Device Configuration Guide for Cisco Security MARS, Release 6.x - Cisco NAC Appliance [Cisco Security Monitoring, Analysis and Response System]

Table Of Contents

Cisco NAC Appliance

Bootstrap the Cisco NAC Appliance

Define a Cisco NAC Appliance in MARS Manually

Cisco NAC Appliance

Cisco NAC Appliance is a network-centric integrated solution administered from the Clean Access Manager (CAM) web console and enforced through the Clean Access Server (CAS) and the Clean Access Agent (CAA). Cisco NAC Appliance checks client systems, enforces network requirements, distributes patches and antivirus software, and quarantines vulnerable or infected clients for remediation before clients access the network.

CAM manages one or more CASs. Cisco Security MARS receives event data from CAM. CAM can send both syslog messages and SNMP traps. SNMP traps provide system health status, whereas the syslog message provide details about quarantined or infected hosts, connection attempts, and connection status.

This chapter contains the following topics:

•Bootstrap the Cisco NAC Appliance

•Define a Cisco NAC Appliance in MARS Manually

Bootstrap the Cisco NAC Appliance

Using the Clean Access Manager (CAM) web console, perform the following tasks so that the NAC appliance publishes the required events to Cisco Security MARS.

Syslog Support

To enable syslog processing support, define the MARS appliance as a syslog server. For detailed steps, see Configuring Syslog Logging in Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide.

SNMP Support

For SNMP support, perform the following tasks:

1. Enable SNMP alerts for the NAC appliance.

2. Define the MARS appliance as a trapsink.

For detailed steps, see SNMP in Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide.

Define a Cisco NAC Appliance in MARS Manually

To define a Cisco NAC appliance manually, you must define the appliance in the MARS web interface. When the appliance is defined and the changes are activated, MARS normalizes the syslog message receive by the appliance against known event types.

To define a NAC appliance in MARS, follow these steps:

Step 1 Select Admin > System Setup > Security and Monitor Devices > Add.

Step 2 Select Cisco NAC Appliance 4.1 for the Device Type list.

A the Device Type page appears.

Step 3 Type the name of this appliance in the Device Name field.

Step 4 Type the reporting IP of the appliance in the Reporting IP field.

Step 5 To save your changes, click Submit.

The device name appears under the Security and Monitoring Information list. The submit operation records the changes in the database tables. However, it does not load the changes into working memory of the MARS Appliance. The activate operation loads submitted changes into working memory.

Step 6 To enable MARS to start sessionizing events from this device, click Activate.

MARS begins to recognize, map, and sessionize events generated by this appliance and evaluate those events using the defined inspection and drop rules. Any events published by the device to MARS before activation can be queried using the reporting IP address of the device as a match criterion. For more information on the activate action, see Activate the Reporting and Mitigation Devices, page 1-15.

	Device Configuration Guide for Cisco Security MARS, Release 6.x
	Cisco NAC Appliance
Device Configuration Guide for Cisco Security MARS, Release 6.x Preface Part 1: Concepts Configuring Reporting and Mitigation Devices in MARS Part 2: Intrusion Detection and Prevention (Network based) Cisco IPS Devices (4.x and 5.x) NetScreen IDP Devices and Servers Cisco IPS 6.x Devices and Virtual Sensors Enterasys Dragon Devices Snort Devices McAfee Intrushield Symantec ManHunt Cisco IPS Modules IBM SiteProtector Devices IBM RealSecure Devices Part 3: Vulnerability Assessment Qualys QualysGuard Devices eEye REM Devices McAfee Foundstone Part 4: Switches Cisco Switches Extreme Switches Part 5: Routers Cisco Routers Routers (Generic) Part 6: Firewalls Cisco Firewall Devices Cisco ASA, Version 8.1.X and 8.2.X and NetFlow Check Point Devices NetScreen ScreenOS Devices Part 7: Network Access Control Cisco NAC Appliance Part 8: Virtual Private Network Gateways Cisco VPN 3000 Concentrator Part 9: WLAN Controller Cisco Wireless LAN Controller Part 10: AAA Servers Cisco Secure ACS Devices Part 11: Intrusion Detection and Prevention (Host based) Cisco Security Agent Entercept Devices Part 12: Virus Protection Symantec AntiVirus McAfee EPO Management Devices Cisco Incident Controller Server Part 13: Content Management Cisco CSC SSM Part 14: Database Applications Oracle Database Applications Part 15: Web Servers Web Server Devices Part 16: Web Proxies Network Appliance NetCache Generic Part 17: Host Nodes Generic, Solaris, Linux, and Windows Application Hosts Index	Download this chapter Cisco NAC Appliance Download the complete book Device Configuration Guide for Cisco Security MARS Release 6.x (PDF - 5 MB) Table Of Contents Cisco NAC Appliance Bootstrap the Cisco NAC Appliance Define a Cisco NAC Appliance in MARS Manually Cisco NAC Appliance Cisco NAC Appliance is a network-centric integrated solution administered from the Clean Access Manager (CAM) web console and enforced through the Clean Access Server (CAS) and the Clean Access Agent (CAA). Cisco NAC Appliance checks client systems, enforces network requirements, distributes patches and antivirus software, and quarantines vulnerable or infected clients for remediation before clients access the network. CAM manages one or more CASs. Cisco Security MARS receives event data from CAM. CAM can send both syslog messages and SNMP traps. SNMP traps provide system health status, whereas the syslog message provide details about quarantined or infected hosts, connection attempts, and connection status. This chapter contains the following topics: •Bootstrap the Cisco NAC Appliance •Define a Cisco NAC Appliance in MARS Manually Bootstrap the Cisco NAC Appliance Using the Clean Access Manager (CAM) web console, perform the following tasks so that the NAC appliance publishes the required events to Cisco Security MARS. Syslog Support To enable syslog processing support, define the MARS appliance as a syslog server. For detailed steps, see Configuring Syslog Logging in Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide. SNMP Support For SNMP support, perform the following tasks: 1. Enable SNMP alerts for the NAC appliance. 2. Define the MARS appliance as a trapsink. For detailed steps, see SNMP in Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide. Define a Cisco NAC Appliance in MARS Manually To define a Cisco NAC appliance manually, you must define the appliance in the MARS web interface. When the appliance is defined and the changes are activated, MARS normalizes the syslog message receive by the appliance against known event types. To define a NAC appliance in MARS, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Cisco NAC Appliance 4.1 for the Device Type list. A the Device Type page appears. Step 3 Type the name of this appliance in the Device Name field. Step 4 Type the reporting IP of the appliance in the Reporting IP field. Step 5 To save your changes, click Submit. The device name appears under the Security and Monitoring Information list. The submit operation records the changes in the database tables. However, it does not load the changes into working memory of the MARS Appliance. The activate operation loads submitted changes into working memory. Step 6 To enable MARS to start sessionizing events from this device, click Activate. MARS begins to recognize, map, and sessionize events generated by this appliance and evaluate those events using the defined inspection and drop rules. Any events published by the device to MARS before activation can be queried using the reporting IP address of the device as a match criterion. For more information on the activate action, see Activate the Reporting and Mitigation Devices, page 1-15.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.