NAC Updates

I want to apologize for the lack of posts over the past couple of months. I have been out performing NAC Deployments non-stop.

I thought I would kick things off by offering some updates on the latest software release. Look for more custom check and best practice posts soon. Also, if anyone has any requests on something they would like to see posted about let me know!

Cisco Clean Access Agent 4.1.3.2
Some updates to the original 4.1.3.0 Agent has been made, refer to the release notes for all enhancements, bug fixes, etc.

Cisco NAC Profiler 2.1.8-37
On April 7th, Cisco released an upgrade to NAC Profiler.
Release Notes | Documentation

Cisco NAC Guest Server 1.1.0
Cisco released an upgrade to the Guest Server. Check out the documentation for all enhancements/fixes
Release Notes | Documentation

New NAC NEWS - ChalkTalks and PodCasts

If everyone out there has not heard yet, there is a spring 2008 chalktalk series going on currently. The chalk talks are very technical and can give everyone great insight into the topics discussed.

March 13th - Cisco NAC Deployment Methodologies
March 20th - Troubleshooting Cisco NAC Appliance
March 27th - NAC Profiler Best Practices

All can be seen at 10am PDT at http://premium.meetingplace.net with meeting ID 434343

Also, Robb Boyd and the TechWise TV team posted a podcast on Troubleshooting Cisco NAC Appliance. It features "rockstar" Prem Ananthakrishnan, one of the great TMEs from the NAC BU.

NAC Troubleshooting Podcast

NAC Appliance episode on TechwiseTV

There is a new TechWiseTV episode about to be taped, focusing on Cisco NAC Appliance and the producers are looking for feedback as to what the episode should focus on. The main presenter will be Alok Agrawal, one of the Technical Marketing Engineers from the Cisco NAC Business Unit. If you have never seen TechWiseTV, it is a highly technical show focusing on getting answers to the tough questions. I can promise that if enough of you want a topic discussed that Alok will definately be put on the spot to give you an answer. So please visit their website and start posting about what you are interested in hearing explained:

http://www.mytechwisetv.com/page/30+Network+Admission+Control


The following is a draft of the topics discussed:

Proposed Segmentation:
Segment 1: NAC Foundational Concepts -

• What is it, why do we need it, why now?
• Where does 802.1x fit, what problems can be solved here, etc.
• Posture Assesment - more than just AV and Spyware
• Client vs. Clientless, Inband vs. Out of Band, Remediation, Non-Cisco applications
• Server, Manager, Agent Communication, Rule Set updates.

Segment 2: Server Deployment Modes

• Virtual and Real IP Gateway
• Layer 2 and Layer 3
• In-band and Out of Band
• Client & Temporal Agent

Segment 3: Topology and Design Considerations

• VPN
• Wireless
• Remote Sites
• Campus

Segment 4: Device Profiling

• NAC Profiler
• Collector
• Design Choices/Trade-offs

NEW 4.1(3) Feature - Cisco NAC Web Agent

Background:

One of the much waited for features in the NAC 4.1(3) release is the NAC Web Agent. "The Cisco NAC Web Agent provides temporal vulnerability assessment for client machines. Users launch the Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet. When the user terminates the Web Agent session, the Web Agent logs the user off of the network and their user ID disappears from the Online Users list."

In short, it is a temporary agent that gives the ability to have a detailed posture assessment performed on a machine that it is not desired to or can't install software on.

Figure 1 – Cisco NAC Web Agent

The Spotlight:

The NAC Web Agent is a great addition to the capabilities of Cisco NAC Portfolio. The following is a functionality to agent type(CAA vs. Web Agnet) comparison. It includes some of the major benefits of each agent type to give everyone a better idea of where the new NAC Web Agent fits into their deployment.

Cisco Clean Access Agent

- Favorable end user experience - After the CAA is installed, the user does NOT have to open up a web browser every time NAC has to perform Authentication and Posture Assessment.

- Active Directory SSO - Without the CAA, internal users cannot perform ADSSO.

- Automatic Remediation - CAA walks users step-by-step through what they need to do to become compliant.

Cisco NAC Web Agent

- No Administrative Rights Required - The Web Agent only requires the rights to run Java or Active-X by the browser for it to successfully install and perform posture assessment. Some guests/visitors do not have the administrator rights necessary to install the full blown CAA, which makes the Web Agent very attractive.

- No permanent software installation - Using the Web agent takes away any chance of someone complaining of the software they downloaded at your location is the reason their computer crashed.

- Detailed Posture Assessment - The Web Agent can perform the same exact checks(Registry, File, Service, and Application) as the CAA. The only caveat is that the remediation is a manual process. The administrator may present a link to the user, but after remediation the user must click "Re-Scan" to be permitted access.

- Scan cannot be blocked by a personal firewall - As basic as this sounds, the Network Scanning capability is used a lot in the field to perform scans of guests and contractors. The problem is that a majority of users today are running some form of personal firewall rendering the network scanning useless. The NAC Web Agent is run locally on the machine to enforce posture assessment, which puts network scanning on the back burner.

Configuring Cisco NAC Web Agent:

The good news is if you have ever configured posture assessment for the CAA, then you have already configured posture assessment for the Cisco NAC Web Agent. For more information on configuring Posture Assessment, check out the CAM Installation & Configuration Guide or Cisco NAC Chalk Talk 5. The only background that should be mentioned is when creating requirements for the Web Agent it is a best practice to use a Link type requirement, so that the end user can click on the appropriate link to remediate.

The first step to enabling the web agent is to create a or modify your existing User Page. The most important option is the "Web Client (ActiveX/Applet)" setting which tells NAC which type of web agent to use or prefer. e.g. Active X or Java

The next step is to require the use of the Web Agent for the relevant Roles.

Figure 2 – Require the use of the Cisco NAC Web Agent

The final step is to assign requirements to the roles that requires the web agent.

The end user experience:

Figure 3 – Cisco NAC Web Agent end user process flow

Summary:

The Cisco NAC Web Agent is definitely going to be a highly used feature in most Cisco NAC deployments. It is fairly straight forward to understand and configure. I encourage everyone to check it out along with all the great new features in 4.1(3).

Sources: 4.1(3) Release Notes; 4.1(3) CAM Installation & Configuration Guide

NAC Version 4.1(3)

4.1.3 is available and you can download it here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download
























4.1.3 Release Notes
As with all NAC Upgrades, the release notes are extremely important!

4.1.3 CAM Installation & Configuration Guide

4.1.3 CAS Installation & Configuration Guide

Enhancements in Release 4.1(3)

General Enhancements

• Cisco NAC Web Agent

• Support for Clients with Multiple Active NICs

• Clean Access Server HA Heartbeat Link Enhancement

• Clean Access Manager HA Configuration and Heartbeat Link Enhancements

• Guest User Login and Registration Enhancements

• LDAP Authentication Enhancement

• Clean Access Server and WSUS Interaction Enhancement

• Agent Restricted User Access Enhancement

• Device Filter List Display and Import/Export Enhancement

• Agent Report Information Display and Export Enhancement

• VPN SSO Login Enhancement

• Syslog Configuration Enhancement

• Debug Log Download Enhancement

• cisco_api.jsp Enhancement

• CSRF Protection

• Proxy Support Enhancements

• ARP Broadcast Packet Handling Improvement

• Clean Access Server HA ARP Broadcast Enhancement

• Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature

• Previously-Deprecated Features Removed from CAM/CAS Web Console Pages

• Supported AV/AS Product List Enhancements (Version 67)

Out-of-Band Enhancements

• Access to Authentication VLAN Change Detection Enhancement

• SNMP Inform Notification Enhancement

• SNMP "MAC Move Notification" Switch Port Configuration Support

Clean Access Agent Enhancements

• Clean Access Agent Auto Remediation

• Windows Clean Access Agent Version 4.1.3.0

• Mac OS X Clean Access Agent Version 4.1.3.0

Look out for more detailed explainations and configuration examples from the new features and functionality.

Cisco NAC Guest Server Documentation

Bulletin
http://www.cisco.com/en/US/products/ps6128/prod_bulletin0900aecd806f3235.html

Data Sheet
http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd806e98c9.html

Q&A
http://www.cisco.com/en/US/products/ps6128/products_qanda_item0900aecd806f525a.shtml

Release Notes 1.0.0
http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/10/gsrn100.html

Configuration Guide 1.0.0
http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/10/nacguestserver.html

Deploying Cisco NAC Profiler

Background:

Cisco NAC Profiler is an OEM software from Great Bay Software’s Beacon product(Read more). The basis and need for NAC Profiler is to secure Non-Responsive Hosts(NRHs). This is performed by using state of the art Endpoint Profiling and Behavior Monitoring technologies.

Endpoint profiling is defined as recording a network endpoint’s observable behaviors and analyzing identifiable characteristics of the endpoint in order to classify it as belonging to a particular group (Profile) and to assess each endpoint’s ability in a certain sphere. That certain sphere could be an endpoint’s ability to participate in a given authentication or Cisco NAC Appliance as an example. In essence, Endpoint Profiling is best described as behavior-based characterization of endpoints for the purpose of identifying and grouping together those that are similar in function, capability or other defining characteristics.

Behavior Monitoring is the ability to ensure endpoints are behaving in a way that is consistent with the classification leading to being provided with the authentication or NAC accommodation, and not indicating behaviors associated with endpoints that should in fact be participative in the full authentication or admission control process prior to being allowed onto the network.

Enough with the formal definitions (that’s what the great documentation is for), what is the real value of this solution to an organization with or without Cisco NAC and pre and post deployment of Cisco NAC?

The Value of Cisco NAC Profiler:

When planning for a NAC Appliance deployment the question of NRHs is sure to come up. How does someone find all of the Printers, Game Consoles, UPSs, IP Phones, etc. in the network? The answer is never easy. The bottom line is that the average organization’s network consists of over 50% of devices that are NRHs. The traditional method of accounting for NRHs is to manually find and record all MAC Addresses and import all of them into the NAC Manager’s Device Filter list. The challenges that this method presents are resources(Who is going to perform this task), Human Error(48bit MAC Addresses can start to look very complex after writing down hundreds or thousands of them), Adds/Moves/Changes become a nightmare, and by the time you finish recording all of the devices you can guarantee that something has changed since you started.

It becomes very clear how many hours can be saved by implementing Cisco NAC Profiler just from the above. But wait there is more… The above shows how Endpoint profiling can be used to save time and headaches, but the Behavior monitoring goes a step further into the value of NAC Profiler. Take the example of the traditional method of adding NRHs into the device filter table of the NAC Manager: Once a printer’s MAC Address is added it is always there, so if a malicious hacker or auditor walks up to the printer, prints the properties page, gets the MAC address, then he or she unplugs the printer and uses the MAC address of the printer to gain access and bypass NAC. If NAC Profiler is implemented, once the computer that is spoofing the MAC Address of the printer exhibits behavior that is outside of the typical behavior of the printer, that user will be kicked off of Device Filter list and be forced to go through standard NAC Process.

Another key benefit of having NAC Profiler is the accountability and visibility into the devices on the NAC Manager Device Filter List. As devices are placed into the Device Filter list by the Profiler Server, there is a link placed that brings an administrator directly to a page showing which switchport the device is plugged into, the respective endpoint profile data, and when it first came on the network. Any Network Operator understands the value of understanding where devices are at and when they entered and left the network.

Figure 1– NAC Manager Link to NAC Profiler

Minimize deployment costs + Minimize operational costs + Added Visibility + Added security = The value of Cisco NAC Profiler

Designing NAC Profiler:

NAC Profiler is comprised of two components:

- Profiler Server: Aggregates and classifies data from collectors and manages the database of endpoint information. Communicates using the NAC Managers API to add devices into the Device Filter list. Installed on the 3350 Appliance

- Collector Module: Gathers information about endpoints using SNMP, NetFlow, Sniffing, and active profiling. Software already installed on the NAC Server, license activates the feature.

The profiler server can be and is recommended to be configured in an High Availability(HA) pair. The Collector license should be purchased for each NAC Server that will be used to profile devices. If the NAC Server is a HA pair the license should be purchased as an HA license.

For the latest information about licensing of Cisco NAC Profiler, please refer to the Cisco NAC Profiler Data Sheet.

Collector Architecture:

NAC Profiler uses many data feeds to obtain the required information to perform Endpoint Profiling and Behavior Monitoring. The following list gives you the background of how the collectors gather data.

- NetMap Collector component module that queries network devices via SNMP for:

o System information

o Interface information

o Bridge information

o Routing/IP information

This information is used to Build and maintain a model of the network topology within the Endpoint Database.

- NetTrap Collector component module that receives selected traps from network devices to assist NetMap in maintaining the model of the network topology.

- NetWatch The passive network analyzer collector component module. Collects information about endpoints using network traffic received at one or more of the interfaces on the appliance it runs on.

- NetInquiry Active profiling Collector component module that can be used to collect information about endpoints using active techniques

- NetRelay Receives exported data from other systems such as Netflow and prepares it for processing for Endpoint Profiling and Behavior Monitoring

- Forwarder Facilitates communication between the collector and the server, acts as middleware between Collector modules and the Profiler Server.

Each NAC Profiler deployment may include a few of these or all of these depending on the required amount of data. As a best practice it is always good to start by using NetMap, NetTrap, and NetWatch to gather the relative information required to successfully profile endpoints. If any of these collectors are not available in the organization deploying NAC profiler, utilizing the NetInquiry or NetRelay collector is a great alternative. Please note that other than NetInquiry NAC Profiler is completely passive and does NOT actively send traffic to any endpoint.

Profiles Uncovered:

As of version 2.1.7, NAC Profiler comes with 38 default profiles out of the box. This includes many of the major device types in enterprise networks today.

Figure 2 – Default Profiles

In some cases, it will be required to create custom profiles in order to profile organizations’ specific devices. To do this NAC Profiler offers the ability to use the different type of rules to match the types of behavior that are specific to the devices in question. The following shows the different types of rules you can configure using Cisco NAC Profiler:

- MAC Address – Beacon maintains a list of all OUI values for MAC address vendor assignments. MAC Vendor rules allow the endpoints MAC address to be used as a criteria for classification into a Profile.

- IP Address – Beacon can use the host address of endpoints to classify devices using host IP addresses within a designated range as a criterion for classification into a Profile.

- Traffic – analysis of traffic information at layers 3-4. Based oninformation gathered by either the NetWatch collector module (traffic analysis) or NetRelay collector module (Netflow data exported from a Netflow-capable device).

- TCP Open Port – Layer 4 port information that is gathered either by monitoring SYN-ACK information passively or via the Active Profiling capabilities of NetInquiry.

- Application – analysis of application layer behavior including DHCP, Server Banners, DNS names, User Agents, etc.

- Advanced – used to create complex expressions using AND, OR, and/or NOT, or to aggregate multiple rule logic into a single rule.

Summary:

Cisco NAC Profiler is an amazing add-on to the Cisco NAC Appliance portfolio and shows value for any organization that current has or plan to have Cisco NAC Appliance. Please stay tuned for more best practices, advanced configuration and troubleshooting of Cisco NAC Profiler.

Sources: NAC Profiler ChalkTalk; Beacon Configuration Guide v2.1.8