Network Admission Control (NAC), an industry initiative sponsored
by Cisco Systems, uses the network infrastructure to enforce security policy
compliance on all devices seeking to access network computing resources,
thereby limiting damage from viruses and worms.
Using NAC, organizations
can provide network access to endpoint devices such as PCs, PDAs, and servers
that are verified to be fully compliant with established security policy. NAC
can also identify noncompliant devices and deny them access, place them in a
quarantined area, or give them restricted access to network resources.
NAC is part of the Cisco Self-Defending Network. Its goal is to create
greater intelligence in the network to automatically identify, prevent, and
adapt to security threats.
An Overview of Network Admission Control
The significant damage caused by recent worms and viruses
demonstrates the inadequacy of existing safeguards. NAC provides a new,
comprehensive solution that allows organizations to enforce host patch policies
and to regulate noncompliant and potentially vulnerable systems by assigning
them to quarantined environments for remediation. By combining information
about endpoint security status with network admission enforcement, NAC enables
organizations to dramatically improve the security of their computing
infrastructures.
NAC allows network access to compliant and trusted
endpoint devices, such as PCs, servers, and PDAs, and restricts the access of
noncompliant devices. Network access decisions can be based on such information
as the antivirus state of the endpoint device, operating system version,
operating system patch level, or Cisco Security Agent version and settings.
NAC Components
NAC has the following components:
- Endpoint security software, such as antivirus software, and the Cisco Trust
Agent – The Cisco Trust Agent collects security state information from multiple
security software clients, such as antivirus clients, and communicates this
information to the connected Cisco network where access control decisions are
enforced. Application and operating system status, such as antivirus and
operating system patch levels or credentials, can be used to determine the
appropriate network admission decision. Cisco and NAC cosponsors integrate the
Cisco Trust Agent with their security software clients.
- Network access devices – Network devices that enforce admission control
policy include routers, switches, wireless access points, and security
appliances. These devices demand host credentials and relay this information to
policy servers where network admission control decisions are made. Based on
customer-defined policy, the network enforces the appropriate admission control
decision: permit, deny, quarantine, or restrict.
- Policy server – The policy server is responsible for evaluating the
endpoint security information relayed from network devices and for determining
the appropriate access policy to apply. Cisco Secure ACS, using RADIUS, is the
foundation of the policy server system. It works in concert with NAC cosponsor
application servers that provide deeper credential validation capabilities,
such as antivirus policy servers. It also works in conjunction with audit
servers, which aid in assessing systems that do not respond to NAC credential
inquiries.
- Management system – Cisco management solutions provision the appropriate
NAC elements and provide monitoring and reporting operational tools. CiscoWorks
VPN/Security Management Solution (VMS) and CiscoWorks Security Information
Management Solution (SIMS) form the basis for this capability. NAC cosponsors
provide management solutions for their endpoint security software.
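To make the admission decision described above concrete, the following is an added illustration (not Cisco code, and not the Cisco Secure ACS policy syntax) of what the policy server does with the posture the trust agent reports: it compares antivirus state, OS patch level and Cisco Security Agent presence against a constructed baseline and returns one of permit, deny, quarantine or restrict. The thresholds, the `Posture` fields and the mapping of shortfalls to outcomes are assumptions chosen for the example; a host that does not answer the credential inquiry is given restricted access pending an audit server's assessment.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed baseline (hypothetical values, not a real Cisco Secure ACS policy):
# the policy server compares each reported attribute against these thresholds.
POLICY = {
    "min_av_signature_version": 1200,  # oldest acceptable antivirus signature set
    "min_os_patch_level": 5,           # oldest acceptable OS patch level
    "require_csa": True,               # Cisco Security Agent must be present
}

@dataclass
class Posture:
    """Security state a host agent (e.g. the Cisco Trust Agent) reports upward."""
    av_installed: bool
    av_signature_version: int
    os_patch_level: int
    csa_present: bool
    credentials_valid: bool = True

def decide(posture: Optional[Posture], policy: dict = POLICY) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is one of permit/deny/quarantine/restrict."""
    # No response to the credential inquiry (no agent installed): the host is not
    # trusted, but it is also not known bad, so give it restricted access and
    # leave deeper assessment to an audit server.
    if posture is None:
        return "restrict", ["no response to credential inquiry"]
    if not posture.credentials_valid:
        return "deny", ["credential validation failed"]
    reasons = []
    if not posture.av_installed:
        reasons.append("antivirus not installed")
    elif posture.av_signature_version < policy["min_av_signature_version"]:
        reasons.append("antivirus signatures out of date")
    if posture.os_patch_level < policy["min_os_patch_level"]:
        reasons.append("operating system patch level below baseline")
    if policy["require_csa"] and not posture.csa_present:
        reasons.append("Cisco Security Agent absent")
    if not reasons:
        return "permit", reasons
    # Assumed severity mapping: a host with no antivirus at all is denied;
    # hosts that merely lag the baseline go to quarantine for remediation.
    if "antivirus not installed" in reasons:
        return "deny", reasons
    return "quarantine", reasons
```

In a deployment the `reasons` list is what the quarantine network's remediation portal would show the user, and what the management system would log for reporting.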