Cisco Network Access Control for HP Thin Clients and CCI

Contents
Introduction
The Components
HP PC Client Computing Solutions
Introduction

This white paper provides a reference implementation of layered security policy enforcement created by integrating HP thin clients and Consolidated Client Infrastructure (CCI) blade PCs with Network Admission Control (NAC) solutions from Cisco. The combination of HP thin clients and CCI blade PCs provides a very robust, secure, and cost-effective computing solution that can be applied to any network.
Network Access Control

Advancements in computer networking have significantly changed the way people and organizations communicate and access information. Networks have become critical resources in many organizations, providing real-time communications and access through both the Internet and enterprise intranets. Much of the data available on internal business networks needs to be protected, either to follow data privacy regulations or to protect valuable information assets.
The Cisco Clean Access NAC appliance can function in Real-IP Gateway mode or Virtual-IP Gateway mode. This reference implementation uses the Virtual-IP Gateway mode of operation. A full description of all the possible choices is beyond the scope of this white paper. For detailed information on implementation choices, refer to the Clean Access documentation on the Cisco web site: http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.
[Figure: Cisco Catalyst 3560 PoE-48 switch with the CAS and CAM appliances. CAM console to switch port 3; trusted interface to switch port 1 (trunk); untrusted interface to switch port 4. The remaining labels (IP addresses, VPN information, VPN Gr...) are truncated.]
4. In the figure below, we have defined three checks on thin clients:
   o Status of Sygate Firewall service (Sygate_Service_Check)
   o Sygate Engine actively enabled (Sygate_Engine_Enabled)
   o Status of Enhanced Write Filter service (EWF_Service_Check)
5. To add a Windows program/service/registry check, click New Check.
6. Select the Category and Type of check from the respective drop-down menus. In the following illustration, we’ve selected Registry Check and Registry Value in order to validate that the Sygate Engine is Enabled.
   NOTE: This is in addition to another setting we’ll define later to ensure that the service is running. Our goal is to ensure that Sygate is both running and enabled in order to access the network.
7.
8. Repeat steps 5 – 7 to add a check for the Enhanced Write Filter (EWF) Service and the Sygate Firewall Service. The EWF final selections are indicated in the following illustration.
Next, set rules comprising the AND and OR policies of individual checks. For this white paper, we’ll set an AND policy comprising all three checks defined so far: Sygate service running, Sygate engine enabled, and EWF service running.
9. To set a Rule, click New Rule.
10. Type the Rule Name (HP_TC_Rule, in this example) and select the operating system. Enter the Rule Expression by leveraging the checks shown (copy and paste the text).
    NOTE: You can form complex expressions of AND/OR policies using parentheses. Refer to Blade PC Policy later in this document for an example.
11. Now, build a requirement from the Rules called TC_Requirements by clicking Clean Access Agent/Requirements/New Requirements.
12. Name this new rule TC_Requirements and type a description in the Rule Description field. In the following example, we’re making the rule available for All Windows versions, although in this specific case the t5720 thin client runs Windows XPe and is identified by CAS as XP Pro/Home.
13. Click Requirement Rules.
14. In the Requirement Name list, click TC_Requirements.
15. Select the HP_TC_Rule check box to associate the thin client rule with the TC Requirement entry.
16. Ensure that the Requirements entry is indeed listed. If multiple requirements exist, click the appropriate arrow in the Move column to order the requirements, as seen in the following illustration.
17. Next, we choose which user roles we want to assign the thin client requirement to. Click the Clean Access Agent tab, then click Role-Requirements.
18. Select Employee from the User Role selection list. Click the TC_Requirements check box in the Select column. This requires all users in the Employee role to be tested for TC_Requirements, as defined above.
19. Click Update.
We’re finished with thin client policy settings!

Blade PC Policy

The blade PC policy setting closely follows the steps previously covered for the thin client, though different rules and policies are checked.
4. In the figure below we have added the following checks for blade PCs based on Windows Service names for each of the following:
   o Status of Windows Firewall service (WindowsXP_Firewall_Check and Vista_Firewall_Check)
   o Status of HP Watchdog Timer service (HP_Watchdog_Timer_Check)
   o Status of Altiris service for active patching (Altiris_Service_Check)
   o Status of HP SAM (Session Allocation Manager) service (SAM_Service_Check)
5.
6. Next, create and set rules based on the AND and OR policies of the individual checks previously defined.
7. To set a Rule, click New Rule.
8. Type the Rule Name (HP_Blade_Rule, in this example) and select the operating system. Enter the Rule Expression by leveraging the checks shown (copy and paste the text). The policy for this reference implementation is to require:
   HP Watchdog Timer Service running AND Altiris Service running AND (Windows XP OR Vista Firewall service running) AND (HP Policy Service OR SAM Service running)
9.
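The thin client rule from step 10 and the blade rule above are plain AND/OR expressions over named checks, each check reducing to "is this service running" or "is this registry value set". The following Python is an added example, not code from HP, Cisco or this white paper: it parses such a rule expression (with parentheses), derives service-check results from constructed `sc query` output, and reports which checks failed, which is what a remediation screen needs. The check names come from the paper; HP_Policy_Service_Check is an assumed name for the "HP Policy Service" the blade rule mentions, the service names in the sample output are placeholders, and AND binding tighter than OR is this evaluator's own convention (the paper relies on explicit parentheses).

```python
import re

# Matches the STATE line of Windows `sc query` output, e.g. "STATE : 4  RUNNING".
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)
# Rule expressions contain only check names, AND, OR and parentheses.
TOKEN_RE = re.compile(r"\(|\)|\w+")

RUNNING = "4  RUNNING"
STOPPED = "1  STOPPED"

# Rules as written in the paper. HP_Policy_Service_Check is an assumed check name.
TC_RULE = "Sygate_Service_Check AND Sygate_Engine_Enabled AND EWF_Service_Check"
BLADE_RULE = ("HP_Watchdog_Timer_Check AND Altiris_Service_Check AND "
              "(WindowsXP_Firewall_Check OR Vista_Firewall_Check) AND "
              "(HP_Policy_Service_Check OR SAM_Service_Check)")


def sc_sample(service_name, state):
    """Constructed `sc query` text for a service; service names are placeholders."""
    return ("SERVICE_NAME: %s\n"
            "        TYPE               : 10  WIN32_OWN_PROCESS\n"
            "        STATE              : %s\n" % (service_name, state))


def service_is_running(sc_output):
    """A service check passes only when STATE reports RUNNING; anything else fails closed."""
    match = STATE_RE.search(sc_output)
    return match is not None and match.group(1) == "RUNNING"


def evaluate_rule(expr, results):
    """Evaluate an AND/OR/parenthesis rule over {check_name: bool}.
    AND binds tighter than OR. An unknown check name raises instead of
    defaulting to True, so a typo in a rule can never admit a client."""
    tokens = TOKEN_RE.findall(expr)
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        tok = peek()
        pos[0] += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() is not None and peek().upper() == "OR":
            take()
            rhs = parse_and()          # always consume the right side
            value = value or rhs
        return value

    def parse_and():
        value = parse_atom()
        while peek() is not None and peek().upper() == "AND":
            take()
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in rule expression")
            return value
        if tok is None or tok == ")" or tok.upper() in ("AND", "OR"):
            raise ValueError("malformed rule expression near %r" % tok)
        if tok not in results:
            raise KeyError("rule references unknown check %s" % tok)
        return results[tok]

    value = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens in rule expression")
    return value


def assess_posture(rule, sc_outputs, registry_checks):
    """sc_outputs: {check_name: sc query text}; registry_checks: {check_name: bool}.
    Returns (compliant, sorted list of failed check names)."""
    results = {name: service_is_running(text) for name, text in sc_outputs.items()}
    results.update(registry_checks)
    failed = sorted(name for name, ok in results.items() if not ok)
    return evaluate_rule(rule, results), failed


if __name__ == "__main__":
    # Thin client with the EWF service stopped (the failure case from the enforcement walk-through).
    tc = {"Sygate_Service_Check": sc_sample("sygate-placeholder", RUNNING),
          "EWF_Service_Check": sc_sample("ewf-placeholder", STOPPED)}
    print(assess_posture(TC_RULE, tc, {"Sygate_Engine_Enabled": True}))
```

The blade rule shows why the OR groups matter: a blade with the XP firewall service stopped but the Vista firewall service running is still compliant, and the failed-check list tells the operator which branch was taken.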
13. Select both the HP_Blade_Rule and HP_TC_Rule check boxes to associate the thin client and blade rules and fulfill the HP client requirements.
14. Finally, click Role-Requirements. Select Employee from the User Role selection list.
15. Ensure that the HP_Client_Requirements check box is selected.
16. Click Update.
We’re finished with both blade and thin client policy settings!

End-Point Configuration

Thin Client Firewall Exceptions

The HP t5720 XPe-based Thin Client is configured by default with the Sygate firewall actively blocking all ports except those required for basic Web browsing and RDP connections. The t5720 thin clients used in this white paper also had firewall port exceptions added for RGS, which accelerates graphics in a manner superior to RDP.
4. Read the warning notification and click OK.
5. In the Advanced Rules window, click Add.
6. On the General tab, type NAC UDP in the Rule Description field.
7. Select Allow this traffic.
8. Select a specific network interface card or the default, All network interface cards.
9. On the Hosts tab, select IP Addresses and then type the IP address of the 3960 internal switch port and the CAM/CAS server addresses (10.6.6.2, 10.3.3.3, and 10.4.4.4, respectively).
10. On the Ports and Protocols tab, in the Protocol list, click UDP.
11. In the Local field, type 8905,8906.
12. In the Traffic Direction list, click Both.
13. Click OK.
14. Next, to add a rule for TCP traffic, click Add in the Advanced Rules window.
15. In the Advanced Rule Settings dialog box, on the General tab, type NAC TCP in the Rule Description field.
16. In the Action area, select Allow this traffic.
17. In the Apply Rule to Network Interface field, ensure that the proper network interface card is selected.
18. On the Hosts tab, select IP Addresses and type the IP address of the 3960 internal switch port and the CAM/CAS server addresses in the field (10.6.6.2, 10.3.3.3, and 10.4.4.4, respectively).
19. On the Ports and Protocols tab, in the Protocol list, select TCP.
20. Type 443 in the Local field.
21. In the Traffic Direction list, select Both.
22. Click OK.
23. At this point, scroll down in the Sygate Advanced Rules window and ensure that the two new NAC policies are defined and active.
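The two exceptions above are deliberately narrow: each opens only the NAC ports (UDP 8905,8906 and TCP 443) and only toward the three NAC addresses, leaving the default block in place for everything else. The Python below is an added example, not HP or Sygate code: it models that rule set as a first-match policy with a default deny and shows which combinations of protocol, peer address and local port get through. The rule fields mirror the dialog (description, action, protocol, hosts, local ports, direction); the port-list parser accepts the comma-separated text typed into the Local field. Direction names and the tuple layout are this example's own assumptions.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "description action protocol hosts local_ports direction")

# Switch port, CAM and CAS addresses from the white paper.
NAC_HOSTS = ["10.6.6.2", "10.3.3.3", "10.4.4.4"]


def parse_port_list(text):
    """Parse the Local field text ("8905,8906", "443", "1000-1010") into a set of ports.
    Rejects anything outside 1-65535 so a typo cannot silently widen a rule."""
    ports = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(p) for p in part.split("-", 1))
            span = range(low, high + 1)
        else:
            span = [int(part)]
        for port in span:
            if not 1 <= port <= 65535:
                raise ValueError("port out of range: %d" % port)
            ports.add(port)
    return ports


# The two exceptions from the walk-through; first match wins, no match means deny.
NAC_RULES = [
    Rule("NAC UDP", "allow", "udp", NAC_HOSTS, parse_port_list("8905,8906"), "both"),
    Rule("NAC TCP", "allow", "tcp", NAC_HOSTS, parse_port_list("443"), "both"),
]


def decide(rules, protocol, remote_ip, local_port, direction):
    """Return (action, rule description) for one flow.
    direction is 'inbound' or 'outbound'; a rule set to 'both' matches either."""
    remote = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if rule.protocol != protocol.lower():
            continue
        if rule.direction not in ("both", direction):
            continue
        if local_port not in rule.local_ports:
            continue
        if not any(remote == ipaddress.ip_address(h) for h in rule.hosts):
            continue
        return rule.action, rule.description
    # Default posture described for the t5720: everything not listed is blocked.
    return "deny", "default"


if __name__ == "__main__":
    for flow in [("udp", "10.3.3.3", 8905, "inbound"),
                 ("tcp", "10.4.4.4", 443, "outbound"),
                 ("tcp", "10.9.9.9", 443, "inbound"),     # right port, wrong peer
                 ("tcp", "10.3.3.3", 8905, "inbound")]:   # right peer, wrong protocol
        print(flow, "->", decide(NAC_RULES, *flow))
```

Scoping the exception to the NAC hosts is the point of step 9 and step 18: the same port on any other peer still hits the default block, which is what keeps the agent ports from becoming a general opening in the thin client firewall.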
Policy Enforcement Using Clean Access Agent

Now that the Clean Access and thin client firewall policies are defined, we will demonstrate policy enforcement for both thin clients and HP blade PCs using Cisco Clean Access Agent. We begin by ensuring that none of the blades or thin clients being tested is on the list of certified clients. Open the CAM console (http://10.3.3.3 in your Web browser, in this reference implementation). Click Clean Access under Device Management in the left panel.
Thin Client Policy Enforcement

1. Turn on the thin client connected to switch port 10 or 11; these ports are configured to start up in quarantine vlan6.
2. Ensure that the firewall and write filters are running.
3. Go to https://10.3.3.3 in your browser; this is the CAM configuration site on the trusted side of the network.
The CAS server attempts to connect to Cisco Clean Access Agent and to validate the platform.
5. Since the user authentication policy was selected during the initial NAC setup, you can type a valid username and password, and then press Enter or click Continue. Upon successful user authentication, a Network Security Notice appears to inform you that either Clean Access Agent is not already loaded on the target platform or the user has not authenticated through the agent.
6. For this reference solution, the agent has not been pre-populated on the thin client. Click Download Clean Access Agent 4.1.0.2.
7. Click Run when prompted to Save (download) or Run the Clean Access Agent, if the following window indicates that the wizard is ready to install the agent.
8. Depending on the certificates installed on your thin client, you may receive another warning. Click Run and the InstallShield wizard opens the Clean Access Agent Installer.
9. Click Next when prompted to install the version 4.1.0.2 Clean Access Agent.
   NOTE: Ensure that the version of the Clean Access Agent matches the version of the CAS software. For purposes of this white paper, the CAS server was version 4.1.0.
10. Click Next to accept the default installation directory.
11. Click Install to install the agent.
12. Click Finish to complete the installation.
13. To test Clean Access Agent operation, log on to the thin client, complete user authentication, and click Login. For this reference implementation, log on using the “nactest” account, which has the Employee role assigned. Logging on in this role requires Clean Access Agent to verify compliance with the requirements we set previously.
14.
17. Click Services and Applications.
18. Click Services.
19. Disable the EWF Status Service by right-clicking the entry and selecting Stop.
20. Log on again (through the CAM Web site at https://10.3.3.3) with the user credentials for the “nactest” account.
21. The Clean Access Agent test should now find the machine out of policy. The machine is either kept in the quarantine LAN or temporary access can be granted to the trusted LAN (if required for remediation). For purposes of this reference implementation, we have configured temporary network access of 4 minutes to allow any required access to remediation resources that may exist on the trusted network and to demonstrate the flexibility of Clean Access enforcement.
23. Click Next to re-scan. Clean Access Agent displays information on the missing requirements after each re-scan until the policy requirements are corrected. Click Cancel to close this screen and end the temporary access.
24. For purposes of our example, if you re-enable the EWF service and click Next within the time limit, the scan succeeds and full access is granted to the trusted network VLAN.
Blade PC Policy Enforcement

1. Turn on a PC Blade connected via Cisco 3560 switch port 10 or 11; these ports are configured to start up in quarantine vlan6.
2. Ensure that the firewall and write filters are running.
3. Go to https://10.3.3.3 in your browser. This is the CAM configuration site on the trusted side of the network.
The CAS server attempts to connect to Cisco Clean Access Agent and validate the platform.
5. Since the user authentication policy was selected during the initial NAC setup, you can type a valid username and password, and then press Enter or click Continue. Upon successful user authentication, a Network Security Notice appears to inform you that either Clean Access Agent is not already loaded on the target platform or the user has not authenticated through the agent.
6. For this reference solution, the agent has not been pre-populated on the thin client. Click Download Clean Access Agent 4.1.0.2.
7. Click Run when prompted to Save (download) or Run the Clean Access Agent, if the following window indicates that the wizard is ready to install the agent.
8. Depending on the certificates installed on your thin client, you may receive another warning. Click Run and the InstallShield wizard opens the Clean Access Agent Installer.
9. Click Next when prompted to install the version 4.1.0.2 Clean Access Agent.
   NOTE: Ensure that the version of the Clean Access Agent matches the version of the CAS software. For purposes of this white paper, the CAS server was version 4.1.0.
10. Click Next to accept the default installation directory.
11. Click Install to install the agent.
12. Click Finish to complete the installation. The Clean Access Agent should automatically start after a short time and the icon should be visible on the task bar.
    NOTE: You may get a certificate warning message. Continue to log on. A successful logon notification appears.
13. We can validate that the network connection is successful by once again attempting to connect to any device on the network; in this case, we’ll connect again to the CAM Web site (at https://10.3.3.3), which should now be resolved without redirection.
Next, let’s defeat one of the blade PC client requirements to force a failure of the Clean Access policy check.
14.
19. Log on again (through the CAM Web site at https://10.3.3.3) with the user credentials for the “nactest” account.
20. The Clean Access Agent test should now find the machine out of policy. The machine is either kept in the quarantine LAN or temporary access can be granted to the trusted LAN (if required for remediation).
22. Click Next to re-scan. Clean Access Agent displays information on the missing requirements after each re-scan until the policy requirements are corrected. Click Cancel to close this screen and end the temporary access.
23. For purposes of our example, if you re-enable the HP SAM Registration Service and click Next within the time limit, the scan succeeds and full access is granted to the trusted network VLAN.
Closing Observations

In this reference implementation, the Cisco Clean Access NAC appliance has been used to gate access for HP t5720 Thin Clients and HP blade PCs. We have used NAC agents on each client device to validate device configuration and user access to the network. In effect, the CAS bridges the production and quarantine networks and works together with the Clean Access agents on client devices to ensure that configuration policy is met and that users are authorized to access the network.
Appendix A – CISCO 3560 Switch Configuration

Switch#show configuration
Using 4021 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
no aaa new-model
vtp mode transparent
ip subnet-zero
ip routing
ip dhcp excluded-address 10.5.5.1 10.5.5.5
ip dhcp excluded-address 10.6.6.1 10.6.6.5
!
ip dhcp pool DHCP
 network 10.5.5.0 255.255.255.0
 default-router 10.5.5.2
!
ip dhcp pool DHCP6
 network 10.6.6.0 255.
 spanning-tree portfast
!
interface FastEthernet0/10
 description **CAS CLIENT INTERFACE**
 switchport access vlan 5
 snmp trap mac-notification added
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 6
 switchport mode access
 snmp trap mac-notification added
 spanning-tree portfast
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 10.2.2.2 255.255.255.0
!
interface Vlan3
 ip address 10.3.3.2 255.255.255.0
!
interface Vlan4
 ip address 10.4.4.2 255.255.255.
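The enforcement walk-throughs rely on switch ports 10 and 11 starting in the quarantine VLAN (vlan6) with portfast and MAC-notification traps, and the appendix is the place to verify that before trusting the demonstration. The Python below is an added example, not part of the white paper or of any Cisco tool: it splits an IOS running-config into interface blocks and audits a named list of client ports against those expectations. The sample config is constructed from the appendix fragment above; run on it, the audit reports FastEthernet0/11 clean and flags FastEthernet0/10, which the fragment shows in access VLAN 5 without `switchport mode access`. The finding texts and the choice of checks are this example's own.

```python
import re

# Constructed from the Appendix A fragment: only the client-facing ports and one SVI.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/10
 description **CAS CLIENT INTERFACE**
 switchport access vlan 5
 snmp trap mac-notification added
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 6
 switchport mode access
 snmp trap mac-notification added
 spanning-tree portfast
!
interface Vlan3
 ip address 10.3.3.2 255.255.255.0
!
"""

ACCESS_VLAN_RE = re.compile(r"switchport access vlan (\d+)$")


def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} for every interface block.
    IOS indents sub-commands by one space; '!' or any global command ends a block."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_client_port(lines, quarantine_vlan):
    """Findings for one port that is supposed to start every client in quarantine."""
    findings = []
    vlan = None
    for line in lines:
        match = ACCESS_VLAN_RE.match(line)
        if match:
            vlan = int(match.group(1))
    if vlan != quarantine_vlan:
        findings.append("access vlan is %s, expected quarantine vlan %d" % (vlan, quarantine_vlan))
    if "switchport mode access" not in lines:
        # Without an explicit access mode a Catalyst port can still negotiate a trunk via DTP.
        findings.append("switchport mode access not set; port may negotiate a trunk")
    if "snmp trap mac-notification added" not in lines:
        findings.append("mac-notification trap not enabled (present on the paper's client ports)")
    if "spanning-tree portfast" not in lines:
        findings.append("spanning-tree portfast missing; clients wait through STP before DHCP")
    return findings


def audit_config(config, client_ports, quarantine_vlan=6):
    """Audit each named client port; a missing interface is itself a finding."""
    interfaces = parse_interfaces(config)
    report = {}
    for port in client_ports:
        if port not in interfaces:
            report[port] = ["interface not found in configuration"]
        else:
            report[port] = audit_client_port(interfaces[port], quarantine_vlan)
    return report


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG, ["FastEthernet0/10", "FastEthernet0/11"]).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

The quarantine VLAN check is the one that matters for NAC: a client port that comes up in the production VLAN bypasses the CAS entirely, no matter how strict the agent requirements are.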
For more information

For more information about HP thin clients or any other HP product, contact your HP Authorized Reseller or visit these online locations to learn more about HP products, services, and support:

HP Links:
• HP home page: www.hp.com/sbso/busproducts.html
• HP desktop, blade PC, or thin client information: www.hp.com/desktops
• HP workstations information: www.hp.com/workstations
• HP notebook information: www.hp.com/notebooks
• HP security: www.hp.