Cisco NAC Appliance Executive Overview

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential



Page 2

Contents

1 The “Business Case” For Network Admission Control
2 Cisco NAC Appliance Product Overview
3 Common NAC Posture Assessments
4 Deployment Considerations
5 Additional Resources

Page 3

The Vulnerability of Networks

Every bit of user data touches the network

Every device an employee, consultant or guest has is attached to the network

In this environment, EVERYTHING is a potential target AND a potential threat

>> Threat vectors have changed: your “trusted users” can be the weakest link in your network’s security

Page 4

The Evolution of Threats

Mitigating threats via policy compliance

Balancing productivity and security in a “connected” world

Changing threats from data-in-transit to data-in-storage

>> Business vectors have changed: you are accountable for your “policies” that are not enforced

Page 5

Common Ways to Combat Threats

1. Require users to abide by “responsible computing” guidelines
   BUT: no direct pain, no responsibility

2. Register user computers; require authentication
   BUT: authentication is not enough

3. Pass out anti-X software and OS updates through patch management systems
   BUT: compliance is still voluntary and unenforceable

4. Use IDS/IPS/endpoint monitoring solutions to find bad computers
   BUT: does not stop vulnerabilities and fails to fix the problem

Page 6

Make Access Contingent on Compliance

First, establish ACCESS POLICIES. Then:

Authenticate & Authorize
- Enforces authorization policies and privileges
- Supports multiple user roles

Scan & Evaluate
- Agent scan for required versions of hotfixes, AV, etc.
- Network scan for virus and worm infections and port vulnerabilities

Quarantine & Enforce
- Isolate non-compliant devices from the rest of the network
- MAC and IP-based quarantine effective at a per-user level

Update & Remediate
- Network-based tools for vulnerability and threat remediation
- Help-desk integration

NO COMPLIANCE = NO NETWORK ACCESS

Page 7

Contents

1 The “Business Case” For Network Admission Control
2 Cisco NAC Appliance Product Overview
3 Common NAC Posture Assessments
4 Deployment Considerations
5 Additional Resources

Page 8

NAC Means Better Criteria for Security

What System Is It?
- Windows, Mac or Linux
- Laptop, Desktop or PDA
- Printer or Other Corporate Asset

Who Owns It?
- Company, Employee, Contractor, Guest, Unknown

Where Is It Coming From?
- VPN, LAN, WLAN, WAN

What’s On It? Is It Running?
- Anti-Virus, Anti-Spyware
- Personal Firewall
- Patching Tools

What’s The Preferred Way To Check/Fix It?
- Pre-Configured Checks
- Customized Checks
- Self-Remediation or Auto-Remediation
- Third-Party Software

Page 9

Four Key Capabilities of Cisco NAC

Securely Identify Device and User
- What it means: Associate users to devices
- Why it is important: Associating users with devices enables granular enforcement of policies by role or group

Configure and Manage
- What it means: Create and manage policies easily
- Why it is important: Policies that are easy to create and maintain lead to better system operations and adherence

Quarantine and Remediate
- What it means: Isolate and fix non-compliant devices
- Why it is important: Quarantine is critical to halt the spread of vulnerabilities; remediation addresses root cost drivers

Enforce Consistent Policy
- What it means: Assess devices; enforce policies
- Why it is important: Enforcement at the network reduces reliance on the integrity of the endpoint

A Comprehensive NAC Solution Must Have All Four Capabilities: The Absence of Any One Weakens the Solution

Page 10

Top Customer Pain Points*

Guests and unmanaged users
- Cisco NAC authenticates and controls guest and unmanaged assets

Enforce endpoint policy requirements
- Cisco NAC assesses, quarantines, and remediates noncompliant endpoints

Role-based access control
- Cisco NAC applies access and posture policies based on roles

Secured Remote Access, Secured Wireless Access, Secured LAN Access

* Source: Current Analysis, July 2006

Page 11

Cisco NAC Is Widely Deployed Today

- Cisco NAC Appliance has 1200+ customers
- Mid-market and large enterprises
- Financial services, healthcare, public sector, manufacturing
- All use cases: remote access, guest users, wireless, LAN/VoIP

Page 12

Cisco NAC Appliance Advantage

1. One product for all use cases: managed LAN/VoIP users, unmanaged/guest LAN users, wireless LAN users, VPN/remote/WAN users
2. Number 1: the most experience brings the most relevant features
3. Easy to own: most deployments ready in under five days
4. Scalable: installations from 100 users to 100,000+ users, from a single site to 150+ locations
5. Flexible: does not require an infrastructure upgrade

Page 13

NAC Appliance Components

Cisco Clean Access Manager: centralizes management for administrators, support personnel, and operators

Cisco Clean Access Server: serves as the enforcement point for network access control

Cisco Clean Access Agent: optional lightweight client for device-based registry scans in unmanaged environments

Rule-set Updates: scheduled automatic updates for anti-virus, critical hot-fixes and other applications

Page 14

NAC Appliance Sizing

Manager Lite: manages up to 3 Branch Office or SMB Servers (100, 250 or 500 users each)

Standard Manager: manages up to 20 Enterprise and Branch Servers (1500 users each)

Super Manager: manages up to 40 Enterprise and Branch Servers (2500 users each)

Users = online, concurrent

Page 15

NAC Appliance Use Cases

Endpoint Compliance: network access only for compliant devices

Guest Compliance: restricted internet access only for guest users

Wireless Compliance: secured network access only for compliant wireless devices

VPN User Compliance: intranet access only for compliant remote access users

Intranet Access Compliance: ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc.

Diagram labels: INTERNET, IPSec, 802.1Q, CAMPUS BUILDING 1, WIRELESS BUILDING 2, CONFERENCE ROOM IN BUILDING 3

Page 16

Cisco NAC Appliance Overview

1. End user attempts to access a Web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.

2. User is redirected to a login page. Clean Access validates the username and password, and also performs device and network scans to assess vulnerabilities on the device.

3a. Quarantine Role: the device is noncompliant or the login is incorrect. The user is denied access and assigned to a quarantine role with access to online remediation resources.

3b. Device is “clean”: the machine is put on the “certified devices list” and is granted access to the network (THE GOAL: Intranet/Network).

Components in the diagram: Cisco Clean Access Server, Cisco Clean Access Manager, Authentication Server, Intranet/Network.

Page 17

End User Experience: Web-based

Login screen → Scan is performed (types of checks depend on user role/OS) → Click-through remediation

Page 18

End User Experience: with Agent

Login screen → Scan is performed (types of checks depend on user role) → Scan fails → Remediate

Page 19

Cisco NAC Appliance Partnerships

Cisco NAC is committed to protecting customers’ investments in partner applications.

NAC Appliance Supports Policies for 250+ Applications, Including These Vendors:

Page 20

Complementary Cisco Products

Switches and Routers: all switches and routers (In Band); Catalyst 2900, 2940/50/60, 3500, 3550/60, 3750, 4000/4500, 6500 (Out of Band)

Cisco Security Agent for day-zero endpoint security

Cisco MARS for security correlation

VPN products: VPN 3000 Concentrator, ASA/PIX 7.0, ISR/IOS, WebVPN

Wireless: APs, WLSM (Aironet), Wireless Controllers (Airespace)

Page 21

Contents

1 The “Business Case” For Network Admission Control
2 Cisco NAC Appliance Product Overview
3 Common NAC Posture Assessments
4 Deployment Considerations
5 Additional Resources

Page 22

Corporate/Employee Posture Assessment

Corporate Asset Tag
- Unique registries inserted into corporate devices
- Corporate PKI certificates installed in corporate devices

Microsoft Hotfixes
- Critical hot-fix checks (provided via Cisco automated updates)
- SUS/WUS running or AU options (can force setting)
- SMS or patch management software running (can launch qualified .exe)

Security Applications
- HIDS (CSA) or personal firewall installed and running
- AV installed, running and with the latest DAT (can launch AV)
- Anti-Spyware installed and running
- Encryption software installed and running

Page 23

NAC Decision Tree for Employee

The tree is evaluated top-down; the first check that fails determines the quarantine outcome:

1. Corp Asset Tag: if missing, no access, call HelpDesk
2. SUS/SMS/CSA: if not running, no access, start service
3. Hotfixes: if not up to date, Internet only, SUS/SMS runs
4. AV/AS up to date: if not, Internet only, launch AV

All checks pass: Access
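As an added example, not part of the Cisco deck or any Cisco software, the employee decision tree above written out as a small fail-closed evaluator in Python. The agent-report field names (corp_asset_tag, sus_sms_csa_running, hotfixes_current, av_as_up_to_date) and the sample JSON reports are constructed for this example; the point it adds to the slide is what happens when a report is missing a field or cannot be parsed: anything that is not an explicit pass is treated as a failed check, so a broken or tampered report can never yield the "access" outcome.

```python
"""Employee posture decision tree, modelled on the NAC slide (added example).

Four checks are applied in the slide's order; the first failing check picks
the quarantine outcome, and only a device that passes all four gets access.
Field names and sample reports are constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed agent reports (one JSON object per line). lt-1006 is missing the
# AV/AS field, which the evaluator treats as a failed check (fail closed).
SAMPLE_REPORTS = [
    '{"host": "lt-1001", "corp_asset_tag": true, "sus_sms_csa_running": true, '
    '"hotfixes_current": true, "av_as_up_to_date": true}',
    '{"host": "lt-1002", "corp_asset_tag": false, "sus_sms_csa_running": true, '
    '"hotfixes_current": true, "av_as_up_to_date": true}',
    '{"host": "lt-1003", "corp_asset_tag": true, "sus_sms_csa_running": false, '
    '"hotfixes_current": false, "av_as_up_to_date": false}',
    '{"host": "lt-1004", "corp_asset_tag": true, "sus_sms_csa_running": true, '
    '"hotfixes_current": false, "av_as_up_to_date": true}',
    '{"host": "lt-1005", "corp_asset_tag": true, "sus_sms_csa_running": true, '
    '"hotfixes_current": true, "av_as_up_to_date": false}',
    '{"host": "lt-1006", "corp_asset_tag": true, "sus_sms_csa_running": true, '
    '"hotfixes_current": true}',
]


@dataclass(frozen=True)
class Decision:
    host: str
    role: str                   # "access", "no_access" or "internet_only"
    failed_check: Optional[str]  # None when every check passed
    action: str                  # outcome text from the slide


# Ordered checks from the slide: (report field, resulting role, action text).
CHECKS = [
    ("corp_asset_tag",      "no_access",     "No access, call HelpDesk"),
    ("sus_sms_csa_running", "no_access",     "No access, start service"),
    ("hotfixes_current",    "internet_only", "Internet only, SUS/SMS runs"),
    ("av_as_up_to_date",    "internet_only", "Internet only, launch AV"),
]


def evaluate(report: Dict[str, object]) -> Decision:
    """Walk the tree top-down and return the first failing check's outcome."""
    host = str(report.get("host", "unknown"))
    for field_name, role, action in CHECKS:
        # Only an explicit True passes. A missing, null or mistyped value fails,
        # so an incomplete report cannot grant more access than a complete one.
        if report.get(field_name) is not True:
            return Decision(host, role, field_name, action)
    return Decision(host, "access", None, "Full network access")


def evaluate_lines(lines: List[str]) -> List[Decision]:
    """Evaluate one JSON report per line; unparseable lines are quarantined."""
    decisions = []
    for line in lines:
        try:
            report = json.loads(line)
            if not isinstance(report, dict):
                report = {"host": "malformed"}
        except json.JSONDecodeError:
            report = {"host": "unparsed"}
        decisions.append(evaluate(report))
    return decisions


def role_counts(decisions: List[Decision]) -> Dict[str, int]:
    """Summary a help desk or SOC dashboard would show: devices per role."""
    counts = {"access": 0, "no_access": 0, "internet_only": 0}
    for d in decisions:
        counts[d.role] += 1
    return counts


if __name__ == "__main__":
    results = evaluate_lines(SAMPLE_REPORTS)
    for d in results:
        print(f"{d.host:8} {d.role:14} {d.failed_check or '-':20} {d.action}")
    print(role_counts(results))
```

Note that lt-1003 fails three checks but is reported only against the first one (SUS/SMS/CSA not running), exactly as the tree on the slide would route it; the remaining failures surface once that service is started and the device re-scans.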

Page 24

Contents

1 The “Business Case” For Network Admission Control
2 Cisco NAC Appliance Product Overview
3 Common NAC Posture Assessments
4 Deployment Considerations
5 Additional Resources

Page 25

Cisco Clean Access for Corporate LAN

FEATURES
- Supports 802.1q trunking
- Supports both L3 multi-hop and L2
- Supports L2TPv3 tunneling
- Supports both in-band and out-of-band

BENEFITS
- Enables central deployment mode
- End user devices can be several hops away
- Extends enforcement to campus buildings

Diagram labels: Central Site, CCA; Campus Building Corporate Users; Campus Building Guest Users; Campus Building Corporate Users; links labelled L2TPv3, 802.1q and Multi-Hop IP

Page 26

Cisco Clean Access for Remote Users

FEATURES
- Supports IPSec and SSL Tunnel VPNs
- Supports site-to-site VPNs
- Supports VPN user sign-on

BENEFITS
- Extends policy enforcement and compliance to remote access and VPN users
- Extends enforcement to site-to-site VPN partners
- Leverages VPN sign-on for single sign-on

Diagram labels: Central Site, CCA, Multi-Hop IP; Branch Office Corporate Users (IPSec VPN); Home Office Unmanaged Desktop; Account Manager Mobile User (SSL Tunnel VPN); Supply Partner Extranet (IPSec VPN)

Page 27

Cisco Clean Access for Wireless Users

FEATURES
- Supports 802.1q trunking
- Supports L2TPv3 or GRE tunneling
- Supports thin or thick wireless 802.11 APs
- Supports wireless user sign-on

BENEFITS
- Enables central deployment mode
- End user devices can be several hops away
- Extends enforcement to any wireless network
- Leverages EAP sign-on for single sign-on

Diagram labels: Central Site, CCA; Wireless Network LWAPP Users (LWAPP); Wireless Network WLSM Guest Users (802.1q, GRE); Campus Building Wireless Users (802.1q)

Page 28

ADDITIONAL RESOURCES

Product information at: www.cisco.com/go/nac/appliance

Specific questions to: [email protected]
