Chapter 13. Deploying Cisco NAC Appliance

This chapter covers the following topics:

This chapter focuses on how to develop a deployment plan for a NAC Appliance solution rollout. This deployment plan focuses on larger-sized deployments, but it can be tailored to fit just about any size environment. It cannot be stressed enough how important it is to have a solid, well thought-out deployment plan in place before you start any rollout of the solution. A good deployment plan should result in a good deployment experience for all involved. In most cases, a NAC Appliance deployment should be broken into four distinct phases:

  • Pre-deployment phase
  • Proof of concept phase
  • Pilot phase
  • Production phase

The production phase should be broken into three subphases: initial introduction, host security policy checks with no enforcement, and host security policy enforcement. This phased approach is designed to flush out any host policy issues, configuration mistakes, and design issues before the final production phase. This should result in a more positive experience for the end users and fewer calls to the help desk.

As you are putting together your deployment plan, be sure to keep in mind that the success of a NAC Appliance deployment can be jeopardized as much by negative political sentiment as by having poor technical execution. Therefore, it is critical that the deployment plan include goals, scopes, and success criteria agreed to by those individuals or groups that have political influence over the NAC Appliance implementation.

Figure 13-1 shows the four phases of deployment. The creation of your host security policy should be done prior to deployment.

Figure 13-1. Phases of Deployment

Pre-Deployment Phase

The pre-deployment phase is where you get your hands wrapped around the project as a whole. You will set your overall vision statement and define your NAC Appliance project scope of work. During this phase, you will determine what additional resources are needed, what the overall timeline should look like, and how communication for the project will work. This phase should also include an executive summary and business drivers section. Having these sections well thought out and agreed to by all relevant parties can help later if you run into any political pressure. An outline for the pre-deployment phase might look like this sample:

Pre-Deployment Phase

1.1 Executive Summary

1.2 Scope

1.3 Vision

1.3.1 NAC Appliance Overview (diagram)

1.3.2 Host Security Policy Reference

1.4 Business Drivers for Deployment

1.5 Deployment Schedule

1.6 Resources

1.7 New Equipment

1.8 Support Plan

1.9 Communication Plan

1.10 Training Plan

Use this outline as a guideline and adapt it to fit the needs of your environment. The following sections discuss each section of this pre-deployment phase outline.

Executive Summary

The executive summary should be a one-page (or less) nontechnical explanation of the NAC Appliance deployment project. It should provide a quick, easy-to-understand overview of the deployment project plan as a whole. Here is an example:

Maintaining a reliable and secure data network is critical to the health of our business. Almost all our business functions in some way rely on the network to complete tasks. In an effort to further secure our network from rogue users, viruses, worms, and other detrimental network activity, we have purchased the Cisco Network Admission Control (NAC) Appliance solution. Additionally, industry and government regulations, such as Payment Card Industry (PCI), the Sarbanes-Oxley (SOX) Act, and the Health Insurance Portability and Accountability Act (HIPAA), are mandating that many of the controls that Cisco NAC Appliance will provide be in place on our network. Cisco NAC Appliance will allow us to control who is allowed on the network, what access rights they will have on our network, and ensure that their PC is running the most up-to-date security software. The following phased deployment plan has been put together to ensure that the rollout of the NAC Appliance solution will not adversely affect users or business processes. The three phases that have been defined are 1. proof of concept, 2. pilot, and 3. production. The production phase has additionally been broken into three separate phases. This phased plan is designed to uncover and remediate any deployment issues before the final production rollout phase is complete.

Scope

This section should define the overall scope of the NAC Appliance deployment project. This should mirror the goals set forth in your host security policy document. Try to keep it short and simple. Additionally, it may include details about the following:

  • Number and location of PCs affected
  • Departments and user types affected
  • Location of the NAC Appliance Servers
  • Network diagram showing the final solution

Vision

This section should contain your NAC Appliance Solution vision statement. It should also include details about what you envision the future to be like after NAC Appliance is fully deployed. For example, a future vision might be as follows:

After deployment, all guest and contract workers will be authenticated, authorized, and posture assessed before they are allowed access to the network.

If necessary, create a bulleted list of all your future visions. After this is done, you can use this section to show others how things will be different and enhanced when NAC Appliance is deployed. Use this section to gain political buy-in and support.

NAC Appliance Overview (Diagram)

It might be advantageous to include a diagram of the way the network will look in the future. This diagram will clearly indicate the positions of the NAC Appliance Servers throughout the network. In most cases, the diagram should be fairly abstract at this point. As your deployment plan matures, you will want to increase the diagram's level of detail accordingly. Use the initial diagram as a guide for developing your deployment plan.

Host Security Policy

It is not necessary to include your host security policy document here. Rather, use this section to indicate that such a document exists, and where and how to obtain it. Indicate that the policies contained within the host security policy document will be enforced using Cisco NAC Appliance. For information on how to create a host security policy document, see Chapter 6, "Building a Cisco NAC Appliance Host Security Policy."

Business Drivers for Deployment

To make informed decisions regarding what the goals and scope of the deployment will be, it is important to understand the business drivers and priorities of the project. NAC Appliance has a multitude of features that you could use. The challenge will be in deciding which features you will enable and at what phase they should be tested and implemented. Typically, these feature decisions are based on the business drivers for the project in the first place. This section should include what those business drivers are. To keep the project within scope, be sure to refer to these drivers often. Here are a couple sample business drivers for NAC Appliance:

  • Protect the company's intellectual property by ubiquitously denying access to the network until a user successfully passes authentication and authorization. Only those users who are authorized will be allowed access to sensitive information.
  • Decrease business-affecting network and PC outages that are caused by security-related incidents such as virus and worm outbreaks.

Deployment Schedule

A realistic deployment schedule should be included as a part of the pre-deployment plan. Be sure to give realistic estimates of the time it will take to roll out a production NAC deployment. Keep this section brief and high level; detailed deployment schedules for each deployment phase will be included separately in the plan. For this reason, it is sometimes best to complete the detailed schedules before attempting to complete this high-level deployment schedule. The sample time frames below are for example only, and should not be used to judge how long a NAC Appliance deployment takes. In some circumstances, the NAC solution can be set up in a few hours or in a few days—the amount of time you spend in each phase is completely up to you. In some cases, you might even skip some phases in your deployment. Here is a sample high-level deployment schedule with sample time frames.

Deployment Start Date: 6/1/2007

Full Deployment End Date: 9/29/2007

  • Testing Phase

    — Start Date: 6/1/2007

    — End Date: 7/1/2007

  • Pilot Phase

    — Start Date: 7/2/2007

    — End Date: 8/1/2007

  • Production Phase 1: Introduction to User Community

    — Start Date: 8/2/2007

    — End Date: 8/14/2007

  • Production Phase 2: Security Checks with No Enforcement

    — Start Date: 8/15/2007

    — End Date: 9/20/2007

  • Production Phase 3: Security Checks with Enforcement

    — Start Date: 9/21/2007

    — End Date: 9/29/2007

Resources

This section should list all the human and material resources you will need to complete this project. Be sure to include members of the relevant departments in this process. This helps ensure that what you think is available to you from another department is, in fact, actually available. It is usually a good idea to break down the resources list into the phases of deployment. Use this section to list any currently owned material resources that will need to be reappropriated for this project. Do not list any new purchases; they will be listed in the next section, "New Equipment." For human resources, you need not put specific names of individuals in this section because, where appropriate, they will be included in the plan for the individual phases. Instead, list the number of people required, characterize the skill sets needed, and name the departments they will come from. If you will be obtaining outsourced manpower, give approximate hours and cost totals. Table 13-1 shows a short example of a resource requisition list.

Table 13-1. Sample Resource Requisition List

New Equipment

Use this section to list all the new hardware that you will have to purchase to complete your NAC Appliance deployment. This might include new Cisco switches in some areas to support out-of-band (OOB) access or a new web server for remediation purposes. Try to give approximate pricing and total costs here. Remember that this section will be used to obtain the necessary funding amounts and later to create a bill of materials.

Support Plan

Indicate what departments or individuals will be responsible for supporting end-user trouble tickets during the various phases of the NAC Appliance deployment. The assigned support personnel might vary based on the deployment phase. If your support staff will need to be augmented with additional resources, note that here and again in the Resources section.

Communication Plan

Provide an overview of your messaging plan to end users regarding the introduction and use of the NAC Appliance solution. Appendix A, "Sample User Community Deployment Messaging Material," includes sample messaging material you can adapt to fit your environment. You might also include a communication plan for the help desk personnel that will be supporting the solution.

Cisco NAC Appliance Training

Develop a training program or plan for your support and implementation teams as well as for your end users. It is a best practice to appoint someone to project-manage the creation of the training plan. It is critical that these personnel be properly trained on the Cisco NAC Appliance solution before it is deployed. The support and help desk personnel should receive training on how the NAC solution works in your environment, how best to troubleshoot any issues that might come up, and what escalation procedures they should follow if they get stuck or the issue falls outside their department. Additionally, your implementation team must include several persons who have advanced knowledge of how to deploy the solution. This can be done either by outsourcing the whole or a part of your implementation team or by sending your own personnel to training. This might include either onsite or offsite training provided by a Cisco-certified training partner. End users will have to be trained on how to use the new system after it is deployed. As a general rule, this training is delivered to your end users via an e-mail, video on demand, or paper mailer, and it does not require a formal training class.

Deployment Plan Overview

The deployment plan is broken up into three main phases. Each phase has several sections. A sample deployment plan outline follows.

Sample Deployment Plan Outline

1: Proof of Concept Phase
1.1: Determine Goal of the Proof of Concept
1.2: Determine Scope of the Proof of Concept
1.3: Determine Criteria for Success
1.4: Work Assignments
1.5: Document Test Plan and Results
1.6: Post-Deployment Review

2: Pilot Phase
2.1: Determine Goal of the Pilot Phase
2.2: Determine Scope of the Pilot Phase
2.3: Determine Criteria for Success
2.4: Work Assignments
2.5: Document Deployment Plan and Results
2.6: Post-Deployment Review

3: Production Deployment Phases
3.1: Production Deployment Phase 1: Initial Introduction to User Community
3.1.1: Determine Goal of Phase 1
3.1.2: Determine Scope of Phase 1
3.1.3: Determine Criteria for Success
3.1.4: Work Assignments
3.1.5: Document Deployment Plan and Results
3.1.6: Post-Deployment Review
3.2: Production Deployment Phase 2: Implementing Host Security Policy Checks Without Enforcement
3.2.1: Determine Goal of Phase 2
3.2.2: Determine Scope of Phase 2
3.2.3: Determine Criteria for Success
3.2.4: Work Assignments
3.2.5: Document Deployment Plan and Results
3.2.6: Post-Deployment Review
3.3: Production Deployment Phase 3: Host Security Policy Enforcement
3.3.1: Determine Goal of Phase 3
3.3.2: Determine Scope of Phase 3
3.3.3: Determine Criteria for Success
3.3.4: Work Assignments
3.3.5: Document Deployment Plan and Results
3.3.6: Post-Deployment Review

Use this outline as a guideline, and adapt it to fit the needs of your environment. The elements that make up the plan for each phase are the same at a high level. The elements of each phase are described here:

  • Determine and state the goal of each deployment phase. Be sure to pick a goal that is measurable, attainable, concise, and unique to the phase it represents.
  • Determine and state the scope of each phase. This section might end up being lengthy. At a minimum, it must state the overall mission of the phase. For example, the scope of the pilot phase might be to authenticate, posture assess, and provide remediation services to all virtual private network (VPN) and guest users connecting to the network at the Colorado location. An overview network diagram should be included as part of the scope. Here is an example of some of the things you might include in the pilot phase scope:

    — Access types to be used, such as OOB, VPN, wireless, and in-band (IB)

    — Users or departments involved

    — Types of workstations involved, such as Windows XP, Mac, and so on

    — Types of checks and requirements for host posture assessment, such as antivirus, antispyware, Windows, network scanner plug-ins, and so on

    — Authentication provider types, such as RADIUS, Active Directory (AD), local, Lightweight Directory Access Protocol (LDAP), and so on

    — User role types and privileges, such as guests, employees, contractors, and so on

    — Use of the Clean Access Agent (CCA) and web login

  • Define the criteria for success of each phase. Because the definition of success can be different for different people, the key stakeholders must agree on a standard measure of success criteria to be used for each phase. After success criteria are defined and acceptable to the stakeholders, the project manager must periodically report on the phase's status. This will ensure that if you meet these criteria, you can claim a successful deployment with all involved. Part of this process is to decide on what variables will be used in the success criteria. Examples include end-user satisfaction, installation success, success of the Clean Access Agent rollout, help desk support success, and so on.
  • Work assignments for each phase. A critical component of ensuring a successful deployment phase is agreeing on and keeping track of who is doing what, where, and when. This is accomplished by creating a detailed work assignment plan. Your work assignments section in each deployment phase should list the following:

    — Individuals and departments involved. Indicate who the project or team lead is.

    — Contact information for all involved.

    — Scope of work to be accomplished by each individual.

    — Time frame for the work to be completed. If the time frame is long enough, it is beneficial to create milestone dates along the way.

    — If applicable, list the location at which the work will be completed.

  • Document deployment plan and results. This section will include the detailed deployment plan. This section should make up the majority of the documentation for a phase. After the deployment has been completed, the results should be documented here as well. Keeping track of the results will enable you to adjust your future plans and learn from the successes and failures.
  • Post-deployment review. After the successful completion of a deployment phase, you should bring together the key stakeholders for a post-deployment review. During this review process, be sure to document the following:

    — Overall success of deployment. Did you achieve your success criteria?

    — What worked well and what didn't.

    — The next steps or phase to be implemented.

    — Key stakeholders signing off on the completion of the deployment phase and approving the project's completion or moving forward with subsequent phases.

The remainder of this chapter defines in more detail the purpose of each phase in the sample deployment outline.

Proof of Concept Phase

The proof of concept phase is your testing phase. Use this phase to test the various features available in NAC Appliance. Testing will help you narrow down exactly what features you want to implement in your pilot and production rollouts. Be sure to have your testing environment mimic your real environment as much as possible. This will ensure that your test results will accurately reflect those you will find in your production environment. Use this phase to get comfortable with the NAC Appliance solution; be sure to test out each of the production scenarios you will be confronted with. Of course, document everything along the way. This documentation, especially any troubleshooting methods discovered, will be invaluable to you in subsequent phases of the deployment.

If possible, at the end of your POC phase, it is a good idea to rebuild the POC lab to the exact specifications you will have in your pilot phase. When that is complete, rebuild the POC lab to the specifications of each phase as you progress. In this way, the POC lab can serve as an ongoing testing lab for troubleshooting and verifying the viability of any configuration changes and new checks before putting them in production. The value of having a complete testing lab to use cannot be overstated.

Pilot Phase

The pilot phase will be the first limited production deployment of the NAC Appliance solution. This is where you apply all the knowledge you gained during the proof of concept phase. The pilot phase plan should use the proof of concept testing as a guide to decide what NAC Appliance features and deployment methods you want to use in your production environment. Subsequently, the pilot phase plan should mirror that production vision as much as possible—just on a much smaller scale. You should aim to keep the pilot phase only as big as it has to be for your team to test all the NAC Appliance features you decided on. Keep your pilot small, focused, and simple. A good pilot phase plan should have the following elements included:

  • A network deployment plan should be created. This will lay out all the networking changes that have to be made for the pilot phase rollout.
  • A NAC Appliance configuration plan should be created. This plan should include the specific NAC Appliance features, functions, and configuration settings that will be used.
  • A representative sampling of users, hosts, and network access types (for example, wireless, VPN, wired, and so on) should be incorporated. It is usually a good idea to include some nonuser devices, such as printers, in your pilot phase.
  • A host security policy guide should be used or created for the purposes of deciding what security checks NAC Appliance will enforce.
  • A NAC Appliance pilot phase support and help desk team should be created and trained. Be sure to keep your support team in the loop throughout the pilot phase—especially for any moves, adds, or changes to the pilot program. Your pilot phase participants should be educated on how and when to engage the support team.
  • A solid fallback plan should be created and shared with the support team and pilot participants, as relevant. This will allow the support team to quickly remove users from the pilot and recover from any business affecting outages. Any fallback plan available directly to end users will allow users to remove themselves from the pilot program in the event of a problem. End users should be instructed to alert the support team as quickly as possible of this condition.
  • A comprehensive, ongoing feedback plan should be created and implemented. Feedback is typically collected from all parties involved in the pilot phase. This includes any end users, support personnel, IT staff, and management that are directly or indirectly involved in the pilot.
  • A documentation strategy should be created and strictly adhered to. The more comprehensive your pilot phase documentation, the better. This will improve the execution of subsequent deployment phases.

The individuals and departments that you choose to take part in the pilot phase should:

  • Be located in a part of the network that makes the installation of the NAC Appliance solution feasible and straightforward.
  • Allow you to test all the features and functions that your production phases will require.
  • Be willing participants with some free time to dedicate to the pilot and the feedback process.

Here are a few other things you may need to consider when developing your pilot phase plan:

  • Consider how to deploy the Clean Access Agent to hosts. This might include using a systems management server system, the built-in web download mechanism, or some other means that allows you to install the agent on the pilot hosts.
  • Determine what authentication providers, host checks, host requirements, and user roles will be used in the pilot phase.
  • Come up with a common naming convention for checks, rules, and requirement names.
  • Determine what the traffic control and bandwidth policies will be for each user role.

Production Deployment Phases

Now that the pilot phase is complete, use the knowledge and experience gathered to decide what your final production deployment should look like. It is possible and likely that your organization will have multiple production deployments. For example, you might have a wireless production phase plan, a VPN production phase plan, and a wired OOB production phase plan. Each production deployment will be done on its own time schedule, and lessons learned from each should be applied to subsequent deployment plans.

The final production deployment should come in three phases:

  • Production Deployment Phase 1: Initial Introduction to User Community
  • Production Deployment Phase 2: Implementing Host Security Policy Checks Without Enforcement
  • Production Deployment Phase 3: Host Security Policy Enforcement

This staged approach allows you to identify and address issues before a final networkwide deployment.

Production Deployment Phase 1: Initial Introduction to User Community

Phase 1 includes the initial introduction of the NAC Appliance solution. This includes both the introduction into the network as well as the introduction to the general user community. During this phase, you will install the NAC Appliance Servers throughout your network environment and make all necessary network modifications. You will also install the Clean Access Agent on end-user hosts.

The NAC Appliance solution should be introduced with a very limited set of features enabled. It is recommended that phase 1 be limited to performing user authentication. If applicable, a user agreement page can also be added to this phase. No host posture assessment or checking should be included in this phase. This phase is designed to get users comfortable using the Clean Access Agent and web login process of authenticating to the network. It is also designed to minimize the amount of change that users deal with at one time. Given that this phase is heavy on the amount of network changes and the potential downtime involved with implementing NAC Appliance, it is a good idea to limit NAC Appliance to performing only user authentication. As a result, your support personnel and IT staff will have fewer things to support and troubleshoot.

All production deployment phases should include a comprehensive communication plan. This plan will alert end users and support staff to the upcoming changes they will experience. It should also include information on how end users can obtain NAC Appliance support.

Production Deployment Phase 2: Implementing Host Security Policy Checks Without Enforcement

Welcome to production deployment phase 2. During this phase, you will start to implement host posture assessment without enforcement. With the changes on the hosts and in the network completed, it is time to introduce host security policy checking. At this point, your users should be comfortable with the operation of the Clean Access Agent and web login. Any NAC Appliance solution kinks should have been worked out, and your environment should be stable before moving on to phase 2.

The goal of this phase is to gradually start implementing host security checks with remediation options. However, users are not yet forced to comply with or remediate any failed security checks. This will allow your user community to become familiar with the checking and remediation process but still have the flexibility to bypass it if necessary. The IT team can monitor the remediation progress users have made through the reporting mechanisms included in NAC Appliance Manager. This will also give you a way to ensure your remediation services are working as planned without affecting a user's ability to log on to the network.

This phase requires that you decide which security checks to start implementing and set up reliable remediation sources that users will use to self-patch their systems. This might include a Microsoft Windows Server Update Services system or a corporate AV system. In many cases, these remediation solutions will already be installed and ready to go. During this phase, users will be alerted by NAC Appliance that their hosts are not up to date and why. It is then up to the users to follow the remediation steps provided by NAC Appliance. Ideally, most users will start to follow these remediation steps and self-patch their systems. It is important that the security updates related to your first few security checks are easy for users to install and do not require users to reboot their machines after updating. You want the users' first few remediation experiences to be as positive as possible.

It is good practice to reach out to a few users who have not successfully remediated their systems up to this point. This research can be used to ensure that there are no endemic reasons users are not patching their systems. It may uncover hidden remediation issues that need to be addressed before you move to enforcement of host checks in phase 3. Before moving to the next phase, which involves moving from optional requirements to enforced requirements, your user community must be alerted to the upcoming enforcement. Common methods for communicating this are via e-mail, websites, message boards, flyers, and mailers. The goal is to alert users to remediate soon because, starting at a certain date, enforcement of checks will be applied. Users have to understand that if they do not remediate prior to enforcement, their network access will be limited until they comply.

Production Deployment Phase 3: Host Security Policy Enforcement

After a majority of users run through remediation and are comfortable with this process, it is safe to move to production deployment phase 3. This phase involves enforcing the previously introduced optional security checks. One of the action items for this phase will be to establish a time frame between when a security check is introduced as optional and when it is moved to enforced and required. This established time frame can then be used going forward for subsequent patch cycles from Microsoft and other vendors. By establishing a common time frame for NAC Appliance enforcement cycles, users will learn this process more quickly than if you use time frames that vary considerably from patch to patch. Of course, when the security risk of a patch is very high, the enforcement cycle should be shortened accordingly.

A critical component of this phase will be ensuring that the help desk personnel are prepared to support the potential influx of support calls from end users. Given the sheer number of operating system, patch level, and installed application combinations present on hosts today, it is almost inevitable that some users will experience trouble installing a required patch. Of course, all due diligence should be taken to thoroughly test each required patch before enforcing it using NAC Appliance.

NAC Appliance includes built-in rules for Microsoft hotfixes and several antivirus and antispyware software vendors. If you choose to use these built-in rules, you give up some of the flexibility of making new patches from these vendors optional before they become required. In effect, all requirements put together using the built-in rules will automatically start enforcing any new updates released by the supported vendors. This is because NAC Appliance checks with Cisco every hour to see whether the supported vendors have released any new patches. If NAC Appliance finds new updates, it automatically adds them to the existing security checks for that vendor. In some environments, this works well; in others, it can be a help desk nightmare. It is important to note that for antivirus vendor built-in rules, you can set your policy to allow the antivirus data file to be x days out of date before marking it out of compliance. Use the proof of concept phase and even the pilot phase to determine what works best for your environment.
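The phase 2 and phase 3 logic described above (checks that are optional with remediation advice first, then enforced after a fixed time frame, with an allowed age for the antivirus data file) can be shown as a small policy model. This is an added Python example written for this chapter; it is not NAC Appliance's own code or configuration. The hotfix names, hosts, dates, the 30-day optional window and the 7-day antivirus tolerance are constructed placeholders, and the date used as "today" is the start of production phase 3 in the sample schedule.

```python
"""Toy posture-assessment model of the optional -> enforced check lifecycle.

Constructed illustration, not NAC Appliance code. Requirement names and
hotfix identifiers are placeholders, not real vendor identifiers.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List

OPTIONAL = "optional"     # phase 2 behaviour: report the failure, offer remediation, never block
MANDATORY = "mandatory"   # phase 3 behaviour: limit access until the host complies


@dataclass(frozen=True)
class Host:
    """What an agent might report about one endpoint (constructed sample)."""
    user: str
    hotfixes: frozenset            # installed patch identifiers (placeholder names)
    av_definition_date: date       # date stamp of the antivirus data file


@dataclass(frozen=True)
class Requirement:
    name: str
    released: date                 # when the update was published / the check was introduced
    grace_days: int                # length of the optional window before enforcement
    passes: Callable[[Host], bool]  # returns True when the host satisfies the check


def effective_mode(req: Requirement, today: date) -> str:
    """A check is optional until its grace window closes, then mandatory.

    A shorter grace_days models the chapter's advice to shorten the cycle
    for high-risk patches.
    """
    enforce_from = req.released + timedelta(days=req.grace_days)
    return MANDATORY if today >= enforce_from else OPTIONAL


def hotfix_installed(hotfix: str) -> Callable[[Host], bool]:
    """Check builder: host must list the given (placeholder) hotfix."""
    return lambda host: hotfix in host.hotfixes


def av_definitions_fresh(max_age_days: int, today: date) -> Callable[[Host], bool]:
    """Check builder: the AV data file may be at most max_age_days old."""
    return lambda host: (today - host.av_definition_date).days <= max_age_days


def assess(host: Host, requirements: List[Requirement], today: date,
           enforcement_enabled: bool = True) -> Dict[str, object]:
    """Evaluate every check; only failed MANDATORY checks deny access.

    enforcement_enabled=False models production phase 2, where every
    failure is reported with remediation advice but nothing is blocked.
    """
    remediate_now: List[str] = []    # failed, enforced
    remediate_soon: List[str] = []   # failed, still optional
    for req in requirements:
        if req.passes(host):
            continue
        mode = effective_mode(req, today) if enforcement_enabled else OPTIONAL
        (remediate_now if mode == MANDATORY else remediate_soon).append(req.name)
    return {
        "user": host.user,
        "access": "denied" if remediate_now else "allowed",
        "remediate_now": remediate_now,
        "remediate_soon": remediate_soon,
    }


def compliance_report(hosts: List[Host], requirements: List[Requirement]) -> Dict[str, float]:
    """Phase 2 reporting: fraction of hosts passing each check, to track remediation progress."""
    return {req.name: sum(1 for h in hosts if req.passes(h)) / len(hosts) for req in requirements}


# Constructed sample data. TODAY is the phase 3 start date from the sample schedule.
TODAY = date(2007, 9, 21)
REQUIREMENTS = [
    Requirement("hotfix-A", date(2007, 8, 15), 30, hotfix_installed("HOTFIX-A")),
    Requirement("hotfix-B", date(2007, 9, 10), 30, hotfix_installed("HOTFIX-B")),
    Requirement("av-definitions", date(2007, 8, 15), 30, av_definitions_fresh(7, TODAY)),
]
HOSTS = [
    Host("alice", frozenset({"HOTFIX-A", "HOTFIX-B"}), date(2007, 9, 20)),
    Host("bob", frozenset({"HOTFIX-A"}), date(2007, 9, 1)),
    Host("carol", frozenset(), date(2007, 9, 19)),
]

if __name__ == "__main__":
    for h in HOSTS:
        print(assess(h, REQUIREMENTS, TODAY))
    print(compliance_report(HOSTS, REQUIREMENTS))
```

On 2007-09-21 the hotfix-A and antivirus checks have passed their 30-day window and are enforced, while hotfix-B (released 9/10) is still optional, so bob is denied for stale AV definitions but only advised about hotfix-B; running the same hosts with enforcement_enabled=False reproduces phase 2 behaviour, where everyone is allowed on and the compliance report is what the IT team watches to decide when phase 3 can begin.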

Summary

A solid, phased deployment plan agreed to by all relevant stakeholders is crucial to the success of a NAC Appliance deployment. The main phases are pre-deployment, proof of concept, pilot, and production. The production phase is divided into three subphases. This phased approach should ensure that your NAC Appliance deployment goes well. The sample deployment plan outlines given in this chapter are geared toward larger NAC Appliance environments but can be easily tailored to meet the needs of smaller organizations. It is also important to note that NAC Appliance deployment plans can vary greatly in scope, complexity, and content, and the ones presented to you in this chapter may or may not be appropriate for your environment. It is hoped that the deployment plans presented in this chapter have given you the information, best practice methods, and ideas necessary for you to develop your own customized plan. Overall, Cisco NAC Appliance is a relatively straightforward solution to deploy, but like most things worth doing well, it requires some forethought and planning. Always keep in mind that planning is vital but should not be so daunting in scope that it prevents actually doing something.
