7.3. The Purpose of Cisco NAC

By now, you should have a clear understanding of the purpose of Cisco Clean Access (Cisco NAC Framework). It is a technology that helps protect the LAN from unauthorized users and devices, and that controls the access of devices whose security posture is deficient. From a product perspective, Cisco describes the purpose and benefits of the Cisco NAC Framework as follows:

NAC works with antivirus, patch management, and Personal Firewall software to assess the condition, called the posture, of a client before allowing that client network access. NAC helps ensure that a network client has an up-to-date virus signature set, the most current operating system patches, and is not infected. If the client requires an antivirus signature update or an operating system update, NAC directs the client to complete the necessary updates. If the client has been compromised or if a virus outbreak is occurring on the network, NAC places the client into a quarantined network segment. After the client has completed its update process or disinfection, the client is checked again.

Based on the technical solution as described in this chapter, let's now compare how it stands up to the various types of users who may access the network.

7.3.1. Unauthorized Users

As with Clean Access, a big reason why companies look at a NAC solution is to control unauthorized access to their LANs. The Cisco NAC Framework addresses this problem by ensuring that all devices accessing the LAN are authenticated and assessed before being granted access. The solution includes Client and Clientless modes, so even devices that cannot have the CTA installed can still be authenticated and assessed. Clientless mode does require a third-party audit server to assess systems that have no agent software installed. If authentication fails and/or the security posture of the device is deficient, access to the network can be restricted or blocked.

7.3.2. Authorized Users with Deficient Security Postures

The Cisco NAC Framework can assess the security posture of devices in a number of different ways. The CTA can provide basic operating system and hotfix information, while posture plug-ins (PPs) from other security solutions can be used to communicate their state to the CTA. If the security posture of the device is deficient, it can be restricted or access to the network can be blocked. An opportunity to remediate the deficiency can also be made available to the end user, and there are links into supported, existing third-party remediation solutions that can be triggered to start the remediation process. There is no remediation server component that is part of the NAC Framework.

7.3.3. Mobile Users

Mobile users can be assessed at two points with this solution. The first is when the user physically returns to the LAN, and the second is when the user VPNs back into the network. While this provides a layer of protection to the LAN, the solution does not provide any protection to the mobile device itself while it is away from the network. The assessment, quarantining, and remediation elements are not in play while the device is mobile unless the user attempts a VPN session. Figure 7-8 illustrates how the NAC Framework protects the LAN from mobile devices as they attempt to gain access to the network.

Figure 7-8. NAC Framework protecting the LAN from mobile device access
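As an added illustration (not code from the book or from Cisco), the following Python models the decision flow described in this section: authenticate the client, derive a posture token from the attributes the CTA and PPs supply, map the token to an access policy, and re-check after remediation. The attribute names, the signature-age threshold, the hotfix identifiers and the access-action strings are constructed assumptions; only the posture token names (Healthy, Checkup, Quarantine, Infected) follow NAC Framework vocabulary.

```python
"""Posture-decision model for the NAC Framework flow described above (constructed example)."""
from dataclasses import dataclass
from datetime import date

MAX_SIGNATURE_AGE_DAYS = 7               # assumed policy: older AV signatures need an update
REQUIRED_HOTFIXES = {"KB-A", "KB-B"}     # placeholder hotfix ids, not real identifiers
TODAY = date(2024, 1, 15)                # constructed assessment date


@dataclass
class Posture:
    authenticated: bool
    av_signature_date: date     # reported by an antivirus posture plug-in (PP)
    installed_hotfixes: set     # reported by the CTA
    infected: bool              # reported by the antivirus PP
    outbreak_in_progress: bool  # network-wide condition set by the operator


def posture_token(p: Posture, today: date) -> str:
    """Derive the posture token from the CTA and PP attributes."""
    if p.infected:
        return "Infected"
    if p.outbreak_in_progress:
        return "Quarantine"           # outbreak: isolate even clients that look clean
    signature_age = (today - p.av_signature_date).days
    if signature_age > MAX_SIGNATURE_AGE_DAYS or not REQUIRED_HOTFIXES <= p.installed_hotfixes:
        return "Checkup"              # needs an update; direct to remediation
    return "Healthy"


ACCESS_BY_TOKEN = {                    # assumed mapping from token to network policy
    "Healthy": "full-access",
    "Checkup": "restricted-access+remediation-redirect",
    "Quarantine": "quarantine-segment",
    "Infected": "quarantine-segment",
}


def access_decision(p: Posture, today: date) -> str:
    """Authentication failure blocks outright; otherwise the posture token picks the policy."""
    if not p.authenticated:
        return "blocked"
    return ACCESS_BY_TOKEN[posture_token(p, today)]


def remediate_and_recheck(p: Posture, today: date) -> tuple:
    """Simulate the third-party remediation completing, then the mandatory re-assessment."""
    before = access_decision(p, today)
    if before.endswith("remediation-redirect"):
        p.av_signature_date = today
        p.installed_hotfixes |= REQUIRED_HOTFIXES
    return before, access_decision(p, today)


def sample_clients() -> dict:
    """Constructed sample postures covering each branch of the policy."""
    return {
        "stale": Posture(True, date(2024, 1, 1), {"KB-A", "KB-B"}, False, False),
        "healthy": Posture(True, date(2024, 1, 14), {"KB-A", "KB-B"}, False, False),
        "infected": Posture(True, date(2024, 1, 14), {"KB-A", "KB-B"}, True, False),
        "guest": Posture(False, date(2024, 1, 14), {"KB-A", "KB-B"}, False, False),
    }
```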
