Network Admission Control
Contributed by Cisco Systems, Inc.
Network Admission Control (NAC), an industry initiative sponsored by Cisco Systems, uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms.
Using NAC, organizations can provide network access to endpoint devices such as PCs, PDAs, and servers that are verified to be fully compliant with established security policy. NAC can also identify noncompliant devices and deny them access, place them in a quarantined area, or give them restricted access to computing resources.
NAC is part of the Cisco Self-Defending Network. Its goal is to create greater intelligence in the network to automatically identify, prevent, and adapt to security threats.
Traditional identity management solutions can verify the identity of a user logging onto a network and what that user is allowed to do, but do nothing to verify that the endpoint device conforms to security policy. As a result, networks are regularly compromised by the introduction of endpoint devices that do not conform to network security policy, which then spread viruses and worms throughout the networked environment.
NAC addresses this issue by making sure that every endpoint device entering the network conforms to policy.
Responding to Threat Evolution
Viruses and worms continue to disrupt business, causing system downtime, lost productivity, significant recovery costs, and expenses due to continual patching. The self-propagating nature of the latest computer attacks makes them especially virulent and damaging.
Security solutions that address this issue include antivirus software and intrusion prevention solutions. Existing antivirus solutions must be updated and maintained regularly, as they rely on current attack signatures in order to identify and mitigate attacks. Further, since they are unable to detect and contain “day-zero” viruses and the denial-of-service (DoS) attacks that they spawn, desktops and servers must also be hardened against attacks using intrusion prevention software such as the Cisco Security Agent. The installation and maintenance of these solutions is essential to any network security policy.
Servers and desktops not compliant with corporate security policy are common, and are difficult to detect, locate, contain, and cleanse. Locating and isolating these systems is time- and resource-intensive. Network availability is often unnecessarily compromised in order to protect computing resources while an infected device is located and repaired. Furthermore, infections can spread in such a way that remediation is extremely complex, often resulting in infections that appear to be removed from the corporate network but reappear at a later time.
The problem is compounded by the complexity of today’s networked environment, which contains:
NAC counters newly evolved threats, addresses the environmental complexity of today’s networks, and provides a real advance over point security technologies that have focused on the host, rather than global network availability and overall enterprise resiliency.
An Overview of Network Admission Control
The significant damage caused by recent worms and viruses demonstrates the inadequacy of existing safeguards. NAC provides a new, comprehensive solution that allows organizations to enforce host patch policies and to regulate noncompliant and potentially vulnerable systems by assigning them to quarantined environments for remediation. By combining information about endpoint security status with network admission enforcement, NAC enables organizations to dramatically improve the security of their computing infrastructures.
NAC allows network access to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example), and restricts the access of noncompliant devices. Network access decisions can be based on such information as the endpoint’s antivirus state, operating system version, operating system patch level, or Cisco Security Agent version and settings.
NAC has the following components:
NAC in Action
An access control solution is only effective if it can identify and evaluate all of the devices seeking to access the network. NAC’s unique implementation provides a flexible and ubiquitous solution capable of providing protection to all connected computing systems. NAC operates across all access methods that hosts use to connect to the network, including campus switching, wired and wireless, router WAN and LAN links, IP Security (IPSec) connections, remote access, and dialup links.
NAC deployment examples include:
Benefits of NAC
Availability and Use
Phase 1 of NAC, released in June 2004, supports Cisco routers communicating with the Cisco Trust Agent to gather endpoint security credentials and enforce admission control policy. Router ACLs will restrict the communications between noncompliant hosts and other systems in the network — for example, only allowing communications to an antivirus server in order to download a new pattern file. NAC currently supports endpoints running Microsoft Windows NT, XP, and 2000 operating systems.
“Recent worm and virus infections have elevated the issue of keeping insecure nodes from infecting the network and have made this a top priority for enterprises today,” said Mark Bouchard, senior program director, META Group. “Many organizations were successful at stopping recent worm attacks at their Internet boundaries, yet still fell victim to the exploits when mobile or guest users connected their infected PCs directly to internal LANs. Eliminating this type of threat will require a combination of strengthened policies and NAC technology.”
This first release of NAC addresses the two most pressing compliance tests required—antivirus software state and operating system information. This includes antivirus vendor software version, engine level, and signature file levels, as well as operating system type, patch, and hot fix. NAC is likely to first be used in monitoring mode, where host compliance will be assessed without any attempt to restrict network access. During this time, noncompliant systems may be updated as needed in order to reach desired compliance levels.
In Phase 2 of NAC, Cisco switches will be able to assign noncompliant hosts to quarantine VLAN segments on which only remediation servers reside. NAC will also support IPSec remote access platforms, such as the VPN 3000 concentrators, and expand support for additional endpoint operating systems. Cisco will also expand support beyond the initial NAC cosponsors in order to support an even broader range of access policy assessment and enforcement through the implementation of a broad API.
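The admission flow described in the preceding paragraphs (credentials gathered from the endpoint agent, compared against a policy covering antivirus engine, signature level, operating system, service pack and hotfixes, then either full access, remediation-only access, or log-only handling in monitoring mode) can be modelled as a small policy engine. The code below is an added illustration written for this page; it is not Cisco Trust Agent or NAC code, and every posture field, policy threshold, hotfix name and remediation server address in it is a constructed placeholder rather than a vendor baseline.

```python
"""Posture evaluation for a NAC-style admission decision (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Verdict(Enum):
    HEALTHY = "healthy"        # compliant: full network access
    QUARANTINE = "quarantine"  # noncompliant: remediation servers only
    UNKNOWN = "unknown"        # no credentials received (no agent on the host)


@dataclass(frozen=True)
class Posture:
    """Credentials an endpoint agent reports. All values are constructed."""
    host: str
    os_type: str               # e.g. "Windows XP"
    os_service_pack: int
    hotfixes: FrozenSet[str]   # installed hotfix identifiers
    av_engine: str             # dotted version, compared numerically
    av_signature: int          # signature file revision number


@dataclass(frozen=True)
class Policy:
    """Minimum acceptable posture. Placeholder values, not a vendor baseline."""
    allowed_os: FrozenSet[str]
    min_service_pack: Dict[str, int]      # os_type -> minimum service pack
    required_hotfixes: FrozenSet[str]
    min_av_engine: str
    min_av_signature: int
    remediation_servers: Tuple[str, ...]  # the only hosts reachable from quarantine


def version_tuple(v: str) -> Tuple[int, ...]:
    """'7.1.0' -> (7, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def check_posture(p: Optional[Posture], pol: Policy) -> Tuple[Verdict, List[str]]:
    """Evaluate one endpoint. Returns the verdict and the list of failed tests."""
    if p is None:
        # A host that never answers the posture request is treated like a
        # noncompliant one: it must not get full access by default.
        return Verdict.UNKNOWN, ["no posture credentials received"]
    failures: List[str] = []
    if p.os_type not in pol.allowed_os:
        failures.append(f"operating system not permitted: {p.os_type}")
    elif p.os_service_pack < pol.min_service_pack.get(p.os_type, 0):
        failures.append(f"service pack {p.os_service_pack} below minimum")
    missing = pol.required_hotfixes - p.hotfixes
    if missing:
        failures.append("missing hotfixes: " + ", ".join(sorted(missing)))
    if version_tuple(p.av_engine) < version_tuple(pol.min_av_engine):
        failures.append(f"antivirus engine {p.av_engine} below {pol.min_av_engine}")
    if p.av_signature < pol.min_av_signature:
        failures.append(f"antivirus signatures {p.av_signature} older than {pol.min_av_signature}")
    return (Verdict.HEALTHY if not failures else Verdict.QUARANTINE), failures


def enforcement(verdict: Verdict, pol: Policy, monitoring_mode: bool) -> Dict[str, object]:
    """Translate a verdict into what the access device should apply.

    In monitoring mode the verdict is only logged and full access is granted,
    which is the initial deployment style the paper describes. Otherwise a
    noncompliant or unknown host is limited to the remediation servers, the
    effect of the router ACL or quarantine VLAN.
    """
    if monitoring_mode or verdict is Verdict.HEALTHY:
        return {"access": "full", "permit_to": ("any",), "logged": verdict.value}
    return {"access": "restricted", "permit_to": pol.remediation_servers, "logged": verdict.value}


# Constructed policy and endpoints used to exercise the engine.
POLICY = Policy(
    allowed_os=frozenset({"Windows 2000", "Windows XP"}),
    min_service_pack={"Windows 2000": 4, "Windows XP": 1},
    required_hotfixes=frozenset({"HOTFIX-PLACEHOLDER-1"}),
    min_av_engine="7.0.0",
    min_av_signature=4200,
    remediation_servers=("10.0.0.10",),  # constructed antivirus update server address
)
COMPLIANT = Posture("pc-1", "Windows XP", 1, frozenset({"HOTFIX-PLACEHOLDER-1"}), "7.1.0", 4250)
STALE_AV = Posture("pc-2", "Windows XP", 1, frozenset({"HOTFIX-PLACEHOLDER-1"}), "7.1.0", 4100)
UNPATCHED = Posture("pc-3", "Windows 2000", 3, frozenset(), "6.5.2", 4250)


def evaluate_all(monitoring_mode: bool) -> Dict[str, Dict[str, object]]:
    """Run every constructed endpoint through the policy and return the results."""
    results = {}
    for p in (COMPLIANT, STALE_AV, UNPATCHED, None):
        verdict, failures = check_posture(p, POLICY)
        name = p.host if p else "agentless-host"
        results[name] = {"verdict": verdict, "failures": failures,
                         **enforcement(verdict, POLICY, monitoring_mode)}
    return results


if __name__ == "__main__":
    for name, r in evaluate_all(monitoring_mode=False).items():
        print(name, r["verdict"].value, r["access"], r["failures"])
```

Running `evaluate_all(monitoring_mode=True)` shows why the paper expects monitoring mode first: every host is admitted with full access while the log records which ones would have been quarantined, so operators can remediate before switching enforcement on.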
Future NAC releases will support additional access devices, such as firewalls and wireless access points, and continue to expand the platforms which it will support.
Advanced Services to Speed NAC Deployment
Cisco has developed planning, design, and implementation consulting services to support a successful NAC implementation. These Advanced Services include assessment, planning, design, implementation, and optimization consulting. These integrated services can assist IT staff in deploying a reliable, efficient, and scalable NAC solution. Cisco Advanced Services can provide the following:
Conclusion — The Cisco Self-Defending Network
NAC is a crucial component of the Cisco Self-Defending Network, an innovative, multiphase security initiative that dramatically improves the ability of networks to identify, prevent, and adapt to security threats. The Cisco Self-Defending Network initiative significantly advances Cisco’s strategy of integrating security services throughout IP networks by delivering new system-level network threat defense.
For More Information: visit: http://www.cisco.com/go/nac