Policy examples

Below are several policy examples:

In these columns, each icon represents a precondition or postcondition of the rule, as highlighted by the orange square.

../../../_images/policy_sample.PNG

Administrators can use tags as a user precondition. Some available tags are listed in ref:Tags table<tags_table>.

Sensor BCN

This rule is created to identify all user devices learned by the openNAC Sensor.

At step 1 we see that the policy applies the switch default VLAN.

At step 2 the auto-learn capability is enabled for the policy engine, meaning that any user device matching the policy will be registered in the CMDB.

At step 3 an auto-learn tag is defined, allowing user devices to be tagged during the policy evaluation process.

../../../_images/policy_sample1.PNG

The Visibility source contains the information collected by the openNAC Sensor.

../../../_images/policy_sample1_1.PNG

Test VLAN

This rule is created for testing on the Hotspot network.

At step 1 we see that only the user device with MAC address 78:E7:D1:01:8B:88 is allowed.

At step 2 the service VLAN assigned to the Hotspot network is applied dynamically.

../../../_images/policy_sample2.PNG

Palo Alto scan port threat detected

This rule is created to send malicious user devices to the Quarantine network. See ref:Palo Alto Passive integration<passive_integration_ngfw>.

At step 1 we see that the user devices tagged as SAM_THREAT_SCAN are selected. This tag is received from a Palo Alto firewall with the IPS module enabled: when the IPS detects malicious behavior (a port scan) from a user device IP, the information is sent to openNAC Core and the device is tagged.

At step 2 a Quarantine VLAN is assigned dynamically.

../../../_images/policy_sample3.PNG

Switch monitor

This rule is created for monitoring RADIUS services: the switch uses a user called monitor to check whether RADIUS is available.

At step 1 a user created in the openNAC local user database is selected; remember that Active Directory can also be used.

At step 2 dynamic VLAN assignment is not used; the switch default VLAN applies.

../../../_images/policy_sample4.PNG

VPN & Corp Device

This rule is created to provide network access for VPN attempts; no dynamic IP or VLAN is assigned.

At step 1 user devices tagged as CDT_CORPORATE_DEVICE are selected. This is an example of using a user-device tag, but it is not mandatory; the tag was inserted earlier by another profiling rule and is included in the CMDB. Remember that tags can be added/generated manually or automatically.

At step 2 the VPN authentication method is enabled to allow VPN authentication attempts. This enables VPN as a source of information for openNAC, using the RADIUS configuration files; the VPN peers and their pre-shared keys must be taken into consideration.

../../../_images/policy_sample5.PNG

VPN, No Corporate Device & AV Enable

This rule is created to provide network access for VPN attempts from non-corporate devices, requiring AV to be enabled on the end-user device.

At step 1 user devices tagged as ISS_AV_ENABLED are selected. This tag is included in the CMDB; in this case it is generated automatically through the openNAC Agent inventory scans. For more information see ref:openNAC agent<usersideconfig>.

At step 2 the VPN authentication method is enabled to allow VPN authentication attempts.

../../../_images/policy_sample6.PNG

VPN Deny

This rule is created to deny network access from VPN for any user device (corporate or not) without AV enabled. In this case there is no specific precondition (end-user tags), so it is assumed that AV is disabled.

Remember that the policy engine evaluates policies top-down: once a rule matches the conditions, the following rules are not evaluated. This lets us define a policy before this one that checks whether AV is enabled; after that check, a rule like this one (VPN Deny) can assume that AV is disabled.

At step 1 the VPN source is selected to allow VPN authentication attempts.

At step 2 dynamic VLAN assignment takes place; in this case VLAN ID 4095 is sent, which denies access.

../../../_images/policy_sample7.PNG
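To make the top-down, first-match behaviour of the three VPN rules concrete, here is a small model of the evaluation described above. It is an added example, not openNAC code: the rule names, tag names and the VLAN ID 4095 convention come from this page, while the Request and Rule classes, the request format and the evaluate function are this example's own simplification.

```python
from dataclasses import dataclass, field
from typing import Optional

DENY_VLAN = 4095  # the page uses VLAN ID 4095 as "access denied"


@dataclass
class Request:
    """One authentication attempt as seen by the policy engine (constructed format)."""
    source: str                               # e.g. "VPN" or "MAB"
    user: str = ""
    tags: set = field(default_factory=set)    # user-device tags held in the CMDB


@dataclass
class Rule:
    name: str
    preconditions: dict                       # keys used here: source, user, tags
    vlan: Optional[int] = None                # None = no dynamic VLAN (switch default)
    add_tags: set = field(default_factory=set)  # postcondition: tag the device


def matches(rule: Rule, req: Request) -> bool:
    pre = rule.preconditions
    if "source" in pre and req.source != pre["source"]:
        return False
    if "user" in pre and req.user != pre["user"]:
        return False
    return pre.get("tags", set()) <= req.tags   # every required tag must be present


def evaluate(policy, req: Request):
    """Top-down, first match wins: once a rule matches, later rules are skipped."""
    for rule in policy:
        if matches(rule, req):
            req.tags |= rule.add_tags             # apply the tag postcondition
            return rule.name, rule.vlan
    return None, None


def is_denied(vlan: Optional[int]) -> bool:
    return vlan == DENY_VLAN


# The VPN rules in the order the page presents them. VPN Deny has no tag
# precondition, so it only behaves as intended because it sits last.
VPN_POLICY = [
    Rule("VPN & Corp Device", {"source": "VPN", "tags": {"CDT_CORPORATE_DEVICE"}}),
    Rule("VPN, No Corporate Device & AV Enable", {"source": "VPN", "tags": {"ISS_AV_ENABLED"}}),
    Rule("VPN Deny", {"source": "VPN"}, vlan=DENY_VLAN),
]

if __name__ == "__main__":
    for req in (Request("VPN", tags={"CDT_CORPORATE_DEVICE"}),   # constructed attempts
                Request("VPN", tags={"ISS_AV_ENABLED"}),
                Request("VPN")):
        print(sorted(req.tags), "->", evaluate(VPN_POLICY, req))
```

Reversing VPN_POLICY shows why order matters: with VPN Deny first, even the corporate device is sent VLAN 4095.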

Printers

This rule is created to allow access to authorized printers; MAC authentication bypass is used. Printers are tagged as CDT_ALLOWED_PRINTER.

At step 1 printer devices tagged as EPT_PRINTER are selected.

../../../_images/policy_sample9.PNG

At step 2 a plugin is used as a postcondition. The Discover plugin allows openNAC to get more information about every single asset; the collected information is used for different purposes, such as profiling rules. See ref:Discover Plugin<discover_plugin>.

../../../_images/policy_sample9_1.PNG

Corporate Devices

This rule is created to identify corporate devices using Active Directory workstation accounts: if the workstation is a member of the Windows domain, it is tagged as CDT_CORPORATE_DEVICE. A supplicant host is used for that purpose.

At step 1 Supplicant Host is activated as the authentication method.

At step 2 a VLAN is assigned dynamically; in this case the ID is 530.

At step 3 a user-device tag named CDT_CORPORATE_DEVICE is assigned; this plugin adds the tag to the matching user devices.

At step 4 the user devices detected by the policy engine are automatically registered in the openNAC CMDB.

At step 5, to ensure that not only devices registered through “Auto Learn of User devices” get the CDT_CORPORATE_DEVICE tag, any already registered device is tagged as well if all preconditions match. More information about plugins: ref:Plugins<confvars_plugins>.

../../../_images/policy_sample11.PNG

Corp. User Corp. Device

This rule is created to allow access from WiFi for user devices defined as corporate devices, assigning a VLAN dynamically and using Active Directory credentials. The LDAP filter used is memberOf (membership of a group in Active Directory); VPN Group is the group name.

At step 1 the use of the LDAP UDS (User Data Source) is activated.

At step 2 the Active Directory group (LDAP filter) to be used is defined.

At step 3 the user-device tag named CDT_CORPORATE_DEVICE is required, so the policy only matches devices carrying it.

At step 4 it is defined that only access points tagged as NDT_AP will match and be allowed.

At step 5 a VLAN ID is assigned dynamically; in this case it is a service VLAN with ID 530.

../../../_images/policy_sample12.PNG

At step 6 Supplicant Certificate and Supplicant User are defined as authentication methods.

At step 7 a plugin that runs commands is called; it searches for an installed product and tags the device accordingly. This tag can be used by other policies.

../../../_images/policy_sample13.PNG

Unregistered Devices

This rule is created to register any device. The captive portal can be used to register new personal devices if a BYOD policy is in place pre-authentication, or to manage guest access.

At step 1 any unregistered device is selected.

At step 2 the orange square defines that any authentication method will be accepted by the policy engine.

At step 3 a dynamic VLAN assignment is configured; in this case it is the registry VLAN with ID 529, which will be sent to the switches.

../../../_images/policy_sample14.PNG

Guest Users and Corporate Devices

This rule is created to manage guest access using a corporate device. A user called guestuser is created in the local database; in this case the corporate device is authenticated with MAB.

At step 1 the user called guestuser is selected.

At step 2 the set of user devices tagged CDT_CORPORATE_DEVICE is selected.

At step 3 MAB (MAC Authentication Bypass) is allowed as the authentication method.

At step 4 a dynamic VLAN assignment is configured; in this case it is a service VLAN with ID 530.

../../../_images/policy_sample15.PNG

MAB deny

This rule is created to match all MAB-based authentication attempts and deny access; it also gives us a very useful record of authentication failures.

At step 1 MAB (MAC Authentication Bypass) is enabled.

At step 2 VLAN ID 4095 is sent automatically, which means access is denied.

../../../_images/policy_sample16.PNG