
Friday, September 28, 2007

Custom Checks - Integration with BigFix for Remediation

Background:

BigFix (www.bigfix.com) is one of the many remediation software solutions available that can work with NAC for a better end user experience. BigFix can enforce that a client has the proper software, patches, and updates on a device. This sounds a bit like NAC, but the missing puzzle piece is how to enforce that BigFix is really on the connecting device and doing its job. This post covers some of the checks that may be created to enforce the presence and compliance of BigFix on a device connecting to the network.

***Please note that there are many ways of looking for installed/running software, and it is best practice to check in two different manners (e.g. service and application check), but to keep this post more straightforward, I will only show one of the checks.


Is BigFix Installed:

To properly assess whether BigFix is installed, the following check tests whether the BESClient executable is actually there.

Check Category: File Check
Check Type: File Existence
Check Name: BigFix_Installed
File Path: SYSTEM_PROGRAMS\BigFix Enterprise\BES Client\BESClient.exe
Check Description: Check if BigFix is Installed
Operating System: Windows All

Figure 1 - Check if BigFix is Installed

Using a Link or File type requirement for this check will give administrators the ability to offer the BESClient to users that do not have it installed. This will ultimately save on help desk calls and bring the host into compliance automatically.


Is BigFix Running:

Next, it is good to check whether BigFix is actually running. The following custom check tests whether the BESClient service is running.

Check Category: Service Check
Check Type: Service Status
Check Name: BigFix_Running
Service Name: BESClient
Check Description: Check if BigFix is Running
Operating System: Windows All

Figure 2 - Check if BigFix is Running

If a user does not have the BESClient running, we can use a Launch Programs requirement type to launch the BESClient. Look back to the blog for a future post on Launch Program Requirements.


Is BigFix Compliant:

Finally, BigFix has the ability to create central policy about what is needed on an end host. If the host has the latest patches, updates, etc., then the BESClient reports itself as "Compliant". The following custom check tests whether the BESClient is reporting itself compliant.

Check Category: Registry Check
Check Type: Registry Value
Check Name: BigFix_Compliant
Registry Key: HKLM\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\_BESClient_BigNACresult\
Value Data Type: String
Operator: Equals
Value Data: Compliant
Check Description: Check if BigFix is Compliant
Operating System: Windows All

Figure 3 - Check if BigFix is Compliant

This shows that if you already have policy created on your remediation platform, NAC Appliance can leverage that information by enforcing compliance with the policy before entry to the network.
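
The three checks above can be dry-run on a test host before they are enforced. The script below is an added example, not part of the original post or of any Cisco or BigFix tooling; it assumes SYSTEM_PROGRAMS maps to the Program Files folder, and the registry value name (`value`) is a placeholder because the post gives only the key and the expected data.

```powershell
# Added example: local dry run of the three custom checks described in this post.
# Assumptions: SYSTEM_PROGRAMS maps to the Program Files folder, and the registry
# value name ('value') is a placeholder because the post does not state it.
param(
    [string]$ValueName = 'value'   # assumed; set to the value name your check uses
)

$exeSuffix = 'BigFix Enterprise\BES Client\BESClient.exe'
$keySuffix = 'BigFix\EnterpriseClient\Settings\Client\_BESClient_BigNACresult'

function Test-BigFixInstalled {
    # File Check / File Existence. The (x86) folder is tried as well, on the
    # assumption that a 32-bit client on 64-bit Windows installs there.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        if (Test-Path -LiteralPath (Join-Path $root $exeSuffix) -PathType Leaf) {
            return $true
        }
    }
    return $false
}

function Test-BigFixRunning {
    # Service Check / Service Status: the service must exist and be Running.
    $svc = Get-Service -Name 'BESClient' -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Test-BigFixCompliant {
    # Registry Check / Registry Value: string data must equal "Compliant".
    # WOW6432Node is tried as well, under the same 32-bit-on-64-bit assumption.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $key  = Join-Path $root $keySuffix
        $item = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($item -and $item.$ValueName -eq 'Compliant') { return $true }
    }
    return $false
}

# One row per check, named as in the post, so a failing host shows exactly
# which of the three checks it would not pass.
[pscustomobject]@{ Check = 'BigFix_Installed'; Passed = (Test-BigFixInstalled) }
[pscustomobject]@{ Check = 'BigFix_Running';   Passed = (Test-BigFixRunning) }
[pscustomobject]@{ Check = 'BigFix_Compliant'; Passed = (Test-BigFixCompliant) }
```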


Summary:

NAC Appliance may leverage the functionality of other vendors' remediation solutions by using them to remediate non-compliant hosts. NAC can, on some occasions, even enforce the policies or requirements of those solutions on hosts before the device is allowed on the network. This post should help administrators understand that the integration can be performed and really will help leverage the existing investments made in remediation solutions.

Friday, September 21, 2007

Chalk Talk Series 3 - Update

To give everyone the update, the following is the schedule for the upcoming NAC chalk talks:

September 27th: Cisco NAC Profiler Introduction
Prem Ananthakrishnan will introduce the Cisco NAC Profiler, which discovers, tracks,
and monitors all non-PC endpoints attached to a network. By adding Profiler to a NAC
deployment, customers can apply policies and access privileges to non-PC endpoints.

October 4: Secure Guest with Cisco NAC
Enhance guest access with Cisco’s NAC Guest Server. Syed Ghayur will introduce the
advanced provisioning and reporting features of this latest addition to the Cisco NAC
product line.

Access Information:

Time - 10am PDT, 12pm CDT, 1pm EDT
Audio - Toll-free US/Canada: 1-800-370-2618
Meeting ID: 321456#
Web - Disable any pop-up blocker software
http://gc46gw1.meetingplace.net
Enter Meeting ID 321456

Tuesday, September 18, 2007

Priveon Launches Real World NAC Appliance Training

Most training courses prepare individuals for certifications, but Priveon's Real-World training is the exact opposite. Their new Cisco NAC Appliance class is focused around how to design, deploy, operate and optimize Cisco NAC. With 20 labs and a topology that mimics typical organizations' environments, the class is very impressive and valuable for everyone interested or involved with Cisco NAC Appliance! I have personally reviewed the class and I highly recommend it to anyone wanting to take their expertise to the next level.


www.priveon.com

Priveon NAC Appliance Training Page
http://www.priveon.com/training/cisco-naca-training/priveon-real-world-naca-training.html

Saturday, September 15, 2007

NAC Chalk Talk Video on Demand (VOD) - A success for Force 3 and its clients

For those of you who missed the NAC Chalk Talk I did on Thursday, here is the link to the Video on Demand, so that you can catch some of the deployment best practices.

Cisco NAC Appliance: A Success for Force 3 and Its Clients


http://tools.cisco.com/cmn/jsp/index.jsp?id=65948

I also want to thank the NAC Appliance Business Unit at Cisco and specifically Prem, who hosted me out in San Jose; he is the real Rock Star!

Friday, September 7, 2007

NEW NAC Chalk Talk Series - Starting Sept 13th

There is a new NAC chalk talk series starting next week and excitingly enough I will be the first person to present! My chalk talk will be focused around how to make your deployment more successful. This is your chance to ask me questions and get the answers live via IPTV! :)

If you are unfamiliar with the NAC chalk talks, they are a great source of information about how to design, deploy, configure, troubleshoot, operate and optimize Cisco NAC Appliance. Please review the existing series by visiting the link below:
View the existing NAC Chalk Talks



The details of my upcoming chalk talk:

CISCO NAC APPLIANCE CHALK TALK SERIES 3

Kicking off SEPTEMBER 13th with a LIVE VIDEO BROADCAST featuring Jamie Sanbower from Force 3 --

Cisco NAC Appliance: A Success for Force 3 and Its Clients

Watch this interactive session to learn Force 3's secret to NAC success, key deployment strategies and how they use Cisco NAC to solve their client business requirements.

Date: Thursday, September 13th
Time: 10am PDT/12pm CDT/1pm EDT
Location: http://tools.cisco.com/cmn/jsp/index.jsp?id=65688 (requires CCO login)

No pre-registration required.


There will be additional chalk talks continuing the weeks following the 13th, so be sure to check back here for updates on the others!

Configure And Troubleshoot the Antivirus Definition Updates

Cisco posted a new Configuration Guide on how to configure and troubleshoot Antivirus Definition Updates. This is relevant for any deployment using Cisco preconfigured AV definition rules.

NAC Appliance (Cisco Clean Access): Configure And Troubleshoot the Antivirus Definition Updates

Thursday, September 6, 2007

Cisco NAC Profiler Documentation

Cisco NAC Profiler is here, and let me tell you this product makes deployments go a lot smoother. How nice is it not to have to find all of your printers, IP fax machines, UPS management, game consoles, etc.?

If you are interested in NAC Profiler services or consulting, please contact me jsanbower hotmail.com or visit www.force3.com

To save everyone some time, the following is a list of all the public documentation on Cisco NAC Profiler:

Cisco NAC Profiler Data Sheet
http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd806b7d4e.html

Cisco NAC Profiler Brochure
http://www.cisco.com/en/US/products/ps6128/prod_brochure0900aecd806b7e8c.html

Cisco NAC Profiler Q & A
http://www.cisco.com/en/US/products/ps6128/products_qanda_item0900aecd806b5d40.shtml

Cisco NAC Profiler Ordering Guide
http://www.cisco.com/en/US/products/ps6128/prod_bulletin0900aecd806b7d69.html

Configuration Guide 2.1.7
http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/217/nac_profiler_cg.html