Thursday, January 22, 2009
NAC NEWS UPDATES
Security Options Abound: New NAC Release
My friends over at TechWiseTV are a huge multi-media machine, producing video, audio and podcasts. This podcast is on NAC 4.5: Alok Agrawal of the NAC Business Unit and myself dive into some of the cool features of 4.5. All of the podcasts can be subscribed to through iTunes.
To access the NAC podcast go to:
http://www.cisco.com/en/US/solutions/ns340/ns339/ns638/ns719/html_TW/tw_episode_198.html
And to get more information on all the great stuff coming from Techwise TV visit:
http://www.mytechwisetv.com/
or
http://cisco.com/go/interact
NAC Layer 3 Out of Band Design Guide That Uses VRF-Lite for Traffic Isolation
Cisco wrote a new configuration guide on using VRF-Lite for traffic isolation. This is a great configuration option for NAC, but with that said, never re-design your network just for NAC. VRFs can become very complex, and introducing new technology into the network should be carefully planned. Using VRFs in an enterprise network does make sense, but the reasons for moving to the new network design should be a combination of the added features/benefits for security (NAC, Guest Access, Wireless, etc.) and network manageability, throughput, and scalability.
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a3a8a7.shtml
New NAC Profiler Release
Last month a new maintenance release of Cisco NAC Profiler came out. 2.1.8-38 brings a good list of bug fixes and minor enhancements.
One minor enhancement that made it in was "Endpoint and Directory Timeout Unified Into Endpoint Timeout", which gives us more control over how endpoints are aged out of the database.
Find all the fixes and information in the Release Notes, which can be found at:
http://www.cisco.com/en/US/docs/security/nac/profiler/release_notes/218/218rn.html#wp101317
The new software can be downloaded at:
http://www.cisco.com/cgi-bin/tablebuild.pl/nacprofiler-2.1.8 (Requires Valid Smartnet Contract)
Tuesday, June 10, 2008
New Configuration Examples
NAC: LDAP over SSL on the Clean Access Manager (CAM)
This example walks you through using SSL with your LDAP authentication server.
NAC: LDAP Integration with ACS Configuration Example
This example explains how to use Cisco NAC Profiler for MAC Auth Bypass (MAB) in 802.1X deployments.
To see all the previous Configuration Examples and TechNotes
Friday, April 11, 2008
NAC Updates
I thought I would kick things off by offering some updates on the latest software release. Look for more custom check and best practice posts soon. Also, if anyone has any requests on something they would like to see posted about let me know!
Some updates to the original 4.1.3.0 Agent have been made; refer to the release notes for all enhancements, bug fixes, etc.
On April 7th, Cisco released an upgrade to NAC Profiler.
Release Notes | Documentation
Cisco released an upgrade to the Guest Server. Check out the documentation for all enhancements/fixes.
Release Notes | Documentation
Friday, November 9, 2007
Deploying Cisco NAC Profiler
Cisco NAC Profiler is OEM software based on Great Bay Software's Beacon product. The basis and need for NAC Profiler is to secure Non-Responsive Hosts (NRHs). This is performed by using state-of-the-art Endpoint Profiling and Behavior Monitoring technologies.
Endpoint Profiling is defined as recording a network endpoint's observable behaviors and analyzing identifiable characteristics of the endpoint in order to classify it as belonging to a particular group (Profile) and to assess each endpoint's ability in a certain sphere. That sphere could be, for example, an endpoint's ability to participate in a given authentication scheme or in Cisco NAC Appliance. In essence, Endpoint Profiling is best described as behavior-based characterization of endpoints for the purpose of identifying and grouping together those that are similar in function, capability or other defining characteristics.
Behavior Monitoring is the ability to ensure that endpoints keep behaving in a way consistent with the classification that earned them the authentication or NAC accommodation, and are not exhibiting behaviors associated with endpoints that should in fact participate in the full authentication or admission control process before being allowed onto the network.
Enough with the formal definitions (that's what the great documentation is for): what is the real value of this solution to an organization, with or without Cisco NAC, and both before and after a Cisco NAC deployment?
The Value of Cisco NAC Profiler:
When planning for a NAC Appliance deployment the question of NRHs is sure to come up. How does someone find all of the printers, game consoles, UPSs, IP phones, etc. in the network? The answer is never easy. The bottom line is that over 50% of the devices on the average organization's network are NRHs. The traditional method of accounting for NRHs is to manually find and record all MAC addresses and import them into the NAC Manager's Device Filter list. The challenges this method presents are resources (who is going to perform this task), human error (48-bit MAC addresses start to look very complex after writing down hundreds or thousands of them), adds/moves/changes becoming a nightmare, and the guarantee that by the time you finish recording all of the devices something has changed since you started.
From the above alone it becomes very clear how many hours can be saved by implementing Cisco NAC Profiler. But wait, there is more… The above shows how Endpoint Profiling saves time and headaches, but Behavior Monitoring takes the value of NAC Profiler a step further. Take the traditional method of adding NRHs into the device filter table of the NAC Manager: once a printer's MAC address is added it is always there, so a malicious hacker or auditor can walk up to the printer, print the properties page, read the MAC address, unplug the printer and use the printer's MAC address to gain access and bypass NAC. With NAC Profiler implemented, once the computer spoofing the printer's MAC address exhibits behavior outside the printer's typical behavior, that device is kicked off the Device Filter list and forced to go through the standard NAC process.
Another key benefit of NAC Profiler is the accountability and visibility it gives into the devices on the NAC Manager Device Filter list. As devices are placed into the Device Filter list by the Profiler Server, a link is added that brings an administrator directly to a page showing which switch port the device is plugged into, the respective endpoint profile data, and when it first came on the network. Any network operator understands the value of knowing where devices are and when they entered and left the network.
Figure 1 – NAC Manager Link to NAC Profiler
Minimize deployment costs + Minimize operational costs + Added Visibility + Added security = The value of Cisco NAC Profiler
Designing NAC Profiler:
NAC Profiler is comprised of two components:
- Profiler Server: Aggregates and classifies data from the collectors and manages the database of endpoint information. Communicates with the NAC Manager's API to add devices into the Device Filter list. Installed on the 3350 Appliance.
- Collector Module: Gathers information about endpoints using SNMP, NetFlow, sniffing, and active profiling. The software is already installed on the NAC Server; a license activates the feature.
The Profiler Server can be, and is recommended to be, configured as a High Availability (HA) pair. A Collector license should be purchased for each NAC Server that will be used to profile devices. If the NAC Server is an HA pair, the license should be purchased as an HA license.
For the latest information about licensing of Cisco NAC Profiler, please refer to the Cisco NAC Profiler Data Sheet.
NAC Profiler uses many data feeds to obtain the required information to perform Endpoint Profiling and Behavior Monitoring. The following list gives you the background of how the collectors gather data.
- NetMap: Collector component module that queries network devices via SNMP for:
o System information
o Interface information
o Bridge information
o Routing/IP information
This information is used to build and maintain a model of the network topology within the Endpoint Database.
- NetTrap: Collector component module that receives selected traps from network devices to assist NetMap in maintaining the model of the network topology.
- NetWatch: The passive network analyzer collector component module. Collects information about endpoints using network traffic received at one or more of the interfaces on the appliance it runs on.
- NetInquiry: Active profiling collector component module that can be used to collect information about endpoints using active techniques.
- NetRelay: Receives exported data from other systems such as NetFlow and prepares it for processing for Endpoint Profiling and Behavior Monitoring.
- Forwarder: Facilitates communication between the collector and the server; acts as middleware between the Collector modules and the Profiler Server.
Each NAC Profiler deployment may include a few or all of these, depending on the required amount of data. As a best practice, start with NetMap, NetTrap, and NetWatch to gather the relevant information required to successfully profile endpoints. If any of these collectors are not available in the organization deploying NAC Profiler, the NetInquiry or NetRelay collector is a great alternative. Please note that, other than NetInquiry, NAC Profiler is completely passive and does NOT actively send traffic to any endpoint.
Profiles Uncovered:
As of version 2.1.7, NAC Profiler comes with 38 default profiles out of the box. This includes many of the major device types in enterprise networks today.
Figure 2 – Default Profiles
In some cases it will be necessary to create custom profiles in order to profile an organization's specific devices. To do this, NAC Profiler offers different types of rules to match the behavior that is specific to the devices in question. The following are the rule types you can configure in Cisco NAC Profiler:
- MAC Address: Beacon maintains a list of all OUI values for MAC address vendor assignments. MAC Vendor rules allow the endpoint's MAC address to be used as a criterion for classification into a Profile.
- IP Address: Beacon can use the host address of endpoints, classifying devices whose host IP addresses fall within a designated range into a Profile.
- Traffic: analysis of traffic information at layers 3-4, based on information gathered by either the NetWatch collector module (traffic analysis) or the NetRelay collector module (NetFlow data exported from a NetFlow-capable device).
- Application: analysis of application-layer behavior including DHCP, server banners, DNS names, User-Agents, etc.
- Advanced: used to create complex expressions using AND, OR and/or NOT, or to aggregate the logic of multiple rules into a single rule.
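As an added example, not code from NAC Profiler or Great Bay, the toy profiler below models the rule types listed above (MAC vendor, IP range, application hint, traffic ports, combined as an Advanced-style AND rule) together with the behavior-monitoring eviction from the printer MAC-spoofing scenario described earlier. The OUI table, profiles, addresses and flows are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed OUI table (first three octets of the MAC); vendor names are made up.
OUI_VENDORS = {"00:11:22": "PrinterCo", "00:aa:bb": "PhoneCo"}

# Constructed profiles. Each entry combines the page's rule types: MAC vendor,
# IP range, application hint (e.g. DHCP vendor class) and the service ports the
# device is expected to use (traffic rule), which is what behavior monitoring checks.
PROFILES = {
    "Printer": {
        "mac_vendor": {"PrinterCo"},
        "ip_range": ip_network("10.10.0.0/24"),
        "app_hint": "printer",
        "allowed_ports": {9100, 515, 631},
    },
    "IP Phone": {
        "mac_vendor": {"PhoneCo"},
        "ip_range": ip_network("10.20.0.0/24"),
        "app_hint": "phone",
        "allowed_ports": {5060, 2000},
    },
}

def classify(endpoint):
    """Advanced-style AND rule: MAC vendor, IP range and application hint must all match."""
    vendor = OUI_VENDORS.get(endpoint["mac"][:8].lower())
    for name, rules in PROFILES.items():
        if (vendor in rules["mac_vendor"]
                and ip_address(endpoint["ip"]) in rules["ip_range"]
                and rules["app_hint"] in endpoint.get("dhcp_class", "").lower()):
            return name
    return None

def behavior_ok(profile, flows):
    """Traffic rule for behavior monitoring: every observed (peer, port) must fit the profile."""
    allowed = PROFILES[profile]["allowed_ports"]
    return all(port in allowed for _peer, port in flows)

def device_filter_decision(endpoint, flows):
    """Keep the endpoint on the Device Filter list only while its traffic matches its profile."""
    profile = classify(endpoint)
    if profile is None:
        return "unknown", "full NAC process"
    if behavior_ok(profile, flows):
        return profile, "device filter"
    return profile, "removed from device filter: behavior mismatch"
```

A host that borrows the printer's MAC but then talks SMB or SSH fails the traffic rule and drops back into the full NAC process, which is the eviction behavior the text describes.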
Summary:
Cisco NAC Profiler is an amazing add-on to the Cisco NAC Appliance portfolio and shows value for any organization that currently has or plans to have Cisco NAC Appliance. Please stay tuned for more best practices, advanced configuration and troubleshooting of Cisco NAC Profiler.
Sources: NAC Profiler ChalkTalk; Beacon Configuration Guide v2.1.8
Thursday, September 6, 2007
Cisco NAC Profiler Documentation
If you are interested in NAC Profiler services or consulting, please contact me jsanbower
Cisco NAC Profiler Data Sheet
http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd806b7d4e.html
Cisco NAC Profiler Brochure
http://www.cisco.com/en/US/products/ps6128/prod_brochure0900aecd806b7e8c.html
Cisco NAC Profiler Q & A
http://www.cisco.com/en/US/products/ps6128/products_qanda_item0900aecd806b5d40.shtml
Cisco NAC Profiler Ordering Guide
http://www.cisco.com/en/US/products/ps6128/prod_bulletin0900aecd806b7d69.html
Configuration Guide 2.1.7
http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/217/nac_profiler_cg.html
Wednesday, July 18, 2007
Cisco NAC Profiler Announcement
Great Bay Software Inc., the innovator of Endpoint Profiling for enterprise networks, today announced it has signed a worldwide OEM agreement with Cisco that adds the company's Beacon Endpoint Profiler solution to the award-winning Cisco Network Admission Control (NAC) product line. This agreement ensures that all network-attached endpoints, including non-PCs, meet the specified requirements for network access, creating the industry's most comprehensive NAC solution set.
As part of the agreement, Cisco will rebrand and sell the Beacon Endpoint Profiler as Cisco NAC Profiler. The Endpoint Profiling and Behavior Monitoring functions provided by NAC Profiler combined with the Cisco NAC Appliance solution will ease deployments and improve the security management of endpoints unassociated with specific users, such as network printers, medical imaging devices, IP phones, HVAC sensors and wireless access points. NAC Profiler can improve the return on investment for a NAC deployment by dynamically tracking the movement of these devices on the network.
The Cisco NAC Profiler provides a number of benefits both in the initial implementation of NAC and throughout the entire lifecycle of a deployment. Great Bay's Endpoint Profiling technology generates an automated inventory of all endpoints, significantly reducing the level of effort required in the implementation of NAC. The Cisco NAC Profiler informs the NAC system of critical endpoint data, including device address information, a type descriptor (printer, phone, AP, UPS, etc.), access type (a value that defines the appropriate level of access for that endpoint) and access to additional information about that device and its history in the network. This eliminates the need for manual inventories and data entry.
"We're excited to extend our collaboration with Cisco and to be part of an end-to-end NAC solution that provides a security model for all network-attached endpoints," said Steve Pettit, president of Great Bay Software. "Customers will benefit from Cisco's global business infrastructure and from the ongoing innovation this relationship will continue to deliver."
"Great Bay Software's endpoint profiling enhances an end-to-end NAC solution strategy," said Nick Chong, head of the NAC Appliance line of business for Cisco. "Cisco NAC Appliance, the leading NAC offering in the marketplace today, continues to represent the latest in technical innovation involving NAC, and adding Great Bay's profiling technology enriches our overall NAC solution."
Cisco's NAC Profiler will consist of two functional components in the NAC Appliance solution: the Profiler Server and the Collector Application. The Profiler Server will run on a dedicated appliance while the Collector Application will reside on the Cisco NAC Appliance Server. Cisco NAC Profiler is scheduled to be available in August 2007.
About Great Bay Software:
Great Bay Software Inc. is the innovator of Endpoint Profiling, a technology designed to rapidly establish and maintain a real time view of all network attached endpoints. The company's Endpoint Profiling technology has applications in enabling the deployment and administration of Network Admission Control and network-based authentication, in addressing compliance concerns related to unauthorized devices attaching to the Enterprise network, and in managing the endpoint lifecycle for all network attached devices.
Summary:
I have been working with Beacon for over a year now and have had nothing but success for deployments and the customers' ongoing operations. It is the fries with the burger when it comes to NAC in an enterprise environment. Next time you are planning a NAC deployment for your integration, or are sick of adding device filters every time a new phone or printer is brought up, check out Beacon!
Sources: MarketWire; Great Bay Software