Network Admission Control (NAC)
NAC components

Network Admission Control (NAC), an industry initiative sponsored by Cisco Systems, uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms.

Using NAC, organizations can provide network access to endpoint devices such as PCs, PDAs, and servers that are verified to be fully compliant with established security policy. NAC can also identify noncompliant devices and deny them access, place them in a quarantined area, or give them restricted access to network resources.

NAC is part of the Cisco Self-Defending Network. Its goal is to create greater intelligence in the network to automatically identify, prevent, and adapt to security threats.

An Overview of Network Admission Control
The significant damage caused by recent worms and viruses demonstrates the inadequacy of existing safeguards. NAC provides a comprehensive solution that allows organizations to enforce host patch policies and to regulate noncompliant, potentially vulnerable systems by assigning them to quarantined environments for remediation. By combining information about endpoint security status with network admission enforcement, NAC lets organizations substantially improve the security of their computing infrastructure.

NAC allows network access to compliant and trusted endpoint devices, such as PCs, servers, and PDAs, and restricts the access of noncompliant devices. Network access decisions can be based on such information as the antivirus state of the endpoint device, operating system version, operating system patch level, or Cisco Security Agent version and settings.

NAC Components
NAC has the following components:

  • Endpoint security software, such as antivirus software, and the Cisco Trust Agent – The Cisco Trust Agent collects security state information from multiple security software clients, such as antivirus clients, and communicates this information to the connected Cisco network, where access control decisions are enforced. Application and operating system status (for example, antivirus signature level and operating system patch level) or other credentials can be used to determine the appropriate network admission decision. Cisco and NAC cosponsors integrate the Cisco Trust Agent with their security software clients.
  • Network access devices – Network devices that enforce admission control policy include routers, switches, wireless access points, and security appliances. These devices request host credentials and relay them to policy servers, where the network admission control decision is made. Based on customer-defined policy, the network enforces the appropriate admission control decision: permit, deny, quarantine, or restrict.
  • Policy server – The policy server is responsible for evaluating the endpoint security information relayed from network devices and for determining the appropriate access policy to apply. Cisco Secure ACS, communicating with the network access devices over RADIUS, is the foundation of the policy server system. It works in concert with NAC cosponsor application servers that provide deeper credential validation, such as antivirus policy servers. It also works in conjunction with audit servers, which assess systems that do not respond to NAC credential inquiries.
  • Management system – Cisco management solutions provision the appropriate NAC elements and provide monitoring and reporting tools. CiscoWorks VPN/Security Management Solution (VMS) and CiscoWorks Security Information Management Solution (SIMS) form the basis for this capability. NAC cosponsors provide management solutions for their endpoint security software.
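The following is an added example, not Cisco's code or any part of the NAC product: a toy model of the policy-server step described above. It takes the kind of credentials the Trust Agent would collect (antivirus state and signature level, operating system patch level, Cisco Security Agent version), compares them against a minimum policy, and returns one of the four admission decisions the network access device enforces (permit, deny, quarantine, restrict). Hosts that never answer the credential inquiry are handled through an audit-server verdict, as the page describes. The policy thresholds, the dotted-version format for patch levels, the ACL names and the sample hosts are all constructed assumptions.

```python
# Added example (not Cisco's code): a toy policy server that turns posture
# credentials into a NAC admission decision. Policy thresholds, version
# formats, ACL names and sample hosts are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Posture:
    """Credentials a Trust Agent would collect and the NAD would relay."""
    av_installed: bool
    av_enabled: bool
    av_signature: str           # signature set version, e.g. "2004.11.1" (assumed format)
    os_patch_level: str         # patch baseline as a dotted version, e.g. "3.2" (assumed format)
    csa_version: Optional[str]  # None when Cisco Security Agent is absent


@dataclass
class Policy:
    """Minimum acceptable state for each credential type."""
    min_av_signature: str
    min_os_patch: str
    min_csa_version: str
    csa_required: bool = True


@dataclass
class Decision:
    action: str                 # permit | deny | quarantine | restrict
    acl: str                    # hypothetical enforcement ACL name handed to the NAD
    reasons: List[str] = field(default_factory=list)


def version_tuple(v: str) -> tuple:
    """'5.1.10' -> (5, 1, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def evaluate(posture: Optional[Posture], policy: Policy,
             audit_clean: Optional[bool] = None) -> Decision:
    """Map a host's posture (or its silence) to an admission decision.

    audit_clean is the audit server's verdict for a host that never answered
    the credential inquiry; None means no audit result is available yet.
    """
    # Clientless host: the NAD received no credentials, so the audit server decides.
    if posture is None:
        if audit_clean is None:
            return Decision("quarantine", "REMEDIATION-ONLY", ["no posture, audit pending"])
        if audit_clean:
            return Decision("restrict", "LIMITED-ACCESS", ["no agent, audit clean"])
        return Decision("quarantine", "REMEDIATION-ONLY", ["no agent, audit found issues"])

    # A mandated control is missing entirely: deny rather than remediate.
    if not posture.av_installed:
        return Decision("deny", "DROP-ALL", ["antivirus not installed"])
    if policy.csa_required and posture.csa_version is None:
        return Decision("deny", "DROP-ALL", ["Cisco Security Agent not installed"])

    # Controls present but disabled or behind policy: quarantine for remediation.
    reasons: List[str] = []
    if not posture.av_enabled:
        reasons.append("antivirus disabled")
    elif version_tuple(posture.av_signature) < version_tuple(policy.min_av_signature):
        reasons.append(f"antivirus signatures {posture.av_signature} < {policy.min_av_signature}")
    if version_tuple(posture.os_patch_level) < version_tuple(policy.min_os_patch):
        reasons.append(f"OS patch level {posture.os_patch_level} < {policy.min_os_patch}")
    if posture.csa_version is not None and \
            version_tuple(posture.csa_version) < version_tuple(policy.min_csa_version):
        reasons.append(f"CSA {posture.csa_version} < {policy.min_csa_version}")
    if reasons:
        return Decision("quarantine", "REMEDIATION-ONLY", reasons)

    return Decision("permit", "FULL-ACCESS")


# Constructed policy and sample hosts for a stand-alone run.
POLICY = Policy(min_av_signature="2004.11.1", min_os_patch="3.2", min_csa_version="4.0")
HEALTHY = Posture(True, True, "2004.11.3", "3.2", "4.0.1")
STALE_AV = Posture(True, True, "2004.9.30", "3.2", "4.0.1")
NO_AV = Posture(False, False, "0", "3.2", "4.0.1")

if __name__ == "__main__":
    for label, host in [("healthy", HEALTHY), ("stale-av", STALE_AV), ("no-av", NO_AV)]:
        d = evaluate(host, POLICY)
        print(f"{label:10s} -> {d.action:10s} acl={d.acl} {d.reasons}")
    print("clientless -> " + evaluate(None, POLICY, audit_clean=True).action)
```

Two design points worth noting. First, the model distinguishes a control that is absent (deny) from one that is merely stale or disabled (quarantine with a remediation ACL), so the reasons list tells the remediation step exactly what to fix. Second, the decision is only as good as the credentials the agent reports: a host that is already compromised can misreport its state, which is why the audit-server path for silent hosts, and any independent scanning it performs, matters rather than being a fallback only.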

Web Links