IBM Tivoli and Cisco User Manual Page 1

Browse online or download the user manual for IBM Tivoli and Cisco hardware. IBM Tivoli and Cisco User Manual

ibm.com/redbooks
Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Axel Buecker
Richard Abdullah
Markus Belkin
Mike Dougherty
Wlodzimierz Dymaczewski
Vahid Mehr
Frank Yeh
Covering Cisco Network Admission Control Framework and Appliance
Automated remediation of noncompliant workstations
Advanced security compliance notification
Front cover

Summary of contents

Page 1 - Access Control Solution

ibm.com/redbooks
Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Axel Buecker, Richard Abdullah, Markus Belkin, Mike Dougherty, Wlo

Page 2

viii Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Trademarks
The following terms are trademarks of the International Bu

Page 3 - January 2007

82 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
his credentials, the Cisco Secure ACS checks its local user database a

Page 4 - “Notices” on page vii

Chapter 4. Armando Banking Brothers Corporation 83
Figure 4-3 on page 84 is representative of the ITSO Lab environment used for NAC Appliance deploym

Page 5 - Contents

84 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Figure 4-3 Armando Banking Brothers network environment for NAC Appl

Page 6

Chapter 4. Armando Banking Brothers Corporation 85
4.2.3 Application security infrastructure
General management and the IT department are aware of th

Page 7 - Contents v

86 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
The diagram in Figure 4-4 provides a high-level graphical overview of

Page 8

Chapter 4. Armando Banking Brothers Corporation 87
cluster of IBM HTTP servers and WebSphere® Application Servers providing Internet banking and othe

Page 9

88 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
In the practice of IT security, it is possible to design an extremely

Page 10 - Trademarks

Chapter 4. Armando Banking Brothers Corporation 89
Configure Security Compliance Manager posture policy.
Ample thought time must always be provided fo

Page 11 - Admission Control

90 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Installing the Clean Access Agent
Highlights the steps for installing t

Page 12

Chapter 4. Armando Banking Brothers Corporation 91
4.4 Conclusion
Armando Banking Brothers Corporation (ABBC) is a company with a long history of lea

Page 13 - Preface xi

© Copyright IBM Corp. 2005, 2007. All rights reserved. ix
Preface
In February of 2004, IBM® announced that it would be joining Cisco’s Network Admission

Page 14 - Become a published author

92 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Page 15 - Comments welcome

© Copyright IBM Corp. 2005, 2007. All rights reserved. 93
Chapter 5. Solution design
In this chapter we describe the business objectives that drive the

Page 16

94 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
implementation of part two is described in Chapter 7, “Network enforce

Page 17 - Summary of changes

Chapter 5. Solution design 95
5.1 Business requirements
As described in Chapter 4, “Armando Banking Brothers Corporation” on page 77, Armando Banking

Page 18

96 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
5.2 Functional requirements
In this section, the business requirements

Page 19 - Architecture

Chapter 5. Solution design 97
5.2.3 Remediation requirements
Examining the operational maintenance related requirements we found that the following p

Page 20

98 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
allows us to warn users if any noncompliance is found and explain the

Page 21 - Business context

Chapter 5. Solution design 99
ABBC will institute posture-based network admission. Systems deemed in noncompliance will be quarantined and allowed to

Page 22 - IBM Integrated

100 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
4. The Security Compliance Manager client is armed with a remediation

Page 23 - Compliance & Remediation

Chapter 5. Solution design 101
recommend that a process be in place for the normal notification and distribution of required workstation updates and

Page 24

x Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
The team that wrote this redbook
This redbook was produced by a team of

Page 25

102 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
integrated solution include the Security Compliance Manager client/se

Page 26

Chapter 5. Solution design 103
with the Web Gateway component to allow for automated remediation at the workstation level without need of having Tivo

Page 27

104 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Establishing the policy collector parameters
At this point, we have to

Page 28 - 1.7 Conclusion

Chapter 5. Solution design 105
Although the policy collector appears to be at a peer level with the posture collectors in Figure 5-5, it is actually

Page 29

106 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
There are several parameters of interest:
• The POLICY_VERSION paramet

Page 30

Chapter 5. Solution design 107
For ABBC we set the parameter to 60 seconds. Effectively this forces the posture status to refresh itself at every cha

Page 31 - Architecting the solution

108 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
• The HANDLER_ATTRIBUTES parameter (Figure 5-9) establishes the URL w

Page 32 - 2.1.1 Architecture overview

Chapter 5. Solution design 109
• The REMEDIATOR_JAR parameter (Figure 5-10 on page 108) tells the class loader where the JAR file is located for the

Page 33 - Network Admission Control

110 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
focus on how our posture policy, as established by the Tivoli Securit

Page 34

Chapter 5. Solution design 111
In the posture validation policies, we check that a client has the correct minimum supported version of CTA installed

Page 35 - Security Compliance Manager

Preface xi
Richard Abdullah is a Consulting Engineer with Cisco Systems Strategic Alliances. Prior to joining Cisco Systems in 2001, he worked in tec

Page 36

112 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
those users that are in breach of these requirements, and how to reme

Page 37 - Compliance query

Chapter 5. Solution design 113
Quarantine System Posture Token for a policy violation, he will be mapped to the Quarantine_Engineering_RAC (VLAN14).

Page 38 - Remediation handler

114 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
The Cisco Secure ACS evaluates each of the authorization rules in ord

Page 39 - Quarantined

Chapter 5. Solution design 115
SVIs. Each Shared RADIUS Authorization Component had a corresponding ACL defined on the NAD. The example below shows t

Page 40 - Cisco NAC and IEEE 802.1x

116 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
See 8.4, “Building the remediation workflows” on page 417, for inform

Page 41 - Using Cisco terminology

Chapter 5. Solution design 117
Compliance subsystem
The compliance subsystem has two major components:
• The IBM Security Compliance Manager server
• T

Page 42 - Network identity provisioning

118 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
The system used by ABBC for the Security Compliance Manager server is

Page 43 - Remediation process

Chapter 5. Solution design 119
Operating system requirements for ACS V4.0 are:
• Windows 2000 Server
• Windows 2000 Advanced Server with the following

Page 44

120 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
NAC-enabled network device
The following Layer 2 and Layer 3 network d

Page 45 - Internet

Chapter 5. Solution design 121
• Cisco 2600XM Series Router
• Cisco 2691 Multiservice Platform
• Cisco 2800 Series Router
• Cisco 3640 Multiservice Plat

Page 46 - 2.3 Design process

xii Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Thanks to the following people for their contributions to this projec

Page 47

122 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Remediation subsystem
The remediation subsystem has three components:

Page 48

Chapter 5. Solution design 123
EAR file. This application must be installed on the same WebSphere Application Server as the Web Gateway component. Rem

Page 49 - Implementation

124 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Page 50 - 2.3.3 Solution objectives

© Copyright IBM Corp. 2005, 2007. All rights reserved. 125
Chapter 6. Compliance subsystem implementation
This chapter describes the IBM Tivoli Security

Page 51 - Default network

126 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
6.1 Tivoli Security Compliance Manager setup
Tivoli Security Complian

Page 52 - Performance controls

Chapter 6. Compliance subsystem implementation 127
2. After a little while you are presented with the Welcome window, as shown in Figure 6-1. Click t

Page 53 - 2.4 Implementation flow

128 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
3. The DB2 version selection is presented similar to the one shown in

Page 54

Chapter 6. Compliance subsystem implementation 129
4. Next the welcome window is displayed, as presented in Figure 6-3. Click Next.
Figure 6-3 Setup

Page 55 - 2.6 Conclusion

130 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
5. On the next dialog you are presented with the standard license agr

Page 56

Chapter 6. Compliance subsystem implementation 131
6. In the Installation type selection window (Figure 6-5) leave all of the default values (which i

Page 57 - Component structure

Preface xiii
Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html
Comments wel

Page 58 - 3.1 Logical components

132 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
7. On the next dialog, shown in Figure 6-6, you are presented with th

Page 59 - Posture validation server

Chapter 6. Compliance subsystem implementation 133
8. In the next window, shown in Figure 6-7, you must select the installation destination folder. M

Page 60 - Figure 3-2 ACS architecture

134 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
9. In the next dialog, shown in Figure 6-8, you must provide user inf

Page 61 - Admission control client

Chapter 6. Compliance subsystem implementation 135
10. In the next dialog, depicted in Figure 6-9, you are presented with the administration contact c

Page 62

136 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
11. In the next window, shown in Figure 6-10, you can modify the DB2 i

Page 63

Chapter 6. Compliance subsystem implementation 137
12. As we do not need to use any DB2 tools on the next dialog, shown in Figure 6-11, click Next.
Fig

Page 64 - 3.1.2 Compliance

138 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
13. In the next window, presented in Figure 6-12, you can provide the

Page 65

Chapter 6. Compliance subsystem implementation 139
14. In the next window, shown in Figure 6-13, you are given a last chance to review your selected o

Page 66 - Compliance client

140 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
15. The installation may take a few minutes depending on the configura

Page 67 - Posture collector

Chapter 6. Compliance subsystem implementation 141
2. The usual language selection box is presented, as shown on Figure 6-15. Accept English and clic

Page 68

xiv Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Page 69 - 3.1.3 Remediation

142 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
4. In the next window, shown in Figure 6-17, specify the destination

Page 70 - 3.2 Physical components

Chapter 6. Compliance subsystem implementation 143
Tivoli Security Compliance Manager server installation. This is a recommended option in large scal

Page 71

144 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
6. You are presented the e-mail Server configuration dialog, as shown

Page 72 - Network access device

Chapter 6. Compliance subsystem implementation 145
7. In the next window, shown on Figure 6-20, the installation wizard asks for the communication po

Page 73

146 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
8. The Server Security Configuration window is displayed, as shown in

Page 74

Chapter 6. Compliance subsystem implementation 147
9. In the next window, presented in Figure 6-22, select the location for your database. If you ins

Page 75

148 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
10. In the next dialog, provide the database configuration information

Page 76 - Network Access Profiles

Chapter 6. Compliance subsystem implementation 149
11. In the next dialog, shown in Figure 6-24, you are asked whether the database should be created

Page 77

150 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
12. The next dialog allows you to specify an administrator user ID and

Page 78

Chapter 6. Compliance subsystem implementation 151
13. Finally you are presented with the installation selection summary, as shown in Figure 6-26. Cli

Page 79 - Remediation (flow 4)

© Copyright IBM Corp. 2005, 2007. All rights reserved. xv
Summary of changes
This section describes the technical changes made in this edition of the bo

Page 80 - 3.3.1 Secure communication

152 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
14. The installation itself is very fast, but the database creation pr

Page 81 - 3.4 Component placement

Chapter 6. Compliance subsystem implementation 153
• The user password settings on the client workstation have to be following the policy, which mean

Page 82 - Figure 3-8 Security zones

154 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
The status of a posture element can be one of the following:
PASS The

Page 83

Chapter 6. Compliance subsystem implementation 155
remediation subsystem, such as a Tivoli Configuration Manager. After the remediation has been perf

Page 84 - Other networks

156 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
3. When the GUI pops up, as shown on Figure 6-28, log in with the cre

Page 85 - Branch office compliance

Chapter 6. Compliance subsystem implementation 157
5. You are presented with the default Message of the day window, which by default contains only th

Page 86 - Campus internal enforcement

158 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
7. Navigate to the sample_polices directory created in step 1 and sel

Page 87 - (Campus Ingress Enforcement)

Chapter 6. Compliance subsystem implementation 159
9. In the next step the import wizard performs a validation of the signatures of the collectors in

Page 88 - (PAT access protection)

160 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
10. Now the actual policy installation is performed. Depending on the

Page 89 - Extranet compliance

Chapter 6. Compliance subsystem implementation 161
11. After the wizard is closed you will see the imported policy in the Administrative Console, as s

Page 90 - Lab compliance

xvi Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Page 91 - Data Center protection

162 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
must be evaluated on each client workstation. This is the reason why

Page 92 - 3.5 Conclusion

Chapter 6. Compliance subsystem implementation 163
2. In the right pane click the Collectors tab and select the Symantec Antivirus collector, as show

Page 93 - Customer

164 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
The different conditions are:
– Version of the Symantec Antivirus Soft

Page 94

Chapter 6. Compliance subsystem implementation 165
To adjust the parameters to your need modify the operational parameters, selecting the appropriate

Page 95 - Corporation

166 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
There are six parameters regulating the behavior of the collector, wh

Page 96 - 4.1 Company profile

Chapter 6. Compliance subsystem implementation 167
When you are done editing click Save.
5. The next policy we customize is the one that checks for th

Page 97 - 4.2 Current IT architecture

168 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
6. The parameters for the collector nac.win.any.oslevel.PostureOSLeve

Page 98 - NAC Framework

Chapter 6. Compliance subsystem implementation 169
The operational parameters listed above accept multiple values, so edit the appropriate parameters

Page 99

170 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Back at the list of the collectors right-click the Windows Hotfixes c

Page 100 - NAC Appliance

Chapter 6. Compliance subsystem implementation 171
8. The next policy we configure checks whether the personal firewall is installed and running. Sin

Page 101

© Copyright IBM Corp. 2005, 2007. All rights reserved. 1
Part 1 Architecture and design
In this part we discuss the overall business context of the IBM

Page 102

172 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
NO_KEY_RULE Operational Used to determine the status of the registry

Page 103

Chapter 6. Compliance subsystem implementation 173
The way this collector works depends on the data you have provided as parameters. It first checks f

Page 104 - Firewall

174 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Rules
Rules are used to evaluate the detected registry value and deter

Page 105

Chapter 6. Compliance subsystem implementation 175
There are some limitations on numeric context evaluations. The collector initially receives all va

Page 106 - Project overview

176 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
• VALUE equal to InstallDirectory.
• NO_KEY_RULE equal to FAIL.
• NO_VA

Page 107

Chapter 6. Compliance subsystem implementation 177
When you are done with editing the parameters for the nac.win.any.regkey.PostureRegKeyV2 collector

Page 108

178 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
To configure the policy with the right service name check it in the S

Page 109 - 4.4 Conclusion

Chapter 6. Compliance subsystem implementation 179
– SERVICE_RUNNING_WF equal to TCRZLSoftwareRunning
– REQ_DISABLED not set
– SERVICE_DISABLED_WF not

Page 110

180 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
The new dialog is presented, as shown in Figure 6-47. Select the dest

Page 111 - Solution design

Chapter 6. Compliance subsystem implementation 181
There cannot be two compliance queries with the same name in one policy, so the copy of the compli

Page 113 - 5.1 Business requirements

2 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Page 114 - 5.2 Functional requirements

182 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
In the following dialog modify the name value to Messenger Service Di

Page 115

Chapter 6. Compliance subsystem implementation 183
Next select the Compliance SQL tab on the right pane and modify the violation message generated by

Page 116

184 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
collector as well. Right-click the ZoneAlarm Firewall Active name und

Page 117 - Compliance

Chapter 6. Compliance subsystem implementation 185
Now we must change the parameters for the new collector instance. Right-click the Messenger Servic

Page 118 - Remediation services

186 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
You are presented with a warning that the changes will affect all of

Page 119

Chapter 6. Compliance subsystem implementation 187
The steps are:
1. When logged into the Tivoli Security Compliance Manager Administration Console wi

Page 120 - 5.3.1 Logical components

188 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
3. Assign the policy to this new group. Select the group in the navig

Page 121

Chapter 6. Compliance subsystem implementation 189
5. An informational dialog is displayed, as shown in Figure 6-59, showing the successful completio

Page 122

190 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
book we cover only the installation of the client on Windows. For oth

Page 123

Chapter 6. Compliance subsystem implementation 191
The installation of the certificate that is required for secure communication with the Cisco Secur

Page 124

© Copyright IBM Corp. 2005, 2007. All rights reserved. 3
Chapter 1. Business context
Information Technology (IT) security is a vital component of busine

Page 125

192 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Installation of Cisco Trust Agent on Windows
The Cisco Trust Agent ins

Page 126

Chapter 6. Compliance subsystem implementation 193
3. The license agreement is presented, as shown in Figure 6-63. Select I accept the license agreem

Page 127 - Enforcing compliance criteria

194 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
4. Accept the defaults (Figure 6-64) and click Next.
Figure 6-64 Cis

Page 128 - Posture token

Chapter 6. Compliance subsystem implementation 195
5. Accept the default depicted in Figure 6-65 and click Next.
Figure 6-65 Cisco Trust Agent insta

Page 129

196 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
6. Click Next (Figure 6-66).
Figure 6-66 Ready to install the Cisco

Page 130

Chapter 6. Compliance subsystem implementation 197
7. If the certificate file was copied into the Certs directory, the window in Figure 6-67 is prese

Page 131

198 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
8. Click Finish to close the installation, as shown in Figure 6-68.
Fi

Page 132 - Healthy indicates that the

Chapter 6. Compliance subsystem implementation 199
If the certificate has been successfully imported, the window shown in Figure 6-69 is displayed.
Fi

Page 133 - Performing remediation

200 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
The Security Compliance Manager client installation requires the foll

Page 134 - 5.3.2 Physical components

Chapter 6. Compliance subsystem implementation 201
2. The Security Compliance Manager welcome screen appears momentarily (Figure 6-71).
Figure 6-71

Page 135 - Compliance subsystem

4 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Personal computer workstations are used in the office, at home, or at a

Page 136 - Access Control Server

202 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
3. The Client Installation Utility window appears, as depicted in Fig

Page 137

Chapter 6. Compliance subsystem implementation 203
4. The license agreement window is displayed (Figure 6-73). Select I accept the terms in the licen

Page 138 - Layer 3 devices

204 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
5. Accept the default destination folder, shown in Figure 6-74, and c

Page 139 - Cisco Trust Agent

Chapter 6. Compliance subsystem implementation 205
6. Accept the default client installation (Figure 6-75) and click Next.
Figure 6-75 Setup type wi

Page 140 - Software Package Web Server

206 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
7. In the IBM Security Solution for Cisco Networks window (Figure 6-7

Page 141 - 5.4 Conclusion

Chapter 6. Compliance subsystem implementation 207
Figure 6-77 Client connection window

Page 142

208 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
9. The server communication configuration window, shown in Figure 6-7

Page 143

Chapter 6. Compliance subsystem implementation 209
10. If you selected the DHCP option in the previous step, you will see the client DHCP configuratio

Page 144

210 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
11. Finally, the installation summary window is displayed (Figure 6-80

Page 145

Chapter 6. Compliance subsystem implementation 211
12. The Security Compliance Manager client is successfully installed. Click Finish to close the win

Page 146

Chapter 1. Business context 5
concept that can protect all networks in this era. This IBM and Cisco integration, depicted in an overview in Figure 1-

Page 147

212 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
13. If you want to verify that the Security Compliance Manager posture

Page 148

© Copyright IBM Corp. 2005, 2007. All rights reserved. 213
Chapter 7. Network enforcement subsystem implementation
This chapter contains detailed descri

Page 149

214 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
7.1 Configuring NAC Framework components
This section focuses on the

Page 150

Chapter 7. Network enforcement subsystem implementation 215
Installing Cisco Secure ACS
To install Cisco Secure ACS Version 4.0 software on a machine

Page 151

216 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Configuring the administrative interface to Cisco Secure ACS
By defaul

Page 152

Chapter 7. Network enforcement subsystem implementation 217
– Network Access Filtering
This option enables the appearance of the network access filter

Page 153

218 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Allowing administrator access via HTTP (optional)
If you want to confi

Page 154

Chapter 7. Network enforcement subsystem implementation 219
2. Fill in the user name and password fields, and click Grant All to give all configurati

Page 155 - Figure 6-11, click Next

220 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Cisco Secure ACS uses the certificate store that is built into the Wi

Page 156

Chapter 7. Network enforcement subsystem implementation 221
To use a self-signed certificate, perform the following steps:
1. Click Generate Self-Sign

Page 157

6 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
It has become mandatory for businesses to comply with regulatory guidel

Page 158

222 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
4. Restart the Cisco Secure ACS (Figure 7-7).
Figure 7-7 Restart Cis

Page 159 - English and click Next

Chapter 7. Network enforcement subsystem implementation 223
5. After completing the certificate setup process and installation, verify that the certi

Page 160

224 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
To import Security Compliance Manager attributes, perform the followi

Page 161

Chapter 7. Network enforcement subsystem implementation 225
filename is the name of the file in which you want CSUtil.exe to write all attribute defi

Page 162

226 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
filename is the file that the attributes will be written to. The Secu

Page 163

Chapter 7. Network enforcement subsystem implementation 227
that you wish to include in the log file. Scroll down and change the file management sett

Page 164

228 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
6. Click the Log to CSV Failed Attempts report under Enable Logging.

Page 165

Chapter 7. Network enforcement subsystem implementation 229
8. In the window under Services Log File Configuration (Figure 7-12) change Level of D

Page 166

230 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
It is possible to group the NADs into Network Device Groups (NDGs) fo

Page 167

Chapter 7. Network enforcement subsystem implementation 231
2. Select Advanced Options (Figure 7-13 on page 230). Ensure that Network Device Groups i

Page 168

Chapter 1. Business context 7
The IBM Integrated Security Solution for Cisco Networks checks every client’s workstation when it attempts to connect t

Page 169

232 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
3. Select Network Configuration in the main menu. The screen in Figur

Page 170

Chapter 7. Network enforcement subsystem implementation 233
6. From the Network Configuration screen, select the hyperlink under Network Device Group

Page 171 - 6.2.1 Posture collectors

234 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
7. Click Add Entry under AAA Clients to add any AAA clients to this p

Page 172 - 6.2.2 Policy collector

Chapter 7. Network enforcement subsystem implementation 235
8. You should now see the newly defined AAA clients (Figure 7-18).
Figure 7-18 AAA Clien

Page 173

236 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Configuring RADIUS attributes
The RADIUS attributes required for NAC m

Page 174

Chapter 7. Network enforcement subsystem implementation 237
2. From the Interface Configuration menu, select RADIUS (Cisco IOS/PIX 6.0) (Figure 7-20)

Page 175

238 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Active Directory, for example. To configure groups and vendor-specifi

Page 176

Chapter 7. Network enforcement subsystem implementation 239
Configuring users
Now that the groups have been defined, we can create our users and then

Page 177 - Figure 6-34, click Next

240 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
3. You will be prompted for the user’s real name and description unde

Page 178

Chapter 7. Network enforcement subsystem implementation 241
Global authentication setup
The Cisco Secure ACS supports many types of protocols for secu

Page 179

8 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Standard reports that can be generated from the IBM Integrated Security

Page 180 - Figure 6-37 Policies view

242 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
4. Click EAP-FAST Configuration from the Global Authentication Setup

Page 181

Chapter 7. Network enforcement subsystem implementation 243
6. Click Submit + Restart.
Require client certificate for provisioning Checked
Allow Machin

Page 182

244 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Configuring posture validation
To do this:
1. Select Posture Validation

Page 183

Chapter 7. Network enforcement subsystem implementation 245
2. Select Internal Posture Validation. The screen shown in Figure 7-27 will be displayed.
3

Page 184

246 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
4. In this example, we have entered the name of the first policy as C

Page 185

Chapter 7. Network enforcement subsystem implementation 247
5. Click Add Rule (Figure 7-29).
Figure 7-29 Posture Validation for CTA

Page 186

248 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
6. Click Add Condition Set (Figure 7-30).
Figure 7-30 Condition sets

Page 187

Chapter 7. Network enforcement subsystem implementation 249
7. From the Attribute drop-down list (Figure 7-31), select Cisco:PA:PA-Version. The opera

Page 188

250 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems8. Figure 7-32 shows that if this condition is satisfied, that an App

Page 189

Chapter 7. Network enforcement subsystem implementation 2519. Next we need to modify the default action, which is the action to be taken if the cond

Page 190

Chapter 1. Business context 9򐂰 Enable an automated remediation process that eases the process of regaining compliancy for all authorized users on th

Page 191

252 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems10.The posture token remains Cisco:PA, however the posture token valu

Page 192 - Rule operators

Chapter 7. Network enforcement subsystem implementation 25311.Click Submit and you will find yourself back in the dialog shown in Figure 7-35.Figure

Page 193 - Rule format

254 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems13.Click Apply and Restart, as shown in Figure 7-36.Figure 7-36 CTA

Page 194

Chapter 7. Network enforcement subsystem implementation 25515.Click Add Policy (Figure 7-37).Figure 7-37 Repeating the process for Security Compli

Page 195

256 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems16.In this example, we use TSCM in the Name field and IBM Security Co

Page 196

Chapter 7. Network enforcement subsystem implementation 25717.After entering the name and description, click Submit and you will see the dialog show

Page 197

258 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems18.Click Add Rule to get to the screen shown in Figure 7-40.Figure 7-

Page 198

Chapter 7. Network enforcement subsystem implementation 25920.From the Attribute drop-down menu, select IBMCorporation:SCM:PolicyViolation. From the

Page 199

260 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems22.Make sure that the posture token is set to IBMCorporation:SCM, and

Page 200

Chapter 7. Network enforcement subsystem implementation 26125.The posture token should be set to IBMCorporation:SCM (Figure 7-43) and the value shou

Page 201

10 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsFigure 1-2 depicts the relevant tasks in a life-cycle overview for end

Page 202

262 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems27.Click Done (Figure 7-44).Figure 7-44 Completed Security Complian

Page 203

Chapter 7. Network enforcement subsystem implementation 26328.Click Apply and Restart (Figure 7-45).Figure 7-45 Completed posture validation rules

Page 204 (book page 264): Configuring RADIUS Authorization Components. In this section we configu

Page 205 (book page 265): 3. Click Add. 4. To create the Healthy Sales RAC, in the Name field type Healthy_Sales_RAC

Page 206 (book page 266): 6. Click Add next to Cisco IOS/PIX6.0, which brings you to Figure 7-4

Page 207 - TCMCLI utility policy (book page 267): 10. Repeat the same procedure for the IETF attributes, first selecting the relevant field

Page 208 - 6.3.1 Cisco Trust Agent (book page 268): 11. When completed, your Healthy Sales RAC should look like Figure 7-4

Page 209 (book page 269): Table 7-4 Quarantine Sales RAC attributes. Table 7-5 Quarantine Engineering RAC attribu

Page 210 (book page 270): IETF Termination-Action (29) = RADIUS-Request(1); IETF Tunnel-Type (64) = [

Page 211 (book page 271): Configuring Network Access Profiles. We have now configured all of the individual component

Page 212 (Chapter 1. Business context, book page 11): those mentioned in 1.2, “Why we need this” on page 5, mandate every organization to comply with regulatory acts. Keys

Page 213 (book page 272): 4. The newly created NAP is shown (Figure 7-51) with the three polici

Page 214 - 6. Click Next (Figure 6-66) (book page 273): 5. Click Authentication. Click the tab Populate from Global and ensure that Posture Valid

Page 215 (book page 274): 8. From the screen shown in Figure 7-53, click Add Rule. Figure 7-53

Page 216 (book page 275): 10. Under Condition → Required Credential Types, there is a list of available credentials.

Page 217 (book page 276): 11. Scrolling down the page to Action → Selected Internal Posture Vali

Page 218 (book page 277): An example of the CTA Healthy pop-up is shown in Figure 7-56. Figure 7-56 Example of CTA

Page 219 - (Figure 6-71) (book page 278): Figure 7-58 CTA pop-up configuration. 14. Click Submit. Note: Steps 12

Page 220 (book page 279): Figure 7-59 Completed posture validation for NAC_IISSCN. 15. Click Done. This will take yo

Page 221 (book page 280): 16. From the screen shown in Figure 7-51 on page 272, click Authorizat

Page 222 (book page 281): 21. Click Submit (Figure 7-61). Figure 7-61 Healthy Sales SPT creation. 22. Repeat this proc

Page 223 (title page): Building a Network Access Control Solution with IBM Tivoli and Cisco Systems. January 2007. International Technical Support Organization, SG24-6678-01

Page 224 (book page 12)

Page 225 (book page 282): 23. Your screen should look similar to that in Figure 7-62. Figure 7-62

Page 226 (book page 283): External User Database. One of the most common methods of deploying an ACS is to use an ext

Page 227 (book page 284): Downloadable Access Control Lists. NAC L2/L3 IP uses EAPoUDP (EOU), whi

Page 228 (book page 285): 5. Add a name and description in the Name and Description fields as appropriate (Figure 7

Page 229 (book page 286): 6. Enter the name of the ACL and the ACL definition (Figure 7-65). Fig

Page 230 - 6.4 Conclusion (book page 287): 8. Note that there is an option of binding the ACL just created to a network access filte

Page 231 - Network enforcement (book page 288): 3. Repeat step 3 on page 265 to step 12 on page 268, using the values

Page 232 (book page 289): Configuring Network Access Profiles. We have now configured all the individual components t

Page 233 - Installing Cisco Secure ACS (book page 290): 6. From the Downloadable ACL drop-down list, select Healthy_ACL (Figu

Page 234 (book page 291): 12. For this scenario, we selected the Quarantine_L2IP_RAC and Quarantine_ACL as the Share

Page 235 (book page 13): © Copyright IBM Corp. 2005, 2007. All rights reserved. Chapter 2. Architecting the solution. In this chapter we discuss the solution architecture of t

Page 236 (book page 292): Configuring Cisco 3750 switch for NAC L2 802.1x. New for NAC Phase 2 is

Page 237 (book page 293): ! <output omitted> ! interface FastEthernet1/0/5 description **Connected to CARE-SYSTE

Page 238 (book page 294): access-list 140 deny ip any 192.168.11.0 0.0.0.255; access-list 140 den

Page 239 (book page 295): allow Web access and DNS access in case of manual remediation requirements or access to t

Page 240 (book page 296): This section describes how to configure a Cisco 3750 switch acting as

Page 241 (book page 297): permit tcp any any eq domain; deny ip any any; ip access-list extended initial-acl; permit

Page 242 (book page 298): Audit Session ID : 000000005222BFF40000001BC0A80B33 PostureToken

Page 243 (book page 299): 2. Configuring Admission Control EOU. 3. Configuring an Exception List Configuration for Cl

Page 244 - Configuring logging (book page 300): This example causes traffic with a destination port 53 (domain) or po

Page 245 (book page 301): The Cisco Secure ACS then issues a token according to the group in which a user with the

Page 246 (Chapter 2. Architecting the solution, book page 14): 2.1 Solution architectures, design, and methodologies. Our objective fo

Page 247 - client (book page 302): 7. Enabling the HTTP server is necessary for URL redirection. When UR

Page 248 (book page 303): 10.3.3.30 FastEthernet0/0 EAP Healthy 13; 10.3.3.31 FastEthernet0

Page 249 (book page 304): 7.2.1 Installing CCA Agent. At the time of writing this book, the late

Page 250 (book page 305): 2. Accept the default installation folder and click Next, as shown in Figure 7-72. Figure

Page 251 - Figure 7-16 AAA clients (book page 306): 4. Click Finish to complete the installation (Figure 7-74). Figure 7-7

Page 252 (book page 307): The steps are: 1. Open a Web browser and enter the IP address of the CAM. There is no spec

Page 253 - Figure 7-18 AAA Clients (book page 308): 3. The Clean Access Summary window will be displayed (Figure 7-76). Fi

Page 254 - Configuring RADIUS attributes (book page 309): 4. From the Main Menu, select Device Management → CCA Servers (Figure 7-77). Figure 7-77

Page 255 - Configuring groups (book page 310): 5. Select New Server. Add the server IP address and server location,

Page 256 - Figure 7-21 Group Setup (book page 311): 7. The CAS should now be visible under List of Servers, shown in Figure 7-79. Figure 7-79

Page 257 - Configuring users (book page 15): In general, the IBM Integrated Security Solution for Cisco Networks consists of three subsystems or logical c

Page 258 - Internal Database (book page 312): 8. Click the Manage icon for the CAS just added. This takes you to th

Page 259 - Global authentication setup (book page 313): 9. Select Device Management → CCA Servers → Network. Check that your screen resembles Fig

Page 260 - (Figure 7-24 on page 241) (book page 314): and non-trusted networks. The main subnet is added by default. For ea

Page 261 - 6. Click Submit + Restart (book page 315): 14. Click Add Mapping. Confirmation of the successful mapping will appear (Figure 7-83). Fi

Page 262 - To do this: (book page 316): 2. Click Add. The VLAN ID should be an asterisk (*), the subnet infor

Page 263 (book page 317): 2. Enter the group name and description (Figure 7-85). Figure 7-85 Switch Group creation

Page 264 (book page 318): 4. Verify your new switch group (Figure 7-86). Figure 7-86 Switch Gr

Page 265 (book page 319): Configuring a switch profile. To configure a switch profile follow these steps: 1. From Swit

Page 266 (book page 320): 3. Click Add. A confirmation of the new profile will appear, as shown

Page 267 (book page 321): When a client connects to a controlled port, the port is assigned to the authentication V

Page 268 - Figure 7-33 on page 251 (book page 16): devices seeking to access network computing resources, thereby limitin

Page 269 - (Figure 7-33) (book page 322): 4. Under Options: Device Disconnect, check the box Remove out-of-band

Page 270 (book page 323): 5. Click Add. The configured switch profiles will be displayed (Figure 7-91). Figure 7-91

Page 271 - 12.Click Done (book page 324): 2. Complete as necessary, depending on the version of SNMP being used

Page 272 (book page 325): the IP address of the switch should be entered in the IP Address box, and a description e

Page 273 (book page 326): 5. As seen in Figure 7-94, click the Ports icon. Figure 7-94 Managed

Page 274 (book page 327): 6. Under Profile, use the drop-down list to configure the ports as appropriate. Our clien

Page 275 (book page 328): 2. Add the role name and role description as appropriate. Our example

Page 276 (book page 329): 4. The new role should be visible under List Of Roles, depicted in Figure 7-97. Figure 7-9

Page 277 (book page 330): 2. From the first drop-down menu, select the role you have created. I

Page 278 (book page 331): 5. The action should be Allow and the protocol should be All (Figure 7-99). Figure 7-99

Page 279 (book page 17): Security Compliance Manager. IBM Tivoli Security Compliance Manager performs the functions of managing security

Page 280 - 27.Click Done (Figure 7-44) (book page 332): The completed ruleset should look like Figure 7-100. Figure 7-100 Un

Page 281 (book page 333): 2. Add the user name, password, and description as appropriate. From the Role drop-down m

Page 282 (book page 334): 4. The user just created should be seen under List of Local Users, as

Page 283 (book page 335): 2. Select the following options (Figure 7-103): – From the Check Category drop-down menu,

Page 284 (book page 336): – Value Name should be set to Version. – Value Data Type should be set

Page 285 (book page 337): 6. These two checks should now be displayed (Figure 7-105). Figure 7-105 Rules check lis

Page 286 (book page 338): 7. Click New Rule (Figure 7-106). Figure 7-106 New rule. 8. Enter the

Page 287 (book page 339): 10. Repeat steps 7 and 8, entering the following information (Figure 7-107): Rule Name CCA_

Page 288 (book page 340): 12. The newly defined rules will be displayed (Figure 7-108). Figure 7-

Page 289 - Allow any Protocol (book page 341): 14. Click Requirements → New Requirements (Figure 7-109). Figure 7-109 Requirements. 15. Ent

Page 290 - Grant access (book page 18): Port details and communication flows between Security Compliance Manag

Page 291 (book page 342): 17. Repeat steps 14 and 15, entering the following information (Figure

Page 292 - NAC_IISSCN_Posture_Profile (book page 343): 19. The Requirement List window should appear similar to Figure 7-111. Figure 7-111 Requi

Page 293 (book page 344): 22. Repeat steps 20 and 21, entering the following information (Figure

Page 294 - Healthy PA message: (book page 345): 25. From “Select requirements to associate with the role,” select both SCM_Service and CCA

Page 295 (book page 346): Discovered clients. To check that the Clean Access Solution is working

Page 296 (book page 347): Logging on as a client. To log on as a client follow these steps. 1. Once the CCA Agent soft

Page 297 (book page 348): 4. Click OK. 5. If a client fails the compliance check, a Web page wil

Page 298 (book page 349): 8. The user is advised of their temporary access (Figure 7-118), and clicks Continue. Figu

Page 299 (book page 350): 10. The Security Compliance Manager Compliance Report window pops up (

Page 300 - 24.Click Submit (book page 351): 13. The user clicks Close on the Security Compliance Manager Compliance Report window, whi

Page 301 - Clientless user (book page 19): Tivoli Configuration Manager. IBM Tivoli Configuration Manager automates the manual provisioning and deployment

Page 302 (book page 352): 15. The end user is advised of successful login to the network (Figure

Page 303 - Figure 7-64 Naming of ACL (book page 353): Example of interface configuration for CAM interface: interface FastEthernet1/0/18 descrip

Page 304 - 7. Click Submit (book page 354): Example of SNMP configuration: snmp-server community public RW; snmp-ser

Page 305 - Figure 7-66 Binding the ACL (book page 355): © Copyright IBM Corp. 2005, 2007. All rights reserved. Chapter 8. Remediation subsystem implementation. This chapter describes the IBM Tivoli Configu

Page 306 (book page 356): – Installation of the software package utilities. – Creating remediatio

Page 307 (Chapter 8. Remediation subsystem implementation, book page 357): 8.1 Automated remediation enablement. To enable automated remediation, the remediation handler tha

Page 308 (book page 358): for Tivoli Configuration Manager package at the IBM Tivoli Security C

Page 309 (book page 359): • For Software Package Web Server component: The IISSCN enablement pack2 for Tivoli Configuration

Page 310 (book page 360): Preparing for the installation. Tivoli Configuration Manager Web Gatewa

Page 311 (book page 361): The steps to install the minimal required version of Web infrastructure are: 1. To start the insta

Page 312 (book page 20): tables that contain data gathered by the collectors. In a generic Secu

Page 313 (book page 362): 3. The WebSphere Application Server Installation wizard is displayed,

Page 314 (book page 363): 4. In the next window, the standard license agreement is presented, as shown in Figure 8-3. Accep

Page 315 (book page 364): 5. In the next window shown in Figure 8-4 you must select the install

Page 316 (book page 365): This is shown in Figure 8-5. Click Next. Figure 8-5 Component selection dialog. Important: If you

Page 317 (book page 366): 7. In the next window, shown in Figure 8-6, you may specify the direc

Page 318 (book page 367): 8. In the next window you must specify the node name and host name for the Application Server to

Page 319 (book page 368): 9. The next dialog (Figure 8-8) allows you to select whether you want

Page 320 (book page 369): 10. The next window presented to you contains the installation options summary, as shown in Figure

Page 321 - Router# (book page 370): It may take a few minutes to complete the installation. Then you are

Page 322 - 7.2.1 Installing CCA Agent (book page 371): 12. Finally, there remain two open windows. One of them is the First Steps dialog you can just exi

Page 323 (book page 21): • If the client is not Security Compliance Manager policy–enabled, it is denied access to the corporate netwo

Page 324 (book page 372): 3. Make sure that the IBM HTTP server is not running (look for the Ap

Page 325 - The steps are: (book page 373): b. The Install fix packs option is selected, as shown in Figure 8-13. Figure 8-13 Installation o

Page 326 (book page 374): c. The directory location provided for the fix packs is the fix packs

Page 327 - (Figure 7-77) (book page 375): Now you can continue with the Tivoli Configuration Manager Web Gateway installation. Installation

Page 328 (book page 376): 3. The welcome window is presented (Figure 8-16). Click Next. Figure 8

Page 329 (book page 377): 4. In the next window (Figure 8-17), the standard license agreement is shown. Accept the license

Page 330 (book page 378): 5. The component selection is displayed, as shown in Figure 8-18. Mak

Page 331 (book page 379): 6. The installation directory selection window is displayed (Figure 8-19). Accept the default pat

Page 332 - Figure 7-82 Managed subnets (book page 380): 7. In the next dialog (Figure 8-20) most of the fields are already fi

Page 333 - Configure default login page (book page 381): 8. The Web infrastructure configuration window is displayed (Figure 8-21). Check whether the righ

Page 334 - Configuring a Switch Group (copyright page): © Copyright International Business Machines Corporation 2005, 2007. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, dupli

Page 335 - 3. Click Add (book page 22): access, this is an acceptable solution. Users are authenticated and pl

Page 336 (book page 382): If your Tivoli Configuration Manager is a single node installation th

Page 337 - Configuring a switch profile (book page 383): 10. The Secure access configuration window is presented, as shown in Figure 8-23. Since we are not

Page 338 - Configuring Port Profile (book page 384): 11. The summary of the selected installation options is presented, as

Page 339 (book page 385): 12. The installation can take a while depending on the configuration of your system. You can follo

Page 340 (book page 386): handler located on the workstation attempting to connect to the netwo

Page 341 - Configuring SNMP receiver (book page 387): 3. If you have followed the installation of WebSphere Application Server as described in this boo

Page 342 - Adding a managed switch (book page 388): 4. On the next page expand the Applications menu item in the left pan

Page 343 - IP Address box, and a

Chapter 8. Remediation subsystem implementation 3896. The Preparing for the application installation window is displayed (Figure 8-28). Accept the d

Page 344 - Figure 7-94 Managed switch

390 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems7. Leave the defaults and click Next in the several next windows unti

Page 345 - Defining user roles

Chapter 8. Remediation subsystem implementation 3918. The installation may take a few seconds or few minutes depending on your server configuration.

Page 346

Chapter 2. Architecting the solution 23The IEEE 802.1x standard addresses the need to authenticate the user or client trying to connect to the parti

Page 347 - Creating traffic policies

392 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems9. In the next window, shown in Figure 8-31, select Save to save the

Page 348

Chapter 8. Remediation subsystem implementation 39310.When you click the Enterprise Application link under Applications in the left pane you should

Page 349 - Access to TCM

394 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsOpen the file using a text editor, and find the value of the WEB_SERV

Page 350 - Creating local users

Chapter 8. Remediation subsystem implementation 395This file contains the mapping between the remediation workflows and the posture collector parame

Page 351

396 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems5. You must initialize the package creation utility environment. Issu

Page 352 - Configure Clean Access Agent

Chapter 8. Remediation subsystem implementation 397In Example 8-2 and Example 8-3 we present the final content required for the files that must be c

Page 353

398 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsaccess to corporate intranet resources). To avoid serious business di

Page 354

Chapter 8. Remediation subsystem implementation 399The checks defined by the particular compliance objects within the policy relate to the data gath

Page 355

400 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemspages would be in a subdirectory named pl_PL. The default language an

Page 356 - Figure 7-106 New rule

Chapter 8. Remediation subsystem implementation 401If none of these locations contain a valid page, the user interface falls back to the method used

Page 357

24 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems򐂰 In the Cisco NAC solution, the EAP header is extended with posture d

Page 358 - Validity

402 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsPosture element HTMLEach posture element has a unique name and status

Page 359 - Figure 7-109 Requirements

Chapter 8. Remediation subsystem implementation 403The wfattribute tagThe simplest variables are workflow attributes. When a posture collector perfo

Page 360

404 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsTable 8-5 presents the field names that may be used when a posture it

Page 361

Chapter 8. Remediation subsystem implementation 405The attributes that are generated by the Security Compliance Manager client are always present, a

Page 362

406 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsinformation. For example, to enable the user interface to display the

Page 363 - 26.Click Update

Chapter 8. Remediation subsystem implementation 407The attributes will be listed each time a posture element is selected (they are not logged when a

Page 364 - Discovered clients

408 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems `--PostureElement

Page 365 - Logging on as a client

Chapter 8. Remediation subsystem implementation 4098.3.4 Creating HTML pages for ABBC policyFigure 8-34 summarizes the directory structure for the

Page 366

410 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsFirst we create the default.html page describing these basic requirem

Page 367 - Continue

Chapter 8. Remediation subsystem implementation 411<div id="Logo"></div><div id="MajorTitle">Tivoli Network Ac

Page 368

Chapter 2. Architecting the solution 25This requirement can be fulfilled by providing each user with a unique identity and verifying it even before

Page 369

412 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsbackground: #fff url("file:///C:/Progra~1/IBM/SCM/client/scripts

Page 370

Chapter 8. Remediation subsystem implementation 413To prepare separate descriptions for each of these conditions we create two subdirectories named

Page 371

414 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems</title></head><body><div id="Logo">

Page 372 - 7.3 Conclusion

Chapter 8. Remediation subsystem implementation 4153. Understanding the tags described in the previous step, we now build a more sophisticated HTML

Page 373

416 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems<div id="Logo"></div><div id="MajorTitl

Page 374

Chapter 8. Remediation subsystem implementation 417You can build similar pages for all of the compliance checks described in your policy. In the nex

Page 375

418 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsWhile editing our policy in 6.2, “Configuration of the compliance pol

Page 376 - 8.2.1 Prerequisites

Chapter 8. Remediation subsystem implementation 4192. In the next step we create the Windows script that will perform the actual job. We can reuse t

Page 377

420 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems3. Next we create the configuration file for the sputil.sh utility co

Page 378

Chapter 8. Remediation subsystem implementation 421As a result you should see the output presented below:Region Disp Flags Port

Page 379

26 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems2.2 Definition of a Network Admission Control projectObjectives of a

Page 380

422 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsTwo additional files are created in the $BINDIR/tcmremed/work directo

Page 381

Chapter 8. Remediation subsystem implementation 423The remediation process window is displayed and the proper software package block is downloaded a

Page 382

424 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsfile. The live update process is initiated with the vpdn_lu.exe execu

Page 383

Chapter 8. Remediation subsystem implementation 4253. Run the sputil.sh command to create the software package block and publish it on the Web Gatew

Page 384

426 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems3. Create the configuration file for sputil.sh utility containing the

Page 385

Chapter 8. Remediation subsystem implementation 427the missing hotfixes. As this policy checks for multiple hotfixes in parallel, the missing ones m

Page 386

428 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems HotfixId=KB896423, TmfWebUIEndpoint=tcmweb. 4. This configuration file is

Page 387

Chapter 8. Remediation subsystem implementation 429If the package was created the result will look like below (the number in the middle of the resul

Page 388

430 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsThere is a small catch with this collector, as it is able to check fo

Page 389

Chapter 8. Remediation subsystem implementation 431 AddRegistryValueBeforeExecData.arrayLength=2, AddRegistryValueBeforeExecParentKey[0]=HKEY_LOCAL_MAC

Page 390

Chapter 2. Architecting the solution 27Figure 2-5 illustrates a possible NAC deployment scenario.Figure 2-5 NAC deployment scenarioTypical candida

Page 391

432 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsTCRZLSoftwareInstalledThe TCRZLSoftwareInstalled workflow is also ver

Page 392

Chapter 8. Remediation subsystem implementation 4333. Create the configuration file for the sputil.sh utility containing the instructions on how to

Page 393

434 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsworkflows installing or uninstalling software should use silent mode

Page 394 - Figure 8-16 Welcome window

Chapter 8. Remediation subsystem implementation 4354. Run the sputil.sh command to create the software package block and publish it on the Web Gatew

Page 395

436 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsTCRZLSoftwareDisabled directory and edit it with the text editor to m

Page 396

Chapter 8. Remediation subsystem implementation 437In order to remove the package for the TCRMessengerDisabled remediation workflow:1. Open a comman

Page 397

Page 398

© Copyright IBM Corp. 2005, 2007. All rights reserved. 439 Part 3 Appendixes. In the following two appendixes we take a closer look at these topics: • Gen

Page 399

Page 400

© Copyright IBM Corp. 2005, 2007. All rights reserved. 441Appendix A. Hints and tipsThis appendix contains hints, tips, and other useful information t

Page 401 - is False) and click Next

28 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems2.3 Design processThe MASS methodology that we follow in this book in

Page 402

442 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsDeployment overviewThe solution deployment starts with the registrati

Page 403

Appendix A. Hints and tips 443 Figure A-1 TRC-specific objects and relationship (figure labels: ACS Server, External User Database, Violation Count, Token, Mandatory Creden

Page 404 - IISSCN Extension Pack2 for

444 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsTop-level sequence of eventsThe NAC process starts when the client tr

Page 405

Appendix A. Hints and tips 445 Figure A-2 ISSCN top-level sequence diagram (figure labels: Remediation Objects(), PostureQuery(), SCM Policy Collector, Quarantine, PostureN

Page 406

446 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsSecurity Compliance Manager and NAC compliance subsystemFigure A-3 sh

Page 407

Appendix A. Hints and tips 447Cisco NAC sequence of eventsThe NAC process is initiated by the network. Whenever access to a protected network is det

Page 408

448 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsattempts by the client to access a protected resource will also trigg

Page 409

Appendix A. Hints and tips 449then to determine the actual problem based on the expected behavior of the solution.Assuming that all of the software

Page 410

450 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemscollectors, at which time any state changes affected by the remediati

Page 411

Appendix A. Hints and tips 451Communication port usageTivoli Security Compliance Manager server and client communicate only with temporary connectio

Page 412

Chapter 2. Architecting the solution 292. Check control settings and compare to security policy.The audit team periodically checks the systems to be

Page 413

452 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsCisco IOS Software routerOn a Cisco router running Cisco IOS Software

Page 414

Appendix A. Hints and tips 453 TimeToNextReauth = 48; Authentication Method = Dot1x; Posture = Healthy; Authorized By = Authentication Server; Vlan Policy =
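
The fields on this page (TimeToNextReauth, Authentication Method, Posture, Authorized By, Vlan Policy) are the per-session state an operator reads back from the switch to confirm that NAC actually put a client where the policy says it should be. The Python below is an added example, not code from the Redbook or from Cisco: it parses blank-line-separated blocks of such key = value lines and flags sessions whose posture is not Healthy, that were authorized by something other than the authentication server, whose reauthentication timer is not numeric, or whose assigned VLAN does not match the one expected for their posture. The sample output, the Interface field used to name sessions, and the posture-to-VLAN mapping are constructed for the example; the show command that produces this output on a particular IOS release is assumed rather than taken from the page.

```python
"""Audit NAC session state from IOS-style 'key = value' output.

Added example, not code from the Redbook or from Cisco. Parses
blank-line-separated session blocks of the form shown on the page
(TimeToNextReauth, Authentication Method, Posture, Authorized By,
Vlan Policy) and reports sessions that are not in the expected end
state. Sample text, the Interface field and the posture-to-VLAN map
are constructed; the show command producing the output is assumed.
"""
import re
from typing import Dict, List

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")

# Constructed: VLAN the ACS policy is expected to assign per posture token.
EXPECTED_VLAN = {"Healthy": "11", "Quarantine": "12"}

# Constructed sample of three sessions; "Interface" is an assumed field
# used only to name the sessions in the report.
SAMPLE_OUTPUT = """\
Interface = FastEthernet0/1
TimeToNextReauth = 48
Authentication Method = Dot1x
Posture = Healthy
Authorized By = Authentication Server
Vlan Policy = 11

Interface = FastEthernet0/2
TimeToNextReauth = 120
Authentication Method = Dot1x
Posture = Quarantine
Authorized By = Authentication Server
Vlan Policy = 12

Interface = FastEthernet0/3
TimeToNextReauth = 30
Authentication Method = Dot1x
Posture = Healthy
Authorized By = Guest-Vlan
Vlan Policy = 12
"""


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split the output into sessions, each a dict of field -> value."""
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                sessions.append(current)
                current = {}
            continue
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2)
    if current:
        sessions.append(current)
    return sessions


def audit_session(session: Dict[str, str],
                  expected_vlan: Dict[str, str] = EXPECTED_VLAN) -> List[str]:
    """Return findings for one session; an empty list means it looks right."""
    findings: List[str] = []
    posture = session.get("Posture", "")
    if posture != "Healthy":
        # Quarantine, Infected or Unknown clients are still awaiting remediation.
        findings.append(f"posture is {posture or 'missing'}")
    authorized_by = session.get("Authorized By", "")
    if authorized_by != "Authentication Server":
        # Any other authorizer (local fallback, guest VLAN) means the ACS
        # posture decision was bypassed for this port.
        findings.append(f"authorized by {authorized_by or 'unknown'}")
    reauth = session.get("TimeToNextReauth", "")
    if not reauth.isdigit():
        findings.append(f"TimeToNextReauth is not numeric: {reauth!r}")
    expected = expected_vlan.get(posture)
    vlan = session.get("Vlan Policy", "")
    if expected is not None and vlan != expected:
        # Posture says one thing but the enforcement point did another.
        findings.append(
            f"vlan policy {vlan or 'none'}, expected {expected} for posture {posture}")
    return findings


def noncompliant_sessions(text: str,
                          expected_vlan: Dict[str, str] = EXPECTED_VLAN
                          ) -> Dict[str, List[str]]:
    """Map session name -> findings, keeping only sessions with findings."""
    report: Dict[str, List[str]] = {}
    for index, session in enumerate(parse_sessions(text)):
        name = session.get("Interface", f"session-{index}")
        findings = audit_session(session, expected_vlan)
        if findings:
            report[name] = findings
    return report
```

Call noncompliant_sessions() on the captured switch output; the posture-to-VLAN map is the part that has to be aligned with the ACS configuration at the site, and a session authorized by anything other than the authentication server is the case worth escalating, because it means the port was opened without an ACS posture decision.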

Page 415

454 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsSecurity Compliance Manager clientWhen the Security Compliance Manage

Page 416 - 8.3.1 Locating HTML

Appendix A. Hints and tips 455Client logging can be turned on by setting the debug property to true in the %SCM_HOME%\client\client.pref file. When

Page 417

456 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsassessment). It can also be deployed in Layer-2 mode (users are L2-ad

Page 418 - Posture item HTML

Appendix A. Hints and tips 457meantime, the Clean Access Manager provides port-level or role-level control by assigning ports to specific VLANs, ass

Page 419 - HTML pages example

458 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsInterested parties can use this design and the prototypes of these co

Page 420 - Posture element HTML

Appendix A. Hints and tips 459A high-level overview of this design is depicted in Figure 8-42.Figure 8-42 High-level overviewIntegration component

Page 421 - The field Tag

460 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsTSCMAgent.batThis script creates the compliance semaphore file in and

Page 422 - The remattribute tag

Appendix A. Hints and tips 461 Scheduler: a platform-specific task scheduler (e.g., Windows Task Scheduler or cron on UNIX) is configured to run the Secur

Page 423

30 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsThe security compliance process for desktops and mobile clients can be

Page 424 - 8.3.3 Debug attributes

462 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsusing the example HTML form provided. It should be noted that default

Page 425 - Logging posture items

Appendix A. Hints and tips 463the old one. This will indicate that the special functionality of this prototype collector will be lost when the produ

Page 426 - Logging the HTML search path

464 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsNAC Appliance ManagerA policy on the NAC Appliance Manager must be cr

Page 427

Appendix A. Hints and tips 465State mapping and scenariosOne way for the solution to approach a design is to consider all of the possible states tha

Page 428

466 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems– Security Compliance Manager Client:i. Runs compliance validation. I

Page 429

Appendix A. Hints and tips 467– Security Compliance Manager Client:• Runs compliance validation. In this case, no violations are found, so set semap

Page 430

468 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems– Remediation handler:• Since semaphore is -1, PopUp Remediation Inte

Page 431

Appendix A. Hints and tips 469Since scenarios 5 and 6 are the most complex, the sequence of events for these scenarios is depicted in Figure 8-43.Fi

Page 432

470 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems– Statuscheck.exe:• Requests rescan from Security Compliance Manager

Page 433

© Copyright IBM Corp. 2005, 2007. All rights reserved. 471Appendix B. Network Admission ControlIn this appendix we discuss the Network Admission Contr

Page 434

Chapter 2. Architecting the solution 31reason a policy cannot be complied with due to a particular business need, the situation has to be accepted a

Page 435

472 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsExecutive summaryEmerging network security threats, such as viruses,

Page 436 - TCRNavScan workflow

Appendix B. Network Admission Control 473Dramatically improve network securityWhile most organizations use identity management and authentication, a

Page 437

474 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsSome of the security policy compliance checks that NAC can perform in

Page 438

Appendix B. Network Admission Control 475support for a complex security implementation involving a number of security vendors, combined with a corpo

Page 439

476 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems • Network access by unmanaged computers (such as guests, contractors,

Page 440

Appendix B. Network Admission Control 477organizations have evolving needs, Cisco Clean Access product components that are installed now can be used

Page 441 - TCRNavVirusDefUpdate

478 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsThe next stepsLet us take a look at the next steps:1. Deploy Cisco Cl

Page 442

Appendix B. Network Admission Control 479 NAC Framework components. The NAC Framework provides the following technology support: • Broad network device

Page 443 - TCRNavSoftwareInstalled

480 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems • Recommended components: – Cisco Security Agent – Cisco Security Monit

Page 444 - TCRMSPatchesInstallWinXP

© Copyright IBM Corp. 2005, 2007. All rights reserved. 481Appendix C. Additional materialThis redbook refers to additional material that can be downlo

Page 445

© Copyright IBM Corp. 2005, 2007. All rights reserved. iii Contents. Notices ...

Page 446 - HotfixId

32 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsThis means that for each desired change in the configuration settings,

Page 447

482 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsUsing the Web materialThe additional Web material that accompanies th

Page 448

© Copyright IBM Corp. 2005, 2007. All rights reserved. 483Related publicationsThe publications listed in this section are considered particularly suit

Page 449

484 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsOnline resourcesThese Web sites and URLs are also relevant as further

Page 450 - TCRZLSoftwareInstalled

Related publications 485 Help from IBM: IBM Support and downloads, ibm.com/support; IBM Global Services, ibm.com/services

Page 451

Page 452 - TCRZLSoftwareRunning

© Copyright IBM Corp. 2005, 2007. All rights reserved. 487 Index. Numerics: 802.1x 16, 22, 26, 68, 81, 95, 265; credentials 112. A: access control list 34

Page 453 - TCRMessengerDisabled

488 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems physical components 121; pop-up notification 277; posture plug-in 4

Page 454

Index 489 service pack level collector 167; service running collector 177; Software Package Utilities 394; Software Package Web Server 386; switch co

Page 455 - 8.5 Conclusion

490 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems IBM Tivoli Security Compliance Manager, see Security Compliance Manager

Page 456

Index 491 configuration in ACS 229; network policy enforcement 60; placement 67; polling of posture status 61; posture validation 59; PostureQuery

Page 457 - Appendixes

Chapter 2. Architecting the solution 332.3.4 Network design discussionIn this section we discuss the following network design factors for the IBM I

Page 458

492 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems timers 301; PostureNotification 447; PostureQuery 444, 447; PPP, see Po

Page 459 - Hints and tips

Index 493 S: Sarbanes-Oxley Act 6; scalability 35, 357; scope of the project 27; Secure Access Control Server, see Access Control Server; secure communicat

Page 460 - Deployment overview

494 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems TCRMessengerDisabled workflow 435; TCRMSPatchesInstallWinXP workflow

Page 461

Page 464

® SG24-6678-01 ISBN 0738489883. INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION. BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE. IBM Redbooks are dev

Page 465 - Cisco NAC sequence of events

34 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsIn the reference architecture described later in this book, there are

Page 466 - Fault isolation

Chapter 2. Architecting the solution 35revalidation process takes place too often, this pop-up window may become annoying and significantly lower th

Page 467

36 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsparticular security compliance concept is aimed at validating client a

Page 468 - SCM Push Client

Chapter 2. Architecting the solution 37Part 2, “Customer environment” on page 75, details a comprehensive deployment scenario.2.6 ConclusionIn this

Page 469 - Tools and tricks

Page 470 - Cisco IOS Software switch

© Copyright IBM Corp. 2005, 2007. All rights reserved. 39Chapter 3. Component structureThis chapter introduces the logical and physical components of

Page 471 - Cisco Secure ACS server

40 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems3.1 Logical componentsThe IBM Integrated Security Solution for Cisco

Page 472

Chapter 3. Component structure 41 The logical components are: • Network Admission Control • Compliance • Remediation. The following sections provide funct

Page 473 - NAC Appliance details

iv Building a Network Access Control Solution with IBM Tivoli and Cisco Systems 3.1.1 Network Admission Control ...

Page 474 - In-band versus out-of-band

42 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsfor network devices and other services. The various components that co

Page 475 - NAC Appliance integration

Chapter 3. Component structure 43Policy enforcement deviceClients access enterprise resources via the network which makes it an effective point to v

Page 476 - Integration design

44 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsFigure 3-3 shows the Cisco Trust Agent architecture, followed by a bri

Page 477 - NAC Appliance Agent

Chapter 3. Component structure 45EAP methods Provide a mechanism to authenticate the application or device requesting the host credentials, and encr

Page 478 - Policy collector

46 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsClean Access Policy UpdatesThese are regular updates of pre-packaged p

Page 479 - Scheduler

Chapter 3. Component structure 47Figure 3-4 depicts Security Compliance Manager’s high-level component architecture, followed by a brief explanation

Page 480

48 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsCompliance evaluation Consisting of Security Compliance Manager snapsh

Page 481 - Scheduler.bat

Chapter 3. Component structure 49 The compliance client component (Figure 3-5) consists of the following modules: • Policy collector • Posture collecto

Page 482 - NAC Appliance Manager

50 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsIn the IBM Integrated Security Solution for Cisco Networks, the collec

Page 483 - State mapping and scenarios

Chapter 3. Component structure 51Posture cacheThis component provides the caching area where posture collectors store the results of posture determi

Page 484

Contents v 6.2.1 Posture collectors ... 153; 6.2.2 Policy collector ...

Page 485

52 Building a Network Access Control Solution with IBM Tivoli and Cisco Systemsand any client components that would normally be installed on a Tivoli

Page 486

Chapter 3. Component structure 53Cisco Trust AgentThe Cisco Trust Agent is Cisco client software that is required to pass posture credentials and va

Page 487

54 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems3.2.2 Network access infrastructureAll users connect to enterprise re

Page 488 - Conclusion

Chapter 3. Component structure 55be deployed to the clients. The server is also used for administration and for providing reports about client compl

Page 489

56 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsThe flow consists of these process groups, depicted in Figure 3-6:1. P

Page 490 - The benefit of NAC

Chapter 3. Component structure 57remediation object should also be provided. Details of the policy creation and deployment process are discussed her

Page 491

58 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems • Cisco Secure ACS policy creation (1d). An ACS policy consists of rules

Page 492 - NAC implementation options

Chapter 3. Component structure 59Posture validation and policy enforcement (flow 3)This section contains details about how a client in a live enviro

Page 493 - The NAC Appliance

60 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems – Quarantine – Infected – Unknown • Posture notification (3f). After the AC

Page 494 - Investment protection

Chapter 3. Component structure 61Remediation (flow 4)Two cases should be considered for the remediation process: one where the organization has a Ti

Page 495

vi Building a Network Access Control Solution with IBM Tivoli and Cisco Systems Fault isolation ...

Page 496 - NAC technology

62 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems3.3.1 Secure communicationThe components are designed to provide a hi

Page 497 - NAC Framework components

Chapter 3. Component structure 63NAC communicationDuring communication of the Cisco Trust Agent client with the Cisco Secure ACS, a secure PEAP sess

Page 498

64 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsFigure 3-8 shows the security zones and their classifications. Organiz

Page 499 - Additional material

Chapter 3. Component structure 65corporate network through what are considered external networks, such as the DMZ and intranet zones.Details of reso

Page 500 - Using the Web material

66 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems • Remote offices and branch offices can use the Internet as a primary

Page 501 - Related publications

Chapter 3. Component structure 673.4.2 Policy enforcement pointsThe IBM Integrated Security Solution for Cisco Networks employs the Cisco NAC solut

Page 502 - How to get IBM Redbooks

68 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems Advantages of this kind of deployment are: • Policy enforcement load di

Page 503 - Help from IBM

Chapter 3. Component structure 69 Figure 3-11 Campus ingress enforcement (figure labels: Site-to-Site VPN Users, Internet, AAA, AAA, Branch Office Compliance (Campus Ingress

Page 504

70 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsSmall Office Home Office compliancePolicy enforcement can be used to p

Page 505 - Numerics

Chapter 3. Component structure 71Extranet complianceOrganizations could have WAN connections to share information with partners. This would require

Page 506

© Copyright IBM Corp. 2005, 2007. All rights reserved. viiNoticesThis information was developed for products and services offered in the U.S.A. IBM ma

Page 507

72 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsLab complianceOrganizations prefer having lab networks to test systems

Page 508

Chapter 3. Component structure 73Data Center protectionThe Data Center is the site where organizations host business-critical systems that require m

Page 509

74 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsRemote access protectionRemote access users use dial-up or VPN to conn

Page 510

© Copyright IBM Corp. 2005, 2007. All rights reserved. 75Part 2 Customer environmentPart 2 discusses how the IBM Integrated Security Solution for Cisc

Page 511

Page 512

© Copyright IBM Corp. 2005, 2007. All rights reserved. 77Chapter 4. Armando Banking Brothers CorporationThis chapter provides an introduction to the o

Page 513

78 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems4.1 Company profileArmando Brothers Banking Corporation (ABBC) is a f

Page 514

Chapter 4. Armando Banking Brothers Corporation 794.2 Current IT architectureThis section provides background information about the existing Armand

Page 515

80 Building a Network Access Control Solution with IBM Tivoli and Cisco SystemsUncontrolled zone - InternetThe Internet has become a pivotal componen

Page 516

Chapter 4. Armando Banking Brothers Corporation 81Figure 4-2 is representative of the ITSO Lab Environment used for L2Dot1x NAC deployment.VLAN-11 H
