ALLIED Telesis Network Security Solutions User Manual

Network Security Solutions
Implementing Network Access Control (NAC)
Tested Solution: Protecting a network with Sophos NAC Advanced and Allied Telesis Switches
Sophos NAC Advanced is a sophisticated Network Access Control implementation. It integrates tightly with other facilities on the Microsoft Server platform. This tested solution describes the steps involved in setting up Sophos NAC Advanced on a server running Microsoft Windows Server 2003, and the Allied Telesis switch configuration required to interoperate with this Sophos NAC implementation.
The description begins with a summary of the supporting applications that must be installed on the server. Then it moves on to the installation of the Sophos NAC server. The configuration of the NAC server to provide effective network protection is considered in some detail. Finally, the Allied Telesis switch configuration is provided, and the significant points in the configuration are discussed.
Steps to set up and configure this Solution
Install the supporting Server features and applications, see page 2
Install .NET Framework 2.0, see page 8
Install SQL Server Express 2005, see page 8
Install Microsoft WSE 3.0, see page 11
Create remote access policies for the IAS server, see page 13
Configure LAN switches as RADIUS client to the IAS server, see page 17
Install Sophos NAC Advanced, see page 23
- Install the Sophos NAC SQL database, see page 23
- Install the Sophos NAC application server, see page 23
- Configure the Sophos NAC application, see page 25
Create RADIUS enforcer access templates, see page 27
- Create/configure profiles, see page 29
- Create policies, see page 31
Configure endpoint devices, see page 33
For further information about NAC technology, and the NAC features available on Allied Telesis switches, see:
“Advanced edge security with NAC”
available from http://www.alliedtelesis.com/resources/literature/literature.aspx?id=5
Allied Telesis www.alliedtelesis.com
Page 1
Network Security Solutions | Network Access Control (NAC)
Installing the supporting server features and applications
To prepare a Windows 2003 server for installation of Sophos Advanced NAC, a number of Windows Server features must be enabled, and other applications installed.
For completeness, this solution description will assume that the server begins with a fresh installation of Microsoft Windows 2003, and will discuss all the steps required to go from that fresh installation to a state that is ready for Sophos Advanced NAC.
Many readers will skip some of these steps, as they will be starting with a server that has a number of these features already enabled. However, different servers will begin from different starting states, so, to cover all cases, this document will describe all the required steps.
Setting up the server as a Domain Controller
In this section, we will set up the server as a Domain Controller, and create a user account in the Active Directory user database. This will be called the NAC service account.
To begin the setting up of the Domain Controller feature:
1. Run dcpromo.exe.
2. In this example, the server is the Domain Controller for a new domain.
3. Select Domain in a new forest.
4. Provide a full DNS name for the server.
5. Select Permissions as required.
6. Set a restore mode password as required.
At this point, the enabling of the Domain Controller feature is complete. The next task is to raise the functional level of the Domain Controller.
Raising the functional level of the Domain Controller
1. Select Administrative Tools > Active Directory Domains and Trusts.
The server’s name will appear in the list of domain servers in the left-hand pane.
2. Right-click on the server’s name and select Raise Domain Functional Level.
3. Set the domain functional level to Windows Server 2003.
The final task in this section is to create the NAC service user account.
Creating the NAC service user account
1. Select Administrative Tools > Active Directory Users and Computers.
2. Right-click on the Users menu item beneath the server’s name. From the resulting pop-ups, choose New > User.
3. Provide the user with a First name and Last name, as below.
4. Provide the user with a Password, and the setup is complete.
Install the .NET Framework 2.0
The .NET Framework 2.0 is a required prerequisite for SQL Server Express (which will be installed at the next step). The installer for this application is provided with the Sophos NAC Advanced distribution. It can also be downloaded from Microsoft.com.
This installation is very straightforward: simply run the installer, and you are guided through the installation, with no significant choices having to be made.
Install SQL Server Express 2005
Sophos NAC Advanced will work with any standard SQL server. In this example, the SQL server being used is SQL Server Express 2005 – a light server that is freely available from Microsoft.com.
1. Run the installer, and you will be presented with the following opening dialog.
2. Click Install, and you will be offered the opportunity to decide which components to install. Leave this at the default setting.
3. Ensure that the authentication mode is set to Windows Authentication Mode.
4. Click Install on the next dialog, and the SQL server will be installed.
5. When the installation is complete, you are presented with a summary.
6. Click Finish and the SQL server will be installed.
Install Microsoft WSE 3.0
Microsoft Web Services Enhancements (WSE) 3.0 provides capabilities that are used by the Sophos NAC Web interface.
The installer for this is provided on the Sophos NAC Advanced distribution CD, and can also be downloaded from Microsoft.com. The installation of this software is very straightforward. The only choice that needs to be made is on the second dialog, where you need to choose the setup type.
Choose the Runtime setup type.
Ensure that ASP.NET v2.x is an allowed Web Service Extension
The operation of Sophos NAC Advanced requires that ASP.NET is an allowed Web Service Extension. By default, it is not an allowed extension, so you need to set it as such.
1. Select Administrative Tools > IIS Manager.
2. Within the IIS Manager, choose Web Service Extensions in the left-hand pane. A list of the Web Service Extensions is displayed.
3. Highlight ASP.NET v2.xxxxx.
4. Click the Allow button.
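The sections above (Domain Controller, functional level, NAC service account, .NET Framework 2.0, SQL Server Express 2005 in Windows Authentication Mode, WSE 3.0, and the ASP.NET v2.0 Web Service Extension) are all carried out through wizards, so it is easy to miss one. The following read-only PowerShell script is an added example, not part of the Allied Telesis document or Sophos' own tooling; it checks that a server has actually reached the state those sections describe. It assumes Windows PowerShell is installed on the Windows Server 2003 host and runs as a domain administrator, that the NAC service account name is passed in (the default `nacservice` is a constructed value), that the WSE 3.0 runtime is located by its assumed Global Assembly Cache folder, and that the IIS 6 metabase property `WebSvcExtRestrictionList` is readable through ADSI as shown.

```powershell
# Added example (not from the Allied Telesis/Sophos document): read-only check that a
# Windows Server 2003 host matches the prerequisite state described in the sections above.
# Assumptions: Windows PowerShell is installed, the script runs as a domain administrator,
# and the NAC service account name is supplied by the caller.
param(
    [string]$NacServiceAccount = "nacservice"   # constructed example name; pass your own
)

$script:failures = 0
function Report([string]$Name, [bool]$Passed, [string]$Detail) {
    if ($Passed) { $tag = "[PASS]" } else { $tag = "[FAIL]"; $script:failures++ }
    Write-Output ("{0} {1}: {2}" -f $tag, $Name, $Detail)
}

# 1. Domain Controller role: Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC
$cs = Get-WmiObject -Class Win32_ComputerSystem
Report "Domain Controller" ($cs.DomainRole -ge 4) ("DomainRole=" + $cs.DomainRole)

# 2. Domain functional level raised to Windows Server 2003 (DomainMode from .NET AD API)
try {
    $mode = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainMode.ToString()
    Report "Functional level" ($mode -eq "Windows2003Domain") ("DomainMode=" + $mode)
} catch {
    Report "Functional level" $false $_.Exception.Message
}

# 3. NAC service account exists in Active Directory (LDAP search on sAMAccountName)
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$NacServiceAccount))"
$account = $searcher.FindOne()
Report "NAC service account" ($account -ne $null) ("sAMAccountName=" + $NacServiceAccount)

# 4. .NET Framework 2.0 present (Install=1 under the key written by the framework installer)
$net20 = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727"
$net20Installed = (Test-Path $net20) -and ((Get-ItemProperty $net20).Install -eq 1)
Report ".NET Framework 2.0" $net20Installed $net20

# 5. A SQL Server 2005 instance is registered and uses Windows Authentication Mode.
#    Instance Names\SQL maps instance name -> instance id (e.g. MSSQL.1);
#    LoginMode 1 = Windows authentication only, 2 = mixed mode.
$instances = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
$sqlOk = $false; $sqlDetail = "no SQL Server instance registered"
if (Test-Path $instances) {
    foreach ($p in (Get-ItemProperty $instances).PSObject.Properties) {
        if ($p.Name -like "PS*") { continue }   # skip the registry provider's own properties
        $loginKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\" + $p.Value + "\MSSQLServer"
        $loginMode = (Get-ItemProperty $loginKey -ErrorAction SilentlyContinue).LoginMode
        $sqlDetail = "instance " + $p.Name + " LoginMode=" + $loginMode
        if ($loginMode -eq 1) { $sqlOk = $true }
    }
}
Report "SQL Server (Windows Authentication Mode)" $sqlOk $sqlDetail

# 6. WSE 3.0 runtime assembly in the Global Assembly Cache (assumed install location)
$wse = Join-Path $env:windir "assembly\GAC_MSIL\Microsoft.Web.Services3"
Report "WSE 3.0 runtime" (Test-Path $wse) $wse

# 7. ASP.NET v2.0 allowed as an IIS 6 Web Service Extension.
#    Each WebSvcExtRestrictionList entry reads "allowed,path,deletable,group,description";
#    the first field is 1 when the extension is allowed and 0 when it is prohibited.
$w3svc = [ADSI]"IIS://localhost/W3SVC"
$aspnetAllowed = $false; $aspnetDetail = "no ASP.NET v2.0 entry found"
foreach ($entry in $w3svc.WebSvcExtRestrictionList) {
    $fields = ("" + $entry).Split(",")
    if ($fields.Length -ge 2 -and $fields[1] -like "*\v2.0*\aspnet_isapi.dll") {
        $aspnetDetail = "" + $entry
        if ($fields[0] -eq "1") { $aspnetAllowed = $true }
    }
}
Report "ASP.NET v2.0 extension allowed" $aspnetAllowed $aspnetDetail

Write-Output ("Checks failed: " + $script:failures)
exit $script:failures
```

Run it once after working through the wizards (for example `.\Check-NacPrereqs.ps1 -NacServiceAccount nacsvc`); a non-zero exit code means at least one prerequisite is missing, and the `[FAIL]` line names the section to revisit. The script only reads WMI, the registry, Active Directory and the IIS metabase; it changes nothing.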