This chapter covers the following topics:
- Network admission control overview
- NAC Framework benefits
- NAC Framework components
- Operational overview
- Deployment models
Network Admission Control (NAC) is a technology initiative led by Cisco Systems working in collaboration with many leading security vendors, including antivirus and desktop management. Their focus is the creation of solutions that limit security threats, such as worms and viruses.
This technology provides a framework using existing Cisco infrastructure to enforce network admission policies on NAC-enabled endpoint devices, guaranteeing software compliance before network access is granted. If an endpoint device is determined noncompliant, a variety of admission actions are available to administrators, and how the actions are implemented is at the discretion of the network administrator. For example, a noncompliant endpoint may be placed in a quarantine area of the network and redirected to a remediation server to load the necessary software or patches. A notification is displayed to the user warning that their device is not compliant or, in the worse case, that they are denied network access entirely.
This chapter describes the Cisco NAC Framework, identifies benefits, describes the solution components and how they interoperate, and describes common deployment models.
Network Admission Control Overview
Worms and viruses continue to be disruptive, even though many businesses have significantly invested in antivirus and traditional security solutions. Not all users stay up to date with the many needed software security patches of antivirus files. Noncompliant endpoints are frequent and the reasons vary; for example:
- A user might choose to wait and install a new update later because they don't have the time
- A contractor, partner, or guest needs network access; however, the business may not control the endpoint
- The endpoints are not managed
- The business lacks the capability to monitor the endpoints and determine whether they are updated to conform to the business's security policy
When infected endpoints connect to the network, they unsuspectingly spread their infections to other improperly protected devices. This has caused businesses to examine how they should implement endpoint compliance enforcement besides user authentication before granting access to their networks.
Cisco Systems provides two network admission control solution choices:
- NAC Appliance
- NAC Framework
Chapter 7, "Cisco Clean Access," describes NAC Appliance, which was originally marketed as Cisco Clean Access (CCA). NAC Appliance is a turnkey self-sufficient package that does not rely on third-party products for determining and enforcing software compliance. This chapter focuses on NAC Framework.
NAC Framework is an integrated solution that enables businesses to leverage many of their existing Cisco network products, along with many third-party vendor products such as antivirus, security, and identity-based software. Vendor products must be NAC-enabled in order to communicate with the NAC-enabled network access devices. NAC Framework is extremely flexible because it can enforce more features available from other vendors' products. A comparison of customer preferences for choosing the NAC Appliance and NAC Framework is shown in Table 6-1.
Table 6-1. NAC Customer Profile
|
NAC Framework |
NAC Appliance |
|
Uses an integrated framework approach, leveraging existing security solutions from other vendors |
Prefers bundled, out-of-the-box functionality with preinstalled support for antivirus and Microsoft updates |
|
Complex network environment, leveraging many types of Cisco network access products |
Heterogeneous network infrastructure |
|
Longer, phased-in deployment model |
Rapid deployment model |
|
Can integrate with 802.1x |
Independent of 802.1x |
| Source: Cisco Systems, Inc.1 | |