Solution Profile: Cisco NAC Framework
Cisco Systems offers two distinct NAC solutions.
Its NAC Framework enables organizations to create a comprehensive, universal and highly automated infrastructure for enforcing endpoint security compliance and controlling network admission policies. While Cisco provides the central NAC policy controller and the NAC-enabled network systems, more than 50 vendors provide complementary endpoint security and management software that integrates with the Cisco products. Deploying and managing a Cisco NAC Framework is a major undertaking which requires a substantial investment in hardware, software, services and manpower.
In contrast, the NAC Appliance, formerly called Cisco Clean Access, enables organizations to rapidly deploy relatively self-contained endpoint assessment, policy management, and remediation services without requiring changes to switches and routers. The NAC Appliance's capabilities are much narrower than those of a full-blown NAC Framework implementation, and the required effort, time and costs are naturally much lower. View the NAC Appliance profile.
Which Cisco NAC solution should you choose? Cisco recommends the NAC Appliance unless one of the following conditions exists:
Cisco NAC Framework
Since Cisco provides a large amount of information about the NAC Framework on its web site, the technical product details are not repeated here. Instead we highlight key elements of Cisco's strategies, products and partnerships.
- The NAC Framework is the most comprehensive NAC initiative available today and all the "essential" NAC components are now available from either Cisco or its solution partners.
- A comprehensive implementation of the NAC Framework is a complex undertaking. The architecture includes many different components from Cisco and other vendors: multiple network systems, a NAC policy manager, Cisco and 3rd party security software posture validation servers, an audit server, a remediation server, and links to existing user directories and authentication servers. Even if some of these systems are already in place, ensuring they continually work together will be an ongoing challenge for both network and security personnel.
- The Cisco-led NAC initiative is widely supported by vendors of endpoint security, audit and remediation servers and secure access gateways.
Functional Description
The Cisco NAC Framework can provide the following primary functions:
- Challenge all users with a log-on screen whenever they attempt to access the network
- Act as a proxy for all types of user authentication
- Authenticate devices using MAC addresses and link them to the users
- Restrict device traffic to NAC-related activities until authorization is granted
- Perform either network- or agent-based scans to verify security policy compliance
- Run compliance checks on all devices including non-user devices (e.g., printers)
- Take advantage of NAC-enabled, posture validation servers from other security vendors and 3rd party audit and remediation servers
- Restrict non-compliant endpoints to a quarantine LAN, notify users of connection status and required action, and automatically correct problems.
- Selectively control user access privileges with role-based policies
- User and device authentication are available only with 802.1x L2 LAN switches (wired and wireless), not with Cisco L3 LAN switches, routers or VPN concentrators.
- In order to perform user authentication, 802.1x support must be provided on both the endpoint device and the Cisco switch. While Cisco L2 LAN switches currently in production support 802.1x, most installed systems DO NOT. These switches must be either upgraded or replaced wherever a NAC control point is required.
- Network-based scans look for network vulnerabilities such as remote-procedure call (RPC) buffer overflows or messenger buffer overflows.
- Agent-based scans examine the device's system registry, file system, and system memory for specific services and applications, including other vendors' security software.
A Closer Look At the Cisco NAC Framework
The Cisco graphic below illustrates the key components of a comprehensive solution based on the Cisco NAC Framework. The role of each component is briefly described, and the highlighted links let you view additional information on the Cisco web site.
[Figure: Key NAC Solution Components, showing three groups: NAC Clients, Cisco Network Access Devices, and NAC Servers]
Image Source: Cisco Systems
Cisco Trusted Agent (CTA). This installed software client collects state information from security software on the endpoint and communicates the "posture" to the Cisco AAA Policy Server. The CTA communicates with client applications that have been NAC-enabled by Cisco partners. Already more than 50 vendors participate in the NAC initiative, including leading antivirus, client security, and patch management vendors.
Network Access Devices. Cisco is now shipping NAC-enabled LAN switches, routers, and VPN concentrators. Most vendors offering similar products, firewalls, or integrated perimeter security appliances support the Cisco NAC Framework.
AAA Policy Server. The Cisco Secure Access Control Server (Secure ACS) acts as the policy decision point in NAC deployments, evaluating user credentials, determining the security posture of network endpoints, and sending out per-user authorization to Cisco and non-Cisco network access devices via downloaded access control lists (ACLs). The Cisco Secure ACS also communicates with the CTA on endpoints, authentication and authorization servers, other vendors' policy posture servers, software life-cycle management servers, and audit servers. The Cisco ACS is available as either a Windows application or an appliance.
In a much broader sense the "Cisco Secure ACS is a highly scalable, high-performance access control server that operates as a centralized RADIUS or TACACS+ server system and controls the authentication, authorization, and accounting (AAA) of users who access corporate resources through a network. Cisco Secure ACS allows you to control user access to the network, authorize different types of network services for users or groups of users, and keep a record of all network user actions. Cisco Secure ACS supports access control and accounting for dialup access servers; cable and DSL broadband solutions; firewalls; VPNs; voice-over-IP (VoIP) solutions; storage; and switched and wireless LANs. In addition, network managers can use the same AAA framework to manage (through TACACS+) administrative roles and groups, and control how they change, access, and configure the network internally." - Cisco Systems.
Directory Servers. These systems provide user IDs, group membership information, and authorization privileges.
Posture Validation Server. The Cisco Secure ACS can either assess endpoint postures or pass posture data to application-specific posture validation servers provided by other security vendors. These servers determine whether endpoint software is up-to-date and return results to the Cisco Secure ACS. Based on the information it collects from endpoints and vendor policy servers, the Cisco Secure ACS implements predefined policies, blocking, allowing or restricting user access to production networks or redirecting users to quarantine networks where compliance problems can be corrected.
Remediation Servers. These systems bring devices back into compliance. They can be as simple as a web server that supports software downloads. Or they can automatically examine devices, supply necessary software updates and patches, and ensure software is correctly configured. Several system management vendors have added security management to their product suites and integrated their remediation clients with the Cisco Trusted Agent.
Audit Servers. Several Cisco partners offer comprehensive vulnerability management solutions in the form of either applications or on-demand services. These solutions audit managed and unmanaged endpoints to identify critical vulnerabilities and assess their security postures. When an endpoint is found to be trusted and secure, access to the network is granted, without any further user action. When a host is vulnerable or infected it will be denied access or quarantined for remediation. These systems can audit unmanaged endpoints that do not have an installed Cisco Trusted Agent because the user either cannot or will not accept this client software.
Cisco MARS. CS-MARS combines network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification, and automated mitigation capabilities. The result is a system that helps customers readily and accurately identify, manage, and eliminate network attacks and maintain network security compliance.
How The Cisco NAC Framework Works
[Figure: How the Cisco NAC Framework works]
Image Source: Cisco Systems
This example assumes a user is accessing a network through an edge L2 LAN switch with 802.1x support.
- When a user attempts to connect to the network, the request is intercepted by the LAN switch, which challenges the user for his credentials. The LAN switch also captures the MAC address of the endpoint.
- When the user responds, both the MAC address and the user credentials are forwarded by the LAN switch to the Cisco AAA policy server (Cisco ACS), which then passes the ID credentials along to an authentication server for validation. The authentication server can have its own user database or rely on external user directories. At this point in the network connection process the user device is restricted to communicating only with the Cisco ACS. This is enforced by MAC address filtering at the LAN switch.
- Once the authentication process is successfully completed, the Cisco ACS requests the Cisco Trusted Agent to collect security posture attributes from the user's device. If a CTA is installed, it will gather this data from the Cisco Security Agent (optional) and CTA-enabled 3rd party clients and send it to the Cisco ACS. The Cisco ACS then sends the data from the 3rd party clients to the respective posture validation servers (PVSs), where compliance checking is performed (compliance checking for the Cisco Security Agent is performed at the Cisco ACS). The Cisco ACS then compares the results from the PVSs to its security policies to determine the user's network privileges. These privileges are implemented via preset MAC address filters on the LAN switch. Finally, the CTA is informed of the posture status of the device, and the user can be notified of the device's status on the network.
- If a device is compliant, it is allowed to access a suitable VLAN on the production network (role-based access controls can be used to determine which VLAN is available to individual users). If a device is deemed non-compliant, it can be redirected to a quarantine LAN for problem remediation. A non-compliant device can be restored to an approved security posture either manually by the user or automatically by remediation servers.
- If an unmanaged device does not have a CTA and will not accept one, the organization can either block it or request that the user initiate a vulnerability scan. If the user selects this option, his request is forwarded to the Cisco ACS, which then requests that an audit server run a vulnerability scan against the device. The Cisco ACS will use the results from the audit server and its own security policies to determine what level of access, if any, will be permitted. Again, this will be implemented at the LAN switch. As with any 802.1x environment, the unmanaged device must have an 802.1x client ("supplicant").
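The admission flow above is easiest to reason about as a policy decision function: the switch holds the port in a restricted state, the ACS authenticates the user against a directory, posture comes either from the CTA (with per-vendor posture validation servers) or from an audit-server scan for unmanaged devices, and the result maps through a role-based policy to a production VLAN, a quarantine VLAN, or a denial. The following is an added illustrative simulation written for this profile; it is not Cisco code and does not use any Cisco API. The directory, the posture validators, the VLAN numbers and the sample endpoints are all constructed, and the "fail closed" choice (missing posture data is treated as non-compliant) is the author of this example's assumption, not a documented ACS behaviour.

```python
"""Simulation of the NAC Framework admission decision described above.
Added example, not Cisco code; every policy value here is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

HEALTHY, QUARANTINE = "Healthy", "Quarantine"

# Constructed user directory the ACS proxies authentication to: user -> (password, role).
DIRECTORY = {"alice": ("s3cret", "engineering"), "bob": ("hunter2", "guest")}

# Constructed role-based policy: (posture token, role) -> VLAN the switch applies.
VLAN_POLICY = {
    (HEALTHY, "engineering"): 10,   # production VLAN for engineering
    (HEALTHY, "guest"): 20,         # production VLAN for guests
    (QUARANTINE, None): 99,         # quarantine VLAN reaching only remediation servers
}
PRE_AUTH_VLAN = 0  # port stays here (ACS-only reachability) until a decision is made


@dataclass
class Endpoint:
    mac: str
    user: str
    password: str
    has_cta: bool
    posture: Dict[str, Dict[str, object]] = field(default_factory=dict)  # vendor -> attributes
    accepts_audit_scan: bool = False
    audit_findings: List[str] = field(default_factory=list)  # constructed scan results


@dataclass
class Decision:
    outcome: str   # "allow", "quarantine" or "deny"
    vlan: int
    reason: str


# Posture validators. The CSA check runs at the ACS itself; the others stand in for
# third-party posture validation servers. Thresholds are constructed.
def csa_validate(attrs: Dict[str, object]) -> str:
    return HEALTHY if attrs.get("agent_running") else QUARANTINE

def antivirus_validate(attrs: Dict[str, object]) -> str:
    return HEALTHY if int(attrs.get("signature_age_days", 999)) <= 7 else QUARANTINE

def patch_validate(attrs: Dict[str, object]) -> str:
    return HEALTHY if int(attrs.get("missing_critical_patches", 1)) == 0 else QUARANTINE

POSTURE_VALIDATORS: Dict[str, Callable[[Dict[str, object]], str]] = {
    "csa": csa_validate, "antivirus": antivirus_validate, "patch": patch_validate,
}


def acs_authenticate(user: str, password: str) -> Optional[str]:
    """Return the user's role on success, None on failure."""
    entry = DIRECTORY.get(user)
    return entry[1] if entry and entry[0] == password else None


def evaluate_posture(endpoint: Endpoint) -> Tuple[str, List[str]]:
    """Fan CTA-collected attributes out to each validator; any failure quarantines.
    Assumption: a required vendor with no data counts as a failure (fail closed)."""
    failed = [vendor for vendor, check in POSTURE_VALIDATORS.items()
              if vendor not in endpoint.posture or check(endpoint.posture[vendor]) != HEALTHY]
    return (QUARANTINE if failed else HEALTHY), failed


def audit_server_scan(endpoint: Endpoint) -> Tuple[str, List[str]]:
    """Network-based audit of an unmanaged endpoint (constructed: any finding quarantines)."""
    return (QUARANTINE if endpoint.audit_findings else HEALTHY), list(endpoint.audit_findings)


def admit(endpoint: Endpoint) -> Decision:
    role = acs_authenticate(endpoint.user, endpoint.password)
    if role is None:
        return Decision("deny", PRE_AUTH_VLAN, "authentication failed")
    if endpoint.has_cta:
        token, failed = evaluate_posture(endpoint)
        source = "CTA"
    elif endpoint.accepts_audit_scan:
        token, failed = audit_server_scan(endpoint)
        source = "audit server"
    else:
        return Decision("deny", PRE_AUTH_VLAN, "no CTA and audit scan declined")
    if token == HEALTHY:
        vlan = VLAN_POLICY.get((HEALTHY, role))
        if vlan is None:
            return Decision("deny", PRE_AUTH_VLAN, f"no VLAN policy for role {role}")
        return Decision("allow", vlan, f"{source}: compliant")
    return Decision("quarantine", VLAN_POLICY[(QUARANTINE, None)], f"{source}: {', '.join(failed)}")


# Constructed sample endpoints covering each branch of the flow.
SAMPLE_ENDPOINTS = {
    "compliant laptop": Endpoint("00:11:22:33:44:01", "alice", "s3cret", True, posture={
        "csa": {"agent_running": True}, "antivirus": {"signature_age_days": 2},
        "patch": {"missing_critical_patches": 0}}),
    "stale antivirus": Endpoint("00:11:22:33:44:02", "bob", "hunter2", True, posture={
        "csa": {"agent_running": True}, "antivirus": {"signature_age_days": 30},
        "patch": {"missing_critical_patches": 0}}),
    "bad password": Endpoint("00:11:22:33:44:03", "alice", "wrong", True),
    "unmanaged, scanned clean": Endpoint("00:11:22:33:44:04", "bob", "hunter2", False,
                                         accepts_audit_scan=True),
    "unmanaged, scan finding": Endpoint("00:11:22:33:44:05", "bob", "hunter2", False,
                                        accepts_audit_scan=True, audit_findings=["RPC overflow"]),
    "unmanaged, scan declined": Endpoint("00:11:22:33:44:06", "bob", "hunter2", False),
}


def run_examples() -> Dict[str, Decision]:
    return {name: admit(ep) for name, ep in SAMPLE_ENDPOINTS.items()}


if __name__ == "__main__":
    for name, d in run_examples().items():
        print(f"{name:26} -> {d.outcome:10} VLAN {d.vlan:3}  ({d.reason})")
```

The point the simulation makes is where the enforcement boundary sits: nothing about the endpoint's claimed posture changes the switch state until the ACS has both an authenticated identity and a posture token, and every path that cannot produce both ends in the pre-auth or quarantine VLAN rather than in production.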
Future Directions
- "Future (Cisco Secure Access) phases will extend endpoint and network security interoperation to include dynamic incident-containment capabilities. This innovation will enable compliant system elements to report misuse emanating from rogue or infected systems during an attack. Thus, infected systems will be dynamically quarantined from the rest of the network to significantly reduce virus, worm, and blended threat propagation." (Source: Cisco web site)
Cisco NAC Product Reference Table
The following table summarizes the key capabilities of the Cisco NAC Framework. Cisco NAC Appliance (formerly Cisco Clean Access) data is also provided for comparative purposes.
| Product Names | Cisco NAC Framework | Cisco Clean Access |
|---|---|---|
| Policy Manager | Secure Access Control Server (ACS) | Clean Access Manager |
| Enforcer | Secure Access Control Server (ACS) | Clean Access Server |
| Compliance Checker | Cisco Trusted Agent (CTA) | Clean Access Server or Clean Access Agent |
| Access Control Point | NAC-enabled Catalyst™ switches; wireless access points; NAC-enabled routers | Clean Access Server (inline install); Catalyst switches (out-of-band install) |
| Policy Enforcement Usage Scenarios | | |
| Endpoint Device | Not Supported | Not Supported |
| Edge LAN Workgroup (Wired & Wireless) | L2 LAN Switch via dynamic VLANs | Clean Access Server or L2 LAN Switch |
| Distribution LAN | L3 LAN Switch (LAN router) via L3/L4 ACLs | L3 LAN Switch (LAN router) |
| Remote Access | WAN/LAN Router via L3/L4 ACLs | Clean Access Server |
| Data Center | L3 LAN Switch (LAN router) via L3/L4 ACLs | Not Applicable |
| Supported Network Access Devices | Cisco | Any Vendor |
| Authentication & Compliance Services | | |
| User Interface | Captive Portal | Captive Portal |
| User Authentication Proxy | Password; OTP (requires 802.1x) | Password |
| > User Directory Support | RADIUS, Active Directory, LDAP Directories, Novell, Token Servers, Open Database Connectivity | RADIUS, Active Directory, LDAP Directories |
| > 802.1x Support | LAN Switches & Endpoint (Wired CTA only) | Inline Install Only? |
| Device Authentication | MAC Address (Requires 802.1x) | User-Authenticated MAC Addresses |
| Compliance Checking Rule Sets | Large 3rd Party SW Rule Set Plus API | Large 3rd Party SW Rule Set Plus API |
| Quarantine Method | IP Address (routers) or VLANs (switches) | Role-based (inline), VLAN (out-of-band) |
| Posture Checking | Client (CTA), Network Scanner (non-Cisco solution) | Network Scanner & Endpoint Client (Windows agent only) |
| Endpoint NAC Software | | |
| Agent Type | Installed Client (CTA + 3rd Party Plug-ins) | None or Installed Client (Windows only) |
| Device Support | Windows & Linux; 802.1x support only on Windows | All Endpoints (network scan only) |
| Additional Security Services | | |
| Identity-Based Traffic Analysis & Reporting | None | None |
| Intrusion Protection | Host IPS - Endpoint (Option) - Windows only | None |
| User/Group Authorization Policy Manager | Granular access control to individual network resources (works with only some Cisco switches) | None |
| Rogue Device Protection | Requires 3rd Party Products | User-Authenticated MAC Address |
Other Key Cisco Publications
Industry Critiques of The Cisco NAC Framework
The Cisco NAC Framework is an ambitious industry initiative that merits the attention it has received. Both Cisco and its partners have done a great deal to deliver on the "promise". However, it remains a young work in progress, so naturally it has some shortcomings. The following critiques have appeared in the media and have been voiced by customers, industry analysts and Cisco competitors. They are presented for the sole purpose of making you aware of issues you might hear in the process of evaluating this and alternative NAC solutions. You can decide whether they are even relevant to your situation. And if you are aware of other concerns, we welcome you to submit them to us.
Positives
- The NAC Framework is the most comprehensive NAC initiative available today and all the "essential" NAC components are now available from either Cisco or its solution partners.
- Will work with Microsoft Vista and Longhorn without need for additional Cisco NAC client.
Drawbacks
- The solution requires Cisco routers and switches.
- Existing Cisco routers and switches will likely require an upgrade.
- User and device authentication require the implementation of 802.1x, which can be a very complex challenge for large organizations with many LAN switches, identity servers, and VLANs.
- Cisco RADIUS is the only supported authentication service.
- The Cisco solution does not provide security assurance for devices while they are off the corporate network. (Source: Senforce)
- The Cisco NAC does not protect itself from malicious code or malicious users. (Source: Senforce)