Preparing Network
=================

When planning your Genian NAC deployment on your network, there are several
considerations:

- Where should the equipment be placed?
- How will it connect to my switches?
- How many pieces of equipment do I need?
- What ports do I need to open for Genians to communicate?

Wired Connectivity
------------------

The Policy Server should be connected directly to a Core Switch port configured
as an access port. The Network Sensor connects to an Edge Switch port, which
may be either an access port or an 802.1Q trunk port.

Switches
''''''''

Network Sensors must be able to see broadcast packets, so they must be
connected to all managed subnets.

**VLANs**

To monitor multiple VLANs (up to 128, 64 recommended) through a single port,
configure the switch port as an 802.1Q trunk and allow on it every VLAN you
wish to monitor. The sensor then receives each VLAN's broadcast traffic as
tagged frames on that one port.

The exact commands differ between switch vendors; for background on trunk
ports see `Trunked Switch Port`_.

Below are examples of configuring 802.1Q trunk ports for VLANs on common
switches. Each example adds VLANs 100 and 200 to port 48, configured with
802.1Q trunk encapsulation.

Cisco Switch

.. code-block:: bash

    Cisco(config)#interface gi1/0/48
    Cisco(config-if)#switchport trunk encapsulation dot1q
    Cisco(config-if)#switchport mode trunk
    Cisco(config-if)#switchport trunk allowed vlan add 100,200

``switchport trunk encapsulation dot1q`` exists only on platforms that also
support ISL (Catalyst 3560/3750, for example); on switches that speak only
802.1Q, such as the Catalyst 2960, the command is absent and is skipped. Note
also that ``allowed vlan add`` appends to the current allowed list, and the
default list on a new trunk is every VLAN. To carry only the monitored VLANs
to the sensor, set the list explicitly by omitting ``add``, then confirm with
``show interfaces gi1/0/48 trunk``. Pruning matters: a trunk that carries
every VLAN exposes all of them to whatever is plugged into that port.

HP Switch

.. code-block:: bash

    Procurve(config)#vlan 100
    Procurve(config)#tagged 48
    Procurve(config)#vlan 200
    Procurve(config)#tagged 48
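
Once the trunk is configured, confirm from the sensor side that tagged frames
for every monitored VLAN actually arrive. The following added example (not
Genian NAC code, and not tied to any vendor CLI) parses raw Ethernet frames,
extracts the 802.1Q tag stack, and reports which expected VLAN IDs were never
seen. It goes a little beyond the text: it also handles 802.1ad (QinQ) outer
tags and counts untagged frames, which is how the trunk's native VLAN shows
up. The sample frames are constructed by hand; on a real sensor you would feed
it frames captured on the trunk-facing NIC.

```python
"""Report which 802.1Q VLAN IDs actually arrive on a sensor's trunk port.

Added example, not Genian NAC code. Frames below are constructed by hand;
in practice feed it frames captured on the sensor's trunk-facing NIC.
"""
import struct

TPID_8021Q = 0x8100    # customer (C-) tag
TPID_8021AD = 0x88A8   # service (S-) tag used as the outer tag in QinQ
TPID_LEGACY = 0x9100   # older outer-tag value still seen on some gear
TAG_TPIDS = (TPID_8021Q, TPID_8021AD, TPID_LEGACY)


def parse_vlan_stack(frame):
    """Return (vids, ethertype): VIDs outermost first; [] means untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vids = 12, []             # skip destination and source MAC
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            return vids, ethertype
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)     # VID is the low 12 bits of the TCI
        offset += 4


def build_frame(vids, ethertype=0x0806, payload=b"\x00" * 28):
    """Constructed frame with the given tag stack (default: ARP payload)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    tags = b""
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (i == 0 and len(vids) > 1) else TPID_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def vlan_report(frames, expected):
    """Count frames per outer VID and list expected VIDs never seen."""
    seen, untagged = {}, 0
    for frame in frames:
        vids, _ = parse_vlan_stack(frame)
        if not vids:
            untagged += 1             # native VLAN: arrives without a tag
            continue
        seen[vids[0]] = seen.get(vids[0], 0) + 1
    return {"seen": seen,
            "missing": sorted(set(expected) - set(seen)),
            "untagged": untagged}


# Constructed sample: two frames on VLAN 100, one on 200, one untagged
# (native VLAN), one QinQ frame with S-tag 300 carrying C-tag 10.
SAMPLE_FRAMES = [build_frame([100]), build_frame([100]), build_frame([200]),
                 build_frame([]), build_frame([300, 10])]
EXPECTED_VLANS = {100, 200, 300, 400}

if __name__ == "__main__":
    print(vlan_report(SAMPLE_FRAMES, EXPECTED_VLANS))
```

A non-empty ``missing`` list means either the VLAN is not on the trunk's
allowed list or nothing on that VLAN has sent a broadcast during the capture
window; a non-zero ``untagged`` count tells you the native VLAN's subnet is
being delivered untagged, so on the sensor it belongs to the base interface
(ethX) rather than a VLAN sub-interface.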

**SNMP**

Genians supports SNMP versions 1, 2c and 3. While collecting information about
a node, the Network Sensor first uses the read-only community string to check
whether the node answers SNMP at all. If it does, the sensor determines
whether the node is a switch by querying it for BRIDGE-MIB support. The
read-write community string is used to change switch configuration, namely
setting port descriptions and shutting down switch ports. SNMP is also used
for additional functions such as collecting information from wireless
controllers and detecting device platform information.

Keep in mind that SNMPv1 and v2c community strings cross the network in
cleartext, and the read-write string is powerful enough to disable ports.
Prefer SNMPv3 with authentication and privacy where the switches support it,
and restrict SNMP access on the switches to the sensor's addresses.

.. note:: Be sure to add the Network Sensor's address to the SNMP access lists
   of all switches in the same network segment, and grant the SNMP users/groups
   the necessary permissions (views) to read all OIDs. For more info see:
   :doc:`../monitoring/switch/browsing-switchports`
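
The switch test described above, as an added example that is not Genian NAC's
own discovery code: it hand-encodes an SNMPv2c GetRequest for
dot1dBaseBridgeAddress.0 (BRIDGE-MIB, OID 1.3.6.1.2.1.17.1.1.0) and classifies
the reply. A real value means the node is a bridge/switch; an SNMPv2
exception (noSuchObject/noSuchInstance) or a v1-style non-zero error-status
means the node speaks SNMP but is not one. The replies in the block are
constructed by hand to stand in for a real agent; ``probe()`` sends the
request over UDP/161 when you have network access. Encoding the packet
yourself also makes the security point visible: the community string sits in
the clear in the bytes.

```python
"""Encode an SNMPv2c GET for BRIDGE-MIB and classify the reply.

Added example, not Genian NAC's discovery code. It performs the check the
text describes: ask for dot1dBaseBridgeAddress.0 (BRIDGE-MIB, OID
1.3.6.1.2.1.17.1.1.0); a real value means the node is a bridge/switch.
The replies used below are constructed by hand.
"""
import socket

BRIDGE_ADDR_OID = (1, 3, 6, 1, 2, 1, 17, 1, 1, 0)   # dot1dBaseBridgeAddress.0
SNMP_EXCEPTIONS = (0x80, 0x81, 0x82)  # noSuchObject, noSuchInstance, endOfMibView

def _tlv(tag, body):
    """BER TLV (short-form length below 128, long form otherwise)."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _int(v):   # BER INTEGER, minimal two's-complement length
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _oid(arcs):
    """BER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)

def _message(community, pdu_tag, request_id, error_status, varbind):
    pdu = _tlv(pdu_tag, _int(request_id) + _int(error_status) + _int(0)
               + _tlv(0x30, varbind))
    # version field 1 == SNMPv2c; the community string is sent in cleartext
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)

def build_get(community, oid=BRIDGE_ADDR_OID, request_id=0x1234):
    """GetRequest-PDU (0xA0) with one {oid, NULL} varbind."""
    return _message(community, 0xA0, request_id, 0,
                    _tlv(0x30, _oid(oid) + _tlv(0x05, b"")))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def bridge_mib_supported(response):
    """True only if the GetResponse carries a real value for the OID asked."""
    tag, msg, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, p = _read_tlv(msg, 0)                 # version
    _, _, p = _read_tlv(msg, p)                 # community
    tag, pdu, _ = _read_tlv(msg, p)
    if tag != 0xA2:                             # must be a GetResponse-PDU
        return False
    _, _, p = _read_tlv(pdu, 0)                 # request-id
    _, err, p = _read_tlv(pdu, p)               # error-status
    if int.from_bytes(err, "big", signed=True) != 0:
        return False                            # v1-style noSuchName etc.
    _, _, p = _read_tlv(pdu, p)                 # error-index
    _, vbl, _ = _read_tlv(pdu, p)               # varbind list
    _, vb, _ = _read_tlv(vbl, 0)                # first varbind
    _, _, p = _read_tlv(vb, 0)                  # its OID
    vtag, val, _ = _read_tlv(vb, p)             # its value
    # NULL (0x05) or an SNMPv2 exception means the agent has no BRIDGE-MIB
    return vtag != 0x05 and vtag not in SNMP_EXCEPTIONS and len(val) > 0

def probe(host, community="public", timeout=2.0):
    """Send the GET to UDP/161 and classify the node (needs network access)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_get(community), (host, 161))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return "no SNMP response"
    finally:
        s.close()
    return "switch (BRIDGE-MIB)" if bridge_mib_supported(data) else "SNMP node, not a bridge"

# Constructed replies standing in for what a real agent would send back.
def _reply(value_tlv, error_status=0):
    return _message("public", 0xA2, 0x1234, error_status,
                    _tlv(0x30, _oid(BRIDGE_ADDR_OID) + value_tlv))

SWITCH_REPLY = _reply(_tlv(0x04, bytes.fromhex("001122334455")))  # bridge MAC
HOST_REPLY = _reply(bytes([0x80, 0x00]))                           # noSuchObject
V1_STYLE_REPLY = _reply(_tlv(0x05, b""), error_status=2)           # noSuchName
```

``probe("10.0.0.2", "public")`` from the sensor's segment reproduces the
classification; the request-id is fixed here for readability, but a real
client should randomise it so replies can be matched to requests.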

WAN
'''

If you have more than one location connected over WAN technologies, a Network
Sensor is required at each location: broadcast traffic does not cross a
routed WAN link, so a sensor at one site cannot see the subnets at another.

Wireless Connectivity
---------------------

A Network Sensor with a wireless NIC is used to detect wireless packets and
identify SSIDs both internal to your network and external (neighboring) to it.
Placement of the Network Sensor with a wireless NIC is critical: do not put it
in a data closet, where it will only detect the SSIDs near that closet. Place
it centrally, where it can detect the majority of the SSIDs around it.

Firewall Requirements
---------------------

The following connections must be allowed for Genian NAC to function properly.

On-Premise
''''''''''

+-------------------+----------------------------------------------+---------------------------------+------------------------------------------------------+
| SRC IP            | DST IP                                       | Service                         | Note                                                 |
+===================+==============================================+=================================+======================================================+
| Policy Server IP  | | 54.81.159.137                              | | TCP/443                       | | Sign-in to www.genians.com (*On-Prem Only*)        |
|                   | | d1s536j2uzv1h7.cloudfront.net (IP may vary)| | TCP/443                       | | Download Updated Software Image (*On-Prem Only*)   |
|                   | | Log-Server                                 | | TCP/9200~9300, TCP/9300~9400  | | Log-Server                                         |
|                   | | DB-Server                                  | | TCP/3306                      | | Database                                           |
|                   | | Network Sensor IP, PC IP(Agent)            | | UDP/3871                      | | KeepAlive, Send Event                              |
|                   | | https://alarm.geninetworks.com             | | TCP/443                       | | Alarm Service                                      |
|                   | | https://alarm2.geninetworks.com            | | TCP/443                       | | Alarm Service                                      |
|                   | | https://geniupdate.geninetworks.com        | | TCP/443                       | | GenianData Update                                  |
|                   | |                                            | |                               | | **GENIAN Data** Update (*On-Prem Only*)            |
|                   | | https://cmupdate.geninetworks.com          | | TCP/443                       | | GenianData Update(Global)                          |
|                   | | https://techlab.geninetworks.com           | | TCP/80, TCP/443               | | Platform false positive report/non-detection report|
|                   | | https://pi-api.genians.com                 | | TCP/443                       | | Genian DPI                                         |
|                   | | https://api.genians.com                    | | TCP/443                       | | Join Us Login Feature                              |
+-------------------+----------------------------------------------+---------------------------------+------------------------------------------------------+
|                   | |                                            | |  Various services on          | |  See UI under System > Services > Port             |
| Network Sensor IP | | Policy Server IP/FQDN                      | |  unique ports                 | |                                                    |
|                   | |                                            | |                               | |                                                    |
+-------------------+----------------------------------------------+---------------------------------+------------------------------------------------------+
| PC IP (Agent)     | |                                            | |  UDP/3870                     | |   Keep Alive                                       |
|                   | | Policy Server IP/FQDN                      | |  TCP/80, TCP/443              | |   Update Information/Policy                        |
|                   | |                                            | |  TCP/8000                     | |   Windows Update                                   |
+-------------------+----------------------------------------------+---------------------------------+------------------------------------------------------+
| Management PC     | | Policy Server IP, Network Sensor IP        | | TCP/3910                      | | SSH Console                                        |
|                   | | Policy Server IP                           | | TCP/8443                      | | WEB Console                                        |
+-------------------+----------------------------------------------+---------------------------------+------------------------------------------------------+

.. note:: **GENIAN Data**: the On-Premise Policy Server must be allowed to reach
          this service to receive the weekly/monthly updates for the Platform
          Detection DB, CVE data and NIC vendor list.

Cloud Managed
'''''''''''''

+-------------------+----------------------------------------------+---------------------------+------------------------------------------------------+
| SRC IP            | DST IP                                       | Service                   | Note                                                 |
+===================+==============================================+===========================+======================================================+
| Policy Server IP  | | 3.34.24.101                                | | TCP/80, TCP/443         | | Platform false positive report/non-detection report|
|                   | | Network Sensor IP, PC IP(Agent)            | | UDP/**UNIQUE PORT**     | | KeepAlive, Send Event                              |
+-------------------+----------------------------------------------+---------------------------+------------------------------------------------------+
|                   | | Policy Server IP/FQDN                      | | UDP/**UNIQUE PORT**     | |  Keep Alive                                        |
| Network Sensor IP | |                                            | | TCP/80, TCP/443         | |  Update Information/Policy                         |
+-------------------+----------------------------------------------+---------------------------+------------------------------------------------------+
| PC IP (Agent)     | |                                            | | UDP/**UNIQUE PORT**     | |  Keep Alive                                        |
|                   | | Policy Server IP/FQDN                      | | TCP/80, TCP/443         | |  Update Information/Policy                         |
|                   | |                                            | | TCP/8000                | |  Windows Update                                    |
+-------------------+----------------------------------------------+---------------------------+------------------------------------------------------+
| Management PC     | Network Sensor IP                            | TCP/22                    |   SSH Console                                        |
+-------------------+----------------------------------------------+---------------------------+------------------------------------------------------+

.. note:: **UNIQUE PORT:** Specific Port Info for the Cloud Managed Policy
          Server can be found in the Web Console by selecting **System** on the
          top panel, and then selecting **Service > Port** from the left menu
          bar.

.. note:: **Keep Alive** traffic is sent from all Sensor interfaces, including
          VLAN interfaces (ethX and ethX.Y), so firewall rules for the
          keep-alive port must accept every sensor interface address as a
          source, not only the sensor's management address.
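
A pre-flight check for the firewall requirements in the two tables above, as
an added example rather than a Genian-supplied tool. It parses the service
notation the tables use (``TCP/9200~9300``, ``UDP/3871``), probes each TCP
destination from the host you run it on, and reports what is blocked. Only
TCP is probed, because a UDP keep-alive port cannot be confirmed with a
connect; UDP rows are listed for manual verification on the firewall. The
``FLOWS`` list is a constructed subset of the on-premise table with
placeholder hostnames (``*.example.internal``) that you replace with your own.

```python
"""Pre-flight check of the firewall requirements listed above.

Added example, not a Genian tool. FLOWS is a constructed subset of the
on-premise table with placeholder hostnames; replace them with yours and
run it from the Policy Server. Only TCP services are probed, since a UDP
keepalive port cannot be confirmed with a connect; UDP rows are listed
for manual verification on the firewall.
"""
import re
import socket

_SERVICE_RE = re.compile(r"(TCP|UDP)/(\d+)(?:~(\d+))?")


def parse_service(spec):
    """'TCP/9200~9300, UDP/3871' -> [('TCP', 9200, 9300), ('UDP', 3871, 3871)]."""
    out = []
    for proto, lo, hi in _SERVICE_RE.findall(spec):
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in {spec!r}")
        out.append((proto, lo, hi))
    if not out:
        raise ValueError(f"unparseable service spec {spec!r}")
    return out


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:               # refused, unreachable, timed out, no DNS
        return False


def preflight(flows, probe=tcp_open):
    """Return (dst, proto, port, status) per probed port.

    'probe' is injectable so the logic runs without a network. A TCP range
    such as 9200~9300 is probed at both ends only, which catches a firewall
    that allows a single port where a range was needed; sweep the full
    range if your ruleset is per-port.
    """
    results = []
    for dst, spec, _note in flows:
        for proto, lo, hi in parse_service(spec):
            if proto == "UDP":
                results.append((dst, proto, lo, "udp: verify on firewall"))
                continue
            for port in sorted({lo, hi}):
                status = "open" if probe(dst, port) else "BLOCKED"
                results.append((dst, proto, port, status))
    return results


def blocked(results):
    """Just the rows that need a firewall change."""
    return [r for r in results if r[3] == "BLOCKED"]


# Constructed subset of the on-premise table; hostnames are placeholders.
FLOWS = [
    ("log-server.example.internal", "TCP/9200~9300, TCP/9300~9400", "Log-Server"),
    ("db-server.example.internal", "TCP/3306", "Database"),
    ("sensor-1.example.internal", "UDP/3871", "KeepAlive, Send Event"),
    ("geniupdate.geninetworks.com", "TCP/443", "GenianData Update"),
]

if __name__ == "__main__":
    rows = preflight(FLOWS)
    for row in rows:
        print("%-32s %s/%-5d %s" % row)
    raise SystemExit(1 if blocked(rows) else 0)
```

Run it from the Policy Server for the Policy Server rows, and from a sensor or
an agent host for the rows where those are the source, since the firewall
decision depends on the source address as much as on the destination port.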

.. _Trunked Switch Port: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=7