Chapter 2. Introducing Cisco Network Admission Control Appliance

This chapter covers the following topics:

The primary goal of Cisco Network Admission Control (NAC) Appliance is to proactively enforce corporate host security policies on users and hosts accessing the network. A primary advantage of this solution is enabling ubiquitous user authentication at the network layer, and then using that information to grant network access based on the user's identity and characteristics of the device. For example, all guest users receive only limited Internet access and no internal access. Cisco NAC can leverage existing security technologies, such as antivirus, antispam, and operating system updaters to ensure that user machines are current with the latest patches. Cisco NAC can also collaborate with the network infrastructure to identify, assess, and authorize users according to the compliance status of the user's PC.

Cisco NAC Approaches

Cisco offers NAC as an appliance or as an embedded solution for an 802.1x-enabled infrastructure. This book focuses strictly on the appliance-based approach, but it may be helpful for the reader to understand the high-level differences between the two approaches.

NAC as an Appliance

Cisco NAC Appliance (formerly known as Cisco Clean Access) comes from the Cisco 2004 acquisition of Perfigo. NAC Appliance was designed as a self-contained NAC solution, able to authenticate, posture assess, quarantine, and remediate without the need to tie in multiple products from various certified vendors. Due to its rapid and flexible deployment capabilities, NAC Appliance has attained a 45 percent market share, according to a November 2006 Frost & Sullivan report. See Figure 2-1 for the components and architecture of NAC Appliance.

Figure 2-1. NAC Appliance Components


A NAC Appliance solution consists of NAC Appliance Manager (NAM), NAC Appliance Server (NAS), and NAC Agent (also known as Cisco Clean Access [CCA] Agent). This book provides more detail on each of these components throughout later chapters. For now, simply keep in mind that NAC Manager is the back-end central policy server hosting the user credentials and NAC policies. NAC Server is the workhorse of the NAC Appliance solution because it performs all authentication activities and enforces the user policies. You can think of NAC Server as a policy firewall. The free NAC Agent gathers username and password, antivirus, antispyware, and operating system hotfix information from the user's machine and delivers it to NAC Server and NAC Manager.

User authentication occurs in two ways: agent and agentless (via web browser). The agent is the ideal and most effective use of NAC Appliance because the installed agent can easily read the details of the antivirus, antispyware, and operating system information via the registry. The agentless or web browser redirect authentication process can authenticate a user and scan the user's machine via the built-in Nessus scanner in NAC Server. Assuming that agentless machines do not have personal firewalls enabled, the Nessus scanner is effective in checking for current vulnerabilities.

Many customers see the primary strength of NAC Appliance as its off-the-shelf packaging with little customization required for deployment. NAC Appliance's proven flexibility in a myriad of network environments has led a majority of Cisco customers to quickly and successfully deploy a Cisco NAC Appliance solution.

NAC as an Embedded Solution

The initial Cisco vision of NAC, first introduced in 2003, leverages the Cisco IOS in Cisco routers and switches to deliver the NAC functionality. Also referred to as NAC Framework, it comprises Cisco Access Control Server (ACS), Cisco routers and switches, and an endpoint software agent called Cisco Trust Agent (CTA). To assist with posture assessment, device auditing, and software remediation, the embedded NAC solution relies on third-party software via application programming interfaces (APIs). Third-party security software, such as antivirus and antispam programs from Symantec, McAfee, TrendMicro, and so on, is installed to protect the endpoints. These security applications use APIs to report their software version and status to Cisco Trust Agent. Cisco Trust Agent, acting as an application broker, collects the required software information regarding the machine and reports to Cisco ACS, which is the back-end authentication and policy server. See Figure 2-2 for components of the embedded NAC approach.

Figure 2-2. Embedded NAC Components


Based on the posture information provided by CTA, ACS compares the received information against its configured policies and informs the appropriate network device, such as a router or switch, to quarantine, permit, or deny network access. This process works well for PCs capable of running CTA. For devices incapable of running CTA (considered non-NAC-responsive devices), such as IP phones or network printers, NAC Framework allows for third-party auditing servers (for example, Qualys or Foundstone, now McAfee) to perform an audit of non-NAC-responsive devices to determine the device type and its appropriate network access privileges. After the third-party auditing servers determine which devices on the network are printers, they can inform the routers or switches through ACS to assign those printers into the appropriate printer access role. For further details about the Cisco embedded approach to NAC, refer to http://www.cisco.com/go/nac/framework or Cisco Network Admission Control Volume 1: NAC Framework Architecture and Design from Cisco Press.

The embedded NAC approach is an elegant and deeply customizable technology, but the appliance-based approach is faster to deploy. Cisco recently introduced an integrated implementation strategy that combines the benefits of both approaches.

Note

This book does not cover the embedded (framework) NAC solution.

Cisco NAC Integrated Implementation

Cisco recently finalized a roadmap for an integrated implementation that enables both the NAC Appliance and embedded NAC approaches to interoperate within the same network. An existing example of this model is the Cisco firewall offering in both Cisco IOS routers and switches and dedicated appliances. Some customers deploy both IOS firewalls and dedicated firewall appliances as part of their defense-in-depth strategy. The integrated NAC implementation allows existing NAC Appliance or embedded NAC customers to preserve their existing investments without having to worry about the long-term viability of either NAC approach. The goal of Cisco is to provide interoperability and coexistence of either NAC approach where required. This integrated implementation is slated for availability in 2008. Contact your local Cisco account team for the latest developments.

Cisco NAC Appliance Overview

The leading Cisco NAC offering is Cisco NAC Appliance (formerly known as Cisco Clean Access). Cisco NAC Appliance is the focus of this book. Cisco NAC Appliance is an easily deployable NAC solution that leverages the existing Cisco network infrastructure to enforce network security policies and software compliance. NAC Appliance can authenticate a user or device and perform posture assessment before granting access to the network. Devices such as PCs found to be missing the latest required OS patch or antivirus and antispyware definition can be quarantined and remediated through the self-remediation process before assigning them an appropriate user access role. A key strength of NAC Appliance is its ability to dynamically assign user roles based on the posture of the PC or device. If an employee PC complies with corporate software policies, that PC can be placed in an employee role with full network access. If a guest user joins the network, that guest user is placed in the guest role with only limited guest access privileges such as web access only. Devices such as printers or IP phones typically do not respond to NAC and thus can bypass NAC and be placed in their appropriate network roles.
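The role-assignment flow described in this overview and in the component description earlier (authenticate the user, assess the posture the agent or scan reports, quarantine non-compliant PCs, and let non-NAC-responsive devices bypass NAC through an exception list) can be modelled as a small policy engine. The following is an added, illustrative example written for this chapter; it is not Cisco's code and does not reflect how NAC Manager stores or evaluates its policies. The check names, the minimum definition date, the hotfix identifiers, the OUI exception prefixes, and the assumption that guests skip posture checks are all constructed for the example.

```python
"""Illustrative posture-to-role policy engine (added example, not NAC Appliance code).

Models the decision described in the chapter: exception devices bypass NAC,
unauthenticated endpoints get nothing, guests get a restricted role, and
employee PCs are either admitted or quarantined with a list of what to fix.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Posture:
    """What an agent or scan reported about the endpoint (constructed fields)."""
    av_definitions_date: Optional[str]   # ISO date of the AV definition file, None if no AV
    antispyware_installed: bool
    os_hotfixes: FrozenSet[str]          # installed OS hotfix identifiers


@dataclass
class Endpoint:
    mac: str
    username: Optional[str]              # None if no credentials were presented
    user_group: Optional[str]            # "employee" or "guest" from the auth source
    posture: Optional[Posture]           # None when no agent report or scan exists


# Constructed policy values; a real policy lives in NAC Manager.
POLICY: Dict[str, object] = {
    "min_av_definition_date": "2007-06-01",
    "required_hotfixes": frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
}

# Non-NAC-responsive devices (printers, IP phones) recognised by a constructed
# MAC OUI prefix, standing in for the exception list the chapter mentions.
DEVICE_EXCEPTIONS: Dict[str, str] = {
    "00:11:22": "printer",
    "00:33:44": "ip_phone",
}


def failed_checks(posture: Posture, policy: Dict[str, object]) -> List[str]:
    """Return the human-readable list of policy checks the posture fails."""
    failures: List[str] = []
    min_date = str(policy["min_av_definition_date"])
    # ISO dates compare correctly as strings (YYYY-MM-DD).
    if posture.av_definitions_date is None or posture.av_definitions_date < min_date:
        failures.append("antivirus definitions out of date")
    if not posture.antispyware_installed:
        failures.append("antispyware missing")
    required: FrozenSet[str] = policy["required_hotfixes"]  # type: ignore[assignment]
    missing = required - posture.os_hotfixes
    if missing:
        failures.append("missing hotfixes: " + ", ".join(sorted(missing)))
    return failures


def assign_role(ep: Endpoint,
                policy: Dict[str, object] = POLICY,
                exceptions: Dict[str, str] = DEVICE_EXCEPTIONS) -> Tuple[str, List[str]]:
    """Decide the access role for an endpoint and why it was quarantined, if it was."""
    oui = ep.mac.lower()[:8]
    if oui in exceptions:
        # Exception devices bypass authentication and posture assessment entirely.
        return exceptions[oui], []
    if ep.username is None:
        return "unauthenticated", ["no credentials presented"]
    if ep.user_group == "guest":
        # Assumption for this example: guests get the restricted role without posture checks.
        return "guest", []
    if ep.posture is None:
        # An employee with no agent report and no scan result cannot be assessed.
        return "quarantine", ["no posture report"]
    failures = failed_checks(ep.posture, policy)
    if failures:
        return "quarantine", failures
    return "employee", []


if __name__ == "__main__":
    # Constructed sample endpoints walking through each branch of the decision.
    samples = [
        Endpoint("00:aa:bb:cc:dd:ee", "alice", "employee",
                 Posture("2007-06-15", True, frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}))),
        Endpoint("00:aa:bb:cc:dd:ef", "bob", "employee",
                 Posture("2007-05-01", False, frozenset({"KB-EXAMPLE-1"}))),
        Endpoint("00:11:22:99:88:77", None, None, None),
        Endpoint("00:aa:bb:cc:dd:f0", "visitor", "guest", None),
    ]
    for ep in samples:
        role, reasons = assign_role(ep)
        print(f"{ep.mac}: role={role} reasons={reasons}")
```

The quarantine branch returns the list of failed checks rather than a bare verdict because that list is what a self-remediation page or help-desk ticket needs to show the user; a policy engine that only answers "deny" pushes the diagnosis back onto the help desk, which is the cost the chapter says NAC is meant to remove.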

NAC can be applied to the following networks:

  • High-speed LANs (optimized with out-of-band deployment)
  • Hub-spoke networks across the WAN
  • Remote-access IPsec and Secure Sockets Layer virtual private networks (SSL VPNs)
  • Intranets and extranets
  • Wireless networks

Cisco NAC provides the following benefits:

  • Minimize unauthorized access and potential breach of sensitive data: By identifying users and PCs as they access the network and assigning access roles, users can access only data allowed in their access role.
  • Minimize network outages: By ensuring that all end hosts have the latest antivirus and antispyware definitions and OS patches, the total number of virus and worm outbreaks is reduced.
  • Reduce the overall endpoint support cost: Through the self-healing and remediation process, antivirus, antispyware, and OS updates are performed automatically or with little to no help from the IT help desk.

Cisco NAC Return on Investment

Many Cisco customers who have deployed the NAC appliance solution have quickly realized the immediate return on investment (ROI) of the NAC appliance. There are many references listed on the Cisco website at http://www.cisco.com/go/nac/appliance under Case Studies. The following four case studies give you an example of how a higher-education institute, healthcare medical center, clinical research lab, and local city agency are using the Cisco NAC solution to improve their overall endpoint security:

  • Arizona State University (ASU): With more than 58,000 users on campus, ASU is faced with unregulated laptops entering the residence halls and public access areas daily and potentially spreading viruses and worms. With Cisco NAC Appliance, the number of security incidents during the first six weeks of the fall semester of 2005 dramatically reduced from 1800 infected machines (2004) to 400 infected machines trying to access the network.
  • UK National Health Service: NAC Appliance has been implemented at a new children's medical center based in southeast London. This new center hosts approximately 3500 employees and deployed a multilayer security model that included biometric fingerprint readers and Cisco NAC Appliance. The center uses Cisco NAC Appliance to authenticate users to the network based on fingerprint, and then checks the status of PCs and laptops for the latest antivirus and security software before granting them access to the network.
  • Charles River Labs (CRL): CRL is based in Wilmington, Massachusetts, and provides research models, preclinical services, and clinical services to the pharmaceutical and biotech markets. Its key IT driver was the construction of new research buildings known as Centers of Excellence. CRL relies on Cisco security products, including Cisco NAC Appliance, to make sure that it could meet and exceed the strict information security requirements mandated by the Food and Drug Administration, and to ensure that customers could trust CRL with their critical clinical data.
  • The City of Dublin, Ohio: This city is home to more than 3000 businesses and continually strives to create an attractive economic environment by investing in information technology. The city implemented a Cisco secure wireless solution that uses Cisco NAC Appliance to enforce security policy compliance on every device accessing the wireless network. Doing so improves overall network health and maintains network availability for the public and private services that depend on it.

Summary

The main purpose of Network Admission Control is to enforce end-host policies. Example end-host policies are antivirus and antispam updates and operating system patches that must be current to mitigate potential virus and worm outbreaks and PC exploits. PCs that comply with corporate software policies are assigned a role and given appropriate network access. Devices that don't comply are quarantined and placed through the self-guided remediation process. Non-NAC-responsive devices, such as IP phones, printers, fax servers, and so on, can be configured to bypass NAC through exceptions. In general, NAC ensures that all PCs joining the network are compliant with corporate software policies, and it improves the overall network quality and availability.

The primary Cisco NAC offering is the NAC Appliance solution. NAC Appliance is prepackaged with minimal software customization and can be quickly deployed by any customer. NAC can apply to every component of the network such as high-speed Layer 2 and Layer 3 LANs, across the WAN, remote-access IPsec and Secure Sockets Layer virtual private networks, and wireless networks. Benefits of the Cisco NAC Appliance solution are minimized network outages due to virus and worm outbreaks, minimized unauthorized data access and sensitive data breach, and reduced overall endpoint support cost through its self-guided remediation process.
