Update Validation source - This determines how the Agent checks whether a particular client machine is up to date with patches. The check can be done against the WSUS server itself OR against Cisco rule sets.
    • Cisco Rules - In this case, the new "WSUS Server Update services" requirement needs to be mapped to the standard Cisco rule sets such as XP_hotfixes etc. Standard registry scans are performed on the client machine based on these rule sets.
    • WSUS Server - In this case, the Clean Access Agent makes an API call to the WSUS Agent on the client machine to check compliance. Because the Cisco rule set is not used here (the WSUS client talks directly to the WSUS server), there is no need to map a rule set to the requirement.
  • Update Installation source - This determines how the user is remediated once we have established that he/she is non-compliant. Remediation can pull patches either from local WSUS servers OR from Windows Update.
    • WSUS Servers - Download and install the patches from the local WSUS servers.
    • Windows Update - Download and install patches from the Microsoft Windows Update website.
  • Update Installation type - This determines what type of hotfixes should be downloaded and installed from the chosen source.
    • Express - This option installs the same Windows updates as would be available from the Windows Update application's "Express" option. (For example, the Windows "Express" option may include just Critical and Important security updates, or it may call for installing an entire service pack.)
    • Custom - Use this setting and the associated dropdown menu to install updates based on their severity by choosing Critical, Medium, or All. Selecting Critical installs only the most severe/critical Windows updates; selecting Medium installs all updates except those classified as "low severity" by Microsoft; selecting All installs every currently available Windows update, regardless of severity.
    • Upgrade to Latest OS Service Pack - Automatically install the latest service pack available for the user's operating system.
  • UI Experience - This setting controls what the end user sees while updates are being installed.
    • Show UI - The Windows Update UI (showing that patches are being installed) is displayed to the user.
    • No UI - Updates are applied silently; the user sees no UI indicating that updates are being installed.
Figure 1 - Configuring a WSUS Requirement

Notes on configuring WSUS Requirements:
  • Validation against the WSUS server may take 10-15 seconds.
  • Make sure access to the WSUS server or to Windows Update (depending on which installation source is used) is opened in the Temporary role; otherwise the client is blocked from remediating itself.
  • Make sure that the client PC can reach the WSUS server on port 80/443. These are the ports the client machine uses to talk to the WSUS server.
  • WSUS updates may take a long time, so it is important to set the Session Timer for the Temporary role long enough for the updates to complete.
  • In order to support Windows Server Update Services operations, client machines must have version 5.4.3790.1000 (or a more recent version) of the WUAUENG.dll file installed.
  • If there are update errors, see C:\Windows\Windows Update.log or C:\Windows\WindowsUpdate.log.
  • To see if a local WSUS server is configured, open HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate in the registry; the "WUServer" value lists the server URL.
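The notes above amount to a short pre-flight check on the client. As an added example (not from the original post or Cisco's documentation), here is that check as a PowerShell script run on the Windows client. It reads the WUServer value and the wuaueng.dll version from the locations named in the notes, takes the WSUS host and port from the WUServer URL (80 or 443 by default), and falls back to an assumed Windows Update hostname when no WSUS server is configured; adjust that hostname to match your own Temporary-role traffic policy.

```powershell
# Added example, not part of the original post: client-side pre-flight checks
# for a WSUS Requirement, following the notes above.

# 1. Is a local WSUS server configured? (registry location from the notes)
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
if ($wuServer) {
    Write-Host "Local WSUS server configured: $wuServer"
} else {
    Write-Host "No WUServer value found; the client will go to Windows Update directly."
}

# 2. Is the Windows Update Agent new enough? (minimum version from the notes)
$minVersion = [version]'5.4.3790.1000'
$dll = Get-Item -Path "$env:SystemRoot\System32\wuaueng.dll" -ErrorAction SilentlyContinue
if ($dll) {
    $vi = $dll.VersionInfo
    # Build the version from the numeric parts; FileVersion can carry a trailing build string.
    $dllVersion = New-Object System.Version -ArgumentList @(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($dllVersion -ge $minVersion) {
        Write-Host "wuaueng.dll $dllVersion meets the minimum $minVersion"
    } else {
        Write-Warning "wuaueng.dll $dllVersion is older than $minVersion; update the WU agent first"
    }
} else {
    Write-Warning "wuaueng.dll not found"
}

# 3. Can the client reach the update server on 80/443 from its current (Temporary) role?
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if ($wuServer) {
    $uri = [uri]$wuServer
    # Port comes from the URL scheme (80 for http, 443 for https) unless given explicitly.
    $targets = @(@{ Host = $uri.Host; Port = $uri.Port })
} else {
    # Assumed hostname for the Windows Update path; change to match your traffic policy.
    $targets = @(
        @{ Host = 'windowsupdate.microsoft.com'; Port = 80 },
        @{ Host = 'windowsupdate.microsoft.com'; Port = 443 }
    )
}
foreach ($t in $targets) {
    $ok = Test-TcpPort -HostName $t.Host -Port $t.Port
    Write-Host ("{0}:{1} reachable: {2}" -f $t.Host, $t.Port, $ok)
}

# 4. Surface recent warnings/errors from the Windows Update log (paths from the notes)
$logs = @("$env:SystemRoot\WindowsUpdate.log", "$env:SystemRoot\Windows Update.log")
foreach ($log in $logs) {
    if (Test-Path -Path $log) {
        Write-Host "Recent WARNING/FATAL lines in ${log}:"
        Get-Content -Path $log | Select-String -Pattern 'WARNING|FATAL' | Select-Object -Last 20
    }
}
```

Run it from the Temporary role, not from a fully authorized session: a reachability failure there is exactly the traffic-policy gap the second note warns about, and a client that passes all four checks but still fails remediation usually points at the Session Timer being too short for the update set chosen.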

WSUS Requirements are a great new best-practice method to ensure that Windows hosts are truly up to date with Microsoft patches.

Sources: 4.1(2) CAM Admin Guide; What's New in 4.1(1)

Monday, August 13, 2007

CAA Requirement Best Practices - Enforce Types

In the world of NAC Appliance, when using the Clean Access Agent, there are three different enforcement types for a requirement:

Audit—Silently audit. The client system is checked "silently" for the requirement without notifying the user, and a report is generated. The report results (pass or fail) do not affect user network access.

Optional—Do not enforce requirement. The user is informed of the requirement but can bypass it if desired (by clicking "Next"). The client system does not have to meet the requirement for the user to proceed or have network access.

Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.

So why is this so important for NAC deployments? It gives administrators the ability to deploy with the least possible impact. All deployments should start with AUDIT-type requirements. By doing this we are able to see how many users are coming onto the network without compliant workstations. From this information we can see whether all the methods users rely on to get patches, updates, etc. are actually working. (For example, if WSUS or ePolicy Orchestrator is not working correctly, you will immediately see almost all hosts out of compliance.)

Next, change all of the previous AUDIT requirements to OPTIONAL requirements. This still allows users access, in case of any discrepancy in your policy or remediation strategy, but gets them over the hurdle of learning how to self-remediate.

Finally, switch to MANDATORY requirements to ensure that all policy is enforced.

The last major consideration is how to schedule this type of roll-out. I typically recommend 30-45 days for AUDIT requirements and then 30-60 days for OPTIONAL requirements, but this must be determined on a per-organization basis. The key thing to take from this posting is that you have this wonderful option to phase the enforcement of policy for your NAC deployment, and it will help ensure a smooth transition for administrators and end users. It is one of the less talked-about configuration options you can use to make your NAC deployment more successful.

Sunday, August 5, 2007

Jamey Heary's Cisco NAC Blog on Network World

Make sure to check out the new blog on Cisco Subnet. Jamey Heary, the author of the new Cisco NAC Appliance book, is writing it. It can be checked out here:

About the Blogger:

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.