ISE Network Access Security Policy Document - High/Low

Has anybody created the High and Low level designs for the NASP?
This is my first time and its always easier to have a template to work off of than to reinvent the wheel.  An incomplete example is displayed below but I was hoping someone had a complete one of high and low.
Employee Authorization Rule
Table of Contents for Employee Security Policy:
I. Members pg. xxx
II. Acceptable Use Policy pg. xxx
III. Windows 7 Security Requirements pg. xxx
1. Approved AV Installed & Up-to-date pg. xxx
a. Security checks pg. xxx
b. Security rules pg. xxx
IV. Network Access Permissions pg. xxx
1. VLAN Segmentation pg. xxx
a. Noncompliant Posture VLAN pg. xxx
b. Access VLAN Name/ID pg. xxx
2. Access Control List pg. xxx
3. SmartPort Macro pg. xxx
4. Security Group Tag number pg. xxx
IV. Network Access Permissions
1. VLAN Segmentation – Yes
a. Noncompliant Posture VLAN = quarantine-vlan/100
b. Access VLAN Name/ID = employees/10
2. Access Control List – Yes
a. Compliant ACL = permit All IP
b. Noncompliant ACL =
5 Permit TCP from any to “AUP web server” equaling 80
Description: Allow anyone to access the acceptable use policy link
64 Cisco ISE for BYOD and Secure Unified Access
10 Permit TCP from any to “Link based remediation resources” equaling 80 & 443
Description: Allow web traffic to the appropriate remediation resources
20 Permit TCP from any to “file based remediation” equaling 80 & 443
Description: Allow web traffic to the cam for remediation file distribution
30 Permit UDP from any to “dmz DNS Server” equaling DNS
Description: Allow DNS only to the dmz dns server
40 Deny IP from any to any
Description: Block everything else
3. SmartPort Macro – no
4. Security Group Tag number – 10

You can download Cisco ISE High Level design document template from the following link
ATP Partner Resource Center
http://www.ciscosecurityatp.com/login.asp?strReturn=/index.asp

Similar Messages

  • Network Access Security

    I have been contacted by a company that says I have to pay hundreds of dollars to install a network access security program. I have Windows 2007 and see that it has Network Access Security and I have turned it on. However, I also see in the Configuration
    Manager that the program Windows Defender is not on and I am unable to turn it on. Is it required? Will the Network Access Security help stop persons accessing my computer to gain banking information etc.? 

    You can download Cisco ISE High Level design document template from the following link
    ATP Partner Resource Center
    http://www.ciscosecurityatp.com/login.asp?strReturn=/index.asp

  • EAP-TLS client security policy enforcement question using ISE

    Hi Experts ,
    I have remote site connected to HQ wireless controller and cisco ISE used as RADIUS server . I am using EAP-TLS authentication method where client will validate the server certificate and server will validate the client certificate.
    I am using EAP-TLS and machine authentication.
    In case of server certificate installation using internal PKI (Root CA ) server , I am quite clear that we can create certificate in ISE and can be signed by CA which will be used for EAP-TLS as well. however I am trying to under the client certificate installation.
    how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
    and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
    This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
    how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
    I am not sure ... will it get pushed through AD ? how will it happen ?
    It would be really helpful if someone could put light on this ..

    Hello Vino,
    Some answers below :
    how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
    You have templates in the certificate authority to user or machine certificate and you can apply these certificates to a group of machines or users using GPO in the Windows Server 2008.
    It can be automatically because the machine can get it using GPO from domain and after can authenticates using 802.1X using these certificates received from this policy.
    If you want a user certificate and get it manually you can access the CA too using the URL https://X.X.X.X/certsrv and request manually the user certificate using your domain credentials and install manually to authenticate using EAP-TLS with this user certificate.
    In the Cisco ISE Side it needs to have a local certificate from the same client CA or from another CA and the Cisco ISE needs to trust in the clients CA Issuer to accept the client certificate and allow this one to access the network.
    In the client side the same happens, the client needs to trust in the Issuer CA for the Cisco ISE certificate to validate ISE certificate and get access to the network.
    and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
    If you have a Windows Server with GPO and a CA configured you can use some templates to apply automatically a machine certificate or user certificate to a group of machines or user, in the case of machines it can be get from the domain using GPO and in the case of user certificate it can be get manually or using GPO too.
    This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
    The EAP-TLS is the most secured method to use to authenticate devices in the network because you have certificates and you have trusted certificate authority that you trust and only devices who has certificates from these CAs will be allowed to access the network.
    Another method very secured is EAP-FAST with machine and user certificate that the ISE will validade both the machine and user certificate before allow this one to get access to the network.
    how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
    You can apply it too using GPO in the Windows Server to a domain machine but when you have a machine that is not a domain machine you can use a user certificate to authenticate this one and need to install manually the user certificate in that machine to authenticate the user to wireless network and create SSID specifying the policy that is EAP-TLS.
    Remember that client machine needs to have the CA issuer for the Cisco ISE certificate to trust in the Cisco ISE and get access to the network and the opposite too (ISE needs to have the CA Issuer to trust in the client)
    I hope it helps.

  • Anyconnect Secure Mobility Client, Network Access Module, wired PEAP

    Hello there,
    I am testing AnyConnect Secure Mobility Client, Network Access Module as supplicant with PEAP authentication for wired network users. With default configuration it is working well.  With default configuration it is Trusting any Root CA certificates installed on the OS.  Do you know how to configure NAM that it will validate ACS certificate with specific Root CA Certificate ?
    In Network Access Module profile editor it has two options about Certificates:
    One is Certificate Trusted Authority which has two options by its self  first is too trust any Root CA certificate that is installed on OS, and second is to import Root CA certificate in Profile. Potentially Second option can help in my case, I can manually import Root CA certificates in each profile. But I think it will be hard to update Root CA certificates in future  in that way.
    Second is Certificate Trusted Server Rules,  this option have matching capability by certificate Common Name.  For what can be used this option ?

    Normally the way it works is that you set up your Enterprise Root CA, and then have it issue a certifcate for the AAA server (ie ACS, ISE, etc). You then install this certificate on the AAA server and (in an Active Directory environment) add the Root CA certificate to the client systems local certificate store. What that means is that any certificates (such as the one installed on the AAA server) that are presented to the client that are signed by the root are automatically trusted.
    Server validation is an extra step in terms of proving the identity of the AAA server to the authenticating client. As such, when you build the policy in the NAM editor, it would look similar to the image below:
    I like to use the CN (Common Name) as the match criteria and build my CA issuance policy to always include the FQDN in the certificate for identity purposes.
    Hope this helps!

  • How do I resolve this error in Safari Your page is blocked due to a security policy that prohibits access to Category Remote Proxies"?

    I'm trying to access several pages and keep geting "Your page is blocked due to a security policy that prohibits access to Category Remote Proxies" After going over all my security stuff I just can't find where I would correct the error.
    Is there anyone who could help me?
    Thanks
    Fr. Gary

    very strange,
    1. check time and date on your computer
    2. reset network configuration, make sure there are no proxy servers and you get DNS from your router not manual
    3. Reset certificates database
    Go to Terminal (Applications>Utilities)
    sudo rm /var/db/crls/*cache.db
    (you will be prompted for your password)
    and reboot the computer
    post back

  • Cisco NAC web agent Network Security Policy

    I have a computer with an installed McAfee Antivirus that us up to date. However, each time try to access one of my client's server via VPN, I successfully connect to VPN using Cisco Anyconnnect but whenever I try to download the web agent and the device security check is being run, I get the feedback "Host is not compliant with network security policy". It also tells me a Remediation description of "please update your antivirus". (see attached screenshot)
    Please note that I already have my McAfee antivirus updated and I have done everything to keep my computer in good shape in terms of security.
    What is the possible cause for this?

    That means the CAM hasn't received an SNMP trap for that MAC address.  Double-check that the WLC is set up to send traps to the CAM: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_woob.html#wp1290626
    You can see if the CAM's received a trap for a specific MAC by looking under OOB Management > Devices > Discovered Clients.

  • Page can't be accessed due to security policy, category default-it's my homepage which has been my homepage forever.

    I suddenly can't access my homepage - I get this message: "Your page is blocked due to a security policy that prohibits access to Category default ". This has been my homepage for years and I've never had this problem before.

    Also do a malware check with several malware scanning programs on the Windows computer.
    Please scan with all programs because each program detects different malware.
    All these programs have free versions.
    Make sure that you update each program to get the latest version of their databases before doing a scan.
    *Malwarebytes' Anti-Malware:<br>http://www.malwarebytes.org/mbam.php
    *AdwCleaner:<br>http://www.bleepingcomputer.com/download/adwcleaner/<br>http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
    *SuperAntispyware:<br>http://www.superantispyware.com/
    *Microsoft Safety Scanner:<br>http://www.microsoft.com/security/scanner/en-us/default.aspx
    *Windows Defender:<br>http://windows.microsoft.com/en-us/windows/using-defender
    *Spybot Search & Destroy:<br>http://www.safer-networking.org/en/index.html
    *Kasperky Free Security Scan:<br>http://www.kaspersky.com/security-scan
    You can also do a check for a rootkit infection with TDSSKiller.
    *Anti-rootkit utility TDSSKiller:<br>http://support.kaspersky.com/5350?el=88446
    See also:
    *"Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked
    *https://support.mozilla.org/kb/troubleshoot-firefox-issues-caused-malware

  • RemoteApps Error "Your connection was denied because of a Network Access Policy (TS_NAP). Please contact your server administrator."

    Hello All,
    Good day. May I ask if anyone experienced this error when trying to access remoteapps in Azure? We are using IaaS and set-up RDS using Windows 2012 R2 but we are getting an error below.
    "Your connection was denied because of a Network Access Policy (TS_NAP). Please contact your server administrator.
    Various roles and services (Broker, Session Host, RD Gateway and Web Access are installed on each VMs).
    Please advise.
    Thanks,
    Glenn

    Hi Glen;
    Looks like the set up was not done correctly. Please follow the guidelines given on this
    blog by Keith Mayer.
    Regards;
    Prasant

  • How to restrict users working on Windows 7 clients from accessing Windows Explorer and other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2

    Dear All,
    We are having an infrastructure setup of around 500 client computers managed through group policy.
    Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
    Since this account requires extremely strict environment, we need to figure the solution for restricting the users from access anything locally.
    It would be great if you can assist me with the following query.
    How to restrict users logged on Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2 ?
    Can we disable Network Tab on the left hand pane ?
    explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.

    >   * explorer.exe is blocked already, but users are able to enter the
    >     Windows Explorer by clicking on the name which is visible on the
    >     Start Menu.
    You cannot block explorer.exe when you do not replace the shell - the
    desktop you see effectively IS explorer.exe...
    Your requirement sounds like you need a custom shell:
    http://gpsearch.azurewebsites.net/#2812
    Martin
    Mal ein
    GUTES Buch über GPOs lesen?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Access denied security policy file

    All i a simple client which is trying to talk to a remote EJB. When i try and startup the client i get the following error.
    java.security.AccessControlException: access denied (java.util.PropertyPermission java.security.policy write)
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
         at java.security.AccessController.checkPermission(AccessController.java:427)
         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
         at java.lang.System.setProperty(System.java:699)
         at com.db.abmonitor.client.Client.example(Client.java:51)And i am calling it like
    System.setProperty("java.security.policy", "client.policy");
           if (System.getSecurityManager() == null)
           System.setSecurityManager(new RMISecurityManager());  And i have defined a client.policy file in the src directory of the project under eclipse, with the following entries
    grant {
         permission java.security.AllPermission;
    };Anyone got any ideas ?

    Ah RMI headaches...
    here is what i blogged for my own self when i was starting with the RMI security stuff:
    Since i havent figured out how to do SecurityManager stuff properly, i can override 2 checkPermission methods in SecurityManager with empty method bodies, thats a quick and dirty fix.
    - Alternativly, you can set your policy file located in /lib/security/java.policy to: http://java.sun.com/docs/books/tutorial/rmi/example-1dot2/java.policy
    - or pass the property to the policy location: -Djava.security.policy=./policy.all
    maybe that will help...
    i think that maybe your policy file isnt being found where it should be

  • How to specify the security policy "Allow access to everyone" for security role in Deployment descriptor

    Hi,
    I am migrating a web application from Websphere to Weblogic. The web application has a security role defined in web.xml (Use LDAP for authentication).
    security-role>
            <description>Authenticated</description>
            <role-name>Authenticated</role-name>
        </security-role>
    This role is mapped to a special subject "All authenticated user in appliation realm" in WAS.
    In weblogic, I have the following setting in weblogic.xml
    <wls:security-role-assignment>
            <wls:role-name>Authenticated</wls:role-name>
            <wls:externally-defined />
        </wls:security-role-assignment>
    And after deploy the application, have to manually add a security role and add the security policy "Allow access to everyone" to this role.
    I am wondering if this setting can be specified in  for example weblogic.xml so just deploy web applicaiton using deployment descriptor, and I don't need write script to do that .
    Thanks

    Hi,
    You need to have Back End support to achieve this. In Back End you need to create two groups . You need to know what joins has to be made for which group (which is more important) and also make session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
    And make a common report. User loggin in with the respective userid will have userrole and joins assigned in the Back end. And they will be viewing the report according to their access.
    Hope this will solve your problem.
    Regards
    MuRam

  • Network Access Manager - Service (Secure Mobility Client)

    We are currently working on Deploying the Secure Mobility Client.
    1. We are looking at the ability to stop the Network Acess Manager without Admin rights, According to the Cisco Documentation on this:
    "Stopping and Starting the Network Access Manager"
    Users with local administrator privileges can start and stop the Network  Access Manager. Users without local administrator privileges cannot  start and stop the Network Access Manager without using the service  password defined in the Authentication panel of the profile editor.
    Question: I am unable to find the said option in the Authentication panel in the profile editor
    2. Since we will be using NAM for all of our computers, and since some users will not be using the VPN, we will need to push out profiles to the users (This is easy however we are concerned about updates and getting those pushed). A collegue shared that he head at Cisco Live2011 that there is an option in NAM to update it's profiles by connecting to the VPN-Headend without actually authenticating and logging into the VPN.
    I know if a user connects to the VPN Headend we can update the profiles on NAM/VPN etc... however without them connecting I'm not sure if there is any way to do so?

    Hi Alwin,
    There is nothing to be done with your anyconnnect client.... if needed changes needs to ne done at VPN FW/Router where your anyconnect connection is established..... here i guess your corporate office is having this VPN server.....
    They have configured it as tunnel all mode... means all traffic will be taken through VPN... see from your output preferred default route is pointed to 192.168.0.101, which is a vpn gateway....
    If needed anyconnect vpn configuration needs to be changed from tunnel all to split-tunnel....
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.101 20
    0.0.0.0 0.0.0.0 146.236.12.1 146.236.12.73 2
    Regards
    Karthik

  • Can JVM security policy be modified to access field values of private field

    Can JVM security policy be modified to access field values of "private" field in a Class?

    See http://developer.java.sun.com/developer/onlineTraining/Programming/JDCBook/appA.html#ReflectPermission.
    Note that you will have to use reflection to access the fields once the security policy allows you to supress the access controls.
    Chuck

  • This is what I get when I try to download my college text: This document requires global security policy to be disabled.  Please go to Edit Preferences JavaScript and uncheck the "Enable global object security policy" checkbox. NOTE: In some versions

    My college text is on my college website. When I try to download it this is what I get:
    "This document requires global security policy to be disabled.
    Please go to Edit > Preferences > JavaScript and uncheck the "Enable global object security policy" checkbox. NOTE: In some versions of Adobe Reader you may need to enable JavaScript first.
    Message code: 005"
    Help

    matermax wrote:
    Please go to Edit > Preferences > JavaScript and uncheck the "Enable global object security policy" checkbox. NOTE: In some versions of Adobe Reader you may need to enable JavaScript first.
    And - did you?

  • Query: Best practice SAN switch (network) access control rules?

    Dear SAN experts,
    Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
    I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
    Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
    In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
    For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
    These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
    So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
    regards,
    Will.

    Hi William,
    That's a pretty wide net you're casting there, but i'll do my best to give you some insight in the matter.
    Speaking pure fibre channel, your only real way of controlling which nodes can access which other nodes is Zones.
    for zones there are a few best practices:
    * Default Zone: Don't use it. unless you're running Ficon.
    * Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other which at best will give you a performance hit, at worst will bring down your systems.
    * Don't mix zoning types:  You can zone on wwn, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN Zoning. Don't use different types of these in one zone.
    * Device alias zoning is definately recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing hba's a heck of a lot less painful in your fabric.
    * LUN zoning is being deprecated, so avoid. You can achieve the same effect on any modern array by doing lun masking.
    * Read-Only exists, but again any modern array should be able to make a lun read-only.
    * QoS on Zoning: Isn't really an ACL method, more of a congestion control.
    VSANs are a way to separate your physical fabric into several logical fabrics.  There's one huge distinction here with VLANs, that is that as a rule of thumb, you should put things that you want to talk to each other in the same VSANs. There's no such concept as a broadcast domain the way it exists in Ethernet in FC, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other.  A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between DC and use IVR to make management hosts have inband access to all arrays.
    When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
    Traditional IP acls (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to ethernet interfaces in your storage switch).
    They are quite logical to use  and work just the same on an MDS as on a traditional Ethernetswitch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
    I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
    To protect your san from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
    That's a very brief summary of the most important access-control-related Best Practices that come to mind.  If any of this isn't clear to you or you require more detail, let me know. HTH!

Maybe you are looking for

  • IWeb and SimpleViewer Pro gallery issues

    Hello all! I have a simple viewer gallery (http://simpleviewer.net/simpleviewer/) and I tried to upload the gallery on a page of my iweb site through IFRAME with this code: <IFRAME SRC = "MY LINK" WIDTH="260px" HEIGHT="425px" FRAMEBORDER="0" --if "0"

  • Re: Display video output on laptop external VGA port

    I posted exactly this in another forums, I will find the link.

  • Can't get past "please insert disk"

    I am trying to install CS5, it is asking me to insert disk, but it is already in. I can't get past this point. I have never had this problem before.

  • Table size difference?

    we have 2 db's called UT & ST.. with same setup and data also same running on hp-ux itanium 11.23 with same binary 9.2.0.6 one of schema called arb contain only materialised views in both db's and with same name of db link connect to same remote serv

  • Deltas not picking up..

    Hi experts, In lbwe in job control i have scheduled a job for SD Sales. But when i checked the job in sm37 it was cancelled and the error message is: Structures have changed (sy-subrc = 2). In development for the datasource 2lis_11_vaitm we have enha