CSA - External Access Policy

daniel-costa (Level 1)

Greetings!

Guys, I need some help. One of our customers bought the CSA solution in order to protect and narrow Internet access when an employee is out of the office.

Here is the scenario: if an employee takes one of the company's laptops to his house/hotel/etc. and tries to access any Internet-based service (HTTP, HTTPS, P2P, FTP, Torrent, etc.), it is MANDATORY that this person establishes a VPN connection; this way all content will be processed by the company's Proxy and Firewall (there is no split-tunnel policy). Otherwise, all TCP/UDP streams should be BLOCKED.

I'm using the Roaming - Force VPN (action: Query the User; when: MC unreachable & Ethernet Active; and NOT when: MC is reachable) and the Cisco VPN Client Rule Modules; there is no Temporary Allow Web Browser rule enabled. But I need some help with the parameters. What happens is that if the user answers yes (allow) to the Query message and does not have a VPN connection, he still manages to access the Internet, and that's not acceptable.

I need to BLOCK ALL UDP/TCP streams at first, ask the user if the VPN is established, check the status of the VPN connection and then, if the tunnel is UP, allow access; else block everything until the VPN is established.

Can you guys help me?

Thanks in advance!

Regards, Daniel Yamashita

PS: I'm using CSA MC v.5.2.0.263 hot fix (fcs-csamc-hotfix-5.2.0.263-w2k3-k9.zip)

17 Replies

Marwan ALshawi (VIP Alumni)

Hi there,

I think the better way is to look at how to use system or user state.

In this way the CSA will check, for example, whether your client VPN pool is in the range of 10.1.1.0 to 10.1.1.50; so if he has taken this address, then one of your policies will come into effect, which is the permit one.

Otherwise the deny one will stay in operation.

Just focus on the system and user state field.

If helpful, rate,

thank you

Hello 'marwanshawi'!

Unfortunately your suggestion won't work for my case because I can't foresee what range of IP addresses one can get on a hotel/airport Internet access... It may be the same as the one configured on the VPN pool; it's not probable, but it's possible, and our customer won't accept that.

But I thank you anyway! Thanks for your time and attention!

Regards, Dan

Hi there,

Have you seen the options available on the system and user state?

What I told you was only an example.

You could make it so, for example, that if the client did not get an IP address within your client private range address then one of your policies comes into effect, and there are a lot of things you can do, not only based on IP addresses...

Rate if helpful,

and try it.

Hello,

Did you manage to get something working? I am also looking for the same.

Help appreciated.

Thanks

Any help?

Greetings "followurself",

Sorry for taking this long to answer, but yes, I've managed to deploy the CSA as our customer wanted.

I've decided to create my own Rule and Policy Modules. I'm not sure if this is what you need but here is a simple sketch:

CSA-External Access Policies

[Rule Modules >> Windows Rule Modules]

-Name: External_Access

-Operating System: All Windows

-State Conditions: Apply this rule module only if the following state conditions are met

-> When: Ethernet Active and Management Center Not Reachable

-> Not when: Management Center Reachable

[Rules]

(1)Terminate All

*Type: Network Access Control

*Action: Priority Terminate Process (take precedence)

*When ...: Active FTP Client Applications, Active HTTP Client Applications, Active TCP Client Applications, Active UDP Client Applications, Active UDP Server Applications, Active TCP Server Applications, Instant Messenger Applications

*But not in ...: Cisco VPN Client, Web Browser Applications

*Attempt to act as a client or server for network services: $Ephemeral Port Ranges, $TCP, $TCP Ephemeral server ports, $UDP, $UDP Ephemeral server ports

*Communicating with host addresses: $All_But_Private_Local >> Matching: but not: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-255.255, @(local)

*Using these local interfaces:

(2)Priority_Deny-Everything but http,https to local and VPN Peer

*Type: Network Access Control

*Action: Priority Deny (take precedence)

*When ...: Active TCP Client Applications, Active UDP Client Applications

*But not in ...: Cisco VPN Client

*Attempt to act as a client for network services: $FTP Control Channel, $HTTP, $Instant Messenger Protocols, $UDP Ephemeral server ports, $TCP Ephemeral server ports, $FTP Client Data Channel, $Email, $DNS, $ALT-HTTP

*Communicating with host addresses: $All_But_Private_Local

*Using these local interfaces:

(3)Allow Web Browser only to Private Range

*Type: Network Access Control

*Action: Priority Allow (take precedence)

*When ...: Web Browser Timed (custom class, $Web Browser Clients with Remove process from application class after 30 seconds)

*But not in the following class:

*Attempt to act as a client for network services: $DNS, $HTTP, $ALT-HTTP

*Communicating with host addresses: $Only Private Local and VPN Peer IP Addresses >> Matching: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-255.255, @(local)

*Using these local interfaces:

(4)Warning Message: VPN in NOW

*Type: Network Access Control

*Action: Query User(take precedence) | Query Settings: Establish VPN Connection(Allowed actions = Default Action = Logged = Allow)

*When ...:

*But not in the following class: Cisco VPN Client, MS Logon Setup Applications, MS winlogon

*Attempt to act as a client or server for network services: $TCP Ephemeral server ports, $TCP, $UDP, $UDP Ephemeral server ports

*Communicating with host addresses: $All but 127.0.0.1 >> Matching: but not: 127.0.0.1 && @(local)

*Using these local interfaces:

The Kit generated contains the following groups: + Desktop_All_Typed_Edited (Base Permission + Agent UI Control Disabled +Virus Scanner Module) + External Access.

As you can see the trigger for these rules is the Ethernet Active and if the MC Server is reachable or not. The only way the Pop-Up message could appear is when the MC is unreachable.

I might've mapped a little too much, but it worked great! Let me know if this is what you need. Remember that you should worry more about what to deny than about what to allow, ok?

If there is anything else, don't hesitate to ask.

Regards, Dan
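The reason Dan's rule set works where the plain Roaming - Force VPN query did not is the precedence CSA applies to Network Access Control actions, which the generated rule text later in this thread spells out: Priority Terminate Process is checked first, then Priority Deny, then Allow, and a Query User rule only decides "in the absence of any applicable 'priority deny', 'priority terminate process' or 'allow' rules". The following Python model is an added example, not CSA code and not from Dan's configuration export; it encodes the four rules above against that precedence so you can see which rule catches each kind of connection. Assumptions, marked in comments: the port numbers behind the `$HTTP`, `$ALT-HTTP`, `$DNS` and `$FTP Control Channel` service variables, that a browser process is a member of Dan's custom "Web Browser Timed" class, and that a connection matched by no rule is allowed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Set

# Address sets from the rule module: RFC 1918 ranges plus the local host.
PRIVATE_LOCAL = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def private_local(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_LOCAL)


def all_but_private_local(ip: str) -> bool:
    return not private_local(ip)


def all_but_localhost(ip: str) -> bool:
    return ip != "127.0.0.1"


# Network service variables. Port mappings are assumptions for this model,
# not the definitions shipped with CSA.
SERVICES = {
    "$TCP": lambda proto, port: proto == "tcp",
    "$UDP": lambda proto, port: proto == "udp",
    "$HTTP": lambda proto, port: proto == "tcp" and port in (80, 443),
    "$ALT-HTTP": lambda proto, port: proto == "tcp" and port == 8080,
    "$DNS": lambda proto, port: port == 53,
    "$FTP Control Channel": lambda proto, port: proto == "tcp" and port == 21,
}

# Application class names used in Dan's rules.
TCP_CLIENT = "Active TCP Client Applications"
UDP_CLIENT = "Active UDP Client Applications"
HTTP_CLIENT = "Active HTTP Client Applications"
BROWSER = "Web Browser Applications"
BROWSER_TIMED = "Web Browser Timed"   # Dan's custom timed class
VPN = "Cisco VPN Client"


@dataclass
class Connection:
    app_classes: Set[str]   # every class the originating process belongs to
    dst_ip: str
    proto: str
    port: int


@dataclass
class Rule:
    name: str
    action: str             # "terminate", "deny", "allow" or "query"
    services: Set[str]
    hosts: Callable[[str], bool]
    when: Set[str] = field(default_factory=set)      # empty = any class
    but_not: Set[str] = field(default_factory=set)

    def matches(self, c: Connection) -> bool:
        if self.when and not (self.when & c.app_classes):
            return False
        if self.but_not & c.app_classes:
            return False
        if not any(SERVICES[s](c.proto, c.port) for s in self.services):
            return False
        return self.hosts(c.dst_ip)


# Action precedence as stated by the generated rule text in the thread.
PRECEDENCE = ("terminate", "deny", "allow", "query")


def evaluate(conn: Connection, rules, user_answer: str = "allow") -> str:
    """Return the verdict for one connection attempt under the given rules."""
    for action in PRECEDENCE:
        for rule in rules:
            if rule.action == action and rule.matches(conn):
                # A Query User rule yields whatever the user clicked.
                return user_answer if action == "query" else action
    return "allow"   # assumption: nothing matched, default allow


EXTERNAL_ACCESS = [
    Rule("Terminate All", "terminate", {"$TCP", "$UDP"}, all_but_private_local,
         when={TCP_CLIENT, UDP_CLIENT, HTTP_CLIENT}, but_not={VPN, BROWSER}),
    Rule("Priority_Deny", "deny",
         {"$HTTP", "$ALT-HTTP", "$DNS", "$FTP Control Channel"},
         all_but_private_local, when={TCP_CLIENT, UDP_CLIENT}, but_not={VPN}),
    Rule("Allow Web Browser only to Private Range", "allow",
         {"$DNS", "$HTTP", "$ALT-HTTP"}, private_local, when={BROWSER_TIMED}),
    Rule("Query User: Establish VPN Connection", "query", {"$TCP", "$UDP"},
         all_but_localhost, but_not={VPN}),
]
# Dan's first attempt: only the query rule, no deny/terminate in front of it.
QUERY_ONLY = [EXTERNAL_ACCESS[3]]

# Constructed sample processes (class membership is assumed, not from CSA).
BROWSER_PROC = {BROWSER, BROWSER_TIMED, HTTP_CLIENT, TCP_CLIENT}
TORRENT_PROC = {TCP_CLIENT}
VPN_PROC = {VPN, UDP_CLIENT}

if __name__ == "__main__":
    public = "198.51.100.10"   # documentation range, stands in for any Internet host
    print(evaluate(Connection(BROWSER_PROC, public, "tcp", 80), EXTERNAL_ACCESS))
    print(evaluate(Connection(BROWSER_PROC, "10.1.2.3", "tcp", 80), EXTERNAL_ACCESS))
    print(evaluate(Connection(TORRENT_PROC, public, "tcp", 6881), EXTERNAL_ACCESS))
    print(evaluate(Connection(VPN_PROC, public, "udp", 500), EXTERNAL_ACCESS))
    print(evaluate(Connection(BROWSER_PROC, public, "tcp", 80), QUERY_ONLY))
```

Run it and the last line shows the problem from the opening post: with only the query rule, a browser reaching a public address is allowed as soon as the user clicks "allow". With the deny and terminate rules in front, the same connection is denied, the browser still reaches private (VPN-side) addresses, a non-browser TCP client to the Internet is terminated, and the VPN client itself is untouched because every rule excludes it.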

Thanks Dan

I shall try and let you know how it goes. I would appreciate it if you can help me with other questions.

All our laptop users have local admin rights, hence they can turn off the CSA. How can I ensure that any user in the local admin group, apart from the default administrator user, can stop or turn off the agent and service?

Also, these laptops are running in test mode. How can I get the above rule module and the rule modules which protect from day-zero attacks, unknown viruses and worms to run in protected mode and the rest in test mode?

Also, these laptop users use the same laptop in the office when they are in, so availability of the MC even in the LAN becomes a must for them to browse. We don't have the MC in redundancy. And yeah, they are configured to use a proxy server to browse, but they can untick it.

Thanks

Hi

Use the Agent UI Module to control access to agent settings.

Use the rule override checkbox on a rule module to put the module in test mode.

Not sure if the third sentence is a question or not.

Tom

Thanks Tom

Can you please tell me what rule modules are available to block unknown viruses and worms? I'm using version 5.2. Since I'm in test mode, I want to ensure these modules can override it and run them in protected mode.

The group "Desktops - All types" works fine for this.

We kept everything in test mode for several weeks until it was tuned properly then went to learn mode for a week and then protect mode.

I still have a few modules in test mode but everything else is protect.

Use your best judgement, it's all you can do.

Tom

Dan

I tried with the rules you sent. It's not working.

Can I have your email id? I shall send what I configured. I will also submit it here.

Thanks

This is what the rules explain:

Network access control

Irrespective of any other rules,

Attempts to connect to any server and accept connections from any client whose address is contained in address sets All_But_Private_Local using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services TCP [V5.0 r229], UDP Ephemeral server ports [V5.0 r229], UDP [V5.0 r229], TCP Ephemeral server ports [V5.0 r229], Email [V5.0 r229], Ephemeral Port Ranges [V5.0 r229] by processes in application class , but not in application classes Web browser applications [V5.0 r229], Cisco Trust Agent [V5.0 r229], Cisco VPN Client [V5.0 r229], will cause the process to be terminated. An event will be logged when the rule is triggered.

1023 [test]

In the absence of any applicable 'priority terminate process' rules,

Attempts to connect to any server whose address is contained in address sets All_But_Private_Local using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services FTP Client Data Channel [V5.0 r229], FTP Control Channel [V5.0 r229], Instant Messenger Protocols [V5.0 r229], HTTP [V5.0 r229], UDP Ephemeral server ports [V5.0 r229], Email [V5.0 r229], TCP Ephemeral server ports [V5.0 r229], ALT-HTTP [V5.0 r229], DNS [V5.0 r229] by processes in application class , but not in application classes Cisco Trust Agent [V5.0 r229], Cisco VPN Client [V5.0 r229], will be denied. An event will be logged when the rule is triggered.

1024 [test]

In the absence of any applicable 'priority deny' or 'priority terminate process' rules,

Attempts to connect to any server whose address is contained in address sets Only Private Local and VPN peer ip using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services HTTP [V5.0 r229], DNS [V5.0 r229], ALT-HTTP [V5.0 r229] by processes in application class Web Browser Timed will be allowed. An event will be logged when the rule is triggered.

1025 [test]

In the absence of any applicable 'priority deny', 'priority terminate process' or 'allow' rules,

Attempts to connect to any server and accept connections from any client whose address is contained in address sets All address but not localhost using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services TCP [V5.0 r229], TCP Ephemeral server ports [V5.0 r229], UDP [V5.0 r229], UDP Ephemeral server ports [V5.0 r229] by processes in application class , but not in application classes MS winlogon [V5.0 r229], MS Logon Setup application [V5.0 r229], Cisco Trust Agent [V5.0 r229], Cisco VPN Client [V5.0 r229], will be allowed, unless denied by the user. An event will be logged when the rule is triggered.

1026 [test]

Now when I disconnect the VPN I won't be able to reach the MC, but I can still browse.

The rule module is configured for:

Met system state conditions:

when Management center not reachable (v5.0 r229)

and none of the following:

where management center reachable (v5.0 r229)

I didn't find "Ethernet Active and Management center not reachable".

Also, within the rules

there's no "using these local interfaces"; instead it's "using local addresses".

Thanks in advance

Hi Dan

Any response will be appreciated.

Thanks
