6.2. The Technical Components of Cisco Clean Access

As discussed in Chapter 2, all NAC/NAP solutions consist of the same basic elements. Not all NAC/NAP solutions will contain all of the elements, and some vendors will be better at some elements than others. This section will analyze the following NAC components as they relate directly to Cisco NAC:

  • A technology to analyze the security posture of the device

  • A policy-related component to configure and set the policy on what specific security criteria will be analyzed on the device

  • A technology to communicate the security state of the device to other facets of the NAC/NAP solution

  • A mechanism that receives the security posture of the device and performs an action based upon those results

  • A policy-related component to configure and set the policy regarding what action will take place

  • A remediation technology whose purpose is to bring the device back into compliance

As the solution is detailed, it is important to understand the concept of roles. In Cisco Clean Access, the roles are:

  • Unauthenticated role — Default for unauthenticated users who have not been given access to the network.

  • Clean Access Agent Temporary role — CAA users are in the Temporary role while CAA requirements are checked on their systems.

  • Quarantine role — When a device has security deficiencies and vulnerabilities, it is put into this role.

  • Normal Login Role — User is logged in successfully.

6.2.1. Analyzing the Security Posture of a Device

Defining the current security state of any device attempting to gain access to the network is a critical step. As discussed in the previous chapters, there are two ways to do this:

  • Client — A software client is installed on the device.

  • Clientless — No software is installed. The device is scanned to see if any obvious deficiencies exist.

Cisco's solution allows for these two options, as well as a mixed environment of both of these options. The CAA is the client-based solution, and the clientless solution is referred to as Network Scanner. Cisco defines these two options as follows:

  • Clean Access Agent — This method provides local-machine agent-based vulnerability assessment and remediation. Users must download and install the CAA, which allows for visibility into the host registry, process checking, application checking, and service checking.

  • Network Scanner — This method provides network-based vulnerability assessment and web-based remediation. The Network Scanner in the local CAS performs the actual network scanning and checks for well-known port vulnerabilities to which a particular host may be prone.

Without question, the client-based solution will provide the highest degree of assessment capabilities. This is because this solution has a greater level of access to the system. The Network Scanner essentially has the same access as a hacker would, which hopefully isn't much. This is especially true if the system is running a personal firewall, which is specifically in place to block this type of information from being seen.

The CAA must be installed on all systems accessing the network. This client software automatically resides on all CASs. End users can be prompted to install the software as they access the network and to install upgrades to the agent. In addition to automatically prompting users to install the software, the agent can be installed via an MSI file called CCAAgent.msi. Figure 6-3 shows a sample of the agent install prompt.

Figure 6-3. The agent install prompt

6.2.2. Setting Policy for Device Analysis

With either the client-based software installed or the use of network scanning to analyze the endpoint, policies must be put into place regarding what should be analyzed. These policies are set on the CAM, which is the centralized management console for the CASs.

Cisco uses multiple elements in defining what is assessed on the client machine. These elements include:

  • Requirements

  • Rules

  • Checks

Requirements are what users can or cannot have running on their systems. For example, you may want to ensure that antivirus software is running on a machine, but ensure that the peer-to-peer application Limewire is not running.

Rules are used to check if a particular requirement is in place. Rules can be customized, or they can be preconfigured by Cisco.

Checks can check for a file, service, application, or registry setting. There are Cisco-preconfigured checks, but custom checks can also be used.

The agent can look for the following:

  • Windows Update Requirement — The agent can turn on Automatic Updates for Vista, Windows 2000, and Windows XP. Figure 6-4 shows the Windows Automatic Update configuration screen. Figure 6-5 shows this requirement being configured in Clean Access.

Figure 6-4. Windows automatic updates

  • Windows Server Update Requirement — This defines if updates are defined by Microsoft's severity level, or if Cisco Rules will be used.

  • Antivirus — Is antivirus software installed?

  • Up-to-date antivirus — Is it up to date (see Figure 6-6)?

  • Antispyware — Is antispyware installed?

  • Up-to-date antispyware — Is antispyware up to date?

  • Preconfigured rules — These are for Critical Windows operating system hotfixes only.

  • Registry Check — Does a key exist and what is its value?

  • File Check — Does the file exist? What is its version and date of modification or creation?

  • Service Check — Is a service running?

  • Application Check — Is an application running (see Figure 6-7)?

  • Cisco Security Agent — Is the Cisco Security Agent running?

Figure 6-5. Clean Access Windows update

NOTE

In Figure 6-6, you will see an amount of time left in the upper-right corner. This is a configurable amount of time that an endpoint is granted to allow the necessary checks and remediation to take place.

Because the agent is software that is installed on each endpoint, the analysis can be quite detailed and robust. For systems without an agent installed, Network Scanning is an option.

As was detailed in Chapter 4, scanning can also be used as a tool to analyze the security posture of a device. Chapter 4 specifically mentioned the Nessus tool. For Cisco NAC, Nessus plugins are actually used to perform the scanning. The plugins can be loaded into the console, and the Network Scanning options are configured. Nessus plugins are individual components that each search for a particular vulnerability. Figure 6-8 shows Network Scanning being configured, while Figure 6-9 shows a test scan with results of a scan that used the Nessus plugins.

Figure 6-6. Antivirus update notification

6.2.3. Communicating the Security Posture of the Device

The security posture of the device is communicated from the CAA to the CAS. This communication takes place via Cisco's proprietary SWISS protocol, and this communication is encrypted. The following are additional agent communication and ports:

  • UDP 8905, 8906 — SWISS, a proprietary CAS-Agent communication protocol used by the Agent for UDP discovery of the CAS. UDP 8905 is used for Layer 2 discovery, and 8906 is used for Layer 3 discovery.

  • TCP 8910 — Microsoft Active Directory lookup to facilitate Active Directory Single Sign-On (AD SSO).

  • TCP 443 — HTTP over SSL communication between Agent, CAS, and CAM, such as that for user redirection to a web login page.

  • TCP 80 (for version 3.6.x and earlier) — HTTP communication between Agent, CAS, and CAM. Used to download the CAA from the CAM to an end-user machine.

6.2.4. Taking Action Based on the Security Posture

If the security posture of a device is deficient, one role of NAC is to take some sort of action against that device. There are three enforcement options to choose from when a device's security posture is deficient and it attempts to gain access to the network:

Figure 6-7. Application check

  • Mandatory — The user is informed that the security posture is deficient, and the user cannot proceed unless the device meets the minimum security requirements.

  • Optional — The user is informed of the deficiency, although the device is permitted access.

  • Audit — The user is permitted access and the deficiency is logged.
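The check, rule and requirement hierarchy from Section 6.2.2 and the three enforcement options above can be tied together in a small evaluation model. This is an added illustration, not Cisco code; the role names are the ones the chapter lists, while the posture keys, requirement names and enforcement strings are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Added model (not Cisco code) of the chapter's check -> rule -> requirement
# hierarchy and the Mandatory / Optional / Audit enforcement options.
Posture = Dict[str, object]  # constructed endpoint facts reported by an agent

@dataclass
class Rule:
    """A rule passes only if every check it groups passes."""
    name: str
    checks: List[Tuple[str, Callable[[Posture], bool]]]  # (check name, predicate)

    def passes(self, p: Posture) -> bool:
        return all(pred(p) for _, pred in self.checks)

@dataclass
class Requirement:
    """Satisfied if any of its rules passes; enforcement is
    'mandatory', 'optional' or 'audit' (assumed spellings of the chapter's options)."""
    name: str
    rules: List[Rule]
    enforcement: str

def evaluate(reqs: List[Requirement], posture: Posture):
    """Return (role, failed_requirements, log). A failed mandatory requirement
    puts the endpoint in the Quarantine role; optional and audit failures are
    only reported/logged and the Normal Login role is still granted."""
    role, failed, log = "Normal Login", [], []
    for r in reqs:
        if any(rule.passes(posture) for rule in r.rules):
            continue
        failed.append(r.name)
        if r.enforcement == "mandatory":
            role = "Quarantine"
        else:  # optional: the user is told; audit: the failure is only logged
            log.append(f"{r.enforcement}: {r.name} not met, access permitted")
    return role, failed, log

# Constructed requirements mirroring the chapter's own examples.
REQUIREMENTS = [
    Requirement("Antivirus running", [Rule("av-service",
        [("service running", lambda p: bool(p.get("service:antivirus")))])], "mandatory"),
    Requirement("No Limewire", [Rule("no-p2p",
        [("app not running", lambda p: not p.get("app:limewire"))])], "mandatory"),
    Requirement("Automatic Updates on", [Rule("au-registry",
        [("registry value set", lambda p: p.get("reg:AutoUpdatesEnabled") == 1)])], "optional"),
]

if __name__ == "__main__":
    print(evaluate(REQUIREMENTS, {"service:antivirus": True, "app:limewire": True}))
```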

Users accessing the network may be authorized to access it and have no restrictions placed upon them as they use the network. Alternatively, users may be authorized but have restrictions placed upon them as a result of a security deficiency. These restrictions can be in the form of blocking or quarantining.

Blocking is relatively straightforward. If a device and user do not meet the security requirements, access to the network can be blocked. This protects the network by not allowing a vulnerable device to gain access. By default, all access is blocked until the device is analyzed and a decision is made on what type of access should be granted.

Figure 6-8. Nessus plugins being configured

Quarantining grants limited access to the network. When in a quarantined state, only specific sections of the network can be accessed. This can provide the endpoint with an opportunity to remediate itself. If remediated successfully, the device can then increase its security posture to meet the requirements to gain network access.

Quarantining is done at the IP Layer (Layer 3). The mechanism to control what is allowed or blocked is an ACL. This ACL is configured in the CAM. Figure 6-10 shows how this ACL is configured for a quarantined role.

6.2.5. Remediating the Security Deficiency

Clean Access offers a number of different options when it comes to remediating security deficiencies, including the following:

  • File Distribution distributes the required software directly by making the installation package available for user download using the CAA. In this case, the file to be downloaded by the user is placed on the CAM using the File to Upload field. An application or script to remove an infection is an example of a type of file that can be distributed.

Figure 6-9. Test scan and results using Nessus plugins

  • Link Distribution refers the user to another web page where the software is available (such as a software download page). This link is provided in the CAA dialog box.

  • Clean Access can automatically trigger the native antivirus and antispyware applications so that they update themselves. This occurs when the user clicks the Update button in the CAA. Currently, Cisco has integration with more than 28 major antivirus and antispyware vendors.

  • The Windows AutoUpdate tool can be automatically launched in the case of a failed Windows hotfix.

  • Third-party remediation applications can also be launched to fix a deficiency. Cisco specifically mentions that Tivoli and BigFix can be integrated to work with the Clean Access solution.

NOTE

Many of these actions require the end users to initiate the remediation step by clicking on a link that invokes a command, or takes them to a place where they can download and install updates and applications. For users that don't have Administrative rights on their machines, this can be a challenge.

Figure 6-10. ACL configured for a quarantined role

6.2.6. The Reporting Mechanism

The Clean Access solution provides monitoring via the CAM, which organizes the monitoring into the following four different categories:

  • Summary

  • Online Users

  • Event Logs

  • SNMP

As would be expected, the Summary reporting provides a quick summary of what is taking place throughout the Clean Access infrastructure. This information includes the current version and patch level of the CAA that is being used, as well as information on how many devices and users are connected through the Clean Access solution.

Of particular interest is the information regarding how many users are in the various security roles (such as Quarantine, Temporary, and Unauthenticated). Figure 6-11 shows a Summary page.

The Online Users report provides detailed information for users utilizing the Clean Access infrastructure. The users are broken down as being either In-Band or Out-of-Band:

Figure 6-11. Summary page

  • In-Band Online Users — Tracks In-Band authenticated users logged into the network. In-Band users with active sessions on the network are listed by characteristics such as IP address, MAC address (if available), authentication provider, and user role.

  • Out-of-Band Online Users — Tracks all authenticated Out-of-Band users who are on the Access VLAN (trusted network). Out-of-Band users can be listed by Switch IP, Port, and Access VLAN, in addition to IP address, MAC address (if available), authentication provider, and user role.

Figure 6-12 shows a screenshot of the Online Users report.

Clean Access Event Logs are Syslog-based reporting events. The Event Logs capture the following information:

  • System statistics for CASs (generated every hour by default)

  • User activity, with user logon times, logoff times, failed logon attempts, and more

  • Network configuration events, including changes to the MAC or IP passthrough lists, and addition or removal of CASs

  • Switch management events (for OOB), including when linkdown traps are received, and when a port changes to the Auth or Access VLAN

Figure 6-12. Online Users report

  • Changes or updates to Clean Access checks, rules, and the Supported Antivirus/Antispyware Product List

  • Changes to CAS DHCP configuration

By default, the CAM generates these logs hourly for each CAS under its control. This timeframe is a configurable setting. Figure 6-13 shows an Event Log.

Figure 6-13. Event Logs page

The Clean Access solution offers minimal manageability via SNMP. Cisco expects to add more robust functionality in upcoming versions. The SNMP module can monitor the following processes:

  • SSH Daemon

  • Postgres Database

  • Clean Access Manager

  • Apache Web Server

The CAM can also send traps in the following cases:

  • When the CAM comes online

  • When the CAM shuts down

  • When the CAM gains or loses contact with any CASs it manages

  • When the SNMP service starts (a Cold Start Trap is sent)

There are also Agent reports that can be found under the Device Management area of the CAM console. These reports can provide detailed information on specific agents and devices. Figure 6-14 shows a CAA User Report.

6.2.7. The Cisco NAC Profiler

An important supplement to the Clean Access solution is the Cisco NAC Profiler. This is an optional component that can help identify and categorize devices that typically are not computer systems. For example, VoIP phones, printers, and so on cannot typically run the CAA. These devices can also be difficult to identify, as well as difficult for companies to get their arms around. The NAC profiler will analyze the behavior of devices and categorize them as appropriate.

There is a very good reason why this functionality is important. Many different devices that are not typical computers require access to the network. These devices must be identified so that they can be exempt from being required to have the CAA running and from meeting all of the subsequent requirements. Rather than having administrators walk around and try to identify each of these devices, then manually record their MAC addresses to enter into an exempt list, enterprises can utilize the Cisco NAC Profiler.

Additional information on the Cisco NAC Profiler can be found at www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/217/p_intro.html.

Figure 6-14. CAA User Report
