This chapter covers the following topics:
This chapter focuses on how to develop a deployment plan for a NAC Appliance solution rollout. The plan described here is aimed at larger deployments, but it can be tailored to fit almost any size of environment. It cannot be stressed enough how important it is to have a solid, well thought-out deployment plan in place before you start any rollout of the solution. A good deployment plan should result in a good deployment experience for all involved. In most cases, a NAC Appliance deployment should be broken into four distinct phases: pre-deployment, proof of concept, pilot, and production.
The production phase should be broken into three subphases: initial introduction, host security policy checks with no enforcement, and host security policy enforcement. This phased approach is designed to flush out any host policy issues, configuration mistakes, and design issues before the final production phase. This should result in a more positive experience for the end users and fewer calls to the help desk.
As you are putting together your deployment plan, be sure to keep in mind that the success of a NAC Appliance deployment can be jeopardized as much by negative political sentiment as by having poor technical execution. Therefore, it is critical that the deployment plan include goals, scopes, and success criteria agreed to by those individuals or groups that have political influence over the NAC Appliance implementation.
Figure 13-1 shows the four phases of deployment. The creation of your host security policy should be done prior to deployment.
Figure 13-1. Phases of Deployment
The pre-deployment phase is where you get your hands wrapped around the project as a whole. You will set your overall vision statement and define your NAC Appliance project scope of work. During this phase, you will determine what additional resources are needed, what the overall timeline should look like, and how communication for the project will work. This phase should also include an executive summary and business drivers section. Having these sections well thought out and agreed to by all relevant parties can help later if you run into any political pressure. An outline for the pre-deployment phase might look like this sample:
Pre-Deployment Phase
1.1 Executive Summary
1.2 Scope
1.3 Vision
1.3.1 NAC Appliance Overview (diagram)
1.3.2 Host Security Policy Reference
1.4 Business Drivers for Deployment
1.5 Deployment Schedule
1.6 Resources
1.7 New Equipment
1.8 Support Plan
1.9 Communication Plan
1.10 Training Plan
Use this outline as a guideline and adapt it to fit the needs of your environment. The following sections discuss each item in the pre-deployment phase outline.
The executive summary should be a one-page (or less) nontechnical explanation of the NAC Appliance deployment project. It should provide a quick, easy to understand, summary overview of the deployment project plan as a whole. Here is an example:
Maintaining a reliable and secure data network is critical to the health of our business. Almost all our business functions in some way rely on the network to complete tasks. In an effort to further secure our network from rogue users, viruses, worms, and other detrimental network activity, we have purchased the Cisco Network Admission Control (NAC) Appliance solution. Additionally, industry and government regulations, such as Payment Card Industry (PCI), the Sarbanes-Oxley (SOX) Act, and the Health Insurance Portability and Accountability Act (HIPAA), are mandating that many of the controls that Cisco NAC Appliance will provide be in place on our network. Cisco NAC Appliance will allow us to control who is allowed on the network, what access rights they will have on our network, and ensure that their PC is running the most up-to-date security software. The following phased deployment plan has been put together to ensure that the rollout of the NAC Appliance solution will not adversely affect users or business processes. The three phases that have been defined are 1. proof of concept, 2. pilot, and 3. production. The production phase has additionally been broken into three separate phases. This phased plan is designed to uncover and remediate any deployment issues before the final production rollout phase is complete.
This section should define the overall scope of the NAC Appliance deployment project. This should mirror the goals set forth in your host security policy document. Try to keep it short and simple. Additionally, it may include details about the following:
This section should contain your NAC Appliance Solution vision statement. It should also include details about what you envision the future to be like after NAC Appliance is fully deployed. For example, a future vision might be as follows:
After deployment, all guest and contract workers will be authenticated, authorized, and posture assessed before they are allowed access to the network.
If necessary, create a bulleted list of all your future visions. After this is done, you can use this section to show others how things will be different and enhanced when NAC Appliance is deployed. Use this section to gain political buy-in and support.
It might be advantageous to include a diagram of the way the network will look in the future. This diagram will clearly indicate the positions of the NAC Appliance Servers throughout the network. In most cases, the diagram should be fairly abstract at this point. As your deployment plan matures, you will want to increase the diagram's level of detail accordingly. Use the initial diagram as a guide for developing your deployment plan.
It is not necessary to include your host security policy document here. Rather, use this section to indicate that such a document exists, and where and how to obtain it. Indicate that the policies contained within the host security policy document will be enforced using Cisco NAC Appliance. For information on how to create a host security policy document, see Chapter 6, "Building a Cisco NAC Appliance Host Security Policy."
To make informed decisions about the goals and scope of the deployment, it is important to understand the business drivers and priorities of the project. NAC Appliance has a multitude of features that you could use. The challenge is deciding which features you will enable and in which phase each should be tested and implemented. Typically, these feature decisions follow from the business drivers that justified the project in the first place. This section should state what those business drivers are. To keep the project within scope, refer to these drivers often. Here are a couple of sample business drivers for NAC Appliance:
A realistic deployment schedule should be included as a part of the pre-deployment plan. Be sure to give realistic estimates of the time it will take to roll out a production NAC deployment. Keep this section brief and high level; detailed deployment schedules for each deployment phase will be included separately in the plan. For this reason, it is sometimes best to complete the detailed schedules before attempting to complete this high-level deployment schedule. The sample time frames below are for example only, and should not be used to judge how long a NAC Appliance deployment takes. In some circumstances, the NAC solution can be set up in a few hours or in a few days—the amount of time you spend in each phase is completely up to you. In some cases, you might even skip some phases in your deployment. Here is a sample high-level deployment schedule with sample time frames.
Deployment Start Date: 6/1/2007
Full Deployment End Date: 9/29/2007
— Start Date: 6/1/2007
— End Date: 7/1/2007
— Start Date: 7/2/2007
— End Date: 8/1/2007
— Start Date: 8/2/2007
— End Date: 8/14/2007
— Start Date: 8/15/2007
— End Date: 9/20/2007
— Start Date: 9/21/2007
— End Date: 9/29/2007
This section should list all the human and material resources you will need to complete this project. Be sure to include members of the relevant departments in this process. This helps ensure that what you think is available to you from another department is, in fact, actually available. It is usually a good idea to break down the resources list by phase of deployment. Use this section to list any currently owned material resources that will need to be reappropriated for this project. Do not list any new purchases; they will be listed in the next section, "New Equipment." For human resources, you need not name specific individuals in this section because, where appropriate, they will be named in the plan for the individual phases. Instead, list the number of people required, characterize the skill sets needed, and name the departments the people will come from. If you will be obtaining outsourced manpower, give approximate hours and cost totals. Table 13-1 shows a short example of a resource requisition list.
Table 13-1. Sample Resource Requisition List
Use this section to list all the new hardware that you will have to purchase to complete your NAC Appliance deployment. This might include new Cisco switches in some areas to support out-of-band (OOB) access or a new web server for remediation purposes. Try to give approximate pricing and total costs here. Remember that this section will be used to obtain the necessary funding amounts and later to create a bill of materials.
Indicate what departments or individuals will be responsible for supporting end-user trouble tickets during the various phases of the NAC Appliance deployment. The assigned support personnel might vary based on the deployment phase. If your support staff will need to be augmented with additional resources, note that here and again in the Resources section.
Provide an overview of your messaging plan to end users regarding the introduction and use of the NAC Appliance solution. Appendix A, "Sample User Community Deployment Messaging Material," includes sample messaging material you can adapt to fit your environment. You might also include a communication plan for the help desk personnel that will be supporting the solution.
Develop a training program or plan for your support and implementation teams as well as for your end users. It is a best practice to appoint someone to project-manage the creation of the training plan. It is critical that these personnel be properly trained on the Cisco NAC Appliance solution before it is deployed. The support and help desk personnel should receive training on how the NAC solution works in your environment, how best to troubleshoot any issues that might come up, and what escalation procedures they should follow if they get stuck or the issue falls outside their department. Additionally, your implementation team must include several persons who have advanced knowledge of how to deploy the solution. This can be done either by outsourcing the whole or a part of your implementation team or by sending your own personnel to training. This might include either onsite or offsite training provided by a Cisco-certified training partner. End users will have to be trained on how to use the new system after it is deployed. As a general rule, this training is delivered to your end users via an e-mail, video on demand, or paper mailer, and it does not require a formal training class.
The deployment plan itself, which follows the pre-deployment phase, is broken up into three main phases: proof of concept, pilot, and production. Each phase has several sections. A sample deployment plan outline follows.
Sample Deployment Plan Outline
1: Proof of Concept Phase
1.1: Determine Goal of the Proof of Concept
1.2: Determine Scope of the Proof of Concept
1.3: Determine Criteria for Success
1.4: Work Assignments
1.5: Document Test Plan and Results
1.6: Post-Deployment Review
2: Pilot Phase
2.1: Determine Goal of the Pilot Phase
2.2: Determine Scope of the Pilot Phase
2.3: Determine Criteria for Success
2.4: Work Assignments
2.5: Document Deployment Plan and Results
2.6: Post-Deployment Review
3: Production Deployment Phases
3.1: Production Deployment Phase 1: Initial Introduction to User Community
3.1.1: Determine Goal of Phase 1
3.1.2: Determine Scope of Phase 1
3.1.3: Determine Criteria for Success
3.1.4: Work Assignments
3.1.5: Document Deployment Plan and Results
3.1.6: Post-Deployment Review
3.2: Production Deployment Phase 2: Implementing Host Security Policy Checks Without Enforcement
3.2.1: Determine Goal of Phase 2
3.2.2: Determine Scope of Phase 2
3.2.3: Determine Criteria for Success
3.2.4: Work Assignments
3.2.5: Document Deployment Plan and Results
3.2.6: Post-Deployment Review
3.3: Production Deployment Phase 3: Host Security Policy Enforcement
3.3.1: Determine Goal of Phase 3
3.3.2: Determine Scope of Phase 3
3.3.3: Determine Criteria for Success
3.3.4: Work Assignments
3.3.5: Document Deployment Plan and Results
3.3.6: Post-Deployment Review
Use this outline as a guideline, and adapt it to fit the needs of your environment. At a high level, the elements that make up the plan are the same for every phase: a goal, a scope, criteria for success, work assignments, a documented plan with results, and a post-deployment review. The elements that need the most detail are described here.
Scope. The scope of a phase should state what is and is not covered, such as:
— Access types to be used, such as OOB, VPN, wireless, and in-band (IB)
— Users or departments involved
— Types of workstations involved, such as Windows XP, Mac, and so on
— Types of checks and requirements for host posture assessment, such as antivirus, antispyware, Windows, network scanner plug-ins, and so on
— Authentication provider types, such as RADIUS, Active Directory (AD), local, Lightweight Directory Access Protocol (LDAP), and so on
— User role types and privileges, such as guests, employees, contractors, and so on
— Use of the Clean Access Agent (CCA) and web login
Work assignments. This section should list:
— Individuals and departments involved. Indicate who the project or team lead is.
— Contact information for all involved.
— Scope of work to be accomplished by each individual.
— Time frame for the work to be completed. If the time frame is long enough, it is beneficial to create milestone dates along the way.
— If applicable, the location at which the work will be completed.
Post-deployment review. The review should record:
— Overall success of the deployment. Did you achieve your success criteria?
— What worked well and what didn't.
— The next steps or phase to be implemented.
— Key stakeholders signing off on the completion of the deployment phase and approving the project's completion or moving forward with subsequent phases.
The remainder of this chapter defines in more detail the purpose of each phase in the sample deployment outline.
The proof of concept phase is your testing phase. Use this phase to test the various features available in NAC Appliance. Testing will help you narrow down exactly what features you want to implement in your pilot and production rollouts. Be sure to have your testing environment mimic your real environment as much as possible. This will ensure that your test results will accurately reflect those you will find in your production environment. Use this phase to get comfortable with the NAC Appliance solution; be sure to test out each of the production scenarios you will be confronted with. Of course, document everything along the way. This documentation, especially any troubleshooting methods discovered, will be invaluable to you in subsequent phases of the deployment.
If possible, at the end of your POC phase, rebuild the POC lab to the exact specifications you will use in your pilot phase. When that is complete, rebuild the POC lab to the specifications of each phase as you progress. In this way, the POC lab can serve as an ongoing testing lab for troubleshooting and for verifying the viability of any configuration changes and new checks before putting them in production. The value of having a complete testing lab cannot be overstated.
The pilot phase will be the first limited production deployment of the NAC Appliance solution. This is where you apply all the knowledge you gained during the proof of concept phase. The pilot phase plan should use the proof of concept testing as a guide to decide what NAC Appliance features and deployment methods you want to use in your production environment. Subsequently, the pilot phase plan should mirror that production vision as much as possible—just on a much smaller scale. You should aim to keep the pilot phase only as big as it has to be for your team to test all the NAC Appliance features you decided on. Keep your pilot small, focused, and simple. A good pilot phase plan should have the following elements included:
The individuals and departments that you choose to take part in the pilot phase should:
Here are a few other things you may need to consider when developing your pilot phase plan:
Now that the pilot phase is complete, use the knowledge and experience gathered to decide what your final production deployment should look like. It is possible and likely that your organization will have multiple production deployments. For example, you might have a wireless production phase plan, a VPN production phase plan, and a wired OOB production phase plan. Each production deployment will be done on its own time schedule, and lessons learned from each should be applied to subsequent deployment plans.
The final production deployment should come in three phases: initial introduction to the user community, host security policy checks without enforcement, and host security policy enforcement.
This staged approach allows you to identify and address issues before a final networkwide deployment.
Phase 1 includes the initial introduction of the NAC Appliance solution. This includes both the introduction into the network as well as the introduction to the general user community. During this phase, you will install the NAC Appliance Servers throughout your network environment and make all necessary network modifications. You will also install the Clean Access Agent on end-user hosts.
The NAC Appliance solution should be introduced with a very limited set of features enabled. It is recommended that phase 1 be limited to performing user authentication. If applicable, a user agreement page can also be added to this phase. No host posture assessment or checking should be included in this phase. This phase is designed to get users comfortable using the Clean Access Agent and web login process of authenticating to the network. It is also designed to minimize the amount of change that users deal with at one time. Given that this phase is heavy on the amount of network changes and the potential downtime involved with implementing NAC Appliance, it is a good idea to limit NAC Appliance to performing only user authentication. As a result, your support personnel and IT staff will have fewer things to support and troubleshoot.
All production deployment phases should include a comprehensive communication plan. This plan will alert end users and support staff to the upcoming changes they will experience. It should also include information on how end users can obtain NAC Appliance support.
Welcome to production deployment phase 2. During this phase, you will start to implement host posture assessment without enforcement. With the changes on the hosts and in the network completed, it is time to introduce host security policy checking. At this point, your users should be comfortable with the operation of the Clean Access Agent and web login. Any NAC Appliance solution kinks should have been worked out, and your environment should be stable before moving on to phase 2.
The goal of this phase is to gradually start implementing host security checks with remediation options. However, users are not yet forced to comply with or remediate any failed security checks. This will allow your user community to become familiar with the checking and remediation process but still have the flexibility to bypass it if necessary. The IT team can monitor the remediation progress users have made through the reporting mechanisms included in NAC Appliance Manager. This will also give you a way to ensure your remediation services are working as planned without affecting a user's ability to log on to the network.
This phase requires that you decide which security checks to start implementing and set up reliable remediation sources that users will use to self-patch their systems. This might include a Microsoft Windows Server Update Services system or a corporate AV system. In many cases, these remediation solutions will already be installed and ready to go. During this phase, users will be alerted by NAC Appliance that their hosts are not up to date and why. It is then up to the users to follow the remediation steps provided by NAC Appliance. Ideally, most users will start to follow these remediation steps and self-patch their systems. It is important that the security updates related to your first few security checks are easy for users to install and do not require users to reboot their machines after updating. You want the users' first few remediation experiences to be as positive as possible.
It is good practice to reach out to a few users who have not successfully remediated their systems up to this point. This research can be used to ensure that there are no endemic reasons users are not patching their systems. It may uncover hidden remediation issues that need to be addressed before you move to enforcement of host checks in phase 3. Before moving to the next phase, which involves moving from optional requirements to enforced requirements, your user community must be alerted to the upcoming enforcement. Common methods for communicating this are e-mail, websites, message boards, flyers, and mailers. The goal is to alert users to remediate soon because, starting on a certain date, enforcement of checks will be applied. Users have to understand that if they do not remediate prior to enforcement, their network access will be limited until they comply.
After a majority of users have run through remediation and are comfortable with the process, it is safe to move to production deployment phase 3. This phase involves enforcing the security checks that were previously introduced as optional. One of the action items for this phase is to establish a fixed time frame between the introduction of a security check as optional and its promotion to required. This time frame can then be used going forward for subsequent patch cycles from Microsoft and other vendors. With a consistent enforcement cycle, users learn the process more quickly than if the time frame varies considerably from patch to patch. Of course, when the security risk of a patch is very high, the enforcement cycle should be shortened accordingly.
A critical component of this phase will be ensuring that the help desk personnel are prepared to support the potential influx of support calls from end users. Given the sheer number of operating system, patch level, and installed application combinations present on hosts today, it is almost inevitable that some users will experience trouble installing a required patch. Of course, all due diligence should be taken to thoroughly test each required patch before enforcing it using NAC Appliance.
NAC Appliance includes built-in rules for Microsoft hotfixes and for several antivirus and antispyware vendors. If you choose to use these built-in rules, you give up some of the flexibility of introducing new patches from these vendors as optional before making them required. In effect, every requirement built from the built-in rules automatically starts enforcing any new update released by the supported vendors, because NAC Appliance checks with Cisco every hour for newly released patches and, when it finds them, adds them to the existing checks for that vendor. In some environments, this works well; in others, it can be a help desk nightmare. Note that for the antivirus built-in rules, you can set your policy to allow the antivirus definition file to be x days out of date before the host is marked out of compliance. Use the proof of concept phase, and even the pilot phase, to determine what works best for your environment.
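To make the optional-to-required cycle described in the preceding paragraphs concrete, the following is an added illustrative model, not Cisco NAC Appliance code or configuration. It treats each host check as optional (warn and offer remediation) from the date it is introduced until a fixed grace period expires, after which a failed check restricts access; a shortened cycle applies to checks flagged as critical, and the antivirus check allows the definition file to be up to a configured number of days old. The check names, grace periods, dates, and host data are all constructed for the example.

```python
"""Model of the optional-to-required enforcement cycle for NAC host checks.

Added illustrative example, not Cisco NAC Appliance code or configuration.
Check names, grace periods, dates and host data are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed enforcement cycle lengths, in days, counted from the date a check
# is introduced as optional. The critical cycle is the shortened one used
# for high-risk patches.
DEFAULT_GRACE_DAYS = 14
CRITICAL_GRACE_DAYS = 3


@dataclass(frozen=True)
class Check:
    name: str
    kind: str                  # "hotfix" (must be installed) or "av_defs" (max age)
    introduced: date           # date the check was first shown to users as optional
    critical: bool = False     # high-risk patch: use the shortened cycle
    av_max_age_days: int = 0   # "av_defs" only: days the definition file may be stale

    def enforced_from(self) -> date:
        """First date on which failing this check restricts network access."""
        grace = CRITICAL_GRACE_DAYS if self.critical else DEFAULT_GRACE_DAYS
        return self.introduced + timedelta(days=grace)


@dataclass(frozen=True)
class HostPosture:
    hostname: str
    hotfixes: frozenset        # identifiers of installed hotfixes
    av_defs_date: date         # date of the installed antivirus definition file


def check_passes(check: Check, host: HostPosture, today: date) -> bool:
    """Evaluate one check against the host's reported posture."""
    if check.kind == "hotfix":
        return check.name in host.hotfixes
    if check.kind == "av_defs":
        return (today - host.av_defs_date).days <= check.av_max_age_days
    raise ValueError(f"unknown check kind: {check.kind!r}")


def evaluate(host: HostPosture, checks: list, today: date):
    """Return (access decision, failed required checks, failed optional checks).

    A failed check that has not yet reached its enforcement date only produces
    a warning (phase 2 behaviour); once the date is reached, the failure
    restricts access until the host is remediated (phase 3).
    """
    failed_required, failed_optional = [], []
    for check in checks:
        if check_passes(check, host, today):
            continue
        if today >= check.enforced_from():
            failed_required.append(check.name)
        else:
            failed_optional.append(check.name)
    access = "quarantine" if failed_required else "allow"
    return access, failed_required, failed_optional


def enforcement_schedule(checks: list) -> dict:
    """Map each check to its enforcement date, for the user communication plan."""
    return {check.name: check.enforced_from() for check in checks}


# Constructed sample policy: two hotfix checks (one critical) and an
# antivirus definition age check that tolerates definitions up to 7 days old.
SAMPLE_CHECKS = [
    Check("HotfixA", "hotfix", introduced=date(2007, 8, 20)),
    Check("HotfixB", "hotfix", introduced=date(2007, 9, 10), critical=True),
    Check("AV definitions", "av_defs", introduced=date(2007, 8, 15),
          av_max_age_days=7),
]

# Constructed sample hosts and evaluation dates.
HOST_COMPLIANT = HostPosture("pc-01", frozenset({"HotfixA", "HotfixB"}),
                             av_defs_date=date(2007, 9, 10))
HOST_LAGGING = HostPosture("pc-02", frozenset({"HotfixA"}),
                           av_defs_date=date(2007, 9, 1))
DAY_BEFORE_HOTFIXB_ENFORCED = date(2007, 9, 12)
DAY_AFTER_HOTFIXB_ENFORCED = date(2007, 9, 14)

if __name__ == "__main__":
    for name, when in enforcement_schedule(SAMPLE_CHECKS).items():
        print(f"{name}: optional until {when}, required from then on")
    for host in (HOST_COMPLIANT, HOST_LAGGING):
        for today in (DAY_BEFORE_HOTFIXB_ENFORCED, DAY_AFTER_HOTFIXB_ENFORCED):
            print(host.hostname, today, evaluate(host, SAMPLE_CHECKS, today))
```

The enforcement schedule is the list of dates you would publish in the phase 3 communication plan, and the per-host result separates warnings from access-restricting failures, which is the distinction the help desk will need when calls come in. If you rely on the vendor-updated built-in rules instead, the introduction date of a new update is effectively the hour it is downloaded and the grace period is zero, which is the loss of flexibility described above.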
A solid, phased deployment plan agreed to by all relevant stakeholders is crucial to the success of a NAC Appliance deployment. The main phases are pre-deployment, proof of concept, pilot, and production. The production phase is divided into three subphases. This phased approach should ensure that your NAC Appliance deployment goes well. The sample deployment plan outlines given in this chapter are geared toward larger NAC Appliance environments but can be easily tailored to meet the needs of smaller organizations. It is also important to note that NAC Appliance deployment plans can vary greatly in scope, complexity, and content, and the ones presented to you in this chapter may or may not be appropriate for your environment. It is hoped that the deployment plans presented in this chapter have given you the information, best practice methods, and ideas necessary for you to develop your own customized plan. Overall, Cisco NAC Appliance is a relatively straightforward solution to deploy, but like most things worth doing well, it requires some forethought and planning. Always keep in mind that planning is vital but should not be so daunting in scope that it prevents actually doing something.