Technical assisstance required for NAC / NAP architecture for VPNs
We have employed dual firewall architecture at the network edge consisting of a pair of Cisco ASA 5540 with the AIP-SSM20 IPS module, and Microsoft's ISA server with Surf Control. The Cisco ASA's connect to the Internet and the ISA's connect to the Internal Core LAN. Between the firewalls sits a DMZ consisting of 2 Cisco 2960's. The Cisco ASA's terminate all Remote Access and Site-to-Site IPSec VPNs and we will shortly be enabling full IPS functionality to scan traffic inline.
In order to further enhance the security of remote clients accessing internal resources over VPN we are thinking of rolling out a NAP / NAC solution.
Our entire LAN is Cisco (Dual 6500's at Core and Distribution, with 2950 / 2960 at the access layer), and with heavy investment in Microsoft Active Directory we are keen to leverage a solution that plays on the strengths of both vendors.
After looking over the architecture for a NAP / NAC solution I am fairly confident that I understand how the framework fits together for the internal LAN, using the Microsoft NAP client built into the Windows OS and utilising dot1x / Cisco ACS for initial posture assessment. Microsoft policy and health servers then perform the final decision / remediation functions within AD.
However I become a little unstuck when trying to understand how a solution will work for VPNs. According the Cisco documentation,
âIn a NAC Framework configuration involving the adaptive security appliance, only a Cisco Trust Agent running on the client can fulfil the role of posture agent, and only a Cisco Access Control Server (ACS) can fulfil the role of posture validation server.â
Can we use the above architecture and pass all posture assessment information from the ACS server to the same policy / health servers used on for the LAN NAC / NAP or do we have to use a different mechanism? Or can we simply bypass the Cisco ASA altogether and simply use the Microsoft NAP agent on the client and perform NAC as we have on the Internal LAN? (bearing in mind that we want to perform IPS on all inbound traffic IPSec / SSL VPN or otherwise)
Similar questions exist for the Site-to-Site VPNs. If we were to use the Cisco ASA to apply the initial NAC policy, do we simply have to provide an IP address within the tunnel to allow communication with the trust agent? or as above, can we bypass the ASA and use the Microsoft agent?
We have done some provisional testing using SSL VPNs to introduce "NAC Like" features, using CSD etc, but with licences costing around Â£7,500 and the problem of site-to-site VPNs still remaining, I thought it better to investigate a full NAC / NAP solution considering that we already have most of the infrastructure in place.
I would appreciate any assisstance that you can offer.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...