The first release of NAC addresses the two most pressing compliance
tests required: gathering information about antivirus software state
and about the operating system. This includes the antivirus vendor software
version, engine level, and signature file level, as well as the operating system
type, patch level, and hot fixes. The second and subsequent phases will extend coverage
to additional security, management, and workplace application checks.
NAC Phase 1
Phase 1 of NAC, released in June 2004, supports
Cisco routers communicating with the Cisco Trust Agent to gather endpoint
security credentials and enforce admission control policy. The Cisco Trust
Agent software allows NAC to use existing Cisco network devices, Cisco Security
Agent software, and co-sponsor security software, including antivirus software.
Router ACLs
will restrict the communications between noncompliant hosts and other systems
in the network, for example, only allowing communications to an antivirus server
in order to download a new pattern file. NAC currently supports endpoints
running the Microsoft Windows NT, XP, and 2000 operating systems.
NAC is likely to first be used in monitoring mode, where host compliance will be
assessed without any attempt to restrict network access. During this time,
noncompliant systems may be updated as needed in order to reach desired
compliance levels.
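The following is an added illustrative model of the Phase 1 admission decision described above, not Cisco's code: the posture credentials the text lists (antivirus engine and signature level, OS type and patch) are checked against a policy, a noncompliant host receives an IOS-style ACL that permits only the antivirus server, and monitoring mode assesses without restricting. The policy thresholds, the antivirus server address and the sample hosts are constructed values.

```python
from dataclasses import dataclass


def ver(s: str) -> tuple:
    """Turn a dotted version string such as '7.1.0' into a comparable tuple."""
    return tuple(int(x) for x in s.split("."))


@dataclass
class Posture:
    """Endpoint credentials of the kind the text says the Trust Agent gathers."""
    host_ip: str
    os_type: str
    os_patch: int         # service-pack / patch level reported by the host
    av_engine: str        # antivirus engine version
    av_signature: int     # antivirus signature file level (higher is newer)


# Constructed policy thresholds; a real deployment sets its own.
POLICY = {"os_types": {"Windows NT", "Windows 2000", "Windows XP"},
          "min_os_patch": 3, "min_av_engine": "7.1", "min_av_signature": 4480}
AV_SERVER = "10.0.0.5"  # constructed address of the antivirus/remediation server


def failed_checks(p: Posture) -> list:
    """Return the names of the checks the endpoint fails (empty = compliant)."""
    failures = []
    if p.os_type not in POLICY["os_types"]:
        failures.append("os_type")
    if p.os_patch < POLICY["min_os_patch"]:
        failures.append("os_patch")
    if ver(p.av_engine) < ver(POLICY["min_av_engine"]):
        failures.append("av_engine")
    if p.av_signature < POLICY["min_av_signature"]:
        failures.append("av_signature")
    return failures


def quarantine_acl(p: Posture) -> list:
    """IOS-style extended ACL: let the host reach only the antivirus server."""
    return ["ip access-list extended NAC-QUARANTINE",
            f" permit ip host {p.host_ip} host {AV_SERVER}",
            f" deny   ip host {p.host_ip} any"]


def admit(p: Posture, monitoring_mode: bool = False) -> dict:
    """Decide admission; in monitoring mode compliance is assessed, not enforced."""
    failures = failed_checks(p)
    enforce = bool(failures) and not monitoring_mode
    return {"host": p.host_ip, "compliant": not failures, "failed": failures,
            "acl": quarantine_acl(p) if enforce else []}


if __name__ == "__main__":
    stale = Posture("192.0.2.10", "Windows XP", 1, "7.1.0", 4410)  # constructed sample
    print(admit(stale, monitoring_mode=True))  # assessed, no ACL applied
    print(admit(stale))                         # restricted to the AV server only
```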
NAC Phase 2
In Phase 2 of NAC, Cisco switches will be able to
assign noncompliant hosts to quarantine VLAN segments on which only remediation
servers reside. NAC will also support IPSec remote access platforms, such as
the VPN 3000 concentrators, and expand support for additional endpoint
operating systems. Cisco will also expand support beyond the initial NAC
co-sponsors in order to support an even broader range of access policy
assessment and enforcement through the implementation of a broad API.
Future NAC releases will support additional access devices, such as
firewalls and wireless access points, and continue to expand the range of
platforms supported.