Cisco - Clean Access - Use the Network Scanning Feature to Detect Users Who Attempt to Bypass Agent Checks

Document ID: 67052

Updated: Nov 13, 2006

Introduction

Cisco Clean Access is a security policy compliance solution that enables users to satisfy network access requirements specified by network administrators. Cisco Clean Access restricts access to the network until the user complies with the access requirements. Cisco Clean Access also helps the user comply with the requirements through an easy-to-use client application (the Clean Access Agent) that assesses the system, detects non-compliance, and guides the user through remediation until the system is compliant. Currently, this agent is available only for Microsoft Windows operating systems: Windows 98, Windows Me, Windows 2000 Professional and Windows XP (both Home and Pro; only the 32-bit version of Pro is supported).

Because the agent is only required of Windows clients, a malicious user who wants to avoid the compliance checks can simply avoid the agent by making the system pose as a non-Windows system, typically by altering the browser's User-Agent string that Clean Access uses to detect the client operating system at web login. This document provides suggestions on how to detect such users with a network-based scan and potentially block their access to the network.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software versions:

  • Windows 98, Windows Me, Windows 2000 Professional and Windows XP (both Home and Pro; only the 32-bit version of Pro is supported)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Solution

In addition to the client-based scans and remediation, Cisco Clean Access also provides mechanisms to perform network-based scans on systems and provide web-based remediation. The network-based scans are primarily used for non-Windows systems. However, the scans are not limited to non-Windows systems.

In order to use the Network Scanning feature, the network administrator needs to download and install the required plug-ins for the Nessus open source vulnerability scanner on the Cisco Clean Access server. Refer to Configuring Network Scanning in Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(2) for information about how to download and install Nessus plug-ins.

You can use multiple Nessus plug-ins in this scenario. Some of them are (this is a non-exhaustive list):

  • Plug-ins for Operating System Identification (for example, plug-in #11936)—When you run these plug-ins against a target system, they report the detected operating system name as the result of the scan. Out of the box they only report information, so they need to be modified in order to be useful within Cisco Clean Access: the plug-in must return a HOLE whenever the scanned system turns out to be running Windows. For example, if a host that presented itself to Clean Access as a Linux system is fingerprinted as Windows, the plug-in should return a HOLE result.

  • Plug-ins for Port Scanning (for example, nmap.nasl, which is a wrapper around the nmap binary and therefore requires nmap to be installed on the scanning host)—When you run these plug-ins against a target system, you can configure them to report the open ports, the listeners behind them, and so forth. They can also detect the operating system of the host through techniques such as TCP/IP stack fingerprinting. Modify these plug-ins in the same way as the operating system identification plug-ins: return a HOLE whenever the scanned system turns out to be running Windows, for example when a host that claimed to be Linux is fingerprinted as Windows.

  • Plug-ins to Obtain Information from Windows Systems (for example, Server Message Block [SMB]-related plug-ins and plug-in #10859)—The reasoning behind this approach is that it is sufficient to detect whether a machine that purports to be a Linux host, Mac host, or any other non-Windows system, is actually a Windows system. The easiest way to do this is to enable some SMB-related Nessus plug-ins, specifically plug-in #10859 (SMB get host SID). This plug-in returns a value only when the target answers the SMB request, which under normal circumstances only Windows systems do. Hence, if it returns any information, you can conclude with reasonable confidence that the system runs a Windows operating system. You can also use plug-ins that retrieve information from Windows systems over NetBIOS; if a system answers a NetBIOS name query, it is likely to be a Windows system.

    Caution: This approach produces false positives for Linux (or other Unix) machines that run Samba, because Samba answers the same SMB and NetBIOS queries. If such hosts legitimately exist in the scanned user role, exempt them (for example with a device filter) or rely on the operating system fingerprinting plug-ins, which examine the TCP/IP stack rather than the SMB service.

Complete these steps in order to configure a Cisco Clean Access Manager to perform a network scan using the Nessus plug-ins:

  1. Open the Cisco Clean Access Manager web console in a browser and login as an administrator.

  2. Select Clean Access > Network Scanner to access the Scan Setup page.

  3. With the Role set to the user role you wish to scan, and the operating system set to All, select the plug-in mentioned in the Plug-ins to Obtain Information from Windows Systems bulleted item within this document (for example, #10859).

  4. Set the 'Vulnerable If…' setting to HOLE, WARN, INFO in the Vulnerabilities section, so that any result the plug-in reports marks the client as non-compliant.

  5. Disable the scan for Windows operating systems:

    1. Select WIN_ALL from the operating system drop-down list.

    2. Disable the scan for this selection.
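The three plug-in approaches above all come down to one decision: a client that was allowed to skip the agent because it claimed to be non-Windows must be flagged if the network scan says it is Windows. As an added example (written for this document; it is not a Cisco or Tenable-supplied plug-in), the following NASL script makes that decision in one place by reading the knowledge-base (KB) entries that the stock Nessus plug-ins leave behind, instead of editing each of those plug-ins. The KB key names (Host/OS, SMB/name, SMB/host_sid, SMB/samba), the dependency file names, and the plug-in ID 99902 are assumptions that you must verify against the plug-in set you actually install on the Clean Access Server.

```nasl
#
# Added example for this document, not a Cisco or Tenable plug-in.
# Assumed KB keys (verify against the plug-ins you install):
#   Host/OS       set by os_fingerprint.nasl (plug-in #11936)
#   SMB/name      set by netbios_name_get.nasl (NetBIOS name query)
#   SMB/host_sid  set by smb_host_sid.nasl (plug-in #10859)
#   SMB/samba     set by smb_nativelanman.nasl when the peer is Samba
# The plug-in ID 99902 is a placeholder; choose one that does not collide.
#
if (description)
{
  script_id(99902);
  script_version("$Revision: 1.0 $");
  script_name(english:"Clean Access: non-Windows client is really Windows");

  desc = "
A client that presented itself to Clean Access as a non-Windows host
(and therefore was not required to run the Clean Access Agent) appears
to be running Windows according to the network scan.

Solution : Require the user to install the Clean Access Agent.
Risk factor : High";

  script_description(english:desc);
  script_summary(english:"Flags hosts that hide Windows behind a non-Windows identity");
  script_category(ACT_GATHER_INFO);
  script_family(english:"General");
  script_copyright(english:"Added example, no copyright claimed");
  # Run after the plug-ins whose KB entries we consume
  script_dependencies("os_fingerprint.nasl", "netbios_name_get.nasl",
                      "smb_nativelanman.nasl", "smb_host_sid.nasl");
  exit(0);
}

# ---- main ----------------------------------------------------------------

report = "";
confident = 0;   # set to 1 when a strong Windows indicator fires

# 1. TCP/IP stack fingerprint from plug-in #11936 (strong indicator, and
#    independent of the SMB service, so Samba does not confuse it)
os = get_kb_item("Host/OS");
if (os && egrep(pattern:"Windows", string:os, icase:TRUE))
{
  report += "OS fingerprint reports: " + os + '\n';
  confident = 1;
}

# 2. Host SID from plug-in #10859. Windows returns one, but so does Samba,
#    so count it as strong only when Samba was not identified on the peer.
sid   = get_kb_item("SMB/host_sid");
samba = get_kb_item("SMB/samba");
if (sid && !samba)
{
  report += "Host SID retrieved over SMB from a non-Samba server" + '\n';
  confident = 1;
}

# 3. NetBIOS name: answered by Windows and by Samba/nmbd alike (weak indicator)
nbname = get_kb_item("SMB/name");
if (nbname)
  report += "NetBIOS name answered: " + nbname + '\n';

if (confident)
{
  # HOLE: with 'Vulnerable If' set to HOLE in Clean Access this blocks the user
  security_hole(port:0, data:"Host claims to be non-Windows, but:" + '\n' + report);
}
else if (samba && (sid || nbname))
{
  # Samba host: report at INFO level only, so the administrator can review it
  # without the user being blocked (see the Caution above)
  security_note(port:0, data:"Samba detected, not treated as Windows:" + '\n' + report);
}
else if (nbname)
{
  # NetBIOS answered but nothing confirmed the OS: WARN, for review
  security_warning(port:0, data:"NetBIOS answered, OS not confirmed:" + '\n' + report);
}

exit(0);
```

When you install a plug-in like this one, enable it in the Scan Setup page for the role with the operating system set to All and disable it for WIN_ALL, exactly as in the steps above, so that it only ever runs against clients that claimed to be non-Windows. Because this script deliberately reports Samba hosts at INFO and unconfirmed NetBIOS answers at WARN, set 'Vulnerable If' to HOLE rather than HOLE, WARN, INFO if Samba hosts legitimately exist in that role; otherwise step 4's setting will block them too. As the Summary notes, a client running a personal firewall may answer none of these probes, in which case the script reports nothing and the user is not flagged.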

Summary

This document provides a mechanism to use the Cisco Clean Access Network Scanning feature to detect users who pretend to use a non-Windows system. Note that there might be several other plug-ins available that can do a better job at detecting operating systems. As an example, using the nmap network scanning tool, xprobe2 from Sys-security, and so forth might fit your needs better. Also note that network scanning might not be able to provide reliable results if the client machine runs a personal firewall.

Notes

  • Nessus is a registered trademark of Tenable Network Security.

  • You need to register with Tenable Network Security in order to obtain Nessus plug-ins.

  • When you modify/author plug-ins, ensure that you are compliant with the licensing and trademark requirements for Nessus and Tenable Network Security.
