
Showing posts from May, 2007

Custom Checks – Personal Firewall Software

Background: Many organizations require personal firewall software to be run on clients connecting into their network as part of their security policy. This post explores how to create custom checks to enforce the use of personal firewall software on connecting clients. This is one of the most requested custom checks I receive and hopefully you will find it beneficial. Create Checks and Rules: For this example, I am going to show how to create custom checks for 3 different types of Personal Firewall Applications. All of this software is free and can be downloaded. To create a custom check you must go to: Device Management – Clean Access – Clean Access Agent – Rules – New Check. Windows XP Firewall Check: The most reliable way I have found to check for the XP firewall is to use a Registry Check looking for the following Registry Value: Registry Key: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Registry Value: EnableFirewa...

Deployment Best Practices Series - Operations Acceptance of the Solution

Background: Operations Acceptance of NACA is very important for a successful deployment. If staff does not accept the solution, then it will not be utilized to its capabilities or be maintained. This post is all about educating staff in order to ensure a successful deployment. Introducing NACA to the Operations Staff: NACA has to become an integral part of network and security operations in order to have a successful deployment. The following are some of the topics that Network Operations must be informed about: Clean Access Servers (CASs) act as an extension to the routers and switches in the network, so network operations needs to understand how the CASs reside in the data path of users. In an Out-of-Band (OOB) Deployment, netops has to understand the integration between the Clean Access Manager (CAM) and all access switches; this requires the staff to have knowledge about SNMP Servers & SNMP Traps. Security Operations have many topics that they must know abou...

Deployment Best Practices Series – Deployment Expertise

Background: NAC Appliance is a product that can look very easy to install. For most people, this can be the start of many problems. It is important to realize that the product is made to be easy and that level can be obtained, but a lot of hours are required to learn the ins and outs of NACA. This post is all about the misconceptions about what level of knowledge a deployment engineer should have, as well as the steps engineers can take to get to that level. Understanding the Learning Curve: NAC Appliance is a product that does deploy very quickly. For smaller deployments, it can be stood up and working in just hours, but this is for engineers that have taken the time to understand it. The more hours you spend looking into the CAM GUI, the easier things get. This product gets confusing in a few instances: Customization of Posture Assessment and Remediation; Going above and beyond the normal Windows HotFixes and AV Installation/Definitions; Truly enforcing security policy with CCA ...

Deployment Best Practices Series - User Acceptance of the Solution

Background: User Acceptance of NACA is the #1 most important consideration that must be made during a deployment. This post should hopefully help you understand the best practices to make users "accept" the solution. Messaging the Solution to Users: In order for users to not get really upset about the solution, you MUST message the plans of turning on the NACA solution. If you do not message this information to users, they will have no idea what hit them and you can rest assured that their bosses or parents (in the EDU space) will hear about it and you will be getting A LOT of complaints. Along with these complaints will be the complete dislike of the solution before they have even used it. Messaging is simple and can be performed by using: - Posters/Banners - E-mail - Formal Letters. The content of the messaging needs to include: - Benefits of CCA for the end-user & organization as a whole - Reasons the organization is deploying the solution - Time frames of deployment - How ...

Deployment Best Practices Series

I receive the following question all the time: "How do I make sure that my deployment of NAC Appliance goes well?" The easiest way to answer this question is to ask "What makes a NACA Deployment Fail?" Failing, in the context above, means that the solution causes more harm than good and does not provide the benefits as promised. Cisco NAC Appliance is a product that can do everything and more that Cisco promises. The following are what I have found to cause more harm than good if they are not addressed from the beginning of the deployment: 1.) User Acceptance of the Solution 2.) Deployment Expertise 3.) Operations Acceptance of the Solution. This is where the series comes into play. I will be posting what I have found to be "best practices" to address these 3 problem areas and hopefully help everyone understand how to make their deployments successful. I really am open to feedback if anyone has any suggestions/comments for the series.

NACA Version 4.1.1

Version 4.1.1 was posted to CCO for download on April 30th. Some of the feature "enhancements" that I found interesting and useful, but not too geeky, are: - Support for Windows Vista: This is something that has been around in the 4.0.X train but not 4.1.X, so customers should really enjoy this feature. - Multiple Active Directory Server Support in ADSSO: Previously, you could only define a single AD Server for ADSSO. Now with 4.1.1 you are able to authenticate to an entire "Domain". This greatly enhances the availability of ADSSO. - Restricted Administrator Web Console Options Hidden from View: Now you can take away even Read-Only rights to certain aspects of the CAM. This makes it less tempting for the help-desk staff to go in and look through private event data, etc. - VLAN Pruning: This works in conjunction with a Virtual Gateway CAS using VLAN Mapping to ensure that only known VLAN ID packets are allowed to traverse the internal netw...

NACA Chalk Talks

The guys at the BU have invested a lot of time in getting people the basic knowledge about NACA by doing a "chalk talk" series that can provide you with a really good resource. If you are joining us with zero knowledge or just basic knowledge, these presentations are a great place to start. They do require a CCO login, but are definitely worth filling out the form. I probably will not talk about any of the topics in the presentations, because that would not hold any value, but you probably will see me expand on some of the topics that did not get as much attention as warranted. Chalk Talk 1: Cisco NAC Appliance Foundation Concepts (Presenter: Alok Agrawal). Chalk Talk 2: Configuring NAC Appliance in In-Band Mode (Presenter: Prem Ananthakrishnan). Chalk Talk 3: Configuring NAC Appliance in Out-of-Band Mode (Presenter: Alok Agrawal). Chalk Talk 4: Configuring NAC Appliance for High Availability (Presenter: Alok Agrawal). Chalk Talk 5: Configuring Posture Assessment and Remediation Presen...

CAM & CAS Licensing

CCA is licensed in two manners. CAM Licensing: The CAM is licensed on the basis of how many CASs it can manage (1 CAS Failover Bundle = 1 Server Count). The CAM comes in 3 flavors: Lite (manages up to 3 Servers), Standard (manages up to 20 Servers), & Super (manages up to 40 Servers). CAS Licensing: The CAS is licensed on the basis of how many users are logged in. The easiest way to understand this is to think about how many Online Users show up in the IB/OOB OU List. The only caveat to this is that if you are using Device Filters that are marked as "Check", you need to include them in the CAS User Count. The CAS comes in many flavors ranging from 100 users to 2500 users. Reference: http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/license.htm

Welcome to NACA Blog

I just wanted to say welcome to everyone. I am really utilizing this blog as a Knowledge Management System to post ideas about best practices, wacky or misunderstood topics, Tips & Tricks, and Configuration Topics. Please let me know if you would like to help contribute to this blog; the more comments the better.