
Appendix B - NAC Interoperability

About This Chapter

This appendix explains how SafeGuard PortProtector Client interacts with Cisco Trust Agent (CTA) and Cisco Secure Access Control Server (ACS) to enhance your network's security. It contains the following sections:

What is NAC, page 95, describes Cisco's NAC (Network Access Control) and its benefits.

Posture Validation, page 95, explains how attributes, such as those reported by SafeGuard PortProtector Client through CTA, are validated by ACS.

SafeGuard PortProtector and NAC, page 82, describes how Sophos interfaces with NAC to provide comprehensive network protection.

Configuring Posture Validation Policies, page 96, describes the process of importing the SafeGuard PortProtector Client Attribute-Value Pairs (AVP) file and provides a link to Cisco documentation of posture validation policy configuration.

Attribute–Value Pairs (AVP) File, page 98, provides a sample AVP file which should be imported into ACS in order to check SafeGuard PortProtector Client attributes.

7.1 What is NAC

NAC is a set of technologies and solutions built on an industry initiative led by Cisco Systems. It uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can limit network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices.

7.1.1 Benefits of NAC

Dramatically improves any network's security—NAC ensures that all endpoints conform to the latest security policy, regardless of the size or complexity of the network. With NAC in place, you can focus operations on prevention, rather than on reaction. As a result, you can proactively protect against intruders and leakage.

Extends the value of your existing investments—Besides being integrated into the Cisco network infrastructure, NAC enjoys broad integration with antivirus, security, and management solutions from dozens of leading manufacturers.

NAC provides deployment scalability and comprehensive span of control—NAC provides admission control across all access methods (LAN, WAN, wireless, and remote access).

Increases enterprise resilience—NAC prevents noncompliant and rogue endpoints from affecting network availability.

Reduces operational expenses—NAC reduces the expense of identifying and repairing noncompliant, rogue, and infected systems.

7.2 Posture Validation

The term posture is used to refer to the collection of attributes that play a role in the conduct and "health" of the endpoint device that is seeking access to the network, and that can be checked. Some of these attributes relate to the endpoint device type and operating system; other attributes belong to various security applications that might be present on the endpoint, such as SafeGuard PortProtector Client (refer to SafeGuard PortProtector Client Attributes on page 96 for a list of SafeGuard PortProtector Client attributes).

Posture validation refers to the act of applying a set of rules to the posture data to provide an

7.3 SafeGuard PortProtector and NAC

During installation of the SafeGuard PortProtector Client, a DLL is installed (SProtectorPP.dll) that communicates the status of various SafeGuard PortProtector attributes (see below) to CTA. CTA, which includes a Posture Agent, delivers the posture attributes to ACS, which performs evaluation of the posture attributes.

If one or more of the attribute checks fail, the endpoint's access to the organizational network is blocked.

7.3.1 SafeGuard PortProtector Client Attributes

In addition to checking for the existence of a SafeGuard PortProtector Client on the endpoint, the following parameters may be checked and reported to the CTA Posture Agent:

Software version

SafeGuard PortProtector policy name

SafeGuard PortProtector policy ID

SafeGuard PortProtector policy revision

SafeGuard PortProtector policy type

SafeGuard PortProtector policy update time
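The kind of check ACS applies to the attributes reported above, as an added example (not code from the manual, CTA or ACS): it takes a constructed endpoint report carrying the six attributes, applies a hypothetical rule set (mandated policy ID, minimum client version, maximum policy age), and returns the posture token implied by the manual's rule that any failed check blocks access. Key names, sample values and thresholds are this example's assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed endpoint report covering the six attributes the manual lists as
# reported by SProtectorPP.dll through CTA. The key names and values are this
# example's own, not the dictionary names ACS uses.
ENDPOINT_REPORT = {
    "software_version": "3.3.0.12",
    "policy_name": "Corporate-Laptops",
    "policy_id": 1042,
    "policy_revision": 7,
    "policy_type": 1,
    "policy_update_time": datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc),
}
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed evaluation time

def version_tuple(v):
    """'3.3.0.12' -> (3, 3, 0, 12), so '3.10' correctly sorts after '3.9'."""
    return tuple(int(p) for p in v.split("."))

def evaluate_posture(report, expected_policy_id, min_version, max_age_days, now=NOW):
    """Return (posture token, list of failed checks).

    The manual states that any failed attribute check blocks the endpoint, so
    any failure yields 'Quarantine' and a clean report yields 'Healthy' (Cisco
    ACS posture token names). The thresholds are this example's assumptions.
    """
    if report is None:  # no SafeGuard PortProtector Client present on the endpoint
        return "Quarantine", ["SafeGuard PortProtector Client not present"]
    failed = []
    if version_tuple(report["software_version"]) < version_tuple(min_version):
        failed.append(f"software version {report['software_version']} is below {min_version}")
    if report["policy_id"] != expected_policy_id:
        failed.append(f"policy ID {report['policy_id']} is not the mandated {expected_policy_id}")
    if now - report["policy_update_time"] > timedelta(days=max_age_days):
        failed.append("policy has not been updated within the allowed window")
    return ("Quarantine" if failed else "Healthy"), failed
```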

7.4 Configuring Posture Validation Policies

A Posture Validation policy is where you define validation checks for SafeGuard PortProtector Client attributes. These checks are performed on the attributes communicated by SafeGuard PortProtector Client by means of SProtectorPP.dll to the CTA Posture Agent, and reported by CTA to ACS. In order to enable you to configure policies for SafeGuard PortProtector Client attributes, the SafeGuard PortProtector Attribute-Value Pairs (AVP) file, which defines these attributes, needs to be imported into ACS.

Note: Basic instructions are provided below. For additional details please refer to Cisco ACS documentation, available from:

To import the AVP file into ACS policy:

1 If you have not yet done so, install SafeGuard PortProtector Client on relevant endpoints. This automatically copies two files into c:\Program Files\Common Files\PostureAgent\Plugins:

SProtectorPP.inf: includes a description of SafeGuard PortProtector Client attributes and their identification.

SProtectorPP.dll: performs checks of SafeGuard PortProtector Client attributes, the posture of which is reported to CTA.

2 Prepare a SafeGuard PortProtector AVP file according to the example provided in Attribute–Value Pairs (AVP) File on page 98.

3 Open a command window on ACS.

4 Navigate to %\Program Files\Cisco Systems\CiscoSecure ACS 4.0\bin.

5 Drop the AVP file (AVPfilename) into this folder.

6 Run csutil -addAVP AVPfilename. The system will begin adding each attribute from the AVP file. When the process is completed, the following message appears:

---AVP Summary---

(N) AVPs have been added to the dictionary <DB>.

7 Restart csauth, csadmin and cslogd services. The attributes are now imported into ACS.

8 Set up a profile, and create posture validation policies in the Posture Validation Page. This is explained in User help for Cisco Secure ACS for Windows available from

http://www.cisco.com/application/pdf/en/us/guest/products/ps6439/c2001/ccmigration_09186a008053d5e4.pdf

OR

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e984.html#wp1196118

7.5 Attribute–Value Pairs (AVP) File

The AVP file describes the SafeGuard PortProtector Client attributes necessary for posture validation. The file should be imported into ACS as explained in the previous section.

The example provided below contains all available SafeGuard PortProtector Client attributes. You may delete the sections that apply to attributes which you do not wish to check.

[attr#0]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32770
attribute-name=Policy-Type
attribute-profile=in out
attribute-type=unsigned integer

[attr#6]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32774
attribute-name=Policy-Update-Time
attribute-profile=in out
attribute-type=date
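A pre-import check for the AVP file, as an added example that is not part of the manual or of Cisco's csutil: it parses [attr#N] sections like the ones above and flags the mistakes that would otherwise surface only at step 6 of the import procedure in the previous section (missing keys, a duplicate or non-numeric attribute-id, an unrecognised attribute-type, or sections that disagree on vendor-id/application-id). The sample file contents are constructed from this appendix, and the set of accepted attribute types beyond those in the sample is an assumption.

```python
import configparser
import io
REQUIRED_KEYS = ("vendor-id", "vendor-name", "application-id", "application-name",
                 "attribute-id", "attribute-name", "attribute-profile", "attribute-type")
# Types used in this appendix's sample; the full set csutil accepts is not stated there.
KNOWN_TYPES = {"unsigned integer", "date", "string"}
# Constructed from the two sections printed in the manual (attr#0 carries the
# same vendor/application lines as attr#6, as every section of one file must).
SAMPLE_AVP = """\
[attr#0]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32770
attribute-name=Policy-Type
attribute-profile=in out
attribute-type=unsigned integer
[attr#6]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32774
attribute-name=Policy-Update-Time
attribute-profile=in out
attribute-type=date
"""

def check_avp(text):
    """Return the problems found; an empty list means the file looks safe to import."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(io.StringIO(text))
    problems, seen_ids, owner = [], {}, None
    for sec in cfg.sections():
        missing = [k for k in REQUIRED_KEYS if k not in cfg[sec]]
        if missing:
            problems.append(f"{sec}: missing {', '.join(missing)}")
            continue  # the remaining checks need every key present
        attr_id = cfg[sec]["attribute-id"]
        if not attr_id.isdigit() or attr_id in seen_ids:
            problems.append(f"{sec}: attribute-id {attr_id!r} is not numeric or is already used")
        seen_ids.setdefault(attr_id, sec)
        if cfg[sec]["attribute-type"] not in KNOWN_TYPES:
            problems.append(f"{sec}: unknown attribute-type {cfg[sec]['attribute-type']!r}")
        this_owner = (cfg[sec]["vendor-id"], cfg[sec]["application-id"])
        owner = owner or this_owner  # every section must belong to the same vendor/application
        if this_owner != owner:
            problems.append(f"{sec}: vendor-id/application-id differ from the first section")
    return problems
```

Run it against the file you intend to drop into the ACS bin folder and fix every reported line before invoking csutil, since a partially imported dictionary is harder to clean up than a rejected file.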
