Год выпуска: 2006
Автор: Omar Santos, David White Jr, Jazib Frahim
Издательство: Cisco Press
Качество: eBook (изначально компьютерное)
Количество страниц: 615
Описание: This book is the second volume of Cisco Network Admission Control from Cisco Press. The first volume, NAC Architecture and Design, examines the protocols used in NAC and covers each individual component’s function in detail. Design guidance is provided to assist the reader in implementing NAC in an existing network infrastructure. This includes examining existing hardware and software to determine whether it is NAC capable, providing suggestions for logical enforcement points, and offering guidance on defining an admissions policy.
This book focuses on the key components that make up NAC and how one can successfully deploy and troubleshoot each component as well as the overall solution. Emphasis is placed on real-world deployment scenarios, and the reader is walked step by step through the individual component configurations.
Along the way, best practices are called out along with mistakes to avoid. Component-level and solution-level troubleshooting techniques are also presented.
Three common deployment scenarios are covered in Part III, “Deployment Scenarios.” They include a small business, a medium-size enterprise, and a large enterprise. Each topology builds on the previous one and adds additional components of NAC to the solution. The small business becomes the branch (or remote) office in the enterprise topologies, while the medium-size enterprise becomes a separate geographically located part of the large enterprise design. This approach also demonstrates how one can phase in NAC in any size network.
Доп. информация: Первый том можно скачать тут
Part I includes Chapter 1, which provides an overview of the NAC Framework solution and the technology and components used to implement it. The remainder of the book is divided into three parts. Part II encompasses Chapters 2 through 12 and covers the installation, configuration, deployment, and troubleshooting of the individual components that make up the NAC solution. The chapters should be read in order, but if you are not using one of the components of the NAC solution in your network, you will want to skip the corresponding chapter. Part III encompasses Chapters 13 through 15, which cover how to deploy and troubleshoot the overall NAC solution in your network. Each deployment chapter builds off the previous; therefore, they should be read in order. However, if you are deploying NAC in only a small business, you will want to skip the chapters devoted to deploying NAC in an enterprise. Part IV encompasses Chapters 16 and 17, which explain how to manage and monitor the NAC solution. Some readers might find it useful to read Chapter 16 after Chapter 1. This will get your mind thinking about the overall tasks and processes in your business that need to be lined up before deploying NAC. The core chapters, Chapters 2 through 17, cover the following topics:
Part II, “Configuration Guidelines,” includes the following chapters:
• Chapter 2, “Cisco Trust Agent”—This chapter covers the installation, configuration, deployment, and troubleshooting of the Cisco Trust Agent (CTA). CTA is a small application, installed on end hosts in the NAC solution that provides posture information about the end host to ACS.
• Chapter 3, “Cisco Secure Services Client”—This chapter covers the installation, configuration, deployment, and troubleshooting of the Cisco Secure Services Client. The Cisco Secure Services Client is a full-featured wired and wireless 802.1X supplicant that natively supports NAC Framework by passing posture credentials through an EAP-FAST tunnel within the Layer 2 802.1X session.
• Chapter 4, “Configuring Layer 2 NAC on Network-Access Devices”—This chapter covers the configuration, operation, and troubleshooting of both Layer 2 IP and Layer 2 802.1X NAC on network-access devices.
• Chapter 5, “Configuring Layer 3 NAC on Network-Access Devices”—This chapter discusses the packet flow in an IOS NAD when NAC is enabled and then provides detailed steps to configure Layer 3 NAC on the NAD. This chapter also covers how to monitor and troubleshoot the NAC sessions by examining various log and debug messages.
• Chapter 6, “Configuring NAC on Cisco VPN 3000 Series Concentrators”—This chapter starts by covering the packet flow in a concentrator when NAC is enabled. Next, detailed configuration steps to enable NAC on the concentrator are provided, followed by a section on monitoring the remote-access VPN tunnels. For troubleshooting purposes, this chapter closes by covering various debug and log messages to help you isolate the issues related to remoteaccess tunnels and NAC.
• Chapter 7, “Configuring NAC on Cisco ASA and PIX Security Appliances”—This chapter covers the configuration required to enable NAC on the ASA or PIX security appliance for remote-access tunnels. In addition, for troubleshooting purposes, various debug and log messages are explained to help you isolate the issues related to remote-access tunnels and NAC.
• Chapter 8, “Cisco Secure Access Control Server”—At the core of NAC is the Cisco Secure Access Control Server. It is often considered the “brains” of NAC because ACS interprets the posture credentials returned from the end hosts and assigns a posture token and policy to them. This chapter covers an overview of ACS and walks the reader step by step through the installation and configuration of ACS for NAC. ACS logging is covered along with a troubleshooting section, which focuses on troubleshooting NAC issues on ACS.
• Chapter 9, “Cisco Security Agent”—This chapter starts with an overview of the Cisco Security Agent and then walks the reader step by step through the installation of the management center and creation of agent kits. The remainder of the chapter focuses on NAC-specific features in CSA, such as the capability to dynamically activate or deactivate rules based on system posture token returned.
• Chapter 10, “Antivirus Software Integration”—This chapter looks at the antivirus software vendors that interoperate with the NAC Framework. Installation of the antivirus posture plugin on CTA is covered along with the HCAP protocol (the protocol used to communicate between ACS and antivirus servers). Finally, the reader is walked systematically through the configuration steps necessary to add an antivirus policy server to ACS.
• Chapter 11, “Audit Servers”—This chapter looks at the integration of the QualysGuard Scanner appliance into the NAC Framework solution. This chapter provides step-by-step configuration for both the Cisco devices and the QualysGuard Scanner appliance.
• Chapter 12, “Remediation”—Remediation servers provide a way of automatically patching end hosts to bring them into compliance with network policies. This chapter examines the software provided by two of the remediation server vendors, Altiris and PatchLink.
Part III, “Deployment Scenarios,” includes the following chapters:
• Chapter 13, “Deploying and Troubleshooting NAC in Small Businesses”—This is the first of three chapters in the deployment section of the book. It focuses on the small business and what requirements a typical small business would have when deploying NAC in the network. After the requirements are defined, an example small business network is provided and the topology is reviewed. Next, the reader is walked through detailed steps on configuring ACS and the network devices to enable NAC-L2-IP and enforce the requirements drawn up earlier in the chapter. Finally, techniques for troubleshooting the NAC solution are covered.
• Chapter 14, “Deploying and Troubleshooting NAC in Medium-Size Enterprises”—This chapter focuses on the requirements of a medium-size enterprise to protect its network from both internal and external unknown threats. Based on the requirements, a solution is presented to the company. This chapter shows step-by-step configurations of all the devices involved. We discuss NAC-L2-IP on a Catalyst switch and NAC-L3-IP on a VPN3000 concentrator. The configurations of an Altiris server for remediation and a QualysGuard server for agentless hosts auditing are also covered. We walk through the steps required to configure ACS and define all the policies.
• Chapter 15, “Deploying and Troubleshooting NAC in Large Enterprises”—This chapter builds off the previous two deployment chapters and focuses on the large enterprise (greater than 5,000 users and multiple geographic locations). The requirements of the branch, regional, and headquarters sites are covered. Within the headquarters site, different policies are created for each of the following: executive floor, call center, human resources, finance, sales, engineering, conference center, and data center. Topics such as high availability and scalability are also covered.
Part IV, “Managing and Monitoring NAC,” includes the following chapters:
• Chapter 16, “NAC Deployment and Management Best Practices”—Some readers may find it useful to read this chapter first. The first half of the chapter is focused on the process of successfully deploying NAC in your network. Topics such as completing a readiness assessment, talking with stakeholders, deploying NAC in a lab, and creating test plans are covered. The second half of the chapter covers the following topics: provisioning user/client software (CTA and third-party software), handling CSA management, maintaining NAC policies, providing technical support, and performing education and awareness of end users as well as the support staff.
• Chapter 17, “Monitoring the NAC Solution Using the Cisco Security Monitoring, Analysis, and Response System”—This chapter discusses how to monitor the NAC solution using the Cisco Security Monitoring, Analysis, and Response System (CS-MARS). Detailed instructions on how to configure the individual components of NAC to report to CS-MARS are covered, along with the reporting capabilities of CS-MARS. Troubleshooting the CS-MARS appliance is also covered.