Thursday, September 16, 2010

Intrusion Prevention Best Practice - IPS Placement


In today's organizations, attacks come from everywhere. As clichéd as it sounds, networks are borderless, and because of this organizations face more sophisticated threats. As networks evolve, many organizations struggle to have their intrusion prevention or other security architecture evolve at the same pace. Visibility is everything: you must be able to detect and respond to threats before they cause significant damage. The following entry is all about how to gain visibility in the different areas of the network.

IPS Overview

Wikipedia defines Intrusion Prevention Systems as a "network security appliance that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity."

By deploying IPS, organizations are able to identify, classify, and stop malicious traffic, including worms, spyware / adware, network viruses, and application abuse before they affect business continuity.

Internet Border & DMZ

The most common place to insert an IPS is at an organization's internet border(s) and DMZ(s). The following represents some of the options for placement of an IPS to protect an internet border and DMZ.

IPS Outside of Firewall

This architecture places the IPS outside of the internet firewall. This architecture was one of the first proposed when IPS came to market, but is not very common in today's environments.

  • Early indication of reconnaissance/scanning activities
  • Requires fewer interfaces to inspect traffic sourced from/destined to the DMZ and Internal Network
  • Destination/victim addresses will be NATed, requiring research to determine which device inside the organization is being attacked.
  • Source/attacker addresses from the inside of the organization will be NATed, requiring additional research to track down the source of any malicious traffic coming from the organization.
  • Inspection of traffic that will be dropped by the firewall anyway will create excess false positives.
  • No visibility of insider traffic destined to the DMZ
Figure 1 - IPS Placed Outside of the Firewall
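The NAT problem called out above is a correlation problem: an IPS outside the firewall reports the public address, and the analyst has to join the alert against the firewall's translation log to find the real host. The script below is an added example (not code from the post) that replays constructed ASA-style translation build/teardown messages into a time-windowed table and resolves an alert's public address/port back to the inside host; all addresses, hostnames and timestamps are made up, and port reuse is included to show why the alert time matters.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed firewall syslog lines in Cisco ASA style (sample data, not from the post).
# 305011 = dynamic translation built, 305012 = dynamic translation torn down.
# Outside port 61234 is reused by a different inside host at 10:20:00 on purpose.
FIREWALL_LOG = """\
Sep 16 2010 10:15:02 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.40/51234 to outside:203.0.113.5/61234
Sep 16 2010 10:15:09 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.41/40001 to outside:203.0.113.5/61235
Sep 16 2010 10:16:30 fw01 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.30.40/51234 to outside:203.0.113.5/61234 duration 0:01:28
Sep 16 2010 10:20:00 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.99/33000 to outside:203.0.113.5/61234
"""

XLATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-3050(?P<kind>11|12): "
    r"(?:Built|Teardown) dynamic (?P<proto>TCP|UDP) translation from "
    r"\S+:(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to \S+:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)

def parse_ts(text: str) -> datetime:
    """Parse the syslog-style timestamp used by both the firewall log and the alert."""
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

class Xlate:
    """One NAT translation and the time window during which it was active."""
    def __init__(self, in_ip: str, in_port: int, start: datetime) -> None:
        self.in_ip, self.in_port, self.start = in_ip, in_port, start
        self.end: Optional[datetime] = None   # None = still active at end of log

    def active_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t <= self.end)

Key = Tuple[str, str, int]   # (proto, outside_ip, outside_port)

def build_xlate_table(log: str) -> Dict[Key, List[Xlate]]:
    """Replay build/teardown messages into a per-(proto, ip, port) translation history."""
    table: Dict[Key, List[Xlate]] = {}
    for line in log.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue   # unrelated syslog message
        ts = parse_ts(m["ts"])
        key: Key = (m["proto"], m["out_ip"], int(m["out_port"]))
        history = table.setdefault(key, [])
        if m["kind"] == "11":
            history.append(Xlate(m["in_ip"], int(m["in_port"]), ts))
        else:
            # Close the most recent still-open translation for this public address/port
            for x in reversed(history):
                if x.end is None and x.in_ip == m["in_ip"] and x.in_port == int(m["in_port"]):
                    x.end = ts
                    break
    return table

XLATES = build_xlate_table(FIREWALL_LOG)

def resolve_internal_host(proto: str, public_ip: str, public_port: int,
                          alert_ts: str) -> Optional[Tuple[str, int]]:
    """Map the NATed address/port seen by an IPS outside the firewall to the inside host
    that owned it at the alert time. None means no translation was active then, which in
    practice usually points at unsynchronized clocks between sensor and firewall."""
    at = parse_ts(alert_ts)
    for x in XLATES.get((proto, public_ip, public_port), []):
        if x.active_at(at):
            return (x.in_ip, x.in_port)
    return None

if __name__ == "__main__":
    # Constructed IPS alert: the sensor only knows the public NAT address, not the real host
    print(resolve_internal_host("TCP", "203.0.113.5", 61234, "Sep 16 2010 10:15:45"))
```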

IPS Inside of Firewall for DMZ and Internal Network

This architecture places the IPS inside of the internet firewall protecting both the Internal Network and DMZ segments.

  • Only inspects traffic that the firewall allows into the network. (Minimizing False Positives)
  • Events will include real IP addresses and not NATed IPs.
  • Differentiate traffic to/from DMZ and Internal Segments.
  • Requires 2 IPSs or an IPS with enough interfaces to protect both segments.
  • Traffic between internal and DMZ will be inspected twice.
Figure 2 - IPS Placed Inside the Firewall

IPS Software or Module in the Firewall

With the growing popularity of Unified Threat Management (UTM), this architecture is becoming extremely common. It places the IPS functionality inside the internet firewall protecting both the Internal Network and DMZ segments without a separate appliance.

  • No additional appliance required, saving rack space and energy.
  • Events will include real IP addresses and not NATed IPs.
  • Differentiate traffic to/from DMZ and Internal Segments.
  • Some manufacturers limit the throughput of integrated IPS (just be sure that the integrated IPS will support the required bandwidth)
Figure 3 - IPS Software or Module in the Firewall

Data Center

One of the most important assets an organization has is its data. Most data is stored on servers located in a data center. This is why placing an IPS between users and the data center is becoming a must-have for organizations.

Most designs place the IPS at the most central point of the data center (typically the distribution or core layers). The main challenge when deploying IPS in a data center is preserving the same levels of redundancy and throughput that the data center already provides. This can be accomplished by using EtherChannel load balancing across separate IPS appliances. For more information on Cisco IPS in the Data Center with EtherChannel load balancing, please read Jamey Heary's blog post on the topic.

Remote Sites

Often forgotten, remote sites are an important part of an IPS deployment strategy. Advancements in WAN technology, like MPLS, allow for any-to-any access, creating a gap in visibility. The challenges of deploying IPS to remote sites include power, rack space, operations support, and cost. The following are the options for deploying IPS to remote sites:

IPS Appliance for each remote site

  • Full featured IPS
  • Scalable bandwidth for all sizes of remote offices.
  • Cost for a dedicated appliance, rack space and power
  • Management and Deployment of the appliance

IOS IPS running on the router at each remote site

  • Low Cost
  • No Additional HW
  • Manage with existing router management tools
  • Does not have full featured IPS code
  • Limited number of signatures
  • Can affect performance of the router
  • Must run supported software and router

IPS Module inside the router at each remote site

  • Full featured IPS
  • Low Cost
  • No additional rack mount units (module fits in the router)
  • Bandwidth is limited
  • Must have a supported router

Determining where IPSs should be placed in an enterprise is a must-do task. A single IPS on the internet border leaves organizations with a hard outer shell and a chewy inside. Hopefully this gives you some more details on the areas (Data Center and Remote Sites) that you should focus on. If you have additional questions, please feel free to email me.

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

Wednesday, September 8, 2010

Cisco NAC vs. 802.1X


Access Control is on the rise. A recent Gartner survey indicates that 50% of enterprises plan to implement 802.1X in their wired networks by 2011. Gartner believes that momentum will increase strongly, and that actual enterprise adoption will reach 70% by 2011. With that said, we have a lot of organizations evaluating the differences between Cisco NAC and Cisco 802.1X. Before we dive into the details of either solution, I thought it would be appropriate to compare the two.

Cisco NAC Overview

Cisco NAC Appliance (formerly Cisco Clean Access) was designed to use your organization's network infrastructure to enforce security policy compliance on all devices that attempt to gain access. You can use the Cisco NAC Appliance to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users before they can access the network.

  • Recognize users, their devices, and their roles in the network
  • Evaluate whether machines are compliant with security policies
  • Enforce security policies by blocking, isolating, and repairing noncompliant machines
  • Provide easy and secure guest access
  • Simplify non-authenticating device access
  • Audit and report who is on the network

Cisco NAC Components
  • NAC Manager - Central Policy Management
  • NAC Server - Enforcement Point
  • NAC Agent - Used for Authentication, Posture Assessment, and Remediation
  • NAC Profiler - Endpoint Discovery/Profiling and Behavior Monitoring
  • NAC Guest Server - Secure Guest Provisioning
Figure 1 - NAC Appliance Components

Authentication & Authorization

NAC can be deployed using in-band (IB) or out-of-band (OOB) modes. OOB is typically used for LAN deployments, while IB is used for VPN/wireless deployments.

With IB, authentication is performed at the NAC Server (CAS) by forcing traffic through it. Traffic is forced through the CAS using VLANs or routing (PBR, VRF, etc.). Authorization (after the user goes through authentication and posture assessment) is performed through ACLs on the NAC Server.

With OOB, authentication differs based on whether the user is Layer 2 or Layer 3 adjacent to the NAC Server. If the user is layer 2 adjacent, then VLANs are typically used and SNMP is used as the control plane to assign the appropriate VLAN. If the user is layer 3 adjacent to the NAC Server, SNMP will be used to assign VLANs, but authentication segmentation is typically performed by using ACLs or VRFs. Authorization is performed using dynamic VLAN assignment.

802.1X Overview

802.1X is a port-based authentication and access control protocol that allows for authentication and authorization of wired and wireless devices. 802.1X enforces policy compliance, controlling port access and tracking users. It asks the following questions:

  • Who are you? - Machine and/or User Authentication
  • Where can you go? - Based on authentication, the user is placed in the correct VLAN or a PBACL is used.
  • What service level do you receive? - The user can be given a per-user access control list to explicitly restrict or allow access to specific resources on the network, or given specific QoS priority on the network.
  • What are you doing? - Using the identity and location of the user, tracking and accounting can be better managed.

  • IEEE/Industry Standard (RFC3380, IEEE)
  • Recognize users, their devices, and their roles in the network
  • Provide easy and secure guest access
  • Simplify non-authenticating device access
  • Audit and report who is on the network

802.1X Components
  • Cisco ACS Server - Central Policy Management
  • Network Switches - Enforcement Point
  • 802.1X Supplicant - Client that provides credentials (Could be stand-alone or OS Supplicant)
  • NAC Profiler - Endpoint Discovery/Profiling and Behavior Monitoring
  • NAC Guest Server - Secure Guest Provisioning
Figure 2 - 802.1X Components


During authentication, traditional 802.1X keeps the port in a down state until authentication has been performed. If the newer "Open Mode" or "Low Impact" mode is used, the port passes traffic before authentication and a VLAN or PBACL is used to enforce access restrictions.

For authorization, 802.1X uses VLANs or Port-Based ACLs (PBACLs) to enforce access restrictions for devices. Policy can differ between the machine and user sessions. The switch acts as the enforcement point and uses RADIUS as the control plane with Cisco ACS.

Comparison of Cisco NAC & 802.1X

Above you should notice some major differences between the two access control methods, but I would like to take you a little deeper and call out some of the major differences.


If you have a requirement to perform detailed posture assessment and remediation within the next 12 months, then you must go with Cisco NAC Appliance. 802.1X does not perform posture, and the two access control methods do not work together.

One major question that comes up regarding posture is determining whether a device is owned or furnished by the organization. With NAC, you can perform Active Directory SSO or check for specific files/registry keys to determine if it is a corporate asset. With 802.1X you can use machine authentication with certificates to determine if the asset is owned by your organization. So even though you cannot perform posture assessments, you can check whether the device is yours by validating a certificate that is issued only to authorized machines.

Components & Control Plane

The use of ACS Servers vs. NAC Appliances is a major difference. The use of RADIUS vs. SNMP is another. Does it really matter? In most cases, NO it does not. In some cases, administrators prefer to use ACS because they are experts in using it.

Some organizations "refuse" to install another agent onto their desktop, so having the option of running a supplicant that is native to the Operating System is a huge benefit of 802.1X.

Switch Requirements

Cisco NAC Appliance has a list of OOB-supported switches, and the list is very comprehensive. This means there is less chance you will have to upgrade hardware or IOS. In order to take advantage of the newer features that make 802.1X very easy to deploy, switch support for 802.1X is a little more demanding of recent versions of code. Cisco has innovated around easing deployment of 802.1X, and because of this, Cisco switches are recommended (stay tuned to the blog for more posts around these features).

802.1X is a standard and is supported on most switches, whereas NAC OOB requires Cisco switches.

Network Changes

NAC network changes include SNMP configuration, new VLAN configuration, VRF and/or ACL configuration.

802.1X requires a standard access port template on each port, AAA configuration, RADIUS configuration and potentially ACL configuration.

NAC requires more initial configuration to perform authentication than 802.1X.

Deployment Methodology

With a NAC cutover, authentication is a must on day 1 and posture is typically implemented in audit mode. If a user does not have a way of authenticating (no agent, not logged into the domain, etc.), the user would be stopped.

With an 802.1X cutover, open authentication allows administrators to deploy with zero worries on day 1. If a user does not have a supplicant or the MAC is not configured for MAB, the switch port will remain open.


The bottom line is that both deployments have their advantages. NAC's ability to assess an endpoint's compliance with policy and 802.1X's ability to deploy on day 1 without any headaches give both options valid arguments. The real decision should be based on your environment: Do you need posture? Do you have all 2900XLs? Can you install an agent?

SOURCE: Multiple Sites on CISCO.COM


Tuesday, September 7, 2010

Cisco NAC Version Matrix

One popular request is a list of the features that come with each of the different versions. Below is a comparison of all the major code revisions of Cisco NAC Appliance.

4.8 (LATEST)

* Support for Cisco NME-NAC Platforms
* Administrator Access Restriction
* Out-of-Band Logoff
* In-Band and Out-of-Band Filter Behavior Enhancements
* RADIUS Session Timeout
* Passive Re-assessment
* Reporting Enhancements
* Agent Customization
* Agent Authorizes CAS
* Field-Replaceable FIPS Card for HP-Based Cisco NAC Appliances
* Cisco NAC Windows Agent Version
* Mac OS X Agent Version
* Cisco NAC Web Agent Version
* Features Optimized/Removed in Release 4.8
* Supported AV/AS Product List Enhancements (Windows Version 83, Mac OS X Version 7)


* FIPS 140-2 Compliance
* New Hardware Platform Support
* Cisco NAC Appliance WAN Deployment Enhancements
* AD SSO Requirements for Windows 7
* Windows 7 Support on Cisco NAC Agent


* Posture Assessment Support for 64-Bit Windows Operating Systems
* Agent Localization Support for "Double-Byte" Languages
* Selective Application Privilege Support for Windows Operating Systems
* Accessibility Support Via the JAWS Screen Reader Interface
* Full UTF-8 Compliance
* Agent Log Recording and Retrieval
* Support for EVDO Client Machines
* Optimized Windows Operating System Support
* Agent Configuration XML File Upload Enhancement
* Cisco Log Packager Agent Log Compiler Application
* Agent Backward-Compatibility
* Agent Upgrade Optional When Upgrading Cisco NAC Appliance
* Cisco NAC Appliance Agent Reports Enhancement
* Cisco NAC Windows Agent Version
* Mac OS X Clean Access Agent Version
* Cisco NAC Web Agent Version 4.6.0
* Administrator Web Console Enhancements to Support Cisco NAC Agent
* Features Optimized/Removed
* Supported AV/AS Product List Enhancements (Windows Version 78, Mac OS X Version 3)


* Policy Import/Export
* CAM/CAS SSL Certificate Management Enhancement
* CAM/CAS Software Upload Page Enhancements
* Database Snapshot Upgrade Enhancement
* Clean Access Manager High Availability User Interface Enhancement
* CAM/CAS Support Log Level Settings Enhancement
* CAM/CAS High Availability Configuration Able to Detect Hard-Drive Failure
* Support for Wireless Out-of-Band Deployments
* Assign Restricted VLAN for OOB Client Machines When Disconnected
* Certified Device List/Online User List Enhancements
* Out-of-Band Shield Enhancement
* Out-of-Band Discovered Clients Cleanup
* Pre-Login Banner
* Strong Password Support for Root Admin Users
* External Authentication Server Support for Web Administrator Login
* Support for Cisco NAC Appliance/NME-NAC Platforms Only
* Web Upgrade Support Removed
* Default CAM Web Console Password Removed
* Windows ME/98/NT OS Support Removed
* Policy Import/Export
* CAM/CAS SSL Certificate Management Enhancement
* CAM/CAS Software Upload Page Enhancements
* CAS Fallback Behavior Enhancement
* CAS HA Pair Link-Detect Configuration Enhancement
* DHCP Failover Behavior Enhancement
* Cisco NAC Appliance API Enhancement
* Supported AV/AS Product List Enhancements (Version 74)


* CAS Policy Fallback
* Clean Access Agent/ActiveX/Applet DHCP Release/Renew
* Support for GPO Update Trigger
* Online Update to Retrieve Switch OIDs
* Qualified Remediation Program Launch
* Clean Access Agent for Mac OS X Authentication
* Clean Access Agent Installation Options
* Clean Access Agent Language Template Support
* Clean Access Agent Silent Auditing
* Searchable Clean Access Agent Reports
* Certified Devices Timer Enhancements for Periodic Assessment
* DHCP Renewal Enhancements
* DHCP Subnet List Enhancements
* DHCP Global Option Enhancements
* IE 7.0 Support
* Clean Access Agent Enhancements (
* Port Profile Management for OOB Users
* Enhancements to Check Parameters
* Daylight Savings Time Support
* Supported AV/AS Product List Enhancements (Version 42)
* Deprecated IPsec/L2TP/PPTP/PPP Features
* Deprecated Roaming Features
* Support for Windows Vista Operating System
* RADIUS Challenge-Response Support
* Layer 2 Traffic Policy Support
* Multiple Active Directory Server Support in AD SSO
* Restricted Administrator Web Console Options Hidden from View
* Proxy Server Basic/Digest/NTLM Authentication Support
* VLAN Profiles
* VLAN Pruning
* Event Logs Enhancement
* Agent Report Retrieval API Operation
* Out-of-Band IP Refresh Enhancement
* Switch Port Configuration Enhancements
* SNMP Receiver Settings Enhancement
* Support for Windows Vista Operating System
* Windows Update Upon Agent Login
* Agent Reports Show System and User Information
* Agent IP Address Refresh/Renew Enhancement
* CAS-Agent Discovery (SWISS) Enhancements
* 4.1.0.x Agent Support on Release 4.1(1)
* MAC OS RADIUS Challenge-Response Support
* MAC OS Automatically Close Message Dialog After Successful Login
* MAC OS IP Refresh Support for Out-of-Band Deployments
* MAC OS Allow Only One Mac OS Agent to Run on the Client at a Time
* Cisco NAC Appliance Integration with Cisco NAC Profiler/Collector Solution
* New Cisco NAC Network Module (NME-NAC-K9) Support
* NAC Appliance Platform Type Display
* Debug Log Download Enhancement
* Active VPN Client Status Page Enhancement
* WSUS Requirement Configuration Display Enhancement
* New "service perfigo platform" CLI Command
* Web Login Support Using Safari Browser for Mac OS
* Windows Clean Access Agent Language Template Support Enhancement
* Cisco NAC Web Agent
* Support for Clients with Multiple Active NICs
* Clean Access Server HA Heartbeat Link Enhancement
* Clean Access Manager HA Configuration and Heartbeat Link Enhancements
* Guest User Login and Registration Enhancements
* LDAP Authentication Enhancement
* Clean Access Server and WSUS Interaction Enhancement
* Agent Restricted User Access Enhancement
* Device Filter List Display and Import/Export Enhancement
* Agent Report Information Display and Export Enhancement
* VPN SSO Login Enhancement
* VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal
* Syslog Configuration Enhancement
* Debug Log Download Enhancement
* cisco_api.jsp Enhancement
* CSRF Protection
* Proxy Support Enhancements
* ARP Broadcast Packet Handling Improvement
* Clean Access Server HA ARP Broadcast Enhancement
* Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
* Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
* Clean Access Agent Auto Remediation
* Delay Agent Logoff on CAM/CAS
* 64-bit Windows Operating System Agent Support
* Access to Authentication VLAN Change Detection Enhancement
* SNMP Inform Notification Enhancement
* SNMP "MAC Move Notification" Switch Port Configuration Support
* Trusted Certificate Authority Enhancement for Production Environments
* Enhanced CAM/CAS Web Console Features Certificate Warning Messages
* Ability to View and Remove Certificate Authorities from CAM/CAS Without Rebooting
* Enhanced Security with Server Identity Based Authorization
* JMX Over SSL Secured with Mutual Authentication
* HTTPS Connections Enhanced with Mutual Authentication
* Features Optimized/Removed
* CAS Fallback Behavior Enhancement
* CAS HA Pair Link-Detect Configuration Enhancement
* DHCP Failover Behavior Enhancement


* Support for Active Directory (Windows Domain) Single Sign-On (SSO)
* Corporate Asset Authentication and Posture Assessment by MAC Address
* Support for Layer 3 Out-of-Band (OOB) Deployment
* New Windows Update Requirement Type
* SMP Kernel Support for Super CAM
* Support for Assigning VLANs by VLAN Name in OOB Deployments
* Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments
* Ability to Change Priority of Wildcard/Range Global Device Filters
* Ability to View or Search Active L2 Devices in Device Filter List
* Ability to Test MAC Addresses Against Device Filters
* Support for Relay IP Class Restrictions on DHCP Server
* Support for DHCP Global Actions
* New "service perfigo maintenance" CLI Command for CAS
* Ability of Clean Access Agent to Send IP/MAC for All Available Adapters
* Support for Stub Installation/Update of the Clean Access Agent
* OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
* SNMP Enhancements for CAM
* CAS Host-Based Traffic Policy Enhancements for Proxy Servers
* Enhancements for DHCP Option Configuration Forms
* Authentication Cache Timeout
* Enable L3 Strict Mode
* OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs
* Link-Failure Based Failover in CAS HA
* Upgrade Enhancements
* CAM Disable Serial Login
* CAM Admin Console Login Enhancements
* Client OS Detection Signature Lookup
* Start Timer Specification for Cisco Updates
* API Enhancements
* Enhancements for Windows XP Media Center Edition/Tablet PC
* Restricted Network Access Option for Clean Access Agent Users
* Daylight Savings Time Support
* Support for Windows Vista Operating System
* License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers
* Improved Memory Footprint for Clean Access Agent Reports
* Broadcast ARP Server Management Option Removed
* Kernel Upgrade
* Debug Log Download Enhancement
* Syslog Configuration Enhancement



Today, organizations use IT to support their mission and business objectives. With the evolution of business through technology, organizations have proven that it can be an accelerator for growth, a competitive differentiator, a productivity enhancer, and even a way to strengthen employee satisfaction. The challenge organizations face is how to obtain these returns from the technology they have invested in.

This blog hopes to help unlock some of the secrets of deploying or using technology in a way that obtains a return on your investment: get the most out of the features, optimize your environment to save cost, and secure your IT infrastructure.

Some of the core topics that you can count on from this Cisco Security Blog:

  • Deployment Best Practices
  • Upgrade Announcements & Procedures
  • Gotchas & Workarounds
  • Troubleshooting Tips
  • Operationalizing Products

Unlike the Cisco NAC blog, CAYSEC will expand to cover Cisco ASA, IPS, SIEM, 802.1X, IronPort S-Series and C-Series (Web and Email), and router/switch security.

If you have comments/suggestions please contact me.