7.1. Deployment Scenarios and Topologies

A company's reasons for deploying Cisco's NAC Framework differ in important ways from its reasons for deploying Cisco Clean Access, and the topology of the Framework solution is considerably different from that of Clean Access. Let's take a look at these differences and at the elements that make up each solution.

7.1.1. Network Admission Control Framework

The NAC Framework uses the network infrastructure and third-party vendor solutions to enforce security policy for compliance on all endpoints. The NAC Framework enables Cisco routers, concentrators, switches, and wireless access points (WAPs) to enforce access privileges when an endpoint device attempts to connect to the LAN or WAN. The access decision is based on the security posture of the endpoint as it relates to configured enterprise security rules and policies.

When people say that an enterprise must use only Cisco equipment to support Cisco NAC, this is the solution to which they are referring: the Framework's enforcement points are Cisco network devices. That "Cisco network equipment only" knock (which you will undoubtedly hear often) is not true of Cisco NAC as a whole, however, and a Cisco-only network is not necessary for implementing a Cisco NAC solution. It is certainly possible to implement Cisco NAC without having a Cisco-only network infrastructure.

The Cisco NAC Framework is suited for the following scenarios:

  • Deep NAC partner integration is a starting requirement

  • Deploying a NAC-compatible 802.1x solution is needed

  • Cisco Secure Access Control Server (ACS) is required as the central policy server

  • A NAC appliance (Clean Access) deployment cannot fit within the customer's network environment

As compared to the Clean Access solution, the NAC Framework is more complex and contains more moving parts. Following are the core pieces of this Framework:

  • Posture Plugin (PP) — A Cisco or third-party DLL on a host that is able to determine and communicate an aspect of the security posture to the posture agent.

  • Posture Agent (PA) — The component that aggregates the security posture information and communicates this information to the network. This is the Cisco Trust Agent (CTA).

  • Remediation Client — A non-Cisco technology on the system attempting access that is used to fix deficiencies on the system.

  • Network Access Device (NAD) — These are the Cisco network devices that act as the NAC enforcement point, such as Cisco access routers (800-7200), VPN Gateways (VPN3000 series), Catalyst Layer 2 and Layer 3 switches, and WAPs.

  • Authentication, Authorization, and Accounting (AAA) Server — This is the Cisco Secure Access Control Server (ACS), which acts as the centralized policy decision point and authentication server.

  • Directory Server — Directory servers such as Lightweight Directory Access Protocol (LDAP) directories, Microsoft Active Directory (AD), Novell Directory Services (NDS), and one-time password (OTP) token servers, such as RSA, against which the AAA server authenticates users.

  • Posture Validation Server (PVS) — Acts as an application-specific policy decision point for a set of policy rules. An example would be an antivirus server.

  • Remediation Server — A solution used to fix security deficiencies on the system attempting access. Examples are Microsoft SMS and Altiris.

  • External Audit Server — A server or software that performs vulnerability assessment (VA) against a host to determine the level of compliance or risk of the host prior to network admission.

The NAC Framework consists of many different components that come from many different vendors. Some of the items (such as the Cisco ACS and CTA) are specific to Cisco, while the remediation and other components can come from a variety of vendors.
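To make the division of labor among these components concrete, here is a small Python model of the admission decision flow: posture plugins report attributes, the posture agent aggregates them, the AAA server validates each application's credentials with a policy decision point (PVS), derives a system-wide token, and hands an enforcement action back to the NAD; an agentless host is sent to the external audit server instead. This is an added example written for this page, not Cisco code and not a description of the Framework's actual wire protocol. The posture token names (Healthy, Checkup, Quarantine, Infected, Unknown) follow Cisco's Framework posture tokens; every attribute name, threshold, VLAN number, URL and sample host below is a constructed assumption.

```python
"""Toy model of the NAC Framework posture-validation flow (PP -> PA -> NAD -> ACS/PVS).
Added example for illustration; not Cisco code. Attribute keys, thresholds,
VLAN numbers, URLs and sample hosts are constructed assumptions."""
from enum import IntEnum
from typing import Callable, Dict, Optional


class Token(IntEnum):
    """Posture tokens, ordered so that max() yields the worst (most restrictive) one."""
    HEALTHY = 0
    CHECKUP = 1
    QUARANTINE = 2
    INFECTED = 3
    UNKNOWN = 4


Credentials = Dict[str, Dict[str, object]]  # application name -> posture attributes


# --- Endpoint side: posture plugins (PP) feed the posture agent (PA / CTA) ---
def os_plugin(host: dict) -> Dict[str, object]:
    """Constructed OS plugin: reports which hotfixes are installed."""
    return {"hotfixes": set(host.get("hotfixes", []))}


def av_plugin(host: dict) -> Dict[str, object]:
    """Constructed antivirus plugin: engine state and signature (DAT) age."""
    return {"running": host.get("av_running", False),
            "dat_age_days": host.get("av_dat_age_days")}


def posture_agent(host: dict) -> Optional[Credentials]:
    """CTA role: aggregate every plugin's view into one credential set.
    Returns None when no agent is installed (an agentless endpoint)."""
    if not host.get("cta_installed"):
        return None
    return {"Cisco:Host": os_plugin(host), "AV:Vendor": av_plugin(host)}


# --- Policy side: ACS consults one policy decision point (PVS) per application ---
REQUIRED_HOTFIXES = {"KB-1", "KB-2"}  # constructed baseline


def host_pvs(attrs: Dict[str, object]) -> Token:
    """Local ACS rule: all required hotfixes present, or quarantine for patching."""
    return Token.HEALTHY if REQUIRED_HOTFIXES <= attrs["hotfixes"] else Token.QUARANTINE


def av_pvs(attrs: Dict[str, object]) -> Token:
    """Antivirus PVS role: engine must run; stale signatures degrade the token."""
    if not attrs["running"] or attrs["dat_age_days"] is None:
        return Token.QUARANTINE
    if attrs["dat_age_days"] <= 3:
        return Token.HEALTHY
    if attrs["dat_age_days"] <= 7:
        return Token.CHECKUP  # allowed on, but told to update
    return Token.QUARANTINE


PVS_TABLE: Dict[str, Callable[[Dict[str, object]], Token]] = {
    "Cisco:Host": host_pvs,
    "AV:Vendor": av_pvs,
}


def audit_server(host: dict) -> Token:
    """External audit server role for agentless hosts: a constructed VA verdict."""
    return Token.INFECTED if host.get("va_critical_findings", 0) > 0 else Token.HEALTHY


ENFORCEMENT = {  # what ACS returns to the NAD; VLANs and URLs are constructed
    Token.HEALTHY: {"vlan": 10, "redirect": None},
    Token.CHECKUP: {"vlan": 10, "redirect": "http://remediation.example/update"},
    Token.QUARANTINE: {"vlan": 99, "redirect": "http://remediation.example/fix"},
    Token.INFECTED: {"vlan": None, "redirect": None},  # no access at all
    Token.UNKNOWN: {"vlan": 99, "redirect": "http://remediation.example/install-agent"},
}


def acs_decide(host: dict) -> dict:
    """ACS role: validate each application's credentials with its PVS, take the worst
    application token as the system posture token, and look up the enforcement."""
    creds = posture_agent(host)
    if creds is None:
        app_tokens: Dict[str, Token] = {}
        spt = audit_server(host)  # agentless: fall back to the external audit server
    else:
        app_tokens = {app: PVS_TABLE[app](attrs) for app, attrs in creds.items()}
        spt = max(app_tokens.values()) if app_tokens else Token.UNKNOWN
    return {"spt": spt, "app_tokens": app_tokens, **ENFORCEMENT[spt]}


def nad_admit(host: dict) -> dict:
    """NAD role: apply the decision (here, describe the VLAN/redirect it would apply)."""
    decision = acs_decide(host)
    action = "deny" if decision["vlan"] is None else f"vlan {decision['vlan']}"
    if decision["redirect"]:
        action += f", redirect {decision['redirect']}"
    return {"host": host["name"], "spt": decision["spt"].name, "action": action}


HOSTS = [  # constructed sample endpoints
    {"name": "laptop-1", "cta_installed": True, "hotfixes": ["KB-1", "KB-2"],
     "av_running": True, "av_dat_age_days": 1},
    {"name": "laptop-2", "cta_installed": True, "hotfixes": ["KB-1"],
     "av_running": True, "av_dat_age_days": 5},
    {"name": "laptop-3", "cta_installed": True, "hotfixes": ["KB-1", "KB-2"],
     "av_running": False, "av_dat_age_days": None},
    {"name": "printer-1", "cta_installed": False, "va_critical_findings": 0},
    {"name": "kiosk-1", "cta_installed": False, "va_critical_findings": 2},
]

if __name__ == "__main__":
    for h in HOSTS:
        print(nad_admit(h))
```

The point to notice is where each decision lives: the plugins only measure, the agent only aggregates, the NAD only enforces, and the per-application verdicts come from separate policy decision points that ACS combines. Swapping the antivirus vendor means replacing `av_plugin` and `av_pvs`, not the NAD or the aggregation logic, which is exactly why the Framework can mix vendors while the enforcement points stay Cisco.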
