Security Profiles
In ON CMDB -> Security profile we can create a new configuration object that the policy engine calls as a post condition. A Security Profile behaves like a security access list that is applied to the ingress port of any user for the duration of its network access.
There are two types of Security Profile:
Static (Step 1): the access list must already exist on the switch, and the policy engine only references it by name. In the example the access list is called DENY_DNS_GOOGLE.
Dynamic (Step 2): openNAC sends the access list entries themselves as a command to the network device, so no access list has to be provisioned on the switch beforehand.
The Security Profiles are defined in ON CMDB -> Security Profiles. They can be thought of as security access lists: each one allows or denies ingress traffic on the end-user access ports. Both types, Static and Dynamic, are created from this screen.
Static configuration:
Switch configuration on the network device (Cisco IOS syntax). IP device tracking is needed so the switch learns the IP address of the connected host, and the final permit is explicit because a Cisco ACL ends with an implicit deny:
ip device tracking
ip access-list extended DENY_DNS_GOOGLE
 deny ip any host 8.8.8.8
 permit ip any any
openNAC configuration: the Security Profile is set to DENY_DNS_GOOGLE (Step 3). This name must match the access list name on the switch exactly:
DENY_DNS_GOOGLE
Dynamic configuration:
Switch configuration on the network device. Only IP device tracking is required, because no access list is pre-provisioned on the switch:
ip device tracking
On the openNAC side, the access list entries are entered in the "Command" field of the Security Profile (Step 4), one entry per line in Cisco per-user ACL (cisco-avpair) syntax. The number after # gives the order in which the switch installs the entries:
ip:inacl#1=deny ip any host 8.8.8.8
ip:inacl#2=permit ip any any
In the example we have therefore defined two Security Profiles of different types. The dynamic profile carries the command that is sent to the network devices; here the ACL entries it sends deny one destination and allow the rest of the traffic on the user port. The static profile contains only the profile name (Step 3), and that name must match an ACL already defined on the network devices. In both cases, as soon as the user device connects to the network and the security policy is triggered, the Security Profile is sent to the network device via RADIUS.
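To make concrete what "sent via RADIUS" means for the two profile types, here is an added Python example; it is not part of the openNAC documentation or code. It assumes the conventional Cisco mapping: the static profile name travels in the RADIUS Filter-Id attribute (type 11) and each line of the dynamic Command field travels in a Vendor-Specific attribute (type 26, vendor 9, cisco-avpair sub-attribute 1). How openNAC itself encodes the profile is not stated on this page, so that mapping is an assumption, and the helper names and validation rules (sequential #N numbering, check for an explicit final permit) are the example's own. The sample values are the ones from the page.

```python
"""Encode openNAC Security Profiles as RADIUS attributes and decode them back.

Added example; assumes the Cisco convention (Filter-Id for a static ACL name,
cisco-avpair for dynamic per-user ACL lines). Not openNAC's own code.
"""
import re
import struct

# RADIUS attribute types (RFC 2865) and the Cisco vendor constants.
FILTER_ID = 11          # Filter-Id: names an ACL that already exists on the switch
VENDOR_SPECIFIC = 26    # Vendor-Specific: wraps a vendor sub-attribute
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1        # cisco-avpair sub-attribute, e.g. "ip:inacl#1=deny ip any host 8.8.8.8"

# Values taken from the page: the static profile name and the dynamic Command field.
EXAMPLE_STATIC_NAME = "DENY_DNS_GOOGLE"
EXAMPLE_COMMAND = "ip:inacl#1=deny ip any host 8.8.8.8\nip:inacl#2=permit ip any any"

INACL_RE = re.compile(r"^ip:inacl#(\d+)=(\S.*)$")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes, so max 255."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap one cisco-avpair string in a Vendor-Specific attribute."""
    payload = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return radius_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def static_profile_attrs(acl_name: str) -> list[bytes]:
    """Static profile: only the ACL name travels; the entries must exist on the switch."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", acl_name):
        raise ValueError(f"unexpected characters in ACL name: {acl_name!r}")
    return [radius_attr(FILTER_ID, acl_name.encode("ascii"))]


def dynamic_profile_attrs(command: str) -> list[bytes]:
    """Dynamic profile: every non-empty line of the Command field becomes one cisco-avpair.

    Entries must be numbered 1, 2, 3, ... in order, because the switch installs
    them by index; a gap or a repeated index is rejected here rather than on the switch.
    """
    lines = [ln.strip() for ln in command.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty Command field")
    for expected, line in enumerate(lines, start=1):
        m = INACL_RE.match(line)
        if not m or int(m.group(1)) != expected:
            raise ValueError(f"bad or out-of-order entry: {line!r}")
    return [cisco_avpair(line) for line in lines]


def ends_with_explicit_permit(command: str) -> bool:
    """A Cisco ACL ends with an implicit deny; a profile that only denies one host
    must finish with 'permit ip any any' or it drops all other traffic."""
    lines = [ln.strip() for ln in command.splitlines() if ln.strip()]
    return bool(lines) and lines[-1].endswith("=permit ip any any")


def decode_attrs(data: bytes) -> list[tuple[str, str]]:
    """Parse a run of attributes back into (name, value) pairs, as the switch would."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("truncated or malformed attribute")
        attr_type, length = data[0], data[1]
        value = data[2:length]
        if attr_type == FILTER_ID:
            out.append(("Filter-Id", value.decode("ascii")))
        elif attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            sub_value = value[6:4 + sub_len]
            if (vendor_id, sub_type) == (CISCO_VENDOR_ID, CISCO_AVPAIR):
                name = "cisco-avpair"
            else:
                name = f"vsa-{vendor_id}-{sub_type}"
            out.append((name, sub_value.decode("ascii")))
        else:
            out.append((str(attr_type), value.hex()))
        data = data[length:]
    return out


if __name__ == "__main__":
    for attrs in (static_profile_attrs(EXAMPLE_STATIC_NAME),
                  dynamic_profile_attrs(EXAMPLE_COMMAND)):
        wire = b"".join(attrs)
        print(wire.hex(), decode_attrs(wire))
    print("explicit final permit:", ends_with_explicit_permit(EXAMPLE_COMMAND))
```

Running it shows the difference between the two types on the wire: the static profile is a single 17-byte Filter-Id whose only content is the name, so the switch must already hold a matching ACL, while the dynamic profile is one 43-byte and one 36-byte Vendor-Specific attribute that carry the entries themselves. The numbering check and `ends_with_explicit_permit` are the two mistakes most likely to produce a profile that the switch accepts but that blocks far more than intended.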