HP BladeSystem bc2000, BladeSystem bc2500, T5720, Cisco Network Access Control User Manual

Cisco Network Access Control for HP Thin Clients and CCI
Introduction 2
The Components 2
  HP PC Client Computing Solutions 2
  Network Access Control 3
  Cisco Network Admission Control 3
Implementation Prerequisites 4
The Implementation 4
  NAC Installation 4
  Configuring Policy Settings 5
    Testing Methods 5
    Thin Client Policy 5
    Blade PC Policy 12
  End-Point Configuration 17
    Thin Client Firewall Exceptions 17
  Policy Enforcement using Clean Access Agent 23
    Thin Client Policy Enforcement 24
    Special Thin Client Consideration: Committing Image Changes 27
    Blade PC Policy Enforcement 32
Closing Observations 39
Appendix A – CISCO 3560 Switch Configuration 40
For more information 42
  HP Links 42
  CISCO NAC Links 42
  General NAC Links 42
Introduction
This white paper provides a reference implementation of layered security policy enforcement created by integrating HP thin clients and Consolidated Client Infrastructure (CCI) blade PCs with Network Admission Control (NAC) solutions from Cisco. The combination of HP thin clients and CCI blade PCs provides a robust, secure, and cost-effective computing solution that can be applied to any network. Like any other networked component, it is important to examine the security issues associated with their operation. This paper addresses the use of network policy enforcement services with HP thin clients and blade PCs linked to a Cisco Clean Access Manager and Clean Access Server NAC appliance built from HP ProLiant DL140 and DL360 servers respectively. This configuration provides strong network policy enforcement to ensure that client devices on the network are properly configured; otherwise these clients can be quarantined and/or remediated. Overviews of NAC, as well as usage models and known working implementations, are provided.
The Components
HP PC Client Computing Solutions
HP PC client computing solutions consist of two major components: thin clients and blade PCs. A thin client is a computing device without a hard drive that provides display and input/output for applications running on remotely located servers or blade PCs. A basic thin client consists of a processor, flash memory for storing the embedded operating system, local RAM, a network adapter, and standard input/output for the display and other select peripherals. HP thin clients have no moving parts, offering higher reliability than a PC, lower ownership costs, enhanced security, and extended product life. These small, robust devices consume significantly less energy than a desktop PC, put out less heat into your office spaces, are made with much less material than a desktop, and are practically silent.
HP offers thin clients based on three operating systems: Windows XPe, Debian Linux, and Windows CE. Each operating system provides protection for the OS image housed within the flash device while creating a partition on that flash device to act as a virtual hard drive. Only an account with administrator privileges can make changes to the base image to add applications or operating system patches. With the Windows XPe operating system, HP also includes a Sygate firewall on the base image that locks down all ports except those necessary for typical Microsoft Remote Desktop Protocol (RDP) and Citrix-level connections and general Web browsing. The Sygate settings must be edited to unlock any additional ports on the thin client.
Consolidated Client Infrastructure (CCI) is the enterprise/data center computing architecture through which blade PCs can be allocated to end-users connecting on thin clients. The blade PCs are stored and managed in a centralized location, and are accessed through HP Remote Graphics Software (RGS) or RDP. A remote user can present credentials to the HP Session Allocation Management (SAM) service and be connected to a computing session on a blade PC with access to network resources such as applications and data. Unlike Terminal Services-, Citrix-, or VDI-hosted computing sessions, CCI computing sessions typically match up a connected user onto a blade PC that is not shared, which provides a stable computing experience that does not change as additional users are added to the array of blade PCs.
Although CCI blade PCs are housed in the data center for security, they are full-fledged PC systems running the latest operating systems. As such, it is assumed in this paper that images for blades are configured with a firewall and virus scanning software as a security baseline. For the usage models presented here, the blades were configured to use the native Windows XP firewall, as well as anti-malware software.
Network Access Control
Advancements in computer networking have significantly changed the way people and organizations communicate and access information. Networks have become critical resources in many organizations, providing real-time communications and access, through both the Internet and enterprise intranets. Much of the data available on internal business networks needs to be protected, either to follow data privacy regulations or to protect valuable information assets. As such, the need to provide reliable and secure network access has become a key challenge facing today’s Information Technology (IT) organizations.
As organizations take advantage of the benefits of making information available, they also need to consider the security implications. They must protect valuable proprietary information. They also might be responsible for complying with government regulations related to data privacy. This leads to two business objectives that many IT organizations are striving to maximize: data availability and data security. While addressing each of these objectives individually can be straightforward, the methods used to address one often conflict with the other. Therefore, it is important for organizations to address these objectives together.
To meet these needs adequately requires a layered security approach, often defined as Defense in Depth. NAC is one component of such an approach, and should not be considered in isolation. The high level role of NAC is to protect the network and its resources from harmful users and devices or systems. It does this by restricting network access based on certain criteria and business policies. The policies may be quite simple, such as allowing access to a set of known users or devices while denying all others. Or, in order to model more intricate business policies, the policies may be much more complex.
NAC works together with other network security layers such as firewalls, Intrusion Detection and Prevention Systems (IDPS), endpoint security, and so forth to build a defensive posture in your environment. NAC should be used to minimize the risk associated with unauthorized, infected, or improperly configured devices trying to connect to your network.
In its most basic form, NAC allows a network administrator to restrict network access to authorized users and/or devices. However, many organizations have the need to provide, or can benefit from providing, different levels of access depending on the role of the user. For example, employees have access to internal network resources and the Internet while guest users are only provided access to the external Internet.
There is also a need for protection from malicious software, which is accomplished by evaluating the security posture of devices connecting to the network. The security posture required is defined by organizational policies and is based on checking for things such as operating system versions and patches, security software (antivirus, anti-spam, firewalls, etc.), security settings on common software, and other required or prohibited software.
There are many aspects to a complete network security implementation. This white paper addresses use of the Cisco Clean Access Network Admission Control (NAC) appliances and software as applied to HP thin clients and blade PCs to control their access to a production network and the information available on that network. We note here that the NAC acronym for Cisco products denotes “Network Admission Control” which in this paper is synonymous with “Network Access Control.”
Cisco Network Admission Control
Cisco Clean Access NAC appliances provide an easily managed way to implement Network Access Control on any network. The NAC Appliance is made up of three components: the Clean Access Manager (CAM), the Clean Access Server (CAS), and the Clean Access Agent (CAA). The CAM serves a Web console allowing configuration of the CAS and CAA components. The CAS actively protects and enforces policy on the network.
Cisco Clean Access NAC appliance can function in Real-IP Gateway mode or Virtual-IP Gateway mode. This reference implementation uses the Virtual-IP Gateway mode of operation. A full description of all the possible choices is beyond the scope of this white paper. For detailed information on implementation choices, refer to detailed Clean Access documentation on the CISCO web site:
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
Implementation Prerequisites
For the purpose of this white paper, we assume a basic network infrastructure is already in place. The reference implementation consists of HP BladeSystem bc1500, bc2000 and bc2500 Blade PCs running Windows XP. HP Compaq t5720 Thin Clients (t5720) running Windows XPe are used as access devices.
The network topology for this reference implementation consists of a flat Class-A network setup with topology 10.xxx.yyy.zzz/24; see Table 1 below.

Component                              Operating System   Host Name          IP Address
CAM Server HP Proliant DL140           Linux              cam.cisco.com      10.3.3.3
CAS Server HP Proliant DL360           Linux              cas.cisco.com      10.4.4.4
Thin Client (t5720)                    Windows XPe        hptc1.cisco.com    10.6.6.x
Blade PC (bc1500, bc2000, & bc2500)    Windows XP         hpbpc1.cisco.com   10.6.6.x
Table 1 -- Procurve NAC Reference Solution -- Network Topology

A CISCO 3560 layer-3 network switch is used so that 10.6.6.x addresses can be initially configured to a quarantined VLAN and then switched via SNMP upon successfully validating the platform to the CAS.
The Implementation
NAC Installation
This section covers the use of CISCO CAM and CAS appliances in conjunction with a CISCO layer 3 switch to ensure that thin clients and blade PCs meet configuration policy prior to connection with the trusted network segment. The network topology used in this reference implementation is shown in Figure 1 below.
[Figure 1 diagram: a CISCO 3560 (Catalyst 3560 PoE-48) switch connecting the CAM Appliance, the CAS Appliance, the HP Compaq t5720 Thin Clients and the HP CCI Blade System. The figure's labels are kept below.]
Switch connections: CAM console to switch port 3; Trusted interface to switch port 1 (trunk); Untrusted interface to switch port 4; HP clients to switch ports 5 & 6.
IP Addresses: VPN Private 10.2.2.1; VPN Public 10.1.1.1; Switch VLAN 2 10.2.2.2; Switch VLAN 3 10.3.3.2; Switch VLAN 4 10.4.4.2; Switch VLAN 5 10.5.5.2; Switch VLAN 6 10.6.6.2; CAM 10.3.3.3; CAS Untrusted 10.4.4.4; CAS trusted 10.4.4.4; Client VPN 10.1.1.2; Thin Client 10.5.5.5.
VPN information: VPN Group Name cisco; VPN Group Password cisco; VPN Username jeremy; VPN Password cisco123.
Figure 1 - Reference network topology
The Cisco 3560 switch is configured with VLANs assigned to ports 1 to 5, as shown in Figure 1 above. Full switch configuration settings can be found in Appendix A – CISCO 3560 Switch Configuration.
Configuring Policy Settings
As we are focusing on the integration of NAC into a CCI and thin client network, we are exploring only the network policy enforcement settings that are pertinent to thin clients and blade PCs. This does not exhaust all the features of the Cisco NAC solution. Likewise, in a production environment, you may wish to validate many more OS configuration components than are discussed in this reference white paper.
Testing Methods
Tests for compliance are configured in stages via the CAM console for the CAS to enforce. First we define checks, each testing a single item such as a Windows registry setting, a service status, or a program run state. We then define rules as combinations of checks joined with AND/OR logical operators. Finally we construct requirements, assigned to user roles, that encompass any or all of the rules we’ve defined.
Thin Client Policy
1. Use the Web browser to connect to the Clean Access Manager console at https://10.3.3.3.
2. Click Clean Access under Device Management in the left panel.
3. Click the Clean Access Agent tab, and then click Rules.
4. On the figure below, we have defined three checks on thin clients:
o Status of Sygate Firewall service (Sygate_Service_Check)
o Sygate Engine actively enabled (Sygate_Engine_Enabled)
o Status of Enhanced Write Filter service (EWF_Service_Check)
5. To add a Windows program/service/registry check, click New Check.
6. Select Category and Type of check from the respective drop-down menus. In the following illustration, we’ve selected Registry Check and Registry Value in order to validate that the Sygate Engine is Enabled. NOTE: This is in addition to another setting we’ll define later to ensure that the service is running. Our goal is to ensure that Sygate is both running and enabled in order to access the network.
7. For this reference implementation, ensure that the option for creating rules based on this check is not selected. Click Save Check.
8. Repeat steps 5 – 7 to add a check for Enhanced Write Filter (EWF) Service and Sygate Firewall Service. The EWF final selections are indicated in the following illustration.
Next, set rules comprising the AND and OR policies of individual checks. For this white paper, we’ll set an AND policy comprising all three checks defined so far: Sygate service running, Sygate service active, and EWF service running.
9. To set a Rule, click New Rule.
10. Type the Rule Name (HP_TC_Rule, in this example) and select the operating system. Enter the Rule Expression by leveraging the checks shown (copy and paste the text). NOTE: You can form complex expressions of AND/OR policies using parentheses. Refer to Blade PC Policy later in this document for an example.
11. Now, build a requirement from the Rules called TC_Requirements by clicking Clean Access Agent/Requirements/New Requirements.
12. Name this new rule TC_Requirements and type a description in the Rule Description field. In the following example, we’re making the rule available for All Windows versions, although in this specific case, the t5720 thin client runs Windows XPe and is identified by CAS as XP Pro/Home.
13. Click Requirement Rules.
14. In the Requirement Name list, click TC_Requirements.
15. Select the HP_TC_Rule check box to associate the thin client rule to the TC Requirement entry.
16. Ensure that the Requirements entry is indeed listed. If multiple requirements exist, click on the appropriate arrow in the Move column to order the requirements, as seen in the following illustration.
17. Next, we choose what user roles we want to assign the thin client requirement to. Click the Clean Access Agent tab, then click Role-Requirements.
18. Select Employee from the User Role selection list. Click the TC_Requirements check box in the Select column. This requires all users in the Employee role to be tested for TC_Requirements, as defined above.
19. Click Update.
We’re finished with thin client policy settings!
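The check, rule, requirement and role layering of steps 4 to 19, modelled as an added example (this is not code from the HP/Cisco paper): a small evaluator run against a constructed thin-client posture report. The check, rule, requirement and role names come from the text; the service names, the Sygate registry path, the Guest role and the AND/OR keyword syntax are assumptions, and the evaluator goes beyond the single AND rule above by handling the parenthesised AND/OR expressions that step 10 mentions.

```python
import re

def tc_posture(sygate_running=True, engine_enabled=True, ewf_running=True):
    # Constructed t5720 posture report (service names and registry path are placeholders).
    return {"service": {"Sygate Agent Firewall": "running" if sygate_running else "stopped",
                        "Enhanced Write Filter": "running" if ewf_running else "stopped"},
            "registry": {r"HKLM\SOFTWARE\Placeholder\Sygate\EngineEnabled":
                         "1" if engine_enabled else "0"}}

# Checks as (category, key, expected value): the three thin-client checks from the text.
CHECKS = {
    "Sygate_Service_Check": ("service", "Sygate Agent Firewall", "running"),
    "Sygate_Engine_Enabled": ("registry", r"HKLM\SOFTWARE\Placeholder\Sygate\EngineEnabled", "1"),
    "EWF_Service_Check": ("service", "Enhanced Write Filter", "running"),
}
# Rules combine checks with AND/OR and parentheses, requirements group rules, and
# role-requirements bind requirements to a user role (steps 9 to 19 above).
RULES = {"HP_TC_Rule": "Sygate_Service_Check AND Sygate_Engine_Enabled AND EWF_Service_Check"}
REQUIREMENTS = {"TC_Requirements": ["HP_TC_Rule"]}
ROLE_REQUIREMENTS = {"Employee": ["TC_Requirements"], "Guest": []}

def evaluate_rule(expression, posture):
    # Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    # factor := '(' expr ')' | check_name. Keywords are matched case-insensitively.
    tokens = re.findall(r"\(|\)|\w+", expression)
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None
    def factor():
        tok = take()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in rule expression")
            return value
        category, key, expected = CHECKS[tok]  # KeyError if the check was never defined
        return posture.get(category, {}).get(key) == expected  # missing item fails closed
    def term():
        value = factor()
        while pos < len(tokens) and tokens[pos].upper() == "AND":
            take()
            value = factor() and value
        return value
    def expr():
        value = term()
        while pos < len(tokens) and tokens[pos].upper() == "OR":
            take()
            value = term() or value
        return value
    result = expr()
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens in rule expression")
    return result

def failed_requirements(role, posture):
    # Requirements of the role the endpoint fails: [] means admit to the trusted VLAN,
    # anything else means the quarantine VLAN for remediation.
    return [req for req in ROLE_REQUIREMENTS.get(role, [])
            if not all(evaluate_rule(RULES[r], posture) for r in REQUIREMENTS[req])]
```

A role with no requirements bound to it (the assumed Guest role here) is never tested, which is why the Role-Requirements step is the one that actually makes the policy apply.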
Blade PC Policy
The blade PC policy setting closely follows the steps previously covered for thin clients, though different rules and policies are checked. In many illustrations, the HP blade PC policies/settings are shown together, since they are selected at the same time. Also, several detail illustrations for settings (like registry checks) have been left out of this section, as they follow the same process previously documented for thin clients.
1. Use the Web browser to connect to the Clean Access Manager console at https://10.3.3.3.
2. Click Clean Access under Device Management in the left panel.
3. Click the Clean Access Agent tab, and then click Rules.
4. On the figure below we have added the following checks for blade PCs based on Windows Service names for each of the following:
o Status of Windows Firewall service (WindowsXP_Firewall_Check and Vista_Firewall_Check)
o Status of HP Watchdog Timer service (HP_Watchdog_Timer_Check)
o Status of Altiris service for active patching (Altiris_Service_Check)
o Status of HP SAM (Session Allocation Manager) service (SAM_Service_Check)
5. To add an additional Windows program/service/registry check, click New Check.