NAC as an Embedded Solution

The initial Cisco vision of NAC, first introduced in 2003, leverages the Cisco IOS in Cisco routers and switches to deliver the NAC functionality. Also referred to as NAC Framework, it comprises Cisco Access Control Server (ACS), Cisco routers and switches, and an endpoint software agent called Cisco Trust Agent (CTA). To assist with posture assessment, device auditing, and software remediation, the embedded NAC solution relies on third-party software via application program interfaces (APIs). Third-party security software, such as antivirus and antispam programs from Symantec, McAfee, TrendMicro, and so on, is installed to protect the endpoints. These security applications use APIs to report their software version and status to Cisco Trust Agent. Cisco Trust Agent, acting as an application broker, collects the required software information about the machine and reports it to Cisco ACS, which is the back-end authentication and policy server. See Figure 2-2 for the components of the embedded NAC approach.

Figure 2-2 Embedded NAC Components (figure not reproduced). Panels: Endpoints (PCs), with security applications protecting the PC and plug-ins providing posture information to CTA; Network Access Devices (enforcement); Policy Servers (decision points and remediation), where posture information provided by CTA is validated by third-party applications and remediation is performed by a third party.

Based on the posture information provided by CTA, ACS compares the received information against its configured policies and informs the appropriate network device, such as a router or switch, to quarantine, permit, or deny network access. This process works well for PCs capable of running CTA. For devices incapable of running CTA (considered non-NAC-responsive devices), such as IP phones or network printers, NAC Framework allows for third-party auditing servers (that is, Qualys or Foundstone, now McAfee) to perform an audit of non-NAC-responsive devices to determine the device type and its appropriate network access privileges. After the third-party auditing servers determine which devices on the network are printers, they can inform the routers or switches through ACS to assign those printers to the appropriate printer access role. For further details about the Cisco embedded approach to NAC, refer to http://www.cisco.com/go/nac/framework or Cisco Network Admission Control Volume 1: NAC Framework Architecture and Design from Cisco Press.
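The decision flow just described, as an added illustration that is not code from the book or from Cisco: a CTA-style posture report (attributes reported by third-party plug-ins) is checked against an ACS-style policy to produce the permit, quarantine, or deny verdict the network device enforces, and a device that cannot run CTA is assigned a role from a mock third-party audit instead. The attribute names, policy values, role names, and sample endpoints are all assumptions.

```python
# Simplified model of the NAC Framework flow (constructed example, not Cisco
# code): a CTA-style posture report is checked against an ACS-style policy,
# yielding the permit/quarantine/deny verdict a switch or router would enforce;
# devices that cannot run CTA get a role from a mock third-party audit.
# All attribute names, policy values, and sample endpoints are assumptions.

def version_tuple(v: str) -> tuple:
    """Turn '10.1.3' into (10, 1, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

# Policy an administrator might configure on the policy server (assumed values).
POLICY = {
    "antivirus": {"min_version": "10.1.0", "must_be_running": True},
    "antispam": {"min_version": "2.0.0", "must_be_running": False},
}

# Roles an auditing server maps non-NAC-responsive device types to (assumed).
AUDIT_ROLES = {"printer": "printer_role", "ip_phone": "voice_role"}

def evaluate_posture(report: dict) -> str:
    """Decide 'permit', 'quarantine', or 'deny' from plug-in attributes.

    report maps application type -> {"version": str, "running": bool}.
    Missing required application: deny. Out of date or not running:
    quarantine, so remediation can happen. Everything in order: permit.
    """
    for app, rule in POLICY.items():
        status = report.get(app)
        if status is None:
            return "deny"
        if version_tuple(status["version"]) < version_tuple(rule["min_version"]):
            return "quarantine"
        if rule["must_be_running"] and not status["running"]:
            return "quarantine"
    return "permit"

def decide_access(endpoint: dict) -> str:
    """CTA-capable endpoints are posture-checked; others are audited instead."""
    if endpoint.get("cta_report") is not None:
        return evaluate_posture(endpoint["cta_report"])
    # Non-NAC-responsive device: rely on the audited device type for its role.
    return AUDIT_ROLES.get(endpoint.get("audited_type"), "deny")

# Constructed sample endpoints.
HEALTHY_PC = {"cta_report": {"antivirus": {"version": "10.2.1", "running": True},
                             "antispam": {"version": "2.3.0", "running": False}}}
STALE_PC = {"cta_report": {"antivirus": {"version": "9.8.0", "running": True},
                           "antispam": {"version": "2.3.0", "running": True}}}
PRINTER = {"cta_report": None, "audited_type": "printer"}
```

An unknown audited device type falls through to deny, mirroring the default-closed stance a policy server should take when it cannot classify a device.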

The embedded NAC approach is an elegant and deeply customizable technology, but the appliance-based approach is faster to deploy. Cisco recently introduced an integrated implementation strategy that combines the benefits of both approaches.

NOTE This book does not cover the embedded (framework) NAC solution.
